[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-8035 as no-dsa

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
49ff1e14 by Salvatore Bonaccorso at 2020-06-01T08:58:02+02:00
Mark CVE-2020-8035 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14814,6 +14814,8 @@ CVE-2020-8036
RESERVED
 CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition 
before ...)
- php-horde 
+   [buster] - php-horde  (Minor issue; can be fixed via point 
release)
+   [stretch] - php-horde  (Minor issue; can be fixed via point 
release)
NOTE: 
https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
NOTE: https://lists.horde.org/archives/announce/2020/001290.html
 CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail 
Edition 5.2.2 ...)
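Review bot: the two new `[buster]`/`[stretch]` lines give the reason "can be fixed via point release", but this commit adds no matching entries to data/next-point-update.txt and data/next-oldstable-point-update.txt, unlike commit bdfe937e in this thread, which tracks the php-horde-gollem fix for CVE-2020-8034 there; add the proposed php-horde versions to those files once the -pu uploads are planned so the CVE entry and the point-update tracking agree. Also, as rendered here the marker between `php-horde` and the parenthesised reason is empty (`[buster] - php-horde  (Minor issue; ...)`), where the tracker syntax expects `<no-dsa>`; this is most likely the mail rendering dropping the angle-bracket tag, but since the commit subject says no-dsa it is worth confirming the committed lines actually carry it.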



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49ff1e14372c8d2573229c9ee597174019a81b77

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49ff1e14372c8d2573229c9ee597174019a81b77
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Four gnucobol issues fixed via unstable

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6335775 by Salvatore Bonaccorso at 2020-06-01T08:42:43+02:00
Four gnucobol issues fixed via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48961,7 +48961,7 @@ CVE-2019-14543
 CVE-2019-14542
RESERVED
 CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in 
cb_encode_program_id ...)
-   - gnucobol  (low; bug #933884)
+   - gnucobol 3.0~rc1-2 (low; bug #933884)
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)
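Review bot: the fixed version 3.0~rc1-2 is added only to the `gnucobol` line, while the sibling `- open-cobol` line in the same entry keeps an empty version field and carries only a `[stretch] ... (Minor issue)` annotation; since the CVE text names GnuCOBOL 2.2 and the low severity rests on the same bug #933884, say explicitly whether open-cobol in jessie is affected (a `[jessie]` line) or whether the open-cobol source is no longer the package that matters, so the entry does not read as half-resolved. The same applies to the three following hunks for CVE-2019-14528, CVE-2019-14486 and CVE-2019-14468, which have the same shape.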
@@ -49015,7 +49015,7 @@ CVE-2019-14530 (An issue was discovered in 
custom/ajax_download.php in OpenEMR b
 CVE-2019-14529 (OpenEMR before 5.0.2 allows SQL Injection in 
interface/forms/eye_mag/s ...)
NOT-FOR-US: OpenEMR
 CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal 
in cobc/ ...)
-   - gnucobol  (low; bug #933884)
+   - gnucobol 3.0~rc1-2 (low; bug #933884)
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)
@@ -49165,7 +49165,7 @@ CVE-2019-14488
 CVE-2019-14487
RESERVED
 CVE-2019-14486 (GnuCOBOL 2.2 has a buffer overflow in cb_evaluate_expr in 
cobc/field.c ...)
-   - gnucobol  (low; bug #933884)
+   - gnucobol 3.0~rc1-2 (low; bug #933884)
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)
@@ -49206,7 +49206,7 @@ CVE-2019-14470 (cosenary Instagram-PHP-API (aka 
Instagram PHP API V2), as used i
 CVE-2019-14469 (In Nexus Repository Manager before 3.18.0, users with elevated 
privile ...)
NOT-FOR-US: Nexus Repository Manager
 CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in cb_push_op in 
cobc/field.c via c ...)
-   - gnucobol  (low; bug #933884)
+   - gnucobol 3.0~rc1-2 (low; bug #933884)
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6335775eb3dcd57d34676d850c1b21bddecab6f


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add note to freerdp

2020-05-31 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7d3b1e5 by Mike Gabriel at 2020-05-31T23:12:00+02:00
data/dla-needed.txt: Add note to freerdp

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -45,6 +45,7 @@ drupal7
 --
 freerdp (Mike Gabriel)
   NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
+  NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense 
(sunweaver)
 --
 graphicsmagick (Roberto C. Sánchez)
   NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 
(sunweaver)
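Review bot: the new 20200531 note records that EOL'ing freerdp 1.1 is under discussion but gives no pointer to where that discussion is happening; add the debian-lts thread URL (or a bug number) to the NOTE so whoever picks the entry up next can follow the decision, in the same way the neighbouring graphicsmagick note names the CVE it is waiting on.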



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7d3b1e5fab07b166f8d869e4f940be6f6b5feda


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2231-1 for sane-backends

2020-05-31 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fbae5496 by Adrian Bunk at 2020-05-31T23:59:02+03:00
Reserve DLA-2231-1 for sane-backends

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 May 2020] DLA-2231-1 sane-backends - security update
+   {CVE-2020-12867}
+   [jessie] - sane-backends 1.0.24-8+deb8u3
 [31 May 2020] DLA-2230-1 php-horde - security update
{CVE-2020-8035}
[jessie] - php-horde 5.2.1+debian0-2+deb8u6


=
data/dla-needed.txt
=
@@ -99,8 +99,6 @@ python-httplib2 (Abhijith PA)
 qemu (Adrian Bunk)
   NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk)
 --
-sane-backends (Adrian Bunk)
---
 sqlite3 (Abhijith PA)
 --
 squid3 (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbae549601b62f057d469179dbbc192473a3d357


[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark freerdp2/CVE-2020-110{17, 18} as no-dsa issues as discussed with Salvatore.

2020-05-31 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
31dd7f32 by Mike Gabriel at 2020-05-31T22:57:02+02:00
data/CVE/list: Mark freerdp2/CVE-2020-110{17,18} as no-dsa issues as discussed 
with Salvatore.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7523,11 +7523,17 @@ CVE-2020-11019 (In FreeRDP less than or equal to 2.0.0, 
when running with logger
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wvrr-2f4r-hjvh
 CVE-2020-11018 (In FreeRDP less than or equal to 2.0.0, a possible resource 
exhaustion ...)
- freerdp2 2.1.1+dfsg1-1
+   [buster] - freerdp2  (Minor issue)
- freerdp 
+   [stretch] - freerdp  (Minor issue)
+   [jessie] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8cvc-vcw7-6mfw
 CVE-2020-11017 (In FreeRDP less than or equal to 2.0.0, by providing 
manipulated input ...)
- freerdp2 2.1.1+dfsg1-1
+   [buster] - freerdp2  (Minor issue)
- freerdp 
+   [stretch] - freerdp  (Minor issue)
+   [jessie] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5c8-fm29-q57c
 CVE-2020-11016 (IntelMQ Manager from version 1.1.0 and before version 2.1.1 
has a vuln ...)
NOT-FOR-US: IntelMQ Manager
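Review bot: the `[stretch]`/`[jessie]` `freerdp` lines for CVE-2020-11018 and CVE-2020-11017 use the generic reason "Minor issue", while the dla-needed.txt entry for freerdp in this same thread (commit e7d3b1e5) says EOL'ing freerdp 1.1 is being discussed; if that goes ahead these lines should become `<end-of-life>` rather than no-dsa, and if the 1.x code base does not contain the affected code paths at all (both CVE descriptions are scoped to "FreeRDP less than or equal to 2.0.0", and the fix lands in freerdp2 2.1.1+dfsg1-1), `<not-affected>` with a one-line justification is more precise than "Minor issue". Either way, make the reason say which case applies.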



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31dd7f3276d2efcb6eed666ca6cbbdfc38b46d89


[Git][security-tracker-team/security-tracker][master] dla: update and give back condor

2020-05-31 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
beeb2a32 by Adrian Bunk at 2020-05-31T23:40:36+03:00
dla: update and give back condor

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -32,10 +32,11 @@ bluez (Roberto C. Sánchez)
 cacti (Abhijith PA)
   NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for 
jessie version (abhijith)
 --
-condor (Adrian Bunk)
+condor
   NOTE: 20200502: Upstream has only released workarounds; complete fix is 
still embargoed (roberto)
   NOTE: 20200521: Still embargoed (eg. 
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html).
 (lamby)
   NOTE: 20200525: Fix: 
https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
+  NOTE: 20200531: Patches are linked from 
https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
 --
 cups (Anton Gladky)
   NOTE: 20200514: Two open  issues. Added on request from Anton 
Gladky. (sunweaver)
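Review bot: giving the entry back (`condor (Adrian Bunk)` -> `condor`) is recorded only implicitly; the new 20200531 note says where the patches are linked but not why the work stops here or what remains (backporting the V8_8_7...V8_8_8 changes from the 20200525 note to the jessie version, testing, or something blocking). Add that to the NOTE so the next claimant does not repeat the same investigation.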



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/beeb2a321500e3f8f04fdd0f161716ef34b34d87


[Git][security-tracker-team/security-tracker][master] 2 commits: data/CVE/list: Drop [postponed] tag from CVE-2020-8035/php-horde.

2020-05-31 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06aa7cd4 by Mike Gabriel at 2020-05-31T22:39:28+02:00
data/CVE/list: Drop [postponed] tag from CVE-2020-8035/php-horde.

- - - - -
0665037a by Mike Gabriel at 2020-05-31T22:39:28+02:00
Reserve DLA-2230-1 for php-horde

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -14808,7 +14808,6 @@ CVE-2020-8036
RESERVED
 CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition 
before ...)
- php-horde 
-   [jessie] - php-horde  (Minor issue, can be fixed along with 
next releases)
NOTE: 
https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
NOTE: https://lists.horde.org/archives/announce/2020/001290.html
 CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail 
Edition 5.2.2 ...)
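Review bot: this hunk only removes the `[jessie] - php-horde ... (Minor issue, can be fixed along with next releases)` postponed line, leaving `- php-horde` with no per-release annotation, and the commit message says only that the tag is dropped, not why; the reason is the DLA-2230-1 reservation in the second commit of this push (data/DLA/list, jessie 5.2.1+debian0-2+deb8u6). Say so in the commit message ("DLA being issued") or squash the two commits, and note that buster and stretch remain unannotated after this change; they are tagged no-dsa in commit 49ff1e14 the next morning.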


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 May 2020] DLA-2230-1 php-horde - security update
+   {CVE-2020-8035}
+   [jessie] - php-horde 5.2.1+debian0-2+deb8u6
 [31 May 2020] DLA-2228-2 json-c - regression update
{CVE-2020-12762}
[jessie] - json-c 0.11-4+deb8u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45...0665037ad49cb831b1cbe737679b74d043c8cfa2


[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Final version for Stretch and Jessie this week but will ask for

2020-05-31 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dca9ff14 by Markus Koschany at 2020-05-31T22:29:58+02:00
dla-needed.txt: Final version for Stretch and Jessie this week but will ask for

testing on debian-lts first due to the many changes and issues fixed.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -103,8 +103,8 @@ sane-backends (Adrian Bunk)
 sqlite3 (Abhijith PA)
 --
 squid3 (Markus Koschany)
-  NOTE: 20200518: Ongoing work on squid3 in Stretch which will be used for 
Jessie
-  NOTE: 20200518: and Stretch.
+  NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for 
Jessie
+  NOTE: 20200531: and Stretch.
 --
 sympa (Utkarsh Gupta)
   NOTE: 20200525: Incomplete patch. Not the complete patch is made public. 
(utkarsh)
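Review bot: both squid3 NOTE lines change only their date stamp (20200518 -> 20200531) with the text unchanged, so the bump makes the entry look freshly updated while conveying nothing new. The commit message carries the actual status (a final version for stretch and jessie is ready and will be sent to debian-lts for testing first); put that in the NOTE instead, e.g. "NOTE: 20200531: Final version for Stretch and Jessie ready; asking for testing on debian-lts first", and fold the two split NOTE lines into one.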



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45


[Git][security-tracker-team/security-tracker][master] automatic update

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb78c34b by security tracker role at 2020-05-31T20:10:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2083,6 +2083,7 @@ CVE-2020-12764 (Gnuteca 3.8 allows 
file.php?folder=/&file= Directory Travers
 CVE-2020-12763 (TRENDnet ProView Wireless camera TV-IP512WN 1.0R 1.0.4 is 
vulnerable t ...)
NOT-FOR-US: TRENDnet ProView
 CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds 
write vi ...)
+   {DLA-2228-2 DLA-2228-1}
- json-c  (bug #960326)
NOTE: https://github.com/json-c/json-c/pull/592
NOTE: 
https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426
@@ -7248,7 +7249,7 @@ CVE-2020-11083
RESERVED
 CVE-2020-11082 (In Kaminari before 1.2.1, there is a vulnerability that would 
allow an ...)
- ruby-kaminari  (bug #961847)
-[jessie] - ruby-kaminari  (No reverse dependency)
+   [jessie] - ruby-kaminari  (No reverse dependency)
NOTE: 
https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
NOTE: 
https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8
 CVE-2020-11081
@@ -14811,6 +14812,7 @@ CVE-2020-8035 (The image view functionality in Horde 
Groupware Webmail Edition b
NOTE: 
https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
NOTE: https://lists.horde.org/archives/announce/2020/001290.html
 CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail 
Edition 5.2.2 ...)
+   {DLA-2229-1}
- php-horde-gollem 3.0.12-6 (bug #961649)
[buster] - php-horde-gollem  (Minor issue)
[stretch] - php-horde-gollem  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb78c34bcdb68bf01649986b4b6e01235f9e84b5


[Git][security-tracker-team/security-tracker][master] LTS: claim graphicsmagick in dla-needed.txt

2020-05-31 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4635f418 by Roberto C. Sánchez at 2020-05-31T15:48:56-04:00
LTS: claim graphicsmagick in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -45,7 +45,7 @@ drupal7
 freerdp (Mike Gabriel)
   NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
 --
-graphicsmagick
+graphicsmagick (Roberto C. Sánchez)
   NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 
(sunweaver)
   NOTE: 20200529: still no upstream patch available, yet, for CVE-2020-12672 
(roberto)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4635f4182aa31bacd696af65da6c4586bbd92b9f


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-861{6,7}/bind9

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81b8054e by Salvatore Bonaccorso at 2020-05-31T21:30:24+02:00
Add Debian bug reference for CVE-2020-861{6,7}/bind9

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13489,12 +13489,12 @@ CVE-2020-8618
RESERVED
 CVE-2020-8617 (Using a specially-crafted message, an attacker may potentially 
cause a ...)
{DSA-4689-1 DLA-2227-1}
-   - bind9 
+   - bind9  (bug #961939)
NOTE: https://kb.isc.org/docs/cve-2020-8617
NOTE: 
https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information
 CVE-2020-8616 (A malicious actor who intentionally exploits this lack of 
effective li ...)
{DSA-4689-1 DLA-2227-1}
-   - bind9 
+   - bind9  (bug #961939)
NOTE: https://kb.isc.org/docs/cve-2020-8616
 CVE-2020-8615 (A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for 
WordPres ...)
NOT-FOR-US: Tutor LMS plugin for WordPress



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81b8054e4b479a80a05c87e093573b8f6bc6ce0d


[Git][security-tracker-team/security-tracker][master] sane-backends: The epsonds backend is not in jessie

2020-05-31 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
782fe9e6 by Adrian Bunk at 2020-05-31T22:24:43+03:00
sane-backends: The epsonds backend is not in jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1805,31 +1805,37 @@ CVE-2020-12866
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
+   [jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12865
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
+   [jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12864
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
+   [jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12863
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
+   [jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12862
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
+   [jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12861
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
+   [jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12860 (COVIDSafe through v1.0.17 allows a remote attacker to access 
phone nam ...)
NOT-FOR-US: COVIDSafe
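Review bot: the six new `[jessie] - sane-backends` lines justify themselves with "epsonds backend was added in 1.0.25", i.e. a not-affected marker (the marker itself is not visible in this rendering), and that is consistent with DLA-2231-1 in this thread covering only CVE-2020-12867; but stretch and buster get no annotation in this hunk, so for each of CVE-2020-12861 through CVE-2020-12866 it is still undecided whether those releases need a DSA, a point update or no-dsa. Add the `[stretch]`/`[buster]` lines, or a NOTE explaining why they are deferred. Also check that the NOTE URL `.../sane-announce/2020/41.html` resolves; pipermail archives normally use zero-padded message numbers.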



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/782fe9e65fc81b781c0e88677bce8b409d24b22b


[Git][security-tracker-team/security-tracker][master] 3 commits: Mark ssvnc issues as no-dsa

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3093774 by Salvatore Bonaccorso at 2020-05-31T21:18:52+02:00
Mark ssvnc issues as no-dsa

- - - - -
6b4161ff by Salvatore Bonaccorso at 2020-05-31T21:18:52+02:00
Track proposed fixes for ssvnc via buster-pu

- - - - -
bde840ec by Salvatore Bonaccorso at 2020-05-31T21:18:52+02:00
Track proposed ssvnc fixes via stretch-pu

- - - - -


3 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -86196,6 +86196,8 @@ CVE-2018-20024 (LibVNC before commit 
4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 co
- italc 
[stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
+   [buster] - ssvnc  (Minor issue)
+   [stretch] - ssvnc  (Minor issue)
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/254
NOTE: 
https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
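Review bot: the new `[buster]`/`[stretch]` ssvnc lines use the bare reason "Minor issue", but the second and third commits in this push track the fixes via buster-pu (1.0.29-4+deb10u1) and stretch-pu (1.0.29-3+deb9u1); make the reason say so, as the php-horde entries in this thread do ("Minor issue; can be fixed via point release"), so the CVE/list entry and the next-*-point-update files tell the same story. This applies equally to the following three hunks for CVE-2018-20022, CVE-2018-20021 and CVE-2018-20020.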
@@ -86215,6 +86217,8 @@ CVE-2018-20022 (LibVNC before 
2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
- italc 
[stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
+   [buster] - ssvnc  (Minor issue)
+   [stretch] - ssvnc  (Minor issue)
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
[stretch] - tightvnc 1:1.3.9-9+deb9u1
@@ -86228,6 +86232,8 @@ CVE-2018-20021 (LibVNC before commit 
c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c co
- italc 
[stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
+   [buster] - ssvnc  (Minor issue)
+   [stretch] - ssvnc  (Minor issue)
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
[stretch] - tightvnc 1:1.3.9-9+deb9u1
@@ -86241,6 +86247,8 @@ CVE-2018-20020 (LibVNC before commit 
7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co
- italc 
[stretch] - italc  (Incomplete fix for CVE-2018-20019 not 
applied)
- ssvnc 1.0.29-5 (bug #945827)
+   [buster] - ssvnc  (Minor issue)
+   [stretch] - ssvnc  (Minor issue)
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/250
NOTE: 
https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc


=
data/next-oldstable-point-update.txt
=
@@ -96,3 +96,11 @@ CVE-2020-0093
[stretch] - libexif 0.6.21-2+deb9u2
 CVE-2020-8034
[stretch] - php-horde-gollem 3.0.10-1+deb9u1
+CVE-2018-20020
+   [stretch] - ssvnc 1.0.29-3+deb9u1
+CVE-2018-20021
+   [stretch] - ssvnc 1.0.29-3+deb9u1
+CVE-2018-20022
+   [stretch] - ssvnc 1.0.29-3+deb9u1
+CVE-2018-20024
+   [stretch] - ssvnc 1.0.29-3+deb9u1


=
data/next-point-update.txt
=
@@ -32,3 +32,11 @@ CVE-2020-0093
[buster] - libexif 0.6.21-5.1+deb10u2
 CVE-2020-8034
[buster] - php-horde-gollem 3.0.12-3+deb10u1
+CVE-2018-20020
+   [buster] - ssvnc 1.0.29-4+deb10u1
+CVE-2018-20021
+   [buster] - ssvnc 1.0.29-4+deb10u1
+CVE-2018-20022
+   [buster] - ssvnc 1.0.29-4+deb10u1
+CVE-2018-20024
+   [buster] - ssvnc 1.0.29-4+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ec84e3a404ab98086bf3d3e4added420aa14b42c...bde840ec547526586325580b2ae8997ddde92a25


[Git][security-tracker-team/security-tracker][master] dla-needed: update notes

2020-05-31 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec84e3a4 by Adrian Bunk at 2020-05-31T22:12:01+03:00
dla-needed: update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -83,7 +83,6 @@ nginx (Mike Gabriel)
   NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, 
alas, no tests. (lamby)
 --
 nss (Adrian Bunk)
-  NOTE: 20200521: bug report is not yet public, so probably Jessie is not 
affected
 --
 opendmarc (Thorsten Alteholz)
   NOTE: 20200511: new CVEs arrived (thorsten)
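Review bot: the nss note ("bug report is not yet public, so probably Jessie is not affected") is deleted without a replacement, so the entry now has an owner and no status at all; if the conclusion changed (jessie is affected after all, or the report became public), record that in a dated NOTE, and if it did not, keep the old note rather than dropping the only rationale for nss still sitting in dla-needed.txt.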
@@ -97,7 +96,7 @@ php5 (Thorsten Alteholz)
 python-httplib2 (Abhijith PA)
 --
 qemu (Adrian Bunk)
-  NOTE: 20200525: work is ongoing (bunk)
+  NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk)
 --
 sane-backends (Adrian Bunk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec84e3a404ab98086bf3d3e4added420aa14b42c


[Git][security-tracker-team/security-tracker][master] Track proposed update for php-horde-gollem via {buster,stretch}-pu

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bdfe937e by Salvatore Bonaccorso at 2020-05-31T20:39:30+02:00
Track proposed update for php-horde-gollem via {buster,stretch}-pu

- - - - -


2 changed files:

- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -94,3 +94,5 @@ CVE-2020-12767
[stretch] - libexif 0.6.21-2+deb9u2
 CVE-2020-0093
[stretch] - libexif 0.6.21-2+deb9u2
+CVE-2020-8034
+   [stretch] - php-horde-gollem 3.0.10-1+deb9u1


=
data/next-point-update.txt
=
@@ -30,3 +30,5 @@ CVE-2020-12767
[buster] - libexif 0.6.21-5.1+deb10u2
 CVE-2020-0093
[buster] - libexif 0.6.21-5.1+deb10u2
+CVE-2020-8034
+   [buster] - php-horde-gollem 3.0.12-3+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdfe937ee1611468f1a11a6d9c5875cf60379881


[Git][security-tracker-team/security-tracker][master] Several nethack issues fixed via unstable upload

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6f936b2 by Salvatore Bonaccorso at 2020-05-31T20:34:23+02:00
Several nethack issues fixed via unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21395,7 +21395,7 @@ CVE-2020-5255 (In Symfony before versions 4.4.7 and 
5.0.7, when a `Response` doe
NOTE: 
https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header
NOTE: 
https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6
 CVE-2020-5254 (In NetHack before 3.6.6, some out-of-bound values for the 
hilite_statu ...)
-   - nethack  (bug #953978)
+   - nethack 3.6.6-1 (bug #953978)
[buster] - nethack  (Minor issue)
[stretch] - nethack  (Vulnerable code introduced in 3.6.1)
[jessie] - nethack  (Vulnerable code introduced in 3.6.1)
@@ -21526,28 +21526,28 @@ CVE-2020-5216 (In Secure Headers (RubyGem 
secure_headers), a directive injection
 CVE-2020-5215 (In TensorFlow before 1.15.2 and 2.0.1, converting a string 
(from Pytho ...)
- tensorflow  (bug #804612)
 CVE-2020-5214 (In NetHack before 3.6.5, detecting an unknown configuration 
file optio ...)
-   - nethack  (unimportant)
+   - nethack 3.6.6-1 (unimportant)
NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-p8fw-rq89-xqx6
NOTE: Negligible security impact
 CVE-2020-5213 (In NetHack before 3.6.5, too long of a value for the SYMBOL 
configurat ...)
-   - nethack  (unimportant)
+   - nethack 3.6.6-1 (unimportant)
NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-rr25-4v34-pr7v
NOTE: Negligible security impact
 CVE-2020-5212 (In NetHack before 3.6.5, an extremely long value for the 
MENUCOLOR con ...)
-   - nethack  (unimportant)
+   - nethack 3.6.6-1 (unimportant)
NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-g89f-m829-4m56
NOTE: Negligible security impact
 CVE-2020-5211 (In NetHack before 3.6.5, an invalid extended command in value 
for the  ...)
-   - nethack  (unimportant)
+   - nethack 3.6.6-1 (unimportant)
NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-r788-4jf4-r9f7
NOTE: Negligible security impact
 CVE-2020-5210 (In NetHack before 3.6.5, an invalid argument to the -w command 
line op ...)
-   - nethack  (unimportant)
+   - nethack 3.6.6-1 (unimportant)
NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-v5pg-hpjg-9rpp
NOTE: 
https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77
NOTE: Negligible security impact
 CVE-2020-5209 (In NetHack before 3.6.5, unknown options starting with -de and 
-i can  ...)
-   - nethack  (unimportant)
+   - nethack 3.6.6-1 (unimportant)
NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-fw72-r8xm-45p8
NOTE: 
https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77
NOTE: Negligible security impact
@@ -25315,7 +25315,7 @@ CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has 
an out-of-bounds write le
 CVE-2019-16787
REJECTED
 CVE-2019-19905 (NetHack 3.6.x before 3.6.4 is prone to a buffer overflow 
vulnerability ...)
-   - nethack  (unimportant; bug #947005)
+   - nethack 3.6.6-1 (unimportant; bug #947005)
NOTE: 
https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226
NOTE: 
https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47
NOTE: Negligible security impact
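Review bot: the description gives the affected range as "3.6.x before 3.6.4", while the two NOTE commits are cited without saying which upstream release each landed in; adding the release tag after each commit, as other entries in this file do with "(v2.9.7)" style suffixes, would make it clear that 3.6.6-1 carries both. Keeping "unimportant; bug #947005" means no [buster]/[stretch] no-dsa lines are needed, which the hunk correctly leaves out.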



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6f936b272814da4aa36610bef002d2e607e52ae

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6f936b272814da4aa36610bef002d2e607e52ae
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-11082 for jessie

2020-05-31 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b1a8128 by Abhijith PA at 2020-05-31T22:43:15+05:30
Mark CVE-2020-11082 for jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7242,6 +7242,7 @@ CVE-2020-11083
RESERVED
 CVE-2020-11082 (In Kaminari before 1.2.1, there is a vulnerability that would 
allow an ...)
- ruby-kaminari  (bug #961847)
+[jessie] - ruby-kaminari  (No reverse dependency)
NOTE: 
https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
NOTE: 
https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8
 CVE-2020-11081
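Review bot: the status keyword between the package name and the reason is not visible in this rendering of the added line (`+[jessie] - ruby-kaminari  (No reverse dependency)`, note the double space, same as in the `- ruby-kaminari  (bug #961847)` context line), so please confirm the committed line carries the intended angle-bracketed tag. "No reverse dependency" also states a fact rather than a decision; spelling out the resulting handling for jessie (for example that it will be fixed via a low-priority upload or not at all) would save the next person from re-deriving it.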



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b1a8128e1e060b1eea46e019f17fd4eddd30760


[Git][security-tracker-team/security-tracker][master] gollem fixed in sid

2020-05-31 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e0c201d by Moritz Muehlenhoff at 2020-05-31T18:55:29+02:00
gollem fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14804,7 +14804,7 @@ CVE-2020-8035 (The image view functionality in Horde 
Groupware Webmail Edition b
NOTE: 
https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
NOTE: https://lists.horde.org/archives/announce/2020/001290.html
 CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail 
Edition 5.2.2 ...)
-   - php-horde-gollem  (bug #961649)
+   - php-horde-gollem 3.0.12-6 (bug #961649)
[buster] - php-horde-gollem  (Minor issue)
[stretch] - php-horde-gollem  (Minor issue)
NOTE: https://lists.horde.org/archives/announce/2020/001289.html
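Review bot: the fixed version 3.0.12-6 is a patched 3.0.12, below the upstream-fixed 3.0.13 named in the description, so it is a backport; only the Horde announcement URL is listed here, and a NOTE pointing at the upstream fix commit would let a reader verify that the backported change matches. The [buster]/[stretch] "Minor issue" lines are left unchanged, which is consistent with the unstable-only fix.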



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e0c201d9e3a96058382d748f0ecd5371850da71


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2228-2 for json-c

2020-05-31 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5b86eaa2 by Mike Gabriel at 2020-05-31T17:50:21+02:00
Reserve DLA-2228-2 for json-c

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 May 2020] DLA-2228-2 json-c - regression update
+   {CVE-2020-12762}
+   [jessie] - json-c 0.11-4+deb8u2
 [31 May 2020] DLA-2229-1 php-horde-gollem - security update
{CVE-2020-8034}
[jessie] - php-horde-gollem 3.0.3-2+deb8u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b86eaa2621d4847f89811190e5cbe695d2da844


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2229-1 for php-horde-gollem

2020-05-31 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
56f611d5 by Mike Gabriel at 2020-05-31T16:48:56+02:00
Reserve DLA-2229-1 for php-horde-gollem

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 May 2020] DLA-2229-1 php-horde-gollem - security update
+   {CVE-2020-8034}
+   [jessie] - php-horde-gollem 3.0.3-2+deb8u1
 [31 May 2020] DLA-2228-1 json-c - security update
{CVE-2020-12762}
[jessie] - json-c 0.11-4+deb8u1
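Review bot: DLA-2229-1 issues a jessie security update for CVE-2020-8034 while the same CVE is tagged "Minor issue" (no-dsa) for buster and stretch in data/CVE/list elsewhere in this digest; that is a legitimate LTS choice, but a short note in the CVE entry explaining why jessie gets an advisory when newer suites defer would avoid the apparent inconsistency. The version 3.0.3-2+deb8u1 follows the +deb8uN convention used by the DLA-2228-1 entry below it.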


=
data/dla-needed.txt
=
@@ -89,8 +89,6 @@ opendmarc (Thorsten Alteholz)
   NOTE: 20200511: new CVEs arrived (thorsten)
   NOTE: 20200524: testing package
 --
-php-horde-gollem (Mike Gabriel)
---
 php5 (Thorsten Alteholz)
   NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218
   NOTE: 20200511: still trying to determine how this CVE affects php



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56f611d56826545177085504c0af15789654f13e


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-8034/php-horde-gollem as no-dsa

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c3da84c by Salvatore Bonaccorso at 2020-05-31T16:25:55+02:00
Mark CVE-2020-8034/php-horde-gollem as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14805,6 +14805,8 @@ CVE-2020-8035 (The image view functionality in Horde 
Groupware Webmail Edition b
NOTE: https://lists.horde.org/archives/announce/2020/001290.html
 CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail 
Edition 5.2.2 ...)
- php-horde-gollem  (bug #961649)
+   [buster] - php-horde-gollem  (Minor issue)
+   [stretch] - php-horde-gollem  (Minor issue)
NOTE: https://lists.horde.org/archives/announce/2020/001289.html
NOTE: 
https://github.com/horde/gollem/commit/a73bef1aef27d4cbfc7b939c2a81dea69aabb083
 CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp 
Device Nam ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3da84c19dd9ebe0befd3b58dc10d8b0dd07a11


[Git][security-tracker-team/security-tracker][master] Add notes for packages

2020-05-31 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1a803b3 by Utkarsh Gupta at 2020-05-31T19:26:30+05:30
Add notes for packages

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -24,7 +24,7 @@ ansible
 apache2 (Utkarsh Gupta)
   NOTE: 20200501: The problem to solve is this: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 (Ola)
   NOTE: 20200501: No CVE yet. (Ola)
-  NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh)
+  NOTE: 20200531: Asking upstream for CVE assignment. (utkarsh)
 --
 bluez (Roberto C. Sánchez)
   NOTE: 20200521: Uploaded backport (version 5.43-2+deb8u1), which now must go 
through NEW (roberto)
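Review bot: changing the date on the existing apache2 note from 20200510 to 20200531 overwrites the record of when upstream was first asked for a CVE; the file's convention, visible in the surrounding entries, is to append a new dated NOTE line, e.g. `NOTE: 20200531: Still waiting on upstream for CVE assignment. (utkarsh)`, and leave the earlier line in place.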
@@ -77,6 +77,7 @@ mumble
   NOTE: 20200504: discussion going on with t...@security.debian.org and mumble 
maintainer (abhijith)
 --
 netqmail (Utkarsh Gupta)
+  NOTE: 20200531: Work ongoing. Probably should backport the version. (utkarsh)
 --
 nginx (Mike Gabriel)
   NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, 
alas, no tests. (lamby)
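Review bot: "Probably should backport the version" in the new netqmail note does not say which version is meant (a newer Debian upload, or an upstream release), so the note cannot be acted on by someone else; naming the candidate source version, and whether the plan is a full backport or a targeted patch, would make the note useful.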
@@ -114,6 +115,7 @@ sympa (Utkarsh Gupta)
   NOTE: 20200525: More discussion about this has been shared on the list. 
(utkarsh)
   NOTE: 20200525: Anyway, the patch that is made public so far has been 
uploaded to
   NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ 
(utkarsh)
+  NOTE: 20200531: non-public patch received but don't think it should applied 
(utkarsh)
 --
 tzdata
   NOTE: 20200514: LTS update must wait on oldstable update first to prevent 
newer version in LTS (roberto)
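Review bot: the added sympa note reads "don't think it should applied" (missing "be"), and more importantly it records a decision without its reason; since the patch is non-public and cannot be inspected by others, a few words on why it should not be applied (incomplete, wrong branch, regression risk) are needed for the next person to pick this up.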



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1a803b390bc27033bebc5ddd795267325dfda3e


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2228-1 for json-c

2020-05-31 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
021ecaae by Mike Gabriel at 2020-05-31T15:46:49+02:00
Reserve DLA-2228-1 for json-c

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 May 2020] DLA-2228-1 json-c - security update
+   {CVE-2020-12762}
+   [jessie] - json-c 0.11-4+deb8u1
 [30 May 2020] DLA-2227-1 bind9 - security update
{CVE-2020-8616 CVE-2020-8617}
[jessie] - bind9 1:9.9.5.dfsg-9+deb8u19
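Review bot: the new DLA-2228-1 entry is well-formed and matches the DLA-2227-1 block below it; note that the matching `{DLA-2228-1}` cross-reference in data/CVE/list for CVE-2020-12762 is not part of this commit and is expected from the automatic update, as the bind9 entries elsewhere in this digest show for DLA-2227-1.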


=
data/dla-needed.txt
=
@@ -51,9 +51,6 @@ graphicsmagick
 --
 imagemagick (Markus Koschany)
 --
-json-c (Mike Gabriel)
-  NOTE: 20200514: json-c is currently orphaned, so possibly fix (old)stable, 
too? (sunweaver)
---
 libdatetime-timezone-perl
   NOTE: 20200514: LTS update must wait on oldstable update first to prevent 
newer version in LTS (roberto)
 --
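Review bot: removing the json-c block also drops the open question in its note ("json-c is currently orphaned, so possibly fix (old)stable, too?"); nothing in this commit answers it, so either carry the question over to the CVE-2020-12762 entry in data/CVE/list or record that it was resolved before deleting it here.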



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/021ecaaebd3646c42f62b1176008eda1e4987b20


[Git][security-tracker-team/security-tracker][master] DLA: update notes for xcftools

2020-05-31 Thread Anton Gladky


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
520dfbbc by Anton Gladky at 2020-05-31T15:16:37+02:00
DLA: update notes for xcftools

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -128,6 +128,7 @@ xcftools (Anton Gladky)
   NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting 
original patch
   NOTE: 20200414: from 20200111 as incomplete, but with suggestion on 
improvement. (lamby)
   NOTE: 20200517: work is ongoing. (gladk)
+  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 
(gladk)
 --
 xen
   NOTE: 20200414: debian-security-support has been updated with EOL status
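Review bot: the new xcftools note is dated 20200523 although it is committed on 20200531; if that is when the pull request was opened the date is fine, but a follow-up line recording whether upstream has accepted or reviewed https://github.com/j-jorge/xcftools/pull/15 would help, since the earlier notes show an upstream rejection of a previous patch.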



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/520dfbbcccfbc970c382b12a984c869b9a97e0de


[Git][security-tracker-team/security-tracker][master] automatic update

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2980c3ec by security tracker role at 2020-05-31T08:10:21+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13481,12 +13481,12 @@ CVE-2020-8619
 CVE-2020-8618
RESERVED
 CVE-2020-8617 (Using a specially-crafted message, an attacker may potentially 
cause a ...)
-   {DSA-4689-1}
+   {DSA-4689-1 DLA-2227-1}
- bind9 
NOTE: https://kb.isc.org/docs/cve-2020-8617
NOTE: 
https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information
 CVE-2020-8616 (A malicious actor who intentionally exploits this lack of 
effective li ...)
-   {DSA-4689-1}
+   {DSA-4689-1 DLA-2227-1}
- bind9 
NOTE: https://kb.isc.org/docs/cve-2020-8616
 CVE-2020-8615 (A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for 
WordPres ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2980c3ec6caca9bca101713c0afe33186e6be274


[Git][security-tracker-team/security-tracker][master] CVE-2020-1746/ansible fixed in unstable via 2.9.7 upload

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f843c0da by Salvatore Bonaccorso at 2020-05-31T09:47:58+02:00
CVE-2020-1746/ansible fixed in unstable via 2.9.7 upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31584,11 +31584,12 @@ CVE-2020-1747 (A vulnerability was discovered in the 
PyYAML library in versions
[jessie] - pyyaml  (Loader/Constructor classes are unsafe 
in this version)
NOTE: https://github.com/yaml/pyyaml/pull/386
 CVE-2020-1746 (A flaw was found in the Ansible Engine affecting Ansible Engine 
versio ...)
-   - ansible 
+   - ansible 2.9.7+dfsg-1
[stretch] - ansible  (Vulnerable code introduced later)
[jessie] - ansible  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1805491
NOTE: https://github.com/ansible/ansible/pull/67866
+   NOTE: Fixed by: 
https://github.com/ansible/ansible/commit/d41e38435b1a9e300d8011ac28f16a5add2db119
 (v2.9.7)
 CVE-2020-1745 (A file inclusion vulnerability was found in the AJP connector 
enabled  ...)
- undertow 2.0.30-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1807305
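Review bot: the [stretch] and [jessie] lines both claim "Vulnerable code introduced later" but nothing in the entry identifies that introducing change; a `NOTE: Introduced in <commit> (<version>)` line, as the CVE-2020-1735 entry elsewhere in this digest has, would let a reviewer verify the claim. The added "Fixed by" note does include the "(v2.9.7)" release tag, which is the right level of detail.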



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f843c0da94056e3d483d09b2ef46b52502a34785


[Git][security-tracker-team/security-tracker][master] Update information on CVE-2020-1735/ansible

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b472fe52 by Salvatore Bonaccorso at 2020-05-31T09:45:15+02:00
Update information on CVE-2020-1735/ansible

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31634,12 +31634,15 @@ CVE-2020-1736 (A flaw was found in Ansible Engine 
when a file is moved using ato
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802124
NOTE: https://github.com/ansible/ansible/issues/67794
 CVE-2020-1735 (A flaw was found in the Ansible Engine when the fetch module is 
used.  ...)
-   - ansible 
+   - ansible 2.9.7+dfsg-1
[jessie] - ansible  (No remote expansion in fetch module)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802085
NOTE: https://github.com/ansible/ansible/issues/67793
NOTE: https://github.com/ansible/ansible/pull/68720
NOTE: Introduced in 
https://github.com/ansible/ansible/commit/e47f6137e5b897dec4319e7cb7791fb9b2cffb8d
 (1.8)
+   NOTE: Fixed by: 
https://github.com/ansible/ansible/commit/290bfa820d533dc224e0c3fa7dd7c6b907ed0189
+   NOTE: The commit has incorrect CVE reference adressed in
+   NOTE: 
https://github.com/ansible/ansible/commit/18f91bbb88a84b1d3614ef41c3550da735592ac1
 CVE-2020-1734 (A flaw was found in the pipe lookup plugin of ansible. 
Arbitrary comma ...)
- ansible  (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801804
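Review bot: typo in the added line "The commit has incorrect CVE reference adressed in": "adressed" should be "addressed", and "an incorrect CVE reference" reads better. Only jessie is annotated for this entry; with the fix in unstable only, stretch will show as unfixed until a [stretch] status is recorded.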



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b472fe52b977ca59c414a68c2a0467f7ad764dd8


[Git][security-tracker-team/security-tracker][master] CVE-2020-10685/ansible fixed with 2.9.7+dfsg-1 upload

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f080f084 by Salvatore Bonaccorso at 2020-05-31T09:38:29+02:00
CVE-2020-10685/ansible fixed with 2.9.7+dfsg-1 upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8670,7 +8670,7 @@ CVE-2020-10687
 CVE-2020-10686 (A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was 
fixed in ...)
NOT-FOR-US: Keycloak
 CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine 
versions 2 ...)
-   - ansible 
+   - ansible 2.9.7+dfsg-1
[jessie] - ansible  (Vulnerable code introduced later, 
all decryption in-memory, no transparent file decryption)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814627
NOTE: https://github.com/ansible/ansible/pull/68433
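Review bot: unlike the sibling CVE-2020-1746 and CVE-2020-1735 entries updated in this digest, this entry records the fixed version 2.9.7+dfsg-1 without a `NOTE: Fixed by:` line naming the upstream commit and release; only the pull request is cited. Adding the commit would make the three ansible entries consistent and easier to audit.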



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f080f084ebb5bd279727b524d4c3cf5affc87ec7


[Git][security-tracker-team/security-tracker][master] CVE-2020-10684/ansible fixed in 2.9.7

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f17ef48 by Salvatore Bonaccorso at 2020-05-31T09:36:24+02:00
CVE-2020-10684/ansible fixed in 2.9.7

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8677,7 +8677,7 @@ CVE-2020-10685 (A flaw was found in Ansible Engine 
affecting Ansible Engine vers
NOTE: 
https://github.com/ansible/ansible/commit/6452a82452f3a721233b50f62419598206442fd9
NOTE: Introduced in 
https://github.com/ansible/ansible/commit/cdf6e3e4bf44fdab62c2e4ccd3f5fd67ea554548
 (2.1)
 CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x 
and 2.9. ...)
-   - ansible 
+   - ansible 2.9.7+dfsg-1
[jessie] - ansible  (Vulnerable code introduced later, 
'ansible_facts' variable not exposed)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1815519
NOTE: https://github.com/ansible/ansible/pull/68431
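Review bot: the description says all 2.7.x, 2.8.x and 2.9 versions are affected, and only jessie is marked not-affected ("'ansible_facts' variable not exposed"); with the fix landing in unstable only, a [stretch] line (no-dsa with reason, or a note that a point-release update is planned) is missing here, as it is in the CVE-2020-10685 entry above.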



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f17ef48e3f04004b0fd01312657e67d4d518ddc


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-12399/nss via unstable

2020-05-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61a19e0c by Salvatore Bonaccorso at 2020-05-31T09:04:50+02:00
Add fixed version for CVE-2020-12399/nss via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2932,7 +2932,7 @@ CVE-2020-12400
RESERVED
 CVE-2020-12399 [Force a fixed length for DSA exponentiation]
RESERVED
-   - nss  (bug #961752)
+   - nss 2:3.53-1 (bug #961752)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1631576 (non-public)
NOTE: Fixed by: 
https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
 CVE-2020-12398
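Review bot: the entry keeps the RESERVED placeholder while recording the fixed version 2:3.53-1 and the upstream hg revision, which is fine until the CVE text is published; however no [buster]/[stretch] status is set, so both suites will appear as unfixed until a no-dsa or DSA decision is recorded. The bugzilla reference is correctly flagged (non-public) so readers do not expect to open it.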



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61a19e0c8be63cd698f76a8707014de957b671f8
