[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cef3ab6 by Holger Levsen at 2021-02-22T08:19:06+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,7 +77,7 @@ opendmarc -- php-pear -- -python-pysaml2 (Abhijith PA) +python-pysaml2 -- python3.5 NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby) @@ -108,7 +108,7 @@ ruby-kaminari NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) -- -shiro (Roberto C. Sánchez) +shiro NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cef3ab6060793c1b7de1aedb6f74b70178bab76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cef3ab6060793c1b7de1aedb6f74b70178bab76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
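Review bot: In the second hunk, removing the claim from `shiro` leaves `NOTE: 20200920: WIP` and the two follow-up notes signed (roberto) sitting under an entry that no longer has an owner, so the list reads as work in progress with nobody assigned. Add a dated NOTE under shiro recording the unclaim, so whoever picks it up next knows the upstream requests went unanswered and the entry is free to take.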
[Git][security-tracker-team/security-tracker][master] LTS: update notes for xmlbeans
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ceb844e by Roberto C. Sánchez at 2021-02-21T22:42:03-05:00 LTS: update notes for xmlbeans - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,6 +124,9 @@ subversion (Thorsten Alteholz) NOTE: 20210221: solving build problems -- xmlbeans (Roberto C. Sánchez) + NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the + NOTE: 20210222: upstream release with the fix). Trying to determine how to + NOTE: 20210222: implement the changes without introducing too much new code. (roberto) -- zeromq3 (Anton Gladky) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ceb844e7e90a0121d1c570e6ab2d08379c0cdee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ceb844e7e90a0121d1c570e6ab2d08379c0cdee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
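Review bot: The three added NOTE lines under xmlbeans give the version range (2.6.0 to 3.0.0) but neither the CVE id nor the upstream commit being backported, so a reader of dla-needed.txt cannot tell which change is considered too invasive. Add the CVE id or a link to the upstream fix alongside the note.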
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fc55a768 by Moritz Muehlenhoff at 2021-02-21T22:24:20+01:00 buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -605,6 +605,7 @@ CVE-2021-27230 CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim navigates ...) {DLA-2562-1} - mumble (bug #982904) + [buster] - mumble (Minor issue) NOTE: https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648 NOTE: https://github.com/mumble-voip/mumble/pull/4733 CVE-2021-27228 
@@ -17481,24 +17482,28 @@ CVE-2021-20247 CVE-2021-20246 [Division by zero in ScaleResampleFilter in MagickCore/resample.c] RESERVED - imagemagick + [buster] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/3195 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/8d25d94a363b104acd6ff23df7470aeedb806c51 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74 CVE-2021-20245 [Division by zero in WriteAnimatedWEBPImage() in coders/webp.c] RESERVED - imagemagick + [buster] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/3176 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/ffb683e62ddedc6436a1b88388eb690d7ca57bf2 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca CVE-2021-20244 [Division by zero in ImplodeImage in MagickCore/visual-effects.c] RESERVED - imagemagick + [buster] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/pull/3194 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d TODO: check CVE-2021-20243 [Division by zero in GetResizeFilterWeight in MagickCore/resize.c] RESERVED - imagemagick + [buster] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/pull/3193 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9751bd619872c8e58609fbed56c4827afa083b40 TODO: check 
@@ -17508,6 +17513,7 @@ CVE-2021-20242 CVE-2021-20241 [Division by zero in WriteJP2Image() in coders/jp2.c] RESERVED - imagemagick + [buster] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/pull/3177 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/dd33b451c3e01098efad34bbaca2df78d5391dc8 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc55a768dcc06e99727a4b8ee3430b4bdbd6d315 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc55a768dcc06e99727a4b8ee3430b4bdbd6d315 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
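Review bot: In the first hunk, `[buster] - mumble (Minor issue)` is added to CVE-2021-27229, whose description reads "allows remote code execution if a victim navigates ..." and which already carries {DLA-2562-1}. "Minor issue" on its own does not explain why buster is deferred when another release received an advisory; put the reasoning in the annotation or in a NOTE line.

Review bot: In the second hunk, CVE-2021-20244 and CVE-2021-20243 receive `[buster] - imagemagick (Minor issue)` while both entries still end in `TODO: check`. Resolve the TODO before settling the buster status, or leave the annotation off these two until the check is done; the same line on CVE-2021-20246, CVE-2021-20245 and CVE-2021-20241 has no open TODO next to it.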
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-27097/u-boot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b0e3f876 by Salvatore Bonaccorso at 2021-02-21T21:42:27+01:00 Add Debian bug reference for CVE-2021-27097/u-boot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -901,7 +901,7 @@ CVE-2021-27099 CVE-2021-27098 RESERVED CVE-2021-27097 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified ...) - - u-boot + - u-boot (bug #983270) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue; can be fixed in next DLA) NOTE: https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e3f876c4bb970366a030be5d168bb9cc306ff7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e3f876c4bb970366a030be5d168bb9cc306ff7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-27138/u-boot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 769fca59 by Salvatore Bonaccorso at 2021-02-21T21:41:39+01:00 Add Debian bug reference for CVE-2021-27138/u-boot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -808,7 +808,7 @@ CVE-2021-27140 (An issue was discovered on FiberHome HG6245D devices through RP2 CVE-2021-27139 (An issue was discovered on FiberHome HG6245D devices through RP2613. I ...) NOT-FOR-US: FiberHome devices CVE-2021-27138 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of uni ...) - - u-boot + - u-boot (bug #983269) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue; can be fixed in next DLA) NOTE: https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/769fca59f4d957da7ad7afee5977aa81ebe3ee2b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/769fca59f4d957da7ad7afee5977aa81ebe3ee2b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-27211/steghide
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f607a0b5 by Salvatore Bonaccorso at 2021-02-21T21:40:57+01:00 Add Debian bug reference for CVE-2021-27211/steghide - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -644,7 +644,7 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an asse NOTE: trunk: https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0 NOTE: REL_ENG 2.4.x: https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30 CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which makes it e ...) - - steghide + - steghide (bug #983267) [buster] - steghide (Minor issue) [stretch] - steghide (Minor issue; can be fixed in next DLA) NOTE: https://github.com/b4shfire/stegcrack View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f607a0b55e9bb25fd99f1587e17a91b96ad5167e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f607a0b55e9bb25fd99f1587e17a91b96ad5167e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2021-20228/ansible
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c5ad78f by Salvatore Bonaccorso at 2021-02-21T21:39:07+01:00 Update information on CVE-2021-20228/ansible - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17577,9 +17577,11 @@ CVE-2021-20229 [postgres: information leak in some select statements] NOTE: https://www.postgresql.org/about/news/postgresql-132-126--1016-9621-and-9525-released-2165/ CVE-2021-20228 [basic.py no_log with fallback option] RESERVED - - ansible + - ansible 2.10.7-1 + - ansible-base NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002 - TODO: check details + NOTE: https://github.com/ansible/ansible/pull/73487 + NOTE: Mark ansible/2.10.7-1 fixing which is moving the code to ansible-base CVE-2021-20227 RESERVED - sqlite3 3.34.1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c5ad78f8be326ac87947e51895677417082be0e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c5ad78f8be326ac87947e51895677417082be0e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
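Review bot: The new `- ansible-base` line has no fixed version and no bug reference, while `- ansible 2.10.7-1` is marked fixed only because, per the added NOTE, the code moved to ansible-base. As written the entry shows the original package as resolved and the package that now holds the code as open with nothing tracking it; reference a bug on the ansible-base line, and reword the last NOTE to say explicitly that 2.10.7-1 no longer ships the affected code rather than that it contains the fix from pull 73487.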
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-27379/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02ae04e9 by Salvatore Bonaccorso at 2021-02-21T21:13:16+01:00 Update status for CVE-2021-27379/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -295,9 +295,12 @@ CVE-2021-27381 CVE-2021-27380 RESERVED CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM ...) - - xen + - xen 4.14.0+80-gd101b417b7-1 [stretch] - xen (Incomplete fix for CVE-2020-15565 not applied) NOTE: https://xenbits.xen.org/xsa/advisory-366.html + NOTE: Mark first version in 4.14.x which landed in unstable as fixed, though + NOTE: the issue more precisely only affects Xen versions up to 4.11 with version + NOTE: containing broken backport for XSA-321 / CVE-2020-15565 CVE-2021-27378 (An issue was discovered in the rand_core crate before 0.6.2 for Rust. ...) - rust-rand-core NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0023.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02ae04e969d1030371c0e5370dac4e77ee41e524 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02ae04e969d1030371c0e5370dac4e77ee41e524 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
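Review bot: The added `- xen 4.14.0+80-gd101b417b7-1` line is a marker rather than a real fix point, as the NOTE below it admits (only versions up to 4.11 carrying the broken XSA-321 backport are affected). With a fixed version set on that line, any release without its own annotation is judged by version comparison alone, and the hunk only shows a [stretch] line; add an explicit per-release line wherever the status should not depend on the 4.14 marker. The last NOTE line also reads "with version containing broken backport", which is missing words ("with versions containing the broken backport").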
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-27379
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8eac1a80 by Salvatore Bonaccorso at 2021-02-21T21:09:44+01:00 Update status for CVE-2021-27379 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -296,7 +296,7 @@ CVE-2021-27380 RESERVED CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM ...) - xen - [stretch] - xen (DSA 4602-1) + [stretch] - xen (Incomplete fix for CVE-2020-15565 not applied) NOTE: https://xenbits.xen.org/xsa/advisory-366.html CVE-2021-27378 (An issue was discovered in the rand_core crate before 0.6.2 for Rust. ...) - rust-rand-core View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8eac1a80e120f1a529641638c8ea0880229eeb0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8eac1a80e120f1a529641638c8ea0880229eeb0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20066/node-jsdom
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9077f265 by Salvatore Bonaccorso at 2021-02-21T21:02:32+01:00 Add CVE-2021-20066/node-jsdom - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18046,7 +18046,9 @@ CVE-2021-20068 (Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows CVE-2021-20067 (Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attack ...) NOT-FOR-US: Racom's MIDGE Firmware CVE-2021-20066 (JSDom improperly allows the loading of local resources, which allows f ...) - TODO: check + - node-jsdom + NOTE: https://www.tenable.com/security/research/tra-2021-05 + TODO: check details CVE-2020-35547 (A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 ...) NOT-FOR-US: Mitel CVE-2020-35546 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9077f265ab420adcb87565a2caaef33de28e73bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9077f265ab420adcb87565a2caaef33de28e73bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20255/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a9b0f8c by Salvatore Bonaccorso at 2021-02-21T20:59:22+01:00 Add CVE-2021-20255/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17452,8 +17452,11 @@ CVE-2021-20257 CVE-2021-20256 RESERVED NOT-FOR-US: Red Hat Satellite -CVE-2021-20255 +CVE-2021-20255 [net: eepro100: stack overflow via infinite recursion] RESERVED + - qemu + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html + NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1 CVE-2021-20254 RESERVED CVE-2021-20253 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a9b0f8c017c56fafd094d032bb09b7e691336ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a9b0f8c017c56fafd094d032bb09b7e691336ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
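Review bot: The second added NOTE for CVE-2021-20255 points at a file-share link (`ruhr-uni-bochum.sciebo.de/s/...`), which is not a stable reference and may disappear while the entry is still open. Keep the qemu-devel message as the primary reference, label the share link as the reproducer, and add the upstream fix commit once one exists; the entry also has no per-release status yet, so a `TODO: check` would make that visible.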
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20256
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 79e60cb3 by Salvatore Bonaccorso at 2021-02-21T20:57:12+01:00 Add CVE-2021-20256 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17451,6 +17451,7 @@ CVE-2021-20257 RESERVED CVE-2021-20256 RESERVED + NOT-FOR-US: Red Hat Satellite CVE-2021-20255 RESERVED CVE-2021-20254 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79e60cb350f04093c9ba688a24ccafef6ff05f7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79e60cb350f04093c9ba688a24ccafef6ff05f7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
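Review bot: `NOT-FOR-US: Red Hat Satellite` is added to CVE-2021-20256 while the entry is still RESERVED with no description and no NOTE, so the attribution cannot be checked from the list itself. Add a NOTE with the source of the assignment (for example the vendor bug report) next to the NOT-FOR-US line.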
[Git][security-tracker-team/security-tracker][master] Add note for CVE-2021-26714
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01aa05c5 by Salvatore Bonaccorso at 2021-02-21T20:55:58+01:00 Add note for CVE-2021-26714 Clarifying with Red Hat if CVE-2021-26714 was just a typo for the assigned CVE-2021-26713. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1772,6 +1772,7 @@ CVE-2021-26715 RESERVED CVE-2021-26714 RESERVED + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1930888#c3 CVE-2021-26713 (A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asteris ...) - asterisk (Only affects 16.16.0 onwards) NOTE: https://downloads.asterisk.org/pub/security/AST-2021-004.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01aa05c5b9a4f8a8117f02f07e2aadfd77551416 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01aa05c5b9a4f8a8117f02f07e2aadfd77551416 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
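Review bot: The added line under CVE-2021-26714 is a bare URL, and the reason for it (a possible typo for CVE-2021-26713, being clarified with Red Hat) exists only in the commit message. Put that explanation into the list as a second NOTE line, so someone reading data/CVE/list without the git history understands why a RESERVED id carries a reference to an asterisk bug.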
[Git][security-tracker-team/security-tracker][master] Add docker.io to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d122ce94 by Salvatore Bonaccorso at 2021-02-21T20:43:59+01:00 Add docker.io to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -11,6 +11,10 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +docker.io + Felix Geyer proposing an update in <0465ff3c-6d00-51f0-9b3f-cc7a02a73...@debian.org> + which needs review and decision on DSA -- knot-resolver Santiago Ruano Rincón proposed a debdiff for review View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d122ce9499611b8c843235bd52cb54f5b7dae578 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d122ce9499611b8c843235bd52cb54f5b7dae578 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 532f3a0c by Thorsten Alteholz at 2021-02-21T15:46:19+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,6 +53,7 @@ golang-1.7 (Sylvain Beucler) golang-1.8 (Sylvain Beucler) -- golang-github-appc-cni (Thorsten Alteholz) + NOTE: 20210221: also taking care of reverse dependencies -- golang-gogoprotobuf NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) @@ -63,6 +64,7 @@ guacamole-server (Anton Gladky) jackson-dataformat-cbor -- libebml (Thorsten Alteholz) + NOTE: 20210221: testing package -- linux (Ben Hutchings) -- @@ -119,6 +121,7 @@ spotweb NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc) -- subversion (Thorsten Alteholz) + NOTE: 20210221: solving build problems -- xmlbeans (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/532f3a0c052db82e5fdbab7a78322d01a4a0fbf0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/532f3a0c052db82e5fdbab7a78322d01a4a0fbf0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
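Review bot: The three added NOTE lines (golang-github-appc-cni, libebml, subversion) are dated but unsigned, whereas the neighbouring notes in the same file end with the author in parentheses, e.g. `(lamby)` and `(Beuc)`. Append the author tag so the notes stay attributable if the packages are later unclaimed or reassigned.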
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-3405 as fixed in libebml/1.4.2-1
Sebastian Ramacher pushed to branch master at Debian Security Tracker / security-tracker Commits: f80abbd7 by Sebastian Ramacher at 2021-02-21T15:43:30+01:00 Mark CVE-2021-3405 as fixed in libebml/1.4.2-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -881,7 +881,7 @@ CVE-2021-3406 RESERVED CVE-2021-3405 RESERVED - - libebml (bug #982597) + - libebml 1.4.2-1 (bug #982597) NOTE: https://github.com/Matroska-Org/libebml/issues/74 CVE-2021-27104 (Accellion FTA 9_12_370 and earlier is affected by OS command execution ...) NOT-FOR-US: Accellion FTA View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f80abbd71d42ddec01279b64de496e2bc199cb30 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f80abbd71d42ddec01279b64de496e2bc199cb30 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
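Review bot: `- libebml 1.4.2-1 (bug #982597)` records the fixed version, but the only reference on the still RESERVED entry is the upstream issue (libebml/issues/74). Add a NOTE with the upstream fixing commit so backports to the stable releases can be checked against it.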
[Git][security-tracker-team/security-tracker][master] Add pupnp-1.8/libupnp as well for CVE-2020-12695
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 962cf95d by Salvatore Bonaccorso at 2021-02-21T14:01:59+01:00 Add pupnp-1.8/libupnp as well for CVE-2020-12695 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62945,11 +62945,16 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020- - gupnp 1.2.3-1 [buster] - gupnp 1.0.5-0+deb10u1 - minidlna 1.2.1+dfsg-3 (bug #976594) + - pupnp-1.8 (bug #983206) + [buster] - pupnp-1.8 (Minor issue) + - libupnp NOTE: https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt NOTE: https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch NOTE: https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch NOTE: https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch NOTE: https://sourceforge.net/p/minidlna/git/ci/06ee114731612462eb1eb1266f0431ccf59269d2 (v1_3_0) + NOTE: https://github.com/pupnp/pupnp/commit/5f76bf2858dd601bd985bf37a1db9f262c0ff7bf (release-1.14.0) + NOTE: https://github.com/pupnp/pupnp/commit/7b3f0f5f497f9f493c82307af495b87fa9ebdacb (release-1.14.0) CVE-2020-12694 RESERVED CVE-2020-12693 (Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in the rare c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/962cf95dbe3c4126d076e42a6155ae744290f718 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/962cf95dbe3c4126d076e42a6155ae744290f718 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
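Review bot: The added `- libupnp` line has neither a bug number nor any per-release status, unlike `- pupnp-1.8 (bug #983206)` directly above it, so nothing tracks the second package. Both added upstream commits are tagged `(release-1.14.0)` while the affected source package is pupnp-1.8; add a NOTE saying whether the 1.8 branch has its own fix or needs a backport, and reference a bug for libupnp.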
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2021-22880 in rails for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7917fc91 by Chris Lamb at 2021-02-21T09:53:28+00:00 Triage CVE-2021-22880 in rails for stretch LTS. - - - - - 1b4f09fa by Chris Lamb at 2021-02-21T09:57:56+00:00 Triage CVE-2021-22881 in rails for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -10408,12 +10408,14 @@ CVE-2021-22882 RESERVED CVE-2021-22881 (The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3 ...) - rails 2:6.0.3.5+dfsg-1 + [stretch] - rails (host_authorization.rb added later) NOTE: https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130 NOTE: https://hackerone.com/reports/1047447 NOTE: https://github.com/rails/rails/commit/83a6ac3fee8fd538ce7e0088913ff54f0f9bcb6f (main) NOTE: https://github.com/rails/rails/commit/e33092740b3cc05f5abee197a5982eac31947e92 (v6.0.3.5) CVE-2021-22880 (The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4 ...) - rails 2:6.0.3.5+dfsg-1 + [stretch] - rails (Vulnerable asterisk in regex added later) NOTE: https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129 NOTE: https://hackerone.com/reports/1023899 NOTE: https://github.com/rails/rails/commit/eddda4d8fb6b6508e11196b14494ceac37b57339 (main) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e1da263408fef20c107aa9fdb63a3cefa3ee0c9d...1b4f09fa5f9fc66270ab52045953441aff5c7ca7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e1da263408fef20c107aa9fdb63a3cefa3ee0c9d...1b4f09fa5f9fc66270ab52045953441aff5c7ca7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
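Review bot: Both added `[stretch] - rails (...)` lines justify the status with "added later" ("host_authorization.rb added later", "Vulnerable asterisk in regex added later") without naming the version or commit that introduced the code. Add a NOTE per CVE with the introducing commit or first affected version, so the not-affected decision for stretch can be re-verified against the packaged source.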
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for screen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1da2634 by Salvatore Bonaccorso at 2021-02-21T09:21:20+01:00 Reserve DSA number for screen - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[21 Feb 2021] DSA-4861-1 screen - security update + {CVE-2021-26937} + [buster] - screen 4.6.2-3+deb10u1 [20 Feb 2021] DSA-4860-1 openldap - security update {CVE-2021-27212} [buster] - openldap 2.4.47+dfsg-3+deb10u6 = data/dsa-needed.txt = @@ -24,9 +24,6 @@ netty -- python-pysaml2 -- -screen (carnil) - Maintainer (abe) will take care --- xcftools Hugo proposed to work on this update -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1da263408fef20c107aa9fdb63a3cefa3ee0c9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1da263408fef20c107aa9fdb63a3cefa3ee0c9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take screen from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4622ec9 by Salvatore Bonaccorso at 2021-02-21T09:14:37+01:00 Take screen from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -24,7 +24,7 @@ netty -- python-pysaml2 -- -screen +screen (carnil) Maintainer (abe) will take care -- xcftools View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4622ec92dff8762290d8c0acb050d9d17e1e48b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4622ec92dff8762290d8c0acb050d9d17e1e48b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e46b8920 by security tracker role at 2021-02-21T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2021-27511 + RESERVED +CVE-2021-27510 + RESERVED +CVE-2020-36253 + RESERVED CVE-2021-27509 (In Visualware MyConnection Server before 11.0b build 5382, each publis ...) NOT-FOR-US: Visualware MyConnection Server CVE-2021-27508 @@ -1760,8 +1766,8 @@ CVE-2021-26717 (An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, [buster] - asterisk (Introduced in 16.15.0) [stretch] - asterisk (Introduced in 16.15.0) NOTE: https://downloads.asterisk.org/pub/security/AST-2021-002.html -CVE-2021-26716 - RESERVED +CVE-2021-26716 (Modules/input/Views/schedule.php in Emoncms through 10.2.7 allows XSS ...) + TODO: check CVE-2021-26715 RESERVED CVE-2021-26714 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e46b8920e78ac0f9c66b0e676cf62a46111b8c84 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e46b8920e78ac0f9c66b0e676cf62a46111b8c84 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits