[Git][security-tracker-team/security-tracker][master] Reserve DLA-2149-1 for rails
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 816694b3 by Utkarsh Gupta at 2020-03-20T05:33:34+05:30 Reserve DLA-2149-1 for rails - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Mar 2020] DLA-2149-1 rails - security update + {CVE-2020-5267} + [jessie] - rails 2:4.1.8-1+deb8u6 [19 Mar 2020] DLA-2148-1 amd64-microcode - security update {CVE-2017-5715} [jessie] - amd64-microcode 3.20181128.1~deb8u1 = data/dla-needed.txt = @@ -62,8 +62,6 @@ phppgadmin qtbase-opensource-src (Mike Gabriel) NOTE: 20200224: No upstream fix available, yet. (sunweaver) -- -rails (Utkarsh Gupta) --- ruby-rack NOTE: 20191219: The security update causes a regression and also, there's a NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/816694b3eea624f69660ecf033d058dcb68917ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/816694b3eea624f69660ecf033d058dcb68917ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
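Review bot: the data/DLA/list hunk marks CVE-2020-5267 as fixed in jessie at 2:4.1.8-1+deb8u6, while the CVE description (see the "Add CVE-2020-5267/rails" commit below) scopes the upstream fix to ActionView 5.2.4.2 and 6.0.2.2, so this is a backport to the 4.1 branch; add a NOTE with the backported upstream commit to the CVE-2020-5267 entry in data/CVE/list so the jessie patch can be audited against it. The dla-needed.txt removal matches the claim added two hours earlier in f302879c.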
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 145528be by Moritz Muehlenhoff at 2020-03-19T23:29:44+01:00 thunderbird DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[19 Mar 2020] DSA-4642-1 thunderbird - security update + {CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814} + [stretch] - thunderbird 1:68.6.0-1~deb9u1 + [buster] - thunderbird 1:68.6.0-1~deb10u1 [16 Mar 2020] DSA-4641-1 webkit2gtk - security update {CVE-2020-10018} [buster] - webkit2gtk 2.26.4-1~deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/145528be8583a7f42d58d036f6df0765a3cdfed1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/145528be8583a7f42d58d036f6df0765a3cdfed1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add python-bleach to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce7db614 by Salvatore Bonaccorso at 2020-03-19T23:09:47+01:00 Add python-bleach to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -37,6 +37,8 @@ nss/oldstable (jmm) -- poppler (jmm) -- +python-bleach (carnil) +-- python-reportlab (hle) -- qbittorrent View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7db614e3de4ccbc0a7fdc3abe4a101ab458915 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7db614e3de4ccbc0a7fdc3abe4a101ab458915 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-6816/python-bleach as ignored for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f79fce6e by Salvatore Bonaccorso at 2020-03-19T23:04:48+01:00 Mark CVE-2020-6816/python-bleach as ignored for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2997,6 +2997,7 @@ CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - Set CVE-2020-6816 [mutation XSS vulnerability again] RESERVED - python-bleach 3.1.3-1 (bug #954236) + [stretch] - python-bleach (Requires invasive changes to address issue) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 NOTE: https://github.com/mozilla/bleach/commit/175f67740e7951e1d80cefb7831e6c3e4efeb986 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f79fce6e3eb3192e60318261ebb19f0a6cf0c23f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f79fce6e3eb3192e60318261ebb19f0a6cf0c23f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
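Review bot: the added `[stretch] - python-bleach (Requires invasive changes to address issue)` line shows a reason but no status tag between the package and the reason; the ignored state the commit title describes is written `[stretch] - python-bleach <ignored> (Requires invasive changes to address issue)` in data/CVE/list, so make sure the `<ignored>` tag is present in the file (angle-bracket tags are easily lost in rendered diffs). A NOTE saying which part of the linked upstream fix (175f67740e) is the invasive change would let the next reader verify the ignore without re-triaging.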
[Git][security-tracker-team/security-tracker][master] Add and claim rails
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: f302879c by Utkarsh Gupta at 2020-03-20T03:33:36+05:30 Add and claim rails mostly because I'm the maintainer. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,6 +62,8 @@ phppgadmin qtbase-opensource-src (Mike Gabriel) NOTE: 20200224: No upstream fix available, yet. (sunweaver) -- +rails (Utkarsh Gupta) +-- ruby-rack NOTE: 20191219: The security update causes a regression and also, there's a NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f302879c2778b786996e7d39490bf8adfde2d5dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f302879c2778b786996e7d39490bf8adfde2d5dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
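Review bot: the new `rails (Utkarsh Gupta)` entry carries no NOTE line, while the neighbouring entries (qtbase-opensource-src, ruby-rack) record a dated NOTE with the state of the issue; add something like `NOTE: 20200319: CVE-2020-5267, upstream fix is for 5.2.4.2/6.0.2.2, needs a backport to 4.1.8` so the claim is traceable from dla-needed.txt itself rather than only from the commit message.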
[Git][security-tracker-team/security-tracker][master] Reference reported upstream issue for CVE-2014-2875
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb482d16 by Salvatore Bonaccorso at 2020-03-19T22:41:26+01:00 Reference reported upstream issue for CVE-2014-2875 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -261080,6 +261080,7 @@ CVE-2014-2876 RESERVED CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...) - lua-cgi (bug #953037) + NOTE: https://github.com/keplerproject/cgilua/issues/17 CVE-2013-7369 (SQL injection vulnerability in an unspecified DLL in the FSDBCom Activ ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2012-6647 (The futex_wait_requeue_pi function in kernel/futex.c in the Linux kern ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb482d16ae06a16a45237857d4bd05d13a89c89f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb482d16ae06a16a45237857d4bd05d13a89c89f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-5267/rails
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d95c99b by Salvatore Bonaccorso at 2020-03-19T22:15:55+01:00 Add Debian bug reference for CVE-2020-5267/rails - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12248,7 +12248,7 @@ CVE-2020-5269 CVE-2020-5268 RESERVED CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...) - - rails + - rails (bug #954304) NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1 CVE-2020-5266 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d95c99b0d4bbe67934fca060ae616f438170c55 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d95c99b0d4bbe67934fca060ae616f438170c55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-5267/rails
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8173d647 by Salvatore Bonaccorso at 2020-03-19T22:09:37+01:00 Add CVE-2020-5267/rails - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12248,7 +12248,8 @@ CVE-2020-5269 CVE-2020-5268 RESERVED CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...) - TODO: check + - rails + NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1 CVE-2020-5266 RESERVED CVE-2020-5265 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8173d647641adc93503d27d353c82da72dcb7a78 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8173d647641adc93503d27d353c82da72dcb7a78 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
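Review bot: the entry replaces `TODO: check` with a bare `- rails` and a single NOTE pointing at the oss-security post; add the upstream fix commit or advisory as a second NOTE, and record the `[buster]`/`[stretch]` status once triaged, since the description limits the fixed versions to 5.2.4.2 and 6.0.2.2 and the stable branches will need either a backport or an explicit no-dsa decision.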
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2020-1951/tika
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62af581a by Salvatore Bonaccorso at 2020-03-19T22:05:30+01:00 Add Debian bug reference for CVE-2020-1951/tika - - - - - 20641380 by Salvatore Bonaccorso at 2020-03-19T22:05:54+01:00 Add Debian bug reference for CVE-2020-1950/tika - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21314,12 +21314,12 @@ CVE-2020-1952 RESERVED CVE-2020-1951 [Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser] RESERVED - - tika + - tika (bug #954302) [buster] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/4 CVE-2020-1950 [Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser] RESERVED - - tika + - tika (bug #954303) [buster] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/3 CVE-2020-1949 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f799cbf263c67e6dd44898a7be7fab7ecfbbbc7a...2064138023b533c365f0b22f9e1af3881cd15c25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f799cbf263c67e6dd44898a7be7fab7ecfbbbc7a...2064138023b533c365f0b22f9e1af3881cd15c25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove stretch annotations for CVE-2020-195{0,1}/tika
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f799cbf2 by Salvatore Bonaccorso at 2020-03-19T21:59:28+01:00 Remove stretch annotations for CVE-2020-195{0,1}/tika - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21316,13 +21316,11 @@ CVE-2020-1951 [Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser] RESERVED - tika [buster] - tika (Minor issue) - [stretch] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/4 CVE-2020-1950 [Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser] RESERVED - tika [buster] - tika (Minor issue) - [stretch] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/3 CVE-2020-1949 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f799cbf263c67e6dd44898a7be7fab7ecfbbbc7a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f799cbf263c67e6dd44898a7be7fab7ecfbbbc7a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
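Review bot: the two `[stretch] - tika (Minor issue)` lines are removed without the commit saying why; if tika is not shipped in stretch the removal is right, but state that in the commit message or a NOTE so the next triager does not re-add them. The remaining `[buster] - tika (Minor issue)` lines show only a reason and no status tag; a no-dsa decision is written `[buster] - tika <no-dsa> (Minor issue)`, so check the tag is present in the file.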
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e0eb05f by Salvatore Bonaccorso at 2020-03-19T21:25:44+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2020-10679 RESERVED CVE-2020-10678 (In Octopus Deploy before 2020.1.5, for customers running on-premises A ...) - TODO: check + NOT-FOR-US: Octopus Deploy CVE-2020-10677 RESERVED CVE-2020-10676 @@ -13,15 +13,15 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) TODO: check CVE-2020-10671 (The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missi ...) - TODO: check + NOT-FOR-US: Canon CVE-2020-10670 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) - TODO: check + NOT-FOR-US: Canon CVE-2020-10669 RESERVED CVE-2020-10668 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) - TODO: check + NOT-FOR-US: Canon CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) - TODO: check + NOT-FOR-US: Canon CVE-2020-10666 RESERVED CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...) 
@@ -44,35 +44,35 @@ CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 11 CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20527 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) - TODO: check + NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20526 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) - TODO: check + NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20525 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) - TODO: check + NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20524 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner param ...) - TODO: check + NOT-FOR-US: ilchCMS CVE-2019-20523 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name paramet ...) - TODO: check + NOT-FOR-US: ilchCMS CVE-2019-20522 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link paramet ...) - TODO: check + NOT-FOR-US: ilchCMS CVE-2019-20521 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2019-20520 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/meth ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2019-20519 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ UR ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2019-20518 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2019-20517 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2019-20516 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ UR ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2019-20515 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresse ...) 
- TODO: check + NOT-FOR-US: ERPNext CVE-2019-20514 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2019-20513 (Open edX Ironwood.1 allows support/certificates?user= reflected XSS. ...) - TODO: check + NOT-FOR-US: Open edX Ironwood.1 CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= reflected X ...) NOT-FOR-US: Open edX Ironwood.1 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e0eb05f4719006983c3413ee0c51f7054507829 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e0eb05f4719006983c3413ee0c51f7054507829 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
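Review bot: the two jackson-databind entries in the first hunk (CVE-2020-10673 and CVE-2020-10672) are left at `TODO: check` while every entry around them is resolved to NOT-FOR-US; jackson-databind is a Debian source package, so those two need a `- jackson-databind` line and a severity decision rather than being carried as open TODOs through the NFU pass. The `NOT-FOR-US: Open edX Ironwood.1` label also carries a version, unlike the other NFU labels in this batch; `NOT-FOR-US: Open edX` keeps the file consistent.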
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2148-1 for amd64-microcode
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f0bde694 by Anton Gladky at 2020-03-19T21:25:31+01:00 Reserve DLA-2148-1 for amd64-microcode - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Mar 2020] DLA-2148-1 amd64-microcode - security update + {CVE-2017-5715} + [jessie] - amd64-microcode 3.20181128.1~deb8u1 [19 Mar 2020] DLA-2145-2 twisted - regression update [jessie] - twisted 14.0.2-3+deb8u2 [19 Mar 2020] DLA-2147-1 gdal - security update = data/dla-needed.txt = @@ -9,15 +9,6 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues --- -amd64-microcode (Anton Gladky) - NOTE: 20200224: Missing IBPB feature for Spectre variant 2 mitigation. - NOTE: 20200224: (Kernel support was added in 2018.) stretch needs to - NOTE: 20200224: be updated too; check dsa-needed.txt. - NOTE: 20200307: maintainer contacted regarding Jessie-update - NOTE: 20200311: ask for review/test - NOTE: 20200312: updated package is in testing phase - NOTE: 20200318: Stretch should be updated first to escape higher versions in Jessie, #954023. -- ansible NOTE: 20200219: no upstream fixes yet View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0bde694e4c471d8e68059eae19b281d9ecf0ad7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0bde694e4c471d8e68059eae19b281d9ecf0ad7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
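Review bot: the dla-needed.txt hunk drops the entry together with its `NOTE: 20200318` about #954023 (stretch must be updated first so jessie does not end up with the higher version), and the DLA entry uses 3.20181128.1~deb8u1; the `~deb8u1` suffix sorts below a plain 3.20181128.1 and below a `~deb9u1` build, so the upgrade path is safe only if the stretch side ends up at 3.20181128.1 with a `~deb9u` suffix. Confirm the stretch entry is still tracked in dsa-needed.txt, since the removed notes say stretch needs the same update and this commit only closes the jessie side.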
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aa22d909 by Salvatore Bonaccorso at 2020-03-19T21:18:04+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14898,11 +14898,11 @@ CVE-2020-4207 (IBM Watson IoT Message Gateway 2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0 CVE-2020-4206 RESERVED CVE-2020-4205 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow an aut ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4204 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4203 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could potentially ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4202 RESERVED CVE-2020-4201 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa22d90957e30b6e8aa47f478bc5dfb9d0580ac7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa22d90957e30b6e8aa47f478bc5dfb9d0580ac7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f0c6f65 by security tracker role at 2020-03-19T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,17 +1,27 @@ +CVE-2020-10679 + RESERVED +CVE-2020-10678 (In Octopus Deploy before 2020.1.5, for customers running on-premises A ...) + TODO: check +CVE-2020-10677 + RESERVED +CVE-2020-10676 + RESERVED +CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows attacker ...) + TODO: check CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) TODO: check CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) TODO: check -CVE-2020-10671 - RESERVED -CVE-2020-10670 - RESERVED +CVE-2020-10671 (The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missi ...) + TODO: check +CVE-2020-10670 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) + TODO: check CVE-2020-10669 RESERVED -CVE-2020-10668 - RESERVED -CVE-2020-10667 - RESERVED +CVE-2020-10668 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) + TODO: check +CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) + TODO: check CVE-2020-10666 RESERVED CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...) 
@@ -33,36 +43,36 @@ CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 11 NOT-FOR-US: Frappe Framework CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) NOT-FOR-US: Ignite Realtime Openfire -CVE-2019-20527 - RESERVED -CVE-2019-20526 - RESERVED -CVE-2019-20525 - RESERVED -CVE-2019-20524 - RESERVED -CVE-2019-20523 - RESERVED -CVE-2019-20522 - RESERVED -CVE-2019-20521 - RESERVED -CVE-2019-20520 - RESERVED -CVE-2019-20519 - RESERVED -CVE-2019-20518 - RESERVED -CVE-2019-20517 - RESERVED -CVE-2019-20516 - RESERVED -CVE-2019-20515 - RESERVED -CVE-2019-20514 - RESERVED -CVE-2019-20513 - RESERVED +CVE-2019-20527 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) + TODO: check +CVE-2019-20526 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) + TODO: check +CVE-2019-20525 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) + TODO: check +CVE-2019-20524 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner param ...) + TODO: check +CVE-2019-20523 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name paramet ...) + TODO: check +CVE-2019-20522 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link paramet ...) + TODO: check +CVE-2019-20521 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI ...) + TODO: check +CVE-2019-20520 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/meth ...) + TODO: check +CVE-2019-20519 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ UR ...) + TODO: check +CVE-2019-20518 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ ...) + TODO: check +CVE-2019-20517 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ ...) + TODO: check +CVE-2019-20516 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ UR ...) 
+ TODO: check +CVE-2019-20515 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresse ...) + TODO: check +CVE-2019-20514 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ ...) + TODO: check +CVE-2019-20513 (Open edX Ironwood.1 allows support/certificates?user= reflected XSS. ...) + TODO: check CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= reflected X ...) NOT-FOR-US: Open edX Ironwood.1 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) @@ -91,8 +101,8 @@ CVE-2019-20510 REJECTED CVE-2020-10649 RESERVED -CVE-2020-10648 - RESERVED +CVE-2020-10648 (Das U-Boot through 2020.01 allows attackers to bypass verified boot re ...) + TODO: check CVE-2020-10647 RESERVED CVE-2020-10646 @@ -2985,6 +2995,7 @@ CVE-2020-9337 (In GolfBuddy Course Manager 1.1, passwords are sent (with base64 CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - Settings ...) NOT-FOR-US: fauzantrif eLection CVE-2020-6816 [mutation XSS vulnerability again] + RESERVED - python-bleach 3.1.3-1 (bug #954236) NOTE:
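Review bot: CVE-2020-10648 (Das U-Boot verified boot bypass) enters as `TODO: check` in the fourth hunk; u-boot is a Debian source package, so this one needs a package line and a triage decision rather than being swept along with the NFU passes above, which do not touch it. The last hunk re-inserts a `RESERVED` line under the existing CVE-2020-6816 entry because the manual rename in ce308bc4 deleted the stub's RESERVED line along with the stub; harmless, but worth knowing when reading the entry.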
[Git][security-tracker-team/security-tracker][master] Don't list CVEs for the functional regression
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1eb27a6a by Salvatore Bonaccorso at 2020-03-19T20:57:48+01:00 Don't list CVEs for the functional regression - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,5 +1,4 @@ [19 Mar 2020] DLA-2145-2 twisted - regression update - {CVE-2020-10108 CVE-2020-10109} [jessie] - twisted 14.0.2-3+deb8u2 [19 Mar 2020] DLA-2147-1 gdal - security update {CVE-2019-17546} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1eb27a6ad3c203ff6e0e78f129faf907ddac2e01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1eb27a6ad3c203ff6e0e78f129faf907ddac2e01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
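Review bot: dropping the `{CVE-2020-10108 CVE-2020-10109}` line from the DLA-2145-2 entry is right: a regression update fixes no CVE, and the CVE entries already map both issues to `{DLA-2145-1}` (see the "twisted no-dsa" commit below), so keeping the list here would attach the same CVEs to two advisories. Consider having gen-DSA omit the CVE block when the entry type is regression, in the same place where 3306d6a8 below already special-cases `TYPE` for the dla-needed.txt warning, so this cleanup does not have to be done by hand.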
[Git][security-tracker-team/security-tracker][master] zipios++ spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a4adbd22 by Moritz Muehlenhoff at 2020-03-19T20:06:01+01:00 zipios++ spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -51,3 +51,5 @@ CVE-2020-10174 [buster] - timeshift 19.01+ds-2+deb10u1 CVE-2020-9543 [buster] - manila 1:7.0.0-1+deb10u1 +CVE-2019-13453 + [buster] - zipios++ 0.1.5.9+cvs.2007.04.28-10+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4adbd22c22b9db23e0ad8272a685e9dc6630525 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4adbd22c22b9db23e0ad8272a685e9dc6630525 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Don't warn about potential duplicate work when issuing a regression update; we...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 3306d6a8 by Chris Lamb at 2020-03-19T17:08:24+00:00 Don't warn about potential duplicate work when issuing a regression update; we will likely not be modifying dla-needed.txt. - - - - - 1 changed file: - bin/gen-DSA Changes: = bin/gen-DSA = @@ -394,7 +394,7 @@ EOF if [ -d .git ]; then echo "Made the following changes:" git diff -- data/$IDMODE/list $needed_file - if ! git diff-index --name-only HEAD -- $needed_file | grep -qs .; then + if ! git diff-index --name-only HEAD -- $needed_file | grep -qs . && [ $TYPE = security ]; then warn "did not make any changes to $needed_file - this may indicate duplicate work" fi fi View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3306d6a87d17b5efdd705bac6131a60ed6f82287 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3306d6a87d17b5efdd705bac6131a60ed6f82287 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
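Review bot: `$TYPE` is unquoted in the new `[ $TYPE = security ]`; if TYPE is unset or empty the test degrades to `[ = security ]` and `[` aborts with "unary operator expected" instead of simply skipping the warning. Use `[ "$TYPE" = security ]`, and quote `$needed_file` in the `git diff-index` call while touching the line. The grouping is otherwise correct: `!` negates only the `git diff-index ... | grep -qs .` pipeline, so the warning fires when the needed file is unchanged and the advisory type is security, which is what the commit message asks for.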
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2145-2 for twisted
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 785fb0e5 by Chris Lamb at 2020-03-19T17:06:55+00:00 Reserve DLA-2145-2 for twisted - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Mar 2020] DLA-2145-2 twisted - regression update + {CVE-2020-10108 CVE-2020-10109} + [jessie] - twisted 14.0.2-3+deb8u2 [19 Mar 2020] DLA-2147-1 gdal - security update {CVE-2019-17546} [jessie] - gdal 1.10.1+dfsg-8+deb8u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/785fb0e5e6a8912085570d2c3696a9b09834aaa5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/785fb0e5e6a8912085570d2c3696a9b09834aaa5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
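Review bot: the regression-update entry carries a `{CVE-2020-10108 CVE-2020-10109}` line even though both CVEs were already closed by DLA-2145-1 (the CVE entries show `{DLA-2145-1}` in the "twisted no-dsa" commit below), and the follow-up commit 1eb27a6a removes the line again. gen-DSA should not emit a CVE block for a regression entry; that belongs next to the TYPE check introduced in 3306d6a8.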
[Git][security-tracker-team/security-tracker][master] CVE-2020-6816/python-bleach assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce308bc4 by Salvatore Bonaccorso at 2020-03-19T17:23:27+01:00 CVE-2020-6816/python-bleach assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2984,7 +2984,7 @@ CVE-2020-9337 (In GolfBuddy Course Manager 1.1, passwords are sent (with base64 NOT-FOR-US: GolfBuddy Course Manager CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - Settings ...) NOT-FOR-US: fauzantrif eLection -CVE-2020- [mutation XSS vulnerability again] +CVE-2020-6816 [mutation XSS vulnerability again] - python-bleach 3.1.3-1 (bug #954236) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 @@ -8745,8 +8745,6 @@ CVE-2020-6818 RESERVED CVE-2020-6817 RESERVED -CVE-2020-6816 - RESERVED CVE-2020-6815 RESERVED - firefox 74.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce308bc4f04cfeca3c6957d769675b9a5d52b6aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce308bc4f04cfeca3c6957d769675b9a5d52b6aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
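Review bot: the second hunk deletes the `CVE-2020-6816` / `RESERVED` stub entirely rather than moving the RESERVED line under the renamed entry; the ID has no public description yet (the linked Mozilla bug is marked "not public"), so the entry should keep its RESERVED marker, and the next automatic update (2f0c6f65) indeed re-adds it. When claiming a reserved ID for a placeholder entry, keep the RESERVED line to avoid that churn.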
[Git][security-tracker-team/security-tracker][master] twisted no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fb50483e by Moritz Muehlenhoff at 2020-03-19T16:10:29+01:00 twisted no-dsa NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -274,9 +274,9 @@ CVE-2020-10567 (An issue was discovered in Responsive Filemanager through 9.14.0 CVE-2018-21036 RESERVED CVE-2020-10566 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-1 ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2020-10565 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-1 ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2020-10564 (An issue was discovered in the File Upload plugin before 4.13.0 for Wo ...) NOT-FOR-US: File Upload plugin for WordPress CVE-2020-10563 (An issue was discovered in DEVOME GRR before 3.4.1c. frmcontactlist.ph ...) @@ -338,7 +338,7 @@ CVE-2020-10537 CVE-2020-10536 RESERVED CVE-2020-10534 (In the GlobalBlocking extension before 2020-03-10 for MediaWiki throug ...) - TODO: check + NOT-FOR-US: MediaWiki extension CVE-2020-10535 (GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote at ...) - gitlab (Only affects Gitlab 12.8.x) NOTE: https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/ 
@@ -1261,11 +1261,15 @@ CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Inform CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...) {DLA-2145-1} - twisted (bug #953950) + [buster] - twisted (Minor issue) + [stretch] - twisted (Minor issue) NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281 CVE-2020-10108 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...) {DLA-2145-1} - twisted (bug #953950) + [buster] - twisted (Minor issue) + [stretch] - twisted (Minor issue) NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281 CVE-2020-10107 (PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XS ...) @@ -2799,7 +2803,7 @@ CVE-2020-9410 CVE-2020-9409 RESERVED CVE-2020-9408 (The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2020-9407 (IBL Online Weather before 4.3.5a allows attackers to obtain sensitive ...) NOT-FOR-US: IBL Online Weather CVE-2020-9406 (IBL Online Weather before 4.3.5a allows unauthenticated eval injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb50483e6f9c6bddfa0335eb6e51024edd5f4d37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb50483e6f9c6bddfa0335eb6e51024edd5f4d37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
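Review bot: in the CVE-2020-10109 and CVE-2020-10108 hunks (@@ -1261) buster and stretch are marked `(Minor issue)` for an HTTP request splitting bug that already received DLA-2145-1 for jessie; a NOTE stating why the stable suites get no-dsa (for example that the fix is planned through a point update) would make the apparent inconsistency with the jessie DLA understandable later. Both entries also reference the same `#INOR` anchor of the Bishop Fox advisory, so check that the anchor applies to both ids.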
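Review bot: the two grub2-bhyve hunks (@@ -274) resolve `TODO: check` as `NOT-FOR-US: FreeBSD`, but the description says the issue is in grub2-bhyve "as used in FreeBSD bhyve", and Debian does ship grub2; a NOTE recording that the flaw is confined to the bhyve fork and not present in the shared grub2 code would justify the NOT-FOR-US and stop the question being re-opened.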
[Git][security-tracker-team/security-tracker][master] Track proposed update for CVE-2020-9543/manila via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9920e7c8 by Salvatore Bonaccorso at 2020-03-19T15:27:04+01:00 Track proposed update for CVE-2020-9543/manila via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -49,3 +49,5 @@ CVE-2020-7598 [buster] - node-minimist 1.2.0-1+deb10u1 CVE-2020-10174 [buster] - timeshift 19.01+ds-2+deb10u1 +CVE-2020-9543 + [buster] - manila 1:7.0.0-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9920e7c86887c886ee8e10d51334af195bf2adff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9920e7c86887c886ee8e10d51334af195bf2adff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
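Review bot: the new next-point-update.txt entry records a buster-pu target of `manila 1:7.0.0-1+deb10u1` for CVE-2020-9543, but this commit does not touch data/CVE/list; the CVE entry should carry a matching [buster] annotation (or NOTE) so the two files do not drift while the point update is pending, and the version should be re-checked against what the release team actually accepts.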
[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2ceff49 by Salvatore Bonaccorso at 2020-03-19T09:59:17+01:00 Process NFUs - - - - - 0e2ffc26 by Salvatore Bonaccorso at 2020-03-19T09:59:19+01:00 Add CVE-2019-2045{2,3}/ajaxplorer (pydio), itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -687,7 +687,7 @@ CVE-2020-10367 CVE-2020-10366 RESERVED CVE-2020-10365 (LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the ...) - TODO: check + NOT-FOR-US: LogicalDoc CVE-2020-10364 RESERVED CVE-2020-10363 @@ -2698,7 +2698,7 @@ CVE-2020-9445 CVE-2020-9444 RESERVED CVE-2020-9443 (Zulip Desktop before 4.0.3 loaded untrusted content in an Electron web ...) - TODO: check + NOT-FOR-US: Zulip Desktop (different from itp'ed zulip-server) CVE-2020-9442 (OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PRO ...) NOT-FOR-US: OpenVPN Connect on Windows CVE-2020-9441 @@ -2730,7 +2730,7 @@ CVE-2020-9425 CVE-2020-9424 RESERVED CVE-2020-9423 (LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary fi ...) - TODO: check + NOT-FOR-US: LogicalDoc CVE-2020-9422 RESERVED CVE-2020-9421 @@ -4021,9 +4021,9 @@ CVE-2020-8886 CVE-2020-8885 RESERVED CVE-2019-20453 (A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise be ...) - TODO: check + - ajaxplorer (bug #668381) CVE-2019-20452 (A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise be ...) - TODO: check + - ajaxplorer (bug #668381) CVE-2012-6721 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...) NOT-FOR-US: SocialEngine CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine be ...) 
@@ -7678,11 +7678,11 @@ CVE-2020-7260 CVE-2020-7259 RESERVED CVE-2020-7258 (Cross site scripting vulnerability in McAfee Network Security Manageme ...) - TODO: check + NOT-FOR-US: McAfee CVE-2020-7257 RESERVED CVE-2020-7256 (Cross site scripting vulnerability in McAfee Network Security Manageme ...) - TODO: check + NOT-FOR-US: McAfee CVE-2020-7255 RESERVED CVE-2020-7254 (Privilege Escalation vulnerability in the command line interface in Mc ...) @@ -8337,7 +8337,7 @@ CVE-2020-7004 CVE-2020-7003 RESERVED CVE-2020-7002 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. ...) - TODO: check + NOT-FOR-US: McAfee CVE-2020-7001 RESERVED CVE-2020-7000 @@ -8389,7 +8389,7 @@ CVE-2020-6978 CVE-2020-6977 (A restricted desktop environment escape vulnerability exists in the Ki ...) NOT-FOR-US: GE CVE-2020-6976 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. ...) - TODO: check + NOT-FOR-US: Delta Industrial Automation CNCSoft ScreenEditor CVE-2020-6975 (Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (820 ...) NOT-FOR-US: Digi International ConnectPort LTS 32 MEI CVE-2020-6974 @@ -9187,7 +9187,7 @@ CVE-2020-6648 CVE-2020-6647 RESERVED CVE-2020-6646 (An improper neutralization of input vulnerability in FortiWeb allows a ...) - TODO: check + NOT-FOR-US: Fortiguard CVE-2020-6645 RESERVED CVE-2020-6644 
@@ -15393,9 +15393,9 @@ CVE-2020-3953 CVE-2020-3952 RESERVED CVE-2020-3951 (VMware Workstation (15.x before 15.5.2) and Horizon Client for Windows ...) - TODO: check + NOT-FOR-US: VMware CVE-2020-3950 (VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11. ...) - TODO: check + NOT-FOR-US: VMware CVE-2020-3949 RESERVED CVE-2020-3948 (Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ddafc1771ed8099bb83e24c10815d4594dc3ac86...0e2ffc26ec915b96ac14d8cc49bb642a0933ff67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ddafc1771ed8099bb83e24c10815d4594dc3ac86...0e2ffc26ec915b96ac14d8cc49bb642a0933ff67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
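Review bot: the CVE-2020-7002 hunk (@@ -8337) labels a Delta Industrial Automation CNCSoft ScreenEditor issue as `NOT-FOR-US: McAfee`, evidently carried over from the CVE-2020-7258/7256 hunks just above it; it should read `NOT-FOR-US: Delta Industrial Automation CNCSoft ScreenEditor`, as the CVE-2020-6976 hunk (@@ -8389) in the same commit does.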
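Review bot: the CVE-2019-20453 and CVE-2019-20452 hunks (@@ -4021) add `- ajaxplorer (bug #668381)` with no version, which the tracker will show as an open, unfixed issue in a packaged source, although the commit message says the package is only ITPed; if #668381 is the ITP bug, the `<itp>` pseudo-version (`- ajaxplorer <itp> (bug #668381)`) is the usual way to record that the package is not yet in the archive.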
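Review bot: `NOT-FOR-US: Fortiguard` in the CVE-2020-6646 hunk (@@ -9187) names Fortinet's advisory site rather than the vendor or product; `NOT-FOR-US: Fortinet FortiWeb` would match the description text and the vendor/product naming used by the other NOT-FOR-US lines in this commit.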
[Git][security-tracker-team/security-tracker][master] mark CVE-2020-10380 as no-dsa for Jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ddafc177 by Thorsten Alteholz at 2020-03-19T09:52:12+01:00 mark CVE-2020-10380 as no-dsa for Jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -655,6 +655,7 @@ CVE-2020-10381 RESERVED CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...) - rmysql 0.10.20-1 + [jessie] - rmysql (Minor issue) NOTE: Fixed by: https://github.com/r-dbi/RMySQL/commit/c2467c466684b4733a7b0df4689987e1f9dcfc32 NOTE: Test: https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40 CVE-2020-10379 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddafc1771ed8099bb83e24c10815d4594dc3ac86 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddafc1771ed8099bb83e24c10815d4594dc3ac86 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
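Review bot: the hunk marks only jessie as `(Minor issue)` for CVE-2020-10380 while stretch and buster, which presumably ship the same vulnerable rmysql, keep no annotation and therefore stay listed as affected and pending; if the SQL injection is considered minor for jessie, the same no-dsa annotation (or a NOTE explaining why the suites differ) should be added for stretch and buster so the triage is consistent.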
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-0556/bluez
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3110fe2 by Salvatore Bonaccorso at 2020-03-19T09:45:54+01:00 Add fixed version for CVE-2020-0556/bluez - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26735,7 +26735,7 @@ CVE-2020-0558 CVE-2020-0557 RESERVED CVE-2020-0556 (Improper access control in subsystem for BlueZ before version 5.54 may ...) - - bluez (bug #953770) + - bluez 5.50-1.1 (bug #953770) NOTE: https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-ala...@chromium.org/ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3110fe25e0998531e57ebd19ababd5d04bee35f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3110fe25e0998531e57ebd19ababd5d04bee35f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
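Review bot: the hunk records 5.50-1.1 as the fixing upload for CVE-2020-0556 while the NOTE lines point at two separate upstream bluez commits; a NOTE confirming that 5.50-1.1 carries both of them would make later audits easier, since stretch and buster still have no annotation in this entry and will need the same two commits backported or a no-dsa decision.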
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e40455d by security tracker role at 2020-03-19T08:10:37+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,20 @@ -CVE-2020-10674 [shell injection RCE] +CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) + TODO: check +CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) + TODO: check +CVE-2020-10671 + RESERVED +CVE-2020-10670 + RESERVED +CVE-2020-10669 + RESERVED +CVE-2020-10668 + RESERVED +CVE-2020-10667 + RESERVED +CVE-2020-10666 + RESERVED +CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...) - libperlspeak-perl (bug #954238) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173 CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTE ...) @@ -189,7 +205,7 @@ CVE-2020-10594 (An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allo NOT-FOR-US: drf-jwt CVE-2020-10593 RESERVED -- tor 0.4.2.7-1 + - tor 0.4.2.7-1 [buster] - tor (Only affects tor 0.4.0.1-alpha onwards) [stretch] - tor (Only affects tor 0.4.0.1-alpha onwards) [jessie] - tor (Only affects tor 0.4.0.1-alpha onwards) @@ -197,7 +213,7 @@ CVE-2020-10593 NOTE: https://bugs.torproject.org/33119 CVE-2020-10592 RESERVED -- tor 0.4.2.7-1 + - tor 0.4.2.7-1 NOTE: https://blog.torproject.org/new-releases-03510-0419-0427 NOTE: https://bugs.torproject.org/33119 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. CORS Ac ...) @@ -669,8 +685,8 @@ CVE-2020-10367 RESERVED CVE-2020-10366 RESERVED -CVE-2020-10365 - RESERVED +CVE-2020-10365 (LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the ...) + TODO: check CVE-2020-10364 RESERVED CVE-2020-10363 
@@ -2594,8 +2610,7 @@ CVE-2020-9480 RESERVED CVE-2020-9479 RESERVED -CVE-2019-20485 [potential DoS by holding a monitor job while querying QEMU guest-agent] - RESERVED +CVE-2019-20485 (qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a ...) [experimental] - libvirt 6.0.0-1 - libvirt (low; bug #953078) [buster] - libvirt (Minor issue) @@ -2713,8 +2728,8 @@ CVE-2020-9425 RESERVED CVE-2020-9424 RESERVED -CVE-2020-9423 - RESERVED +CVE-2020-9423 (LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary fi ...) + TODO: check CVE-2020-9422 RESERVED CVE-2020-9421 @@ -7661,12 +7676,12 @@ CVE-2020-7260 RESERVED CVE-2020-7259 RESERVED -CVE-2020-7258 - RESERVED +CVE-2020-7258 (Cross site scripting vulnerability in McAfee Network Security Manageme ...) + TODO: check CVE-2020-7257 RESERVED -CVE-2020-7256 - RESERVED +CVE-2020-7256 (Cross site scripting vulnerability in McAfee Network Security Manageme ...) + TODO: check CVE-2020-7255 RESERVED CVE-2020-7254 (Privilege Escalation vulnerability in the command line interface in Mc ...) @@ -19720,10 +19735,10 @@ CVE-2019-19679 (In "Xray Test Management for Jira" prior to version 3.5.5, remot NOT-FOR-US: Xray Test Management for Jira CVE-2019-19678 (In "Xray Test Management for Jira" prior to version 3.5.5, remote auth ...) NOT-FOR-US: Xray Test Management for Jira -CVE-2019-19677 - RESERVED -CVE-2019-19676 - RESERVED +CVE-2019-19677 (arxes-tolina 3.0.0 allows User Enumeration. ...) + TODO: check +CVE-2019-19676 (A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain r ...) + TODO: check CVE-2019-19675 (In Ivanti Workspace Control before 10.3.180.0. a locally authenticated ...) NOT-FOR-US: Ivanti Workspace Control CVE-2019-19674 
@@ -23411,8 +23426,8 @@ CVE-2019-18981 (Pimcore before 6.2.2 lacks an Access Denied outcome for a certai NOT-FOR-US: Pimcore CVE-2019-18980 (On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022 ...) NOT-FOR-US: Signify Philips Taolight -CVE-2019-18979 - RESERVED +CVE-2019-18979 (Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a quarantine fla ...) + TODO: check CVE-2019-18978 (An issue was discovered in the rack-cors (aka Rack CORS Middleware) ge ...) {DLA-2096-1} - ruby-rack-cors 1.1.1-1 (bug #944849) @@ -30281,7 +30296,7 @@ CVE-2019-17547 (In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16537 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ecf7c6b288e11e7e7f75387c5e9e93e423b98397
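Review bot: in the first hunk (@@ -1,4) the automatic update inserts CVE-2020-10673 down to CVE-2020-10666 above the hand-added CVE-2020-10674 entry, so CVE-2020-10674 now sits below CVE-2020-10666 and breaks the descending id order of the file; it should be moved above CVE-2020-10673 in a follow-up so the next automatic run does not push it further down.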
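Review bot: the `-- tor 0.4.2.7-1` / `+ - tor 0.4.2.7-1` pairs in the @@ -189 and @@ -197 hunks are whitespace-only corrections of package lines that were committed without the leading space; that kind of indentation error should be caught by running the repository's syntax check before a manual push rather than by the next automatic update rewriting the lines.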
[Git][security-tracker-team/security-tracker][master] Add information on CVE-2020-1059{2,3}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ddc9d4d by Salvatore Bonaccorso at 2020-03-19T08:38:20+01:00 Add information on CVE-2020-1059{2,3} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -189,8 +189,17 @@ CVE-2020-10594 (An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allo NOT-FOR-US: drf-jwt CVE-2020-10593 RESERVED +- tor 0.4.2.7-1 + [buster] - tor (Only affects tor 0.4.0.1-alpha onwards) + [stretch] - tor (Only affects tor 0.4.0.1-alpha onwards) + [jessie] - tor (Only affects tor 0.4.0.1-alpha onwards) + NOTE: https://blog.torproject.org/new-releases-03510-0419-0427 + NOTE: https://bugs.torproject.org/33119 CVE-2020-10592 RESERVED +- tor 0.4.2.7-1 + NOTE: https://blog.torproject.org/new-releases-03510-0419-0427 + NOTE: https://bugs.torproject.org/33119 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. CORS Ac ...) NOT-FOR-US: Walmart Labs Concord CVE-2020-10590 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ddc9d4d6977ee0827650c43ae7698f7cfc86a42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ddc9d4d6977ee0827650c43ae7698f7cfc86a42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
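Review bot: both `+- tor 0.4.2.7-1` lines lack the leading space that the `[buster] - tor` and NOTE lines in the same hunk have, so the package line sits at column 0 instead of being indented under its CVE header; fix the indentation before pushing. CVE-2020-10592 also gets the fixed version but, unlike CVE-2020-10593, no suite annotations, so buster, stretch and jessie are listed as affected; if the `Only affects tor 0.4.0.1-alpha onwards` qualifier applies to both ids it should be repeated there.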
[Git][security-tracker-team/security-tracker][master] new chromium issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fc723a0f by Moritz Muehlenhoff at 2020-03-19T08:28:06+01:00 new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1051,12 +1051,13 @@ CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_a - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 + - chromium + [stretch] - chromium (see DSA 4562) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2019-20503 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2019-20503 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2019-20503 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992 NOTE: https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467 - TODO: check, other sources thunderbird and chromium embed the library CVE-2020-10187 RESERVED CVE-2020-10186 @@ -9605,6 +9606,8 @@ CVE-2020-6450 RESERVED CVE-2020-6449 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6448 RESERVED CVE-2020-6447 
@@ -9645,20 +9648,34 @@ CVE-2020-6430 RESERVED CVE-2020-6429 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6428 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6427 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6426 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6425 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6424 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6423 RESERVED CVE-2020-6422 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-6421 RESERVED CVE-2020-6420 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc723a0fefa5a5b78ca621ef67cd4e34e5d8ce26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc723a0fefa5a5b78ca621ef67cd4e34e5d8ce26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
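Review bot: every `[stretch] - chromium (see DSA 4562)` line in these hunks uses the plain `(reason)` form, which the tracker treats as a no-dsa annotation; if the reference to DSA 4562 means chromium in stretch is no longer supported, the `<end-of-life>` pseudo-version (`[stretch] - chromium <end-of-life> (see DSA 4562)`) should be used so the entries are not reported as minor issues. The bare `- chromium` lines are fine as pending markers for unstable and buster, and removing the `TODO: check` in the CVE-2019-20503 hunk is consistent with the chromium line now being present.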
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1757/undertow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6819735 by Salvatore Bonaccorso at 2020-03-19T07:59:47+01:00 Add CVE-2020-1757/undertow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22056,6 +22056,8 @@ CVE-2020-1758 RESERVED CVE-2020-1757 RESERVED + - undertow + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1752770 CVE-2020-1756 RESERVED CVE-2020-1755 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f68197354a749fd5a26d1b0c3d25d2e768c04858 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f68197354a749fd5a26d1b0c3d25d2e768c04858 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
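Review bot: the CVE-2020-1757 hunk adds `- undertow` with no version, no severity and only a Red Hat bugzilla link while the description stays RESERVED; a short NOTE with what is known (affected upstream versions, or that the bug is not yet public) or a `TODO: check` would flag the entry for follow-up instead of leaving it as a silent open issue against undertow.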