[Git][security-tracker-team/security-tracker][master] Add CVE-2020-11989/shiro

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
236b92a7 by Salvatore Bonaccorso at 2020-06-23T07:55:43+02:00
Add CVE-2020-11989/shiro

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7292,7 +7292,8 @@ CVE-2020-11991
 CVE-2020-11990
RESERVED
 CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring 
dynamic ...)
-   TODO: check
+   - shiro 
+   TODO: check details
 CVE-2020-11988
RESERVED
 CVE-2020-11987
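Review bot: the new `- shiro ` line in this hunk carries no fixed version and the retained `TODO: check details` leaves the entry open, although the description already states the fix boundary ("Apache Shiro before 1.5.3"); the follow-up should either record the Debian upload that ships 1.5.3 or mark the package explicitly as unfixed, and if the Spring dynamic controllers named in the (truncated) description are not shipped in the Debian package, say so in a NOTE so the TODO does not linger.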



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/236b92a77d595b0fffbac5634f1e302b5e39e33d

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8a134559 by Salvatore Bonaccorso at 2020-06-23T07:55:13+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,9 +3,9 @@ CVE-2020-14983
 CVE-2020-14982
RESERVED
 CVE-2020-14981 (The ThreatTrack VIPRE Password Vault app through 1.100.1090 
for iOS ha ...)
-   TODO: check
+   NOT-FOR-US: ThreatTrack VIPRE Password Vault app for IOS
 CVE-2020-14980 (The Sophos Secure Email application through 3.9.4 for Android 
has Miss ...)
-   TODO: check
+   NOT-FOR-US: Sophos Secure Email application for Android
 CVE-2020-14979
RESERVED
 CVE-2020-14978
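Review bot: style nit in the CVE-2020-14981 line: `NOT-FOR-US: ThreatTrack VIPRE Password Vault app for IOS` capitalises the platform as `IOS` while the description says `for iOS`; suggest `... app for iOS`, matching the CVE-2020-14980 line, which keeps the description's `for Android` as written.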
@@ -19,21 +19,21 @@ CVE-2020-14975
 CVE-2020-14974
RESERVED
 CVE-2020-14973 (The loginForm within the general/login.php webpage in 
webTareas 2.0p8  ...)
-   TODO: check
+   NOT-FOR-US: webTareas
 CVE-2020-14972 (Multiple SQL injection vulnerabilities in Sourcecodester Pisay 
Online  ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Pisay Online E-Learning System
 CVE-2020-14971
RESERVED
 CVE-2020-14970
RESERVED
 CVE-2020-14969 (app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on 
attribu ...)
-   TODO: check
+   NOT-FOR-US: MISP
 CVE-2020-14968 (An issue was discovered in the jsrsasign package before 8.0.17 
for Nod ...)
-   TODO: check
+   NOT-FOR-US: jsrsasign
 CVE-2020-14967 (An issue was discovered in the jsrsasign package before 8.0.18 
for Nod ...)
-   TODO: check
+   NOT-FOR-US: jsrsasign
 CVE-2020-14966 (An issue was discovered in the jsrsasign package through 
8.0.18 for No ...)
-   TODO: check
+   NOT-FOR-US: jsrsasign
 CVE-2020-14965
RESERVED
 CVE-2020-14964
@@ -1048,7 +1048,7 @@ CVE-2020-14463
 CVE-2020-14462 (CALDERA 2.7.0 allows XSS via the Operation Name box. ...)
TODO: check
 CVE-2020-14461 (Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory 
Traversa ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2020-14460 (An issue was discovered in Mattermost Server before 5.19.0, 
5.18.1, 5. ...)
NOT-FOR-US: Mattermost
 CVE-2020-14459 (An issue was discovered in Mattermost Server before 5.19.0. 
Attackers  ...)
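Review bot: CVE-2020-14462 (CALDERA) at the top of this hunk is left as `TODO: check` while the neighbouring Zyxel entry is triaged in the same pass; if it is likewise outside the archive it could be resolved here, otherwise a NOTE on why it stays open would spare the next triager a second look.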
@@ -1904,11 +1904,11 @@ CVE-2020-14206
 CVE-2020-14205
RESERVED
 CVE-2020-14204 (In WebFOCUS Business Intelligence 8.0 (SP6), the 
administration portal ...)
-   TODO: check
+   NOT-FOR-US: WebFOCUS Business Intelligence
 CVE-2020-14203 (WebFOCUS Business Intelligence 8.0 (SP6) allows a Cross-Site 
Request F ...)
-   TODO: check
+   NOT-FOR-US: WebFOCUS Business Intelligence
 CVE-2020-14202 (WebFOCUS Business Intelligence 8.0 (SP6) was prone to XSS via 
arbitrar ...)
-   TODO: check
+   NOT-FOR-US: WebFOCUS Business Intelligence
 CVE-2020-14201
RESERVED
 CVE-2020-14200
@@ -2282,7 +2282,7 @@ CVE-2020-14051
 CVE-2020-14050
RESERVED
 CVE-2020-14049 (Viber for Windows up to 13.2.0.39 does not properly quote its 
custom U ...)
-   TODO: check
+   NOT-FOR-US: Viber
 CVE-2020-14048 (Zoho ManageEngine ServiceDesk Plus before 11.1 build 5 
allows remo ...)
NOT-FOR-US: Zoho
 CVE-2020-14047
@@ -2661,9 +2661,9 @@ CVE-2020-13890 (The Neon theme 2.0 before 2020-06-03 for 
Bootstrap allows XSS vi
 CVE-2020-13889 (showAlert() in the administration panel in Bludit 3.12.0 
allows XSS. ...)
NOT-FOR-US: Bludit
 CVE-2020-13888 (Kordil EDMS through 2.2.60rc3 allows stored XSS in 
users_edit.php, use ...)
-   TODO: check
+   NOT-FOR-US: Kordil EDMS
 CVE-2020-13887 (documents_add.php in Kordil EDMS through 2.2.60rc3 allows 
Remote Comma ...)
-   TODO: check
+   NOT-FOR-US: Kordil EDMS
 CVE-2020-13895 (Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) 
module befor ...)
- libcrypt-perl-perl  (bug #907353)
NOTE: https://github.com/FGasper/p5-Crypt-Perl/issues/14
@@ -3363,13 +3363,13 @@ CVE-2020-13642 (An issue was discovered in the 
SiteOrigin Page Builder plugin be
 CVE-2020-13641 (An issue was discovered in the Real-Time Find and Replace 
plugin befor ...)
NOT-FOR-US: Real-Time Find and Replace plugin for WordPress
 CVE-2020-13640 (A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 
and earlie ...)
-   TODO: check
+   NOT-FOR-US: gVectors wpDiscuz plugin for WordPress
 CVE-2020-13639
RESERVED
 CVE-2020-13638
RESERVED
 CVE-2020-13637 (An issue was discovered in the stashcat app through 3.9.2 for 
macOS, W ...)
-   TODO: check
+   NOT-FOR-US: stashcat app
 CVE-2020-13636
RESERVED
 CVE-2020-13635
@@ -3709,7 +3709,7 @@ CVE-2020-13482 (EM-HTTP-Request 1.1.5 uses the library 
eventmachine in an insecu
 CVE-2020-13481
RESERVED
 CVE-2020-13480 (Verint Workforce Optimization (WFO) 15.2 allows HTML injection 
via the ...)
-   TODO: 

[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2020-8331 (withdrawn by its CNA)

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
081288be by Salvatore Bonaccorso at 2020-06-23T07:50:01+02:00
Remove notes from CVE-2020-8331 (withdrawn by its CNA)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17623,7 +17623,6 @@ CVE-2020-8332
RESERVED
 CVE-2020-8331
REJECTED
-   NOT-FOR-US: Lenovo
 CVE-2020-8330 (A denial of service vulnerability was reported in the firmware 
prior t ...)
NOT-FOR-US: Lenovo
 CVE-2020-8329 (A denial of service vulnerability was reported in the firmware 
prior t ...)
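Review bot: the hunk removes the `NOT-FOR-US: Lenovo` line from an entry that is now `REJECTED`, and the reason (withdrawn by its CNA) survives only in the commit title; if the file's convention for REJECTED entries allows it, a `NOTE: withdrawn by its CNA` line would keep that reachable from data/CVE/list without consulting git log.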



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/081288bef491977ffb31fbb2a373883ecce9278d


[Git][security-tracker-team/security-tracker][master] automatic update

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b489bfa7 by security tracker role at 2020-06-22T20:10:26+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,45 @@
+CVE-2020-14983
+   RESERVED
+CVE-2020-14982
+   RESERVED
+CVE-2020-14981 (The ThreatTrack VIPRE Password Vault app through 1.100.1090 
for iOS ha ...)
+   TODO: check
+CVE-2020-14980 (The Sophos Secure Email application through 3.9.4 for Android 
has Miss ...)
+   TODO: check
+CVE-2020-14979
+   RESERVED
+CVE-2020-14978
+   RESERVED
+CVE-2020-14977
+   RESERVED
+CVE-2020-14976
+   RESERVED
+CVE-2020-14975
+   RESERVED
+CVE-2020-14974
+   RESERVED
+CVE-2020-14973 (The loginForm within the general/login.php webpage in 
webTareas 2.0p8  ...)
+   TODO: check
+CVE-2020-14972 (Multiple SQL injection vulnerabilities in Sourcecodester Pisay 
Online  ...)
+   TODO: check
+CVE-2020-14971
+   RESERVED
+CVE-2020-14970
+   RESERVED
+CVE-2020-14969 (app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on 
attribu ...)
+   TODO: check
+CVE-2020-14968 (An issue was discovered in the jsrsasign package before 8.0.17 
for Nod ...)
+   TODO: check
+CVE-2020-14967 (An issue was discovered in the jsrsasign package before 8.0.18 
for Nod ...)
+   TODO: check
+CVE-2020-14966 (An issue was discovered in the jsrsasign package through 
8.0.18 for No ...)
+   TODO: check
+CVE-2020-14965
+   RESERVED
+CVE-2020-14964
+   RESERVED
+CVE-2020-14963
+   RESERVED
 CVE-2020-14962 (Multiple XSS vulnerabilities in the Final Tiles Gallery plugin 
before  ...)
NOT-FOR-US: Final Tiles Gallery plugin for WordPress
 CVE-2020-14961 (Concrete5 before 8.5.3 does not constrain the sort direction 
to a vali ...)
@@ -1005,8 +1047,8 @@ CVE-2020-14463
RESERVED
 CVE-2020-14462 (CALDERA 2.7.0 allows XSS via the Operation Name box. ...)
TODO: check
-CVE-2020-14461
-   RESERVED
+CVE-2020-14461 (Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory 
Traversa ...)
+   TODO: check
 CVE-2020-14460 (An issue was discovered in Mattermost Server before 5.19.0, 
5.18.1, 5. ...)
NOT-FOR-US: Mattermost
 CVE-2020-14459 (An issue was discovered in Mattermost Server before 5.19.0. 
Attackers  ...)
@@ -1861,12 +1903,12 @@ CVE-2020-14206
RESERVED
 CVE-2020-14205
RESERVED
-CVE-2020-14204
-   RESERVED
-CVE-2020-14203
-   RESERVED
-CVE-2020-14202
-   RESERVED
+CVE-2020-14204 (In WebFOCUS Business Intelligence 8.0 (SP6), the 
administration portal ...)
+   TODO: check
+CVE-2020-14203 (WebFOCUS Business Intelligence 8.0 (SP6) allows a Cross-Site 
Request F ...)
+   TODO: check
+CVE-2020-14202 (WebFOCUS Business Intelligence 8.0 (SP6) was prone to XSS via 
arbitrar ...)
+   TODO: check
 CVE-2020-14201
RESERVED
 CVE-2020-14200
@@ -2239,8 +2281,8 @@ CVE-2020-14051
RESERVED
 CVE-2020-14050
RESERVED
-CVE-2020-14049
-   RESERVED
+CVE-2020-14049 (Viber for Windows up to 13.2.0.39 does not properly quote its 
custom U ...)
+   TODO: check
 CVE-2020-14048 (Zoho ManageEngine ServiceDesk Plus before 11.1 build 5 
allows remo ...)
NOT-FOR-US: Zoho
 CVE-2020-14047
@@ -2618,10 +2660,10 @@ CVE-2020-13890 (The Neon theme 2.0 before 2020-06-03 
for Bootstrap allows XSS vi
NOT-FOR-US: Bootstrap theme
 CVE-2020-13889 (showAlert() in the administration panel in Bludit 3.12.0 
allows XSS. ...)
NOT-FOR-US: Bludit
-CVE-2020-13888
-   RESERVED
-CVE-2020-13887
-   RESERVED
+CVE-2020-13888 (Kordil EDMS through 2.2.60rc3 allows stored XSS in 
users_edit.php, use ...)
+   TODO: check
+CVE-2020-13887 (documents_add.php in Kordil EDMS through 2.2.60rc3 allows 
Remote Comma ...)
+   TODO: check
 CVE-2020-13895 (Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) 
module befor ...)
- libcrypt-perl-perl  (bug #907353)
NOTE: https://github.com/FGasper/p5-Crypt-Perl/issues/14
@@ -3666,8 +3708,8 @@ CVE-2020-13482 (EM-HTTP-Request 1.1.5 uses the library 
eventmachine in an insecu
NOT-FOR-US: EM-HTTP-Request
 CVE-2020-13481
RESERVED
-CVE-2020-13480
-   RESERVED
+CVE-2020-13480 (Verint Workforce Optimization (WFO) 15.2 allows HTML injection 
via the ...)
+   TODO: check
 CVE-2020-13479
RESERVED
 CVE-2020-13478
@@ -3788,10 +3830,10 @@ CVE-2020-13428 (A heap-based buffer overflow in the 
hxxx_AnnexB_to_xVC function
[jessie] - vlc  (Not supported in jessie LTS)
NOTE: https://github.com/videolan/vlc-3.0/releases/tag/3.0.11
NOTE: 
http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=d5c43c21c747ff30ed19fcca745dea3481c733e0
-CVE-2020-13427
-   RESERVED
-CVE-2020-13426
-   RESERVED
+CVE-2020-13427 (Victor CMS 1.0 has Persistent XSS in 

[Git][security-tracker-team/security-tracker][master] Update CVE-2020-10749

2020-06-22 Thread Shengjing Zhu


Shengjing Zhu pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7bdc1be by Shengjing Zhu at 2020-06-23T02:39:31+08:00
Update CVE-2020-10749

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11841,7 +11841,7 @@ CVE-2020-10751 (A flaw was found in the Linux kernels 
SELinux LSM hook implement
 CVE-2020-10750 (Sensitive information written to a log file vulnerability was 
found in ...)
TODO: check
 CVE-2020-10749 (A vulnerability was found in all versions of 
containernetworking/plugi ...)
-   - golang-github-containernetworking-plugins 
+   - golang-github-containernetworking-plugins 0.8.6-1
NOTE: https://github.com/containernetworking/plugins/pull/484
NOTE: 
https://github.com/containernetworking/plugins/commit/219eb9e0464761c47383d239aba206da695e1a43
 CVE-2020-10748
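Review bot: the fixed version `0.8.6-1` is added without anything tying it to the referenced fix; the description says all versions of containernetworking/plugins are affected and the NOTE lines give only the PR and the commit, so a short `NOTE: Fixed in 0.8.6` (or whichever upstream release first contains commit 219eb9e) would let a reader verify that 0.8.6-1 really carries it.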



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7bdc1bede722a1c24de1807872e8d703d8b448b


[Git][security-tracker-team/security-tracker][master] dla: claim batik

2020-06-22 Thread Emilio Pozuelo Monfort


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ba51b32 by Emilio Pozuelo Monfort at 2020-06-22T16:40:56+02:00
dla: claim batik

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -30,7 +30,7 @@ apache2
   NOTE: 20200604: wating to hear from CVE team for their decision. (utkarsh)
   NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh)
 --
-batik
+batik (Emilio)
 --
 bison
   NOTE: 20200619: Patch not explicitly mentioned. Needs deeper research.
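Review bot: the claim reads `batik (Emilio)` while the other claims visible in this file use the full name, e.g. `php5 (Thorsten Alteholz)` and `qemu (Adrian Bunk)` (and `python3.4 (Sylvain Beucler)` elsewhere in this digest); suggest `batik (Emilio Pozuelo Monfort)` for consistency.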



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ba51b321f183a67c7952d01f47561200e442114


[Git][security-tracker-team/security-tracker][master] 2 commits: more info for CVE-2019-17566/batik

2020-06-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6dea5527 by Thorsten Alteholz at 2020-06-22T16:11:33+02:00
more info for CVE-2019-17566/batik

- - - - -
76346772 by Thorsten Alteholz at 2020-06-22T16:11:33+02:00
patch added in CVE list

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -43214,6 +43214,8 @@ CVE-2019-17566 [SSRF vulnerability]
RESERVED
- batik 
NOTE: https://www.openwall.com/lists/oss-security/2020/06/15/2
+   NOTE: patch: http://svn.apache.org/viewvc?view=revision=1871084
+   NOTE: corresponding bug: 
https://issues.apache.org/jira/browse/BATIK-1276
 CVE-2019-17565 (There is a vulnerability in Apache Traffic Server 6.0.0 to 
6.2.3, 7.0. ...)
{DSA-4672-1}
- trafficserver 8.0.6+ds-1
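Review bot: the patch URL in the first new NOTE is malformed: `http://svn.apache.org/viewvc?view=revision=1871084` has two `=` in a single query parameter, so ViewVC will not resolve it to revision 1871084; the expected form is `https://svn.apache.org/viewvc?view=revision&revision=1871084`. Whether the `&revision` part was lost in the commit or only in this mail rendering, the line in data/CVE/list is worth checking. The second NOTE (`corresponding bug:` with the BATIK-1276 link) is fine.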


=
data/dla-needed.txt
=
@@ -31,7 +31,6 @@ apache2
   NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh)
 --
 batik
-  NOTE: 20200619: Patch not explicitly mentioned. Needs deeper research.
 --
 bison
   NOTE: 20200619: Patch not explicitly mentioned. Needs deeper research.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/937b5e60f3cb707c2d9f8547d430ba258709e0e5...76346772f721d7b2e6fddb03ffd953ef39a56335


[Git][security-tracker-team/security-tracker][master] Add fixing commit for CVE-2020-14295/cacti

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
937b5e60 by Salvatore Bonaccorso at 2020-06-22T15:55:59+02:00
Add fixing commit for CVE-2020-14295/cacti

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1667,6 +1667,7 @@ CVE-2020-14295 (A SQL injection issue in color.php in 
Cacti 1.2.12 allows an adm
[stretch] - cacti  (Vulnerability introduced later)
[jessie] - cacti  (Vulnerability introduced later)
NOTE: https://github.com/Cacti/cacti/issues/3622
+   NOTE: Fixed by: 
https://github.com/Cacti/cacti/commit/cc1a656f37b08c0c45667c119a44a3751271ac6e
NOTE: Introduced with the fix for 
https://github.com/Cacti/cacti/issues/2839
NOTE: Introduced by: 
https://github.com/Cacti/cacti/commit/b87747c38ba58e8cf6507d4f1f8476d1df567556 
(1.2.6)
 CVE-2020-14294
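Review bot: placement nit: the new `NOTE: Fixed by:` line lands between the issue link and the two `Introduced ...` NOTEs, so the entry now reads fix first, cause second; listing `Introduced with the fix for` / `Introduced by` (1.2.6) before `Fixed by` keeps the chronology readable.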



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/937b5e60f3cb707c2d9f8547d430ba258709e0e5


[Git][security-tracker-team/security-tracker][master] CVE-2013-1753/python: reference sanctioned patch

2020-06-22 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aef44fdd by Sylvain Beucler at 2020-06-22T15:39:28+02:00
CVE-2013-1753/python: reference sanctioned patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -296700,7 +296700,7 @@ CVE-2013-1753 (The gzip_decode function in the xmlrpc 
client library in Python 3
[squeeze] - python3.1  (Minor issue)
[wheezy] - python3.2  (Minor issue)
NOTE: http://bugs.python.org/issue16043
-   NOTE: preliminary patch: 
http://bugs.python.org/file28796/xmlrpc_gzip_27.patch
+   NOTE: 
https://github.com/python/cpython/commit/eca72d47f5a639a0ac66a98a2d63b30df2ce310f
 (3.4)
 CVE-2013-1752
REJECTED
 CVE-2013-1751 (TWiki before 5.1.4 allows remote attackers to execute arbitrary 
shell  ...)
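Review bot: the sanctioned commit replaces the preliminary `xmlrpc_gzip_27.patch` link, whose file name indicates it targeted the 2.7 branch; since the `(3.4)` marker says the new reference is the 3.4 commit and the squeeze/wheezy lines above still cover python3.1/python3.2 as `Minor issue`, consider keeping the old link as a second NOTE or adding a NOTE on whether the 3.4 commit applies to the older branches, so an LTS uploader does not have to rediscover it.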



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aef44fddce071a8de533c5caf589b116098a4413


[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-13033/lynis as unimportant

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b41a72f by Salvatore Bonaccorso at 2020-06-22T14:32:24+02:00
Mark CVE-2019-13033/lynis as unimportant

Enabling the license system in the packaged version is possible, but
enabling it makes little sense as users will end up quitting on all the
extra tests that are not open-sourced (and only present in the enterprise
version).

Thanks: Marc Dequènes for the useful comments on the feature

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -58280,9 +58280,12 @@ CVE-2019-13045 (Irssi before 1.0.8, 1.1.x before 
1.1.3, and 1.2.x before 1.2.1,
NOTE: Fixed in 1.0.8, 1.1.3, 1.2.1
 CVE-2019-13033 (In CISOfy Lynis 2.x through 2.7.5, the license key can be 
obtained by  ...)
{DLA-2253-1}
-   - lynis  (bug #963161)
+   - lynis  (unimportant; bug #963161)
NOTE: https://cisofy.com/security/cve/cve-2019-13033/
NOTE: 
https://github.com/CISOfy/lynis/commit/3b9eda53cc20e851c4456618f027bc9ea794ad30
+   NOTE: Enabling license system in the packaged version is possible, but 
enabling it
+   NOTE: makes little sense as users will end-up quitting on all the extra 
tests that
+   NOTE: are not opensourced (and only present in the enterprise version).
 CVE-2019-13032 (An issue was discovered in FlightCrew v0.9.2 and earlier. A 
NULL point ...)
- flightcrew 0.7.2+dfsg-14 (unimportant; bug #931246)
[buster] - flightcrew 0.7.2+dfsg-13+deb10u1
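Review bot: the three new NOTE lines explain why `unimportant` is reasonable but only imply the fact the rating rests on: that the license system is not enabled by default in the Debian package (the text says enabling it "is possible"). Suggest stating that first, e.g. `NOTE: License system not enabled by default in the packaged version; enabling it is possible, but ...`, and while at it `end-up` and `opensourced` read better as `end up` and `open-sourced`.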



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b41a72f3efdd7e765c4839cba95a70a0521136b


[Git][security-tracker-team/security-tracker][master] dla: claim python3.4

2020-06-22 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e2dc34b by Sylvain Beucler at 2020-06-22T14:25:39+02:00
dla: claim python3.4
actually several other minor issues have been piling up

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -106,6 +106,8 @@ php5 (Thorsten Alteholz)
 pound
   NOTE: 20200619: No explicit patch mentioned. Needs deeper research.
 --
+python3.4 (Sylvain Beucler)
+--
 qemu (Adrian Bunk)
   NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk)
   NOTE: 20200615: work is ongoing (bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e2dc34b00340ff8c0ca45283e88674bfa260d98


[Git][security-tracker-team/security-tracker][master] dla: postponed python3.4

2020-06-22 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
057f705b by Sylvain Beucler at 2020-06-22T14:15:57+02:00
dla: postponed python3.4
CVE does not justify an independent update

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -1383,6 +1383,7 @@ CVE-2020-14422 (Lib/ipaddress.py in Python through 3.8.3 
improperly computes has
- python3.7 
- python3.5 
- python3.4 
+   [jessie] - python3.4  (Minor issue, DoS with constraints)
NOTE: https://bugs.python.org/issue41004
NOTE: https://github.com/python/cpython/pull/20956
 CVE-2020-14421 (aaPanel through 6.6.6 allows remote authenticated users to 
execute arb ...)


=
data/dla-needed.txt
=
@@ -106,8 +106,6 @@ php5 (Thorsten Alteholz)
 pound
   NOTE: 20200619: No explicit patch mentioned. Needs deeper research.
 --
-python3.4
---
 qemu (Adrian Bunk)
   NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk)
   NOTE: 20200615: work is ongoing (bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/057f705b61514b40925bdb80ef76b964d618bef4


[Git][security-tracker-team/security-tracker][master] initial jpeg triage

2020-06-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b7e23ac by Moritz Muehlenhoff at 2020-06-22T13:46:01+02:00
initial jpeg triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1984,7 +1984,7 @@ CVE-2020-14153 (In IJG JPEG (aka libjpeg) before 9d, 
jdhuff.c has an out-of-boun
 CVE-2020-14152 (In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in 
jmemnobs. ...)
TODO: check
 CVE-2020-14151 (In IJG JPEG (aka libjpeg) before 9d, read_*_pixel() in 
rdtarga.c in cj ...)
-   TODO: check
+   NOTE: Duplicate of CVE-2018-11813, should be rejected
 CVE-2020-14150 (GNU Bison before 3.5.4 allows attackers to cause a denial of 
service ( ...)
- bison 2:3.6.1+dfsg-1
NOTE: https://lists.gnu.org/archive/html/info-gnu/2020-04/msg0.html
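Review bot: CVE-2020-14151 becomes a NOTE-only entry (no package line, no NOT-FOR-US), so until MITRE actually rejects it the tracker holds no status for it; suggest mirroring the lines of the CVE-2018-11813 entry it duplicates (`- libjpeg9 1:9d-1 (unimportant; bug #904719)` and `- libjpeg-turbo  (unimportant)`) under this ID while keeping the duplicate NOTE, so the state is consistent whichever ID a reader looks up.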
@@ -115596,7 +115596,10 @@ CVE-2018-1000203 (Soar Labs Soar Coin version up to 
and including git commit 4a2
 CVE-2018-11814
RESERVED
 CVE-2018-11813 (libjpeg 9c has a large loop because read_pixel in rdtarga.c 
mishandles ...)
-   - libjpeg9 1:9d-1 (low; bug #904719)
+   - libjpeg9 1:9d-1 (unimportant; bug #904719)
+   - libjpeg-turbo  (unimportant)
+   NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/909a8cfc7bca9b2e6707425bdb74da997e8fa499
+   NOTE: Infinite loop in CLI tool, no security impact
 CVE-2018-11812
RESERVED
 CVE-2018-11811
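Review bot: the new `- libjpeg-turbo  (unimportant)` line has no fixed version although the NOTE directly below it gives the upstream fixing commit 909a8cf…; either record the libjpeg-turbo upload that contains it or add a NOTE that the fix is not yet in Debian, otherwise the double space reads as an unexplained unfixed package next to the `libjpeg9 1:9d-1` line that does carry a version.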



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b7e23ac1904a57cef66a3ebd1f09dc198d9235c


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03a022e1 by Salvatore Bonaccorso at 2020-06-22T10:53:04+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,13 @@
 CVE-2020-14962 (Multiple XSS vulnerabilities in the Final Tiles Gallery plugin 
before  ...)
-   TODO: check
+   NOT-FOR-US: Final Tiles Gallery plugin for WordPress
 CVE-2020-14961 (Concrete5 before 8.5.3 does not constrain the sort direction 
to a vali ...)
-   TODO: check
+   NOT-FOR-US: Concrete5
 CVE-2020-14960 (A SQL injection vulnerability in PHP-Fusion 9.03.50 affects 
the endpoi ...)
TODO: check
 CVE-2020-14959 (Multiple XSS vulnerabilities in the Easy Testimonials plugin 
before 3. ...)
-   TODO: check
+   NOT-FOR-US: Easy Testimonials plugin for WordPress
 CVE-2020-14958 (In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks 
a "not  ...)
-   TODO: check
+   NOT-FOR-US: Go Git Service
 CVE-2020-14957
RESERVED
 CVE-2020-14956
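Review bot: style nit in the CVE-2020-14958 line: the tag `NOT-FOR-US: Go Git Service` expands the project name while the description calls it `Gogs`, and the other tags in this hunk reuse the description's own name (`Concrete5`, `Easy Testimonials plugin for WordPress`); `NOT-FOR-US: Gogs` would be easier to grep for.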
@@ -21,7 +21,7 @@ CVE-2020-14952
 CVE-2020-14951
RESERVED
 CVE-2020-14950 (aaPanel through 6.6.6 allows remote authenticated users to 
execute arb ...)
-   TODO: check
+   NOT-FOR-US: aaPanel
 CVE-2020-14949
RESERVED
 CVE-2020-14948
@@ -37,7 +37,7 @@ CVE-2020-14944
 CVE-2020-14943
RESERVED
 CVE-2020-14942 (Tendenci 12.0.10 allows unrestricted deserialization in 
apps\helpdesk\ ...)
-   TODO: check
+   NOT-FOR-US: Tendenci
 CVE-2020-14941
RESERVED
 CVE-2020-14940



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03a022e1c4a3bd46201917997f5148d7923cbe40


[Git][security-tracker-team/security-tracker][master] chromium fixed in sid

2020-06-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1560857f by Moritz Muehlenhoff at 2020-06-22T10:47:23+02:00
chromium fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21984,15 +21984,15 @@ CVE-2020-6508
RESERVED
 CVE-2020-6507
RESERVED
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6506
RESERVED
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6505
RESERVED
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6504 (Insufficient policy enforcement in notifications in Google 
Chrome prio ...)
{DSA-4500-1}
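Review bot: CVE-2020-6505, CVE-2020-6506 and CVE-2020-6507 are still `RESERVED` (no description) yet now carry the fixed version 83.0.4103.106-1; that is fine for a batch release fix, but a NOTE pointing at the Chrome release announcement that ties these IDs to 83.0.4103.106 would make the version assignment verifiable before the descriptions are published.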
@@ -22019,22 +22019,22 @@ CVE-2020-6499 (Inappropriate implementation in 
AppCache in Google Chrome prior t
- chromium 80.0.3987.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6498 (Incorrect implementation in user interface in Google Chrome on 
iOS pri ...)
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6497 (Insufficient policy enforcement in Omnibox in Google Chrome on 
iOS pri ...)
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6496 (Use after free in payments in Google Chrome on MacOS prior to 
83.0.410 ...)
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6495 (Insufficient policy enforcement in developer tools in Google 
Chrome pr ...)
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6494 (Incorrect security UI in payments in Google Chrome on Android 
prior to ...)
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6493 (Use after free in WebAuthentication in Google Chrome prior to 
83.0.410 ...)
-   - chromium 
+   - chromium 83.0.4103.106-1
[stretch] - chromium  (see DSA 4562)
 CVE-2020-6492
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1560857fc9e9c5aac4c20fed715ecf237d911518


[Git][security-tracker-team/security-tracker][master] 6 commits: Remove old comment about LTS releases

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52e4c2a7 by Salvatore Bonaccorso at 2020-06-20T09:13:18+02:00
Remove old comment about LTS releases

Signed-off-by: Salvatore Bonaccorso car...@debian.org

- - - - -
dc358ab2 by Salvatore Bonaccorso at 2020-06-22T10:36:33+02:00
add-dsa-needed: Add code comment on intention of package addition

We do this in two steps. In a first step, for all supported releases
where there is a common package which needs an update (thus after
sorting the common list and filtering out only the duplicated lines), we
add those to dsa-needed.txt without suffix to indicate the package needs
an update in multiple (supported) suites.

In the latter step, we only -- for each release -- add pkg/release to
dsa-needed.txt to indicate the package needs an update only in the
respective release.

v2: Fix typo in comment about adding packages with /$release suffix

Signed-off-by: Salvatore Bonaccorso car...@debian.org

- - - - -
7a31ddd1 by Salvatore Bonaccorso at 2020-06-22T10:36:49+02:00
Fix indentation in while loop lost in an earlier refactoring

Fixes: 2df873e89355 (Replace tabs with spaces for add-dsa-needed.sh 
script)

- - - - -
6a7946cf by Salvatore Bonaccorso at 2020-06-22T10:36:49+02:00
Introduce new pkgs_print() helper function

Depending on whether a suffix should be included in the printout of the
package, set the format string for the printf invocation accordingly.

The idea is that, depending on whether only one release is supported, the
listing in the dsa-needed.txt should be either:

--
pkg
--

if only one suite is supported. In the case multiple suites are
supported but the package needs an update only in one release, the
listing should be

--
$pkg/release
--

Introduce a helper function taking as arguments the package, a flag for
suffix inclusion and the suffix to be used.

A later commit will use the new helper function where needed.

Signed-off-by: Salvatore Bonaccorso car...@debian.org

- - - - -
39708979 by Salvatore Bonaccorso at 2020-06-22T10:36:49+02:00
Use the newly introduced pkgs_print() helper function

In the former code block we target packages which need an update in
multiple supported releases. The latter block iterates only over
individual releases to add packages individually per release where
needed.

Signed-off-by: Salvatore Bonaccorso car...@debian.org

- - - - -
ede574c3 by Salvatore Bonaccorso at 2020-06-22T08:40:03+00:00
Merge branch add-dsa-needed-handle-multiple-suites into 
master

add-dsa-needed.sh: Handle multiple suites more consistently

See merge request security-tracker-team/security-tracker!56
- - - - -


1 changed file:

- bin/add-dsa-needed.sh


Changes:

=
bin/add-dsa-needed.sh
=
@@ -34,6 +34,18 @@ cleanup() {
 }
 trap cleanup EXIT
 
+pkgs_print() {
+local pkg=$1
+local include_suffix=$2
+local suffix=$3
+
+if $include_suffix ; then
+printf "%s/%s\n--\n" "$pkg" "$suffix"
+else
+printf "%s\n--\n" "$pkg"
+fi
+}
+
 output=data/dsa-needed.txt
 case "${1:-}" in
 --stdout)
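Review bot: `if $include_suffix ; then` in pkgs_print() executes its second argument as a command, so a caller passing anything other than the literal words true or false (an empty string, a typo, a stray value in a variable) either silently falls into the else branch or runs whatever command name was passed; testing the flag as a string, e.g. `if [ "$include_suffix" = true ]; then`, keeps the function from interpreting its argument. The helper also carries no usage comment; a one-line header naming the three positional arguments (package, include_suffix as true/false, suffix) would help the callers introduced in the following hunk.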
@@ -87,16 +99,18 @@ for release in $releases; do
 done < $tmpd/$release.txt
 done
 
+# Handle packages which need update in multiple releases
+# These are added without /$release suffix
 cat $tmpd/toadd-*.txt | sort | uniq -d |
 while read pkg; do
-printf "%s\n--\n" "$pkg" >> $output
+pkgs_print "$pkg" false false >> $output
 sed -ri "/^$pkg\$/d" $tmpd/toadd-*.txt
 done
 
-# Skip oldoldstable for now as it is an LTS release, tracked with
-# dla-needed:
+# Handle package which need update in distinct releases
+# and that are added with /$release suffix
 for release in $releases; do
 while read pkg; do
-printf "%s/%s\n--\n" "$pkg" "$release" >> $output
+pkgs_print "$pkg" "$include_oldstable" "$release" >> $output
 done < $tmpd/toadd-$release.txt
 done
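Review bot: `pkgs_print "$pkg" false false >> $output` passes the literal string false as the suffix argument, which is never used on that path; passing an empty string (`pkgs_print "$pkg" false ""`) states the intent and avoids a reader wondering whether "false" could end up in the output. The second call passes $include_oldstable as the include-suffix flag, but neither hunk shows where that variable is set or that it is constrained to exactly true or false, which matters because pkgs_print executes the flag as a command. The new comment also reads "Handle package which need update"; "Handle packages which need an update" fixes the grammar.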



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/03810e00f4b2138d8b27bb6fde6b3dfad2b5c5cb...ede574c3dca6309d1645a717dee2ab5e9da5e61e


[Git][security-tracker-team/security-tracker][master] automatic update

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03810e00 by security tracker role at 2020-06-22T08:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2020-14962 (Multiple XSS vulnerabilities in the Final Tiles Gallery plugin 
before  ...)
+   TODO: check
+CVE-2020-14961 (Concrete5 before 8.5.3 does not constrain the sort direction 
to a vali ...)
+   TODO: check
+CVE-2020-14960 (A SQL injection vulnerability in PHP-Fusion 9.03.50 affects 
the endpoi ...)
+   TODO: check
+CVE-2020-14959 (Multiple XSS vulnerabilities in the Easy Testimonials plugin 
before 3. ...)
+   TODO: check
+CVE-2020-14958 (In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks 
a "not  ...)
+   TODO: check
 CVE-2020-14957
RESERVED
 CVE-2020-14956
@@ -984,7 +994,7 @@ CVE-2020-14469
 CVE-2020-14468
RESERVED
 CVE-2020-14467
-   RESERVED
+   REJECTED
 CVE-2020-14466
RESERVED
 CVE-2020-14465
@@ -1314,7 +1324,7 @@ CVE-2016-11062 (An issue was discovered in Mattermost 
Server before 3.5.1. E-mai
 CVE-2015-9548 (An issue was discovered in Mattermost Server before 1.2.0. It 
allows a ...)
NOT-FOR-US: Mattermost
 CVE-2020-14954 (Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a 
STARTTLS buffe ...)
-   {DSA-4707-1}
+   {DSA-4708-1 DSA-4707-1}
- mutt 1.14.4-1
- neomutt 20200619+dfsg.1-1
NOTE: 
https://gitlab.com/muttmua/mutt/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4
@@ -2122,7 +2132,7 @@ CVE-2017-18869 (A TOCTOU issue in the chownr package 
before 1.1.0 for Node.js 10
NOTE: https://github.com/isaacs/chownr/issues/14
NOTE: https://snyk.io/vuln/npm:chownr:20180731
 CVE-2020-14093 (Mutt before 1.14.3 allows an IMAP fcc/postpone 
man-in-the-middle attac ...)
-   {DSA-4707-1}
+   {DSA-4708-1 DSA-4707-1}
- mutt 1.14.3-1 (bug #962897)
- neomutt 20200619+dfsg.1-1
NOTE: 
https://gitlab.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03810e00f4b2138d8b27bb6fde6b3dfad2b5c5cb


[Git][security-tracker-team/security-tracker][master] 2 commits: Update status of squid3 and imagemagick in dla-needed.txt

2020-06-22 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1ce3d59 by Markus Koschany at 2020-06-22T09:59:01+02:00
Update status of squid3 and imagemagick in dla-needed.txt

- - - - -
155aade8 by Markus Koschany at 2020-06-22T10:00:17+02:00
CVE-2019-18679,squid3: Correct link to upstream patch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -39335,7 +39335,7 @@ CVE-2019-18679 (An issue was discovered in Squid 2.x, 
3.x, and 4.x through 4.8.
{DSA-4682-1 DLA-2028-1}
- squid 4.9-1
- squid3 
-   NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
+   NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/squid-4-6f2841090dffbec1a2b2417e18bb3dc71d62dd2e.patch
NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
 CVE-2019-18678 (An issue was discovered in Squid 3.x and 4.x through 4.8. It 
allows at ...)
{DSA-4682-1 DLA-2028-1}


=
data/dla-needed.txt
=
@@ -53,6 +53,7 @@ freerdp
 glib-networking
 --
 imagemagick (Markus Koschany)
+  NOTE: 20200622: Ongoing work
 --
 libdatetime-timezone-perl
   NOTE: 20200514: LTS update must wait on oldstable update first (via point 
release) to prevent newer version in LTS (roberto)
@@ -114,9 +115,9 @@ qemu (Adrian Bunk)
 sqlite3 (Abhijith PA)
   NOTE: 20200620: WIP (abhijith)
 --
-squid3
-  NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for 
Jessie
-  NOTE: 20200531: and Stretch. (apo)
+squid3 (Markus Koschany)
+  NOTE: 20200622: https://people.debian.org/~apo/lts/squid3/
+  NOTE: 20200622: Patch for CVE-2019-12523 almost complete.
 --
 sympa
   NOTE: 20200525: Incomplete patch. Not the complete patch is made public. 
(utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37eb2a38468547b9f4cd3f45543076f28f5cc9d9...155aade8fddf7f5db0a87c52d66d8e2b3837bfbe


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-14148/ngircd via unstable

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37eb2a38 by Salvatore Bonaccorso at 2020-06-22T09:32:41+02:00
Add fixed version for CVE-2020-14148/ngircd via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1982,7 +1982,7 @@ CVE-2020-14149 (In uftpd before 2.12, handle_CWD in 
ftpcmd.c mishandled the path
NOT-FOR-US: uftpd
 CVE-2020-14148 (The Server-Server protocol implementation in ngIRCd before 
26~rc2 allo ...)
{DLA-2252-1}
-   - ngircd  (bug #963147)
+   - ngircd 26-1 (bug #963147)
[buster] - ngircd  (Minor issue)
[stretch] - ngircd  (Minor issue)
NOTE: https://github.com/ngircd/ngircd/issues/274



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37eb2a38468547b9f4cd3f45543076f28f5cc9d9


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-8184/ruby-rack

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2570f2b by Salvatore Bonaccorso at 2020-06-22T09:13:47+02:00
Add Debian bug reference for CVE-2020-8184/ruby-rack

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17871,7 +17871,7 @@ CVE-2020-8186
 CVE-2020-8185
RESERVED
 CVE-2020-8184 (A reliance on cookies without validation/integrity check 
security vuln ...)
-   - ruby-rack 
+   - ruby-rack  (bug #963477)
NOTE: Fixed by: 
https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
 CVE-2020-8183
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2570f2b0793230360dffa26f6c8d23d878bd46c


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7011/elasticsearch

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d540af2 by Salvatore Bonaccorso at 2020-06-22T09:03:01+02:00
Add CVE-2020-7011/elasticsearch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20737,7 +20737,7 @@ CVE-2020-7013 (Kibana versions before 6.8.9 and 7.7.0 
contain a prototype pollut
 CVE-2020-7012 (Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a 
prototype  ...)
- kibana  (bug #700337)
 CVE-2020-7011 (Elastic App Search versions before 7.7.0 contain a cross site 
scriptin ...)
-   TODO: check
+   - elasticsearch 
 CVE-2020-7010 (Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 
generate pas ...)
TODO: check
 CVE-2020-7009 (Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 
7.6.2  ...)
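Review bot: the `+   - elasticsearch` line marks the elasticsearch source package as affected, but the description in the context line names Elastic App Search, which is a separate Elastic product from the Elasticsearch server. Confirm that the Debian elasticsearch package actually ships the affected App Search code before keeping this mapping; if it does not, the entry belongs as NOT-FOR-US (the marker used elsewhere in this list for software Debian does not package), with the reasoning recorded in a NOTE line.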



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d540af29321f08429957bf74cf37880daedabf0


[Git][security-tracker-team/security-tracker][master] CVE-2020-12402/nss fixed via unstable

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc575604 by Salvatore Bonaccorso at 2020-06-22T08:59:31+02:00
CVE-2020-12402/nss fixed via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6225,7 +6225,7 @@ CVE-2020-12403
RESERVED
 CVE-2020-12402 [Side channel vulnerabilities during RSA key generation]
RESERVED
-   - nss  (bug #963152)
+   - nss 2:3.53.1-1 (bug #963152)
NOTE: 
https://hg.mozilla.org/projects/nss/rev/699541a7793bbe9b20f1d73dc49e25c6054aa4c1
NOTE: Fixed upstream in 3.53.1
 CVE-2020-12401



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc575604da3982df75fc3fed9edefa819f65ac7d


[Git][security-tracker-team/security-tracker][master] Fix commit reference for CVE-2020-8184/ruby-rack

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16784f52 by Salvatore Bonaccorso at 2020-06-22T08:31:56+02:00
Fix commit reference for CVE-2020-8184/ruby-rack

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17872,7 +17872,7 @@ CVE-2020-8185
RESERVED
 CVE-2020-8184 (A reliance on cookies without validation/integrity check 
security vuln ...)
- ruby-rack 
-   NOTE: Fixed by: 
https://github.com/rack/rack/1f5763de6a9fe515ff84992b343d63c88104654c
+   NOTE: Fixed by: 
https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
 CVE-2020-8183
RESERVED
 CVE-2020-8182



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16784f525e988d08248ad6aceb69a8eacc95eccd


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14301/libvirt

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e8061766 by Salvatore Bonaccorso at 2020-06-22T08:26:08+02:00
Add CVE-2020-14301/libvirt

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1635,8 +1635,11 @@ CVE-2020-14303
RESERVED
 CVE-2020-14302
RESERVED
-CVE-2020-14301
+CVE-2020-14301 [leak of sensitive cookie information via dumpxml]
RESERVED
+   - libvirt  (Vulnerable code introduced with 6.2.0)
+   NOTE: Fixed by: 
https://github.com/libvirt/libvirt/commit/a5b064bf4b17a9884d7d361733737fb614ad8979
+   NOTE: Fixed by: 
https://github.com/libvirt/libvirt/commit/524de6cc35d3b222f0e940bb0fd027f5482572c5
 CVE-2020-14300
RESERVED
 CVE-2020-14299



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8061766f9615ffd6a9dfe5a554fe7e678261da9


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-8184/ruby-rack

2020-06-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
21ec7e59 by Salvatore Bonaccorso at 2020-06-22T08:23:42+02:00
Add CVE-2020-8184/ruby-rack

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17868,7 +17868,8 @@ CVE-2020-8186
 CVE-2020-8185
RESERVED
 CVE-2020-8184 (A reliance on cookies without validation/integrity check 
security vuln ...)
-   TODO: check
+   - ruby-rack 
+   NOTE: Fixed by: 
https://github.com/rack/rack/1f5763de6a9fe515ff84992b343d63c88104654c
 CVE-2020-8183
RESERVED
 CVE-2020-8182
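Review bot: the URL on the new `NOTE: Fixed by:` line, https://github.com/rack/rack/1f5763de6a9fe515ff84992b343d63c88104654c, is missing the `/commit/` path segment and so does not point at the commit; it should read https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c. Fetching each reference URL once before committing would catch this class of error, since tracker consumers follow these links to verify the fix.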



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21ec7e5958e9201c067f99c1bc7200b0695248f9
