[Git][security-tracker-team/security-tracker][master] Add tracking bug for perl issues fixed in 5.30.3-1

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4cf7075f by Salvatore Bonaccorso at 2020-06-02T06:38:49+02:00
Add tracking bug for perl issues fixed in 5.30.3-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2322,7 +2322,7 @@ CVE-2020-12724
RESERVED
 CVE-2020-12723 [Buffer overflow caused by a crafted regular expression]
RESERVED
-   - perl 5.30.3-1
+   - perl 5.30.3-1 (bug #962005)
[buster] - perl  (Minor issue)
[stretch] - perl  (Minor issue)
NOTE: 
https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a 
(v5.30.3)
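Review bot: all three perl entries in this commit now cite the same Debian bug #962005, so that bug report has to cover CVE-2020-12723, CVE-2020-10878 and CVE-2020-10543 together; if it was filed for only one of them, the other two entries need their own bug references. The [buster] and [stretch] lines are untouched and still say only "(Minor issue)", so the stable releases remain no-dsa with no fixed version recorded.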
@@ -8088,7 +8088,7 @@ CVE-2020-10879 (rConfig before 3.9.5 allows command 
injection by sending a craft
NOT-FOR-US: rConfig
 CVE-2020-10878 [Integer overflow via malformed bytecode produced by a crafted 
regular expression]
RESERVED
-   - perl 5.30.3-1
+   - perl 5.30.3-1 (bug #962005)
[buster] - perl  (Minor issue)
[stretch] - perl  (Minor issue)
NOTE: 
https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8 
(v5.30.3)
@@ -9233,7 +9233,7 @@ CVE-2009-5159 (Invision Power Board (aka IPB or IP.Board) 
2.x through 3.0.4, whe
NOT-FOR-US: Invision Power Board
 CVE-2020-10543 [Buffer overflow caused by a crafted regular expression]
RESERVED
-   - perl 5.30.3-1
+   - perl 5.30.3-1 (bug #962005)
[buster] - perl  (Minor issue)
[stretch] - perl  (Minor issue)
NOTE: 
https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed 
(v5.30.3)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cf7075fc64bd7729a09b1cc8ad2d42c67ae02bc

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cf7075fc64bd7729a09b1cc8ad2d42c67ae02bc
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] dla: reclaim libmatio

2020-06-01 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e3ffa04 by Adrian Bunk at 2020-06-02T07:29:42+03:00
dla: reclaim libmatio

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -56,7 +56,7 @@ imagemagick (Markus Koschany)
 libdatetime-timezone-perl
   NOTE: 20200514: LTS update must wait on oldstable update first to prevent 
newer version in LTS (roberto)
 --
-libmatio
+libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at 
them.
   NOTE: triage work needed, help security team for fixes if needed.
   NOTE: 20190428: most patches can be applied after context adaption



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e3ffa04718ffe2b86fbd95cb6dd4e15e21c6e61


[Git][security-tracker-team/security-tracker][master] perl: CVE-2020-12723, CVE-2020-10878 and CVE-2020-10543 fixed in unstable

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c3554cc by Salvatore Bonaccorso at 2020-06-02T06:16:09+02:00
perl: CVE-2020-12723, CVE-2020-10878 and CVE-2020-10543 fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2322,7 +2322,7 @@ CVE-2020-12724
RESERVED
 CVE-2020-12723 [Buffer overflow caused by a crafted regular expression]
RESERVED
-   - perl 
+   - perl 5.30.3-1
[buster] - perl  (Minor issue)
[stretch] - perl  (Minor issue)
NOTE: 
https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a 
(v5.30.3)
@@ -8088,7 +8088,7 @@ CVE-2020-10879 (rConfig before 3.9.5 allows command 
injection by sending a craft
NOT-FOR-US: rConfig
 CVE-2020-10878 [Integer overflow via malformed bytecode produced by a crafted 
regular expression]
RESERVED
-   - perl 
+   - perl 5.30.3-1
[buster] - perl  (Minor issue)
[stretch] - perl  (Minor issue)
NOTE: 
https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8 
(v5.30.3)
@@ -9233,7 +9233,7 @@ CVE-2009-5159 (Invision Power Board (aka IPB or IP.Board) 
2.x through 3.0.4, whe
NOT-FOR-US: Invision Power Board
 CVE-2020-10543 [Buffer overflow caused by a crafted regular expression]
RESERVED
-   - perl 
+   - perl 5.30.3-1
[buster] - perl  (Minor issue)
[stretch] - perl  (Minor issue)
NOTE: 
https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed 
(v5.30.3)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c3554cc070e97faaf5eb1a3a2d11cb571da5762


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-10737/oddjob via unstable

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c08b4406 by Salvatore Bonaccorso at 2020-06-02T06:13:31+02:00
Track fixed version for CVE-2020-10737/oddjob via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8624,7 +8624,7 @@ CVE-2020-10739
 CVE-2020-10738 (A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 
before 3.7.6 ...)
- moodle 
 CVE-2020-10737 (A race condition was found in the mkhomedir tool shipped with 
the oddj ...)
-   - oddjob  (bug #960089)
+   - oddjob 0.34.6-1 (bug #960089)
[buster] - oddjob  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833042
NOTE: 
https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac
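Review bot: the unstable line now carries the fixed version 0.34.6-1 and [buster] keeps "(Minor issue)", but there is no [stretch] line at all; if oddjob ships in stretch, its status is derived from the unstable fixed version and will show as vulnerable there until a stretch tag or fixed version is added. The two NOTE references (the Red Hat bugzilla entry and the pagure commit) already identify the upstream fix, so a stretch triage line is the only thing missing from this hunk.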



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c08b4406787324d58899afad38c1910719e87969


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12740

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6e86210 by Salvatore Bonaccorso at 2020-06-02T06:11:36+02:00
Update notes for CVE-2020-12740

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2284,6 +2284,8 @@ CVE-2020-12740 (tcprewrite in Tcpreplay through 4.3.2 has 
a heap-based buffer ov
- tcpreplay  (unimportant)
[jessie] - tcpreplay  (Vulnerable code added later)
NOTE: https://github.com/appneta/tcpreplay/issues/576
+   NOTE: https://github.com/appneta/tcpreplay/pull/590
+   NOTE: Fixed with: https://github.com/appneta/tcpreplay/issues/578
NOTE: --fuzz-seed in PoC not present until version 4.2.0
NOTE: Crash in CLI tool, no security impact
 CVE-2020-12739
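Review bot: the second added line says "Fixed with:" but points at an issue (issues/578), while the line above it references the pull request (pull/590); the "Fixed with" reference should be the commit or pull request that actually carries the fix, with the issue kept as a plain NOTE, and the first fixed upstream version could be recorded next to it. The existing "Crash in CLI tool, no security impact" note is consistent with the "(unimportant)" tag, so that part needs no change.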



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6e8621066c481aa5091bee088bc4724e749394a


[Git][security-tracker-team/security-tracker][master] Remove note from CVE-2019-9374

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3daf6227 by Salvatore Bonaccorso at 2020-06-02T06:06:53+02:00
Remove note from CVE-2019-9374

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -66290,7 +66290,6 @@ CVE-2019-9375 (In hostapd, there is a possible out of 
bounds write due to a race
NOT-FOR-US: Android
 CVE-2019-9374
REJECTED
-   NOT-FOR-US: Android
 CVE-2019-9373 (In JobStore, there is a mismatched 
serialization/deserialization for t ...)
NOT-FOR-US: Android
 CVE-2019-9372 (In libskia, there is a possible crash due to a missing null 
check. Thi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3daf62273c6bbfd463acefe8e05a02616c478bf0


[Git][security-tracker-team/security-tracker][master] automatic update

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a10e9c42 by security tracker role at 2020-06-01T20:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,115 @@
+CVE-2020-13758 
(modules/security/classes/general.post_filter.php/post_filter.php in th ...)
+   TODO: check
+CVE-2020-13757 (Python-RSA 4.0 ignores leading '\0' bytes during decryption of 
ciphert ...)
+   TODO: check
+CVE-2020-13756
+   RESERVED
+CVE-2020-13755
+   RESERVED
+CVE-2020-13753
+   RESERVED
+CVE-2020-13752
+   RESERVED
+CVE-2020-13751
+   RESERVED
+CVE-2020-13750
+   RESERVED
+CVE-2020-13749
+   RESERVED
+CVE-2020-13748
+   RESERVED
+CVE-2020-13747
+   RESERVED
+CVE-2020-13746
+   RESERVED
+CVE-2020-13745
+   RESERVED
+CVE-2020-13744
+   RESERVED
+CVE-2020-13743
+   RESERVED
+CVE-2020-13742
+   RESERVED
+CVE-2020-13741
+   RESERVED
+CVE-2020-13740
+   RESERVED
+CVE-2020-13739
+   RESERVED
+CVE-2020-13738
+   RESERVED
+CVE-2020-13737
+   RESERVED
+CVE-2020-13736
+   RESERVED
+CVE-2020-13735
+   RESERVED
+CVE-2020-13734
+   RESERVED
+CVE-2020-13733
+   RESERVED
+CVE-2020-13732
+   RESERVED
+CVE-2020-13731
+   RESERVED
+CVE-2020-13730
+   RESERVED
+CVE-2020-13729
+   RESERVED
+CVE-2020-13728
+   RESERVED
+CVE-2020-13727
+   RESERVED
+CVE-2020-13726
+   RESERVED
+CVE-2020-13725
+   RESERVED
+CVE-2020-13724
+   RESERVED
+CVE-2020-13723
+   RESERVED
+CVE-2020-13722
+   RESERVED
+CVE-2020-13721
+   RESERVED
+CVE-2020-13720
+   RESERVED
+CVE-2020-13719
+   RESERVED
+CVE-2020-13718
+   RESERVED
+CVE-2020-13717
+   RESERVED
+CVE-2020-13716
+   RESERVED
+CVE-2020-13715
+   RESERVED
+CVE-2020-13714
+   RESERVED
+CVE-2020-13713
+   RESERVED
+CVE-2020-13712
+   RESERVED
+CVE-2020-13711
+   RESERVED
+CVE-2020-13710
+   RESERVED
+CVE-2020-13709
+   RESERVED
+CVE-2020-13708
+   RESERVED
+CVE-2020-13707
+   RESERVED
+CVE-2020-13706
+   RESERVED
+CVE-2020-13705
+   RESERVED
+CVE-2020-13704
+   RESERVED
+CVE-2020-13703
+   RESERVED
+CVE-2019-20809
+   RESERVED
 CVE-2020-13754 [msix: OOB access during mmio operations may lead to DoS]
RESERVED
- qemu 
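Review bot: only two of the imported entries carry descriptions and need a triage pass: CVE-2020-13758 (a post_filter.php under modules/security/, which from the path is some PHP web application) and CVE-2020-13757 (Python-RSA 4.0 ignoring leading '\0' bytes during decryption); every other new id is a RESERVED placeholder. CVE-2019-20809 lands at the very top among the CVE-2020-137xx block instead of beside the other 2019 ids, which is where the automatic import places newly published ids, so it should not be moved by hand.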
@@ -16,10 +128,10 @@ CVE-2020-13697
RESERVED
 CVE-2020-13696
RESERVED
-CVE-2020-13695
-   RESERVED
-CVE-2020-13694
-   RESERVED
+CVE-2020-13695 (In QuickBox Community Edition through 2.5.5 and Pro Edition 
through 2. ...)
+   TODO: check
+CVE-2020-13694 (In QuickBox Community Edition through 2.5.5 and Pro Edition 
through 2. ...)
+   TODO: check
 CVE-2020-13693 (An unauthenticated privilege-escalation issue exists in the 
bbPress pl ...)
NOT-FOR-US: bbPress plugin for WordPress
 CVE-2020-13692
@@ -542,8 +654,8 @@ CVE-2020-13450
RESERVED
 CVE-2020-13449
RESERVED
-CVE-2020-13448
-   RESERVED
+CVE-2020-13448 (QuickBox Community Edition through 2.5.5 and Pro Edition 
through 2.1.8 ...)
+   TODO: check
 CVE-2020-13447
RESERVED
 CVE-2020-13446
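Review bot: CVE-2020-13448 here and CVE-2020-13695/CVE-2020-13694 in the previous hunk all describe QuickBox Community Edition through 2.5.5 and Pro Edition, so they should be triaged as one group and given the same outcome (for example NOT-FOR-US if QuickBox is not packaged) rather than three separate "TODO: check" passes.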
@@ -749,8 +861,8 @@ CVE-2019-20806 (An issue was discovered in the Linux kernel 
before 5.2. There is
[buster] - linux 4.19.118-1
[jessie] - linux  (Vulnerable code introduced later)
NOTE: 
https://git.kernel.org/linus/2e7682ebfc750177a4944eeb56e97a3f05734528
-CVE-2019-20805
-   RESERVED
+CVE-2019-20805 (p_lx_elf.cpp in UPX before 3.96 has an integer overflow during 
unpacki ...)
+   TODO: check
 CVE-2019-20804 (Gila CMS before 1.11.6 allows CSRF with resultant XSS via the 
admin/th ...)
NOT-FOR-US: Gila CMS
 CVE-2019-20803 (Gila CMS before 1.11.6 has reflected XSS via the 
admin/content/postcat ...)
@@ -1803,8 +1915,7 @@ CVE-2020-12869
RESERVED
 CVE-2020-12868
RESERVED
-CVE-2020-12867
-   RESERVED
+CVE-2020-12867 (A NULL pointer dereference in sanei_epson_net_read in SANE 
Backends th ...)
{DLA-2231-1}
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
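Review bot: this hunk only replaces the RESERVED placeholder with the published description; the entry already carries {DLA-2231-1}, the [experimental] fixed version 1.0.30-1~experimental1 and bug #961302, so there is nothing new to triage, but the unstable line "- sane-backends  (bug #961302)" still has no fixed version and should be updated when the fix reaches unstable.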
@@ -3785,8 +3896,8 @@ CVE-2020-12063 (** DISPUTED ** A certain Postfix 2.10.1-7 
package could allow an
NOTE: https://www.openwall.com/lists/oss-security/2020/04/23/3
NOTE: https://www.openwall.com/lists/oss-security/2020/04/23/12
NOTE: Not considered a Postfix vulnerability and scope is outside of 
the design goals
-CVE-2020-12062
-   RESERVED
+CVE-2020-12062 (** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends 
duplica ...)
+   TODO: check
 CVE-2020-12061
RESERVED
 CVE-2020-12060
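Review bot: CVE-2020-12062 is marked "** DISPUTED **" like CVE-2020-12063 directly above it, and that entry records the reasoning for its status in NOTE lines (the openwall references and "Not considered a Postfix vulnerability"); when the "TODO: check" for the scp issue is resolved, the same pattern of citing the source of the dispute in a NOTE should be followed so the status is auditable from the file alone.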
@@ -7285,6 +7396,7 @@ CVE-2020-11080
 CVE-2020-11079 (node-dns-sync (npm module dns-sync) through 0.2.0 allows 
execution of  ...)
TODO: check
 CVE-2020-11078 (In httplib2 before ve

[Git][security-tracker-team/security-tracker][master] Sync CVE-2020-10732 with kernel-sec triage

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
59bbff89 by Salvatore Bonaccorso at 2020-06-01T21:44:31+02:00
Sync CVE-2020-10732 with kernel-sec triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8533,6 +8533,7 @@ CVE-2020-10733
 CVE-2020-10732 [uninitialized kernel data leak in userspace coredumps]
RESERVED
- linux 
+   [jessie] - linux  (Does not affect supported architectures)
NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/1
NOTE: 
https://git.kernel.org/linus/1d605416fb7175e1adf094251466caa52093b413
 CVE-2020-10731
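Review bot: the added "[jessie] - linux  (Does not affect supported architectures)" line settles jessie only; the unstable line "- linux " still has no fixed version even though upstream commit 1d605416... is referenced, and buster/stretch have no lines of their own, so they keep deriving their status from unstable. If the fix is queued for the stable kernels via point release, recording that on [buster]/[stretch] lines would complete the triage in one place.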



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59bbff89ff78344b362154389a293981209fc272


[Git][security-tracker-team/security-tracker][master] Add three new perl issues

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da3760e4 by Salvatore Bonaccorso at 2020-06-01T21:41:19+02:00
Add three new perl issues

All are intrusive and minor and after the unstable upload an update via
point releases might be considered.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2207,8 +2207,12 @@ CVE-2020-12725
RESERVED
 CVE-2020-12724
RESERVED
-CVE-2020-12723
+CVE-2020-12723 [Buffer overflow caused by a crafted regular expression]
RESERVED
+   - perl 
+   [buster] - perl  (Minor issue)
+   [stretch] - perl  (Minor issue)
+   NOTE: 
https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a 
(v5.30.3)
 CVE-2020-12722
RESERVED
 CVE-2020-12721
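Review bot: the [buster] and [stretch] lines say only "(Minor issue)", while the commit message states that an update via point releases might be considered after the unstable upload; the file already has a wording for exactly that case, used later on this page for ruby-rails-html-sanitizer: "(Minor issue; can be fixed via point release)". Using it here would record the plan in the tracker rather than only in git history. The unstable line "- perl " has no fixed version yet, which matches the message saying the upload is still pending.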
@@ -7968,8 +7972,13 @@ CVE-2020-10880
RESERVED
 CVE-2020-10879 (rConfig before 3.9.5 allows command injection by sending a 
crafted GET ...)
NOT-FOR-US: rConfig
-CVE-2020-10878
+CVE-2020-10878 [Integer overflow via malformed bytecode produced by a crafted 
regular expression]
RESERVED
+   - perl 
+   [buster] - perl  (Minor issue)
+   [stretch] - perl  (Minor issue)
+   NOTE: 
https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8 
(v5.30.3)
+   NOTE: 
https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c 
(v5.30.3)
 CVE-2020-10877
RESERVED
 CVE-2020-10876 (The OKLOK (3.1.1) mobile companion app for Fingerprint 
Bluetooth Padlo ...)
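Review bot: CVE-2020-10878 lists two upstream commits (0a320d75... and 3295b48d..., both tagged v5.30.3) whereas the other two perl entries list one; if the second is a follow-up to the first, saying so in the NOTE (for example "(follow-up)") tells whoever backports the patches for buster/stretch that both are required.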
@@ -9107,8 +9116,12 @@ CVE-2020-10544 (An XSS issue was discovered in 
tooltip/tooltip.js in PrimeTek Pr
NOT-FOR-US: PrimeTek PrimeFaces
 CVE-2009-5159 (Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, 
when Int ...)
NOT-FOR-US: Invision Power Board
-CVE-2020-10543
+CVE-2020-10543 [Buffer overflow caused by a crafted regular expression]
RESERVED
+   - perl 
+   [buster] - perl  (Minor issue)
+   [stretch] - perl  (Minor issue)
+   NOTE: 
https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed 
(v5.30.3)
 CVE-2020-10542
RESERVED
 CVE-2020-10541 (Zoho ManageEngine OpManager before 12.4.179 allows remote code 
executi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da3760e403b2e4b47fb58de63b76998ebd904b1a


[Git][security-tracker-team/security-tracker][master] CVE-2020-861{6,7}/bind9 fixed in unstable

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f4398a9 by Salvatore Bonaccorso at 2020-06-01T21:10:37+02:00
CVE-2020-861{6,7}/bind9 fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13524,12 +13524,12 @@ CVE-2020-8618
RESERVED
 CVE-2020-8617 (Using a specially-crafted message, an attacker may potentially 
cause a ...)
{DSA-4689-1 DLA-2227-1}
-   - bind9  (bug #961939)
+   - bind9 1:9.16.3-1 (bug #961939)
NOTE: https://kb.isc.org/docs/cve-2020-8617
NOTE: 
https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information
 CVE-2020-8616 (A malicious actor who intentionally exploits this lack of 
effective li ...)
{DSA-4689-1 DLA-2227-1}
-   - bind9  (bug #961939)
+   - bind9 1:9.16.3-1 (bug #961939)
NOTE: https://kb.isc.org/docs/cve-2020-8616
 CVE-2020-8615 (A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for 
WordPres ...)
NOT-FOR-US: Tutor LMS plugin for WordPress
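Review bot: the fixed version is written with its epoch, "1:9.16.3-1", which is what the tracker needs to compare correctly against the bind9 packages in the stable releases; both CVE-2020-8616 and CVE-2020-8617 are updated identically and keep their {DSA-4689-1 DLA-2227-1} references, so the stable side is already covered by the advisories.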



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f4398a9b32393949d36d0320d25f81869dc5ed1


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13659/qemu

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f644fde6 by Salvatore Bonaccorso at 2020-06-01T21:06:14+02:00
Add CVE-2020-13659/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -86,8 +86,11 @@ CVE-2020-13661
RESERVED
 CVE-2020-13660 (CMS Made Simple through 2.2.14 allows XSS via a crafted File 
Picker pr ...)
NOT-FOR-US: CMS Made Simple
-CVE-2020-13659
+CVE-2020-13659 [exec: address_space_map returns NULL without setting length to 
zero may lead to DoS]
RESERVED
+   - qemu 
+   NOTE: https://bugs.launchpad.net/qemu/+bug/1878259
+   NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html
 CVE-2020-13658
RESERVED
 CVE-2020-13657
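Review bot: the new entry has a description, a launchpad bug and a qemu-devel thread, but the unstable line "- qemu " carries neither a fixed version nor a severity tag, and there are no [buster]/[stretch] lines; once the patch from the referenced qemu-devel thread is merged, the upstream commit should be added as a NOTE and the stable releases given a tag. The other qemu entry on this page, CVE-2020-13754, is in the same incomplete state and could be completed in the same pass.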



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f644fde6de40ab8bdf50c5ce9eeed77dbc5383b6


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13754/qemu

2020-06-01 Thread László Böszörményi


László Böszörményi pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12131d07 by Laszlo Boszormenyi (GCS) at 2020-06-01T20:56:42+02:00
Add CVE-2020-13754/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2020-13754 [msix: OOB access during mmio operations may lead to DoS]
+   RESERVED
+   - qemu 
+   NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg4.html
 CVE-2020-13702
RESERVED
 CVE-2020-13701
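Review bot: the NOTE URL ends in msg4.html, whereas the other lists.gnu.org qemu-devel reference on this page uses the five-digit form msg07313.html; verify that the link resolves and correct it (for example to the zero-padded message number) if it does not. As with CVE-2020-13659, the unstable line "- qemu " has no fixed version or tag yet.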



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12131d07b14b253fc557560cf66cc0d1e27fe31b


[Git][security-tracker-team/security-tracker][master] Reclaim imagemagick in dla-needed.txt

2020-06-01 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ba1c4b3 by Markus Koschany at 2020-06-01T16:13:21+02:00
Reclaim imagemagick in dla-needed.txt

That will take a few more days to complete.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -51,7 +51,7 @@ graphicsmagick (Roberto C. Sánchez)
   NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 
(sunweaver)
   NOTE: 20200529: still no upstream patch available, yet, for CVE-2020-12672 
(roberto)
 --
-imagemagick
+imagemagick (Markus Koschany)
 --
 libdatetime-timezone-perl
   NOTE: 20200514: LTS update must wait on oldstable update first to prevent 
newer version in LTS (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba1c4b3b41a2fb82db51af251535740a1c45972


[Git][security-tracker-team/security-tracker][master] Claim cups

2020-06-01 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb3bd8a7 by Utkarsh Gupta at 2020-06-01T19:42:21+05:30
Claim cups

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,7 +38,7 @@ condor
   NOTE: 20200525: Fix: 
https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
   NOTE: 20200531: Patches are linked from 
https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
 --
-cups
+cups (Utkarsh Gupta)
   NOTE: 20200514: Two open  issues. Added on request from Anton 
Gladky. (sunweaver)
 --
 drupal7



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb3bd8a7be4890117f9a6107c62759f6158b1232


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2020-06-01 Thread Holger Levsen


Holger Levsen pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f20e8b38 by Holger Levsen at 2020-06-01T14:04:12+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Holger Levsen 

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,7 +38,7 @@ condor
   NOTE: 20200525: Fix: 
https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
   NOTE: 20200531: Patches are linked from 
https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
 --
-cups (Anton Gladky)
+cups
   NOTE: 20200514: Two open  issues. Added on request from Anton 
Gladky. (sunweaver)
 --
 drupal7
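Review bot: the unclaim leaves no trace in the file itself; the remaining NOTE lines are dated entries by other people (here 20200514 by sunweaver), so a later reader cannot tell when or why the claimant was removed. A dated line such as "NOTE: 20200601: unclaimed after 2 weeks of inactivity" on each unclaimed package would follow the convention the other NOTE lines already use and make the semi-automatic step auditable.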
@@ -51,12 +51,12 @@ graphicsmagick (Roberto C. Sánchez)
   NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 
(sunweaver)
   NOTE: 20200529: still no upstream patch available, yet, for CVE-2020-12672 
(roberto)
 --
-imagemagick (Markus Koschany)
+imagemagick
 --
 libdatetime-timezone-perl
   NOTE: 20200514: LTS update must wait on oldstable update first to prevent 
newer version in LTS (roberto)
 --
-libmatio (Adrian Bunk)
+libmatio
   NOTE: fairly high number of open issues. Not sure why we never had a look at 
them.
   NOTE: triage work needed, help security team for fixes if needed.
   NOTE: 20190428: most patches can be applied after context adaption
@@ -81,7 +81,7 @@ mumble
 netqmail (Utkarsh Gupta)
   NOTE: 20200531: Work ongoing. Probably should backport the version. (utkarsh)
 --
-nginx (Mike Gabriel)
+nginx
   NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, 
alas, no tests. (lamby)
 --
 nss (Adrian Bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f20e8b38e6a923f64ab5c7e3858aae0c9ad4b8c4


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-10754 as unimportant

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4be89666 by Salvatore Bonaccorso at 2020-06-01T10:55:33+02:00
Mark CVE-2020-10754 as unimportant

The issue is present source-wise but it effectively only affects builds
with the ifcfg-rh settings plugin enabled. This is (and cannot be) for
Debian builds.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8446,9 +8446,12 @@ CVE-2020-10755
RESERVED
 CVE-2020-10754 [user configuration not honoured leaving the connection 
unauthenticated via insecure defaults]
RESERVED
-   - network-manager 
+   - network-manager  (unimportant)
NOTE: 
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448
NOTE: 
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/8affcc19b61fc3c516474ba075e61b82030feeb4
+   NOTE: Only affects builds enabling ifcfg-rh settings plugin, 
source-wise only
+   NOTE: affected but not the Debian binary builds (and is RedHat/Fedora 
specific
+   NOTE: plugin).
 CVE-2020-10753
RESERVED
 CVE-2020-10752
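Review bot: the rationale is one sentence split across three NOTE lines, breaking mid-phrase after "RedHat/Fedora specific" and resuming with "plugin)." on the next; NOTE lines in this file are otherwise self-contained statements, so one line per statement (the plugin is only enabled in Red Hat/Fedora builds; Debian binary builds do not enable it) would read better and grep cleanly. The "(unimportant)" tag on the unstable line is consistent with that rationale and, with no [buster]/[stretch] lines, carries over to the stable releases.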



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4be896667b2205e3e5b3f97ed3d6928cbbce3a24


[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2018-3741/ruby-rails-html-sanitizer as no-dsa

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8d266c5f by Salvatore Bonaccorso at 2020-06-01T10:45:09+02:00
Mark CVE-2018-3741/ruby-rails-html-sanitizer as no-dsa

- - - - -
9168297a by Salvatore Bonaccorso at 2020-06-01T10:46:07+02:00
Mark CVE-2018-1687{7,8}/pacemaker as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -98650,12 +98650,14 @@ CVE-2018-16879 (Ansible Tower before version 3.3.3 
does not set a secure channel
NOT-FOR-US: Ansible Tower
 CVE-2018-16878 (A flaw was found in pacemaker up to and including version 
2.0.1. An in ...)
- pacemaker 2.0.1-3 (bug #927714)
+   [stretch] - pacemaker  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1)
NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html
 CVE-2018-16877 (A flaw was found in the way pacemaker's client-server 
authentication w ...)
- pacemaker 2.0.1-3 (bug #927714)
+   [stretch] - pacemaker  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1)
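Review bot: both pacemaker entries get "[stretch] - pacemaker  (Minor issue)" with no indication of whether a point-release fix is planned, while the rails-html-sanitizer entry in the next hunk uses "(Minor issue; can be fixed via point release)"; if the stretch pacemaker update is meant to go the same route, the same wording keeps the two commits consistent. The NOTE lines already point to the master and 1.1 pull requests, so the backport source is documented.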
@@ -135076,6 +135078,7 @@ CVE-2018-3742
REJECTED
 CVE-2018-3741 (There is a possible XSS vulnerability in all 
rails-html-sanitizer gem  ...)
- ruby-rails-html-sanitizer 1.0.4-1 (bug #893994)
+   [stretch] - ruby-rails-html-sanitizer  (Minor issue; can be 
fixed via point release)
NOTE: 
https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae
 CVE-2018-3740 (A specially crafted HTML fragment can cause Sanitize gem for 
Ruby to a ...)
{DSA-4358-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/03cbd54692f5b96204c490562e7869a6810ffca1...9168297aaf874ae06580779946e34db20a4d08f7


[Git][security-tracker-team/security-tracker][master] 2 commits: Reference upstream commit for CVE-2020-10732/linux

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c398c83 by Salvatore Bonaccorso at 2020-06-01T10:39:19+02:00
Reference upstream commit for CVE-2020-10732/linux

- - - - -
03cbd546 by Salvatore Bonaccorso at 2020-06-01T10:40:29+02:00
Merge remote-tracking branch 'origin/master'

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8515,6 +8515,7 @@ CVE-2020-10732 [uninitialized kernel data leak in 
userspace coredumps]
RESERVED
- linux 
NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/1
+   NOTE: 
https://git.kernel.org/linus/1d605416fb7175e1adf094251466caa52093b413
 CVE-2020-10731
RESERVED
 CVE-2020-10730
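
Review bot: the "- linux " line still carries no fixed version after this change, so adding the upstream commit as a NOTE documents the fix without closing the issue for any suite, which is the right split. It would help to append in parentheses the first upstream tag that contains 1d605416, the way the branch names "(master)" and "(1.1)" follow the pacemaker pull-request NOTEs earlier in this digest, so the next reader can tell at a glance which kernel uploads already carry it.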



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e511206c46796007d86639c661418cdd4250be44...03cbd54692f5b96204c490562e7869a6810ffca1


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2232-1 for python-httplib2

2020-06-01 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e511206c by Abhijith PA at 2020-06-01T14:09:35+05:30
Reserve DLA-2232-1 for python-httplib2

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[01 Jun 2020] DLA-2232-1 python-httplib2 - security update
+   {CVE-2020-11078}
+   [jessie] - python-httplib2 0.9+dfsg-2+deb8u1
 [31 May 2020] DLA-2231-1 sane-backends - security update
{CVE-2020-12867}
[jessie] - sane-backends 1.0.24-8+deb8u3
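
Review bot: numbering and ordering look consistent (2232-1 follows 2231-1, the newest entry is first, 01 Jun after 31 May). One check before the advisory goes out: the "{CVE-2020-11078}" reference on the second added line is what the automatic update uses to stamp "{DLA-2232-1}" onto the CVE entry in data/CVE/list (commit 3502a473 in this digest does exactly that for DLA-2231-1 and CVE-2020-12867), so a typo in the CVE id here would silently leave jessie shown as open for that CVE.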


=
data/dla-needed.txt
=
@@ -95,8 +95,6 @@ php5 (Thorsten Alteholz)
   NOTE: 20200511: still trying to determine how this CVE affects php
   NOTE: 20200524: new CVE arrived (thorsten)
 --
-python-httplib2 (Abhijith PA)
---
 qemu (Adrian Bunk)
   NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e511206c46796007d86639c661418cdd4250be44


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-11078 as no-dsa

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
30288d7f by Salvatore Bonaccorso at 2020-06-01T10:23:06+02:00
Mark CVE-2020-11078 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7275,6 +7275,8 @@ CVE-2020-11079 (node-dns-sync (npm module dns-sync) 
through 0.2.0 allows executi
TODO: check
 CVE-2020-11078 (In httplib2 before version 0.18.0, an attacker controlling 
unescaped p ...)
- python-httplib2 0.18.1-1
+   [buster] - python-httplib2  (Minor issue)
+   [stretch] - python-httplib2  (Minor issue)
NOTE: 
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
NOTE: 
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
 CVE-2020-11077 (In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could 
smuggle a re ...)
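
Review bot: both added lines, "[buster] - python-httplib2  (Minor issue)" and its stretch twin, show a double space where the "<no-dsa>" tag should sit between the package and the parenthesised reason; the commit message says no-dsa, so confirm the tag is in the committed file and was only dropped by the mail rendering. Apart from that check the entry is complete: the unstable fix is recorded as 0.18.1-1, the GHSA advisory and the upstream commit are linked, and jessie is covered by the DLA-2232-1 reservation pushed the same morning.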



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30288d7f5b205b401afcb72978e249a259b28773


[Git][security-tracker-team/security-tracker][master] Process several NFUs

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
59201973 by Salvatore Bonaccorso at 2020-06-01T10:16:59+02:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7285,7 +7285,7 @@ CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 
3.12.5, an attacker could smu
NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
NOTE: 
https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
 CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container 
image m ...)
-   TODO: check
+   NOT-FOR-US: Anchore Engine
 CVE-2020-11074
RESERVED
 CVE-2020-11073 (In Autoswitch Python Virtualenv before version 0.16.0, a user 
who ente ...)
@@ -7323,7 +7323,7 @@ CVE-2020-11060 (In GLPI before 9.4.6, an attacker can 
execute system commands by
NOTE: 
https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c
NOTE: Only supported behind an authenticated HTTP zone
 CVE-2020-11059 (In AEgir greater than or equal to 21.7.0 and less than 
21.10.1, aegir  ...)
-   TODO: check
+   NOT-FOR-US: AEgir
 CVE-2020-11058 (In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds 
seek in  ...)
- freerdp2 2.1.1+dfsg1-1
[buster] - freerdp2  (Minor issue)
@@ -15463,7 +15463,7 @@ CVE-2020-7814
 CVE-2020-7813 (Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 
and prio ...)
NOT-FOR-US: Kaoni
 CVE-2020-7812 (Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 
and prio ...)
-   TODO: check
+   NOT-FOR-US: Kaoni ezHTTPTrans
 CVE-2020-7811
RESERVED
 CVE-2020-7810
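
Review bot: the new line "NOT-FOR-US: Kaoni ezHTTPTrans" names the product differently from the unchanged line two entries above, "NOT-FOR-US: Kaoni" for CVE-2020-7813, although both descriptions concern the same Ezhttptrans.ocx control in Kaoni ezHTTPTrans 1.0.0.70; pick one form (the existing "Kaoni" is shorter) so a search on the NFU string finds both.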
@@ -24417,27 +24417,27 @@ CVE-2020-4025
 CVE-2020-4024
RESERVED
 CVE-2020-4023 (The review coverage resource in Atlassian Fisheye and Crucible 
before  ...)
-   TODO: check
+   NOT-FOR-US: Atlassian Fisheye and Crucible
 CVE-2020-4022
RESERVED
 CVE-2020-4021 (Affected versions are: Before 8.5.5, and from 8.6.0 before 
8.8.1 of At ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4020 (The file downloading functionality in the Atlassian Companion 
App befo ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4019 (The file editing functionality in the Atlassian Companion App 
before v ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4018 (The setup resources in Atlassian Fisheye and Crucible before 
version 4 ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4017 (The /rest/jira-ril/1.0/jira-rest/applinks resource in the 
crucible-jir ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4016 (The /plugins/servlet/jira-blockers/ resource in the 
crucible-jira-ril  ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4015 (The /json/fe/activeUserFinder.do resource in Altassian Fisheye 
and Cru ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4014 (The /profile/deleteWatch.do resource in Atlassian Fisheye and 
Crucible ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4013 (The review resource in Atlassian Fisheye and Crucible before 
version 4 ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-4012
RESERVED
 CVE-2020-4011
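
Review bot: the NFU strings are inconsistent within this hunk: CVE-2020-4023 gets "NOT-FOR-US: Atlassian Fisheye and Crucible", while CVE-2020-4018, -4017, -4016, -4015, -4014 and -4013, whose descriptions name the same products, get the bare "NOT-FOR-US: Atlassian", as do the two Companion App issues (-4020 and -4019). Either is accurate, but using the product name throughout would keep the Fisheye and Crucible entries greppable as a group. The "Altassian" spelling in the CVE-2020-4015 description is upstream text and should stay as it is.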



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5920197339774079929ea836f7c3d7edf1edc8a7


[Git][security-tracker-team/security-tracker][master] automatic update

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3502a473 by security tracker role at 2020-06-01T08:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1798,6 +1798,7 @@ CVE-2020-12868
RESERVED
 CVE-2020-12867
RESERVED
+   {DLA-2231-1}
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
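
Review bot: this automatic update stamps "{DLA-2231-1}" onto CVE-2020-12867, so jessie is now recorded as fixed while the "- sane-backends  (bug #961302)" line still shows no fixed version for unstable and only experimental has 1.0.30-1~experimental1. Nothing to change in the hunk, but the entry now has LTS ahead of unstable, which is what the open bug #961302 should resolve.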
@@ -14827,6 +14828,7 @@ CVE-2020-8037
 CVE-2020-8036
RESERVED
 CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition 
before ...)
+   {DLA-2230-1}
- php-horde 
[buster] - php-horde  (Minor issue; can be fixed via point 
release)
[stretch] - php-horde  (Minor issue; can be fixed via point 
release)
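
Review bot: with "{DLA-2230-1}" added, jessie becomes the only suite where CVE-2020-8035 is marked fixed: "- php-horde " carries no version, and buster and stretch are annotated "(Minor issue; can be fixed via point release)". The automatic update is correct as far as the data goes; the follow-up is on the php-horde side, since the point-release wording on the buster and stretch lines commits to a fix that is not yet recorded anywhere in the entry.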
@@ -24414,28 +24416,28 @@ CVE-2020-4025
RESERVED
 CVE-2020-4024
RESERVED
-CVE-2020-4023
-   RESERVED
+CVE-2020-4023 (The review coverage resource in Atlassian Fisheye and Crucible 
before  ...)
+   TODO: check
 CVE-2020-4022
RESERVED
-CVE-2020-4021
-   RESERVED
-CVE-2020-4020
-   RESERVED
-CVE-2020-4019
-   RESERVED
-CVE-2020-4018
-   RESERVED
-CVE-2020-4017
-   RESERVED
-CVE-2020-4016
-   RESERVED
-CVE-2020-4015
-   RESERVED
-CVE-2020-4014
-   RESERVED
-CVE-2020-4013
-   RESERVED
+CVE-2020-4021 (Affected versions are: Before 8.5.5, and from 8.6.0 before 
8.8.1 of At ...)
+   TODO: check
+CVE-2020-4020 (The file downloading functionality in the Atlassian Companion 
App befo ...)
+   TODO: check
+CVE-2020-4019 (The file editing functionality in the Atlassian Companion App 
before v ...)
+   TODO: check
+CVE-2020-4018 (The setup resources in Atlassian Fisheye and Crucible before 
version 4 ...)
+   TODO: check
+CVE-2020-4017 (The /rest/jira-ril/1.0/jira-rest/applinks resource in the 
crucible-jir ...)
+   TODO: check
+CVE-2020-4016 (The /plugins/servlet/jira-blockers/ resource in the 
crucible-jira-ril  ...)
+   TODO: check
+CVE-2020-4015 (The /json/fe/activeUserFinder.do resource in Altassian Fisheye 
and Cru ...)
+   TODO: check
+CVE-2020-4014 (The /profile/deleteWatch.do resource in Atlassian Fisheye and 
Crucible ...)
+   TODO: check
+CVE-2020-4013 (The review resource in Atlassian Fisheye and Crucible before 
version 4 ...)
+   TODO: check
 CVE-2020-4012
RESERVED
 CVE-2020-4011
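
Review bot: the hunk replaces ten "RESERVED" placeholders (CVE-2020-4023 and CVE-2020-4021 through CVE-2020-4013) with the published descriptions and a "TODO: check" each; that is the expected output of the automatic update, and these ten are the same Atlassian entries that commit 59201973 ("Process several NFUs", earlier in this digest) then resolves to "NOT-FOR-US". Nothing to change here.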



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3502a4734d3323a632d901d0004c7a5d53bcd959


[Git][security-tracker-team/security-tracker][master] Map specific GHSL issues for sane-backends directly to assigned CVEs

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f12e361 by Salvatore Bonaccorso at 2020-06-01T09:27:25+02:00
Map specific GHSL issues for sane-backends directly to assigned CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1801,6 +1801,7 @@ CVE-2020-12867
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
+   NOTE: 
https://gitlab.com/sane-project/backends/-/issues/279#issue-1-ghsl-2020-075-null-pointer-dereference-in-sanei_epson_net_read
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12866
RESERVED
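
Review bot: the anchor added for CVE-2020-12867 points at GHSL-2020-075, a NULL pointer dereference in sanei_epson_net_read, i.e. the epson backend rather than epsonds; that fits this being the one entry without the "[jessie] - sane-backends  (epsonds backend was added in 1.0.25)" line the other six carry, so jessie stays exposed for this CVE and DLA-2231-1 is its fix. The per-issue anchor is a clear improvement over the bare issue URL kept on the line above, which covers all seven CVEs at once.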
@@ -1808,6 +1809,7 @@ CVE-2020-12866
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
+   NOTE: 
https://gitlab.com/sane-project/backends/-/issues/279#issue-2-ghsl-2020-079-null-pointer-dereference-in-epsonds_net_read
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12865
RESERVED
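
Review bot: three of the seven anchors in this commit end in "epsonds_net_read" (here GHSL-2020-079 for CVE-2020-12866; GHSL-2020-081 for CVE-2020-12864 and GHSL-2020-080 for CVE-2020-12861 below), distinguished only by bug class (NULL dereference, uninitialized read, heap buffer overflow), which is exactly why the generic issue URL alone was ambiguous. Keeping the full anchor text in the NOTE, as done here, is what lets each CVE be tied to its own fix; please keep that form rather than shortening the URLs later.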
@@ -1815,6 +1817,7 @@ CVE-2020-12865
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
+   NOTE: 
https://gitlab.com/sane-project/backends/-/issues/279#issue-9-ghsl-2020-084-buffer-overflow-in-esci2_img
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12864
RESERVED
@@ -1822,6 +1825,7 @@ CVE-2020-12864
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
+   NOTE: 
https://gitlab.com/sane-project/backends/-/issues/279#issue-4-ghsl-2020-081-reading-uninitialized-data-in-epsonds_net_read
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12863
RESERVED
@@ -1829,6 +1833,7 @@ CVE-2020-12863
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
+   NOTE: 
https://gitlab.com/sane-project/backends/-/issues/279#issue-7-ghsl-2020-083-out-of-bounds-read-in-esci2_check_header
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12862
RESERVED
@@ -1836,6 +1841,7 @@ CVE-2020-12862
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
+   NOTE: 
https://gitlab.com/sane-project/backends/-/issues/279#issue-5-ghsl-2020-082-out-of-bounds-read-in-decode_binary
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12861
RESERVED
@@ -1843,6 +1849,7 @@ CVE-2020-12861
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
+   NOTE: 
https://gitlab.com/sane-project/backends/-/issues/279#issue-3-ghsl-2020-080-heap-buffer-overflow-in-epsonds_net_read
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12860 (COVIDSafe through v1.0.17 allows a remote attacker to access 
phone nam ...)
NOT-FOR-US: COVIDSafe



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f12e3611ab7a319a611761f4a42c46df53b210d


[Git][security-tracker-team/security-tracker][master] Reference upstream issue for sane-backends

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab9470ff by Salvatore Bonaccorso at 2020-06-01T09:19:25+02:00
Reference upstream issue for sane-backends

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1800,42 +1800,49 @@ CVE-2020-12867
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
+   NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12866
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
+   NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12865
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
+   NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12864
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
+   NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12863
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
+   NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12862
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
+   NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12861
RESERVED
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends  (bug #961302)
[jessie] - sane-backends  (epsonds backend was added in 
1.0.25)
+   NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: 
https://alioth-lists.debian.net/pipermail/sane-announce/2020/41.html
 CVE-2020-12860 (COVIDSafe through v1.0.17 allows a remote attacker to access 
phone nam ...)
NOT-FOR-US: COVIDSafe
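
Review bot: the same URL https://gitlab.com/sane-project/backends/-/issues/279 is added to all seven CVE entries, which records the upstream source but not which GHSL sub-issue on that page belongs to which CVE; the per-issue anchors are what disambiguate them, and commit 3f12e361 in this digest adds those on top, so this hunk is fine as the first step. One point in the context lines: CVE-2020-12867 has no "[jessie]" line while the other six are excluded for jessie because the epsonds backend was added in 1.0.25; the anchor later added for 12867 names sanei_epson_net_read rather than an epsonds function, which explains the asymmetry, but a short NOTE saying so on the 12867 entry would spare the next reader the same question.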



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9470ffbb4f91cc2597b22a0c172a0665d3d9ac
