[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2021-02-21 Thread Holger Levsen


Holger Levsen pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7cef3ab6 by Holger Levsen at 2021-02-22T08:19:06+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Holger Levsen hol...@layer-acht.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -77,7 +77,7 @@ opendmarc
 --
 php-pear
 --
-python-pysaml2 (Abhijith PA)
+python-pysaml2
 --
 python3.5
   NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard 
library. (lamby)
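Review bot: the unclaim of python-pysaml2 leaves no record of when or why the claim was dropped; the other entries in this file carry dated NOTE lines, so a line such as `NOTE: 20210222: unclaimed after 2 weeks of inactivity` under python-pysaml2 would let the next claimant see the history without consulting the git log.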
@@ -108,7 +108,7 @@ ruby-kaminari
   NOTE: 20201009: This (↑) is an app-level patch for a rails app. A 
library-level patch
   NOTE: 20201009: will needed to be written. Opened an issue at upstream, 
though somewhat inactive. (utkarsh)
 --
-shiro (Roberto C. Sánchez)
+shiro
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)
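Review bot: shiro is unclaimed while its last dated NOTE (20201004) still reports an unanswered request on the upstream dev list; a dated NOTE recording the unclaim and that the upstream request remains outstanding would tell the next claimant where to pick up. The two context lines also carry typos ("reponse", "stil") worth fixing the next time this entry is touched.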



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cef3ab6060793c1b7de1aedb6f74b70178bab76



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] LTS: update notes for xmlbeans

2021-02-21 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0ceb844e by Roberto C. Sánchez at 2021-02-21T22:42:03-05:00
LTS: update notes for xmlbeans

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -124,6 +124,9 @@ subversion (Thorsten Alteholz)
   NOTE: 20210221: solving build problems
 --
 xmlbeans (Roberto C. Sánchez)
+  NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
+  NOTE: 20210222: upstream release with the fix).  Trying to determine how to
+  NOTE: 20210222: implement the changes without introducing too much new code. 
(roberto)
 --
 zeromq3 (Anton Gladky)
 --
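Review bot: the new xmlbeans NOTE refers to "the upstream release with the fix" without naming the CVE being worked on or linking the upstream commit between 2.6.0 and 3.0.0; adding the commit reference to the NOTE would let a reviewer of the eventual backport check it against the same source.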



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ceb844e7e90a0121d1c570e6ab2d08379c0cdee



[Git][security-tracker-team/security-tracker][master] buster triage

2021-02-21 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc55a768 by Moritz Muehlenhoff at 2021-02-21T22:24:20+01:00
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -605,6 +605,7 @@ CVE-2021-27230
 CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim 
navigates ...)
{DLA-2562-1}
- mumble  (bug #982904)
+   [buster] - mumble  (Minor issue)
NOTE: 
https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
NOTE: https://github.com/mumble-voip/mumble/pull/4733
 CVE-2021-27228
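Review bot: the [buster] line tags an issue whose description says "allows remote code execution" as Minor issue with no rationale, while stretch already received DLA-2562-1 for the same CVE; a short reason in the tag would make the different treatment of the two releases easier to follow.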
@@ -17481,24 +17482,28 @@ CVE-2021-20247
 CVE-2021-20246 [Division by zero in ScaleResampleFilter in 
MagickCore/resample.c]
RESERVED
- imagemagick 
+   [buster] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/3195
NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/8d25d94a363b104acd6ff23df7470aeedb806c51
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74
 CVE-2021-20245 [Division by zero in WriteAnimatedWEBPImage() in coders/webp.c]
RESERVED
- imagemagick 
+   [buster] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/3176
NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/ffb683e62ddedc6436a1b88388eb690d7ca57bf2
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca
 CVE-2021-20244 [Division by zero in ImplodeImage in 
MagickCore/visual-effects.c]
RESERVED
- imagemagick 
+   [buster] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/pull/3194
NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d
TODO: check
 CVE-2021-20243 [Division by zero in GetResizeFilterWeight in 
MagickCore/resize.c]
RESERVED
- imagemagick 
+   [buster] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/pull/3193
NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/9751bd619872c8e58609fbed56c4827afa083b40
TODO: check
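Review bot: CVE-2021-20244 and CVE-2021-20243 still carry "TODO: check" and list only an ImageMagick commit, with no ImageMagick6 counterpart as CVE-2021-20246 and CVE-2021-20245 have; tagging buster as Minor issue while the TODO is open leaves the fix reference for the ImageMagick6 branch missing, so either resolve the TODO first or add a NOTE that the ImageMagick6 commit is pending.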
@@ -17508,6 +17513,7 @@ CVE-2021-20242
 CVE-2021-20241 [Division by zero in WriteJP2Image() in coders/jp2.c]
RESERVED
- imagemagick 
+   [buster] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/pull/3177
NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/dd33b451c3e01098efad34bbaca2df78d5391dc8
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc55a768dcc06e99727a4b8ee3430b4bdbd6d315



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-27097/u-boot

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b0e3f876 by Salvatore Bonaccorso at 2021-02-21T21:42:27+01:00
Add Debian bug reference for CVE-2021-27097/u-boot

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -901,7 +901,7 @@ CVE-2021-27099
 CVE-2021-27098
RESERVED
 CVE-2021-27097 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles a 
modified ...)
-   - u-boot 
+   - u-boot  (bug #983270)
[buster] - u-boot  (Minor issue)
[stretch] - u-boot  (Minor issue; can be fixed in next DLA)
NOTE: 
https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e3f876c4bb970366a030be5d168bb9cc306ff7



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-27138/u-boot

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
769fca59 by Salvatore Bonaccorso at 2021-02-21T21:41:39+01:00
Add Debian bug reference for CVE-2021-27138/u-boot

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -808,7 +808,7 @@ CVE-2021-27140 (An issue was discovered on FiberHome 
HG6245D devices through RP2
 CVE-2021-27139 (An issue was discovered on FiberHome HG6245D devices through 
RP2613. I ...)
NOT-FOR-US: FiberHome devices
 CVE-2021-27138 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles 
use of uni ...)
-   - u-boot 
+   - u-boot  (bug #983269)
[buster] - u-boot  (Minor issue)
[stretch] - u-boot  (Minor issue; can be fixed in next DLA)
NOTE: 
https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/769fca59f4d957da7ad7afee5977aa81ebe3ee2b



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-27211/steghide

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f607a0b5 by Salvatore Bonaccorso at 2021-02-21T21:40:57+01:00
Add Debian bug reference for CVE-2021-27211/steghide

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -644,7 +644,7 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x 
through 2.5.1alpha, an asse
NOTE: trunk: 
https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
NOTE: REL_ENG 2.4.x: 
https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
 CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which 
makes it e ...)
-   - steghide 
+   - steghide  (bug #983267)
[buster] - steghide  (Minor issue)
[stretch] - steghide  (Minor issue; can be fixed in next DLA)
NOTE: https://github.com/b4shfire/stegcrack
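Review bot: the only NOTE for CVE-2021-27211 points at the stegcrack attack tool, not at an upstream fix; with both buster and stretch now tagged Minor issue and a bug filed, a NOTE stating whether any upstream fix exists (or that none is known) would save the next triager from re-deriving that.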



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f607a0b55e9bb25fd99f1587e17a91b96ad5167e



[Git][security-tracker-team/security-tracker][master] Update information on CVE-2021-20228/ansible

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c5ad78f by Salvatore Bonaccorso at 2021-02-21T21:39:07+01:00
Update information on CVE-2021-20228/ansible

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17577,9 +17577,11 @@ CVE-2021-20229 [postgres: information leak in some 
select statements]
NOTE: 
https://www.postgresql.org/about/news/postgresql-132-126--1016-9621-and-9525-released-2165/
 CVE-2021-20228 [basic.py no_log with fallback option]
RESERVED
-   - ansible 
+   - ansible 2.10.7-1
+   - ansible-base 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002
-   TODO: check details
+   NOTE: https://github.com/ansible/ansible/pull/73487
+   NOTE: Mark ansible/2.10.7-1 fixing which is moving the code to 
ansible-base
 CVE-2021-20227
RESERVED
- sqlite3 3.34.1-1
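Review bot: ansible-base is added with no fixed version and no note about which ansible-base upload will carry the change from pull request 73487, and the NOTE wording "Mark ansible/2.10.7-1 fixing which is moving the code to ansible-base" is hard to parse; suggest "NOTE: 2.10.7-1 fixes this by moving the affected code to ansible-base, which is tracked separately" so the relationship between the two entries is explicit.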



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c5ad78f8be326ac87947e51895677417082be0e



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-27379/xen

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02ae04e9 by Salvatore Bonaccorso at 2021-02-21T21:13:16+01:00
Update status for CVE-2021-27379/xen

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -295,9 +295,12 @@ CVE-2021-27381
 CVE-2021-27380
RESERVED
 CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 
Intel HVM  ...)
-   - xen 
+   - xen 4.14.0+80-gd101b417b7-1
[stretch] - xen  (Incomplete fix for CVE-2020-15565 not 
applied)
NOTE: https://xenbits.xen.org/xsa/advisory-366.html
+   NOTE: Mark first version in 4.14.x which landed in unstable as fixed, 
though
+   NOTE: the issue more precisely only affects Xen versions up to 4.11 
with version
+   NOTE: containing broken backport for XSA-321 / CVE-2020-15565
 CVE-2021-27378 (An issue was discovered in the rand_core crate before 0.6.2 
for Rust.  ...)
- rust-rand-core 
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0023.html
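Review bot: the NOTE says the issue only affects Xen versions up to 4.11 carrying the broken XSA-321 backport, yet the entry now records 4.14.0+80-gd101b417b7-1 as the fixed version; if unstable was never affected, saying so directly in the entry would be less misleading than a fixed-version marker that implies earlier unstable uploads were vulnerable.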



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02ae04e969d1030371c0e5370dac4e77ee41e524



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-27379

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8eac1a80 by Salvatore Bonaccorso at 2021-02-21T21:09:44+01:00
Update status for CVE-2021-27379

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -296,7 +296,7 @@ CVE-2021-27380
RESERVED
 CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 
Intel HVM  ...)
- xen 
-   [stretch] - xen  (DSA 4602-1)
+   [stretch] - xen  (Incomplete fix for CVE-2020-15565 not 
applied)
NOTE: https://xenbits.xen.org/xsa/advisory-366.html
 CVE-2021-27378 (An issue was discovered in the rand_core crate before 0.6.2 
for Rust.  ...)
- rust-rand-core 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8eac1a80e120f1a529641638c8ea0880229eeb0b



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20066/node-jsdom

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9077f265 by Salvatore Bonaccorso at 2021-02-21T21:02:32+01:00
Add CVE-2021-20066/node-jsdom

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18046,7 +18046,9 @@ CVE-2021-20068 (Racom's MIDGE Firmware 4.4.40.105 
contains an issue that allows
 CVE-2021-20067 (Racom's MIDGE Firmware 4.4.40.105 contains an issue that 
allows attack ...)
NOT-FOR-US: Racom's MIDGE Firmware
 CVE-2021-20066 (JSDom improperly allows the loading of local resources, which 
allows f ...)
-   TODO: check
+   - node-jsdom 
+   NOTE: https://www.tenable.com/security/research/tra-2021-05
+   TODO: check details
 CVE-2020-35547 (A library index page in NuPoint Messenger in Mitel MiCollab 
before 9.2 ...)
NOT-FOR-US: Mitel
 CVE-2020-35546



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9077f265ab420adcb87565a2caaef33de28e73bc



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20255/qemu

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a9b0f8c by Salvatore Bonaccorso at 2021-02-21T20:59:22+01:00
Add CVE-2021-20255/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17452,8 +17452,11 @@ CVE-2021-20257
 CVE-2021-20256
RESERVED
NOT-FOR-US: Red Hat Satellite
-CVE-2021-20255
+CVE-2021-20255 [net: eepro100: stack overflow via infinite recursion]
RESERVED
+   - qemu 
+   NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
+   NOTE: 
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1
 CVE-2021-20254
RESERVED
 CVE-2021-20253
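Review bot: neither NOTE points at an upstream fix; the first is the report thread on qemu-devel and the second a file share holding the reproducer, which is not a stable reference. A NOTE saying that no fix is yet available, to be replaced by the commit once one lands, would make the status of this entry clear.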



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a9b0f8c017c56fafd094d032bb09b7e691336ca



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20256

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
79e60cb3 by Salvatore Bonaccorso at 2021-02-21T20:57:12+01:00
Add CVE-2021-20256

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17451,6 +17451,7 @@ CVE-2021-20257
RESERVED
 CVE-2021-20256
RESERVED
+   NOT-FOR-US: Red Hat Satellite
 CVE-2021-20255
RESERVED
 CVE-2021-20254



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79e60cb350f04093c9ba688a24ccafef6ff05f7e



[Git][security-tracker-team/security-tracker][master] Add note for CVE-2021-26714

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01aa05c5 by Salvatore Bonaccorso at 2021-02-21T20:55:58+01:00
Add note for CVE-2021-26714

Clarifying with Red Hat if CVE-2021-26714 was just a typo for the
assigned CVE-2021-26713.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1772,6 +1772,7 @@ CVE-2021-26715
RESERVED
 CVE-2021-26714
RESERVED
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1930888#c3
 CVE-2021-26713 (A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma 
Asteris ...)
- asterisk  (Only affects 16.16.0 onwards)
NOTE: https://downloads.asterisk.org/pub/security/AST-2021-004.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01aa05c5b9a4f8a8117f02f07e2aadfd77551416



[Git][security-tracker-team/security-tracker][master] Add docker.io to dsa-needed list

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d122ce94 by Salvatore Bonaccorso at 2021-02-21T20:43:59+01:00
Add docker.io to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -11,6 +11,10 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+docker.io
+  Felix Geyer proposing an update in 
<0465ff3c-6d00-51f0-9b3f-cc7a02a73...@debian.org>
+  which needs review and decision on DSA
 --
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d122ce9499611b8c843235bd52cb54f5b7dae578



[Git][security-tracker-team/security-tracker][master] update notes

2021-02-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
532f3a0c by Thorsten Alteholz at 2021-02-21T15:46:19+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -53,6 +53,7 @@ golang-1.7 (Sylvain Beucler)
 golang-1.8 (Sylvain Beucler)
 --
 golang-github-appc-cni (Thorsten Alteholz)
+  NOTE: 20210221: also taking care of reverse dependencies
 --
 golang-gogoprotobuf
   NOTE: 20210218: If you have any idea why this is called the "skippy peanut 
butter" issue, I would be mildly interested. (lamby)
@@ -63,6 +64,7 @@ guacamole-server (Anton Gladky)
 jackson-dataformat-cbor
 --
 libebml (Thorsten Alteholz)
+  NOTE: 20210221: testing package
 --
 linux (Ben Hutchings)
 --
@@ -119,6 +121,7 @@ spotweb
   NOTE: 20210127: Upstream says "we can fix this but it may take some time", 
revisit later (Beuc)
 --
 subversion (Thorsten Alteholz)
+  NOTE: 20210221: solving build problems
 --
 xmlbeans (Roberto C. Sánchez)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/532f3a0c052db82e5fdbab7a78322d01a4a0fbf0



[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-3405 as fixed in libebml/1.4.2-1

2021-02-21 Thread Sebastian Ramacher


Sebastian Ramacher pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f80abbd7 by Sebastian Ramacher at 2021-02-21T15:43:30+01:00
Mark CVE-2021-3405 as fixed in libebml/1.4.2-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -881,7 +881,7 @@ CVE-2021-3406
RESERVED
 CVE-2021-3405
RESERVED
-   - libebml  (bug #982597)
+   - libebml 1.4.2-1 (bug #982597)
NOTE: https://github.com/Matroska-Org/libebml/issues/74
 CVE-2021-27104 (Accellion FTA 9_12_370 and earlier is affected by OS command 
execution ...)
NOT-FOR-US: Accellion FTA



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f80abbd71d42ddec01279b64de496e2bc199cb30



[Git][security-tracker-team/security-tracker][master] Add pupnp-1.8/libupnp as well for CVE-2020-12695

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
962cf95d by Salvatore Bonaccorso at 2021-02-21T14:01:59+01:00
Add pupnp-1.8/libupnp as well for CVE-2020-12695

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -62945,11 +62945,16 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP 
specification before 2020-
- gupnp 1.2.3-1
[buster] - gupnp 1.0.5-0+deb10u1
- minidlna 1.2.1+dfsg-3 (bug #976594)
+   - pupnp-1.8  (bug #983206)
+   [buster] - pupnp-1.8  (Minor issue)
+   - libupnp 
NOTE: 
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
NOTE: 
https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
NOTE: 
https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
NOTE: 
https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
NOTE: 
https://sourceforge.net/p/minidlna/git/ci/06ee114731612462eb1eb1266f0431ccf59269d2
 (v1_3_0)
+   NOTE: 
https://github.com/pupnp/pupnp/commit/5f76bf2858dd601bd985bf37a1db9f262c0ff7bf 
(release-1.14.0)
+   NOTE: 
https://github.com/pupnp/pupnp/commit/7b3f0f5f497f9f493c82307af495b87fa9ebdacb 
(release-1.14.0)
 CVE-2020-12694
RESERVED
 CVE-2020-12693 (Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in 
the rare c ...)
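Review bot: libupnp is added without a bug reference or a [buster] tag, while pupnp-1.8 two lines above gets both (bug #983206, Minor issue); if the two source packages are in the same state, libupnp needs the same buster tag and its own bug number, otherwise a NOTE explaining why they differ.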



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/962cf95dbe3c4126d076e42a6155ae744290f718



[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2021-22880 in rails for stretch LTS.

2021-02-21 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7917fc91 by Chris Lamb at 2021-02-21T09:53:28+00:00
Triage CVE-2021-22880 in rails for stretch LTS.

- - - - -
1b4f09fa by Chris Lamb at 2021-02-21T09:57:56+00:00
Triage CVE-2021-22881 in rails for stretch LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10408,12 +10408,14 @@ CVE-2021-22882
RESERVED
 CVE-2021-22881 (The Host Authorization middleware in Action Pack before 
6.1.2.1, 6.0.3 ...)
- rails 2:6.0.3.5+dfsg-1
+   [stretch] - rails  (host_authorization.rb added later)
NOTE: 
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
NOTE: https://hackerone.com/reports/1047447
NOTE: 
https://github.com/rails/rails/commit/83a6ac3fee8fd538ce7e0088913ff54f0f9bcb6f 
(main)
NOTE: 
https://github.com/rails/rails/commit/e33092740b3cc05f5abee197a5982eac31947e92 
(v6.0.3.5)
 CVE-2021-22880 (The PostgreSQL adapter in Active Record before 6.1.2.1, 
6.0.3.5, 5.2.4 ...)
- rails 2:6.0.3.5+dfsg-1
+   [stretch] - rails  (Vulnerable asterisk in regex added 
later)
NOTE: 
https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
NOTE: https://hackerone.com/reports/1023899
NOTE: 
https://github.com/rails/rails/commit/eddda4d8fb6b6508e11196b14494ceac37b57339 
(main)
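Review bot: the two [stretch] justifications ("host_authorization.rb added later", "Vulnerable asterisk in regex added later") do not say in which upstream release the code was introduced; naming the version, or the introducing commit, next to the reason would let the stretch claim be checked without redoing the bisection.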



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e1da263408fef20c107aa9fdb63a3cefa3ee0c9d...1b4f09fa5f9fc66270ab52045953441aff5c7ca7



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for screen

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1da2634 by Salvatore Bonaccorso at 2021-02-21T09:21:20+01:00
Reserve DSA number for screen

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[21 Feb 2021] DSA-4861-1 screen - security update
+   {CVE-2021-26937}
+   [buster] - screen 4.6.2-3+deb10u1
 [20 Feb 2021] DSA-4860-1 openldap - security update
{CVE-2021-27212}
[buster] - openldap 2.4.47+dfsg-3+deb10u6


=
data/dsa-needed.txt
=
@@ -24,9 +24,6 @@ netty
 --
 python-pysaml2
 --
-screen (carnil)
-  Maintainer (abe) will take care
---
 xcftools
   Hugo proposed to work on this update
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1da263408fef20c107aa9fdb63a3cefa3ee0c9d



[Git][security-tracker-team/security-tracker][master] Take screen from dsa-needed list

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c4622ec9 by Salvatore Bonaccorso at 2021-02-21T09:14:37+01:00
Take screen from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -24,7 +24,7 @@ netty
 --
 python-pysaml2
 --
-screen
+screen (carnil)
   Maintainer (abe) will take care
 --
 xcftools



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4622ec92dff8762290d8c0acb050d9d17e1e48b



[Git][security-tracker-team/security-tracker][master] automatic update

2021-02-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e46b8920 by security tracker role at 2021-02-21T08:10:14+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2021-27511
+   RESERVED
+CVE-2021-27510
+   RESERVED
+CVE-2020-36253
+   RESERVED
 CVE-2021-27509 (In Visualware MyConnection Server before 11.0b build 5382, 
each publis ...)
NOT-FOR-US: Visualware MyConnection Server
 CVE-2021-27508
@@ -1760,8 +1766,8 @@ CVE-2021-26717 (An issue was discovered in Sangoma 
Asterisk 16.x before 16.16.1,
[buster] - asterisk  (Introduced in 16.15.0)
[stretch] - asterisk  (Introduced in 16.15.0)
NOTE: https://downloads.asterisk.org/pub/security/AST-2021-002.html
-CVE-2021-26716
-   RESERVED
+CVE-2021-26716 (Modules/input/Views/schedule.php in Emoncms through 10.2.7 
allows XSS  ...)
+   TODO: check
 CVE-2021-26715
RESERVED
 CVE-2021-26714



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e46b8920e78ac0f9c66b0e676cf62a46111b8c84
