[Git][security-tracker-team/security-tracker][master] jessie triage

2019-07-15 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
326aadc4 by Abhijith PA at 2019-07-16T05:26:38Z
jessie triage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -9,6 +9,8 @@ To pick an issue, simply add your name behind it. To learn more 
about how
 this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
+--
+asterisk
 --
 bind9 (Thorsten Alteholz)
   NOTE: 20190623: test package
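Review bot: `asterisk` is added to the jessie list without a NOTE naming the CVE ids or the state of the upstream fix, whereas neighbouring entries carry a dated NOTE (for example `NOTE: 20190623: test package` under bind9); a dated NOTE listing the relevant CVE ids would let whoever claims the package start from the right issue instead of re-triaging it.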
@@ -20,6 +22,8 @@ bzip2 (Thorsten Alteholz)
 cfengine3 (Mike Gabriel)
   NOTE: 20190628: likely not affected by CVE-2019-9929, but other 
not-yet-CVE'ed issues ahead
 --
+exiv2
+--
 faad2
   NOTE: 20190519: I have a few patches pending for open issues. Will be PR-ed 
soon.
   NOTE: 20190525: see https://github.com/knik0/faad2/pull/36
@@ -102,6 +106,8 @@ php5
 pound
   NOTE: 20190715: 
https://salsa.debian.org/debian/pound/blob/jessie/debian/patches/0009-CVE-2016-1071.patch
 --
+python2.7
+--
 qemu
   NOTE: 20190528: An upload candidate is waiting for being tested on real 
hardware.
   NOTE: 20190528: Still need to set up a notebook with jessie installed for 
testing.
@@ -121,6 +127,10 @@ ruby-openid
 sdl-image1.2
   NOTE: see libsdl2 entry.
 --
+slurm-llnl
+--
+sox
+--
 sqlite3
   NOTE: CVE-2019-8457: Should be ignored, based on the discussion on 
debian-lts:
   NOTE: CVE-2019-8457: 
https://lists.debian.org/debian-lts/2019/06/msg00013.html (mejo, 2019-06-13)
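Review bot: `sox` joins the jessie list here, and the c0ed0530 commit later in this digest re-tracks CVE-2019-1010004 as a distinct issue fixed in sox 14.4.2-2 with stretch marked `Minor issue`; if that is the CVE behind this entry, a NOTE pointing at it and at the upstream commit 7a8ceb8 recorded there would save the LTS uploader re-deriving both.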
@@ -132,12 +142,16 @@ sqlite3
   NOTE: 20190617: A preliminary package with *just* the (presumably) 
CVE-2019-5827 patches backported:
   NOTE: 20190617: 
https://people.debian.org/~mejo/debian/jessie-security/sqlite3_3.8.7.1-1+deb8u5.dsc
 --
+squid3
+--
 squirrelmail
   NOTE: 20190702: no patch available, upstream apparently inactive,
   NOTE: 20190702: reporter just recommends disabling HTML viewing of messages
   NOTE: 20190702: we've got squirrelmail and squirrelmail-viewashtml users
   NOTE: 20190702: so either write a patch or force disabling HTML?
 --
+thunderbird
+--
 tomcat8 (Abhijith PA)
   NOTE: 20190522: FTBFS
   NOTE: 20190701: New CVE just piled up.
@@ -145,6 +159,8 @@ tomcat8 (Abhijith PA)
 vim
   NOTE: 20190618: maintainer is preparing the updates (Emilio)
 --
+wavpack
+--
 wordpress
   NOTE: 20190614: No upstream fix yet. (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/326aadc4fd0a75f68b7d1b787102d3244b8bc059



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-7169/shadow in unstable

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5fc25f10 by Salvatore Bonaccorso at 2019-07-15T21:04:41Z
Add fixed version for CVE-2018-7169/shadow in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -70608,7 +70608,7 @@ CVE-2018-7170 (ntpd in ntp 4.2.x before 4.2.8p7 and 
4.3.x before 4.3.92 allows a
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3415
NOTE: 
http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
 CVE-2018-7169 (An issue was discovered in shadow 4.5. newgidmap (in 
shadow-utils) is  ...)
-   - shadow  (low; bug #890557)
+   - shadow 1:4.7-1 (low; bug #890557)
[buster] - shadow  (Minor issue)
[stretch] - shadow  (Minor issue)
[jessie] - shadow  (Minor issue)
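Review bot: the fixed version `1:4.7-1` is recorded for unstable, but the entry still carries no NOTE pointing at the upstream newgidmap fix, so the `(Minor issue)` decisions for buster, stretch and jessie cannot be re-checked against the actual patch from the tracker alone; adding the upstream commit reference would close that gap. The double space before `(Minor issue)` looks like an angle-bracket token (the tracker's no-dsa marker) dropped by this mail rendering, not a defect in the change.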



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5fc25f1084fa95feb3ff5a4ba49c2b1f1f160c30


[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2019-101030{1,2}/jhead

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a62f804a by Salvatore Bonaccorso at 2019-07-15T20:57:18Z
Add Debian bug references for CVE-2019-101030{1,2}/jhead

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10615,10 +10615,10 @@ CVE-2019-1010304 (Saleor Issue was introduced by 
merge commit: e1b01bad0703afd08
 CVE-2019-1010303
RESERVED
 CVE-2019-1010302 (jhead 3.03 is affected by: Incorrect Access Control. The 
impact is: De ...)
-   - jhead 
+   - jhead  (bug #932146)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1679978
 CVE-2019-1010301 (jhead 3.03 is affected by: Buffer Overflow. The impact is: 
Denial of s ...)
-   - jhead 
+   - jhead  (bug #932145)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1679952
 CVE-2019-1010300 (mz-automation libiec61850 1.3.2 1.3.1 1.3.0 is affected by: 
Buffer Ove ...)
TODO: check
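Review bot: the two `- jhead ` entries gain bug references but still have no fixed version or severity, and their only NOTEs point at Red Hat bugzilla; once the upstream jhead fix commits are known, a NOTE with them plus the fixed version would let #932145 and #932146 be closed from the tracker side.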



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a62f804a5375eaa6f1a5f824e95b0800ce96d6d1


[Git][security-tracker-team/security-tracker][master] Process NFU

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b16b77be by Salvatore Bonaccorso at 2019-07-15T20:44:26Z
Process NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -991,7 +991,7 @@ CVE-2019-13606
 CVE-2019-13605
RESERVED
 CVE-2019-13604 (There is a short key vulnerability in HID Global 
DigitalPersona (forme ...)
-   TODO: check
+   NOT-FOR-US: HID Global DigitalPersona U.are.U 4500 Fingerprint Reader
 CVE-2019-13603
RESERVED
 CVE-2019-13602 (An Integer Underflow in MP4_EIA608_Convert() in 
modules/demux/mp4/mp4. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b16b77bec4940c20c41bb22bf48c45c0ee12f3c6


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-101030{1,2}/jhead

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
779bd1bc by Salvatore Bonaccorso at 2019-07-15T20:44:56Z
Add CVE-2019-101030{1,2}/jhead

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10615,9 +10615,11 @@ CVE-2019-1010304 (Saleor Issue was introduced by merge 
commit: e1b01bad0703afd08
 CVE-2019-1010303
RESERVED
 CVE-2019-1010302 (jhead 3.03 is affected by: Incorrect Access Control. The 
impact is: De ...)
-   TODO: check
+   - jhead 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1679978
 CVE-2019-1010301 (jhead 3.03 is affected by: Buffer Overflow. The impact is: 
Denial of s ...)
-   TODO: check
+   - jhead 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1679952
 CVE-2019-1010300 (mz-automation libiec61850 1.3.2 1.3.1 1.3.0 is affected by: 
Buffer Ove ...)
TODO: check
 CVE-2019-1010299 (The Rust Programming Language Standard Library 1.18.0 and 
later is aff ...)
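Review bot: both new `- jhead ` lines are added as unfixed without a Debian bug reference, so the package maintainer is not notified by this commit; the follow-up a62f804a in this digest supplies `(bug #932145)` and `(bug #932146)`, which ideally land in the same change as the entries themselves.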



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/779bd1bc35a67406ff44435af48157d4d30cfde2


[Git][security-tracker-team/security-tracker][master] Remove now unneeded TODO

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b50eb22f by Salvatore Bonaccorso at 2019-07-15T20:30:57Z
Remove now unneeded TODO

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11224,7 +11224,6 @@ CVE-2019-1010006 (Evince 3.26.0 is affected by buffer 
overflow. The impact is: D
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=788980
NOTE: 
https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4cdb6326e329c8f61f9cc19ff9331cb0ce
 (3.27.91)
NOTE: 
https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
 (3.27.91)
-   TODO: track down in depth, whether in Evince or libtiff and if fixed
 CVE-2019-1010005 (HexoEditor v1.1.8-beta is affected by: XSS to code 
execution. ...)
NOT-FOR-US: HexoEditor
 CVE-2019-1010004 (SoX - Sound eXchange 14.4.2 and earlier is affected by: 
Out-of-bounds  ...)
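Review bot: dropping `TODO: track down in depth, whether in Evince or libtiff and if fixed` is consistent with the 6445b083 commit message (the fix is in evince's tiff backend), but nothing in the entry now records that libtiff was found not to be affected; a one-line NOTE stating that conclusion would preserve it for src:atril, which 19335063 adds to the same entry as unfixed.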



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b50eb22f9cbcdee9dbc7ee3088790ba4581ac175


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1010307/glpi

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54de1c93 by Salvatore Bonaccorso at 2019-07-15T20:29:07Z
Add CVE-2019-1010307/glpi

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10602,7 +10602,8 @@ CVE-2019-1010309
 CVE-2019-1010308 (Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is 
affected by: Inc ...)
NOT-FOR-US: Aquaverde GmbH Aquarius CMS
 CVE-2019-1010307 (GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting 
(XSS). Th ...)
-   TODO: check
+   - glpi  (unimportant)
+   NOTE: Only supported behind an authenticated HTTP zone
 CVE-2019-1010306 (Slanger 0.6.0 is affected by: Remote Code Execution (RCE). 
The impact  ...)
NOT-FOR-US: Slanger
 CVE-2019-1010305 (libmspack 0.9.1alpha is affected by: Buffer Overflow. The 
impact is: I ...)
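Review bot: `(unimportant)` rests entirely on `NOTE: Only supported behind an authenticated HTTP zone`; the NOTE should say where that support statement comes from (package documentation or upstream), so the rating can be re-examined if the supported deployment scope changes, and the entry still has no Debian bug reference for the unfixed package.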



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/54de1c933297f5cfaa44dcf2dc6aa2d0e4b3f338


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1010305/libmspack

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e79c56f by Salvatore Bonaccorso at 2019-07-15T20:27:54Z
Add CVE-2019-1010305/libmspack

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10606,7 +10606,9 @@ CVE-2019-1010307 (GLPI GLPI Product 9.3.1 is affected 
by: Cross Site Scripting (
 CVE-2019-1010306 (Slanger 0.6.0 is affected by: Remote Code Execution (RCE). 
The impact  ...)
NOT-FOR-US: Slanger
 CVE-2019-1010305 (libmspack 0.9.1alpha is affected by: Buffer Overflow. The 
impact is: I ...)
-   TODO: check
+   - libmspack 0.10.1-1
+   NOTE: 
https://github.com/kyz/libmspack/commit/2f084136cfe0d05e5bf5703f3e83c6d955234b4d
+   NOTE: https://github.com/kyz/libmspack/issues/27
 CVE-2019-1010304 (Saleor Issue was introduced by merge commit: 
e1b01bad0703afd08d297ed3f ...)
NOT-FOR-US: Mirumee Saleor
 CVE-2019-1010303
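Review bot: the fixed version 0.10.1-1 and the upstream commit 2f08413 are recorded, but the entry has no severity and no per-release annotations; since the CVE text describes a buffer overflow in an archive parser, the buster, stretch and jessie lines (fix or no-dsa with a reason) are the next triage step and are missing here.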



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e79c56fff79fa083bfbc78500c7da083bbd74b5


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df5ef5cb by Salvatore Bonaccorso at 2019-07-15T20:22:06Z
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -321,7 +321,7 @@ CVE-2014-1039
 CVE-2014-1038
RESERVED
 CVE-2014-10374 (On Fitbit activity-tracker devices, certain addresses never 
change. Ac ...)
-   TODO: check
+   NOT-FOR-US: Fitbit activity-tracker devices
 CVE-2014-10373
RESERVED
 CVE-2014-10372
@@ -10600,15 +10600,15 @@ CVE-2019-1010310 (GLPI GLPI Product 9.3.1 is affected 
by: Frame and Form tags In
 CVE-2019-1010309
REJECTED
 CVE-2019-1010308 (Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is 
affected by: Inc ...)
-   TODO: check
+   NOT-FOR-US: Aquaverde GmbH Aquarius CMS
 CVE-2019-1010307 (GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting 
(XSS). Th ...)
TODO: check
 CVE-2019-1010306 (Slanger 0.6.0 is affected by: Remote Code Execution (RCE). 
The impact  ...)
-   TODO: check
+   NOT-FOR-US: Slanger
 CVE-2019-1010305 (libmspack 0.9.1alpha is affected by: Buffer Overflow. The 
impact is: I ...)
TODO: check
 CVE-2019-1010304 (Saleor Issue was introduced by merge commit: 
e1b01bad0703afd08d297ed3f ...)
-   TODO: check
+   NOT-FOR-US: Mirumee Saleor
 CVE-2019-1010303
RESERVED
 CVE-2019-1010302 (jhead 3.03 is affected by: Incorrect Access Control. The 
impact is: De ...)
@@ -11132,7 +11132,7 @@ CVE-2019-1010044 (borg-reducer c6d5240 is affected by: 
Buffer Overflow. The impa
 CVE-2019-1010043
RESERVED
 CVE-2019-1010042 (couchcms 2 is affected by: Web Site physical path leakage. 
The impact  ...)
-   TODO: check
+   NOT-FOR-US: CouchCMS
 CVE-2019-1010041
RESERVED
 CVE-2019-1010040
@@ -11148,7 +11148,7 @@ CVE-2019-1010036
 CVE-2019-1010035
RESERVED
 CVE-2019-1010034 (Deepwoods Software WebLibrarian 3.5.2 and earlier is 
affected by: SQL  ...)
-   TODO: check
+   NOT-FOR-US: Deepwoods Software WebLibrarian
 CVE-2019-1010033
RESERVED
 CVE-2019-1010032
@@ -35056,35 +35056,35 @@ CVE-2019-1098
 CVE-2019-1097 (An information disclosure vulnerability exists when DirectWrite 
improp ...)
TODO: check
 CVE-2019-1096 (An information disclosure vulnerability exists when the win32k 
compone ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1095 (An information disclosure vulnerability exists when the Windows 
GDI co ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1094 (An information disclosure vulnerability exists when the Windows 
GDI co ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1093 (An information disclosure vulnerability exists when DirectWrite 
improp ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1092 (A remote code execution vulnerability exists in the way that 
the Chakr ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1091 (An information disclosure vulnerability exists when 
Unistore.dll fails ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1090 (An elevation of privilege vulnerability exists in the way that 
the dns ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1089 (An elevation of privilege vulnerability exists in rpcss.dll 
when the R ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1088 (An elevation of privilege exists in Windows Audio Service, aka 
'Window ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1087 (An elevation of privilege exists in Windows Audio Service, aka 
'Window ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1086 (An elevation of privilege exists in Windows Audio Service, aka 
'Window ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1085 (An elevation of privilege vulnerability exists in the way that 
the wla ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1084 (An information disclosure vulnerability exists when Exchange 
allows cr ...)
TODO: check
 CVE-2019-1083 (A denial of service vulnerability exists when Microsoft Common 
Object  ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1082 (An elevation of privilege vulnerability exists in Microsoft 
Windows wh ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-1081 (An information disclosure vulnerability exists when affected 
Microsoft ...)
NOT-FOR-US: Microsoft
 CVE-2019-1080 (A remote code execution vulnerability exists in the way the 
scripting  ...)
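Review bot: CVE-2019-1097 (DirectWrite) and CVE-2019-1084 (Exchange) keep `TODO: check` while CVE-2019-1093, also DirectWrite, is marked `NOT-FOR-US: Microsoft` in the same hunk; if 1097 was deliberately held back, a NOTE saying why would keep it from being NFU'd mechanically in the next pass, and if not, it should be marked like 1093.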
@@ -35100,9 +35100,9 @@ CVE-2019-1076 (A Cross-site Scripting (XSS) 
vulnerability exists when Team Found
 CVE-2019-1075 (A spoofing vulnerability exists in ASP.NET Core that could lead 
to an  ...)
TODO: check
 CVE-2019-1074 (An elevation of privilege vulnerability exists in Microsoft 
Windows 

[Git][security-tracker-team/security-tracker][master] Remove note for CVE-2019-13044

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8128593 by Salvatore Bonaccorso at 2019-07-15T20:11:55Z
Remove note for CVE-2019-13044

The CVE has been withdrawn by its CNA.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2329,7 +2329,6 @@ CVE-2019-13046 (linker/linker.c in ToaruOS through 1.10.9 
has insecure LD_LIBRAR
NOT-FOR-US: ToaruOS
 CVE-2019-13044
REJECTED
-   NOT-FOR-US: Panduit
 CVE-2019-13043
RESERVED
 CVE-2019-13042



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8128593b8d436307053933dcafab4c28fe1d3a1


[Git][security-tracker-team/security-tracker][master] automatic update

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb93c2b0 by security tracker role at 2019-07-15T20:10:24Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,997 @@
+CVE-2014-1200
+   RESERVED
+CVE-2014-1199
+   RESERVED
+CVE-2014-1198
+   RESERVED
+CVE-2014-1197
+   RESERVED
+CVE-2014-1196
+   RESERVED
+CVE-2014-1195
+   RESERVED
+CVE-2014-1194
+   RESERVED
+CVE-2014-1193
+   RESERVED
+CVE-2014-1192
+   RESERVED
+CVE-2014-1191
+   RESERVED
+CVE-2014-1190
+   RESERVED
+CVE-2014-1189
+   RESERVED
+CVE-2014-1188
+   RESERVED
+CVE-2014-1187
+   RESERVED
+CVE-2014-1186
+   RESERVED
+CVE-2014-1185
+   RESERVED
+CVE-2014-1184
+   RESERVED
+CVE-2014-1183
+   RESERVED
+CVE-2014-1182
+   RESERVED
+CVE-2014-1181
+   RESERVED
+CVE-2014-1180
+   RESERVED
+CVE-2014-1179
+   RESERVED
+CVE-2014-1178
+   RESERVED
+CVE-2014-1177
+   RESERVED
+CVE-2014-1176
+   RESERVED
+CVE-2014-1175
+   RESERVED
+CVE-2014-1174
+   RESERVED
+CVE-2014-1173
+   RESERVED
+CVE-2014-1172
+   RESERVED
+CVE-2014-1171
+   RESERVED
+CVE-2014-1170
+   RESERVED
+CVE-2014-1169
+   RESERVED
+CVE-2014-1168
+   RESERVED
+CVE-2014-1167
+   RESERVED
+CVE-2014-1166
+   RESERVED
+CVE-2014-1165
+   RESERVED
+CVE-2014-1164
+   RESERVED
+CVE-2014-1163
+   RESERVED
+CVE-2014-1162
+   RESERVED
+CVE-2014-1161
+   RESERVED
+CVE-2014-1160
+   RESERVED
+CVE-2014-1159
+   RESERVED
+CVE-2014-1158
+   RESERVED
+CVE-2014-1157
+   RESERVED
+CVE-2014-1156
+   RESERVED
+CVE-2014-1154
+   RESERVED
+CVE-2014-1153
+   RESERVED
+CVE-2014-1152
+   RESERVED
+CVE-2014-1151
+   RESERVED
+CVE-2014-1150
+   RESERVED
+CVE-2014-1149
+   RESERVED
+CVE-2014-1148
+   RESERVED
+CVE-2014-1147
+   RESERVED
+CVE-2014-1146
+   RESERVED
+CVE-2014-1145
+   RESERVED
+CVE-2014-1144
+   RESERVED
+CVE-2014-1143
+   RESERVED
+CVE-2014-1142
+   RESERVED
+CVE-2014-1141
+   RESERVED
+CVE-2014-1140
+   RESERVED
+CVE-2014-1139
+   RESERVED
+CVE-2014-1138
+   RESERVED
+CVE-2014-1136
+   RESERVED
+CVE-2014-1135
+   RESERVED
+CVE-2014-1134
+   RESERVED
+CVE-2014-1133
+   RESERVED
+CVE-2014-1132
+   RESERVED
+CVE-2014-1131
+   RESERVED
+CVE-2014-1130
+   RESERVED
+CVE-2014-1129
+   RESERVED
+CVE-2014-1128
+   RESERVED
+CVE-2014-1127
+   RESERVED
+CVE-2014-1126
+   RESERVED
+CVE-2014-1125
+   RESERVED
+CVE-2014-1124
+   RESERVED
+CVE-2014-1123
+   RESERVED
+CVE-2014-1122
+   RESERVED
+CVE-2014-1121
+   RESERVED
+CVE-2014-1120
+   RESERVED
+CVE-2014-1119
+   RESERVED
+CVE-2014-1118
+   RESERVED
+CVE-2014-1117
+   RESERVED
+CVE-2014-1116
+   RESERVED
+CVE-2014-1115
+   RESERVED
+CVE-2014-1114
+   RESERVED
+CVE-2014-1113
+   RESERVED
+CVE-2014-1112
+   RESERVED
+CVE-2014-
+   RESERVED
+CVE-2014-1110
+   RESERVED
+CVE-2014-1109
+   RESERVED
+CVE-2014-1108
+   RESERVED
+CVE-2014-1107
+   RESERVED
+CVE-2014-1106
+   RESERVED
+CVE-2014-1105
+   RESERVED
+CVE-2014-1104
+   RESERVED
+CVE-2014-1103
+   RESERVED
+CVE-2014-1102
+   RESERVED
+CVE-2014-1101
+   RESERVED
+CVE-2014-1100
+   RESERVED
+CVE-2014-1099
+   RESERVED
+CVE-2014-1098
+   RESERVED
+CVE-2014-1097
+   RESERVED
+CVE-2014-1096
+   RESERVED
+CVE-2014-1095
+   RESERVED
+CVE-2014-1094
+   RESERVED
+CVE-2014-1093
+   RESERVED
+CVE-2014-1092
+   RESERVED
+CVE-2014-1091
+   RESERVED
+CVE-2014-1090
+   RESERVED
+CVE-2014-1089
+   RESERVED
+CVE-2014-1088
+   RESERVED
+CVE-2014-1087
+   RESERVED
+CVE-2014-1086
+   RESERVED
+CVE-2014-1085
+   RESERVED
+CVE-2014-1084
+   RESERVED
+CVE-2014-1083
+   RESERVED
+CVE-2014-1082
+   RESERVED
+CVE-2014-1081
+   RESERVED
+CVE-2014-1080
+   RESERVED
+CVE-2014-1079
+   RESERVED
+CVE-2014-1078
+   RESERVED
+CVE-2014-1077
+   RESERVED
+CVE-2014-1076
+   RESERVED
+CVE-2014-1075
+   RESERVED
+CVE-2014-1074
+   RESERVED
+CVE-2014-1073
+   RESERVED
+CVE-2014-1072
+   RESERVED
+CVE-2014-1071
+   RESERVED
+CVE-2014-1070
+   RESERVED
+CVE-2014-1069
+   RESERVED
+CVE-2014-1068
+   RESERVED
+CVE-2014-1067
+   RESERVED
+CVE-2014-1066
+   RESERVED
+CVE-2014-1065
+   RESERVED
+CVE-2014-1064
+   RESERVED
+CVE-2014-1063
+   RESERVED
+CVE-2014-1062
+   RESERVED
+CVE-2014-1061
+   RESERVED
+CVE-2014-1060
+   RESERVED
+CVE-2014-1059
+   RESERVED
+CVE-2014-1058
+   RESERVED
+CVE-2014-1057
+   RESERVED
+CVE-2014-1056
+   RESERVED
+CVE-2014-1055
+   RESERVED
+CVE-2014-1054
+   RESERVED
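Review bot: the entry between `+CVE-2014-1112` and `+CVE-2014-1110` reads `+CVE-2014-` with no number, and `+CVE-2014-1155` and `+CVE-2014-1137` are absent from the otherwise contiguous run; the missing number is most likely a rendering artifact of this mail, but the committed data/CVE/list should be checked, since a bare `CVE-2014-` header line is not a valid tracker record. The header `@@ -1,11 +1,997 @@` also announces 997 inserted lines while far fewer are shown, so this mail is truncated.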

[Git][security-tracker-team/security-tracker][master] Add src:atril for CVE-2019-1010006

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
19335063 by Salvatore Bonaccorso at 2019-07-15T19:40:26Z
Add src:atril for CVE-2019-1010006

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10230,6 +10230,7 @@ CVE-2019-1010008 (OpenEnergyMonitor Project Emoncms 
9.8.8 is affected by: Cross
 CVE-2019-1010007
RESERVED
 CVE-2019-1010006 (Evince 3.26.0 is affected by buffer overflow. The impact is: 
DOS / Pos ...)
+   - atril 
- evince 3.27.92-1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=788980
NOTE: 
https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4cdb6326e329c8f61f9cc19ff9331cb0ce
 (3.27.91)
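Review bot: `+   - atril ` adds src:atril as unfixed with no Debian bug reference and no NOTE; since atril is a fork of evince, a NOTE saying whether the two evince commits listed below apply to the tiff backend as shipped in atril, plus a bug filed against atril, would give its maintainer something actionable.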



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/19335063fb2661f26c2e817c4463831975e193c6


[Git][security-tracker-team/security-tracker][master] Add information for CVE-2019-1010006/evince

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6445b083 by Salvatore Bonaccorso at 2019-07-15T19:34:04Z
Add information for CVE-2019-1010006/evince

The issue was fixed in evince via e6ed0d4 (Remove unused configure
check for cairo_format_stride_for_width) and e02fe91 (Fix overflow
checks in tiff backend).

Cf. https://bugzilla.gnome.org/show_bug.cgi?id=788980#c7 .

Those are included in upstream version 3.27.91 and first included in
Debian unstable as per the 3.27.92-1 upload.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10230,8 +10230,10 @@ CVE-2019-1010008 (OpenEnergyMonitor Project Emoncms 
9.8.8 is affected by: Cross
 CVE-2019-1010007
RESERVED
 CVE-2019-1010006 (Evince 3.26.0 is affected by buffer overflow. The impact is: 
DOS / Pos ...)
-   - evince 
+   - evince 3.27.92-1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=788980
+   NOTE: 
https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4cdb6326e329c8f61f9cc19ff9331cb0ce
 (3.27.91)
+   NOTE: 
https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
 (3.27.91)
TODO: track down in depth, whether in Evince or libtiff and if fixed
 CVE-2019-1010005 (HexoEditor v1.1.8-beta is affected by: XSS to code 
execution. ...)
NOT-FOR-US: HexoEditor
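Review bot: `TODO: track down in depth, whether in Evince or libtiff and if fixed` survives this change although the commit message already answers it (e02fe91, "Fix overflow checks in tiff backend", is in evince itself); dropping it here or turning it into a NOTE would avoid the separate follow-up (b50eb22f later in this digest does the removal).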



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6445b08321c52f747a5d12ec8c8c78449ecffd31


[Git][security-tracker-team/security-tracker][master] CVE-2019-13602 fixed in vlc 3.0.7.1-2

2019-07-15 Thread Sebastian Ramacher


Sebastian Ramacher pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1bc12283 by Sebastian Ramacher at 2019-07-15T18:48:35Z
CVE-2019-13602 fixed in vlc 3.0.7.1-2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,7 @@ CVE-2019-13604
 CVE-2019-13603
RESERVED
 CVE-2019-13602 (An Integer Underflow in MP4_EIA608_Convert() in 
modules/demux/mp4/mp4. ...)
-   - vlc  (bug #932131)
+   - vlc 3.0.7.1-2 (bug #932131)
NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=8e8e0d72447f8378244f5b4a3dcde036dbeb1491
NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=b2b157076d9e94df34502dd8df0787deb940e938
 CVE-2019-13601



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bc12283d2a751f12ce414f6689cfc30cac12a31


[Git][security-tracker-team/security-tracker][master] buster/stretch triage

2019-07-15 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94c16d35 by Moritz Muehlenhoff at 2019-07-15T18:01:34Z
buster/stretch triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -979,6 +979,7 @@ CVE-2019-13180
RESERVED
 CVE-2019-13179 (Calamares versions 3.1 through 3.2.10 copies a LUKS encryption 
keyfile ...)
- calamares 3.2.11-1 (bug #931392)
+   [buster] - calamares  (Mitigated via calamares-settings-debian 
in Debian)
- calamares-settings-debian 10.0.23-1 (bug #931373)
[buster] - calamares-settings-debian  (Will be fixed via Buster 
point release)
NOTE: https://github.com/calamares/calamares/issues/1191
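Review bot: `[buster] - calamares  (Mitigated via calamares-settings-debian in Debian)` depends on the calamares-settings-debian line directly below it, whose buster annotation is itself only `(Will be fixed via Buster point release)`; until that point release ships, buster installs are not mitigated, so the calamares annotation should say "will be mitigated" or reference the point-release bug #931373.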
@@ -7377,6 +7378,7 @@ CVE-2019-10732 (In KDE KMail 5.2.3, an attacker in 
possession of S/MIME or PGP e
{DLA-1825-1}
- kf5-messagelib  (bug #926996)
[buster] - kf5-messagelib  (Revisit when fixed upstream)
+   [stretch] - kf5-messagelib  (Revisit when fixed upstream)
- kdepim 
[stretch] - kdepim  (Revisit when fixed upstream)
NOTE: https://bugs.kde.org/show_bug.cgi?id=404698
@@ -57439,6 +57441,7 @@ CVE-2018-11564 (Stored XSS in YOOtheme Pagekit 1.0.13 
and earlier allows a user
NOT-FOR-US: Pagekit CMS
 CVE-2018-11563 (An issue was discovered in Open Ticket Request System (OTRS) 
6.0.x thr ...)
- otrs2 6.0.8-1
+   [stretch] - otrs2  (Non-free not supported)
NOTE: 
https://community.otrs.com/security-advisory-2018-02-security-update-for-otrs-framework/
NOTE: 
https://github.com/OTRS/otrs/commit/50861a2a1183a07daf99cc2e71395e79f022338f
 CVE-2018-11562 (An issue was discovered in MISP 2.4.91. A vulnerability in 
app/View/El ...)
@@ -86941,6 +86944,7 @@ CVE-2018-1258 (Spring Framework version 5.0.5 when used 
in combination with any
NOTE: https://pivotal.io/security/cve-2018-1258
 CVE-2018-1257 (Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x 
prior  ...)
- libspring-java 4.3.19-1
+   [stretch] - libspring-java  (Minor issue)
[jessie] - libspring-java  (hard to find upstream commits 
regarding this)
NOTE: https://pivotal.io/security/cve-2018-1257
 CVE-2018-1256 (Spring Cloud SSO Connector, version 2.1.2, contains a 
regression which ...)
@@ -104596,7 +104600,14 @@ CVE-2017-12653 (360 Total Security 9.0.0.1202 before 
2017-07-07 allows Privilege
NOT-FOR-US: 360 Total Security
 CVE-2017-12652 (libpng before 1.6.32 does not properly check the length of 
chunks agai ...)
- libpng1.6 1.6.32-1
-   TODO: check, details on fix
+   [stretch] - libpng1.6  (Minor issue)
+   NOTE: 
https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55
+   NOTE: 
https://github.com/glennrp/libpng/commit/a1fe2c98489519d415b72bc0026f0c86d82278b7
+   NOTE: 
https://github.com/glennrp/libpng/commit/095b4ce16bb46acb259ea1a4ca6562a623e58d93
+   NOTE: 
https://github.com/glennrp/libpng/commit/2dbef2f2a9e759a80d2decb6862518acf4919c59
+   NOTE: 
https://github.com/glennrp/libpng/commit/2dca15686fadb1b8951cb29b02bad4cae73448da
+   NOTE: 
https://github.com/glennrp/libpng/commit/fcd1bb93124d76059abef98216d8390f520c577b
+   NOTE: 
https://github.com/glennrp/libpng/commit/13bc0b6b1f8f2f2491fcc9f0c1c939ff06e13c15
 CVE-2017-12651 (Cross Site Request Forgery (CSRF) exists in the Blacklist and 
Whitelis ...)
NOT-FOR-US: Loginizer plugin for WordPress
 CVE-2017-12650 (SQL Injection exists in the Loginizer plugin before 1.3.6 for 
WordPres ...)
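Review bot: seven upstream commits are listed under CVE-2017-12652 with no indication of which one is the actual fix for the chunk-length check in the description ("libpng before 1.6.32 does not properly check the length of chunks") and which are follow-ups or unrelated 1.6.32 changes; the old "TODO: check, details on fix" is closed without recording the answer. A one-line NOTE per commit, or a single line saying "fix is X, the rest are hardening", is what anyone backporting to a suite without 1.6.32 will need. As with the other no-dsa lines in this commit, "[stretch] - libpng1.6  (Minor issue)" is missing its status marker in this rendering.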



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/94c16d3521e9740673f74e1e954d50bbcd4bda57

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-1010004

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0ed0530 by Salvatore Bonaccorso at 2019-07-15T17:29:22Z
Update information on CVE-2019-1010004

Although fixed with the same commit, it is considered distinct but
overlapping with CVE-2017-18189. Thus track separately.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -10234,7 +10234,9 @@ CVE-2019-1010006 (Evince 3.26.0 is affected by buffer 
overflow. The impact is: D
 CVE-2019-1010005 (HexoEditor v1.1.8-beta is affected by: XSS to code 
execution. ...)
NOT-FOR-US: HexoEditor
 CVE-2019-1010004 (SoX - Sound eXchange 14.4.2 and earlier is affected by: 
Out-of-bounds  ...)
-   NOT-FOR-US: Duplicate of CVE-2017-18189, should be rejected
+   - sox 14.4.2-2 (bug #881121)
+   [stretch] - sox  (Minor issue)
+   NOTE: 
https://github.com/mansr/sox/commit/7a8ceb86212b28243bbb6d0de636f0dfbe833e53
 CVE-2019-1010003 (Leanote prior to version 2.6 is affected by: Cross Site 
Scripting (XSS ...)
NOT-FOR-US: Leanote
 CVE-2019-1010002
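Review bot: the reason the entry flips from "NOT-FOR-US: Duplicate of CVE-2017-18189, should be rejected" to a tracked issue exists only in the commit message ("considered distinct but overlapping with CVE-2017-18189"); it should also be a NOTE line in data/CVE/list, otherwise the next triager who sees the same fix commit will re-mark it as a duplicate. A line such as "NOTE: overlaps with CVE-2017-18189, fixed by the same upstream commit" next to the github.com/mansr/sox link covers it. Also confirm that bug #881121 on the "- sox 14.4.2-2 (bug #881121)" line actually covers this CVE rather than only the earlier one.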


=
data/DLA/list
=
@@ -487,7 +487,7 @@
{CVE-2018-14662 CVE-2018-16846}
[jessie] - ceph 0.80.7-2+deb8u3
 [28 Feb 2019] DLA-1695-1 sox - security update
-   {CVE-2017-15370 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189}
+   {CVE-2017-15370 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 
CVE-2019-1010004}
[jessie] - sox 14.4.1-5+deb8u2
 [28 Feb 2019] DLA-1694-1 qemu - security update
{CVE-2018-12617 CVE-2018-16872 CVE-2019-6778}
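Review bot: adding CVE-2019-1010004 to DLA-1695-1 (and to DLA-1197-1 in the next hunk) rests entirely on the shared upstream commit; since the commit message calls the two CVEs "distinct but overlapping", verify that the patch shipped in sox 14.4.1-5+deb8u2 contains the whole upstream commit and not a trimmed backport of only the part that addressed CVE-2017-18189, before the jessie and wheezy versions are recorded as fixed for this ID. The advisory texts are not being reissued, so a NOTE in the CVE entry is the only place this reasoning will survive.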
@@ -1991,7 +1991,7 @@
{CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 
CVE-2017-15602 CVE-2017-15922}
[wheezy] - libextractor 1:0.6.3-5+deb7u1
 [30 Nov 2017] DLA-1197-1 sox - security update
-   {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 
CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189}
+   {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 
CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-1010004}
[wheezy] - sox 14.4.0-3+deb7u2
 [30 Nov 2017] DLA-1196-1 optipng - security update
{CVE-2017-16938}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c0ed0530e06a3f9eee40132ac9c12844944a8050


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-13602/vlc

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54959a6b by Salvatore Bonaccorso at 2019-07-15T17:27:29Z
Add Debian bug reference for CVE-2019-13602/vlc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,7 @@ CVE-2019-13604
 CVE-2019-13603
RESERVED
 CVE-2019-13602 (An Integer Underflow in MP4_EIA608_Convert() in 
modules/demux/mp4/mp4. ...)
-   - vlc 
+   - vlc  (bug #932131)
NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=8e8e0d72447f8378244f5b4a3dcde036dbeb1491
NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=b2b157076d9e94df34502dd8df0787deb940e938
 CVE-2019-13601
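Review bot: "- vlc  (bug #932131)" again shows the double space where the status marker between the package name and the bug reference belongs, so check the committed line still carries it. With two upstream fix commits already referenced, the entry could also record which VLC release, if any, contains them; that is the information needed to replace the marker with a fixed version.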



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/54959a6bdc1bd6a33c2e1b97c08cd7b853e90006


[Git][security-tracker-team/security-tracker][master] Add upstream reference for CVE-2019-1010011/abcm2ps

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
23418d6e by Salvatore Bonaccorso at 2019-07-15T17:26:42Z
Add upstream reference for CVE-2019-1010011/abcm2ps

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10218,8 +10218,7 @@ CVE-2019-1010012
RESERVED
 CVE-2019-1010011 (moinejf abcm2ps 8.13.16 and after is affected by: CWE-121: 
Stack-based ...)
- abcm2ps  (low)
-   NOTE: 
https://drive.google.com/drive/folders/1nAL-B_I5Y7SKX0AeIurGkTzNHMazoyzP
-   NOTE: 
https://drive.google.com/drive/folders/1xiVrcB1lTE_mSd_mL7akjpscH4CUahYU
+   NOTE: https://github.com/leesavide/abcm2ps/issues/55
 CVE-2019-1010010
RESERVED
 CVE-2019-1010009 (DGLogik Inc DGLux Server All Versions is affected by: 
Insecure Permiss ...)
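Review bot: replacing the two Google Drive folder links with "NOTE: https://github.com/leesavide/abcm2ps/issues/55" is the right call (the folders are neither stable nor reviewable), but the description names moinejf as the upstream while the issue lives under the leesavide namespace; if that is the canonical repository, a short NOTE saying so saves the next reader the same question. The entry is also still "- abcm2ps  (low)" with no [buster]/[stretch] lines, unlike the other low-severity entries triaged the same day.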



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/23418d6eadb9128fbf016570d39529d0b12790e0


[Git][security-tracker-team/security-tracker][master] Add upstream issue reference for CVE-2019-1010016

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
942e76c1 by Salvatore Bonaccorso at 2019-07-15T17:19:44Z
Add upstream issue reference for CVE-2019-1010016

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10207,6 +10207,7 @@ CVE-2019-1010017 (libnmap  v0.6.3 is affected by: 
XML Injection. The impact
NOTE: https://github.com/savon-noir/python-libnmap/issues/87
 CVE-2019-1010016 (Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). 
The impact  ...)
- dolibarr 
+   NOTE: https://github.com/Dolibarr/dolibarr/issues/7962
 CVE-2019-1010015
RESERVED
 CVE-2019-1010014
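Review bot: the new "NOTE: https://github.com/Dolibarr/dolibarr/issues/7962" gives a reference, but the line above it is still a bare "- dolibarr " with no severity and no suite lines, so the XSS in 6.0.4 remains effectively untriaged. If the upstream issue shows it fixed, record the fixing version; otherwise add the severity and the [buster]/[stretch] decision as was done for the other entries in this batch.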



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/942e76c146b529770d680af8106addc9a74601f0


[Git][security-tracker-team/security-tracker][master] buster/stretch triage

2019-07-15 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df41bc15 by Moritz Muehlenhoff at 2019-07-15T15:17:47Z
buster/stretch triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1035,7 +1035,9 @@ CVE-2019-13163
 CVE-2019-13162
RESERVED
 CVE-2019-13161 (An issue was discovered in Asterisk Open Source through 
13.27.0, 14.x  ...)
-   - asterisk 1:16.2.1~dfsg-2 (bug #931981)
+   - asterisk 1:16.2.1~dfsg-2 (low; bug #931981)
+   [buster] - asterisk  (Minor issue)
+   [stretch] - asterisk  (Minor issue)
NOTE: http://downloads.digium.com/pub/security/AST-2019-003.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28465
 CVE-2019-13160
@@ -1537,6 +1539,8 @@ CVE-2019-12974 (A NULL pointer dereference in the 
function ReadPANGOImage in cod
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/b4391bdd60df0a77e97a6ef1674f2ffef0e19e24
 CVE-2019-12973 (In OpenJPEG 2.3.1, there is excessive iteration in the 
opj_t1_encode_c ...)
- openjpeg2  (bug #931292)
+   [buster] - openjpeg2  (Minor issue)
+   [stretch] - openjpeg2  (Minor issue)
[jessie] - openjpeg2  (vulnerable code is not present)
NOTE: https://github.com/uclouvain/openjpeg/pull/1185
NOTE: 
https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3
@@ -1922,6 +1926,8 @@ CVE-2019-12828 (An issue was discovered in Electronic 
Arts Origin before 10.5.39
NOT-FOR-US: Electronic Arts Origin
 CVE-2019-12827 (Buffer overflow in res_pjsip_messaging in Digium Asterisk 
versions 13. ...)
- asterisk 1:16.2.1~dfsg-2 (bug #931980)
+   [buster] - asterisk  (Minor issue)
+   [stretch] - asterisk  (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-002.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28447
 CVE-2019-12826 (A Cross-Site-Request-Forgery (CSRF) vulnerability in 
widget_logic.php  ...)
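Review bot: CVE-2019-12827 is described as "Buffer overflow in res_pjsip_messaging" and is marked "(Minor issue)" for buster and stretch without a NOTE giving the reason, and unlike CVE-2019-13161 in the first hunk the unstable line "- asterisk 1:16.2.1~dfsg-2 (bug #931980)" received no severity. If the minor classification comes from preconditions in AST-2019-002 (for instance a required authenticated endpoint or a non-default configuration), say so in a NOTE; a remotely reachable overflow in a SIP module classed as minor with no rationale will be questioned by anyone reading the tracker later.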
@@ -9572,18 +9578,23 @@ CVE-2019-9888
RESERVED
 CVE-2019-1010319 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of 
Uninitialize ...)
- wavpack 5.1.0-7 (low; bug #932061)
+   [buster] - wavpack  (Minor issue)
+   [stretch] - wavpack  (Minor issue)
NOTE: 
https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe
NOTE: https://github.com/dbry/WavPack/issues/68
 CVE-2019-1010318
REJECTED
 CVE-2019-1010317 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of 
Uninitialize ...)
- wavpack 5.1.0-7 (low; bug #932060)
+   [buster] - wavpack  (Minor issue)
+   [stretch] - wavpack  (Minor issue)
NOTE: 
https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
NOTE: https://github.com/dbry/WavPack/issues/66
 CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access 
Control. Th ...)
NOT-FOR-US: pyxtrlock
 CVE-2019-1010315 (WavPack 5.1 and earlier is affected by: CWE 369: Divide by 
Zero. The i ...)
- wavpack 5.1.0-6 (low)
+   [stretch] - wavpack  (Minor issue)
NOTE: 
https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc
NOTE: https://github.com/dbry/WavPack/issues/65
 CVE-2019-1010314 (Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting 
(XSS). The imp ...)
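Review bot: the three WavPack entries are triaged asymmetrically: CVE-2019-1010319 and CVE-2019-1010317 get both [buster] and [stretch] "(Minor issue)" lines, while CVE-2019-1010315, fixed in "wavpack 5.1.0-6 (low)", gets only [stretch]. That is correct if 5.1.0-6 is the version in buster, but nothing in the entry says so; since the other two are fixed in 5.1.0-7 with filed bugs and this one has neither a bug nor a buster line, a NOTE stating that buster already carries the fix would keep the three consistent for the reader.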
@@ -45868,8 +45879,8 @@ CVE-2018-15912 (An issue was discovered in 
manjaro-update-system.sh in manjaro-s
NOT-FOR-US: manjaro-update-system.sh in manjaro-system on Manjaro Linux
 CVE-2018-15919 (Remotely observable behaviour in auth-gss2.c in OpenSSH 
through 7.8 co ...)
- openssh  (low; bug #907503)
-   [buster] - openssh  (Minor issue)
-   [stretch] - openssh  (Minor issue)
+   [buster] - openssh  (Minor issue)
+   [stretch] - openssh  (Minor issue)
[jessie] - openssh  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2018/08/27/2
 CVE-2018-15911 (In Artifex Ghostscript 9.23 before 2018-08-24, attackers able 
to suppl ...)
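Review bot: the [buster] and [stretch] lines for CVE-2018-15919 are removed and re-added but render identically here ("[buster] - openssh  (Minor issue)" on both the - and + side), so the actual change is invisible in this mail: it is either whitespace or a change to the status marker that the rendering dropped. A whitespace-only edit does not belong in a triage commit, and a marker change (no-dsa versus ignored, for instance) deserves a word in the commit message, which currently says only "buster/stretch triage".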



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/df41bc15aa0493081cb199b42ea7c2da4a2826b5


[Git][security-tracker-team/security-tracker][master] new vlc issue

2019-07-15 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ef924fe2 by Moritz Muehlenhoff at 2019-07-15T11:10:36Z
new vlc issue
exif ignored
glibc non-issues
new python-libnmap issue
new abcm2ps issue
new potential evince issue
sox duplicate
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,9 @@ CVE-2019-13604
 CVE-2019-13603
RESERVED
 CVE-2019-13602 (An Integer Underflow in MP4_EIA608_Convert() in 
modules/demux/mp4/mp4. ...)
-   TODO: check
+   - vlc 
+   NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=8e8e0d72447f8378244f5b4a3dcde036dbeb1491
+   NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=b2b157076d9e94df34502dd8df0787deb940e938
 CVE-2019-13601
RESERVED
 CVE-2019-13600
@@ -36,7 +38,7 @@ CVE-2019-13590 (An issue was discovered in libsox.a in SoX 
14.4.2. In sox-fmt.h
- sox  (bug #932082)
NOTE: https://sourceforge.net/p/sox/bugs/325/
 CVE-2019-13589 (The paranoid2 gem 1.1.6 for Ruby, as distributed on 
RubyGems.org, incl ...)
-   TODO: check
+   NOT-FOR-US: backdoor in paranoid_2 gem, different from src:ruby-paranoia
 CVE-2019-13588
RESERVED
 CVE-2019-13587
@@ -219,9 +221,11 @@ CVE-2019-13506 (@nuxt/devalue before 1.2.3, as used in 
Nuxt.js before 2.6.2, mis
 CVE-2019-13505 (The Appointment Hour Booking plugin 1.1.44 for WordPress 
allows XSS vi ...)
NOT-FOR-US: Appointment Hour Booking plugin for WordPress
 CVE-2019-13504 (There is an out-of-bounds read in 
Exiv2::MrwImage::readMetadata in mrw ...)
-   - exiv2 
+   - exiv2  (low)
+   [buster] - exiv2  (Minor issue)
+   [stretch] - exiv2  (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/pull/943
-   TODO: check
+   NOTE: 
https://github.com/Exiv2/exiv2/commit/54f0bebca032d0286a0e48f47e67dfc6141fedff
 CVE-2019-13503 (mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based 
buffer o ...)
NOT-FOR-US: Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version 
and disabled since 18.5.0~ds1-1
@@ -10157,19 +10161,27 @@ CVE-2019-1010030
 CVE-2019-1010029
RESERVED
 CVE-2019-1010028 (phpscriptsmall.com School College Portal with ERP Script 
2.6.1 and ear ...)
-   TODO: check
+   NOT-FOR-US: School College Portal
 CVE-2019-1010027
RESERVED
 CVE-2019-1010026
RESERVED
 CVE-2019-1010025 (GNU Libc current is affected by: Mitigation bypass. The 
impact is: Att ...)
-   TODO: check
+   - glibc  (unimportant)
+   NOTE: Not treated as a security issue by upstream
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22853
 CVE-2019-1010024 (GNU Libc current is affected by: Mitigation bypass. The 
impact is: Att ...)
-   TODO: check
+   - glibc  (unimportant)
+   NOTE: Not treated as a security issue by upstream
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22852
 CVE-2019-1010023 (GNU Libc current is affected by: Re-mapping current loaded 
libray with ...)
-   TODO: check
+   - glibc  (unimportant)
+   NOTE: Not treated as a security issue by upstream
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22851
 CVE-2019-1010022 (GNU Libc current is affected by: Mitigation bypass. The 
impact is: Att ...)
-   TODO: check
+   - glibc  (unimportant)
+   NOTE: Not treated as a security issue by upstream
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22850
 CVE-2019-1010021
RESERVED
 CVE-2019-1010020
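Review bot: the four glibc entries get the identical "NOTE: Not treated as a security issue by upstream" plus one sourceware bug each, but the descriptions differ: three are "Mitigation bypass" and CVE-2019-1010023 is "Re-mapping current loaded libray", and the reason all four are rated unimportant is left for the reader to reconstruct from the bug pages. A one-line summary per entry of why it crosses no security boundary (what the attacker must already be able to do) would let the unimportant rating stand on its own, and the claim about upstream's position should be backed by the resolution recorded in the cited bug, which the NOTE does not quote.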
@@ -10179,9 +10191,11 @@ CVE-2019-1010019
 CVE-2019-1010018
RESERVED
 CVE-2019-1010017 (libnmap  v0.6.3 is affected by: XML Injection. The 
impact is: Deni ...)
-   TODO: check
+   - python-libnmap  (low)
+   [buster] - python-libnmap  (Minor issue)
+   NOTE: https://github.com/savon-noir/python-libnmap/issues/87
 CVE-2019-1010016 (Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). 
The impact  ...)
-   TODO: check
+   - dolibarr 
 CVE-2019-1010015
RESERVED
 CVE-2019-1010014
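Review bot: "- python-libnmap  (low)" gets a "[buster] - python-libnmap  (Minor issue)" line but no [stretch] line, and within a single triage commit the reader cannot tell whether stretch has no python-libnmap package or was simply not looked at; either add the stretch line or a NOTE saying the package is absent there. The same hunk leaves "- dolibarr " with no severity at all, unlike every other entry it touches.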
@@ -10191,21 +10205,25 @@ CVE-2019-1010013
 CVE-2019-1010012
RESERVED
 CVE-2019-1010011 (moinejf abcm2ps 8.13.16 and after is affected by: CWE-121: 
Stack-based ...)
-   TODO: check
+   - abcm2ps  (low)
+   NOTE: 
https://drive.google.com/drive/folders/1nAL-B_I5Y7SKX0AeIurGkTzNHMazoyzP
+   NOTE: 
https://drive.google.com/drive/folders/1xiVrcB1lTE_mSd_mL7akjpscH4CUahYU
 CVE-2019-1010010
RESERVED
 CVE-2019-1010009 (DGLogik Inc DGLux Server All Versions is affected by: 
Insecure Permiss ...)
-   TODO: check
+   NOT-FOR-US: DGLogik Inc DGLux Server
 CVE-2019-1010008 (OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: 
Cross Site Scr ...)
-   TODO: check
+   NOT-FOR-US: OpenEnergyMonitor Project Emoncms
 CVE-2019-1010007
RESERVED
 CVE-2019-1010006 
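Review bot: the only references for the abcm2ps stack-based overflow (CWE-121) are two Google Drive folder links, which are neither stable nor reviewable and tell a future reader nothing about what is in them; an upstream issue or commit, or at minimum a NOTE describing the folders' contents (reproducer file, report), should replace or accompany them before "- abcm2ps  (low)" is considered triaged. The severity is also set without any [buster]/[stretch] decision, unlike the exiv2 and python-libnmap entries in the same commit.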

[Git][security-tracker-team/security-tracker][master] automatic update

2019-07-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b405f8cd by security tracker role at 2019-07-15T08:10:14Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,19 @@
+CVE-2019-13607
+   RESERVED
+CVE-2019-13606
+   RESERVED
+CVE-2019-13605
+   RESERVED
+CVE-2019-13604
+   RESERVED
+CVE-2019-13603
+   RESERVED
+CVE-2019-13602 (An Integer Underflow in MP4_EIA608_Convert() in 
modules/demux/mp4/mp4. ...)
+   TODO: check
+CVE-2019-13601
+   RESERVED
+CVE-2019-13600
+   RESERVED
 CVE-2019-13599
RESERVED
 CVE-2019-13598 (LuaUPnP in Vera Edge Home Controller 1.7.4452 allows remote 
unauthenti ...)
@@ -10137,23 +10153,23 @@ CVE-2019-1010032
 CVE-2019-1010031
RESERVED
 CVE-2019-1010030
-   RESERVED
+   REJECTED
 CVE-2019-1010029
RESERVED
-CVE-2019-1010028
-   RESERVED
+CVE-2019-1010028 (phpscriptsmall.com School College Portal with ERP Script 
2.6.1 and ear ...)
+   TODO: check
 CVE-2019-1010027
RESERVED
 CVE-2019-1010026
RESERVED
-CVE-2019-1010025
-   RESERVED
-CVE-2019-1010024
-   RESERVED
-CVE-2019-1010023
-   RESERVED
-CVE-2019-1010022
-   RESERVED
+CVE-2019-1010025 (GNU Libc current is affected by: Mitigation bypass. The 
impact is: Att ...)
+   TODO: check
+CVE-2019-1010024 (GNU Libc current is affected by: Mitigation bypass. The 
impact is: Att ...)
+   TODO: check
+CVE-2019-1010023 (GNU Libc current is affected by: Re-mapping current loaded 
libray with ...)
+   TODO: check
+CVE-2019-1010022 (GNU Libc current is affected by: Mitigation bypass. The 
impact is: Att ...)
+   TODO: check
 CVE-2019-1010021
RESERVED
 CVE-2019-1010020
@@ -10162,10 +10178,10 @@ CVE-2019-1010019
RESERVED
 CVE-2019-1010018
RESERVED
-CVE-2019-1010017
-   RESERVED
-CVE-2019-1010016
-   RESERVED
+CVE-2019-1010017 (libnmap  v0.6.3 is affected by: XML Injection. The 
impact is: Deni ...)
+   TODO: check
+CVE-2019-1010016 (Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). 
The impact  ...)
+   TODO: check
 CVE-2019-1010015
RESERVED
 CVE-2019-1010014
@@ -10174,22 +10190,22 @@ CVE-2019-1010013
RESERVED
 CVE-2019-1010012
RESERVED
-CVE-2019-1010011
-   RESERVED
+CVE-2019-1010011 (moinejf abcm2ps 8.13.16 and after is affected by: CWE-121: 
Stack-based ...)
+   TODO: check
 CVE-2019-1010010
RESERVED
-CVE-2019-1010009
-   RESERVED
-CVE-2019-1010008
-   RESERVED
+CVE-2019-1010009 (DGLogik Inc DGLux Server All Versions is affected by: 
Insecure Permiss ...)
+   TODO: check
+CVE-2019-1010008 (OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: 
Cross Site Scr ...)
+   TODO: check
 CVE-2019-1010007
RESERVED
-CVE-2019-1010006
-   RESERVED
-CVE-2019-1010005
-   RESERVED
-CVE-2019-1010004
-   RESERVED
+CVE-2019-1010006 (Evince 3.26.0 is affected by buffer overflow. The impact is: 
DOS / Pos ...)
+   TODO: check
+CVE-2019-1010005 (HexoEditor v1.1.8-beta is affected by: XSS to code 
execution. ...)
+   TODO: check
+CVE-2019-1010004 (SoX - Sound eXchange 14.4.2 and earlier is affected by: 
Out-of-bounds  ...)
+   TODO: check
 CVE-2019-1010003 (Leanote prior to version 2.6 is affected by: Cross Site 
Scripting (XSS ...)
NOT-FOR-US: Leanote
 CVE-2019-1010002



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b405f8cd04ececce4006d99c96adc4df5751eccc


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add pound

2019-07-15 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b369c8de by Abhijith PA at 2019-07-15T06:02:52Z
data/dla-needed.txt: Add pound

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -99,6 +99,9 @@ otrs2 (Abhijith PA)
 --
 php5
 --
+pound
+  NOTE: 20190715: 
https://salsa.debian.org/debian/pound/blob/jessie/debian/patches/0009-CVE-2016-1071.patch
+--
 qemu
   NOTE: 20190528: An upload candidate is waiting for being tested on real 
hardware.
   NOTE: 20190528: Still need to set up a notebook with jessie installed for 
testing.
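Review bot: the new pound entry records which patch exists (0009-CVE-2016-1071.patch in the jessie packaging branch) but not which CVE(s) are actually open against pound in jessie, which is what a dla-needed entry is for; add the CVE id(s) from the tracker to the entry, and check that the id embedded in that patch file name matches the tracker's entry for the issue, since a mistyped id in a patch name tends to be copied into the changelog and the DLA text.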



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b369c8de14040d3bb15a12292a03b0ba63eefb0e
