[Git][security-tracker-team/security-tracker][master] Add some ancient linux CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f083ae8 by Salvatore Bonaccorso at 2019-07-28T06:18:20Z Add some ancient linux CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,27 @@ +CVE-2017-18379 [nvmet-fc: ensure target queue id within range] + - linux 4.14.2-1 + NOTE: https://git.kernel.org/linus/0c319d3a144d4b8f1ea2047fd614d2149b68f889 +CVE-2016-10764 [mtd: spi-nor: Off by one in cqspi_setup_flash()] + - linux 4.9.6-1 + NOTE: https://git.kernel.org/linus/193e87143c290ec16838f5368adc0e0bc94eb931 +CVE-2015-9289 [[media] cx24116: fix a buffer overflow when checking userspace params] + - linux 4.1.5-1 + NOTE: https://git.kernel.org/linus/1fa2337a315a2448c5434f41e00d56b01a22283c +CVE-2012-6712 [iwlwifi: Sanity check for sta_id] + - linux 3.8.11-1 + NOTE: https://git.kernel.org/linus/2da424b0773cea3db47e1e81db71eeebde8269d4 +CVE-2011-5327 [loopback: off by one in tcm_loop_make_naa_tpg()] + - linux (Fixed before src:linux-2.6 -> src:linux rename) + NOTE: https://git.kernel.org/linus/12f09ccb4612734a53e47ed5302e0479c10a50f8 +CVE-2010-5332 [mlx4_en: Fix out of bounds array access] + - linux (Fixed before src:linux-2.6 -> src:linux rename) + NOTE: https://git.kernel.org/linus/0926f91083f34d047abc74f1ca4fa6a9c161f7db +CVE-2010-5331 [drivers/gpu/drm/radeon/radeon_atombios.c: range check issues] + - linux (Fixed before src:linux-2.6 -> src:linux rename) + NOTE: https://git.kernel.org/linus/0031c41be5c529f8329e327b63cde92ba1284842 +CVE-2007-6762 [NetLabel: correct CIPSO tag handling when adding new DOI definitions] + - linux (Fixed before src:linux-2.6 -> src:linux rename) + NOTE: https://git.kernel.org/linus/2a2f11c227bdf292b3a2900ad04139d301b56ac4 CVE-2019-14296 (canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause ...) 
- upx-ucl (unimportant; bug #933232) NOTE: https://github.com/upx/upx/issues/287 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f083ae82e92291ce1d13a15c13ea3f3259bcb42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f083ae82e92291ce1d13a15c13ea3f3259bcb42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
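Review bot: the eight new linux entries carry only an unstable fixed version (or the pre-rename marker) and no per-release annotation, so the tracker will derive the status of the older suites purely from version comparison. For the four entries with a versioned fix (CVE-2017-18379 in 4.14.2-1, CVE-2016-10764 in 4.9.6-1, CVE-2015-9289 in 4.1.5-1, CVE-2012-6712 in 3.8.11-1) check whether the referenced upstream commit was backported to the kernel shipped in each supported suite and add a [stretch]/[jessie] line where it was not, as the other entries in this file do; otherwise those suites show as vulnerable to an issue that may already be fixed in the stable kernel series.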
[Git][security-tracker-team/security-tracker][master] Add Debian bug number reference for upx-ucl issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5374eaca by Salvatore Bonaccorso at 2019-07-27T21:03:14Z Add Debian bug number reference for upx-ucl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2019-14296 (canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause ...) - - upx-ucl (unimportant) + - upx-ucl (unimportant; bug #933232) NOTE: https://github.com/upx/upx/issues/287 NOTE: https://github.com/upx/upx/commit/276b748aa6021c38a2dc699153f61b10e76bc3d2 CVE-2019-14295 (An Integer overflow in the getElfSections function in p_vmlinx.cpp in ...) - - upx-ucl (unimportant) + - upx-ucl (unimportant; bug #933232) NOTE: https://github.com/upx/upx/issues/286 NOTE: https://github.com/upx/upx/commit/58b122d97da1e02dfec24b10b6b8f56218b5622c NOTE: https://github.com/upx/upx/commit/6a53c0b3d499d62346a5c51034db543a4ef78ea3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5374eacabb86acf47da1159cf84b4ff3abd06928
[Git][security-tracker-team/security-tracker][master] Add commit reference for CVE-2019-14295
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 43d65e59 by Salvatore Bonaccorso at 2019-07-27T20:52:28Z Add commit reference for CVE-2019-14295 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,6 +5,7 @@ CVE-2019-14296 (canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to CVE-2019-14295 (An Integer overflow in the getElfSections function in p_vmlinx.cpp in ...) - upx-ucl (unimportant) NOTE: https://github.com/upx/upx/issues/286 + NOTE: https://github.com/upx/upx/commit/58b122d97da1e02dfec24b10b6b8f56218b5622c NOTE: https://github.com/upx/upx/commit/6a53c0b3d499d62346a5c51034db543a4ef78ea3 CVE-2019-14294 (An issue was discovered in Xpdf 4.01.01. There is a use-after-free in ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43d65e596202c2477e89c195e789bbedd6773047
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1429{5,6}/upx-ucl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e262c02b by Salvatore Bonaccorso at 2019-07-27T20:48:55Z Add CVE-2019-1429{5,6}/upx-ucl For the classification follow the same strategy as done for the other upx-ucl issues. The impact is very negligible and upstream will likely dispute the whole as valid security impacting issues. Mark those exceptionally straight as unimportant. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,11 @@ CVE-2019-14296 (canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause ...) - TODO: check + - upx-ucl (unimportant) + NOTE: https://github.com/upx/upx/issues/287 + NOTE: https://github.com/upx/upx/commit/276b748aa6021c38a2dc699153f61b10e76bc3d2 CVE-2019-14295 (An Integer overflow in the getElfSections function in p_vmlinx.cpp in ...) - TODO: check + - upx-ucl (unimportant) + NOTE: https://github.com/upx/upx/issues/286 + NOTE: https://github.com/upx/upx/commit/6a53c0b3d499d62346a5c51034db543a4ef78ea3 CVE-2019-14294 (An issue was discovered in Xpdf 4.01.01. There is a use-after-free in ...) TODO: check CVE-2019-14293 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e262c02bb8395bc95abf70033e31aea7db8a24e6
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c997f7b by Salvatore Bonaccorso at 2019-07-27T20:21:10Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2019-14288 (An issue was discovered in Xpdf 4.01.01. There is an Integer ove CVE-2019-14287 RESERVED CVE-2019-14286 (In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnera ...) - TODO: check + NOT-FOR-US: MISP CVE-2019-14285 RESERVED CVE-2015-9288 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6c997f7bfdccae7fe9429acf60801c5736e0894b
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c499098 by security tracker role at 2019-07-27T20:10:22Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,29 @@ +CVE-2019-14296 (canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause ...) + TODO: check +CVE-2019-14295 (An Integer overflow in the getElfSections function in p_vmlinx.cpp in ...) + TODO: check +CVE-2019-14294 (An issue was discovered in Xpdf 4.01.01. There is a use-after-free in ...) + TODO: check +CVE-2019-14293 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) + TODO: check +CVE-2019-14292 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) + TODO: check +CVE-2019-14291 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) + TODO: check +CVE-2019-14290 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) + TODO: check +CVE-2019-14289 (An issue was discovered in Xpdf 4.01.01. There is an integer overflow ...) + TODO: check +CVE-2019-14288 (An issue was discovered in Xpdf 4.01.01. There is an Integer overflow ...) + TODO: check +CVE-2019-14287 + RESERVED +CVE-2019-14286 (In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnera ...) + TODO: check +CVE-2019-14285 + RESERVED +CVE-2015-9288 + RESERVED CVE-2019-133 REJECTED CVE-2019-14284 (In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a deni ...) 
@@ -1387,13 +1413,13 @@ CVE-2019-13640 (In qBittorrent before 4.1.7, the function Application::runExtern CVE-2019-13639 RESERVED CVE-2019-13638 (GNU patch through 2.7.6 is vulnerable to OS shell command injection th ...) - {DLA-1864-1} + {DSA-4489-1 DLA-1864-1} - patch 2.7.6-5 NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 CVE-2019-13637 (In LogMeIn join.me before 3.16.0.5505, an attacker could execute arbit ...) NOT-FOR-US: LogMeIn join.me CVE-2019-13636 (In GNU patch through 2.7.6, the following of symlinks is mishandled in ...) - {DLA-1856-1} + {DSA-4489-1 DLA-1856-1} - patch 2.7.6-5 (bug #932401) NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a CVE-2019-13635 @@ -6013,7 +6039,7 @@ CVE-2019-12224 CVE-2019-12223 RESERVED CVE-2019-1 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - {DLA-1861-1} + {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) @@ -6023,7 +6049,7 @@ CVE-2019-1 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4621 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - {DLA-1861-1} + {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) 
@@ -6033,7 +6059,7 @@ CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4628 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - {DLA-1861-1} + {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) @@ -6043,7 +6069,7 @@ CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4627 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - {DLA-1861-1} + {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) @@ -6053,7 +6079,7 @@ CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4625 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - {DLA-1861-1} + {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image (Minor issue)
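Review bot: the entry rendered as CVE-2019-1, sitting between CVE-2019-12223 and CVE-2019-12221 with the same libsdl2-image description, bug #932754 and DLA references as its neighbours, looks like a truncated identifier in this rendering rather than a real id; verify that data/CVE/list carries the full id before the DLA-1865-1 cross-reference added here is relied on, since a mangled id would silently detach the advisory from that issue. The DSA-4489-1 additions to CVE-2019-13636 and CVE-2019-13638 match the DSA/list entry reserved in commit aceb3abd.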
[Git][security-tracker-team/security-tracker][master] swftools removed from unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31a54c53 by Salvatore Bonaccorso at 2019-07-27T19:00:15Z swftools removed from unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -93870,7 +93870,7 @@ CVE-2017-16892 (In Bftpd before 4.7, there is a memory leak in the file rename f CVE-2017-16891 RESERVED CVE-2017-16890 (SWFTools 0.9.2 has a divide-by-zero error in the wav_convert2mono func ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/57 NOTE: Crash in CLI tool, no security impact CVE-2017-16889 @@ -94062,7 +94062,7 @@ CVE-2017-16869 (** DISPUTED ** p_mach.cpp in UPX 3.94 allows remote attackers to NOTE: https://github.com/upx/upx/issues/146 NOTE: crash in CLI tool, no security impact CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c does not ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/52 NOTE: Crash in CLI tool, no security impact CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 deauthentica ...) 
@@ -94153,31 +94153,31 @@ CVE-2017-1000189 (nodejs ejs version older than 2.5.5 is vulnerable to a denial- CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scri ...) NOT-FOR-US: nodejs ejs CVE-2017-1000187 (In SWFTools, an address access exception was found in pdf2swf. FoFiTru ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/36 NOTE: Crash in CLI tool, no security implications CVE-2017-1000186 (In SWFTools, a stack overflow was found in pdf2swf. ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/34 NOTE: Crash in CLI tool, no security implications CVE-2017-1000185 (In SWFTools, a memcpy buffer overflow was found in gif2swf. ...) - - swftools + - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/33 CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/30 NOTE: Crash in CLI tool, no security implications CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...) - - swftools + - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/23 CVE-2017-1000174 (In SWFTools, an address access exception was found in swfdump swf_GetB ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/21 NOTE: Crash in CLI tool, no security implications CVE-2017-1000173 (Creolabs Gravity Version: 1.0 Heap Overflow Potential Code Execution. ...) 
@@ -94605,23 +94605,23 @@ CVE-2017-16799 (In CMS Made Simple 2.2.3.1, in modules/New/action.addcategory.ph CVE-2017-16798 (In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules ...) NOT-FOR-US: CMS Made Simple CVE-2017-16797 (In SWFTools 0.9.2, the png_load function in lib/png.c does not properl ...) - - swftools + - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/51 CVE-2017-16796 (In SWFTools 0.9.2, the png_load function in lib/png.c does not check t ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/51 NOTE: Crash in CLI tool, no security implications CVE-2017-16795 RESERVED CVE-2017-16794 (The png_load function in lib/png.c in SWFTools 0.9.2 does not properly ...) - - swftools (unimportant) + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/50 NOTE: Crash in CLI tool, no security implications CVE-2017-16793 (The wav_convert2mono function in lib/wav.c in SWFTools 0.9.2 does not ...) - - swftools + - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) @@ -94799,7 +94799,7 @@ CVE-2017-16713 CVE-2017-16712 RESERVED CVE-2017-16711 (The swf_DefineLosslessBitsTagToImag
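Review bot: every +/- pair in these hunks renders identical (for example "- - swftools (unimportant)" against "+ - swftools (unimportant)"), which cannot be the intended change for a commit titled "swftools removed from unstable"; the tracker records that state with a marker in angle brackets after the package name, and such a token would be stripped as markup in this rendering, so confirm the committed lines actually carry it. Also worth checking: the entries that keep "[stretch]/[jessie]/[wheezy] - swftools (Minor issue)" without an unstable fixed version (CVE-2017-1000185, CVE-2017-1000176, CVE-2017-16797, CVE-2017-16793) will now have no fixed version anywhere, so they remain open for the release suites with no owner in unstable.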
[Git][security-tracker-team/security-tracker][master] Correct sdl-image1.2 version for DLA-1865-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ae944b82 by Salvatore Bonaccorso at 2019-07-27T18:34:51Z Correct sdl-image1.2 version for DLA-1865-1 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,6 +1,6 @@ [27 Jul 2019] DLA-1865-1 sdl-image1.2 - security update {CVE-2018-3977 CVE-2019-5051 CVE-2019-5052 CVE-2019-7635 CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-1} - [jessie] - sdl-image1.2 1.2.12-5+deb9u2 + [jessie] - sdl-image1.2 1.2.12-5+deb8u2 [25 Jul 2019] DLA-1864-1 patch - security update {CVE-2019-13638} [jessie] - patch 2.7.5-1+deb8u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae944b82391ac5e333a0d0242357e324a4c441d7
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1865-1 for sdl-image1.2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a3b1656 by Hugo Lefeuvre at 2019-07-27T18:22:29Z Reserve DLA-1865-1 for sdl-image1.2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Jul 2019] DLA-1865-1 sdl-image1.2 - security update + {CVE-2018-3977 CVE-2019-5051 CVE-2019-5052 CVE-2019-7635 CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-1} + [jessie] - sdl-image1.2 1.2.12-5+deb9u2 [25 Jul 2019] DLA-1864-1 patch - security update {CVE-2019-13638} [jessie] - patch 2.7.5-1+deb8u3 = data/dla-needed.txt = @@ -102,10 +102,6 @@ ruby-openid NOTE: 20190710: I'm at a loss to how to continue persuing this issue (see https://github.com/openid/ruby-openid/issues/122) so returning to the pool. (lamby) NOTE: 20190726: Still unknown how to fix (see aforementioned github issue) (lamby) -- -sdl-image1.2 (Hugo Lefeuvre) - NOTE: 20190724: update prepared and tested. - NOTE: currently coordinating with maintainer for bullseye before proceeding to jessie upload --- slurm-llnl -- sox View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a3b1656614811437d38693208e172592c4af52b
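Review bot: the new DLA-1865-1 entry gives "[jessie] - sdl-image1.2 1.2.12-5+deb9u2", but a jessie upload carries a +deb8uN suffix (compare "[jessie] - patch 2.7.5-1+deb8u3" in the DLA-1864-1 entry just below); deb9u2 names a stretch revision, and the tracker would compare it against the wrong suite. The follow-up commit ae944b82 corrects it to 1.2.12-5+deb8u2. The last identifier in the CVE set, rendered as CVE-2019-1 after CVE-2019-12221, also looks truncated in this rendering; verify it against data/CVE/list, since the DLA text and the per-CVE cross-references are generated from this line.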
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for patch update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aceb3abd by Salvatore Bonaccorso at 2019-07-27T17:37:59Z Reserve DSA number for patch update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[27 Jul 2019] DSA-4489-1 patch - security update + {CVE-2019-13636 CVE-2019-13638} + [stretch] - patch 2.7.5-1+deb9u2 + [buster] - patch 2.7.6-3+deb10u1 [25 Jul 2019] DSA-4488-1 exim4 - security update {CVE-2019-13917} [stretch] - exim4 4.89-2+deb9u5 = data/dsa-needed.txt = @@ -50,9 +50,6 @@ openjdk-8/oldstable (jmm) -- openjdk-11/stable (jmm) -- -patch (carnil) - Maintainer preparing updates --- poppler (jmm) -- proftpd-dfsg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aceb3abd906d67db35ccca2895ab157ecdb33772
[Git][security-tracker-team/security-tracker][master] Track proposed update for libsdl2-image for stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fbb40cf1 by Salvatore Bonaccorso at 2019-07-27T16:46:18Z Track proposed update for libsdl2-image for stretch-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -101,3 +101,25 @@ CVE-2019-10153 [stretch] - fence-agents 4.0.25-1+deb9u1 CVE-2016-10711 [stretch] - pound 2.7-1.3+deb9u1 +CVE-2018-3977 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-5052 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-5051 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-7635 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-12216 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-12217 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-12218 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-12219 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-12220 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-12221 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 +CVE-2019-1 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbb40cf1f4eb481debf111362fdae4ea2d7ef2ad
[Git][security-tracker-team/security-tracker][master] CVE-2019-12730/ffmpeg fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9447249b by Salvatore Bonaccorso at 2019-07-27T14:44:51Z CVE-2019-12730/ffmpeg fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4757,7 +4757,7 @@ CVE-2019-12731 (The Windows versions of Snapview Mikogo, versions before 5.10.2 NOT-FOR-US: Snapview Mikogo CVE-2019-12730 (aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x ...) {DSA-4449-1} - - ffmpeg (low; bug #932469) + - ffmpeg 7:4.1.4-1 (low; bug #932469) [buster] - ffmpeg (Minor issue, wait until fixed in 4.1.x branch) NOTE: https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b CVE-2019-12729 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9447249b03e28c1743612d18c95788b0b78a7501
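Review bot: the unchanged "[buster] - ffmpeg (Minor issue, wait until fixed in 4.1.x branch)" line is now stale, because the fixed version recorded on the line above, 7:4.1.4-1, is itself a 4.1.x release; the condition the buster annotation waits for has been met, so it should be revisited in the same commit (either a buster fixed version once 4.1.4 is uploaded to buster, or an updated reason such as pointing at the planned point update), otherwise the entry keeps telling readers to wait for something that already happened.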
[Git][security-tracker-team/security-tracker][master] Add information on CVE-2019-14282
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 42fd87ee by Salvatore Bonaccorso at 2019-07-27T13:17:22Z Add information on CVE-2019-14282 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47,7 +47,8 @@ CVE-2019-1020001 CVE-2018-20857 (Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as ...) NOT-FOR-US: Zendesk Samlr CVE-2019-14282 (The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org ...) - TODO: check + - ruby-simple-captcha2 (Backdoored versions not available in a Debian release) + NOTE: https://github.com/rubygems/rubygems.org/issues/2073 CVE-2019-14281 (The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, inclu ...) TODO: check CVE-2019-14280 (In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42fd87791810f9672723941f10967cd53aa5
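Review bot: the new line "- ruby-simple-captcha2 (Backdoored versions not available in a Debian release)" has neither a fixed version nor a status token between the package name and the parenthetical, so as rendered the tracker would list the package as vulnerable and unfixed in every suite, contradicting the note itself; if the committed line carries the tracker's angle-bracket not-affected marker it has been stripped as markup in this rendering, otherwise one needs to be added. It would also help to state in a NOTE which gem versions were backdoored and which version Debian ships, so the not-affected claim can be re-checked without following the rubygems.org issue.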
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-13012/glib2.0 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 215b3fae by Salvatore Bonaccorso at 2019-07-27T12:02:43Z Mark CVE-2019-13012/glib2.0 as no-dsa There are a couple of mitigations in place which make the whole issue less urgent and can be fixed via a point release. Detailed explanation on mitigation factors given by Simon McVittie in https://bugs.debian.org/931234#12 . - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5419,6 +5419,8 @@ CVE-2019-12451 CVE-2019-13012 (The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1 ...) [experimental] - glib2.0 2.60.0-1 - glib2.0 2.60.5-1 (bug #931234) + [buster] - glib2.0 (Minor issue) + [stretch] - glib2.0 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1658 NOTE: https://gitlab.gnome.org/GNOME/glib/merge_requests/450 NOTE: https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/215b3fae8d99fd787a1ce7fa47121e61470ac1fb
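Review bot: the two added "(Minor issue)" lines record the no-dsa decision for buster and stretch, but the commit message says the issue should be fixed via a point release, and nothing in the hunk tracks that; if that is the plan, the entry also belongs in the point-update tracking files (data/next-oldstable-point-update.txt is used for the libsdl2-image stretch-pu entries elsewhere in this digest) so the fix is not lost once the no-dsa marker hides it from the DSA queue. A NOTE summarising the mitigating factors from https://bugs.debian.org/931234#12 next to the upstream links would let readers of the list file see why the keyfile backend issue was downgraded without opening the bug.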
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-13012/glib2.0
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8910ae08 by Salvatore Bonaccorso at 2019-07-27T11:58:09Z Add fixed version via unstable for CVE-2019-13012/glib2.0 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5418,7 +5418,7 @@ CVE-2019-12451 RESERVED CVE-2019-13012 (The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1 ...) [experimental] - glib2.0 2.60.0-1 - - glib2.0 (bug #931234) + - glib2.0 2.60.5-1 (bug #931234) NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1658 NOTE: https://gitlab.gnome.org/GNOME/glib/merge_requests/450 NOTE: https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8910ae083708e950c9d900c0173e9ae8dd335a17
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ecdb7906 by Salvatore Bonaccorso at 2019-07-27T08:54:18Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2509,7 +2509,7 @@ CVE-2019-13590 (An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h CVE-2019-13589 (The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, incl ...) NOT-FOR-US: backdoor in paranoid_2 gem, different from src:ruby-paranoia CVE-2019-13588 (A cross-site scripting (XSS) vulnerability in getPagingStart() in core ...) - TODO: check + NOT-FOR-US: WIKINDX CVE-2019-13587 RESERVED CVE-2019-13586 
@@ -10984,15 +10984,15 @@ CVE-2019-10269 (BWA (aka Burrow-Wheeler Aligner) before 2019-01-23 has a stack-b CVE-2019-10268 REJECTED CVE-2019-10267 (An insecure file upload and code execution issue was discovered in Ahs ...) - TODO: check + NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10266 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) - TODO: check + NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10265 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. O ...) - TODO: check + NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10264 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) - TODO: check + NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10263 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) - TODO: check + NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10262 (A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_ ...) NOT-FOR-US: BlueCMS CVE-2019-1002162 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecdb7906ec01196e31e0a648d6af9cd553ecc1a4
[Git][security-tracker-team/security-tracker][master] Remove todo item for CVE-2019-1000033
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03b48062 by Salvatore Bonaccorso at 2019-07-27T08:47:14Z Remove todo item for CVE-2019-133 This was a duplicate reservation for the already assigned CVE-2019-1010259. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,6 +1,5 @@ CVE-2019-133 REJECTED - TODO: check CVE-2019-14284 (In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a deni ...) - linux NOTE: Fixed by: https://git.kernel.org/linus/f3554aeb991214cbfafd17d55e2bfddb50282e32 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03b48062a90fd504da8b04273613ce9f9bce581d
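Review bot: the entry being edited is shown as "CVE-2019-133 REJECTED", while the commit subject names CVE-2019-1000033 and the message refers to the already assigned CVE-2019-1010259; the identifier in the hunk appears truncated in this rendering, so verify that data/CVE/list carries the full id and that the REJECTED line really belongs to the 1000033 reservation and not to another record. Dropping the "TODO: check" while leaving the REJECTED line in place is the right outcome, since a rejected id needs no triage and the surviving line documents why.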
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-14275/fig2dev in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d6874b1 by Salvatore Bonaccorso at 2019-07-27T08:43:21Z Add fixed version for CVE-2019-14275/fig2dev in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62,7 +62,7 @@ CVE-2019-14277 (Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with c CVE-2019-14276 RESERVED CVE-2019-14275 (Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arro ...) - - fig2dev (unimportant; bug #933075) + - fig2dev 1:3.2.7a-7 (unimportant; bug #933075) - transfig (unimportant) NOTE: https://sourceforge.net/p/mcj/tickets/52/ NOTE: Crash in CLI tool, no security impact, hardening build View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d6874b113308656276e51796a32cd4046b738bc
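Review bot: only fig2dev gains a fixed version (1:3.2.7a-7) in this hunk; the `- transfig (unimportant)` line directly below it still carries no version. If the transfig source is unaffected or no longer needs a fix, a short NOTE saying so would stop the entry from being re-triaged as open; otherwise it needs its own fixed version. The two existing NOTE lines (the sourceforge ticket and "Crash in CLI tool, no security impact, hardening build") already justify the unimportant rating, so nothing further is needed there.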
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab212eec by security tracker role at 2019-07-27T08:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2019-133 + REJECTED + TODO: check CVE-2019-14284 (In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a deni ...) - linux NOTE: Fixed by: https://git.kernel.org/linus/f3554aeb991214cbfafd17d55e2bfddb50282e32 @@ -2506,8 +2509,8 @@ CVE-2019-13590 (An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h NOTE: https://sourceforge.net/p/sox/bugs/325/ CVE-2019-13589 (The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, incl ...) NOT-FOR-US: backdoor in paranoid_2 gem, different from src:ruby-paranoia -CVE-2019-13588 - RESERVED +CVE-2019-13588 (A cross-site scripting (XSS) vulnerability in getPagingStart() in core ...) + TODO: check CVE-2019-13587 RESERVED CVE-2019-13586 
@@ -10981,16 +10984,16 @@ CVE-2019-10269 (BWA (aka Burrow-Wheeler Aligner) before 2019-01-23 has a stack-b NOTE: https://github.com/lh3/bwa/commit/20d0a13092aa4cb73230492b05f9697d5ef0b88e CVE-2019-10268 REJECTED -CVE-2019-10267 - RESERVED -CVE-2019-10266 - RESERVED -CVE-2019-10265 - RESERVED -CVE-2019-10264 - RESERVED -CVE-2019-10263 - RESERVED +CVE-2019-10267 (An insecure file upload and code execution issue was discovered in Ahs ...) + TODO: check +CVE-2019-10266 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) + TODO: check +CVE-2019-10265 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. O ...) + TODO: check +CVE-2019-10264 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) + TODO: check +CVE-2019-10263 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) + TODO: check CVE-2019-10262 (A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_ ...) NOT-FOR-US: BlueCMS CVE-2019-1002162 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab212eec34f2367d48feaab12fd682fb01cb80a8
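Review bot: a `TODO: check` marker under a `REJECTED` entry (CVE-2019-133, first hunk) only creates manual cleanup work: a rejected identifier has nothing left to check, and the very next manual commit on this page (03b48062) exists solely to delete that line. Have the automatic update skip the TODO marker whenever the new entry's status is REJECTED.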
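Review bot: the RESERVED-to-description transitions for CVE-2019-10263 through CVE-2019-10267 (third hunk) are correctly tagged `TODO: check` for an automatic update, but the stored summaries are cut at a fixed width, so the product name survives only on some of them (the CVE-2019-10267 line ends at "Ahs ..."). Whoever resolves these should work from the full MITRE text rather than the list line, and record the product in the resulting NOT-FOR-US or package line so the truncation does not matter later.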
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1010259/salt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: acd77b48 by Salvatore Bonaccorso at 2019-07-27T07:08:52Z Add CVE-2019-1010259/salt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12284,7 +12284,8 @@ CVE-2019-1010261 (Gitea 1.7.0 and earlier is affected by: Cross Site Scripting ( CVE-2019-1010260 (Using ktlint to download and execute custom rulesets can result in arb ...) NOT-FOR-US: ktlint CVE-2019-1010259 (SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impac ...) - TODO: check + - salt 2018.3.4~git20180207+dfsg1-1 + NOTE: https://github.com/saltstack/salt/pull/51462 CVE-2019-1010258 (nanosvg library nanosvg after commit c1f6e209c16b18b46aa9f45d7e619acf4 ...) NOT-FOR-US: nanosvg CVE-2019-1010257 (An Information Disclosure / Data Modification issue exists in article2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/acd77b489061634da56c662f975c0f1d089806fd
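Review bot: the fix reference for salt is a bare `NOTE: <PR URL>`, whereas the floppy.c entry elsewhere on this page records its fix as `NOTE: Fixed by: <url>`; use the same form so the link is recognisably the fix rather than background reading. The fixed version 2018.3.4~git20180207+dfsg1-1 is a git snapshot string, so the claim that it already carries the change from saltstack/salt pull 51462 deserves a check against the packaged source, and a bug number (as the fig2dev entry carries with bug #933075) would make the fix easier to track.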