[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1313{1,2}/yubico-piv-tool
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: caa58172 by Salvatore Bonaccorso at 2020-07-15T07:17:02+02:00 Add CVE-2020-1313{1,2}/yubico-piv-tool - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6387,9 +6387,12 @@ CVE-2020-13134 CVE-2020-13133 RESERVED CVE-2020-13132 (An issue was discovered in Yubico libykpiv before 2.1.0. An attacker c ...) - TODO: check + - yubico-piv-tool + NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-02/ + NOTE: https://blog.inhq.net/posts/yubico-libykpiv-vuln/ CVE-2020-13131 (An issue was discovered in Yubico libykpiv before 2.1.0. lib/util.c in ...) - TODO: check + - yubico-piv-tool + NOTE: https://blog.inhq.net/posts/yubico-libykpiv-vuln/ CVE-2020-13143 (gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linu ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.6.14-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caa5817223e73bb8206b74265184842ae33a8cde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caa5817223e73bb8206b74265184842ae33a8cde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
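Review bot: both new "- yubico-piv-tool" lines carry no fixed Debian version and no bug reference, which leaves the two CVEs open against unstable with nothing pointing the maintainer at them; add the fixing upload (the CVE text names libykpiv 2.1.0 as the fixed upstream release) or a "(bug #NNNNNN)" reference once a bug is filed. The CVE-2020-13131 entry also cites only the blog post while CVE-2020-13132 cites YSA-2020-02 as well; if the Yubico advisory covers both issues, reference it on both entries.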
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15720/dogtag-pki
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ca5ed43 by Salvatore Bonaccorso at 2020-07-15T07:16:42+02:00 Add CVE-2020-15720/dogtag-pki - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -91,7 +91,9 @@ CVE-2020-15722 CVE-2020-15721 (RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XS ...) NOT-FOR-US: RosarioSIS CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did n ...) - TODO: check + - dogtag-pki + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855273 + NOTE: https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...) TODO: check CVE-2020-15718 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ca5ed43aa65fc49514111ee179dc8a2a62827e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ca5ed43aa65fc49514111ee179dc8a2a62827e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
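Review bot: the new "- dogtag-pki" line records the source package without a fixed version, a Debian bug reference or a severity, so the entry will stay open with no owner; the Red Hat bugzilla and the upstream commit are good pointers, but a "(bug #NNNNNN)" reference and, if the fix is not going to be uploaded promptly, a "[buster]" triage line are needed for this to be actionable.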
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8df742ba by Salvatore Bonaccorso at 2020-07-15T07:15:50+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89,7 +89,7 @@ CVE-2020-15723 CVE-2020-15722 RESERVED CVE-2020-15721 (RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XS ...) - TODO: check + NOT-FOR-US: RosarioSIS CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did n ...) TODO: check CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...) @@ -109,7 +109,7 @@ CVE-2020-15713 CVE-2020-15712 RESERVED CVE-2020-15711 (In MISP before 2.4.129, setting a favourite homepage was not CSRF prot ...) - TODO: check + NOT-FOR-US: MISP CVE-2020-15710 RESERVED CVE-2020-15709 @@ -1682,9 +1682,9 @@ CVE-2020-15003 CVE-2020-15002 RESERVED CVE-2020-15001 (An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0 ...) - TODO: check + NOT-FOR-US: Yubico YubiKey 5 NFC devices CVE-2020-15000 (A PIN management problem was discovered on Yubico YubiKey 5 devices 5. ...) - TODO: check + NOT-FOR-US: Yubico YubiKey 5 devices CVE-2020-14999 RESERVED CVE-2020-14998 @@ -9149,7 +9149,7 @@ CVE-2020-12027 CVE-2020-12026 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Mult ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12025 (Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, ...) - TODO: check + NOT-FOR-US: Rockwell Automation CVE-2020-12024 (Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix ...) NOT-FOR-US: Baxter CVE-2020-12023 (Philips IntelliBridge Enterprise (IBE), Versions B.12 and prior, Intel ...) 
@@ -9307,17 +9307,17 @@ CVE-2020-11958 (re2c 1.3 has a heap-based buffer overflow in Scanner::fill in pa CVE-2020-11957 (The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4. ...) NOT-FOR-US: Cypress CVE-2020-11956 (An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMC ...) - TODO: check + NOT-FOR-US: Rittal PDU-3C002DEC CVE-2020-11955 (An issue was discovered on Rittal PDU-3C002DEC through 5.15.70 and CMC ...) - TODO: check + NOT-FOR-US: Rittal PDU-3C002DEC CVE-2020-11954 RESERVED CVE-2020-11953 (An issue was discovered on Rittal PDU-3C002DEC through 5.15.40 and CMC ...) - TODO: check + NOT-FOR-US: Rittal PDU-3C002DEC CVE-2020-11952 (An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMC ...) - TODO: check + NOT-FOR-US: Rittal PDU-3C002DEC CVE-2020-11951 (An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMC ...) - TODO: check + NOT-FOR-US: Rittal PDU-3C002DEC CVE-2020-11950 (VIVOTEK Network Cameras before X-VVTK-2.2002.xx.01x (and before XX ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2020-11949 (testserver.cgi of the web service on VIVOTEK Network Cameras before XX ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8df742ba8eb96d8ff1d7ea42669c222378f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8df742ba8eb96d8ff1d7ea42669c222378f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
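Review bot: in the last hunk the five Rittal entries are tagged "NOT-FOR-US: Rittal PDU-3C002DEC" although every description also names the CMC product ("... and CMC ..."); the vendor-only form used elsewhere in this batch ("NOT-FOR-US: Cypress", "NOT-FOR-US: Rockwell Automation") would avoid tying the tag to one device and reads the same for all five.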
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce697acb by Salvatore Bonaccorso at 2020-07-15T06:50:35+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -24815,39 +24815,39 @@ CVE-2020-6294 CVE-2020-6293 RESERVED CVE-2020-6292 (Logout mechanism in SAP Disclosure Management, version 10.1, does not ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6291 (SAP Disclosure Management, version 10.1, session mechanism does not ha ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6290 (SAP Disclosure Management, version 10.1, is vulnerable to Session Fixa ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6289 (SAP Disclosure Management, version 10.1, had insufficient protection a ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6288 RESERVED CVE-2020-6287 (SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31 ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6286 (The insufficient input path validation of certain parameter in the web ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6285 (SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11 ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6284 RESERVED CVE-2020-6283 RESERVED CVE-2020-6282 (SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11 ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6281 (SAP Business Objects Business Intelligence Platform (BI Launchpad), ve ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6280 (SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6279 (OData APIs and JobApplicationInterview and JobApplication export permi ...) NOT-FOR-US: SAP CVE-2020-6278 (SAP Business Objects Business Intelligence Platform (BI Launchpad and ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6277 RESERVED CVE-2020-6276 (SAP Business Objects Business Intelligence Platform (bipodata), versio ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6275 (SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740 ...) NOT-FOR-US: SAP CVE-2020-6274 
@@ -24865,7 +24865,7 @@ CVE-2020-6269 (Under certain conditions SAP Business Objects Business Intelligen CVE-2020-6268 (Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV ver ...) NOT-FOR-US: SAP CVE-2020-6267 (Some sensitive cookies in SAP Disclosure Management, version 10.1, are ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-6266 (SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an at ...) NOT-FOR-US: SAP CVE-2020-6265 (SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data ...) @@ -29168,13 +29168,13 @@ CVE-2020-4515 CVE-2020-4514 RESERVED CVE-2020-4513 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. Thi ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4512 (IBM QRadar SIEM 7.3 and 7.4 could allow a remote privileged user to ex ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4511 (IBM QRadar SIEM 7.3 and 7.4 could allow an authenticated user to cause ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4510 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity In ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4509 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity In ...) NOT-FOR-US: IBM CVE-2020-4508 
@@ -29466,7 +29466,7 @@ CVE-2020-4366 (IBM Planning Analytics Local 2.0 is vulnerable to cross-site scri CVE-2020-4365 (IBM WebSphere Application Server 8.5 is vulnerable to server-side requ ...) NOT-FOR-US: IBM CVE-2020-4364 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. Thi ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4363 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4362 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce697acbf310a62f95267b110156f719454e1b28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce697acbf310a62f95267b110156f719454e1b28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01e67074 by security tracker role at 2020-07-14T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,115 @@ +CVE-2020-15766 + RESERVED +CVE-2020-15765 + RESERVED +CVE-2020-15764 + RESERVED +CVE-2020-15763 + RESERVED +CVE-2020-15762 + RESERVED +CVE-2020-15761 + RESERVED +CVE-2020-15760 + RESERVED +CVE-2020-15759 + RESERVED +CVE-2020-15758 + RESERVED +CVE-2020-15757 + RESERVED +CVE-2020-15756 + RESERVED +CVE-2020-15755 + RESERVED +CVE-2020-15754 + RESERVED +CVE-2020-15753 + RESERVED +CVE-2020-15752 + RESERVED +CVE-2020-15751 + RESERVED +CVE-2020-15750 + RESERVED +CVE-2020-15749 + RESERVED +CVE-2020-15748 + RESERVED +CVE-2020-15747 + RESERVED +CVE-2020-15746 + RESERVED +CVE-2020-15745 + RESERVED +CVE-2020-15744 + RESERVED +CVE-2020-15743 + RESERVED +CVE-2020-15742 + RESERVED +CVE-2020-15741 + RESERVED +CVE-2020-15740 + RESERVED +CVE-2020-15739 + RESERVED +CVE-2020-15738 + RESERVED +CVE-2020-15737 + RESERVED +CVE-2020-15736 + RESERVED +CVE-2020-15735 + RESERVED +CVE-2020-15734 + RESERVED +CVE-2020-15733 + RESERVED +CVE-2020-15732 + RESERVED +CVE-2020-15731 + RESERVED +CVE-2020-15730 + RESERVED +CVE-2020-15729 + RESERVED +CVE-2020-15728 + RESERVED +CVE-2020-15727 + RESERVED +CVE-2020-15726 + RESERVED +CVE-2020-15725 + RESERVED +CVE-2020-15724 + RESERVED +CVE-2020-15723 + RESERVED +CVE-2020-15722 + RESERVED +CVE-2020-15721 (RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XS ...) + TODO: check +CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did n ...) + TODO: check +CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...) + TODO: check +CVE-2020-15718 + RESERVED +CVE-2020-15717 + RESERVED +CVE-2020-15716 + RESERVED +CVE-2020-15715 + RESERVED +CVE-2020-15714 + RESERVED +CVE-2020-15713 + RESERVED +CVE-2020-15712 + RESERVED +CVE-2020-15711 (In MISP before 2.4.129, setting a favourite homepage was not CSRF prot ...) + TODO: check CVE-2020-15710 RESERVED CVE-2020-15709 
@@ -1400,8 +1512,8 @@ CVE-2020-15076 RESERVED CVE-2020-15075 RESERVED -CVE-2020-15074 - RESERVED +CVE-2020-15074 (OpenVPN Access Server older than version 2.8.4 generates new user auth ...) + TODO: check CVE-2020-15073 (An issue was discovered in phpList through 3.5.4. An XSS vulnerability ...) - phplist (bug #612288) CVE-2020-15072 (An issue was discovered in phpList through 3.5.4. An error-based SQL I ...) @@ -4295,15 +4407,13 @@ CVE-2020-13937 RESERVED CVE-2020-13936 RESERVED -CVE-2020-13935 - RESERVED +CVE-2020-13935 (The payload length in a WebSocket frame was not correctly validated in ...) - tomcat9 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/3 NOTE: https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5 (8.5.57) NOTE: https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d (9.0.37) -CVE-2020-13934 - RESERVED +CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0. ...) - tomcat9 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/4 @@ -4323,11 +4433,9 @@ CVE-2020-13928 RESERVED CVE-2020-13927 RESERVED -CVE-2020-13926 - RESERVED +CVE-2020-13926 (Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when ...) NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) -CVE-2020-13925 - RESERVED +CVE-2020-13925 (Similar to CVE-2020-1956, Kylin has one more restful API which concate ...) NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) CVE-2020-13924 RESERVED 
@@ -4530,16 +4638,13 @@ CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote [stretch] - libupnp (Minor issue) NOTE: https://github.com/pupnp/pupnp/issues/177 NOTE: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 -CVE-2020-13847 - RESERVED +CVE-2020-13847 (Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Chec ...) - singularity-container (bug #965040) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v -CVE-2020-13846 - RESERVED +CVE-2020-13846 (Sylabs Singularity 3.5.0 through 3.5.3 fails to report an
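Review bot: in the second hunk CVE-2020-15074 is imported with "TODO: check", but its description names OpenVPN Access Server, which is not the openvpn source package Debian ships; the check should confirm whether any packaged code is affected before the entry is either assigned to a package or marked NOT-FOR-US, so it does not sit in the TODO queue next to the two Tomcat entries that already have packages and references.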
[Git][security-tracker-team/security-tracker][master] older XFS issue unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 60d2f7da by Moritz Muehlenhoff at 2020-07-14T22:03:49+02:00 older XFS issue unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -205810,10 +205810,11 @@ CVE-2016-8666 (The IP stack in the Linux kernel before 4.6 allows remote attacke NOTE: Introduced by: htttps://git.kernel.org/linus/bf5a755f5e9186406bbf50f4087100af5bd68e40 NOTE: http://www.openwall.com/lists/oss-security/2016/10/13/11 CVE-2016-8660 (The XFS subsystem in the Linux kernel through 4.8.2 allows local users ...) - - linux (low) + - linux (unimportant) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - - linux-4.9 (low) + - linux-4.9 (unimportant) + NOTE: Not a security bug per upstream at https://marc.info/?l=linux-fsdevel&m=147639177409294&w=2 CVE-2016-8659 (Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might all ...) - bubblewrap 0.1.2-2 (bug #840605) NOTE: https://github.com/projectatomic/bubblewrap/issues/107 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d2f7da9113847b729b1122b746365c478239cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d2f7da9113847b729b1122b746365c478239cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
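Review bot: the unchanged context line above the CVE-2016-8660 entry carries a typo in its NOTE, "htttps://git.kernel.org/linus/bf5a755f...", which breaks the link; worth correcting to "https://" in a follow-up while this region is being touched. The downgrade itself is well supported by the new NOTE pointing at the upstream "not a security bug" statement.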
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for singularity-container issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 725c1fb3 by Salvatore Bonaccorso at 2020-07-14T21:46:10+02:00 Add Debian bug reference for singularity-container issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4532,15 +4532,15 @@ CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote NOTE: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 CVE-2020-13847 RESERVED - - singularity-container + - singularity-container (bug #965040) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v CVE-2020-13846 RESERVED - - singularity-container + - singularity-container (bug #965040) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92 CVE-2020-13845 RESERVED - - singularity-container + - singularity-container (bug #965040) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c CVE-2020-13844 (Arm Armv8-A core implementations utilizing speculative execution past ...) NOTE: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/725c1fb3a3c657ff8406c58a9ada0265a70e313c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/725c1fb3a3c657ff8406c58a9ada0265a70e313c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1384{5,6,7}/singularity-container
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b766379 by Salvatore Bonaccorso at 2020-07-14T21:35:36+02:00 Add CVE-2020-1384{5,6,7}/singularity-container - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4532,10 +4532,16 @@ CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote NOTE: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 CVE-2020-13847 RESERVED + - singularity-container + NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v CVE-2020-13846 RESERVED + - singularity-container + NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92 CVE-2020-13845 RESERVED + - singularity-container + NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c CVE-2020-13844 (Arm Armv8-A core implementations utilizing speculative execution past ...) NOTE: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b766379295c6d46cfcf685d06dcd865e769 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b766379295c6d46cfcf685d06dcd865e769 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream commit references for CVE-2020-1393{4,5}/tomcat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca91b22e by Salvatore Bonaccorso at 2020-07-14T21:22:38+02:00 Add upstream commit references for CVE-2020-1393{4,5}/tomcat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4300,11 +4300,15 @@ CVE-2020-13935 - tomcat9 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/3 + NOTE: https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5 (8.5.57) + NOTE: https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d (9.0.37) CVE-2020-13934 RESERVED - tomcat9 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/4 + NOTE: https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc950e (8.5.57) + NOTE: https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230f399 (9.0.37) CVE-2020-13933 RESERVED CVE-2020-13932 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca91b22e7dcbb61e5138f042854ccfb788cb79bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca91b22e7dcbb61e5138f042854ccfb788cb79bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Adjust one oss-security reference for CVE-2020-13935/tomcat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e07eb6f8 by Salvatore Bonaccorso at 2020-07-14T21:19:46+02:00 Adjust one oss-security reference for CVE-2020-13935/tomcat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4299,7 +4299,7 @@ CVE-2020-13935 RESERVED - tomcat9 - tomcat8 - NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/4 + NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/3 CVE-2020-13934 RESERVED - tomcat9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e07eb6f8686f721b3b2081099cca000893c84bd8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e07eb6f8686f721b3b2081099cca000893c84bd8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] embedded-code-copies: Indent via tabs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f1ec819 by Salvatore Bonaccorso at 2020-07-14T21:12:57+02:00 embedded-code-copies: Indent via tabs - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -1838,8 +1838,8 @@ yui - otrs2 2.4.7+dfsg1-1 (embed; bug #592146) quake3 (vanilla source not packaged in debian) -- ioquake3 (fork) -- iortcw (fork) + - ioquake3 (fork) + - iortcw (fork) - openarena (partial fork) - openjk (fork) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f1ec81939130b41d50f4387de4fe7f020135ed4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f1ec81939130b41d50f4387de4fe7f020135ed4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5565e7e by Moritz Muehlenhoff at 2020-07-14T18:08:51+02:00 buster triage mark one wp issue as undetermined, no actionable information except some second hand media reports - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -12765,6 +12765,7 @@ CVE-2020-11021 (Actions Http-Client (NPM @actions/http-client) before version 1. NOT-FOR-US: Actions Http-Client CVE-2020-11020 (Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1. ...) - ruby-faye (bug #959392) + [buster] - ruby-faye (Minor issue) NOTE: https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5 NOTE: https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e CVE-2020-11019 (In FreeRDP less than or equal to 2.0.0, when running with logger set t ...) @@ -13834,6 +13835,7 @@ CVE-2020-10731 RESERVED CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw was found ...) - ldb 2:2.1.4-1 + [buster] - ldb (Minor issue) - samba 2:4.12.5+dfsg-1 [buster] - samba (Minor issue, fix along in next DSA) [stretch] - ldb (Vulnerable code introduced later) @@ -105388,8 +105390,7 @@ CVE-2018-1000801 (okular version 18.08 and earlier contains a Directory Traversa CVE-2018-1000800 (zephyr-rtos version 1.12.0 contains a NULL base pointer reference vuln ...) NOT-FOR-US: zephyr-rtos CVE-2018-1000773 (WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation ...) - - wordpress - [jessie] - wordpress (cf. CVE-2017-1000600) + - wordpress NOTE: This CVE exists due to an incomplete fix in 4.9 for CVE-2017-1000600. CVE-2018-1000673 REJECTED = data/dsa-needed.txt = 
@@ -41,6 +41,8 @@ squid (jmm) -- teeworlds (jmm) -- +tomcat9 +-- xcftools Hugo proposed to work on this update -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5565e7ef2599faa3e60703e8e0263c2872f285c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5565e7ef2599faa3e60703e8e0263c2872f285c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
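Review bot: the commit message says the WordPress issue (CVE-2018-1000773, third hunk of data/CVE/list) is marked undetermined, but the replacement line reads only "+ - wordpress" with no marker, so as rendered the change just drops the "[jessie] - wordpress (cf. CVE-2017-1000600)" annotation; confirm that the committed line carries the undetermined marker, since angle-bracketed tokens are easily lost when the mail is rendered, and consider keeping the cross-reference to CVE-2017-1000600 in a NOTE if the jessie line is removed.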
[Git][security-tracker-team/security-tracker][master] new tomcat issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 880a0d0a by Moritz Muehlenhoff at 2020-07-14T17:45:37+02:00 new tomcat issues python no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47,10 +47,12 @@ CVE-2020-15688 CVE-2020-15687 RESERVED CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craf ...) - - python3.8 - - python3.7 - - python3.5 - - python2.7 + - python3.8 (low) + - python3.7 (low) + [buster] - python3.7 (Minor issue) + - python3.5 (low) + - python2.7 (low) + [buster] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue39017 NOTE: Proposed fix: https://github.com/python/cpython/pull/21454 CVE-2020-15686 @@ -4295,8 +4297,14 @@ CVE-2020-13936 RESERVED CVE-2020-13935 RESERVED + - tomcat9 + - tomcat8 + NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/4 CVE-2020-13934 RESERVED + - tomcat9 + - tomcat8 + NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/4 CVE-2020-13933 RESERVED CVE-2020-13932 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/880a0d0a9652c9339658accd7848a4bd68adb761 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/880a0d0a9652c9339658accd7848a4bd68adb761 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
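Review bot: in the second hunk both CVE-2020-13935 and CVE-2020-13934 are given the same oss-security reference, https://www.openwall.com/lists/oss-security/2020/07/14/4; these are two separate Tomcat advisories, so one of the two NOTE lines almost certainly points at the wrong post and should be checked against the list archive. In the first hunk python3.5 gets "(low)" without a "[stretch]" triage line while python3.7 and python2.7 get "[buster] ... (Minor issue)"; add the matching stretch annotation if the same no-dsa decision applies there.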
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2018-1000038 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 71bb370f by Thorsten Alteholz at 2020-07-14T15:20:15+02:00 mark CVE-2018-138 as not-affected for Stretch - - - - - 42be60d1 by Thorsten Alteholz at 2020-07-14T15:32:04+02:00 mark CVE-2018-139 as not-affected for Stretch - - - - - 160b42e1 by Thorsten Alteholz at 2020-07-14T15:48:56+02:00 mark CVE-2019-6131 as not-affected for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80286,7 +80286,7 @@ CVE-2019-6132 (An issue was discovered in Bento4 v1.5.1-627. There is a memory l NOT-FOR-US: Bento4 CVE-2019-6131 (svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack co ...) - mupdf 1.14.0+ds1-3 (bug #918970) - [stretch] - mupdf (Minor issue) + [stretch] - mupdf (vulnerable code not present) [jessie] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700442 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?c8f7e48ff74720a5e984ae19d978a5ab4d5dde5b @@ -132508,6 +132508,7 @@ CVE-2018-140 (In MuPDF 1.12.0 and earlier, multiple use of uninitialized val NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=83d4dae44c71816c084a635550acc1a51529b881;hp=f597300439e62f5e921f0d7b1e880b5c1a1f1607 CVE-2018-139 (In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the ...) - mupdf 1.13.0+ds1-1 + [stretch] - mupdf (vulnerable code not present) [jessie] - mupdf (vulnerable code not present) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5492 
@@ -132519,6 +132520,7 @@ CVE-2018-139 (In MuPDF 1.12.0 and earlier, multiple heap use after free bugs NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b CVE-2018-138 (In MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_l ...) - mupdf 1.13.0+ds1-1 + [stretch] - mupdf (vulnerable code not present) [jessie] - mupdf (vulnerable code not present) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5494 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/06739ba25a19083042f7a0cc86ca585295014a55...160b42e1309e0604b91008e96ba7b01b99c8d74a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/06739ba25a19083042f7a0cc86ca585295014a55...160b42e1309e0604b91008e96ba7b01b99c8d74a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
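Review bot: the identifiers in the second and third hunks read CVE-2018-138, CVE-2018-139 and CVE-2018-140, while the subject line names CVE-2018-1000038; the ids look truncated in this rendering rather than in the file, so verify that the committed entries carry the full identifiers before relying on this mail. The stretch lines themselves are consistent with the existing jessie and wheezy "(vulnerable code not present)" annotations.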
[Git][security-tracker-team/security-tracker][master] claim mupdf
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 06739ba2 by Thorsten Alteholz at 2020-07-14T15:19:03+02:00 claim mupdf - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -107,7 +107,7 @@ mumble NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) -- -mupdf +mupdf (Thorsten Alteholz) NOTE: 20200708: Vulnerable to at least CVE-2019-13290. (lamby) -- nginx (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06739ba25a19083042f7a0cc86ca585295014a55 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06739ba25a19083042f7a0cc86ca585295014a55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update Quake family of game engines
Simon McVittie pushed to branch master at Debian Security Tracker / security-tracker Commits: c8b1a28d by Simon McVittie at 2020-07-14T13:03:48+00:00 Update Quake family of game engines - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -1838,14 +1838,19 @@ yui - otrs2 2.4.7+dfsg1-1 (embed; bug #592146) quake3 (vanilla source not packaged in debian) - - openarena (fork) +- ioquake3 (fork) +- iortcw (fork) + - openarena (partial fork) + - openjk (fork) quake2 (vanilla source not packaged in debian) - alien-arena (fork) - warsow (fork) + - yquake2 (fork) quake (vanilla source not packaged in debian) - darkplaces (fork) + - ezquake (fork) - quakespasm (fork) - nexuiz 2.5.2+dp-1 (old-version) NOTE: before 2.5.2+dp this was an outdated version of darkplaces View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8b1a28d21e73a0f0d0c0743167d6c03f159c95d
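Review bot: the new nesting leaves it ambiguous which engine openarena and openjk now derive from. In the hunk they are indented below the pair `- ioquake3 (fork)` / `- iortcw (fork)` and sit directly after iortcw, so a reader following the file's parent/child layout will take both as iortcw forks; if they are meant to descend from ioquake3, place them directly under that line (or add a NOTE, as the nexuiz entry does), and spell out what "partial fork" means for openarena so the relationship is actionable when a quake3 CVE is triaged.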
[Git][security-tracker-team/security-tracker][master] nginx fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5504c288 by Moritz Muehlenhoff at 2020-07-14T14:22:07+02:00 nginx fixed in sid mark old linux issue as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10672,7 +10672,7 @@ CVE-2020-11727 (A cross-site scripting (XSS) vulnerability in the AlgolPlus Adva CVE-2020-11726 RESERVED CVE-2020-11724 (An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_sub ...) - - nginx (bug #964950) + - nginx 1.18.0-5 (bug #964950) NOTE: https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa (ngx_lua 0.10.17, with tests) NOTE: https://github.com/openresty/openresty/commit/4e8b4c395f842a078e429c80dd063b232357 (ngx_lua 0.10.15) NOTE: nginx packages include ngx_lua in debian/modules/ 
@@ -121295,9 +121295,10 @@ CVE-2018-10683 (** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. CVE-2018-10682 (** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. It is ...) - wildfly (bug #752018) CVE-2016-10723 (** DISPUTED ** An issue was discovered in the Linux kernel through 4.1 ...) - - linux - - linux-4.9 + - linux (unimportant) + - linux-4.9 (unimportant) NOTE: https://patchwork.kernel.org/patch/10395909/ + NOTE: Negligible security impact, long standing limitation CVE-2016-10722 (partclone.fat in Partclone before 0.2.88 is prone to a heap-based buff ...) - partclone 0.2.88-1 [jessie] - partclone (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5504c288d1619d9774a8ac3d903d6f4b3e532e45
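Review bot: the CVE-2020-11724 hunk records the sid fix (`- nginx 1.18.0-5 (bug #964950)`) but adds no [buster] or [stretch] annotation, so both suites now show the issue as open with no triage decision recorded. Since the NOTE states that the affected ngx_lua copy ships in debian/modules/, the stable branches need an explicit line (Minor issue, or a fixed version once a point release is planned) in this commit or a follow-up.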
[Git][security-tracker-team/security-tracker][master] CVE-2020-14928/e-d-s will actually get a DSA/DLA
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 41edc128 by Emilio Pozuelo Monfort at 2020-07-14T11:33:22+02:00 CVE-2020-14928/e-d-s will actually get a DSA/DLA - - - - - 3 changed files: - data/CVE/list - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1762,8 +1762,6 @@ CVE-2020-14929 (Alpine before 2.23 silently proceeds to use an insecure connecti CVE-2020-14928 RESERVED - evolution-data-server 3.36.4-1 - [buster] - evolution-data-server (Will be fixed via spu) - [stretch] - evolution-data-server (Will be fixed via spu) NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226 NOTE: https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df CVE-2020-14927 (Navigate CMS 2.9 allows XSS via the Alias or Real URL field of the "We ...) = data/dla-needed.txt = @@ -46,6 +46,8 @@ condor (Roberto C. Sánchez) -- curl (Thorsten Alteholz) -- +evolution-data-server (Emilio) +-- ffmpeg (Adrian Bunk) NOTE: 20200707: Vulnerable to at least CVE-2020-13904. (lamby) NOTE: 20200707: According to jmm, ffmpeg in stretch follows the 3.2.x releases = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- curl (ghedo) -- +evolution-data-server (jmm) +-- libopenmpt -- knot-resolver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41edc128feaf49f2c595dc8c2fbf1eccdb1665f9
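Review bot: the context line `NOTE: https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df` carries a doubled slash after GNOME; since this commit already edits the CVE-2020-14928 entry, fix the URL here. Dropping the two `(Will be fixed via spu)` lines without a replacement leaves buster and stretch marked as open, which matches the DSA/DLA intent recorded in dsa-needed.txt and dla-needed.txt, but a short NOTE in the CVE entry pointing at that decision would make the list self-explanatory.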
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a41f9a8 by Moritz Muehlenhoff at 2020-07-14T11:16:07+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,7 +41,7 @@ CVE-2020-15691 CVE-2020-15690 RESERVED CVE-2020-15689 (Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, ...) - TODO: check + NOT-FOR-US: Appweb CVE-2020-15688 RESERVED CVE-2020-15687 @@ -1334,7 +1334,7 @@ CVE-2020-15107 CVE-2020-15106 RESERVED CVE-2020-15105 (Django Two-Factor Authentication before 1.12, stores the user's passwo ...) - TODO: check + NOT-FOR-US: Django Two-Factor Authentication CVE-2020-15104 RESERVED CVE-2020-15103 @@ -1363,7 +1363,7 @@ CVE-2020-15094 CVE-2020-15093 (The tough library (Rust/crates.io) prior to version 0.7.1 does not pro ...) TODO: check CVE-2020-15092 (In TimelineJS before version 3.7.0, some user data renders as HTML. An ...) - TODO: check + NOT-FOR-US: TimelineJS CVE-2020-15091 (TenderMint from version 0.33.0 and before version 0.33.6 allows block ...) NOT-FOR-US: TenderMint CVE-2020-15090 @@ -1447,7 +1447,7 @@ CVE-2020-15052 CVE-2020-15051 RESERVED CVE-2020-15050 (An issue was discovered in the Video Extension in Suprema BioStar 2 be ...) - TODO: check + NOT-FOR-US: Suprema BioStar CVE-2020-15049 (An issue was discovered in http/ContentLengthInterpreter.cc in Squid b ...) - squid 4.12-1 - squid3 @@ -4315,10 +4315,10 @@ CVE-2020-13927 RESERVED CVE-2020-13926 RESERVED - NOT-FOR-US: Apache Kylin + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) CVE-2020-13925 RESERVED - NOT-FOR-US: Apache Kylin + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) CVE-2020-13924 RESERVED CVE-2020-13923 
@@ -8084,7 +8084,8 @@ CVE-2020-12405 (When browsing a malicious page, a race condition in our SharedWo NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12405 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12405 CVE-2020-12404 (For native-to-JS bridging the app requires a unique token to be passed ...) - TODO: check + - firefox (Specific to iOS) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-19/#CVE-2020-12404 CVE-2020-12403 RESERVED CVE-2020-12402 (During RSA key generation, bignum implementations used a variation of ...) @@ -10594,7 +10595,7 @@ CVE-2020-11751 CVE-2020-11750 RESERVED CVE-2020-11749 (Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2020-11748 RESERVED CVE-2020-11747 
@@ -12860,13 +12861,13 @@ CVE-2020-10991 (Mulesoft APIkit through 1.3.0 allows XXE because of validation/R CVE-2020-10990 (An XXE issue exists in Accenture Mercury before 1.12.28 because of the ...) NOT-FOR-US: Accenture Mercury CVE-2020-10989 (An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 ...) - TODO: check + NOT-FOR-US: Tenda CVE-2020-10988 (A hard-coded telnet credential in the tenda_login binary of Tenda AC15 ...) - TODO: check + NOT-FOR-US: Tenda CVE-2020-10987 (The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05 ...) - TODO: check + NOT-FOR-US: Tenda CVE-2020-10986 (A CSRF issue in the /goform/SysToolReboot endpoint of Tenda AC15 AC190 ...) - TODO: check + NOT-FOR-US: Tenda CVE-2020-10985 RESERVED CVE-2020-10984 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a41f9a89d3ab2cd6e3db9ddafe655d646c91249
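Review bot: in the CVE-2020-12404 hunk, `- firefox (Specific to iOS)` marks the firefox source package as affected in every suite with only a free-text reason, so the tracker will list it as an open issue. The tracker syntax for an issue that does not apply to the Debian package is `- firefox <not-affected> (Specific to iOS)`; given the reason stated, NOT-FOR-US, as used for the other entries in this commit, would also fit.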
[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f1a9760 by Moritz Muehlenhoff at 2020-07-14T11:10:24+02:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1737,6 +1737,7 @@ CVE-2020-14930 (An issue was discovered in BT CTROMS Terminal OS Port Portal CT- NOT-FOR-US: BT CTROMS Terminal OS Port Portal CT-464 CVE-2019-20892 (net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateRefer ...) - net-snmp 5.8+dfsg-3 (bug #963713) + [buster] - net-snmp (Minor issue) [stretch] - net-snmp (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/06/25/4 NOTE: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027 @@ -3372,6 +3373,7 @@ CVE-2020-14304 [ethtool when reading eeprom of device could lead to memory leak] - linux (bug #960702) CVE-2020-14303 (A flaw was found in the AD DC NBT server in all Samba versions before ...) - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) NOTE: https://www.samba.org/samba/security/CVE-2020-14303.html CVE-2020-14302 RESERVED @@ -4022,6 +4024,7 @@ CVE-2020-14041 CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in encoding ...) - golang-golang-x-text 0.3.3-1 (bug #964272) - golang-x-text (bug #964271) + [buster] - golang-x-text (Minor issue) NOTE: https://github.com/golang/go/issues/39491 NOTE: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e NOTE: https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0 
@@ -7313,6 +7316,7 @@ CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a U NOT-FOR-US: iframe plugin for WordPress CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-04-17 ...) - wpa + [buster] - wpa (Minor issue) - gupnp 1.2.3-1 NOTE: https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt NOTE: https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch @@ -12841,7 +12845,8 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multipl ...) - - pillow + - pillow (low) + [buster] - pillow (Minor issue) [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4505 NOTE: https://github.com/python-pillow/Pillow/pull/4538 @@ -13697,6 +13702,7 @@ CVE-2020-10761 (An assertion failure issue was found in the Network Block Device NOTE: Introduced in: https://git.qemu.org/?p=qemu.git;a=commit;h=93676c88d7a5cd5971de94f9091eff8e9773b1af CVE-2020-10760 (A use-after-free flaw was found in all samba LDAP server versions befo ...) - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) NOTE: https://www.samba.org/samba/security/CVE-2020-10760.html CVE-2020-10759 [Possible bypass in signature verification] RESERVED @@ -13767,6 +13773,7 @@ CVE-2020-10746 RESERVED CVE-2020-10745 (A flaw was found in all Samba versions before 4.10.17, before 4.11.11 ...) - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) NOTE: https://www.samba.org/samba/security/CVE-2020-10745.html CVE-2020-10744 (An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansi ...) - ansible 
@@ -13821,6 +13828,7 @@ CVE-2020-10731 CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw was found ...) - ldb 2:2.1.4-1 - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) [stretch] - ldb (Vulnerable code introduced later) NOTE: https://www.samba.org/samba/security/CVE-2020-10730.html NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0 (for ldb) @@ -14022,6 +14030,7 @@ CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x an CVE-2020-10683 (dom4j before 2.1.3 allows external DTDs and External Entities by defau ...) {DLA-2191-1} - dom4j (bug #958055) + [buster] - dom4j (Minor issue) NOTE: https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d (the fix?) NOTE: https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 (post-fix refactor?) CVE-2020-10682 (The Fi
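Review bot: the CVE-2020-10994 hunk lowers pillow to `(low)` and adds `[buster] - pillow (Minor issue)` beside the existing `[jessie] - pillow (Minor issue)`, but stretch gets no annotation, so it stays listed as open while the suites on either side of it are triaged as minor. Add a [stretch] line with the same decision, or a NOTE explaining why stretch differs.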
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b151b38 by Henri Salo at 2020-07-14T11:51:02+03:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4312,8 +4312,10 @@ CVE-2020-13927 RESERVED CVE-2020-13926 RESERVED + NOT-FOR-US: Apache Kylin CVE-2020-13925 RESERVED + NOT-FOR-US: Apache Kylin CVE-2020-13924 RESERVED CVE-2020-13923 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b151b3876046ea7924e3b123cddead3ef2d1b20
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30bb48d8 by security tracker role at 2020-07-14T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2020-15710 + RESERVED +CVE-2020-15709 + RESERVED +CVE-2020-15708 + RESERVED +CVE-2020-15707 + RESERVED +CVE-2020-15706 + RESERVED +CVE-2020-15705 + RESERVED +CVE-2020-15704 + RESERVED +CVE-2020-15703 + RESERVED +CVE-2020-15702 + RESERVED +CVE-2020-15701 + RESERVED CVE-2020-15700 RESERVED CVE-2020-15699 @@ -1426,8 +1446,8 @@ CVE-2020-15052 RESERVED CVE-2020-15051 RESERVED -CVE-2020-15050 - RESERVED +CVE-2020-15050 (An issue was discovered in the Video Extension in Suprema BioStar 2 be ...) + TODO: check CVE-2020-15049 (An issue was discovered in http/ContentLengthInterpreter.cc in Squid b ...) - squid 4.12-1 - squid3 @@ -3360,13 +3380,11 @@ CVE-2020-14301 [leak of sensitive cookie information via dumpxml] - libvirt (Vulnerable code introduced with 6.2.0) NOTE: Fixed by: https://github.com/libvirt/libvirt/commit/a5b064bf4b17a9884d7d361733737fb614ad8979 NOTE: Fixed by: https://github.com/libvirt/libvirt/commit/524de6cc35d3b222f0e940bb0fd027f5482572c5 -CVE-2020-14300 - RESERVED +CVE-2020-14300 (The docker packages version docker-1.13.1-108.git4ef4b30.el7 as releas ...) - docker.io (Red Hat specific regression) CVE-2020-14299 RESERVED -CVE-2020-14298 - RESERVED +CVE-2020-14298 (The version of docker as released for Red Hat Enterprise Linux 7 Extra ...) - docker.io (Red Hat specific regression) CVE-2020-14297 RESERVED @@ -4830,6 +4848,7 @@ CVE-2020-13755 RESERVED CVE-2020-13753 RESERVED + {DSA-4724-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) 
@@ -15886,6 +15905,7 @@ CVE-2020-9852 (An integer overflow was addressed through improved input validati CVE-2020-9851 (An access issue was addressed with improved access restrictions. This ...) NOT-FOR-US: Apple CVE-2020-9850 (A logic issue was addressed with improved restrictions. This issue is ...) + {DSA-4724-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) @@ -15904,6 +15924,7 @@ CVE-2020-9845 CVE-2020-9844 (A double free issue was addressed with improved memory management. Thi ...) NOT-FOR-US: Apple CVE-2020-9843 (An input validation issue was addressed with improved input validation ...) + {DSA-4724-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) 
@@ -15980,18 +16001,21 @@ CVE-2020-9809 (An information disclosure issue was addressed with improved state CVE-2020-9808 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2020-9807 (A memory corruption issue was addressed with improved state management ...) + {DSA-4724-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.3-1 NOTE: https://webkitgtk.org/security/WSA-2020-0006.html CVE-2020-9806 (A memory corruption issue was addressed with improved state management ...) + {DSA-4724-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.3-1 NOTE: https://webkitgtk.org/security/WSA-2020-0006.html CVE-2020-9805 (A logic issue was addressed with improved restrictions. This issue is ...) + {DSA-4724-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) @@ -16000,12 +16024,14 @@ CVE-2020-9805 (A logic issue was addressed with improved restrictions. This issu CVE-2020-9804 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9803 (A memory corruption issue was addressed with improved validation. This ...) + {DSA-4724-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - w