[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-15807

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f56553cc by Salvatore Bonaccorso at 2020-07-17T22:12:31+02:00
Update information for CVE-2020-15807

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,7 +15,7 @@ CVE-2020-15809
 CVE-2020-15808
RESERVED
 CVE-2020-15807 (GNU LibreDWG before 0.11 allows NULL pointer dereferences via 
crafted  ...)
-   TODO: check
+   - libredwg  (bug #595191)
 CVE-2020-15806
RESERVED
 CVE-2020-15805
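Review bot: the new `- libredwg  (bug #595191)` line records only the Debian bug and no upstream reference. The CVE-2019-20915 entry in the 08:10 automatic update in this digest carries the same bug number, so #595191 is the long-standing libredwg bug rather than one opened for this CVE; a `NOTE:` with the upstream issue or fix commit, as the openjpeg2 and Tomcat entries here have, would make the entry checkable without re-reading the bug.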



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f56553ccd335c1737bc63ff3b78e7e5f9647fd24

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f56553ccd335c1737bc63ff3b78e7e5f9647fd24
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f26ad253 by Salvatore Bonaccorso at 2020-07-17T22:11:30+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29531,7 +29531,7 @@ CVE-2020-4466
 CVE-2020-4465
RESERVED
 CVE-2020-4464 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 
traditional co ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4463
RESERVED
 CVE-2020-4462 (IBM Sterling External Authentication Server 6.0.1, 6.0.0, 
2.4.3.2, and ...)
@@ -84088,9 +84088,9 @@ CVE-2019-4750 (IBM Cloud App Management 2019.3.0 and 
2019.4.0 is vulnerable to c
 CVE-2019-4749 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site 
scripting. ...)
NOT-FOR-US: IBM
 CVE-2019-4748 (IBM Jazz Team Server based Applications are vulnerable to 
cross-site s ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4747 (IBM Team Concert (RTC) is vulnerable to cross-site scripting. 
This vul ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4746 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is 
vulner ...)
NOT-FOR-US: IBM
 CVE-2019-4745 (IBM Maximo Asset Management 7.6.1.0 could allow a remote 
attacker to d ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f26ad2537eb6ce460a8d84a870bd84d1704138a6


[Git][security-tracker-team/security-tracker][master] automatic update

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bcb1a11b by security tracker role at 2020-07-17T20:10:21+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,23 @@
+CVE-2020-15815
+   RESERVED
+CVE-2020-15814
+   RESERVED
+CVE-2020-15813 (Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP 
servers ...)
+   TODO: check
+CVE-2020-15812
+   RESERVED
+CVE-2020-15811
+   RESERVED
+CVE-2020-15810
+   RESERVED
+CVE-2020-15809
+   RESERVED
+CVE-2020-15808
+   RESERVED
+CVE-2020-15807 (GNU LibreDWG before 0.11 allows NULL pointer dereferences via 
crafted  ...)
+   TODO: check
+CVE-2020-15806
+   RESERVED
 CVE-2020-15805
RESERVED
 CVE-2020-15804
@@ -368,7 +388,7 @@ CVE-2020-15647
RESERVED
 CVE-2020-15646
RESERVED
-   {DSA-4718-1 DLA-2247-1}
+   {DSA-4718-1}
- thunderbird 1:68.10.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-15646
 CVE-2020-15645
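Review bot: dropping DLA-2247-1 from CVE-2020-15646 is consistent with commit 5680e27c in this digest, which restored the DLA-2247-1 CVE list to CVE-2020-12398/12399/12405/12406/12410; the same removal appears further down for CVE-2020-12421. The entries for CVE-2020-12417 to CVE-2020-12420, which that restored list also no longer covers, are not in this diff, so confirm they lost the DLA reference as well.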
@@ -513,8 +533,7 @@ CVE-2020-15588
RESERVED
 CVE-2020-15587
RESERVED
-CVE-2020-15586
-   RESERVED
+CVE-2020-15586 (Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in 
some net ...)
- golang-1.15 
- golang-1.14 
- golang-1.11 
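Review bot: the CVE-2020-15586 entry lists golang-1.15, golang-1.14 and golang-1.11 with no fixed version and no `NOTE:`, unlike the CVE-2020-14040 entry further down, which carries the upstream issue and golang-announce links. The description already names the fixed upstream releases (1.13.13 and 1.14.5), so at least the golang-1.14 line can be checked against the packaged version, and a `NOTE:` with the announcement reference would help whoever triages it.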
@@ -734,8 +753,8 @@ CVE-2020-15499
RESERVED
 CVE-2020-15498
RESERVED
-CVE-2020-15497
-   RESERVED
+CVE-2020-15497 (jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 
build-20200224104759 ...)
+   TODO: check
 CVE-2020-15496
RESERVED
 CVE-2020-15495
@@ -2004,8 +2023,7 @@ CVE-2020-14929 (Alpine before 2.23 silently proceeds to 
use an insecure connecti
[stretch] - alpine  (Minor issue)
NOTE: 
http://mailman13.u.washington.edu/pipermail/alpine-info/2020-June/008989.html
NOTE: 
https://repo.or.cz/alpine.git/commitdiff/000edd9036b6aea5e6a06900ecd6c58faec665ab
-CVE-2020-14928
-   RESERVED
+CVE-2020-14928 (evolution-data-server (eds) through 3.36.3 has a STARTTLS 
buffering is ...)
{DSA-4725-1 DLA-2281-1}
- evolution-data-server 3.36.4-1
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
@@ -4308,8 +4326,7 @@ CVE-2020-14040 (The x/text package before 0.3.3 for Go 
has a vulnerability in en
NOTE: https://github.com/golang/go/issues/39491
NOTE: 
https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
NOTE: 
https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
-CVE-2020-14039
-   RESERVED
+CVE-2020-14039 (In Go before 1.13.13 and 1.14.x before 1.14.5, 
Certificate.Verify may  ...)
- golang-1.15  (Windows-specific)
- golang-1.14  (Windows-specific)
- golang-1.11  (Windows-specific)
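Review bot: the three golang entries for CVE-2020-14039 are annotated `(Windows-specific)` but carry no severity or not-affected marker; a free-text comment does not change how the tracker reports the packages, so if the issue cannot affect the Linux builds Debian ships, the entries should say so with the tracker's own markers. The comment should also be backed by a `NOTE:` link, as is done for CVE-2020-14040 just above.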
@@ -4441,8 +4458,8 @@ CVE-2020-14002 (PuTTY 0.68 through 0.73 has an Observable 
Discrepancy leading to
[stretch] - putty  (Minor issue)
[jessie] - putty  (Minor issue)
NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=08f1e2a5066ea95559945af339a60ca14560d764
 (0.74)
-CVE-2020-14001
-   RESERVED
+CVE-2020-14001 (The kramdown gem before 2.3.0 for Ruby processes the template 
option i ...)
+   TODO: check
 CVE-2020-14000 (MIT Lifelong Kindergarten Scratch scratch-vm before 
0.2.0-prerelease.2 ...)
TODO: check
 CVE-2020-13999 (ScaleViewPortExtEx in libemf.cpp in libEMF (aka ECMA-234 
Metafile Libr ...)
@@ -4581,12 +4598,14 @@ CVE-2020-13937
 CVE-2020-13936
RESERVED
 CVE-2020-13935 (The payload length in a WebSocket frame was not correctly 
validated in ...)
+   {DSA-4727-1}
- tomcat9 9.0.37-1
- tomcat8 
NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/3
NOTE: 
https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5
 (8.5.57)
NOTE: 
https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d
 (9.0.37)
 CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 
10.0.0-M6, 9.0. ...)
+   {DSA-4727-1}
- tomcat9 9.0.37-1
- tomcat8 
NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/4
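Review bot: the `{DSA-4727-1}` references added to CVE-2020-13935 and CVE-2020-13934 match the DSA-4727-1 entry added to data/DSA/list by commit ba748b9e in this digest (tomcat9 9.0.31-1~deb10u2, CVE list including both ids). In both entries tomcat8 still has no fixed version although the 8.5.57 upstream commit is cited in the NOTEs, so check whether a tomcat8 upload or a per-suite annotation is pending.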
@@ -8290,7 +8309,7 @@ CVE-2020-12422 (In non-standard configurations, a JPEG 
image created by JavaScri
- firefox 78.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12422
 CVE-2020-12421 (When performing add-on updates, certificate chains terminating 
in non- ...)
-   {DSA-4718-1 DSA-4713-1 DLA-2247-1}
+   {DSA-4718-1 DSA-4713-1}
- firefox 78.0-1
- firefox-esr 68.10.0esr-1
- thunderbird 1:68.10.0-1
@@ -8298,7 +8317,7 @@ CVE-2020-12421 (When performing add-on updates, 
certificate chains terminating i
NOTE: 
https://www.mozilla.org/en-US/security/ad

[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15803/zabbix

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
88e44485 by Salvatore Bonaccorso at 2020-07-17T22:06:09+02:00
Add CVE-2020-15803/zabbix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,8 @@ CVE-2020-15805
 CVE-2020-15804
RESERVED
 CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 
4.4.x bef ...)
-   TODO: check
+   - zabbix 
+   NOTE: https://support.zabbix.com/browse/ZBX-18057
 CVE-2020-15802
RESERVED
 CVE-2020-15801 (In Python 3.8.4, sys.path restrictions specified in a 
python38._pth fi ...)
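Review bot: the zabbix entry gets a package line with no fixed version and a single `NOTE:` to the upstream tracker. The description lists the fixed upstream release per branch (3.0.32rc1, 4.0.22rc1, ...), so per-suite annotations for buster and stretch plus a Debian bug reference, as the openjpeg2 and libredwg entries in this digest have, would make the status of the stable packages visible rather than leaving it to be derived from an absent fixed version.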



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88e4448594ae59634c3ba63f440de9bc42a76d88


[Git][security-tracker-team/security-tracker][master] Add upstream reference for CVE-2020-10781/linux

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
42d7f71f by Salvatore Bonaccorso at 2020-07-17T22:04:28+02:00
Add upstream reference for CVE-2020-10781/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13934,6 +13934,7 @@ CVE-2020-10781 [zram sysfs resource consumption]
[stretch] - linux  (Vulnerable code introduced later)
[jessie] - linux  (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2020/06/18/1
+   NOTE: 
https://git.kernel.org/linus/853eab68afc80f59f36bbdeb715e5c88c501e680
 CVE-2020-10780
RESERVED
 CVE-2020-10779
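Review bot: the new `NOTE:` gives the mainline fix commit but not the release it landed in. The Tomcat NOTEs elsewhere in this digest append the upstream version in parentheses (`(8.5.57)`, `(9.0.37)`), which makes it possible to tell at a glance which packaged kernel versions already carry the fix; the same would be useful here.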



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42d7f71fb5bb30396c1a7712ee8ba06af0acc6b8


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15389/openjpeg2

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3c62f76 by Salvatore Bonaccorso at 2020-07-17T22:00:47+02:00
Add Debian bug reference for CVE-2020-15389/openjpeg2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -990,7 +990,7 @@ CVE-2020-15390
RESERVED
 CVE-2020-15389 (jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a 
use-after-free th ...)
{DLA-2277-1}
-   - openjpeg2 
+   - openjpeg2  (bug #965220)
[buster] - openjpeg2  (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1261
NOTE: 
https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3c62f76011f2649399a7f2f74aa3dae9ebad815


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-15389/openjpeg2 as no-dsa

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
de977aa9 by Salvatore Bonaccorso at 2020-07-17T21:59:19+02:00
Mark CVE-2020-15389/openjpeg2 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -991,6 +991,7 @@ CVE-2020-15390
 CVE-2020-15389 (jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a 
use-after-free th ...)
{DLA-2277-1}
- openjpeg2 
+   [buster] - openjpeg2  (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1261
NOTE: 
https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0
 CVE-2020-15388
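Review bot: the subject says CVE-2020-15389 is marked no-dsa for buster, but the rendered line reads `[buster] - openjpeg2  (Minor issue)` with nothing between the package name and the reason. In the tracker's syntax the `<no-dsa>` tag sits in that gap, and the double space suggests the mail rendering dropped the angle-bracketed tag rather than the commit omitting it; verify the committed line actually carries it, since without the tag the buster status is not changed.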



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de977aa9a59ac088ffefbee341231603799c69ec


[Git][security-tracker-team/security-tracker][master] One veyon issue (#964568, no CVE) fixed via unstable upload

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ef99ec0c by Salvatore Bonaccorso at 2020-07-17T21:40:55+02:00
One veyon issue (#964568, no CVE) fixed via unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -491,7 +491,7 @@ CVE-2019-20898 (Affected versions of Atlassian Jira Server 
and Data Center allow
 CVE-2019-20897 (The avatar upload feature in affected versions of Atlassian 
Jira Serve ...)
NOT-FOR-US: Atlassian
 CVE-2020- [veyon-configurator tmp handling]
-   - veyon  (bug #964568)
+   - veyon 4.4.1+repack1-1 (bug #964568)
[buster] - veyon  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/07/07/1
 CVE-2020-15595



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef99ec0c38a7aaa24a84652e5a42829270168981


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-15719/openldap

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69e0366f by Salvatore Bonaccorso at 2020-07-17T21:21:03+02:00
Update notes for CVE-2020-15719/openldap

In general it looks like we might simply consider this a Red Hat specific
problem. The issue was disputed upstream as being valid, with the
comment that the behaviour in libldap conforms with RFC4513 and it is
still authoritative for OpenLDAP as RFC6125 does not supersede the rules
for verifying service identity provided in specifications for existing
applications like LDAP's. For details see the comments from Ryan Tandy as
raised in ;.

It would seem reasonable to not diverge from upstream in Debian unless
this problem is considered severe enough.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -195,10 +195,13 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the 
pki.client.PKIConnection class
NOTE: 
https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a 
certificate-val ...)
- openldap  (bug #965184)
-   NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 (private)
+   NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
-   NOTE: RedHat/CentOS Patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
-   NOTE: Affected file is compiled but Debian openssl uses GnuTLS.
+   NOTE: RedHat/CentOS applied patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
+   NOTE: OpenLDAP upstream did dispute the issue as beeing valid, as the 
current libldap
+   NOTE: behaviour does conform with RFC4513. RFC6125 does not superseed 
the rules for
+   NOTE: verifying service identity provided in specifications for 
existing application
+   NOTE: protocols published prior to RFC6125, like RFC4513 for LDAP.
 CVE-2020-15718 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper 
validation o ...)
NOT-FOR-US: RosarioSIS
 CVE-2020-15717 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper 
validation o ...)
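Review bot: the removed line `NOTE: Affected file is compiled but Debian openssl uses GnuTLS.` (presumably meaning Debian's openldap is built against GnuTLS) is the one Debian-specific applicability fact in the entry. The RedHat/CentOS patch name (`openldap-tlso-dont-check-cn-when-bad-san.patch`) points at the OpenSSL TLS backend, tls_o.c, so whether the GnuTLS build Debian ships is affected at all is the question that decides the severity; consider keeping that note, with the wording corrected, next to the new RFC4513/RFC6125 notes. Also `beeing` and `superseed` in the new NOTE lines should read `being` and `supersede`.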



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e0366f2ae0bdfdfc4898690141afa6410b93f1


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-13935/tomcat9 via unstable

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
76895221 by Salvatore Bonaccorso at 2020-07-17T20:57:00+02:00
Add fixed version for CVE-2020-13935/tomcat9 via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4576,7 +4576,7 @@ CVE-2020-13937
 CVE-2020-13936
RESERVED
 CVE-2020-13935 (The payload length in a WebSocket frame was not correctly 
validated in ...)
-   - tomcat9 
+   - tomcat9 9.0.37-1
- tomcat8 
NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/3
NOTE: 
https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5
 (8.5.57)
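Review bot: the tomcat9 fixed version is recorded, but tomcat8 is left without one even though the `NOTE:` already cites the 8.5.57 upstream commit; if tomcat8 still needs an upload, a per-suite annotation or a dsa-needed entry would make that visible instead of leaving the package line open-ended.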



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76895221311f6c9e86be9d56ce7acd4be04ce621


[Git][security-tracker-team/security-tracker][master] CVE-2020-13934/tomcat9 fixed in unstable

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6aabb78e by Salvatore Bonaccorso at 2020-07-17T20:53:16+02:00
CVE-2020-13934/tomcat9 fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4582,7 +4582,7 @@ CVE-2020-13935 (The payload length in a WebSocket frame 
was not correctly valida
NOTE: 
https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5
 (8.5.57)
NOTE: 
https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d
 (9.0.37)
 CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 
10.0.0-M6, 9.0. ...)
-   - tomcat9 
+   - tomcat9 9.0.37-1
- tomcat8 
NOTE: https://www.openwall.com/lists/oss-security/2020/07/14/4
NOTE: 
https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc950e
 (8.5.57)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6aabb78ed6cf6996c20722399a8d0b9a0e1aed29


[Git][security-tracker-team/security-tracker][master] Take ruby-sanitize from DSA needed list

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f2bd634 by Salvatore Bonaccorso at 2020-07-17T20:52:18+02:00
Take ruby-sanitize from DSA needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -38,7 +38,7 @@ rails
 --
 redis
 --
-ruby-sanitize
+ruby-sanitize (carnil)
 --
 squid (jmm)
 --
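Review bot: the subject says ruby-sanitize is taken *from* the DSA-needed list, but the hunk does not remove the entry; it assigns it (`ruby-sanitize (carnil)`), which in this file marks who is working on the update (compare `squid (jmm)`). The commit message should say the entry is claimed, not removed, so the history is not misread as the update being done.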



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f2bd63453dc1ca2c18a37892e0d9058b0a3ce41


[Git][security-tracker-team/security-tracker][master] Remove one no-dsa tagged entry for libopenmpt

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
778adf22 by Salvatore Bonaccorso at 2020-07-17T20:51:31+02:00
Remove one no-dsa tagged entry for libopenmpt

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -56106,7 +56106,6 @@ CVE-2019-14381 (libopenmpt before 0.4.3 allows a crash 
due to a NULL pointer der
NOTE: 
https://lib.openmpt.org/libopenmpt/2019/02/11/security-update-0.4.3/
 CVE-2019-14380 (libopenmpt before 0.4.5 allows a crash during playback due to 
an out-o ...)
- libopenmpt 0.4.5-1 (low)
-   [buster] - libopenmpt  (Minor issue)
[stretch] - libopenmpt  (Vulnerable code not present in 
0.2 branch)
NOTE: 
https://lib.openmpt.org/libopenmpt/2019/05/27/security-update-0.4.5/
 CVE-2019-14379 (SubTypeValidator.java in FasterXML jackson-databind before 
2.9.9.2 mis ...)
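Review bot: removing the buster no-dsa line for CVE-2019-14380 leaves the buster status to be derived from the fixed version `0.4.5-1 (low)`; that is only right if buster carries a version at or above 0.4.5 or a fix is about to ship there, and the commit message does not say which. A one-line reason in the message (for example that buster already has 0.4.5 or that a point-release update is queued) would avoid a re-check later.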



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/778adf22e4a74e245ac9f7a01c2ed6f42c848add


[Git][security-tracker-team/security-tracker][master] xen, tomcat9 DSAs

2020-07-17 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba748b9e by Moritz Muehlenhoff at 2020-07-17T20:00:59+02:00
xen, tomcat9 DSAs

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,9 @@
+[17 Jul 2020] DSA-4727-1 tomcat9 - security update
+   {CVE-2020-9484 CVE-2020-11996 CVE-2020-13934 CVE-2020-13935}
+   [buster] - tomcat9 9.0.31-1~deb10u2
+[17 Jul 2020] DSA-4726-1 nss - security update
+   {CVE-2019-17006 CVE-2019-17023 CVE-2020-12399 CVE-2020-12402}
+   [buster] - nss 2:3.42.1-1+deb10u3
 [15 Jul 2020] DSA-4725-1 evolution-data-server - security update
{CVE-2020-14928}
[buster] - evolution-data-server 3.30.5-1+deb10u1


=
data/dsa-needed.txt
=
@@ -26,13 +26,11 @@ linux (carnil)
 --
 nginx
 --
-nss (jmm)
---
-openjdk-8 (jmm)
+openjdk-11 (jmm)
 --
 poppler (jmm)
 --
-qemu
+qemu (jmm)
   Maintainer proposing a debdiff fixing several CVEs for review
 --
 rails
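Review bot: this hunk replaces `openjdk-8 (jmm)` with `openjdk-11 (jmm)` and claims `qemu` for jmm, neither of which the commit message ("xen, tomcat9 DSAs") mentions; unrelated dsa-needed bookkeeping is easier to audit in its own commit, or at least listed in the message so the openjdk swap is not mistaken for a typo.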
@@ -46,12 +44,8 @@ squid (jmm)
 --
 teeworlds (jmm)
 --
-tomcat9
---
 xcftools
   Hugo proposed to work on this update
 --
-xen
---
 xrdp
 --
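Review bot: `xen` is removed from dsa-needed here and the commit message names xen, but the data/DSA/list hunk in this commit adds only DSA-4727-1 (tomcat9) and DSA-4726-1 (nss), no xen advisory; conversely nss is dropped from dsa-needed in the previous hunk while the title does not mention it. Check that the xen DSA entry was committed separately (or is still pending, in which case the xen line should stay) and adjust the message to list nss.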



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba748b9e86baf35af2cbb0d8973a9f82f756b5e6


[Git][security-tracker-team/security-tracker][master] openjdk-14 fixed in sid

2020-07-17 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b88f136b by Moritz Muehlenhoff at 2020-07-17T19:55:40+02:00
openjdk-14 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2619,7 +2619,7 @@ CVE-2020-14623 (Vulnerability in the MySQL Server product 
of Oracle MySQL (compo
 CVE-2020-14622 (Vulnerability in the Oracle WebLogic Server product of Oracle 
Fusion M ...)
NOT-FOR-US: Oracle
 CVE-2020-14621 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14620 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
@@ -2677,7 +2677,7 @@ CVE-2020-14595 (Vulnerability in the Oracle iLearning 
product of Oracle iLearnin
 CVE-2020-14594 (Vulnerability in the Oracle Hospitality Reporting and 
Analytics produc ...)
NOT-FOR-US: Oracle
 CVE-2020-14593 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14592 (Vulnerability in the PeopleSoft Enterprise PeopleTools product 
of Orac ...)
@@ -2699,27 +2699,27 @@ CVE-2020-14585 (Vulnerability in the Oracle BI 
Publisher product of Oracle Fusio
 CVE-2020-14584 (Vulnerability in the Oracle BI Publisher product of Oracle 
Fusion Midd ...)
NOT-FOR-US: Oracle
 CVE-2020-14583 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14582 (Vulnerability in the Oracle iStore product of Oracle 
E-Business Suite  ...)
NOT-FOR-US: Oracle
 CVE-2020-14581 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14580 (Vulnerability in the Oracle Communications Session Border 
Controller p ...)
NOT-FOR-US: Oracle
 CVE-2020-14579 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14578 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14577 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14576 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
@@ -2730,7 +2730,7 @@ CVE-2020-14575 (Vulnerability in the MySQL Server product 
of Oracle MySQL (compo
 CVE-2020-14574 (Vulnerability in the Oracle Communications Interactive Session 
Recorde ...)
NOT-FOR-US: Oracle
 CVE-2020-14573 (Vulnerability in the Java SE product of Oracle Java SE 
(component: Hot ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
 CVE-2020-14572 (Vulnerability in the Oracle WebLogic Server product of Oracle 
Fusion M ...)
NOT-FOR-US: Oracle
@@ -2754,7 +2754,7 @@ CVE-2020-14564 (Vulnerability in the PeopleSoft 
Enterprise PeopleTools product o
 CVE-2020-14563 (Vulnerability in the Oracle Enterprise Communications Broker 
product o ...)
NOT-FOR-US: Oracle
 CVE-2020-14562 (Vulnerability in the Java SE product of Oracle Java SE 
(component: Ima ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
 CVE-2020-14561 (Vulnerability in the Oracle Hospitality Reporting and 
Analytics produc ...)
NOT-FOR-US: Oracle
@@ -2768,7 +2768,7 @@ CVE-2020-14558 (Vulnerability in the PeopleSoft 
Enterprise PeopleTools product o
 CVE-2020-14557 (Vulnerability in the Oracle WebLogic Server product of Oracle 
Fusion M ...)
NOT-FOR-US: Oracle
 CVE-2020-14556 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
-   - openjdk-14 
+   - openjdk-14 14.0.2+12-1
- openjdk-11 
- openjdk-8 
 CVE-2020-14555 (Vulnerability in the Oracle Marketing product of Oracle 
E-Business Sui ...)
@@ -6284,7 +6284,7 @@ CVE-2020-13254 (An issue was discovered in Django 2.2 
before 2.2.13 and 3.0 befo
NOTE: 
https://github.com/django/django/commit/07e59caa02831c4569bbebb9eb773bdd9cb4b206
 (2.2 branch)
NOTE: Regression https://code.djangoproject.com/ticket/31654
 CVE-2020-13253 (sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated 
address, wh ...)
-   - qemu 1:5.0-6 (bug #961297)
+   - qemu 1:5.0-8 (bug #961297)
[buster] - qemu  (Minor issue, can be fixed along in next 
DSA)
[stretch] - qemu  (Minor issue, can be fixe
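Review bot: the qemu hunk bumps the CVE-2020-13253 fixed version from 1:5.0-6 to 1:5.0-8 under a commit titled "openjdk-14 fixed in sid"; moving a fixed version forward means the earlier version was recorded as fixed wrongly, which deserves its own commit message (or at least a mention) so the history shows why 1:5.0-6 was not sufficient.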

[Git][security-tracker-team/security-tracker][master] Restore CVE list for DLA-2247-1

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5680e27c by Salvatore Bonaccorso at 2020-07-17T16:16:52+02:00
Restore CVE list for DLA-2247-1

This partially reverts d7de40a03468, as the CVEs fixed were not covered in
68.9.0.

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -103,7 +103,7 @@
{CVE-2020-0543 CVE-2020-0548 CVE-2020-0549}
[jessie] - intel-microcode 3.20200609.2~deb8u1
 [12 Jun 2020] DLA-2247-1 thunderbird - security update
-   {CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 
CVE-2020-12421 CVE-2020-15646}
+   {CVE-2020-12398 CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 
CVE-2020-12410}
[jessie] - thunderbird 1:68.9.0-1~deb8u2
 [12 Jun 2020] DLA-2233-2 python-django - regression update
[jessie] - python-django 1.7.11-1+deb8u10
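Review bot: the restored list `{CVE-2020-12398 CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410}` replaces six other ids, so every CVE/list entry that gained a DLA-2247-1 reference from the reverted commit needs the reference dropped again; the 20:10 automatic update in this digest does that for CVE-2020-15646 and CVE-2020-12421, while CVE-2020-12417 to CVE-2020-12420 are not visible here and should be checked. The message cites d7de40a03468 but not the evidence that those ids were wrong for 68.9.0; a pointer to the corresponding Mozilla advisory would make the revert verifiable from the log.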



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5680e27c2bc97644a668cc4f995089d88e054fc1


[Git][security-tracker-team/security-tracker][master] bug for openldap

2020-07-17 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3518ff4 by Moritz Muehlenhoff at 2020-07-17T12:47:25+02:00
bug for openldap

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -194,7 +194,7 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the 
pki.client.PKIConnection class
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855273
NOTE: 
https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a 
certificate-val ...)
-   - openldap  (unimportant)
+   - openldap  (bug #965184)
NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 (private)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
NOTE: RedHat/CentOS Patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
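Review bot: changing `(unimportant)` to `(bug #965184)` drops the severity rather than adding the bug reference alongside it; the tracker accepts combined annotations such as `(unimportant; bug #965184)`, and the follow-up commit 69e0366f in this digest concludes the issue is most likely Red Hat specific, which argues for keeping the severity. If the intent was to re-evaluate the severity pending the bug, the commit message should say so.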



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3518ff426504c893dcc0ab401c175bbdf4a0fcc


[Git][security-tracker-team/security-tracker][master] automatic update

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f5a658f by security tracker role at 2020-07-17T08:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2020-15805
+   RESERVED
+CVE-2020-15804
+   RESERVED
+CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 
4.4.x bef ...)
+   TODO: check
+CVE-2020-15802
+   RESERVED
+CVE-2020-15801 (In Python 3.8.4, sys.path restrictions specified in a 
python38._pth fi ...)
+   TODO: check
 CVE-2019-20915 (An issue was discovered in GNU LibreDWG through 0.9.3. Crafted 
input w ...)
- libredwg  (bug #595191)
 CVE-2019-20914 (An issue was discovered in GNU LibreDWG through 0.9.3. There 
is a NULL ...)
@@ -354,6 +364,7 @@ CVE-2020-15647
RESERVED
 CVE-2020-15646
RESERVED
+   {DSA-4718-1 DLA-2247-1}
- thunderbird 1:68.10.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-15646
 CVE-2020-15645
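
Review bot: the generated "{DSA-4718-1 DLA-2247-1}" line attaches DLA-2247-1 to an entry whose own package line says the fix is thunderbird 1:68.10.0-1, whereas DLA-2247-1 (12 Jun 2020) shipped 1:68.9.0-1~deb8u2 according to data/DLA/list; the same inconsistency repeats in the CVE-2020-12421 through -12417 hunks below. The script is faithfully reflecting the data/DLA/list edit from commit d7de40a0, so the fix belongs in data/DLA/list (restoring the 68.9.0-era CVE set) followed by a regeneration, not a hand edit of these lines.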
@@ -8274,7 +8285,7 @@ CVE-2020-12422 (In non-standard configurations, a JPEG 
image created by JavaScri
- firefox 78.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12422
 CVE-2020-12421 (When performing add-on updates, certificate chains terminating 
in non- ...)
-   {DSA-4718-1 DSA-4713-1}
+   {DSA-4718-1 DSA-4713-1 DLA-2247-1}
- firefox 78.0-1
- firefox-esr 68.10.0esr-1
- thunderbird 1:68.10.0-1
@@ -8282,7 +8293,7 @@ CVE-2020-12421 (When performing add-on updates, 
certificate chains terminating i
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12421
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12421
 CVE-2020-12420 (When trying to connect to a STUN server, a race condition 
could have c ...)
-   {DSA-4718-1 DSA-4713-1}
+   {DSA-4718-1 DSA-4713-1 DLA-2247-1}
- firefox 78.0-1
- firefox-esr 68.10.0esr-1
- thunderbird 1:68.10.0-1
@@ -8290,7 +8301,7 @@ CVE-2020-12420 (When trying to connect to a STUN server, 
a race condition could
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12420
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12420
 CVE-2020-12419 (When processing callbacks that occurred during window flushing 
in the  ...)
-   {DSA-4718-1 DSA-4713-1}
+   {DSA-4718-1 DSA-4713-1 DLA-2247-1}
- firefox 78.0-1
- firefox-esr 68.10.0esr-1
- thunderbird 1:68.10.0-1
@@ -8298,7 +8309,7 @@ CVE-2020-12419 (When processing callbacks that occurred 
during window flushing i
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12419
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12419
 CVE-2020-12418 (Manipulating individual parts of a URL object could have 
caused an out ...)
-   {DSA-4718-1 DSA-4713-1}
+   {DSA-4718-1 DSA-4713-1 DLA-2247-1}
- firefox 78.0-1
- firefox-esr 68.10.0esr-1
- thunderbird 1:68.10.0-1
@@ -8306,7 +8317,7 @@ CVE-2020-12418 (Manipulating individual parts of a URL 
object could have caused
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12418
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12418
 CVE-2020-12417 (Due to confusion about ValueTags on JavaScript Objects, an 
object may  ...)
-   {DSA-4718-1 DSA-4713-1}
+   {DSA-4718-1 DSA-4713-1 DLA-2247-1}
- firefox 78.0-1
- firefox-esr 68.10.0esr-1
- thunderbird 1:68.10.0-1
@@ -8331,7 +8342,7 @@ CVE-2020-12411 (Mozilla developers reported memory safety 
bugs present in Firefo
- firefox 77.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12411
 CVE-2020-12410 (Mozilla developers reported memory safety bugs present in 
Firefox 76 a ...)
-   {DSA-4702-1 DSA-4695-1 DLA-2247-1 DLA-2243-1}
+   {DSA-4702-1 DSA-4695-1 DLA-2243-1}
- firefox 77.0-1
- firefox-esr 68.9.0esr-1
- thunderbird 1:68.9.0-1
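
Review bot: dropping DLA-2247-1 from CVE-2020-12410 (and from CVE-2020-12406 in the next hunk) removes the only jessie reference for these issues, even though the entry's fixed versions (firefox-esr 68.9.0esr-1, thunderbird 1:68.9.0-1) line up with the 1:68.9.0-1~deb8u2 build that DLA-2247-1 shipped. Until data/DLA/list is corrected, jessie's thunderbird will no longer be recorded as fixed for either CVE.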
@@ -8348,7 +8359,7 @@ CVE-2020-12407 (Mozilla Developer Nicolas Silva found 
that when using WebRender,
- firefox 77.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12407
 CVE-2020-12406 (Mozilla Developer Iain Ireland discovered a missing type check 
during  ...)
-   {DSA-4702-1 DSA-4695-1 DLA-2247-1 DLA-2243-1}
+   {DSA-4702-1 DSA-4695-1 DLA-2243-1}
- firefox 77.0-1
- firefox-esr 68.9.0esr-1
- thunderbird 1:68.9.0-1
@@ -8356,7 +8367,7 @@ CVE-2020-12406 (Mozilla Developer Iain Ireland discovered 
a missing type check d
NOTE: 
https://www.mozi

[Git][security-tracker-team/security-tracker][master] new node-ajv issue

2020-07-17 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3249e0b3 by Moritz Muehlenhoff at 2020-07-17T09:54:15+02:00
new node-ajv issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1024,7 +1024,8 @@ CVE-2020-15368 (AsrDrv103.sys in the ASRock RGB Driver 
does not properly restric
 CVE-2020-15367 (Venki Supravizio BPM 10.1.2 does not limit the number of 
authenticatio ...)
NOT-FOR-US: Venki
 CVE-2020-15366 (An issue was discovered in ajv.validate() in Ajv (aka Another 
JSON Sch ...)
-   TODO: check
+   - node-ajv 
+   NOTE: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
 CVE-2020-15365 (LibRaw before 0.20-Beta3 has an out-of-bounds write in 
parse_exif() in ...)
- libraw  (Vulnerable code introduced in 0.20-Beta1)
NOTE: https://github.com/LibRaw/LibRaw/issues/301
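
Review bot: the package line reads "- node-ajv " with nothing after the package name; the unfixed marker appears to have been lost in the mail rendering (the "- ansible " and "- edk2 " lines elsewhere on this page show the same gap), so please verify the committed line carries it. The NOTE points at the v6.12.3 release tag rather than the fixing commit, and the entry has no [buster]/[stretch] annotation saying whether a stable update is planned; compare the "[buster] - edk2 (Minor issue)" form used in commit d7de40a0 on this page.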



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3249e0b3bfa8ec57c4f8b990d1abc73daade5858


[Git][security-tracker-team/security-tracker][master] new ansible, edk2 issues

2020-07-17 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7de40a0 by Moritz Muehlenhoff at 2020-07-17T09:52:15+02:00
new ansible, edk2 issues
one thunderbird issue already fixed in last DSA/DLA

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -354,6 +354,8 @@ CVE-2020-15647
RESERVED
 CVE-2020-15646
RESERVED
+   - thunderbird 1:68.10.0-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-15646
 CVE-2020-15645
RESERVED
 CVE-2020-15644
@@ -3550,6 +3552,8 @@ CVE-2020-14333
RESERVED
 CVE-2020-14332
RESERVED
+   - ansible 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1857805
 CVE-2020-14331
RESERVED
 CVE-2020-14330
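
Review bot: the CVE-2020-14332 entry gains a package line and a Red Hat bugzilla link but no description; since the CVE is still RESERVED, a bracketed summary on the CVE line (the "[memory leak in ArpOnFrameRcvdDpc]" form used on CVE-2019-14559 in the next hunk) would let readers triage it without following the link. A [buster]/[stretch] annotation is also missing, and the package line shows nothing after "- ansible ", so check that the unfixed marker survived the commit.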
@@ -54964,6 +54968,9 @@ CVE-2019-14561
RESERVED
 CVE-2019-14560
RESERVED
+   - edk2 
+   [buster] - edk2  (Minor issue)
+   NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
 CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
RESERVED
- edk2 0~20200229.4c0f6e34-1 (bug #952926; low)
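
Review bot: CVE-2019-14560 is added with "[buster] (Minor issue)" and the tianocore bug, but unlike the neighbouring CVE-2019-14559 entry it has no bracketed summary on the CVE line and no Debian bug reference or severity; a one-line summary taken from tianocore bug 2167 and a bug/severity annotation in the "(bug #952926; low)" form used on the line below would keep the two edk2 entries consistent.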


=
data/DLA/list
=
@@ -103,7 +103,7 @@
{CVE-2020-0543 CVE-2020-0548 CVE-2020-0549}
[jessie] - intel-microcode 3.20200609.2~deb8u1
 [12 Jun 2020] DLA-2247-1 thunderbird - security update
-   {CVE-2020-12398 CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 
CVE-2020-12410}
+   {CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 
CVE-2020-12421 CVE-2020-15646}
[jessie] - thunderbird 1:68.9.0-1~deb8u2
 [12 Jun 2020] DLA-2233-2 python-django - regression update
[jessie] - python-django 1.7.11-1+deb8u10
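
Review bot: this replaces DLA-2247-1's CVE set with the one that belongs to DSA-4718-1. DLA-2247-1 is dated 12 Jun 2020 and shipped thunderbird 1:68.9.0-1~deb8u2, while CVE-2020-12417 through -12421 and CVE-2020-15646 are recorded in data/CVE/list as fixed in 1:68.10.0-1 and are exactly the set the DSA-4718-1 hunk below carries. The original "{CVE-2020-12398 CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410}" matches the 68.9.0 fixes (see the firefox-esr 68.9.0esr-1 / thunderbird 1:68.9.0-1 lines on CVE-2020-12410 and -12406 on this page) and should be kept; if the 68.9.0 build really contains the CVE-2020-15646 fix, append that one CVE to the existing list rather than swapping the whole set.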


=
data/DSA/list
=
@@ -22,7 +22,7 @@
{CVE-2019-11048 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064 CVE-2020-7065 
CVE-2020-7066 CVE-2020-7067}
[buster] - php7.3 7.3.19-1~deb10u1
 [05 Jul 2020] DSA-4718-1 thunderbird - security update
-   {CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 
CVE-2020-12421}
+   {CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 
CVE-2020-12421 CVE-2020-15646}
[stretch] - thunderbird 1:68.10.0-1~deb9u1
[buster] - thunderbird 1:68.10.0-1~deb10u1
 [05 Jul 2020] DSA-4717-1 php7.0 - security update



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7de40a034682528e213c473d0740da095d44b37
