[Git][security-tracker-team/security-tracker][master] Add note for qemu
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b30c173 by Utkarsh Gupta at 2020-09-01T04:29:13+05:30 Add note for qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -130,6 +130,7 @@ puma -- qemu (Abhijith PA) NOTE: 20200824: currently all are minor issues. Reduce frequent upload (abhijith) + NOTE: 20200901: CVE-2020-14364 is rather not a minor issue. check for stretch. (utkarsh) -- qt4-x11 (Adrian Bunk) NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b30c1735325c59d3e22204986eb0346a04c80b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b30c1735325c59d3e22204986eb0346a04c80b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
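Review bot: the new 20200901 NOTE contradicts the 20200824 NOTE directly above it ("currently all are minor issues"), yet the earlier line is left in place, so a reader of dla-needed.txt now sees both assessments for qemu. Suggest either amending the 20200824 line or stating in the new note that CVE-2020-14364 supersedes the earlier assessment, and recording the result of "check for stretch" in a follow-up NOTE once it has been done.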
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-8244/node-bl as no-dsa for Stretch
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: ef3dd8e6 by Utkarsh Gupta at 2020-09-01T04:25:08+05:30 Mark CVE-2020-8244/node-bl as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39490,6 +39490,7 @@ CVE-2020-8245 CVE-2020-8244 (A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and ...) - node-bl 4.0.3-1 (bug #969309) [buster] - node-bl (Minor issue) + [stretch] - node-bl (Minor issue) NOTE: https://hackerone.com/reports/966347 NOTE: https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190 CVE-2020-8243 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef3dd8e61ce514dc4ca915660ca8f40462f926f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef3dd8e61ce514dc4ca915660ca8f40462f926f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Clarify slirm comment in dla-needed.txt
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: c9ce0e7f by Brian May at 2020-09-01T08:05:10+10:00 Clarify slirm comment in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -177,7 +177,9 @@ samba (Ola Lundqvist) shiro -- slirp - NOTE: 20200724: Version in stretch also requires backport of patch from CVE-2020-7039 (lamby) + NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: + NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: + NOTE: the same lines of code in tcp_subr.c (bam). -- snmptt -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9ce0e7f9e4177122e468a54475a8fe2e8c9bce1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9ce0e7f9e4177122e468a54475a8fe2e8c9bce1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
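Review bot: "to be applied patched first" in the second added NOTE line reads as a typo for "to be applied first". Also, the removed line carried the file's usual date prefix (NOTE: 20200724: ...) and the three new lines drop it; suggest keeping "NOTE: 20200831:" on the first line so the slirp entry stays consistent with the other dla-needed.txt notes, which are dated.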
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13655/collabtive
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fb22147 by Salvatore Bonaccorso at 2020-08-31T23:27:53+02:00 Add CVE-2020-13655/collabtive - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24519,7 +24519,7 @@ CVE-2020-13657 (An elevation of privilege vulnerability exists in Avast Free Ant CVE-2020-13656 (In Morgan Stanley Hobbes through 2020-05-21, the array implementation ...) NOT-FOR-US: Hobbes CVE-2020-13655 (An issue was discovered in Collabtive 3.0 and later. managefile.php is ...) - TODO: check + - collabtive CVE-2020-13654 RESERVED CVE-2020-13653 (An XSS vulnerability exists in the Webmail component of Zimbra Collabo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fb22147ffa1ee09af70c289ce3a2f0c2dcc9e66 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fb22147ffa1ee09af70c289ce3a2f0c2dcc9e66 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
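Review bot: the "- collabtive" line replaces the TODO with an open entry that has no fixed version, no bug reference and no NOTE pointing at an upstream fix or advisory, so every supported release is now shown as affected with nothing for a maintainer to act on. Suggest adding a NOTE with the upstream reference for the managefile.php issue and "(bug #...)" on the package line once a bug is filed.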
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13828/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cf1ec28 by Salvatore Bonaccorso at 2020-08-31T23:27:20+02:00 Add CVE-2020-13828/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23992,7 +23992,7 @@ CVE-2020-13830 (An issue was discovered on Samsung mobile devices with P(9.0) so CVE-2020-13829 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13828 (Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (X ...) - TODO: check + - dolibarr CVE-2020-13827 (phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/a ...) - phplist (bug #612288) CVE-2020-13826 (A CSV injection (aka Excel Macro Injection or Formula Injection) issue ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cf1ec288a9a18d50699e33a8e97d726b03765e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cf1ec288a9a18d50699e33a8e97d726b03765e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
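Review bot: "- dolibarr" carries no fixed version, no bug reference and no per-release triage markers ([buster]/[stretch] ...), so a stored XSS is now listed as open in all releases without a pointer to the upstream fix. Suggest a NOTE line with the upstream advisory or commit, and a (bug #...) reference on the package line, as the neighbouring phplist entry has.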
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04909edc by Salvatore Bonaccorso at 2020-08-31T23:26:14+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -516,7 +516,7 @@ CVE-2020-24788 CVE-2020-24787 RESERVED CVE-2020-24786 (An issue was discovered in Zoho ManageEngine Exchange Reporter Plus be ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2020-24785 RESERVED CVE-2020-24784 @@ -1397,7 +1397,7 @@ CVE-2020-24365 CVE-2020-24364 (MineTime through 1.8.5 allows arbitrary command execution via the note ...) NOT-FOR-US: MineTime CVE-2020-24363 (TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticat ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next plugin befor ...) NOT-FOR-US: Wordpress plugin CVE-2020-24362 @@ -1418,7 +1418,7 @@ CVE-2020-24356 CVE-2020-24355 RESERVED CVE-2020-24354 (Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibl ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-24353 RESERVED CVE-2020-24352 @@ -1925,7 +1925,7 @@ CVE-2020-24117 CVE-2020-24116 RESERVED CVE-2020-24115 (In projectworlds Online Book Store 1.0 Use of Hard-coded Credentials i ...) - TODO: check + NOT-FOR-US: projectworlds Online Book Store CVE-2020-24114 RESERVED CVE-2020-24113 @@ -1947,7 +1947,7 @@ CVE-2020-24106 CVE-2020-24105 RESERVED CVE-2020-24104 (XSS on the PIX-Link Repeater/Router LV-WR07 with firmware v28K.Router. ...) - TODO: check + NOT-FOR-US: PIX-Link Repeater/Router LV-WR07 CVE-2020-24103 RESERVED CVE-2020-24102 
@@ -8899,13 +8899,13 @@ CVE-2020-20630 CVE-2020-20629 RESERVED CVE-2020-20628 (controller/controller-comments.php in WP GDPR plugin through 2.1.1 has ...) - TODO: check + NOT-FOR-US: WP GDPR plugin CVE-2020-20627 (The includes/gateways/stripe/includes/admin/admin-actions.php in GiveW ...) NOT-FOR-US: includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin for WordPress CVE-2020-20626 (lara-google-analytics.php in Lara Google Analytics plugin through 2.0. ...) - TODO: check + NOT-FOR-US: Lara Google Analytics plugin for WordPress CVE-2020-20625 (Sliced Invoices plugin for WordPress 3.8.2 and earlier allows unauthen ...) - TODO: check + NOT-FOR-US: Sliced Invoices plugin for WordPress CVE-2020-20624 RESERVED CVE-2020-20623 @@ -15251,7 +15251,7 @@ CVE-2020-17467 CVE-2020-17466 (Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by ...) NOT-FOR-US: Turcom TRCwifiZone CVE-2020-17465 (Dashboards and progressiveProfileForms in ForgeRock Identity Manager b ...) - TODO: check + NOT-FOR-US: Dashboards and progressiveProfileForms in ForgeRock Identity Manager CVE-2020-17464 REJECTED CVE-2020-17463 (FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/it ...) @@ -19118,7 +19118,7 @@ CVE-2020-15689 (Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI su CVE-2020-15688 (The HTTP Digest Authentication in the GoAhead web server before 5.1.2 ...) NOT-FOR-US: Embedthis GoAhead CVE-2020-15687 (Missing access control restrictions in the Hypervisor component of the ...) - TODO: check + NOT-FOR-US: ACRN Project CVE-2019-20908 (An issue was discovered in drivers/firmware/efi/efi.c in the Linux ker ...) - linux 5.2.6-1 [buster] - linux 4.19.132-1 
@@ -24935,25 +24935,25 @@ CVE-2020-13474 CVE-2020-13473 RESERVED CVE-2020-13472 (The flash memory readout protection in Gigadevice GD32F103 devices all ...) - TODO: check + NOT-FOR-US: Gigadevice GD32F103 devices CVE-2020-13471 (Apex Microelectronics APM32F103 devices allow physical attackers to ex ...) - TODO: check + NOT-FOR-US: Apex Microelectronics APM32F103 devices CVE-2020-13470 (Gigadevice GD32F103 and GD32F130 devices allow physical attackers to e ...) - TODO: check + NOT-FOR-US: Gigadevice GD32F103 and GD32F130 devices CVE-2020-13469 (The flash memory readout protection in Gigadevice GD32VF103 devices al ...) - TODO: check + NOT-FOR-US: Gigadevice GD32VF103 devices CVE-2020-13468 (Gigadevice GD32F130 devices allow physical attackers to escalate their ...) - TODO: check + NOT-FOR-US: Gigadevice GD32F130 devices CVE-2020-13467 (The flash memory readout protection in China Key Systems & Integra ...) - TODO: check + NOT-FOR-US: China Key Systems & Integrated Circuit CKS32F103 devices CVE-2020-13466 (STMicroelectronics STM32F103 devices through 2020-05-20 allow physical ...) - TODO: check + NOT-FOR-US: STMicroelectronics STM3
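Review bot: at the CVE-2020-15687 hunk the visible description stops at "Hypervisor component of the ..." and names no product, so the "NOT-FOR-US: ACRN Project" attribution cannot be checked from the diff; a NOTE with the upstream advisory URL would make it verifiable. The other NOT-FOR-US lines in this batch (Zoho, TP-Link, Zyxel, the WordPress plugins, the GD32/APM32/CKS32/STM32 flash readout issues) name the product directly in the truncated description, so they are fine as they stand.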
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25031/checkinstall
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20900f9f by Salvatore Bonaccorso at 2020-08-31T23:20:36+02:00 Add CVE-2020-25031/checkinstall - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22,7 +22,8 @@ CVE-2020-25032 (An issue was discovered in Flask-CORS (aka CORS Middleware for F - python-flask-cors NOTE: https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895 CVE-2020-25031 (checkinstall 1.6.2, when used to create a package that contains a syml ...) - TODO: check + - checkinstall + NOTE: https://bugs.launchpad.net/ubuntu/+source/checkinstall/+bug/1861281 CVE-2020-25030 RESERVED CVE-2020-25029 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20900f9fc4347e27e20ccd6e320faddf64d996fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20900f9fc4347e27e20ccd6e320faddf64d996fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
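Review bot: "- checkinstall" is added with no fixed version and no Debian bug reference, so the package shows as affected in every release with nothing tracking an upload. The Launchpad NOTE is useful, but suggest filing a bug and appending "(bug #...)" on the package line, and adding [buster]/[stretch] severity markers once the impact of the symlink handling described in the entry has been assessed.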
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25032/python-flask-cors
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e359d85 by Salvatore Bonaccorso at 2020-08-31T23:17:18+02:00 Add CVE-2020-25032/python-flask-cors - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,8 @@ CVE-2020-25034 CVE-2020-25033 (The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for ...) NOT-FOR-US: Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin for WordPress CVE-2020-25032 (An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) ...) - TODO: check + - python-flask-cors + NOTE: https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895 CVE-2020-25031 (checkinstall 1.6.2, when used to create a package that contains a syml ...) TODO: check CVE-2020-25030 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e359d8572ff8d25c71cfa3292be6b7c0f57ca8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e359d8572ff8d25c71cfa3292be6b7c0f57ca8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
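Review bot: the entry gains the upstream fix commit but no fixed Debian version, so it is unclear from the hunk whether the python-flask-cors version in unstable already contains commit 67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895. Suggest checking the packaged version against that commit and recording either the fixed version or a "(bug #...)" reference for the pending upload.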
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6a319f4 by Salvatore Bonaccorso at 2020-08-31T23:13:07+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,7 @@ CVE-2020-25035 CVE-2020-25034 RESERVED CVE-2020-25033 (The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for ...) - TODO: check + NOT-FOR-US: Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin for WordPress CVE-2020-25032 (An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) ...) TODO: check CVE-2020-25031 (checkinstall 1.6.2, when used to create a package that contains a syml ...) @@ -688,7 +688,7 @@ CVE-2020-24701 CVE-2020-24700 RESERVED CVE-2020-24699 (The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress al ...) - TODO: check + NOT-FOR-US: Chamber Dashboard Business Directory plugin for WordPress CVE-2020-24698 RESERVED CVE-2020-24697 @@ -8899,7 +8899,7 @@ CVE-2020-20629 CVE-2020-20628 (controller/controller-comments.php in WP GDPR plugin through 2.1.1 has ...) TODO: check CVE-2020-20627 (The includes/gateways/stripe/includes/admin/admin-actions.php in GiveW ...) - TODO: check + NOT-FOR-US: includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin for WordPress CVE-2020-20626 (lara-google-analytics.php in Lara Google Analytics plugin through 2.0. ...) TODO: check CVE-2020-20625 (Sliced Invoices plugin for WordPress 3.8.2 and earlier allows unauthen ...) @@ -20755,7 +20755,7 @@ CVE-2020-15022 CVE-2020-15021 RESERVED CVE-2020-15020 (An issue was discovered in the Elementor plugin through 2.9.13 for Wor ...) - TODO: check + NOT-FOR-US: Elementor plugin for WordPress CVE-2020-15019 RESERVED CVE-2020-15018 (playSMS through 1.4.3 is vulnerable to session fixation. ...) 
@@ -49016,7 +49016,7 @@ CVE-2020-4494 (IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Wi CVE-2020-4493 RESERVED CVE-2020-4492 (IBM Spectrum Scale V5.0.0.0 through V5.0.4.3 and V4.2.0.0 through V4.2 ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4491 RESERVED CVE-2020-4490 (IBM Business Automation Workflow 18 and 19, and IBM Business Process M ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6a319f45bd6eaa22075a4810ffe8c91eb996c25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6a319f45bd6eaa22075a4810ffe8c91eb996c25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
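Review bot: at the CVE-2020-20627 hunk the NOT-FOR-US field is filled with the path fragment from the description ("includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin for WordPress"); the other lines in this batch name the product (e.g. "NOT-FOR-US: Elementor plugin for WordPress"), so "NOT-FOR-US: GiveWP plugin for WordPress" would be clearer and easier to grep for.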
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 00e78ba1 by security tracker role at 2020-08-31T20:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2020-25042 + RESERVED +CVE-2020-25041 + RESERVED +CVE-2020-25040 + RESERVED +CVE-2020-25039 + RESERVED +CVE-2020-25038 + RESERVED +CVE-2020-25037 + RESERVED +CVE-2020-25036 + RESERVED +CVE-2020-25035 + RESERVED +CVE-2020-25034 + RESERVED CVE-2020-25033 (The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for ...) TODO: check CVE-2020-25032 (An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) ...) @@ -495,8 +513,8 @@ CVE-2020-24788 RESERVED CVE-2020-24787 RESERVED -CVE-2020-24786 - RESERVED +CVE-2020-24786 (An issue was discovered in Zoho ManageEngine Exchange Reporter Plus be ...) + TODO: check CVE-2020-24785 RESERVED CVE-2020-24784 @@ -669,8 +687,8 @@ CVE-2020-24701 RESERVED CVE-2020-24700 RESERVED -CVE-2020-24699 - RESERVED +CVE-2020-24699 (The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress al ...) + TODO: check CVE-2020-24698 RESERVED CVE-2020-24697 @@ -1376,8 +1394,8 @@ CVE-2020-24365 RESERVED CVE-2020-24364 (MineTime through 1.8.5 allows arbitrary command execution via the note ...) NOT-FOR-US: MineTime -CVE-2020-24363 - RESERVED +CVE-2020-24363 (TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticat ...) + TODO: check CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next plugin befor ...) NOT-FOR-US: Wordpress plugin CVE-2020-24362 @@ -1397,8 +1415,8 @@ CVE-2020-24356 RESERVED CVE-2020-24355 RESERVED -CVE-2020-24354 - RESERVED +CVE-2020-24354 (Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibl ...) + TODO: check CVE-2020-24353 RESERVED CVE-2020-24352 
@@ -1904,8 +1922,8 @@ CVE-2020-24117 RESERVED CVE-2020-24116 RESERVED -CVE-2020-24115 - RESERVED +CVE-2020-24115 (In projectworlds Online Book Store 1.0 Use of Hard-coded Credentials i ...) + TODO: check CVE-2020-24114 RESERVED CVE-2020-24113 @@ -8878,14 +8896,14 @@ CVE-2020-20630 RESERVED CVE-2020-20629 RESERVED -CVE-2020-20628 - RESERVED -CVE-2020-20627 - RESERVED -CVE-2020-20626 - RESERVED -CVE-2020-20625 - RESERVED +CVE-2020-20628 (controller/controller-comments.php in WP GDPR plugin through 2.1.1 has ...) + TODO: check +CVE-2020-20627 (The includes/gateways/stripe/includes/admin/admin-actions.php in GiveW ...) + TODO: check +CVE-2020-20626 (lara-google-analytics.php in Lara Google Analytics plugin through 2.0. ...) + TODO: check +CVE-2020-20625 (Sliced Invoices plugin for WordPress 3.8.2 and earlier allows unauthen ...) + TODO: check CVE-2020-20624 RESERVED CVE-2020-20623 @@ -15230,8 +15248,8 @@ CVE-2020-17467 RESERVED CVE-2020-17466 (Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by ...) NOT-FOR-US: Turcom TRCwifiZone -CVE-2020-17465 - RESERVED +CVE-2020-17465 (Dashboards and progressiveProfileForms in ForgeRock Identity Manager b ...) + TODO: check CVE-2020-17464 REJECTED CVE-2020-17463 (FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/it ...) @@ -19097,8 +19115,8 @@ CVE-2020-15689 (Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI su NOT-FOR-US: Appweb CVE-2020-15688 (The HTTP Digest Authentication in the GoAhead web server before 5.1.2 ...) NOT-FOR-US: Embedthis GoAhead -CVE-2020-15687 - RESERVED +CVE-2020-15687 (Missing access control restrictions in the Hypervisor component of the ...) + TODO: check CVE-2019-20908 (An issue was discovered in drivers/firmware/efi/efi.c in the Linux ker ...) - linux 5.2.6-1 [buster] - linux 4.19.132-1 
@@ -19160,7 +19178,7 @@ CVE-2020-15670 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/#CVE-2020-15670 CVE-2020-15669 RESERVED - {DSA-4754-1 DSA-4749-1 DLA-2346-1} + {DSA-4754-1 DSA-4749-1 DLA-2360-1 DLA-2346-1} - firefox-esr 68.12.0esr-1 - thunderbird 1:68.12.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-37/#CVE-2020-15669 @@ -19183,7 +19201,7 @@ CVE-2020-15665 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/#CVE-2020-15665 CVE-2020-15664 RESERVED - {DSA-4754-1 DSA-4749-1 DLA-2346-1} + {DSA-4754-1 DSA-4749-1 DLA-2360-1 DLA-2346-1} - firefox 80.0-1 - firefox-esr 68.12.0esr-1 - thunderbird 1:68.12.0-1 @@ -20736,
[Git][security-tracker-team/security-tracker][master] Track proposed fix for CVE-2020-14367/chrony via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 25efe282 by Salvatore Bonaccorso at 2020-08-31T21:50:18+02:00 Track proposed fix for CVE-2020-14367/chrony via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -56,3 +56,5 @@ CVE-2020-11061 [buster] - bacula 9.4.2-2+deb10u1 CVE-2020-8244 [buster] - node-bl 1.1.2-1+deb10u1 +CVE-2020-14367 + [buster] - chrony 3.4-4+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25efe2827b3a408f8a2405e49b6bc4e58425c7ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25efe2827b3a408f8a2405e49b6bc4e58425c7ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed fix for CVE-2020-8244/node-bl via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 11de1a16 by Salvatore Bonaccorso at 2020-08-31T21:49:00+02:00 Track proposed fix for CVE-2020-8244/node-bl via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -54,3 +54,5 @@ CVE-2020-14405 [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u4 CVE-2020-11061 [buster] - bacula 9.4.2-2+deb10u1 +CVE-2020-8244 + [buster] - node-bl 1.1.2-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11de1a167d17681d7b8e7658e8ade022543ecad6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11de1a167d17681d7b8e7658e8ade022543ecad6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
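Review bot: tracking node-bl 1.1.2-1+deb10u1 in next-point-update.txt while data/CVE/list carries "[buster] - node-bl (Minor issue)" is consistent (no DSA, fix via point release), but the two files now have to be kept in sync: once the buster-pu upload is accepted, the [buster] line in data/CVE/list should be changed to the fixed version, otherwise buster stays listed as vulnerable after the fix has shipped.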
[Git][security-tracker-team/security-tracker][master] CVE-2020-8244/node-bl fixed via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b171ec8 by Salvatore Bonaccorso at 2020-08-31T21:16:17+02:00 CVE-2020-8244/node-bl fixed via unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39467,7 +39467,7 @@ CVE-2020-8246 CVE-2020-8245 RESERVED CVE-2020-8244 (A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and ...) - - node-bl (bug #969309) + - node-bl 4.0.3-1 (bug #969309) [buster] - node-bl (Minor issue) NOTE: https://hackerone.com/reports/966347 NOTE: https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b171ec84f1c75c02a635b46b94077422d0e4d11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b171ec84f1c75c02a635b46b94077422d0e4d11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] xorg-server issues fixed via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff789401 by Salvatore Bonaccorso at 2020-08-31T20:52:46+02:00 xorg-server issues fixed via unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22517,13 +22517,13 @@ CVE-2020-14363 [Double free in libX11 locale handling code] CVE-2020-14362 RESERVED {DLA-2359-1} - - xorg-server + - xorg-server 2:1.20.9-1 NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc CVE-2020-14361 RESERVED {DLA-2359-1} - - xorg-server + - xorg-server 2:1.20.9-1 NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787 CVE-2020-14360 
@@ -22574,19 +22574,19 @@ CVE-2020-14348 NOT-FOR-US: AMQ Online CVE-2020-14347 (A flaw was found in the way xserver memory was not properly initialize ...) {DLA-2359-1} - - xorg-server (bug #968986) + - xorg-server 2:1.20.9-1 (bug #968986) NOTE: https://lists.x.org/archives/xorg-announce/2020-July/003051.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816 CVE-2020-14346 RESERVED {DLA-2359-1} - - xorg-server + - xorg-server 2:1.20.9-1 NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff CVE-2020-14345 RESERVED {DLA-2359-1} - - xorg-server + - xorg-server 2:1.20.9-1 NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d CVE-2020-14344 (An integer overflow leading to a heap-buffer overflow was found in The ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff789401e9e0e7ef6143618553a731f4e2b7c8ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff789401e9e0e7ef6143618553a731f4e2b7c8ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
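Review bot: all five xorg-server entries get the fixed version 2:1.20.9-1 for unstable, and the {DLA-2359-1} references cover stretch, but none of the hunks add a [buster] marker, so buster remains open for CVE-2020-14345, CVE-2020-14346, CVE-2020-14347, CVE-2020-14361 and CVE-2020-14362. Suggest confirming that xorg-server is listed in data/dsa-needed.txt or adding [buster] triage lines, so the buster status is deliberate rather than a leftover.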
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dcaf52a8 by Moritz Muehlenhoff at 2020-08-31T19:55:46+02:00 buster triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -342,6 +342,7 @@ CVE-2020-24862 RESERVED CVE-2020-25016 (A safety violation was discovered in the rgb crate before 0.8.20 for R ...) - rust-rgb (bug #969213) + [buster] - rust-rgb (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0029.html NOTE: https://github.com/kornelski/rust-rgb/issues/35 CVE-2020-24861 @@ -15163,6 +15164,7 @@ CVE-2020-17496 (vBulletin 5.5.4 through 5.6.2 allows remote command execution vi NOT-FOR-US: vBulletin CVE-2020-17495 (django-celery-results through 1.2.1 stores task results in the databas ...) - python-django-celery-results (bug #968305) + [buster] - python-django-celery-results (Minor issue) NOTE: https://github.com/celery/django-celery-results/issues/142 CVE-2020-17494 RESERVED @@ -19981,6 +19983,7 @@ CVE-2020-15357 RESERVED CVE-2020-15358 (In SQLite before 3.32.3, select.c mishandles query-flattener optimizat ...) - sqlite3 3.32.3-1 + [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced in 3.25.0) [jessie] - sqlite3 (Vulnerable code introduced in 3.25.0) NOTE: https://www.sqlite.org/src/info/10fa79d00f8091e5 @@ -27597,6 +27600,7 @@ CVE-2020-12404 (For native-to-JS bridging the app requires a unique token to be CVE-2020-12403 RESERVED - nss 2:3.55-1 + [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/f282556e6cc7715f5754aeaadda6f902590e7e38 NOTE: https://hg.mozilla.org/projects/nss/rev/c25adfdfab34ddb08d3262aac3242e3399de1095 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1636771 
@@ -39714,6 +39718,7 @@ CVE-2020-8160 RESERVED CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem < v1.2.1 th ...) - ruby-actionpack-page-caching 1.2.2-1 (bug #960680) + [buster] - ruby-actionpack-page-caching (Minor issue) NOTE: https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8 CVE-2020-8158 RESERVED @@ -86149,6 +86154,7 @@ CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability all NOT-FOR-US: GAT-Ship Web Module CVE-2015-9284 (The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vuln ...) - ruby-omniauth + [buster] - ruby-omniauth (Minor issue) [stretch] - ruby-omniauth (Minor issue) [jessie] - ruby-omniauth (Fix is in additional gem and needs CSRF protection in apps) NOTE: https://github.com/omniauth/omniauth/pull/809 = data/dsa-needed.txt = @@ -22,6 +22,8 @@ knot-resolver linux (carnil) Wait until more issues have piled up -- +qemu +-- rails (jmm) Sylvain Beucler proposed to help for the update, remaining CVEs to be done -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcaf52a8d35f813ca8125f4425ed4a2c7b953bcb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcaf52a8d35f813ca8125f4425ed4a2c7b953bcb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
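Review bot: the data/dsa-needed.txt hunk adds a bare "qemu" entry with no assignee and no note on which issues the update should cover, while the other entries visible in the hunk context (linux, rails) carry one; suggest adding a note listing the CVEs, given that the dla-needed.txt qemu entry elsewhere in this thread flags CVE-2020-14364 as not a minor issue. The data/CVE/list hunks look fine: each new [buster] no-dsa marker is placed before the existing [stretch]/[jessie] lines, matching the file's release ordering.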
[Git][security-tracker-team/security-tracker][master] asyncpg is uploaded, announcement is left
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 98e5caa0 by Utkarsh Gupta at 2020-08-31T20:52:53+05:30 asyncpg is uploaded, announcement is left - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,8 +33,9 @@ ark (Abhijith PA) NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith) NOTE: 20200820: pinged upstream for help (abhijith) -- -asyncpg +asyncpg (Utkarsh Gupta) NOTE: 20200815: Minor issue, but easy to fix. (sunweaver) + NOTE: 20200831: has already been uploaded to the archive, just sending out the announcement is left. (utkarsh) -- cacti NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98e5caa0acdd899344dc93e276e7f4779b927c64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98e5caa0acdd899344dc93e276e7f4779b927c64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for apache2 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22b08050 by Salvatore Bonaccorso at 2020-08-31T17:01:49+02:00 Reserve DSA number for apache2 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[31 Aug 2020] DSA-4757-1 apache2 - security update + {CVE-2020-1927 CVE-2020-1934 CVE-2020-9490 CVE-2020-11984 CVE-2020-11993} + [buster] - apache2 2.4.38-3+deb10u4 [29 Aug 2020] DSA-4756-1 lilypond - security update {CVE-2020-17353} [buster] - lilypond 2.19.81+really-2.18.2-13+deb10u1 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -apache2 (carnil) -- chromium -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22b08050a838cb8a8bb6ecad8b2679b0d7972397 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22b08050a838cb8a8bb6ecad8b2679b0d7972397 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gen-DSA: require DEBFULLNAME env variable
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d2fc7af by Emilio Pozuelo Monfort at 2020-08-31T14:09:50+02:00 gen-DSA: require DEBFULLNAME env variable - - - - - 1 changed file: - bin/gen-DSA Changes: = bin/gen-DSA = @@ -333,6 +333,10 @@ if [ $REFERENCES -gt 1 ]; then sed -ri 's/this problem has/these problems have/' $tmpf fi +if [ -z "$DEBFULLNAME" ]; then +"error: DEBFULLNAME env variable required" +exit 1 +fi SPACEDDEBFULLNAME="$(left_space "$DEBFULLNAME" "$NAME_SPACING")" DATE="$(date +"%B %d, %Y")" View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d2fc7afc71af5372156e0e90ff331970b028ec6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d2fc7afc71af5372156e0e90ff331970b028ec6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
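Review bot: the added check in bin/gen-DSA never prints its message: the line "error: DEBFULLNAME env variable required" has no echo in front of it, so the shell tries to execute a command with that name, fails with "command not found", and only then reaches "exit 1". It should read echo "error: DEBFULLNAME env variable required" >&2 (stderr, so the message is not mixed into generated output). Consider also placing the check before the preceding sed on $tmpf, so the script bails out before it has started editing the temporary file.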
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2360-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1eb54ef2 by Emilio Pozuelo Monfort at 2020-08-31T14:01:57+02:00 Reserve DLA-2360-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Aug 2020] DLA-2360-1 thunderbird - security update + {CVE-2020-15664 CVE-2020-15669} + [stretch] - thunderbird 1:68.12.0-1~deb9u1 [30 Aug 2020] DLA-2359-1 xorg-server - security update {CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14361 CVE-2020-14362} [stretch] - xorg-server 2:1.19.2-1+deb9u6 = data/dla-needed.txt = @@ -196,8 +196,6 @@ sympa NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh) NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh) -- -thunderbird (Emilio) --- uwsgi (Utkarsh Gupta) NOTE: 20200828: been affected by CVE-2020-11984, which was affecting NOTE: 20200828: apache2, but it uses src:uwsgi instead. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1eb54ef2aef20bbee33840c0c703c865f16fb8cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1eb54ef2aef20bbee33840c0c703c865f16fb8cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update hashbang for remaining python2 scripts
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 44ec51aa by Emilio Pozuelo Monfort at 2020-08-31T12:15:53+02:00 Update hashbang for remaining python2 scripts These are all currently unused, so it's a bit hard to test them when porting them to Python 3. So rather than doing that, let's explicitly mark them as being Python 2. Before porting them we may want to check if they are still useful or if they should be removed instead. - - - - - 5 changed files: - bin/list-queue - bin/mass-bug-filer - bin/secmaster.py - check-external/unknown-packages.py - data/DTSA/dtsa Changes: = bin/list-queue = @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # list-queue -- list security-master queue contents # Copyright (C) 2011 Florian Weimer # = bin/mass-bug-filer = @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 from __future__ import print_function import sys = bin/secmaster.py = @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # secmaster -- access to data on security-master.debian.org # Copyright (C) 2011 Florian Weimer # = check-external/unknown-packages.py = @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 import urllib2 import SOAPpy import os = data/DTSA/dtsa = @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 import sys, getopt, os, glob View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44ec51aaee9146d7f53b74ccec6c715afc005434 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44ec51aaee9146d7f53b74ccec6c715afc005434 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
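Review bot: pinning the hashbangs to /usr/bin/python2 is consistent with what the files import (check-external/unknown-packages.py pulls in urllib2 and SOAPpy, which have no Python 3 counterparts), so this is the right interim step. The follow-up question in the commit message, whether these scripts are still useful or should be removed, lives only in the commit message; a short comment under each hashbang, or a tracked TODO, would keep that decision from being forgotten once the diff scrolls out of view.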
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-8244/node-bl as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ffe4b151 by Salvatore Bonaccorso at 2020-08-31T12:09:07+02:00 Mark CVE-2020-8244/node-bl as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39464,6 +39464,7 @@ CVE-2020-8245 RESERVED CVE-2020-8244 (A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and ...) - node-bl (bug #969309) + [buster] - node-bl (Minor issue) NOTE: https://hackerone.com/reports/966347 NOTE: https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190 CVE-2020-8243 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffe4b15147d826fb9bb7b871ae414f01e508cb64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffe4b15147d826fb9bb7b871ae414f01e508cb64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed fix for CVE-2020-11061/bacula via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72c8518d by Salvatore Bonaccorso at 2020-08-31T11:43:10+02:00 Track proposed fix for CVE-2020-11061/bacula via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -52,3 +52,5 @@ CVE-2020-14404 [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u4 CVE-2020-14405 [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u4 +CVE-2020-11061 + [buster] - bacula 9.4.2-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c8518d744d1e72bb729475ea92fb0792920655 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c8518d744d1e72bb729475ea92fb0792920655 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: retake firefox-esr, update notes on ESR 78 progress
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1afaecbc by Emilio Pozuelo Monfort at 2020-08-31T11:21:50+02:00 lts: retake firefox-esr, update notes on ESR 78 progress - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,9 +69,9 @@ f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20200720: working on ESR 78 backport. (pochu) - NOTE: 20200810: backported llvm 10, looking into wasi-libc and rustc/cargo (pochu) + NOTE: 20200831: backported llvm 10 and wasi-libc, looking into rustc/cargo (pochu) -- fossil (Mike Gabriel) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1afaecbc0b8081e01a5876299fc1604f267f16ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1afaecbc0b8081e01a5876299fc1604f267f16ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-13941,lucene-solr: Mark as ignored for Stretch and Buster.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f0e367a3 by Markus Koschany at 2020-08-31T10:56:03+02:00 CVE-2020-13941,lucene-solr: Mark as ignored for Stretch and Buster. Remove lucene-solr from dla-needed.txt. CVE-2020-13941 is about adding a new parameter to the CoreAdminAPI that validates whether a user is allowed to write or read data to or from a different directory than the default dataDir directory. In Debian the default dataDir directory is /var/lib/solr/data. This is specified in /etc/solr/conf/solrconfig.xml. See also set-data-dir.patch and solr-common.README.Debian. The only way to change that is to edit /etc/solr/conf/solrconfig.xml. The value in solrconfig.xml overrides any dataDir value that is passed to the dynamic core admin interface. That means that only system administrators should be able to change that value. This makes CVE-2020-13941 a rather minor issue for Debian and backporting the new configuration option does not seem strictly necessary. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -23679,6 +23679,8 @@ CVE-2020-13942 RESERVED CVE-2020-13941 (Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), rel ...) - lucene-solr + [buster] - lucene-solr (Minor issue) + [stretch] - lucene-solr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/08/15/1 NOTE: https://issues.apache.org/jira/browse/SOLR-14561 NOTE: https://github.com/apache/lucene-solr/commit/936b9d770e769c9018a9f408d576f52e7c4e8be2 = data/dla-needed.txt = 
@@ -102,8 +102,6 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -lucene-solr (Markus Koschany) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e367a3d1e318d240b4e758b7d142f91a045b98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e367a3d1e318d240b4e758b7d142f91a045b98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
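Review bot: the detailed rationale for treating CVE-2020-13941 as minor (Debian pins dataDir in /etc/solr/conf/solrconfig.xml via set-data-dir.patch, and that value overrides whatever the core admin interface is passed) is only in the commit message; the data/CVE/list hunk adds just "(Minor issue)" for buster and stretch. A NOTE line next to the existing upstream references, summarising that the packaged solrconfig.xml overrides the dataDir parameter, would let a later triager verify the decision without digging through git history. Note also that the commit title says "Mark as ignored" while the rendered lines show only "(Minor issue)", the same form other commits on this page use for no-dsa; if an ignored marker was intended, confirm it is actually present in the file, as angle-bracket markers do not survive this rendering.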
[Git][security-tracker-team/security-tracker][master] refpolicy n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d5fdb6d1 by Moritz Muehlenhoff at 2020-08-31T10:52:43+02:00 refpolicy n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -850,7 +850,9 @@ CVE-2020-24613 (wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_ - wolfssl NOTE: https://research.nccgroup.com/2020/08/24/technical-advisory-wolfssl-tls-1-3-client-man-in-the-middle-attack/ CVE-2020-24612 (An issue was discovered in the selinux-policy (aka Reference Policy) p ...) - TODO: check + - refpolicy (Debian package doesn't ship pam-u2f config) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1860888 + NOTE: https://github.com/fedora-selinux/selinux-policy/commit/71e1989028802c7875d3436fd3966c587fa383fb CVE-2020-24611 RESERVED CVE-2020-24610 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5fdb6d1041a88fc9c5b60da6ae87e9e7a96e35e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5fdb6d1041a88fc9c5b60da6ae87e9e7a96e35e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
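Review bot: the commit title says "refpolicy n/a", but as rendered the new line reads "- refpolicy (Debian package doesn't ship pam-u2f config)" with no visible not-affected marker, which in data/CVE/list syntax would be read as an open, unfixed issue with a comment. If the marker was written in angle brackets it has been stripped by this rendering; otherwise the entry needs the not-affected marker so the parenthetical is recorded as the reason rather than as a note on an unfixed package. The two reference NOTE lines (Red Hat bug and the fedora-selinux commit) are a good addition either way.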
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-claim guacamole-client
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a3d8dbe6 by Mike Gabriel at 2020-08-31T10:31:18+02:00 data/dla-needed.txt: re-claim guacamole-client - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ golang-go.crypto -- golang-golang-x-net-dev -- -guacamole-client +guacamole-client (Mike Gabriel) -- imagemagick (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3d8dbe6030a3b7fa8cba6f9e955dc9ed0daacb9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3d8dbe6030a3b7fa8cba6f9e955dc9ed0daacb9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 41b7929a by security tracker role at 2020-08-31T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2020-25033 (The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for ...) + TODO: check +CVE-2020-25032 (An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) ...) + TODO: check +CVE-2020-25031 (checkinstall 1.6.2, when used to create a package that contains a syml ...) + TODO: check CVE-2020-25030 RESERVED CVE-2020-25029 @@ -1642,7 +1648,7 @@ CVE-2020-24241 (In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-fr NOTE: https://github.com/netwide-assembler/nasm/commit/6ac6ac57e3d01ea8ed4ea47706eb724b59176461 NOTE: https://github.com/netwide-assembler/nasm/commit/78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c NOTE: Crash in CLI tool, no security impact -CVE-2020-24240 (GNU Bison 3.7 has a use after free (UAF) vulnerability. A local attack ...) +CVE-2020-24240 (GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/ob ...) - bison (unimportant) NOTE: https://github.com/akimd/bison/commit/be95a4fe2951374676efc9454ffee8638faaf68d (v3.7.1) NOTE: https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html @@ -1917,8 +1923,8 @@ CVE-2020-24106 RESERVED CVE-2020-24105 RESERVED -CVE-2020-24104 - RESERVED +CVE-2020-24104 (XSS on the PIX-Link Repeater/Router LV-WR07 with firmware v28K.Router. ...) + TODO: check CVE-2020-24103 RESERVED CVE-2020-24102 
@@ -22505,11 +22511,13 @@ CVE-2020-14363 [Double free in libX11 locale handling code] NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d CVE-2020-14362 RESERVED + {DLA-2359-1} - xorg-server NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc CVE-2020-14361 RESERVED + {DLA-2359-1} - xorg-server NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787 @@ -22560,16 +22568,19 @@ CVE-2020-14348 RESERVED NOT-FOR-US: AMQ Online CVE-2020-14347 (A flaw was found in the way xserver memory was not properly initialize ...) + {DLA-2359-1} - xorg-server (bug #968986) NOTE: https://lists.x.org/archives/xorg-announce/2020-July/003051.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816 CVE-2020-14346 RESERVED + {DLA-2359-1} - xorg-server NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff CVE-2020-14345 RESERVED + {DLA-2359-1} - xorg-server NOTE: https://lists.x.org/archives/xorg-announce/2020-August/003058.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d 
@@ -39846,8 +39857,8 @@ CVE-2020-8099 (A vulnerability in the improper handling of junctions in Bitdefen NOT-FOR-US: Bitdefender Antivirus Free CVE-2020-8098 RESERVED -CVE-2020-8097 - RESERVED +CVE-2020-8097 (An improper authentication vulnerability in Bitdefender Endpoint Secur ...) + TODO: check CVE-2020-8096 (Untrusted Search Path vulnerability in Bitdefender High-Level Antimalw ...) NOT-FOR-US: Bitdefender CVE-2020-8095 (A vulnerability in the improper handling of junctions before deletion ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41b7929a81d237d46eb93bb0762509aa8c96add5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41b7929a81d237d46eb93bb0762509aa8c96add5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: data/CVE/list: Mark CVE-2019-12094/php-horde as ignored for all releases of Debian.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 51f575ae by Mike Gabriel at 2020-08-31T10:00:12+02:00 data/CVE/list: Mark CVE-2019-12094/php-horde as ignored for all releases of Debian. cf. https://bugs.horde.org/ticket/14926#c4 - - - - - 33a68a1d by Mike Gabriel at 2020-08-31T10:00:13+02:00 data/CVE/list: Mark CVE-2019-12095/php-horde-trean as ignored for all releases of Debian. cf. https://bugs.horde.org/ticket/14926#c4 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83038,9 +83038,9 @@ CVE-2019-12096 CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 ...) {DLA-2033-1} - php-horde-trean - [buster] - php-horde-trean (Minor issue) - [stretch] - php-horde-trean (Minor issue) - [jessie] - php-horde-trean (Minor issue) + [buster] - php-horde-trean (Minor issue) + [stretch] - php-horde-trean (Minor issue) + [jessie] - php-horde-trean (Minor issue) - php-horde 5.2.21+debian0-1 [buster] - php-horde 5.2.20+debian0-1+deb10u1 [stretch] - php-horde 5.2.13+debian0-1+deb9u1 
@@ -83048,9 +83048,9 @@ CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through NOTE: https://bugs.horde.org/ticket/14926 (for the stored XSS) CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin ...) - php-horde - [buster] - php-horde (Minor issue) - [stretch] - php-horde (Minor issue) - [jessie] - php-horde (Minor issue) + [buster] - php-horde (Minor issue) + [stretch] - php-horde (Minor issue) + [jessie] - php-horde (Minor issue) NOTE: https://bugs.horde.org/ticket/14926 (for the reflected XSS) CVE-2019-12093 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/232bd5ad9baa63af3422edcc4ef97c9cf6cbdb63...33a68a1d8da5bd07a06335fb4f0c4f4e4c1fa299 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/232bd5ad9baa63af3422edcc4ef97c9cf6cbdb63...33a68a1d8da5bd07a06335fb4f0c4f4e4c1fa299 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
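Review bot: in both hunks the removed and added lines are textually identical as rendered ("- [buster] - php-horde-trean (Minor issue)" versus "+ [buster] - php-horde-trean (Minor issue)", and likewise for php-horde), so the actual change, per the commit messages a switch to ignored for all releases, cannot be verified from this view; most likely the ignored marker is written in angle brackets and was stripped by the rendering. Worth double-checking the committed file, and since both commits point at https://bugs.horde.org/ticket/14926#c4 for the justification, a NOTE line referencing comment 4 next to the existing ticket references would make the reason for ignoring visible in the data itself rather than only in the commit log.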
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-8244/node-bl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 232bd5ad by Salvatore Bonaccorso at 2020-08-31T09:08:24+02:00 Add Debian bug reference for CVE-2020-8244/node-bl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39448,7 +39448,7 @@ CVE-2020-8246 CVE-2020-8245 RESERVED CVE-2020-8244 (A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and ...) - - node-bl + - node-bl (bug #969309) NOTE: https://hackerone.com/reports/966347 NOTE: https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190 CVE-2020-8243 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/232bd5ad9baa63af3422edcc4ef97c9cf6cbdb63 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/232bd5ad9baa63af3422edcc4ef97c9cf6cbdb63 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits