[Git][security-tracker-team/security-tracker][master] Stretch triage

2021-03-01 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
15c99ffc by Abhijith PA at 2021-03-02T13:19:11+05:30
Stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -3516,6 +3516,7 @@ CVE-2018-25005
RESERVED
 CVE-2018-25004 (A user authorized to performing a specific type of query may 
trigger a ...)
- mongodb 
+   [stretch] - mongodb  
(https://lists.debian.org/debian-lts/2020/11/msg00058.html)
NOTE: https://jira.mongodb.org/browse/SERVER-38275
 CVE-2021-3345 (_gcry_md_block_write in cipher/hash-common.c in Libgcrypt 
version 1.9. ...)
[experimental] - libgcrypt20 1.9.1-1 (bug #981370)
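Review bot: the new `[stretch] - mongodb` line puts the debian-lts URL inside the parenthesised comment, where this file otherwise keeps a short reason (compare `[stretch] - mongodb  (Vulnerable code introduced later)` on the CVE-2020-7928 entry elsewhere on this page) and records links on `NOTE:` lines; suggest moving the URL to a NOTE and stating the actual decision in the parentheses so the stretch status is readable without following the link. The same applies to the CVE-2020-7929 hunk below.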
@@ -77569,6 +77570,7 @@ CVE-2020-7930
RESERVED
 CVE-2020-7929 (A user authorized to perform database queries may trigger 
denial of se ...)
- mongodb 
+   [stretch] - mongodb  
(https://lists.debian.org/debian-lts/2020/11/msg00058.html)
NOTE: https://jira.mongodb.org/browse/SERVER-51083
 CVE-2020-7928 (A user authorized to perform database queries may trigger a 
read overr ...)
- mongodb 


=
data/dla-needed.txt
=
@@ -69,6 +69,9 @@ jackson-dataformat-cbor (Abhijith PA)
 libebml (Thorsten Alteholz)
   NOTE: 20210221: testing package
 --
+libupnp
+  NOTE: 20210302: since utkarsh working wpa, might want to handle this as well 
? (abhijith)
+--
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
@@ -132,6 +135,10 @@ spotweb
 subversion (Thorsten Alteholz)
   NOTE: 20210221: solving build problems
 --
+tomcat7
+--
+tomcat8
+--
 wpa (Utkarsh)
 --
 xmlbeans (Roberto C. Sánchez)
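Review bot: `tomcat7` and `tomcat8` are added to dla-needed.txt without the dated `NOTE: YYYYMMDD:` line that the neighbouring entries (libebml, subversion, and the libupnp entry in this same commit) carry; record which issues triggered the entry (the CVE/list commits on this page list tomcat7 and tomcat8 as affected by CVE-2021-25122 and CVE-2021-25329) so the next LTS triager does not have to rediscover the scope.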



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15c99ffcd4b7e27977bae1d8a99f71e9c0a28e67



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3419/qemu

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51b2db4e by Salvatore Bonaccorso at 2021-03-02T08:36:03+01:00
Add CVE-2021-3419/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2021-3419 [net: rtl8139: stack-based buffer overflow induced by infinite 
recursion issue]
+   - qemu 
+   NOTE: https://bugs.launchpad.net/qemu/+bug/1910826
+   NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg00010.html
 CVE-2021-3418
RESERVED
 CVE-2021-27875
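Review bot: the entry has two NOTE links (the Launchpad bug and the qemu-devel thread) but no upstream fix reference or fixed version; add a NOTE with the fixing commit once it is merged and a `[buster]`/`[stretch]` line with the triage decision, otherwise the `- qemu` line stays open with no plan recorded.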



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51b2db4eeb6b2b9118e1294dd5a3a1d3fd3b2743



[Git][security-tracker-team/security-tracker][master] CVE-2021-2403{1,2}/libzstd assigned

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d476a732 by Salvatore Bonaccorso at 2021-03-02T08:05:18+01:00
CVE-2021-2403{1,2}/libzstd assigned

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -2226,15 +2226,11 @@ CVE-2021-26910 (Firejail before 0.9.64.4 allows 
attackers to bypass intended acc
NOTE: Fix (disabled overlayfs): 
https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
NOTE: 
https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
NOTE: 
https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
-CVE-2021- [zstd allows for race-opening files being compressed or 
uncompressed]
+CVE-2021-24032 [zstd allows for race-opening files being compressed or 
uncompressed]
- libzstd 1.4.8+dfsg-2 (bug #982519)
-   [buster] - libzstd 1.3.8+dfsg-3+deb10u2
-   [stretch] - libzstd 1.1.2-1+deb9u1
NOTE: https://github.com/facebook/zstd/issues/2491
-CVE-2019- [zstd adds read permissions to files while being compressed or 
uncompressed]
+CVE-2021-24031 [zstd adds read permissions to files while being compressed or 
uncompressed]
- libzstd 1.4.8+dfsg-1 (bug #981404)
-   [buster] - libzstd 1.3.8+dfsg-3+deb10u1
-   [stretch] - libzstd 1.1.2-1+deb9u1
NOTE: https://github.com/facebook/zstd/issues/1630
 CVE-2021-26852
RESERVED
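Review bot: removing the `[buster]` and `[stretch]` fixed-version lines only works if the tracker now derives those versions from the DSA/DLA entries updated in this same commit; the numbers do line up (DSA-4850-1 carries 1.3.8+dfsg-3+deb10u1 for CVE-2021-24031, DSA-4859-1 carries +deb10u2 for CVE-2021-24032, DLA-2573-1 carries 1.1.2-1+deb9u1 for both), but neither CVE entry gains a `{DSA-...}`/`{DLA-...}` cross-reference line of the kind other entries in this file carry (e.g. `{DLA-2562-1}` under CVE-2021-27229 on this page); please confirm that line is added by the DSA/DLA tooling rather than expected here.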
@@ -8765,10 +8761,6 @@ CVE-2021-24034
RESERVED
 CVE-2021-24033
RESERVED
-CVE-2021-24032
-   RESERVED
-CVE-2021-24031
-   RESERVED
 CVE-2021-24030
RESERVED
 CVE-2021-24029


=
data/DLA/list
=
@@ -14,6 +14,7 @@
{CVE-2021-27212}
[stretch] - openldap 2.4.44+dfsg-5+deb9u8
 [20 Feb 2021] DLA-2573-1 libzstd - security update
+   {CVE-2021-24031 CVE-2021-24032}
[stretch] - libzstd 1.1.2-1+deb9u1
 [20 Feb 2021] DLA-2572-1 wpa - security update
{CVE-2021-0326}


=
data/DSA/list
=
@@ -20,6 +20,7 @@
{CVE-2021-27212}
[buster] - openldap 2.4.47+dfsg-3+deb10u6
 [20 Feb 2021] DSA-4859-1 libzstd - security update
+   {CVE-2021-24032}
[buster] - libzstd 1.3.8+dfsg-3+deb10u2
 [19 Feb 2021] DSA-4858-1 chromium - security update
{CVE-2021-21148 CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 
CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 
CVE-2021-21157}
@@ -45,6 +46,7 @@
{CVE-2020-17525}
[buster] - subversion 1.10.4-1+deb10u2
 [10 Feb 2021] DSA-4850-1 libzstd - security update
+   {CVE-2021-24031}
[buster] - libzstd 1.3.8+dfsg-3+deb10u1
 [09 Feb 2021] DSA-4849-1 firejail - security update
{CVE-2021-26910}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d476a73235fb12334b2d8fbae0421c31257a61f5



[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1926 as NFU

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bf50fd77 by Salvatore Bonaccorso at 2021-03-02T08:00:08+01:00
Add CVE-2020-1926 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -93784,6 +93784,7 @@ CVE-2020-1927 (In Apache HTTP Server 2.4.0 to 2.4.41, 
redirects configured with
NOTE: https://svn.apache.org/r1874191
 CVE-2020-1926
RESERVED
+   NOT-FOR-US: Apache Hive
 CVE-2020-1925 (Apache Olingo versions 4.0.0 to 4.7.0 provide the 
AsyncRequestWrapperI ...)
NOT-FOR-US: Olingo
 CVE-2019-19517 (Intelbras RF1200 1.1.3 devices allow CSRF to bypass the 
login.html for ...)
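Review bot: `NOT-FOR-US: Apache Hive` is recorded while CVE-2020-1926 is still RESERVED, so there is no description in the entry to check the attribution against; a `NOTE:` with the source of the assignment (advisory or upstream reference) would let the next triager confirm it once the automatic update fills in the description.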



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf50fd7745c82b6106606d6238ff3f011e9659cd



[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7929/mongodb

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d53cb810 by Salvatore Bonaccorso at 2021-03-01T21:34:40+01:00
Add CVE-2020-7929/mongodb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -77572,7 +77572,8 @@ CVE-2020-7931 (In JFrog Artifactory 5.x and 6.x, 
insecure FreeMarker template pr
 CVE-2020-7930
RESERVED
 CVE-2020-7929 (A user authorized to perform database queries may trigger 
denial of se ...)
-   TODO: check
+   - mongodb 
+   NOTE: https://jira.mongodb.org/browse/SERVER-51083
 CVE-2020-7928 (A user authorized to perform database queries may trigger a 
read overr ...)
- mongodb 
[stretch] - mongodb  (Vulnerable code introduced later)
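Review bot: the entry gets `- mongodb` and the SERVER-51083 reference but, unlike the adjacent CVE-2020-7928 entry with its `[stretch] - mongodb  (Vulnerable code introduced later)` line, no stretch annotation; an explicit `[stretch]` decision (affected and needing LTS attention, or not-affected with the reason) should be recorded rather than left implicit.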



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d53cb810ad8976564fa3e9d8b93bcb75bb665fc9



[Git][security-tracker-team/security-tracker][master] Process NFUs

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4e2ed90 by Salvatore Bonaccorso at 2021-03-01T21:34:07+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4927,15 +4927,15 @@ CVE-2021-25835 (Cosmos Network Ethermint = v0.4.0 
is affected by a cross-cha
 CVE-2021-25834 (Cosmos Network Ethermint = v0.4.0 is affected by a 
transaction rep ...)
NOT-FOR-US: Cosmos Network Ethermint
 CVE-2021-25833 (A file extension handling issue was found in [server] module 
of ONLYOF ...)
-   TODO: check
+   NOT-FOR-US: ONLYOFFICE DocumentServer
 CVE-2021-25832 (A heap buffer overflow vulnerability inside of BMP image 
processing wa ...)
-   TODO: check
+   NOT-FOR-US: ONLYOFFICE DocumentServer
 CVE-2021-25831 (A file extension handling issue was found in [core] module of 
ONLYOFFI ...)
-   TODO: check
+   NOT-FOR-US: ONLYOFFICE DocumentServer
 CVE-2021-25830 (A file extension handling issue was found in [core] module of 
ONLYOFFI ...)
-   TODO: check
+   NOT-FOR-US: ONLYOFFICE DocumentServer
 CVE-2021-25829 (An improper binary stream data handling issue was found in the 
[core]  ...)
-   TODO: check
+   NOT-FOR-US: ONLYOFFICE DocumentServer
 CVE-2021-25828
RESERVED
 CVE-2021-25827



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4e2ed906002df6cfced34c9b8eb24bb06609ea2



[Git][security-tracker-team/security-tracker][master] Add CVE-2018-25004/mongodb

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9dbecd0a by Salvatore Bonaccorso at 2021-03-01T21:33:26+01:00
Add CVE-2018-25004/mongodb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3515,7 +3515,8 @@ CVE-2018-25006
 CVE-2018-25005
RESERVED
 CVE-2018-25004 (A user authorized to performing a specific type of query may 
trigger a ...)
-   TODO: check
+   - mongodb 
+   NOTE: https://jira.mongodb.org/browse/SERVER-38275
 CVE-2021-3345 (_gcry_md_block_write in cipher/hash-common.c in Libgcrypt 
version 1.9. ...)
[experimental] - libgcrypt20 1.9.1-1 (bug #981370)
- libgcrypt20  (Only affected 1.9)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9dbecd0adc17d934932c8610a8e09ea98c30279f



[Git][security-tracker-team/security-tracker][master] automatic update

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b3b0b17 by security tracker role at 2021-03-01T20:10:31+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,141 @@
+CVE-2021-3418
+   RESERVED
+CVE-2021-27875
+   RESERVED
+CVE-2021-27874
+   RESERVED
+CVE-2021-27873
+   RESERVED
+CVE-2021-27872
+   RESERVED
+CVE-2021-27871
+   RESERVED
+CVE-2021-27870
+   RESERVED
+CVE-2021-27869
+   RESERVED
+CVE-2021-27868
+   RESERVED
+CVE-2021-27867
+   RESERVED
+CVE-2021-27866
+   RESERVED
+CVE-2021-27865
+   RESERVED
+CVE-2021-27864
+   RESERVED
+CVE-2021-27863
+   RESERVED
+CVE-2021-27862
+   RESERVED
+CVE-2021-27861
+   RESERVED
+CVE-2021-27860
+   RESERVED
+CVE-2021-27859
+   RESERVED
+CVE-2021-27858
+   RESERVED
+CVE-2021-27857
+   RESERVED
+CVE-2021-27856
+   RESERVED
+CVE-2021-27855
+   RESERVED
+CVE-2021-27854
+   RESERVED
+CVE-2021-27853
+   RESERVED
+CVE-2021-27852
+   RESERVED
+CVE-2021-27851
+   RESERVED
+CVE-2021-27850
+   RESERVED
+CVE-2021-27849
+   RESERVED
+CVE-2021-27848
+   RESERVED
+CVE-2021-27847
+   RESERVED
+CVE-2021-27846
+   RESERVED
+CVE-2021-27845
+   RESERVED
+CVE-2021-27844
+   RESERVED
+CVE-2021-27843
+   RESERVED
+CVE-2021-27842
+   RESERVED
+CVE-2021-27841
+   RESERVED
+CVE-2021-27840
+   RESERVED
+CVE-2021-27839
+   RESERVED
+CVE-2021-27838
+   RESERVED
+CVE-2021-27837
+   RESERVED
+CVE-2021-27836
+   RESERVED
+CVE-2021-27835
+   RESERVED
+CVE-2021-27834
+   RESERVED
+CVE-2021-27833
+   RESERVED
+CVE-2021-27832
+   RESERVED
+CVE-2021-27831
+   RESERVED
+CVE-2021-27830
+   RESERVED
+CVE-2021-27829
+   RESERVED
+CVE-2021-27828
+   RESERVED
+CVE-2021-27827
+   RESERVED
+CVE-2021-27826
+   RESERVED
+CVE-2021-27825
+   RESERVED
+CVE-2021-27824
+   RESERVED
+CVE-2021-27823
+   RESERVED
+CVE-2021-27822
+   RESERVED
+CVE-2021-27821
+   RESERVED
+CVE-2021-27820
+   RESERVED
+CVE-2021-27819
+   RESERVED
+CVE-2021-27818
+   RESERVED
+CVE-2021-27817
+   RESERVED
+CVE-2021-27816
+   RESERVED
+CVE-2021-27815
+   RESERVED
+CVE-2021-27814
+   RESERVED
+CVE-2021-27813
+   RESERVED
+CVE-2021-27812
+   RESERVED
+CVE-2021-27811
+   RESERVED
+CVE-2021-27810
+   RESERVED
+CVE-2021-27809
+   RESERVED
+CVE-2021-27808
+   RESERVED
 CVE-2021-27807
RESERVED
 CVE-2021-27806
@@ -3376,8 +3514,8 @@ CVE-2018-25006
RESERVED
 CVE-2018-25005
RESERVED
-CVE-2018-25004
-   RESERVED
+CVE-2018-25004 (A user authorized to performing a specific type of query may 
trigger a ...)
+   TODO: check
 CVE-2021-3345 (_gcry_md_block_write in cipher/hash-common.c in Libgcrypt 
version 1.9. ...)
[experimental] - libgcrypt20 1.9.1-1 (bug #981370)
- libgcrypt20  (Only affected 1.9)
@@ -3500,8 +3638,8 @@ CVE-2021-26276 (** DISPUTED ** scripts/cli.js in the 
GoDaddy node-config-shield
NOT-FOR-US: GoDaddy node-config-shield
 CVE-2021-26275
RESERVED
-CVE-2020-36240
-   RESERVED
+CVE-2020-36240 (The ResourceDownloadRewriteRule class in Crowd before version 
4.0.4, a ...)
+   TODO: check
 CVE-2020-36239
RESERVED
 CVE-2020-36238
@@ -4352,8 +4490,8 @@ CVE-2021-25916
RESERVED
 CVE-2021-25915
RESERVED
-CVE-2021-25914
-   RESERVED
+CVE-2021-25914 (Prototype pollution vulnerability in 'object-collider' 
versions 1.0.0  ...)
+   TODO: check
 CVE-2021-25913 (Prototype pollution vulnerability in 'set-or-get' version 
1.0.0 throug ...)
NOT-FOR-US: Node set-or-get
 CVE-2021-25912 (Prototype pollution vulnerability in 'dotty' versions 0.0.1 
through 0. ...)
@@ -4787,16 +4925,16 @@ CVE-2021-25835 (Cosmos Network Ethermint = v0.4.0 
is affected by a cross-cha
NOT-FOR-US: Cosmos Network Ethermint
 CVE-2021-25834 (Cosmos Network Ethermint = v0.4.0 is affected by a 
transaction rep ...)
NOT-FOR-US: Cosmos Network Ethermint
-CVE-2021-25833
-   RESERVED
-CVE-2021-25832
-   RESERVED
-CVE-2021-25831
-   RESERVED
-CVE-2021-25830
-   RESERVED
-CVE-2021-25829
-   RESERVED
+CVE-2021-25833 (A file extension handling issue was found in [server] module 
of ONLYOF ...)
+   TODO: check
+CVE-2021-25832 (A heap buffer overflow vulnerability inside of BMP image 
processing wa ...)
+   TODO: check
+CVE-2021-25831 (A file extension handling issue was found in [core] module of 
ONLYOFFI ...)
+   TODO: check
+CVE-2021-25830 (A file extension handling issue was found in [core] module of 
ONLYOFFI ...)
+   TODO: check
+CVE-2021-25829 (An improper binary stream data handling issue was found in the 
[core]  ...)
+   TODO: check
 CVE-2021-25828
RESERVED
 

[Git][security-tracker-team/security-tracker][master] 5 commits: Track fixed version via unstable for CVE-2021-25329/tomcat9

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1183aa74 by Salvatore Bonaccorso at 2021-03-01T17:14:40+01:00
Track fixed version via unstable for CVE-2021-25329/tomcat9

- - - - -
1769f634 by Salvatore Bonaccorso at 2021-03-01T17:15:09+01:00
Track fixed version for CVE-2021-25122/tomcat9 via unstable

- - - - -
30bee309 by Salvatore Bonaccorso at 2021-03-01T17:15:39+01:00
Add note on incomplete fix for CVE-2020-9484

- - - - -
4fe8600e by Salvatore Bonaccorso at 2021-03-01T17:27:04+01:00
Reference upstream commits for CVE-2021-25329

- - - - -
3c61027d by Salvatore Bonaccorso at 2021-03-01T17:27:25+01:00
Reference upstream commits for CVE-2021-25122

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5867,10 +5867,14 @@ CVE-2021-3180
RESERVED
 CVE-2021-25329
RESERVED
-   - tomcat9 
+   - tomcat9 9.0.43-1
- tomcat8 
- tomcat7 
NOTE: https://www.openwall.com/lists/oss-security/2021/03/01/2
+   NOTE: 
https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453
 (9.0.43)
+   NOTE: 
https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35
 (8.5.63)
+   NOTE: 
https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5
 (7.0.108)
+   NOTE: CVE is for incomplete fix for CVE-2020-9484.
 CVE-2021-25328
RESERVED
 CVE-2021-25327
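Review bot: only tomcat9 gets a fixed version (9.0.43-1) while tomcat8 and tomcat7 stay without one, even though the hunk references the 8.5.63 and 7.0.108 upstream commits; those two source packages need either a fixed version or a `[buster]`/`[stretch]` decision. Since the note says this CVE is for the incomplete fix of CVE-2020-9484, a matching NOTE on the CVE-2020-9484 entry would keep the two linked in both directions.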
@@ -6404,10 +6408,12 @@ CVE-2021-25123 (The Baseboard Management 
Controller(BMC) in HPE Cloudline CL5800
NOT-FOR-US: HPE
 CVE-2021-25122
RESERVED
-   - tomcat9 
+   - tomcat9 9.0.43-1
- tomcat8 
- tomcat7 
NOTE: https://www.openwall.com/lists/oss-security/2021/03/01/1
+   NOTE: 
https://github.com/apache/tomcat/commit/d47c20a776e8919eaca8da9390a32bc8bf8210b1
 (9.0.43)
+   NOTE: 
https://github.com/apache/tomcat/commit/bb0e7c1e0d737a0de7d794572517bce0e91d30fa
 (8.5.63)
 CVE-2021-25121
RESERVED
 CVE-2021-25120
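Review bot: tomcat7 is listed as affected, but unlike the CVE-2021-25329 hunk above only the 9.0.43 and 8.5.63 commits are referenced and no 7.0.x commit; confirm whether tomcat 7 is actually affected and either record the corresponding upstream commit or annotate the `- tomcat7` line accordingly.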



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5327ecf031f0abb387bc0e4e2357cdc845b3bcd7...3c61027d3edd6dc37525993b21928c5e6aa4b3e0



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-28493/jinja2 in unstable

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5327ecf0 by Salvatore Bonaccorso at 2021-03-01T16:49:11+01:00
Track fixed version for CVE-2020-28493/jinja2 in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25600,7 +25600,7 @@ CVE-2020-28495 (This affects the package total.js 
before 3.4.7. The set function
 CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue 
occurs in th ...)
NOT-FOR-US: Node total.js
 CVE-2020-28493 (This affects the package jinja2 from 0.0.0 and before 2.11.3. 
The ReDo ...)
-   - jinja2  (bug #982736)
+   - jinja2 2.11.3-1 (bug #982736)
[stretch] - jinja2  (Minor issue)
NOTE: https://github.com/pallets/jinja/pull/1343
NOTE: https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
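Review bot: with the fixed version 2.11.3-1 recorded for unstable, the entry has a `[stretch] ... (Minor issue)` line but no `[buster]` line, so buster shows as open without a decision; given stretch was triaged as minor for this ReDoS, buster needs an explicit `[buster]` annotation (no-dsa with the same reasoning, or a planned update).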



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5327ecf031f0abb387bc0e4e2357cdc845b3bcd7



[Git][security-tracker-team/security-tracker][master] mumble fixed in sid

2021-03-01 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0950d65d by Moritz Muehlenhoff at 2021-03-01T16:01:15+01:00
mumble fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1229,7 +1229,7 @@ CVE-2021-27230
RESERVED
 CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim 
navigates ...)
{DLA-2562-1}
-   - mumble  (bug #982904)
+   - mumble 1.3.4-1 (bug #982904)
[buster] - mumble  (Minor issue)
NOTE: 
https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
NOTE: https://github.com/mumble-voip/mumble/pull/4733
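Review bot: the fixed version 1.3.4-1 sits next to the upstream commit and PR references, but the surrounding context deserves a second look: the description says "remote code execution" and stretch received DLA-2562-1, while buster is still annotated `(Minor issue)`; confirm the buster no-dsa decision was deliberate or record why the impact differs there.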



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0950d65d0481817674f133574997c5f50ec438ca



[Git][security-tracker-team/security-tracker][master] gitlab fixes in experimental

2021-03-01 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cb934b5 by Moritz Muehlenhoff at 2021-03-01T15:47:38+01:00
gitlab fixes in experimental

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12689,6 +12689,7 @@ CVE-2021-22172
- gitlab 
NOTE: 
https://about.gitlab.com/releases/2021/02/01/security-release-gitlab-13-8-2-released/
 CVE-2021-22171 (Insufficient validation of authentication parameters in GitLab 
Pages f ...)
+   [experimental] - gitlab 13.6.6-1
- gitlab 
 CVE-2021-22170
RESERVED
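Review bot: `[experimental] - gitlab 13.6.6-1` is added for CVE-2021-22171 (and for 22168/22167 in the next hunk) but not for CVE-2021-22172 in this hunk's leading context, which has the same `- gitlab` status and the same 13.8.2 release-note link; confirm whether 13.6.6 also addresses 22172 and either add the line or note why it is excluded.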
@@ -12697,8 +12698,10 @@ CVE-2021-22169
- gitlab  (Specific to EE)
NOTE: 
https://about.gitlab.com/releases/2021/02/01/security-release-gitlab-13-8-2-released/
 CVE-2021-22168 (A regular expression denial of service issue has been 
discovered in Nu ...)
+   [experimental] - gitlab 13.6.6-1
- gitlab 
 CVE-2021-22167 (An issue has been discovered in GitLab affecting all versions 
starting ...)
+   [experimental] - gitlab 13.6.6-1
- gitlab 
 CVE-2021-22166 (An attacker could cause a Prometheus denial of service in 
GitLab 13.7+ ...)
- gitlab  (Only affects Gitlab 13.7.x)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cb934b5464ff4cc1aca34b6ce0a37949cba39c8



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2578-1 for thunderbird

2021-03-01 Thread Emilio Pozuelo Monfort


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d09feeb4 by Emilio Pozuelo Monfort at 2021-03-01T15:40:48+01:00
Reserve DLA-2578-1 for thunderbird

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[01 Mar 2021] DLA-2578-1 thunderbird - security update
+   {CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978}
+   [stretch] - thunderbird 1:78.8.0-1~deb9u1
 [26 Feb 2021] DLA-2577-1 python-pysaml2 - security update
{CVE-2017-1000433 CVE-2021-21239}
[stretch] - python-pysaml2 3.0.0-5+deb9u2


=
data/dla-needed.txt
=
@@ -132,8 +132,6 @@ spotweb
 subversion (Thorsten Alteholz)
   NOTE: 20210221: solving build problems
 --
-thunderbird (Emilio)
---
 wpa (Utkarsh)
 --
 xmlbeans (Roberto C. Sánchez)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d09feeb44fef4f4abaf6cf6331b95f1a69756fc6



[Git][security-tracker-team/security-tracker][master] new tomcat issues

2021-03-01 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c96a5ad8 by Moritz Muehlenhoff at 2021-03-01T14:29:51+01:00
new tomcat issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5867,6 +5867,10 @@ CVE-2021-3180
RESERVED
 CVE-2021-25329
RESERVED
+   - tomcat9 
+   - tomcat8 
+   - tomcat7 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/03/01/2
 CVE-2021-25328
RESERVED
 CVE-2021-25327
@@ -6400,6 +6404,10 @@ CVE-2021-25123 (The Baseboard Management Controller(BMC) 
in HPE Cloudline CL5800
NOT-FOR-US: HPE
 CVE-2021-25122
RESERVED
+   - tomcat9 
+   - tomcat8 
+   - tomcat7 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/03/01/1
 CVE-2021-25121
RESERVED
 CVE-2021-25120



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96a5ad867323131769769b5ec22ccbfd0b2bba9



[Git][security-tracker-team/security-tracker][master] OTRS n/a

2021-03-01 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c4f2f279 by Moritz Muehlenhoff at 2021-03-01T14:16:35+01:00
OTRS n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14907,9 +14907,7 @@ CVE-2021-21437
 CVE-2021-21436 (Agents are able to see and link Config Items without 
permissions, whic ...)
NOT-FOR-US: OTRSCIsInCustomerFrontend (OTRS addon)
 CVE-2021-21435 (Article Bcc fields and agent personal information are shown 
when custo ...)
-   - otrs2  (bug #982586)
-   [buster] - otrs2  (Non-free not supported)
-   [stretch] - otrs2  (Non-free not supported)
+   - otrs2  (Doesn't affect OTRS as packaged in Debian, see 
bug #982586)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-02/
 CVE-2021-21434 (Survey administrator can craft a survey in such way that 
malicious cod ...)
NOT-FOR-US: OTRS Survey addon
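Review bot: collapsing the three lines into a single `- otrs2  (Doesn't affect OTRS as packaged in Debian, see bug #982586)` is fine, but the reason the Debian packaging is not affected is only reachable through the bug; a one-line NOTE stating it would save the next reader a lookup, and it is the same reasoning a future triager will need for the other OTRS CVEs in this block.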
@@ -160478,13 +160476,11 @@ CVE-2018-17439 (An issue was discovered in the HDF 
HDF5 1.10.3 library. There is
NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#stack-overflow-in-h5s_extent_get_dims
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10589
 CVE-2018-17438 (A SIGFPE signal is raised in the function H5D__select_io() of 
H5Dselec ...)
-   - hdf5  (low)
-   [buster] - hdf5  (Minor issue)
-   [stretch] - hdf5  (Minor issue)
-   [jessie] - hdf5  (Minor issue)
+   - hdf5 1.10.6+repack-1 (unimportant)
NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_h5d__select_io_h5dselect
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10587
NOTE: fix in develop branch: 
https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7add52ff4f2443357648d53d52add274d1b18b5f
+   NOTE: Negligible security impact
 CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in 
H5Odtype.c in ...)
- hdf5 1.10.6+repack-2 (low)
[buster] - hdf5  (Minor issue)
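Review bot: the entry now records a fixed version of `1.10.6+repack-1` while the neighbouring CVE-2018-17437 is fixed in `1.10.6+repack-2`, and the existing NOTE only says the fix is in the develop branch; confirm which upload actually carried the H5D__select_io() fix (the referenced commit 7add52ff...) before closing this with -1, otherwise the version comparison will mark -1 as fixed when it may not be.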



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4f2f27997735e0ce69c6986ae6cc2a382b65b2f



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2021-03-01 Thread Holger Levsen


Holger Levsen pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
91eac4b3 by Holger Levsen at 2021-03-01T11:25:41+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Holger Levsen hol...@layer-acht.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,7 @@ ansible (Markus Koschany)
   20210215: As discussed with the maintainer I will update Buster first and
   20210215: after that LTS.
 --
-ceph (Emilio)
+ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
 (lamby)
   NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build 
goes fine). (ola)
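Review bot: the claim is dropped but nothing in the entry records that it was unclaimed or when; the existing NOTE lines still describe work in progress (patches prepared and a build running, 20200913, ola), which a new claimant may read as current. Add a dated line such as `NOTE: 20210301: unclaimed after 2 weeks of inactivity (holger)` and, if the prepared patches are available somewhere, say where.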
@@ -41,7 +41,7 @@ condor
   NOTE: 20200727: Waiting on maintainer feedback: 
https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
   NOTE: 20210205: Some patches seems to be available but not clear if it 
solves the whole issue or not. (ola)
 --
-dnsmasq (Utkarsh)
+dnsmasq
   NOTE: 20210208: wip; difficult to backport the patches. (utkarsh)
 --
 firmware-nonfree
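Review bot: the same issue as with the ceph entry above: the `(Utkarsh)` claim goes away but `NOTE: 20210208: wip; difficult to backport the patches. (utkarsh)` stays as the latest status, so the entry now reads as active work by someone no longer assigned; add a dated unclaim NOTE and, since the note says backporting is hard, point to wherever the partial work lives so it is not redone from scratch.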



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91eac4b3d8ba0cdb2328f256e37ade550c9c095f



[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c6ce967 by Salvatore Bonaccorso at 2021-03-01T09:33:22+01:00
Process some NFUs

- - - - -
c850aa28 by Salvatore Bonaccorso at 2021-03-01T09:33:37+01:00
Add CVE-2020-28646/owncloud

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1240,7 +1240,7 @@ CVE-2021-27227
 CVE-2021-27226
RESERVED
 CVE-2021-27225 (In Dataiku DSS before 8.0.6, insufficient access control in 
the Jupyte ...)
-   TODO: check
+   NOT-FOR-US: Dataiku DSS
 CVE-2021-27224 (The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a 
user-mode write ...)
NOT-FOR-US: WPG plugin for IrfanView
 CVE-2021-27223
@@ -9138,7 +9138,7 @@ CVE-2021-23835 (An issue was discovered in flatCore 
before 2.0.0 build 139. A lo
 CVE-2021-3125
RESERVED
 CVE-2021-3124 (Stored cross-site scripting (XSS) in form field in 
robust.systems prod ...)
-   TODO: check
+   NOT-FOR-US: WordPress Plugin Custom Global Variables
 CVE-2021-3123
RESERVED
 CVE-2021-3122 (CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH 
servers per ...)
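Review bot: the NOT-FOR-US label names "WordPress Plugin Custom Global Variables", but the visible part of the CVE-2021-3124 description says "form field in robust.systems prod ...", so the two do not obviously refer to the same product. If robust.systems is the vendor of that plugin, consider including both names in the label so a later search for either term finds the entry; otherwise double-check the mapping before closing the TODO.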
@@ -13104,7 +13104,7 @@ CVE-2021-3012
 CVE-2021-3011 (An electromagnetic-wave side-channel issue was discovered on 
NXP Smart ...)
NOT-FOR-US: NXP
 CVE-2021-3010 (There are multiple persistent cross-site scripting (XSS) 
vulnerabiliti ...)
-   TODO: check
+   NOT-FOR-US: OpenText Content Server
 CVE-2021-3009
RESERVED
 CVE-2021-3008
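Review bot: the visible description of CVE-2021-3010 ("multiple persistent cross-site scripting (XSS) vulnerabiliti ...") names no product, so the "OpenText Content Server" attribution cannot be verified from the diff alone. A NOTE with the advisory URL that establishes the product would make the NFU checkable later without redoing the research.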
@@ -24097,7 +24097,7 @@ CVE-2020-28648 (Improper input validation in the 
Auto-Discovery component of Nag
 CVE-2020-28647 (In Progress MOVEit Transfer before 2020.1, a malicious user 
could craf ...)
NOT-FOR-US: Progress MOVEit Transfer
 CVE-2020-28646 (ownCloud owncloud/client before 2.7 allows DLL Injection. The 
desktop  ...)
-   TODO: check
+   - owncloud 
 CVE-2020-28645 (Deleting users with certain names caused system files to be 
deleted. R ...)
- owncloud 
 CVE-2020-28644 (The CSRF (Cross Site Request Forgery) token check was 
improperly imple ...)
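Review bot: CVE-2020-28646 is added with no fixed version, no severity tag and no NOTE, although the visible description points at the ownCloud desktop client (owncloud/client before 2.7) and at DLL injection, which is a Windows library-loading issue. Record whether the Linux build shipped by Debian is affected at all (a tag such as unimportant or not-affected if it is not), confirm that "owncloud" is the source package that actually builds the desktop client rather than the server, and add a NOTE with the upstream reference so the decision is reproducible.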
@@ -2,7 +2,7 @@ CVE-2020-28201
 CVE-2020-28200
RESERVED
 CVE-2020-28199 (best it Amazon Pay Plugin before 9.4.2 for Shopware exposes 
Sensitive  ...)
-   TODO: check
+   NOT-FOR-US: Amazon Pay Plugin for Shopware
 CVE-2020-28198
RESERVED
 CVE-2020-28197
@@ -33121,7 +33121,7 @@ CVE-2020-26202
 CVE-2020-26201 (Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a 
weak pass ...)
NOT-FOR-US: Askey
 CVE-2020-26200 (A component of Kaspersky custom boot loader allowed loading of 
untrust ...)
-   TODO: check
+   NOT-FOR-US: Kaspersky products
 CVE-2020-26199 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 
5.0.4.0.5.012 ...)
NOT-FOR-US: EMC
 CVE-2020-26198 (Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 
contain a  ...)
@@ -36745,7 +36745,7 @@ CVE-2020-24688
 CVE-2020-24687
RESERVED
 CVE-2020-24686 (The vulnerabilities can be exploited to cause the web 
visualization co ...)
-   TODO: check
+   NOT-FOR-US: ABB AC500 V2 products
 CVE-2020-24685 (An unauthenticated specially crafted packet sent by an 
attacker over t ...)
NOT-FOR-US: ABB
 CVE-2020-24684
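Review bot: the label "ABB AC500 V2 products" for CVE-2020-24686 is more specific than the "NOT-FOR-US: ABB" used for CVE-2020-24685 two lines below. Both are acceptable on their own, but since these look like companion advisories, keeping the labels at the same level (both vendor-only or both product-level) makes them sort and grep together.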
@@ -121685,7 +121685,7 @@ CVE-2019-11686 (Western Digital SanDisk X300, X300s, 
X400, and X600 devices: A v
 CVE-2019-11685
RESERVED
 CVE-2019-11684 (Improper Access Control in the RCP+ server of the Bosch Video 
Recordin ...)
-   TODO: check
+   NOT-FOR-US: Bosch
 CVE-2019-11683 (udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux 
kernel  ...)
- linux  (Vulnerable code introduced later)
NOTE: Fixed by: 
https://git.kernel.org/linus/4dd2b82d5adfbe0b1587ccad7a8f76d826120f37



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5833afdbfe92c03d6e4a8ca7d9dae0530d97760e...c850aa289fdd44155f2dcddf23c00c7368dc7ffa



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-27223/jetty9

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5833afdb by Salvatore Bonaccorso at 2021-03-01T09:12:31+01:00
Track fixed version for CVE-2020-27223/jetty9

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30748,7 +30748,7 @@ CVE-2020-27225
 CVE-2020-27224 (In Eclipse Theia versions up to and including 1.2.0, the 
Markdown Prev ...)
NOT-FOR-US: Eclipse Theia
 CVE-2020-27223 (In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 
(inclusive), 10.0 ...)
-   - jetty9 
+   - jetty9 9.4.38-1
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128
NOTE: 
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
 CVE-2020-27222 (In Eclipse Californium version 2.3.0 to 2.6.0, the certificate 
based ( ...)
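Review bot: 9.4.38-1 is recorded as the fixed version for unstable, which is consistent with the affected range in the description (9.4.6.v20170531 to 9.4.36.v20210114 inclusive, plus the 10.0 line), but the entry carries no severity and no [buster] or [stretch] annotation, so the tracker will show the stable jetty9 packages as open. If that is intended pending a DSA or DLA, fine; otherwise add the suite lines now so the status is not misleading.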



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5833afdbfe92c03d6e4a8ca7d9dae0530d97760e



[Git][security-tracker-team/security-tracker][master] automatic update

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69f808de by security tracker role at 2021-03-01T08:10:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12,7 +12,7 @@ CVE-2021-27801
RESERVED
 CVE-2021-27800
RESERVED
-CVE-2021-27799 (ean_leading_zeroes in backend/upcean.c in Zint Barcode 
Generator 2.19. ...)
+CVE-2021-27799 (ean_leading_zeroes in backend/upcean.c in Zint Barcode 
Generator 2.9.1 ...)
- zint  (bug #983610)
NOTE: https://sourceforge.net/p/zint/tickets/218/
NOTE: 
https://sourceforge.net/p/zint/code/ci/7f8c8114f31c09a986597e0ba63a49f96150368a/
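Review bot: only the CVE description text changes here, from "Zint Barcode Generator 2.19." to "Zint Barcode Generator 2.9.1", while the package line "- zint (bug #983610)" with no fixed version is unchanged. That is consistent with an upstream description correction, but bug #983610 and the two sourceforge references should be checked against the corrected version, since the earlier text implied a much later release.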
@@ -1239,8 +1239,8 @@ CVE-2021-27227
RESERVED
 CVE-2021-27226
RESERVED
-CVE-2021-27225
-   RESERVED
+CVE-2021-27225 (In Dataiku DSS before 8.0.6, insufficient access control in 
the Jupyte ...)
+   TODO: check
 CVE-2021-27224 (The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a 
user-mode write ...)
NOT-FOR-US: WPG plugin for IrfanView
 CVE-2021-27223



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69f808def50e3b678c704611e9e84b407fd043ab



[Git][security-tracker-team/security-tracker][master] Track status for CVE-2021-3349

2021-03-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee57d9cd by Salvatore Bonaccorso at 2021-03-01T09:03:10+01:00
Track status for CVE-2021-3349

This is disputed on GNOME Evolution side, and deferred completely by
upstream to GnuPG. Though the reporter claims that GnuPG already provides
what would be needed to fix (additionally) in evolution.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2897,7 +2897,13 @@ CVE-2021-3351
 CVE-2021-3350 (deleteaccount.php in the Delete Account plugin 1.4 for MyBB 
allows XSS ...)
NOT-FOR-US: Delete Account plugin for MyBB
 CVE-2021-3349 (** DISPUTED ** GNOME Evolution through 3.38.3 produces a "Valid 
signat ...)
-   TODO: check
+   - evolution  (unimportant)
+   NOTE: GNOME Evlolution upstreams claims that the issue should be fixed 
completely
+   NOTE: on the GnuPG side, whilst the reporter claims theat GnuPG 
provides what is
+   NOTE: needed to adress it on evolution's side.
+   NOTE: https://dev.gnupg.org/T4735
+   NOTE: https://gitlab.gnome.org/GNOME/evolution/-/issues/299
+   NOTE: https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html
 CVE-2021-26538
RESERVED
 CVE-2021-26537
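Review bot: the three NOTE lines for CVE-2021-3349 carry typos ("Evlolution", "upstreams claims", "theat", "adress") that will be copied into anything generated from this file; fix them in a follow-up. Separately, the entry is tagged unimportant while the reporter's position, per the NOTEs and the linked article on UID trust extrapolation, is that GnuPG already provides what Evolution would need; a short NOTE stating that the tag follows the disputed status and upstream's deferral to GnuPG would make the rationale visible without following the three links.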



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee57d9cd1bb843361df2a79c914f166a57963a47
