[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim nghttp2

2019-08-30 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ff5539e by Abhijith PA at 2019-08-31T02:01:12Z
data/dla-needed.txt: claim nghttp2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -101,7 +101,7 @@ milkytracker
 --
 mongodb (Abhijith PA)
 --
-nghttp2
+nghttp2 (Abhijith PA)
 --
 pump (Chris Lamb)
   NOTE: 20190830: See #933674 for a possible fix / patch. (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ff5539e410fa1c96bc445193b50561d0fa08f17

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ff5539e410fa1c96bc445193b50561d0fa08f17
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] claim cimg

2019-08-30 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66f03364 by Thorsten Alteholz at 2019-08-30T21:13:12Z
claim cimg

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -20,7 +20,7 @@ ansible (Roberto C. Sánchez)
   NOTE: 20190828: with policy in mind that we also work on  issues 
whereas
   NOTE: 20190828: the security team would not.
 --
-cimg
+cimg (Thorsten Alteholz)
   NOTE: inline function load_network_external is affected, variable filename
 --
 clamav (Hugo Lefeuvre)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/66f03364a695552f28c5857740b97aec7cb89df8


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1904-1 for libextractor

2019-08-30 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e276d20 by Thorsten Alteholz at 2019-08-30T21:03:47Z
Reserve DLA-1904-1 for libextractor

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Aug 2019] DLA-1904-1 libextractor - security update
+   {CVE-2019-15531}
+   [jessie] - libextractor 1:1.3-2+deb8u5
 [29 Aug 2019] DLA-1903-1 subversion - security update
{CVE-2018-11782 CVE-2019-0203}
[jessie] - subversion 1.8.10-6+deb8u7


=
data/dla-needed.txt
=
@@ -69,8 +69,6 @@ libcommons-compress-java
 --
 libcrypto++
 --
-libextractor (Thorsten Alteholz)
---
 libgcrypt20 (Mike Gabriel)
 --
 libmatio (Adrian Bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4e276d201681852f766d4ae2418ac7c7e989808b


[Git][security-tracker-team/security-tracker][master] Process several NFUs

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
359d0c73 by Salvatore Bonaccorso at 2019-08-30T20:21:14Z
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,59 +5,59 @@ CVE-2019-15844
 CVE-2019-15843
RESERVED
 CVE-2019-15842 (The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for 
WordPress  ...)
-   TODO: check
+   NOT-FOR-US: easy-pdf-restaurant-menu-upload plugin for WordPress
 CVE-2019-15841 (The facebook-for-woocommerce plugin before 1.9.15 for 
WordPress has CS ...)
-   TODO: check
+   NOT-FOR-US: facebook-for-woocommerce plugin for WordPress
 CVE-2019-15840 (The facebook-for-woocommerce plugin before 1.9.14 for 
WordPress has CS ...)
-   TODO: check
+   NOT-FOR-US: facebook-for-woocommerce plugin for WordPress
 CVE-2019-15839 (The sina-extension-for-elementor plugin before 2.2.1 for 
WordPress has ...)
-   TODO: check
+   NOT-FOR-US: sina-extension-for-elementor plugin for WordPress
 CVE-2019-15838 (The custom-404-pro plugin before 3.2.8 for WordPress has 
reflected XSS ...)
-   TODO: check
+   NOT-FOR-US: custom-404-pro plugin for WordPress
 CVE-2019-15837 (The webp-express plugin before 0.14.8 for WordPress has stored 
XSS. ...)
-   TODO: check
+   NOT-FOR-US: webp-express plugin for WordPress
 CVE-2019-15836 (The wp-ultimate-recipe plugin before 3.12.7 for WordPress has 
stored X ...)
-   TODO: check
+   NOT-FOR-US: wp-ultimate-recipe plugin for WordPress
 CVE-2019-15835 (The wp-better-permalinks plugin before 3.0.5 for WordPress has 
CSRF. ...)
-   TODO: check
+   NOT-FOR-US: wp-better-permalinks plugin for WordPress
 CVE-2019-15834 (The webp-converter-for-media plugin before 1.0.3 for WordPress 
has CSR ...)
-   TODO: check
+   NOT-FOR-US: webp-converter-for-media plugin for WordPress
 CVE-2019-15833 (The simple-mail-address-encoder plugin before 1.7 for 
WordPress has re ...)
-   TODO: check
+   NOT-FOR-US: simple-mail-address-encoder plugin for WordPress
 CVE-2019-15832 (The visitors-traffic-real-time-statistics plugin before 1.13 
for WordP ...)
-   TODO: check
+   NOT-FOR-US: visitors-traffic-real-time-statistics plugin for WordPress
 CVE-2019-15831 (The visitors-traffic-real-time-statistics plugin before 1.12 
for WordP ...)
-   TODO: check
+   NOT-FOR-US: visitors-traffic-real-time-statistics plugin for WordPress
 CVE-2019-15830 (The icegram plugin before 1.10.29 for WordPress has 
ig_cat_list XSS. ...)
-   TODO: check
+   NOT-FOR-US: icegram plugin for WordPress
 CVE-2019-15829 (The photoblocks-grid-gallery plugin before 1.1.33 for 
WordPress has wp ...)
-   TODO: check
+   NOT-FOR-US: photoblocks-grid-gallery plugin for WordPress
 CVE-2019-15828 (The one-click-ssl plugin before 1.4.7 for WordPress has CSRF. 
...)
-   TODO: check
+   NOT-FOR-US: one-click-ssl plugin for WordPress
 CVE-2019-15827 (The onesignal-free-web-push-notifications plugin before 1.17.8 
for Wor ...)
-   TODO: check
+   NOT-FOR-US: onesignal-free-web-push-notifications plugin for WordPress
 CVE-2019-15826 (The wps-hide-login plugin before 1.5.3 for WordPress has a 
protection  ...)
-   TODO: check
+   NOT-FOR-US: wps-hide-login plugin for WordPress
 CVE-2019-15825 (The wps-hide-login plugin before 1.5.3 for WordPress has an 
action=rp& ...)
-   TODO: check
+   NOT-FOR-US: wps-hide-login plugin for WordPress
 CVE-2019-15824 (The wps-hide-login plugin before 1.5.3 for WordPress has an 
adminhash  ...)
-   TODO: check
+   NOT-FOR-US: wps-hide-login plugin for WordPress
 CVE-2019-15823 (The wps-hide-login plugin before 1.5.3 for WordPress has an 
action=con ...)
-   TODO: check
+   NOT-FOR-US: wps-hide-login plugin for WordPress
 CVE-2019-15822 (The wps-child-theme-generator plugin before 1.2 for WordPress 
has clas ...)
-   TODO: check
+   NOT-FOR-US: wps-child-theme-generator plugin for WordPress
 CVE-2019-15821 (The bold-page-builder plugin before 2.3.2 for WordPress has no 
protect ...)
-   TODO: check
+   NOT-FOR-US: bold-page-builder plugin for WordPress
 CVE-2019-15820 (The login-or-logout-menu-item plugin before 1.2.0 for 
WordPress has no ...)
-   TODO: check
+   NOT-FOR-US: login-or-logout-menu-item plugin for WordPress
 CVE-2019-15819 (The nd-restaurant-reservations plugin before 1.5 for WordPress 
has no  ...)
-   TODO: check
+   NOT-FOR-US: nd-restaurant-reservations plugin for WordPress
 CVE-2019-15818 (The simple-301-redirects-addon-bulk-uploader plugin through 
1.2.4 for  ...)
-   TODO: check
+   NOT-FOR-US: simple-301-redirects-addon-bulk-uploader plugin for 
WordPress
 CVE-2019-15817 (The easy-property-listings plugin before 3.4 for WordPress has 
XSS. ...)
-   TODO: check
+   NOT-FOR-US: 

[Git][security-tracker-team/security-tracker][master] automatic update

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d0e50d8 by security tracker role at 2019-08-30T20:10:21Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,65 +1,71 @@
-CVE-2019-15842
+CVE-2019-15845
RESERVED
-CVE-2019-15841
+CVE-2019-15844
RESERVED
-CVE-2019-15840
-   RESERVED
-CVE-2019-15839
-   RESERVED
-CVE-2019-15838
-   RESERVED
-CVE-2019-15837
-   RESERVED
-CVE-2019-15836
-   RESERVED
-CVE-2019-15835
-   RESERVED
-CVE-2019-15834
-   RESERVED
-CVE-2019-15833
-   RESERVED
-CVE-2019-15832
-   RESERVED
-CVE-2019-15831
-   RESERVED
-CVE-2019-15830
-   RESERVED
-CVE-2019-15829
-   RESERVED
-CVE-2019-15828
-   RESERVED
-CVE-2019-15827
-   RESERVED
-CVE-2019-15826
-   RESERVED
-CVE-2019-15825
-   RESERVED
-CVE-2019-15824
-   RESERVED
-CVE-2019-15823
-   RESERVED
-CVE-2019-15822
-   RESERVED
-CVE-2019-15821
-   RESERVED
-CVE-2019-15820
-   RESERVED
-CVE-2019-15819
-   RESERVED
-CVE-2019-15818
-   RESERVED
-CVE-2019-15817
-   RESERVED
-CVE-2019-15816
+CVE-2019-15843
RESERVED
+CVE-2019-15842 (The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for 
WordPress  ...)
+   TODO: check
+CVE-2019-15841 (The facebook-for-woocommerce plugin before 1.9.15 for 
WordPress has CS ...)
+   TODO: check
+CVE-2019-15840 (The facebook-for-woocommerce plugin before 1.9.14 for 
WordPress has CS ...)
+   TODO: check
+CVE-2019-15839 (The sina-extension-for-elementor plugin before 2.2.1 for 
WordPress has ...)
+   TODO: check
+CVE-2019-15838 (The custom-404-pro plugin before 3.2.8 for WordPress has 
reflected XSS ...)
+   TODO: check
+CVE-2019-15837 (The webp-express plugin before 0.14.8 for WordPress has stored 
XSS. ...)
+   TODO: check
+CVE-2019-15836 (The wp-ultimate-recipe plugin before 3.12.7 for WordPress has 
stored X ...)
+   TODO: check
+CVE-2019-15835 (The wp-better-permalinks plugin before 3.0.5 for WordPress has 
CSRF. ...)
+   TODO: check
+CVE-2019-15834 (The webp-converter-for-media plugin before 1.0.3 for WordPress 
has CSR ...)
+   TODO: check
+CVE-2019-15833 (The simple-mail-address-encoder plugin before 1.7 for 
WordPress has re ...)
+   TODO: check
+CVE-2019-15832 (The visitors-traffic-real-time-statistics plugin before 1.13 
for WordP ...)
+   TODO: check
+CVE-2019-15831 (The visitors-traffic-real-time-statistics plugin before 1.12 
for WordP ...)
+   TODO: check
+CVE-2019-15830 (The icegram plugin before 1.10.29 for WordPress has 
ig_cat_list XSS. ...)
+   TODO: check
+CVE-2019-15829 (The photoblocks-grid-gallery plugin before 1.1.33 for 
WordPress has wp ...)
+   TODO: check
+CVE-2019-15828 (The one-click-ssl plugin before 1.4.7 for WordPress has CSRF. 
...)
+   TODO: check
+CVE-2019-15827 (The onesignal-free-web-push-notifications plugin before 1.17.8 
for Wor ...)
+   TODO: check
+CVE-2019-15826 (The wps-hide-login plugin before 1.5.3 for WordPress has a 
protection  ...)
+   TODO: check
+CVE-2019-15825 (The wps-hide-login plugin before 1.5.3 for WordPress has an 
action=rp& ...)
+   TODO: check
+CVE-2019-15824 (The wps-hide-login plugin before 1.5.3 for WordPress has an 
adminhash  ...)
+   TODO: check
+CVE-2019-15823 (The wps-hide-login plugin before 1.5.3 for WordPress has an 
action=con ...)
+   TODO: check
+CVE-2019-15822 (The wps-child-theme-generator plugin before 1.2 for WordPress 
has clas ...)
+   TODO: check
+CVE-2019-15821 (The bold-page-builder plugin before 2.3.2 for WordPress has no 
protect ...)
+   TODO: check
+CVE-2019-15820 (The login-or-logout-menu-item plugin before 1.2.0 for 
WordPress has no ...)
+   TODO: check
+CVE-2019-15819 (The nd-restaurant-reservations plugin before 1.5 for WordPress 
has no  ...)
+   TODO: check
+CVE-2019-15818 (The simple-301-redirects-addon-bulk-uploader plugin through 
1.2.4 for  ...)
+   TODO: check
+CVE-2019-15817 (The easy-property-listings plugin before 3.4 for WordPress has 
XSS. ...)
+   TODO: check
+CVE-2019-15816 (The wp-private-content-plus plugin before 2.0 for WordPress 
has no pro ...)
+   TODO: check
 CVE-2019-15815
RESERVED
 CVE-2019-15814
RESERVED
 CVE-2019-15813
RESERVED
-CVE-2015-9380
-   RESERVED
+CVE-2015-9380 (The photo-gallery plugin before 1.2.42 for WordPress has CSRF. 
...)
+   TODO: check
 CVE-2019-15812
RESERVED
 CVE-2019-15811 (In DomainMOD through 4.13, the parameter daterange in the file 
reporti ...)
@@ -555,8 +561,8 @@ CVE-2019-15632
RESERVED
 CVE-2019-15631
RESERVED
-CVE-2019-15630
-   RESERVED
+CVE-2019-15630 (Directory Traversal in APIkit, http-connector, and OAuth2 
Provider mod ...)
+   TODO: check
 CVE-2019-15629
RESERVED
 CVE-2019-15628
@@ -2278,8 

[Git][security-tracker-team/security-tracker][master] CVE-2019-10203/pdns fixed in unstable

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68300efb by Salvatore Bonaccorso at 2019-08-30T20:01:49Z
CVE-2019-10203/pdns fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16401,7 +16401,7 @@ CVE-2019-10204
RESERVED
 CVE-2019-10203 [PowerDNS Security Advisory 2019-06: Denial of service via 
crafted zone records]
RESERVED
-   - pdns  (low)
+   - pdns 4.2.0-1 (low)
[buster] - pdns  (Minor issue)
[stretch] - pdns  (Minor issue)
[jessie] - pdns  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/68300efbef4870fc610339858edc7bb2d3bef6f4


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15043/grafana

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8cded30 by Salvatore Bonaccorso at 2019-08-30T19:57:13Z
Add CVE-2019-15043/grafana

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2245,6 +2245,7 @@ CVE-2019-15044
RESERVED
 CVE-2019-15043
RESERVED
+   - grafana 
 CVE-2019-15042
RESERVED
 CVE-2019-15041
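Review bot: the new `- grafana` line carries no NOTE with an upstream reference, whereas the other entries touched in this digest record the advisory or fixing commit (compare the NOTE lines under CVE-2019-5477 and CVE-2019-13627). Suggest adding a `NOTE: <upstream advisory or fix URL>` line beneath it so the fixed version can be verified once it is filled in.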



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8cded30cfd2944f8759876dc2855dd1499090bf


[Git][security-tracker-team/security-tracker][master] Add rexical to CVE-2019-5477

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7b895dd3 by Salvatore Bonaccorso at 2019-08-30T19:52:53Z
Add rexical to CVE-2019-5477

The CVE was originally focused on Nokogiri itself and its use of the
generated code. But MITRE CNA confirmed that the scope can cover the
rexical change itself as vulnerability.

Thus track the issue for src:rexical itself.

Thanks: Mike Gabriel for the additional input to make this change.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29625,10 +29625,13 @@ CVE-2019-5479
 CVE-2019-5478
RESERVED
 CVE-2019-5477 (A command injection vulnerability in Nokogiri v1.10.3 and 
earlier allo ...)
+   - rexical 
- ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802)
NOTE: https://github.com/sparklemotion/nokogiri/issues/1915
NOTE: Processes are vulnerable only if the undocumented method 
Nokogiri::CSS::Tokenizer#load_file
NOTE: is being passed untrusted user input.
+   NOTE: 
https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
+   NOTE: Change in rexical is covered by the scope of this CVE.
 CVE-2019-5476 (An SQL Injection in the Nextcloud Lookup-Server  v0.3.0 
(running o ...)
TODO: check
 CVE-2019-5475
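Review bot: the added `- rexical` entry has no bug reference while the sibling `- ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802)` line does; since the commit now tracks the issue against src:rexical itself, a bug against rexical should be filed and recorded as `(bug #NNNNNN)` on that line so the package maintainer is notified the same way.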



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b895dd394de0b79d235556efcfadf800f070dac


[Git][security-tracker-team/security-tracker][master] CVE-2019-13627/libgcrypt20 fixed in unstable

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea0c5317 by Salvatore Bonaccorso at 2019-08-30T19:42:44Z
CVE-2019-13627/libgcrypt20 fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6402,7 +6402,7 @@ CVE-2019-13628
RESERVED
 CVE-2019-13627 [ECDSA timing attack]
RESERVED
-   - libgcrypt20  (bug #938938)
+   - libgcrypt20 1.8.5-1 (bug #938938)
- libgcrypt11 
NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b4327edc09f2231bc8b31521102c79
 (master)
NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d14407b51c8166c4dcecb56a3628567
 (master)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea0c531731d15cc20cba9600c57034448274ceae


[Git][security-tracker-team/security-tracker][master] Add apache2 to dsa-needed for potential regression

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a615635 by Salvatore Bonaccorso at 2019-08-30T19:40:58Z
Add apache2 to dsa-needed for potential regression

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -15,6 +15,9 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 389-ds-base (fw)
   Thorsten Alteholz proposed an update
 --
+apache2
+  Possible regression: #936034, sf will look into it
+--
 evince/oldstable
 --
 faad2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a615635446e354d178dced0319724c04808abe2


[Git][security-tracker-team/security-tracker][master] CVE-2018-10754 REJECTED by MITRE CNA

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28594633 by Salvatore Bonaccorso at 2019-08-30T19:39:07Z
CVE-2018-10754 REJECTED by MITRE CNA

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -45536,8 +45536,6 @@ CVE-2018-19211 (In ncurses 6.1, there is a NULL pointer 
dereference at function
[jessie] - ncurses  (Minor issue)
[wheezy] - ncurses  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643754
-   NOTE: Technically a duplicate of CVE-2018-10754, but kept separate by 
MITRE as per
-   NOTE: MITRE request 673089.
 CVE-2018-19210 (In LibTIFF 4.0.9, there is a NULL pointer dereference in the 
TIFFWrite ...)
{DLA-1680-1}
- tiff 4.0.10-4 (bug #913675)
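Review bot: dropping both "Technically a duplicate of CVE-2018-10754" NOTE lines removes the only cross-reference from CVE-2018-19211 to the now-rejected id. A single replacement line such as `NOTE: CVE-2018-10754 was REJECTED by MITRE; this id now covers the issue` would keep that history discoverable for anyone arriving via the old id.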
@@ -68176,13 +68174,8 @@ CVE-2018-10756
RESERVED
 CVE-2018-10755
REJECTED
-CVE-2018-10754 (In ncurses before 6.1.20180414, there is a NULL Pointer 
Dereference in ...)
-   - ncurses 6.1+20180210-3 (low)
-   [stretch] - ncurses  (Minor issue)
-   [jessie] - ncurses  (Minor issue)
-   [wheezy] - ncurses  (Minor issue)
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1566575
-   NOTE: https://invisible-island.net/ncurses/NEWS.html#t20180414
+CVE-2018-10754
+   REJECTED
 CVE-2018-10753 (Stack-based buffer overflow in the delayed_output function in 
music.c  ...)
- abcm2ps 8.14.2-0.1 (unimportant; bug #897966)
NOTE: https://github.com/leesavide/abcm2ps/issues/16
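Review bot: the removed CVE-2018-10754 block held the fixed version `ncurses 6.1+20180210-3` and two upstream references (Red Hat bug 1566575 and the ncurses NEWS entry for 20180414) that CVE-2018-19211 in the first hunk does not carry; it only lists bug 1643754. If the NEWS entry documents the fix for the same NULL pointer dereference, move that NOTE to CVE-2018-19211 rather than letting it disappear with the rejected entry.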



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2859463381e230bb675677c6c12d08efbe5aa615


[Git][security-tracker-team/security-tracker][master] Annotate CVE-2017-7481/ansible as not affecting jessie

2019-08-30 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7ddc451 by Roberto C. Sánchez at 2019-08-30T17:18:38Z
Annotate CVE-2017-7481/ansible as not affecting jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -128724,7 +128724,7 @@ CVE-2017-7482 (In the Linux kernel before version 
4.12, Kerberos 5 tickets decod
 CVE-2017-7481 (Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly 
mark loo ...)
- ansible 2.3.1.0+dfsg-1 (bug #862666)
[stretch] - ansible  (Minor issue)
-   [jessie] - ansible  (Minor issue)
+   [jessie] - ansible  (vulnerable code introduced in 
version 2.x)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1450018
NOTE: Fixed by: 
https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2
 CVE-2017-7480 (rkhunter versions before 1.4.4 are vulnerable to file download 
over in ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7ddc451594026b04685174ce4874feef8711b3b


[Git][security-tracker-team/security-tracker][master] CVE-2019-14466: syntax fix, make description temporary.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f7180f0 by Mike Gabriel at 2019-08-30T14:42:23Z
CVE-2019-14466: syntax fix, make description temporary.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3812,11 +3812,11 @@ CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in 
cb_push_op in cobc/field.c
NOTE: https://sourceforge.net/p/open-cobol/bugs/581/
 CVE-2019-14467
RESERVED
-CVE-2019-14466 (GOsa <= 2.7.5.2 uses unserialize to restore filter settings 
from a cookie. Since this cookie is supplied by the client, authenticated users 
can pass arbitrary content to unserialized, which opens GOsa up to a potential 
PHP object injection.)
+CVE-2019-14466 [GOsa <= 2.7.5.2 uses unserialize to restore filter settings 
from a cookie. Since this cookie is supplied by the client, authenticated users 
can pass arbitrary content to unserialized, which opens GOsa up to a potential 
PHP object injection.]
- gosa 
NOTE: 
https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b
 (fix)
NOTE: 
https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a
 (fixing the prev commit)
-   NOTE: 
https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100 
(unofficially made public here)
+   NOTE: 
https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100
 CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has 
a heap-b ...)
- schism 2:20190805-1 (bug #933807)
[buster] - schism  (Minor issue)
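Review bot: switching the description from parentheses to square brackets correctly marks it as a tracker-local placeholder (the id is still RESERVED), but elsewhere in the file such placeholders are short titles, e.g. `CVE-2019-13627 [ECDSA timing attack]` and `CVE-2019-10203 [PowerDNS Security Advisory 2019-06: ...]`. A one-line summary such as `[GOsa: PHP object injection via unserialize of a client-supplied filter cookie]` would match that convention and is easier to swap out when MITRE publishes the official text.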



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5f7180f0ce51895f9311830a9f55c39a3576fc3c


[Git][security-tracker-team/security-tracker][master] data/CVE/list: add detailled information to CVE-2019-14466(/gosa)

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7e01b387 by Mike Gabriel at 2019-08-30T14:08:21Z
data/CVE/list: add detailled information to CVE-2019-14466(/gosa)

 See comment in another gosa-core security bug, unrelated to this:
 https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3812,8 +3812,11 @@ CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in 
cb_push_op in cobc/field.c
NOTE: https://sourceforge.net/p/open-cobol/bugs/581/
 CVE-2019-14467
RESERVED
-CVE-2019-14466
-   RESERVED
+CVE-2019-14466 (GOsa <= 2.7.5.2 uses unserialize to restore filter settings 
from a cookie. Since this cookie is supplied by the client, authenticated users 
can pass arbitrary content to unserialized, which opens GOsa up to a potential 
PHP object injection.)
+   - gosa 
+   NOTE: 
https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b
 (fix)
+   NOTE: 
https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a
 (fixing the prev commit)
+   NOTE: 
https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100 
(unofficially made public here)
 CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has 
a heap-b ...)
- schism 2:20190805-1 (bug #933807)
[buster] - schism  (Minor issue)
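Review bot: the description is added in parentheses, the form this file uses for MITRE-published text (see the truncated `(... ...)` entries around it), yet the id is still RESERVED and the text is a local write-up; the file marks those with square brackets, as in `CVE-2019-13627 [ECDSA timing attack]`. The follow-up commit 5f7180f0 in this digest makes exactly that correction, so the two commits could have been squashed.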



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e01b3874b70fea405df48bb399a41195ab2bca1


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-claim libav

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
774017eb by Mike Gabriel at 2019-08-30T13:47:39Z
data/dla-needed.txt: re-claim libav

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -57,7 +57,7 @@ imagemagick
 --
 irssi (Mike Gabriel)
 --
-libav
+libav (Mike Gabriel)
   NOTE: 20190529: There are currently 19 CVE issues known for libav in jessie,
   NOTE: 20190529: 11 tagged as . These issues have been triaged, no 
patch
   NOTE: 20190529: has been found, so far. If you pick libav, be prepared to 
work



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/774017ebb76fd1f915a165a5ecc5d339cd7d4852


[Git][security-tracker-team/security-tracker][master] 2 commits: bin/contact-maintainers: Provide mail template for LTS updates of minor issues.

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
187f7774 by Mike Gabriel at 2019-08-30T10:40:46Z
bin/contact-maintainers: Provide mail template for LTS updates of minor issues.

 As the LTS team also sometimes works on packages with only no-dsa
 issues open, it might be good to also inform package maintainers about
 this.

 This adds an ltsp-update-planned-minor.txt mail template plus a command
 line option (--minor) that LTS front desk people can use if they choose
 to add a package to dla-needed.txt with no-dsa issues only.

- - - - -
dd7c30ed by Salvatore Bonaccorso at 2019-08-30T13:28:54Z
Merge branch 
sunweaver/security-tracker-mr/contact-maintainer-minor-issue-updates

- - - - -


2 changed files:

- bin/contact-maintainers
- + templates/lts-update-planned-minor.txt


Changes:

=
bin/contact-maintainers
=
@@ -73,6 +73,8 @@ parser.add_argument('--lts', action='store_true',
 help='Act as a member of the LTS team')
 parser.add_argument('--no-dsa', dest='no_dsa', action='store_true',
 help='Say that issues are low severity (no need for 
DSA/DLA)')
+parser.add_argument('--minor', dest='minor_issues', action='store_true',
+help='Say that issues are low severity and someone will 
work on them (LTS team only)')
 parser.add_argument('--mailer', action='store', default='mutt -H {}',
 help='Command executed. Must contain {} to be replaced '
 'by the filename of the draft contact mail')
@@ -83,7 +85,8 @@ args = parser.parse_args()
 cc = 'debian-...@lists.debian.org' if args.lts else 't...@security.debian.org'
 team = 'lts' if args.lts else 'sec'
 model = 'no-dsa' if args.no_dsa else 'update-planned'
-template_file = 'templates/{}-{}.txt'.format(team, model)
+minor = '-minor' if args.minor_issues and args.lts else ''
+template_file = 'templates/{}-{}{}.txt'.format(team, model, minor)
 
 # Basic check
 instructions = "packages/{}.txt".format(args.package)
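Review bot: `minor = '-minor' if args.minor_issues and args.lts else ''` silently ignores `--minor` when `--lts` is absent, and `--minor --lts --no-dsa` would compute `templates/lts-no-dsa-minor.txt`, a file this change does not add (only `templates/lts-update-planned-minor.txt` is new). Suggest validating the combination right after `args = parser.parse_args()`, for example `if args.minor_issues and (not args.lts or args.no_dsa): parser.error('--minor requires --lts and cannot be combined with --no-dsa')`, so the problem is reported before a nonexistent template is opened.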


=
templates/lts-update-planned-minor.txt
=
@@ -0,0 +1,40 @@
+Content-Type: text/plain; charset=utf-8
+To: {{ to }}
+Cc: {{ cc }}
+Subject: Jessie update of {{ package }} (minor security issues)?
+
+The Debian LTS team recently reviewed the security issue(s) affecting your
+package in Jessie:
+{%- if cve -%}
+{% for entry in cve %}
+https://security-tracker.debian.org/tracker/{{ entry }}
+{%- endfor -%}
+{%- else %}
+https://security-tracker.debian.org/tracker/source-package/{{ package }}
+{%- endif %}
+
+We decided that a member of the LTS team should take a look at this
+package, although the security impact of still open issues is low. When
+resources are available on our side, one of the LTS team members will
+start working on fixes for those minor security issues, as we think that
+the jessie users would most certainly benefit from a fixed package.
+
+If you'd rather want to work on such an update yourself, you're welcome
+to do so. Please send us a short notification to the debian-lts mailing
+list (debian-...@lists.debian.org), expressing your intention to work on
+issues yourself. Otherwise, no action is required from your side.
+
+When working on issues, please try to follow the workflow we have defined
+here: https://wiki.debian.org/LTS/Development
+
+If that workflow is a burden to you, feel free to just prepare an
+updated source package and send it to debian-...@lists.debian.org (via a
+debdiff, or with an URL pointing to the source package, or even with a
+pointer to your packaging repository), and the members of the LTS team
+will take care of the rest. However please make sure to submit a tested
+package.
+
+Thank you very much.
+
+{{ sender }},
+  on behalf of the Debian LTS team.
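Review bot: the commit message refers to `ltsp-update-planned-minor.txt`, but the file added here is `templates/lts-update-planned-minor.txt`, which is also the name the `-minor` suffix logic in bin/contact-maintainers builds; the message should be corrected to the real file name. Two wording points in the body: "If you'd rather want to work on such an update yourself" reads better as "If you would rather work on such an update yourself", and "with an URL" should be "with a URL". The Subject uses "Jessie" while the body uses "jessie"; pick one spelling.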



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/e8b42ec2350d3fb1ab2e7efd22e7ea891a1c572a...dd7c30edac0cef176af351af019030fff0edf34a


[Git][security-tracker-team/security-tracker][master] data/CVE/list: Update gnutls28/CVE-2018-19869/jessie.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e8b42ec2 by Mike Gabriel at 2019-08-30T13:16:17Z
data/CVE/list: Update gnutls28/CVE-2018-19869/jessie.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51651,7 +51651,7 @@ CVE-2018-16869 (A Bleichenbacher type side-channel 
based padding oracle attack w
 CVE-2018-16868 (A Bleichenbacher type side-channel based padding oracle attack 
was fou ...)
[experimental] - gnutls28 3.6.5-1
- gnutls28 3.6.5-2
-   [jessie] - gnutls28  (Minor issue - 
https://lists.debian.org/debian-lts/2019/03/msg00021.html)
+   [jessie] - gnutls28  (Too invasive to fix, requires newer 
nettle shared lib - https://lists.debian.org/debian-lts/2019/03/msg00021.html)
- gnutls26 
NOTE: http://cat.eyalro.net/
NOTE: https://gitlab.com/gnutls/gnutls/issues/630
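Review bot: the commit title says this updates gnutls28/CVE-2018-19869/jessie, but the changed `[jessie]` line sits under CVE-2018-16868 (the hunk context is the neighbouring CVE-2018-16869 entry), so one of the two ids is a typo and the commit message should name the entry actually edited. The status tag between `gnutls28` and the reason is not visible in this rendering; since the reason moves from "Minor issue" to "Too invasive to fix, requires newer nettle shared lib", make sure the tag was updated consistently with the new reason.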



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8b42ec2350d3fb1ab2e7efd22e7ea891a1c572a


[Git][security-tracker-team/security-tracker][master] Document no-dsa status for pump

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2197f0d9 by Salvatore Bonaccorso at 2019-08-30T13:15:08Z
Document no-dsa status for pump

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3368,6 +3368,8 @@ CVE-2018-20954 (The "Security and Privacy" Encryption 
feature in Mailpile before
NOT-FOR-US: Mailpile
 CVE-2019- [Buffer overflow during processing of large server replies]
- pump  (bug #933674)
+   [buster] - pump  (Minor issuue; Will be removed in next point 
release)
+   [stretch] - pump  (Minor issue; Will be removed in enxt point 
release)
 CVE-2019-14653 (pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR 
or SUP e ...)
NOT-FOR-US: pandao Editor.md
 CVE-2019-14652
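Review bot: typos in both added annotations: `Minor issuue` in the buster line and `enxt point release` in the stretch line should read `Minor issue` and `next point release`. These strings are shown verbatim on the tracker web pages, so they are worth fixing before the next automatic update.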



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2197f0d92a9c32a56fabf32d5b7bd97c0a5d97cf


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-13627/libgcrypt20

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
87c73b8a by Salvatore Bonaccorso at 2019-08-30T13:13:49Z
Add Debian bug reference for CVE-2019-13627/libgcrypt20

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6397,7 +6397,7 @@ CVE-2019-13628
RESERVED
 CVE-2019-13627 [ECDSA timing attack]
RESERVED
-   - libgcrypt20 
+   - libgcrypt20  (bug #938938)
- libgcrypt11 
NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b4327edc09f2231bc8b31521102c79
 (master)
NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d14407b51c8166c4dcecb56a3628567
 (master)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/87c73b8a5ae42b8ef820f543b339144a6c48998d


[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Claim pump.

2019-08-30 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5752ad20 by Chris Lamb at 2019-08-30T13:10:09Z
data/dla-needed.txt: Claim pump.

- - - - -
9cfbc904 by Chris Lamb at 2019-08-30T13:10:09Z
data/dla-needed.txt: Add some note attributions.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -65,7 +65,7 @@ libav
   NOTE: 20190731: New CVEs occurred, need to be triaged.
 --
 libcommons-compress-java
-  NOTE: 20190830: no patch reference found
+  NOTE: 20190830: no patch reference found (sunweaver)
 --
 libcrypto++
 --
@@ -105,9 +105,9 @@ mongodb (Abhijith PA)
 --
 nghttp2
 --
-pump
-  NOTE: 20190830: See #933674 for a possible fix / patch.
-  NOTE: 20190830: Former maintainer not informed, package removed from 
unstable, dead upstream.
+pump (Chris Lamb)
+  NOTE: 20190830: See #933674 for a possible fix / patch. (sunweaver)
+  NOTE: 20190830: Former maintainer not informed, package removed from 
unstable, dead upstream. (sunweaver)
 --
 python2.7 (Thorsten Alteholz)
   NOTE: 20190818: need to check fails with test suite unrelated to this patch; 
building package takes a long time
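Review bot: the claim line `pump (Chris Lamb)` records no plan, while the two notes directly under it say the package was removed from unstable and upstream is dead. Add a dated NOTE stating whether the intent is to backport the patch referenced in #933674 or to request removal from jessie, so the next front-desk pass does not re-triage the entry.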
@@ -131,7 +131,7 @@ ruby-mini-magick (Thorsten Alteholz)
   NOTE: 20190818: backporting patch
 --
 ruby-nokogiri
-  NOTE: 20190830: https://lists.debian.org/debian-lts/2019/08/msg00076.html
+  NOTE: 20190830: https://lists.debian.org/debian-lts/2019/08/msg00076.html 
(sunweaver)
 --
 ruby-openid
   NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding 
what the issue actually *is*. (lamby)
@@ -163,5 +163,5 @@ yard
   NOTE: 20190830: 
https://github.com/lsegal/yard/commit/225ded9ef38c6d2be5a3b0fc7effbc7d6644768d
   NOTE: 20190830: 
https://github.com/lsegal/yard/commit/6d8b9b9c71e45fd1c887545b579399931dc2466e 
(well..)
   NOTE: 20190830: Maybe someone with more knowledge of what yard is and does 
might know better
-  NOTE: 20190830: what the exact fix here could be.
+  NOTE: 20190830: what the exact fix here could be. (sunweaver)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/d8cae66e07bb099b2362309b141b47108572d48f...9cfbc904cd00949eef8ab8d22db3c153a628c449


[Git][security-tracker-team/security-tracker][master] data/CVE/list: evaluate recent milkytracker CVEs as .

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8cae66e by Mike Gabriel at 2019-08-30T13:08:45Z
data/CVE/list: evaluate recent milkytracker CVEs as no-dsa.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -3729,10 +3729,12 @@ CVE-2019-14498 (A divide-by-zero error exists in the 
Control function of demux/c
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in 
MilkyTr ...)
- milkytracker  (bug #933964)
+   [jessie] - milkytracker  (Minor issue)
NOTE: https://github.com/milkytracker/MilkyTracker/issues/182
NOTE: 
https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
 CVE-2019-14496 (LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 
1.02.00 ha ...)
- milkytracker  (bug #933964)
+   [jessie] - milkytracker  (Minor issue)
NOTE: https://github.com/milkytracker/MilkyTracker/issues/183
NOTE: 
https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
 CVE-2019-14495 (webadmin.c in 3proxy before 0.8.13 has an out-of-bounds write 
in the a ...)
@@ -3819,6 +3821,7 @@ CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism 
Tracker 20190722 has a
NOTE: 
https://github.com/schismtracker/schismtracker/commit/b78e8d32883f8a865035436af4fa6d541b6ebb42
 CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 
1.02.00 has a  ...)
- milkytracker  (bug #933964)
+   [jessie] - milkytracker  (Minor issue)
NOTE: https://github.com/milkytracker/MilkyTracker/issues/184
NOTE: 
https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
 CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x 
before 3.1 ...)


=
data/dla-needed.txt
=
@@ -99,6 +99,7 @@ linux (Ben Hutchings)
 linux-4.9 (Ben Hutchings)
 --
 milkytracker
+  NOTE: 20190830: Several  issues open for jessie.
 --
 mongodb (Abhijith PA)
 --
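Review bot: the new NOTE `Several  issues open for jessie.` carries no handle, whereas other notes in this file are attributed (e.g. `(lamby)` on the ruby-openid and xtrlock entries) and the attribution pass in commit 9cfbc904 above adds `(sunweaver)` to the other notes from this day; add the handle here too so the entry is consistent.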



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8cae66e07bb099b2362309b141b47108572d48f


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add milkytracker.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f5bd54d6 by Mike Gabriel at 2019-08-30T12:58:13Z
data/dla-needed.txt: add milkytracker.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -98,6 +98,8 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
+milkytracker
+--
 mongodb (Abhijith PA)
 --
 nghttp2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5bd54d6f08f0aa212602d1df47de42912732ed7


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add note to pump about non-informing former maintainer.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fae6c51c by Mike Gabriel at 2019-08-30T12:42:15Z
data/dla-needed.txt: add note to pump about non-informing former maintainer.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -104,6 +104,7 @@ nghttp2
 --
 pump
   NOTE: 20190830: See #933674 for a possible fix / patch.
+  NOTE: 20190830: Former maintainer not informed, package removed from 
unstable, dead upstream.
 --
 python2.7 (Thorsten Alteholz)
   NOTE: 20190818: need to check fails with test suite unrelated to this patch; 
building package takes a long time
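Review bot: `Former maintainer not informed` is ambiguous in the new NOTE: read on its own it looks like an open action item, while the commit title ("non-informing former maintainer") and the rest of the line (removed from unstable, dead upstream) describe a deliberate decision. Reword to something like `Former maintainer deliberately not contacted: package removed from unstable, dead upstream.` so nobody picks it up as a pending task.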



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fae6c51caf50e69fc50d023f316758c9264dc93c


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add yard (as triaging RFH)

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad9bf3f5 by Mike Gabriel at 2019-08-30T12:27:05Z
data/dla-needed.txt: add yard (as triaging RFH)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -153,3 +153,11 @@ xen
 xtrlock (Chris Lamb)
   NOTE: 20190822: WIP on #830726 (lamby)
 --
+yard
+  NOTE: 20190830: second reviewer / triager needed. The security announcement 
states that the fix
+  NOTE: 20190830: was done between 0.9.19 and 0.9.20. Meaningful commits are
+  NOTE: 20190830: 
https://github.com/lsegal/yard/commit/225ded9ef38c6d2be5a3b0fc7effbc7d6644768d
+  NOTE: 20190830: 
https://github.com/lsegal/yard/commit/6d8b9b9c71e45fd1c887545b579399931dc2466e 
(well..)
+  NOTE: 20190830: Maybe someone with more knowledge of what yard is and does 
might know better
+  NOTE: 20190830: what the exact fix here could be.
+--
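Review bot: the yard entry asks for a second triager but gives them nothing to start from: neither the CVE id nor the "security announcement" it cites is linked, and `(well..)` after the second commit does not say what is doubtful about it. Add the tracker URL for the CVE and the announcement link, and spell out the doubt (for instance whether 6d8b9b9c is part of the fix or an unrelated change) so the request for help is actionable.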



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad9bf3f5174683638b74eefc814ce75423a2ee20


[Git][security-tracker-team/security-tracker][master] data/CVE/list: Triage suricata/jessie.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1814b34 by Mike Gabriel at 2019-08-30T11:48:36Z
data/CVE/list: Triage suricata/jessie.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16932,10 +16932,12 @@ CVE-2019-10053 (An issue was discovered in Suricata 
4.1.x before 4.1.4. If the i
NOTE: 
https://github.com/OISF/suricata/commit/51790d3824bc381e24aaeef20338dd6b8bd4e453
 CVE-2019-10052 (An issue was discovered in Suricata 4.1.3. If the network 
packet does  ...)
- suricata 1:4.1.4-1
+   [jessie] - suricata  (Vulnerable code not present)
NOTE: https://redmine.openinfosecfoundation.org/issues/2902
NOTE: https://redmine.openinfosecfoundation.org/issues/2947
 CVE-2019-10051 (An issue was discovered in Suricata 4.1.3. If the function 
filetracker ...)
- suricata 1:4.1.4-1
+   [jessie] - suricata  (Vulnerable code not present)
NOTE: https://github.com/OISF/suricata/pull/3734
NOTE: https://redmine.openinfosecfoundation.org/issues/2896
 CVE-2019-10050 (A buffer over-read issue was discovered in Suricata 4.1.x 
before 4.1.4 ...)
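Review bot: both new `[jessie]` lines give `Vulnerable code not present` as the reason, but no NOTE records what was checked, and the CVE texts in the hunk only name 4.1.3 / 4.1.x before 4.1.4 as affected. Add the jessie suricata version and the file or function that is absent there (the CVE-2019-10051 text points at the filetracker code) so the not-affected call can be re-verified without redoing the triage.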



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1814b346878bb3a9402174e4ba9698bd2be4f7b


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add ruby-nokogiri.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc0da177 by Mike Gabriel at 2019-08-30T11:41:27Z
data/dla-needed.txt: add ruby-nokogiri.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -126,6 +126,9 @@ radare2
 ruby-mini-magick (Thorsten Alteholz)
   NOTE: 20190818: backporting patch
 --
+ruby-nokogiri
+  NOTE: 20190830: https://lists.debian.org/debian-lts/2019/08/msg00076.html
+--
 ruby-openid
   NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding 
what the issue actually *is*. (lamby)
   NOTE: 20190701: Pinged bug (lamby)
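Review bot: the only NOTE on the new ruby-nokogiri entry is a list-archive URL. Add a one-line summary of what that thread concludes and the CVE id it concerns, plus the author's handle as on the `(lamby)` notes just below, so the entry is useful without following the link.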



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc0da17761328266163edb2b71d68c796a759be4


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add libcommons-compress-java.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9a2d1a96 by Mike Gabriel at 2019-08-30T11:05:57Z
data/dla-needed.txt: add libcommons-compress-java.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -64,6 +64,9 @@ libav
   NOTE: 20190529: out patches yourself.
   NOTE: 20190731: New CVEs occurred, need to be triaged.
 --
+libcommons-compress-java
+  NOTE: 20190830: no patch reference found
+--
 libcrypto++
 --
 libextractor (Thorsten Alteholz)
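Review bot: `no patch reference found` does not say which CVE was looked at or where the search was done (upstream bug tracker, git history, the CVE's own references), so the next person cannot tell whether the search is complete or needs repeating. Add the CVE id and the places already checked to the NOTE.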



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9a2d1a964ca503bf4eccf0397da8da74609f1f9d


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add pump.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
227b56d5 by Mike Gabriel at 2019-08-30T11:03:00Z
data/dla-needed.txt: add pump.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -99,6 +99,9 @@ mongodb (Abhijith PA)
 --
 nghttp2
 --
+pump
+  NOTE: 20190830: See #933674 for a possible fix / patch.
+--
 python2.7 (Thorsten Alteholz)
   NOTE: 20190818: need to check fails with test suite unrelated to this patch; 
building package takes a long time
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/227b56d5db69bcae2178e54c2bedcab884b7ae6c


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add libgcrypt20 and claim it.

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2afab427 by Mike Gabriel at 2019-08-30T11:00:32Z
data/dla-needed.txt: add libgcrypt20 and claim it.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -68,6 +68,8 @@ libcrypto++
 --
 libextractor (Thorsten Alteholz)
 --
+libgcrypt20 (Mike Gabriel)
+--
 libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at 
them.
   NOTE: triage work needed, help security team for fixes if needed.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2afab427fc5549313659b77362d7a1a0f3117f0b


[Git][security-tracker-team/security-tracker][master] data/CVE/list: Triage CVE-2019-10222/ceph/jessie (not-affected).

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c1fe452f by Mike Gabriel at 2019-08-30T10:53:26Z
data/CVE/list: Triage CVE-2019-10222/ceph/jessie (not-affected).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16310,6 +16310,7 @@ CVE-2019-10222 [unauthenticated clients can crash RGW]
- ceph  (bug #936015)
[buster] - ceph  (Minor issue; only triggerable if experimental 
feature enabled)
[stretch] - ceph  (Vulnerable code not present)
+   [jessie] - ceph  (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2019/08/28/9
NOTE: https://github.com/ceph/ceph/pull/29967
NOTE: 
https://github.com/ceph/ceph/commit/6171399fdedd928b4249d135b4036e3de25079aa



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c1fe452f10b7612a1ae1d3e13728eee1d464a006


[Git][security-tracker-team/security-tracker][master] 3 commits: data/dla-needed.txt: add ghostscript

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03d7e457 by Mike Gabriel at 2019-08-30T10:43:47Z
data/dla-needed.txt: add ghostscript

- - - - -
e558dc56 by Mike Gabriel at 2019-08-30T10:44:17Z
data/dla-needed.txt: add irssi.

- - - - -
da2286f9 by Mike Gabriel at 2019-08-30T10:44:48Z
data/CVE/list: Triage golang/jessie.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -2959,6 +2959,7 @@ CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x 
before 1.12.8 mishandles
- golang-1.8 
- golang-1.7 
- golang 
+   [jessie] - golang  (Fix too invasive to backport, url.go file 
in jessie too far behind upstream)
NOTE: Issue: https://github.com/golang/go/issues/29098
NOTE: 
https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc 
(golang-1.11)
NOTE: 
https://github.com/golang/go/commit/3226f2d492963d361af9dfc6714ef141ba606713 
(golang-1.12)
@@ -19354,6 +19355,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are 
vulnerable to a reset flood, pote
- golang-1.8 
- golang-1.7 
- golang 
+   [jessie] - golang  (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
- nodejs  (bug #934885)
[stretch] - nodejs  (No HTTP2 support yet)
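Review bot: `No HTTP2 support yet` for golang in jessie is asserted without the version it was checked against; the neighbouring stretch nodejs line uses the same wording, so add the jessie golang version to the annotation (or a NOTE) so the claim can be re-verified, and keep the identical CVE-2019-9512 line in the next hunk in sync if this one is reworded.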
@@ -19390,6 +19392,7 @@ CVE-2019-9512 (Some HTTP/2 implementations are 
vulnerable to ping floods, potent
- golang-1.8 
- golang-1.7 
- golang 
+   [jessie] - golang  (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
- trafficserver 8.0.5+ds-1 (bug #934887)
- h2o 2.2.5+dfsg2-3 (bug #934886)


=
data/dla-needed.txt
=
@@ -37,6 +37,8 @@ freeimage
   NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html
   NOTE: 20190707: maintainer is waiting for upstream 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597
 --
+ghostscript
+--
 golang-go.crypto
   NOTE: 20190707: Check that an upload of this will not require reverse 
build-deps to also be recompiled (see previous golang uploads?). (lamby)
 --
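Review bot: ghostscript is added without a NOTE saying which issues are open for jessie or why it lands in dla-needed.txt now; the neighbouring freeimage and golang-go.crypto entries carry a dated NOTE, so add one here so whoever claims the package knows where to start.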
@@ -53,6 +55,8 @@ imagemagick
   NOTE: 20190829: we also work on  issues whereas the security team 
would not.
   NOTE: 20190829: Only claim this, if nothing more urgent is available in 
dla-needed.txt.
 --
+irssi (Mike Gabriel)
+--
 libav
   NOTE: 20190529: There are currently 19 CVE issues known for libav in jessie,
   NOTE: 20190529: 11 tagged as . These issues have been triaged, no 
patch



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/72b94db8f39f590f0906ee438532cecef13b7712...da2286f923a4ac9c1e4eba89ab04293d24844062


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add imagemagick

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72b94db8 by Mike Gabriel at 2019-08-30T08:39:40Z
data/dla-needed.txt: add imagemagick

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -47,6 +47,12 @@ hdf5 (Hugo Lefeuvre)
 --
 icedtea-web (Markus Koschany)
 --
+imagemagick
+  NOTE: 20190829: Several  and  issues some of them with 
simple patch
+  NOTE: 20190829: are still open for jessie. Should be revisited with policy 
in mind that
+  NOTE: 20190829: we also work on  issues whereas the security team 
would not.
+  NOTE: 20190829: Only claim this, if nothing more urgent is available in 
dla-needed.txt.
+--
 libav
   NOTE: 20190529: There are currently 19 CVE issues known for libav in jessie,
   NOTE: 20190529: 11 tagged as . These issues have been triaged, no 
patch



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/72b94db8f39f590f0906ee438532cecef13b7712


[Git][security-tracker-team/security-tracker][master] data/CVE/list: Switch CVE-2019-13038 from to (see reason already given).

2019-08-30 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9b948cfb by Mike Gabriel at 2019-08-30T08:16:53Z
data/CVE/list: Switch CVE-2019-13038 from no-dsa to ignored 
(see reason already given).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8979,7 +8979,7 @@ CVE-2019-13039
RESERVED
 CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the 
login?Retu ...)
- libapache2-mod-auth-mellon  (bug #931265)
-   [jessie] - libapache2-mod-auth-mellon  (Open Redirect 
protection not implemented yet)
+   [jessie] - libapache2-mod-auth-mellon  (Open Redirect 
protection not implemented yet)
NOTE: 
https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
 CVE-2019-13037
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9b948cfb898ca23373275e12ecc214c7dbfa832c


[Git][security-tracker-team/security-tracker][master] automatic update

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dfbf6c28 by security tracker role at 2019-08-30T08:10:42Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,65 @@
+CVE-2019-15842
+   RESERVED
+CVE-2019-15841
+   RESERVED
+CVE-2019-15840
+   RESERVED
+CVE-2019-15839
+   RESERVED
+CVE-2019-15838
+   RESERVED
+CVE-2019-15837
+   RESERVED
+CVE-2019-15836
+   RESERVED
+CVE-2019-15835
+   RESERVED
+CVE-2019-15834
+   RESERVED
+CVE-2019-15833
+   RESERVED
+CVE-2019-15832
+   RESERVED
+CVE-2019-15831
+   RESERVED
+CVE-2019-15830
+   RESERVED
+CVE-2019-15829
+   RESERVED
+CVE-2019-15828
+   RESERVED
+CVE-2019-15827
+   RESERVED
+CVE-2019-15826
+   RESERVED
+CVE-2019-15825
+   RESERVED
+CVE-2019-15824
+   RESERVED
+CVE-2019-15823
+   RESERVED
+CVE-2019-15822
+   RESERVED
+CVE-2019-15821
+   RESERVED
+CVE-2019-15820
+   RESERVED
+CVE-2019-15819
+   RESERVED
+CVE-2019-15818
+   RESERVED
+CVE-2019-15817
+   RESERVED
+CVE-2019-15816
+   RESERVED
+CVE-2019-15815
+   RESERVED
+CVE-2019-15814
+   RESERVED
+CVE-2019-15813
+   RESERVED
+CVE-2015-9380
+   RESERVED
 CVE-2019-15812
RESERVED
 CVE-2019-15811 (In DomainMOD through 4.13, the parameter daterange in the file 
reporti ...)
@@ -1807,18 +1869,22 @@ CVE-2019-15147 (GoPro GPMF-parser 1.2.2 has an 
out-of-bounds read and SEGV in GP
 CVE-2019-15146 (GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 
bytes) in ...)
NOT-FOR-US: gpmf-parser
 CVE-2019-15145 (DjVuLibre 3.5.27 allows attackers to cause a denial-of-service 
attack  ...)
+   {DLA-1902-1}
- djvulibre 3.5.27.1-11
NOTE: https://sourceforge.net/p/djvu/bugs/298/
NOTE: 
https://sourceforge.net/p/djvu/djvulibre-git/ci/9658b01431cd7ff6344d7787f855179e73fe81a7/
 CVE-2019-15144 (In DjVuLibre 3.5.27, the sorting functionality (aka 
GArrayTemplate ...)
+   {DLA-1902-1}
- djvulibre 3.5.27.1-11
NOTE: https://sourceforge.net/p/djvu/bugs/299/
NOTE: 
https://sourceforge.net/p/djvu/djvulibre-git/ci/e15d51510048927f172f1bf1f27ede65907d940d/
 CVE-2019-15143 (In DjVuLibre 3.5.27, the bitmap reader component allows 
attackers to c ...)
+   {DLA-1902-1}
- djvulibre 3.5.27.1-11
NOTE: https://sourceforge.net/p/djvu/bugs/297/
NOTE: 
https://sourceforge.net/p/djvu/djvulibre-git/ci/b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f/
 CVE-2019-15142 (In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component 
allows a ...)
+   {DLA-1902-1}
- djvulibre 3.5.27.1-11
NOTE: https://sourceforge.net/p/djvu/bugs/296/
NOTE: 
https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/
@@ -7596,8 +7662,8 @@ CVE-2019-13528
RESERVED
 CVE-2019-13527
RESERVED
-CVE-2019-13526
-   RESERVED
+CVE-2019-13526 (Datalogic AV7000 Linear barcode scanner all versions prior to 
4.6.0.0  ...)
+   TODO: check
 CVE-2019-13525
RESERVED
 CVE-2019-13524
@@ -9729,10 +9795,10 @@ CVE-2019-12756
RESERVED
 CVE-2019-12755
RESERVED
-CVE-2019-12754
-   RESERVED
-CVE-2019-12753
-   RESERVED
+CVE-2019-12754 (Symantec My VIP portal, previous version which has already 
been auto u ...)
+   TODO: check
+CVE-2019-12753 (An information disclosure vulnerability in Symantec Reporter 
web UI 10 ...)
+   TODO: check
 CVE-2019-12752
RESERVED
 CVE-2019-12751 (Symantec Messaging Gateway, prior to 10.7.1, may be 
susceptible to a p ...)
@@ -10609,8 +10675,7 @@ CVE-2019-12404
RESERVED
 CVE-2019-12403
RESERVED
-CVE-2019-12402 [Apache Commons Compress denial of service vulnerability]
-   RESERVED
+CVE-2019-12402 (The file name encoding algorithm used internally in Apache 
Commons Com ...)
- libcommons-compress-java 
NOTE: https://www.openwall.com/lists/oss-security/2019/08/27/1
 CVE-2019-12401
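Review bot: the unchanged `- libcommons-compress-java ` context line ends in a trailing space with no version or tag after the package name, which reads like an `<unfixed>` marker dropped by the mail rendering rather than by the file; this automatic description update does not touch that line, but it is worth confirming the committed entry carries the tag, since a bare package name without a version or an angle-bracket tag is not a valid line in data/CVE/list.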
@@ -12555,8 +12620,8 @@ CVE-2019-11660
RESERVED
 CVE-2019-11659
RESERVED
-CVE-2019-11658
-   RESERVED
+CVE-2019-11658 (Information exposure in Micro Focus Content Manager, versions 
9.1, 9.2 ...)
+   TODO: check
 CVE-2019-11657
RESERVED
 CVE-2019-11656
@@ -13371,10 +13436,10 @@ CVE-2019-11368 (Stored XSS was discovered in AUO 
Solar Data Recorder before 1.3.
NOT-FOR-US: AUO Solar Data Recorder
 CVE-2019-11367 (An issue was discovered in AUO Solar Data Recorder before 
1.3.0. The w ...)
NOT-FOR-US: AUO Solar Data Recorder
-CVE-2019-11364
-   RESERVED
-CVE-2019-11363
-   RESERVED
+CVE-2019-11364 (An OS Command Injection vulnerability in Snare Central before 
7.4.5 al ...)
+   TODO: check
+CVE-2019-11363 (A SQL injection vulnerability in Snare Central before 7.4.5 
allows rem ...)
+   
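Review bot: the new CVE-2019-11363 entry ends with a blank `+   ` line where the parallel CVE-2019-11364 entry directly above it gets `+   TODO: check`, so as rendered the Snare Central SQL injection CVE has no status at all; the hunk is also cut off at this point in the digest, so check the committed file rather than this rendering for the missing status line.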

[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15785/fontforge

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6087921 by Salvatore Bonaccorso at 2019-08-30T06:30:23Z
Add CVE-2019-15785/fontforge

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54,7 +54,8 @@ CVE-2019-15787 (libZetta.rs through 0.1.2 has an integer 
overflow in the zpool p
 CVE-2019-15786 (ROBOTIS Dynamixel SDK through 3.7.11 has a buffer overflow via 
a large ...)
TODO: check
 CVE-2019-15785 (FontForge through 20190801 has a buffer overflow in 
PrefsUI_LoadPrefs  ...)
-   TODO: check
+   - fontforge  (Vulnerable code introduced later)
+   NOTE: https://github.com/fontforge/fontforge/pull/3886
 CVE-2019-15784 (Secure Reliable Transport (SRT) through 1.3.4 has a CSndUList 
array ov ...)
TODO: check
 CVE-2019-15783 (Lute-Tab before 2019-08-23 has a buffer overflow in 
pdf_print.cc. ...)
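Review bot: in `+   - fontforge  (Vulnerable code introduced later)` the status field between the package name and the remark appears to be missing (two spaces where it would sit); the wording matches a `<not-affected>` marking, so confirm that tag is present in the committed file and was only dropped by the mail rendering, since an entry with a bare package name and no version or tag is not valid in data/CVE/list.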



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6087921dd983cb56b6bef4c75f91f59732cb88d




[Git][security-tracker-team/security-tracker][master] Process NFUs

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6f9eb2d by Salvatore Bonaccorso at 2019-08-30T06:27:38Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2019-15812
RESERVED
 CVE-2019-15811 (In DomainMOD through 4.13, the parameter daterange in the file 
reporti ...)
-   TODO: check
+   NOT-FOR-US: DomainMOD
 CVE-2019-15810
RESERVED
 CVE-2019-15809
@@ -9,9 +9,9 @@ CVE-2019-15809
 CVE-2019-15808
RESERVED
 CVE-2019-15806 (CommScope ARRIS TR4400 devices with firmware through 
A1.00.004-180301  ...)
-   TODO: check
+   NOT-FOR-US: CommScope ARRIS TR4400 devices
 CVE-2019-15805 (CommScope ARRIS TR4400 devices with firmware through 
A1.00.004-180301  ...)
-   TODO: check
+   NOT-FOR-US: CommScope ARRIS TR4400 devices
 CVE-2019-15804
RESERVED
 CVE-2019-15803
@@ -48,7 +48,7 @@ CVE-2019-15807 (In the Linux kernel before 5.1.13, there is a 
memory leak in dri
- linux 5.2.6-1
NOTE: 
https://git.kernel.org/linus/3b0541791453fbe7f42867e310e0c9eb6295364d
 CVE-2019-15788 (Clara Genomics Analysis before 0.2.0 has an integer overflow 
for cudap ...)
-   TODO: check
+   NOT-FOR-US: Clara Genomics Analysis
 CVE-2019-15787 (libZetta.rs through 0.1.2 has an integer overflow in the zpool 
parser  ...)
TODO: check
 CVE-2019-15786 (ROBOTIS Dynamixel SDK through 3.7.11 has a buffer overflow via 
a large ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6f9eb2d9db5fcfc094a9918d66d52c967ca33d0




[Git][security-tracker-team/security-tracker][master] Track stretch-pu update including CVE-2019-15538

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3636d61 by Salvatore Bonaccorso at 2019-08-30T06:15:56Z
Track stretch-pu update including CVE-2019-15538

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -121,6 +121,8 @@ CVE-2019-15211
[stretch] - linux 4.9.189-1
 CVE-2019-15215
[stretch] - linux 4.9.189-1
+CVE-2019-15538
+   [stretch] - linux 4.9.189-2
 CVE-2019-10153
[stretch] - fence-agents 4.0.25-1+deb9u1
 CVE-2016-10711



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3636d617a9b36a74ff287f4839c85aae06740d5




[Git][security-tracker-team/security-tracker][master] Process several NFUs

2019-08-30 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca04890e by Salvatore Bonaccorso at 2019-08-30T06:12:00Z
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -62,31 +62,31 @@ CVE-2019-15783 (Lute-Tab before 2019-08-23 has a buffer 
overflow in pdf_print.cc
 CVE-2019-15782 (WebTorrent before 0.107.6 allows XSS in the HTTP server via a 
title or ...)
TODO: check
 CVE-2019-15781 (The facebook-by-weblizar plugin before 2.8.5 for WordPress has 
CSRF. ...)
-   TODO: check
+   NOT-FOR-US: facebook-by-weblizar plugin for WordPress
 CVE-2019-15780 (The formidable plugin before 4.02.01 for WordPress has unsafe 
deserial ...)
-   TODO: check
+   NOT-FOR-US: formidable plugin for WordPress
 CVE-2019-15779 (The insta-gallery plugin before 2.4.8 for WordPress has no 
nonce valid ...)
-   TODO: check
+   NOT-FOR-US: insta-gallery plugin for WordPress
 CVE-2019-15778 (The woo-variation-gallery plugin before 1.1.29 for WordPress 
has XSS. ...)
-   TODO: check
+   NOT-FOR-US: woo-variation-gallery plugin for WordPress
 CVE-2019-15777 (The shapepress-dsgvo plugin before 2.2.19 for WordPress has 
wp-admin/a ...)
-   TODO: check
+   NOT-FOR-US: shapepress-dsgvo plugin for WordPress
 CVE-2019-15776 (The simple-301-redirects-addon-bulk-uploader plugin before 
1.2.5 for W ...)
-   TODO: check
+   NOT-FOR-US: simple-301-redirects-addon-bulk-uploader plugin for 
WordPress
 CVE-2019-15775 (The nd-learning plugin before 4.8 for WordPress has a nopriv_ 
AJAX act ...)
-   TODO: check
+   NOT-FOR-US: nd-learning plugin for WordPress
 CVE-2019-15774 (The nd-booking plugin before 2.5 for WordPress has a nopriv_ 
AJAX acti ...)
-   TODO: check
+   NOT-FOR-US: nd-booking plugin for WordPress
 CVE-2019-15773 (The nd-travel plugin before 1.7 for WordPress has a nopriv_ 
AJAX actio ...)
-   TODO: check
+   NOT-FOR-US: nd-travel plugin for WordPress
 CVE-2019-15772 (The nd-donations plugin before 1.4 for WordPress has a nopriv_ 
AJAX ac ...)
-   TODO: check
+   NOT-FOR-US: nd-donations plugin for WordPress
 CVE-2019-15771 (The nd-shortcodes plugin before 6.0 for WordPress has a 
nopriv_ AJAX a ...)
-   TODO: check
+   NOT-FOR-US: nd-shortcodes plugin for WordPress
 CVE-2019-15770 (The woo-address-book plugin before 1.6.0 for WordPress has 
save calls  ...)
-   TODO: check
+   NOT-FOR-US: woo-address-book plugin for WordPress
 CVE-2019-15769 (The handl-utm-grabber plugin before 2.6.5 for WordPress has 
CSRF via a ...)
-   TODO: check
+   NOT-FOR-US: handl-utm-grabber plugin for WordPress
 CVE-2019-15768
RESERVED
 CVE-2019-15767 (In GNU Chess 6.2.5, there is a stack-based buffer overflow in 
the cmd_ ...)
@@ -128,7 +128,7 @@ CVE-2019-15753 (In OpenStack os-vif 1.15.x before 1.15.2, 
and 1.16.0, a hard-cod
 CVE-2019-15752 (Docker Desktop Community Edition before 2.1.0.1 allows local 
users to  ...)
TODO: check
 CVE-2018-21007 (The woo-confirmation-email plugin before 3.2.0 for WordPress 
has no bl ...)
-   TODO: check
+   NOT-FOR-US: woo-confirmation-email plugin for WordPress
 CVE-2017-18594 (nse_libssh2.cc in Nmap 7.70 is subject to a denial of service 
conditio ...)
TODO: check
 CVE-2019-15751
@@ -2375,11 +2375,11 @@ CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 
6.x before 6.9.10-42, the
NOTE: Introduced in 
https://github.com/ImageMagick/ImageMagick6/commit/6f29b3755748a899145b639195dd3bc640d36bb4
 (6.9.10-24)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/614a257295bdcdeda347086761062ac7658b6830
 (6.9.10-42)
 CVE-2019-14979 (cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout 
Payment Ga ...)
-   TODO: check
+   NOT-FOR-US: WooCommerce PayPal Checkout Payment Gateway plugin for 
WordPress
 CVE-2019-14978 (/payu/icpcheckout/ in the WooCommerce PayU India Payment 
Gateway plugi ...)
-   TODO: check
+   NOT-FOR-US: WooCommerce PayU India Payment Gateway plugin for WordPress
 CVE-2019-14977 (card/pay/.../amount in the WooCommerce Instamojo Payment 
Gateway plugi ...)
-   TODO: check
+   NOT-FOR-US: WooCommerce Instamojo Payment Gateway plugin for WordPress
 CVE-2019-14976 (iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords 
parameter ...)
NOT-FOR-US: idreamsoft iCMS
 CVE-2019-14975 (Artifex MuPDF before 1.16.0 has a heap-based buffer over-read 
in fz_ch ...)
@@ -31600,7 +31600,7 @@ CVE-2019-4538
 CVE-2019-4537
RESERVED
 CVE-2019-4536 (IBM i 7.4 users who have done a Restore User Profile 
(RSTUSRPRF) on a  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4535
RESERVED
 CVE-2019-4534
@@ -32406,9 +32406,9 @@ CVE-2019-4135 (IBM Security Access Manager 9.0.1 
through 9.0.6 is affected by a
 CVE-2019-4134 (IBM