[Git][security-tracker-team/security-tracker][master] Add CVE-2019-10193/redis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e63b9248 by Salvatore Bonaccorso at 2019-07-08T06:25:33Z Add CVE-2019-10193/redis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8028,8 +8028,10 @@ CVE-2019-10195 RESERVED CVE-2019-10194 RESERVED -CVE-2019-10193 +CVE-2019-10193 [Stack buffer overflow] RESERVED + - redis 5:5.0.4-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1727668 CVE-2019-10192 [Heap buffer overflow] RESERVED - redis 5:5.0.4-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e63b924855208760ad98a5232d7e090652f8de2a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e63b924855208760ad98a5232d7e090652f8de2a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
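Review bot: the new CVE-2019-10193 entry records a fixed version (redis 5:5.0.4-1) but its only NOTE is the Red Hat bugzilla link, while the neighbouring CVE-2019-10192 entry in the trailing context cites upstream fix commits; add the corresponding upstream commit reference for 10193 as well so the fixed-version claim can be checked against the source.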
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-10192/redis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 79d0a4c8 by Salvatore Bonaccorso at 2019-07-08T06:24:29Z Add CVE-2019-10192/redis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8030,8 +8030,11 @@ CVE-2019-10194 RESERVED CVE-2019-10193 RESERVED -CVE-2019-10192 +CVE-2019-10192 [Heap buffer overflow] RESERVED + - redis 5:5.0.4-1 + NOTE: https://github.com/antirez/redis/commit/e216ceaf0e099536fe3658a29dcb725d812364e0 + NOTE: https://github.com/antirez/redis/commit/9f13b2bd4967334b1701c6eccdf53760cb13f79e CVE-2019-10191 RESERVED CVE-2019-10190 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79d0a4c8cf69265508096300d5565987b8da5146
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim libspring-security-2.0-java
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: cba50bb4 by Abhijith PA at 2019-07-08T05:39:51Z data/dla-needed.txt: Claim libspring-security-2.0-java - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ libsdl2-image libspring-java (Roberto C. Sánchez) NOTE: 20190624: Three CVEs remain to be patched. (roberto) -- -libspring-security-2.0-java +libspring-security-2.0-java (Abhijith PA) -- libxslt NOTE: 20190701: the Security Team doesn't want us to mark when jessie was explicitely tested as unfixed, so writing it here (beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cba50bb4d0970528187065a47a78ae720c78ffb8
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: work is still ongoing on this one
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 2de51d79 by Adrian Bunk at 2019-07-07T20:30:07Z dla-needed.txt: work is still ongoing on this one - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20190623: work is ongoing + NOTE: 20190707: work is ongoing -- libqb NOTE: 20190616: Upstream patch does not apply at all, but it appears that View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2de51d7945e5541af8c6c1c0433359ebcdd1a248
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68560c4b by security tracker role at 2019-07-07T20:10:25Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2019-13389 + RESERVED +CVE-2019-13388 + RESERVED +CVE-2019-13387 + RESERVED +CVE-2019-13386 + RESERVED +CVE-2019-13385 + RESERVED +CVE-2019-13384 + RESERVED +CVE-2019-13383 + RESERVED +CVE-2019-13382 + RESERVED +CVE-2019-13381 + RESERVED +CVE-2019-13380 + RESERVED +CVE-2019-13379 (On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access ...) + TODO: check +CVE-2019-13378 + RESERVED +CVE-2019-13377 + RESERVED +CVE-2019-13376 + RESERVED CVE-2019-13375 (A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) ...) NOT-FOR-US: D-Link CVE-2019-13374 (A cross-site scripting (XSS) vulnerability in resource view in PayActi ...) @@ -62,6 +90,7 @@ CVE-2019-13347 CVE-2019-13346 RESERVED CVE-2019-13345 (The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_ ...) + {DLA-1847-1} - squid (bug #931478) - squid3 NOTE: https://bugs.squid-cache.org/show_bug.cgi?id=4957 @@ -338,6 +367,7 @@ CVE-2019-13235 CVE-2019-13234 RESERVED CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP co ...) + {DLA-1846-1} - unzip (bug #931433) NOTE: https://www.bamsoftware.com/hacks/zipbomb/ NOTE: Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c @@ -452,8 +482,8 @@ CVE-2019-13185 RESERVED CVE-2019-13184 RESERVED -CVE-2019-13183 - RESERVED +CVE-2019-13183 (Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as ...) + TODO: check CVE-2019-13182 RESERVED CVE-2019-13181 @@ -1946,6 +1976,7 @@ CVE-2019-12596 CVE-2019-12595 RESERVED CVE-2019-12594 (DOSBox 0.74-2 has Incorrect Access Control. ...) + {DLA-1845-1} - dosbox (bug #931222) NOTE: Fixed in 0.74-3 upstream. NOTE: https://github.com/Alexandre-Bartel/CVE-2019-12594 
@@ -16584,6 +16615,7 @@ CVE-2019-7167 (Zcash, before the Sapling network upgrade (2018-10-28), had a cou CVE-2019-7166 RESERVED CVE-2019-7165 (A buffer overflow in DOSBox 0.74-2 allows attackers to execute arbitra ...) + {DLA-1845-1} - dosbox (bug #931222) NOTE: Fixed in 0.74-3 upstream. NOTE: Upstream clarification https://sourceforge.net/p/dosbox/bugs/508/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/68560c4bcad3258c5786f237a0fda3143684eaa7
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1847-1 for squid3
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 3adb6137 by Chris Lamb at 2019-07-07T20:00:40Z Reserve DLA-1847-1 for squid3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Jul 2019] DLA-1847-1 squid3 - security update + {CVE-2019-13345} + [jessie] - squid3 3.4.8-6+deb8u7 [07 Jul 2019] DLA-1846-1 unzip - security update {CVE-2019-13232} [jessie] - unzip 6.0-16+deb8u4 = data/dla-needed.txt = @@ -119,10 +119,6 @@ sqlite3 NOTE: 20190617: A preliminary package with *just* the (presumably) CVE-2019-5827 patches backported: NOTE: 20190617: https://people.debian.org/~mejo/debian/jessie-security/sqlite3_3.8.7.1-1+deb8u5.dsc -- -squid3 (Chris Lamb) - NOTE: 20190707: 2 XSS: first one unaffected AFAICS, second one reflected - NOTE: 20190707: cachemgr.cgi allows sensitive operations if authenticated (beuc) --- squirrelmail NOTE: 20190702: no patch available, upstream apparently inactive, NOTE: 20190702: reporter just recommends disabling HTML viewing of messages View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3adb61376a43b7b55f6c6c1487cb3a7bd974d2cc
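Review bot: the dla-needed.txt hunk deletes the two 20190707 triage NOTEs (first XSS unaffected, second one reflected; cachemgr.cgi allows sensitive operations if authenticated) together with the squid3 claim, and nothing in the DLA/list hunk preserves them; carry that analysis into the CVE-2019-13345 entry or the advisory text so the reasoning behind the jessie update is not lost when the claim is removed.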
[Git][security-tracker-team/security-tracker][master] jasperreports removed from unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 38c1fb07 by Salvatore Bonaccorso at 2019-07-07T19:17:49Z jasperreports removed from unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74283,17 +74283,17 @@ CVE-2018-5433 (The TIBCO Administrator server component of TIBCO Software Inc.'s CVE-2018-5432 (The TIBCO Administrator server component of of TIBCO Software Inc.'s T ...) NOT-FOR-US: TIBCO Administrator CVE-2018-5431 (The domain designer component of TIBCO Software Inc.'s TIBCO JasperRep ...) - - jasperreports + - jasperreports [jessie] - jasperreports (not supported in Jessie) [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431 CVE-2018-5430 (The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Serv ...) - - jasperreports + - jasperreports [jessie] - jasperreports (not supported in Jessie) [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430 CVE-2018-5429 (A vulnerability in the report scripting component of TIBCO Software In ...) - - jasperreports + - jasperreports [jessie] - jasperreports (not supported in Jessie) [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429 
@@ -96863,7 +96863,7 @@ CVE-2017-14943 (Trapeze TransitMaster is vulnerable to information disclosure (e CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the configura ...) NOT-FOR-US: Intelbras WRN 150 devices CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential disclosur ...) - - jasperreports (bug #880467; bug #884131) + - jasperreports (bug #880467; bug #884131) [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38c1fb075302d548d4565ad9a34923342b93db78
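Review bot: in all four hunks the added "+ - jasperreports" line reads identically to the removed "- - jasperreports" line as shown here, so the change the commit message describes (jasperreports removed from unstable) is not visible in this rendering; the tracker writes that state as a marker in angle brackets, which was probably stripped as markup in transit, so confirm the committed lines actually carry it and that the bug references on the CVE-2017-14941 line survived.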
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1846-1 for unzip
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: da78e550 by Markus Koschany at 2019-07-07T18:29:12Z Reserve DLA-1846-1 for unzip - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Jul 2019] DLA-1846-1 unzip - security update + {CVE-2019-13232} + [jessie] - unzip 6.0-16+deb8u4 [07 Jul 2019] DLA-1845-1 dosbox - security update {CVE-2019-7165 CVE-2019-12594} [jessie] - dosbox 0.74-4+deb8u1 = data/dla-needed.txt = @@ -133,8 +133,6 @@ tomcat8 (Abhijith PA) NOTE: 20190522: FTBFS NOTE: 20190701: New CVE just piled up. -- -unzip (Markus Koschany) --- vim (Emilio) NOTE: 20190618: maintainer is preparing the updates (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da78e5509b643aedc5a94a4c3c531772bd263d04
[Git][security-tracker-team/security-tracker][master] Track some fixes for binutils via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f22861a by Salvatore Bonaccorso at 2019-07-07T17:32:08Z Track some fixes for binutils via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31448,13 +31448,13 @@ CVE-2018-19935 (ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remot NOTE: https://git.php.net/?p=php-src.git;a=commit;h=648fc1e369fc05fb9200a42c7938912236b2a318 CVE-2018-19932 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181204-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23932 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7 NOTE: binutils not covered by security support CVE-2018-19931 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181204-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23942 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5f60af5d24d181371d67534fa273dd221df20c07 NOTE: binutils not covered by security support 
@@ -38026,19 +38026,19 @@ CVE-2018-18608 (DedeCMS 5.7 SP2 allows XSS via the function named GetPageList de NOT-FOR-US: DedeCMS CVE-2018-18607 (An issue was discovered in elf_link_input_bfd in elflink.c in the Bina ...) [experimental] - binutils 2.31.51.20181204-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23805 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=102def4da826b3d9e169741421e5e67e8731909a NOTE: binutils not covered by security support CVE-2018-18606 (An issue was discovered in the merge_strings function in merge.c in th ...) [experimental] - binutils 2.31.51.20181204-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23806 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc NOTE: binutils not covered by security support CVE-2018-18605 (A heap-based buffer over-read issue was discovered in the function sec ...) [experimental] - binutils 2.31.51.20181204-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23804 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab419ddbb2cdd17ca83618990f2cacf904ce1d61 NOTE: binutils not covered by security support 
@@ -38904,7 +38904,7 @@ CVE-2018-18310 (An invalid memory address dereference was discovered in dwfl_seg NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=20f9de9b5f704cec55df92406a50bcbcfca96acd CVE-2018-18309 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23770 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0930cb3021b8078b34cf216e79eb8608d017864f NOTE: binutils not covered by security support @@ -41376,19 +41376,19 @@ CVE-2018-17361 (Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote at NOT-FOR-US: WeaselCMS CVE-2018-17360 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23685 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d NOTE: binutils not covered by security support CVE-2018-17359 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 NOTE: binutils not covered by security support CVE-2018-17358 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - - binutils (unimportan
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1845-1 for dosbox
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c937c8c by Markus Koschany at 2019-07-07T17:17:28Z Reserve DLA-1845-1 for dosbox - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Jul 2019] DLA-1845-1 dosbox - security update + {CVE-2019-7165 CVE-2019-12594} + [jessie] - dosbox 0.74-4+deb8u1 [04 Jul 2019] DLA-1844-1 lemonldap-ng - security update {CVE-2019-13031} [jessie] - lemonldap-ng 1.3.3-1+deb8u2 = data/dla-needed.txt = @@ -16,8 +16,6 @@ bind9 (Thorsten Alteholz) cfengine3 (Mike Gabriel) NOTE: 20190628: likely not affected by CVE-2019-9929, but other not-yet-CVE'ed issues ahead -- -dosbox (Markus Koschany) --- faad2 NOTE: 20190519: I have a few patches pending for open issues. Will be PR-ed soon. NOTE: 20190525: see https://github.com/knik0/faad2/pull/36 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4c937c8c6e3ad3acab0e22704f578f188a3d7063
[Git][security-tracker-team/security-tracker][master] Add fixed version for two CVEs affecting mupdf in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 564d13f7 by Salvatore Bonaccorso at 2019-07-07T15:42:01Z Add fixed version for two CVEs affecting mupdf in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -216,7 +216,7 @@ CVE-2019-13292 (A SQL Injection issue was discovered in webERP 4.15. Payments.ph CVE-2019-13291 (In Xpdf 4.01.01, there is a heap-based buffer over-read in the functio ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13290 (Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_dis ...) - - mupdf (bug #931475) + - mupdf 1.15.0+ds1-1 (bug #931475) [jessie] - mupdf (Vulnerable code introduced later) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701118 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=aaf794439e40a2ef544f15b50c20e657414dec7a @@ -31953,7 +31953,7 @@ CVE-2018-19779 CVE-2018-19778 RESERVED CVE-2018-19777 (In Artifex MuPDF 1.14.0, there is an infinite loop in the function svg ...) - - mupdf (unimportant; bug #915137) + - mupdf 1.15.0+ds1-1 (unimportant; bug #915137) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700301 NOTE: No security impact, hang in GUI/CLI tool CVE-2018-19776 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/564d13f7372bdbfc82e9512d23c77e82eb289c0b
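Review bot: in the first hunk the CVE-2019-13290 description names Artifex MuPDF 1.15.0 as affected, yet the fixed version recorded is mupdf 1.15.0+ds1-1, the same upstream release; that is only consistent if the Debian revision carries the upstream fix from the git.ghostscript.com commit in the NOTE as a patch, so confirm that and record it in a NOTE, otherwise the line reads as claiming an unpatched upstream version is fixed.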
[Git][security-tracker-team/security-tracker][master] Add note re. golang-go.crypto
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e3687a23 by Chris Lamb at 2019-07-07T14:06:10Z Add note re. golang-go.crypto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,6 +33,7 @@ glib2.0 (Mike Gabriel) NOTE: 20190626: https://lists.debian.org/debian-lts/2019/06/msg00031.html -- golang-go.crypto + NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby) -- hdf5 NOTE: 20190511: upstream was not aware of our undetermined issues. They have assigned View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3687a23008bbc8e9afcb6b639eda5c1f8419663
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim squid3.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9dff5d1d by Chris Lamb at 2019-07-07T14:05:14Z data/dla-needed.txt: Claim squid3. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -120,7 +120,7 @@ sqlite3 NOTE: 20190617: A preliminary package with *just* the (presumably) CVE-2019-5827 patches backported: NOTE: 20190617: https://people.debian.org/~mejo/debian/jessie-security/sqlite3_3.8.7.1-1+deb8u5.dsc -- -squid3 +squid3 (Chris Lamb) NOTE: 20190707: 2 XSS: first one unaffected AFAICS, second one reflected NOTE: 20190707: cachemgr.cgi allows sensitive operations if authenticated (beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9dff5d1d20c23d5cd05612b2243bd1560f8c1cc1
[Git][security-tracker-team/security-tracker][master] CVE-2019-11841/golang-go.crypto: jessie triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a86514bc by Sylvain Beucler at 2019-07-07T11:06:35Z CVE-2019-11841/golang-go.crypto: jessie triage - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3800,6 +3800,9 @@ CVE-2019-11843 CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...) - golang-go.crypto NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442 + NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text") + NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note: + NOTE: https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) {DLA-1840-1} - golang-go.crypto = data/dla-needed.txt = @@ -32,6 +32,8 @@ freeimage glib2.0 (Mike Gabriel) NOTE: 20190626: https://lists.debian.org/debian-lts/2019/06/msg00031.html -- +golang-go.crypto +-- hdf5 NOTE: 20190511: upstream was not aware of our undetermined issues. They have assigned NOTE: a Jira issue for this: https://jira.hdfgroup.org/browse/HDFFV-10755 (hle) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a86514bc61e9d6901113936292eac5e6784f9c7a
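Review bot: the three added NOTEs say the upstream commit c05e17bb fixes only the second part of CVE-2019-11841 (prepending arbitrary text) and not the first (the Hash header value being ignored), but the entry keeps a bare "- golang-go.crypto" line with nothing marking that partial status; a DLA built on that commit alone would make the tracker show the CVE as fixed, so record the remaining half explicitly (in the version annotation or as a separately tracked issue) rather than only in free-text NOTEs.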
[Git][security-tracker-team/security-tracker][master] taking another week this month
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e0961e6c by Thorsten Alteholz at 2019-07-07T10:10:54Z taking another week this month - - - - - 1 changed file: - org/lts-frontdesk.2019.txt Changes: = org/lts-frontdesk.2019.txt = @@ -40,7 +40,7 @@ From 01-07 to 07-07:Sylvain Beucler From 08-07 to 14-07:Chris Lamb From 15-07 to 21-07:Abhijith PA From 22-07 to 28-07:Thorsten Alteholz -From 29-07 to 04-08: +From 29-07 to 04-08:Thorsten Alteholz From 05-08 to 11-08:Chris Lamb From 12-08 to 18-08:Markus Koschany From 19-08 to 25-08:Thorsten Alteholz View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0961e6cbed4f9faf9fc3f47ab256dd243ac4b69
[Git][security-tracker-team/security-tracker][master] CVE-2019-13345/squid3: jessie triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2210f008 by Sylvain Beucler at 2019-07-07T10:02:58Z CVE-2019-13345/squid3: jessie triage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,6 +118,10 @@ sqlite3 NOTE: 20190617: A preliminary package with *just* the (presumably) CVE-2019-5827 patches backported: NOTE: 20190617: https://people.debian.org/~mejo/debian/jessie-security/sqlite3_3.8.7.1-1+deb8u5.dsc -- +squid3 + NOTE: 20190707: 2 XSS: first one unaffected AFAICS, second one reflected + NOTE: 20190707: cachemgr.cgi allows sensitive operations if authenticated (beuc) +-- squirrelmail NOTE: 20190702: no patch available, upstream apparently inactive, NOTE: 20190702: reporter just recommends disabling HTML viewing of messages View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2210f008933a253c4bb719fe1b9c8b89e89ecd93
[Git][security-tracker-team/security-tracker][master] CVE-2019-13351/jackd2: jessie: fix package name
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b4454c2 by Sylvain Beucler at 2019-07-07T09:27:14Z CVE-2019-13351/jackd2: jessie: fix package name - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48,7 +48,7 @@ CVE-2019-13352 (WolfVision Cynap before 1.30j uses a static, hard-coded cryptogr TODO: check CVE-2019-13351 (posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as dist ...) - jackd2 (bug #931488) - [jessie] - jessie (Minor issue, hard to reproduce crash with theoretically possible file corruption, no sensitive data to leak) + [jessie] - jackd2 (Minor issue, hard to reproduce crash with theoretically possible file corruption, no sensitive data to leak) NOTE: https://github.com/jackaudio/jack2/pull/480 NOTE: https://github.com/jackaudio/jack2/commit/994e225bbb07a89f56147f7ce7d59beb49f8cfba CVE-2019-13350 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b4454c21b87181cf09cd26ccc4df3f880c4e9d1
[Git][security-tracker-team/security-tracker][master] Track gitlab/11.10.8 upload to experimental for easier merge fixing version...
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 391e82c8 by Salvatore Bonaccorso at 2019-07-07T08:41:56Z Track gitlab/11.10.8 upload to experimental for easier merge fixing version once uploaded to unstable again - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -609,6 +609,7 @@ CVE-2019-13122 RESERVED CVE-2019-13121 [SSRF Vulnerability in Project GitHub Integration] RESERVED + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13120 @@ -889,14 +890,17 @@ CVE-2019-13013 RESERVED CVE-2019-13011 [Merge Request Template Name Disclosure] RESERVED + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13010 [Decoding Color Codes Caused Reseource Depletion] RESERVED + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13009 [Broken Access Control for the Content of Personal Snippets] RESERVED + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13008 
@@ -907,11 +911,12 @@ CVE-2019-13007 [Enabling One of the Service Templates Could Cause Resource Deple NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13006 [Number of Merge Requests was Accessible] RESERVED + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13005 [Authorization Issues in GraphQL] RESERVED - [experimental] - gitlab + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab (Only affects 11.10 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13004 [Error Caused by Encoded Characters in Comments] 
@@ -920,16 +925,17 @@ CVE-2019-13004 [Error Caused by Encoded Characters in Comments] NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13003 [Resource Exhaustion Attack] RESERVED + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13002 [Recent Pipeline Information Disclosed to Unauthorised Users] RESERVED - [experimental] - gitlab + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab (Only affects 11.10 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13001 [Ability to Write a Note to a Private Snippet] RESERVED - [experimental] - gitlab + [experimental] - gitlab 11.10.8+dfsg-1 - gitlab (Only affects 11.9 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13000 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/391e82c8218f689b1e5eb194dc8298bca040a3df
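Review bot: the CVE-2019-13010 title carried as context in the second hunk reads `[Decoding Color Codes Caused Reseource Depletion]`; `Reseource` is a typo for `Resource` and is worth correcting in a follow-up commit while these gitlab entries are being touched anyway.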
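Review bot: in the third hunk the sid line `- gitlab (Only affects 11.10 and later)` for CVE-2019-13005 (and the plain `- gitlab` line for CVE-2019-13006) keeps no fixed version while only the `[experimental]` line gains `11.10.8+dfsg-1`, which matches the commit message's plan of "fixing version once uploaded to unstable again"; nothing in the entries records that pending step, though, so a `TODO:` line in the form the file already uses elsewhere (`TODO: check`) would keep the unstable version from being forgotten once the upload happens.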
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c8733df by Salvatore Bonaccorso at 2019-07-07T08:39:20Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2019-13375 (A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-13374 (A cross-site scripting (XSS) vulnerability in resource view in PayActi ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-13373 (An issue was discovered in the D-Link Central WiFi Manager CWM(100) be ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-13372 (/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager C ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-13371 RESERVED CVE-2019-13370 (index.php/admin/permissions in Ignited CMS through 2017-02-19 allows C ...) - TODO: check + NOT-FOR-US: Ignited CMS CVE-2019-13369 RESERVED CVE-2019-13368 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c8733dfb284842b00b106410aa44518e7245ffb
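Review bot: CVE-2019-13374 is closed as `NOT-FOR-US: D-Link`, but its description line names a different product (`... in resource view in PayActi ...`), not the D-Link Central WiFi Manager that its neighbours CVE-2019-13375, -13373 and -13372 describe; the triage outcome may well be the same, but the NOT-FOR-US label should name the product that is actually affected, otherwise a later search of the file for D-Link issues will pick up an unrelated entry.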
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c7dbd5db by security tracker role at 2019-07-07T08:36:31Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,33 @@ +CVE-2019-13375 (A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) ...) + TODO: check +CVE-2019-13374 (A cross-site scripting (XSS) vulnerability in resource view in PayActi ...) + TODO: check +CVE-2019-13373 (An issue was discovered in the D-Link Central WiFi Manager CWM(100) be ...) + TODO: check +CVE-2019-13372 (/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager C ...) + TODO: check +CVE-2019-13371 + RESERVED +CVE-2019-13370 (index.php/admin/permissions in Ignited CMS through 2017-02-19 allows C ...) + TODO: check +CVE-2019-13369 + RESERVED +CVE-2019-13368 + RESERVED +CVE-2019-13367 + RESERVED +CVE-2019-13366 + RESERVED +CVE-2019-13365 + RESERVED +CVE-2019-13364 + RESERVED +CVE-2019-13363 + RESERVED +CVE-2019-13362 (Codedoc v3.2 has a stack-based buffer overflow in add_variable in code ...) + TODO: check +CVE-2019-13361 + RESERVED CVE-2019-13360 RESERVED CVE-2019-13359 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7dbd5db473b2a38361ba2fde8b8715cb55eddd4
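Review bot: CVE-2019-13362 (`Codedoc v3.2 has a stack-based buffer overflow in add_variable ...`) is the one new non-RESERVED entry in this hunk that is not a web product, and it is also the only one the later "Process NFUs" commit (whose hunk stops at CVE-2019-13368) leaves at `TODO: check`; it should be checked against the archive before it is either closed as NOT-FOR-US or given a package line, since a stack-based overflow in a packaged tool would need a real source-package entry rather than a triage note.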
[Git][security-tracker-team/security-tracker][master] Disable fetching of backports
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02cd33cd by Salvatore Bonaccorso at 2019-07-07T08:28:45Z Disable fetching of backports They ship Packages/Sources.gz only and backports is anyway not very well supported in tracker. Until #664866 is fixed backports will anyway not be tracked properly in security-tracker. Temporarily disable until downloadFile can handle multiple situations more gracefully. - - - - - 1 changed file: - lib/debian-releases.mk Changes: = lib/debian-releases.mk = @@ -1,7 +1,10 @@ # This file defines the variables describing all Debian repositories # that need to be fetched in the "update-packages" process -BACKPORT_RELEASES := $(OLDSTABLE) $(STABLE) +# backports suites only have Sources.xz and respective Packages.xz +# available. +# Cf. as well https://bugs.debian.org/664866 +#BACKPORT_RELEASES := $(OLDSTABLE) $(STABLE) SECURITY_RELEASES := $(OLDOLDSTABLE) $(OLDSTABLE) $(STABLE) $(TESTING) MAIN_RELEASES := $(SECURITY_RELEASES) sid View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/02cd33cd782c84e3e06631bb609e1b480da8bcd1
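Review bot: the new comment in the hunk says the backports suites "only have Sources.xz and respective Packages.xz available", while the commit message says they ship "Packages/Sources.gz only"; the two contradict each other, and since the comment is what survives in lib/debian-releases.mk it is the one that should state the real situation (the bare bug reference to #664866 does not settle it for a later reader). Separately, commenting out `#BACKPORT_RELEASES := $(OLDSTABLE) $(STABLE)` leaves the variable undefined, which Make silently expands to the empty string wherever `$(BACKPORT_RELEASES)` is still used; an explicit empty assignment such as `BACKPORT_RELEASES :=` next to the comment makes the disabled state deliberate and visible to anyone grepping the makefile for the variable.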