[Git][security-tracker-team/security-tracker][master] 2 commits: Add upstream otrs2 security advisory references for OSA-2019-{04,05,06}

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c552b693 by Salvatore Bonaccorso at 2019-04-29T05:18:33Z
Add upstream otrs2 security advisory references for OSA-2019-{04,05,06}

- - - - -
12421b08 by Salvatore Bonaccorso at 2019-04-29T05:20:55Z
Reference upstream commits for CVE-2019-9892, CVE-2019-10066 and CVE-2019-10067

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3560,9 +3560,14 @@ CVE-2019-10068 (An issue was discovered in Kentico 
before 12.0.15. Due to a fail
 CVE-2019-10067 [OSA-2019-05]
RESERVED
- otrs2 6.0.18-1
+   NOTE: OTRS 6: 
https://github.com/OTRS/otrs/commit/8a489236336ddc82e745c27abb32dfa1ceefb0f4
+   NOTE: OTRS 5: 
https://github.com/OTRS/otrs/commit/67158d8b08309859572c795982ecc7c52484ab0e
+   NOTE: 
https://community.otrs.com/security-advisory-2019-05-security-update-for-otrs-framework/
 CVE-2019-10066 [OSA-2019-06]
RESERVED
- otrs2 6.0.18-1
+   NOTE: OTRS 6: 
https://github.com/OTRS/otrs/commit/b99cad21f2dd1c2d52299424a589b0b2f20d7ba8
+   NOTE: 
https://community.otrs.com/security-advisory-2019-06-security-update-for-otrs-framework/
 CVE-2019-10065
RESERVED
 CVE-2019-10064
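Review bot: CVE-2019-10066 receives only an `OTRS 6:` fix commit (b99cad21f2dd1c2d52299424a589b0b2f20d7ba8), while CVE-2019-10067 in the same hunk references both an `OTRS 6:` and an `OTRS 5:` commit; if the 5.x branch is also affected by OSA-2019-06, add the matching `NOTE: OTRS 5:` line, and if it is not, a short NOTE saying so would stop the asymmetry from reading as an omission when the entry is revisited.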
@@ -3989,6 +3994,9 @@ CVE-2019-9894 (A remotely triggerable memory overwrite in 
RSA key exchange in Pu
 CVE-2019-9892 [OSA-2019-04]
RESERVED
- otrs2 6.0.18-1
+   NOTE: OTRS 6: 
https://github.com/OTRS/otrs/commit/3617488c6c28e06203e4127c7b031140f775a685
+   NOTE: OTRS 5: 
https://github.com/OTRS/otrs/commit/c3b9342a85c6f2c9382e074ad9cc440ce80a6f34
+   NOTE: 
https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/
 CVE-2019-9891
RESERVED
 CVE-2019-9890 (An issue was discovered in GitLab Community and Enterprise 
Edition 10. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/d479f9c394f0b516beb2f62b0b28ac7cfce2423b...12421b08ccdb8213ef2966acb71cb0690de1bbe5


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Cleanup trailing whitespaces in CVE list

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3529369 by Salvatore Bonaccorso at 2019-04-29T05:21:35Z
Cleanup trailing whitespaces in CVE list

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16668,7 +16668,7 @@ CVE-2019-5008 (hw/sparc64/sun4u.c in QEMU 3.1.50 is 
vulnerable to a NULL pointer
[jessie] - qemu  (Minor issue)
- qemu-kvm 
NOTE: https://fakhrizulkifli.github.io/posts/2019/01/03/CVE-2019-5008/
-   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=ad280559c68360c9f1cd7be063857853759e6a73
 (4.0.0-rc0)  
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=ad280559c68360c9f1cd7be063857853759e6a73
 (4.0.0-rc0)
 CVE-2019-5007 (An issue was discovered in Foxit Reader and PhantomPDF before 
9.4 on W ...)
NOT-FOR-US: Foxit Reader and PhantomPDF
 CVE-2019-5006 (An issue was discovered in Foxit Reader and PhantomPDF before 
9.4 on W ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3529369ca6322d39cd305a7ceef7762cd1e8b7e


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9892, CVE-2019-10066 and CVE-2019-10067 for otrs2

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d479f9c3 by Salvatore Bonaccorso at 2019-04-29T05:15:54Z
Add CVE-2019-9892, CVE-2019-10066 and CVE-2019-10067 for otrs2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3557,10 +3557,12 @@ CVE-2019-10069
RESERVED
 CVE-2019-10068 (An issue was discovered in Kentico before 12.0.15. Due to a 
failure to ...)
NOT-FOR-US: Kentico
-CVE-2019-10067
+CVE-2019-10067 [OSA-2019-05]
RESERVED
-CVE-2019-10066
+   - otrs2 6.0.18-1
+CVE-2019-10066 [OSA-2019-06]
RESERVED
+   - otrs2 6.0.18-1
 CVE-2019-10065
RESERVED
 CVE-2019-10064
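Review bot: the new `+   - otrs2 6.0.18-1` lines for CVE-2019-10067 and CVE-2019-10066 record a fixed version but no NOTE line pointing at the advisory or the upstream fix commit, so the fix claim cannot be verified from the entry itself; adding for example `NOTE: https://community.otrs.com/security-advisory-2019-05-security-update-for-otrs-framework/` next to each entry keeps the evidence together with the status.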
@@ -3984,8 +3986,9 @@ CVE-2019-9894 (A remotely triggerable memory overwrite in 
RSA key exchange in Pu
- putty 0.70-6
NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html
NOTE: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d82854999516046122501b2e145099740ed0284f
-CVE-2019-9892
+CVE-2019-9892 [OSA-2019-04]
RESERVED
+   - otrs2 6.0.18-1
 CVE-2019-9891
RESERVED
 CVE-2019-9890 (An issue was discovered in GitLab Community and Enterprise 
Edition 10. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d479f9c394f0b516beb2f62b0b28ac7cfce2423b


[Git][security-tracker-team/security-tracker][master] LTS/python-urllib3, python2.7, python3.4 status update

2019-04-28 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
548b4d54 by Roberto C. Sánchez at 2019-04-29T03:04:33Z
LTS/python-urllib3, python2.7, python3.4 status update

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -110,15 +110,15 @@ poppler
   NOTE: 20190408: No known upstream patches available for remaining open CVEs 
(sunweaver)
 --
 python-urllib3 (Roberto C. Sánchez)
-  NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto)
+  NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
 python2.7 (Roberto C. Sánchez)
   NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and 
CVE-2019-9636
-  NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto)
+  NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
 python3.4 (Roberto C. Sánchez)
   NOTE: 20190321: Patches integrated for CVE-2018-14647 and CVE-2019-9636
-  NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto)
+  NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
 qemu (Emilio)
   NOTE: 20190424: fixing new plus old postponed issues
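Review bot: the three `+  NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto)` lines only bump the date and still give no pointer to which upstream action is pending, so the next triager has to rediscover it; suggest adding the upstream bug or PR reference once, e.g. `NOTE: 20190429: Waiting on upstream action for CVE-2019-9740, see UPSTREAM-ISSUE-URL (roberto)`, with the real URL in place of the placeholder.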



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/548b4d54ce81849a32e2d52f2ee6f82a7e9c3fed


[Git][security-tracker-team/security-tracker][master] CVE-2019-11498 fixed in wavpack/5.1.0-6

2019-04-28 Thread Sebastian Ramacher


Sebastian Ramacher pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6216cf7b by Sebastian Ramacher at 2019-04-28T21:44:29Z
CVE-2019-11498 fixed in wavpack/5.1.0-6

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -178,7 +178,7 @@ CVE-2019-11500
 CVE-2019-11499
RESERVED
 CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in 
WavPack t ...)
-   - wavpack  (bug #927903)
+   - wavpack 5.1.0-6 (bug #927903)
NOTE: https://github.com/dbry/WavPack/issues/67
NOTE: 
https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4
 CVE-2019-11497



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6216cf7bdcae3578c5211d46388fad37d4256b1e


[Git][security-tracker-team/security-tracker][master] 2 commits: add dhcpcd5

2019-04-28 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61aa25df by Thorsten Alteholz at 2019-04-28T21:10:54Z
add dhcpcd5

- - - - -
186d2180 by Thorsten Alteholz at 2019-04-28T21:10:54Z
claim packages

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -12,7 +12,7 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 --
 389-ds-base (Mike Gabriel)
 --
-atftp
+atftp (Thorsten Alteholz)
 --
 axis
 --
@@ -21,6 +21,8 @@ bind9 (Thorsten Alteholz)
 claws-mail
   NOTE: 20190408: patch not yet available
 --
+dhcpcd5
+--
 drupal7
 --
 evolution-ews
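Review bot: the new `+dhcpcd5` entry is added without a claimant and without a NOTE line, unlike the neighbouring `claws-mail` entry; record which dhcpcd5 issues the DLA is expected to cover (in this digest CVE-2019-11577 is already marked not affected for jessie, while CVE-2019-11578 and CVE-2019-11579 carry no jessie status at all) so that whoever picks the package up has an actionable entry.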
@@ -99,7 +101,7 @@ modsecurity-crs
 --
 openjdk-7 (Emilio)
 --
-php5
+php5 (Thorsten Alteholz)
 --
 polarssl
   NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to 
move to latest version, etc. (!). (lamby)
@@ -138,7 +140,7 @@ wireshark (Hugo Lefeuvre)
 wordpress
   NOTE: 20190401: remaining one issue (CVE-2019-8943). Waiting for upstream 
patch (abhijith)
 --
-wpa
+wpa (Thorsten Alteholz)
 --
 xen (worked on by credativ)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/ba14e9f0064aeef237ce94c8d2e0e5d715242d9c...186d2180570f8dfc961d8aa4ae2dc96bf14fb78f


[Git][security-tracker-team/security-tracker][master] Makefile: Remove leftover wheezy_ARCHS list

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba14e9f0 by Salvatore Bonaccorso at 2019-04-28T21:11:36Z
Makefile: Remove leftover wheezy_ARCHS list

- - - - -


1 changed file:

- Makefile


Changes:

=
Makefile
=
@@ -10,7 +10,6 @@ TESTING  = buster
 MIRROR = http://debian.csail.mit.edu/debian
 SECURITY_MIRROR = http://security.debian.org/debian-security
 
-wheezy_ARCHS = amd64 armel armhf i386
 jessie_ARCHS = amd64 armel armhf i386
 stretch_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
 buster_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
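Review bot: dropping `-wheezy_ARCHS = amd64 armel armhf i386` is only safe if nothing else in the Makefile still expands `$(wheezy_ARCHS)`; GNU make expands an undefined variable to the empty string without any error, so a leftover use would not fail the build but would quietly produce an empty architecture list. A quick `grep -n wheezy Makefile` before merging confirms that no other reference remains.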



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ba14e9f0064aeef237ce94c8d2e0e5d715242d9c


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1770-1 for gst-plugins-base1.0

2019-04-28 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4814fa3c by Thorsten Alteholz at 2019-04-28T21:01:43Z
Reserve DLA-1770-1 for gst-plugins-base1.0

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Apr 2019] DLA-1770-1 gst-plugins-base1.0 - security update
+   {CVE-2019-9928}
+   [jessie] - gst-plugins-base1.0 1.4.4-2+deb8u2
 [28 Apr 2019] DLA-1769-1 gst-plugins-base0.10 - security update
{CVE-2019-9928}
[jessie] - gst-plugins-base0.10 0.10.36-2+deb8u1


=
data/dla-needed.txt
=
@@ -36,8 +36,6 @@ gradle
 --
 graphicsmagick
 --
-gst-plugins-base1.0 (Thorsten Alteholz)
---
 hdf5 (Hugo Lefeuvre)
   NOTE: requires some prior triage, almost all cves undetermined.
   NOTE: contacted hdf5 upstream, received information, currently updating the 
tracker.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4814fa3cf22236527b4deeeff64b9410a29a6235


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1769-1 for gst-plugins-base0.10

2019-04-28 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d87df6ab by Thorsten Alteholz at 2019-04-28T20:49:45Z
Reserve DLA-1769-1 for gst-plugins-base0.10

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Apr 2019] DLA-1769-1 gst-plugins-base0.10 - security update
+   {CVE-2019-9928}
+   [jessie] - gst-plugins-base0.10 0.10.36-2+deb8u1
 [28 Apr 2019] DLA-1768-1 checkstyle - security update
{CVE-2019-9658}
[jessie] - checkstyle 5.9-1+deb8u1


=
data/dla-needed.txt
=
@@ -36,8 +36,6 @@ gradle
 --
 graphicsmagick
 --
-gst-plugins-base0.10 (Thorsten Alteholz)
---
 gst-plugins-base1.0 (Thorsten Alteholz)
 --
 hdf5 (Hugo Lefeuvre)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d87df6abf71f13b0557f85490a1f9867523cc3b2


[Git][security-tracker-team/security-tracker][master] automatic update

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4dabd74 by security tracker role at 2019-04-28T20:10:26Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,12 +1,12 @@
-CVE-2019-11577 [DHCPv6: Fix a potential buffer overflow reading NA/TA 
addresses]
+CVE-2019-11577 (dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna 
in dhcp ...)
- dhcpcd5  (bug #928105)
[stretch] - dhcpcd5  (Vulnerable code not present)
[jessie] - dhcpcd5  (Vulnerable code not present)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6
-CVE-2019-11579 [DHCP: Fix a potential 1 byte read overflow with 
DHO_OPTSOVERLOADED]
+CVE-2019-11579 (dhcp.c in dhcpcd before 7.2.1 contains a 1-byte read overflow 
with DHO ...)
- dhcpcd5  (bug #928104)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8
-CVE-2019-11578 [auth: Use consttime_memequal to avoid latency attack]
+CVE-2019-11578 (auth.c in dhcpcd before 7.2.1 allowed attackers to infer 
secrets by pe ...)
- dhcpcd5  (bug #928056)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da
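Review bot: CVE-2019-11579 and CVE-2019-11578 still have no `[stretch]` or `[jessie]` status lines in this hunk, whereas CVE-2019-11577 carries both, so the two remain unassessed for the stable and LTS releases. The new description for CVE-2019-11578 (`auth.c in dhcpcd before 7.2.1 allowed attackers to infer secrets`), together with the referenced consttime_memequal fix, identifies a timing side channel in authentication, which deserves an explicit per-release decision rather than blank lines.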
@@ -2295,6 +2295,7 @@ CVE-2019-10652 (An issue was discovered in flatCore 
1.4.7. acp/acp.php allows re
 CVE-2019-10651
RESERVED
 CVE-2019-10650 (In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer 
over-read in ...)
+   {DSA-4436-1}
- imagemagick  (bug #926091)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1532
 CVE-2019-10649 (In ImageMagick 7.0.8-36 Q16, there is a memory leak in the 
function SV ...)
@@ -3790,6 +3791,7 @@ CVE-2019-9958
 CVE-2019-9957
RESERVED
 CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer 
overflow in ...)
+   {DSA-4436-1}
- imagemagick  (bug #925395)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1523
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979
@@ -5291,6 +5293,7 @@ CVE-2019-9660 (Stored XSS exists in YzmCMS 5.2 via the 
admin/category/edit.html
 CVE-2019-9659 (The Chuango 433 MHz burglar-alarm product line uses static 
codes in th ...)
NOT-FOR-US: Chuango
 CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...)
+   {DLA-1768-1}
- checkstyle  (low; bug #924598)
[buster] - checkstyle  (Minor issue)
[stretch] - checkstyle  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4dabd746558910bb7b03f09b59ab6ef9ab9165f


[Git][security-tracker-team/security-tracker][master] mark two systemd issues as ignored after followup with maintainer

2019-04-28 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
377b by Moritz Muehlenhoff at 2019-04-28T19:43:08Z
mark two systemd issues as ignored after followup with maintainer

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19094,7 +19094,7 @@ CVE-2019-3845 (A lack of access control was found in 
the message queues maintain
NOT-FOR-US: qpid dispatch router
 CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd  (bug #928102)
-   [stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
+   [stretch] - systemd  (Minor issue; exploit vector needs 
control both of the service and a helper outside)
[jessie] - systemd  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610
NOTE: 
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
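Review bot: as rendered here, the `-` and `+` lines for the `[stretch] - systemd` entry are textually identical apart from line wrapping; the status keyword the commit message says is being changed (to ignored) is written in angle brackets in this file format and has been stripped by the mail rendering, so the actual change cannot be confirmed from this view and should be checked on the commit page directly. Since the justification (follow-up with the maintainer) currently lives only in the commit message, a NOTE line recording it in the entry would let the ignore decision be re-evaluated later without digging through history.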
@@ -19102,7 +19102,7 @@ CVE-2019-3844 (It was discovered that a systemd service 
that uses DynamicUser pr
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd  (bug #928102)
-   [stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
+   [stretch] - systemd  (Minor issue; exploit vector needs 
control both of the service and a helper outside)
[jessie] - systemd  (Vulnerable code introduced later)
NOTE: 
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
NOTE: 
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/377b48c5a5c22114b775cc2c67db69ba1f48


[Git][security-tracker-team/security-tracker][master] imagemagick DSA

2019-04-28 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad068a5b by Moritz Muehlenhoff at 2019-04-28T19:38:01Z
imagemagick DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[28 Apr 2019] DSA-4436-1 imagemagick - security update
+   {CVE-2019-9956 CVE-2019-10650}
+   [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u7
 [27 Apr 2019] DSA-4435-1 libpng1.6 - security update
{CVE-2019-7317}
[stretch] - libpng1.6 1.6.28-1+deb9u1


=
data/dsa-needed.txt
=
@@ -24,8 +24,6 @@ glusterfs
 --
 graphicsmagick
 --
-imagemagick (jmm)
---
 koji
 --
 libidn



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad068a5b36ef913ac7cc50fb1c215dfadd1be79b


[Git][security-tracker-team/security-tracker][master] Update information for CVE-2019-384{3,4}/systemd

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c87341ee by Salvatore Bonaccorso at 2019-04-28T19:18:59Z
Update information for CVE-2019-384{3,4}/systemd

Support for DynamicUser property was added later and is not present in
v215.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19095,7 +19095,7 @@ CVE-2019-3845 (A lack of access control was found in 
the message queues maintain
 CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd  (bug #928102)
[stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
-   [jessie] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
+   [jessie] - systemd  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610
NOTE: 
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
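Review bot: the reason for the new `[jessie] - systemd  (Vulnerable code introduced later)` line (DynamicUser support is absent from systemd v215) is given only in the commit message; add a NOTE line with the upstream commit that introduced the DynamicUser property so the claim can be re-checked from the tracker entry itself. The same applies to the CVE-2019-3843 hunk below.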
@@ -19103,7 +19103,7 @@ CVE-2019-3844 (It was discovered that a systemd service 
that uses DynamicUser pr
 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd  (bug #928102)
[stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
-   [jessie] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
+   [jessie] - systemd  (Vulnerable code introduced later)
NOTE: 
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
NOTE: 
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
NOTE: 
https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c87341ee5a07fdaed7cd20876824123268465642


[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2019-11577 as not affected for jessie

2019-04-28 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2598115f by Thorsten Alteholz at 2019-04-28T18:16:59Z
mark CVE-2019-11577 as not affected for jessie

- - - - -
557fb7eb by Thorsten Alteholz at 2019-04-28T18:17:00Z
mark CVE-2019-3843 as no-dsa for jessie

- - - - -
72f44f25 by Thorsten Alteholz at 2019-04-28T18:17:01Z
mark CVE-2019-3844 as no-dsa for jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,6 +1,7 @@
 CVE-2019-11577 [DHCPv6: Fix a potential buffer overflow reading NA/TA 
addresses]
- dhcpcd5  (bug #928105)
[stretch] - dhcpcd5  (Vulnerable code not present)
+   [jessie] - dhcpcd5  (Vulnerable code not present)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6
 CVE-2019-11579 [DHCP: Fix a potential 1 byte read overflow with 
DHO_OPTSOVERLOADED]
- dhcpcd5  (bug #928104)
@@ -19094,6 +19095,7 @@ CVE-2019-3845 (A lack of access control was found in 
the message queues maintain
 CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd  (bug #928102)
[stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
+   [jessie] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610
NOTE: 
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
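Review bot: the added `[jessie] - systemd` line copies the stretch rationale verbatim (`exploit vector needs control both of the service and a helper outside`), which presumes that the DynamicUser code is present in jessie's systemd; that presumption is not checked here. Verifying whether v215 has the property at all is cheaper than a no-dsa triage, and the follow-up commit c87341ee in this digest does exactly that and replaces the line with `(Vulnerable code introduced later)`.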
@@ -19101,6 +19103,7 @@ CVE-2019-3844 (It was discovered that a systemd service 
that uses DynamicUser pr
 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd  (bug #928102)
[stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
+   [jessie] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
NOTE: 
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
NOTE: 
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
NOTE: 
https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/9d0d2a75e7c4b3e163742fbb62c390ede77a9de3...72f44f25b4a6411f7d6020e8da6bf2159ded919d


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1768-1 for checkstyle

2019-04-28 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d0d2a75 by Adrian Bunk at 2019-04-28T18:15:11Z
Reserve DLA-1768-1 for checkstyle

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Apr 2019] DLA-1768-1 checkstyle - security update
+   {CVE-2019-9658}
+   [jessie] - checkstyle 5.9-1+deb8u1
 [26 Apr 2019] DLA-1767-1 monit - security update
{CVE-2019-11454 CVE-2019-11455}
[jessie] - monit 1:5.9-1+deb8u2


=
data/dla-needed.txt
=
@@ -18,13 +18,6 @@ axis
 --
 bind9 (Thorsten Alteholz)
 --
-checkstyle (Adrian Bunk)
-  NOTE: CVE-2019-9658: changes appear to involve compatibility breakage, 
handle with care.
-  NOTE: CVE-2019-9658: removal of DTDs from http://checkstyle.sourceforge.net 
and
-  NOTE: CVE-2019-9658: http://puppycrawl.com/ might affect the validity of our 
default config
-  NOTE: CVE-2019-9658: so depending of the impact this might require a jessie 
update
-  NOTE: 20190413: work ongoing
---
 claws-mail
   NOTE: 20190408: patch not yet available
 --
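Review bot: the removed NOTE lines recorded a real deployment caveat for CVE-2019-9658 (the fix stops loading DTDs from http://checkstyle.sourceforge.net and http://puppycrawl.com, which may invalidate the default configuration for users on older config files); with this hunk that caveat disappears from dla-needed.txt, so make sure the DLA-1768-1 advisory text carries the warning, otherwise the compatibility concern is lost.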



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d0d2a75e7c4b3e163742fbb62c390ede77a9de3


[Git][security-tracker-team/security-tracker][master] CVEs assigned for dhcpcd5 issues

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5ebd52c by Salvatore Bonaccorso at 2019-04-28T17:25:42Z
CVEs assigned for dhcpcd5 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,11 @@
-CVE-2019- [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses]
+CVE-2019-11577 [DHCPv6: Fix a potential buffer overflow reading NA/TA 
addresses]
- dhcpcd5  (bug #928105)
[stretch] - dhcpcd5  (Vulnerable code not present)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6
-CVE-2019- [DHCP: Fix a potential 1 byte read overflow with 
DHO_OPTSOVERLOADED]
+CVE-2019-11579 [DHCP: Fix a potential 1 byte read overflow with 
DHO_OPTSOVERLOADED]
- dhcpcd5  (bug #928104)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8
-CVE-2019- [auth: Use consttime_memequal to avoid latency attack]
+CVE-2019-11578 [auth: Use consttime_memequal to avoid latency attack]
- dhcpcd5  (bug #928056)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5ebd52c7852fcc8a9f7dacb1e7ac21ee97ecb72


[Git][security-tracker-team/security-tracker][master] security_db: Make source code comment independent of codename for distribution

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7748b6ad by Salvatore Bonaccorso at 2019-04-28T17:19:38Z
security_db: Make source code comment independent of codename for distribution

- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -563,7 +563,7 @@ class DB:
 self.db.createscalarfunction("urgency_to_number", urgency_to_number, 1)
 
 def releasepart_to_number(r):
-# expects a string in the form "wheezy (security)"
+# expects a string in the form "codename (security)"
 try:
 u=r.split()[0]
 return release_to_number(u)
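Review bot: the unchanged context line `u=r.split()[0]` lacks spaces around `=`; since the line above it is being edited anyway, `u = r.split()[0]` would match the spacing used elsewhere in this file. The updated comment is correct, but it could also say what the function returns on a string that does not match the shape, since the `try:` that follows implies a fallback value that is not visible in this hunk.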
@@ -572,7 +572,7 @@ class DB:
 self.db.createscalarfunction("releasepart_to_number", 
releasepart_to_number, 1)
 
 def subreleasepart_to_number(r):
-# expects a string in the form "wheezy (security)"
+# expects a string in the form "codename (security)"
 try:
 if not "(" in r:
 return 0
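Review bot: the context line `if not "(" in r:` would be clearer and pycodestyle-clean (E713) as `if "(" not in r:`; a trivial follow-up, but this function is being touched anyway. The comment change itself is right: tying the docstring to a specific codename is what made it go stale.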



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7748b6ad5d75f74d7be69faf9baf80702c224b5f


[Git][security-tracker-team/security-tracker][master] 3 commits: config.json: Add next known codenames up to bookworm

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c112cd3f by Salvatore Bonaccorso at 2019-04-28T15:16:20Z
config.json: Add next known codenames up to bookworm

- - - - -
7a8496b3 by Salvatore Bonaccorso at 2019-04-28T15:17:40Z
config.json: Correct mappings for releases

stretch is the stable release, buster is the testing release currently.

- - - - -
f26705d4 by Salvatore Bonaccorso at 2019-04-28T15:18:48Z
Reformat data/config.json with jq

- - - - -


1 changed file:

- data/config.json


Changes:

=
data/config.json
=
@@ -47,8 +47,7 @@
 "optional": [
   "wheezy-proposed-updates"
 ]
-  },
-  "release": "oldstable"
+  }
 },
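Review bot: after this hunk wheezy has no `release` key at all. That is consistent with it leaving oldstable, but any consumer that reads `release` for every codename has to tolerate the missing key; the bullseye and bookworm entries added later in this diff have the same shape, so this is the pattern to document rather than an accident.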
 "jessie": {
   "members": {
@@ -60,7 +59,7 @@
   "jessie-proposed-updates"
 ]
   },
-  "release": "stable"
+  "release": "oldstable"
 },
 "stretch": {
   "members": {
@@ -72,8 +71,42 @@
   "stretch-proposed-updates"
 ]
   },
+  "release": "stable"
+},
+"buster": {
+  "members": {
+"supported": [
+  "buster",
+  "buster-security"
+],
+"optional": [
+  "buster-proposed-updates"
+]
+  },
   "release": "testing"
 },
+"bullseye": {
+  "members": {
+"supported": [
+  "bullseye",
+  "bullseye-security"
+],
+"optional": [
+  "bullseye-proposed-updates"
+]
+  }
+},
+"bookworm": {
+  "members": {
+"supported": [
+  "bookworm",
+  "bookworm-security"
+],
+"optional": [
+  "bookworm-proposed-updates"
+]
+  }
+},
 "sid": {
   "members": {
 "supported": [
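Review bot: this hunk works by moving the unchanged `"release": "testing"` context line from stretch into the new buster block, while stretch gets an added `"release": "stable"`; the resulting mapping matches the commit message, but the bracket placement is easy to misread, so re-parsing the file after the change is worth the few seconds, because a misplaced brace here silently changes which suite the tracker treats as testing. bullseye and bookworm intentionally carry no `release` key, consistent with wheezy after the first hunk.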
@@ -84,9 +117,25 @@
 }
   },
   "sources": [
-{"name": "CVE", "path": "/CVE/list", "class": "CVEFile"},
-{"name": "DSA", "path": "/DSA/list", "class": "DSAFile"},
-{"name": "DTSA", "path": "/DTSA/list", "class": "DTSAFile"},
-{"name": "DLA", "path": "/DLA/list", "class": "DSAFile"}
+{
+  "name": "CVE",
+  "path": "/CVE/list",
+  "class": "CVEFile"
+},
+{
+  "name": "DSA",
+  "path": "/DSA/list",
+  "class": "DSAFile"
+},
+{
+  "name": "DTSA",
+  "path": "/DTSA/list",
+  "class": "DTSAFile"
+},
+{
+  "name": "DLA",
+  "path": "/DLA/list",
+  "class": "DSAFile"
+}
   ]
 }
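Review bot: this hunk is a pure jq reformat, so nothing semantic should change, but one detail it surfaces is that the DLA source keeps `"class": "DSAFile"` while the other three sources use a class named after themselves. If that is intentional (DLA sharing the DSA parser), a sentence in the commit message or README would stop future readers from treating it as a copy-paste slip.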



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/7d09d36dde25e6503a879196e6fdc26212cf198e...f26705d41178ce772dabeb29af55efbe487a2adb


[Git][security-tracker-team/security-tracker][master] Update libmatio status

2019-04-28 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d09d36d by Adrian Bunk at 2019-04-28T14:55:43Z
Update libmatio status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -86,7 +86,13 @@ liblivemedia (Hugo Lefeuvre)
 libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at 
them.
   NOTE: triage work needed, help security team for fixes if needed.
-  NOTE: 20190413: work ongoing
+  NOTE: 20190428: most patches can be applied after context adaption
+  NOTE: 20190428: all CVEs are from one fuzzing attempt
+  NOTE: 20190428: some CVE testcases pass on the unpatched version,
+  NOTE: 20190428: but since the fixes can be made applied the code
+  NOTE: 20190428: is likely vulnerable
+  NOTE: 20190428: some CVE testcases still fail after applying the fix,
+  NOTE: 20190428: older changes seem to also be required for them
 --
 libspring-security-2.0-java
 --
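Review bot: the NOTE lines "some CVE testcases pass on the unpatched version, but since the fixes can be made applied the code is likely vulnerable" draw a conclusion from patch applicability, which only shows that the code is present, not that the bug is reachable in the older version. Recording which CVE IDs fall into each group (testcase passes unpatched; still fails after the fix and needs older changes) would let the next person verify the triage instead of repeating it. Minor wording: "can be made applied" should read "can be applied".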



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d09d36dde25e6503a879196e6fdc26212cf198e


[Git][security-tracker-team/security-tracker][master] 2 commits: Update support end date for jessie in LTS

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60f86379 by Salvatore Bonaccorso at 2019-04-28T12:03:25Z
Update support end date for jessie in LTS

Update time mapping according to https://wiki.debian.org/LTS/ overview.

- - - - -
a77c11fe by Salvatore Bonaccorso at 2019-04-28T12:05:07Z
bin/support-ended.py: Update comment for stretch EOL in LTS

- - - - -


1 changed file:

- bin/support-ended.py


Changes:

=
bin/support-ended.py
=
@@ -29,9 +29,8 @@ import sys
 release_mapping = {
 'deb6': ('squeeze', '2016-02-29'),
 'deb7': ('wheezy',  '2018-05-31'),
+'deb8': ('jessie',  '2020-06-30'),
 # End date not yet fixed
-'deb8': ('jessie',  '2020-04-30'),
-# Not even released yet
 'deb9': ('stretch', None),
 }
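Review bot: moving `'deb8'` above the `# End date not yet fixed` comment makes the comment apply only to `'deb9'`, which is the intent of the second commit. Since the jessie end date changes here from 2020-04-30 to 2020-06-30, a short comment on the `'deb8'` line naming the source (https://wiki.debian.org/LTS/ per the commit message) would make the next update verifiable without digging through git history.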
 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/c3d1609c08b445d851af8f793c9e601af8b2e26d...a77c11fe2d0e3a564362cd1a82bf7551d8ad31bb


[Git][security-tracker-team/security-tracker][master] Fix short description of one dhcpcd5 issue

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c3d1609c by Salvatore Bonaccorso at 2019-04-28T11:43:46Z
Fix short description of one dhcpcd5 issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,7 @@ CVE-2019- [DHCPv6: Fix a potential buffer overflow reading 
NA/TA addresses]
 CVE-2019- [DHCP: Fix a potential 1 byte read overflow with 
DHO_OPTSOVERLOADED]
- dhcpcd5  (bug #928104)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8
-CVE-2019- [auth: Use consttime_memequal to avoid latency attack 
consttime_memequal is supplied if libc does not support it]
+CVE-2019- [auth: Use consttime_memequal to avoid latency attack]
- dhcpcd5  (bug #928056)
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233
NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da
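Review bot: the dropped second sentence, "consttime_memequal is supplied if libc does not support it", is what explains why a second upstream commit (cfde89ab...) is referenced for this issue; keeping that sentence as a NOTE line preserves the link now that the bracketed description is correctly trimmed to a single subject.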



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c3d1609c08b445d851af8f793c9e601af8b2e26d


[Git][security-tracker-team/security-tracker][master] Add three new dhcpcd5 issues (#928056, #928104, #928105)

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
46c7dfc9 by Salvatore Bonaccorso at 2019-04-28T09:14:25Z
Add three new dhcpcd5 issues (#928056, #928104, #928105)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,15 @@
+CVE-2019- [DHCPv6: Fix a potential buffer overflow reading NA/TA addresses]
+   - dhcpcd5  (bug #928105)
+   [stretch] - dhcpcd5  (Vulnerable code not present)
+   NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6
+CVE-2019- [DHCP: Fix a potential 1 byte read overflow with 
DHO_OPTSOVERLOADED]
+   - dhcpcd5  (bug #928104)
+   NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8
+CVE-2019- [auth: Use consttime_memequal to avoid latency attack 
consttime_memequal is supplied if libc does not support it]
+   - dhcpcd5  (bug #928056)
+   NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233
+   NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da
+   NOTE: 
https://roy.marples.name/git/dhcpcd.git/commit/?id=aee631aadeef4283c8a749c1caf77823304acf5e
 CVE-2019-11576 (Gitea before 1.8.0 allows 1FA for user accounts that have 
completed 2F ...)
- gitea 
 CVE-2019-11575
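Review bot: the `[stretch] - dhcpcd5  (Vulnerable code not present)` line and the `- dhcpcd5  (bug #928105)` lines show two spaces where the tracker's status token normally sits; the token may simply have been dropped by this mail rendering, but it is worth confirming in the committed file. The auth entry's bracketed description runs two commit subjects together; the short-description convention elsewhere in the file is a single subject, with the rest as a NOTE.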



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/46c7dfc9db6ecfd1f95732623065cf5562cd1c8b


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-18510/firefox

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9914be08 by Salvatore Bonaccorso at 2019-04-28T08:51:38Z
Add CVE-2018-18510/firefox

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32987,7 +32987,8 @@ CVE-2018-18511 (Cross-origin images can be read from a 
canvas element in violati
- skia  (bug #818180)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2018-18511
 CVE-2018-18510 (The about:crashcontent and about:crashparent pages can be 
triggered by ...)
-   TODO: check
+   - firefox 64.0-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18510
 CVE-2018-18509 (A flaw during verification of certain S/MIME signatures causes 
emails  ...)
{DSA-4392-1 DLA-1678-1}
- thunderbird 1:60.5.1-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9914be08eb5732e92752ac327f6936c8fef021bf


[Git][security-tracker-team/security-tracker][master] Process NFUs

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e027739 by Salvatore Bonaccorso at 2019-04-28T08:33:36Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,13 +15,13 @@ CVE-2019-11570
 CVE-2019-11569
RESERVED
 CVE-2019-11568 (An issue was discovered in AikCms v2.0. There is a File upload 
vulnera ...)
-   TODO: check
+   NOT-FOR-US: AikCms
 CVE-2019-11567 (An issue was discovered in AikCms v2.0. There is a SQL 
Injection vulne ...)
-   TODO: check
+   NOT-FOR-US: AikCms
 CVE-2019-11566
RESERVED
 CVE-2019-11565 (Server Side Request Forgery (SSRF) exists in the Print My Blog 
plugin  ...)
-   TODO: check
+   NOT-FOR-US: Print My Blog plugin for WordPress
 CVE-2019-11564
RESERVED
 CVE-2019-11563



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0e027739e2435ad978f4f9e71a62a6a0945bb05f


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11576/gitea

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2eafa593 by Salvatore Bonaccorso at 2019-04-28T08:22:51Z
Add CVE-2019-11576/gitea

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2019-11576 (Gitea before 1.8.0 allows 1FA for user accounts that have 
completed 2F ...)
-   TODO: check
+   - gitea 
 CVE-2019-11575
RESERVED
 CVE-2019-11574
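Review bot: `- gitea ` carries no fixed version and ends in a trailing space; if the intent is an unfixed entry, verify the status token survived the commit, since this rendering shows only whitespace after the package name. A NOTE pointing at the upstream fix would also help, given that the description already states Gitea 1.8.0 closes the 2FA bypass.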



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2eafa59334716ce6ec8f79e684e370c54ae4bc96


[Git][security-tracker-team/security-tracker][master] automatic update

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7137c7d4 by security tracker role at 2019-04-28T08:10:17Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,27 @@
+CVE-2019-11576 (Gitea before 1.8.0 allows 1FA for user accounts that have 
completed 2F ...)
+   TODO: check
+CVE-2019-11575
+   RESERVED
+CVE-2019-11574
+   RESERVED
+CVE-2019-11573
+   RESERVED
+CVE-2019-11572
+   RESERVED
+CVE-2019-11571
+   RESERVED
+CVE-2019-11570
+   RESERVED
+CVE-2019-11569
+   RESERVED
+CVE-2019-11568 (An issue was discovered in AikCms v2.0. There is a File upload 
vulnera ...)
+   TODO: check
+CVE-2019-11567 (An issue was discovered in AikCms v2.0. There is a SQL 
Injection vulne ...)
+   TODO: check
+CVE-2019-11566
+   RESERVED
+CVE-2019-11565 (Server Side Request Forgery (SSRF) exists in the Print My Blog 
plugin  ...)
+   TODO: check
 CVE-2019-11564
RESERVED
 CVE-2019-11563



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7137c7d41d6886663664fe522698857a8e350693


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-384{3,4}/systemd

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ff1bdae by Salvatore Bonaccorso at 2019-04-28T07:30:31Z
Add Debian bug reference for CVE-2019-384{3,4}/systemd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19056,14 +19056,14 @@ CVE-2019-3846
 CVE-2019-3845 (A lack of access control was found in the message queues 
maintained by ...)
NOT-FOR-US: qpid dispatch router
 CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
-   - systemd 
+   - systemd  (bug #928102)
[stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610
NOTE: 
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
-   - systemd 
+   - systemd  (bug #928102)
[stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
NOTE: 
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
NOTE: 
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ff1bdaee0defee158712f05cdcc9402c10e40a8


[Git][security-tracker-team/security-tracker][master] CVE-2019-835{4,5,6,7}/sox fixed in unstable

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a25c2b84 by Salvatore Bonaccorso at 2019-04-28T07:06:48Z
CVE-2019-835{4,5,6,7}/sox fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8497,19 +8497,19 @@ CVE-2019-8359
 CVE-2019-8358 (In Hiawatha before 10.8.4, a remote attacker is able to do 
directory t ...)
NOT-FOR-US: Hiawatha
 CVE-2019-8357 (An issue was discovered in SoX 14.4.2. lsx_make_lpf in 
effect_i_dsp.c  ...)
-   - sox  (low; bug #927906)
+   - sox 14.4.2+git20190427-1 (low; bug #927906)
NOTE: https://sourceforge.net/p/sox/bugs/318
NOTE: 
https://sourceforge.net/p/sox/code/ci/2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b/
 CVE-2019-8356 (An issue was discovered in SoX 14.4.2. One of the arguments to 
bitrv2  ...)
-   - sox  (bug #927906)
+   - sox 14.4.2+git20190427-1 (bug #927906)
NOTE: https://sourceforge.net/p/sox/bugs/321
NOTE: 
https://sourceforge.net/p/sox/code/ci/b7883ae1398499daaa926ae6621f088f0f531ed8/
 CVE-2019-8355 (An issue was discovered in SoX 14.4.2. In xmalloc.h, there is 
an integ ...)
-   - sox  (bug #927906)
+   - sox 14.4.2+git20190427-1 (bug #927906)
NOTE: https://sourceforge.net/p/sox/bugs/320
NOTE: 
https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/
 CVE-2019-8354 (An issue was discovered in SoX 14.4.2. lsx_make_lpf in 
effect_i_dsp.c  ...)
-   - sox  (bug #927906)
+   - sox 14.4.2+git20190427-1 (bug #927906)
NOTE: https://sourceforge.net/p/sox/bugs/319
NOTE: 
https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/
 CVE-2019-8353
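Review bot: CVE-2019-8355 and CVE-2019-8354 cite the same upstream commit (f8587e2d...) while their SourceForge bug references differ (#320 and #319); if one commit really fixes both, a NOTE saying so prevents the duplicate from being read as a copy-paste slip. Likewise CVE-2019-8357 and CVE-2019-8354 both describe lsx_make_lpf, so a one-line distinction between the two would help whoever prepares the stable update.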



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a25c2b8449738c5c6f9e9ddbfb5e3892c0795299


[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-384{3,4}/systemd as no-dsa

2019-04-28 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32a4a628 by Salvatore Bonaccorso at 2019-04-28T07:01:19Z
Mark CVE-2019-384{3,4}/systemd as no-dsa

Attack vector requires control both of an exploitable service and a
helper outside. Furthermore, DynamicUsers are not widely used. As per
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596/comments/7
in Debian itself those are yet limited, but still present.

The version in stretch (v232) is the version introducing support for
DynamicUsers; earlier versions, as in jessie, might thus not even be
affected but would need to be checked.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19057,12 +19057,14 @@ CVE-2019-3845 (A lack of access control was found in 
the message queues maintain
NOT-FOR-US: qpid dispatch router
 CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd 
+   [stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610
NOTE: 
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
- systemd 
+   [stretch] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
NOTE: 
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
NOTE: 
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
NOTE: 
https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c
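Review bot: the commit message says jessie (pre-v232) might not be affected but still needs checking, yet the hunk adds a stretch line only; a `[jessie]` line or a NOTE recording that DynamicUser support arrived in v232 keeps that open question in the tracker rather than only in git history. The added `[stretch] - systemd  (Minor issue; ...)` lines also show only whitespace where the no-dsa tag is expected in this rendering; verify the tag is present in the committed file.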



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/32a4a62898f80c4680f087792970a95f2e727f6e
