[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim sqlite3 and cacti again
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: a0e326db by Abhijith PA at 2020-06-16T10:13:22+05:30 data/dla-needed.txt: Claim sqlite3 and cacti again - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,8 +28,9 @@ apache2 NOTE: 20200604: wating to hear from CVE team for their decision. (utkarsh) NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh) -- -cacti +cacti (Abhijith PA) NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) + NOTE: 20200620: WIP (abhijith) -- condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) @@ -104,7 +105,8 @@ qemu (Adrian Bunk) -- rails (Sylvain Beucler) -- -sqlite3 +sqlite3 (Abhijith PA) + NOTE: 20200620: WIP (abhijith) -- squid3 NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for Jessie View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e326dba6dcf1ad52fa746c3301144524e200e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e326dba6dcf1ad52fa746c3301144524e200e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
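Review bot: the two added lines `NOTE: 20200620: WIP (abhijith)` (one under cacti, one under sqlite3) carry a date four days after the commit timestamp 2020-06-16T10:13:22+05:30; the other dated notes in this file (20200604, 20200529, 20200616) record the day the note was written, so this is most likely meant to be 20200616 and should be corrected before it skews the next inactivity check.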
[Git][security-tracker-team/security-tracker][master] CVE-2020-13428 fixed in vlc 3.0.11-1
Sebastian Ramacher pushed to branch master at Debian Security Tracker / security-tracker Commits: c4d55e5d by Sebastian Ramacher at 2020-06-15T23:31:09+02:00 CVE-2020-13428 fixed in vlc 3.0.11-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1774,7 +1774,7 @@ CVE-2020-13430 (Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datas CVE-2020-13429 (legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1. ...) NOT-FOR-US: piechart-panel plugin for Grafana CVE-2020-13428 (A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in mod ...) - - vlc + - vlc 3.0.11-1 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://github.com/videolan/vlc-3.0/releases/tag/3.0.11 NOTE: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=d5c43c21c747ff30ed19fcca745dea3481c733e0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4d55e5d70f547900bea19b85565744e6f2622c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4d55e5d70f547900bea19b85565744e6f2622c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add notes to dla-needed.txt about unbound
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 32016fc7 by Brian May at 2020-06-16T07:15:50+10:00 Add notes to dla-needed.txt about unbound - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,6 +125,9 @@ tzdata NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto) -- unbound + NOTE: 20200616: Package unsupported. + NOTE: 20200616: Not possible to update debian-security-support package in Jessie. + NOTE: 20200616: https://lists.debian.org/debian-lts/2020/06/msg00038.html -- wordpress (Utkarsh Gupta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32016fc7b6b2e864919bc98074d3b8b018a49ee5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32016fc7b6b2e864919bc98074d3b8b018a49ee5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
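Review bot: the three added NOTE lines record that unbound is unsupported in jessie, yet the entry stays in dla-needed.txt with no claimer and no pending action, so it will keep showing up as open work; if the linked thread (msg00038) concludes that no update will be made, remove the entry from the file, and if it is still open, the second line should say what blocks the debian-security-support update in jessie rather than just "Not possible".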
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-21246/caddy
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ee1fd74 by Salvatore Bonaccorso at 2020-06-15T22:47:53+02:00 Add CVE-2018-21246/caddy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -146,7 +146,7 @@ CVE-2019-20838 (libpcre in PCRE before 8.43 allows a subject buffer over-read in - pcre3 NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision=1740 (8.43) CVE-2018-21246 (Caddy before 0.10.13 mishandles TLS client authentication, as demonstr ...) - TODO: check + - caddy (bug #810890) CVE-2018-21245 (Pound before 2.8 allows HTTP request smuggling, a related issue to CVE ...) TODO: check CVE-2017-18869 (A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 co ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ee1fd745af7783e8109f9dfeea2f3eae8202548 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ee1fd745af7783e8109f9dfeea2f3eae8202548 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
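Review bot: the replacement line `- caddy (bug #810890)` records only a bug reference, with no fixed version and no NOTE pointing at the upstream advisory or fixing commit, while the pcre3 entry just above it carries a `NOTE: Fixed by:` line; add the upstream reference for the 0.10.13 fix so the status can be verified, and if the bug is a packaging bug for a package not yet in the archive, say so in a NOTE so the entry is not read as an unfixed archive package.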
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74f45cf5 by Salvatore Bonaccorso at 2020-06-15T22:46:34+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,13 +5,13 @@ CVE-2020-14161 CVE-2020-14160 RESERVED CVE-2020-14159 (By using an Automate API in ConnectWise Automate before 2020.5.178, a ...) - TODO: check + NOT-FOR-US: ConnectWise CVE-2020-14158 RESERVED CVE-2020-14157 RESERVED CVE-2020-14156 (user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid before 2020 ...) - TODO: check + NOT-FOR-US: OpenBMC CVE-2020-14155 (libpcre in PCRE before 8.44 allows an integer overflow via a large num ...) - pcre3 NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision=1761 (8.44) @@ -31,13 +31,13 @@ CVE-2020-14150 (GNU Bison before 3.5.4 allows attackers to cause a denial of ser - bison 2:3.6.1+dfsg-1 NOTE: https://lists.gnu.org/archive/html/info-gnu/2020-04/msg0.html CVE-2020-14149 (In uftpd before 2.12, handle_CWD in ftpcmd.c mishandled the path provi ...) - TODO: check + NOT-FOR-US: uftpd CVE-2020-14148 (The Server-Server protocol implementation in ngIRCd before 26~rc2 allo ...) TODO: check CVE-2020-14147 (An integer overflow in the getnum function in lua_struct.c in Redis be ...) TODO: check CVE-2020-14146 (KumbiaPHP through 1.1.1, in Development mode, allows XSS via the publi ...) - TODO: check + NOT-FOR-US: KumbiaPHP CVE-2020-14145 RESERVED CVE-2020-14144 
@@ -187,7 +187,7 @@ CVE-2020-14078 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-base CVE-2020-14077 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet CVE-2020-14076 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) - TODO: check + NOT-FOR-US: TRENDnet TEW-827DRU devices CVE-2020-14075 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) NOT-FOR-US: TRENDnet CVE-2020-14074 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74f45cf5f982df670637a76e0232b411a76997c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74f45cf5f982df670637a76e0232b411a76997c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
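Review bot: in the last hunk the new line `NOT-FOR-US: TRENDnet TEW-827DRU devices` differs from the neighbouring CVE-2020-14077 and CVE-2020-14075 entries, which use `NOT-FOR-US: TRENDnet`; use the same product string for the whole CVE-2020-1407x series so that a search of the list for the product finds all of them together.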
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14150/bison
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0050fa0 by Salvatore Bonaccorso at 2020-06-15T22:41:40+02:00 Add CVE-2020-14150/bison - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28,7 +28,8 @@ CVE-2020-14152 (In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jme CVE-2020-14151 (In IJG JPEG (aka libjpeg) before 9d, read_*_pixel() in rdtarga.c in cj ...) TODO: check CVE-2020-14150 (GNU Bison before 3.5.4 allows attackers to cause a denial of service ( ...) - TODO: check + - bison 2:3.6.1+dfsg-1 + NOTE: https://lists.gnu.org/archive/html/info-gnu/2020-04/msg0.html CVE-2020-14149 (In uftpd before 2.12, handle_CWD in ftpcmd.c mishandled the path provi ...) TODO: check CVE-2020-14148 (The Server-Server protocol implementation in ngIRCd before 26~rc2 allo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0050fa033546c70e549276ca365b6c4199def6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0050fa033546c70e549276ca365b6c4199def6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
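Review bot: the hunk records the fix `- bison 2:3.6.1+dfsg-1` for unstable but gives no [buster]/[stretch] assessment, although the description is a denial of service in a build-time tool and other entries in this series of commits carry `[buster] - ... (Minor issue)` lines; add the triage lines (or the fixed stable versions) so the entry does not remain half-triaged.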
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-20838/pcre3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a086c811 by Salvatore Bonaccorso at 2020-06-15T22:33:18+02:00 Add CVE-2019-20838/pcre3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -142,7 +142,8 @@ CVE-2020-14095 CVE-2020-14094 RESERVED CVE-2019-20838 (libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT w ...) - TODO: check + - pcre3 + NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision=1740 (8.43) CVE-2018-21246 (Caddy before 0.10.13 mishandles TLS client authentication, as demonstr ...) TODO: check CVE-2018-21245 (Pound before 2.8 allows HTTP request smuggling, a related issue to CVE ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a086c81166138455f01b5b841ce9a9fa9130c747 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a086c81166138455f01b5b841ce9a9fa9130c747 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
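Review bot: the hunk marks pcre3 as affected (`- pcre3`, no fixed version) and the NOTE names the fixing upstream revision r1740 (8.43), but there is no [buster]/[stretch] assessment and nothing says whether that revision applies cleanly to the pcre3 version Debian ships; the same gap exists in the CVE-2020-14155 entry added in commit 8672925c (r1761, 8.44). Add the triage lines or a NOTE on the backport status for both.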
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14155/pcre3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8672925c by Salvatore Bonaccorso at 2020-06-15T22:31:20+02:00 Add CVE-2020-14155/pcre3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,8 @@ CVE-2020-14157 CVE-2020-14156 (user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid before 2020 ...) TODO: check CVE-2020-14155 (libpcre in PCRE before 8.44 allows an integer overflow via a large num ...) - TODO: check + - pcre3 + NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision=1761 (8.44) CVE-2020-14154 (Mutt before 1.14.3 proceeds with a connection even if, in response to ...) - mutt NOTE: http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/22.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8672925c91bc99f0e6a810e91a0131068f083e97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8672925c91bc99f0e6a810e91a0131068f083e97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14154/mutt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6553d662 by Salvatore Bonaccorso at 2020-06-15T22:24:09+02:00 Add CVE-2020-14154/mutt This corresponds to the second issue from http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/22.html;. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,7 +15,11 @@ CVE-2020-14156 (user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid befor CVE-2020-14155 (libpcre in PCRE before 8.44 allows an integer overflow via a large num ...) TODO: check CVE-2020-14154 (Mutt before 1.14.3 proceeds with a connection even if, in response to ...) - TODO: check + - mutt + NOTE: http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/22.html + NOTE: https://github.com/muttmua/mutt/commit/bb0e6277a45a5d4c3a30d3b968eeb31d78124e95 + NOTE: https://github.com/muttmua/mutt/commit/5fccf603ebcf352ba783136d6b2d2600d811fb3b + NOTE: https://github.com/muttmua/mutt/commit/f64ec1deefb67d471a642004e102cd1c501a1db3 CVE-2020-14153 (In IJG JPEG (aka libjpeg) before 9d, jdhuff.c has an out-of-bounds arr ...) TODO: check CVE-2020-14152 (In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6553d662db16b819b2ef82fb5dd2f9e8f4517c73 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6553d662db16b819b2ef82fb5dd2f9e8f4517c73 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
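Review bot: the hunk lists `- mutt` with three upstream fixing commits but no fixed Debian version and no Debian bug reference, whereas the sibling CVE-2020-14093 entry (commit 7c0a8561) carries `(bug #962897)`; since the description says the issue is fixed upstream in 1.14.3, record the bug and the fixed version together and add a [buster]/[stretch] assessment so the two mutt entries are triaged consistently.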
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5384eab1 by Salvatore Bonaccorso at 2020-06-15T22:17:55+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24904,7 +24904,7 @@ CVE-2020-4496 CVE-2020-4495 RESERVED CVE-2020-4494 (IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4493 RESERVED CVE-2020-4492 @@ -24938,7 +24938,7 @@ CVE-2020-4479 CVE-2020-4478 RESERVED CVE-2020-4477 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 discloses highly sensi ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4476 RESERVED CVE-2020-4475 @@ -24950,11 +24950,11 @@ CVE-2020-4473 CVE-2020-4472 RESERVED CVE-2020-4471 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow an unauthe ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4470 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 Administrative Console ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4469 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4468 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4467 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) @@ -25080,7 +25080,7 @@ CVE-2020-4408 CVE-2020-4407 RESERVED CVE-2020-4406 (IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4405 RESERVED CVE-2020-4404 @@ -25460,7 +25460,7 @@ CVE-2020-4218 CVE-2020-4217 (The IBM Spectrum Scale 4.2 and 5.0 file system component is affected b ...) NOT-FOR-US: IBM CVE-2020-4216 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded cr ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4215 RESERVED CVE-2020-4214 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) 
@@ -33926,13 +33926,13 @@ CVE-2019-19114 CVE-2019-19113 (main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka Ne ...) NOT-FOR-US: newbee-mall CVE-2019-19112 (The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw- ...) - TODO: check + NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19111 (The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admi ...) - TODO: check + NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19110 (The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admi ...) - TODO: check + NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19109 (The wpForo plugin 1.6.5 for WordPress allows wp-admin/admin.php?page=w ...) - TODO: check + NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19108 (An authentication weakness in the SNMP service in BR Automation R ...) NOT-FOR-US: B Automation Runtime CVE-2019-19107 (The Configuration pages in ABB Telephone Gateway TG/S 3.2 and Busch-Ja ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5384eab1e6ad4f8e64435bf9f8fcca25269aad6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5384eab1e6ad4f8e64435bf9f8fcca25269aad6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bustre/stretch triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4856645b by Moritz Muehlenhoff at 2020-06-15T22:15:18+02:00 bustre/stretch triage new kfreebsd issue - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -780,7 +780,9 @@ CVE-2020-13819 CVE-2020-13818 (In Zoho ManageEngine OpManager before 125144, when cachestart ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2020-13817 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote att ...) - - ntp 1:4.2.8p14+dfsg-1 + - ntp 1:4.2.8p14+dfsg-1 (low) + [buster] - ntp (Minor issue) + [stretch] - ntp (Minor issue) [jessie] - ntp (Too intrusive to backport, requires new configuration) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3596 NOTE: https://bugs.ntp.org/show_bug.cgi?id=3596 @@ -931,6 +933,8 @@ CVE-2020-13791 (hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an o NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-r ...) - libjpeg-turbo (bug #962829) + [buster] - libjpeg-turbo (Minor issue) + [stretch] - libjpeg-turbo (Minor issue) [jessie] - libjpeg-turbo (No package in Debian jessie uses the TurboJPEG API) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1bfb0b5247f4fc8f6677639781ce468543490216 (1.5.x) @@ -1032,6 +1036,8 @@ CVE-2020-13758 (modules/security/classes/general.post_filter.php/post_filter.php NOT-FOR-US: Bitrix24 CVE-2020-13757 (Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ...) - python-rsa (bug #962142) + [buster] - python-rsa (Minor issue) + [stretch] - python-rsa (Minor issue) [jessie] - python-rsa (No reverse dependencies) NOTE: https://github.com/sybrenstuvel/python-rsa/issues/146 CVE-2020-13756 (Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data ...) 
@@ -1160,6 +1166,7 @@ CVE-2020-13697 CVE-2020-13696 (An issue was discovered in LinuxTV xawtv before 3.107. The function de ...) {DLA-2246-1} - xawtv (bug #962221) + [stretch] - xawtv (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/6 NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3 NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292 @@ -1241,6 +1248,8 @@ CVE-2020-13660 (CMS Made Simple through 2.2.14 allows XSS via a crafted File Pic NOT-FOR-US: CMS Made Simple CVE-2020-13659 (address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer d ...) - qemu + [buster] - qemu (Minor issue) + [stretch] - qemu (Minor issue) NOTE: https://bugs.launchpad.net/qemu/+bug/1878259 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html CVE-2020-13658 @@ -4120,7 +4129,9 @@ CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in qemu/qe NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1804548 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828190 CVE-2019-20792 (OpenSC before 0.20.0 has a double free in coolkey_free_private_data be ...) - - opensc 0.20.0-1 + - opensc 0.20.0-1 (low) + [buster] - opensc (Minor issue) + [stretch] - opensc (Minor issue) [jessie] - opensc (Minor issue but can be worth fixing later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208 NOTE: https://github.com/OpenSC/OpenSC/commit/c246f6f69a749d4f68626b40795a4f69168008f4 
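Review bot: in the CVE-2020-13696 hunk xawtv gets only `[stretch] - xawtv (Minor issue)`, while every other package in this commit (ntp, libjpeg-turbo, python-rsa, qemu, opensc) receives both a [buster] and a [stretch] line; jessie is already covered by {DLA-2246-1}, so either a `[buster] - xawtv (Minor issue)` line or a buster fixed version is missing.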
@@ -9837,6 +9848,7 @@ CVE-2020-10738 (A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before CVE-2020-10737 (A race condition was found in the mkhomedir tool shipped with the oddj ...) - oddjob 0.34.6-1 (bug #960089) [buster] - oddjob (Minor issue) + [stretch] - oddjob (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833042 NOTE: https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac CVE-2020-10736 [authorization bypass in mons & mgrs] @@ -39329,6 +39341,8 @@ CVE-2020-0199 (In TimeCheck::TimeCheckThread::threadLoop of TimeCheck.cpp, there CVE-2020-0198 (In exif_data_load_data_content of exif-data.c, there is a possible UBS ...) {DLA-2249-1} - libexif 0.6.22-2 (bug #962345) + [buster] - libexif (Minor issue) + [stretch] - libexif (Minor issue) NOTE: https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 NOTE:
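Review bot: the commit header lists two changed files, data/CVE/list and data/dsa-needed.txt, and the message adds "new kfreebsd issue" to a commit titled "bustre/stretch triage" (typo for buster), but the hunks shown touch only data/CVE/list and the last one is cut off after `NOTE:`; the dsa-needed.txt change cannot be reviewed from this mail, and an unrelated new dsa-needed entry is better committed separately from a batch of buster/stretch triage lines.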
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab8f7334 by security tracker role at 2020-06-15T20:10:41+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,149 @@ +CVE-2020-14162 + RESERVED +CVE-2020-14161 + RESERVED +CVE-2020-14160 + RESERVED +CVE-2020-14159 (By using an Automate API in ConnectWise Automate before 2020.5.178, a ...) + TODO: check +CVE-2020-14158 + RESERVED +CVE-2020-14157 + RESERVED +CVE-2020-14156 (user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid before 2020 ...) + TODO: check +CVE-2020-14155 (libpcre in PCRE before 8.44 allows an integer overflow via a large num ...) + TODO: check +CVE-2020-14154 (Mutt before 1.14.3 proceeds with a connection even if, in response to ...) + TODO: check +CVE-2020-14153 (In IJG JPEG (aka libjpeg) before 9d, jdhuff.c has an out-of-bounds arr ...) + TODO: check +CVE-2020-14152 (In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs. ...) + TODO: check +CVE-2020-14151 (In IJG JPEG (aka libjpeg) before 9d, read_*_pixel() in rdtarga.c in cj ...) + TODO: check +CVE-2020-14150 (GNU Bison before 3.5.4 allows attackers to cause a denial of service ( ...) + TODO: check +CVE-2020-14149 (In uftpd before 2.12, handle_CWD in ftpcmd.c mishandled the path provi ...) + TODO: check +CVE-2020-14148 (The Server-Server protocol implementation in ngIRCd before 26~rc2 allo ...) + TODO: check +CVE-2020-14147 (An integer overflow in the getnum function in lua_struct.c in Redis be ...) + TODO: check +CVE-2020-14146 (KumbiaPHP through 1.1.1, in Development mode, allows XSS via the publi ...) 
+ TODO: check +CVE-2020-14145 + RESERVED +CVE-2020-14144 + RESERVED +CVE-2020-14143 + RESERVED +CVE-2020-14142 + RESERVED +CVE-2020-14141 + RESERVED +CVE-2020-14140 + RESERVED +CVE-2020-14139 + RESERVED +CVE-2020-14138 + RESERVED +CVE-2020-14137 + RESERVED +CVE-2020-14136 + RESERVED +CVE-2020-14135 + RESERVED +CVE-2020-14134 + RESERVED +CVE-2020-14133 + RESERVED +CVE-2020-14132 + RESERVED +CVE-2020-14131 + RESERVED +CVE-2020-14130 + RESERVED +CVE-2020-14129 + RESERVED +CVE-2020-14128 + RESERVED +CVE-2020-14127 + RESERVED +CVE-2020-14126 + RESERVED +CVE-2020-14125 + RESERVED +CVE-2020-14124 + RESERVED +CVE-2020-14123 + RESERVED +CVE-2020-14122 + RESERVED +CVE-2020-14121 + RESERVED +CVE-2020-14120 + RESERVED +CVE-2020-14119 + RESERVED +CVE-2020-14118 + RESERVED +CVE-2020-14117 + RESERVED +CVE-2020-14116 + RESERVED +CVE-2020-14115 + RESERVED +CVE-2020-14114 + RESERVED +CVE-2020-14113 + RESERVED +CVE-2020-14112 + RESERVED +CVE-2020-14111 + RESERVED +CVE-2020-14110 + RESERVED +CVE-2020-14109 + RESERVED +CVE-2020-14108 + RESERVED +CVE-2020-14107 + RESERVED +CVE-2020-14106 + RESERVED +CVE-2020-14105 + RESERVED +CVE-2020-14104 + RESERVED +CVE-2020-14103 + RESERVED +CVE-2020-14102 + RESERVED +CVE-2020-14101 + RESERVED +CVE-2020-14100 + RESERVED +CVE-2020-14099 + RESERVED +CVE-2020-14098 + RESERVED +CVE-2020-14097 + RESERVED +CVE-2020-14096 + RESERVED +CVE-2020-14095 + RESERVED +CVE-2020-14094 + RESERVED +CVE-2019-20838 (libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT w ...) + TODO: check +CVE-2018-21246 (Caddy before 0.10.13 mishandles TLS client authentication, as demonstr ...) + TODO: check +CVE-2018-21245 (Pound before 2.8 allows HTTP request smuggling, a related issue to CVE ...) + TODO: check +CVE-2017-18869 (A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 co ...) + TODO: check CVE-2020-14093 (Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attac ...) 
- mutt (bug #962897) NOTE: https://github.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 @@ -33,8 +179,8 @@ CVE-2020-14078 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-base NOT-FOR-US: TRENDnet CVE-2020-14077 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet -CVE-2020-14076 - RESERVED +CVE-2020-14076 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) + TODO: check CVE-2020-14075 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) NOT-FOR-US: TRENDnet CVE-2020-14074 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) @@ -92,8 +238,8 @@ CVE-2020-14056 RESERVED CVE-2020-14055 RESERVED -CVE-2020-14054 -
[Git][security-tracker-team/security-tracker][master] Remove open-iscsi, now defintively out of scope and unlikely to be updated
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2420b60 by Salvatore Bonaccorso at 2020-06-15T21:20:34+02:00 Remove open-iscsi, now defintively out of scope and unlikely to be updated - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -10,8 +10,6 @@ CVE-2017-15873 [stretch] - busybox 1:1.22.0-19+deb9u1 CVE-2017-16544 [stretch] - busybox 1:1.22.0-19+deb9u1 -CVE-2017-17840 - [stretch] - open-iscsi 2.0.874-3~deb9u2 CVE-2018-16336 [stretch] - exiv2 0.25-3.1+deb9u2 CVE-2019-8907 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2420b6046afe56dc24fefe218231fb0f844dbab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2420b6046afe56dc24fefe218231fb0f844dbab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
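Review bot: removing the `CVE-2017-17840` / `[stretch] - open-iscsi 2.0.874-3~deb9u2` pair from next-oldstable-point-update.txt drops the planned stretch fix, but only that one file changes, so the [stretch] entry for CVE-2017-17840 in data/CVE/list keeps whatever status pointed at the point update; update it in the same commit (for example to `<ignored>` with the "out of scope" reasoning as a NOTE) so the tracker does not advertise a fix that will never ship.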
[Git][security-tracker-team/security-tracker][master] Reference revisited patch for CVE-2020-13754/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2bdc30b by Salvatore Bonaccorso at 2020-06-15T20:10:02+02:00 Reference revisited patch for CVE-2020-13754/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -998,7 +998,7 @@ CVE-2019-20809 (The price oracle in PriceOracle.sol in Compound Finance Compound NOT-FOR-US: Compound Finance Compound Price Oracle CVE-2020-13754 (hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of ...) - qemu - NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg4.html + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg03732.html CVE-2020-13702 (** DISPUTED ** The Rolling Proximity Identifier used in the Apple/Goog ...) NOT-FOR-US: Apple/Google Exposure Notification API CVE-2020-13701 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2bdc30b3d24a0b786d21e5c5e1d0b78cab022d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2bdc30b3d24a0b786d21e5c5e1d0b78cab022d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1406{0,1,2}/jackson-databind
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 952261e0 by Salvatore Bonaccorso at 2020-06-15T19:34:40+02:00 Add CVE-2020-1406{0,1,2}/jackson-databind - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -62,11 +62,26 @@ CVE-2020-14064 CVE-2020-14063 RESERVED CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) - TODO: check + - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + NOTE: https://github.com/FasterXML/jackson-databind/issues/2704 + NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default + NOTE: but still an issue when Default Typing is enabled. CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) - TODO: check + - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + NOTE: https://github.com/FasterXML/jackson-databind/issues/2698 + NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default + NOTE: but still an issue when Default Typing is enabled. CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) - TODO: check + - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + NOTE: https://github.com/FasterXML/jackson-databind/issues/2688 + NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default + NOTE: but still an issue when Default Typing is enabled. CVE-2020-14059 RESERVED CVE-2020-14058 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/952261e0ac9fcd5f4643c70c4722dd0b219a17e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/952261e0ac9fcd5f4643c70c4722dd0b219a17e4 You're receiving this email because of your account on salsa.debian.org. 
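Review bot: the three new entries record `- jackson-databind` with no fixed version although the descriptions say upstream fixed them in 2.9.10.5, and the identical two-line NOTE about Safe Default Typing being the default from the 2.10 series is repeated verbatim under all three CVEs; state which series the Debian package is in (that is what justifies "Minor issue" for buster and stretch) and give a fixed unstable version or a Debian bug reference so the point-release plan has something to point at.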
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-14093/mutt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c0a8561 by Salvatore Bonaccorso at 2020-06-15T18:56:38+02:00 Add Debian bug reference for CVE-2020-14093/mutt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-14093 (Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attac ...) - - mutt + - mutt (bug #962897) NOTE: https://github.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 CVE-2020-14092 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c0a856158640349f3212dcf8795464451570464 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c0a856158640349f3212dcf8795464451570464 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ab48f8e by Holger Levsen at 2020-06-15T06:28:04+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,7 +28,7 @@ apache2 NOTE: 20200604: wating to hear from CVE team for their decision. (utkarsh) NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh) -- -cacti (Abhijith PA) +cacti NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) -- condor @@ -39,7 +39,7 @@ condor -- drupal7 (Brian May) -- -freerdp (Mike Gabriel) +freerdp NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) -- @@ -104,9 +104,9 @@ qemu (Adrian Bunk) -- rails (Sylvain Beucler) -- -sqlite3 (Abhijith PA) +sqlite3 -- -squid3 (Markus Koschany) +squid3 NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for Jessie NOTE: 20200531: and Stretch. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ab48f8ed5658ed5b4b79216652f2553b492e1dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ab48f8ed5658ed5b4b79216652f2553b492e1dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
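Review bot: Dropping the claimant from the cacti line leaves no trace of when or why the package was unclaimed, so the next reader of dla-needed.txt sees only the 20200529 note ("A patch need to be cooked up") and cannot tell whether that work is still in progress or abandoned; suggest appending a dated note in the file's own style, e.g. "NOTE: 20200615: unclaimed after 2 weeks of inactivity (holger)", here and under each other package this commit unclaims.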
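Review bot: The freerdp unclaim looks premature given the trailing context of that hunk: the 20200531 note records a still-open discussion about EOL'ing freerdp (1.1), which is activity only 15 days before this commit, and the 20200510 note says the package is vulnerable to at least CVE-2020-11042. Suggest confirming with the previous claimant whether the EOL discussion is resolved and recording the outcome as a dated note, rather than returning the package to the unclaimed pool where a new claimant may start a backport that the EOL decision would make unnecessary.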
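Review bot: Unclaiming squid3 conflicts with its own notes in the last hunk: the 20200531 lines say work on squid3 in Stretch is ongoing and will be used for Jessie and Stretch, so applying the 2-week inactivity rule to dla-needed.txt alone may not reflect the real state. Suggest checking with the previous claimant before unclaiming, or adding a dated note so that a new claimant knows to coordinate with the Stretch upload. The sqlite3 line in the same hunk has no notes at all, so the unclaim there is uncontroversial.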
[Git][security-tracker-team/security-tracker][master] new mutt issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fb89fcd4 by Moritz Muehlenhoff at 2020-06-15T11:46:37+02:00 new mutt issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2020-14093 (Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attac ...) - TODO: check + - mutt + NOTE: https://github.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 CVE-2020-14092 RESERVED CVE-2020-14091 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb89fcd45b277f2d706578cc8b5179d15ed325f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb89fcd45b277f2d706578cc8b5179d15ed325f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
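Review bot: The new mutt entry assigns the package but no release-specific assessment: after "- mutt" there is no [buster]/[stretch] line, so the IMAP fcc/postpone man-in-the-middle issue will show as open in every suite until someone triages it. Suggest adding a bug reference and a severity or no-dsa decision once checked; the referenced upstream commit already identifies the fix, which makes a backport assessment straightforward.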
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 30c66c19 by Moritz Muehlenhoff at 2020-06-15T11:03:45+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,21 +23,21 @@ CVE-2020-14083 CVE-2020-14082 RESERVED CVE-2020-14081 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2020-14080 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2020-14079 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2020-14078 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2020-14077 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2020-14076 RESERVED CVE-2020-14075 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2020-14074 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2020-14073 RESERVED CVE-2020-14072 @@ -51,7 +51,7 @@ CVE-2020-14069 CVE-2020-14068 RESERVED CVE-2020-14067 (The install_from_hash functionality in Navigate CMS 2.9 does not consi ...) - TODO: check + NOT-FOR-US: Navigate CMS CVE-2020-14066 RESERVED CVE-2020-14065 
@@ -984,7 +984,7 @@ CVE-2020-13754 (hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an - qemu NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg4.html CVE-2020-13702 (** DISPUTED ** The Rolling Proximity Identifier used in the Apple/Goog ...) - TODO: check + NOT-FOR-US: Apple/Google Exposure Notification API CVE-2020-13701 RESERVED CVE-2020-13700 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30c66c1986c60a7ef65d8efafb6ae2640dca2f00 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30c66c1986c60a7ef65d8efafb6ae2640dca2f00 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 586b180a by security tracker role at 2020-06-15T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,71 @@ +CVE-2020-14093 (Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attac ...) + TODO: check +CVE-2020-14092 + RESERVED +CVE-2020-14091 + RESERVED +CVE-2020-14090 + RESERVED +CVE-2020-14089 + RESERVED +CVE-2020-14088 + RESERVED +CVE-2020-14087 + RESERVED +CVE-2020-14086 + RESERVED +CVE-2020-14085 + RESERVED +CVE-2020-14084 + RESERVED +CVE-2020-14083 + RESERVED +CVE-2020-14082 + RESERVED +CVE-2020-14081 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) + TODO: check +CVE-2020-14080 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) + TODO: check +CVE-2020-14079 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) + TODO: check +CVE-2020-14078 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) + TODO: check +CVE-2020-14077 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) + TODO: check +CVE-2020-14076 + RESERVED +CVE-2020-14075 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) + TODO: check +CVE-2020-14074 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) + TODO: check +CVE-2020-14073 + RESERVED +CVE-2020-14072 + RESERVED +CVE-2020-14071 + RESERVED +CVE-2020-14070 + RESERVED +CVE-2020-14069 + RESERVED +CVE-2020-14068 + RESERVED +CVE-2020-14067 (The install_from_hash functionality in Navigate CMS 2.9 does not consi ...) + TODO: check +CVE-2020-14066 + RESERVED +CVE-2020-14065 + RESERVED +CVE-2020-14064 + RESERVED +CVE-2020-14063 + RESERVED +CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) + TODO: check +CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) + TODO: check +CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) 
+ TODO: check CVE-2020-14059 RESERVED CVE-2020-14058 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/586b180a459b5df6f1f168ce76919d57e78df433 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/586b180a459b5df6f1f168ce76919d57e78df433 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10773/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 353582f1 by Salvatore Bonaccorso at 2020-06-15T09:22:12+02:00 Add CVE-2020-10773/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9475,8 +9475,10 @@ CVE-2020-10775 RESERVED CVE-2020-10774 RESERVED -CVE-2020-10773 +CVE-2020-10773 [kernel stack information leak on s390/s390x] RESERVED + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1846380 CVE-2020-10772 RESERVED - unbound (Red Hat specific regression in backport) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/353582f1b5c29235f337f822eff5aebafc16b232 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/353582f1b5c29235f337f822eff5aebafc16b232 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
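Review bot: The CVE-2020-10773 entry stays RESERVED and its only reference is the Red Hat bugzilla, so nothing in the hunk identifies the fixing upstream commit or which kernel versions are affected; suggest adding a NOTE with the upstream commit once it is public, plus the usual [buster]/[stretch] assessment lines. The bracketed description "kernel stack information leak on s390/s390x" is helpful for the RESERVED state, but on its own it does not tell a reader which stable kernels need a backport.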
[Git][security-tracker-team/security-tracker][master] wordpress issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf73345d by Salvatore Bonaccorso at 2020-06-15T08:34:27+02:00 wordpress issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -41,29 +41,29 @@ CVE-2020-14040 CVE-2020-14039 RESERVED CVE-2020- [Editor: Ensure latest comments can only be viewed from public posts] - - wordpress (bug #962685) + - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47984 CVE-2020-4050 (In affected versions of WordPress, misuse of the `set-screen-option` f ...) - - wordpress (bug #962685) + - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47951 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc NOTE: https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ec46b9ea0d2a0920 CVE-2020-4049 (In affected versions of WordPress, when uploading themes, the name of ...) - - wordpress (bug #962685) + - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47950 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p NOTE: https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148 CVE-2020-4048 (In affected versions of WordPress, due to an issue in wp_validate_redi ...) - - wordpress (bug #962685) + - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47949 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5 NOTE: https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693 CVE-2020-4046 (In affected versions of WordPress, users with low privileges (like con ...) - - wordpress (bug #962685) + - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47947 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf CVE-2020-4047 (In affected versions of WordPress, authenticated users with upload per ...) 
- - wordpress (bug #962685) + - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47948 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27 NOTE: https://github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf73345da8989fcb7d0dda3cd0065070ebc3d84e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf73345da8989fcb7d0dda3cd0065070ebc3d84e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
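Review bot: The hunk records the unstable fix (5.4.2+dfsg1-1) for all six WordPress entries but leaves each one without a [buster]/[stretch] line, so after this change the issues appear open in the stable suites with no indication of whether a point release or DSA is planned; suggest adding the release assessment together with the version bump, as the jackson-databind entries elsewhere in this batch do. Separately, the first entry's identifier is written as "CVE-2020-" followed only by the bracketed title; if this is a not-yet-assigned ID, check that it uses the placeholder form the tracker tooling expects so the entry is not silently skipped.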
[Git][security-tracker-team/security-tracker][master] lts: ongoing
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e93975b by Adrian Bunk at 2020-06-15T09:27:41+03:00 lts: ongoing - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -71,7 +71,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20200518: work is ongoing (bunk) + NOTE: 20200615: work is ongoing (bunk) -- linux (Ben Hutchings) -- @@ -87,6 +87,7 @@ nginx NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- nss (Adrian Bunk) + NOTE: 20200615: work is ongoing (bunk) -- opendmarc (Thorsten Alteholz) NOTE: 20200511: new CVEs arrived (thorsten) @@ -99,6 +100,7 @@ php5 (Thorsten Alteholz) -- qemu (Adrian Bunk) NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk) + NOTE: 20200615: work is ongoing (bunk) -- rails (Sylvain Beucler) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e93975b297d0febbdf00eb478a2cd35480b8e3e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e93975b297d0febbdf00eb478a2cd35480b8e3e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
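Review bot: In the libmatio hunk the existing "NOTE: 20200518: work is ongoing (bunk)" line is edited in place to 20200615, which discards the earlier date from the file's history; the nss and qemu hunks in the same commit append a new dated NOTE instead, which is the convention that keeps the timeline readable. Suggest appending here as well rather than rewriting the old note.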
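Review bot: The new qemu note "20200615: work is ongoing (bunk)" sits directly under "20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk)" without saying whether that upstream fix has landed, so a reader cannot tell whether the blocker is gone or the wait continues. Suggest stating the status of the CVE-2020-13362 upstream fix in the new note.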
[Git][security-tracker-team/security-tracker][master] Update CVE-2018-2055{2,3}/tcpreplay after upstream feedback
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb4dc076 by Salvatore Bonaccorso at 2020-06-15T08:04:16+02:00 Update CVE-2018-2055{2,3}/tcpreplay after upstream feedback The issues were fixed and got some additional hardening addressed in 4.4.3. For details please see https://bugs.debian.org/917574 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -82491,27 +82491,23 @@ CVE-2018-20555 (The Design Chemical Social Network Tabs plugin 1.7.1 for WordPre CVE-2018-20554 RESERVED CVE-2018-20553 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len ...) - - tcpreplay (low; bug #917574) - [buster] - tcpreplay (Minor issue) + - tcpreplay 4.3.1-1 (low; bug #917574) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (hard to exploit) NOTE: https://github.com/appneta/tcpreplay/issues/530 NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2 - NOTE: initial set of fixes were incorrect, see: + NOTE: initial set of fixes got additional hardening, see: NOTE: https://github.com/appneta/tcpreplay/issues/530#issuecomment-480312372 - NOTE: and fixed later with NOTE: https://github.com/appneta/tcpreplay/pull/584 CVE-2018-20552 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tre ...) - - tcpreplay (low; bug #917574) - [buster] - tcpreplay (Minor issue) + - tcpreplay 4.3.1-1 (low; bug #917574) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (hard to exploit) NOTE: https://github.com/appneta/tcpreplay/issues/530 NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2 - NOTE: initial set of fixes were incorrect, see: + NOTE: initial set of fixes got additional hardening, see: NOTE: https://github.com/appneta/tcpreplay/issues/530#issuecomment-480312372 - NOTE: and fixed later with - NOTE: https://github.com/appneta/tcpreplay/pull/609 + NOTE: https://github.com/appneta/tcpreplay/pull/584 CVE-2018-1000893 RESERVED CVE-2018-1000892 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb4dc0769d2632104365929b813eede1b696660c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb4dc0769d2632104365929b813eede1b696660c You're receiving this email because of your account on salsa.debian.org. 
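Review bot: After this hunk both tcpreplay entries mark unstable fixed in 4.3.1-1 while the retained NOTE lines still say the "initial set of fixes got additional hardening" via pull 584; the hunk does not state whether that hardening is needed for the CVEs or is purely defensive, so a reader cannot tell whether 4.3.1-1 is a complete fix or whether the [stretch] "Minor issue" tag should be revisited. Suggest one extra NOTE line recording that the hardening is not required for the fix (as the commit message implies), and confirming two things the diff leaves implicit: that the CVE-2018-20552 entry now pointing at pull 584 instead of 609 is deliberate, since both entries cite the same PR after this change, and that dropping the [buster] line means buster already ships a version at or above 4.3.1-1.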