[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-8035 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49ff1e14 by Salvatore Bonaccorso at 2020-06-01T08:58:02+02:00 Mark CVE-2020-8035 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14814,6 +14814,8 @@ CVE-2020-8036 RESERVED CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition before ...) - php-horde + [buster] - php-horde (Minor issue; can be fixed via point release) + [stretch] - php-horde (Minor issue; can be fixed via point release) NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49ff1e14372c8d2573229c9ee597174019a81b77 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49ff1e14372c8d2573229c9ee597174019a81b77 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Four gnucobol issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6335775 by Salvatore Bonaccorso at 2020-06-01T08:42:43+02:00 Four gnucobol issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48961,7 +48961,7 @@ CVE-2019-14543 CVE-2019-14542 RESERVED CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_program_id ...) - - gnucobol (low; bug #933884) + - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) @@ -49015,7 +49015,7 @@ CVE-2019-14530 (An issue was discovered in custom/ajax_download.php in OpenEMR b CVE-2019-14529 (OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/s ...) NOT-FOR-US: OpenEMR CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in cobc/ ...) - - gnucobol (low; bug #933884) + - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) @@ -49165,7 +49165,7 @@ CVE-2019-14488 CVE-2019-14487 RESERVED CVE-2019-14486 (GnuCOBOL 2.2 has a buffer overflow in cb_evaluate_expr in cobc/field.c ...) - - gnucobol (low; bug #933884) + - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) 
@@ -49206,7 +49206,7 @@ CVE-2019-14470 (cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used i CVE-2019-14469 (In Nexus Repository Manager before 3.18.0, users with elevated privile ...) NOT-FOR-US: Nexus Repository Manager CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in cb_push_op in cobc/field.c via c ...) - - gnucobol (low; bug #933884) + - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6335775eb3dcd57d34676d850c1b21bddecab6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6335775eb3dcd57d34676d850c1b21bddecab6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add note to freerdp
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e7d3b1e5 by Mike Gabriel at 2020-05-31T23:12:00+02:00 data/dla-needed.txt: Add note to freerdp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,6 +45,7 @@ drupal7 -- freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) + NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) -- graphicsmagick (Roberto C. Sánchez) NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7d3b1e5fab07b166f8d869e4f940be6f6b5feda -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7d3b1e5fab07b166f8d869e4f940be6f6b5feda You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2231-1 for sane-backends
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: fbae5496 by Adrian Bunk at 2020-05-31T23:59:02+03:00 Reserve DLA-2231-1 for sane-backends - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2231-1 sane-backends - security update + {CVE-2020-12867} + [jessie] - sane-backends 1.0.24-8+deb8u3 [31 May 2020] DLA-2230-1 php-horde - security update {CVE-2020-8035} [jessie] - php-horde 5.2.1+debian0-2+deb8u6 = data/dla-needed.txt = @@ -99,8 +99,6 @@ python-httplib2 (Abhijith PA) qemu (Adrian Bunk) NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk) -- -sane-backends (Adrian Bunk) --- sqlite3 (Abhijith PA) -- squid3 (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbae549601b62f057d469179dbbc192473a3d357 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbae549601b62f057d469179dbbc192473a3d357 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark freerdp2/CVE-2020-110{17,18} as no-dsa issues as discussed with Salvatore.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 31dd7f32 by Mike Gabriel at 2020-05-31T22:57:02+02:00 data/CVE/list: Mark freerdp2/CVE-2020-110{17,18} as no-dsa issues as discussed with Salvatore. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7523,11 +7523,17 @@ CVE-2020-11019 (In FreeRDP less than or equal to 2.0.0, when running with logger NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wvrr-2f4r-hjvh CVE-2020-11018 (In FreeRDP less than or equal to 2.0.0, a possible resource exhaustion ...) - freerdp2 2.1.1+dfsg1-1 + [buster] - freerdp2 (Minor issue) - freerdp + [stretch] - freerdp (Minor issue) + [jessie] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8cvc-vcw7-6mfw CVE-2020-11017 (In FreeRDP less than or equal to 2.0.0, by providing manipulated input ...) - freerdp2 2.1.1+dfsg1-1 + [buster] - freerdp2 (Minor issue) - freerdp + [stretch] - freerdp (Minor issue) + [jessie] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5c8-fm29-q57c CVE-2020-11016 (IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vuln ...) NOT-FOR-US: IntelMQ Manager View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31dd7f3276d2efcb6eed666ca6cbbdfc38b46d89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31dd7f3276d2efcb6eed666ca6cbbdfc38b46d89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: update and give back condor
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: beeb2a32 by Adrian Bunk at 2020-05-31T23:40:36+03:00 dla: update and give back condor - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,10 +32,11 @@ bluez (Roberto C. Sánchez) cacti (Abhijith PA) NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) -- -condor (Adrian Bunk) +condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby) NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh) + NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk) -- cups (Anton Gladky) NOTE: 20200514: Two open issues. Added on request from Anton Gladky. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/beeb2a321500e3f8f04fdd0f161716ef34b34d87 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/beeb2a321500e3f8f04fdd0f161716ef34b34d87 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: data/CVE/list: Drop [postponed] tag from CVE-2020-8035/php-horde.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 06aa7cd4 by Mike Gabriel at 2020-05-31T22:39:28+02:00 data/CVE/list: Drop [postponed] tag from CVE-2020-8035/php-horde. - - - - - 0665037a by Mike Gabriel at 2020-05-31T22:39:28+02:00 Reserve DLA-2230-1 for php-horde - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -14808,7 +14808,6 @@ CVE-2020-8036 RESERVED CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition before ...) - php-horde - [jessie] - php-horde (Minor issue, can be fixed along with next releases) NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2230-1 php-horde - security update + {CVE-2020-8035} + [jessie] - php-horde 5.2.1+debian0-2+deb8u6 [31 May 2020] DLA-2228-2 json-c - regression update {CVE-2020-12762} [jessie] - json-c 0.11-4+deb8u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45...0665037ad49cb831b1cbe737679b74d043c8cfa2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45...0665037ad49cb831b1cbe737679b74d043c8cfa2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Final version for Stretch and Jessie this week but will ask for
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: dca9ff14 by Markus Koschany at 2020-05-31T22:29:58+02:00 dla-needed.txt: Final version for Stretch and Jessie this week but will ask for testing on debian-lts first due to the many changes and issues fixed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,8 +103,8 @@ sane-backends (Adrian Bunk) sqlite3 (Abhijith PA) -- squid3 (Markus Koschany) - NOTE: 20200518: Ongoing work on squid3 in Stretch which will be used for Jessie - NOTE: 20200518: and Stretch. + NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for Jessie + NOTE: 20200531: and Stretch. -- sympa (Utkarsh Gupta) NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
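Review bot: the squid3 hunk only changes the date stamp of the two existing NOTE lines from 20200518 to 20200531 while leaving their text unchanged, which loses the record that the work has been ongoing since 20200518 without adding anything new. Other entries in this file stack dated notes instead (the graphicsmagick entry carries both a `NOTE: 20200514:` and a `NOTE: 20200529:` line), so suggest keeping the 20200518 lines and appending a new `NOTE: 20200531:` line with the status given in the commit message (final version ready, testing to be requested on debian-lts first).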
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb78c34b by security tracker role at 2020-05-31T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2083,6 +2083,7 @@ CVE-2020-12764 (Gnuteca 3.8 allows file.php?folder=/&file= Directory Travers CVE-2020-12763 (TRENDnet ProView Wireless camera TV-IP512WN 1.0R 1.0.4 is vulnerable t ...) NOT-FOR-US: TRENDnet ProView CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds write vi ...) + {DLA-2228-2 DLA-2228-1} - json-c (bug #960326) NOTE: https://github.com/json-c/json-c/pull/592 NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 @@ -7248,7 +7249,7 @@ CVE-2020-11083 RESERVED CVE-2020-11082 (In Kaminari before 1.2.1, there is a vulnerability that would allow an ...) - ruby-kaminari (bug #961847) -[jessie] - ruby-kaminari (No reverse dependency) + [jessie] - ruby-kaminari (No reverse dependency) NOTE: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433 NOTE: https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8 CVE-2020-11081 
@@ -14811,6 +14812,7 @@ CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition b NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) + {DLA-2229-1} - php-horde-gollem 3.0.12-6 (bug #961649) [buster] - php-horde-gollem (Minor issue) [stretch] - php-horde-gollem (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb78c34bcdb68bf01649986b4b6e01235f9e84b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb78c34bcdb68bf01649986b4b6e01235f9e84b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim graphicsmagick in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4635f418 by Roberto C. Sánchez at 2020-05-31T15:48:56-04:00 LTS: claim graphicsmagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,7 +45,7 @@ drupal7 freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- -graphicsmagick +graphicsmagick (Roberto C. Sánchez) NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver) NOTE: 20200529: still no upstream patch available, yet, for CVE-2020-12672 (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4635f4182aa31bacd696af65da6c4586bbd92b9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4635f4182aa31bacd696af65da6c4586bbd92b9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-861{6,7}/bind9
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 81b8054e by Salvatore Bonaccorso at 2020-05-31T21:30:24+02:00 Add Debian bug reference for CVE-2020-861{6,7}/bind9 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13489,12 +13489,12 @@ CVE-2020-8618 RESERVED CVE-2020-8617 (Using a specially-crafted message, an attacker may potentially cause a ...) {DSA-4689-1 DLA-2227-1} - - bind9 + - bind9 (bug #961939) NOTE: https://kb.isc.org/docs/cve-2020-8617 NOTE: https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information CVE-2020-8616 (A malicious actor who intentionally exploits this lack of effective li ...) {DSA-4689-1 DLA-2227-1} - - bind9 + - bind9 (bug #961939) NOTE: https://kb.isc.org/docs/cve-2020-8616 CVE-2020-8615 (A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPres ...) NOT-FOR-US: Tutor LMS plugin for WordPress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81b8054e4b479a80a05c87e093573b8f6bc6ce0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81b8054e4b479a80a05c87e093573b8f6bc6ce0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] sane-backends: The epsonds backend is not in jessie
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 782fe9e6 by Adrian Bunk at 2020-05-31T22:24:43+03:00 sane-backends: The epsonds backend is not in jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1805,31 +1805,37 @@ CVE-2020-12866 RESERVED [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) + [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html CVE-2020-12865 RESERVED [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) + [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html CVE-2020-12864 RESERVED [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) + [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html CVE-2020-12863 RESERVED [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) + [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html CVE-2020-12862 RESERVED [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) + [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html CVE-2020-12861 RESERVED [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) + [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html CVE-2020-12860 (COVIDSafe through v1.0.17 allows a remote attacker to access phone nam ...) NOT-FOR-US: COVIDSafe View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/782fe9e65fc81b781c0e88677bce8b409d24b22b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/782fe9e65fc81b781c0e88677bce8b409d24b22b You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark ssvnc issues as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3093774 by Salvatore Bonaccorso at 2020-05-31T21:18:52+02:00 Mark ssvnc issues as no-dsa - - - - - 6b4161ff by Salvatore Bonaccorso at 2020-05-31T21:18:52+02:00 Track proposed fixes for ssvnc via buster-pu - - - - - bde840ec by Salvatore Bonaccorso at 2020-05-31T21:18:52+02:00 Track proposed ssvnc fixes via stretch-pu - - - - - 3 changed files: - data/CVE/list - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/CVE/list = @@ -86196,6 +86196,8 @@ CVE-2018-20024 (LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 co - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) + [buster] - ssvnc (Minor issue) + [stretch] - ssvnc (Minor issue) - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/254 NOTE: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 @@ -86215,6 +86217,8 @@ CVE-2018-20022 (LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) + [buster] - ssvnc (Minor issue) + [stretch] - ssvnc (Minor issue) - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 @@ -86228,6 +86232,8 @@ CVE-2018-20021 (LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c co - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) + [buster] - ssvnc (Minor issue) + [stretch] - ssvnc (Minor issue) - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 
@@ -86241,6 +86247,8 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co - italc [stretch] - italc (Incomplete fix for CVE-2018-20019 not applied) - ssvnc 1.0.29-5 (bug #945827) + [buster] - ssvnc (Minor issue) + [stretch] - ssvnc (Minor issue) - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/250 NOTE: https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc = data/next-oldstable-point-update.txt = @@ -96,3 +96,11 @@ CVE-2020-0093 [stretch] - libexif 0.6.21-2+deb9u2 CVE-2020-8034 [stretch] - php-horde-gollem 3.0.10-1+deb9u1 +CVE-2018-20020 + [stretch] - ssvnc 1.0.29-3+deb9u1 +CVE-2018-20021 + [stretch] - ssvnc 1.0.29-3+deb9u1 +CVE-2018-20022 + [stretch] - ssvnc 1.0.29-3+deb9u1 +CVE-2018-20024 + [stretch] - ssvnc 1.0.29-3+deb9u1 = data/next-point-update.txt = @@ -32,3 +32,11 @@ CVE-2020-0093 [buster] - libexif 0.6.21-5.1+deb10u2 CVE-2020-8034 [buster] - php-horde-gollem 3.0.12-3+deb10u1 +CVE-2018-20020 + [buster] - ssvnc 1.0.29-4+deb10u1 +CVE-2018-20021 + [buster] - ssvnc 1.0.29-4+deb10u1 +CVE-2018-20022 + [buster] - ssvnc 1.0.29-4+deb10u1 +CVE-2018-20024 + [buster] - ssvnc 1.0.29-4+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ec84e3a404ab98086bf3d3e4added420aa14b42c...bde840ec547526586325580b2ae8997ddde92a25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ec84e3a404ab98086bf3d3e4added420aa14b42c...bde840ec547526586325580b2ae8997ddde92a25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
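Review bot: not touched by this change but visible in the context of the CVE-2018-20022 and CVE-2018-20021 hunks, `[buster] - tightvnc 1:1.3.9-9deb10u1` lacks the `+` before `deb10u1` that the stretch line (`1:1.3.9-9+deb9u1`) and the new ssvnc point-update entries (`1.0.29-4+deb10u1`) use; worth checking against the actual buster version string and correcting in a follow-up so the fixed-version comparison is not made against a malformed version.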
[Git][security-tracker-team/security-tracker][master] dla-needed: update notes
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ec84e3a4 by Adrian Bunk at 2020-05-31T22:12:01+03:00 dla-needed: update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,6 @@ nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- nss (Adrian Bunk) - NOTE: 20200521: bug report is not yet public, so probably Jessie is not affected -- opendmarc (Thorsten Alteholz) NOTE: 20200511: new CVEs arrived (thorsten) @@ -97,7 +96,7 @@ php5 (Thorsten Alteholz) python-httplib2 (Abhijith PA) -- qemu (Adrian Bunk) - NOTE: 20200525: work is ongoing (bunk) + NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk) -- sane-backends (Adrian Bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec84e3a404ab98086bf3d3e4added420aa14b42c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec84e3a404ab98086bf3d3e4added420aa14b42c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
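Review bot: the nss hunk deletes `NOTE: 20200521: bug report is not yet public, so probably Jessie is not affected` without adding a dated replacement saying what changed (whether the report is now public, or whether the jessie status was settled), whereas the qemu hunk in the same commit replaces its stale note with a new `NOTE: 20200531:` line. Suggest adding a `NOTE: 20200531: ... (bunk)` line for nss recording the current status, as done for qemu.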
[Git][security-tracker-team/security-tracker][master] Track proposed update for php-horde-gollem via {buster,stretch}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bdfe937e by Salvatore Bonaccorso at 2020-05-31T20:39:30+02:00 Track proposed update for php-horde-gollem via {buster,stretch}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -94,3 +94,5 @@ CVE-2020-12767 [stretch] - libexif 0.6.21-2+deb9u2 CVE-2020-0093 [stretch] - libexif 0.6.21-2+deb9u2 +CVE-2020-8034 + [stretch] - php-horde-gollem 3.0.10-1+deb9u1 = data/next-point-update.txt = @@ -30,3 +30,5 @@ CVE-2020-12767 [buster] - libexif 0.6.21-5.1+deb10u2 CVE-2020-0093 [buster] - libexif 0.6.21-5.1+deb10u2 +CVE-2020-8034 + [buster] - php-horde-gollem 3.0.12-3+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdfe937ee1611468f1a11a6d9c5875cf60379881 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdfe937ee1611468f1a11a6d9c5875cf60379881 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Several nethack issues fixed via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d6f936b2 by Salvatore Bonaccorso at 2020-05-31T20:34:23+02:00 Several nethack issues fixed via unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21395,7 +21395,7 @@ CVE-2020-5255 (In Symfony before versions 4.4.7 and 5.0.7, when a `Response` doe NOTE: https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header NOTE: https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6 CVE-2020-5254 (In NetHack before 3.6.6, some out-of-bound values for the hilite_statu ...) - - nethack (bug #953978) + - nethack 3.6.6-1 (bug #953978) [buster] - nethack (Minor issue) [stretch] - nethack (Vulnerable code introduced in 3.6.1) [jessie] - nethack (Vulnerable code introduced in 3.6.1) 
@@ -21526,28 +21526,28 @@ CVE-2020-5216 (In Secure Headers (RubyGem secure_headers), a directive injection CVE-2020-5215 (In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Pytho ...) - tensorflow (bug #804612) CVE-2020-5214 (In NetHack before 3.6.5, detecting an unknown configuration file optio ...) - - nethack (unimportant) + - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-p8fw-rq89-xqx6 NOTE: Negligible security impact CVE-2020-5213 (In NetHack before 3.6.5, too long of a value for the SYMBOL configurat ...) - - nethack (unimportant) + - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-rr25-4v34-pr7v NOTE: Negligible security impact CVE-2020-5212 (In NetHack before 3.6.5, an extremely long value for the MENUCOLOR con ...) - - nethack (unimportant) + - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-g89f-m829-4m56 NOTE: Negligible security impact CVE-2020-5211 (In NetHack before 3.6.5, an invalid extended command in value for the ...) - - nethack (unimportant) + - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-r788-4jf4-r9f7 NOTE: Negligible security impact CVE-2020-5210 (In NetHack before 3.6.5, an invalid argument to the -w command line op ...) - - nethack (unimportant) + - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-v5pg-hpjg-9rpp NOTE: https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77 NOTE: Negligible security impact CVE-2020-5209 (In NetHack before 3.6.5, unknown options starting with -de and -i can ...) - - nethack (unimportant) + - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-fw72-r8xm-45p8 NOTE: https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77 NOTE: Negligible security impact 
@@ -25315,7 +25315,7 @@ CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write le CVE-2019-16787 REJECTED CVE-2019-19905 (NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability ...) - - nethack (unimportant; bug #947005) + - nethack 3.6.6-1 (unimportant; bug #947005) NOTE: https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226 NOTE: https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47 NOTE: Negligible security impact View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6f936b272814da4aa36610bef002d2e607e52ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6f936b272814da4aa36610bef002d2e607e52ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-11082 for jessie
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b1a8128 by Abhijith PA at 2020-05-31T22:43:15+05:30 Mark CVE-2020-11082 for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7242,6 +7242,7 @@ CVE-2020-11083 RESERVED CVE-2020-11082 (In Kaminari before 1.2.1, there is a vulnerability that would allow an ...) - ruby-kaminari (bug #961847) +[jessie] - ruby-kaminari (No reverse dependency) NOTE: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433 NOTE: https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8 CVE-2020-11081 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b1a8128e1e060b1eea46e019f17fd4eddd30760 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b1a8128e1e060b1eea46e019f17fd4eddd30760 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
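Review bot: the added line `+[jessie] - ruby-kaminari (No reverse dependency)` is missing the leading indentation that release-specific entries carry elsewhere in data/CVE/list (compare `+ [buster] - php-horde (...)` and `+ [stretch] - ssvnc (Minor issue)` in the neighbouring commits); the automatic update that followed had to re-indent it to ` [jessie] - ruby-kaminari (No reverse dependency)`. Indent the line when adding it so it matches the file's layout and does not need a follow-up fix.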
[Git][security-tracker-team/security-tracker][master] gollem fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e0c201d by Moritz Muehlenhoff at 2020-05-31T18:55:29+02:00 gollem fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14804,7 +14804,7 @@ CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition b NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) - - php-horde-gollem (bug #961649) + - php-horde-gollem 3.0.12-6 (bug #961649) [buster] - php-horde-gollem (Minor issue) [stretch] - php-horde-gollem (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001289.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e0c201d9e3a96058382d748f0ecd5371850da71 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e0c201d9e3a96058382d748f0ecd5371850da71 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
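Review bot: the fixed version 3.0.12-6 is below the upstream fixed release named in the CVE text ("Gollem before 3.0.13"), so the Debian fix must be a backported patch rather than a version bump; add a "NOTE: Fixed by:" line pointing at the upstream commit carried in 3.0.12-6 so that nobody comparing version numbers concludes the entry is wrong.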
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2228-2 for json-c
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b86eaa2 by Mike Gabriel at 2020-05-31T17:50:21+02:00 Reserve DLA-2228-2 for json-c - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2228-2 json-c - regression update + {CVE-2020-12762} + [jessie] - json-c 0.11-4+deb8u2 [31 May 2020] DLA-2229-1 php-horde-gollem - security update {CVE-2020-8034} [jessie] - php-horde-gollem 3.0.3-2+deb8u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b86eaa2621d4847f89811190e5cbe695d2da844 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b86eaa2621d4847f89811190e5cbe695d2da844 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
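Review bot: the DLA-2228-2 entry records the regression update for 0.11-4+deb8u2 but nothing in the hunk says what regressed in 0.11-4+deb8u1; a one-line NOTE under the entry (what broke, and that the CVE-2020-12762 fix itself is unchanged) would save the next reader a trip to the announcement.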
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2229-1 for php-horde-gollem
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 56f611d5 by Mike Gabriel at 2020-05-31T16:48:56+02:00 Reserve DLA-2229-1 for php-horde-gollem - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2229-1 php-horde-gollem - security update + {CVE-2020-8034} + [jessie] - php-horde-gollem 3.0.3-2+deb8u1 [31 May 2020] DLA-2228-1 json-c - security update {CVE-2020-12762} [jessie] - json-c 0.11-4+deb8u1 = data/dla-needed.txt = @@ -89,8 +89,6 @@ opendmarc (Thorsten Alteholz) NOTE: 20200511: new CVEs arrived (thorsten) NOTE: 20200524: testing package -- -php-horde-gollem (Mike Gabriel) --- php5 (Thorsten Alteholz) NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218 NOTE: 20200511: still trying to determine how this CVE affects php View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56f611d56826545177085504c0af15789654f13e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56f611d56826545177085504c0af15789654f13e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-8034/php-horde-gollem as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c3da84c by Salvatore Bonaccorso at 2020-05-31T16:25:55+02:00 Mark CVE-2020-8034/php-horde-gollem as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14805,6 +14805,8 @@ CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition b NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) - php-horde-gollem (bug #961649) + [buster] - php-horde-gollem (Minor issue) + [stretch] - php-horde-gollem (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001289.html NOTE: https://github.com/horde/gollem/commit/a73bef1aef27d4cbfc7b939c2a81dea69aabb083 CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Nam ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3da84c19dd9ebe0befd3b58dc10d8b0dd07a11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3da84c19dd9ebe0befd3b58dc10d8b0dd07a11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add notes for packages
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: e1a803b3 by Utkarsh Gupta at 2020-05-31T19:26:30+05:30 Add notes for packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,7 +24,7 @@ ansible apache2 (Utkarsh Gupta) NOTE: 20200501: The problem to solve is this: https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 (Ola) NOTE: 20200501: No CVE yet. (Ola) - NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh) + NOTE: 20200531: Asking upstream for CVE assignment. (utkarsh) -- bluez (Roberto C. Sánchez) NOTE: 20200521: Uploaded backport (version 5.43-2+deb8u1), which now must go through NEW (roberto) @@ -77,6 +77,7 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) -- netqmail (Utkarsh Gupta) + NOTE: 20200531: Work ongoing. Probably should backport the version. (utkarsh) -- nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) 
@@ -114,6 +115,7 @@ sympa (Utkarsh Gupta) NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh) NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh) + NOTE: 20200531: non-public patch received but don't think it should applied (utkarsh) -- tzdata NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1a803b390bc27033bebc5ddd795267325dfda3e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1a803b390bc27033bebc5ddd795267325dfda3e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
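Review bot: the apache2 hunk rewrites the date on the existing note from 20200510 to 20200531 instead of appending a new dated line, which is how the netqmail and sympa hunks in the same commit (and the rest of dla-needed.txt) record progress; this loses the fact that CVE assignment was first requested on 20200510. Keep the old line and add "NOTE: 20200531: Still waiting on upstream for CVE assignment. (utkarsh)". In the sympa hunk, "don't think it should applied" is missing "be" and gives no reason; record why the non-public patch should not be applied, since that is the decision the next person picking up sympa will need.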
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2228-1 for json-c
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 021ecaae by Mike Gabriel at 2020-05-31T15:46:49+02:00 Reserve DLA-2228-1 for json-c - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2228-1 json-c - security update + {CVE-2020-12762} + [jessie] - json-c 0.11-4+deb8u1 [30 May 2020] DLA-2227-1 bind9 - security update {CVE-2020-8616 CVE-2020-8617} [jessie] - bind9 1:9.9.5.dfsg-9+deb8u19 = data/dla-needed.txt = @@ -51,9 +51,6 @@ graphicsmagick -- imagemagick (Markus Koschany) -- -json-c (Mike Gabriel) - NOTE: 20200514: json-c is currently orphaned, so possibly fix (old)stable, too? (sunweaver) --- libdatetime-timezone-perl NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/021ecaaebd3646c42f62b1176008eda1e4987b20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/021ecaaebd3646c42f62b1176008eda1e4987b20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
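Review bot: the dla-needed.txt hunk drops the open question "json-c is currently orphaned, so possibly fix (old)stable, too?" without recording an answer; reserving the jessie DLA does not settle whether buster and stretch need a fix for CVE-2020-12762. Move the question to the CVE entry in data/CVE/list as a NOTE (or as [buster]/[stretch] annotations once decided) rather than letting it vanish with the jessie entry.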
[Git][security-tracker-team/security-tracker][master] DLA: update notes for xcftools
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 520dfbbc by Anton Gladky at 2020-05-31T15:16:37+02:00 DLA: update notes for xcftools - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -128,6 +128,7 @@ xcftools (Anton Gladky) NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby) NOTE: 20200517: work is ongoing. (gladk) + NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) -- xen NOTE: 20200414: debian-security-support has been updated with EOL status View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/520dfbbcccfbc970c382b12a984c869b9a97e0de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/520dfbbcccfbc970c382b12a984c869b9a97e0de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
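Review bot: the new 20200523 note links a proposed fix but does not say whether https://github.com/j-jorge/xcftools/pull/15 addresses the incompleteness of the original patch raised around 20200401, which the preceding notes identify as the blocking problem; one clause ("supersedes the 20200111 patch and covers the cases raised on 20200401") would make the note actionable.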
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2980c3ec by security tracker role at 2020-05-31T08:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13481,12 +13481,12 @@ CVE-2020-8619 CVE-2020-8618 RESERVED CVE-2020-8617 (Using a specially-crafted message, an attacker may potentially cause a ...) - {DSA-4689-1} + {DSA-4689-1 DLA-2227-1} - bind9 NOTE: https://kb.isc.org/docs/cve-2020-8617 NOTE: https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information CVE-2020-8616 (A malicious actor who intentionally exploits this lack of effective li ...) - {DSA-4689-1} + {DSA-4689-1 DLA-2227-1} - bind9 NOTE: https://kb.isc.org/docs/cve-2020-8616 CVE-2020-8615 (A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPres ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2980c3ec6caca9bca101713c0afe33186e6be274 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2980c3ec6caca9bca101713c0afe33186e6be274 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-1746/ansible fixed in unstable via 2.9.7 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f843c0da by Salvatore Bonaccorso at 2020-05-31T09:47:58+02:00 CVE-2020-1746/ansible fixed in unstable via 2.9.7 upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31584,11 +31584,12 @@ CVE-2020-1747 (A vulnerability was discovered in the PyYAML library in versions [jessie] - pyyaml (Loader/Constructor classes are unsafe in this version) NOTE: https://github.com/yaml/pyyaml/pull/386 CVE-2020-1746 (A flaw was found in the Ansible Engine affecting Ansible Engine versio ...) - - ansible + - ansible 2.9.7+dfsg-1 [stretch] - ansible (Vulnerable code introduced later) [jessie] - ansible (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1805491 NOTE: https://github.com/ansible/ansible/pull/67866 + NOTE: Fixed by: https://github.com/ansible/ansible/commit/d41e38435b1a9e300d8011ac28f16a5add2db119 (v2.9.7) CVE-2020-1745 (A file inclusion vulnerability was found in the AJP connector enabled ...) - undertow 2.0.30-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1807305 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f843c0da94056e3d483d09b2ef46b52502a34785 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f843c0da94056e3d483d09b2ef46b52502a34785 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
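Review bot: stretch and jessie are annotated "Vulnerable code introduced later" but there is no [buster] line, so with the fixed version now set to 2.9.7+dfsg-1 the tracker will show buster as open for CVE-2020-1746; add a [buster] annotation (no-dsa with a reason, or the planned fix) or confirm that buster is intended to remain listed as vulnerable.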
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2020-1735/ansible
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b472fe52 by Salvatore Bonaccorso at 2020-05-31T09:45:15+02:00 Update information on CVE-2020-1735/ansible - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31634,12 +31634,15 @@ CVE-2020-1736 (A flaw was found in Ansible Engine when a file is moved using ato NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802124 NOTE: https://github.com/ansible/ansible/issues/67794 CVE-2020-1735 (A flaw was found in the Ansible Engine when the fetch module is used. ...) - - ansible + - ansible 2.9.7+dfsg-1 [jessie] - ansible (No remote expansion in fetch module) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802085 NOTE: https://github.com/ansible/ansible/issues/67793 NOTE: https://github.com/ansible/ansible/pull/68720 NOTE: Introduced in https://github.com/ansible/ansible/commit/e47f6137e5b897dec4319e7cb7791fb9b2cffb8d (1.8) + NOTE: Fixed by: https://github.com/ansible/ansible/commit/290bfa820d533dc224e0c3fa7dd7c6b907ed0189 + NOTE: The commit has incorrect CVE reference adressed in + NOTE: https://github.com/ansible/ansible/commit/18f91bbb88a84b1d3614ef41c3550da735592ac1 CVE-2020-1734 (A flaw was found in the pipe lookup plugin of ansible. Arbitrary comma ...) - ansible (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801804 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b472fe52b977ca59c414a68c2a0467f7ad764dd8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b472fe52b977ca59c414a68c2a0467f7ad764dd8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
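Review bot: typo "adressed" in the added NOTE ("The commit has incorrect CVE reference adressed in"). While touching it, state which CVE identifier commit 290bfa82 wrongly cites, so that someone grepping the upstream changelog for CVE-2020-1735 understands why the fix does not appear under that ID.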
[Git][security-tracker-team/security-tracker][master] CVE-2020-10685/ansible fixed with 2.9.7+dfsg-1 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f080f084 by Salvatore Bonaccorso at 2020-05-31T09:38:29+02:00 CVE-2020-10685/ansible fixed with 2.9.7+dfsg-1 upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8670,7 +8670,7 @@ CVE-2020-10687 CVE-2020-10686 (A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in ...) NOT-FOR-US: Keycloak CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine versions 2 ...) - - ansible + - ansible 2.9.7+dfsg-1 [jessie] - ansible (Vulnerable code introduced later, all decryption in-memory, no transparent file decryption) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814627 NOTE: https://github.com/ansible/ansible/pull/68433 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f080f084ebb5bd279727b524d4c3cf5affc87ec7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f080f084ebb5bd279727b524d4c3cf5affc87ec7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-10684/ansible fixed in 2.9.7
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f17ef48 by Salvatore Bonaccorso at 2020-05-31T09:36:24+02:00 CVE-2020-10684/ansible fixed in 2.9.7 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8677,7 +8677,7 @@ CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine vers NOTE: https://github.com/ansible/ansible/commit/6452a82452f3a721233b50f62419598206442fd9 NOTE: Introduced in https://github.com/ansible/ansible/commit/cdf6e3e4bf44fdab62c2e4ccd3f5fd67ea554548 (2.1) CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...) - - ansible + - ansible 2.9.7+dfsg-1 [jessie] - ansible (Vulnerable code introduced later, 'ansible_facts' variable not exposed) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1815519 NOTE: https://github.com/ansible/ansible/pull/68431 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f17ef48e3f04004b0fd01312657e67d4d518ddc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f17ef48e3f04004b0fd01312657e67d4d518ddc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-12399/nss via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61a19e0c by Salvatore Bonaccorso at 2020-05-31T09:04:50+02:00 Add fixed version for CVE-2020-12399/nss via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2932,7 +2932,7 @@ CVE-2020-12400 RESERVED CVE-2020-12399 [Force a fixed length for DSA exponentiation] RESERVED - - nss (bug #961752) + - nss 2:3.53-1 (bug #961752) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1631576 (non-public) NOTE: Fixed by: https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e CVE-2020-12398 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61a19e0c8be63cd698f76a8707014de957b671f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61a19e0c8be63cd698f76a8707014de957b671f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits