[Git][security-tracker-team/security-tracker][master] Claim the remaining LTS frontdesk weeks in 2019.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d6f95a3 by Markus Koschany at 2019-10-27T22:47:09Z Claim the remaining LTS frontdesk weeks in 2019. - - - - - 1 changed file: - org/lts-frontdesk.2019.txt Changes: = org/lts-frontdesk.2019.txt = @@ -61,5 +61,5 @@ From 25-11 to 01-12:Mike Gabriel From 02-12 to 08-12:Chris Lamb From 09-12 to 15-12:Thorsten Alteholz From 16-12 to 22-12:Mike Gabriel -From 23-12 to 29-12: -From 30-12 to 05-01: +From 23-12 to 29-12:Markus Koschany +From 30-12 to 05-01:Markus Koschany View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d6f95a31d1d9121f62fff5d1e3a4c1a59712374 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d6f95a31d1d9121f62fff5d1e3a4c1a59712374 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
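Review bot: the second claimed week, 30-12 to 05-01, runs past the end of 2019 even though it lives in org/lts-frontdesk.2019.txt; when the 2020 frontdesk file is started, its first row should begin at 06-01 so that week is not claimed twice. The two new lines otherwise follow the existing `From DD-MM to DD-MM:Name` layout of the context lines (no space after the colon).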
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-17543/lz4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18b38e4f by Salvatore Bonaccorso at 2019-10-27T21:59:41Z Add Debian bug reference for CVE-2019-17543/lz4 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3041,7 +3041,7 @@ CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109 NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...) - - lz4 + - lz4 (bug #943680) [buster] - lz4 (Minor issue) [stretch] - lz4 (Minor issue) [jessie] - lz4 (Very hard to exploit, low risk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18b38e4f4a3de2f803e3de2393cba6f0ecb99a33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18b38e4f4a3de2f803e3de2393cba6f0ecb99a33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
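Review bot: the bug reference goes onto the unstable line, which still carries no fixed version ("- lz4 (bug #943680)"); when a fixed upload lands in unstable (the CVE text says LZ4 before 1.9.2 is affected) the version needs to be added on that line, while the [buster], [stretch] and [jessie] no-dsa lines shown in context stay as they are.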
[Git][security-tracker-team/security-tracker][master] Mark lz4 as no-dsa for buster and stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 998f50dd by Salvatore Bonaccorso at 2019-10-27T21:50:00Z Mark lz4 as no-dsa for buster and stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3042,6 +3042,8 @@ CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...) - lz4 + [buster] - lz4 (Minor issue) + [stretch] - lz4 (Minor issue) [jessie] - lz4 (Very hard to exploit, low risk) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941 NOTE: https://github.com/lz4/lz4/pull/756 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/998f50dd8ed22e51e04c7f51241e5ebf5ce2fa81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/998f50dd8ed22e51e04c7f51241e5ebf5ce2fa81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
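Review bot: the new [buster] and [stretch] lines say "Minor issue" while the existing [jessie] line for the same CVE says "Very hard to exploit, low risk"; aligning the wording, or adding one NOTE with the shared rationale, saves triagers from re-assessing each suite separately. The upstream fix reference https://github.com/lz4/lz4/pull/756 is already in the NOTE lines, so the source patch is at hand if the no-dsa decision is ever revisited.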
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-1145{4,5}/monit as no-dsa for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2c7df11 by Salvatore Bonaccorso at 2019-10-27T21:25:54Z Mark CVE-2019-1145{4,5}/monit as no-dsa for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21455,10 +21455,12 @@ CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP CVE-2019-11455 (A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit bef ...) {DLA-1767-1} - monit 1:5.25.3-1 (bug #927775) + [stretch] - monit (Minor issue) NOTE: https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a CVE-2019-11454 (Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash ...) {DLA-1767-1} - monit 1:5.25.3-1 (bug #927775) + [stretch] - monit (Minor issue) NOTE: https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3 NOTE: https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c CVE-2019-11453 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2c7df11622d810da8edd57f81182e75a249f53f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2c7df11622d810da8edd57f81182e75a249f53f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
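Review bot: both CVEs are already marked {DLA-1767-1} for jessie, so tagging stretch as "Minor issue" leaves the older suite fixed and the newer one deferred; a short NOTE explaining why stretch is deferred (for example a planned point-release update) would document the asymmetry. The upstream fix commits are referenced on the following NOTE lines, so the backport remains available if the decision changes.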
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e258ea9e by security tracker role at 2019-10-27T20:10:21Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -522,6 +522,7 @@ CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not re NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780 NOTE: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauth ...) + {DLA-1974-1} - proftpd-dfsg 1.3.6a-2 (bug #942831) NOTE: https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4 NOTE: https://github.com/proftpd/proftpd/issues/846 @@ -562,6 +563,7 @@ CVE-2019-18200 (An issue was discovered on Fujitsu Wireless Keyboard Set LX390 G CVE-2019-18199 (An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 d ...) NOT-FOR-US: Fujitsu CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable i ...) + {DLA-1973-1} - libxslt (bug #942646) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e258ea9e8843eb9039e6489b5f6009e075df42a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e258ea9e8843eb9039e6489b5f6009e075df42a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: this is still ongoing
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bc99fec by Adrian Bunk at 2019-10-27T19:14:32Z dla: this is still ongoing - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,7 +66,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20191013: work is ongoing + NOTE: 20191027: work is ongoing -- libqb NOTE: 20190616: Upstream patch does not apply at all, but it appears that View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6bc99fecc078f106ec257f296e00ba5042af33f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6bc99fecc078f106ec257f296e00ba5042af33f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: claim tiff
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: efbab7c9 by Thorsten Alteholz at 2019-10-27T18:42:06Z claim tiff - - - - - 6dd2cea2 by Thorsten Alteholz at 2019-10-27T18:42:53Z update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,7 +86,7 @@ nghttp2 NOTE: 20190930: work into the pkg triaging, too. (sunweaver) -- opendmarc (Thorsten Alteholz) - NOTE: 20191013: testing package + NOTE: 20191027: still testing package -- openjdk-7 (Markus Koschany) -- @@ -118,13 +118,13 @@ slurm-llnl NOTE: 20191022: 750cc23edcc6fddfff21d33bdaf4fb7deb28cfda would be a start.(abhijith) -- spip (Thorsten Alteholz) - NOTE: 20191013: testing package + NOTE: 20191027: still testing package -- thunderbird (Emilio) NOTE: 20191001: CVE-2019-11755: bug is private, not sure whether to backport to 60esr or wait for 68esr (Beuc) NOTE: 20191001: CVE-2019-11755: https://bugzilla.mozilla.org/show_bug.cgi?id=1240290 -- -tiff +tiff (Thorsten Alteholz) NOTE: 20191020: Time to fix the postponed CVE as well? (apo) -- tika View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a6e2e25126577441968f2eab22bddbbd014dc450...6dd2cea209963441d056a566b70ce453784b244f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a6e2e25126577441968f2eab22bddbbd014dc450...6dd2cea209963441d056a566b70ce453784b244f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
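Review bot: the opendmarc and spip notes move from "testing package" (20191013) to "still testing package" (20191027) without saying what is blocking; a word on the open question (which test or behaviour is under scrutiny) would let another frontdesk member pick the package up. For tiff, the claim should also answer the pending NOTE from apo ("Time to fix the postponed CVE as well?") so the intended scope of the update is recorded in the same entry.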
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1974-1 for proftpd-dfsg
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a6e2e251 by Thorsten Alteholz at 2019-10-27T18:20:43Z Reserve DLA-1974-1 for proftpd-dfsg - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Oct 2019] DLA-1974-1 proftpd-dfsg - security update + {CVE-2019-18217} + [jessie] - proftpd-dfsg 1.3.5e+r1.3.5-2+deb8u4 [27 Oct 2019] DLA-1973-1 libxslt - security update {CVE-2019-18197} [jessie] - libxslt 1.1.28-2+deb8u6 = data/dla-needed.txt = @@ -98,8 +98,6 @@ pam-python (Hugo Lefeuvre) -- polarssl -- -proftpd-dfsg (Thorsten Alteholz) --- python-ecdsa (Markus Koschany) -- python-reportlab (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6e2e25126577441968f2eab22bddbbd014dc450 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6e2e25126577441968f2eab22bddbbd014dc450 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
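Review bot: reserving the DLA in data/DLA/list and dropping proftpd-dfsg from data/dla-needed.txt is the right pair of changes, but data/CVE/list is not touched here, so CVE-2019-18217 temporarily lacks its {DLA-1974-1} marker; the automatic update e258ea9e (2019-10-27T20:10:21Z) adds that marker, so nothing remains outstanding. The jessie line uses 1.3.5e+r1.3.5-2+deb8u4, which should match the version of the uploaded package.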
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1973-1 for libxslt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 31556519 by Markus Koschany at 2019-10-27T16:53:15Z Reserve DLA-1973-1 for libxslt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Oct 2019] DLA-1973-1 libxslt - security update + {CVE-2019-18197} + [jessie] - libxslt 1.1.28-2+deb8u6 [26 Oct 2019] DLA-1972-1 mosquitto - security update {CVE-2017-7655 CVE-2018-12550 CVE-2018-12551 CVE-2019-11779} [jessie] - mosquitto 1.3.4-2+deb8u4 = data/dla-needed.txt = @@ -76,8 +76,6 @@ libqb -- libssh2 (Abhijith PA) -- -libxslt (Markus Koschany) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3155651959574f4802f058f87e8a026859aebc5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3155651959574f4802f058f87e8a026859aebc5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] correct release dates for DLA-1961-1 and DLA-1962-1
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: dafc13ef by Holger Levsen at 2019-10-27T13:33:00Z correct release dates for DLA-1961-1 and DLA-1962-1 Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -30,10 +30,10 @@ [17 Oct 2019] DLA-1963-1 poppler - security update {CVE-2019-9959} [jessie] - poppler 0.26.5-2+deb8u12 -[17 Oct 2019] DLA-1962-1 graphite-web - security update +[21 Oct 2019] DLA-1962-1 graphite-web - security update {CVE-2017-18638} [jessie] - graphite-web 0.9.12+debian-6+deb8u1 -[17 Oct 2019] DLA-1961-1 milkytracker - security update +[21 Oct 2019] DLA-1961-1 milkytracker - security update {CVE-2019-14464 CVE-2019-14496 CVE-2019-14497} [jessie] - milkytracker 0.90.85+dfsg-2.2+deb8u1 [16 Oct 2019] DLA-1714-2 libsdl2 - regression update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dafc13ef06c8fd1990d3cee4ad2ac57c11b3d5ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dafc13ef06c8fd1990d3cee4ad2ac57c11b3d5ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
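Review bot: after the date correction, data/DLA/list no longer reads in descending date order: the two 21 Oct entries (DLA-1962-1, DLA-1961-1) now sit below the 17 Oct DLA-1963-1 and above the 16 Oct DLA-1714-2. If the file is ordered by DLA number this is expected, but anything that parses the list assuming dates decrease top to bottom will see the inversion, so that assumption is worth checking before relying on it.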
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-17498/libssh2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18a22792 by Salvatore Bonaccorso at 2019-10-27T12:51:55Z Update notes on CVE-2019-17498/libssh2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3179,6 +3179,10 @@ CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT l - libssh2 (bug #943562) NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/ + NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct string_buf, + NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and + NOTE: libssh2_get_string(), forming part of the fix): + NOTE: https://bugzilla.suse.com/attachment.cgi?id=822416 CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a memory le ...) - boa CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an out-of-m ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a227922360dec6b17b78c2ff96d034fa8d93b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a227922360dec6b17b78c2ff96d034fa8d93b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
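Review bot: the added NOTE lines point at a bugzilla.suse.com attachment rather than a commit, so the backport cannot be verified against a stable reference and the link may go stale; recording which upstream commit the attachment corresponds to (the dedcbd106f8e commit already linked is the upstream fix) or attaching the patch to Debian bug #943562 would keep it reachable. The note is correctly split across three lines, each prefixed with `NOTE:`.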
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c2ab73e by security tracker role at 2019-10-27T08:10:13Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -113,6 +113,7 @@ CVE-2019-18410 CVE-2019-18409 (The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local pr ...) NOT-FOR-US: ruby_parser-legacy packaging issue CVE-2019-18408 (archive_read_format_rar_read_data in archive_read_support_format_rar.c ...) + {DLA-1971-1} - libarchive 3.4.0-1 NOTE: https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689 @@ -20246,6 +20247,7 @@ CVE-2019-11781 CVE-2019-11780 RESERVED CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT cli ...) + {DLA-1972-1} - mosquitto 1.6.6-1 (bug #940654) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 NOTE: https://github.com/eclipse/mosquitto/issues/1412 @@ -71534,12 +71536,12 @@ CVE-2018-12553 CVE-2018-12552 REJECTED CVE-2018-12551 (When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured ...) - {DSA-4388-1} + {DSA-4388-1 DLA-1972-1} - mosquitto 1.5.6-1 (bug #921976) NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/ NOTE: https://mosquitto.org/files/cve/2018-12551 CVE-2018-12550 (When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured ...) - {DSA-4388-1} + {DSA-4388-1 DLA-1972-1} - mosquitto 1.5.6-1 (bug #921976) NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/ NOTE: https://mosquitto.org/files/cve/2018-12550 
@@ -136720,6 +136722,7 @@ CVE-2017-7656 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurat NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667 NOTE: https://github.com/eclipse/jetty.project/commit/a285deea CVE-2017-7655 (In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vu ...) + {DLA-1972-1} - mosquitto 1.5.4-1 (low) [stretch] - mosquitto (Minor issue) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=533775 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2ab73e66e34613804897f2452b83e7f358a328 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2ab73e66e34613804897f2452b83e7f358a328 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
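Review bot: the four {DLA-1972-1} additions line up with the CVEs the DLA was reserved for (CVE-2017-7655, CVE-2018-12550, CVE-2018-12551 and CVE-2019-11779, per the data/DLA/list context shown in commit 31556519), so the markers are complete. One thing to carry forward: CVE-2017-7655 keeps "[stretch] - mosquitto (Minor issue)" while jessie is now covered by the DLA, the same older-fixed/newer-deferred pattern flagged for the monit entries in d2c7df11.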