[Git][security-tracker-team/security-tracker][master] reclaim samba
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bc446eaa by Thorsten Alteholz at 2019-11-18T07:37:42Z reclaim samba - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -106,7 +106,7 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- -samba +samba (Thorsten Alteholz) -- squid3 (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc446eaa679f87b24480cf1aed864e12f4a0c435 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc446eaa679f87b24480cf1aed864e12f4a0c435 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
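Review bot: the restored claim "samba (Thorsten Alteholz)" is added with no NOTE line beneath it, so the entry records an owner but no status or date. A dated NOTE saying what is in progress would make the state of the samba update visible from the file itself.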
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: b4e66615 by Holger Levsen at 2019-11-18T06:48:39Z semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -19,7 +19,7 @@ ansible NOTE: CVE-2019-14846 should be an easy fix. NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) -- -freeimage (Hugo Lefeuvre) +freeimage NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 @@ -78,10 +78,10 @@ linux-4.9 (Ben Hutchings) opendmarc (Thorsten Alteholz) NOTE: 2019: still testing package -- -openjdk-7 (Markus Koschany) +openjdk-7 NOTE: 20191103: According to upstream there is ongoing work on a new IcedTea release. -- -pam-python (Hugo Lefeuvre) +pam-python NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, NOTE: using a single commit for the entire release which changes many things. (lamby) NOTE: 20191017: opened bug report and asked Russell (both Debian maintainer & upstream) @@ -89,10 +89,10 @@ pam-python (Hugo Lefeuvre) NOTE: 20191028: ongoing, maintainer will probably handle part or all of the update NOTE: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942514 -- -php-horde-groupware (Mike Gabriel) +php-horde-groupware NOTE: 20191030: No upstream fix, yet. (sunweaver) -- -php-horde-trean (Mike Gabriel) +php-horde-trean NOTE: 20191030: No upstream fix, yet. (sunweaver) -- python-reportlab (Hugo Lefeuvre) @@ -106,7 +106,7 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- -samba (Thorsten Alteholz) +samba -- squid3 (Markus Koschany) -- 
@@ -123,13 +123,13 @@ thunderbird (Emilio) tiff (Thorsten Alteholz) NOTE: 20191020: Time to fix the postponed CVE as well? (apo) -- -tightvnc (Mike Gabriel) +tightvnc NOTE: 20191030: has open issues on its own and NOTE: 20191030: contains non-security-maintained code from libvncserver (sunweaver) -- tnef (Utkarsh Gupta) -- -vino (Mike Gabriel) +vino NOTE: 20191030: ships non-security-maintained copy of libvncserver. (sunweaver) -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4e666155f936922da61a7406fc376ff94011b2f
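Review bot: the unclaimed entries lose their owner without any record in the file of why, and for "samba", which has no NOTE at all, nothing remains to show it was ever claimed. The commit message names the rule (2 weeks of inactivity) but not how inactivity was measured. Consider adding a dated NOTE to each unclaimed entry, or stating the criterion in the commit message.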
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1995-1 for angular.js
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 43a4d70c by Brian May at 2019-11-18T06:20:38Z Reserve DLA-1995-1 for angular.js - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Nov 2019] DLA-1995-1 angular.js - security update + {CVE-2019-14863} + [jessie] - angular.js 1.2.26-1+deb8u1 [15 Nov 2019] DLA-1994-1 postgresql-common - security update {CVE-2019-3466} [jessie] - postgresql-common 165+deb8u4 = data/dla-needed.txt = @@ -14,8 +14,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues NOTE: 20191109: Contacted upstream for relevant commits. Will ping here or claim it once they reply back. (utkarsh2102) NOTE: 20191114: Conversation going on; got a patch. (utkarsh2102) -- -angular.js (Brian May) --- ansible NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) NOTE: CVE-2019-14846 should be an easy fix. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43a4d70c85761d10d4b475d3977e2bfb4a36240e
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-12779/libqb: jessie end-of-life
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 67573539 by Roberto C. Sánchez at 2019-11-18T02:30:55Z CVE-2019-12779/libqb: jessie end-of-life - - - - - b55d19b5 by Roberto C. Sánchez at 2019-11-18T02:31:37Z LTS/libqb: remove from dla-needed.txt as it is now EOL - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -21647,6 +21647,7 @@ CVE-2019-5439 (A Buffer Overflow in VLC Media Player < 3.0.7 causes a crash w NOTE: http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security CVE-2019-12779 (libqb before 1.0.5 allows local users to overwrite arbitrary files via ...) - libqb 1.0.4-1 (unimportant; bug #927159) + [jessie] - libqb (https://salsa.debian.org/debian/debian-security-support/commit/ba638006d397eda2cc094761ed7a7bfdca9e534b) NOTE: https://github.com/ClusterLabs/libqb/issues/338 NOTE: https://github.com/ClusterLabs/libqb/commit/6a4067c1d1764d93d255eccecfd8bf9f43cb0b4d NOTE: Regression fix: https://github.com/ClusterLabs/libqb/pull/349 = data/dla-needed.txt = 
@@ -71,13 +71,6 @@ libmatio (Adrian Bunk) NOTE: 20190428: older changes seem to also be required for them NOTE: 2019: work is ongoing -- -libqb (Roberto C. Sánchez) - NOTE: 20190616: Upstream patch does not apply at all, but it appears that - NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or - NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby) - NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html - NOTE: 2019: Made an attempt at backporting relevant commits; requested review by upstream. (roberto) --- libvpx (Dylan Aïssi) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d989a77d1fe360ab0be6183b331fc3384f19db7d...b55d19b5bbb358f7ff4b090e0a1640e40f371af6
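Review bot: the data/dla-needed.txt hunk deletes the only record here that jessie's libqb "is still vulnerable in ipc_posix_mq.c etc." and that the upstream patch does not apply, while the line added under CVE-2019-12779 in data/CVE/list carries only a commit URL. Consider moving that finding into a NOTE under the CVE entry so it outlives the removal from dla-needed.txt.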
[Git][security-tracker-team/security-tracker][master] Annotate CVE-2019-18889/symfony as not affecting jessie
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d989a77d by Roberto C. Sánchez at 2019-11-18T02:21:21Z Annotate CVE-2019-18889/symfony as not affecting jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -310,6 +310,7 @@ CVE-2019-18890 CVE-2019-18889 [Forbid serializing AbstractAdapter and TagAwareAdapter instances] RESERVED - symfony 4.3.8+dfsg-1 + [jessie] - symfony (Vulnerable code not present) NOTE: https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances NOTE: https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a CVE-2019-1 [Prevent argument injection in a MimeTypeGuesser] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d989a77d1fe360ab0be6183b331fc3384f19db7d
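Review bot: the added jessie annotation gives "Vulnerable code not present" as its reason without saying what was checked. Since the CVE title names AbstractAdapter and TagAwareAdapter, a NOTE saying which code was looked for in the jessie version, and in which release it first appears, would let the next reader verify the not-affected status.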
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f2313ea2 by Moritz Muehlenhoff at 2019-11-17T21:52:43Z thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[17 Nov 2019] DSA-4571-1 thunderbird - security update + {CVE-2019-15903 CVE-2019-11764 CVE-2019-11763 CVE-2019-11762 CVE-2019-11761 CVE-2019-11760 CVE-2019-11759 CVE-2019-11757 CVE-2019-11755} + [stretch] - thunderbird 1:68.2.2-1~deb9u1 + [buster] - thunderbird 1:68.2.2-1~deb10u1 [17 Nov 2019] DSA-4570-1 mosquitto - security update {CVE-2019-11779} [buster] - mosquitto 1.5.7-1+deb10u1 = data/dsa-needed.txt = @@ -65,8 +65,6 @@ sssd -- symfony (jmm) -- -thunderbird (jmm) --- tiff Maintainer working on updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f2313ea245a701f3b9feedb4097ab252b669e71e
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2019-19035/jhead
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f61e6d6 by Salvatore Bonaccorso at 2019-11-17T20:31:36Z Add Debian bug reference for CVE-2019-19035/jhead - - - - - b821fb6c by Salvatore Bonaccorso at 2019-11-17T20:32:01Z Add Debian bug reference for CVE-2019-19012/libonig - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,7 @@ CVE-2019-19037 CVE-2019-19036 RESERVED CVE-2019-19035 (jhead 3.03 is affected by: heap-based buffer over-read. The impact is: ...) - - jhead + - jhead (bug #944961) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1765647 CVE-2019-19034 RESERVED @@ -54,7 +54,7 @@ CVE-2019-19014 CVE-2019-19013 RESERVED CVE-2019-19012 (An integer overflow in the search_in_range function in regexec.c in On ...) - - libonig + - libonig (bug #944959) NOTE: https://github.com/kkos/oniguruma/issues/164 CVE-2019-19011 (MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueC ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0b8be0058d5edfdfbe1a3d34a21e9b3636238a61...b821fb6c38a66977f7d89bcab6e1daababe4ba49
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-19012/libonig
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b8be005 by Salvatore Bonaccorso at 2019-11-17T20:22:45Z Add CVE-2019-19012/libonig - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,7 +54,8 @@ CVE-2019-19014 CVE-2019-19013 RESERVED CVE-2019-19012 (An integer overflow in the search_in_range function in regexec.c in On ...) - TODO: check + - libonig + NOTE: https://github.com/kkos/oniguruma/issues/164 CVE-2019-19011 (MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueC ...) TODO: check CVE-2019-19010 (Eval injection in the Math plugin of Limnoria (before 2019.11.09) and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b8be0058d5edfdfbe1a3d34a21e9b3636238a61
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-19035/jhead
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55a5747b by Salvatore Bonaccorso at 2019-11-17T20:21:00Z Add CVE-2019-19035/jhead - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,8 @@ CVE-2019-19037 CVE-2019-19036 RESERVED CVE-2019-19035 (jhead 3.03 is affected by: heap-based buffer over-read. The impact is: ...) - TODO: check + - jhead + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1765647 CVE-2019-19034 RESERVED CVE-2019-19033 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55a5747b75a5c66a63a27a936b4e0d02ad440c7b
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e466ed55 by Salvatore Bonaccorso at 2019-11-17T20:22:09Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34,7 +34,7 @@ CVE-2019-19024 CVE-2019-19023 RESERVED CVE-2019-19022 (iTerm2 through 3.3.6 has potentially insufficient documentation about ...) - TODO: check + NOT-FOR-US: iTerm2 CVE-2019-19021 RESERVED CVE-2019-19020 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e466ed55e8179ec519ce5c15e3a96395940e9dcf
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a7453fe by security tracker role at 2019-11-17T20:10:44Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,61 @@ +CVE-2019-19039 + RESERVED +CVE-2019-19038 + RESERVED +CVE-2019-19037 + RESERVED +CVE-2019-19036 + RESERVED +CVE-2019-19035 (jhead 3.03 is affected by: heap-based buffer over-read. The impact is: ...) + TODO: check +CVE-2019-19034 + RESERVED +CVE-2019-19033 + RESERVED +CVE-2019-19032 + RESERVED +CVE-2019-19031 + RESERVED +CVE-2019-19030 + RESERVED +CVE-2019-19029 + RESERVED +CVE-2019-19028 + RESERVED +CVE-2019-19027 + RESERVED +CVE-2019-19026 + RESERVED +CVE-2019-19025 + RESERVED +CVE-2019-19024 + RESERVED +CVE-2019-19023 + RESERVED +CVE-2019-19022 (iTerm2 through 3.3.6 has potentially insufficient documentation about ...) + TODO: check +CVE-2019-19021 + RESERVED +CVE-2019-19020 + RESERVED +CVE-2019-19019 + RESERVED +CVE-2019-19018 + RESERVED +CVE-2019-19017 + RESERVED +CVE-2019-19016 + RESERVED +CVE-2019-19015 + RESERVED +CVE-2019-19014 + RESERVED +CVE-2019-19013 + RESERVED +CVE-2019-19012 (An integer overflow in the search_in_range function in regexec.c in On ...) + TODO: check +CVE-2019-19011 (MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueC ...) + TODO: check CVE-2019-19010 (Eval injection in the Math plugin of Limnoria (before 2019.11.09) and ...) - limnoria 2019.11.09-1 [buster] - limnoria (Minor issue, can be fixed via point release) @@ -24088,7 +24146,7 @@ CVE-2019-11781 CVE-2019-11780 RESERVED CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT cli ...) - {DLA-1972-1} + {DSA-4570-1 DLA-1972-1} - mosquitto 1.6.6-1 (bug #940654) [stretch] - mosquitto (Vulnerable code introduced later) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 
@@ -27185,7 +27243,7 @@ CVE-2019-10742 (Axios up to and including 0.18.0 allows attackers to cause a den NOTE: https://github.com/axios/axios/pull/1485 CVE-2019-10741 (K-9 Mail v5.600 can include the original quoted HTML code of a special ...) NOT-FOR-US: K-9 Mail -CVE-2019-10740 (In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP ...) +CVE-2019-10740 (In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIM ...) - roundcube (bug #927713) [buster] - roundcube (Relies on php-crypt-gpg, not in buster) [stretch] - roundcube (Relies on php-crypt-gpg, not in stretch. Old version in 1.3 doesn't verify signature anyway) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a7453fecb4a1bf4012390b6478e1f30474ddf0b
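Review bot: in the last hunk the description of CVE-2019-10740 changes from "1.3.4" to "before 1.3.10", while the hand-written buster and stretch annotations beneath it remain unchanged context. The stretch reason refers to the "Old version in 1.3", so both annotations are worth re-checking against the new version range after this automatic update.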
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-10070 (NFU)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb448b2d by Salvatore Bonaccorso at 2019-11-17T20:05:53Z Add CVE-2019-10070 (NFU) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29062,6 +29062,7 @@ CVE-2019-10071 (The code which checks HMAC in form submissions used String.equal NOT-FOR-US: Apache Tapestry CVE-2019-10070 RESERVED + NOT-FOR-US: Apache Atlas CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...) NOT-FOR-US: Godot CVE-2019-10068 (An issue was discovered in Kentico before 12.0.15. Due to a failure to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb448b2d6a1ffd851a877434758bcd1b26202d2b
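Review bot: the added "NOT-FOR-US: Apache Atlas" sits under an entry that is still RESERVED and has no description, so nothing in the hunk shows where the attribution to Apache Atlas comes from. Adding a NOTE with the URL of the announcement or advisory would make the classification checkable.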
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for mosquitto security update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8dde1e21 by Salvatore Bonaccorso at 2019-11-17T16:05:28Z Reserve DSA number for mosquitto security update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[17 Nov 2019] DSA-4570-1 mosquitto - security update + {CVE-2019-11779} + [buster] - mosquitto 1.5.7-1+deb10u1 [14 Nov 2019] DSA-4569-1 ghostscript - security update {CVE-2019-14869} [stretch] - ghostscript 9.26a~dfsg-0+deb9u6 = data/dsa-needed.txt = @@ -40,8 +40,6 @@ linux (carnil) -- mercurial/oldstable -- -mosquitto/stable (carnil) --- nodejs -- nss/oldstable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8dde1e210733a18b3655919209eb87e5ca103fe1
[Git][security-tracker-team/security-tracker][master] Give more detailed explanation on CVE-2019-11779/mosquitto
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7985d4d by Salvatore Bonaccorso at 2019-11-17T15:56:49Z Give more detailed explanation on CVE-2019-11779/mosquitto - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24097,6 +24097,10 @@ CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQ NOTE: Fixed by: https://github.com/eclipse/mosquitto/commit/106675093177335b18521bc0e5ad1d95343ad652 (1.6.6) NOTE: Fixed by: https://github.com/eclipse/mosquitto/commit/84681d9728ceb7f6ea2b6751b4d87200d8a62f14 (1.5.9) NOTE: https://mosquitto.org/blog/2019/09/version-1-6-6-released/ + NOTE: The issue manifests in versions 1.5.0 and onwards only, because some structs + NOTE: increased in size enough to cause the stack overflow vulnerability for excessive + NOTE: topic hierarchies. In earlier versions, the maximum possible hierarchy depth of + NOTE: 65535 wouldn't cause a stack overflow. CVE-2019-11778 (If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1 ...) - mosquitto 1.6.6-1 [buster] - mosquitto (Session expiry interval support introduced in 1.6) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f7985d4db7aeaf5880ad2d21c046cdf8833adcdb
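Review bot: the four added NOTE lines state a cause (structs grew in size from 1.5.0) and a bound (a hierarchy depth of 65535 does not overflow the stack in earlier versions) without a reference. The entry already links two fixing commits and the release blog post; saying which of these, or which other source, supports the analysis would let readers confirm why earlier versions are treated as unaffected.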
[Git][security-tracker-team/security-tracker][master] take thunderbird/symfony
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 003882c7 by Moritz Muehlenhoff at 2019-11-17T13:44:13Z take thunderbird/symfony - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -65,7 +65,9 @@ squid3/oldstable sssd Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release. -- -thunderbird +symfony (jmm) +-- +thunderbird (jmm) -- tiff Maintainer working on updates View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/003882c783c8ba7c540e73c1fe25205c1e80ac20