[Git][security-tracker-team/security-tracker][master] 2 commits: claim graphicsmagick
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c41c5f2f by Thorsten Alteholz at 2020-01-05T23:34:52+01:00
claim graphicsmagick
- - - - -
5b7bfc11 by Thorsten Alteholz at 2020-01-05T23:35:18+01:00
update note
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -30,7 +30,7 @@ gpac NOTE: 20200105: All open issues are unfixed. Adding it here for future NOTE: triaging when more information are available. (apo) -- -graphicsmagick +graphicsmagick (Thorsten Alteholz) -- gthumb (Abhijith PA) -- @@ -81,7 +81,7 @@ lout nss (Markus Koschany) -- opendmarc (Thorsten Alteholz) - NOTE: 20191222: still testing package, original patch does not seem to be enough, still ongoing + NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing -- pillow --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/195a570fe21e48f942229b4ec4dd67188fc2ddfd...5b7bfc11d4b2a78a45c051d3e2cbeb8cafe9df11
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
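Review bot: the opendmarc NOTE in the second hunk changes only the date stamp (20191222 to 20200105) while the text stays "still testing package, original patch does not seem to be enough, still ongoing"; a status bump is more useful to the next triager if it records what changed since the previous date, for instance which additional upstream commits were tried or in what way the original patch falls short. The graphicsmagick claim in the first hunk follows the file's existing "package (Name)" convention and needs nothing further.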
[Git][security-tracker-team/security-tracker][master] Mark open CVEs for opencv as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
195a570f by Salvatore Bonaccorso at 2020-01-05T21:22:41+01:00
Mark open CVEs for opencv as no-dsa
Those are fairly minor and can be issued to be fixed via a scheduled point release.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -7858,6 +7858,7 @@ CVE-2019-19625 (SROS 2 0.8.1 (which provides the tools that generate and distrib NOT-FOR-US: SROS CVE-2019-19624 (An out-of-bounds read was discovered in OpenCV before 4.1.1. Specifica ...) - opencv 4.1.2+dfsg-3 + [buster] - opencv (Minor issue; can be fixed via point release) [stretch] - opencv (Vulnerable code introduced later) [jessie] - opencv (Vulnerable code introduced later) NOTE: https://github.com/opencv/opencv/commit/d1615ba11a93062b1429fce9f0f638d1572d3418
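Review bot: the added [buster] line for CVE-2019-19624 shows no state marker between "opencv" and the parenthesised reason, and neither do the existing [stretch] and [jessie] lines that say "Vulnerable code introduced later"; since the title says no-dsa and the stretch/jessie reason describes a not-affected status, confirm that the file carries the <no-dsa> and <not-affected> markers respectively, because as rendered here the three lines are indistinguishable. The NOTE references the fixing commit d1615ba11a93 without the upstream version that contains it; adding the version in parentheses after the URL, as the pillow entry elsewhere in this log does with "(6.2.2)", makes the point-release update easier to verify.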
@@ -26832,12 +26833,16 @@ CVE-2019-14493 (An issue was discovered in OpenCV before 4.1.1. There is a NULL CVE-2019-14492 (An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. T ...) [experimental] - opencv 4.1.1+dfsg-1 - opencv 4.1.2+dfsg-3 + [buster] - opencv (Minor issue; can be fixed via point release) + [stretch] - opencv (Minor issue; can be fixed via point release) [jessie] - opencv (Minor issue, DoS, PoC not crashing) NOTE: https://github.com/opencv/opencv/issues/15124 NOTE: https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed CVE-2019-14491 (An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. T ...) [experimental] - opencv 4.1.1+dfsg-1 - opencv 4.1.2+dfsg-3 + [buster] - opencv (Minor issue; can be fixed via point release) + [stretch] - opencv (Minor issue; can be fixed via point release) [jessie] - opencv (Minor issue, DoS, PoC not crashing) NOTE: https://github.com/opencv/opencv/issues/15125 NOTE: https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/195a570fe21e48f942229b4ec4dd67188fc2ddfd
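Review bot: CVE-2019-14493 appears only in this hunk's context header and is not touched, while the commit title says "open CVEs for opencv"; check whether it is still open in buster and stretch or already carries its own per-release lines, otherwise it is the one opencv entry left without a triage decision. Within the hunk, CVE-2019-14492 and CVE-2019-14491 get the generic "Minor issue; can be fixed via point release" for buster and stretch while the jessie lines give the concrete reason "DoS, PoC not crashing"; reusing the concrete reason on the new lines keeps the rationale with the entry when the point-release update is prepared.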
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-10195 and CVE-2019-14867 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cd43243d by Salvatore Bonaccorso at 2020-01-05T21:19:28+01:00
Mark CVE-2019-10195 and CVE-2019-14867 as no-dsa
This is not quite optimal, but outside Red Hat world freeipa has less relevance. Those two issues can be fixed in a scheduled point release.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -25684,6 +25684,7 @@ CVE-2019-14868 RESERVED CVE-2019-14867 (A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x ve ...) - freeipa 4.8.3-1 + [buster] - freeipa (Minor issue; can be fixed via point release) NOTE: https://pagure.io/freeipa/c/4abd2f76d76c4c1a1ec5087ec447f4515b63c2c6 CVE-2019-14866 [improper input validation when writing tar header fields leads to unexpect tar generation] RESERVED @@ -40101,6 +40102,7 @@ CVE-2019-10196 NOT-FOR-US: nodejs-http-proxy-agent CVE-2019-10195 (A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x ve ...) - freeipa 4.8.3-1 + [buster] - freeipa (Minor issue; can be fixed via point release) NOTE: https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0 CVE-2019-10194 (Sensitive passwords used in deployment and configuration of oVirt Metr ...) NOT-FOR-US: ovirt-engine-metrics
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cd43243da1b86cedbd521be248ca2f3369e07f30
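Review bot: both hunks add only a [buster] line with the generic reason "Minor issue; can be fixed via point release", whereas the commit message gives the actual basis for the decision (freeipa's limited relevance outside the Red Hat world, "not quite optimal"); that reasoning belongs in a NOTE line next to each entry so that a later reviewer sees it is a deployment-base judgement rather than a severity assessment. The buster-only scope also leaves stretch unannotated for both CVEs; confirm that is because stretch does not ship freeipa rather than an omission.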
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-16981/libstb as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
50a7853f by Salvatore Bonaccorso at 2020-01-05T21:11:37+01:00
Mark CVE-2018-16981/libstb as no-dsa
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -75719,6 +75719,7 @@ CVE-2018-16982 (Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a CVE-2018-16981 (stb stb_image.h 2.19, as used in catimg, Emscripten, and other product ...) - catimg - libstb 0.0~git20190617.5.c72a95d-1 + [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/656 NOTE: https://github.com/nothings/stb/commit/50b1bfba583b12ceb23ef949567bdd914461e524 TODO: further check, stb_image.h in older version is embedded in src:catimg
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/50a7853ffeb9223454fbe532c1be8a9c64e17fb0
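Review bot: the no-dsa line covers only libstb, but the same entry lists catimg with no fixed version and the TODO ("further check, stb_image.h in older version is embedded in src:catimg") remains open; the CVE description itself names catimg as a product carrying the affected stb_image.h, so the embedded copy needs its own status (fixed version or per-release line) before this CVE is handled for buster. Embedded copies are easy to lose track of once the library package is marked, which is why the TODO should not outlive the triage commit.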
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bc33dbd8 by security tracker role at 2020-01-05T20:10:25+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -1,3 +1,11 @@ +CVE-2020-5507 + RESERVED +CVE-2020-5506 + RESERVED +CVE-2020-5505 + RESERVED +CVE-2020-5504 + RESERVED CVE-2020-5503 RESERVED CVE-2020-5502
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc33dbd89e059bdb79a6ab743e44b673f04e99d3
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-20149/node-kind-of as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8560d77a by Salvatore Bonaccorso at 2020-01-05T21:03:26+01:00
Mark CVE-2019-20149/node-kind-of as no-dsa
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -3565,6 +3565,8 @@ CVE-2020-3940 RESERVED CVE-2019-20149 (ctorName in index.js in kind-of v6.0.2 allows external user input to o ...) - node-kind-of (bug #948095) + [buster] - node-kind-of (Minor issue; can be fixed via point release) + [stretch] - node-kind-of (Minor issue; can be fixed via point release) NOTE: https://github.com/jonschlinkert/kind-of/issues/30 NOTE: https://github.com/jonschlinkert/kind-of/pull/31 CVE-2019-20148
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8560d77a705a66d48445950926bc799cc7fede70
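Review bot: the unstable line "- node-kind-of (bug #948095)" records no fixed version and the two NOTEs point only at the upstream issue and pull request; recording the upstream release that contains PR #31 in parentheses after the NOTE URL, as the pillow entry elsewhere in this log does, gives the buster and stretch point-release updates a concrete target to backport from and to compare against.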
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-17109/koji as no-dsa for stretch and buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2ec30bc1 by Salvatore Bonaccorso at 2020-01-05T20:59:57+01:00
Mark CVE-2019-17109/koji as no-dsa for stretch and buster
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -18951,6 +18951,8 @@ CVE-2019-17110 REJECTED CVE-2019-17109 (Koji through 1.18.0 allows remote Directory Traversal, with resultant ...) - koji (bug #942146) + [buster] - koji (Minor issue; can be fixed via point release) + [stretch] - koji (Minor issue; can be fixed via point release) NOTE: https://docs.pagure.org/koji/CVE-2019-17109/ NOTE: https://pagure.io/koji/issue/1634 CVE-2019-17108 (Local file inclusion in brokerPerformance.php in Centreon Web before 2 ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2ec30bc1ca67d5768bbbfcd15ac26d3faa72c487
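Review bot: the description says "remote Directory Traversal", which on its face is not a minor issue, yet the added [buster] and [stretch] lines carry only the generic "Minor issue; can be fixed via point release" with no NOTE explaining what reduces the impact in Debian (for example which koji component is affected and whether it is shipped or enabled by default); without that, the no-dsa decision cannot be reviewed later without repeating the analysis.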
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-16774 as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f19f3892 by Salvatore Bonaccorso at 2020-01-05T20:57:30+01:00
Mark CVE-2019-16774 as unimportant
The affected code for CVE-2019-16774 in the embedded copy used by kopano-webapp-plugin-files is not used. Upstream decided nevertheless to patch it and update to a newer version.
Thanks: Carsten Schoenert
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -19935,10 +19935,11 @@ CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arb NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli CVE-2019-16774 (In phpfastcache before 5.1.3, there is a possible object injection vul ...) - - kopano-webapp-plugin-files 2.1.5+dfsg1-2 + - kopano-webapp-plugin-files 2.1.5+dfsg1-2 (unimportant) NOTE: https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-484f-743f-6jx2 NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/c4527205cb7a402b595790c74310791f5b04a1a4 (5.0.13) NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/82a84adff6e8fc9b564c616d0fdc9238ae2e86c3 (4.3.18) + NOTE: Affected phpfastcache code is not used in kopano-webapp-plugin-files. CVE-2019-16773 RESERVED CVE-2019-16772 (The serialize-to-js NPM package before version 3.0.1 is vulnerable to ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f19f38927145445fd57a4e0ab27b6588020a7fe8
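Review bot: this is the shape an "unimportant" downgrade should have: the fixed version stays on the package line and a NOTE records why the issue does not matter here ("Affected phpfastcache code is not used"). One addition worth making is the embedded phpfastcache version the package ships, since the two fixing commits are tagged 5.0.13 and 4.3.18 and the description names "before 5.1.3"; knowing which branch is embedded tells a later triager whether the reasoning still holds after the plugin is updated.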
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-3881/bundler as no-dsa for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7af837b9 by Salvatore Bonaccorso at 2020-01-05T20:52:57+01:00
Mark CVE-2019-3881/bundler as no-dsa for stretch
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -57112,6 +57112,7 @@ CVE-2019-3882 (A flaw was found in the Linux kernel's vfio interface implementat CVE-2019-3881 [tmp_home_path insecure] RESERVED - bundler 1.16.1-2 (bug #881749; bug #796383) + [stretch] - bundler (Minor issue) [jessie] - bundler (This version just uses mktmpdir which creates temporary directories with 0700 permissions by default.) NOTE: Upstream issue: https://github.com/bundler/bundler/issues/6501 NOTE: https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0006-Don-t-use-insecure-temporary-directory-as-home-direc.patch
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7af837b98b06a609dae6829ba1fdcb10c844b4fb
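Review bot: the new [stretch] line says only "Minor issue", while the jessie line directly below explains why that version is safe (it uses mktmpdir, which creates 0700 directories). If stretch's bundler also uses mktmpdir, the accurate status is not-affected with the same reason; if it does not, the line should say what makes the insecure temporary home directory minor there, so the two adjacent release lines do not read as contradictory assessments of the same code path. The Debian patch referenced in the NOTE (0006-Don-t-use-insecure-temporary-directory-as-home-direc.patch from 1.16.1-2) is the obvious candidate for a point-release backport and could be named as such.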
[Git][security-tracker-team/security-tracker][master] Reference upstream issue for CVE-2019-10219
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
31dfe11d by Salvatore Bonaccorso at 2020-01-05T20:45:01+01:00
Reference upstream issue for CVE-2019-10219
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -39980,6 +39980,7 @@ CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml v [stretch] - libhibernate-validator-java (Vulnerable code was introduced later.) [jessie] - libhibernate-validator-java (Vulnerable code was introduced later.) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1738673 + NOTE: https://hibernate.atlassian.net/browse/HV-1739 NOTE: Fixed by https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee CVE-2019-10218 (A flaw was found in the samba client, all samba versions before samba ...) - samba 2:4.11.1+dfsg-2
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/31dfe11d3342f5fb9bb31dc5b4cb42fe05e2537a
[Git][security-tracker-team/security-tracker][master] Add gpac to dla-needed.txt for future triaging.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a8c502b4 by Markus Koschany at 2020-01-05T20:42:01+01:00
Add gpac to dla-needed.txt for future triaging.
Should be revisited when more information are available.
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -26,6 +26,10 @@ git (Roberto C. Sánchez) NOTE: 20191226: Patches integrated for 4 of 5 CVEs. The last, CVE-2019-1387, NOTE: 20191226: is proving rather difficult. (roberto) -- +gpac + NOTE: 20200105: All open issues are unfixed. Adding it here for future + NOTE: triaging when more information are available. (apo) +-- graphicsmagick -- gthumb (Abhijith PA)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a8c502b4b2940b7a4f2dbeb5f84647fb049c289a
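Review bot: the added gpac NOTE says "All open issues are unfixed" without naming them; the neighbouring git entry shows the more useful pattern (a count, plus the specific CVE that is blocking), so listing the open CVE ids here, or at least their number, would let the next triager see at a glance whether anything has changed upstream since 20200105 without a tracker lookup.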
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-12409: Remove TODO item.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cba520c6 by Markus Koschany at 2020-01-05T20:38:00+01:00
CVE-2019-12409: Remove TODO item.
- - - - -
fea2d6cc by Markus Koschany at 2020-01-05T20:38:01+01:00
CVE-2019-17558,lucene-solr: Mark as unimportant for all distributions
The velocity module is not built in Debian due to missing dependencies. It is not clear if lucene-solr is affected at all because the parameter settings are missing in this version and upstream claims only 5.0.0+ is affected. I believe unimportant is correct here.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -17718,7 +17718,7 @@ CVE-2019-17560 CVE-2019-17559 RESERVED CVE-2019-17558 (Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code ...) - - lucene-solr + - lucene-solr (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2019/12/30/1 NOTE: https://issues.apache.org/jira/browse/SOLR-13971 NOTE: https://issues.apache.org/jira/browse/SOLR-14025
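Review bot: the reasoning that justifies "unimportant" lives only in the commit message (the velocity module is not built in Debian for lack of dependencies, and the packaged version predates the 5.0.0+ range upstream says is affected); the entry itself gains just "(unimportant)" next to a description that begins "vulnerable to a Remote Code ...". The kopano-webapp-plugin-files change in this same log added a NOTE with the reason; do the same here ("velocity module not built in Debian") so the downgrade is self-explanatory and can be re-checked if the build dependencies ever become available.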
@@ -33972,7 +33972,6 @@ CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/ar CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...) - lucene-solr (Vulnerable code was introduced later) NOTE: https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E - TODO: check CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...) NOT-FOR-US: Apache Arrow CVE-2019-12407 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5546cbaabb10d97591b9d8e714b085bceacac302...fea2d6cc1d45fc18106aa150724af8d6a4c44572
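Review bot: removing "TODO: check" is consistent with the "Vulnerable code was introduced later" status already on the line above, but for a CVE whose description is specific to the 8.1.1 and 8.2.0 releases the entry still never states which lucene-solr version Debian ships; one NOTE with the packaged version would make the not-affected reasoning verifiable without opening the package.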
[Git][security-tracker-team/security-tracker][master] Add missing status for CVE-2019-10219
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5546cbaa by Salvatore Bonaccorso at 2020-01-05T20:32:26+01:00
Add missing status for CVE-2019-10219
Fixes: 30b3d65ab45d ("CVE-2019-10219,libhibernate-validator-java: Jessie, Stretch and Buster are not")
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -39976,7 +39976,7 @@ CVE-2019-10221 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...) - linux 5.3.9-1 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...) - - libhibernate-validator-java (bug #948235) + - libhibernate-validator-java (bug #948235) [buster] - libhibernate-validator-java (Vulnerable code was introduced later.) [stretch] - libhibernate-validator-java (Vulnerable code was introduced later.) [jessie] - libhibernate-validator-java (Vulnerable code was introduced later.)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5546cbaabb10d97591b9d8e714b085bceacac302
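Review bot: the removed and added lines read identically in this rendering ("- libhibernate-validator-java (bug #948235)"), so the "missing status" the title refers to is not visible; the most plausible explanation is an angle-bracket state marker that the mailing-list rendering dropped as markup. That same caveat applies to every entry on this page that shows a package name followed directly by a parenthesised reason, so the presence or absence of a state marker should be checked in the repository rather than inferred from these mails.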
[Git][security-tracker-team/security-tracker][master] CVE-2019-12409,lucene-solr: Debian is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
19211678 by Markus Koschany at 2020-01-05T19:32:08+01:00
CVE-2019-12409,lucene-solr: Debian is not affected
Vulnerable code was introduced later.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -33970,7 +33970,7 @@ CVE-2019-12411 CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/arrow/pu ...) NOT-FOR-US: Apache Arrow CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...) - - lucene-solr + - lucene-solr (Vulnerable code was introduced later) NOTE: https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E TODO: check CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/192116789d1c2db7ac6514a898a9d0952e86177f
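Review bot: the status line is updated but the "TODO: check" directly below it is left in place by this commit and only dropped in the later cba520c6 commit shown earlier on this page; when a finding resolves a TODO, removing it in the same commit avoids an intermediate state in which the entry both asserts not-affected and asks for a check.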
[Git][security-tracker-team/security-tracker][master] Add bug number for CVE-2019-10219.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
89e43e26 by Markus Koschany at 2020-01-05T19:20:05+01:00
Add bug number for CVE-2019-10219.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -39976,7 +39976,7 @@ CVE-2019-10221 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...) - linux 5.3.9-1 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...) - - libhibernate-validator-java + - libhibernate-validator-java (bug #948235) [buster] - libhibernate-validator-java (Vulnerable code was introduced later.) [stretch] - libhibernate-validator-java (Vulnerable code was introduced later.) [jessie] - libhibernate-validator-java (Vulnerable code was introduced later.)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/89e43e2685fec1ab7521e419656658e3f06ae88e
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-10219,hibernate-validator: Reference fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
70ace504 by Markus Koschany at 2020-01-05T18:43:40+01:00
CVE-2019-10219,hibernate-validator: Reference fixing commit
- - - - -
30b3d65a by Markus Koschany at 2020-01-05T19:12:38+01:00
CVE-2019-10219,libhibernate-validator-java: Jessie, Stretch and Buster are not affected.
Vulnerable code was introduced later.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -39976,9 +39976,12 @@ CVE-2019-10221 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...) - linux 5.3.9-1 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...) - - libhibernate-validator-java + - libhibernate-validator-java + [buster] - libhibernate-validator-java (Vulnerable code was introduced later.) + [stretch] - libhibernate-validator-java (Vulnerable code was introduced later.) + [jessie] - libhibernate-validator-java (Vulnerable code was introduced later.) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1738673 - TODO: 20190910: Asked for more information in #1738673. (apo) + NOTE: Fixed by https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee CVE-2019-10218 (A flaw was found in the samba client, all samba versions before samba ...) - samba 2:4.11.1+dfsg-2 [buster] - samba (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c7cffec1db839e2965c7610faa09567b6e9b99ca...30b3d65ab45db793565b9a37ec6756fe6515dd51
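Review bot: the unstable line is replaced by one that reads the same here ("- libhibernate-validator-java"), and the later commit 5546cbaa on this page had to "add missing status" to exactly this entry, which suggests the state marker on that line was lost in this commit; the three new per-release lines say "Vulnerable code was introduced later." while the commit message says "not affected", so each should carry the not-affected marker and the unstable line its unfixed one. Replacing the dated TODO with a "Fixed by" NOTE is the right move once the fixing commit is known.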
[Git][security-tracker-team/security-tracker][master] CVE-2013-5027,collabtive: Jessie is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c7cffec1 by Markus Koschany at 2020-01-05T18:26:43+01:00
CVE-2013-5027,collabtive: Jessie is not affected.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -261654,6 +261654,7 @@ CVE-2013-5028 (SQL injection vulnerability in IT/hardware-list.dll in Kwoksys Kw NOT-FOR-US: Kwok Information Server CVE-2013-5027 (Collabtive 1.0 has incorrect access control ...) - collabtive + [jessie] - collabtive (fixed in version 1.1) CVE-2013-5026 (An ActiveX control in lookout650.ocx, lookout660.ocx, and lookout670.o ...) NOT-FOR-US: National Instruments Lookout CVE-2013-5025 (An ActiveX control in exlauncher.dll in the Help subsystem in National ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7cffec1db839e2965c7610faa09567b6e9b99ca
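Review bot: the added jessie line gives the reason "fixed in version 1.1", but the unstable line "- collabtive" directly above records no fixed version, so the entry is internally inconsistent: if a version of at least 1.1 is what jessie ships, the same fixed version belongs on the unstable line (which would make the per-release line redundant), and if the package no longer exists in unstable that should be recorded there instead. Also confirm the jessie line carries the not-affected marker the commit title implies, as this rendering shows nothing between the package name and the reason.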
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-5496,CVE-2020-5395,fontforge: Mark as no-dsa for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c969a57d by Markus Koschany at 2020-01-05T18:02:52+01:00
CVE-2020-5496,CVE-2020-5395,fontforge: Mark as no-dsa for Jessie
Minor issue
- - - - -
a0e6ba51 by Markus Koschany at 2020-01-05T18:17:39+01:00
Add bug number for fontforge
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -13,9 +13,10 @@ CVE-2020-5498 CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect throug ...) NOT-FOR-US: MITREid Connect CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the Type2NotDef ...) - - fontforge + - fontforge (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) + [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4085 CVE-2020-5495 RESERVED @@ -218,9 +219,10 @@ CVE-2020-5397 CVE-2020-5396 RESERVED CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd. ...) - - fontforge + - fontforge (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) + [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4084 CVE-2019-20334 (In Netwide Assembler (NASM) 2.14.02, stack consumption occurs in expr# ...) - nasm (unimportant)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/145e165bd1194fde3f3b463ab4c6dc38e297bfe1...a0e6ba5183c69ddbc39a62a1cb9303ef6605f86a
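Review bot: both entries now point at bug #948231 and reference only the upstream issues (4085 and 4084), with no fixing commit; a heap-based buffer overflow and a use-after-free in a font parser marked "Minor issue" across jessie, stretch and buster should state what limits the impact (for example that the bugs are only reachable by opening a crafted font in the editor), so the no-dsa decisions can be revisited once upstream fixes exist rather than being re-derived from scratch.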
[Git][security-tracker-team/security-tracker][master] 2 commits: Track older pillow issue as well under #948224
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ac7e3305 by Salvatore Bonaccorso at 2020-01-05T17:46:44+01:00
Track older pillow issue as well under #948224
- - - - -
145e165b by Salvatore Bonaccorso at 2020-01-05T17:48:22+01:00
Add upstream version fixing CVE-2019-19911/pillow
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -4233,8 +4233,8 @@ CVE-2019-19912 RESERVED CVE-2019-19911 [Raise an error for an invalid number of bands in FPX image] RESERVED - - pillow - NOTE: https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d + - pillow (bug #948224) + NOTE: https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d (6.2.2) CVE-2019-19910 (The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 ...) NOT-FOR-US: Mediawiki skin CVE-2019-19909 (An issue was discovered in Public Knowledge Project (PKP) pkp-lib befo ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/52751baad25ec1f85bb8243c6bbc6fa253092eb0...145e165bd1194fde3f3b463ab4c6dc38e297bfe1
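Review bot: this entry is in good shape (bug number on the package line, fixing commit annotated with the upstream release 6.2.2 that contains it), which is the pattern several other entries in this log lack; what is still missing is any per-release line for buster and stretch, so until those are added the tracker cannot say whether the stable releases are affected by the FPX band-count issue.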
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-19911/pillow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
52751baa by Salvatore Bonaccorso at 2020-01-05T17:45:40+01:00
Add CVE-2019-19911/pillow
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -4231,8 +4231,10 @@ CVE-2019-19913 RESERVED CVE-2019-19912 RESERVED -CVE-2019-19911 +CVE-2019-19911 [Raise an error for an invalid number of bands in FPX image] RESERVED + - pillow + NOTE: https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d CVE-2019-19910 (The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 ...) NOT-FOR-US: Mediawiki skin CVE-2019-19909 (An issue was discovered in Public Knowledge Project (PKP) pkp-lib befo ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/52751baad25ec1f85bb8243c6bbc6fa253092eb0
[Git][security-tracker-team/security-tracker][master] Add note for python-django
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b3d3750 by Salvatore Bonaccorso at 2020-01-05T17:17:11+01:00 Add note for python-django - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -42,6 +42,7 @@ nss/oldstable (jmm) poppler (jmm) -- python-django + Maintainer asked if possible to prepare updates. -- python-reportlab (hle) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b3d3750bb3f2b8c7c64b3b4bf4fbf60bcdcec30 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b3d3750bb3f2b8c7c64b3b4bf4fbf60bcdcec30 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
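Review bot: the added dsa-needed.txt line "Maintainer asked if possible to prepare updates." is an undated free-text note, while the dla-needed.txt entries in the same tree (opendmarc, gpac) use the "NOTE: YYYYMMDD: ..." form that records when contact was made and when a follow-up is due. Suggest "NOTE: 20200105: maintainer asked whether they can prepare the updates" so the python-django entry can be aged like the others.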
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-5395 and CVE-2020-5496 as no-dsa for stretch and buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d2b9e74 by Salvatore Bonaccorso at 2020-01-05T17:01:47+01:00 Mark CVE-2020-5395 and CVE-2020-5496 as no-dsa for stretch and buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14,6 +14,8 @@ CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect t NOT-FOR-US: MITREid Connect CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the Type2NotDef ...) - fontforge + [buster] - fontforge (Minor issue) + [stretch] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4085 CVE-2020-5495 RESERVED @@ -217,6 +219,8 @@ CVE-2020-5396 RESERVED CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd. ...) - fontforge + [buster] - fontforge (Minor issue) + [stretch] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4084 CVE-2019-20334 (In Netwide Assembler (NASM) 2.14.02, stack consumption occurs in expr# ...) - nasm (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d2b9e740513ed91b845cfe8f313257da0133c96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d2b9e740513ed91b845cfe8f313257da0133c96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
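Review bot: the [buster] and [stretch] "Minor issue" lines for CVE-2020-5496 and CVE-2020-5395 are added while the unstable entry is still a bare "- fontforge" with no fixed version, and both NOTE lines point at upstream issue reports (fontforge issues 4085 and 4084) rather than fixing commits. Once a fixing commit or upstream release is known, record it in a NOTE so the postponement can later be turned into a point-release fix with a concrete patch instead of needing a fresh search.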
[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixing commit for CVE-2019-20330/jackson-databind
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3a2cd76 by Salvatore Bonaccorso at 2020-01-05T16:49:52+01:00 Track fixing commit for CVE-2019-20330/jackson-databind - - - - - e7b694c0 by Salvatore Bonaccorso at 2020-01-05T16:51:24+01:00 Track fixed version for CVE-2019-20330/jackson-databind - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -628,8 +628,9 @@ CVE-2020-5202 CVE-2020-5201 RESERVED CVE-2019-20330 (FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.eh ...) - - jackson-databind + - jackson-databind 2.10.1-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/2526 + NOTE: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e CVE-2019-20329 (OpenLambda 2019-09-10 allows DNS rebinding attacks against the OL serv ...) NOT-FOR-US: OpenLambda CVE-2019-20328 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/df8eb3eecb0a7edca1b6bb5b3906331838a36139...e7b694c027dbabdd37ab401dfaf9490c7ab6b44d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/df8eb3eecb0a7edca1b6bb5b3906331838a36139...e7b694c027dbabdd37ab401dfaf9490c7ab6b44d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
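Review bot: the entry now records "- jackson-databind 2.10.1-1" for unstable but has no [buster] or [stretch] line, so both releases implicitly stay affected without a triage decision. Given the CVE text covers all 2.x before 2.9.10.2, add a release annotation (no-dsa, postponed, or a pending DSA) or a NOTE on whether the fc4214a8 commit applies to the versions shipped in stable and oldstable.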
[Git][security-tracker-team/security-tracker][master] Add bug number for pillow issues.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: df8eb3ee by Markus Koschany at 2020-01-05T16:34:14+01:00 Add bug number for pillow issues. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -396,17 +396,17 @@ CVE-2019-20331 CVE-2020-5314 RESERVED CVE-2020-5313 (libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overfl ...) - - pillow + - pillow (bug #948224) NOTE: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b (6.2.2) CVE-2020-5312 (libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer ...) - - pillow + - pillow (bug #948224) NOTE: https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd (6.2.2) CVE-2020-5311 (libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer ove ...) - - pillow + - pillow (bug #948224) [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 (6.2.2) CVE-2020-5310 (libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding int ...) - - pillow + - pillow (bug #948224) [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4 (6.2.2) CVE-2020-5309 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df8eb3eecb0a7edca1b6bb5b3906331838a36139 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df8eb3eecb0a7edca1b6bb5b3906331838a36139 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2020-5310,pillow: Jessie is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 09640081 by Markus Koschany at 2020-01-05T16:25:17+01:00 CVE-2020-5310,pillow: Jessie is not affected The vulnerable code was introduced later. - - - - - 78632f1b by Markus Koschany at 2020-01-05T16:25:17+01:00 CVE-2020-5311,pillow: Jessie is not affected. The vulnerable code was introduced later. - - - - - 7f9a0d04 by Markus Koschany at 2020-01-05T16:25:30+01:00 Add pillow to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -403,9 +403,11 @@ CVE-2020-5312 (libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode bu NOTE: https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd (6.2.2) CVE-2020-5311 (libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer ove ...) - pillow + [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 (6.2.2) CVE-2020-5310 (libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding int ...) - pillow + [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4 (6.2.2) CVE-2020-5309 RESERVED = data/dla-needed.txt = 
@@ -79,6 +79,8 @@ nss (Markus Koschany) opendmarc (Thorsten Alteholz) NOTE: 20191222: still testing package, original patch does not seem to be enough, still ongoing -- +pillow +-- python-reportlab (Hugo Lefeuvre) NOTE: 20191227: still no upstream fix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0786240d6e4b7641f634bc48053e4f9952581ebf...7f9a0d0405f9422a70fe21e81385f60c73cdb497 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0786240d6e4b7641f634bc48053e4f9952581ebf...7f9a0d0405f9422a70fe21e81385f60c73cdb497 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
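Review bot: pillow is added to dla-needed.txt without a NOTE line, although the neighbouring entries (opendmarc, python-reportlab) carry dated "NOTE: YYYYMMDD:" context. Since the same push marks CVE-2020-5310 and CVE-2020-5311 as not affecting jessie, a short NOTE naming the issues that still apply to jessie (CVE-2020-5312 and CVE-2020-5313 at this point) would save whoever claims the package from re-triaging.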
[Git][security-tracker-team/security-tracker][master] Track fixed version for linux CVEs via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0786240d by Salvatore Bonaccorso at 2020-01-05T16:13:52+01:00 Track fixed version for linux CVEs via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4089,7 +4089,7 @@ CVE-2019-19948 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overfl NOTE: https://github.com/ImageMagick/ImageMagick/commit/6ae32a9038e360b3491969d5d03d490884f02b4c (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/9e7db22f8c374301db3f968757f0d08070fd4e54 (6.x) CVE-2019-19947 (In the Linux kernel through 5.4.6, there are information leaks of unin ...) - - linux + - linux 5.4.8-1 NOTE: https://git.kernel.org/linus/da2311a6385c3b499da2ed5d9be59ce331fa93e9 CVE-2019-19946 RESERVED @@ -10880,7 +10880,7 @@ CVE-2019-19065 (A memory leak in the sdma_init() function in drivers/infiniband/ CVE-2019-19064 (** DISPUTED ** A memory leak in the fsl_lpspi_probe() function in driv ...) - linux (unimportant) CVE-2019-19063 (Two memory leaks in the rtl_usb_probe() function in drivers/net/wirele ...) - - linux (unimportant) + - linux 5.4.8-1 (unimportant) CVE-2019-19062 (A memory leak in the crypto_report() function in crypto/crypto_user_ba ...) - linux 5.4.6-1 CVE-2019-19061 (A memory leak in the adis_update_scan_mode_burst() function in drivers ...) @@ -10900,7 +10900,7 @@ CVE-2019-19058 (A memory leak in the alloc_sgtable() function in drivers/net/wir [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/b4b814fec1a5a849383f7b3886b654a13abbda7d CVE-2019-19057 (Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drive ...) - - linux + - linux 5.4.8-1 CVE-2019-19056 (A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drive ...) - linux CVE-2019-19055 (** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() ...) 
@@ -10972,7 +10972,7 @@ CVE-2019-19039 (** DISPUTED ** __btrfs_free_extent in fs/btrfs/extent-tree.c in CVE-2019-19038 RESERVED CVE-2019-19037 (ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 a ...) - - linux + - linux 5.4.8-1 [jessie] - linux (Vulnerability introduced later) CVE-2019-19036 (btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 ...) - linux @@ -11610,7 +11610,7 @@ CVE-2019-18782 CVE-2019-18781 (An open redirect vulnerability was discovered in Zoho ManageEngine ADS ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2019-18786 (In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitial ...) - - linux + - linux 5.4.8-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://patchwork.linuxtv.org/patch/59542/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0786240d6e4b7641f634bc48053e4f9952581ebf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0786240d6e4b7641f634bc48053e4f9952581ebf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
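Review bot: CVE-2019-19057 (mwifiex_pcie_init_evt_ring) gets "5.4.8-1" but the adjacent CVE-2019-19056 (mwifiex_pcie_alloc_cmdrsp_buf) stays a bare "- linux"; both are memory leaks in the same driver, so it is worth checking whether the 5.4.8 import also covers 19056 and, if not, adding a NOTE saying why not. Likewise CVE-2019-19036 (btrfs_root_node) remains unversioned next to CVE-2019-19037, which is now marked fixed.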
[Git][security-tracker-team/security-tracker][master] Track fixes for CVE-2019-13465 and CVE-2019-13445 via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45ef9287 by Salvatore Bonaccorso at 2020-01-05T16:03:52+01:00 Track fixes for CVE-2019-13465 and CVE-2019-13445 via stretch-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -82,6 +82,10 @@ CVE-2019-19010 [stretch] - limnoria 2017.01.10-1+deb9u1 CVE-2019-13566 [stretch] - ros-ros-comm 1.12.6-2+deb9u1 +CVE-2019-13465 + [stretch] - ros-ros-comm 1.12.6-2+deb9u1 +CVE-2019-13445 + [stretch] - ros-ros-comm 1.12.6-2+deb9u2 CVE-2019-9656 [stretch] - libofx 1:0.9.10-2+deb9u2 CVE-2019-18197 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45ef9287aeee244b09a3dd288d8adb1e89a7709a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45ef9287aeee244b09a3dd288d8adb1e89a7709a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
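Review bot: the two new ros-ros-comm entries use different versions, "1.12.6-2+deb9u1" for CVE-2019-13465 (matching the existing CVE-2019-13566 line) and "1.12.6-2+deb9u2" for CVE-2019-13445. If a single stretch-pu upload is planned, the deb9u2 is a typo; if two uploads are intended, a NOTE saying so avoids the tracker reporting CVE-2019-13445 as still unfixed after deb9u1 lands.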
[Git][security-tracker-team/security-tracker][master] Update information of CVE-2019-16774/kopano-webapp-plugin-files
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba0ffa7d by Salvatore Bonaccorso at 2020-01-05T13:56:31+01:00 Update information of CVE-2019-16774/kopano-webapp-plugin-files - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19924,11 +19924,10 @@ CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arb NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli CVE-2019-16774 (In phpfastcache before 5.1.3, there is a possible object injection vul ...) - - kopano-webapp-plugin-files + - kopano-webapp-plugin-files 2.1.5+dfsg1-2 NOTE: https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-484f-743f-6jx2 - NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/c4527205cb7a402b595790c74310791f5b04a1a4 - TODO: kopano-webapp-plugin-files embeds phpfastcache, needs verification whether - TODO: actually vulnerable + NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/c4527205cb7a402b595790c74310791f5b04a1a4 (5.0.13) + NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/82a84adff6e8fc9b564c616d0fdc9238ae2e86c3 (4.3.18) CVE-2019-16773 RESERVED CVE-2019-16772 (The serialize-to-js NPM package before version 3.0.1 is vulnerable to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ba0ffa7d1a609089abdffda9ed74232683631b18 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ba0ffa7d1a609089abdffda9ed74232683631b18 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
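Review bot: the TODO asking whether the embedded phpfastcache copy is actually vulnerable is dropped together with recording "2.1.5+dfsg1-2" as fixed, yet no [buster] or [stretch] line is added, so both releases are left implicitly affected. Either add release annotations or a NOTE stating which phpfastcache branch (4.x or 5.x, per the two fixing commits now referenced) the stable packages embed, so the result of that verification is not lost.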
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-19126/glibc via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb62b78e by Salvatore Bonaccorso at 2020-01-05T13:51:50+01:00 Add fixed version for CVE-2019-19126/glibc via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10689,7 +10689,7 @@ CVE-2019-19128 CVE-2019-19127 RESERVED CVE-2019-19126 (On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 ...) - - glibc (bug #945250) + - glibc 2.29-8 (bug #945250) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) [jessie] - glibc (Vulnerable code introduced in 2.23) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb62b78e5d29f6fae1990bbe4218539eba489c8d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb62b78e5d29f6fae1990bbe4218539eba489c8d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-13445/ros-ros-comm via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 14c1d38b by Salvatore Bonaccorso at 2020-01-05T13:47:17+01:00 Add fixed version for CVE-2019-13445/ros-ros-comm via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31118,7 +31118,7 @@ CVE-2019-13447 (An issue was discovered in Sertek Xpare 3.67. The login form doe CVE-2019-13446 REJECTED CVE-2019-13445 (An issue was discovered in the ROS communications-related packages (ak ...) - - ros-ros-comm (bug #947947) + - ros-ros-comm 1.14.3+ds1-11 (bug #947947) [buster] - ros-ros-comm (Minor issue) [stretch] - ros-ros-comm (Minor issue) NOTE: https://github.com/ros/ros_comm/issues/1738 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14c1d38b3c547b5f2f3305b16897b4788ee9da10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14c1d38b3c547b5f2f3305b16897b4788ee9da10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
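Review bot: CVE-2019-13445 now has an unstable fix in "1.14.3+ds1-11", one revision after the "1.14.3+ds1-10" recorded for CVE-2019-13465, and buster and stretch are both marked Minor issue. The stretch point-update file already lists CVE-2019-13445, but next-point-update.txt only carries CVE-2019-13465 for buster ("1.14.3+ds1-5+deb10u1"); add the buster entry for CVE-2019-13445 as well so the two point releases stay in step.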
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-13465/ros-ros-comm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1d1fa86 by Salvatore Bonaccorso at 2020-01-05T11:18:35+01:00 Add fixed version for CVE-2019-13465/ros-ros-comm - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -31031,7 +31031,7 @@ CVE-2019-13467 (Description: Western Digital SSD Dashboard before 2.5.1.0 and Sa CVE-2019-13466 (Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Dashboard ...) NOT-FOR-US: Western Digital SSD Dashboard and SanDisk SSD Dashboard CVE-2019-13465 (An issue was discovered in the ROS communications-related packages (ak ...) - - ros-ros-comm (bug #947946) + - ros-ros-comm 1.14.3+ds1-10 (bug #947946) [buster] - ros-ros-comm (Minor issue) [stretch] - ros-ros-comm (Minor issue) NOTE: https://github.com/ros/ros_comm/issues/1752 = data/next-point-update.txt = @@ -28,6 +28,8 @@ CVE-2019-18928 [buster] - cyrus-imapd 3.0.8-6+deb10u2 CVE-2019-13566 [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1 +CVE-2019-13465 + [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1 CVE-2019-14857 [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1 CVE-2019-19555 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1d1fa86e82c71e7b4f28919154fcaf67be8c25b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1d1fa86e82c71e7b4f28919154fcaf67be8c25b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-20326/gthumb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b8467243 by Salvatore Bonaccorso at 2020-01-05T10:12:41+01:00 Add Debian bug reference for CVE-2019-20326/gthumb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -836,7 +836,7 @@ CVE-2019-20226 REJECTED CVE-2019-20326 [buffer overflow] RESERVED - - gthumb + - gthumb (bug #948197) [buster] - gthumb (Minor issue) [stretch] - gthumb (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/14860321ce3235d420498c4f81f21003d1fb78f4 (3.8.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b84672436d1bb001258abe14bb76bdcbbc5b1440 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b84672436d1bb001258abe14bb76bdcbbc5b1440 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update commit references for CVE-2019-20326
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 110992e6 by Salvatore Bonaccorso at 2020-01-05T09:30:14+01:00 Update commit references for CVE-2019-20326 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -839,7 +839,8 @@ CVE-2019-20326 [buffer overflow] - gthumb [buster] - gthumb (Minor issue) [stretch] - gthumb (Minor issue) - NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/4faa5ce2358812d23a1147953ee76f59631590ad + NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/14860321ce3235d420498c4f81f21003d1fb78f4 (3.8.3) + NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/4faa5ce2358812d23a1147953ee76f59631590ad (master) CVE-2020-5200 RESERVED CVE-2020-5199 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/110992e6fccc51fb22869995334cfb289499f8f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/110992e6fccc51fb22869995334cfb289499f8f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
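Review bot: the fixing commit is now annotated as shipped in 3.8.3, but the unstable line remains a bare "- gthumb". If 3.8.3 or later is already in unstable, record the fixed Debian version; otherwise a NOTE that unstable still needs the backport keeps the entry from reading as unfixed by oversight.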
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 531f3c8f by security tracker role at 2020-01-05T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2020-5503 + RESERVED +CVE-2020-5502 + RESERVED +CVE-2020-5501 + RESERVED +CVE-2020-5500 + RESERVED CVE-2020-5499 (Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. There are non ...) NOT-FOR-US: Baidu Rust SGX SDK CVE-2020-5498 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/531f3c8fcf10558e593e5173d83bf2c15775c919 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/531f3c8fcf10558e593e5173d83bf2c15775c919 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits