[Git][security-tracker-team/security-tracker][master] Fix formatting in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ac14ec9 by Roberto C. Sánchez at 2020-01-11T20:08:12-05:00 Fix formatting in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,7 +78,7 @@ lout NOTE: 20191221: (-> at least someone is still active on lout, providing some NOTE: 20191221: patches, not related to the open CVEs, though) -- -nss (Markus Koschany +nss (Markus Koschany) -- opendmarc (Thorsten Alteholz) NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ac14ec9e27fc12bba15eab89348f03182ce471e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ac14ec9e27fc12bba15eab89348f03182ce471e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-19645/sqlite3 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7c7d13a by Salvatore Bonaccorso at 2020-01-12T00:37:57+01:00 Mark CVE-2019-19645/sqlite3 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10665,6 +10665,8 @@ CVE-2019-19646 (pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an inte NOTE: https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd CVE-2019-19645 (alter.c in SQLite through 3.30.1 allows attackers to trigger infinite ...) - sqlite3 3.30.1+fossil191229-1 (bug #946612) + [buster] - sqlite3 (Minor issue) + [stretch] - sqlite3 (Minor issue) NOTE: https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06 CVE-2019-19644 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7c7d13a42b8e5b2b155fbb13a566b881d47ebc7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7c7d13a42b8e5b2b155fbb13a566b881d47ebc7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
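Review bot: the hunk marks sqlite3 as no-dsa ("Minor issue") for buster and stretch only; no [jessie] line is added, so the jessie LTS status for CVE-2019-19645 is left untriaged, while the sibling sqlite3 entries in this series (CVE-2019-19244, CVE-2019-19242) carry an explicit jessie annotation. Suggest adding a `[jessie] - sqlite3 (...)` line with the applicable reason, or a NOTE saying why jessie is deferred.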
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2019-17571/apache-log4j1.2 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 890d1c22 by Salvatore Bonaccorso at 2020-01-12T00:19:30+01:00 Track fixed version for CVE-2019-17571/apache-log4j1.2 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20593,7 +20593,7 @@ CVE-2019-17573 CVE-2019-17572 RESERVED CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer class that is vulnerable to de ...) - - apache-log4j1.2 (bug #947124) + - apache-log4j1.2 1.2.17-9 (bug #947124) NOTE: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E NOTE: CVE-2019-17571 correspond to CVE-2017-5645 for apache-log4j2. 1.2.x branch NOTE: is end-of-life upstream and does not recieve a fix for this issue. Users View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/890d1c22ab77b3723ab98b65c1b786102f73a491 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/890d1c22ab77b3723ab98b65c1b786102f73a491 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
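Review bot: with a fixed version now recorded in `+ - apache-log4j1.2 1.2.17-9 (bug #947124)`, the unchanged context lines `NOTE: CVE-2019-17571 correspond to CVE-2017-5645 for apache-log4j2. 1.2.x branch` / `NOTE: is end-of-life upstream and does not recieve a fix for this issue.` read as contradictory, since they still state that no fix exists. Suggest rewording them to say the Debian fix is a backported patch (the Fedora commit referenced in 73c7ced2) rather than an upstream release, and fixing the typo "recieve" while there.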
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-19603 as no-dsa for buster and stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b46be13 by Salvatore Bonaccorso at 2020-01-12T00:17:10+01:00 Mark CVE-2019-19603 as no-dsa for buster and stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10793,6 +10793,8 @@ CVE-2019-19604 (Arbitrary command execution is possible in Git before 2.20.2, 2. NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-19603 (SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent ...) - sqlite3 3.30.1+fossil191229-1 + [buster] - sqlite3 (Minor issue) + [stretch] - sqlite3 (Minor issue) NOTE: https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13 CVE-2019-19601 (OpenDetex 2.8.5 has a Buffer Overflow in TexOpen in detex.l because of ...) - texlive-bin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b46be13a373b2f54471f5d0045e812bb87b5a06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b46be13a373b2f54471f5d0045e812bb87b5a06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
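Review bot: as with CVE-2019-19645 in this series, the no-dsa hunk covers buster and stretch but leaves CVE-2019-19603 without a [jessie] line, so the jessie LTS status stays untriaged; recording it explicitly (fixed, no-dsa, or not-affected with a reason) keeps the sqlite3 entries consistent with CVE-2019-19244 and CVE-2019-19242, which both carry a jessie annotation.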
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-19244/sqlite3 as no-dsa for buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 06d43233 by Salvatore Bonaccorso at 2020-01-12T00:05:04+01:00 Mark CVE-2019-19244/sqlite3 as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13317,6 +13317,7 @@ CVE-2019-19245 (NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentica NOT-FOR-US: NAPC Xinet Elegant 6 Asset Library CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-sel ...) - sqlite3 3.30.1+fossil191229-1 (bug #946656) + [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code, i.e. window functions, not present) NOTE: https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06d43233783c9e71452f88161a19accf52d6fe68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06d43233783c9e71452f88161a19accf52d6fe68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-19242/sqlite3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c77c1932 by Salvatore Bonaccorso at 2020-01-11T23:54:16+01:00 Update information on CVE-2019-19242/sqlite3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13324,6 +13324,8 @@ CVE-2019-19243 RESERVED CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_C ...) - sqlite3 3.30.1+fossil191229-1 + [buster] - sqlite3 (Minor issue) + [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code not present) NOTE: https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c CVE-2019-19241 (In the Linux kernel before 5.4.2, the io_uring feature leads to reques ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c77c193231b836e71c730c9f2995fef2bac60217 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c77c193231b836e71c730c9f2995fef2bac60217 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
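Review bot: the new `[stretch] - sqlite3 (Vulnerable code introduced later)` line should say which upstream change introduced the vulnerable code. The revert commit ff8e9ea0 in this same series argues that the unchecked pExpr->y.pTab in sqlite3ExprCodeTarget (expr.c) is not limited to the generated-column case and was present in 3.30.1-1, so a NOTE citing the upstream commit or version that added the affected code would make the stretch assessment verifiable rather than asserted.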
[Git][security-tracker-team/security-tracker][master] Revert "Update status on CVE-2019-19242/sqlite3"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff8e9ea0 by Salvatore Bonaccorso at 2020-01-11T23:49:18+01:00 Revert "Update status on CVE-2019-19242/sqlite3" The issue is actually about misshandling pExpr->y.pTab, in sqlite3ExprCodeTarget in expr.c . Whilst the issue was triggerable in the 'generated column' case it's not assured that there is no issue in previous version. To play on safe side rather continue to mark it accordingly as affected where in expr.c in sqlite3ExprCodeTarget pExpr->y.pTab is not checked. This is at least the case for the 3.30.1-1 version which was in unstable at some point. This reverts commit 93af29d7d3c705b331d75466ef48c2f8418c613c. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13323,7 +13323,8 @@ CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a s CVE-2019-19243 RESERVED CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_C ...) - - sqlite3 (Generated column support added later) + - sqlite3 3.30.1+fossil191229-1 + [jessie] - sqlite3 (Vulnerable code not present) NOTE: https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c CVE-2019-19241 (In the Linux kernel before 5.4.2, the io_uring feature leads to reques ...) - linux 5.3.15-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff8e9ea0790e20bbd98b31e1b6a57c98eb87619a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff8e9ea0790e20bbd98b31e1b6a57c98eb87619a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
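Review bot: the rationale for this revert (pExpr->y.pTab is not checked in sqlite3ExprCodeTarget in expr.c, so the issue is not confined to the generated-column case, and 3.30.1-1 was in unstable) lives only in the commit message; the hunk restores `+ - sqlite3 3.30.1+fossil191229-1` and the `[jessie]` line but adds no NOTE to data/CVE/list. Suggest a `NOTE:` line carrying that reasoning so the next triager does not repeat the reverted change 93af29d7.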
[Git][security-tracker-team/security-tracker][master] Update status on CVE-2019-19242/sqlite3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 93af29d7 by Salvatore Bonaccorso at 2020-01-11T23:45:25+01:00 Update status on CVE-2019-19242/sqlite3 The earlier version in unstable, sqlite3/3.30.1-1 did not contain yet support for generated columns. The subsequent update contains as well the necessary fix. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13323,8 +13323,7 @@ CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a s CVE-2019-19243 RESERVED CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_C ...) - - sqlite3 3.30.1+fossil191229-1 - [jessie] - sqlite3 (Vulnerable code not present) + - sqlite3 (Generated column support added later) NOTE: https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c CVE-2019-19241 (In the Linux kernel before 5.4.2, the io_uring feature leads to reques ...) - linux 5.3.15-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93af29d7d3c705b331d75466ef48c2f8418c613c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93af29d7d3c705b331d75466ef48c2f8418c613c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
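Review bot: replacing `- sqlite3 3.30.1+fossil191229-1` and the `[jessie]` line with the unversioned `+ - sqlite3 (Generated column support added later)` marks every suite, including unstable, as unaffected, but the context line's own description says `SQLite 3.30.1 mishandles pExpr->y.pTab`, and the commit message acknowledges that 3.30.1-1 had been in unstable. A not-affected claim has to hold for that version too; this is what the follow-up revert ff8e9ea0 addresses.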
[Git][security-tracker-team/security-tracker][master] Update old phpMyAdmin CVE entries
William Desportes pushed to branch master at Debian Security Tracker / security-tracker Commits: 03c99cea by William Desportes at 2020-01-11T23:04:17+01:00 Update old phpMyAdmin CVE entries years: - 2003 (ignored, no CVEs found) - 2004 (4; 1 has patch links) - 2005 (9; 3 had patch links) - 2006 (9; 9 had patch links) - 2007 (8; 8 had patch links) - 2008 (10; 10 had patch links) - 2018 (5; 5 had patch links) - 2019 (5; 5 had patch links) - 2020 (1; 1 has patch links) Fixed links for: http://www.phpmyadmin.net/home_page/security/(.*).php - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17059,6 +17059,7 @@ CVE-2019-18622 (An issue was discovered in phpMyAdmin before 4.9.2. A crafted da [stretch] - phpmyadmin (vulnerable code is not present) [jessie] - phpmyadmin (vulnerable code is not present) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ff541af95d7155d8dd326f331b5e248fea8e7111 + NOTE: https://gist.github.com/ibennetch/4ba7d2fac6f384a5039d697a110e0912 NOTE: https://www.phpmyadmin.net/security/PMASA-2019-5/ CVE-2019-18621 RESERVED @@ -90070,6 +90071,7 @@ CVE-2018-12614 CVE-2018-12613 (An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an ...) - phpmyadmin (Affects 4.8.x) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-4/ + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/7662d02939fb3cf6f0d9ec32ac664401dcfe7490 CVE-2018-12612 RESERVED CVE-2018-12611 (OX App Suite 7.8.4 and earlier allows Directory Traversal. ...) 
@@ -105071,7 +105073,7 @@ CVE-2018-7260 (Cross-site scripting (XSS) vulnerability in db_central_columns.ph [stretch] - phpmyadmin (Minor issue) [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) - NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3 + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3e8745e8845633ae8a0054b5ee4d8babd5 NOTE: https://www.phpmyadmin.net/security/PMASA-2018-1/ CVE-2018-7259 (The FSX / P3Dv4 installer 2.0.1.231 for Flight Sim Labs A320-X sends a ...) NOT-FOR-US: Flight Sim Labs @@ -112442,6 +112444,8 @@ CVE-2017-1000500 CVE-2017-1000499 (phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a ...) - phpmyadmin (Only affects phpMyAdmin starting from 4.7.0) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-9/ + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b (4.7-branch) + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b (4.8-branch) CVE-2017-1000498 (AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsi ...) NOT-FOR-US: AndroidSVG CVE-2017-1000497 (Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the gets ...) 
@@ -144928,21 +144932,35 @@ CVE-2017-120 (SYN Flood or FIN Flood attack in ECos 1 and other versions emb CVE-2017-118 (phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the re ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-7 + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/afe84645f29f5acc9970f3ffa5673585bf2dee7d (4.0-branch) + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/4549ebde5a044b42c36da50dbf1af76a88545352 (4.4-branch) + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/96b4f13e54c9ebbebfd19d0690bfa0812b6818c1 (4.6-branch) CVE-2017-117 (phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-6 + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/f8ad5bd759156c8c00a1c3e0ef374660027a3bb4 (4.0-branch) + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ca8edbcd83fcd624701f43c99e7e675c1ab20387 (4.{4,6}-branch) CVE-2017-116 (A weakness was discovered where an attacker can inject arbitrary value ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-5 + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3b6ed1f9ecaab86c488d106b1588d7683a6d53ef CVE-2017-115 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-4 + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/8a0816266cc1db9e9889829f9f0d88a19650c977 (4.0-branch) + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/bd3677f161977bf0cc800cae82e65355bf49f342 (4.4-branch) + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3a6247674e653507294f23480b4c0e1c53
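Review bot: the CVE-2018-7260 hunk replaces the abbreviated reference `NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3` with the full 40-character hash, which is the right fix: short hashes are not stable references and can become ambiguous as the repository grows. A sweep of data/CVE/list for other abbreviated commit URLs would be worthwhile.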
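Review bot: for CVE-2019-18622 the added `NOTE: https://gist.github.com/ibennetch/4ba7d2fac6f384a5039d697a110e0912` is a personal gist rather than a phpMyAdmin project URL; a gist can be edited or deleted by its owner at any time, so the NOTE should say what the gist contains and how it relates to the project commit ff541af9 listed just above it, so the reference stays useful if the gist goes away.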
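Review bot: the per-branch commit notes added for CVE-2017-118, CVE-2017-117 and CVE-2017-115 use two spellings for the branch tag, `(4.4-branch)` / `(4.6-branch)` on one hand and `(4.{4,6}-branch)` on the other; picking one form keeps the notes greppable and consistent with the `(4.7-branch)` / `(4.8-branch)` tags added for CVE-2017-1000499.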
[Git][security-tracker-team/security-tracker][master] Triage CVE-2019-20367 in libbsd for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0686c929 by Chris Lamb at 2020-01-11T21:29:56+00:00 Triage CVE-2019-20367 in libbsd for jessie LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1426,6 +1426,7 @@ CVE-2019-20367 (nlist.c in libbsd before 0.10.0 has an out-of-bounds read during - libbsd 0.10.0-1 [buster] - libbsd (Minor issue) [stretch] - libbsd (Minor issue) + [jessie] - libbsd (Minor issue) NOTE: https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html NOTE: https://gitlab.freedesktop.org/libbsd/libbsd/commit/9d917aad37778a9f4a96ba358415f077f3f36f3b (0.10.0) CVE-2019-20366 (An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0686c9294d069f5d59131e09358385299f372cfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0686c9294d069f5d59131e09358385299f372cfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-13508/freetds
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 547e8de8 by Salvatore Bonaccorso at 2020-01-11T22:26:03+01:00 Add fixed version for CVE-2019-13508/freetds - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33897,7 +33897,7 @@ CVE-2019-13509 (In Docker CE and EE before 18.09.8 (as well as Docker EE before {DSA-4521-1} - docker.io 18.09.1+dfsg1-8 (bug #932673) CVE-2019-13508 (FreeTDS through 1.1.11 has a Buffer Overflow. ...) - - freetds (bug #944012) + - freetds 1.1.6-1.1 (bug #944012) [stretch] - freetds (Vulnerable code introduced in 0.95 upstream) [jessie] - freetds (Vulnerable code introduced in 0.95 upstream) NOTE: https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/547e8de884960ebe073741456ab015a0442cf7c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/547e8de884960ebe073741456ab015a0442cf7c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
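Review bot: the fixed version in `+ - freetds 1.1.6-1.1 (bug #944012)` is lower than the upstream affected range in the context line (`FreeTDS through 1.1.11 has a Buffer Overflow`), so it can only be a backport of the linked upstream commit 0df4eb82 rather than a new upstream release; a NOTE stating that would stop the entry from looking self-contradictory to a reader comparing the two versions.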
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-18609/librabbitmq via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 728b6271 by Salvatore Bonaccorso at 2020-01-11T22:10:20+01:00 Add fixed version for CVE-2019-18609/librabbitmq via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17090,7 +17090,7 @@ CVE-2019-18610 (An issue was discovered in manager.c in Sangoma Asterisk through NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28580 CVE-2019-18609 (An issue was discovered in amqp_handle_input in amqp_connection.c in r ...) {DLA-2022-1} - - librabbitmq (low; bug #946005) + - librabbitmq 0.10.0-1 (low; bug #946005) [buster] - librabbitmq (Minor issue) [stretch] - librabbitmq (Minor issue) NOTE: https://github.com/alanxz/rabbitmq-c/commit/fc85be7123050b91b054e45b91c78d3241a5047a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/728b6271437b3516d0e97db7b01f9cf5bc86ea64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/728b6271437b3516d0e97db7b01f9cf5bc86ea64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-20367/libbsd as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 23317b8f by Salvatore Bonaccorso at 2020-01-11T21:59:13+01:00 Mark CVE-2019-20367/libbsd as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1424,6 +1424,8 @@ CVE-2020-6177 RESERVED CVE-2019-20367 (nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a com ...) - libbsd 0.10.0-1 + [buster] - libbsd (Minor issue) + [stretch] - libbsd (Minor issue) NOTE: https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html NOTE: https://gitlab.freedesktop.org/libbsd/libbsd/commit/9d917aad37778a9f4a96ba358415f077f3f36f3b (0.10.0) CVE-2019-20366 (An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23317b8fd0bea4a91c7b51552d0735daf0b23ff5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23317b8fd0bea4a91c7b51552d0735daf0b23ff5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed updates for nginx via {stretch,buster}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe0ed969 by Salvatore Bonaccorso at 2020-01-11T21:13:58+01:00 Track proposed updates for nginx via {stretch,buster}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -122,3 +122,5 @@ CVE-2019-15681 [stretch] - tightvnc 1:1.3.9-9+deb9u1 CVE-2019-2228 [stretch] - cups 2.2.1-8+deb9u5 +CVE-2019-20372 + [stretch] - nginx 1.10.3-1+deb9u4 = data/next-point-update.txt = @@ -201,3 +201,5 @@ CVE-2019-16935 [buster] - python3.7 3.7.3-2+deb10u1 CVE-2019-5188 [buster] - e2fsprogs 1.44.5-1+deb10u3 +CVE-2019-20372 + [buster] - nginx 1.14.2-2+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fe0ed969f961967eddca90fe9016ea4085a0e37a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fe0ed969f961967eddca90fe9016ea4085a0e37a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add thunderbird to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c4e9614 by Salvatore Bonaccorso at 2020-01-11T21:06:22+01:00 Add thunderbird to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -47,6 +47,8 @@ smarty3/oldstable -- squid3/oldstable -- +thunderbird +-- tiff Maintainer working on updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c4e9614bd68042de7e3ff8477b50a05d566818c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c4e9614bd68042de7e3ff8477b50a05d566818c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new thunderbird issues from mfsa2020-04
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f653c93f by Salvatore Bonaccorso at 2020-01-11T21:02:44+01:00 Add new thunderbird issues from mfsa2020-04 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22069,7 +22069,9 @@ CVE-2019-17026 {DSA-4600-1 DLA-2061-1} - firefox 72.0.1-1 (bug #948452) - firefox-esr 68.4.1esr-1 + - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/#CVE-2019-17026 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17026 CVE-2019-17025 (Mozilla developers reported memory safety bugs present in Firefox 71. ...) - firefox 72.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17025 @@ -22077,8 +22079,10 @@ CVE-2019-17024 (Mozilla developers reported memory safety bugs present in Firefo {DSA-4600-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 + - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17024 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17024 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17024 CVE-2019-17023 (After a HelloRetryRequest has been sent, the client may negotiate a lo ...) - firefox 72.0-1 - nss 2:3.49-1 
@@ -22089,13 +22093,17 @@ CVE-2019-17022 (When pasting a <style> tag from the clipboard into {DSA-4600-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 + - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17022 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17022 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17022 CVE-2019-17021 (During the initialization of a new content process, a race condition o ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) + - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17021 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17021 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17021 CVE-2019-17020 (If an XML file is served with a Content Security Policy and the XML fi ...) - firefox 72.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17020 
@@ -22109,19 +22117,25 @@ CVE-2019-17017 (Due to a missing case handling object types, a type confusion vu {DSA-4600-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 + - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17017 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17017 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17017 CVE-2019-17016 (When pasting a <style> tag from the clipboard into a ric ...) {DSA-4600-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 + - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17016 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17016 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17016 CVE-2019-17015 (During the initialization of a new content process, a pointer offset c ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) + - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17015 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17015 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17015 CVE-2019-17014 (If an image had not loaded correctly (such as when it is not actually ...) - firefox 71.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17014 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f653c93fbd38d9e6143437ec7864c4b328c348a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f653c93fbd38d9e6143437ec7864c4b328c348a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.ne
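Review bot: the new `+ - thunderbird 1:68.4.1-1` lines sit under `{DSA-4600-1 DLA-2061-1}` headers that were issued for firefox-esr; with no versioned thunderbird entry for buster, stretch or jessie, those suites remain implicitly affected for thunderbird. That is consistent with commit 3c4e9614 adding thunderbird to dsa-needed, but a pending `[buster] - thunderbird` line or a NOTE would make the intent explicit rather than implied by version comparison.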
[Git][security-tracker-team/security-tracker][master] CVE-2019-17571,apache-log4j1.2: Remove EOL tag, link to patch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 73c7ced2 by Markus Koschany at 2020-01-11T18:21:40+01:00 CVE-2019-17571,apache-log4j1.2: Remove EOL tag, link to patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20585,11 +20585,11 @@ CVE-2019-17572 RESERVED CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer class that is vulnerable to de ...) - apache-log4j1.2 (bug #947124) - [jessie] - apache-log4j1.2 (https://salsa.debian.org/debian/debian-security-support/commit/4acf9529dc88fddf60bfa56bb464f9aac703797d) NOTE: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E NOTE: CVE-2019-17571 correspond to CVE-2017-5645 for apache-log4j2. 1.2.x branch NOTE: is end-of-life upstream and does not recieve a fix for this issue. Users NOTE: should upgrade to Log4j 2.x. + NOTE: Fixed by https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master CVE-2019-17570 RESERVED CVE-2019-17569 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73c7ced223c4798fcab246e3bc94c993a985 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73c7ced223c4798fcab246e3bc94c993a985 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
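Review bot: dropping the `[jessie] - apache-log4j1.2 (https://salsa.debian.org/debian/debian-security-support/...)` line while the package still has no fixed version (`- apache-log4j1.2 (bug #947124)`) moves jessie from "unsupported" to "vulnerable, fix pending", which matches the commit title; the added `NOTE: Fixed by https://src.fedoraproject.org/rpms/log4j12/c/d4c817c4...` points at a Fedora downstream patch rather than an upstream fix, so the NOTE should say so, and the neighbouring context line stating that 1.2.x "does not recieve a fix" now needs updating as well.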
[Git][security-tracker-team/security-tracker][master] ldm removed from unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9d766ed by Salvatore Bonaccorso at 2020-01-11T14:43:59+01:00 ldm removed from unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -228,7 +228,7 @@ CVE-2019-20372 (NGINX before 1.17.7, with certain error_page configurations, all NOTE: https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e CVE-2019-20373 (LTSP LDM through 2.18.06 allows fat-client root access because the LDM ...) {DSA-4601-1 DLA-2064-1} - - ldm (bug #948538) + - ldm (bug #948538) NOTE: https://git.launchpad.net/~ltsp-upstream/ltsp/+git/ldm/commit/?id=c351ac69ef63ed6c84221cef73e409059661b8ba NOTE: https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/1839431 CVE-2020-6750 (GSocketClient in GNOME GLib through 2.62.4 may occasionally connect di ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9d766ed470756d1d7533b54ab073a2c503ec3a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9d766ed470756d1d7533b54ab073a2c503ec3a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
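Review bot: in the rendered hunk the removed and added lines are identical (`- ldm (bug #948538)` both times), so the change the commit title describes (ldm removed from unstable) is not visible; the removed-package marker has most likely been stripped by the mail rendering as angle-bracket markup. Anyone relying on this notification should check the commit on salsa rather than the email text.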
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for ganglia-web issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 280851d5 by Salvatore Bonaccorso at 2020-01-11T14:43:02+01:00 Add Debian bug reference for ganglia-web issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42,11 +42,11 @@ CVE-2020-6833 CVE-2020-6832 RESERVED CVE-2019-20379 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - - ganglia-web (unimportant) + - ganglia-web (unimportant; bug #948664) NOTE: https://github.com/ganglia/ganglia-web/issues/351 NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 CVE-2019-20378 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - - ganglia-web (unimportant) + - ganglia-web (unimportant; bug #948664) NOTE: https://github.com/ganglia/ganglia-web/issues/351 NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/280851d5f785fa04dc9c061d3f5afc0a29dcf9a8
[Git][security-tracker-team/security-tracker][master] Update severity for CVE-2019-20378 and CVE-2019-20379 in ganglia-web
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 99ef237f by Salvatore Bonaccorso at 2020-01-11T14:36:50+01:00 Update severity for CVE-2019-20378 and CVE-2019-20379 in ganglia-web - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42,11 +42,13 @@ CVE-2020-6833 CVE-2020-6832 RESERVED CVE-2019-20379 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - - ganglia-web + - ganglia-web (unimportant) NOTE: https://github.com/ganglia/ganglia-web/issues/351 + NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 CVE-2019-20378 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - - ganglia-web + - ganglia-web (unimportant) NOTE: https://github.com/ganglia/ganglia-web/issues/351 + NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...) NOT-FOR-US: TopList CVE-2020-6831 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/99ef237f4d006d1362717a8fabbae228afca1b45
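Review bot: the `(unimportant)` rating on both ganglia-web entries rests entirely on the added NOTE that the frontend is "only supported behind an authenticated HTTP zone", but these are XSS issues, and authentication alone does not normally make XSS unimportant. Spell out in the NOTE what the authentication requirement buys (e.g. that README.Debian.security treats everyone behind that zone as trusted), so a later triager does not re-open the rating on reading the CVE description alone.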
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-2037{8,9}/ganglia-web
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c8673662 by Salvatore Bonaccorso at 2020-01-11T14:34:08+01:00 Add CVE-2019-2037{8,9}/ganglia-web - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42,9 +42,11 @@ CVE-2020-6833 CVE-2020-6832 RESERVED CVE-2019-20379 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - TODO: check + - ganglia-web + NOTE: https://github.com/ganglia/ganglia-web/issues/351 CVE-2019-20378 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - TODO: check + - ganglia-web + NOTE: https://github.com/ganglia/ganglia-web/issues/351 CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...) NOT-FOR-US: TopList CVE-2020-6831 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c867366239e85153676e98ca38bcc0f9a2c65836
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-68{38,39,40}/mruby, further checks pending
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b81486d by Salvatore Bonaccorso at 2020-01-11T13:52:22+01:00 Add CVE-2020-68{38,39,40}/mruby, further checks pending - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,10 +13,21 @@ CVE-2020-6842 CVE-2020-6841 RESERVED CVE-2020-6840 (In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mru ...) + - mruby + NOTE: https://github.com/mruby/mruby/issues/4927 + NOTE: https://github.com/mruby/mruby/commit/fc8fb41451b07b3fda0726ba80e88e509ad02452 TODO: check CVE-2020-6839 (In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_ ...) + - murby + NOTE: https://github.com/mruby/mruby/issues/4929 + NOTE: https://github.com/mruby/mruby/commit/2124b9b4c95e66e63b1eb26a8dab49753b82fd6c TODO: check CVE-2020-6838 (In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems ...) + - mruby + NOTE: https://github.com/mruby/mruby/issues/4926 + NOTE: https://github.com/mruby/mruby/commit/fc8fb41451b07b3fda0726ba80e88e509ad02452 + NOTE: https://github.com/mruby/mruby/commit/70e574689664c10ed2c47581999cc2ce3e3c5afb + NOTE: https://github.com/mruby/mruby/commit/2742ded32fe18f88833d76b297f5c2170b6880c3 TODO: check CVE-2020-6837 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b81486db41168ea5c404bc0308bdab7c12c81fa
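Review bot: the source line added for CVE-2020-6839 reads `+ - murby`, a typo for the package name; the two sibling entries use `- mruby`. As written the entry would not be matched to the mruby source package and the stack-based buffer overflow would not show up against it, so correct it to `- mruby` before the pending checks are done. Keeping the `TODO: check` lines on all three entries is consistent with the commit summary.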
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-20372/nginx via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3fdcbdb by Salvatore Bonaccorso at 2020-01-11T13:48:38+01:00 Add fixed version for CVE-2019-20372/nginx via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -205,7 +205,7 @@ CVE-2019-20375 (A cross-site scripting (XSS) vulnerability in Electronic Logbook CVE-2019-20374 (A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31 ...) NOT-FOR-US: Typora CVE-2019-20372 (NGINX before 1.17.7, with certain error_page configurations, allows HT ...) - - nginx (low; bug #948579) + - nginx 1.16.1-3 (low; bug #948579) [buster] - nginx (Minor issue) [stretch] - nginx (Minor issue) [jessie] - nginx (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3fdcbdb4a52a182878d3d385041182e2f913a38
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-19922/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7e47eb1 by Salvatore Bonaccorso at 2020-01-11T13:45:08+01:00 Update status for CVE-2019-19922/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7019,6 +7019,7 @@ CVE-2019-19923 (flattenSubquery in select.c in SQLite 3.30.1 mishandles certain NOTE: https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35 CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quo ...) - linux 5.3.9-1 + [stretch] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/de53fd7aedb100f03e5d2231cfce0e4993282425 CVE-2019-19921 [Volume mount race condition with shared mounts] RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7e47eb16057eb41460774787c019cc56e4f5060
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage otrs2 for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ed0226b by Chris Lamb at 2020-01-11T11:07:15+00:00 data/dla-needed.txt: Triage otrs2 for jessie LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,6 +83,8 @@ nss (Markus Koschany opendmarc (Thorsten Alteholz) NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing -- +otrs2 +-- python-reportlab (Hugo Lefeuvre) NOTE: 20200111: still no upstream fix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ed0226b8264d0e7c4ceee4bcaeaac4ea20b5259
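Review bot: the new `otrs2` entry carries neither a claimer nor a NOTE, while its neighbours (`opendmarc (Thorsten Alteholz)`, `python-reportlab (Hugo Lefeuvre)`) record dated status notes. Add a dated NOTE naming the CVEs being triaged and why the package needs a DLA for jessie, particularly since the earlier `[jessie] - otrs2 (Non-free not supported)` triage was reverted the same morning, so the next reader of dla-needed.txt does not have to reconstruct the context from the CVE list.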
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df48a2d8 by Salvatore Bonaccorso at 2020-01-11T11:35:06+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -283725,7 +283725,7 @@ CVE-2012-4605 (The default configuration of the SMTP component in Websense Email CVE-2012-4604 (The TRITON management console in Websense Web Security before 7.6 Hotf ...) NOT-FOR-US: Websense Web Security CVE-2012-4603 (Citrix XenApp Online Plug-in for Windows 12.1 and earlier, and Citrix ...) - TODO: check + NOT-FOR-US: Citrix CVE-2012-4602 (Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_ ...) NOT-FOR-US: Nicola Asuni TCExam CVE-2012-4601 (Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 1 ...) @@ -284644,7 +284644,7 @@ CVE-2012-4285 (The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4284 (A Privilege Escalation vulnerability exists in Viscosity 1.4.1 on Mac ...) - TODO: check + NOT-FOR-US: Viscosity CVE-2011-5099 (SQL injection vulnerability in helper/popup.php in the ccNewsletter (m ...) NOT-FOR-US: Joomla addon CVE-2012-4283 (Cross-site scripting (XSS) vulnerability in the Login With Ajax plugin ...) 
@@ -285890,7 +285890,7 @@ CVE-2012-3823 (Arial Campaign Enterprise before 11.0.551 stores passwords in cle CVE-2012-3822 (Arial Campaign Enterprise before 11.0.551 has unauthorized access to t ...) NOT-FOR-US: Arial Campaign Enterprise CVE-2012-3821 (A Security Bypass vulnerability exists in the activate.asp page in Ari ...) - TODO: check + NOT-FOR-US: Arial Software Campaign Enterprise CVE-2012-3820 (Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Soft ...) NOT-FOR-US: Arial Software Campaign Enterprise CVE-2012-3819 (Stack consumption vulnerability in dartwebserver.dll 1.9 and earlier, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df48a2d818215623903e514e561bdfac443af79d
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-6835/bftpd, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ac345d63 by Salvatore Bonaccorso at 2020-01-11T09:35:44+01:00 Add CVE-2020-6835/bftpd, itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,7 @@ CVE-2020-6837 CVE-2020-6836 (grammar-parser.jison in the hot-formula-parser package before 3.0.1 fo ...) TODO: check CVE-2020-6835 (An issue was discovered in Bftpd before 5.4. There is a heap-based off ...) - TODO: check + - bftpd (bug #640469) CVE-2020-6834 RESERVED CVE-2020-6833 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac345d6381fa73f9138cdcf59b221b231275a7a4
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b99e090 by Salvatore Bonaccorso at 2020-01-11T09:34:34+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-6847 (OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is exec ...) - TODO: check + NOT-FOR-US: OpenTrade CVE-2020-6846 RESERVED CVE-2020-6845 @@ -35,7 +35,7 @@ CVE-2019-20379 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS CVE-2019-20378 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) TODO: check CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...) - TODO: check + NOT-FOR-US: TopList CVE-2020-6831 RESERVED CVE-2020-6830 @@ -12319,7 +12319,7 @@ CVE-2019-19477 CVE-2019-19476 RESERVED CVE-2019-19475 (An issue was discovered in ManageEngine Applications Manager 14 with B ...) - TODO: check + NOT-FOR-US: ManageEngine Applications Manager CVE-2019-19474 RESERVED CVE-2019-19473 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b99e0902f63629f9506e89eeb61f74b91d5e547
[Git][security-tracker-team/security-tracker][master] dla-needed: update notes on my claimed packages
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 74653fcd by Hugo Lefeuvre at 2020-01-11T09:35:18+01:00 dla-needed: update notes on my claimed packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,7 +18,11 @@ ansible apache-log4j1.2 (Markus Koschany) -- clamav (Hugo Lefeuvre) - NOTE: 20191227: waiting for 0.102.1 to enter stretch/buster. + NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster. + NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration + NOTE: does not seem very smooth from the perspective of users. The release + NOTE: team would like to wait for an init script for the new clamonacc + NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557 -- gpac NOTE: 20200105: All open issues are unfixed. Adding it here for future @@ -43,6 +47,8 @@ libexif (Hugo Lefeuvre) NOTE: 20191201: Pinged the upstream yet again. (utkarsh2102) NOTE: 20191216: The android patch does not apply but is easy to manually apply. (ola) NOTE: 20191216: The problem is the file to trigger the fault is not known. (ola) + NOTE: 20200111: Investigated the issue, currently in contact with Ray Essick @google + NOTE: 20200111: to get access to the reproducer. (hle) -- libjackson-json-java (Adrian Bunk) NOTE: 20191230: work is ongoing @@ -78,7 +84,7 @@ opendmarc (Thorsten Alteholz) NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing -- python-reportlab (Hugo Lefeuvre) - NOTE: 20191227: still no upstream fix + NOTE: 20200111: still no upstream fix -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in 
@@ -128,7 +134,9 @@ x2goclient NOTE: 20191221: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1 -- xcftools (Hugo Lefeuvre) - NOTE: wrote a patch + reproducer for CVE-2019-5086, waiting for review. + NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review. + NOTE: but I might just not receive any review any time soon, so I will now attempt to + NOTE: fix the second issue and move on with the update. -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74653fcd9093a37d7a28b1ccef8adfd03551fd44
[Git][security-tracker-team/security-tracker][master] Remove two TODOs from now REJECTED gitlab duplicates
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f673910 by Salvatore Bonaccorso at 2020-01-11T09:12:58+01:00 Remove two TODOs from now REJECTED gitlab duplicates MITRE confirmed the duplication and already updated the information on the current CVE feed update, as such the TODO entry can be dropped. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22799,7 +22799,6 @@ CVE-2019-16789 (In Waitress through version 1.4.0, if a proxy server is used in NOTE: https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 CVE-2019-16788 REJECTED - TODO: check, is a duplicate of CVE-2019-20043, contacted MITRE CVE-2019-16786 (Waitress through version 1.3.1 would parse the Transfer-Encoding heade ...) - waitress 1.4.1-1 (bug #947306) [buster] - waitress (Minor issue) @@ -22859,7 +22858,6 @@ CVE-2019-16774 (In phpfastcache before 5.1.3, there is a possible object injecti NOTE: Affected phpfastcache code is not used in kopano-webapp-plugin-files. CVE-2019-16773 REJECTED - TODO: check, is a duplicate of CVE-2019-20042, MITRE contacted for handling CVE-2019-16772 (The serialize-to-js NPM package before version 3.0.1 is vulnerable to ...) NOT-FOR-US: serialize-to-js Node package CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f673910b3f37452c00dac8e9a09c14f33e981bf
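Review bot: dropping the `TODO: check, is a duplicate of CVE-2019-20043, contacted MITRE` and `TODO: check, is a duplicate of CVE-2019-20042, MITRE contacted for handling` lines leaves both REJECTED entries with no pointer to the CVE that superseded them. Replace each TODO with a plain cross-reference instead, e.g. `NOTE: Duplicate of CVE-2019-20043` and `NOTE: Duplicate of CVE-2019-20042`, so someone landing on the rejected id can still find the live entry. The commit summary also speaks of "gitlab duplicates", yet neither hunk shows a GitLab-related entry; the wording should name what the entries actually were.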
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 000e91d2 by security tracker role at 2020-01-11T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,41 @@ +CVE-2020-6847 (OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is exec ...) + TODO: check +CVE-2020-6846 + RESERVED +CVE-2020-6845 + RESERVED +CVE-2020-6844 + RESERVED +CVE-2020-6843 + RESERVED +CVE-2020-6842 + RESERVED +CVE-2020-6841 + RESERVED +CVE-2020-6840 (In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mru ...) + TODO: check +CVE-2020-6839 (In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_ ...) + TODO: check +CVE-2020-6838 (In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems ...) + TODO: check +CVE-2020-6837 + RESERVED +CVE-2020-6836 (grammar-parser.jison in the hot-formula-parser package before 3.0.1 fo ...) + TODO: check +CVE-2020-6835 (An issue was discovered in Bftpd before 5.4. There is a heap-based off ...) + TODO: check +CVE-2020-6834 + RESERVED +CVE-2020-6833 + RESERVED +CVE-2020-6832 + RESERVED +CVE-2019-20379 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) + TODO: check +CVE-2019-20378 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) + TODO: check +CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...) + TODO: check CVE-2020-6831 RESERVED CVE-2020-6830 @@ -967,8 +1005,7 @@ CVE-2020-6379 RESERVED CVE-2020-6378 RESERVED -CVE-2020-6377 - RESERVED +CVE-2020-6377 (Use after free in audio in Google Chrome prior to 79.0.3945.117 allowe ...) - chromium CVE-2020-6376 RESERVED 
@@ -7865,13 +7902,13 @@ CVE-2019-19835 RESERVED CVE-2019-19834 RESERVED -CVE-2019-20043 (WordPress before 5.3.1 allowed an unauthenticated user to make a post ...) +CVE-2019-20043 (In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.ph ...) {DSA-4599-1} - wordpress 5.3.2+dfsg1-1 (bug #946905) NOTE: https://core.trac.wordpress.org/changeset/46893/trunk NOTE: https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9 NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ -CVE-2019-20042 (WordPress before 5.3.1 allowed an attacker to create a cross-site scri ...) +CVE-2019-20042 (In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function ...) {DSA-4599-1} - wordpress 5.3.2+dfsg1-1 (bug #946905) NOTE: https://core.trac.wordpress.org/changeset/46894/trunk @@ -12281,8 +12318,8 @@ CVE-2019-19477 RESERVED CVE-2019-19476 RESERVED -CVE-2019-19475 - RESERVED +CVE-2019-19475 (An issue was discovered in ManageEngine Applications Manager 14 with B ...) + TODO: check CVE-2019-19474 RESERVED CVE-2019-19473 @@ -22760,7 +22797,8 @@ CVE-2019-16789 (In Waitress through version 1.4.0, if a proxy server is used in [stretch] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 NOTE: https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 -CVE-2019-16788 (In WordPress versions from 3.7 to 5.3.0, authenticated users who do no ...) +CVE-2019-16788 + REJECTED TODO: check, is a duplicate of CVE-2019-20043, contacted MITRE CVE-2019-16786 (Waitress through version 1.3.1 would parse the Transfer-Encoding heade ...) - waitress 1.4.1-1 (bug #947306) 
@@ -22819,7 +22857,8 @@ CVE-2019-16774 (In phpfastcache before 5.1.3, there is a possible object injecti NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/c4527205cb7a402b595790c74310791f5b04a1a4 (5.0.13) NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/82a84adff6e8fc9b564c616d0fdc9238ae2e86c3 (4.3.18) NOTE: Affected phpfastcache code is not used in kopano-webapp-plugin-files. -CVE-2019-16773 (In WordPress versions from 3.7 to 5.3.0, the function wp_targeted_link ...) +CVE-2019-16773 + REJECTED TODO: check, is a duplicate of CVE-2019-20042, MITRE contacted for handling CVE-2019-16772 (The serialize-to-js NPM package before version 3.0.1 is vulnerable to ...) NOT-FOR-US: serialize-to-js Node package @@ -32129,8 +32168,7 @@ CVE-2019-13769 RESERVED CVE-2019-13768 RESERVED -CVE-2019-13767 - RESERVED +CVE-2019-13767 (Use after free in media picker in Google Chrome prior to 79.0.3945.88 ...) - chromium CVE-2019-13766 (Use-after-free in accessibility in Google Chrome prior to 77.0.3865.75 ...)
[Git][security-tracker-team/security-tracker][master] Revert "Triage CVE-2020-1765, CVE-2020-1766 & CVE-2020-1767 in otrs2 in jessie LTS."
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c9c34f0a by Salvatore Bonaccorso at 2020-01-11T09:08:47+01:00 Revert "Triage CVE-2020-1765, CVE-2020-1766 & CVE-2020-1767 in otrs2 in jessie LTS." otrs2 in Jessie is not non-free, thus while the issue might be indeed no-dsa and not warranting a DLA on its own, the reason must/should be another one. This reverts commit cae6b097ef44fa915a70e1299c46b742fc46db9d. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12694,14 +12694,12 @@ CVE-2020-1767 (Agent A is able to save a draft (i.e. for customer reply). Then A - otrs2 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) - [jessie] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-03/ NOTE: https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570 CVE-2020-1766 (Due to improper handling of uploaded images it is possible in very unl ...) - otrs2 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) - [jessie] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-02/ NOTE: https://github.com/OTRS/otrs/commit/128078b0bb30f601ed97d4a13906644264ee6013 (OTRS6) NOTE: https://github.com/OTRS/otrs/commit/b7d80f9000fc9a435743d8d1d7d44d9a17483a9a (OTRS5)
@@ -12709,7 +12707,6 @@ CVE-2020-1765 (An improper control of parameters allows the spoofing of the from - otrs2 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) - [jessie] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-01/ NOTE: https://github.com/OTRS/otrs/commit/d146d4997cbd6e1370669784c6a2ec8d64655252 (OTRS6) NOTE: https://github.com/OTRS/otrs/commit/874889b86abea4c01ceb1368a836b66694fae1c3 (OTRS5) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9c34f0a647e29e61444677c8760fe164d325533
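Review bot: removing the three `[jessie] - otrs2 (Non-free not supported)` lines leaves CVE-2020-1765, CVE-2020-1766 and CVE-2020-1767 with no jessie status at all, so all three show as open for jessie until they are re-triaged; since the commit message says the no-dsa reason "must/should be another one", the replacement reason should be recorded in the same change or in a tracked follow-up (the CVE list or dla-needed.txt) rather than left implicit. The buster and stretch lines keep the same "Non-free not supported" rationale that the revert rejects for jessie; a short NOTE stating that otrs2 is non-free only in those suites would stop the same question coming up again.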