[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2020-11935/aufs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2839b3e by Salvatore Bonaccorso at 2020-07-09T23:09:53+02:00 Add Debian bug reference for CVE-2020-11935/aufs - - - - - d1f2a6b8 by Salvatore Bonaccorso at 2020-07-09T23:12:52+02:00 CVE-2020-11935: Remove doubled parethesis in reason - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9076,8 +9076,8 @@ CVE-2020-11936 RESERVED CVE-2020-11935 RESERVED - - aufs - [buster] - aufs (Minor issue; CONFIG_IMA not enabled in kernel; can be fixed via point release)) + - aufs (bug #964748) + [buster] - aufs (Minor issue; CONFIG_IMA not enabled in kernel; can be fixed via point release) [stretch] - aufs (Minor issue; too many other aufs issues open) NOTE: To exploit the issue CONFIG_IMA in Kernel needs to be enabled. NOTE: linux/4.9.y had the config enabled, but was disabled in later versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f4914b78f9162fa87762df75e55c68d3c22b5c81...d1f2a6b8225fd06a474f6d8cf1116b19d52c9fa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f4914b78f9162fa87762df75e55c68d3c22b5c81...d1f2a6b8225fd06a474f6d8cf1116b19d52c9fa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
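Review bot: the stretch reason for CVE-2020-11935 ("Minor issue; too many other aufs issues open") does not engage with the NOTE lines directly below it, which say that exploitation needs CONFIG_IMA enabled and that linux/4.9.y had it enabled while later kernels do not; stretch is the release on the 4.9 kernel (this batch tracks "[stretch] - linux 4.9.228-1"), so stretch is exactly where the precondition holds, and the entry should state why it is still treated as minor there or carry a different status. The buster reason, by contrast, rests on CONFIG_IMA being disabled and is consistent with the NOTE.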
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15503/libraw
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4914b78 by Salvatore Bonaccorso at 2020-07-09T23:00:45+02:00 Add Debian bug reference for CVE-2020-15503/libraw - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -329,7 +329,7 @@ CVE-2020-15505 (A remote code execution vulnerability in MobileIron Core and Con CVE-2020-15504 RESERVED CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...) - - libraw + - libraw (bug #964747) [buster] - libraw (Minor issue) [stretch] - libraw (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4914b78f9162fa87762df75e55c68d3c22b5c81
[Git][security-tracker-team/security-tracker][master] Adjust status for CVE-2020-15503/libraw
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7275ed0 by Salvatore Bonaccorso at 2020-07-09T22:52:05+02:00 Adjust status for CVE-2020-15503/libraw The missing check/validation for T.tlength is in src/libraw_cxx.cpp where the malloc occurs. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -331,7 +331,7 @@ CVE-2020-15504 CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...) - libraw [buster] - libraw (Minor issue) - [stretch] - libraw (Thumbnailing code not present) + [stretch] - libraw (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7275ed0884e0ab8214f31bff40898c71a826b8f
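Review bot: the reason for reversing the stretch assessment from "Thumbnailing code not present" to "Minor issue" exists only in the commit message (the missing T.tlength validation sits in src/libraw_cxx.cpp, at the malloc site); record it in the entry as a NOTE line next to the upstream commit reference, otherwise the next triager who only reads data/CVE/list may reinstate the "not present" verdict, since the CVE description still talks about a thumbnail size range check.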
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15095/npm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 57e2b61e by Salvatore Bonaccorso at 2020-07-09T22:41:05+02:00 Add Debian bug reference for CVE-2020-15095/npm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1208,7 +1208,7 @@ CVE-2020-15097 CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, the ...) - electron (bug #842420) CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an informati ...) - - npm + - npm (bug #964746) NOTE: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp NOTE: https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc CVE-2020-15094 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57e2b61eedf57b64612f776470397454032a14be
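Review bot: the npm entry still carries no [buster] or [stretch] line, so after this change both releases remain open for CVE-2020-15095 with only a bug reference on the unstable line; the description gives a clear cutoff ("prior to 6.14.6"), so a per-release triage line (fixed, minor issue, or not affected, with the reason) belongs in the same entry rather than being left implicit.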
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15095/npm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78bec8ff by Salvatore Bonaccorso at 2020-07-09T22:33:20+02:00 Add CVE-2020-15095/npm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1208,7 +1208,9 @@ CVE-2020-15097 CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, the ...) - electron (bug #842420) CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an informati ...) - TODO: check + - npm + NOTE: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp + NOTE: https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc CVE-2020-15094 RESERVED CVE-2020-15093 (The tough library (Rust/crates.io) prior to version 0.7.1 does not pro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78bec8ff74988ddd97f0c479cd6df93cfd83d004
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f635098 by Salvatore Bonaccorso at 2020-07-09T22:32:27+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -282,7 +282,7 @@ CVE-2020-15528 (An issue was discovered in GOG Galaxy Client 2.0.17. Local escal CVE-2020-15527 RESERVED CVE-2020-15526 (In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for ...) - TODO: check + NOT-FOR-US: Redgate SQL Monitor CVE-2020-15525 (GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of ...) - gitlab (Specific to EE) CVE-2020-15524 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f6350988a75dd9472f042d5a2f29164ea065a66
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16f26708 by Salvatore Bonaccorso at 2020-07-09T22:24:44+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -800,7 +800,7 @@ CVE-2020-15301 CVE-2020-15300 RESERVED CVE-2020-15299 (A reflected Cross-Site Scripting (XSS) Vulnerability in the KingCompos ...) - TODO: check + NOT-FOR-US: KingComposer plugin for WordPress CVE-2020-15298 RESERVED CVE-2020-15297 @@ -26521,7 +26521,7 @@ CVE-2020-5368 (Dell EMC VxRail versions 4.7.410 and 4.7.411 contain an improper CVE-2020-5367 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC U ...) NOT-FOR-US: Dell EMC CVE-2020-5366 (Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal ...) - TODO: check + NOT-FOR-US: EMC CVE-2020-5365 (Dell EMC Isilon versions 8.2.2 and earlier contain a remotesupport vul ...) NOT-FOR-US: EMC CVE-2020-5364 (Dell EMC Isilon OneFS versions 8.2.2 and earlier contain an SNMPv2 vul ...) @@ -29239,7 +29239,7 @@ CVE-2020-4307 (IBM Security Guardium 11.1 could allow an attacker on the same ne CVE-2020-4306 (IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2020-4305 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a r ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4304 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 i ...) NOT-FOR-US: IBM CVE-2020-4303 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 i ...) 
@@ -29503,7 +29503,7 @@ CVE-2020-4175 CVE-2020-4174 RESERVED CVE-2020-4173 (IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure a ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4172 RESERVED CVE-2020-4171 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16f26708cc71fb1b0e5a4f8783de045c474cf92a
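Review bot: in the second hunk CVE-2020-5366 (Dell EMC iDRAC9) is recorded as "NOT-FOR-US: EMC" while the adjacent CVE-2020-5367 entry uses "NOT-FOR-US: Dell EMC" and the Isilon entries below use "EMC" again, so the file now mixes two spellings for one vendor; settle on one ("Dell EMC" matches the CVE descriptions) so that vendor searches over data/CVE/list return every entry.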
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bd8154e9 by security tracker role at 2020-07-09T20:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -281,8 +281,8 @@ CVE-2020-15528 (An issue was discovered in GOG Galaxy Client 2.0.17. Local escal NOT-FOR-US: GOG Galaxy client CVE-2020-15527 RESERVED -CVE-2020-15526 - RESERVED +CVE-2020-15526 (In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for ...) + TODO: check CVE-2020-15525 (GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of ...) - gitlab (Specific to EE) CVE-2020-15524 @@ -320,11 +320,11 @@ CVE-2020-15509 (Nordic Semiconductor Android BLE Library through 2.2.1 and DFU L NOT-FOR-US: Nordic Semiconductor CVE-2020-15508 RESERVED -CVE-2020-15507 (MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, ...) +CVE-2020-15507 (An arbitrary file reading vulnerability in MobileIron Core and Connect ...) NOT-FOR-US: MobileIron Core and Connector -CVE-2020-15506 (MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, ...) +CVE-2020-15506 (An Authentication Bypass vulnerability in MobileIron Core and Connecto ...) NOT-FOR-US: MobileIron Core and Connector -CVE-2020-15505 (MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, ...) +CVE-2020-15505 (A remote code execution vulnerability in MobileIron Core and Connector ...) NOT-FOR-US: MobileIron Core and Connector CVE-2020-15504 RESERVED @@ -799,8 +799,8 @@ CVE-2020-15301 RESERVED CVE-2020-15300 RESERVED -CVE-2020-15299 - RESERVED +CVE-2020-15299 (A reflected Cross-Site Scripting (XSS) Vulnerability in the KingCompos ...) + TODO: check CVE-2020-15298 RESERVED CVE-2020-15297 
@@ -1211,10 +1211,10 @@ CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an inf TODO: check CVE-2020-15094 RESERVED -CVE-2020-15093 - RESERVED -CVE-2020-15092 - RESERVED +CVE-2020-15093 (The tough library (Rust/crates.io) prior to version 0.7.1 does not pro ...) + TODO: check +CVE-2020-15092 (In TimelineJS before version 3.7.0, some user data renders as HTML. An ...) + TODO: check CVE-2020-15091 (TenderMint from version 0.33.0 and before version 0.33.6 allows block ...) NOT-FOR-US: TenderMint CVE-2020-15090 @@ -1418,10 +1418,10 @@ CVE-2020-15003 RESERVED CVE-2020-15002 RESERVED -CVE-2020-15001 - RESERVED -CVE-2020-15000 - RESERVED +CVE-2020-15001 (An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0 ...) + TODO: check +CVE-2020-15000 (A PIN management problem was discovered on Yubico YubiKey 5 devices 5. ...) + TODO: check CVE-2020-14999 RESERVED CVE-2020-14998 @@ -3521,10 +3521,10 @@ CVE-2020-14173 (The file upload feature in Atlassian Jira Server and Data Center NOT-FOR-US: Atlassian CVE-2020-14172 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian -CVE-2020-14171 - RESERVED -CVE-2020-14170 - RESERVED +CVE-2020-14171 (Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 all ...) + TODO: check +CVE-2020-14170 (Webhooks in Atlassian Bitbucket Server from version 5.4.0 before versi ...) + TODO: check CVE-2020-14169 (The quick search component in Atlassian Jira Server and Data Center be ...) NOT-FOR-US: Atlassian CVE-2020-14168 (The email client in Jira Server and Data Center before version 7.13.16 ...) 
@@ -4008,7 +4008,7 @@ CVE-2020-13999 (ScaleViewPortExtEx in libemf.cpp in libEMF (aka ECMA-234 Metafil - libemf 1.0.13-1 (bug #963778) [buster] - libemf (Minor issue) NOTE: Fixed upstream in 1.0.13 -CVE-2020-13998 (** VERSION NOT SUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA ...) +CVE-2020-13998 (** UNSUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA is enabled ...) NOT-FOR-US: Citrix CVE-2020-13997 RESERVED @@ -4016,12 +4016,12 @@ CVE-2020-13996 (The J2Store plugin before 3.3.13 for Joomla! allows a SQL inject NOT-FOR-US: J2Store plugin for Joomla! CVE-2020-13995 RESERVED -CVE-2020-13994 - RESERVED -CVE-2020-13993 - RESERVED -CVE-2020-13992 - RESERVED +CVE-2020-13994 (An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A pri ...) + TODO: check +CVE-2020-13993 (An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A bli ...) + TODO: check +CVE-2020-13992 (An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A Sto ...) + TODO: check CVE-2020-13991 RESERVED CVE-2020-13990 @@ -6099,10 +6099,10 @@ CVE-2020-13134
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14315/bsdiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b73ae4b by Salvatore Bonaccorso at 2020-07-09T21:26:41+02:00 Add CVE-2020-14315/bsdiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3183,6 +3183,9 @@ CVE-2020-14316 RESERVED CVE-2020-14315 RESERVED + - bsdiff + NOTE: https://www.openwall.com/lists/oss-security/2020/07/09/2 + NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc CVE-2020-14314 [buffer uses out of index in ext3/4 filesystem] RESERVED - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b73ae4b9e00f6b2cee3ea196785d31fe3740c86
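Review bot: the new bsdiff entry has no fixed version and no [buster]/[stretch] lines, so every release now shows as affected, and the CVE is still RESERVED with no text; give it a bracketed short description the way the neighbouring CVE-2020-14314 entry does, and have the NOTE for FreeBSD-SA-16:29.bspatch say that the advisory is from 2016 while the CVE was assigned in 2020, so whoever triages it checks whether the 2016 bspatch fix is already in the Debian package instead of searching for a new upstream change.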
[Git][security-tracker-team/security-tracker][master] 2 commits: Track jackson-databind update via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ade1808d by Salvatore Bonaccorso at 2020-07-09T21:06:55+02:00 Track jackson-databind update via stretch-pu - - - - - 52c5d4f6 by Salvatore Bonaccorso at 2020-07-09T21:07:43+02:00 Indent items via tabs - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -53,7 +53,7 @@ CVE-2016-10894 CVE-2019-16275 [stretch] - wpa 2:2.4-1+deb9u6 CVE-2020-3123 -[stretch] - clamav 0.102.2+dfsg-0~deb9u1 + [stretch] - clamav 0.102.2+dfsg-0~deb9u1 CVE-2020-3327 [stretch] - clamav 0.102.3+dfsg-0~deb9u1 CVE-2020-3341 
@@ -171,3 +171,43 @@ CVE-2020-15562 [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u6 CVE-2020-7040 [stretch] - storebackup 3.2.1-2~deb9u1 +CVE-2020-9548 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-9547 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-9546 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-8840 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-14195 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-14062 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-14061 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-14060 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-11620 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-11619 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-3 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-2 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-1 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-10969 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-10968 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-10673 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2020-10672 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2019-20330 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2019-17531 + [stretch] - jackson-databind 2.8.6-1+deb9u7 +CVE-2019-17267 + [stretch] - jackson-databind 2.8.6-1+deb9u7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fa31a1d00b6697e9206b40bd534c5a4b309920d8...52c5d4f6c270cf5bcd62d0e52f880c9c7f283472
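Review bot: the first hunk only restores the leading tab on the clamav "[stretch]" line, which every other release line in next-oldstable-point-update.txt has, so the fix is right and it is worth scanning the file for other unindented release lines in the same pass. In the second hunk, three of the twenty ids read "CVE-2020-3", "CVE-2020-2" and "CVE-2020-1", which are not well-formed CVE identifiers (the sequence part has at least four digits); the same three appear in the buster list, so verify the intended ids before this file is used to cross-check the deb9u7 upload.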
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fa31a1d0 by Moritz Muehlenhoff at 2020-07-09T19:43:51+02:00 buster triage mark Google Closure Library as NFU, if this were a security issue as bundled in Chromium, it would get fixed via Chromium updates anyway - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -178,6 +178,7 @@ CVE-2020-15570 (The parse_report() function in whoopsie.c in Whoopsie through 0. NOT-FOR-US: Whoopsie CVE-2020-15569 (PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free ...) - milkytracker + [buster] - milkytracker (Minor issue) NOTE: https://github.com/milkytracker/MilkyTracker/commit/7afd55c42ad80d01a339197a2d8b5461d214edaf CVE-2020-15568 RESERVED @@ -14601,7 +14602,9 @@ CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...) NOTE: Test: https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40 CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/T ...) - pillow - [jessie] - pillow (Minor issue) + [buster] - pillow (Support for old-JPEG compressed TIFFs introduced in 6.0.0) + [stretch] - pillow (Support for old-JPEG compressed TIFFs introduced in 6.0.0) + [jessie] - pillow (Support for old-JPEG compressed TIFFs introduced in 6.0.0) NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 6.2.3 and 7.1.0 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before before 7.0.1, an out-of-bou ...) @@ -17993,9 +17996,7 @@ CVE-2020-8912 CVE-2020-8911 RESERVED CVE-2020-8910 (A URL parsing issue in goog.uri of the Google Closure Library versions ...) - - chromium - [stretch] - chromium (see DSA 4562) - NOTE: https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9 + NOT-FOR-US: Google Closure Library CVE-2020-8909 RESERVED CVE-2020-8908 
@@ -18173,6 +18174,7 @@ CVE-2020-8839 (Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converte CVE-2015-9542 (add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correct ...) {DLA-2116-1} - libpam-radius-auth 1.4.0-3 (bug #951396) + [buster] - libpam-radius-auth (Minor issue) NOTE: https://github.com/FreeRADIUS/pam_radius/commit/01173ec NOTE: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d NOTE: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa31a1d00b6697e9206b40bd534c5a4b309920d8
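Review bot: in the pillow hunk the new reason "Support for old-JPEG compressed TIFFs introduced in 6.0.0" is a not-affected argument for any release whose pillow predates 6.0.0, not a severity judgement; if that is the intent, the status should say so explicitly, because a bare reason on a release line still counts the release as vulnerable, and the previous jessie text ("Minor issue") meant something different from what the new text implies.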
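Review bot: the Google Closure Library hunk removes the "[stretch] - chromium (see DSA 4562)" line and the upstream fix reference (https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9) together with the chromium association; the commit message explains why (the copy bundled in Chromium gets fixed through Chromium updates), but nothing left in the entry records that Chromium bundles the library or where the fix lives. Keep the upstream commit as a NOTE under the NOT-FOR-US line so the audit trail survives in data/CVE/list.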
[Git][security-tracker-team/security-tracker][master] CVE-2020-10672,jackson-databind is also fixed in unstable.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c6ed981 by Markus Koschany at 2020-07-09T19:16:06+02:00 CVE-2020-10672,jackson-databind is also fixed in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13904,7 +13904,7 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2659 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c6ed98140a84926024edfd861c42e42e67bbea1
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: update rails status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 19f2464c by Sylvain Beucler at 2020-07-09T17:56:43+02:00 dla: update rails status - - - - - ac173517 by Sylvain Beucler at 2020-07-09T17:56:43+02:00 dla: update python3.5 status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -122,14 +122,15 @@ puma NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby) -- python3.5 (Sylvain Beucler) + NOTE: 20200709: update is ready, only (lotsa) non-critical CVEs so uploading after point release (Beuc) + NOTE: 20200709: https://www.beuc.net/tmp/debian-lts/python3.5/ -- qemu (Utkarsh Gupta) -- rails (Sylvain Beucler) - NOTE: 20200706: coordinating/reviewing stretch update with security and ruby teams - NOTE: 20200706: https://lists.debian.org/debian-lts/2020/06/msg00095.html - NOTE: 20200706: got regression claim but probably erroneous - NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00033.html + NOTE: 20200706: coordinating/reviewing stretch update with security/ruby/upstream teams (Beuc) + NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00065.html + NOTE: 20200709: https://www.beuc.net/tmp/debian-lts/rails/ NOTE: 20200709: this deb9u3 includes/supersedes stretch-pu deb9u2 -- ruby-rack (Utkarsh Gupta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/88a6c1b3be79ed3da2596e7a7f446827029fae2d...ac173517c84a19fa916b7137f8dbafe0796cf294
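Review bot: the rails hunk drops both NOTE lines about the regression claim ("got regression claim but probably erroneous" and the msg00033 link) without recording how it was resolved; "probably erroneous" was not a confirmed outcome, so either keep the msg00033 pointer or add a dated NOTE saying the claim was ruled out, so the history of the deb9u3 upload shows the regression report was handled rather than silently removed.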
[Git][security-tracker-team/security-tracker][master] Track proposed update for jackson-databind via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 88a6c1b3 by Salvatore Bonaccorso at 2020-07-09T17:40:32+02:00 Track proposed update for jackson-databind via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = 
@@ -118,6 +118,46 @@ CVE-2020-10759 [buster] - fwupd 1.2.13-1 CVE-2020-7040 [buster] - storebackup 3.2.1-2~deb10u1 +CVE-2020-9548 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-9547 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-9546 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-8840 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-14195 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-14062 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-14061 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-14060 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-11620 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-11619 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-3 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-2 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-1 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-10969 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-10968 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-10673 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2020-10672 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2019-20330 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2019-17531 + [buster] - jackson-databind 2.9.8-3+deb10u2 +CVE-2019-17267 + [buster] - jackson-databind 2.9.8-3+deb10u2 CVE-2019-18885 [buster] - linux 4.19.131-1 CVE-2019-20810 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88a6c1b3be79ed3da2596e7a7f446827029fae2d
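Review bot: three of the twenty entries are keyed on "CVE-2020-3", "CVE-2020-2" and "CVE-2020-1", which are not well-formed CVE identifiers (the sequence part of a CVE id has at least four digits); since this file is what the 2.9.8-3+deb10u2 upload will be cross-checked against, confirm the real ids for those three lines before the point release, and check data/CVE/list at the same time, where the same short forms appear on the jackson-databind entries.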
[Git][security-tracker-team/security-tracker][master] Track proposed updates for storebackup via {stretch,buster}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62be6279 by Salvatore Bonaccorso at 2020-07-09T17:36:58+02:00 Track proposed updates for storebackup via {stretch,buster}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -169,3 +169,5 @@ CVE-2020-0009 [stretch] - linux 4.9.228-1 CVE-2020-15562 [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u6 +CVE-2020-7040 + [stretch] - storebackup 3.2.1-2~deb9u1 = data/next-point-update.txt = @@ -116,6 +116,8 @@ CVE-2020-11736 [buster] - file-roller 3.30.1-2+deb10u1 CVE-2020-10759 [buster] - fwupd 1.2.13-1 +CVE-2020-7040 + [buster] - storebackup 3.2.1-2~deb10u1 CVE-2019-18885 [buster] - linux 4.19.131-1 CVE-2019-20810 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62be627927628ba491b875e88858be748120d742
[Git][security-tracker-team/security-tracker][master] jackson-databind: Several CVE are fixed in unstable now.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 858cff0b by Markus Koschany at 2020-07-09T14:44:04+02:00 jackson-databind: Several CVE are fixed in unstable now. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3464,7 +3464,7 @@ CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 a NOTE: https://www.openwall.com/lists/oss-security/2020/07/01/1 CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2765 @@ -3798,7 +3798,7 @@ CVE-2020-14063 RESERVED CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2704 @@ -3806,7 +3806,7 @@ CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2698 
@@ -3814,7 +3814,7 @@ CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2688 @@ -10811,7 +10811,7 @@ CVE-2020-11621 RESERVED CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2682 @@ -10819,7 +10819,7 @@ CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2680 
@@ -12196,7 +12196,7 @@ CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid m NOTE: https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 CVE-2020-3 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2670 @@ -12204,7 +12204,7 @@ CVE-2020-3 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-2 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2666 @@ -12212,7 +12212,7 @@ CVE-2020-2 (FasterXML jackson-databind
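Review bot: the last two entries in this series are headed CVE-2020-3 and CVE-2020-2, which are not well-formed CVE identifiers (the sequence part of a CVE ID is at least four digits), so the IDs appear truncated in this rendering and the mail itself is cut off mid-entry; check the identifiers directly in data/CVE/list before acting on this commit. The other hunks (CVE-2020-14195, -14062, -14061, -14060, -11620, -11619) consistently record 2.11.1-1 as the fixing version in unstable and leave the `[buster]`/`[stretch] (Minor issue; can be fixed via a point release)` lines in place, which matches the adjacent NOTE lines stating the issues only remain a problem when Default Typing is enabled.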
[Git][security-tracker-team/security-tracker][master] CVE-2019-9740/python*: reference regression fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d5c6261 by Sylvain Beucler at 2020-07-09T14:16:42+02:00 CVE-2019-9740/python*: reference regression fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70510,8 +70510,10 @@ CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a - python2.7 2.7.16-3 [buster] - python2.7 2.7.16-2+deb10u1 [stretch] - python2.7 (Minor issue) - NOTE: https://bugs.python.org/issue36276 NOTE: https://bugs.python.org/issue30458 + NOTE: https://bugs.python.org/issue36276 (duplicate) + NOTE: https://bugs.python.org/issue36274 (common regression fix) + NOTE: https://bugs.python.org/issue38216 (common regression fix) NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740 NOTE: Patch 2.7: https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 CVE-2019-9739 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d5c62614c467caf762efe8fb4de925fa2b6b609 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d5c62614c467caf762efe8fb4de925fa2b6b609 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
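Review bot: the two new references tagged "common regression fix" (issue36274, issue38216) are added as bare NOTE lines without saying whether the fixed versions already listed (2.7.16-3 for unstable, 2.7.16-2+deb10u1 for buster) include those follow-up fixes; since the tag implies they repair regressions from the CVE-2019-9740 patch itself (commit bb8071a4cae5ab3fe321481dd3d73662ffb26052), a short NOTE stating which uploads carry them would save the next backporter from re-checking. Moving issue36276 below issue30458 and marking it "(duplicate)" is fine.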
[Git][security-tracker-team/security-tracker][master] dla: rails: clarify pu status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e1a5df07 by Sylvain Beucler at 2020-07-09T14:05:18+02:00 dla: rails: clarify pu status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -130,7 +130,7 @@ rails (Sylvain Beucler) NOTE: 20200706: https://lists.debian.org/debian-lts/2020/06/msg00095.html NOTE: 20200706: got regression claim but probably erroneous NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00033.html - NOTE: 20200709: #954664 is a stretch-pu update for CVE-2020-5267 (bunk) + NOTE: 20200709: this deb9u3 includes/supersedes stretch-pu deb9u2 -- ruby-rack (Utkarsh Gupta) NOTE: probably not affected (parse_cookies_header() is not available in Jessie, but code might hide somewhere else) (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1a5df071623c25872f0ff889bdbecf717bed250 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1a5df071623c25872f0ff889bdbecf717bed250 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
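Review bot: the replacement NOTE drops both the bug number (#954664) and the CVE (CVE-2020-5267) that the previous line carried; keep them in the new wording, e.g. "#954664 (stretch-pu, CVE-2020-5267) deb9u2 is included/superseded by this deb9u3", so the relation between the stretch-pu upload and the LTS upload stays findable without consulting git history.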
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entry, got at same time a DLA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2c45588 by Salvatore Bonaccorso at 2020-07-09T12:40:10+02:00 Remove no-dsa tagged entry, got at same time a DLA Still the best solution is not only to cherry-pick the commit as fwupd is not functional in this version but needs a rebase to the 0.8.x series. - - - - - 2 changed files: - data/CVE/list - data/next-oldstable-point-update.txt Changes: = data/CVE/list = @@ -13553,7 +13553,6 @@ CVE-2020-10759 [Possible bypass in signature verification] RESERVED - fwupd 1.3.10-1 (bug #962517) [buster] - fwupd (Will be fixed via point release) - [stretch] - fwupd (Will be fixed via point release) - libjcat 0.1.3-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1844316 NOTE: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md = data/next-oldstable-point-update.txt = @@ -169,5 +169,3 @@ CVE-2020-0009 [stretch] - linux 4.9.228-1 CVE-2020-15562 [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u6 -CVE-2020-10759 - [stretch] - fwupd 0.8.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2c455881cef3e8d9138f1d43fec65c8a9df9210 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2c455881cef3e8d9138f1d43fec65c8a9df9210 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
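Review bot: the caveat in the commit message, that cherry-picking the upstream commit alone leaves fwupd non-functional in this version and a rebase to the 0.8.x series is what is actually needed, exists only in the git log; data/CVE/list should carry it as a NOTE line under CVE-2020-10759, because after this hunk removes the `[stretch]` annotation and the next-oldstable-point-update.txt entry, the entry otherwise reads as if stretch were simply covered. The removal itself is consistent with DLA-2274-1 having been reserved for fwupd 0.7.4-2+deb9u1 earlier the same day.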
[Git][security-tracker-team/security-tracker][master] dla-needed: Add notes for stretch-pu packages
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: b23b6ec5 by Adrian Bunk at 2020-07-09T13:28:53+03:00 dla-needed: Add notes for stretch-pu packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -68,6 +68,7 @@ freerdp glib-networking (Emilio) -- gosa (Chris Lamb) + NOTE: 20200709: #958850 is a stretch-pu update for CVE-2019-14466 (bunk) -- gupnp -- @@ -129,6 +130,7 @@ rails (Sylvain Beucler) NOTE: 20200706: https://lists.debian.org/debian-lts/2020/06/msg00095.html NOTE: 20200706: got regression claim but probably erroneous NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00033.html + NOTE: 20200709: #954664 is a stretch-pu update for CVE-2020-5267 (bunk) -- ruby-rack (Utkarsh Gupta) NOTE: probably not affected (parse_cookies_header() is not available in Jessie, but code might hide somewhere else) (thorsten) @@ -162,6 +164,7 @@ unbound NOTE: 20200616: https://lists.debian.org/debian-lts/2020/06/msg00038.html (bam) -- wpa (Abhijith PA) + NOTE: 20200709: #949367 is a stretch-pu update for CVE-2019-16275 (bunk) -- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b23b6ec56f72b20b4f720ac0ba8b8a2966ac8336 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b23b6ec56f72b20b4f720ac0ba8b8a2966ac8336 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
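Review bot: for gosa the note records that #958850 is a stretch-pu update for CVE-2019-14466, but gosa was only just added to dla-needed.txt and claimed for a DLA; the note should say whether that stretch-pu is still pending or already accepted, otherwise the LTS uploader and the point-release update risk fixing the same CVE twice with diverging versions. The same applies to the wpa note (#949367, CVE-2019-16275).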
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2020-15503 in libraw for stretch LTS (thumbnailing code added later)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 092a9201 by Chris Lamb at 2020-07-09T10:53:58+01:00 Triage CVE-2020-15503 in libraw for stretch LTS (thumbnailing code added later) - - - - - 20fee37f by Chris Lamb at 2020-07-09T10:54:02+01:00 data/dla-needed.txt: Triage gosa for stretch LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -330,6 +330,7 @@ CVE-2020-15504 CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...) - libraw [buster] - libraw (Minor issue) + [stretch] - libraw (Thumbnailing code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...) = data/dla-needed.txt = @@ -67,6 +67,8 @@ freerdp -- glib-networking (Emilio) -- +gosa +-- gupnp -- imagemagick (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2dc55faf90d1d6accae659fa07c34447f406b751...20fee37f67c5a36c26d463ad219a462afce257bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2dc55faf90d1d6accae659fa07c34447f406b751...20fee37f67c5a36c26d463ad219a462afce257bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
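Review bot: the new `[stretch] - libraw (Thumbnailing code not present)` annotation asserts a not-affected status while buster keeps "Minor issue"; since the upstream fix referenced in the NOTE (commit 20ad21c0d87ca80217aee47533d91e633ce1864d) is what introduces the thumbnail size range check, record in a NOTE which file or function was checked in the stretch libraw source so the not-affected claim can be re-verified later. The gosa addition to dla-needed.txt is an empty stanza with no CVE listed; add the CVE it is being triaged for.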
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim gosa.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 389b61df by Chris Lamb at 2020-07-09T10:54:19+01:00 data/dla-needed.txt: Claim gosa. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,7 +67,7 @@ freerdp -- glib-networking (Emilio) -- -gosa +gosa (Chris Lamb) -- gupnp -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/389b61df3604d1594aa94adae095649612a02df5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/389b61df3604d1594aa94adae095649612a02df5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixes for fwupd via {stretch,buster}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dc55faf by Salvatore Bonaccorso at 2020-07-09T11:45:47+02:00 Track fixes for fwupd via {stretch,buster}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -169,3 +169,5 @@ CVE-2020-0009 [stretch] - linux 4.9.228-1 CVE-2020-15562 [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u6 +CVE-2020-10759 + [stretch] - fwupd 0.8.3-1 = data/next-point-update.txt = @@ -114,6 +114,8 @@ CVE-2020-13249 [buster] - mariadb-10.3 1:10.3.23-0+deb10u1 CVE-2020-11736 [buster] - file-roller 3.30.1-2+deb10u1 +CVE-2020-10759 + [buster] - fwupd 1.2.13-1 CVE-2019-18885 [buster] - linux 4.19.131-1 CVE-2019-20810 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dc55faf90d1d6accae659fa07c34447f406b751 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dc55faf90d1d6accae659fa07c34447f406b751 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
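Review bot: the stretch target `fwupd 0.8.3-1` in next-oldstable-point-update.txt is a new upstream series rather than a +deb9uN revision of the 0.7.4 package that stretch ships (DLA-2274-1 records 0.7.4-2+deb9u1), so this is not a normal point-release fix; either name the intended stretch version in the +deb9u form or add a NOTE that a new upstream is being proposed and needs release team agreement. The buster target 1.2.13-1 has the same shape and deserves the same clarification.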
[Git][security-tracker-team/security-tracker][master] dla: take atril
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: fd4ea19f by Emilio Pozuelo Monfort at 2020-07-09T11:40:21+02:00 dla: take atril - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ ansible NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- -atril +atril (Emilio) NOTE: 20200709: Previously fixed in jessie LTS via DLA-1882-1. (lamby) -- batik (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd4ea19f4552ca2cb779eda900f438da833e9f65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd4ea19f4552ca2cb779eda900f438da833e9f65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark fwupd as no-dsa (will be fixed via point release)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9018b51 by Salvatore Bonaccorso at 2020-07-09T11:37:05+02:00 Mark fwupd as no-dsa (will be fixed via point release) - - - - - 1b137102 by Salvatore Bonaccorso at 2020-07-09T11:39:11+02:00 Merge remote-tracking branch origin/master - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -13551,6 +13551,8 @@ CVE-2020-10760 (A use-after-free flaw was found in all samba LDAP server version CVE-2020-10759 [Possible bypass in signature verification] RESERVED - fwupd 1.3.10-1 (bug #962517) + [buster] - fwupd (Will be fixed via point release) + [stretch] - fwupd (Will be fixed via point release) - libjcat 0.1.3-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1844316 NOTE: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- curl (ghedo) -- -fwupd --- libopenmpt -- knot-resolver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ad984a7afb4d191ab596c440ba7337876cd273c6...1b1371027d75b6d5f0ddcda76c37a3fccfab6e26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ad984a7afb4d191ab596c440ba7337876cd273c6...1b1371027d75b6d5f0ddcda76c37a3fccfab6e26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
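Review bot: the `[buster]`/`[stretch] - fwupd (Will be fixed via point release)` lines are fine, but the entry also lists `libjcat 0.1.3-1` as a second source with no release annotation; if libjcat is absent from buster and stretch, a NOTE saying so would pre-empt the question of whether it too needs a point-release fix. The dsa-needed.txt removal is consistent with the no-dsa marking.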
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2274-1 for fwupd
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ad984a7a by Chris Lamb at 2020-07-09T10:34:18+01:00 Reserve DLA-2274-1 for fwupd - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Jul 2020] DLA-2274-1 fwupd - security update + {CVE-2020-10759} + [stretch] - fwupd 0.7.4-2+deb9u1 [08 Jul 2020] DLA-2273-1 shiro - security update {CVE-2020-1957 CVE-2020-11989} [stretch] - shiro 1.3.2-1+deb9u1 = data/dla-needed.txt = @@ -65,8 +65,6 @@ freerdp NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) -- -fwupd (Chris Lamb) --- glib-networking (Emilio) -- gupnp View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad984a7afb4d191ab596c440ba7337876cd273c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad984a7afb4d191ab596c440ba7337876cd273c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage cimg for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: aacfdb7a by Chris Lamb at 2020-07-09T10:29:01+01:00 data/dla-needed.txt: Triage cimg for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,6 +36,11 @@ ceph NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby) -- +cimg + NOTE: 20200709: Upstream patch is against a newer "load_network_external" + NOTE: 20200709: method (vs "load_network") but is still missing the argument + NOTE: 20200709: sanitisation. (lamby) +-- condor (Roberto C. Sánchez) NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aacfdb7aebf722b59e53e0da01d85444a727ccaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aacfdb7aebf722b59e53e0da01d85444a727ccaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
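Review bot: the cimg note describes the upstream patch and its missing argument sanitisation but never names the CVE it concerns; add the CVE identifier to the first NOTE line so the stanza can be matched against data/CVE/list.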
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add notes on json-c for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c342470 by Chris Lamb at 2020-07-09T10:26:21+01:00 data/dla-needed.txt: Add notes on json-c for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,9 @@ jruby NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- json-c + NOTE: 20200709: Not all of the patches as part of CVE-2020-12762 do not apply + NOTE: 20200709: directly/cleanly to the version in stretch, but I suspect we + NOTE: 20200709: are still vulnerable. (lamby) -- libopenmpt -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c342470236bcfeaad4bdd4fff11b8717d4867ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c342470236bcfeaad4bdd4fff11b8717d4867ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
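Review bot: the first json-c NOTE line reads "Not all of the patches as part of CVE-2020-12762 do not apply directly/cleanly", a double negative that inverts the intended meaning; presumably "Not all of the patches for CVE-2020-12762 apply directly/cleanly to the version in stretch".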
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage json-c for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 98af1799 by Chris Lamb at 2020-07-09T10:21:51+01:00 data/dla-needed.txt: Triage json-c for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,6 +72,8 @@ imagemagick (Markus Koschany) jruby NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- +json-c +-- libopenmpt -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98af1799a7238f456402e406fecd3aff4cc0922b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98af1799a7238f456402e406fecd3aff4cc0922b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage mailman for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 44179a62 by Chris Lamb at 2020-07-09T10:18:48+01:00 data/dla-needed.txt: Triage mailman for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,6 +78,8 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- +mailman +-- mercurial NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44179a62957fbdbe9990ea4d406b33150bdc7a9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44179a62957fbdbe9990ea4d406b33150bdc7a9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-11736/file-roller will be fixed via ospu
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d391dce1 by Emilio Pozuelo Monfort at 2020-07-09T11:15:44+02:00 CVE-2020-11736/file-roller will be fixed via ospu - - - - - 64192f4a by Emilio Pozuelo Monfort at 2020-07-09T11:15:44+02:00 CVE-2020-14928/e-d-s will be fixed via spu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1610,6 +1610,8 @@ CVE-2020-14929 (Alpine before 2.23 silently proceeds to use an insecure connecti CVE-2020-14928 RESERVED - evolution-data-server 3.36.4-1 + [buster] - evolution-data-server (Will be fixed via spu) + [stretch] - evolution-data-server (Will be fixed via spu) NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226 NOTE: https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df CVE-2020-14927 (Navigate CMS 2.9 allows XSS via the Alias or Real URL field of the "We ...) 
@@ -10492,6 +10494,7 @@ CVE-2020-11736 (fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allo {DLA-2180-1} - file-roller 3.36.2-1 (bug #956638) [buster] - file-roller (Minor issue, will be fixed via spu) + [stretch] - file-roller (Minor issue, will be fixed via spu) NOTE: https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0 CVE-2020-11734 (cgi-bin/go in CyberSolutions CyberMail 5 or later allows XSS via the A ...) NOT-FOR-US: CyberSolutions CyberMail View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1964d5b232480835c03e400d43472f93ab95e4fb...64192f4a1ca8ffa05162a5482ba6486610b9771f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1964d5b232480835c03e400d43472f93ab95e4fb...64192f4a1ca8ffa05162a5482ba6486610b9771f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
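Review bot: the commit title for file-roller says "ospu" (oldstable point update) while the added `[stretch]` annotation says "will be fixed via spu", and the evolution-data-server hunk uses "spu" for both buster and stretch; pick one wording per release so the annotations do not read as if stretch were stable. The evolution-data-server entry also lacks a Debian bug reference, unlike file-roller (bug #956638).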
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage transmission for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 98d6f349 by Chris Lamb at 2020-07-09T10:16:28+01:00 data/dla-needed.txt: Triage transmission for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -142,6 +142,8 @@ sympa tomcat8 (Markus Koschany) NOTE: 20200701: CVE-2020-9484's patch should also be included for Stretch LTS. (utkarsh) -- +transmission +-- unbound NOTE: 20200616: Package unsupported. NOTE: 20200616: Not possible to update debian-security-support package in Jessie. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98d6f349fbc6ee387a4844c17d11a0a6d420896b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98d6f349fbc6ee387a4844c17d11a0a6d420896b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage atril for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1964d5b2 by Chris Lamb at 2020-07-09T10:13:32+01:00 data/dla-needed.txt: Triage atril for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,6 +21,9 @@ ansible NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- +atril + NOTE: 20200709: Previously fixed in jessie LTS via DLA-1882-1. (lamby) +-- batik (Emilio) -- cacti (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1964d5b232480835c03e400d43472f93ab95e4fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1964d5b232480835c03e400d43472f93ab95e4fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage libopenmpt for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 20470ba4 by Chris Lamb at 2020-07-09T10:10:54+01:00 data/dla-needed.txt: Triage libopenmpt for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,6 +69,8 @@ imagemagick (Markus Koschany) jruby NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- +libopenmpt +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20470ba4e44b95dd9c4ea6fd1a474500e966aa13 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20470ba4e44b95dd9c4ea6fd1a474500e966aa13 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track CVE-202-1507{2,3}/phplist
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 84372ef9 by Salvatore Bonaccorso at 2020-07-09T10:31:15+02:00 Track CVE-202-1507{2,3}/phplist - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1250,9 +1250,9 @@ CVE-2020-15075 CVE-2020-15074 RESERVED CVE-2020-15073 (An issue was discovered in phpList through 3.5.4. An XSS vulnerability ...) - TODO: check + - phplist (bug #612288) CVE-2020-15072 (An issue was discovered in phpList through 3.5.4. An error-based SQL I ...) - TODO: check + - phplist (bug #612288) CVE-2020-15071 RESERVED CVE-2020-15070 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84372ef91b00a2b7bf1424f96024ffa56a132a95 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84372ef91b00a2b7bf1424f96024ffa56a132a95 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
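Review bot: the commit subject reads "CVE-202-1507{2,3}" (a digit missing from the year) while the hunk tracks CVE-2020-15072 and CVE-2020-15073; the same bug number (#612288) is attached to both the XSS and the SQL injection entry, so confirm that one bug really covers both issues, and consider a NOTE on which suites still carry phplist since neither entry has a release annotation.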
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73cbb8c7 by security tracker role at 2020-07-09T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1249,10 +1249,10 @@ CVE-2020-15075 RESERVED CVE-2020-15074 RESERVED -CVE-2020-15073 - RESERVED -CVE-2020-15072 - RESERVED +CVE-2020-15073 (An issue was discovered in phpList through 3.5.4. An XSS vulnerability ...) + TODO: check +CVE-2020-15072 (An issue was discovered in phpList through 3.5.4. An error-based SQL I ...) + TODO: check CVE-2020-15071 RESERVED CVE-2020-15070 @@ -2523,7 +2523,7 @@ CVE-2020-14474 (The Cellebrite UFED physical device 5.0 through 7.5.0.845 relies NOT-FOR-US: Cellebrite CVE-2020-14473 (Stack-based buffer overflow vulnerability in Vigor3900, Vigor2960, and ...) NOT-FOR-US: DrayTek -CVE-2020-14472 (DrayTek Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1 ...) +CVE-2020-14472 (On Draytek Vigor3900, Vigor2960, and Vigor 300B devices before 1.5.1.1 ...) NOT-FOR-US: DrayTek CVE-2020-14471 RESERVED @@ -4195,6 +4195,7 @@ CVE-2020-13906 (IrfanView 4.54 allows a user-mode write access violation startin CVE-2020-13905 (IrfanView 4.54 allows a user-mode write access violation starting at F ...) NOT-FOR-US: IrfanView CVE-2020-13904 (FFmpeg 4.2.3 has a use-after-free via a crafted EXTINF duration in an ...) + {DSA-4722-1} - ffmpeg NOTE: https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200529033905.41926-1...@chinaffmpeg.org/ NOTE: https://github.com/FFmpeg/FFmpeg/commit/9dfb19baeb86a8bb02c53a441682c6e9a6e104cc @@ -8228,6 +8229,7 @@ CVE-2020-12286 (In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, th CVE-2020-12285 RESERVED CVE-2020-12284 (cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a ...) + {DSA-4722-1} - ffmpeg 7:4.2.3-1 [stretch] - ffmpeg (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19734 
@@ -22357,7 +22359,7 @@ CVE-2020-7066 (In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x NOTE: Fixed in PHP 7.4.4, 7.3.16, 7.2.29 NOTE: PHP Bug: https://bugs.php.net/79329 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=0d139c5b94a5f485a66901919e51faddb0371c43 -CVE-2020-7065 (In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using ...) +CVE-2020-7065 (In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using ...) {DSA-4719-1} - php7.4 7.4.5-1 - php7.3 @@ -25197,8 +25199,8 @@ CVE-2020-5976 RESERVED CVE-2020-5975 RESERVED -CVE-2020-5974 - RESERVED +CVE-2020-5974 (NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in i ...) + TODO: check CVE-2020-5973 (NVIDIA Virtual GPU Manager and the guest drivers contain a vulnerabili ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5972 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin ...) @@ -25969,8 +25971,8 @@ CVE-2020-5606 RESERVED CVE-2020-5605 RESERVED -CVE-2020-5604 - RESERVED +CVE-2020-5604 (Android App 'Mercari' (Japan version) prior to version 3.52.0 allows a ...) + TODO: check CVE-2020-5603 (Uncontrolled resource consumption vulnerability in Mitsubishi Electori ...) NOT-FOR-US: Mitsubishi CVE-2020-5602 (Mitsubishi Electoric FA Engineering Software (CPU Module Logging Confi ...) @@ -45341,7 +45343,7 @@ CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 NOTE: https://github.com/lz4/lz4/pull/756 NOTE: https://github.com/lz4/lz4/pull/760 CVE-2019-17542 (FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk ...) - {DLA-2021-1} + {DSA-4722-1 DLA-2021-1} - ffmpeg 7:4.2.1-1 [stretch] - ffmpeg (Minor issue, wait until fixed in 3.2.x branch) - libav 
@@ -45369,6 +45371,7 @@ CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/41399a3414069870071e47680b0bbbe0a283db5d NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4ba4dc73b7e38bb66c57d457f17ab4aeb9b6bbdc CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...) + {DSA-4722-1} - ffmpeg 7:4.2.1-1 (low) [stretch] - ffmpeg (Minor issue, wait until fixed in 3.2.x branch) - libav (low) @@ -59206,6 +59209,7 @@ CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier NOTE: Patch is insufficient, partly reverted by the CVE-2019-13308 patch NOTE: which seems
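Review bot: in the CVE-2020-13904 hunk the `- ffmpeg` line still carries no fixed version for unstable, while the added `{DSA-4722-1}` only records the buster fix, so the tracker keeps this issue open for sid; if the upstream commit cited in the NOTE (9dfb19baeb86a8bb02c53a441682c6e9a6e104cc) is already in the current unstable upload, add that version, otherwise the line is correct as-is. The neighbouring CVE-2020-12284 hunk shows the complete shape (`{DSA-4722-1}` followed by `- ffmpeg 7:4.2.3-1`).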
[Git][security-tracker-team/security-tracker][master] Juniper NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7297383c by Moritz Muehlenhoff at 2020-07-09T09:51:45+02:00 Juniper NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38971,34 +38971,47 @@ CVE-2020-1656 RESERVED CVE-2020-1655 RESERVED + NOT-FOR-US: Juniper CVE-2020-1654 RESERVED + NOT-FOR-US: Juniper CVE-2020-1653 RESERVED + NOT-FOR-US: Juniper CVE-2020-1652 RESERVED CVE-2020-1651 RESERVED + NOT-FOR-US: Juniper CVE-2020-1650 RESERVED + NOT-FOR-US: Juniper CVE-2020-1649 RESERVED + NOT-FOR-US: Juniper CVE-2020-1648 RESERVED + NOT-FOR-US: Juniper CVE-2020-1647 RESERVED + NOT-FOR-US: Juniper CVE-2020-1646 RESERVED + NOT-FOR-US: Juniper CVE-2020-1645 RESERVED + NOT-FOR-US: Juniper CVE-2020-1644 RESERVED + NOT-FOR-US: Juniper CVE-2020-1643 RESERVED + NOT-FOR-US: Juniper CVE-2020-1642 RESERVED CVE-2020-1641 RESERVED + NOT-FOR-US: Juniper CVE-2020-1640 RESERVED CVE-2020-1639 (When an attacker sends a specific crafted Ethernet Operation, Administ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7297383c7b4f65d40ab12a13257f1d15adfaa1fe
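Review bot: CVE-2020-1652, CVE-2020-1642 and CVE-2020-1640 are the only RESERVED entries in this range left without a `NOT-FOR-US: Juniper` line (the hunk header's +13 lines match the thirteen annotated entries); if those three were skipped on purpose because Juniper has not yet published them, a short NOTE saying so would save the next triager from re-checking the same block.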
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-8558/kubernetes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f8b87105 by Salvatore Bonaccorso at 2020-07-09T08:28:10+02:00 Add CVE-2020-8558/kubernetes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18847,6 +18847,9 @@ CVE-2020-8559 RESERVED CVE-2020-8558 RESERVED + - kubernetes + NOTE: Issue: https://github.com/kubernetes/kubernetes/issues/90259 + NOTE: Upstream fix: https://github.com/kubernetes/kubernetes/pull/91569 CVE-2020-8557 RESERVED CVE-2020-8556 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8b8710550266b84e24944c351641aeef16f9318
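Review bot: the new `- kubernetes` line for CVE-2020-8558 has no fixed version and no `[buster]`/`[stretch]` sub-entries, so the state of the stable suites is left undeclared; since the CVE is still RESERVED and has no description, a one-line NOTE summarising the issue from the linked GitHub issue (#90259) and the affected upstream versions would let the stable entries be filled in without re-reading the upstream thread.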
[Git][security-tracker-team/security-tracker][master] Track CVE fixes for linux via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68f67d86 by Salvatore Bonaccorso at 2020-07-09T08:09:38+02:00 Track CVE fixes for linux via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -114,3 +114,23 @@ CVE-2020-13249 [buster] - mariadb-10.3 1:10.3.23-0+deb10u1 CVE-2020-11736 [buster] - file-roller 3.30.1-2+deb10u1 +CVE-2019-18885 + [buster] - linux 4.19.131-1 +CVE-2019-20810 + [buster] - linux 4.19.131-1 +CVE-2020-10766 + [buster] - linux 4.19.131-1 +CVE-2020-10767 + [buster] - linux 4.19.131-1 +CVE-2020-10768 + [buster] - linux 4.19.131-1 +CVE-2020-12655 + [buster] - linux 4.19.131-1 +CVE-2020-12771 + [buster] - linux 4.19.131-1 +CVE-2020-13974 + [buster] - linux 4.19.131-1 +CVE-2020-15393 + [buster] - linux 4.19.131-1 +CVE-2018-20669 + [buster] - linux 4.19.131-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68f67d86ebe865f052e4948c905d0c6812375e3b
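Review bot: CVE-2018-20669 is appended after the otherwise ascending CVE-2019/CVE-2020 block, which is cosmetic but makes the later merge into data/CVE/list harder to eyeball; more importantly, all ten entries pin the same `linux 4.19.131-1`, so once the buster point release is accepted each of these CVEs needs its `[buster]` line in data/CVE/list updated to that version, since next-point-update.txt only stages the fixes.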