[Git][security-tracker-team/security-tracker][master] Claim the remaining LTS frontdesk weeks in 2019.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d6f95a3 by Markus Koschany at 2019-10-27T22:47:09Z Claim the remaining LTS frontdesk weeks in 2019. - - - - - 1 changed file: - org/lts-frontdesk.2019.txt Changes: = org/lts-frontdesk.2019.txt = @@ -61,5 +61,5 @@ From 25-11 to 01-12:Mike Gabriel From 02-12 to 08-12:Chris Lamb From 09-12 to 15-12:Thorsten Alteholz From 16-12 to 22-12:Mike Gabriel -From 23-12 to 29-12: -From 30-12 to 05-01: +From 23-12 to 29-12:Markus Koschany +From 30-12 to 05-01:Markus Koschany View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d6f95a31d1d9121f62fff5d1e3a4c1a59712374 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d6f95a31d1d9121f62fff5d1e3a4c1a59712374 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-17543/lz4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18b38e4f by Salvatore Bonaccorso at 2019-10-27T21:59:41Z Add Debian bug reference for CVE-2019-17543/lz4 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3041,7 +3041,7 @@ CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109 NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...) - - lz4 + - lz4 (bug #943680) [buster] - lz4 (Minor issue) [stretch] - lz4 (Minor issue) [jessie] - lz4 (Very hard to exploit, low risk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18b38e4f4a3de2f803e3de2393cba6f0ecb99a33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18b38e4f4a3de2f803e3de2393cba6f0ecb99a33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark lz4 as no-dsa for buster and stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 998f50dd by Salvatore Bonaccorso at 2019-10-27T21:50:00Z Mark lz4 as no-dsa for buster and stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3042,6 +3042,8 @@ CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...) - lz4 + [buster] - lz4 (Minor issue) + [stretch] - lz4 (Minor issue) [jessie] - lz4 (Very hard to exploit, low risk) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941 NOTE: https://github.com/lz4/lz4/pull/756 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/998f50dd8ed22e51e04c7f51241e5ebf5ce2fa81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/998f50dd8ed22e51e04c7f51241e5ebf5ce2fa81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-1145{4,5}/monit as no-dsa for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
d2c7df11 by Salvatore Bonaccorso at 2019-10-27T21:25:54Z
Mark CVE-2019-1145{4,5}/monit as no-dsa for stretch
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -21455,10 +21455,12 @@ CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF
for executing arbitrary PHP
CVE-2019-11455 (A buffer over-read in Util_urlDecode in util.c in Tildeslash
Monit bef ...)
{DLA-1767-1}
- monit 1:5.25.3-1 (bug #927775)
+ [stretch] - monit (Minor issue)
NOTE:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
CVE-2019-11454 (Persistent cross-site scripting (XSS) in http/cervlet.c in
Tildeslash ...)
{DLA-1767-1}
- monit 1:5.25.3-1 (bug #927775)
+ [stretch] - monit (Minor issue)
NOTE:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
NOTE:
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11453
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2c7df11622d810da8edd57f81182e75a249f53f
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2c7df11622d810da8edd57f81182e75a249f53f
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e258ea9e by security tracker role at 2019-10-27T20:10:21Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -522,6 +522,7 @@ CVE-2019-18218 (cdf_read_property_info in cdf.c in file
through 5.37 does not re
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780
NOTE:
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows
remote unauth ...)
+ {DLA-1974-1}
- proftpd-dfsg 1.3.6a-2 (bug #942831)
NOTE:
https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4
NOTE: https://github.com/proftpd/proftpd/issues/846
@@ -562,6 +563,7 @@ CVE-2019-18200 (An issue was discovered on Fujitsu Wireless
Keyboard Set LX390 G
CVE-2019-18199 (An issue was discovered on Fujitsu Wireless Keyboard Set LX390
GK381 d ...)
NOT-FOR-US: Fujitsu
CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer
variable i ...)
+ {DLA-1973-1}
- libxslt (bug #942646)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e258ea9e8843eb9039e6489b5f6009e075df42a8
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e258ea9e8843eb9039e6489b5f6009e075df42a8
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: this is still ongoing
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bc99fec by Adrian Bunk at 2019-10-27T19:14:32Z dla: this is still ongoing - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,7 +66,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20191013: work is ongoing + NOTE: 20191027: work is ongoing -- libqb NOTE: 20190616: Upstream patch does not apply at all, but it appears that View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6bc99fecc078f106ec257f296e00ba5042af33f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6bc99fecc078f106ec257f296e00ba5042af33f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: claim tiff
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: efbab7c9 by Thorsten Alteholz at 2019-10-27T18:42:06Z claim tiff - - - - - 6dd2cea2 by Thorsten Alteholz at 2019-10-27T18:42:53Z update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,7 +86,7 @@ nghttp2 NOTE: 20190930: work into the pkg triaging, too. (sunweaver) -- opendmarc (Thorsten Alteholz) - NOTE: 20191013: testing package + NOTE: 20191027: still testing package -- openjdk-7 (Markus Koschany) -- @@ -118,13 +118,13 @@ slurm-llnl NOTE: 20191022: 750cc23edcc6fddfff21d33bdaf4fb7deb28cfda would be a start.(abhijith) -- spip (Thorsten Alteholz) - NOTE: 20191013: testing package + NOTE: 20191027: still testing package -- thunderbird (Emilio) NOTE: 20191001: CVE-2019-11755: bug is private, not sure whether to backport to 60esr or wait for 68esr (Beuc) NOTE: 20191001: CVE-2019-11755: https://bugzilla.mozilla.org/show_bug.cgi?id=1240290 -- -tiff +tiff (Thorsten Alteholz) NOTE: 20191020: Time to fix the postponed CVE as well? (apo) -- tika View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a6e2e25126577441968f2eab22bddbbd014dc450...6dd2cea209963441d056a566b70ce453784b244f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a6e2e25126577441968f2eab22bddbbd014dc450...6dd2cea209963441d056a566b70ce453784b244f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1974-1 for proftpd-dfsg
Thorsten Alteholz pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
a6e2e251 by Thorsten Alteholz at 2019-10-27T18:20:43Z
Reserve DLA-1974-1 for proftpd-dfsg
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[27 Oct 2019] DLA-1974-1 proftpd-dfsg - security update
+ {CVE-2019-18217}
+ [jessie] - proftpd-dfsg 1.3.5e+r1.3.5-2+deb8u4
[27 Oct 2019] DLA-1973-1 libxslt - security update
{CVE-2019-18197}
[jessie] - libxslt 1.1.28-2+deb8u6
=
data/dla-needed.txt
=
@@ -98,8 +98,6 @@ pam-python (Hugo Lefeuvre)
--
polarssl
--
-proftpd-dfsg (Thorsten Alteholz)
---
python-ecdsa (Markus Koschany)
--
python-reportlab (Hugo Lefeuvre)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6e2e25126577441968f2eab22bddbbd014dc450
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6e2e25126577441968f2eab22bddbbd014dc450
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1973-1 for libxslt
Markus Koschany pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
31556519 by Markus Koschany at 2019-10-27T16:53:15Z
Reserve DLA-1973-1 for libxslt
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[27 Oct 2019] DLA-1973-1 libxslt - security update
+ {CVE-2019-18197}
+ [jessie] - libxslt 1.1.28-2+deb8u6
[26 Oct 2019] DLA-1972-1 mosquitto - security update
{CVE-2017-7655 CVE-2018-12550 CVE-2018-12551 CVE-2019-11779}
[jessie] - mosquitto 1.3.4-2+deb8u4
=
data/dla-needed.txt
=
@@ -76,8 +76,6 @@ libqb
--
libssh2 (Abhijith PA)
--
-libxslt (Markus Koschany)
---
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3155651959574f4802f058f87e8a026859aebc5e
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3155651959574f4802f058f87e8a026859aebc5e
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] correct release dates for DLA-1961-1 and DLA-1962-1
Holger Levsen pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
dafc13ef by Holger Levsen at 2019-10-27T13:33:00Z
correct release dates for DLA-1961-1 and DLA-1962-1
Signed-off-by: Holger Levsen hol...@layer-acht.org
- - - - -
1 changed file:
- data/DLA/list
Changes:
=
data/DLA/list
=
@@ -30,10 +30,10 @@
[17 Oct 2019] DLA-1963-1 poppler - security update
{CVE-2019-9959}
[jessie] - poppler 0.26.5-2+deb8u12
-[17 Oct 2019] DLA-1962-1 graphite-web - security update
+[21 Oct 2019] DLA-1962-1 graphite-web - security update
{CVE-2017-18638}
[jessie] - graphite-web 0.9.12+debian-6+deb8u1
-[17 Oct 2019] DLA-1961-1 milkytracker - security update
+[21 Oct 2019] DLA-1961-1 milkytracker - security update
{CVE-2019-14464 CVE-2019-14496 CVE-2019-14497}
[jessie] - milkytracker 0.90.85+dfsg-2.2+deb8u1
[16 Oct 2019] DLA-1714-2 libsdl2 - regression update
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/dafc13ef06c8fd1990d3cee4ad2ac57c11b3d5ac
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/dafc13ef06c8fd1990d3cee4ad2ac57c11b3d5ac
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-17498/libssh2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18a22792 by Salvatore Bonaccorso at 2019-10-27T12:51:55Z Update notes on CVE-2019-17498/libssh2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3179,6 +3179,10 @@ CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT l - libssh2 (bug #943562) NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/ + NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct string_buf, + NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and + NOTE: libssh2_get_string(), forming part of the fix): + NOTE: https://bugzilla.suse.com/attachment.cgi?id=822416 CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a memory le ...) - boa CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an out-of-m ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a227922360dec6b17b78c2ff96d034fa8d93b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a227922360dec6b17b78c2ff96d034fa8d93b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
3c2ab73e by security tracker role at 2019-10-27T08:10:13Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -113,6 +113,7 @@ CVE-2019-18410
CVE-2019-18409 (The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows
local pr ...)
NOT-FOR-US: ruby_parser-legacy packaging issue
CVE-2019-18408 (archive_read_format_rar_read_data in
archive_read_support_format_rar.c ...)
+ {DLA-1971-1}
- libarchive 3.4.0-1
NOTE:
https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689
@@ -20246,6 +20247,7 @@ CVE-2019-11781
CVE-2019-11780
RESERVED
CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious
MQTT cli ...)
+ {DLA-1972-1}
- mosquitto 1.6.6-1 (bug #940654)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160
NOTE: https://github.com/eclipse/mosquitto/issues/1412
@@ -71534,12 +71536,12 @@ CVE-2018-12553
CVE-2018-12552
REJECTED
CVE-2018-12551 (When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is
configured ...)
- {DSA-4388-1}
+ {DSA-4388-1 DLA-1972-1}
- mosquitto 1.5.6-1 (bug #921976)
NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/
NOTE: https://mosquitto.org/files/cve/2018-12551
CVE-2018-12550 (When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is
configured ...)
- {DSA-4388-1}
+ {DSA-4388-1 DLA-1972-1}
- mosquitto 1.5.6-1 (bug #921976)
NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/
NOTE: https://mosquitto.org/files/cve/2018-12550
@@ -136720,6 +136722,7 @@ CVE-2017-7656 (In Eclipse Jetty, versions 9.2.x and
older, 9.3.x (all configurat
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
CVE-2017-7655 (In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null
Dereference vu ...)
+ {DLA-1972-1}
- mosquitto 1.5.4-1 (low)
[stretch] - mosquitto (Minor issue)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=533775
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2ab73e66e34613804897f2452b83e7f358a328
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2ab73e66e34613804897f2452b83e7f358a328
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
