[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: a0f2dc9f by Holger Levsen at 2020-11-02T08:01:22+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,7 +125,7 @@ pluxml -- poppler (Markus Koschany) -- -python3.5 (Thorsten Alteholz) +python3.5 NOTE: 20201011: testing package NOTE: 20201018: recovering from a broken computer :-( -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0f2dc9f0da6159e683ce069877f95b25d61dc51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0f2dc9f0da6159e683ce069877f95b25d61dc51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
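Review bot: the two NOTE lines left under python3.5 (20201011 "testing package", 20201018 "recovering from a broken computer") now describe the status of a claimant whose name has just been removed, and neither carries the handle suffix the rest of this file uses (compare "(abhijith)", "(bunk)", "(utkarsh)" on other entries). Add a dated line such as "NOTE: 20201102: unclaimed after 2 weeks of inactivity" so the next claimant sees the history without reading git log, and consider attributing the older notes to their author.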
[Git][security-tracker-team/security-tracker][master] Marked CVE-2018-19352 as not-affected. Vulnerable code introduced
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 3892e3d4 by Abhijith PA at 2020-11-02T12:27:47+05:30 Marked CVE-2018-19352 as not-affected. Vulnerable code introduced after 4.2.3 (stretch version). See commit https://github.com/jupyter/notebook/commit/9ce534c020da37e6c8367884133eece5efc9ca82 Remove no-dsa tag for CVE-2018-8768 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -125418,6 +125418,7 @@ CVE-2018-19353 (The ansilove_ansi function in loaders/ansi.c in libansilove 1.0. NOT-FOR-US: libansilove CVE-2018-19352 (Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name ...) - jupyter-notebook 5.7.4-1 (bug #917408) + [stretch] - jupyter-notebook (Vulnerable code not present) NOTE: https://github.com/jupyter/notebook/commit/288b73e1edbf527740e273fcc69b889460871648 CVE-2018-19351 (Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook bec ...) - jupyter-notebook 5.7.4-1 (bug #917409) @@ -154186,7 +154187,6 @@ CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the Json NOT-FOR-US: authentikat-jwt CVE-2018-8768 (In Jupyter Notebook before 5.4.1, a maliciously forged notebook file c ...) - jupyter-notebook 5.4.1-1 (bug #893436) - [stretch] - jupyter-notebook (Minor issue) - ipython 5.1.0-2 [jessie] - ipython (Minor issue) [wheezy] - ipython (Too invasive to fix) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3892e3d41ad137d12c43eeaf1d23579702e4ca5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3892e3d41ad137d12c43eeaf1d23579702e4ca5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
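Review bot: the stretch not-affected line in the first hunk justifies itself only with "(Vulnerable code not present)", while the evidence, the upstream commit that introduced the code after 4.2.3 (https://github.com/jupyter/notebook/commit/9ce534c020da37e6c8367884133eece5efc9ca82), exists only in the commit message. Add it as a NOTE next to the existing NOTE for the fix commit (288b73e1...) so the claim can be re-checked from data/CVE/list alone. In the second hunk, dropping "[stretch] - jupyter-notebook (Minor issue)" for CVE-2018-8768 reopens stretch for that issue, which fits the package now being claimed in dla-needed.txt; the jessie and wheezy ipython lines beneath it keep their old no-dsa reasons and may deserve the same second look.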
[Git][security-tracker-team/security-tracker][master] Add wordpress to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c76a7782 by Salvatore Bonaccorso at 2020-11-02T07:50:42+01:00 Add wordpress to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -29,6 +29,8 @@ netty -- pdns-recursor -- +wordpress +-- xcftools Hugo proposed to work on this update -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c76a77829dcb73ff3e95b9e0012e5cfdcf49f114 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c76a77829dcb73ff3e95b9e0012e5cfdcf49f114 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
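Review bot: the new wordpress entry is added with no claimant and no NOTE, unlike the neighbouring xcftools entry ("Hugo proposed to work on this update"). Since the nine CVE-2020-280xx wordpress entries were tied to bug #973562 earlier the same morning, a one-line NOTE pointing at that bug, or at the 5.5.2 release announcement already cited in data/CVE/list, would save whoever picks this up a lookup.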
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for wordpress issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31e47650 by Salvatore Bonaccorso at 2020-11-02T06:40:34+01:00 Add Debian bug reference for wordpress issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -11,38 +11,38 @@ CVE-2020-28042 (ServiceStack before 5.9.2 mishandles JWT signature verification CVE-2020-28041 (The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 ...) NOT-FOR-US: Netgear CVE-2020-28040 (WordPress before 5.5.2 allows CSRF attacks that change a theme's backg ...) - - wordpress + - wordpress (bug #973562) NOTE: https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ CVE-2020-28039 (is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 al ...) - - wordpress + - wordpress (bug #973562) NOTE: https://github.com/WordPress/wordpress-develop/commit/d5ddd6d4be1bc9fd16b7796842e6fb26315705ad NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ NOTE: https://wpscan.com/vulnerability/10452 CVE-2020-28038 (WordPress before 5.5.2 allows stored XSS via post slugs. ...) - - wordpress + - wordpress (bug #973562) NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ CVE-2020-28037 (is_blog_installed in wp-includes/functions.php in WordPress before 5.5 ...) - - wordpress + - wordpress (bug #973562) NOTE: https://github.com/WordPress/wordpress-develop/commit/2ca15d1e5ce70493c5c0c096ca0c76503d6da07c NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ NOTE: https://wpscan.com/vulnerability/10450 CVE-2020-28036 (wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allow ...) - - wordpress + - wordpress (bug #973562) NOTE: https://github.com/WordPress/wordpress-develop/commit/c9e6b98968025b1629015998d12c3102165a7d32 NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ NOTE: https://wpscan.com/vulnerability/10449 CVE-2020-28035 (WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC ...) 
- - wordpress + - wordpress (bug #973562) NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ CVE-2020-28034 (WordPress before 5.5.2 allows XSS associated with global variables. ...) - - wordpress + - wordpress (bug #973562) NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ CVE-2020-28033 (WordPress before 5.5.2 mishandles embeds from disabled sites on a mult ...) - - wordpress + - wordpress (bug #973562) NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ CVE-2020-28032 (WordPress before 5.5.2 mishandles deserialization requests in wp-inclu ...) - - wordpress + - wordpress (bug #973562) NOTE: https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 NOTE: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ NOTE: https://wpscan.com/vulnerability/10446 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31e4765002100164c64dc4d7e996cd40cff355ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31e4765002100164c64dc4d7e996cd40cff355ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
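Review bot: all nine entries gain "(bug #973562)" but none records a fixed version, so unstable still shows as vulnerable for every one of them, and no [buster] or [stretch] line is added, so the stable and LTS status remains undecided as well. If the 5.5.2-based upload is in progress that is expected; otherwise a follow-up commit adding the version once it lands, plus buster/stretch triage lines, completes the picture. Several of the entries (CVE-2020-28038, -28035, -28034, -28033) cite only the release announcement and no upstream commit, so the backporter will have to bisect those from the 5.5.2 diff.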
[Git][security-tracker-team/security-tracker][master] CVE-2020-15250,junit4: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e63f8e2 by Markus Koschany at 2020-11-01T22:35:17+01:00 CVE-2020-15250,junit4: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27623,7 +27623,7 @@ CVE-2020-15251 (In the Channelmgnt plug-in for Sopel (a Python IRC bot) before v NOT-FOR-US: Channelmgnt plug-in for Sopel CVE-2020-15250 (In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryF ...) {DLA-2426-1} - - junit4 (bug #972231) + - junit4 4.13.1-1 (bug #972231) NOTE: https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp NOTE: https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae CVE-2020-15249 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e63f8e26c9a428e09bdc7e8c31c7da9b5cca415 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e63f8e26c9a428e09bdc7e8c31c7da9b5cca415 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
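Review bot: the fixed version 4.13.1-1 closes unstable and {DLA-2426-1} covers stretch, but there is no [buster] line, so buster is left showing CVE-2020-15250 as open with neither a no-dsa reason nor a dsa-needed entry. Add a "[buster] - junit4 (...)" triage line or queue it in dsa-needed.txt so the entry does not sit half-triaged.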
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e40e2f6a by Salvatore Bonaccorso at 2020-11-01T21:28:08+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2020-28046 (An issue was discovered in ProlinOS through 2.4.161.8859R. An attacker ...) - TODO: check + NOT-FOR-US: ProlinOS CVE-2020-28045 (An unsigned-library issue was discovered in ProlinOS through 2.4.161.8 ...) - TODO: check + NOT-FOR-US: ProlinOS CVE-2020-28044 (An attacker with physical access to a PAX Point Of Sale device with Pr ...) - TODO: check + NOT-FOR-US: ProlinOS CVE-2020-28043 (MISP through 2.4.133 allows SSRF in the REST client via the use_full_p ...) - TODO: check + NOT-FOR-US: MISP CVE-2020-28042 (ServiceStack before 5.9.2 mishandles JWT signature verification unless ...) TODO: check CVE-2020-28041 (The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e40e2f6a42deb71aace87cc12f195aa8f881db17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e40e2f6a42deb71aace87cc12f195aa8f881db17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
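Review bot: the four TODO: check entries resolved here leave CVE-2020-28042 (ServiceStack before 5.9.2, JWT signature verification) at TODO: check in the same hunk. ServiceStack is a .NET web framework that is not packaged in Debian, so it most likely belongs in the same NOT-FOR-US pass; confirm and mark it rather than leaving one stray TODO at the top of the file.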
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b436b08 by security tracker role at 2020-11-01T20:10:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2020-28046 (An issue was discovered in ProlinOS through 2.4.161.8859R. An attacker ...) + TODO: check +CVE-2020-28045 (An unsigned-library issue was discovered in ProlinOS through 2.4.161.8 ...) + TODO: check +CVE-2020-28044 (An attacker with physical access to a PAX Point Of Sale device with Pr ...) + TODO: check +CVE-2020-28043 (MISP through 2.4.133 allows SSRF in the REST client via the use_full_p ...) + TODO: check CVE-2020-28042 (ServiceStack before 5.9.2 mishandles JWT signature verification unless ...) TODO: check CVE-2020-28041 (The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 ...) @@ -5235,8 +5243,8 @@ CVE-2020-25851 RESERVED CVE-2020-25850 RESERVED -CVE-2020-25849 - RESERVED +CVE-2020-25849 (MailGates and MailAudit products contain Command Injection flaw, which ...) + TODO: check CVE-2020-25848 RESERVED CVE-2020-25847 @@ -27614,6 +27622,7 @@ CVE-2020-15252 (In XWiki before version 12.5 and 11.10.6, any user with SCRIPT r CVE-2020-15251 (In the Channelmgnt plug-in for Sopel (a Python IRC bot) before version ...) NOT-FOR-US: Channelmgnt plug-in for Sopel CVE-2020-15250 (In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryF ...) + {DLA-2426-1} - junit4 (bug #972231) NOTE: https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp NOTE: https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae 
@@ -30084,7 +30093,7 @@ CVE-2020-14356 (A flaw null pointer dereference in the Linux kernel cgroupv2 sub [buster] - linux 4.19.146-1 NOTE: Fixed by: https://git.kernel.org/linus/ad0f75e5f57ccbceec13274e1e242f2b5a6397ed CVE-2020-14355 (Multiple buffer overflow vulnerabilities were found in the QUIC image ...) - {DSA-4771-1} + {DSA-4771-1 DLA-2428-1 DLA-2427-1} - spice 0.14.3-2 (bug #971750) - spice-gtk (bug #971751) [buster] - spice-gtk (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b436b08d0b7eb04a5a6f7cda14b42bb4099d14f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b436b08d0b7eb04a5a6f7cda14b42bb4099d14f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
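Review bot: in the last hunk CVE-2020-14355 now carries {DSA-4771-1 DLA-2428-1 DLA-2427-1}, i.e. stretch has both spice and spice-gtk fixed, while the line directly below still reads "[buster] - spice-gtk (Minor issue)". Stretch fixing what buster declares minor is not wrong in itself, but the buster spice-gtk decision is worth revisiting now that a backport exists. In the second hunk, the newly unreserved CVE-2020-25849 (MailGates and MailAudit, command injection) describes a commercial mail gateway product and is a candidate for NOT-FOR-US in the next triage pass, to be confirmed.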
[Git][security-tracker-team/security-tracker][master] Add CVE-202-2567{0,1,2,3}/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b407c16 by Salvatore Bonaccorso at 2020-11-01T18:01:45+01:00 Add CVE-202-2567{0,1,2,3}/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5650,12 +5650,20 @@ CVE-2020-25674 RESERVED CVE-2020-25673 RESERVED + - linux + NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25672 RESERVED + - linux + NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25671 RESERVED + - linux + NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25670 RESERVED + - linux + NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25669 RESERVED CVE-2020-25668 [concurrency use-after-free in vt] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b407c1660675d9d6137e34e3bff1916bb48297a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b407c1660675d9d6137e34e3bff1916bb48297a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
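Review bot: the commit subject reads CVE-202-2567{0,1,2,3}, one digit short; the entries touched are CVE-2020-25670 to CVE-2020-25673. In the hunk each of the four stays a bare RESERVED with "- linux" and the oss-security URL and no bracketed summary, whereas the neighbouring CVE-2020-25668 [concurrency use-after-free in vt] shows the convention for reserved entries in this file. Adding the short descriptions from the oss-security post lets triagers assess the four without following the link.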
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2428-1 for spice-gtk
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: e7eeb0b8 by Utkarsh Gupta at 2020-11-01T22:19:18+05:30 Reserve DLA-2428-1 for spice-gtk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Nov 2020] DLA-2428-1 spice-gtk - security update + {CVE-2020-14355} + [stretch] - spice-gtk 0.33-3.3+deb9u2 [01 Nov 2020] DLA-2427-1 spice - security update {CVE-2020-14355} [stretch] - spice 0.12.8-2.1+deb9u4 = data/dla-needed.txt = @@ -177,10 +177,6 @@ slirp NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). -- -spice-gtk (Utkarsh) - NOTE: 20201027: already uploaded to jessie, was waiting to hear back if there's regression. - NOTE: 20201027: will upload soon to stretch as well. (utkarsh) --- sympa NOTE: 20201007: I issued DLA-2401-1 to address overdue critical vulnerability. NOTE: 20201007: Lesser issues should pop up soon following work with upstream: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7eeb0b8107a47d2ecbbcb5d0f1fe6db521d780b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7eeb0b8107a47d2ecbbcb5d0f1fe6db521d780b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
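Review bot: the removed dla-needed.txt block carried "already uploaded to jessie, was waiting to hear back if there's regression"; dropping it means the open jessie regression question is no longer recorded anywhere in this file. The stretch side is complete (DLA-2428-1, spice-gtk 0.33-3.3+deb9u2), so if the jessie status lives in the ELTS tracker instead this is fine; otherwise a short NOTE somewhere would preserve it.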
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2427-1 for spice
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 73a2c546 by Utkarsh Gupta at 2020-11-01T22:18:51+05:30 Reserve DLA-2427-1 for spice - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Nov 2020] DLA-2427-1 spice - security update + {CVE-2020-14355} + [stretch] - spice 0.12.8-2.1+deb9u4 [01 Nov 2020] DLA-2426-1 junit4 - security update {CVE-2020-15250} [stretch] - junit4 4.12-4+deb9u1 = data/dla-needed.txt = @@ -177,10 +177,6 @@ slirp NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). -- -spice (Utkarsh) - NOTE: 20201027: already uploaded to jessie, was waiting to hear back if there's regression. - NOTE: 20201027: will upload soon to stretch as well. (utkarsh) --- spice-gtk (Utkarsh) NOTE: 20201027: already uploaded to jessie, was waiting to hear back if there's regression. NOTE: 20201027: will upload soon to stretch as well. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73a2c54612a5c3797ab28f1e5cde2dddf3b0d986 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73a2c54612a5c3797ab28f1e5cde2dddf3b0d986 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim jupyter-notebook
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b9bb599 by Abhijith PA at 2020-11-01T22:08:48+05:30 data/dla-needed.txt: Claim jupyter-notebook - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,7 +81,7 @@ guacamole-server (Markus Koschany) NOTE: guacamole-client. Backporting the upstream patch seems viable. NOTE: release will be this week -- -jupyter-notebook +jupyter-notebook (Abhijith PA) NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- lemonldap-ng View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b9bb59907df8d9e94e2f73ca8a3ab430c745fb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b9bb59907df8d9e94e2f73ca8a3ab430c745fb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
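Review bot: the claim adds "(Abhijith PA)" but no dated NOTE, while the only context on the entry is lamby's 20200711 note "Vulnerable to (at least) CVE-2018-19351". Other claims in this file record the plan or status with a dated, signed line; a "NOTE: 20201101: ..." listing which open jupyter-notebook CVEs are in scope for stretch would help, especially since "(at least)" leaves that list open.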
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2426-1 for junit4
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: d853e4ab by Abhijith PA at 2020-11-01T21:45:35+05:30 Reserve DLA-2426-1 for junit4 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Nov 2020] DLA-2426-1 junit4 - security update + {CVE-2020-15250} + [stretch] - junit4 4.12-4+deb9u1 [01 Nov 2020] DLA-2425-1 openldap - security update [stretch] - openldap 2.4.44+dfsg-5+deb9u5 [31 Oct 2020] DLA-2424-1 tzdata - new upstream version = data/dla-needed.txt = @@ -81,8 +81,6 @@ guacamole-server (Markus Koschany) NOTE: guacamole-client. Backporting the upstream patch seems viable. NOTE: release will be this week -- -junit4 (Abhijith PA) --- jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d853e4ab1545a8d561a034bcca674b1a9c819493 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d853e4ab1545a8d561a034bcca674b1a9c819493 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
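Review bot: the new DLA-2426-1 junit4 entry is complete ({CVE-2020-15250}, stretch 4.12-4+deb9u1). In the context just below it, DLA-2425-1 openldap has no {CVE-...} line at all; that matches the still-unassigned "CVE-2020- [vulnerability with slapd normalization handling with modrdn]" placeholder in data/CVE/list, so remember to add the identifier here once it is assigned, otherwise the automatic {DLA-2425-1} cross-reference never reaches the CVE entry.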
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-5991/nvidia-cuda-toolkit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cfe76abc by Salvatore Bonaccorso at 2020-11-01T15:54:46+01:00 Add Debian bug reference for CVE-2020-5991/nvidia-cuda-toolkit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53013,7 +53013,7 @@ CVE-2020-5993 CVE-2020-5992 RESERVED CVE-2020-5991 (NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerab ...) - - nvidia-cuda-toolkit + - nvidia-cuda-toolkit (bug #973543) [buster] - nvidia-cuda-toolkit (Non-free not supported) [stretch] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5094 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfe76abcc8819b5eb2b372d17c5be654918dd958 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfe76abcc8819b5eb2b372d17c5be654918dd958 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-25659/python-cryptography
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61bbafa7 by Salvatore Bonaccorso at 2020-11-01T15:52:54+01:00 Track fixed version for CVE-2020-25659/python-cryptography - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5680,7 +5680,7 @@ CVE-2020-25660 RESERVED CVE-2020-25659 [bleichenbacher timing oracle attack against RSA decryption] RESERVED - - python-cryptography (bug #973247) + - python-cryptography 3.2.1-1 (bug #973247) [stretch] - python-cryptography (Minor issue; risk of regression & marginal benefit) NOTE: https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1889988 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61bbafa71378264e4e585573cc2169fdf889e465 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61bbafa71378264e4e585573cc2169fdf889e465 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
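Review bot: 3.2.1-1 is recorded for unstable and stretch is marked "Minor issue; risk of regression & marginal benefit", but buster has no line, so buster is still shown as vulnerable to the Bleichenbacher timing oracle with no decision recorded. The stretch reasoning (regression risk versus the marginal benefit of a timing-side-channel fix) applies to buster equally; add a [buster] line one way or the other.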
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2020-25739/ruby-gon
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b08823be by Salvatore Bonaccorso at 2020-11-01T14:30:46+01:00 Add fixed version via unstable for CVE-2020-25739/ruby-gon - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5510,7 +5510,7 @@ CVE-2020-25740 RESERVED CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...) {DLA-2380-1} - - ruby-gon (bug #970938) + - ruby-gon 6.4.0-1 (bug #970938) [buster] - ruby-gon (Minor issue) NOTE: https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7 CVE-2020-25738 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b08823be5519de4b651f21462d300b820a40c8be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b08823be5519de4b651f21462d300b820a40c8be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-5991/nvidia-cude-toolkit as ignored for stretch
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: c0724959 by Utkarsh Gupta at 2020-11-01T17:13:56+05:30 Mark CVE-2020-5991/nvidia-cude-toolkit as ignored for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53015,6 +53015,7 @@ CVE-2020-5992 CVE-2020-5991 (NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerab ...) - nvidia-cuda-toolkit [buster] - nvidia-cuda-toolkit (Non-free not supported) + [stretch] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5094 CVE-2020-5990 (NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a ...) NOT-FOR-US: NVIDIA GeForce Experience View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c07249597efd31056df5252f109b817a42b4723b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c07249597efd31056df5252f109b817a42b4723b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
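Review bot: the commit subject misspells the package as nvidia-cude-toolkit; the data line itself is correct. With this change "(Non-free not supported)" appears on both [buster] and [stretch] for CVE-2020-5991, which is consistent; nothing further needed in the hunk.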
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-26566/motion as not-affected for stretch
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 309279be by Utkarsh Gupta at 2020-11-01T17:09:41+05:30 Mark CVE-2020-26566/motion as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3706,6 +3706,7 @@ CVE-2020-26567 (An issue was discovered on D-Link DSR-250N before 3.17B devices. CVE-2020-26566 (A Denial of Service condition in Motion-Project Motion 3.2 through 4.3 ...) - motion (bug #972986) [buster] - motion (Vulnerable code introduced in 4.2) + [stretch] - motion (Vulnerable code introduced in 4.2) NOTE: https://github.com/Motion-Project/motion/security/advisories/GHSA-6f7x-grw7-fw24 NOTE: https://github.com/Motion-Project/motion/issues/1227#issuecomment-715927776 NOTE: https://github.com/Motion-Project/motion/pull/1232 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/309279bef7a0bf305da2af6f48e92b46dfdaf350 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/309279bef7a0bf305da2af6f48e92b46dfdaf350 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage python-cryptography, blueman, and wordpress
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: e9d04c2d by Utkarsh Gupta at 2020-11-01T17:07:36+05:30 Triage python-cryptography, blueman, and wordpress - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5680,6 +5680,7 @@ CVE-2020-25660 CVE-2020-25659 [bleichenbacher timing oracle attack against RSA decryption] RESERVED - python-cryptography (bug #973247) + [stretch] - python-cryptography (Minor issue; risk of regression & marginal benefit) NOTE: https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1889988 NOTE: https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 (3.2) = data/dla-needed.txt = @@ -28,6 +28,8 @@ ark NOTE: 20200907: patch https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes (abhijith) NOTE: 20200921: CLI works but GUI not, It seems the fix is not compatible with the old architecture (abhijith) -- +blueman +-- brotli (Roberto C. Sánchez) NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto) -- 
@@ -200,6 +202,8 @@ wireshark (Adrian Bunk) NOTE: 20201026: will backport 2.6.8-1.1 first, and then try to update in the NOTE: 20201026: next buster point release followed by another backport (bunk) -- +wordpress (Utkarsh) +-- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9d04c2dd6b55122522b265ac53cd4b24ee57e24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9d04c2dd6b55122522b265ac53cd4b24ee57e24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
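Review bot: blueman is added to dla-needed.txt with no claimant and no NOTE naming the CVE that puts it there, unlike most entries in this file (compare the dated notes on ark and brotli in the same hunk). Add the CVE identifier as a NOTE so whoever claims it starts from the right entry in data/CVE/list. The wordpress entry at least has a claimant; a NOTE pointing at the 5.5.2 release announcement already cited in data/CVE/list would help in the same way.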
[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0099239 by Salvatore Bonaccorso at 2020-11-01T09:37:59+01:00 Process NFUs - - - - - 309e46a2 by Salvatore Bonaccorso at 2020-11-01T09:38:15+01:00 Add new issues for nextcloud-server (itp'ed) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2020-28042 (ServiceStack before 5.9.2 mishandles JWT signature verification unless ...) TODO: check CVE-2020-28041 (The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-28040 (WordPress before 5.5.2 allows CSRF attacks that change a theme's backg ...) - wordpress NOTE: https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html @@ -25842,7 +25842,7 @@ CVE-2020-15916 (goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 dev CVE-2020-15915 RESERVED CVE-2020-15914 (A cross-site scripting (XSS) vulnerability exists in the Origin Client ...) - TODO: check + NOT-FOR-US: EA Origin Client CVE-2020-15913 RESERVED CVE-2020-15912 (** DISPUTED ** Tesla Model 3 vehicles allow attackers to open a door b ...) 
@@ -27540,15 +27540,15 @@ CVE-2020-15279 CVE-2020-15278 (Red Discord Bot before version 3.4.1 has an unauthorized privilege esc ...) NOT-FOR-US: Red Discord Bot CVE-2020-15277 (baserCMS before version 4.4.1 is affected by Remote Code Execution (RC ...) - TODO: check + NOT-FOR-US: baserCMS CVE-2020-15276 (baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. A ...) - TODO: check + NOT-FOR-US: baserCMS CVE-2020-15275 RESERVED CVE-2020-15274 (In Wiki.js before version 2.5.162, an XSS payload can be injected in a ...) NOT-FOR-US: Wiki.js CVE-2020-15273 (baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. T ...) - TODO: check + NOT-FOR-US: baserCMS CVE-2020-15272 (In the git-tag-annotation-action (open source GitHub Action) before ve ...) NOT-FOR-US: git-tag-annotation-action CVE-2020-15271 (In lookatme (python/pypi package) versions prior to 2.3.0, the package ...) @@ -47200,7 +47200,7 @@ CVE-2020-8238 (A vulnerability in the authenticated user web interface of Pulse CVE-2020-8237 (Prototype pollution in json-bigint npm package < 1.0.0 may lead to ...) NOT-FOR-US: Node json-bigint CVE-2020-8236 (A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the ...) - TODO: check + - nextcloud-server (bug #941708) CVE-2020-8235 (Missing access control in Nextcloud Deck 1.0.4 caused an insecure dire ...) NOT-FOR-US: Nextcloud Deck CVE-2020-8234 (A vulnerability exists in The EdgeMax EdgeSwitch firmware
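Review bot: the nextcloud-server line in the last hunk is "- nextcloud-server (bug #941708)" with no version, which the tracker reads as an unfixed issue in a packaged source, yet the commit message says the package is only ITP'ed. The tracker's convention for that case is the <itp> pseudo-version, i.e. "- nextcloud-server <itp> (bug #941708)", which keeps the ITP bug linked without showing a vulnerable package in unstable. The NOT-FOR-US changes for Netgear, EA Origin Client and baserCMS look right.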
[Git][security-tracker-team/security-tracker][master] Add version for openldap until we can drop it with the CVE assignment
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4360691c by Salvatore Bonaccorso at 2020-11-01T09:17:18+01:00 Add version for openldap until we can drop it with the CVE assignment - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -94,6 +94,7 @@ CVE-2020-28007 CVE-2020- [vulnerability with slapd normalization handling with modrdn] - openldap 2.4.55+dfsg-1 [buster] - openldap 2.4.47+dfsg-3+deb10u3 + [stretch] - openldap 2.4.44+dfsg-5+deb9u5 NOTE: https://bugs.openldap.org/show_bug.cgi?id=9370 NOTE: https://git.openldap.org/openldap/openldap/-/commit/4c774220a752bf8e3284984890dc0931fe73165d CVE-2020-28006 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4360691cb759d1f19f5e0f3525a777fbea5514c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4360691cb759d1f19f5e0f3525a777fbea5514c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
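Review bot: the [stretch] line added in the @@ -94,6 +94,7 @@ hunk sits under a placeholder header (`CVE-2020- [vulnerability with slapd normalization handling with modrdn]`) rather than an assigned id, so the automatic update cannot match this entry against the CVE feed; when the id is assigned, as the commit message anticipates, the buster and stretch version lines and the two NOTE URLs (OpenLDAP bug 9370 and the upstream commit) must be folded into the real CVE entry and the placeholder dropped, otherwise the stretch version 2.4.44+dfsg-5+deb9u5 will be recorded twice. That version matches the one reserved for DLA-2425-1 in data/DLA/list on this page.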
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a4bd8dd by security tracker role at 2020-11-01T08:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2020-28042 (ServiceStack before 5.9.2 mishandles JWT signature verification unless ...) + TODO: check +CVE-2020-28041 (The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 ...) + TODO: check CVE-2020-28040 (WordPress before 5.5.2 allows CSRF attacks that change a theme's backg ...) - wordpress NOTE: https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html @@ -54231,8 +54235,8 @@ CVE-2020-5427 RESERVED CVE-2020-5426 RESERVED -CVE-2020-5425 - RESERVED +CVE-2020-5425 (Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x v ...) + TODO: check CVE-2020-5424 RESERVED CVE-2020-5423 @@ -90297,6 +90301,7 @@ CVE-2019-12297 (An issue was discovered in scopd on Motorola routers CX2 1.01 an CVE-2019-12296 RESERVED CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the ...) + {DLA-2423-1} - wireshark 2.6.8-1.1 (low; bug #929446) [jessie] - wireshark (Minor, can be fixed along in a future update) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778 @@ -94295,7 +94300,7 @@ CVE-2019-10904 (Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi NOTE: https://issues.roundup-tracker.org/issue2551035 NOTE: https://bitbucket.org/python/roundup/commits/51682dc2cd7e28421d749117c25bec58f632ee5f CVE-2019-10903 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DCERPC SP ...) - {DLA-1802-1} + {DLA-2423-1 DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15568 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=eafdcfa4b6d5187a5326442a82608ab03d9dddcb 
@@ -94308,7 +94313,7 @@ CVE-2019-10902 (In Wireshark 3.0.0, the TSDNS dissector could crash. This was ad NOTE: bug was never in Debian apart experimental released versions: NOTE: Dissector introduced in 3.0.0 and CVE fixed in 3.0.1 CVE-2019-10901 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the LDSS diss ...) - {DLA-1802-1} + {DLA-2423-1 DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15620 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cf801a25074f76dc3ae62d8ec53ace75f56ce2cd @@ -94319,7 +94324,7 @@ CVE-2019-10900 (In Wireshark 3.0.0, the Rbm dissector could go into an infinite NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=26eee01f57f0a86fb375892c7937eac24ede4610 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-13.html CVE-2019-10899 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the SRVLOC di ...) - {DLA-1802-1} + {DLA-2423-1 DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15546 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b16fea2f175a3297edac118c8844c7987d31c1cb 
@@ -94335,13 +94340,14 @@ CVE-2019-10897 (In Wireshark 3.0.0, the IEEE 802.11 dissector could go into an i NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=00d5e9e9fb377f52ab7696f25c1dbc011ef0244d NOTE: https://www.wireshark.org/security/wnpa-sec-2019-11.html CVE-2019-10896 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DOF disse ...) + {DLA-2423-1} - wireshark 2.6.8-1 (low; bug #926718) [jessie] - wireshark (vulnerable code is not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15617 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=441b6d9071d6341e58dfe10719375489c5b8e3f0 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-15.html CVE-2019-10895 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the NetScaler ...) - {DLA-1802-1} + {DLA-2423-1 DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15497 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2fbbde780e5d5d82e31dca656217daf278cf62bb @@ -94350,7 +94356,7 @@ CVE-2019-10895 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the Net NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cab0cff6abdd7a5b5b0bfa4ee204eea951e129e9 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-09.html CVE-2019-108
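Review bot: the @@ -1,3 +1,7 @@ hunk imports CVE-2020-28042 and CVE-2020-28041 as TODO: check, which is the expected output of the automatic update; the later commit e0099239 on this page resolves CVE-2020-28041 to NOT-FOR-US while CVE-2020-28042 is still open, so that one needs a manual decision.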
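Review bot: in the @@ -90297,6 +90301,7 @@ hunk CVE-2019-12295 gains {DLA-2423-1} while its jessie line still reads "(Minor, can be fixed along in a future update)"; both can only be true if DLA-2423-1 is a stretch advisory, so check that the DLA-2423-1 entry in data/DLA/list (dated 31 Oct 2020 on this page) carries a [stretch] version and not a jessie one.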
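Review bot: the @@ -94335,13 +94340,14 @@ hunk adds {DLA-2423-1} to CVE-2019-10896, whose jessie line says "(vulnerable code is not present)", and prepends DLA-2423-1 to the existing {DLA-1802-1} on CVE-2019-10895; the same newest-first ordering `{DLA-2423-1 DLA-1802-1}` is used in the -94295, -94308 and -94319 hunks, so the tagging is consistent, but for CVE-2019-10896 the not-present annotation again only squares with the new tag if DLA-2423-1 targets stretch.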
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2425-1 for openldap
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bc621fb by Utkarsh Gupta at 2020-11-01T12:43:50+05:30 Reserve DLA-2425-1 for openldap - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[01 Nov 2020] DLA-2425-1 openldap - security update + [stretch] - openldap 2.4.44+dfsg-5+deb9u5 [31 Oct 2020] DLA-2424-1 tzdata - new upstream version [stretch] - tzdata 2020d-0+deb9u1 [31 Oct 2020] DLA-2423-1 wireshark - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bc621fb7b1d0bf3bcd65edaaec7fa295ee32b27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bc621fb7b1d0bf3bcd65edaaec7fa295ee32b27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
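Review bot: the reservation hunk (@@ -1,3 +1,5 @@) adds the DLA-2425-1 header and the `[stretch] - openldap 2.4.44+dfsg-5+deb9u5` line but no `{CVE-...}` line; that is consistent with the openldap entry in data/CVE/list still being an unassigned CVE-2020- placeholder (commit 4360691c on this page), but the CVE reference has to be added to this entry once the id is assigned, otherwise the advisory cannot be cross-referenced from the CVE entry. The stretch version matches the one added to data/CVE/list in that commit.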