[Git][security-tracker-team/security-tracker][master] Claim tomcat8 in jessie
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 16c65341 by Abhijith PA at 2020-03-10T10:04:19+05:30 Claim tomcat8 in jessie - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -71,10 +71,11 @@ slirp (Chris Lamb) squid3 (Markus Koschany) NOTE: 20200309: Requires more tests. (apo) -- -tomcat8 +tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. NOTE: 20200210: TestFormAuthenticator failing with CVE-2019-17563. backporting upstream tests (abhijith) NOTE: 20200224: Guess embedding latest branch of 8.5.x in debian package is the way to go (abhijith) + NOTE: 20200310: New CVEs piled up (abhijith) -- weechat (Thorsten Alteholz) NOTE: 20200309: work is ongoing View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c65341c6c74404a37791f307dc9a410ae79f5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c65341c6c74404a37791f307dc9a410ae79f5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
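Review bot: the added `NOTE: 20200310: New CVEs piled up (abhijith)` does not say which CVEs, whereas the earlier `NOTE: 20200210:` line in the same tomcat8 entry names CVE-2019-17563; list the new identifiers (or point at where they are tracked) so the next person picking this up does not have to rebuild the list.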
[Git][security-tracker-team/security-tracker][master] CVE-2019-3689/nfs-utils: upstream commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 41f2538a by Sylvain Beucler at 2020-03-09T23:50:15+01:00 CVE-2019-3689/nfs-utils: upstream commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -69577,10 +69577,7 @@ CVE-2019-3689 (The nfs-utils package in SUSE Linux Enterprise Server 12 before a - nfs-utils (bug #940848) [buster] - nfs-utils (Minor issue) [stretch] - nfs-utils (Minor issue) - NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150733 - NOTE: When adressing this a related patch to make statd take the user-id from - NOTE: /var/lib/nfs/sm is needed, cf. https://bugzilla.suse.com/show_bug.cgi?id=1150733#c3 - NOTE: https://bugzilla.linux-nfs.org/show_bug.cgi?id=338 (upstream report) + NOTE: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterpri ...) - squid (/usr/lib/squid/pinger permissions are root:root) - squid3 (/usr/lib/squid/pinger permissions are root:root) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41f2538ad24e8fd754c21f8c50f623453110e0a9
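Review bot: the hunk drops the caveat `NOTE: When adressing this a related patch to make statd take the user-id from /var/lib/nfs/sm is needed` together with the SUSE bug and the linux-nfs upstream report, leaving only the upstream commit URL; the statd user-id requirement is exactly what someone preparing the buster or stretch update needs and a commit link does not convey it, so keep that NOTE (and the upstream report URL) alongside the new commit reference.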
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 58a493d7 by Moritz Muehlenhoff at 2020-03-09T23:36:04+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -195016,7 +195016,7 @@ CVE-2016-6676 (Off-by-one error in CORE/HDD/src/wlan_hdd_cfg.c in the Qualcomm W CVE-2016-6675 (Off-by-one error in CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm Wi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6674 (system_server in Android before 2016-10-05 on Nexus devices allows att ...) - - android (bug #459219) + NOT-FOR-US: Android CVE-2016-6673 (The NVIDIA camera driver in Android before 2016-10-05 on Nexus 9 devic ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6672 (The Synaptics touchscreen driver in Android before 2016-10-05 on Nexus ...) @@ -212795,7 +212795,7 @@ CVE-2016-1489 (Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48 CVE-2016-1488 (Cross-site scripting (XSS) vulnerability in the login form in the inte ...) NOT-FOR-US: Siemens CVE-2016-1487 (Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons ...) - TODO: check + NOT-FOR-US: Lexmark CVE-2016-1486 (A vulnerability in the email attachment scanning functionality of the ...) NOT-FOR-US: Siemens OZW OZW672 CVE-2016-1485 (Cross-site scripting (XSS) vulnerability in Cisco Identity Services En ...) @@ -213957,7 +213957,7 @@ CVE-2016-1161 (Cross-site request forgery (CSRF) vulnerability in ManageEngine P CVE-2016-1160 (Cross-site scripting (XSS) vulnerability in the WP Favorite Posts plug ...) NOT-FOR-US: WP Favorite Posts plugin for WordPress CVE-2016-1159 (In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build ...) - TODO: check + NOT-FOR-US: ZOHO CVE-2016-1158 (Cross-site request forgery (CSRF) vulnerability on Corega CG-WLBARGMH ...) NOT-FOR-US: Corega CVE-2016-1157 (Cross-site scripting (XSS) vulnerability in log_chat.cgi in Script* Lo ...) 
@@ -217062,11 +217062,11 @@ CVE-2015-8509 (Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x an CVE-2015-8508 (Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in ...) - bugzilla4 (bug #669643) CVE-2015-8507 (mediaserver in Android 6.0 before 2015-12-01 allows remote attackers t ...) - - android (bug #459219) + NOT-FOR-US: Android CVE-2015-8506 (mediaserver in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 a ...) - - android (bug #459219) + NOT-FOR-US: Android CVE-2015-8505 (mediaserver in Android before 5.1.1 LMY48Z allows remote attackers to ...) - - android (bug #459219) + NOT-FOR-US: Android CVE-2015-8503 RESERVED CVE-2015-8502 @@ -219343,7 +219343,7 @@ CVE-2015-7892 (Stack-based buffer overflow in the m2m1shot_compat_ioctl32 functi CVE-2015-7891 (Race condition in the ioctl implementation in the Samsung Graphics 2D ...) NOT-FOR-US: Samsung Graphics 2D driver on Samsung devices with Android CVE-2015-7890 (Multiple buffer overflows in the esa_write function in /dev/seirenin t ...) - TODO: check + NOT-FOR-US: Samsung CVE-2015-7889 (The SecEmailComposer/EmailComposer application in the Samsung S6 Edge ...) NOT-FOR-US: Samsung CVE-2015-7888 (Directory traversal vulnerability in the WifiHs20UtilityService on the ...) 
@@ -221013,19 +221013,19 @@ CVE-2015-7346 (SQL injection vulnerability in ZCMS 1.1. ...) CVE-2015-7345 RESERVED CVE-2015-7344 (HikaShop Joomla Component before 2.6.0 has XSS via an injected payload ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2015-7343 (JNews Joomla Component before 8.5.0 has XSS via the mailingsearch para ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2015-7342 (JNews Joomla Component before 8.5.0 allows SQL injection via upload th ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2015-7341 (JNews Joomla Component before 8.5.0 allows arbitrary File Upload via S ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2015-7340 (JEvents Joomla Component before 3.4.0 RC6 has SQL Injection via evid i ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2015-7339 (JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2015-7338 (SQL Injection exists in AcyMailing Joomla Component before 4.9.5 via e ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2015-7336 RESERVED CVE-2015-7335 @@ -244984,8 +244984,7 @@ CVE-2014-8741 (Directory traversal vulnerability in the GfdFileUploadServerlet s CVE-2014-8740 RESERVED CVE-2014-8739 (Unrestricted file upload vulnerability in server/php/UploadHandler.php ...) - - libjs-jquery-file-upload
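Review bot: in the `@@ -195016` and `@@ -217062` hunks, replacing `- android (bug #459219)` with `NOT-FOR-US: Android` for CVE-2016-6674 and CVE-2015-8505/8506/8507 removes the only pointer to bug #459219; if that bug is still the reason Android is not tracked as a Debian source package, keep the bug number in the NOT-FOR-US text so the rationale survives the reclassification.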
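Review bot: the `@@ -244984,8 +244984,7 @@` hunk is cut off in this notification right after the removed line `- libjs-jquery-file-upload` for CVE-2014-8739, so the replacement is not visible here; unlike the other entries in this commit, libjs-jquery-file-upload is a Debian package, and the header's 8-to-7 line count shows a net removal, so please confirm the entry was converted to a status with a reason (a fixed version or `<not-affected>`) rather than simply deleted.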
[Git][security-tracker-team/security-tracker][master] Add Debian bug tracking numbers for CVE-2020-10188
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e16d812 by Salvatore Bonaccorso at 2020-03-09T22:19:45+01:00 Add Debian bug tracking numbers for CVE-2020-10188 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -133,8 +133,8 @@ CVE-2020-10190 (An issue was discovered in MunkiReport before 5.3.0. An authenti CVE-2020-10189 (Zoho ManageEngine Desktop Central before 10.0.474 allows remote code e ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) - - netkit-telnet - - netkit-telnet-ssl + - netkit-telnet (bug #953477) + - netkit-telnet-ssl (bug #953478) NOTE: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html TODO: check further details CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e16d812f435c48c4b9819570cea5d9c1de395e8
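Review bot: with bugs #953477 and #953478 now recorded for netkit-telnet and netkit-telnet-ssl, the `TODO: check further details` line in the same entry is left untouched; if what remains open is only the fixed versions or the affected suites, say so in the TODO so it is clear what still needs checking.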
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-{9282,9386}/mahara
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f6dd683 by Salvatore Bonaccorso at 2020-03-09T21:40:24+01:00 Add CVE-2020-{9282,9386}/mahara - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1860,7 +1860,7 @@ CVE-2020-9388 CVE-2020-9387 RESERVED CVE-2020-9386 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) - TODO: check + - mahara CVE-2020-9391 (An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 ...) - linux [buster] - linux (Vulnerable code not present) @@ -2123,7 +2123,7 @@ CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for [jessie] - golang-go.crypto (Minor issue) NOTE: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) - TODO: check + - mahara CVE-2020-9281 (A cross-site scripting (XSS) vulnerability in the HTML Data Processor ...) TODO: check CVE-2020-9280 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f6dd683b1e5180c67e91699b38a7ed2606f8967
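Review bot: both hunks turn `TODO: check` into a bare `- mahara` entry for CVE-2020-9386 and CVE-2020-9282 with no bug number and no NOTE pointing at the upstream advisory or fix, while the neighbouring CVE-2020-9283 entry carries a NOTE with its upstream commit; add a Debian bug reference and the upstream reference so these open entries can be acted on.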
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b63cc0ba by Salvatore Bonaccorso at 2020-03-09T21:38:52+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1042,7 +1042,7 @@ CVE-2020-9760 CVE-2020-9759 RESERVED CVE-2020-9758 (An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (He ...) - TODO: check + NOT-FOR-US: LiveZilla Live Chat CVE-2020-9757 (The Seomatic component before 3.2.46 for Craft CMS allows Server-Side ...) NOT-FOR-US: Seomatic component for Craft CMS CVE-2020-9756 (Patriot Viper RGB Driver 1.1 and prior exposes IOCTL and allows insuff ...) @@ -2815,7 +2815,7 @@ CVE-2020-8989 (In the Voatz application 2020-01-01 for Android, the amount of da CVE-2020-8988 (The Voatz application 2020-01-01 for Android allows only 100 million d ...) NOT-FOR-US: Voatz application for Android CVE-2020-8987 (Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 pr ...) - TODO: check + NOT-FOR-US: Avast AntiTrack CVE-2020-8986 RESERVED CVE-2020-8985 @@ -3591,9 +3591,9 @@ CVE-2020-8637 CVE-2020-8636 (An issue was discovered in OpServices OpMon 9.3.2 that allows Remote C ...) NOT-FOR-US: OpServices OpMon CVE-2020-8635 (Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure per ...) - TODO: check + NOT-FOR-US: Wing FTP Server CVE-2020-8634 (Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure per ...) - TODO: check + NOT-FOR-US: Wing FTP Server CVE-2020-8633 (An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8 ...) NOT-FOR-US: Zimbra Collaboration Suite (ZCS) CVE-2020-8632 (In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_ ...) 
@@ -10964,7 +10964,7 @@ CVE-2020-5329 CVE-2020-5328 (Dell EMC Isilon OneFS versions prior to 8.2.0 contain an unauthorized ...) NOT-FOR-US: EMC CVE-2020-5327 (Dell Security Management Server versions prior to 10.2.10 contain a Ja ...) - TODO: check + NOT-FOR-US: Dell CVE-2020-5326 (Affected Dell Client platforms contain a BIOS Setup configuration auth ...) NOT-FOR-US: Dell CVE-2020-5325 @@ -13976,7 +13976,7 @@ CVE-2020-4086 CVE-2020-4085 RESERVED CVE-2020-4084 (HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scri ...) - TODO: check + NOT-FOR-US: HCL Connections CVE-2020-4083 (HCL Connections 6.5 is vulnerable to possible information leakage. Con ...) NOT-FOR-US: HCL Connections CVE-2020-4082 (The HCL Connections 5.5 help system is vulnerable to cross-site script ...) @@ -14371,7 +14371,7 @@ CVE-2019-20109 CVE-2019-20108 RESERVED CVE-2019-20107 (Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allo ...) - TODO: check + NOT-FOR-US: TestLink CVE-2019-20106 (Comment properties in Atlassian Jira Server and Data Center before ver ...) NOT-FOR-US: Atlassian CVE-2019-20105 @@ -16011,9 +16011,9 @@ CVE-2019-19775 (The image thumbnailing handler in Zulip Server versions 1.9.0 to CVE-2019-19774 (An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP ...) NOT-FOR-US: Zoho ManageEngine EventLog Analyzer CVE-2019-19773 (Various Lexmark products have stored XSS in the embedded web server us ...) - TODO: check + NOT-FOR-US: Lexmark CVE-2019-19772 (Various Lexmark products have reflected XSS in the embedded web server ...) - TODO: check + NOT-FOR-US: Lexmark CVE-2019-19771 (The lodahs package 0.0.1 for Node.js is a Trojan horse, and may have b ...) NOT-FOR-US: lodahs malicious package on npm CVE-2019-19830 (_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authent ...) 
@@ -18752,7 +18752,7 @@ CVE-2019-19616 (An Insecure Direct Object Reference (IDOR) vulnerability in the CVE-2019-19615 RESERVED CVE-2019-19614 (An issue was discovered in Halvotec RAQuest 10.23.10801.0. The login p ...) - TODO: check + NOT-FOR-US: Halvotec RAQuest CVE-2019-19613 RESERVED CVE-2019-19612 @@ -19469,57 +19469,57 @@ CVE-2020-2161 CVE-2020-2160 RESERVED CVE-2020-2159 (Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job ...) - TODO: check + NOT-FOR-US: Jenkins CryptoMove Plugin CVE-2020-2158 (Jenkins Literate Plugin 1.0 and earlier does not configure its YAML pa ...) - TODO: check + NOT-FOR-US: Jenkins Literate Plugin CVE-2020-2157 (Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured c ...) - TODO: check + NOT-FOR-US: Jenkins Skytap Cloud CI Plugin CVE-2020-2156 (Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured crede ...) - TODO: check + NOT-FOR-US: Jenkins DeployHub Plugin CVE-2020-2155
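Review bot: in the `@@ -10964` hunk CVE-2020-5327 (Dell Security Management Server) becomes `NOT-FOR-US: Dell` while the adjacent CVE-2020-5328 (Dell EMC Isilon OneFS) reads `NOT-FOR-US: EMC`; naming the product in the NFU text, as the `@@ -19469` hunk does for each Jenkins plugin and the `@@ -14371` hunk does for TestLink, keeps the entries searchable and avoids the Dell/EMC inconsistency.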
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 673332fa by Salvatore Bonaccorso at 2020-03-09T21:31:57+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,17 +1,17 @@ CVE-2020-10250 (BWA DiREX-Pro 1.2181 devices allow remote attackers to execute arbitra ...) - TODO: check + NOT-FOR-US: BWA DiREX-Pro devices CVE-2020-10249 (BWA DiREX-Pro 1.2181 devices allow full path disclosure via an invalid ...) - TODO: check + NOT-FOR-US: BWA DiREX-Pro devices CVE-2020-10248 (BWA DiREX-Pro 1.2181 devices allow remote attackers to discover passwo ...) - TODO: check + NOT-FOR-US: BWA DiREX-Pro devices CVE-2020-10247 (MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is ...) - TODO: check + NOT-FOR-US: MISP CVE-2020-10246 (MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is ...) - TODO: check + NOT-FOR-US: MISP CVE-2020-10245 RESERVED CVE-2020-10244 (JPaseto before 0.3.0 generates weak hashes when using v2.local tokens. ...) - TODO: check + NOT-FOR-US: JPaseto CVE-2020-10243 RESERVED CVE-2020-10242 @@ -25,11 +25,11 @@ CVE-2020-10239 CVE-2020-10238 RESERVED CVE-2020-10237 (An issue was discovered in Froxlor through 0.10.15. The installer wrot ...) - TODO: check + NOT-FOR-US: Froxlor CVE-2020-10236 (An issue was discovered in Froxlor before 0.10.14. It created files wi ...) - TODO: check + NOT-FOR-US: Froxlor CVE-2020-10235 (An issue was discovered in Froxlor before 0.10.14. Remote attackers wi ...) - TODO: check + NOT-FOR-US: Froxlor CVE-2020-10234 RESERVED CVE-2020-10233 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap- ...) 
@@ -125,11 +125,11 @@ CVE-2020-10194 CVE-2020-10193 (ESET Archive Support Module before 1294 allows virus-detection bypass ...) NOT-FOR-US: ESET Archive Support Module CVE-2020-10192 (An issue was discovered in Munkireport before 5.3.0.3923. An unauthent ...) - TODO: check + NOT-FOR-US: Munkireport CVE-2020-10191 (An issue was discovered in MunkiReport before 5.3.0. An authenticated ...) - TODO: check + NOT-FOR-US: Munkireport CVE-2020-10190 (An issue was discovered in MunkiReport before 5.3.0. An authenticated ...) - TODO: check + NOT-FOR-US: Munkireport CVE-2020-10189 (Zoho ManageEngine Desktop Central before 10.0.474 allows remote code e ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/673332fa70e65f1d3a4a05105baa6c2fb97e9fc8
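Review bot: the `@@ -125` hunk writes `NOT-FOR-US: Munkireport` for all three entries while the CVE descriptions for CVE-2020-10191 and CVE-2020-10190 spell the product `MunkiReport`; use the upstream spelling in the NFU lines so a search for the product name matches both the description and the assessment.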
[Git][security-tracker-team/security-tracker][master] dla: take qemu
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d97c62a9 by Emilio Pozuelo Monfort at 2020-03-09T21:24:04+01:00 dla: take qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ php5 (Utkarsh Gupta) phppgadmin NOTE: 20200218: no fix yet; wide usage -- -qemu +qemu (Emilio) NOTE: 20200223: WIP. -- qtbase-opensource-src View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d97c62a976ba92cbcd218fc604b3ac6552335c0b
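Review bot: the claim line `+qemu (Emilio)` uses a first name only, while the other claims visible in this file use full names (`php5 (Utkarsh Gupta)`); write `qemu (Emilio Pozuelo Monfort)` so the claim matches how the rest of dla-needed.txt identifies people, and consider a dated NOTE since the existing `NOTE: 20200223: WIP.` predates the claim.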
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b5017ef by Salvatore Bonaccorso at 2020-03-09T21:20:06+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1547,7 +1547,7 @@ CVE-2020-9519 CVE-2020-9518 RESERVED CVE-2020-9517 (There is an improper restriction of rendered UI layers or frames vulne ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2020-9516 RESERVED CVE-2020-9515 @@ -13710,7 +13710,7 @@ CVE-2020-4219 CVE-2020-4218 RESERVED CVE-2020-4217 (The IBM Spectrum Scale 4.2 and 5.0 file system component is affected b ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4216 RESERVED CVE-2020-4215 @@ -219127,7 +219127,7 @@ CVE-2015-7969 (Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest NOTE: http://xenbits.xen.org/xsa/advisory-149.html NOTE: http://xenbits.xen.org/xsa/advisory-151.html CVE-2015-7968 (nwbc_ext2int in SAP NetWeaver Application Server before Security Note ...) - TODO: check + NOT-FOR-US: SAP CVE-2015-7967 (SafeNet Authentication Service for Citrix Web Interface Agent uses a w ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7966 (SafeNet Authentication Service Windows Logon Agent uses a weak ACL for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b5017efe87cd0342a0e4bb4d4e8ade7d80092c1
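Review bot: in the `@@ -1547` hunk the truncated description of CVE-2020-9517 shows no product name and `NOT-FOR-US: Micro Focus` adds none, so a reader cannot tell from the entry what was assessed; the `@@ -13710` hunk has the same shape with `NOT-FOR-US: IBM` even though the description names `IBM Spectrum Scale`; put the product into the NFU text, as the neighbouring `NOT-FOR-US: SafeNet Authentication Service` entries do.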
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0234400 by security tracker role at 2020-03-09T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,35 @@ +CVE-2020-10250 (BWA DiREX-Pro 1.2181 devices allow remote attackers to execute arbitra ...) + TODO: check +CVE-2020-10249 (BWA DiREX-Pro 1.2181 devices allow full path disclosure via an invalid ...) + TODO: check +CVE-2020-10248 (BWA DiREX-Pro 1.2181 devices allow remote attackers to discover passwo ...) + TODO: check +CVE-2020-10247 (MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is ...) + TODO: check +CVE-2020-10246 (MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is ...) + TODO: check +CVE-2020-10245 + RESERVED +CVE-2020-10244 (JPaseto before 0.3.0 generates weak hashes when using v2.local tokens. ...) + TODO: check +CVE-2020-10243 + RESERVED +CVE-2020-10242 + RESERVED +CVE-2020-10241 + RESERVED +CVE-2020-10240 + RESERVED +CVE-2020-10239 + RESERVED +CVE-2020-10238 + RESERVED +CVE-2020-10237 (An issue was discovered in Froxlor through 0.10.15. The installer wrot ...) + TODO: check +CVE-2020-10236 (An issue was discovered in Froxlor before 0.10.14. It created files wi ...) + TODO: check +CVE-2020-10235 (An issue was discovered in Froxlor before 0.10.14. Remote attackers wi ...) + TODO: check CVE-2020-10234 RESERVED CVE-2020-10233 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap- ...) 
@@ -92,13 +124,13 @@ CVE-2020-10194 RESERVED CVE-2020-10193 (ESET Archive Support Module before 1294 allows virus-detection bypass ...) NOT-FOR-US: ESET Archive Support Module -CVE-2020-10192 - RESERVED -CVE-2020-10191 - RESERVED -CVE-2020-10190 - RESERVED -CVE-2020-10189 (Zoho ManageEngine Desktop Central 10 allows remote code execution beca ...) +CVE-2020-10192 (An issue was discovered in Munkireport before 5.3.0.3923. An unauthent ...) + TODO: check +CVE-2020-10191 (An issue was discovered in MunkiReport before 5.3.0. An authenticated ...) + TODO: check +CVE-2020-10190 (An issue was discovered in MunkiReport before 5.3.0. An authenticated ...) + TODO: check +CVE-2020-10189 (Zoho ManageEngine Desktop Central before 10.0.474 allows remote code e ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) - netkit-telnet @@ -141,7 +173,7 @@ CVE-2020-10177 CVE-2020-10176 RESERVED CVE-2020-10175 - RESERVED + REJECTED CVE-2020-10174 (init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely ...) - timeshift (bug #953385) NOTE: https://www.openwall.com/lists/oss-security/2020/03/06/3 @@ -1009,8 +1041,8 @@ CVE-2020-9760 RESERVED CVE-2020-9759 RESERVED -CVE-2020-9758 - RESERVED +CVE-2020-9758 (An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (He ...) + TODO: check CVE-2020-9757 (The Seomatic component before 3.2.46 for Craft CMS allows Server-Side ...) NOT-FOR-US: Seomatic component for Craft CMS CVE-2020-9756 (Patriot Viper RGB Driver 1.1 and prior exposes IOCTL and allows insuff ...) @@ -1514,8 +1546,8 @@ CVE-2020-9519 RESERVED CVE-2020-9518 RESERVED -CVE-2020-9517 - RESERVED +CVE-2020-9517 (There is an improper restriction of rendered UI layers or frames vulne ...) + TODO: check CVE-2020-9516 RESERVED CVE-2020-9515 
@@ -1827,8 +1859,8 @@ CVE-2020-9388 RESERVED CVE-2020-9387 RESERVED -CVE-2020-9386 - RESERVED +CVE-2020-9386 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) + TODO: check CVE-2020-9391 (An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 ...) - linux [buster] - linux (Vulnerable code not present) @@ -2090,8 +2122,8 @@ CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for [stretch] - golang-go.crypto (Minor issue) [jessie] - golang-go.crypto (Minor issue) NOTE: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 -CVE-2020-9282 - RESERVED +CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) + TODO: check CVE-2020-9281 (A cross-site scripting (XSS) vulnerability in the HTML Data Processor ...) TODO: check CVE-2020-9280 @@ -2632,6 +2664,7 @@ CVE-2019-20474 (An issue was discovered in Zoho ManageEngine Remote Access Plus CVE-2016-11019 RESERVED CVE-2020-9355 (danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalati ...) +
[Git][security-tracker-team/security-tracker][master] Add and claim sleuthkit
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 91acb03a by Utkarsh Gupta at 2020-03-10T01:14:27+05:30 Add and claim sleuthkit - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,6 +64,8 @@ ruby-rack NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) NOTE: 20200216: Discussion ongoing on -lts list. (lamby) -- +sleuthkit (Utkarsh Gupta) +-- slirp (Chris Lamb) -- squid3 (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91acb03a0cdd8d1c428e4b4ee6af4b5fdf1bbaa3
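Review bot: the new `sleuthkit (Utkarsh Gupta)` entry carries no dated NOTE saying which issue prompted the claim, while the neighbouring ruby-rack entry has `NOTE: 20200216:` lines; add a NOTE naming the CVE being worked on so other LTS contributors can see what the claim covers.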
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for network-manager-ssh update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c33c5e43 by Salvatore Bonaccorso at 2020-03-09T20:42:31+01:00 Reserve DSA number for network-manager-ssh update - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[09 Mar 2020] DSA-4637-1 network-manager-ssh - security update + {CVE-2020-9355} + [stretch] - network-manager-ssh 1.2.1-1+deb9u1 + [buster] - network-manager-ssh 1.2.10-1+deb10u1 [28 Feb 2020] DSA-4636-1 python-bleach - security update {CVE-2020-6802} [buster] - python-bleach 3.1.1-0+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c33c5e43e3cff3088e7eb4f05f1179eaf1f25d81
[Git][security-tracker-team/security-tracker][master] Record fixed version for libvpx
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e72430cd by Moritz Muehlenhoff at 2020-03-09T19:46:37+01:00 Record fixed version for libvpx - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27537,8 +27537,9 @@ CVE-2020-0035 NOT-FOR-US: Android CVE-2020-0034 RESERVED - - libvpx - NOTE: https://android.googlesource.com/platform/external/libvpx/+/30d0c20d0d04151530de62df3937de27c4f204fd + - libvpx 1.7.0-3 + [stretch] - libvpx (Minor issue) + NOTE: https://github.com/webmproject/libvpx/commit/45daecb4f73a47ab3236a29a3a48c52324cbf19a CVE-2020-0033 RESERVED NOT-FOR-US: Android media framework View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e72430cd947c3a606fc5a7d0732f644afc0c8fb4
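Review bot: the hunk replaces the Android-side NOTE URL (`https://android.googlesource.com/platform/external/libvpx/+/30d0c20d...`) with the upstream webmproject commit instead of adding to it; the two references point at different trees and both are useful when checking which versions carry the fix, so keep the Android link as a second NOTE line next to the new one.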
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2136-1 for libvpx
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e7a2f83 by Chris Lamb at 2020-03-09T11:30:17-07:00 Reserve DLA-2136-1 for libvpx - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Mar 2020] DLA-2136-1 libvpx - security update + {CVE-2020-0034} + [jessie] - libvpx 1.3.0-3+deb8u3 [06 Mar 2020] DLA-2135-1 jackson-databind - security update {CVE-2020-9546 CVE-2020-9547 CVE-2020-9548} [jessie] - jackson-databind 2.4.2-2+deb8u12 = data/dla-needed.txt = @@ -34,8 +34,6 @@ libmatio (Adrian Bunk) libmtp (Dylan Aïssi) NOTE: 20200309: WIP. -- -libvpx (Chris Lamb) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e7a2f837c6e41e80f1433092fdffca90f48a7a7
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim slirp.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2254091e by Chris Lamb at 2020-03-09T10:06:41-07:00 data/dla-needed.txt: Claim slirp. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,8 +66,7 @@ ruby-rack NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) NOTE: 20200216: Discussion ongoing on -lts list. (lamby) -- -slirp - NOTE: 20200223: WIP. +slirp (Chris Lamb) -- squid3 (Markus Koschany) NOTE: 20200309: Requires more tests. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2254091e58cb731c479ce8cd065f107da97abe30
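Review bot: the hunk removes `NOTE: 20200223: WIP.` together with the unclaimed `slirp` line; that note recorded that work was already in progress, and dropping it loses that state without saying whether it was abandoned or taken over; keep the note, or replace it with a dated note in the style of `NOTE: 20200309: Requires more tests. (apo)` stating that the work has been taken over.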
[Git][security-tracker-team/security-tracker][master] CVE-2020-7061 only affects code with PHP_WIN32 defined
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e2f910c by Thorsten Alteholz at 2020-03-09T15:44:50+01:00 CVE-2020-7061 only affects code with PHP_WIN32 defined - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7113,10 +7113,10 @@ CVE-2020-7062 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28 NOTE: PHP Bug: http://bugs.php.net/79221 CVE-2020-7061 (In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extrac ...) - - php7.4 7.4.3-1 - - php7.3 7.3.15-1 - - php7.0 - - php5 + - php7.4 (Windows specific issue) + - php7.3 (Windows specific issue) + - php7.0 (Windows specific issue) + - php5 (Windows specific issue) NOTE: Fixed in PHP 7.4.3, 7.3.15 NOTE: PHP Bug: http://bugs.php.net/79171 CVE-2020-7060 (When using certain mbstring functions to convert multibyte encodings, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e2f910c0b6c10ecbe4bc820eb9d8f77e7abeddd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e2f910c0b6c10ecbe4bc820eb9d8f77e7abeddd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
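Review bot: The four php lines now carry only the parenthetical `(Windows specific issue)` and, at least as rendered here, no fixed version or state marker; a bare `- package` line is read as still unfixed, so make sure the Debian packages are actually marked as not affected (the issue is behind `PHP_WIN32`, per the commit message) rather than left open. The hunk also removes the `7.4.3-1` and `7.3.15-1` fixed versions from php7.4 and php7.3 while the `NOTE: Fixed in PHP 7.4.3, 7.3.15` line stays; if those uploads do contain the upstream fix, keeping the versions alongside the not-affected note costs nothing and preserves the record.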
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e58939b2 by Salvatore Bonaccorso at 2020-03-09T13:00:26+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,15 +23,15 @@ CVE-2020-10227 CVE-2020-10226 RESERVED CVE-2020-10225 (An unauthenticated file upload vulnerability has been identified in ad ...) - TODO: check + NOT-FOR-US: PHPGurukul Job Portal CVE-2020-10224 (An unauthenticated file upload vulnerability has been identified in ad ...) - TODO: check + NOT-FOR-US: PHPGurukul Online Book Store CVE-2020-10223 (npdf.dll in Nitro Pro before 13.13.2.242 is vulnerable to JBIG2Decode ...) - TODO: check + NOT-FOR-US: npdf.dll in Nitro Pro CVE-2020-10222 (npdf.dll in Nitro Pro before 13.13.2.242 is vulnerable to Heap Corrupt ...) - TODO: check + NOT-FOR-US: npdf.dll in Nitro Pro CVE-2020-10221 (lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows re ...) - TODO: check + NOT-FOR-US: rConfig CVE-2019-20504 (service/krashrpt.php in Quest KACE K1000 Systems Management Appliance ...) NOT-FOR-US: Quest KACE CVE-2016-11021 (setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remot ...) 
@@ -4016,7 +4016,7 @@ CVE-2020-8441 (JYaml through 1.3 allows remote code execution during deserializa CVE-2020-8440 (controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is ...) NOT-FOR-US: Simplejobscript.com SJS CVE-2020-8439 (Monstra CMS through 3.0.4 allows remote authenticated users to take ov ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2020-8438 (Ruckus ZoneFlex R500 104.0.0.0.1347 devices allow an authenticated att ...) NOT-FOR-US: Ruckus devices CVE-2020-8437 (The bencoding parser in BitTorrent uTorrent through 3.5.5 (build 45505 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e58939b276f4aefaad183f7933d0500204d92558 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e58939b276f4aefaad183f7933d0500204d92558 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] two sleuthkit issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ce4b628 by Moritz Muehlenhoff at 2020-03-09T12:13:42+01:00 two sleuthkit issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,15 @@ CVE-2020-10234 RESERVED CVE-2020-10233 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap- ...) - TODO: check + - sleuthkit (unimportant) + NOTE: https://github.com/sleuthkit/sleuthkit/issues/1829 + NOTE: Crash in CLI tool, no security impact CVE-2020-10232 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack ...) - TODO: check + - sleuthkit (low) + [buster] - sleuthkit (Minor issue) + [stretch] - sleuthkit (Minor issue) + NOTE: https://github.com/sleuthkit/sleuthkit/issues/1836 + NOTE: https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1 CVE-2020-10231 RESERVED CVE-2020-10230 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ce4b628bd794c9fcd9c1bf47c1a6e4e00769c2f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ce4b628bd794c9fcd9c1bf47c1a6e4e00769c2f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
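Review bot: CVE-2020-10233 gets no `[buster]`/`[stretch]` lines while CVE-2020-10232 does; if that is deliberate because the first is rated `(unimportant)` (the `NOTE: Crash in CLI tool, no security impact` supports it), fine, otherwise add them. For CVE-2020-10232 the upstream issue and fix commit are recorded, but the unstable line `- sleuthkit (low)` carries no fixed version, so the issue stays open in sid until an upload; a one-line NOTE saying why it is only `low` (same CLI-tool context?) would help the next triager, as was done for the sibling entry.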
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 84c0eb9f by Holger Levsen at 2020-03-09T11:49:57+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -16,7 +16,7 @@ amd64-microcode (Anton Gladky) NOTE: 20200224: be updated too; check dsa-needed.txt. NOTE: 20200307: maintainer contacted regarding Jessie-update -- -ansible (Mike Gabriel) +ansible NOTE: 20200219: no upstream fixes yet -- libmatio (Adrian Bunk) @@ -55,10 +55,10 @@ php5 (Utkarsh Gupta) phppgadmin NOTE: 20200218: no fix yet; wide usage -- -qemu (Utkarsh Gupta) +qemu NOTE: 20200223: WIP. -- -qtbase-opensource-src (Mike Gabriel) +qtbase-opensource-src NOTE: 20200224: No upstream fix available, yet. (sunweaver) -- ruby-rack 
@@ -66,13 +66,13 @@ ruby-rack NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) NOTE: 20200216: Discussion ongoing on -lts list. (lamby) -- -slirp (Utkarsh Gupta) +slirp NOTE: 20200223: WIP. -- squid3 (Markus Koschany) NOTE: 20200309: Requires more tests. (apo) -- -tomcat8 (Abhijith PA) +tomcat8 NOTE: 20200106: Almost done. Working on failing testcase. NOTE: 20200210: TestFormAuthenticator failing with CVE-2019-17563. backporting upstream tests (abhijith) NOTE: 20200224: Guess embedding latest branch of 8.5.x in debian package is the way to go (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84c0eb9f262887c9122cabe04226867baa03ae16 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84c0eb9f262887c9122cabe04226867baa03ae16 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
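Review bot: In the first hunk (`@@ -16,7`/`@@ -55,10`), the inactivity cut-off is applied to entries whose last note is dated 20200219 (ansible), 20200223 (qemu) and 20200224 (qtbase-opensource-src); against the commit date of 20200309 that is 19, 15 and exactly 14 days, so qtbase-opensource-src sits right on the "2 weeks" boundary, and the ansible and qtbase notes (`no upstream fixes yet`, `No upstream fix available, yet.`) describe waiting on upstream rather than inactivity. Suggest making the threshold strictly more than 14 days and pinging the claimant before unclaiming entries whose notes say they are blocked upstream.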
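Review bot: In the second hunk (`@@ -66,13`), tomcat8 is unclaimed although its notes document work actively progressing (`20200106: Almost done`, `20200210: ... backporting upstream tests`, `20200224: Guess embedding latest branch of 8.5.x ...`) and the last note is exactly 14 days old on 20200309; an entry that close to completion is likely to be reclaimed straight away, so either exclude entries with a note dated on the boundary day or contact the claimant first. slirp (last note 20200223, 15 days) is a cleaner case for the script.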
[Git][security-tracker-team/security-tracker][master] 2 commits: Update status of squid3 in dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c048c8c by Markus Koschany at 2020-03-09T11:26:37+01:00 Update status of squid3 in dla-needed.txt. - - - - - 03239c99 by Markus Koschany at 2020-03-09T11:27:27+01:00 Claim wpa in dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,19 +70,7 @@ slirp (Utkarsh Gupta) NOTE: 20200223: WIP. -- squid3 (Markus Koschany) - NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf. - NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck. - NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed. - NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not - NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that - NOTE: 20200116: addresses the vulnerabilities. (roberto) - NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID - NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy - NOTE: 20200120: to add those checks without introducing SBuf. (Ola) - NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping - NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more - NOTE: 20200120: details on the intention. (Ola) - NOTE: 20200224: Ongoing work. (apo) + NOTE: 20200309: Requires more tests. (apo) -- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. 
@@ -92,7 +80,7 @@ tomcat8 (Abhijith PA) weechat (Thorsten Alteholz) NOTE: 20200309: work is ongoing -- -wpa +wpa (Markus Koschany) NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from hostapd, which is NOTE: normally fine, but should be carefully considered for Jessie (alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/76bfb7f0c135c4b1d053aab799713767298ae7df...03239c99e4781067975f5bbdd4b3535316180682 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/76bfb7f0c135c4b1d053aab799713767298ae7df...03239c99e4781067975f5bbdd4b3535316180682 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
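Review bot: The first hunk (`@@ -70,19`) replaces thirteen lines of squid3 investigation history with the single `NOTE: 20200309: Requires more tests. (apo)`; the dropped notes record which fixes depend on the new SBuf API, that CVE-2019-12523 reduces to NID checks in parseUrn, and that the location of CVE-2019-18676 is still uncertain, which is exactly the context the next person (or the same person after a break) needs. Suggest keeping the earlier dated notes and appending the new one, as the tomcat8 entry in the context lines does. The wpa claim in the second hunk keeps its 20200218 note, which is the right pattern.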
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 76bfb7f0 by Moritz Muehlenhoff at 2020-03-09T09:42:29+01:00 NFUs imagemagick triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,9 +27,9 @@ CVE-2020-10222 (npdf.dll in Nitro Pro before 13.13.2.242 is vulnerable to Heap C CVE-2020-10221 (lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows re ...) TODO: check CVE-2019-20504 (service/krashrpt.php in Quest KACE K1000 Systems Management Appliance ...) - TODO: check + NOT-FOR-US: Quest KACE CVE-2016-11021 (setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remot ...) - TODO: check + NOT-FOR-US: D-Link CVE-2020-10220 (An issue was discovered in rConfig through 3.9.4. The web interface is ...) NOT-FOR-US: rConfig CVE-2020-10219 @@ -47,7 +47,7 @@ CVE-2020-10214 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. Th CVE-2020-10213 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They all ...) NOT-FOR-US: D-Link CVE-2020-10212 (upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via ...) - TODO: check + NOT-FOR-US: Responsive FileManager CVE-2020-10211 RESERVED CVE-2020-10210 @@ -1008,7 +1008,7 @@ CVE-2020-9758 CVE-2020-9757 (The Seomatic component before 3.2.46 for Craft CMS allows Server-Side ...) NOT-FOR-US: Seomatic component for Craft CMS CVE-2020-9756 (Patriot Viper RGB Driver 1.1 and prior exposes IOCTL and allows insuff ...) - TODO: check + NOT-FOR-US: Patriot Viper RGB Driver CVE-2020-9755 RESERVED CVE-2020-9754 @@ -1481,9 +1481,9 @@ CVE-2020-9533 CVE-2020-9532 RESERVED CVE-2020-9531 (An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. In t ...) - TODO: check + NOT-FOR-US: Xiaomi CVE-2020-9530 (An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The ...) - TODO: check + NOT-FOR-US: Xiaomi CVE-2020-9529 RESERVED CVE-2020-9528 
@@ -1611,7 +1611,7 @@ CVE-2020-9472 CVE-2020-9471 RESERVED CVE-2020-9470 (An issue was discovered in Wing FTP Server 6.2.5 before February 2020. ...) - TODO: check + NOT-FOR-US: Wing FTP Server CVE-2020-9469 RESERVED CVE-2020-9468 @@ -42781,7 +42781,9 @@ CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerabi [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13454 (ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLay ...) - - imagemagick (bug #931740) + - imagemagick (low; bug #931740) + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (low impact issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1629 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4 @@ -44132,7 +44134,9 @@ CVE-2019-12978 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerab NOTE: https://github.com/ImageMagick/ImageMagick/issues/1519 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ae1ded6140bfa8ae9f6dcba5413b72d98ed94614 CVE-2019-12977 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) - - imagemagick (bug #931191) + - imagemagick (low; bug #931191) + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1518 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e6103897fae2ed47e24b9cf7de719eea877b0504 
@@ -44144,7 +44148,9 @@ CVE-2019-12975 (ImageMagick 7.0.8-34 has a memory leak vulnerability in the Writ NOTE: https://github.com/ImageMagick/ImageMagick/issues/1517 CVE-2019-12974 (A NULL pointer dereference in the function ReadPANGOImage in coders/pa ...) {DLA-1888-1} - - imagemagick (bug #931196) + - imagemagick (low; bug #931196) + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1515 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b4391bdd60df0a77e97a6ef1674f2ffef0e19e24 CVE-2019-12973 (In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76bfb7f0c135c4b1d053aab799713767298ae7df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76bfb7f0c135c4b1d053aab799713767298ae7df You're receiving this email because of your account on
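Review bot: In the imagemagick hunks (`@@ -42781,7`, `@@ -44132,7`, `@@ -44144,7`), the new `[buster]`/`[stretch]` lines use the reason `(Minor issue)` while the existing `[jessie]` lines on the same entries say `(low impact issue)` and `(minor security impact)`; harmonising the wording makes the no-DSA reasons easier to grep. Also, all three entries still have no fixed version on the unstable line even though the upstream fix commits are linked, so they remain open in sid; if a later upload picks those commits up, remember to record the version. The NFU hunks look consistent with the neighbouring `NOT-FOR-US:` entries in context.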
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 99a09904 by Thorsten Alteholz at 2020-03-09T09:24:19+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,6 +45,7 @@ lua-cgi NOTE: 20200227: may not be entirelly reliable. One possibility is to declare it unsupported. (Ola) -- nova (Thorsten Alteholz) + NOTE: 20200309: work is ongoing -- opendmarc (Thorsten Alteholz) NOTE: 20200302: still testing package, original patch does not seem to be enough, still ongoing @@ -89,6 +90,7 @@ tomcat8 (Abhijith PA) NOTE: 20200224: Guess embedding latest branch of 8.5.x in debian package is the way to go (abhijith) -- weechat (Thorsten Alteholz) + NOTE: 20200309: work is ongoing -- wpa NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from hostapd, which is View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99a09904b9e074f5ae8e940f5314663df4d73d14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99a09904b9e074f5ae8e940f5314663df4d73d14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
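Review bot: Both added notes read only `NOTE: 20200309: work is ongoing`, with nothing on what is being worked on or what is blocking; since these notes are the only status record in dla-needed.txt and their dates feed the "semi-automatic unclaim after 2 weeks of inactivity" process seen elsewhere on this page, a few words on state (patch exists, waiting on a test, waiting on upstream) would make the entry useful to others, as the neighbouring opendmarc note does (`still testing package, original patch does not seem to be enough`).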
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 060186c2 by security tracker role at 2020-03-09T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,35 @@ +CVE-2020-10234 + RESERVED +CVE-2020-10233 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap- ...) + TODO: check +CVE-2020-10232 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack ...) + TODO: check +CVE-2020-10231 + RESERVED +CVE-2020-10230 + RESERVED +CVE-2020-10229 + RESERVED +CVE-2020-10228 + RESERVED +CVE-2020-10227 + RESERVED +CVE-2020-10226 + RESERVED +CVE-2020-10225 (An unauthenticated file upload vulnerability has been identified in ad ...) + TODO: check +CVE-2020-10224 (An unauthenticated file upload vulnerability has been identified in ad ...) + TODO: check +CVE-2020-10223 (npdf.dll in Nitro Pro before 13.13.2.242 is vulnerable to JBIG2Decode ...) + TODO: check +CVE-2020-10222 (npdf.dll in Nitro Pro before 13.13.2.242 is vulnerable to Heap Corrupt ...) + TODO: check +CVE-2020-10221 (lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows re ...) + TODO: check +CVE-2019-20504 (service/krashrpt.php in Quest KACE K1000 Systems Management Appliance ...) + TODO: check +CVE-2016-11021 (setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remot ...) + TODO: check CVE-2020-10220 (An issue was discovered in rConfig through 3.9.4. The web interface is ...) NOT-FOR-US: rConfig CVE-2020-10219 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/060186c24f4ee93a33020abe88c89e0c45d855af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/060186c24f4ee93a33020abe88c89e0c45d855af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: still ongoing
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 47e8382a by Adrian Bunk at 2020-03-09T08:11:57+02:00 dla: still ongoing - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20200223: work is ongoing + NOTE: 20200309: work is ongoing -- libmtp (Dylan Aïssi) NOTE: 20200309: WIP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47e8382a0bb749d8f9c7399f141e98ec960e0a81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47e8382a0bb749d8f9c7399f141e98ec960e0a81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
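Review bot: The hunk rewrites the date of the existing note (`20200223` to `20200309`) rather than appending a new dated line, so the record that the entry was also touched on 20200223 is lost; the older 20190428 notes on the same entry show the append style, and keeping every dated touch makes the inactivity history that the unclaim process relies on easier to read. Suggest `+ NOTE: 20200309: work is ongoing` under the existing line instead of replacing it.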