[Git][security-tracker-team/security-tracker][master] Reserve DLA-2149-1 for rails

2020-03-19 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
816694b3 by Utkarsh Gupta at 2020-03-20T05:33:34+05:30
Reserve DLA-2149-1 for rails

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[20 Mar 2020] DLA-2149-1 rails - security update
+   {CVE-2020-5267}
+   [jessie] - rails 2:4.1.8-1+deb8u6
 [19 Mar 2020] DLA-2148-1 amd64-microcode - security update
{CVE-2017-5715}
[jessie] - amd64-microcode 3.20181128.1~deb8u1


=
data/dla-needed.txt
=
@@ -62,8 +62,6 @@ phppgadmin
 qtbase-opensource-src (Mike Gabriel)
   NOTE: 20200224: No upstream fix available, yet. (sunweaver)
 --
-rails (Utkarsh Gupta)
---
 ruby-rack
   NOTE: 20191219: The security update causes a regression and also, there's a
   NOTE: slight possibility of this patch inducing a backdoor on its own. 
(utkarsh2102)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/816694b3eea624f69660ecf033d058dcb68917ce



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] thunderbird DSA

2020-03-19 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
145528be by Moritz Muehlenhoff at 2020-03-19T23:29:44+01:00
thunderbird DSA

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[19 Mar 2020] DSA-4642-1 thunderbird - security update
+   {CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 
CVE-2020-6812 CVE-2020-6814}
+   [stretch] - thunderbird 1:68.6.0-1~deb9u1
+   [buster] - thunderbird 1:68.6.0-1~deb10u1
 [16 Mar 2020] DSA-4641-1 webkit2gtk - security update
{CVE-2020-10018}
[buster] - webkit2gtk 2.26.4-1~deb10u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/145528be8583a7f42d58d036f6df0765a3cdfed1


[Git][security-tracker-team/security-tracker][master] Add python-bleach to dsa-needed list

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce7db614 by Salvatore Bonaccorso at 2020-03-19T23:09:47+01:00
Add python-bleach to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -37,6 +37,8 @@ nss/oldstable (jmm)
 --
 poppler (jmm)
 --
+python-bleach (carnil)
+--
 python-reportlab (hle)
 --
 qbittorrent



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7db614e3de4ccbc0a7fdc3abe4a101ab458915


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-6816/python-bleach as ignored for stretch

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f79fce6e by Salvatore Bonaccorso at 2020-03-19T23:04:48+01:00
Mark CVE-2020-6816/python-bleach as ignored for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2997,6 +2997,7 @@ CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the 
Admin Dashboard - Set
 CVE-2020-6816 [mutation XSS vulnerability again]
RESERVED
- python-bleach 3.1.3-1 (bug #954236)
+   [stretch] - python-bleach  (Requires invasive changes to 
address issue)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public)
NOTE: 
https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743
NOTE: 
https://github.com/mozilla/bleach/commit/175f67740e7951e1d80cefb7831e6c3e4efeb986
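Review bot: the added `[stretch] - python-bleach  (Requires invasive changes to address issue)` line has two spaces between the package name and the parenthesised reason, while the commit message says the issue is being marked as ignored for stretch; if the `<ignored>` state tag is genuinely absent from the committed line rather than only dropped in this rendering, the entry carries no ignored state at all, so verify the tag is present between the package name and the reason. It would also help to say in the reason which change is considered invasive, since the upstream fix commit is already referenced in the NOTE lines.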



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f79fce6e3eb3192e60318261ebb19f0a6cf0c23f


[Git][security-tracker-team/security-tracker][master] Add and claim rails

2020-03-19 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f302879c by Utkarsh Gupta at 2020-03-20T03:33:36+05:30
Add and claim rails

mostly because I'm the maintainer.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -62,6 +62,8 @@ phppgadmin
 qtbase-opensource-src (Mike Gabriel)
   NOTE: 20200224: No upstream fix available, yet. (sunweaver)
 --
+rails (Utkarsh Gupta)
+--
 ruby-rack
   NOTE: 20191219: The security update causes a regression and also, there's a
   NOTE: slight possibility of this patch inducing a backdoor on its own. 
(utkarsh2102)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f302879c2778b786996e7d39490bf8adfde2d5dd


[Git][security-tracker-team/security-tracker][master] Reference reported upstream issue for CVE-2014-2875

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb482d16 by Salvatore Bonaccorso at 2020-03-19T22:41:26+01:00
Reference reported upstream issue for CVE-2014-2875

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -261080,6 +261080,7 @@ CVE-2014-2876
RESERVED
 CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 
uses wea ...)
- lua-cgi  (bug #953037)
+   NOTE: https://github.com/keplerproject/cgilua/issues/17
 CVE-2013-7369 (SQL injection vulnerability in an unspecified DLL in the 
FSDBCom Activ ...)
NOT-FOR-US: F-Secure Anti-Virus
 CVE-2012-6647 (The futex_wait_requeue_pi function in kernel/futex.c in the 
Linux kern ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb482d16ae06a16a45237857d4bd05d13a89c89f


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-5267/rails

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d95c99b by Salvatore Bonaccorso at 2020-03-19T22:15:55+01:00
Add Debian bug reference for CVE-2020-5267/rails

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12248,7 +12248,7 @@ CVE-2020-5269
 CVE-2020-5268
RESERVED
 CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a 
possible ...)
-   - rails 
+   - rails  (bug #954304)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1
 CVE-2020-5266
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d95c99b0d4bbe67934fca060ae616f438170c55


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-5267/rails

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8173d647 by Salvatore Bonaccorso at 2020-03-19T22:09:37+01:00
Add CVE-2020-5267/rails

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12248,7 +12248,8 @@ CVE-2020-5269
 CVE-2020-5268
RESERVED
 CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a 
possible ...)
-   TODO: check
+   - rails 
+   NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1
 CVE-2020-5266
RESERVED
 CVE-2020-5265



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8173d647641adc93503d27d353c82da72dcb7a78


[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2020-1951/tika

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
62af581a by Salvatore Bonaccorso at 2020-03-19T22:05:30+01:00
Add Debian bug reference for CVE-2020-1951/tika

- - - - -
20641380 by Salvatore Bonaccorso at 2020-03-19T22:05:54+01:00
Add Debian bug reference for CVE-2020-1950/tika

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21314,12 +21314,12 @@ CVE-2020-1952
RESERVED
 CVE-2020-1951 [Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser]
RESERVED
-   - tika 
+   - tika  (bug #954302)
[buster] - tika  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/4
 CVE-2020-1950 [Excessive memory usage (DoS) vulnerability in Apache Tika's 
PSDParser]
RESERVED
-   - tika 
+   - tika  (bug #954303)
[buster] - tika  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/3
 CVE-2020-1949



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f799cbf263c67e6dd44898a7be7fab7ecfbbbc7a...2064138023b533c365f0b22f9e1af3881cd15c25


[Git][security-tracker-team/security-tracker][master] Remove stretch annotations for CVE-2020-195{0,1}/tika

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f799cbf2 by Salvatore Bonaccorso at 2020-03-19T21:59:28+01:00
Remove stretch annotations for CVE-2020-195{0,1}/tika

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21316,13 +21316,11 @@ CVE-2020-1951 [Infinite Loop (DoS) vulnerability in 
Apache Tika's PSDParser]
RESERVED
- tika 
[buster] - tika  (Minor issue)
-   [stretch] - tika  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/4
 CVE-2020-1950 [Excessive memory usage (DoS) vulnerability in Apache Tika's 
PSDParser]
RESERVED
- tika 
[buster] - tika  (Minor issue)
-   [stretch] - tika  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/3
 CVE-2020-1949
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f799cbf263c67e6dd44898a7be7fab7ecfbbbc7a


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e0eb05f by Salvatore Bonaccorso at 2020-03-19T21:25:44+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2020-10679
RESERVED
 CVE-2020-10678 (In Octopus Deploy before 2020.1.5, for customers running 
on-premises A ...)
-   TODO: check
+   NOT-FOR-US: Octopus Deploy
 CVE-2020-10677
RESERVED
 CVE-2020-10676
@@ -13,15 +13,15 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 
2.9.10.4 mishandles the in
 CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interact ...)
TODO: check
 CVE-2020-10671 (The Canon Oce Colorwave 500 4.0.0.0 printer's web application 
is missi ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2020-10670 (The web application exposed by the Canon Oce Colorwave 500 
4.0.0.0 pri ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2020-10669
RESERVED
 CVE-2020-10668 (The web application exposed by the Canon Oce Colorwave 500 
4.0.0.0 pri ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 
4.0.0.0 pri ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2020-10666
RESERVED
 CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary 
OS comman ...)
@@ -44,35 +44,35 @@ CVE-2019-20529 (In 
core/doctype/prepared_report/prepared_report.py in Frappe 11
 CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
NOT-FOR-US: Ignite Realtime Openfire
 CVE-2019-20527 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
-   TODO: check
+   NOT-FOR-US: Ignite Realtime Openfire
 CVE-2019-20526 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
-   TODO: check
+   NOT-FOR-US: Ignite Realtime Openfire
 CVE-2019-20525 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
-   TODO: check
+   NOT-FOR-US: Ignite Realtime Openfire
 CVE-2019-20524 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index 
Banner param ...)
-   TODO: check
+   NOT-FOR-US: ilchCMS
 CVE-2019-20523 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name 
paramet ...)
-   TODO: check
+   NOT-FOR-US: ilchCMS
 CVE-2019-20522 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link 
paramet ...)
-   TODO: check
+   NOT-FOR-US: ilchCMS
 CVE-2019-20521 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
api/ URI ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20520 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
api/meth ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20519 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
user/ UR ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20518 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
project/ ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20517 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
contact/ ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20516 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
blog/ UR ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20515 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
addresse ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20514 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
address/ ...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2019-20513 (Open edX Ironwood.1 allows support/certificates?user= 
reflected XSS. ...)
-   TODO: check
+   NOT-FOR-US: Open edX Ironwood.1
 CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= 
reflected X ...)
NOT-FOR-US: Open edX Ironwood.1
 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. 
...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e0eb05f4719006983c3413ee0c51f7054507829


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2148-1 for amd64-microcode

2020-03-19 Thread Anton Gladky


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0bde694 by Anton Gladky at 2020-03-19T21:25:31+01:00
Reserve DLA-2148-1 for amd64-microcode

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[19 Mar 2020] DLA-2148-1 amd64-microcode - security update
+   {CVE-2017-5715}
+   [jessie] - amd64-microcode 3.20181128.1~deb8u1
 [19 Mar 2020] DLA-2145-2 twisted - regression update
[jessie] - twisted 14.0.2-3+deb8u2
 [19 Mar 2020] DLA-2147-1 gdal - security update


=
data/dla-needed.txt
=
@@ -9,15 +9,6 @@ To pick an issue, simply add your name behind it. To learn 
more about how
 this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
---
-amd64-microcode (Anton Gladky)
-  NOTE: 20200224: Missing IBPB feature for Spectre variant 2 mitigation.
-  NOTE: 20200224: (Kernel support was added in 2018.)  stretch needs to
-  NOTE: 20200224: be updated too; check dsa-needed.txt.
-  NOTE: 20200307: maintainer contacted regarding Jessie-update
-  NOTE: 20200311: ask for review/test
-  NOTE: 20200312: updated package is in testing phase
-  NOTE: 20200318: Stretch should be updated first to escape higher versions in 
Jessie, #954023.
 --
 ansible
   NOTE: 20200219: no upstream fixes yet
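Review bot: the removed 20200318 note recorded that stretch should be updated first so that jessie does not end up with a higher version than stretch (#954023), and the 20200224 note that stretch needs the same update via dsa-needed.txt; dropping the whole entry from dla-needed.txt also drops that reminder. The version reserved in the data/DLA/list hunk above, 3.20181128.1~deb8u1, sorts below a plain 3.20181128.1, which addresses the ordering concern only if that is the version stretch will carry, so confirm the stretch side is still tracked in dsa-needed.txt, or carry the #954023 pointer over as a NOTE on the DLA entry.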



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0bde694e4c471d8e68059eae19b281d9ecf0ad7


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa22d909 by Salvatore Bonaccorso at 2020-03-19T21:18:04+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14898,11 +14898,11 @@ CVE-2020-4207 (IBM Watson IoT Message Gateway 
2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0
 CVE-2020-4206
RESERVED
 CVE-2020-4205 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow 
an aut ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4204 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect 
Server) 9.7, ...)
NOT-FOR-US: IBM
 CVE-2020-4203 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could 
potentially  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4202
RESERVED
 CVE-2020-4201



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa22d90957e30b6e8aa47f478bc5dfb9d0580ac7


[Git][security-tracker-team/security-tracker][master] automatic update

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f0c6f65 by security tracker role at 2020-03-19T20:10:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,17 +1,27 @@
+CVE-2020-10679
+   RESERVED
+CVE-2020-10678 (In Octopus Deploy before 2020.1.5, for customers running 
on-premises A ...)
+   TODO: check
+CVE-2020-10677
+   RESERVED
+CVE-2020-10676
+   RESERVED
+CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows 
attacker ...)
+   TODO: check
 CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interact ...)
TODO: check
 CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interact ...)
TODO: check
-CVE-2020-10671
-   RESERVED
-CVE-2020-10670
-   RESERVED
+CVE-2020-10671 (The Canon Oce Colorwave 500 4.0.0.0 printer's web application 
is missi ...)
+   TODO: check
+CVE-2020-10670 (The web application exposed by the Canon Oce Colorwave 500 
4.0.0.0 pri ...)
+   TODO: check
 CVE-2020-10669
RESERVED
-CVE-2020-10668
-   RESERVED
-CVE-2020-10667
-   RESERVED
+CVE-2020-10668 (The web application exposed by the Canon Oce Colorwave 500 
4.0.0.0 pri ...)
+   TODO: check
+CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 
4.0.0.0 pri ...)
+   TODO: check
 CVE-2020-10666
RESERVED
 CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary 
OS comman ...)
@@ -33,36 +43,36 @@ CVE-2019-20529 (In 
core/doctype/prepared_report/prepared_report.py in Frappe 11
NOT-FOR-US: Frappe Framework
 CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
NOT-FOR-US: Ignite Realtime Openfire
-CVE-2019-20527
-   RESERVED
-CVE-2019-20526
-   RESERVED
-CVE-2019-20525
-   RESERVED
-CVE-2019-20524
-   RESERVED
-CVE-2019-20523
-   RESERVED
-CVE-2019-20522
-   RESERVED
-CVE-2019-20521
-   RESERVED
-CVE-2019-20520
-   RESERVED
-CVE-2019-20519
-   RESERVED
-CVE-2019-20518
-   RESERVED
-CVE-2019-20517
-   RESERVED
-CVE-2019-20516
-   RESERVED
-CVE-2019-20515
-   RESERVED
-CVE-2019-20514
-   RESERVED
-CVE-2019-20513
-   RESERVED
+CVE-2019-20527 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
+   TODO: check
+CVE-2019-20526 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
+   TODO: check
+CVE-2019-20525 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
+   TODO: check
+CVE-2019-20524 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index 
Banner param ...)
+   TODO: check
+CVE-2019-20523 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name 
paramet ...)
+   TODO: check
+CVE-2019-20522 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link 
paramet ...)
+   TODO: check
+CVE-2019-20521 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
api/ URI ...)
+   TODO: check
+CVE-2019-20520 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
api/meth ...)
+   TODO: check
+CVE-2019-20519 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
user/ UR ...)
+   TODO: check
+CVE-2019-20518 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
project/ ...)
+   TODO: check
+CVE-2019-20517 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
contact/ ...)
+   TODO: check
+CVE-2019-20516 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
blog/ UR ...)
+   TODO: check
+CVE-2019-20515 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
addresse ...)
+   TODO: check
+CVE-2019-20514 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the 
address/ ...)
+   TODO: check
+CVE-2019-20513 (Open edX Ironwood.1 allows support/certificates?user= 
reflected XSS. ...)
+   TODO: check
 CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= 
reflected X ...)
NOT-FOR-US: Open edX Ironwood.1
 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. 
...)
@@ -91,8 +101,8 @@ CVE-2019-20510
REJECTED
 CVE-2020-10649
RESERVED
-CVE-2020-10648
-   RESERVED
+CVE-2020-10648 (Das U-Boot through 2020.01 allows attackers to bypass verified 
boot re ...)
+   TODO: check
 CVE-2020-10647
RESERVED
 CVE-2020-10646
@@ -2985,6 +2995,7 @@ CVE-2020-9337 (In GolfBuddy Course Manager 1.1, passwords 
are sent (with base64
 CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - 
Settings ...)
NOT-FOR-US: fauzantrif eLection
 CVE-2020-6816 [mutation XSS vulnerability again]
+   RESERVED
- python-bleach 3.1.3-1 (bug #954236)
NOTE: 

[Git][security-tracker-team/security-tracker][master] Don't list CVEs for the functional regression

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1eb27a6a by Salvatore Bonaccorso at 2020-03-19T20:57:48+01:00
Don't list CVEs for the functional regression

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,5 +1,4 @@
 [19 Mar 2020] DLA-2145-2 twisted - regression update
-   {CVE-2020-10108 CVE-2020-10109}
[jessie] - twisted 14.0.2-3+deb8u2
 [19 Mar 2020] DLA-2147-1 gdal - security update
{CVE-2019-17546}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1eb27a6ad3c203ff6e0e78f129faf907ddac2e01


[Git][security-tracker-team/security-tracker][master] zipios++ spu

2020-03-19 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4adbd22 by Moritz Muehlenhoff at 2020-03-19T20:06:01+01:00
zipios++ spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -51,3 +51,5 @@ CVE-2020-10174
[buster] - timeshift 19.01+ds-2+deb10u1
 CVE-2020-9543
[buster] - manila 1:7.0.0-1+deb10u1
+CVE-2019-13453
+   [buster] - zipios++ 0.1.5.9+cvs.2007.04.28-10+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4adbd22c22b9db23e0ad8272a685e9dc6630525


[Git][security-tracker-team/security-tracker][master] Don't warn about potential duplicate work when issuing a regression update; we...

2020-03-19 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3306d6a8 by Chris Lamb at 2020-03-19T17:08:24+00:00
Don't warn about potential duplicate work when issuing a regression update;
we will likely not be modifying dla-needed.txt.

- - - - -


1 changed file:

- bin/gen-DSA


Changes:

=
bin/gen-DSA
=
@@ -394,7 +394,7 @@ EOF
if [ -d .git ]; then
echo "Made the following changes:"
git diff -- data/$IDMODE/list $needed_file
-   if ! git diff-index --name-only HEAD -- $needed_file | grep -qs .; 
then
+   if ! git diff-index --name-only HEAD -- $needed_file | grep -qs . 
&& [ $TYPE = security ]; then
warn "did not make any changes to $needed_file - this may 
indicate duplicate work"
fi
fi
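Review bot: `$TYPE` is unquoted in the new `[ $TYPE = security ]` test; if TYPE is empty or unset when this branch is reached, the test degenerates to `[ = security ]` and `[` reports a syntax error instead of evaluating to false, so write it as `[ "$TYPE" = security ]` (the existing unquoted `$needed_file` in the same pipeline has the same word-splitting exposure). A one-line comment above the `if` stating that regression updates are exempt because they normally leave `$needed_file` untouched would also save the next reader a trip to the commit log.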



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3306d6a87d17b5efdd705bac6131a60ed6f82287


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2145-2 for twisted

2020-03-19 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
785fb0e5 by Chris Lamb at 2020-03-19T17:06:55+00:00
Reserve DLA-2145-2 for twisted

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[19 Mar 2020] DLA-2145-2 twisted - regression update
+   {CVE-2020-10108 CVE-2020-10109}
+   [jessie] - twisted 14.0.2-3+deb8u2
 [19 Mar 2020] DLA-2147-1 gdal - security update
{CVE-2019-17546}
[jessie] - gdal 1.10.1+dfsg-8+deb8u2
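Review bot: the `{CVE-2020-10108 CVE-2020-10109}` line attaches both CVEs to DLA-2145-2, but the entry's own title says it is a regression update rather than a fix for those issues, so the two CVEs would appear to be addressed by two separate DLAs; consider leaving the CVE line off the regression entry and keeping only the `[jessie] - twisted 14.0.2-3+deb8u2` version line.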



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/785fb0e5e6a8912085570d2c3696a9b09834aaa5


[Git][security-tracker-team/security-tracker][master] CVE-2020-6816/python-bleach assigned

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce308bc4 by Salvatore Bonaccorso at 2020-03-19T17:23:27+01:00
CVE-2020-6816/python-bleach assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2984,7 +2984,7 @@ CVE-2020-9337 (In GolfBuddy Course Manager 1.1, passwords 
are sent (with base64
NOT-FOR-US: GolfBuddy Course Manager
 CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - 
Settings ...)
NOT-FOR-US: fauzantrif eLection
-CVE-2020- [mutation XSS vulnerability again]
+CVE-2020-6816 [mutation XSS vulnerability again]
- python-bleach 3.1.3-1 (bug #954236)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public)
NOTE: 
https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743
@@ -8745,8 +8745,6 @@ CVE-2020-6818
RESERVED
 CVE-2020-6817
RESERVED
-CVE-2020-6816
-   RESERVED
 CVE-2020-6815
RESERVED
- firefox 74.0-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce308bc4f04cfeca3c6957d769675b9a5d52b6aa


[Git][security-tracker-team/security-tracker][master] twisted no-dsa

2020-03-19 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fb50483e by Moritz Muehlenhoff at 2020-03-19T16:10:29+01:00
twisted no-dsa
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -274,9 +274,9 @@ CVE-2020-10567 (An issue was discovered in Responsive 
Filemanager through 9.14.0
 CVE-2018-21036
RESERVED
 CVE-2020-10566 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 
2020-02-1 ...)
-   TODO: check
+   NOT-FOR-US: FreeBSD
 CVE-2020-10565 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 
2020-02-1 ...)
-   TODO: check
+   NOT-FOR-US: FreeBSD
 CVE-2020-10564 (An issue was discovered in the File Upload plugin before 
4.13.0 for Wo ...)
NOT-FOR-US: File Upload plugin for WordPress
 CVE-2020-10563 (An issue was discovered in DEVOME GRR before 3.4.1c. 
frmcontactlist.ph ...)
@@ -338,7 +338,7 @@ CVE-2020-10537
 CVE-2020-10536
RESERVED
 CVE-2020-10534 (In the GlobalBlocking extension before 2020-03-10 for 
MediaWiki throug ...)
-   TODO: check
+   NOT-FOR-US: MediaWiki extension
 CVE-2020-10535 (GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows 
remote at ...)
- gitlab  (Only affects Gitlab 12.8.x)
NOTE: 
https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/
@@ -1261,11 +1261,15 @@ CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 
12.0, and 12.1 allows Inform
 CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request 
splitting vu ...)
{DLA-2145-1}
- twisted  (bug #953950)
+   [buster] - twisted  (Minor issue)
+   [stretch] - twisted  (Minor issue)
NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR
NOTE: 
https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
 CVE-2020-10108 (In Twisted Web through 19.10.0, there was an HTTP request 
splitting vu ...)
{DLA-2145-1}
- twisted  (bug #953950)
+   [buster] - twisted  (Minor issue)
+   [stretch] - twisted  (Minor issue)
NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR
NOTE: 
https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
 CVE-2020-10107 (PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to 
stored XS ...)
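Review bot: the new `[buster]` and `[stretch]` lines for CVE-2020-10109 and CVE-2020-10108 downgrade both HTTP request splitting issues to "(Minor issue)" without any NOTE giving the reason, while the same two CVEs carry `{DLA-2145-1}` for jessie directly above. A one-line NOTE recording why the issue is rated minor for the newer suites would keep the no-dsa decision auditable next to the Bishop Fox and upstream-commit references already listed.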
@@ -2799,7 +2803,7 @@ CVE-2020-9410
 CVE-2020-9409
RESERVED
 CVE-2020-9408 (The Spotfire library component of TIBCO Software Inc.'s TIBCO 
Spotfire ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2020-9407 (IBL Online Weather before 4.3.5a allows attackers to obtain 
sensitive  ...)
NOT-FOR-US: IBL Online Weather
 CVE-2020-9406 (IBL Online Weather before 4.3.5a allows unauthenticated eval 
injection ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb50483e6f9c6bddfa0335eb6e51024edd5f4d37


[Git][security-tracker-team/security-tracker][master] Track proposed update for CVE-2020-9543/manila via buster-pu

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9920e7c8 by Salvatore Bonaccorso at 2020-03-19T15:27:04+01:00
Track proposed update for CVE-2020-9543/manila via buster-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -49,3 +49,5 @@ CVE-2020-7598
[buster] - node-minimist 1.2.0-1+deb10u1
 CVE-2020-10174
[buster] - timeshift 19.01+ds-2+deb10u1
+CVE-2020-9543
+   [buster] - manila 1:7.0.0-1+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9920e7c86887c886ee8e10d51334af195bf2adff


[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2ceff49 by Salvatore Bonaccorso at 2020-03-19T09:59:17+01:00
Process NFUs

- - - - -
0e2ffc26 by Salvatore Bonaccorso at 2020-03-19T09:59:19+01:00
Add CVE-2019-2045{2,3}/ajaxplorer (pydio), itped

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -687,7 +687,7 @@ CVE-2020-10367
 CVE-2020-10366
RESERVED
 CVE-2020-10365 (LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc 
populates the ...)
-   TODO: check
+   NOT-FOR-US: LogicalDoc
 CVE-2020-10364
RESERVED
 CVE-2020-10363
@@ -2698,7 +2698,7 @@ CVE-2020-9445
 CVE-2020-9444
RESERVED
 CVE-2020-9443 (Zulip Desktop before 4.0.3 loaded untrusted content in an 
Electron web ...)
-   TODO: check
+   NOT-FOR-US: Zulip Desktop (different from itp'ed zulip-server)
 CVE-2020-9442 (OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions 
for %PRO ...)
NOT-FOR-US: OpenVPN Connect on Windows
 CVE-2020-9441
@@ -2730,7 +2730,7 @@ CVE-2020-9425
 CVE-2020-9424
RESERVED
 CVE-2020-9423 (LogicalDoc before 8.3.3 could allow an attacker to upload 
arbitrary fi ...)
-   TODO: check
+   NOT-FOR-US: LogicalDoc
 CVE-2020-9422
RESERVED
 CVE-2020-9421
@@ -4021,9 +4021,9 @@ CVE-2020-8886
 CVE-2020-8885
RESERVED
 CVE-2019-20453 (A problem was found in Pydio Core before 8.2.4 and Pydio 
Enterprise be ...)
-   TODO: check
+   - ajaxplorer  (bug #668381)
 CVE-2019-20452 (A problem was found in Pydio Core before 8.2.4 and Pydio 
Enterprise be ...)
-   TODO: check
+   - ajaxplorer  (bug #668381)
 CVE-2012-6721 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the (1)  ...)
NOT-FOR-US: SocialEngine
 CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in 
SocialEngine be ...)
@@ -7678,11 +7678,11 @@ CVE-2020-7260
 CVE-2020-7259
RESERVED
 CVE-2020-7258 (Cross site scripting vulnerability in McAfee Network Security 
Manageme ...)
-   TODO: check
+   NOT-FOR-US: McAfee
 CVE-2020-7257
RESERVED
 CVE-2020-7256 (Cross site scripting vulnerability in McAfee Network Security 
Manageme ...)
-   TODO: check
+   NOT-FOR-US: McAfee
 CVE-2020-7255
RESERVED
 CVE-2020-7254 (Privilege Escalation vulnerability in the command line 
interface in Mc ...)
@@ -8337,7 +8337,7 @@ CVE-2020-7004
 CVE-2020-7003
RESERVED
 CVE-2020-7002 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and 
prior.  ...)
-   TODO: check
+   NOT-FOR-US: McAfee
 CVE-2020-7001
RESERVED
 CVE-2020-7000
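Review bot: the added line `+   NOT-FOR-US: McAfee` does not match the entry it annotates; CVE-2020-7002 describes Delta Industrial Automation CNCSoft ScreenEditor, and the sibling CVE-2020-6976 in the next hunk is annotated `NOT-FOR-US: Delta Industrial Automation CNCSoft ScreenEditor`. This looks like the McAfee line carried over from the CVE-2020-7258/CVE-2020-7256 hunks above; it should read `NOT-FOR-US: Delta Industrial Automation CNCSoft ScreenEditor`.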
@@ -8389,7 +8389,7 @@ CVE-2020-6978
 CVE-2020-6977 (A restricted desktop environment escape vulnerability exists in 
the Ki ...)
NOT-FOR-US: GE
 CVE-2020-6976 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and 
prior.  ...)
-   TODO: check
+   NOT-FOR-US: Delta Industrial Automation CNCSoft ScreenEditor
 CVE-2020-6975 (Digi International ConnectPort LTS 32 MEI, Firmware Version 
1.4.3 (820 ...)
NOT-FOR-US: Digi International ConnectPort LTS 32 MEI
 CVE-2020-6974
@@ -9187,7 +9187,7 @@ CVE-2020-6648
 CVE-2020-6647
RESERVED
 CVE-2020-6646 (An improper neutralization of input vulnerability in FortiWeb 
allows a ...)
-   TODO: check
+   NOT-FOR-US: Fortiguard
 CVE-2020-6645
RESERVED
 CVE-2020-6644
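Review bot: the description of CVE-2020-6646 names FortiWeb, but the added annotation is `NOT-FOR-US: Fortiguard`, which is the advisory source rather than the vendor or product. The other NOT-FOR-US lines in this commit name the vendor or product (LogicalDoc, McAfee, VMware), so `NOT-FOR-US: Fortinet FortiWeb` would be the consistent form.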
@@ -15393,9 +15393,9 @@ CVE-2020-3953
 CVE-2020-3952
RESERVED
 CVE-2020-3951 (VMware Workstation (15.x before 15.5.2) and Horizon Client for 
Windows ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2020-3950 (VMware Fusion (11.x before 11.5.2), VMware Remote Console for 
Mac (11. ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2020-3949
RESERVED
 CVE-2020-3948 (Linux Guest VMs running on VMware Workstation (15.x before 
15.5.2) and ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ddafc1771ed8099bb83e24c10815d4594dc3ac86...0e2ffc26ec915b96ac14d8cc49bb642a0933ff67


[Git][security-tracker-team/security-tracker][master] mark CVE-2020-10380 as no-dsa for Jessie

2020-03-19 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ddafc177 by Thorsten Alteholz at 2020-03-19T09:52:12+01:00
mark CVE-2020-10380 as no-dsa for Jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -655,6 +655,7 @@ CVE-2020-10381
RESERVED
 CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...)
- rmysql 0.10.20-1
+   [jessie] - rmysql  (Minor issue)
NOTE: Fixed by: 
https://github.com/r-dbi/RMySQL/commit/c2467c466684b4733a7b0df4689987e1f9dcfc32
NOTE: Test: 
https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40
 CVE-2020-10379
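Review bot: the added jessie line rates an SQL injection in RMySQL as "(Minor issue)" with no NOTE explaining the rating, even though the upstream fix and test commits are linked right below it. A short NOTE stating why the issue is considered minor for jessie would document the no-dsa decision for whoever revisits this entry.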



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddafc1771ed8099bb83e24c10815d4594dc3ac86


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-0556/bluez

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3110fe2 by Salvatore Bonaccorso at 2020-03-19T09:45:54+01:00
Add fixed version for CVE-2020-0556/bluez

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26735,7 +26735,7 @@ CVE-2020-0558
 CVE-2020-0557
RESERVED
 CVE-2020-0556 (Improper access control in subsystem for BlueZ before version 
5.54 may ...)
-   - bluez  (bug #953770)
+   - bluez 5.50-1.1 (bug #953770)
NOTE: 
https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-ala...@chromium.org/
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3110fe25e0998531e57ebd19ababd5d04bee35f


[Git][security-tracker-team/security-tracker][master] automatic update

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e40455d by security tracker role at 2020-03-19T08:10:37+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,20 @@
-CVE-2020-10674 [shell injection RCE]
+CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interact ...)
+   TODO: check
+CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interact ...)
+   TODO: check
+CVE-2020-10671
+   RESERVED
+CVE-2020-10670
+   RESERVED
+CVE-2020-10669
+   RESERVED
+CVE-2020-10668
+   RESERVED
+CVE-2020-10667
+   RESERVED
+CVE-2020-10666
+   RESERVED
+CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary 
OS comman ...)
- libperlspeak-perl  (bug #954238)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173
 CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT 
AUTHORITY\SYSTE ...)
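Review bot: the re-filled CVE-2020-10674 entry now sits below CVE-2020-10666, breaking the descending order the rest of this file keeps (CVE-2020-10673 down to CVE-2020-10666 above it, CVE-2020-10665 below it). Since the libperlspeak-perl line and the rt.cpan.org NOTE were carried over correctly, only the placement needs fixing: the block should move to the top of the file, above CVE-2020-10673.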
@@ -189,7 +205,7 @@ CVE-2020-10594 (An issue was discovered in drf-jwt 1.15.x 
before 1.15.1. It allo
NOT-FOR-US: drf-jwt
 CVE-2020-10593
RESERVED
-- tor 0.4.2.7-1
+   - tor 0.4.2.7-1
[buster] - tor  (Only affects tor 0.4.0.1-alpha onwards)
[stretch] - tor  (Only affects tor 0.4.0.1-alpha onwards)
[jessie] - tor  (Only affects tor 0.4.0.1-alpha onwards)
@@ -197,7 +213,7 @@ CVE-2020-10593
NOTE: https://bugs.torproject.org/33119
 CVE-2020-10592
RESERVED
-- tor 0.4.2.7-1
+   - tor 0.4.2.7-1
NOTE: https://blog.torproject.org/new-releases-03510-0419-0427
NOTE: https://bugs.torproject.org/33119
 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. 
CORS Ac ...)
@@ -669,8 +685,8 @@ CVE-2020-10367
RESERVED
 CVE-2020-10366
RESERVED
-CVE-2020-10365
-   RESERVED
+CVE-2020-10365 (LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc 
populates the ...)
+   TODO: check
 CVE-2020-10364
RESERVED
 CVE-2020-10363
@@ -2594,8 +2610,7 @@ CVE-2020-9480
RESERVED
 CVE-2020-9479
RESERVED
-CVE-2019-20485 [potential DoS by holding a monitor job while querying QEMU 
guest-agent]
-   RESERVED
+CVE-2019-20485 (qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the 
holding of a ...)
[experimental] - libvirt 6.0.0-1
- libvirt  (low; bug #953078)
[buster] - libvirt  (Minor issue)
@@ -2713,8 +2728,8 @@ CVE-2020-9425
RESERVED
 CVE-2020-9424
RESERVED
-CVE-2020-9423
-   RESERVED
+CVE-2020-9423 (LogicalDoc before 8.3.3 could allow an attacker to upload 
arbitrary fi ...)
+   TODO: check
 CVE-2020-9422
RESERVED
 CVE-2020-9421
@@ -7661,12 +7676,12 @@ CVE-2020-7260
RESERVED
 CVE-2020-7259
RESERVED
-CVE-2020-7258
-   RESERVED
+CVE-2020-7258 (Cross site scripting vulnerability in McAfee Network Security 
Manageme ...)
+   TODO: check
 CVE-2020-7257
RESERVED
-CVE-2020-7256
-   RESERVED
+CVE-2020-7256 (Cross site scripting vulnerability in McAfee Network Security 
Manageme ...)
+   TODO: check
 CVE-2020-7255
RESERVED
 CVE-2020-7254 (Privilege Escalation vulnerability in the command line 
interface in Mc ...)
@@ -19720,10 +19735,10 @@ CVE-2019-19679 (In "Xray Test Management for Jira" 
prior to version 3.5.5, remot
NOT-FOR-US: Xray Test Management for Jira
 CVE-2019-19678 (In "Xray Test Management for Jira" prior to version 3.5.5, 
remote auth ...)
NOT-FOR-US: Xray Test Management for Jira
-CVE-2019-19677
-   RESERVED
-CVE-2019-19676
-   RESERVED
+CVE-2019-19677 (arxes-tolina 3.0.0 allows User Enumeration. ...)
+   TODO: check
+CVE-2019-19676 (A CSV injection in arxes-tolina 3.0.0 allows malicious users 
to gain r ...)
+   TODO: check
 CVE-2019-19675 (In Ivanti Workspace Control before 10.3.180.0. a locally 
authenticated ...)
NOT-FOR-US: Ivanti Workspace Control
 CVE-2019-19674
@@ -23411,8 +23426,8 @@ CVE-2019-18981 (Pimcore before 6.2.2 lacks an Access 
Denied outcome for a certai
NOT-FOR-US: Pimcore
 CVE-2019-18980 (On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 
9290022 ...)
NOT-FOR-US: Signify Philips Taolight
-CVE-2019-18979
-   RESERVED
+CVE-2019-18979 (Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a 
quarantine fla ...)
+   TODO: check
 CVE-2019-18978 (An issue was discovered in the rack-cors (aka Rack CORS 
Middleware) ge ...)
{DLA-2096-1}
- ruby-rack-cors 1.1.1-1 (bug #944849)
@@ -30281,7 +30296,7 @@ CVE-2019-17547 (In ImageMagick before 7.0.8-62, 
TraceBezier in MagickCore/draw.c
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16537
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/ecf7c6b288e11e7e7f75387c5e9e93e423b98397
 

[Git][security-tracker-team/security-tracker][master] Add information on CVE-2020-1059{2,3}

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ddc9d4d by Salvatore Bonaccorso at 2020-03-19T08:38:20+01:00
Add information on CVE-2020-1059{2,3}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -189,8 +189,17 @@ CVE-2020-10594 (An issue was discovered in drf-jwt 1.15.x 
before 1.15.1. It allo
NOT-FOR-US: drf-jwt
 CVE-2020-10593
RESERVED
+- tor 0.4.2.7-1
+   [buster] - tor  (Only affects tor 0.4.0.1-alpha onwards)
+   [stretch] - tor  (Only affects tor 0.4.0.1-alpha onwards)
+   [jessie] - tor  (Only affects tor 0.4.0.1-alpha onwards)
+   NOTE: https://blog.torproject.org/new-releases-03510-0419-0427
+   NOTE: https://bugs.torproject.org/33119
 CVE-2020-10592
RESERVED
+- tor 0.4.2.7-1
+   NOTE: https://blog.torproject.org/new-releases-03510-0419-0427
+   NOTE: https://bugs.torproject.org/33119
 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. 
CORS Ac ...)
NOT-FOR-US: Walmart Labs Concord
 CVE-2020-10590
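Review bot: the two added `+- tor 0.4.2.7-1` lines are at column 0, unlike the `[buster]`, `[stretch]`, `[jessie]` and NOTE lines beneath them and the other package lines in data/CVE/list; they should be indented as `   - tor 0.4.2.7-1`. The "automatic update" commit 8e40455d in this digest reindents exactly these two lines (`-- tor 0.4.2.7-1` / `+   - tor 0.4.2.7-1`), which confirms the formatting problem.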



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ddc9d4d6977ee0827650c43ae7698f7cfc86a42


[Git][security-tracker-team/security-tracker][master] new chromium issues

2020-03-19 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc723a0f by Moritz Muehlenhoff at 2020-03-19T08:28:06+01:00
new chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1051,12 +1051,13 @@ CVE-2019-20503 (usrsctp before 2019-12-20 has 
out-of-bounds reads in sctp_load_a
- firefox 74.0-1
- firefox-esr 68.6.0esr-1
- thunderbird 1:68.6.0-1
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2019-20503
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2019-20503
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2019-20503
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992
NOTE: 
https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467
-   TODO: check, other sources thunderbird and chromium embed the library
 CVE-2020-10187
RESERVED
 CVE-2020-10186
@@ -9605,6 +9606,8 @@ CVE-2020-6450
RESERVED
 CVE-2020-6449
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6448
RESERVED
 CVE-2020-6447
@@ -9645,20 +9648,34 @@ CVE-2020-6430
RESERVED
 CVE-2020-6429
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6428
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6427
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6426
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6425
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6424
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6423
RESERVED
 CVE-2020-6422
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-6421
RESERVED
 CVE-2020-6420
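Review bot: CVE-2020-6423 and CVE-2020-6421 are left as bare RESERVED entries while CVE-2020-6429 through CVE-2020-6424 and CVE-2020-6422 each get the `- chromium` / `[stretch] - chromium (see DSA 4562)` pair. If those two belong to the same Chromium release they need the same lines; if they are deliberately excluded, a NOTE saying so would stop the gap from being re-triaged later.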



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc723a0fefa5a5b78ca621ef67cd4e34e5d8ce26


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1757/undertow

2020-03-19 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f6819735 by Salvatore Bonaccorso at 2020-03-19T07:59:47+01:00
Add CVE-2020-1757/undertow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22056,6 +22056,8 @@ CVE-2020-1758
RESERVED
 CVE-2020-1757
RESERVED
+   - undertow 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1752770
 CVE-2020-1756
RESERVED
 CVE-2020-1755



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f68197354a749fd5a26d1b0c3d25d2e768c04858
