[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-1701 as NFU

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7795683e by Salvatore Bonaccorso at 2020-01-17T07:45:24+01:00
Mark CVE-2020-1701 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13786,6 +13786,7 @@ CVE-2020-1702
RESERVED
 CVE-2020-1701
RESERVED
+   NOT-FOR-US: KubeVirt
 CVE-2020-1700
RESERVED
 CVE-2020-1699



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7795683e3910fc269ff24469f3ffa346a908bf59



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] 2 commits: Add fixed versions via unstable for CVE-2019-1972{7,8}/slurm-llnl

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5df8b573 by Salvatore Bonaccorso at 2020-01-17T07:25:39+01:00
Add fixed versions via unstable for CVE-2019-1972{7,8}/slurm-llnl

- - - - -
0f1da666 by Salvatore Bonaccorso at 2020-01-17T07:25:40+01:00
Track fixed version for CVE-2019-20149/node-kind-of

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7196,7 +7196,7 @@ CVE-2020-3941 (The repair operation of VMware Tools for 
Windows 10.x.y has a rac
 CVE-2020-3940
RESERVED
 CVE-2019-20149 (ctorName in index.js in kind-of v6.0.2 allows external user 
input to o ...)
-   - node-kind-of  (bug #948095)
+   - node-kind-of 6.0.3+dfsg-1 (bug #948095)
[buster] - node-kind-of  (Minor issue; can be fixed via point 
release)
[stretch] - node-kind-of  (Minor issue; can be fixed via point 
release)
NOTE: https://github.com/jonschlinkert/kind-of/issues/30
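Review bot: the unstable fix 6.0.3+dfsg-1 is recorded, but the [buster] and [stretch] lines keep the "can be fixed via point release" annotation without a version; that only stays consistent while the point-release versions are tracked elsewhere (a sibling commit queues 6.0.2+dfsg-1+deb10u1 for buster in data/next-point-update.txt), and no stretch counterpart is queued yet although the stretch line carries the same annotation.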
@@ -9979,13 +9979,13 @@ CVE-2019-19730
 CVE-2019-19729 (An issue was discovered in the BSON ObjectID (aka 
bson-objectid) packa ...)
NOT-FOR-US: bsjon-objectid node module
 CVE-2019-19728 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes 
srun --u ...)
-   - slurm-llnl 
+   - slurm-llnl 19.05.5-1
[buster] - slurm-llnl  (Minor issue)
[stretch] - slurm-llnl  (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1159692
NOTE: Fixed upstream in 18.08.9, 19.05.5
 CVE-2019-19727 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak 
slurmdbd ...)
-   - slurm-llnl  (unimportant)
+   - slurm-llnl 19.05.5-1 (unimportant)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1155784
NOTE: Fixed upstream in 18.08.9, 19.05.5
NOTE: The example file is installed as well in Debian as 0644 and 
slurmdbd.conf
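Review bot: the last NOTE for CVE-2019-19727 ends mid-sentence ("... installed as well in Debian as 0644 and slurmdbd.conf"), so the reasoning behind the (unimportant) rating on the package line cannot be read from the file; finish the sentence, e.g. state what the 0644 example file implies for the installed slurmdbd.conf. Drive-by: the context line for CVE-2019-19729 reads "bsjon-objectid" where the description says bson-objectid.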



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/b3ec31cf3a1eb58f1d5df41430aa25c1724eec26...0f1da666a8f4d35aa62d39937de3a088f67597f5


[Git][security-tracker-team/security-tracker][master] Track proposed update for node-kind-of via buster-pu

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3ec31cf by Salvatore Bonaccorso at 2020-01-17T07:10:02+01:00
Track proposed update for node-kind-of via buster-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -111,6 +111,8 @@ CVE-2019-20372
[buster] - nginx 1.14.2-2+deb10u2
 CVE-2016-10894
[buster] - xtrlock 2.8+deb10u1
+CVE-2019-20149
+   [buster] - node-kind-of 6.0.2+dfsg-1+deb10u1
 CVE-2019-14814
[buster] - linux 4.19.87-1
 CVE-2019-14815
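Review bot: the buster version 6.0.2+dfsg-1+deb10u1 exists only in this file; the [buster] line for CVE-2019-20149 in data/CVE/list (sibling commit) still carries the "Minor issue; can be fixed via point release" annotation with no version, so when the point release is accepted that line must receive the same version and the two files should be checked against each other. The stretch line carries the same annotation but nothing is queued in data/next-oldstable-point-update.txt.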



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3ec31cf3a1eb58f1d5df41430aa25c1724eec26


[Git][security-tracker-team/security-tracker][master] Track proposed fixes for xtrlock via {stretch,buster}-pu

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fecc72fb by Salvatore Bonaccorso at 2020-01-17T07:05:33+01:00
Track proposed fixes for xtrlock via {stretch,buster}-pu

- - - - -


2 changed files:

- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -126,3 +126,5 @@ CVE-2019-20372
[stretch] - nginx 1.10.3-1+deb9u4
 CVE-2017-14062
[stretch] - libidn 1.33-1+deb9u1
+CVE-2016-10894
+   [stretch] - xtrlock 2.8+deb9u1


=
data/next-point-update.txt
=
@@ -109,6 +109,8 @@ CVE-2019-5188
[buster] - e2fsprogs 1.44.5-1+deb10u3
 CVE-2019-20372
[buster] - nginx 1.14.2-2+deb10u2
+CVE-2016-10894
+   [buster] - xtrlock 2.8+deb10u1
 CVE-2019-14814
[buster] - linux 4.19.87-1
 CVE-2019-14815
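Review bot: the buster entry is inserted between the nginx and linux blocks, while the stretch entry in the first hunk is appended at the end of data/next-oldstable-point-update.txt; if the convention is to keep non-kernel packages ahead of the large linux block, apply it to the oldstable file as well so both files stay in the same order. Both versions (2.8+deb9u1, 2.8+deb10u1) follow the +debNuM scheme of the surrounding entries.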



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fecc72fbe1f6365e50f52a529ad17b429e684019


[Git][security-tracker-team/security-tracker][master] 4 commits: Update to unaliased entry for reference

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b30ec5e by Salvatore Bonaccorso at 2020-01-16T23:53:59+01:00
Update to unaliased entry for reference

- - - - -
9b52d2a9 by Salvatore Bonaccorso at 2020-01-16T23:55:35+01:00
Update status for CVE-2019-20166

With respect to the experimental version the same reasoning applies
as in 44c7d5b783c2 (Reference correct commit for CVE-2019-20168). The
next update will include the fix either first via experimental or
directly to unstable and in either case should not introduce the issue
first into unstable.

- - - - -
321076d9 by Salvatore Bonaccorso at 2020-01-17T00:22:09+01:00
Update information for CVE-2019-20167

- - - - -
c7af6233 by Salvatore Bonaccorso at 2020-01-17T00:31:04+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4763,17 +4763,11 @@ CVE-2019-20168 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/issues/1333
NOTE: 
https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb
 CVE-2019-20167 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
-   - gpac 
-   [buster] - gpac  (vulnerable code introduced in 
development version after v0.8)
-   [stretch] - gpac  (vulnerable code introduced in 
development version after v0.8)
-   [jessie] - gpac  (vulnerable code introduced in 
development version after v0.8)
+   - gpac  (Vulnerable code introduced in development 
version after v0.8.0)
NOTE: https://github.com/gpac/gpac/issues/1330
NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #3)
 CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
-   - gpac 
-   [buster] - gpac  (vulnerable code introduced in 0.7.0)
-   [stretch] - gpac  (vulnerable code introduced in 0.7.0)
-   [jessie] - gpac  (vulnerable code introduced in 0.7.0)
+   - gpac  (Vulnerable code introduced in 0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1331
NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #2)
 CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
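Review bot: the new single-line annotation for CVE-2019-20167 says the vulnerable code was introduced in a development version after v0.8.0, while the CVE description on the context line says the issue was discovered in 0.8.0; since the description contradicts the triage, record the evidence (issue #1330 or the chunk #3 reference) in the NOTE so the entry is not re-triaged later. Folding the [buster]/[stretch]/[jessie] lines into one package-level line is fine only while the reason holds for every suite; the "introduced in 0.7.0" wording for CVE-2019-20166 guarantees that solely for suites shipping a pre-0.7.0 gpac, so name those versions somewhere.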
@@ -21452,7 +21446,7 @@ CVE-2019-17570 [untrusted deserialization]
RESERVED
- libxmlrpc3-java  (bug #949089)
NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1
-   NOTE: Proposed patch: 
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570
+   NOTE: Proposed patch: 
https://bugzilla.redhat.com/show_bug.cgi?id=1775193
 CVE-2019-17569
RESERVED
 CVE-2019-17568
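Review bot: good change; the previous NOTE used the CVE id as a bugzilla alias, which resolves only while the alias is set on the bug, whereas the numeric id 1775193 is stable. The NOTE is still labelled "Proposed patch" but links the bug page rather than a patch; if the patch is an attachment on that bug, link the attachment or say so in the NOTE.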
@@ -32719,7 +32713,7 @@ CVE-2019-13941
 CVE-2019-13940
RESERVED
 CVE-2019-13939 (A vulnerability has been identified in Nucleus NET (All 
versions), Nuc ...)
-   TODO: check
+   NOT-FOR-US: Nucleus
 CVE-2019-13938
RESERVED
 CVE-2019-13937
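Review bot: other entries on this page with the same "A vulnerability has been identified in ..." advisory wording are labelled NOT-FOR-US: Siemens; Nucleus NET is a Siemens product, so use the same vendor label here for grep-ability instead of the product name.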
@@ -32731,7 +32725,7 @@ CVE-2019-13935 (Improper Neutralization of Input During 
Web Page Generation ('Cr
 CVE-2019-13934 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: Siemens
 CVE-2019-13933 (A vulnerability has been identified in SCALANCE X-200RNA 
switch family ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2019-13932 (A vulnerability has been identified in XHQ (All versions  
V6.0.0.2 ...)
NOT-FOR-US: Siemens
 CVE-2019-13931 (A vulnerability has been identified in XHQ (All versions  
V6.0.0.2 ...)
@@ -34732,7 +34726,7 @@ CVE-2019-13526 (Datalogic AV7000 Linear barcode scanner 
all versions prior to 4.
 CVE-2019-13525 (In IP-AK2 Access Control Panel Version 1.04.07 and prior, the 
integrat ...)
NOT-FOR-US: IP-AK2 Access Control Panel
 CVE-2019-13524 (GE PACSystems RX3i CPE100/115: All versions prior to 
R9.85,CPE302/305/ ...)
-   TODO: check
+   NOT-FOR-US: GE/Emerson
 CVE-2019-13523 (In Honeywell Performance IP Cameras and Performance NVRs, the 
integrat ...)
NOT-FOR-US: Honeywell
 CVE-2019-13522 (An attacker could use a specially crafted project file to 
corrupt the  ...)
@@ -41988,7 +41982,7 @@ CVE-2019-10942 (A vulnerability has been identified in 
SCALANCE X-200 (All versi
 CVE-2019-10941
RESERVED
 CVE-2019-10940 (A vulnerability has been identified in SINEMA Server (All 
versions  ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2019-10939
RESERVED
 CVE-2019-10938 (A vulnerability has been identified in SIPROTEC 5 devices with 
CPU var ...)
@@ -42000,7 +41994,7 @@ CVE-2019-10936 (A vulnerability has been identified in 
Development/Evaluation Ki
 CVE-2019-10935 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and 
earlier  ...)
NOT-FOR-US: Siemens
 CVE-2019-10934 (A vulnerability has been identified in 

[Git][security-tracker-team/security-tracker][master] Reference correct commit for CVE-2019-20168

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44c7d5b7 by Salvatore Bonaccorso at 2020-01-16T23:52:28+01:00
Reference correct commit for CVE-2019-20168

As questioned in
https://github.com/gpac/gpac/issues/1333#issuecomment-575329630 the
previously referenced commit was incorrect. Confirmed by upstream in
https://github.com/gpac/gpac/issues/1333#issuecomment-575378362.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4761,7 +4761,7 @@ CVE-2019-20169 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
 CVE-2019-20168 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1333
-   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80
+   NOTE: 
https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb
 CVE-2019-20167 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
[buster] - gpac  (vulnerable code introduced in 
development version after v0.8)
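Review bot: the justification for replacing 5250afec with a8b6246d (upstream confirmation in issue #1333) lives only in the commit message; add a NOTE citing the confirming comment, because the trailing context shows 5250afec still referenced for CVE-2019-20167 and a later reader will wonder why the two neighbouring entries diverge.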



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/44c7d5b783c2c915121cf583f32e4b59cc5dc77a


[Git][security-tracker-team/security-tracker][master] 2 commits: Claim libxmlrpc3-java in dla-needed.txt

2020-01-16 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0670a2cb by Markus Koschany at 2020-01-16T23:49:08+01:00
Claim libxmlrpc3-java in dla-needed.txt

- - - - -
65401fd2 by Markus Koschany at 2020-01-16T23:49:09+01:00
CVE-2019-17570,libxmlrpc3-java: Link to Red Hat bug report and proposed patch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -21452,6 +21452,7 @@ CVE-2019-17570 [untrusted deserialization]
RESERVED
- libxmlrpc3-java  (bug #949089)
NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1
+   NOTE: Proposed patch: 
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570
 CVE-2019-17569
RESERVED
 CVE-2019-17568
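Review bot: the bugzilla URL uses the CVE id as an alias (show_bug.cgi?id=CVE-2019-17570); that works only while the alias is set on the bug and is replaced on this page by the numeric id 1775193 in a later commit, so prefer the numeric bug id from the start. The NOTE is labelled "Proposed patch" but points at the bug page, not a patch; link the attachment or name it if one exists.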


=
data/dla-needed.txt
=
@@ -61,6 +61,8 @@ libmatio (Adrian Bunk)
   NOTE: 20190428: older changes seem to also be required for them
   NOTE: 20200112: work is ongoing
 --
+libxmlrpc3-java (Markus Koschany)
+--
 linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
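Review bot: the libxmlrpc3-java claim is placed alphabetically between libmatio and linux, matching the file's layout, but unlike the libmatio entry it carries no dated NOTE; add one naming the Debian bug (#949089) and the Red Hat bug holding the proposed patch so the next person can see the state of the work.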



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/75c3a624d3167c590d2c9b50aa0ad2124b7623ab...65401fd28de38cfd893787709d60d2297d279446


[Git][security-tracker-team/security-tracker][master] 2 commits: Reorganize next-point-update file

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69374e07 by Salvatore Bonaccorso at 2020-01-16T22:59:25+01:00
Reorganize next-point-update file

- - - - -
aaca0872 by Salvatore Bonaccorso at 2020-01-16T23:00:41+01:00
Update pending CVE list for linux update

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -91,6 +91,24 @@ CVE-2019-15681
[buster] - tightvnc 1:1.3.9-9deb10u1
 CVE-2019-19919
[buster] - node-handlebars 3:4.1.0-1+deb10u1
+CVE-2019-2228
+   [buster] - cups 2.2.10-6+deb10u2
+CVE-2019-9740
+   [buster] - python3.7 3.7.3-2+deb10u1
+CVE-2019-9947
+   [buster] - python3.7 3.7.3-2+deb10u1
+CVE-2019-9948
+   [buster] - python3.7 3.7.3-2+deb10u1
+CVE-2019-10160
+   [buster] - python3.7 3.7.3-2+deb10u1
+CVE-2019-16056
+   [buster] - python3.7 3.7.3-2+deb10u1
+CVE-2019-16935
+   [buster] - python3.7 3.7.3-2+deb10u1
+CVE-2019-5188
+   [buster] - e2fsprogs 1.44.5-1+deb10u3
+CVE-2019-20372
+   [buster] - nginx 1.14.2-2+deb10u2
 CVE-2019-14814
[buster] - linux 4.19.87-1
 CVE-2019-14815
@@ -133,6 +151,8 @@ CVE-2019-17133
[buster] - linux 4.19.87-1
 CVE-2019-17666
[buster] - linux 4.19.87-1
+CVE-2019-18282
+   [buster] - linux 4.19.87-1
 CVE-2019-18660
[buster] - linux 4.19.87-1
 CVE-2019-18683
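Review bot: this queues CVE-2019-18282 for the linux 4.19.87-1 buster batch, but the matching data/CVE/list entry (added in the preceding commit) records only the unstable fix 5.3.15-1 and the upstream commit 55667441c84f; before the point release, confirm that 4.19.87 actually contains a backport of that commit, since the description lists 4.3 through 5.x as affected.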
@@ -185,21 +205,3 @@ CVE-2019-19060
[buster] - linux 4.19.87-1
 CVE-2019-19075
[buster] - linux 4.19.87-1
-CVE-2019-2228
-   [buster] - cups 2.2.10-6+deb10u2
-CVE-2019-9740
-   [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-9947
-   [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-9948
-   [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-10160
-   [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-16056
-   [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-16935
-   [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-5188
-   [buster] - e2fsprogs 1.44.5-1+deb10u3
-CVE-2019-20372
-   [buster] - nginx 1.14.2-2+deb10u2
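Review bot: the nine entries removed here (CVE-2019-2228, the six python3.7 CVEs, CVE-2019-5188 and CVE-2019-20372) are exactly the nine re-added ahead of the linux block in the first hunk, with identical versions, so this is a pure move and nothing is dropped; fine as is.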



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/ee0a47db4c573aa08ce5c7f92a94925fbb9762c6...aaca0872afe44c83cd12614f1594a0963844b751


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-18282/linux

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee0a47db by Salvatore Bonaccorso at 2020-01-16T22:53:35+01:00
Add CVE-2019-18282/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18892,7 +18892,8 @@ CVE-2019-18284 (A vulnerability has been identified in 
SPPA-T3000 Application Se
 CVE-2019-18283 (A vulnerability has been identified in SPPA-T3000 Application 
Server ( ...)
NOT-FOR-US: Siemens
 CVE-2019-18282 (The flow_dissector feature in the Linux kernel 4.3 through 5.x 
before  ...)
-   TODO: check
+   - linux 5.3.15-1
+   NOTE: 
https://git.kernel.org/linus/55667441c84fa5e0911a0aac44fb059c15ba6da2
 CVE-2019-18281 (An out-of-bounds memory access in the 
generateDirectionalRuns() functi ...)
{DSA-4556-1}
- qtbase-opensource-src-gles 5.12.5+dfsg-1
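Review bot: the description's range "4.3 through 5.x before ..." covers the buster kernel (4.19, per the linux 4.19.87-1 entries in data/next-point-update.txt) and the stretch kernel (4.9, per the linux-4.9 entry in dla-needed.txt), but the hunk records only the unstable fix 5.3.15-1; a sibling commit queues the buster line, while stretch gets no line at all, so add a [stretch] entry (fixed version or an explicit deferral) rather than leaving that suite untriaged.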



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee0a47db4c573aa08ce5c7f92a94925fbb9762c6


[Git][security-tracker-team/security-tracker][master] 2 commits: Update information on CVE-2019-20159

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e96ff8bb by Salvatore Bonaccorso at 2020-01-16T22:22:33+01:00
Update information on CVE-2019-20159

The experimental version of gpac would be affected, but as unstable is not,
we do not explicitly track it now, as the next upload to experimental
will likely be rebased including the fix (so unstable will never be
affected).

Reference introducing commit for CVE-2019-20159.

- - - - -
9c250d16 by Salvatore Bonaccorso at 2020-01-16T22:46:31+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4804,12 +4804,10 @@ CVE-2019-20160 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/issues/1334
NOTE: 
https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e
 CVE-2019-20159 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
-   - gpac 
-   [buster] - gpac  (vulnerable code introduced in 0.7.0)
-   [stretch] - gpac  (vulnerable code introduced in 0.7.0)
-   [jessie] - gpac  (vulnerable code introduced in 0.7.0)
+   - gpac  (Vulnerable code introduced in 0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1321
-   NOTE: 
https://github.com/gpac/gpac/commit/e4c1f09ab9618b6af3bec6b94b8b349f2d01dbf8
+   NOTE: Introduced in: 
https://github.com/gpac/gpac/commit/261fab7f51479ae8b1732350d9d4cc456c4919af 
(v0.7.0)
+   NOTE: Fixed by: 
https://github.com/gpac/gpac/commit/e4c1f09ab9618b6af3bec6b94b8b349f2d01dbf8
 CVE-2019-20158
RESERVED
 CVE-2019-20157
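Review bot: the package line now says "Vulnerable code introduced in 0.7.0" and the per-suite lines are dropped, but the reason for deliberately leaving the affected experimental version untracked exists only in the commit message; put it in a NOTE ("experimental affected; next upload expected to include the fix") so the data file itself explains why an issue introduced in 0.7.0 carries no unstable fix version. Labelling the two commit URLs as "Introduced in" and "Fixed by" is an improvement over the bare references.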
@@ -7331,7 +7329,7 @@ CVE-2019-20099
 CVE-2019-20098
RESERVED
 CVE-2019-20097 (Bitbucket Server and Bitbucket Data Center versions starting 
from 1.0. ...)
-   TODO: check
+   NOT-FOR-US: Bitbucket Server and Bitbucket Data Center
 CVE-2019-20096 (In the Linux kernel before 5.1, there is a memory leak in 
__feat_regis ...)
- linux 5.2.6-1
[jessie] - linux 3.16.72-1
@@ -14024,7 +14022,7 @@ CVE-2019-19280
 CVE-2019-19279
RESERVED
 CVE-2019-19278 (A vulnerability has been identified in SINAMICS PERFECT 
HARMONY GH180  ...)
-   TODO: check
+   NOT-FOR-US: SINAMICS
 CVE-2019-19277
RESERVED
 CVE-2019-19276
@@ -28996,11 +28994,11 @@ CVE-2019-15014 (A command injection vulnerability 
exists in the Zingbox Inspecto
 CVE-2019-15013 (The WorkflowResource class removeStatus method in Jira before 
version  ...)
NOT-FOR-US: Atlassian
 CVE-2019-15012 (Bitbucket Server and Bitbucket Data Center from version 4.13. 
before 5 ...)
-   TODO: check
+   NOT-FOR-US: Bitbucket Server and Bitbucket Data Center
 CVE-2019-15011 (The ListEntityLinksServlet resource in Application Links 
before versio ...)
NOT-FOR-US: Application Links
 CVE-2019-15010 (Bitbucket Server and Bitbucket Data Center versions starting 
from vers ...)
-   TODO: check
+   NOT-FOR-US: Bitbucket Server and Bitbucket Data Center
 CVE-2019-15009 (The /json/profile/removeStarAjax.do resource in Atlassian 
Fisheye and  ...)
NOT-FOR-US: Atlassian Fisheye and Crucible
 CVE-2019-15008 (The /plugins/servlet/branchreview resource in Atlassian 
Fisheye and Cr ...)
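Review bot: the two new lines use "NOT-FOR-US: Bitbucket Server and Bitbucket Data Center" while the neighbouring Atlassian entries in the context use "NOT-FOR-US: Atlassian" or a shorter product name; the file is grepped by vendor, so settle on one form (the same choice applies to CVE-2019-20097 in the second hunk).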
@@ -38924,9 +38922,9 @@ CVE-2019-12000
 CVE-2019-11999
RESERVED
 CVE-2019-11998 (HPE Superdome Flex Server is vulnerable to multiple remote 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: HPE Superdome Flex Server
 CVE-2019-11997 (A potential security vulnerability has been identified in HPE 
enhanced ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2019-11996 (Potential security vulnerabilities have been identified with 
HPE Nimbl ...)
NOT-FOR-US: HPE
 CVE-2019-11995 (Security vulnerabilities in HPE UIoT version 1.2.4.2 could 
allow unaut ...)
@@ -47053,7 +47051,7 @@ CVE-2019-9511 (Some HTTP/2 implementations are 
vulnerable to window size manipul
NOTE: 
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
NOTE: https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
 CVE-2019-9510 (A vulnerability in Microsoft Windows 10 1803 and Windows Server 
2019 a ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2019-9509
RESERVED
 CVE-2019-9508



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/b967ad692175d6a5dc5b8a4958e50abe1976a221...9c250d16845c6840822fb2e5b7346f57f371466f


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7044/wireshark

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b967ad69 by Salvatore Bonaccorso at 2020-01-16T22:15:52+01:00
Add CVE-2020-7044/wireshark

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -342,7 +342,11 @@ CVE-2020-7045 (In Wireshark 3.0.x before 3.0.8, the BT ATT 
dissector could crash
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=01f261de41f4dd3233ef578e5c0ffb9c25c7d14d
NOTE: https://www.wireshark.org/security/wnpa-sec-2020-02.html
 CVE-2020-7044 (In Wireshark 3.2.x before 3.2.1, the WASSP dissector could 
crash. This ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16324
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f90a3720b73ca140403315126e2a478c4f70ca03
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2020-01.html
+   TODO: check, might affect only 3.2.0.
 CVE-2020-7043
RESERVED
 CVE-2020-7042
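Review bot: the entry is left with a "TODO: check, might affect only 3.2.0" line after the package line; the description says 3.2.x before 3.2.1, and 3.2.0-1 appears as a Debian wireshark version in the CVE-2020-7045 entry, so on the visible information 3.2.0-1 falls inside the affected range and the TODO should be settled against the linked wnpa-sec-2020-01 advisory (which names the fixed release) before the entry counts as triaged.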



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b967ad692175d6a5dc5b8a4958e50abe1976a221


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7045/wireshark

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01a96767 by Salvatore Bonaccorso at 2020-01-16T22:13:45+01:00
Add CVE-2020-7045/wireshark

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -337,7 +337,10 @@ CVE-2020-7047
 CVE-2020-7046
RESERVED
 CVE-2020-7045 (In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could 
crash. Thi ...)
-   TODO: check
+   - wireshark 3.2.0-1
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16258
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=01f261de41f4dd3233ef578e5c0ffb9c25c7d14d
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2020-02.html
 CVE-2020-7044 (In Wireshark 3.2.x before 3.2.1, the WASSP dissector could 
crash. This ...)
TODO: check
 CVE-2020-7043
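Review bot: the description restricts the issue to 3.0.x before 3.0.8 and only the unstable fix 3.2.0-1 is recorded, with no [buster]/[stretch] line, so whether the stable suites ship a 3.0.x build is left implicit; a one-line annotation for those suites (not affected, with the shipped version) would make the triage complete and self-explanatory.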



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/01a967677d8cdfe1e4aa990e8ab507fb0b1d7107


[Git][security-tracker-team/security-tracker][master] gpac: precise triage

2020-01-16 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8323a37 by Sylvain Beucler at 2020-01-16T21:46:02+01:00
gpac: precise triage
CVE-2019-20159,CVE-2019-20163,CVE-2019-20164,CVE-2019-20165,CVE-2019-20166,CVE-2019-20167

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4757,24 +4757,33 @@ CVE-2019-20168 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80
 CVE-2019-20167 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
+   [buster] - gpac  (vulnerable code introduced in 
development version after v0.8)
+   [stretch] - gpac  (vulnerable code introduced in 
development version after v0.8)
+   [jessie] - gpac  (vulnerable code introduced in 
development version after v0.8)
NOTE: https://github.com/gpac/gpac/issues/1330
-   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80
+   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #3)
 CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
+   [buster] - gpac  (vulnerable code introduced in 0.7.0)
+   [stretch] - gpac  (vulnerable code introduced in 0.7.0)
+   [jessie] - gpac  (vulnerable code introduced in 0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1331
-   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80
+   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #2)
 CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1338
-   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80
+   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #1)
 CVE-2019-20164 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
+   [buster] - gpac  (vulnerable code introduced in 0.7.0)
+   [stretch] - gpac  (vulnerable code introduced in 0.7.0)
+   [jessie] - gpac  (vulnerable code introduced in 0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1332
-   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80
+   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #2)
 CVE-2019-20163 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1335
-   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80
+   NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #4)
 CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1327
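Review bot: CVE-2019-20166 and CVE-2019-20164 both get "(chunk #2)" of commit 5250afec, while 20165, 20167 and 20163 get chunks #1, #3 and #4; if one hunk of that commit really fixes both CVEs, say so in the NOTE, otherwise one of the two chunk numbers is off. The per-suite "vulnerable code introduced in 0.7.0" lines imply that buster, stretch and jessie all ship a pre-0.7.0 gpac; naming the shipped versions would let that be checked without opening the package pages.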
@@ -4789,6 +4798,9 @@ CVE-2019-20160 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: 
https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e
 CVE-2019-20159 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
- gpac 
+   [buster] - gpac  (vulnerable code introduced in 0.7.0)
+   [stretch] - gpac  (vulnerable code introduced in 0.7.0)
+   [jessie] - gpac  (vulnerable code introduced in 0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1321
NOTE: 
https://github.com/gpac/gpac/commit/e4c1f09ab9618b6af3bec6b94b8b349f2d01dbf8
 CVE-2019-20158
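Review bot: the CVE-2019-20159 entry now gets the same per-suite annotations as the others, but its commit reference e4c1f09a is neither labelled (fixing vs. introducing commit) nor given a chunk number, unlike the 5250afec references in the first hunk; label it so the reader can tell which commit is the fix.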



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c8323a37f4784f017ed11028224060478b3a4e3a


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-17570/libxmlrpc3-java

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d65459b by Salvatore Bonaccorso at 2020-01-16T21:37:20+01:00
Add Debian bug reference for CVE-2019-17570/libxmlrpc3-java

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21435,7 +21435,7 @@ CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer 
class that is vulnerable
NOTE: Fixed by 
https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master
 CVE-2019-17570 [untrusted deserialization]
RESERVED
-   - libxmlrpc3-java 
+   - libxmlrpc3-java  (bug #949089)
NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1
 CVE-2019-17569
RESERVED
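Review bot: the bug reference lands on the libxmlrpc3-java line as expected; what the entry still lacks is any pointer to a fix, and it keeps the "[untrusted deserialization]" placeholder because the ID is still RESERVED, so the oss-security post remains the only reference. Fine for now, but add the fix reference (or a NOTE that none exists) once the bug is worked, so the entry does not stay open on a mailing-list link alone.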



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d65459b73fb96525db10ee3d9daecd117872f95


[Git][security-tracker-team/security-tracker][master] automatic update

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f657c57 by security tracker role at 2020-01-16T20:10:25+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,203 @@
+CVE-2020-7209
+   RESERVED
+CVE-2020-7208
+   RESERVED
+CVE-2020-7207
+   RESERVED
+CVE-2020-7206
+   RESERVED
+CVE-2020-7205
+   RESERVED
+CVE-2020-7204
+   RESERVED
+CVE-2020-7203
+   RESERVED
+CVE-2020-7202
+   RESERVED
+CVE-2020-7201
+   RESERVED
+CVE-2020-7200
+   RESERVED
+CVE-2020-7199
+   RESERVED
+CVE-2020-7198
+   RESERVED
+CVE-2020-7197
+   RESERVED
+CVE-2020-7196
+   RESERVED
+CVE-2020-7195
+   RESERVED
+CVE-2020-7194
+   RESERVED
+CVE-2020-7193
+   RESERVED
+CVE-2020-7192
+   RESERVED
+CVE-2020-7191
+   RESERVED
+CVE-2020-7190
+   RESERVED
+CVE-2020-7189
+   RESERVED
+CVE-2020-7188
+   RESERVED
+CVE-2020-7187
+   RESERVED
+CVE-2020-7186
+   RESERVED
+CVE-2020-7185
+   RESERVED
+CVE-2020-7184
+   RESERVED
+CVE-2020-7183
+   RESERVED
+CVE-2020-7182
+   RESERVED
+CVE-2020-7181
+   RESERVED
+CVE-2020-7180
+   RESERVED
+CVE-2020-7179
+   RESERVED
+CVE-2020-7178
+   RESERVED
+CVE-2020-7177
+   RESERVED
+CVE-2020-7176
+   RESERVED
+CVE-2020-7175
+   RESERVED
+CVE-2020-7174
+   RESERVED
+CVE-2020-7173
+   RESERVED
+CVE-2020-7172
+   RESERVED
+CVE-2020-7171
+   RESERVED
+CVE-2020-7170
+   RESERVED
+CVE-2020-7169
+   RESERVED
+CVE-2020-7168
+   RESERVED
+CVE-2020-7167
+   RESERVED
+CVE-2020-7166
+   RESERVED
+CVE-2020-7165
+   RESERVED
+CVE-2020-7164
+   RESERVED
+CVE-2020-7163
+   RESERVED
+CVE-2020-7162
+   RESERVED
+CVE-2020-7161
+   RESERVED
+CVE-2020-7160
+   RESERVED
+CVE-2020-7159
+   RESERVED
+CVE-2020-7158
+   RESERVED
+CVE-2020-7157
+   RESERVED
+CVE-2020-7156
+   RESERVED
+CVE-2020-7155
+   RESERVED
+CVE-2020-7154
+   RESERVED
+CVE-2020-7153
+   RESERVED
+CVE-2020-7152
+   RESERVED
+CVE-2020-7151
+   RESERVED
+CVE-2020-7150
+   RESERVED
+CVE-2020-7149
+   RESERVED
+CVE-2020-7148
+   RESERVED
+CVE-2020-7147
+   RESERVED
+CVE-2020-7146
+   RESERVED
+CVE-2020-7145
+   RESERVED
+CVE-2020-7144
+   RESERVED
+CVE-2020-7143
+   RESERVED
+CVE-2020-7142
+   RESERVED
+CVE-2020-7141
+   RESERVED
+CVE-2020-7140
+   RESERVED
+CVE-2020-7139
+   RESERVED
+CVE-2020-7138
+   RESERVED
+CVE-2020-7137
+   RESERVED
+CVE-2020-7136
+   RESERVED
+CVE-2020-7135
+   RESERVED
+CVE-2020-7134
+   RESERVED
+CVE-2020-7133
+   RESERVED
+CVE-2020-7132
+   RESERVED
+CVE-2020-7131
+   RESERVED
+CVE-2020-7130
+   RESERVED
+CVE-2020-7129
+   RESERVED
+CVE-2020-7128
+   RESERVED
+CVE-2020-7127
+   RESERVED
+CVE-2020-7126
+   RESERVED
+CVE-2020-7125
+   RESERVED
+CVE-2020-7124
+   RESERVED
+CVE-2020-7123
+   RESERVED
+CVE-2020-7122
+   RESERVED
+CVE-2020-7121
+   RESERVED
+CVE-2020-7120
+   RESERVED
+CVE-2020-7119
+   RESERVED
+CVE-2020-7118
+   RESERVED
+CVE-2020-7117
+   RESERVED
+CVE-2020-7116
+   RESERVED
+CVE-2020-7115
+   RESERVED
+CVE-2020-7114
+   RESERVED
+CVE-2020-7113
+   RESERVED
+CVE-2020-7112
+   RESERVED
+CVE-2020-7111
+   RESERVED
+CVE-2020-7110
+   RESERVED
 CVE-2020-7109
RESERVED
 CVE-2020-7108 (The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS 
via the ...)
@@ -4047,8 +4247,8 @@ CVE-2019-20329 (OpenLambda 2019-09-10 allows DNS 
rebinding attacks against the O
NOT-FOR-US: OpenLambda
 CVE-2019-20328
RESERVED
-CVE-2019-20327
-   RESERVED
+CVE-2019-20327 (Insecure permissions in cwrapper_perl in Centreon 
Infrastructure Monit ...)
+   TODO: check
 CVE-2019-20325
REJECTED
 CVE-2019-20324
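Review bot: the "TODO: check" on CVE-2019-20327 should resolve quickly. The description names cwrapper_perl in Centreon Infrastructure Monitoring, a vendor product; unless a centreon source package exists in the archive, this is a "NOT-FOR-US: Centreon" entry in the same form as the OpenLambda line at the top of this hunk.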
@@ -11195,7 +11395,7 @@ CVE-2019-19682 (nopCommerce through 4.20 allows XSS in 
the SaveStoreMappings of
NOT-FOR-US: nopCommerce
 CVE-2019-19681 (Pandora FMS 7.x suffers from remote code execution 
vulnerability. With ...)
NOT-FOR-US: Pandora FMS
-CVE-2019-19680 (A file-extension filtering vulnerability in ProofPoint 
Protection Serv ...)
+CVE-2019-19680 (A file-extension filtering vulnerability in Proofpoint 
Enterprise Prot ...)
NOT-FOR-US: ProofPoint Protection Server Email Firewall
 CVE-2019-19679 (In "Xray Test Management for Jira" prior to version 3.5.5, 
remote auth ...)
NOT-FOR-US: Xray Test Management for Jira
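Review bot: the refreshed description now reads "Proofpoint Enterprise Prot..." but the NOT-FOR-US annotation directly below it still says "ProofPoint Protection Server Email Firewall". The automatic update only rewrites the description line, so the annotation needs a manual edit to match the renamed product (and the vendor's own "Proofpoint" capitalisation).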
@@ -13804,8 +14004,8 @@ CVE-2019-19280
RESERVED
 CVE-2019-19279
RESERVED
-CVE-2019-19278
-   RESERVED
+CVE-2019-19278 (A vulnerability has been identified in SINAMICS PERFECT 
HARMONY GH180  ...)
+   TODO: check
 CVE-2019-19277
RESERVED
 CVE-2019-19276
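Review bot: CVE-2019-19278's "TODO: check" can be closed as NOT-FOR-US. The description names SINAMICS PERFECT HARMONY GH180, a Siemens drive product line, which is hardware/firmware and not anything packaged in Debian.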
@@ -18674,8 

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-7039/slirp

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f38b18a3 by Salvatore Bonaccorso at 2020-01-16T21:07:50+01:00
Add Debian bug reference for CVE-2020-7039/slirp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -153,7 +153,7 @@ CVE-2020-7039 [OOB buffer access while emulating tcp 
protocols in tcp_emu()]
- libslirp  (bug #949084)
- qemu 1:4.1-2
- qemu-kvm 
-   - slirp 
+   - slirp  (bug #949085)
NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/2
NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
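Review bot: with #949084 on libslirp and #949085 on slirp the two source packages are now tracked separately, which is right since each ships its own copy of the code. What this hunk does not establish is whether src:slirp contains the tcp_emu() path at all; the "TODO: Futher check for src:slirp" recorded when the entry was created should stay until that is confirmed, since the slirp bug may end up closed as not affected rather than fixed.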



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f38b18a331c43c04d63b6fb6540a280d5881fffd


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-7039/libslirp

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c501c9b by Salvatore Bonaccorso at 2020-01-16T20:57:31+01:00
Add Debian bug reference for CVE-2020-7039/libslirp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -150,7 +150,7 @@ CVE-2020-7040
RESERVED
 CVE-2020-7039 [OOB buffer access while emulating tcp protocols in tcp_emu()]
RESERVED
-   - libslirp 
+   - libslirp  (bug #949084)
- qemu 1:4.1-2
- qemu-kvm 
- slirp 
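Review bot: only the libslirp line gets a bug number here while the slirp line directly below it is left without one. If both source packages are considered affected, each needs its own bug (one per source package) so the tracker can link them; otherwise the slirp line should carry a state or note explaining why no bug is filed.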



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c501c9bb024b5b17ffae556a188fa248291cfce


[Git][security-tracker-team/security-tracker][master] LTS/remove tigervnc; it does not exist in jessie; not sure why it was added in the first place

2020-01-16 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd018495 by Roberto C. Sánchez at 2020-01-16T13:54:27-05:00
LTS/remove tigervnc; it does not exist in jessie; not sure why it was added in 
the first place

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -121,8 +121,6 @@ squid3
 --
 thunderbird (Emilio)
 --
-tigervnc (Roberto C. Sánchez)
---
 tomcat7 (Markus Koschany)
   NOTE: 20200115: https://people.debian.org/~apo/tomcat7/
   NOTE: 20200115: waiting for sunweaver's review
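Review bot: removing the entry together with its "--" separator is the right shape for this file. Since the commit message says it is unclear why tigervnc was listed, it is worth checking data/CVE/list for a tigervnc line carrying a [jessie] state: dla-needed entries are normally derived from such lines, and if one exists the package will be proposed again until that line is corrected to reflect that tigervnc is not in jessie.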



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/dd0184954d76c7ddb41b27f1f98e216fb89ad4a6


[Git][security-tracker-team/security-tracker][master] LTS/update note and disclaim squid3

2020-01-16 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ddacb9e by Roberto C. Sánchez at 2020-01-16T11:22:33-05:00
LTS/update note and disclaim squid3

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -111,8 +111,13 @@ sqlite3 (Thorsten Alteholz)
   NOTE: 20191212: look at no-dsa as well
   NOTE: 20200112: WIP
 --
-squid3 (Roberto C. Sánchez)
+squid3
   NOTE: 20191210: Requires new API SBuf.
+  NOTE: 20200116: Researched other distros to see if any had backported the 
fixes.  No luck.
+  NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but 
did not succeed.
+  NOTE: 20200116: The change is rather involved when considering the new SBuf 
API, so not
+  NOTE: 20200116: being able to reproduce makes it impossible isolate the 
minimal change that
+  NOTE: 20200116: addresses the vulnerabilities. (roberto)
 --
 thunderbird (Emilio)
 --
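Review bot: the new notes explain why the work was dropped but never say which CVE IDs "the vulnerabilities" are, nor which other distributions were checked, so the next person to pick squid3 up will have to redo that research. List the IDs (and the distro trackers consulted) in the NOTE lines. Minor: "impossible isolate" is missing "to".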



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5ddacb9e649bcc7beab5aecb1d4058c56e019d9b


[Git][security-tracker-team/security-tracker][master] Process two NFUs

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5bc3666d by Salvatore Bonaccorso at 2020-01-16T15:33:23+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21223,6 +21223,7 @@ CVE-2019-17574 (An issue was discovered in the Popup 
Maker plugin before 1.8.13
NOT-FOR-US: Popup Maker plugin for WordPress
 CVE-2019-17573
RESERVED
+   NOT-FOR-US: Apache CFX
 CVE-2019-17572
RESERVED
 CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer class that is 
vulnerable to de ...)
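Review bot: "Apache CFX" on the new NOT-FOR-US line is a misspelling of Apache CXF, the project CVE-2019-17573 is filed against; the same typo is on the CVE-2019-12423 line in the second hunk. Fix both so the annotation matches the product name used in the advisory and stays searchable.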
@@ -37558,6 +37559,7 @@ CVE-2019-12424
REJECTED
 CVE-2019-12423
RESERVED
+   NOT-FOR-US: Apache CFX
 CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember 
me" config ...)
- shiro  (bug #947945)
[jessie] - shiro  (Minor issue)
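Review bot: same spelling issue as in the first hunk, "Apache CFX" should read "Apache CXF" on the CVE-2019-12423 line.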



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5bc3666d15abb541d2d004bdd41a63a39ff2a965


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7039/libslirp

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
65baf5b5 by Salvatore Bonaccorso at 2020-01-16T15:24:37+01:00
Add CVE-2020-7039/libslirp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -148,8 +148,18 @@ CVE-2020-7041
RESERVED
 CVE-2020-7040
RESERVED
-CVE-2020-7039
+CVE-2020-7039 [OOB buffer access while emulating tcp protocols in tcp_emu()]
RESERVED
+   - libslirp 
+   - qemu 1:4.1-2
+   - qemu-kvm 
+   - slirp 
+   NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/2
+   NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
+   NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
+   NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
+   NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
+   TODO: Futher check for src:slirp
 CVE-2020-7038
RESERVED
 CVE-2020-7037
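Review bot: the NOTE marking qemu 1:4.1-2 as fixed because it switched to the system libslirp implies that every earlier qemu still carries an embedded slirp copy, yet the entry has no per-release lines for qemu. If the stable suites ship a qemu older than 1:4.1-2, those versions will not pick up a libslirp fix and need their own state (and their own fix) recorded here. Also, "Futher" in the TODO should be "Further".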



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/65baf5b5815a73e04c8bff0419e2e5615f311c0f


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17570/libxmlrpc3-java

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a63edf48 by Salvatore Bonaccorso at 2020-01-16T14:36:01+01:00
Add CVE-2019-17570/libxmlrpc3-java

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21223,8 +21223,10 @@ CVE-2019-17571 (Included in Log4j 1.2 is a 
SocketServer class that is vulnerable
NOTE: is end-of-life upstream and does not recieve a fix for this 
issue. Users
NOTE: should upgrade to Log4j 2.x.
NOTE: Fixed by 
https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master
-CVE-2019-17570
+CVE-2019-17570 [untrusted deserialization]
RESERVED
+   - libxmlrpc3-java 
+   NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1
 CVE-2019-17569
RESERVED
 CVE-2019-17568
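Review bot: the entry is opened as affected for libxmlrpc3-java with only the oss-security post as a reference. As with the log4j 1.2 entry in the context above, which records that upstream is end-of-life, note whether ws-xmlrpc still has an active upstream, since that decides whether a fixed upstream release can be expected or a Debian-carried patch is needed. While here, "recieve" in that log4j context line should be "receive".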



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a63edf48f57bc2e01b81b13ad0ac3bab0ccf5d88


[Git][security-tracker-team/security-tracker][master] puppet confirmed/no-dsa

2020-01-16 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2fd1f835 by Moritz Muehlenhoff at 2020-01-16T12:15:00+01:00
puppet confirmed/no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52194,8 +52194,8 @@ CVE-2019-7443 (KDE KAuth before 5.55 allows the passing 
of parameters with arbit
- kauth 5.54.0-2 (bug #921995)
[stretch] - kauth 5.28.0-2+deb9u1
- kde4libs  (bug #922727)
-   [buster] - kde4libs  (Minor issue)
-   [stretch] - kde4libs  (Minor issue)
+   [buster] - kde4libs  (Minor issue)
+   [stretch] - kde4libs  (Minor issue)
[jessie] - kde4libs  (Minor issue)
NOTE: 
https://mail.kde.org/pipermail/kde-announce/2019-February/11.html
NOTE: 
https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a
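Review bot: the commit message only mentions puppet, but this commit also rewrites the buster/stretch lines for kde4libs, libcroco (two entries) and pyrad. As rendered those lines are identical before and after, so whatever token changed (presumably the per-release state marker) is not visible; a commit message naming the state change made on those entries would save the reader guessing.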
@@ -93294,10 +93294,11 @@ CVE-2018-11753
 CVE-2018-11752 (Previous releases of the Puppet cisco_ios module output SSH 
session de ...)
NOT-FOR-US: cisco_ios Puppet module
 CVE-2018-11751 (Previous versions of Puppet Agent didn't verify the peer in 
the SSL co ...)
-   - puppet 
+   - puppet 
+   [buster] - puppet  (Minor issue)
+   [stretch] - puppet  (Minor issue)
NOTE: https://puppet.com/security/cve/CVE-2018-11751/
NOTE: https://tickets.puppetlabs.com/browse/PUP-9459
-   TODO: check
 CVE-2018-11750 (Previous releases of the Puppet cisco_ios module did not 
validate a ho ...)
NOT-FOR-US: cisco_ios Puppet module
 CVE-2018-11749 (When users are configured to use startTLS with RBAC LDAP, at 
login tim ...)
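Review bot: the "Minor issue" marks on the new buster/stretch puppet lines carry no rationale, unlike other annotations in this commit such as "Vulnerable code not present". For a CVE whose description is that the peer was not verified in the SSL connection, a few words on why this is minor (what that connection fetches and what an attacker on the path gains) would justify the no-dsa decision to anyone reading the entry later. Dropping the "TODO: check" is consistent with the commit title.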
@@ -152419,8 +152420,8 @@ CVE-2017-8872 (The htmlParseTryOrFinish function in 
HTMLparser.c in libxml2 2.9.
NOTE: 
https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407
 CVE-2017-8871 (The cr_parser_parse_selector_core function in cr-parser.c in 
libcroco  ...)
- libcroco  (bug #864666; low)
-   [buster] - libcroco  (Minor issue)
-   [stretch] - libcroco  (Minor issue)
+   [buster] - libcroco  (Minor issue)
+   [stretch] - libcroco  (Minor issue)
[jessie] - libcroco  (Minor issue)
[wheezy] - libcroco  (Vulnerable code not present)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=782649
@@ -152547,8 +152548,8 @@ CVE-2016-10369 (unixsocket.c in lxterminal through 
0.3.0 insecurely uses /tmp fo
NOTE: Fixed by: 
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
 CVE-2017-8834 (The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 
0.6.12 a ...)
- libcroco  (bug #864666; low)
-   [buster] - libcroco  (Minor issue)
-   [stretch] - libcroco  (Minor issue)
+   [buster] - libcroco  (Minor issue)
+   [stretch] - libcroco  (Minor issue)
[jessie] - libcroco  (Minor issue)
[wheezy] - libcroco  (Vulnerable code not present)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=782647
@@ -278746,8 +278747,8 @@ CVE-2013-0343 (The ipv6_create_tempaddr function in 
net/ipv6/addrconf.c in the L
- linux-2.6  (low)
 CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses 
sequential ...)
- pyrad  (low; bug #701151)
-   [buster] - pyrad  (Minor issue)
-   [stretch] - pyrad  (Minor issue)
+   [buster] - pyrad  (Minor issue)
+   [stretch] - pyrad  (Minor issue)
[jessie] - pyrad  (Minor issue)
[wheezy] - pyrad  (Minor issue)
[squeeze] - pyrad  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2fd1f835a1b838445fb895cc62ff84639f301dc2


[Git][security-tracker-team/security-tracker][master] dla: claim gpac

2020-01-16 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
656cad27 by Sylvain Beucler at 2020-01-16T12:06:56+01:00
dla: claim gpac

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -22,7 +22,7 @@ clamav (Hugo Lefeuvre)
   NOTE: team would like to wait for an init script for the new clamonacc
   NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557
 --
-gpac
+gpac (Sylvain Beucler)
   NOTE: 20200105: All open issues are unfixed. Adding it here for future
   NOTE: triaging when more information are available. (apo)
 --
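Review bot: claiming is fine, but the only NOTE on the entry is apo's from 20200105 saying all open issues are unfixed upstream. Adding a dated NOTE with the intended approach (wait for upstream fixes, or backport the per-CVE upstream commits already linked from the gpac entries in data/CVE/list) keeps the entry's status readable for the rest of the team.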



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/656cad278a3cb67b8513d6778f6a8626ab3170db


[Git][security-tracker-team/security-tracker][master] 3 commits: Process some NFUs

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e985efc by Salvatore Bonaccorso at 2020-01-16T09:21:38+01:00
Process some NFUs

- - - - -
dacc4e34 by Salvatore Bonaccorso at 2020-01-16T09:21:53+01:00
Add CVE-2020-7106/cacti

- - - - -
8ea83610 by Salvatore Bonaccorso at 2020-01-16T09:22:07+01:00
Add CVE-2020-7105/hiredis

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,15 @@
 CVE-2020-7109
RESERVED
 CVE-2020-7108 (The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS 
via the ...)
-   TODO: check
+   NOT-FOR-US: LearnDash LMS plugin for WordPress
 CVE-2020-7107 (The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS 
via Dis ...)
-   TODO: check
+   NOT-FOR-US: Ultimate FAQ plugin for WordPress
 CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, 
color_templates_item.p ...)
-   TODO: check
+   - cacti 
+   NOTE: https://github.com/Cacti/cacti/issues/3191
 CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 
allow a N ...)
-   TODO: check
+   - hiredis 
+   NOTE: https://github.com/redis/hiredis/issues/747
 CVE-2020-7104
RESERVED
 CVE-2019-20380
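Review bot: the two new package lines (cacti for CVE-2020-7106, hiredis for CVE-2020-7105) are added without a Debian bug reference or a severity, and the hiredis description is cut off ("allow a N ...") before it says what is triggered. File the bugs and add "(bug #...)" plus a severity once the linked upstream issues (#3191 and #747) have been read, so these do not sit as bare open entries with no owner.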
@@ -8399,17 +8401,17 @@ CVE-2019-19861
 CVE-2019-19860
RESERVED
 CVE-2019-19859 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
-   TODO: check
+   NOT-FOR-US: Serpico
 CVE-2019-19858 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
-   TODO: check
+   NOT-FOR-US: Serpico
 CVE-2019-19857 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
-   TODO: check
+   NOT-FOR-US: Serpico
 CVE-2019-19856 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
-   TODO: check
+   NOT-FOR-US: Serpico
 CVE-2019-19855 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
-   TODO: check
+   NOT-FOR-US: Serpico
 CVE-2019-19854 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
-   TODO: check
+   NOT-FOR-US: Serpico
 CVE-2019-19853
RESERVED
 CVE-2019-19852



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/556cfc30a85eda45847435950cd09556a91e642f...8ea83610a0b2d1dda021de153819014c3ad42dfc


[Git][security-tracker-team/security-tracker][master] Remove information from CVE-2016-1000022 (duplicate of CVE-2016-10539)

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
556cfc30 by Salvatore Bonaccorso at 2020-01-16T09:14:26+01:00
Remove information from CVE-2016-1000022 (duplicate of CVE-2016-10539)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -188941,10 +188941,6 @@ CVE-2016-124
RESERVED
 CVE-2016-122
REJECTED
-   - node-negotiator 0.6.1-1 (unimportant)
-   NOTE: https://nodesecurity.io/advisories/106
-   NOTE: 
https://github.com/distributedweaknessfiling/DWF-Database/commit/5e607a0cad2769db2be5aafc4d9b1ec49bd7bbbc
-   NOTE: nodejs not covered by security support
 CVE-2016-121
REJECTED
 CVE-2016-120
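Review bot: the removed lines carried the node-negotiator 0.6.1-1 fixed version, the nodesecurity advisory link and the "not covered by security support" note. Since this ID is REJECTED as a duplicate of CVE-2016-10539, confirm that the CVE-2016-10539 entry already holds the same fixed version and references; otherwise this removal drops the only record of the fix.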



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/556cfc30a85eda45847435950cd09556a91e642f


[Git][security-tracker-team/security-tracker][master] automatic update

2020-01-16 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be32fc6f by security tracker role at 2020-01-16T08:10:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2020-7109
+   RESERVED
+CVE-2020-7108 (The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS 
via the ...)
+   TODO: check
+CVE-2020-7107 (The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS 
via Dis ...)
+   TODO: check
+CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, 
color_templates_item.p ...)
+   TODO: check
+CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 
allow a N ...)
+   TODO: check
+CVE-2020-7104
+   RESERVED
+CVE-2019-20380
+   RESERVED
 CVE-2020-7103
RESERVED
 CVE-2020-7102
@@ -120,10 +134,10 @@ CVE-2020-7047
RESERVED
 CVE-2020-7046
RESERVED
-CVE-2020-7045
-   RESERVED
-CVE-2020-7044
-   RESERVED
+CVE-2020-7045 (In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could 
crash. Thi ...)
+   TODO: check
+CVE-2020-7044 (In Wireshark 3.2.x before 3.2.1, the WASSP dissector could 
crash. This ...)
+   TODO: check
 CVE-2020-7043
RESERVED
 CVE-2020-7042
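Review bot: both Wireshark entries are left as "TODO: check". The descriptions scope them to "3.0.x before 3.0.8" and "3.2.x before 3.2.1", which says nothing about whether the BT ATT and WASSP dissector code in the older branches shipped by the stable suites is affected, so triage should go by the upstream fix commits rather than by these version ranges alone.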
@@ -7085,8 +7099,8 @@ CVE-2019-20099
RESERVED
 CVE-2019-20098
RESERVED
-CVE-2019-20097
-   RESERVED
+CVE-2019-20097 (Bitbucket Server and Bitbucket Data Center versions starting 
from 1.0. ...)
+   TODO: check
 CVE-2019-20096 (In the Linux kernel before 5.1, there is a memory leak in 
__feat_regis ...)
- linux 5.2.6-1
[jessie] - linux 3.16.72-1
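Review bot: CVE-2019-20097 names Bitbucket Server and Bitbucket Data Center, an Atlassian product not packaged in Debian, so this "TODO: check" can be closed as "NOT-FOR-US: Atlassian", the form already used for the other Atlassian entries further down this diff.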
@@ -8384,18 +8398,18 @@ CVE-2019-19861
REJECTED
 CVE-2019-19860
RESERVED
-CVE-2019-19859
-   RESERVED
-CVE-2019-19858
-   RESERVED
-CVE-2019-19857
-   RESERVED
-CVE-2019-19856
-   RESERVED
-CVE-2019-19855
-   RESERVED
-CVE-2019-19854
-   RESERVED
+CVE-2019-19859 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
+   TODO: check
+CVE-2019-19858 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
+   TODO: check
+CVE-2019-19857 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
+   TODO: check
+CVE-2019-19856 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
+   TODO: check
+CVE-2019-19855 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
+   TODO: check
+CVE-2019-19854 (An issue was discovered in Serpico (aka SimplE RePort wrIting 
and Coll ...)
+   TODO: check
 CVE-2019-19853
RESERVED
 CVE-2019-19852
@@ -28748,12 +28762,12 @@ CVE-2019-15014 (A command injection vulnerability 
exists in the Zingbox Inspecto
NOT-FOR-US: Zingbox Inspector
 CVE-2019-15013 (The WorkflowResource class removeStatus method in Jira before 
version  ...)
NOT-FOR-US: Atlassian
-CVE-2019-15012
-   RESERVED
+CVE-2019-15012 (Bitbucket Server and Bitbucket Data Center from version 4.13. 
before 5 ...)
+   TODO: check
 CVE-2019-15011 (The ListEntityLinksServlet resource in Application Links 
before versio ...)
NOT-FOR-US: Application Links
-CVE-2019-15010
-   RESERVED
+CVE-2019-15010 (Bitbucket Server and Bitbucket Data Center versions starting 
from vers ...)
+   TODO: check
 CVE-2019-15009 (The /json/profile/removeStarAjax.do resource in Atlassian 
Fisheye and  ...)
NOT-FOR-US: Atlassian Fisheye and Crucible
 CVE-2019-15008 (The /plugins/servlet/branchreview resource in Atlassian 
Fisheye and Cr ...)
@@ -188925,7 +188939,8 @@ CVE-2016-125
REJECTED
 CVE-2016-124
RESERVED
-CVE-2016-122 (negotiator before 0.6.1 is vulnerable to a regular 
expression DoS ...)
+CVE-2016-122
+   REJECTED
- node-negotiator 0.6.1-1 (unimportant)
NOTE: https://nodesecurity.io/advisories/106
NOTE: 
https://github.com/distributedweaknessfiling/DWF-Database/commit/5e607a0cad2769db2be5aafc4d9b1ec49bd7bbbc
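Review bot: the automatic update flips CVE-2016-1000022 to REJECTED but leaves the node-negotiator package line and the NOTEs underneath it in place. A rejected ID should not carry package state, so those lines need manual cleanup, with the fixed version and references moved to the ID this one was rejected in favour of if they are not already recorded there.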
@@ -306402,8 +306417,7 @@ CVE-2009-5070
RESERVED
 CVE-2009-5069
RESERVED
-CVE-2009-5068
-   RESERVED
+CVE-2009-5068 (There is a file disclosure vulnerability in SMF (Simple 
Machines Forum ...)
NOT-FOR-US: Simple Machines Forum
 CVE-2009-5067 (Directory traversal vulnerability in html2ps before 1.0b6 
allows remot ...)
- html2ps 1.0b7-1 (low; bug #548633)
@@ -311449,8 +311463,7 @@ CVE-2009-5027
REJECTED
 CVE-2009-5026 (The executable comment feature in MySQL 5.0.x before 5.0.93 and 
5.1.x  ...)
- mysql-5.1 5.1.53-1
-CVE-2009-5025 [PyForum XSS+CSRF]
-   RESERVED
+CVE-2009-5025 (A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where 
an att ...)
NOT-FOR-US: PyForum
 CVE-2009-5024 (ViewVC before 1.1.11 allows remote attackers to bypass the 
cvsdb row_l ...)