[Git][security-tracker-team/security-tracker][master] Add new edk2 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c56b4b1 by Salvatore Bonaccorso at 2020-02-11T07:21:01+01:00 Add new edk2 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34567,8 +34567,10 @@ CVE-2019-14577 RESERVED CVE-2019-14576 RESERVED -CVE-2019-14575 +CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check] RESERVED + - edk2 + NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 CVE-2019-14574 (Out of bounds read in a subsystem for Intel(R) Graphics Driver version ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-14573 @@ -34591,16 +34593,21 @@ CVE-2019-14565 (Insufficient initialization in Intel(R) SGX SDK Windows versions NOT-FOR-US: Intel CVE-2019-14564 RESERVED -CVE-2019-14563 +CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib] RESERVED + - edk2 + NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891 + NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001 CVE-2019-14562 RESERVED CVE-2019-14561 RESERVED CVE-2019-14560 RESERVED -CVE-2019-14559 +CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc] RESERVED + - edk2 + NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 CVE-2019-14558 RESERVED CVE-2019-14557 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c56b4b19ce945d3a3d7c8f7d66ba860242bd012 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c56b4b19ce945d3a3d7c8f7d66ba860242bd012 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
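Review bot: none of the three new edk2 entries carries a fixed version, a suite annotation or a Debian bug reference, so all of them will be displayed as open in every release the moment the RESERVED placeholder is replaced by a description. CVE-2019-14563 already has the upstream fix noted (`NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891`), so the packaged edk2 can be checked against that commit and a version or `(bug #…)` recorded now; CVE-2019-14575 and CVE-2019-14559 point only at the tianocore bugzilla, and the entries should say whether a fix exists upstream at all before they stay as bare `- edk2` lines.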
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2020-6860/libymysofa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 829ee756 by Salvatore Bonaccorso at 2020-02-10T22:34:06+01:00 Add fixed version via unstable for CVE-2020-6860/libymysofa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4353,8 +4353,7 @@ CVE-2020-6862 (V6.0.10P2T2 and V6.0.10P2T5 of F6x2W product are impacted by Info CVE-2020-6861 RESERVED CVE-2020-6860 (libmysofa 0.9.1 has a stack-based buffer overflow in readDataVar in hd ...) - [experimental] - libmysofa 1.0~dfsg0-1~exp1 - - libmysofa (bug #949325) + - libmysofa 1.0~dfsg0-1 (bug #949325) [buster] - libmysofa (Minor issue) NOTE: https://github.com/hoene/libmysofa/issues/96 NOTE: https://github.com/hoene/libmysofa/commit/c31120a4ddfe3fc705cfdd74da7e884e1866da85 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/829ee756d4387a9452d145cd6a8cbfc0f081abbc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/829ee756d4387a9452d145cd6a8cbfc0f081abbc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-1490{4,5}/ansible via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c529872e by Salvatore Bonaccorso at 2020-02-10T21:43:51+01:00 Add fixed version for CVE-2019-1490{4,5}/ansible via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33468,14 +33468,14 @@ CVE-2019-14906 (A flaw was found with the RHSA-2019:3950 erratum, where it did n NOT-FOR-US: Specific CVE assignment for incorrect/incomplete fix of CVE-2019-13616 in RHEL 7 CVE-2019-14905 [malicious code could craft filename in nxos_file_copy module] RESERVED - - ansible (low) + - ansible 2.9.4+dfsg-1 (low) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) [jessie] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1776943 CVE-2019-14904 [vulnerability in solaris_zone module via crafted solaris zone] RESERVED - - ansible (low) + - ansible 2.9.4+dfsg-1 (low) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) [jessie] - ansible (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c529872e0bf115aeee43c215deff96dd50892180 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c529872e0bf115aeee43c215deff96dd50892180 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-8089/piwigo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c919e4e7 by Salvatore Bonaccorso at 2020-02-10T21:19:37+01:00 Add CVE-2020-8089/piwigo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1596,7 +1596,7 @@ CVE-2020-8091 (svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could al CVE-2020-8090 (The Username field in the Storage Service settings of A1 WLAN Box ADB ...) NOT-FOR-US: A1 WLAN Box ADB VV2220v2 devices CVE-2020-8089 (Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to th ...) - TODO: check + - piwigo CVE-2020-8088 (panel_login.php in UseBB 1.0.12 allows type juggling for login bypass ...) NOT-FOR-US: UseBB CVE-2020-8087 (SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices allow remote comma ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c919e4e7c3ef903f677d75513ee5d9af52a4edee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c919e4e7c3ef903f677d75513ee5d9af52a4edee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
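Review bot: replacing `TODO: check` with a bare `- piwigo` records the stored XSS as open in unstable but gives the maintainer nothing to act on; add either the fixed upstream version once it is known or a filed bug in the `(bug #…)` form the surrounding entries use, and consider a `[buster]`/`[stretch]` annotation so the entry does not sit undecided for the stable suites.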
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 240d55e2 by Salvatore Bonaccorso at 2020-02-10T21:18:17+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,7 +15,7 @@ CVE-2020-8832 CVE-2020-8831 RESERVED CVE-2019-20451 (The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 ...) - TODO: check + NOT-FOR-US: Prismview CVE-2017-18642 RESERVED CVE-2020-8830 @@ -29,7 +29,7 @@ CVE-2020-8827 CVE-2020-8826 RESERVED CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows store ...) - TODO: check + NOT-FOR-US: Vanilla Forums CVE-2020-8824 RESERVED CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...) @@ -11189,13 +11189,13 @@ CVE-2019-20063 (hdf/dataobject.c in libmysofa before 0.8 has an uninitialized us NOTE: https://github.com/hoene/libmysofa/issues/67 NOTE: https://github.com/hoene/libmysofa/commit/ecb7b743b6f6d47b93a7bc680a60071a0f9524c6 CVE-2019-20062 (MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to r ...) - TODO: check + NOT-FOR-US: MFScripts YetiShare CVE-2019-20061 (The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5 ...) - TODO: check + NOT-FOR-US: MFScripts YetiShare CVE-2019-20060 (MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information ...) - TODO: check + NOT-FOR-US: MFScripts YetiShare CVE-2019-20059 (payment_manage.ajax.php and various *_manage.ajax.php in MFScripts Yet ...) - TODO: check + NOT-FOR-US: MFScripts YetiShare CVE-2019-20058 (** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS ...) NOT-FOR-US: Bolt CMS CVE-2019-20057 (com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman ...) 
@@ -15243,29 +15243,29 @@ CVE-2019-19672 CVE-2019-19671 RESERVED CVE-2019-19670 (A HTTP Response Splitting vulnerability was identified in the Web Sett ...) - TODO: check + NOT-FOR-US: Rumpus FTP Server CVE-2019-19669 (A CSRF vulnerability exists in the Upload Center Forms Component of We ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19668 (A CSRF vulnerability exists in the File Types component of Web File Ma ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19667 (A CSRF vulnerability exists in the Block Clients component of Web File ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19666 (A CSRF vulnerability exists in the Event Notices Settings of Web File ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19665 (A CSRF vulnerability exists in the FTP Settings of Web File Manager in ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19664 (A CSRF vulnerability exists in the Web Settings of Web File Manager in ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19663 (A CSRF vulnerability exists in the Folder Sets Settings of Web File Ma ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19662 (A CSRF vulnerability exists in the Web File Manager's Create/Delete Ac ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19661 (A Cookie based reflected XSS exists in the Web File Manager of Rumpus ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19660 (A CSRF vulnerability exists in the Web File Manager's Network Setting ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19659 (A CSRF vulnerability exists in the Web File Manager's Edit Accounts fu ...) - TODO: check + NOT-FOR-US: Rumpus FTP CVE-2019-19658 RESERVED CVE-2019-19657 
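Review bot: the labels in this hunk are inconsistent: CVE-2019-19670 becomes `NOT-FOR-US: Rumpus FTP Server` while the eleven sibling entries (CVE-2019-19659 through CVE-2019-19669) use `NOT-FOR-US: Rumpus FTP`; pick one spelling for the product so a later grep for Rumpus issues finds the whole set.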
@@ -282091,7 +282091,7 @@ CVE-2012-6451 (Lorex LNC116 and LNC104 IP Cameras have a Remote Authentication B CVE-2012-6450 RESERVED CVE-2012-6449 (The clientconf.html and detailbw.html pages in x3 in cPanel WHM ...) - TODO: check + NOT-FOR-US: cPanel CVE-2012-6448 (Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 all ...) NOT-FOR-US: cPanel CVE-2012-6447 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 5.0.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/240d55e2a204cd4d8aa88aa5299049cdaf88c92f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/240d55e2a204cd4d8aa88aa5299049cdaf88c92f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove source package annotations for CVE-2018-1709{4,5}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f825c7e by Salvatore Bonaccorso at 2020-02-10T21:12:03+01:00 Remove source package annotations for CVE-2018-1709{4,5} Both were duplicates of already earlier assigned CVEs for src:xar and now properly rejected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83672,10 +83672,8 @@ CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka NOTE: https://github.com/mpruett/audiofile/issues/51 CVE-2018-17094 REJECTED - - xar CVE-2018-17093 REJECTED - - xar CVE-2018-17092 (An issue was discovered in DonLinkage 6.6.8. SQL injection in /pages/p ...) NOT-FOR-US: DonLinkage CVE-2018-17091 (An issue was discovered in DonLinkage 6.6.8. It allows remote attacker ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f825c7e4d199f3ebdb05ad174160383a44a0285 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f825c7e4d199f3ebdb05ad174160383a44a0285 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ed3f050a by security tracker role at 2020-02-10T20:10:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2020-8838 + RESERVED +CVE-2020-8837 + RESERVED +CVE-2020-8836 + RESERVED +CVE-2020-8835 + RESERVED +CVE-2020-8834 + RESERVED +CVE-2020-8833 + RESERVED +CVE-2020-8832 + RESERVED +CVE-2020-8831 + RESERVED +CVE-2019-20451 (The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 ...) + TODO: check +CVE-2017-18642 + RESERVED CVE-2020-8830 RESERVED CVE-2020-8829 @@ -8,8 +28,8 @@ CVE-2020-8827 RESERVED CVE-2020-8826 RESERVED -CVE-2020-8825 - RESERVED +CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows store ...) + TODO: check CVE-2020-8824 RESERVED CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...) @@ -664,7 +684,7 @@ CVE-2020-8517 (An issue was discovered in Squid before 4.10. Due to incorrect in NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-c62d2b43ad4962ea44aa0c5edb4cc99cb83a413d.patch NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch NOTE: Debian binary packages are not build with --enable-external-acl-helpers="[...]LM_group[...". -CVE-2020-8516 (The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not ...) +CVE-2020-8516 (** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0 ...) - tor (unimportant) NOTE: Not considered a bug / explicit design choice by upstream NOTE: https://lists.torproject.org/pipermail/tor-dev/2020-February/014147.html 
@@ -674,7 +694,7 @@ CVE-2019-20446 (In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file wit - librsvg 2.46.4-1 NOTE: https://gitlab.gnome.org/GNOME/librsvg/issues/515 NOTE: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135 -CVE-2020-8515 (DrayTek Vigor2960 1.3.1_Beta; Vigor3900 1.4.4_Beta; and Vigor300B 1.3. ...) +CVE-2020-8515 (DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3. ...) NOT-FOR-US: DrayTek devices CVE-2020-8514 (An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a direc ...) NOT-FOR-US: Rumpus on macOS @@ -1575,8 +1595,8 @@ CVE-2020-8091 (svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could al NOT-FOR-US: TYPO3 CVE-2020-8090 (The Username field in the Storage Service settings of A1 WLAN Box ADB ...) NOT-FOR-US: A1 WLAN Box ADB VV2220v2 devices -CVE-2020-8089 - RESERVED +CVE-2020-8089 (Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to th ...) + TODO: check CVE-2020-8088 (panel_login.php in UseBB 1.0.12 allows type juggling for login bypass ...) NOT-FOR-US: UseBB CVE-2020-8087 (SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices allow remote comma ...) @@ -3887,16 +3907,14 @@ CVE-2020-7062 RESERVED CVE-2020-7061 RESERVED -CVE-2020-7060 [Global buffer-overflow in mbfl_filt_conv_big5_wchar function] - RESERVED +CVE-2020-7060 (When using certain mbstring functions to convert multibyte encodings, ...) - php7.4 7.4.2-7 - php7.3 - php7.0 - php5 NOTE: Fixed in PHP 7.4.2, 7.3.14, 7.2.27 NOTE: PHP Bug: http://bugs.php.net/79037 -CVE-2020-7059 [Out of bounds read in php_strip_tags_ex] - RESERVED +CVE-2020-7059 (When using fgetss() function to read data with stripping tags, in PHP ...) - php7.4 7.4.2-7 - php7.3 - php7.0 
@@ -11170,14 +11188,14 @@ CVE-2019-20063 (hdf/dataobject.c in libmysofa before 0.8 has an uninitialized us [buster] - libmysofa 0.6~dfsg0-3+deb10u1 NOTE: https://github.com/hoene/libmysofa/issues/67 NOTE: https://github.com/hoene/libmysofa/commit/ecb7b743b6f6d47b93a7bc680a60071a0f9524c6 -CVE-2019-20062 - RESERVED -CVE-2019-20061 - RESERVED -CVE-2019-20060 - RESERVED -CVE-2019-20059 - RESERVED +CVE-2019-20062 (MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to r ...) + TODO: check +CVE-2019-20061 (The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5 ...) + TODO: check +CVE-2019-20060 (MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information ...) + TODO: check +CVE-2019-20059 (payment_manage.ajax.php and various *_manage.ajax.php in MFScripts Yet ...) + TODO: check CVE-2019-20058 (** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS ...) NOT-FOR-US: Bolt CMS CVE-2019-20057
[Git][security-tracker-team/security-tracker][master] Assigning myself to some more work.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 05f6f806 by Ola Lundqvist at 2020-02-10T21:01:32+01:00 Assigning myself to some more work. - - - - - 1 changed file: - org/lts-frontdesk.2020.txt Changes: = org/lts-frontdesk.2020.txt = @@ -23,11 +23,11 @@ From 02-03 to 08-03:Chris Lamb From 09-03 to 15-03:Mike Gabriel From 16-03 to 22-03:Thorsten Alteholz From 23-03 to 29-03:Utkarsh Gupta -From 30-03 to 05-04: +From 30-03 to 05-04:Ola Lundqvist From 06-04 to 12-04:Chris Lamb From 13-04 to 19-04:Mike Gabriel From 20-04 to 26-04:Thorsten Alteholz -From 27-04 to 03-05: +From 27-04 to 03-05:Ola Lundqvist From 04-05 to 10-05:Chris Lamb From 11-05 to 17-05:Mike Gabriel From 18-05 to 24-05:Thorsten Alteholz View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/05f6f806d81d6f87abb5c0e2d792ab9bb19d6ba0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/05f6f806d81d6f87abb5c0e2d792ab9bb19d6ba0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add WIP for qemu
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: b39279d5 by Utkarsh Gupta at 2020-02-10T18:45:55+01:00 Add WIP for qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,6 +72,7 @@ python2.7 (Roberto C. Sánchez) python3.4 (Roberto C. Sánchez) -- qemu (Utkarsh Gupta) + NOTE: 20200210: WIP. -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b39279d59c25469ca7bcf13f1c063c3659e189cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b39279d59c25469ca7bcf13f1c063c3659e189cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c94800b by Moritz Muehlenhoff at 2020-02-10T17:54:01+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -273606,13 +273606,13 @@ CVE-2013-3640 (Cross-site scripting (XSS) vulnerability in the Instant Web Publi CVE-2013-3639 (Multiple cross-site scripting (XSS) vulnerabilities in Xaraya 2.4.0-b1 ...) NOT-FOR-US: Xaraya CVE-2013-3638 (SQL injection vulnerability in Boonex Dolphin before 7.1.3 allows remo ...) - TODO: check + NOT-FOR-US: Boonex Dolphin CVE-2013-3637 (ProjectPier 0.8.8 does not use the Secure flag for cookies ...) - TODO: check + NOT-FOR-US: ProjectPier CVE-2013-3636 (ProjectPier 0.8.8 has a Remote Information Disclosure Weakness because ...) - TODO: check + NOT-FOR-US: ProjectPier CVE-2013-3635 (ProjectPier 0.8.8 has stored XSS ...) - TODO: check + NOT-FOR-US: ProjectPier CVE-2013-3634 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens switches CVE-2013-3633 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) @@ -283885,13 +283885,13 @@ CVE-2012-6311 CVE-2012-6310 RESERVED CVE-2012-6309 (A vulnerability exists in Arctic Torrent 1.4 via unspecified vectors i ...) - TODO: check + NOT-FOR-US: Arctic Torrent CVE-2012-6308 RESERVED CVE-2012-6307 (A vulnerability exists in JPEGsnoop 1.5.2 due to an unspecified issue ...) - TODO: check + NOT-FOR-US: JPEGsnoop CVE-2012-6306 (A vulnerability exists in HCView (aka Hardcoreview) 1.4 due to a write ...) - TODO: check + NOT-FOR-US: HCView (aka Hardcoreview) CVE-2012-6305 RESERVED CVE-2012-6304 
@@ -286099,7 +286099,7 @@ CVE-2012-5572 (CRLF injection vulnerability in the cookie method (lib/Dancer/Coo CVE-2012-5571 (OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properl ...) - keystone 2012.1.1-11 (bug #694433) CVE-2012-5570 (The Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allows remo ...) - TODO: check + NOT-FOR-US: Drupal addon CVE-2012-5569 (Multiple cross-site scripting (XSS) vulnerabilities in the Basic webma ...) NOT-FOR-US: Drupal Webmail module CVE-2012-5568 (Apache Tomcat through 7.0.x allows remote attackers to cause a denial ...) @@ -314905,7 +314905,7 @@ CVE-2011-0222 (WebKit, as used in Apple Safari before 5.0.6, allows remote attac CVE-2011-0221 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0220 (Apple Bonjour before 2011 allows a crash via a crafted multicast DNS p ...) - TODO: check + NOT-FOR-US: Apple CVE-2011-0219 (Apple Safari before 5.0.6 allows remote attackers to bypass the Same O ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0218 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c94800b95c14e49248615ee18c6b35ef23671df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c94800b95c14e49248615ee18c6b35ef23671df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
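Review bot: `NOT-FOR-US: Drupal addon` for CVE-2012-5570 sits directly above the existing `NOT-FOR-US: Drupal Webmail module` for CVE-2012-5569, and both descriptions name the same Basic webmail module; use the more specific existing label for the new line too rather than a generic "addon".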
[Git][security-tracker-team/security-tracker][master] CVE-2019-10782,checkstyle: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cab62f7f by Markus Koschany at 2020-02-10T16:59:50+01:00 CVE-2019-10782,checkstyle: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50828,7 +50828,7 @@ CVE-2019-9660 (Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html CVE-2019-9659 (The Chuango 433 MHz burglar-alarm product line uses static codes in th ...) NOT-FOR-US: Chuango CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulner ...) - - checkstyle + - checkstyle 8.29-1 [buster] - checkstyle (Incomplete fix for CVE-2019-9658 not applied) [stretch] - checkstyle (Incomplete fix for CVE-2019-9658 not applied) NOTE: https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cab62f7f6a8f755275e67eff671922d4a625334b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cab62f7f6a8f755275e67eff671922d4a625334b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2015-9541/qtbase-opensource-src
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 85ad4d51 by Salvatore Bonaccorso at 2020-02-10T16:32:05+01:00 Add Debian bug reference for CVE-2015-9541/qtbase-opensource-src - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1908,7 +1908,7 @@ CVE-2020-7963 CVE-2019-20420 RESERVED CVE-2015-9541 (Qt through 5.14 allows an exponential XML entity expansion attack via ...) - - qtbase-opensource-src (low) + - qtbase-opensource-src (low; bug #951066) [buster] - qtbase-opensource-src (Minor issue) [stretch] - qtbase-opensource-src (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-47417 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/85ad4d511fcf9b54482e1200718f076c09eb8981 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/85ad4d511fcf9b54482e1200718f076c09eb8981 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new QT issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fc21ff24 by Moritz Muehlenhoff at 2020-02-10T15:14:47+01:00 new QT issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1908,7 +1908,10 @@ CVE-2020-7963 CVE-2019-20420 RESERVED CVE-2015-9541 (Qt through 5.14 allows an exponential XML entity expansion attack via ...) - TODO: check + - qtbase-opensource-src (low) + [buster] - qtbase-opensource-src (Minor issue) + [stretch] - qtbase-opensource-src (Minor issue) + NOTE: https://bugreports.qt.io/browse/QTBUG-47417 CVE-2020-7962 RESERVED CVE-2020-7961 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc21ff24ff8c9c0cda87433e14ee4b37f3015e3c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc21ff24ff8c9c0cda87433e14ee4b37f3015e3c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Four squid issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bcc94719 by Salvatore Bonaccorso at 2020-02-10T15:01:52+01:00 Four squid issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -658,7 +658,7 @@ CVE-2020-8519 CVE-2020-8518 RESERVED CVE-2020-8517 (An issue was discovered in Squid before 4.10. Due to incorrect input v ...) - - squid (unimportant) + - squid 4.10-1 (unimportant) - squid3 (unimportant) NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_3.txt NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-c62d2b43ad4962ea44aa0c5edb4cc99cb83a413d.patch @@ -812,14 +812,14 @@ CVE-2020-8452 CVE-2020-8451 RESERVED CVE-2020-8450 (An issue was discovered in Squid before 4.10. Due to incorrect buffer ...) - - squid (bug #950802) + - squid 4.10-1 (bug #950802) - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_1.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch (Squid 3.5) NOTE: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch (Squid 4.8 and older) NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch (Squid 4.9) CVE-2020-8449 (An issue was discovered in Squid before 4.10. Due to incorrect input v ...) - - squid (bug #950802) + - squid 4.10-1 (bug #950802) - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_1.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch (Squid 3.5) 
@@ -41717,7 +41717,7 @@ CVE-2019-12529 (An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x th NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_2.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch CVE-2019-12528 (An issue was discovered in Squid before 4.10. It allows a crafted FTP ...) - - squid (bug #950925) + - squid 4.10-1 (bug #950925) - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_2.txt NOTE: Squid 3: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8cdb18ca1829a0b7faa1c9e472604ed0e7e105ac.patch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bcc9471967570ebc33c3483131de8f1092a8812b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bcc9471967570ebc33c3483131de8f1092a8812b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
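Review bot: all four entries (CVE-2020-8517, CVE-2020-8450, CVE-2020-8449, CVE-2019-12528) now record `squid 4.10-1` as fixed, but the accompanying `- squid3` lines (and `- squid3 (unimportant)` for CVE-2020-8517) keep neither a version nor a suite annotation, so that source package stays listed as open with no triage decision even though the NOTE lines already point at the Squid 3.5 changesets; record a fixed version there once those patches are backported, or a no-dsa/postponed decision if they will not be.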
[Git][security-tracker-team/security-tracker][master] Restore faulty removed CVE identifier back
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7146be89 by Salvatore Bonaccorso at 2020-02-10T14:23:03+01:00 Restore faulty removed CVE identifier back - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,6 +41,7 @@ CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext H NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 NOTE: Some of the templates were switched to fetch the pacakges over HTTPS, cf. NOTE: https://github.com/lxc/lxc/pull/1371 for the lxc-fedora template. +CVE-2020-8813 RESERVED CVE-2020-8812 (** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert m ...) NOT-FOR-US: Bludit View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7146be8950ae7046a8a283e5ea0f040e930a64ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7146be8950ae7046a8a283e5ea0f040e930a64ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2017-18641/lxc{,-templates}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 95a9ef18 by Salvatore Bonaccorso at 2020-02-10T14:22:13+01:00 Add CVE-2017-18641/lxc{,-templates} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,8 +35,12 @@ CVE-2020-8814 CVE-2018-21034 RESERVED CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...) - TODO: check -CVE-2020-8813 + - lxc-templates + - lxc 1:3.0.3-1 + NOTE: LXC 3.0.2 split the templates out to separate lxc-templates. + NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 + NOTE: Some of the templates were switched to fetch the pacakges over HTTPS, cf. + NOTE: https://github.com/lxc/lxc/pull/1371 for the lxc-fedora template. RESERVED CVE-2020-8812 (** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert m ...) NOT-FOR-US: Bludit View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95a9ef18bad3d708075aea7f5bc5d72dac0355b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95a9ef18bad3d708075aea7f5bc5d72dac0355b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
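Review bot: the hunk removes the `CVE-2020-8813` header line while inserting the lxc annotations, so its `RESERVED` line is left dangling under the CVE-2017-18641 NOTEs and the identifier vanishes from the list; `CVE-2020-8813` must be re-added as the line immediately before that `RESERVED`. Two smaller points on the same hunk: `- lxc-templates` has no version or annotation although the NOTEs say only some templates were moved to HTTPS, so the entry should state that the template package is still affected rather than leave it undecided; and the NOTE line reads "pacakges" for "packages".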
[Git][security-tracker-team/security-tracker][master] LTS/claim ntp in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 576ac824 by Roberto C. Sánchez at 2020-02-10T08:20:06-05:00 LTS/claim ntp in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,7 +51,7 @@ netty-3.9 (Sylvain Beucler) -- nodejs -- -ntp +ntp (Roberto C. Sánchez) -- opendmarc (Thorsten Alteholz) NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/576ac8245d7047060fff14f26772b1aabf2a25d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/576ac8245d7047060fff14f26772b1aabf2a25d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2100-1 for libexif
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b1702bf by Hugo Lefeuvre at 2020-02-10T14:09:43+01:00 Reserve DLA-2100-1 for libexif - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Feb 2020] DLA-2100-1 libexif - security update + {CVE-2019-9278} + [jessie] - libexif 0.6.21-2+deb8u1 [10 Feb 2020] DLA-2099-1 checkstyle - security update {CVE-2019-10782} [jessie] - checkstyle 5.9-1+deb8u2 = data/dla-needed.txt = @@ -27,16 +27,6 @@ intel-microcode jackson-databind NOTE: 20200105: Can be postponed again. (apo) -- -libexif - NOTE: 2019: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102) - NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102) - NOTE: 20191118: No patch yet. Shall claim and fix once the patch is available. (utkarsh2102) - NOTE: 20191201: Pinged the upstream yet again. (utkarsh2102) - NOTE: 20191216: The android patch does not apply but is easy to manually apply. (ola) - NOTE: 20191216: The problem is the file to trigger the fault is not known. (ola) - NOTE: 20200111: Investigated the issue, currently in contact with Ray Essick @google - NOTE: 20200111: to get access to the reproducer. (hle) --- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b1702bffe1719c0a61c23522f81f8be5757e6a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b1702bffe1719c0a61c23522f81f8be5757e6a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
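Review bot: the dla-needed NOTEs removed here end with the reproducer still outstanding (`20200111: ... in contact with Ray Essick @google to get access to the reproducer`) and record that the Android patch did not apply cleanly and was applied by hand, yet the new `DLA-2100-1 libexif` entry for `0.6.21-2+deb8u1` fixing CVE-2019-9278 says nothing about how the backport was validated. A one-line NOTE on the DLA entry (or in the upload changelog) saying whether the reproducer was obtained and run against the patched build would preserve that history now that the tracking entry is gone.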
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2099-1 for checkstyle
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d8f7179d by Markus Koschany at 2020-02-10T12:51:02+01:00 Reserve DLA-2099-1 for checkstyle - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Feb 2020] DLA-2099-1 checkstyle - security update + {CVE-2019-10782} + [jessie] - checkstyle 5.9-1+deb8u2 [09 Feb 2020] DLA-2098-1 ipmitool - security update {CVE-2020-5208} [jessie] - ipmitool 1.8.14-4+deb8u1 = data/dla-needed.txt = @@ -9,8 +9,6 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues --- -checkstyle (Markus Koschany) -- clamav (Hugo Lefeuvre) NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8f7179da1611f298bbfa22c43c2338209f029d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8f7179da1611f298bbfa22c43c2338209f029d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage nodejs for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ad9bfde by Chris Lamb at 2020-02-10T11:08:25+00:00 data/dla-needed.txt: Triage nodejs for jessie LTS. - - - - - d9fcd23e by Chris Lamb at 2020-02-10T11:10:30+00:00 data/dla-needed.txt: Triage ntp for jessie LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,6 +61,10 @@ netty (Sylvain Beucler) -- netty-3.9 (Sylvain Beucler) -- +nodejs +-- +ntp +-- opendmarc (Thorsten Alteholz) NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/07cdce3ee449072ccc7e9d1e7f62ce30a3946822...d9fcd23eb275b959096d388e410d7acf995e478c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/07cdce3ee449072ccc7e9d1e7f62ce30a3946822...d9fcd23eb275b959096d388e410d7acf995e478c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
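Review bot: `nodejs` and `ntp` are added to dla-needed.txt without any NOTE line, so whoever claims them cannot tell from the file which CVEs triggered the triage or whether anything has been looked at already; the neighbouring entries (e.g. opendmarc with its dated `NOTE: 20200119:` line) show the convention. Consider adding a dated NOTE with the relevant CVE ids to each entry.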
[Git][security-tracker-team/security-tracker][master] Correct "not-affected" tag on CVE-2019-20387 (accidentally added to CVE-2019-19844).
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 07cdce3e by Chris Lamb at 2020-02-10T11:06:49+00:00 Correct not-affected tag on CVE-2019-20387 (accidentally added to CVE-2019-19844). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2997,6 +2997,7 @@ CVE-2019-20387 (repodata_schema2id in repodata.c in libsolv before 0.7.6 has a h NOTE: https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da (0.7.6) CVE-2020-7471 (Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 al ...) - python-django 2:2.2.10-1 (bug #950581) + [jessie] - python-django (Vulnerable code introduced in Django ~1.9) NOTE: https://www.djangoproject.com/weblog/2020/feb/03/security-releases/ NOTE: https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136 (master) NOTE: https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b (3.0.3) 
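Review bot: the commit message names CVE-2019-20387, but the added `[jessie] - python-django (Vulnerable code introduced in Django ~1.9)` line sits under CVE-2020-7471 (Django 1.11 before 1.11.28, 2.2 before 2.2.10, 3.0 before 3.0.3); `CVE-2019-20387` shows up only in the `@@` header because it is the nearest preceding entry used as hunk context. The placement itself is consistent with the Django version range on that entry, so it is the message that should say CVE-2020-7471 for the history to match the data.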
@@ -12429,7 +12430,6 @@ CVE-2019-19845 (In Joomla! before 3.9.14, a missing access check in framework fi CVE-2019-19844 (Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows a ...) {DSA-4598-1 DLA-2042-1} - python-django 2:2.2.9-1 (bug #946937) - [jessie] - python-django (Vulnerable code introduced in Django ~1.9) NOTE: https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ NOTE: https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70 (master) NOTE: https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26 (3.0.x branch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/07cdce3ee449072ccc7e9d1e7f62ce30a3946822 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/07cdce3ee449072ccc7e9d1e7f62ce30a3946822 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
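Review bot: dropping the jessie not-affected tag from CVE-2019-19844 is consistent with the `{DSA-4598-1 DLA-2042-1}` reference on the same entry; a DLA issued for jessie and a jessie not-affected tag cannot both be right, so the removed line was contradicting the advisory that had already been published.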
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fe3d5ec by Moritz Muehlenhoff at 2020-02-10T11:13:49+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,9 +13,9 @@ CVE-2020-8825 CVE-2020-8824 RESERVED CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...) - TODO: check + NOT-FOR-US: SockJS CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices ...) - TODO: check + NOT-FOR-US: Digi TransPort CVE-2020-8821 RESERVED CVE-2020-8820 @@ -16809,7 +16809,7 @@ CVE-2020-1930 (A command execution issue was found in Apache SpamAssassin prior NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/3 NOTE: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7648 (restricted) CVE-2020-1929 (The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an ...) - TODO: check + NOT-FOR-US: Apache Beam MongoDB connector CVE-2020-1928 (An information disclosure vulnerability was found in Apache NiFi 1.10. ...) NOT-FOR-US: Apache NiFi CVE-2020-1927 @@ -18766,7 +18766,7 @@ CVE-2019-18990 CVE-2019-18989 RESERVED CVE-2019-18988 (TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login a ...) - TODO: check + NOT-FOR-US: TeamViewer CVE-2019-18987 (An issue was discovered in the AbuseFilter extension through 1.34 for ...) NOT-FOR-US: AbuseFilter MediaWiki extension CVE-2019-18986 (Pimcore before 6.2.2 allow attackers to brute-force (guess) valid user ...) 
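Review bot: the NOT-FOR-US markers for the Digi TransPort devices and TeamViewer are clear-cut, but CVE-2020-8823 (SockJS, a JavaScript library) and CVE-2020-1929 (the Apache Beam MongoDB connector, Java) are the kind of upstream that sometimes exists in the archive under a different source name (a `node-*` or `lib*-java` package); recording that a source-name search came up empty, for instance as a NOTE, would make the NFU verdict reproducible for the next person who revisits these ids.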
@@ -22580,7 +22580,7 @@ CVE-2019-18414 (Sourcecodester Restaurant Management System 1.0 is affected by a CVE-2019-18413 (In TypeStack class-validator 0.10.2, validate() input validation can b ...) NOT-FOR-US: TypeStack class-validator CVE-2019-18412 (JetBrains IDETalk plugin before version 193.4099.10 allows XXE ...) - TODO: check + NOT-FOR-US: JetBrains IDETalk plugin CVE-2019-18411 (Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the ...) NOT-FOR-US: Zoho ManageEngine CVE-2019-18410 @@ -26366,7 +26366,7 @@ CVE-2019-17270 (Yachtcontrol through 2019-10-06: It's possible to perform direct CVE-2019-17269 (Intellian Remote Access 3.18 allows remote attackers to execute arbitr ...) NOT-FOR-US: Intellian Remote Access CVE-2019-17268 (The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGe ...) - TODO: check + NOT-FOR-US: omniauth-weibo-oauth2 gem CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-2030-1} - jackson-databind 2.10.0-1 @@ -26676,11 +26676,11 @@ CVE-2019-17129 CVE-2019-17128 (Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection ...) NOT-FOR-US: Netreo OmniCenter CVE-2019-17127 (A Stored Client Side Template Injection (CSTI) with Angular was discov ...) - TODO: check + NOT-FOR-US: SolarWinds Orion Platform CVE-2019-17126 RESERVED CVE-2019-17125 (A Reflected Client Side Template Injection (CSTI) with Angular was dis ...) - TODO: check + NOT-FOR-US: SolarWinds Orion Platform CVE-2019-17124 (Kramer VIAware 2.5.0719.1034 has Incorrect Access Control. ...) NOT-FOR-US: Kramer VIAware CVE-2019-17123 (The eGain Web Email API 11+ allows spoofed messages because the fromNa ...) 
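Review bot: same check applies to CVE-2019-17268, where the vulnerable component is the `omniauth-weibo-oauth2` Ruby gem; gems that are packaged appear as `ruby-*` source packages, so the NFU marker should follow a source-name search rather than the absence of the gem name itself. The two SolarWinds entries (CVE-2019-17127, CVE-2019-17125) carry descriptions truncated to "Client Side Template Injection (CSTI) with Angular" in this view, so the product attribution in the marker comes from the full CVE text; keeping both markers worded identically, as done here, helps when grepping for them later.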
@@ -31101,15 +31101,15 @@ CVE-2019-15622 (Not strictly enough sanitization in the Nextcloud Android app 3. CVE-2019-15621 (Improper permissions preservation in Nextcloud Server 16.0.1 causes sh ...) - nextcloud-server (bug #941708) CVE-2019-15620 (Improper access control in Nextcloud Talk 6.0.3 leaks the existance an ...) - TODO: check + NOT-FOR-US: Nextcloud Talk CVE-2019-15619 (Improper neutralization of file names, conversation names and board na ...) - nextcloud-server (bug #941708) CVE-2019-15618 (Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a ...) - TODO: check + - nextcloud-server (bug #941708) CVE-2019-15617 (A missing check in Nextcloud Server 17.0.0 allowed an attacker to set ...) - nextcloud-server (bug #941708) CVE-2019-15616 (Dangling remote share attempts in Nextcloud 16 allow a DNS pollution w ...) - TODO: check + - nextcloud-server (bug #941708) CVE-2019-15615 (A wrong check for the system time in the Android App 3.9.0 causes a by ...) NOT-FOR-US: Nextcloud Android app CVE-2019-15614 (Missing sanitization in the iOS App 2.24.4 causes an XSS when opening ...) @@ -31121,13 +31121,13 @@ CVE-2019-15612 (A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to no CVE-2019-15611 (Violation of Secure Design Principles in the iOS App 2.23.0 causes the ...)
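Review bot: CVE-2019-15618 and CVE-2019-15616 move from `TODO: check` to `- nextcloud-server (bug #941708)`, matching the neighbouring Nextcloud Server entries (CVE-2019-15621, -15619, -15617) that cite the same bug. CVE-2019-15618 describes the Updater of Nextcloud 15.0.5, though, so it is worth confirming that the updater ships as part of the nextcloud-server source tracked under #941708 rather than as a separate component before treating the bug reference as covering it. The following hunk at `@@ -31121,13 +31121,13 @@` is cut off after the CVE-2019-15611 header in this mail, so its changes cannot be reviewed from here.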
[Git][security-tracker-team/security-tracker][master] dla-needed: reclaim xerces-c
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a671f6cb by Hugo Lefeuvre at 2020-02-10T10:36:47+01:00 dla-needed: reclaim xereces-c - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,9 +136,10 @@ xcftools (Hugo Lefeuvre) -- xen -- -xerces-c +xerces-c (Hugo Lefeuvre) NOTE: 20191231: There is no upstream patch yet. (apo) NOTE: 20200118: There is still no upstream patch. (lamby) + NOTE: 20200210: working on a patch, see ML (hle) -- yara NOTE: 20191212: no upstream fix yet View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a671f6cbd9434828b14875b1b18cfc8fe87997bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a671f6cbd9434828b14875b1b18cfc8fe87997bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
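Review bot: the new `NOTE: 20200210: working on a patch, see ML (hle)` refers to a mailing-list thread without a link; the existing NOTEs on this entry only state that no upstream patch exists, so a URL to the list archive message carrying the draft patch would let the next claimant find it without searching. The package name in the commit message is also misspelled (`xereces-c` for `xerces-c`), which matters for anyone grepping the history by package.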
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: ee4c8208 by Holger Levsen at 2020-02-10T10:11:13+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,7 +136,7 @@ xcftools (Hugo Lefeuvre) -- xen -- -xerces-c (Hugo Lefeuvre) +xerces-c NOTE: 20191231: There is no upstream patch yet. (apo) NOTE: 20200118: There is still no upstream patch. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee4c820815b75eebb6107829ea9dcd64399b9334 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee4c820815b75eebb6107829ea9dcd64399b9334 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
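Review bot: the unclaim removes `(Hugo Lefeuvre)` but keeps the two NOTE lines (20191231 from apo, 20200118 from lamby) recording that no upstream patch exists, which is the right thing to keep since they are status information rather than the claimant's own work. For a sweep described as "semi-automatic ... after 2 weeks of inactivity", the last dated NOTE on this entry is 20200118, 23 days before this commit, so the entry qualifies; naming the cutoff date in the commit message would let others verify the selection for each entry the sweep touches.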
[Git][security-tracker-team/security-tracker][master] remove postponed for older cargo issue, this one is present in stretch 9.12 and jessie-security
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0dc00f1f by Moritz Muehlenhoff at 2020-02-10T10:09:11+01:00 remove postponed for older cargo issue, this one is present in stretch 9.12 and jessie-security - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27804,8 +27804,6 @@ CVE-2019-16761 (A specially crafted Bitcoin script can cause a discrepancy betwe NOT-FOR-US: SLP CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency if your p ...) - cargo 0.27.0-1 - [stretch] - cargo (Upcoming upgrade of Cargo for ESR68 will fix this) - [jessie] - cargo (Upcoming upgrade of Cargo for ESR68 will fix this) NOTE: https://rustsec.org/advisories/CVE-2019-16760.html CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...) NOT-FOR-US: vBulletin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0dc00f1faf84db79538826ac4f8321cb10630265 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0dc00f1faf84db79538826ac4f8321cb10630265 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
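Review bot: with both the `[stretch]` and `[jessie]` postponed tags removed, the state of CVE-2019-16760 in those suites is now decided solely by comparing the suite's cargo version against the `cargo 0.27.0-1` fixed version on the entry. The message says the newer cargo is present in stretch 9.12 and jessie-security, so the entry should come out as fixed there, but that holds only if the cargo shipped in those suites carries a version greater than or equal to 0.27.0-1; confirming that (e.g. with `rmadison cargo`) before relying on it avoids the entry silently flipping from postponed to open instead of fixed.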
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e08c6af by security tracker role at 2020-02-10T08:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,41 @@ +CVE-2020-8830 + RESERVED +CVE-2020-8829 + RESERVED +CVE-2020-8828 + RESERVED +CVE-2020-8827 + RESERVED +CVE-2020-8826 + RESERVED +CVE-2020-8825 + RESERVED +CVE-2020-8824 + RESERVED +CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...) + TODO: check +CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices ...) + TODO: check +CVE-2020-8821 + RESERVED +CVE-2020-8820 + RESERVED +CVE-2020-8819 + RESERVED +CVE-2020-8818 + RESERVED +CVE-2020-8817 + RESERVED +CVE-2020-8816 + RESERVED +CVE-2020-8815 + RESERVED +CVE-2020-8814 + RESERVED +CVE-2018-21034 + RESERVED +CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...) + TODO: check CVE-2020-8813 RESERVED CVE-2020-8812 (** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert m ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e08c6afcc38e066fb2145e53b4bbf5e63ed1d90 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e08c6afcc38e066fb2145e53b4bbf5e63ed1d90 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
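Review bot: two old-year identifiers, CVE-2018-21034 (RESERVED) and CVE-2017-18641 (`TODO: check`), land at the head of the file among the CVE-2020-88xx allocations; that is how the automatic import works (newly published ids go on top regardless of year), but it means they are easy to overlook when scanning the top of the list for 2020 issues. CVE-2017-18641 describes LXC 2.0 template scripts downloading code over cleartext HTTP, and lxc is in the archive, so this one needs a real triage rather than an NFU sweep.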