[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1749/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b8d7f155 by Salvatore Bonaccorso at 2020-03-05T07:36:03+01:00 Add CVE-2020-1749/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20487,8 +20487,10 @@ CVE-2020-1751 RESERVED CVE-2020-1750 RESERVED -CVE-2020-1749 +CVE-2020-1749 [net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup] RESERVED + - linux 5.4.6-1 + NOTE: https://git.kernel.org/linus/6c8991f41546c3c472503dff1ea9daaddf9331c2 CVE-2020-1748 RESERVED CVE-2020-1747 [arbitrary command execution through python/object/new when FullLoader is used] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8d7f15593bef61b6f7ef4568bf8cb87d115c84c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8d7f15593bef61b6f7ef4568bf8cb87d115c84c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
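Review bot: the added linux lines record 5.4.6-1 as the fixed version in unstable but carry no [buster]/[stretch]/[jessie] annotations, so every stable suite with an older kernel is listed as affected until someone triages it; if that is deliberate pending a kernel update, fine, but a short NOTE saying which upstream stable series already carry 6c8991f41546 (the commit linked in the NOTE line) would save the next triager a lookup.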
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-524{7,9}/puma via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8941b840 by Salvatore Bonaccorso at 2020-03-05T05:22:10+01:00 Add fixed version for CVE-2020-524{7,9}/puma via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10689,13 +10689,13 @@ CVE-2020-5251 (In parser-server before version 4.1.0, you can fetch all the user CVE-2020-5250 RESERVED CVE-2020-5249 (In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Pum ...) - - puma (bug #953122) + - puma 3.12.4-1 (bug #953122) NOTE: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 NOTE: https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3 CVE-2020-5248 RESERVED CVE-2020-5247 (In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application us ...) - - puma (bug #952766) + - puma 3.12.4-1 (bug #952766) NOTE: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v NOTE: https://github.com/puma/puma/commit/1b17e85a06183cd169b41ca719928c26d44a6e03 (3.12.3) NOTE: https://github.com/puma/puma/commit/694feafcd4fdcea786a0730701dad933f7547bea (4.3.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8941b840b65cf78fb45d65f8c5e7a7da08e292f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8941b840b65cf78fb45d65f8c5e7a7da08e292f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-8113/gitlab
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 686e228f by Salvatore Bonaccorso at 2020-03-05T05:06:13+01:00 Add CVE-2020-8113/gitlab - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4297,6 +4297,8 @@ CVE-2020-8114 (GitLab EE 8.9 and later through 12.7.2 has Insecure Permission .. NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-8113 RESERVED + - gitlab + NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...) {DLA-2089-1} - openjpeg2 (bug #950184) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/686e228fbe5f3826abdfc774a62ae449bd8f3c7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/686e228fbe5f3826abdfc774a62ae449bd8f3c7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: mark CVE-2017-18641/lxc as ignored for jessie
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b46dadd by Roberto C. Sánchez at 2020-03-04T21:06:34-05:00 LTS: mark CVE-2017-18641/lxc as ignored for jessie - - - - - a34af497 by Roberto C. Sánchez at 2020-03-04T21:07:54-05:00 LTS: remove lxc from dla-needed.txt, no open vulnerabilities - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2750,6 +2750,7 @@ CVE-2018-21034 CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...) - lxc-templates - lxc 1:3.0.3-1 + [jessie] - lxc (https://lists.debian.org/debian-lts/2020/02/msg00102.html) NOTE: LXC 3.0.2 split the templates out to separate lxc-templates. NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 NOTE: Some of the templates were switched to fetch the pacakges over HTTPS, cf. = data/dla-needed.txt = @@ -42,10 +42,6 @@ lua-cgi NOTE: 20200227: The package do not seem to be used much, but the popcon data in this case NOTE: 20200227: may not be entirelly reliable. One possibility is to declare it unsupported. (Ola) -- -lxc (Roberto C. Sánchez) - NOTE: 20200221: CVE-2017-18641 is probably to extensive to fix in Jessie - NOTE: 20200226: sent propsal for no-dsa triage to mailing list for review. (roberto) --- nova (Thorsten Alteholz) -- opendmarc (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/556cc9e22eefa8e991f153ed421e23c788f5ad23...a34af497081f5ef801f510b6f9f507866dda7ad3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/556cc9e22eefa8e991f153ed421e23c788f5ad23...a34af497081f5ef801f510b6f9f507866dda7ad3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
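Review bot: the added line `[jessie] - lxc (https://lists.debian.org/debian-lts/2020/02/msg00102.html)` in the data/CVE/list hunk shows no status marker between the package name and the parenthesised reason, although the commit message says the CVE is being marked ignored for jessie; a bare `[jessie] - lxc (...)` annotation is read by the tracker as "still vulnerable, with a free-text comment", not as ignored. Confirm the `<ignored>` marker is actually in the committed line (angle brackets are easily dropped when the mail is rendered), and consider stating the rationale in words ("too extensive to fix in jessie", as the removed dla-needed note put it) rather than only a list-archive URL, so the reason survives without a web lookup.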
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-5249/puma
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 556cc9e2 by Salvatore Bonaccorso at 2020-03-04T22:07:53+01:00 Add Debian bug reference for CVE-2020-5249/puma - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10686,7 +10686,7 @@ CVE-2020-5251 (In parser-server before version 4.1.0, you can fetch all the user CVE-2020-5250 RESERVED CVE-2020-5249 (In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Pum ...) - - puma + - puma (bug #953122) NOTE: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 NOTE: https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3 CVE-2020-5248 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/556cc9e22eefa8e991f153ed421e23c788f5ad23 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/556cc9e22eefa8e991f153ed421e23c788f5ad23 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20935df1 by Salvatore Bonaccorso at 2020-03-04T21:19:32+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-10057 (GeniXCMS 1.1.7 is vulnerable to user privilege escalation due to broke ...) - TODO: check + NOT-FOR-US: GeniXCMS CVE-2020-10056 RESERVED CVE-2020-10055 @@ -596,7 +596,7 @@ CVE-2020-9763 CVE-2020-9762 RESERVED CVE-2020-9761 (An issue was discovered in UNCTAD ASYCUDA World 2001 through 2020. The ...) - TODO: check + NOT-FOR-US: UNCTAD ASYCUDA World CVE-2020-9760 RESERVED CVE-2020-9759 @@ -604,7 +604,7 @@ CVE-2020-9759 CVE-2020-9758 RESERVED CVE-2020-9757 (The Seomatic component before 3.2.46 for Craft CMS allows Server-Side ...) - TODO: check + NOT-FOR-US: Seomatic component for Craft CMS CVE-2020-9756 RESERVED CVE-2020-9755 @@ -1026,7 +1026,7 @@ CVE-2019-20487 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. M CVE-2019-20486 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multipl ...) NOT-FOR-US: Netgear CVE-2020-9550 (Rubetek SmartHome 2020 devices use unencrypted 433 MHz communication b ...) - TODO: check + NOT-FOR-US: Rubetek SmartHome 2020 devices CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-of-bou ...) - pdfresurrect (unimportant; bug #952948) NOTE: https://github.com/enferex/pdfresurrect/issues/8 @@ -1190,9 +1190,9 @@ CVE-2013-7487 CVE-2020-9478 RESERVED CVE-2020-9477 (An issue was discovered on HUMAX HGA12R-02 BRGCAA 1.1.53 devices. A vu ...) - TODO: check + NOT-FOR-US: HUMAX HGA12R-02 BRGCAA devices CVE-2020-9476 (ARRIS TG1692A devices allow remote attackers to discover the administr ...) - TODO: check + NOT-FOR-US: ARRIS TG1692A devices CVE-2020-9475 RESERVED CVE-2020-9474 
@@ -1453,9 +1453,9 @@ CVE-2020-9374 (On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command executi CVE-2020-9373 RESERVED CVE-2020-9372 (The Appointment Booking Calendar plugin before 1.3.35 for WordPress al ...) - TODO: check + NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2020-9371 (Stored XSS exists in the Appointment Booking Calendar plugin before 1. ...) - TODO: check + NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2020-9370 RESERVED CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial ...) @@ -1476,7 +1476,7 @@ CVE-2020-9365 (An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OO [jessie] - pure-ftpd (Vulnerable code does not exist) NOTE: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b CVE-2020-9364 (An issue was discovered in helpers/mailer.php in the Creative Contact ...) - TODO: check + NOT-FOR-US: Creative Contact Form extension for Joomla! CVE-2020-9363 (The Sophos AV parsing engine before 2020-01-14 allows virus-detection ...) NOT-FOR-US: Sophos AV CVE-2020-9362 (The Quick Heal AV parsing engine (November 2019) allows virus-detectio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20935df184e1431b71804a083fa754c2dc31cd6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20935df184e1431b71804a083fa754c2dc31cd6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a34adab5 by security tracker role at 2020-03-04T20:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,60 @@ -CVE-2020-10029 [sinl() stack corruption from crafted input] +CVE-2020-10057 (GeniXCMS 1.1.7 is vulnerable to user privilege escalation due to broke ...) + TODO: check +CVE-2020-10056 + RESERVED +CVE-2020-10055 + RESERVED +CVE-2020-10054 + RESERVED +CVE-2020-10053 + RESERVED +CVE-2020-10052 + RESERVED +CVE-2020-10051 + RESERVED +CVE-2020-10050 + RESERVED +CVE-2020-10049 + RESERVED +CVE-2020-10048 + RESERVED +CVE-2020-10047 + RESERVED +CVE-2020-10046 + RESERVED +CVE-2020-10045 + RESERVED +CVE-2020-10044 + RESERVED +CVE-2020-10043 + RESERVED +CVE-2020-10042 + RESERVED +CVE-2020-10041 + RESERVED +CVE-2020-10040 + RESERVED +CVE-2020-10039 + RESERVED +CVE-2020-10038 + RESERVED +CVE-2020-10037 + RESERVED +CVE-2020-10036 + RESERVED +CVE-2020-10035 + RESERVED +CVE-2020-10034 + RESERVED +CVE-2020-10033 + RESERVED +CVE-2020-10032 + RESERVED +CVE-2020-10031 + RESERVED +CVE-2020-10030 + RESERVED +CVE-2020-10029 (The GNU C Library (aka glibc or libc6) before 2.32 could overflow an o ...) - glibc (bug #953108) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) @@ -539,16 +595,16 @@ CVE-2020-9763 RESERVED CVE-2020-9762 RESERVED -CVE-2020-9761 - RESERVED +CVE-2020-9761 (An issue was discovered in UNCTAD ASYCUDA World 2001 through 2020. The ...) + TODO: check CVE-2020-9760 RESERVED CVE-2020-9759 RESERVED CVE-2020-9758 RESERVED -CVE-2020-9757 - RESERVED +CVE-2020-9757 (The Seomatic component before 3.2.46 for Craft CMS allows Server-Side ...) + TODO: check CVE-2020-9756 RESERVED CVE-2020-9755 
@@ -969,8 +1025,8 @@ CVE-2019-20487 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. M NOT-FOR-US: Netgear CVE-2019-20486 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multipl ...) NOT-FOR-US: Netgear -CVE-2020-9550 - RESERVED +CVE-2020-9550 (Rubetek SmartHome 2020 devices use unencrypted 433 MHz communication b ...) + TODO: check CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-of-bou ...) - pdfresurrect (unimportant; bug #952948) NOTE: https://github.com/enferex/pdfresurrect/issues/8 @@ -990,7 +1046,7 @@ CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int NOTE: https://github.com/FasterXML/jackson-databind/issues/2631 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by NOTE: but still an issue when Default Typing is enabled. -CVE-2020-9545 (Pale Moon 28.8.x before 28.8.4 has a segmentation fault related to mod ...) +CVE-2020-9545 (Pale Moon 28.x before 28.8.4 has a segmentation fault related to modul ...) NOT-FOR-US: Pale Moon CVE-2020-9544 RESERVED @@ -1133,10 +1189,10 @@ CVE-2013-7487 RESERVED CVE-2020-9478 RESERVED -CVE-2020-9477 - RESERVED -CVE-2020-9476 - RESERVED +CVE-2020-9477 (An issue was discovered on HUMAX HGA12R-02 BRGCAA 1.1.53 devices. A vu ...) + TODO: check +CVE-2020-9476 (ARRIS TG1692A devices allow remote attackers to discover the administr ...) + TODO: check CVE-2020-9475 RESERVED CVE-2020-9474 @@ -1396,10 +1452,10 @@ CVE-2020-9374 (On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command executi NOT-FOR-US: TP-Link CVE-2020-9373 RESERVED -CVE-2020-9372 - RESERVED -CVE-2020-9371 - RESERVED +CVE-2020-9372 (The Appointment Booking Calendar plugin before 1.3.35 for WordPress al ...) + TODO: check +CVE-2020-9371 (Stored XSS exists in the Appointment Booking Calendar plugin before 1. ...) + TODO: check CVE-2020-9370 RESERVED CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial ...) 
@@ -1419,8 +1475,8 @@ CVE-2020-9365 (An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OO [stretch] - pure-ftpd (Minor issue) [jessie] - pure-ftpd (Vulnerable code does not exist) NOTE: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b -CVE-2020-9364 - RESERVED +CVE-2020-9364 (An issue was discovered in helpers/mailer.php in the Creative Contact ...) + TODO: check CVE-2020-9363 (The Sophos AV parsing engine before 2020-01-14 allows virus-detection ...) NOT-FOR-US: Sophos AV CVE-2020-9362 (The Quick Heal AV parsing engine (November 2019) allows virus-detectio ...)
[Git][security-tracker-team/security-tracker][master] Add amd64-microcode coverage for CVE-2017-5715 only
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 67beefb2 by Salvatore Bonaccorso at 2020-03-04T21:06:27+01:00 Add amd64-microcode coverage for CVE-2017-5715 only As from d3d7e7df1e20 (Add amd64-microcode to d{l,s}a-needed.txt) talked to the maintainer about the need of updating amd64-microcode to cover the missing IBPB feature for Spectre variant 2 mitigation. To be consistent with what we did tracking intel-microcode, add here in this case as well the amd64-microcode (but only here) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -169914,6 +169914,7 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and - intel-microcode 3.20180425.1 [stretch] - intel-microcode 3.20180425.1~deb9u1 [jessie] - intel-microcode 3.20180425.1~deb8u1 + - amd64-microcode 3.20180515.1 NOTE: https://spectreattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67beefb2a391d781412169cbe1790c7a23da7eeb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67beefb2a391d781412169cbe1790c7a23da7eeb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add notes for CVE-2019-11157
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30575936 by Salvatore Bonaccorso at 2020-03-04T20:59:47+01:00 Add notes for CVE-2019-11157 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48679,7 +48679,8 @@ CVE-2019-11159 CVE-2019-11158 RESERVED CVE-2019-11157 (Improper conditions check in voltage settings for some Intel(R) Proces ...) - TODO: check + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html + TODO: check, very likely only fixed via BIOS update, so NFU, Intel CVE-2019-11156 (Logic errors in Intel(R) PROSet/Wireless WiFi Software before version ...) NOT-FOR-US: Intel CVE-2019-11155 (Improper directory permissions in Intel(R) PROSet/Wireless WiFi Softwa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3057593609167260cc9c2849a76eeb5d40e7b07f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3057593609167260cc9c2849a76eeb5d40e7b07f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim amd64-microcode in dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: db9a5ad8 by Anton Gladky at 2020-03-04T20:34:45+01:00 Claim amd64-microcode in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -10,7 +10,7 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -amd64-microcode +amd64-microcode (Anton Gladky) NOTE: 20200224: Missing IBPB feature for Spectre variant 2 mitigation. NOTE: 20200224: (Kernel support was added in 2018.) stretch needs to NOTE: 20200224: be updated too; check dsa-needed.txt. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db9a5ad8bf7a44549ef0476d3eacdc5d4f7f555c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db9a5ad8bf7a44549ef0476d3eacdc5d4f7f555c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 89b308a1 by Moritz Muehlenhoff at 2020-03-04T18:54:05+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10276,9 +10276,9 @@ CVE-2020-5406 CVE-2020-5405 RESERVED CVE-2020-5404 (The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and ...) - TODO: check + NOT-FOR-US: Reactor Netty, different from src:netty CVE-2020-5403 (Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a UR ...) - TODO: check + NOT-FOR-US: Reactor Netty, different from src:netty CVE-2020-5402 (In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability ...) NOT-FOR-US: Cloud Foundry CVE-2020-5401 (Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoR ...) @@ -34096,7 +34096,7 @@ CVE-2019-15611 (Violation of Secure Design Principles in the iOS App 2.23.0 caus CVE-2019-15610 (Improper authorization in the Circles app 0.17.7 causes retaining acce ...) NOT-FOR-US: Circles app CVE-2019-15609 (The kill-port-process package version 2.2.0 is vulnerable to a Co ...) - TODO: check + NOT-FOR-US: Node kill-port-process CVE-2019-15608 RESERVED CVE-2019-15607 (A stored XSS vulnerability is present within node-red (version: = ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89b308a1cc639ed4d570cad9107fa54b1f2e270f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89b308a1cc639ed4d570cad9107fa54b1f2e270f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-17362/libtomcrypt via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 92b73adf by Salvatore Bonaccorso at 2020-03-04T18:08:32+01:00 Add fixed version for CVE-2019-17362/libtomcrypt via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29154,7 +29154,7 @@ CVE-2019-17363 RESERVED CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in ...) {DLA-1951-1} - - libtomcrypt + - libtomcrypt 1.18.2-3 [buster] - libtomcrypt (Minor issue) [stretch] - libtomcrypt (Minor issue) NOTE: https://github.com/libtom/libtomcrypt/issues/507 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92b73adff276ed70f6d5f4fc4bc3486ea464def7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92b73adff276ed70f6d5f4fc4bc3486ea464def7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-10029/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d9c190af by Salvatore Bonaccorso at 2020-03-04T17:46:19+01:00 Add Debian bug reference for CVE-2020-10029/glibc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-10029 [sinl() stack corruption from crafted input] - - glibc + - glibc (bug #953108) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25487 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c190af6ba04265d5c449368e7d28b19bdd19b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c190af6ba04265d5c449368e7d28b19bdd19b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10029/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0230c7d by Salvatore Bonaccorso at 2020-03-04T17:37:08+01:00 Add CVE-2020-10029/glibc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,10 @@ +CVE-2020-10029 [sinl() stack corruption from crafted input] + - glibc + [buster] - glibc (Minor issue) + [stretch] - glibc (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25487 + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9333498794cde1d5cca518badf79533a24114b6f + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c10acd40262486dac597001aecc20ad9d3bd0e4a CVE-2020- RESERVED CVE-2020-9998 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0230c7d3637f12b34a5b91f72dbd368b6ce0236 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0230c7d3637f12b34a5b91f72dbd368b6ce0236 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-9402/python-django
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c1e01d5c by Salvatore Bonaccorso at 2020-03-04T17:29:15+01:00 Add fixed version for CVE-2020-9402/python-django - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1316,7 +1316,7 @@ CVE-2020-9403 RESERVED CVE-2020-9402 RESERVED - - python-django (low; bug #953102) + - python-django 2:2.2.11-1 (low; bug #953102) [buster] - python-django (Can be fixed along in a future DSA) [stretch] - python-django (Can be fixed along in a future DSA) [jessie] - python-django (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1e01d5cd779a9f6a9dfca53c3495faa1fcb2b6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1e01d5cd779a9f6a9dfca53c3495faa1fcb2b6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] nvd.py: Fix typo in Parser when issueing error (VAlueError -> ValueError)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff11f9a1 by Salvatore Bonaccorso at 2020-03-04T17:02:59+01:00 nvd.py: Fix typo in Parser when issueing error (VAlueError - ValueError) Fixes: 966aef0927e2 (Reimplement (incompletely) simplistic NVD parser to handle JSON feed) Signed-off-by: Salvatore Bonaccorso car...@debian.org - - - - - 1 changed file: - lib/python/nvd.py Changes: = lib/python/nvd.py = @@ -38,7 +38,7 @@ class _Parser: if 'CVE_data_meta' not in entry['cve']: raise ValueError("No CVE metadata entry present") if 'ID' not in entry['cve']['CVE_data_meta']: -raise VAlueError("No CVE ID present for entry") +raise ValueError("No CVE ID present for entry") self.name=entry['cve']['CVE_data_meta']['ID'] # get CVE description View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff11f9a17a60029781d3bb46ef387515f5b9e5f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff11f9a17a60029781d3bb46ef387515f5b9e5f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
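Review bot: the two ValueError messages in this region of `_Parser` ("No CVE metadata entry present", "No CVE ID present for entry") do not say which feed entry failed, so a single malformed record in a large JSON feed aborts the parse with no way to locate it from the traceback; include something that identifies the record, for example its position in the feed or a repr of `entry['cve']`, in the message. The typo fix itself (`VAlueError` to `ValueError`) is the only behaviour change and is correct, since the misspelled name would have raised NameError instead of the intended exception.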
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-9402/python-django
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c78a446 by Salvatore Bonaccorso at 2020-03-04T15:26:04+01:00 Add Debian bug reference for CVE-2020-9402/python-django - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1316,7 +1316,7 @@ CVE-2020-9403 RESERVED CVE-2020-9402 RESERVED - - python-django (low) + - python-django (low; bug #953102) [buster] - python-django (Can be fixed along in a future DSA) [stretch] - python-django (Can be fixed along in a future DSA) [jessie] - python-django (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c78a446f11d291d1fd41f4742b9db9995c3a5af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c78a446f11d291d1fd41f4742b9db9995c3a5af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference 7.x commit for CVE-2019-13135
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ea52111 by Salvatore Bonaccorso at 2020-03-04T15:04:16+01:00 Reference 7.x commit for CVE-2019-13135 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43106,7 +43106,7 @@ CVE-2019-13135 (ImageMagick before 7.0.8-50 has a "use of uninitialized value" v [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1599 - NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d (7.x) + NOTE: https://github.com/ImageMagick/ImageMagick/commit/cdb383749ef7b68a38891440af8cc23e0115306d (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d (6.x) CVE-2019-13134 (ImageMagick before 7.0.8-50 has a memory leak vulnerability in the fun ...) - imagemagick (Only affects Imagemagick 7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ea52111e00b3d3a91c4bb00218833b875abb892 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ea52111e00b3d3a91c4bb00218833b875abb892 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-9402/django n/a on jessie
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b09c0f2b by Emilio Pozuelo Monfort at 2020-03-04T15:01:30+01:00 CVE-2020-9402/django n/a on jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1319,7 +1319,11 @@ CVE-2020-9402 - python-django (low) [buster] - python-django (Can be fixed along in a future DSA) [stretch] - python-django (Can be fixed along in a future DSA) + [jessie] - python-django (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/03/04/1 + NOTE: Introduced by: https://github.com/django/django/commit/fcf494b48fea7c0c55ea29721ba0b2d250351ff8 + NOTE: Fixed by: https://github.com/django/django/commit/fe886a3b58a93cfbe8864b485f93cb6d426cd1f2 (v2.2) + NOTE: Fixed by: https://github.com/django/django/commit/02d97f3c9a88adc890047996e5606180bd1c6166 (v1.11) CVE-2020-9401 RESERVED CVE-2020-9400 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b09c0f2b483f57d35eb91159c8bd91e44d04915c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b09c0f2b483f57d35eb91159c8bd91e44d04915c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new django issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d81a05eb by Moritz Muehlenhoff at 2020-03-04T14:45:31+01:00 new django issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1316,6 +1316,10 @@ CVE-2020-9403 RESERVED CVE-2020-9402 RESERVED + - python-django (low) + [buster] - python-django (Can be fixed along in a future DSA) + [stretch] - python-django (Can be fixed along in a future DSA) + NOTE: https://www.openwall.com/lists/oss-security/2020/03/04/1 CVE-2020-9401 RESERVED CVE-2020-9400 
@@ -43095,8 +43099,11 @@ CVE-2019-13136 (ImageMagick before 7.0.8-50 has an integer overflow vulnerabilit CVE-2019-13135 (ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnera ...) {DLA-1888-1} - imagemagick (bug #932079) + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1599 - NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d (7.x) + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d (6.x) CVE-2019-13134 (ImageMagick before 7.0.8-50 has a memory leak vulnerability in the fun ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/commit/fe3066122ef72c82415811d25e9e3fad622c0a99 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d81a05ebcd4a38316e730055e195972c0cd47845
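Review bot: in the CVE-2019-13135 hunk the two added NOTE lines reference the same ImageMagick6 commit 1e59b29e520d2beab73e8c78aacd5f1c0d76196d, tagged once as "(7.x)" and once as "(6.x)"; the 7.x reference is almost certainly a copy of the 6.x one rather than the fix in the ImageMagick (7.x) repository, so it should point at a commit from github.com/ImageMagick/ImageMagick, as the CVE-2019-13134 entry below it does. (Commit 1ea52111 on this list later replaces the 7.x reference.)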
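Review bot: the new CVE-2020-9402 entry in the first hunk (around line 1316 of data/CVE/list) annotates buster and stretch but has no [jessie] line and no fixed version on the "- python-django (low)" line, so the jessie status and the unstable fix are left undetermined; both need filling in once triaged (the jessie line was added in b09c0f2b on this list).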
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c17039b by Moritz Muehlenhoff at 2020-03-04T13:06:53+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4171,7 +4171,7 @@ CVE-2020-8134 CVE-2020-8133 RESERVED CVE-2020-8132 (Lack of input validation in pdf-image npm package version = 2.0.0 ...) - TODO: check + NOT-FOR-US: Node pdf-image package CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows ...) - node-yarnpkg (bug #952912) NOTE: https://hackerone.com/reports/730239 @@ -49673,15 +49673,15 @@ CVE-2019-10807 CVE-2019-10806 RESERVED CVE-2019-10805 (valib through 2.0.0 allows Internal Property Tampering. A maliciously ...) - TODO: check + NOT-FOR-US: Node valib CVE-2019-10804 (serial-number through 1.3.0 allows execution of arbritary commands. Th ...) - TODO: check + NOT-FOR-US: Node serial-number CVE-2019-10803 (push-dir through 0.4.1 allows execution of arbritary commands. Argumen ...) - TODO: check + NOT-FOR-US: Node push-dir CVE-2019-10802 (giting version prior to 0.0.8 allows execution of arbritary commands. ...) - TODO: check + NOT-FOR-US: Node giting CVE-2019-10801 (enpeem through 2.2.0 allows execution of arbitrary commands. The "opti ...) - TODO: check + NOT-FOR-US: Node enpeem CVE-2019-10800 RESERVED CVE-2019-10799 (compile-sass prior to 1.0.5 allows execution of arbritary commands. Th ...) @@ -49730,7 +49730,7 @@ CVE-2019-10781 (In schema-inspector before 1.6.9, a maliciously crafted JavaScri CVE-2019-10780 (BibTeX-ruby before 5.1.0 allows shell command injection due to unsanit ...) NOT-FOR-US: BibTeX-ruby CVE-2019-10779 (All versions of stroom:stroom-app before 5.5.12 and all versions of th ...) - TODO: check + NOT-FOR-US: Stroom CVE-2019-10778 (devcert-sanscache before 0.4.7 allows remote attackers to execute arbi ...) NOT-FOR-US: devcert-sanscache CVE-2019-10777 (In aws-lambda versions prior to version 1.0.5, the "config.FunctioName ...) 
@@ -261827,7 +261827,7 @@ CVE-2013-7327 (The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 CVE-2013-7326 (Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows re ...) NOT-FOR-US: vTiger CRM CVE-2013-7324 (Webkit-GTK 2.x (any version with HTML5 audio/video support based on GS ...) - TODO: check + NOT-FOR-US: Historic webkit issue CVE-2012-6638 (The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linu ...) - linux 3.2.29-1 - linux-2.6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c17039b7c6cc04892607fca54c3cac18c9494b5
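Review bot: for CVE-2013-7324 the replacement "NOT-FOR-US: Historic webkit issue" states an age judgement, whereas every other NOT-FOR-US in this patch names software that is simply not packaged (Node pdf-image, Stroom, vTiger CRM). If the issue is being set aside because it is old rather than because Webkit-GTK is absent from the archive, a package-level annotation with a NOTE giving the reason would express that more accurately than NOT-FOR-US.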
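Review bot: the five "NOT-FOR-US: Node ..." lines in the hunk starting at line 49673 (valib, serial-number, push-dir, giting, enpeem) should each have been checked against the archive before replacing "TODO: check", since the node-yarnpkg entry in the first hunk shows npm packages can be Debian packages; the commit message "NFUs" does not say this was done.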
[Git][security-tracker-team/security-tracker][master] new chromium issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35701fa0 by Moritz Muehlenhoff at 2020-03-04T12:54:56+01:00 new chromium issue mark qt as ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1191,9 +1191,9 @@ CVE-2020-9447 (The file-upload feature in GwtUpload 1.0.3 allows XSS via a craft CVE-2020-9446 RESERVED CVE-2018-21035 (In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB f ...) - - qtwebsockets-opensource-src (bug #953049) - [buster] - qtwebsockets-opensource-src (Minor issue) - [stretch] - qtwebsockets-opensource-src (Minor issue) + - qtwebsockets-opensource-src (low; bug #953049) + [buster] - qtwebsockets-opensource-src (Minor issue) + [stretch] - qtwebsockets-opensource-src (Minor issue) [jessie] - qtwebsockets-opensource-src (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-70693 NOTE: https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735 @@ -8086,6 +8086,8 @@ CVE-2020-6421 RESERVED CVE-2020-6420 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6419 RESERVED CVE-2020-6418 (Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35701fa0a223e484e70378bb70204ab0d18ff914
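Review bot: the commit message says "mark qt as ignored", but the CVE-2018-21035 hunk only changes the unstable line from "(bug #953049)" to "(low; bug #953049)" and re-indents the buster and stretch lines; no "ignored" annotation appears anywhere in the diff, so either the message overstates the change or the intended annotation is missing.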
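Review bot: the new CVE-2020-6420 entry in the second hunk has a bare "- chromium" with no fixed version and no [buster] line; only "[stretch] - chromium (see DSA 4562)" is recorded. The buster status and the unstable fixed version should be added once known, and the DSA reference is easier to cross-check in the {DSA-...} form used elsewhere in data/CVE/list (for example {DSA-4572-1} on the slurm-llnl entry) than as free text.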
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2133-1 for tomcat7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b6ab5a51 by Markus Koschany at 2020-03-04T11:56:16+01:00 Reserve DLA-2133-1 for tomcat7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Mar 2020] DLA-2133-1 tomcat7 - security update + {CVE-2019-17569 CVE-2020-1935 CVE-2020-1938} + [jessie] - tomcat7 7.0.56-3+really7.0.100-1 [03 Mar 2020] DLA-2132-1 libzypp - security update {CVE-2019-18900} [jessie] - libzypp 14.29.1-2+deb8u1 = data/dla-needed.txt = @@ -89,8 +89,6 @@ squid3 (Markus Koschany) NOTE: 20200120: details on the intention. (Ola) NOTE: 20200224: Ongoing work. (apo) -- -tomcat7 (Markus Koschany) --- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. NOTE: 20200210: TestFormAuthenticator failing with CVE-2019-17563. backporting upstream tests (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6ab5a519e5307df8816c5677975d1bede084a65
[Git][security-tracker-team/security-tracker][master] 2 commits: slurm-llnl: add links to upstream fixes
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 67c1d465 by Emilio Pozuelo Monfort at 2020-03-04T10:46:48+01:00 slurm-llnl: add links to upstream fixes - - - - - 58800fe4 by Emilio Pozuelo Monfort at 2020-03-04T10:52:01+01:00 slurm-llnl no-dsa on jessie - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -16596,6 +16596,8 @@ CVE-2019-19728 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes sr - slurm-llnl 19.05.5-1 [buster] - slurm-llnl (Minor issue) [stretch] - slurm-llnl (Minor issue) + [jessie] - slurm-llnl (Minor issue) + NOTE: https://github.com/SchedMD/slurm/commit/5ac031b2ef5462f6e8e47dad0247bd474614c118 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1159692 NOTE: Fixed upstream in 18.08.9, 19.05.5 CVE-2019-19727 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak slurmdbd ...) @@ -43954,6 +43956,8 @@ CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allo {DSA-4572-1} - slurm-llnl 19.05.3.2-1 (bug #931880) [stretch] - slurm-llnl (Too intrusive to backport) + [jessie] - slurm-llnl (Too intrusive to backport) + NOTE: https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/25.html CVE-2019-12837 (The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attack ...) NOT-FOR-US: Java API in Generalitat de Catalunya accesuniversitat.gencat.cat = data/dla-needed.txt = 
@@ -74,10 +74,6 @@ ruby-rack slirp (Utkarsh Gupta) NOTE: 20200223: WIP. -- -slurm-llnl - NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc - NOTE: 20191218: Regression found. (abhijith) --- squid3 (Markus Koschany) NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf. NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6bf45ebe0c5d8b15ce72331623afdea1283d51ee...58800fe455b43b8028b745ccd415886d706c230e
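Review bot: the dla-needed.txt hunk drops the slurm-llnl entry together with its "20191218: Regression found." note about the 14.03.9-5+deb8u5 test package, while the data/CVE/list hunks mark CVE-2019-19728 and CVE-2019-12838 as "Minor issue" and "Too intrusive to backport" on jessie. The two are consistent, but the regression finding disappears from the tracker; a NOTE on the CVE entries recording it would preserve why jessie is being left unfixed.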
[Git][security-tracker-team/security-tracker][master] CVE-2018-21035/qtwebsockets-opensource-src no-dsa on jessie
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bf45ebe by Emilio Pozuelo Monfort at 2020-03-04T10:19:37+01:00 CVE-2018-21035/qtwebsockets-opensource-src no-dsa on jessie The upstream fix just adds new API to allow lowering the message size, but it would need all users to change it, and there are no rdeps on jessie anyway. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1194,6 +1194,7 @@ CVE-2018-21035 (In Qt through 5.14.1, the WebSocket implementation accepts up to - qtwebsockets-opensource-src (bug #953049) [buster] - qtwebsockets-opensource-src (Minor issue) [stretch] - qtwebsockets-opensource-src (Minor issue) + [jessie] - qtwebsockets-opensource-src (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-70693 NOTE: https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735 CVE-2020-9445 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bf45ebe0c5d8b15ce72331623afdea1283d51ee
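Review bot: the rationale in the commit message (the upstream fix only adds new API for lowering the message size, every user would have to adopt it, and there are no reverse dependencies on jessie) is not carried into the entry; the hunk adds only "[jessie] - qtwebsockets-opensource-src (Minor issue)". A NOTE line with that reasoning next to the two existing NOTE URLs would make the no-dsa decision verifiable from data/CVE/list alone rather than from git history.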
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad50f001 by Salvatore Bonaccorso at 2020-03-04T09:14:04+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9935,9 +9935,9 @@ CVE-2020-5538 CVE-2020-5537 RESERVED CVE-2020-5536 (OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacke ...) - TODO: check + NOT-FOR-US: OpenBlocks IoT VX2 CVE-2020-5535 (OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacke ...) - TODO: check + NOT-FOR-US: OpenBlocks IoT VX2 CVE-2020-5534 (Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated a ...) NOT-FOR-US: Aterm WG2600HS firmware CVE-2020-5533 (Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad50f001a002595375dcb83baf698cf6600508bb