[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-17497/iwd via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f57ebea6 by Salvatore Bonaccorso at 2020-09-05T21:25:54+02:00 Track fixed version for CVE-2020-17497/iwd via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15556,7 +15556,7 @@ CVE-2020-17498 (In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=76afda963de4f0b9be24f2d8e873990a5cbf221b NOTE: https://www.wireshark.org/security/wnpa-sec-2020-10.html CVE-2020-17497 (eapol.c in iNet wireless daemon (IWD) through 1.8 allows attackers to ...) - - iwd (bug #968996) + - iwd 1.9-1 (bug #968996) [buster] - iwd (Minor issue) NOTE: https://lists.01.org/hyperkitty/list/i...@lists.01.org/thread/4GUXL4Z6KZWWZINATGHNJVAEUTS3I7PG/ NOTE: https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=f22ba5aebb569ca54521afd2babdc1f67e3904ea View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f57ebea6f1e7deb1f3d36e46d0ef92467795f040 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f57ebea6f1e7deb1f3d36e46d0ef92467795f040 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
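Review bot: the `+ - iwd 1.9-1 (bug #968996)` line records the unstable fixed version, but the upstream fix reference (the iwd.git commit NOTE) carries no release annotation, so a reader cannot verify from the entry that 1.9 is the first upstream release containing it; the python-pip entry in this same list uses a `(19.2)` suffix on its upstream commit NOTE for exactly that purpose, and the same convention would fit here. The unchanged `[buster] - iwd (Minor issue)` line keeps buster as affected-but-deferred, which matches the "via unstable" scope of the commit.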
[Git][security-tracker-team/security-tracker][master] Claim libxml2 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e248911 by Markus Koschany at 2020-09-05T19:51:36+02:00 Claim libxml2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,6 +86,8 @@ jetty9 (Markus Koschany) jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- +libxml2 (Markus Koschany) +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e2489111ba9adb7775aef83580a88d35a0c6cba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e2489111ba9adb7775aef83580a88d35a0c6cba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
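Review bot: the new `+libxml2 (Markus Koschany)` entry has no dated status line, whereas the neighbouring jupyter-notebook entry documents its state with `NOTE: 20200711: ... (lamby)`; a `NOTE: 20200905: ...` line listing which open CVEs the claim covers would let the next person see both the scope and the age of the claim without digging through data/CVE/list. Placement between jupyter-notebook and linux and the `--` separators are correct.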
[Git][security-tracker-team/security-tracker][master] dla: wordpress: update status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 641d1f88 by Sylvain Beucler at 2020-09-05T18:43:20+02:00 dla: wordpress: update status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -184,6 +184,7 @@ sympa NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh) -- wordpress (Sylvain Beucler) + NOTE: 20200905: backporting new upstream version -- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/641d1f88f81f50702e0ec9497663895b0ad04c51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/641d1f88f81f50702e0ec9497663895b0ad04c51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
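Review bot: the added `NOTE: 20200905: backporting new upstream version` omits the author handle in parentheses that the other status notes in this file end with (`(utkarsh)` and `(hle)` in the surrounding context lines); append the claimant's handle so the note stays attributable if the entry changes hands. Naming the upstream version being backported would also help, since "new upstream version" becomes ambiguous as soon as the next release appears.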
[Git][security-tracker-team/security-tracker][master] Track four CVEs for src:linux fixed via 5.8.7-1 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f1c83412 by Salvatore Bonaccorso at 2020-09-05T17:02:22+02:00 Track four CVEs for src:linux fixed via 5.8.7-1 upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22865,11 +22865,11 @@ CVE-2020-14387 [rsync-ssl does not verify the hostname in the server certificate NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1875549 CVE-2020-14386 [af_packet memory corruption] RESERVED - - linux + - linux 5.8.7-1 NOTE: https://www.openwall.com/lists/oss-security/2020/09/03/3 CVE-2020-14385 [xfs: fix boundary test in xfs_attr_shortform_verify] RESERVED - - linux + - linux 5.8.7-1 [stretch] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/f4020438fab05364018c91f7e02ebdd192085933 CVE-2020-14384 @@ -23142,7 +23142,7 @@ CVE-2020-14315 NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc CVE-2020-14314 [buffer uses out of index in ext3/4 filesystem] RESERVED - - linux + - linux 5.8.7-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853922 NOTE: https://git.kernel.org/linus/5872331b3d91820e14716632ebb56b1399b34fe1 CVE-2020-14313 (An information disclosure vulnerability was found in Red Hat Quay in v ...) 
@@ -26743,7 +26743,7 @@ CVE-2020-12890 CVE-2020-12889 (MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across us ...) NOT-FOR-US: MISP CVE-2020-12888 (The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles atte ...) - - linux + - linux 5.8.7-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1836244 CVE-2020-12887 (Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 ...) NOT-FOR-US: Mbed CoAP (diffrent from src:mbedtls) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1c8341234ec9cb54b378118a0e22a62e2cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1c8341234ec9cb54b378118a0e22a62e2cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
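Review bot: in the first hunk (`@@ -22865`), CVE-2020-14386 gets `- linux 5.8.7-1` with no `[buster]` or `[stretch]` line, so both stable kernels are now tracked as affected pending an update; the CVE-2020-14385 entry directly below it does carry `[stretch] - linux (Vulnerable code introduced later)`, so if the af_packet issue has been triaged for the stable kernels the same kind of annotation belongs here, and if it has not, a NOTE saying so would save a second triage. The same applies to CVE-2020-14314 in the second hunk and CVE-2020-12888 in the third.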
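Review bot: drive-by for the third hunk (`@@ -26743`): the unchanged context line `NOT-FOR-US: Mbed CoAP (diffrent from src:mbedtls)` has a typo ("diffrent"); since this region is being edited anyway it is worth fixing in a follow-up commit.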
[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2019-13389/rainloop
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 53cb0e75 by Salvatore Bonaccorso at 2020-09-05T15:54:23+02:00 Correct tracking for CVE-2019-13389/rainloop The CVE was marked as NFU earlier. But there is src:rainloop for the Rainloop Webmail. The issue was already fixed with the 1.14.0-1 upload to unstable. Fixes: 10cf9cb957ad (Process NFUs) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79918,7 +79918,8 @@ CVE-2019-13390 (In FFmpeg 4.1.3, there is a division by zero at adx_write_traile NOTE: https://trac.ffmpeg.org/ticket/7979 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=aef24efb0c1e65097ab77a4bf9264189bdf3ace3 CVE-2019-13389 (RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as ...) - NOT-FOR-US: RainLoop Webmail + - rainloop 1.14.0-1 + NOTE: https://github.com/RainLoop/rainloop-webmail/commit/8eb4588917b4741889fdd905d4c32e3e86317693 CVE-2019-13388 RESERVED CVE-2019-13387 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, Reflected ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53cb0e75d1406f2e9f01dbfe77ef107ae7e04ac4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53cb0e75d1406f2e9f01dbfe77ef107ae7e04ac4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
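Review bot: the replacement line `+ - rainloop 1.14.0-1` carries no suite annotation, so any rainloop package in buster or stretch now shows as affected; the commit message only establishes the unstable fix (1.14.0-1), so the stable status still needs to be assessed and recorded with a `[buster]`/`[stretch]` line or a bug reference. The added upstream commit NOTE is the right supporting reference, and the `Fixes:` trailer pointing at the earlier NFU commit is good practice.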
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8321ac3b by Salvatore Bonaccorso at 2020-09-05T10:21:36+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -445,9 +445,9 @@ CVE-2020-24989 CVE-2020-24988 RESERVED CVE-2020-24987 (Tenda AC18 Router through V15.03.05.05_EN and through V15.03.05.19(631 ...) - TODO: check + NOT-FOR-US: Tenda AC18 Router CVE-2020-24986 (Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File ...) - TODO: check + NOT-FOR-US: Concrete5 CVE-2020-24985 RESERVED CVE-2020-24984 @@ -457,7 +457,7 @@ CVE-2020-24983 CVE-2020-24982 RESERVED CVE-2020-24981 (An Incorrect Access Control vulnerability exists in /ucms/chk.php in U ...) - TODO: check + NOT-FOR-US: UCMS CVE-2020-24980 (An assertion failure was found in src/parse-gram.c in GNU bison 3.7.1. ...) - bison (unimportant) NOTE: https://github.com/akimd/bison/commit/b801b7b670872b8a31d11b3683b4afc3e45a07f8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8321ac3bb2d8191370bfe0a11071025f9a511fda -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8321ac3bb2d8191370bfe0a11071025f9a511fda You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-20916/python-pip
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4f2e07a by Salvatore Bonaccorso at 2020-09-05T10:16:29+02:00 Add CVE-2019-20916/python-pip - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,9 @@ CVE-2020-25201 CVE-2020-25200 RESERVED CVE-2019-20916 (The pip package before 19.2 for Python allows Directory Traversal when ...) - TODO: check + - python-pip 20.0.2-1 + NOTE: https://github.com/pypa/pip/issues/6413 + NOTE: https://github.com/pypa/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace (19.2) CVE-2020-25199 RESERVED CVE-2020-25198 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4f2e07adb6ea60ba5f34594899f208288988817 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4f2e07adb6ea60ba5f34594899f208288988817 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
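Review bot: `+ - python-pip 20.0.2-1` records the first unstable version with the fix, but the description says the flaw affects "pip before 19.2", so any older python-pip in buster or stretch is now tracked as affected with no `[buster]`/`[stretch]` status line; add the stable assessment (Minor issue, no-dsa, or a bug) so the entry is not left half-triaged. The `(19.2)` annotation on the upstream commit NOTE is helpful and worth keeping as the convention for other entries.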
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c840b418 by security tracker role at 2020-09-05T08:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2020-25202 + RESERVED +CVE-2020-25201 + RESERVED +CVE-2020-25200 + RESERVED +CVE-2019-20916 (The pip package before 19.2 for Python allows Directory Traversal when ...) + TODO: check CVE-2020-25199 RESERVED CVE-2020-25198 @@ -434,10 +442,10 @@ CVE-2020-24989 RESERVED CVE-2020-24988 RESERVED -CVE-2020-24987 - RESERVED -CVE-2020-24986 - RESERVED +CVE-2020-24987 (Tenda AC18 Router through V15.03.05.05_EN and through V15.03.05.19(631 ...) + TODO: check +CVE-2020-24986 (Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File ...) + TODO: check CVE-2020-24985 RESERVED CVE-2020-24984 @@ -446,8 +454,8 @@ CVE-2020-24983 RESERVED CVE-2020-24982 RESERVED -CVE-2020-24981 - RESERVED +CVE-2020-24981 (An Incorrect Access Control vulnerability exists in /ucms/chk.php in U ...) + TODO: check CVE-2020-24980 (An assertion failure was found in src/parse-gram.c in GNU bison 3.7.1. ...) - bison (unimportant) NOTE: https://github.com/akimd/bison/commit/b801b7b670872b8a31d11b3683b4afc3e45a07f8 
@@ -19410,8 +19418,7 @@ CVE-2020-15711 (In MISP before 2.4.129, setting a favourite homepage was not CSR NOT-FOR-US: MISP CVE-2020-15710 RESERVED -CVE-2020-15709 - RESERVED +CVE-2020-15709 (Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20 ...) {DLA-2339-1} - software-properties (bug #968850) [buster] - software-properties (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c840b418300414cfae2796866771f408165872e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c840b418300414cfae2796866771f408165872e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-13802: Reference upstream pull request
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7fdcdd77 by Salvatore Bonaccorso at 2020-09-05T09:15:08+02:00 CVE-2020-13802: Reference upstream pull request - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24465,6 +24465,7 @@ CVE-2020-13803 (An issue was discovered in Foxit PhantomPDF Mac and Foxit Reader NOT-FOR-US: Foxit Reader CVE-2020-13802 (Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command in ...) - rebar3 (bug #824773) + NOTE: https://github.com/erlang/rebar3/pull/2302 TODO: check, whether this affects src:rebar (but the security implications seems a little far-fetched anyway) CVE-2020-13801 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fdcdd7730865a887b1ec6a0c2058e6173602fe3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fdcdd7730865a887b1ec6a0c2058e6173602fe3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track rebar3 itp/rfp bug under two CVEs for Rebar3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98d79aa9 by Salvatore Bonaccorso at 2020-09-05T09:14:00+02:00 Track rebar3 itp/rfp bug under two CVEs for Rebar3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24464,6 +24464,7 @@ CVE-2020-13804 (An issue was discovered in Foxit Reader and PhantomPDF before 9. CVE-2020-13803 (An issue was discovered in Foxit PhantomPDF Mac and Foxit Reader for M ...) NOT-FOR-US: Foxit Reader CVE-2020-13802 (Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command in ...) + - rebar3 (bug #824773) TODO: check, whether this affects src:rebar (but the security implications seems a little far-fetched anyway) CVE-2020-13801 RESERVED @@ -97629,6 +97630,7 @@ CVE-2019-115 (Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cros NOT-FOR-US: Chamilo Chamilo-lms CVE-2019-114 (Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracl ...) - rebar (vulnerable code is not present) + - rebar3 (bug #824773) NOTE: https://github.com/erlang/rebar3/pull/1986 CVE-2019-113 (Hex package manager hex_core version 0.3.0 and earlier contains a Sign ...) NOT-FOR-US: Hex package manager View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98d79aa95098f8a9fadda4f68d37bfb26512f69c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98d79aa95098f8a9fadda4f68d37bfb26512f69c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
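Review bot: both hunks add `- rebar3 (bug #824773)`, but the commit message identifies #824773 as the ITP/RFP bug, meaning rebar3 is not in the archive yet; without the tracker's `<itp>` marker the line reads as an archive package with an unknown fixed version, so it should be `- rebar3 <itp> (bug #824773)` in both the CVE-2020-13802 and CVE-2019-114 entries. In the CVE-2020-13802 hunk the open TODO about src:rebar is still appropriate, since the `vulnerable code is not present` finding in the second hunk applies only to CVE-2019-114.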