[Git][security-tracker-team/security-tracker][master] 2 commits: Add upstream otrs2 security advisory references for OSA-2019-{04,05,06}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c552b693 by Salvatore Bonaccorso at 2019-04-29T05:18:33Z Add upstream otrs2 security advisory references for OSA-2019-{04,05,06} - - - - - 12421b08 by Salvatore Bonaccorso at 2019-04-29T05:20:55Z Reference upstream commits for CVE-2019-9892, CVE-2019-10066 and CVE-2019-10067 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3560,9 +3560,14 @@ CVE-2019-10068 (An issue was discovered in Kentico before 12.0.15. Due to a fail CVE-2019-10067 [OSA-2019-05] RESERVED - otrs2 6.0.18-1 + NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/8a489236336ddc82e745c27abb32dfa1ceefb0f4 + NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/67158d8b08309859572c795982ecc7c52484ab0e + NOTE: https://community.otrs.com/security-advisory-2019-05-security-update-for-otrs-framework/ CVE-2019-10066 [OSA-2019-06] RESERVED - otrs2 6.0.18-1 + NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/b99cad21f2dd1c2d52299424a589b0b2f20d7ba8 + NOTE: https://community.otrs.com/security-advisory-2019-06-security-update-for-otrs-framework/ CVE-2019-10065 RESERVED CVE-2019-10064 
@@ -3989,6 +3994,9 @@ CVE-2019-9894 (A remotely triggerable memory overwrite in RSA key exchange in Pu CVE-2019-9892 [OSA-2019-04] RESERVED - otrs2 6.0.18-1 + NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/3617488c6c28e06203e4127c7b031140f775a685 + NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/c3b9342a85c6f2c9382e074ad9cc440ce80a6f34 + NOTE: https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/ CVE-2019-9891 RESERVED CVE-2019-9890 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d479f9c394f0b516beb2f62b0b28ac7cfce2423b...12421b08ccdb8213ef2966acb71cb0690de1bbe5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d479f9c394f0b516beb2f62b0b28ac7cfce2423b...12421b08ccdb8213ef2966acb71cb0690de1bbe5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
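Review bot: CVE-2019-10066 gets only an OTRS 6 commit reference, while CVE-2019-10067 and CVE-2019-9892 in the same patch reference both an OTRS 6 and an OTRS 5 fix. Either add the OTRS 5 commit for OSA-2019-06 as well, or record in a NOTE that OSA-2019-06 concerns the 6.x branch only, so whoever triages the suites shipping the older branch does not have to re-derive that from the advisory. The entries still read RESERVED, so the [OSA-2019-0x] bracket tags are the only description until the automatic update fills them in; that is fine as a placeholder.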
[Git][security-tracker-team/security-tracker][master] Cleanup trailing whitespaces in CVE list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3529369 by Salvatore Bonaccorso at 2019-04-29T05:21:35Z Cleanup trailing whitespaces in CVE list - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16668,7 +16668,7 @@ CVE-2019-5008 (hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer [jessie] - qemu (Minor issue) - qemu-kvm NOTE: https://fakhrizulkifli.github.io/posts/2019/01/03/CVE-2019-5008/ - NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=ad280559c68360c9f1cd7be063857853759e6a73 (4.0.0-rc0) + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=ad280559c68360c9f1cd7be063857853759e6a73 (4.0.0-rc0) CVE-2019-5007 (An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on W ...) NOT-FOR-US: Foxit Reader and PhantomPDF CVE-2019-5006 (An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on W ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3529369ca6322d39cd305a7ceef7762cd1e8b7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3529369ca6322d39cd305a7ceef7762cd1e8b7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
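Review bot: the removed and added lines in the CVE-2019-5008 hunk differ only in trailing whitespace, so the change is correct but invisible in this rendering. Running `git diff --check` (or a pre-commit hook that rejects trailing whitespace) before pushing would catch this at commit time instead of needing a separate cleanup commit.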
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9892, CVE-2019-10066 and CVE-2019-10067 for otrs2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d479f9c3 by Salvatore Bonaccorso at 2019-04-29T05:15:54Z Add CVE-2019-9892, CVE-2019-10066 and CVE-2019-10067 for otrs2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3557,10 +3557,12 @@ CVE-2019-10069 RESERVED CVE-2019-10068 (An issue was discovered in Kentico before 12.0.15. Due to a failure to ...) NOT-FOR-US: Kentico -CVE-2019-10067 +CVE-2019-10067 [OSA-2019-05] RESERVED -CVE-2019-10066 + - otrs2 6.0.18-1 +CVE-2019-10066 [OSA-2019-06] RESERVED + - otrs2 6.0.18-1 CVE-2019-10065 RESERVED CVE-2019-10064 @@ -3984,8 +3986,9 @@ CVE-2019-9894 (A remotely triggerable memory overwrite in RSA key exchange in Pu - putty 0.70-6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d82854999516046122501b2e145099740ed0284f -CVE-2019-9892 +CVE-2019-9892 [OSA-2019-04] RESERVED + - otrs2 6.0.18-1 CVE-2019-9891 RESERVED CVE-2019-9890 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d479f9c394f0b516beb2f62b0b28ac7cfce2423b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d479f9c394f0b516beb2f62b0b28ac7cfce2423b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
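Review bot: the three otrs2 entries are added with a fixed version (6.0.18-1) but no upstream reference; the [OSA-2019-04], [OSA-2019-05] and [OSA-2019-06] tags are the only pointer to the advisories, and the NOTE lines with advisory and commit URLs only arrive in a follow-up commit on this page. Adding them in the same commit keeps the entry self-explaining. The hunks also record no [stretch] or [jessie] annotation, so until triaged those suites read as affected by default; worth checking which OTRS branch each ships.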
[Git][security-tracker-team/security-tracker][master] LTS/python-urllib3, python2.7, python3.4 status update
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 548b4d54 by Roberto C. Sánchez at 2019-04-29T03:04:33Z LTS/python-urllib3, python2.7, python3.4 status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,15 +110,15 @@ poppler NOTE: 20190408: No known upstream patches available for remaining open CVEs (sunweaver) -- python-urllib3 (Roberto C. Sánchez) - NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) + NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto) -- python2.7 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and CVE-2019-9636 - NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) + NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto) -- python3.4 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647 and CVE-2019-9636 - NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) + NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto) -- qemu (Emilio) NOTE: 20190424: fixing new plus old postponed issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/548b4d54ce81849a32e2d52f2ee6f82a7e9c3fed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/548b4d54ce81849a32e2d52f2ee6f82a7e9c3fed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-11498 fixed in wavpack/5.1.0-6
Sebastian Ramacher pushed to branch master at Debian Security Tracker / security-tracker Commits: 6216cf7b by Sebastian Ramacher at 2019-04-28T21:44:29Z CVE-2019-11498 fixed in wavpack/5.1.0-6 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -178,7 +178,7 @@ CVE-2019-11500 CVE-2019-11499 RESERVED CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack t ...) - - wavpack (bug #927903) + - wavpack 5.1.0-6 (bug #927903) NOTE: https://github.com/dbry/WavPack/issues/67 NOTE: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4 CVE-2019-11497 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6216cf7bdcae3578c5211d46388fad37d4256b1e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6216cf7bdcae3578c5211d46388fad37d4256b1e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
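Review bot: the fixed version 5.1.0-6 is recorded against unstable only; the visible context around CVE-2019-11498 has no [stretch] or [jessie] line, so the older suites still read as affected by default. Suggest adding the per-suite annotations (no-dsa, not-affected, or a pending update) once the older wavpack versions have been checked against the referenced upstream commit.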
[Git][security-tracker-team/security-tracker][master] 2 commits: add dhcpcd5
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 61aa25df by Thorsten Alteholz at 2019-04-28T21:10:54Z add dhcpcd5 - - - - - 186d2180 by Thorsten Alteholz at 2019-04-28T21:10:54Z claim packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -12,7 +12,7 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- 389-ds-base (Mike Gabriel) -- -atftp +atftp (Thorsten Alteholz) -- axis -- @@ -21,6 +21,8 @@ bind9 (Thorsten Alteholz) claws-mail NOTE: 20190408: patch not yet available -- +dhcpcd5 +-- drupal7 -- evolution-ews @@ -99,7 +101,7 @@ modsecurity-crs -- openjdk-7 (Emilio) -- -php5 +php5 (Thorsten Alteholz) -- polarssl NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby) @@ -138,7 +140,7 @@ wireshark (Hugo Lefeuvre) wordpress NOTE: 20190401: remaining one issue (CVE-2019-8943). Waiting for upstream patch (abhijith) -- -wpa +wpa (Thorsten Alteholz) -- xen (worked on by credativ) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ba14e9f0064aeef237ce94c8d2e0e5d715242d9c...186d2180570f8dfc961d8aa4ae2dc96bf14fb78f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ba14e9f0064aeef237ce94c8d2e0e5d715242d9c...186d2180570f8dfc961d8aa4ae2dc96bf14fb78f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
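Review bot: dhcpcd5 is added to dla-needed.txt as a bare entry with no claimer and no NOTE naming the issues to fix, unlike the neighbouring entries that carry dated NOTE lines. A NOTE listing the CVEs would help the next person picking it up, especially since one of the dhcpcd5 issues on this page (CVE-2019-11577) is already marked "Vulnerable code not present" for jessie in commit 2598115f, so only the remaining ones need the DLA.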
[Git][security-tracker-team/security-tracker][master] Makefile: Remove leftover wheezy_ARCHS list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba14e9f0 by Salvatore Bonaccorso at 2019-04-28T21:11:36Z Makefile: Remove leftover wheezy_ARCHS list - - - - - 1 changed file: - Makefile Changes: = Makefile = @@ -10,7 +10,6 @@ TESTING = buster MIRROR = http://debian.csail.mit.edu/debian SECURITY_MIRROR = http://security.debian.org/debian-security -wheezy_ARCHS = amd64 armel armhf i386 jessie_ARCHS = amd64 armel armhf i386 stretch_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x buster_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ba14e9f0064aeef237ce94c8d2e0e5d715242d9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ba14e9f0064aeef237ce94c8d2e0e5d715242d9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
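Review bot: removing the dead wheezy_ARCHS list is consistent with dropping wheezy's "release" mapping from data/config.json elsewhere in this batch. Before merging, grep the Makefile for any remaining `$(wheezy_ARCHS)` expansion or wheezy-specific target, since the hunk only shows the variable definition and not its uses.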
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1770-1 for gst-plugins-base1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4814fa3c by Thorsten Alteholz at 2019-04-28T21:01:43Z Reserve DLA-1770-1 for gst-plugins-base1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Apr 2019] DLA-1770-1 gst-plugins-base1.0 - security update + {CVE-2019-9928} + [jessie] - gst-plugins-base1.0 1.4.4-2+deb8u2 [28 Apr 2019] DLA-1769-1 gst-plugins-base0.10 - security update {CVE-2019-9928} [jessie] - gst-plugins-base0.10 0.10.36-2+deb8u1 = data/dla-needed.txt = @@ -36,8 +36,6 @@ gradle -- graphicsmagick -- -gst-plugins-base1.0 (Thorsten Alteholz) --- hdf5 (Hugo Lefeuvre) NOTE: requires some prior triage, almost all cves undetermined. NOTE: contacted hdf5 upstream, received information, currently updating the tracker. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4814fa3cf22236527b4deeeff64b9410a29a6235 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4814fa3cf22236527b4deeeff64b9410a29a6235 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1769-1 for gst-plugins-base0.10
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d87df6ab by Thorsten Alteholz at 2019-04-28T20:49:45Z Reserve DLA-1769-1 for gst-plugins-base0.10 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Apr 2019] DLA-1769-1 gst-plugins-base0.10 - security update + {CVE-2019-9928} + [jessie] - gst-plugins-base0.10 0.10.36-2+deb8u1 [28 Apr 2019] DLA-1768-1 checkstyle - security update {CVE-2019-9658} [jessie] - checkstyle 5.9-1+deb8u1 = data/dla-needed.txt = @@ -36,8 +36,6 @@ gradle -- graphicsmagick -- -gst-plugins-base0.10 (Thorsten Alteholz) --- gst-plugins-base1.0 (Thorsten Alteholz) -- hdf5 (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d87df6abf71f13b0557f85490a1f9867523cc3b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d87df6abf71f13b0557f85490a1f9867523cc3b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a4dabd74 by security tracker role at 2019-04-28T20:10:26Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,12 +1,12 @@ -CVE-2019-11577 [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses] +CVE-2019-11577 (dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp ...) - dhcpcd5 (bug #928105) [stretch] - dhcpcd5 (Vulnerable code not present) [jessie] - dhcpcd5 (Vulnerable code not present) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6 -CVE-2019-11579 [DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED] +CVE-2019-11579 (dhcp.c in dhcpcd before 7.2.1 contains a 1-byte read overflow with DHO ...) - dhcpcd5 (bug #928104) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 -CVE-2019-11578 [auth: Use consttime_memequal to avoid latency attack] +CVE-2019-11578 (auth.c in dhcpcd before 7.2.1 allowed attackers to infer secrets by pe ...) - dhcpcd5 (bug #928056) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233 NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da @@ -2295,6 +2295,7 @@ CVE-2019-10652 (An issue was discovered in flatCore 1.4.7. acp/acp.php allows re CVE-2019-10651 RESERVED CVE-2019-10650 (In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in ...) + {DSA-4436-1} - imagemagick (bug #926091) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1532 CVE-2019-10649 (In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SV ...) 
@@ -3790,6 +3791,7 @@ CVE-2019-9958 CVE-2019-9957 RESERVED CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in ...) + {DSA-4436-1} - imagemagick (bug #925395) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1523 NOTE: https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979 @@ -5291,6 +5293,7 @@ CVE-2019-9660 (Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html CVE-2019-9659 (The Chuango 433 MHz burglar-alarm product line uses static codes in th ...) NOT-FOR-US: Chuango CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...) + {DLA-1768-1} - checkstyle (low; bug #924598) [buster] - checkstyle (Minor issue) [stretch] - checkstyle (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4dabd746558910bb7b03f09b59ab6ef9ab9165f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4dabd746558910bb7b03f09b59ab6ef9ab9165f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark two systemd issues as ignored after followup with maintainer
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 377b by Moritz Muehlenhoff at 2019-04-28T19:43:08Z mark two systemd issues as ignored after followup with maintainer - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19094,7 +19094,7 @@ CVE-2019-3845 (A lack of access control was found in the message queues maintain NOT-FOR-US: qpid dispatch router CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd (bug #928102) - [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) + [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [jessie] - systemd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610 NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba 
@@ -19102,7 +19102,7 @@ CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser pr NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd (bug #928102) - [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) + [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [jessie] - systemd (Vulnerable code introduced later) NOTE: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 NOTE: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/377b48c5a5c22114b775cc2c67db69ba1f48 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/377b48c5a5c22114b775cc2c67db69ba1f48 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
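Review bot: in both hunks the removed and added lines read identically here, so the diff as rendered does not show the change the commit message describes. What changed is the status tag between the package name and the parenthesised reason (the tracker format uses angle-bracket tags such as <no-dsa> and <ignored>), and angle brackets have not survived in this rendering. For the actual commit: moving from no-dsa to ignored after the maintainer followup should ideally carry the updated reasoning in the parenthesised text or a NOTE, since the visible rationale is unchanged from the no-dsa version.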
[Git][security-tracker-team/security-tracker][master] imagemagick DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ad068a5b by Moritz Muehlenhoff at 2019-04-28T19:38:01Z imagemagick DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[28 Apr 2019] DSA-4436-1 imagemagick - security update + {CVE-2019-9956 CVE-2019-10650} + [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u7 [27 Apr 2019] DSA-4435-1 libpng1.6 - security update {CVE-2019-7317} [stretch] - libpng1.6 1.6.28-1+deb9u1 = data/dsa-needed.txt = @@ -24,8 +24,6 @@ glusterfs -- graphicsmagick -- -imagemagick (jmm) --- koji -- libidn View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad068a5b36ef913ac7cc50fb1c215dfadd1be79b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad068a5b36ef913ac7cc50fb1c215dfadd1be79b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2019-384{3,4}/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c87341ee by Salvatore Bonaccorso at 2019-04-28T19:18:59Z Update information for CVE-2019-384{3,4}/systemd Support for DynamicUser property was added later and is not present in v215. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19095,7 +19095,7 @@ CVE-2019-3845 (A lack of access control was found in the message queues maintain CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd (bug #928102) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) - [jessie] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) + [jessie] - systemd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610 NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 
@@ -19103,7 +19103,7 @@ CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser pr CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd (bug #928102) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) - [jessie] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) + [jessie] - systemd (Vulnerable code introduced later) NOTE: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 NOTE: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada NOTE: https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c87341ee5a07fdaed7cd20876824123268465642 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c87341ee5a07fdaed7cd20876824123268465642 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
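Review bot: the rationale for the jessie change ("Support for DynamicUser property was added later and is not present in v215") lives only in the commit message. The entry text "Vulnerable code introduced later" is the right marker, but recording the version detail in a NOTE line on CVE-2019-3843 and CVE-2019-3844 would let readers of data/CVE/list see why jessie is not affected without consulting git history.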
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2019-11577 as not affected for jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2598115f by Thorsten Alteholz at 2019-04-28T18:16:59Z mark CVE-2019-11577 as not affected for jessie - - - - - 557fb7eb by Thorsten Alteholz at 2019-04-28T18:17:00Z mark CVE-2019-3843 as no-dsa for jessie - - - - - 72f44f25 by Thorsten Alteholz at 2019-04-28T18:17:01Z mark CVE-2019-3844 as no-dsa for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,6 +1,7 @@ CVE-2019-11577 [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses] - dhcpcd5 (bug #928105) [stretch] - dhcpcd5 (Vulnerable code not present) + [jessie] - dhcpcd5 (Vulnerable code not present) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6 CVE-2019-11579 [DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED] - dhcpcd5 (bug #928104) @@ -19094,6 +19095,7 @@ CVE-2019-3845 (A lack of access control was found in the message queues maintain CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd (bug #928102) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) + [jessie] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610 NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 
@@ -19101,6 +19103,7 @@ CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser pr CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd (bug #928102) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) + [jessie] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) NOTE: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 NOTE: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada NOTE: https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9d0d2a75e7c4b3e163742fbb62c390ede77a9de3...72f44f25b4a6411f7d6020e8da6bf2159ded919d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9d0d2a75e7c4b3e163742fbb62c390ede77a9de3...72f44f25b4a6411f7d6020e8da6bf2159ded919d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
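Review bot: the two systemd hunks copy the stretch no-dsa rationale onto jessie verbatim, which presumes the jessie systemd contains the vulnerable code; commit c87341ee in this same batch later replaces both lines with "Vulnerable code introduced later" because the DynamicUser property is not present in v215. Check whether the affected feature exists in the target suite before marking an issue no-dsa there, since a not-affected annotation and a no-dsa annotation mean different things to users reading the tracker. The CVE-2019-11577 hunk, which adds "Vulnerable code not present" for jessie, is fine.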
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1768-1 for checkstyle
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d0d2a75 by Adrian Bunk at 2019-04-28T18:15:11Z Reserve DLA-1768-1 for checkstyle - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Apr 2019] DLA-1768-1 checkstyle - security update + {CVE-2019-9658} + [jessie] - checkstyle 5.9-1+deb8u1 [26 Apr 2019] DLA-1767-1 monit - security update {CVE-2019-11454 CVE-2019-11455} [jessie] - monit 1:5.9-1+deb8u2 = data/dla-needed.txt = @@ -18,13 +18,6 @@ axis -- bind9 (Thorsten Alteholz) -- -checkstyle (Adrian Bunk) - NOTE: CVE-2019-9658: changes appear to involve compatibility breakage, handle with care. - NOTE: CVE-2019-9658: removal of DTDs from http://checkstyle.sourceforge.net and - NOTE: CVE-2019-9658: http://puppycrawl.com/ might affect the validity of our default config - NOTE: CVE-2019-9658: so depending of the impact this might require a jessie update - NOTE: 20190413: work ongoing --- claws-mail NOTE: 20190408: patch not yet available -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d0d2a75e7c4b3e163742fbb62c390ede77a9de3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d0d2a75e7c4b3e163742fbb62c390ede77a9de3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
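Review bot: the removed dla-needed.txt NOTE lines carry a real caveat about CVE-2019-9658, namely that the fix removes the DTDs served from checkstyle.sourceforge.net and puppycrawl.com and may break the validity of the default configuration. That information disappears from the tracker with this hunk; consider preserving it as a NOTE on the CVE-2019-9658 entry or in the DLA-1768-1 text so users of the jessie update know to check their configs.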
[Git][security-tracker-team/security-tracker][master] CVEs assigned for dhcpcd5 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5ebd52c by Salvatore Bonaccorso at 2019-04-28T17:25:42Z CVEs assigned for dhcpcd5 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ -CVE-2019- [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses] +CVE-2019-11577 [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses] - dhcpcd5 (bug #928105) [stretch] - dhcpcd5 (Vulnerable code not present) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6 -CVE-2019- [DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED] +CVE-2019-11579 [DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED] - dhcpcd5 (bug #928104) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 -CVE-2019- [auth: Use consttime_memequal to avoid latency attack] +CVE-2019-11578 [auth: Use consttime_memequal to avoid latency attack] - dhcpcd5 (bug #928056) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233 NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5ebd52c7852fcc8a9f7dacb1e7ac21ee97ecb72 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5ebd52c7852fcc8a9f7dacb1e7ac21ee97ecb72 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] security_db: Make source code comment independent of codename for distribution
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7748b6ad by Salvatore Bonaccorso at 2019-04-28T17:19:38Z security_db: Make source code comment independent of codename for distribution - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -563,7 +563,7 @@ class DB: self.db.createscalarfunction("urgency_to_number", urgency_to_number, 1) def releasepart_to_number(r): -# expects a string in the form "wheezy (security)" +# expects a string in the form "codename (security)" try: u=r.split()[0] return release_to_number(u) @@ -572,7 +572,7 @@ class DB: self.db.createscalarfunction("releasepart_to_number", releasepart_to_number, 1) def subreleasepart_to_number(r): -# expects a string in the form "wheezy (security)" +# expects a string in the form "codename (security)" try: if not "(" in r: return 0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7748b6ad5d75f74d7be69faf9baf80702c224b5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7748b6ad5d75f74d7be69faf9baf80702c224b5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
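Review bot: the comment change itself is accurate and the comment now reads "codename (security)" in both helpers. While touching these lines, the context in the second hunk shows `if not "(" in r:`, which is more idiomatically written as `if "(" not in r:`; a small style point, but it is the line directly below the edited comment.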
[Git][security-tracker-team/security-tracker][master] 3 commits: config.json: Add next known codenames up to bookworm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c112cd3f by Salvatore Bonaccorso at 2019-04-28T15:16:20Z config.json: Add next known codenames up to bookworm - - - - - 7a8496b3 by Salvatore Bonaccorso at 2019-04-28T15:17:40Z config.json: Correct mappings for releases stretch ist stable release, buster is testing release currently. - - - - - f26705d4 by Salvatore Bonaccorso at 2019-04-28T15:18:48Z Reformat data/config.json with jq - - - - - 1 changed file: - data/config.json Changes: = data/config.json = @@ -47,8 +47,7 @@ "optional": [ "wheezy-proposed-updates" ] - }, - "release": "oldstable" + } }, "jessie": { "members": { @@ -60,7 +59,7 @@ "jessie-proposed-updates" ] }, - "release": "stable" + "release": "oldstable" }, "stretch": { "members": { @@ -72,8 +71,42 @@ "stretch-proposed-updates" ] }, + "release": "stable" +}, +"buster": { + "members": { +"supported": [ + "buster", + "buster-security" +], +"optional": [ + "buster-proposed-updates" +] + }, "release": "testing" }, +"bullseye": { + "members": { +"supported": [ + "bullseye", + "bullseye-security" +], +"optional": [ + "bullseye-proposed-updates" +] + } +}, +"bookworm": { + "members": { +"supported": [ + "bookworm", + "bookworm-security" +], +"optional": [ + "bookworm-proposed-updates" +] + } +}, "sid": { "members": { "supported": [ 
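Review bot: the first hunk drops the "release" key from the wheezy entry instead of remapping it, and the new bullseye and bookworm entries are added without a "release" key at all, so any consumer of config.json that reads entry["release"] unconditionally will now meet entries that lack it; check that the loader treats a missing "release" as "no role" (or give those entries an explicit value) before merging. The second commit's message also reads "stretch ist stable release", presumably "is".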
@@ -84,9 +117,25 @@ } }, "sources": [ -{"name": "CVE", "path": "/CVE/list", "class": "CVEFile"}, -{"name": "DSA", "path": "/DSA/list", "class": "DSAFile"}, -{"name": "DTSA", "path": "/DTSA/list", "class": "DTSAFile"}, -{"name": "DLA", "path": "/DLA/list", "class": "DSAFile"} +{ + "name": "CVE", + "path": "/CVE/list", + "class": "CVEFile" +}, +{ + "name": "DSA", + "path": "/DSA/list", + "class": "DSAFile" +}, +{ + "name": "DTSA", + "path": "/DTSA/list", + "class": "DTSAFile" +}, +{ + "name": "DLA", + "path": "/DLA/list", + "class": "DSAFile" +} ] } View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7d09d36dde25e6503a879196e6fdc26212cf198e...f26705d41178ce772dabeb29af55efbe487a2adb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7d09d36dde25e6503a879196e6fdc26212cf198e...f26705d41178ce772dabeb29af55efbe487a2adb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update libmatio status
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d09d36d by Adrian Bunk at 2019-04-28T14:55:43Z Update libmatio status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,7 +86,13 @@ liblivemedia (Hugo Lefeuvre) libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. - NOTE: 20190413: work ongoing + NOTE: 20190428: most patches can be applied after context adaption + NOTE: 20190428: all CVEs are from one fuzzing attempt + NOTE: 20190428: some CVE testcases pass on the unpatched version, + NOTE: 20190428: but since the fixes can be made applied the code + NOTE: 20190428: is likely vulnerable + NOTE: 20190428: some CVE testcases still fail after applying the fix, + NOTE: 20190428: older changes seem to also be required for them -- libspring-security-2.0-java -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d09d36dde25e6503a879196e6fdc26212cf198e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d09d36dde25e6503a879196e6fdc26212cf198e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
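Review bot: the fourth and fifth added NOTE lines read "since the fixes can be made applied the code is likely vulnerable", which is garbled; "since the fixes can be applied, the code is likely vulnerable" is presumably meant. It would also help to record which CVE testcases pass on the unpatched version and which still fail after patching, since the entry otherwise gives a later reader no way to tell which issues need the older changes as well.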
[Git][security-tracker-team/security-tracker][master] 2 commits: Update support end date for jessie in LTS
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 60f86379 by Salvatore Bonaccorso at 2019-04-28T12:03:25Z Update support end date for jessie in LTS Update time mapping according to https://wiki.debian.org/LTS/ overview. - - - - - a77c11fe by Salvatore Bonaccorso at 2019-04-28T12:05:07Z bin/support-ended.py: Update comment for stretch EOL in LTS - - - - - 1 changed file: - bin/support-ended.py Changes: = bin/support-ended.py = @@ -29,9 +29,8 @@ import sys release_mapping = { 'deb6': ('squeeze', '2016-02-29'), 'deb7': ('wheezy', '2018-05-31'), +'deb8': ('jessie', '2020-06-30'), # End date not yet fixed -'deb8': ('jessie', '2020-04-30'), -# Not even released yet 'deb9': ('stretch', None), } View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c3d1609c08b445d851af8f793c9e601af8b2e26d...a77c11fe2d0e3a564362cd1a82bf7551d8ad31bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c3d1609c08b445d851af8f793c9e601af8b2e26d...a77c11fe2d0e3a564362cd1a82bf7551d8ad31bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
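Review bot: the retained "# End date not yet fixed" comment now applies to the 'deb9' (stretch) entry only, which matches the second commit, but the jessie date change from 2020-04-30 to 2020-06-30 is justified only in the commit message; a short comment next to the 'deb8' entry pointing at https://wiki.debian.org/LTS/ would let the date be re-verified without resorting to git blame.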
[Git][security-tracker-team/security-tracker][master] Fix short description of one dhcpcd5 issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c3d1609c by Salvatore Bonaccorso at 2019-04-28T11:43:46Z Fix short description of one dhcpcd5 issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2019- [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses] CVE-2019- [DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED] - dhcpcd5 (bug #928104) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 -CVE-2019- [auth: Use consttime_memequal to avoid latency attack consttime_memequal is supplied if libc does not support it] +CVE-2019- [auth: Use consttime_memequal to avoid latency attack] - dhcpcd5 (bug #928056) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233 NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c3d1609c08b445d851af8f793c9e601af8b2e26d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c3d1609c08b445d851af8f793c9e601af8b2e26d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add three new dhcpcd5 issues (#928056, #928104, #928105)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46c7dfc9 by Salvatore Bonaccorso at 2019-04-28T09:14:25Z Add three new dhcpcd5 issues (#928056, #928104, #928105) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2019- [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses] + - dhcpcd5 (bug #928105) + [stretch] - dhcpcd5 (Vulnerable code not present) + NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6 +CVE-2019- [DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED] + - dhcpcd5 (bug #928104) + NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 +CVE-2019- [auth: Use consttime_memequal to avoid latency attack consttime_memequal is supplied if libc does not support it] + - dhcpcd5 (bug #928056) + NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233 + NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da + NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=aee631aadeef4283c8a749c1caf77823304acf5e CVE-2019-11576 (Gitea before 1.8.0 allows 1FA for user accounts that have completed 2F ...) - gitea CVE-2019-11575 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/46c7dfc9db6ecfd1f95732623065cf5562cd1c8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/46c7dfc9db6ecfd1f95732623065cf5562cd1c8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
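Review bot: only the first of the three new entries carries a [stretch] assessment ("Vulnerable code not present"); the DHO_OPTSOVERLOADED read overflow and the consttime_memequal entries record no stretch status, so either add a [stretch] line for them or mark that triage as pending. The third entry's short description also runs the commit's second sentence onto the title ("... latency attack consttime_memequal is supplied if libc does not support it"); trimming it to the first clause reads better.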
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-18510/firefox
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9914be08 by Salvatore Bonaccorso at 2019-04-28T08:51:38Z Add CVE-2018-18510/firefox - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32987,7 +32987,8 @@ CVE-2018-18511 (Cross-origin images can be read from a canvas element in violati - skia (bug #818180) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2018-18511 CVE-2018-18510 (The about:crashcontent and about:crashparent pages can be triggered by ...) - TODO: check + - firefox 64.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18510 CVE-2018-18509 (A flaw during verification of certain S/MIME signatures causes emails ...) {DSA-4392-1 DLA-1678-1} - thunderbird 1:60.5.1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9914be08eb5732e92752ac327f6936c8fef021bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9914be08eb5732e92752ac327f6936c8fef021bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e027739 by Salvatore Bonaccorso at 2019-04-28T08:33:36Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,13 +15,13 @@ CVE-2019-11570 CVE-2019-11569 RESERVED CVE-2019-11568 (An issue was discovered in AikCms v2.0. There is a File upload vulnera ...) - TODO: check + NOT-FOR-US: AikCms CVE-2019-11567 (An issue was discovered in AikCms v2.0. There is a SQL Injection vulne ...) - TODO: check + NOT-FOR-US: AikCms CVE-2019-11566 RESERVED CVE-2019-11565 (Server Side Request Forgery (SSRF) exists in the Print My Blog plugin ...) - TODO: check + NOT-FOR-US: Print My Blog plugin for WordPress CVE-2019-11564 RESERVED CVE-2019-11563 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0e027739e2435ad978f4f9e71a62a6a0945bb05f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0e027739e2435ad978f4f9e71a62a6a0945bb05f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11576/gitea
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2eafa593 by Salvatore Bonaccorso at 2019-04-28T08:22:51Z Add CVE-2019-11576/gitea - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2019-11576 (Gitea before 1.8.0 allows 1FA for user accounts that have completed 2F ...) - TODO: check + - gitea CVE-2019-11575 RESERVED CVE-2019-11574 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2eafa59334716ce6ec8f79e684e370c54ae4bc96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2eafa59334716ce6ec8f79e684e370c54ae4bc96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7137c7d4 by security tracker role at 2019-04-28T08:10:17Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2019-11576 (Gitea before 1.8.0 allows 1FA for user accounts that have completed 2F ...) + TODO: check +CVE-2019-11575 + RESERVED +CVE-2019-11574 + RESERVED +CVE-2019-11573 + RESERVED +CVE-2019-11572 + RESERVED +CVE-2019-11571 + RESERVED +CVE-2019-11570 + RESERVED +CVE-2019-11569 + RESERVED +CVE-2019-11568 (An issue was discovered in AikCms v2.0. There is a File upload vulnera ...) + TODO: check +CVE-2019-11567 (An issue was discovered in AikCms v2.0. There is a SQL Injection vulne ...) + TODO: check +CVE-2019-11566 + RESERVED +CVE-2019-11565 (Server Side Request Forgery (SSRF) exists in the Print My Blog plugin ...) + TODO: check CVE-2019-11564 RESERVED CVE-2019-11563 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7137c7d41d6886663664fe522698857a8e350693 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7137c7d41d6886663664fe522698857a8e350693 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-384{3,4}/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ff1bdae by Salvatore Bonaccorso at 2019-04-28T07:30:31Z Add Debian bug reference for CVE-2019-384{3,4}/systemd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19056,14 +19056,14 @@ CVE-2019-3846 CVE-2019-3845 (A lack of access control was found in the message queues maintained by ...) NOT-FOR-US: qpid dispatch router CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...) - - systemd + - systemd (bug #928102) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610 NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...) - - systemd + - systemd (bug #928102) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) NOTE: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 NOTE: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ff1bdaee0defee158712f05cdcc9402c10e40a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ff1bdaee0defee158712f05cdcc9402c10e40a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-835{4,5,6,7}/sox fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a25c2b84 by Salvatore Bonaccorso at 2019-04-28T07:06:48Z CVE-2019-835{4,5,6,7}/sox fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -8497,19 +8497,19 @@ CVE-2019-8359 CVE-2019-8358 (In Hiawatha before 10.8.4, a remote attacker is able to do directory t ...) NOT-FOR-US: Hiawatha CVE-2019-8357 (An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c ...) - - sox (low; bug #927906) + - sox 14.4.2+git20190427-1 (low; bug #927906) NOTE: https://sourceforge.net/p/sox/bugs/318 NOTE: https://sourceforge.net/p/sox/code/ci/2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b/ CVE-2019-8356 (An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 ...) - - sox (bug #927906) + - sox 14.4.2+git20190427-1 (bug #927906) NOTE: https://sourceforge.net/p/sox/bugs/321 NOTE: https://sourceforge.net/p/sox/code/ci/b7883ae1398499daaa926ae6621f088f0f531ed8/ CVE-2019-8355 (An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integ ...) - - sox (bug #927906) + - sox 14.4.2+git20190427-1 (bug #927906) NOTE: https://sourceforge.net/p/sox/bugs/320 NOTE: https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/ CVE-2019-8354 (An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c ...) - - sox (bug #927906) + - sox 14.4.2+git20190427-1 (bug #927906) NOTE: https://sourceforge.net/p/sox/bugs/319 NOTE: https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/ CVE-2019-8353 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a25c2b8449738c5c6f9e9ddbfb5e3892c0795299 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a25c2b8449738c5c6f9e9ddbfb5e3892c0795299 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-384{3,4}/systemd as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 32a4a628 by Salvatore Bonaccorso at 2019-04-28T07:01:19Z Mark CVE-2019-384{3,4}/systemd as no-dsa Attack vector requires control both of an exploitable service and a helper outside. Futhermore DynamicUsers are not widely used. As per https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596/comments/7 in Debian itself those are yet limited, but still present. The version in stretch (v232) is the version introducing support for DynamicUsers, earlier versions as for jessie mght thus even not be affected but would need to be checked. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -19057,12 +19057,14 @@ CVE-2019-3845 (A lack of access control was found in the message queues maintain NOT-FOR-US: qpid dispatch router CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd + [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610 NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...) - systemd + [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) NOTE: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 NOTE: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada NOTE: https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/32a4a62898f80c4680f087792970a95f2e727f6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/32a4a62898f80c4680f087792970a95f2e727f6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
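Review bot: the hunk adds [stretch] no-dsa lines for both CVEs but records nothing for jessie, even though the commit message says stretch (v232) introduced DynamicUser support and jessie may therefore not be affected but still needs checking; a TODO note for jessie on each entry would keep that open question in the tracker rather than only in the commit message. The commit message also has "Futhermore" and "mght" for "Furthermore" and "might".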