[Git][security-tracker-team/security-tracker][master] Add note for courier-authlib issue

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
91b7d629 by Salvatore Bonaccorso at 2021-03-14T08:04:04+01:00
Add note for courier-authlib issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -573,6 +573,8 @@ CVE-2021-28109
RESERVED
 CVE-2021- [world-readable user data information]
- courier-authlib 0.71.1-2 (bug #984810)
+   NOTE: Re-introduction of #378571 while migrating from 
debian/permissions to
+   NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2.
 CVE-2021-3426
RESERVED
- python3.9 
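Review bot: the entry records the unstable fix (0.71.1-2, bug #984810) and the NOTE traces the regression to the debian/permissions to debian/courier-authdaemon.tmpfiles migration in 0.66.4-2, but there are no [buster] or [stretch] lines, so a reader cannot tell whether the older suites ship the regressed permissions; add the suite lines (fixed version or the appropriate annotation) next to the NOTE so the tracker reflects the status of the suites that would actually carry 0.66.4-2 or later.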



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91b7d629a7739379394bfc8a354b5e97a2fc706f

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91b7d629a7739379394bfc8a354b5e97a2fc706f
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e54e9076 by Salvatore Bonaccorso at 2021-03-13T21:26:46+01:00
Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -97998,6 +97998,9 @@ CVE-2019-18790 (An issue was discovered in 
channels/chan_sip.c in Sangoma Asteri
[stretch] - asterisk  (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28589
+   NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of 
CVE-2019-18351, both
+   NOTE: referring to AST-2019-006. The upstream advisory never used 
though CVE-2019-18351, but
+   NOTE: only referenced CVE-2019-18790.
 CVE-2019-18789
RESERVED
 CVE-2019-18788
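Review bot: the second added NOTE line reads awkwardly ("The upstream advisory never used though CVE-2019-18351, but only referenced CVE-2019-18790"); suggest "The upstream advisory (AST-2019-006) only ever referenced CVE-2019-18790, never CVE-2019-18351." so the relationship between the two IDs is unambiguous for whoever handles the MITRE follow-up.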
@@ -101477,7 +101480,11 @@ CVE-2019-18353
 CVE-2019-18352 (Improper access control exists on PHOENIX CONTACT FL NAT 2208 
devices  ...)
NOT-FOR-US: PHOENIX CONTACT FL NAT 2208 devices
 CVE-2019-18351 (An issue was discovered in channels/chan_sip.c in Sangoma 
Asterisk thr ...)
-   TODO: check
+   NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html
+   NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of 
CVE-2019-18351, both
+   NOTE: referring to AST-2019-006. The upstream advisory never used 
though CVE-2019-18351, but
+   NOTE: only referenced CVE-2019-18790. CVE-2019-18351 only got picked up 
later on.
+   TODO: check with MITRE if CVE-2019-18351 simply should be dropped
 CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login 
redirect GET  ...)
NOT-FOR-US: Ant Design Pro
 CVE-2019-18349 (HotkeyP through 4.9 r96 allows privilege escalation in the 
privilege f ...)
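Review bot: the three NOTE lines duplicate the text added to CVE-2019-18790 in the first hunk and already diverge from it (this copy appends "CVE-2019-18351 only got picked up later on."); keep the explanation in one place and cross-reference it here ("NOTE: See CVE-2019-18790"), the way the file does elsewhere ("NOTE: See CVE-2018-16873 for patches and regression fix"). Also, after the TODO was replaced the entry still has no "- asterisk" status line, so until MITRE answers the tracker shows CVE-2019-18351 without any Debian package mapping even though the notes tie it to the fixed CVE-2019-18790.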



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e54e90769e80057ca5469ac296d0f38d58207011



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cab840ef by Salvatore Bonaccorso at 2021-03-13T21:17:26+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15421,7 +15421,7 @@ CVE-2021-21520
 CVE-2021-21519
RESERVED
 CVE-2021-21518 (Dell SupportAssist Client for Consumer PCs versions 3.7.x, 
3.6.x, 3.4. ...)
-   TODO: check
+   NOT-FOR-US: Dell SupportAssist Client for Consumer PCs
 CVE-2021-21517 (SRS Policy Manager 6.X is affected by an XML External Entity 
Injection ...)
NOT-FOR-US: SRS Policy Manager
 CVE-2021-21516
@@ -16694,7 +16694,7 @@ CVE-2020-35684
 CVE-2020-35683
RESERVED
 CVE-2020-35682 (Zoho ManageEngine ServiceDesk Plus before 11134 allows an 
Authenticati ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus
 CVE-2020-35681 (Django Channels 3.x before 3.0.3 allows remote attackers to 
obtain sen ...)
- python-django-channels 3.0.3-1 (bug #979376)
[buster] - python-django-channels  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cab840ef112831a0f1ba4da7bcd2e7e6aaf1f168



[Git][security-tracker-team/security-tracker][master] automatic update

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2a7b9502 by security tracker role at 2021-03-13T20:10:28+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2021-28361 (An issue was discovered in Storage Performance Development Kit 
(SPDK)  ...)
+   TODO: check
+CVE-2021-28360
+   RESERVED
+CVE-2021-28359
+   RESERVED
 CVE-2021-28358
RESERVED
 CVE-2021-28357
@@ -10538,7 +10544,7 @@ CVE-2021-3115 (Go before 1.14.14 and 1.15.x before 
1.15.7 on Windows is vulnerab
NOTE: explicitly in PATH and running 'go get' outside of a module or 
with module
NOTE: mode disabled.
 CVE-2021-3114 (In Go before 1.14.14 and 1.15.x before 1.15.7, 
crypto/elliptic/p224.go ...)
-   {DSA-4848-1}
+   {DSA-4848-1 DLA-2592-1 DLA-2591-1}
- golang-1.15 1.15.7-1
- golang-1.11 
- golang-1.8 
@@ -16687,8 +16693,8 @@ CVE-2020-35684
RESERVED
 CVE-2020-35683
RESERVED
-CVE-2020-35682
-   RESERVED
+CVE-2020-35682 (Zoho ManageEngine ServiceDesk Plus before 11134 allows an 
Authenticati ...)
+   TODO: check
 CVE-2020-35681 (Django Channels 3.x before 3.0.3 allows remote attackers to 
obtain sen ...)
- python-django-channels 3.0.3-1 (bug #979376)
[buster] - python-django-channels  (Minor issue)
@@ -104240,7 +104246,7 @@ CVE-2017-1002201 (In haml versions prior to version 
5.0.0.beta.2, when using use
NOTE: https://snyk.io/vuln/SNYK-RUBY-HAML-20362
NOTE: 
https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
 CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an 
attempt to ...)
-   {DSA-4551-1}
+   {DSA-4551-1 DLA-2592-1 DLA-2591-1}
- golang-1.13 1.13.3-1 (bug #942628)
- golang-1.12 1.12.12-1 (bug #942629)
- golang-1.11 
@@ -108006,7 +108012,7 @@ CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 
to 2.6.10, the Gryphon dis
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=02ddd49885c6a09e936a76aceb726ed06539704a
 CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request 
Smugglin ...)
-   {DSA-4534-1}
+   {DSA-4534-1 DLA-2592-1 DLA-2591-1}
- golang-1.13 1.13.1-1
- golang-1.12 1.12.10-1 (bug #941173)
- golang-1.11 
@@ -129746,7 +129752,7 @@ CVE-2019-9743 (An issue was discovered on PHOENIX 
CONTACT RAD-80211-XD and RAD-8
 CVE-2019-9742 (gdwfpcd.sys in G Data Total Security before 2019-02-22 allows 
an attac ...)
NOT-FOR-US: G Data Total Security
 CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF 
injection is po ...)
-   {DLA-1749-1}
+   {DLA-2592-1 DLA-2591-1 DLA-1749-1}
- golang-1.12 1.12-1
- golang-1.11 1.11.6-1 (bug #924630)
- golang-1.8 
@@ -163552,6 +163558,7 @@ CVE-2018-16875 (The crypto/x509 package of Go before 
1.10.6 and 1.11.x before 1.
NOTE: 
https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25 
(1.11.3)
NOTE: 
https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d 
(1.10.6)
 CVE-2018-16874 (In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" 
command is  ...)
+   {DLA-2592-1 DLA-2591-1}
- golang-1.11 1.11.3-1
- golang-1.10 1.10.6-1
- golang-1.8 
@@ -163559,6 +163566,7 @@ CVE-2018-16874 (In Go before 1.10.6 and 1.11.x before 
1.11.3, the "go get" comma
NOTE: https://github.com/golang/go/issues/29231
NOTE: See CVE-2018-16873 for patches and regression fix
 CVE-2018-16873 (In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" 
command is  ...)
+   {DLA-2592-1 DLA-2591-1}
- golang-1.11 1.11.3-1
- golang-1.10 1.10.6-1
- golang-1.8 
@@ -217601,7 +217609,7 @@ CVE-2017-15042 (An unintended cleartext issue exists 
in Go before 1.8.4 and 1.9.
NOTE: https://golang.org/cl/68210
NOTE: 
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
 CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote 
command  ...)
-   {DLA-1148-1}
+   {DLA-2592-1 DLA-2591-1 DLA-1148-1}
- golang-1.9 1.9.1-1
- golang-1.8 1.8.4-1
- golang-1.7 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a7b9502eb7bc07f29dec21abd912fda5b01ffc2


[Git][security-tracker-team/security-tracker][master] Add tracking bug for CVE-2021-21300/git

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
034c0201 by Salvatore Bonaccorso at 2021-03-13T20:43:10+01:00
Add tracking bug for CVE-2021-21300/git

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17132,7 +17132,7 @@ CVE-2021-21302 (PrestaShop is a fully scalable open 
source e-commerce solution.
 CVE-2021-21301 (Wire is an open-source collaboration platform. In Wire for iOS 
(iPhone ...)
NOT-FOR-US: Wire
 CVE-2021-21300 (Git is an open-source distributed revision control system. In 
affected ...)
-   - git 1:2.30.2-1
+   - git 1:2.30.2-1 (bug #985120)
[buster] - git  (Minor issue)
[stretch] - git  (Minor issue)
NOTE: 
https://lore.kernel.org/git/xmqqim6019yd@gitster.c.googlers.com/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/034c02016412208c281cdda5b82f7a312d9c3a1a



[Git][security-tracker-team/security-tracker][master] dla: claim glib2.0

2021-03-13 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3cc5612c by Sylvain Beucler at 2021-03-13T20:11:00+01:00
dla: claim glib2.0

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -41,7 +41,7 @@ dnsmasq
 firmware-nonfree
   NOTE: 20201207: wait for the update in buster and backport that (Emilio)
 --
-glib2.0
+glib2.0 (Sylvain Beucler)
 --
 golang-github-appc-cni (Thorsten Alteholz)
   NOTE: 20210221: also taking care of reverse dependencies
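Review bot: the claim line carries no dated status NOTE, unlike the neighbouring entries in this hunk (firmware-nonfree and golang-github-appc-cni both record a "NOTE: YYYYMMDD: ..." line); adding "NOTE: 20210313: ..." with the intended scope (which CVEs, whether reverse dependencies are in scope) would follow the file's convention and let other LTS contributors see progress without asking.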



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cc5612c13ca0fc76a129c4561fdcbb0192240b3



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2593-1 for ca-certificates

2021-03-13 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker


Commits:
763e735d by Utkarsh Gupta at 2021-03-14T00:18:31+05:30
Reserve DLA-2593-1 for ca-certificates

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[14 Mar 2021] DLA-2593-1 ca-certificates - whitelist Symantec CA
+   [stretch] - ca-certificates 20200601~deb9u2
 [13 Mar 2021] DLA-2592-1 golang-1.8 - security update
{CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741 
CVE-2019-16276 CVE-2019-17596 CVE-2021-3114}
[stretch] - golang-1.8 1.8.1-1+deb9u3
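Review bot: unlike DLA-2592-1 directly below, this entry has no {CVE-...} line and uses a free-form title ("whitelist Symantec CA") instead of the "security update" wording; if the DLA deliberately tracks no CVE, a NOTE giving the reason and the bug or discussion the change came from would keep the non-CVE entry auditable later.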



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/763e735d057dda78ff41043c54666abf76df8648



[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DLA-2591-1 for golang-1.7

2021-03-13 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
537bcfc7 by Sylvain Beucler at 2021-03-13T19:10:17+01:00
Reserve DLA-2591-1 for golang-1.7

- - - - -
9dce6244 by Sylvain Beucler at 2021-03-13T19:12:24+01:00
Reserve DLA-2592-1 for golang-1.8

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -104245,9 +104245,7 @@ CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 
1.13.2 can panic upon an atte
- golang-1.12 1.12.12-1 (bug #942629)
- golang-1.11 
- golang-1.8 
-   [stretch] - golang-1.8  (Minor issue)
- golang-1.7 
-   [stretch] - golang-1.7  (Minor issue)
- golang 
[jessie] - golang  (Minor issue)
NOTE: https://golang.org/issue/34960
@@ -108013,9 +108011,7 @@ CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 
1.13.1 allow HTTP Request Sm
- golang-1.12 1.12.10-1 (bug #941173)
- golang-1.11 
- golang-1.8 
-   [stretch] - golang-1.8  (Minor issue)
- golang-1.7 
-   [stretch] - golang-1.7  (Minor issue)
- golang 
[jessie] - golang  (Minor issue)
NOTE: 
https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q
@@ -129754,9 +129750,7 @@ CVE-2019-9741 (An issue was discovered in net/http in 
Go 1.11.5. CRLF injection
- golang-1.12 1.12-1
- golang-1.11 1.11.6-1 (bug #924630)
- golang-1.8 
-   [stretch] - golang-1.8  (Minor issue)
- golang-1.7 
-   [stretch] - golang-1.7  (Minor issue)
- golang 
NOTE: https://github.com/golang/go/issues/30794
NOTE: 
https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9
@@ -217610,9 +217604,7 @@ CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 
1.9.1 allows "go get" remote co
{DLA-1148-1}
- golang-1.9 1.9.1-1
- golang-1.8 1.8.4-1
-   [stretch] - golang-1.8  (Minor issue)
- golang-1.7 
-   [stretch] - golang-1.7  (Minor issue)
- golang 
[jessie] - golang  (Minor issue)
NOTE: 
https://go.googlesource.com/go/+/a4544a0f8af001d1fb6df0e70750f570ec49ccf9%5E%21/


=
data/DLA/list
=
@@ -1,3 +1,9 @@
+[13 Mar 2021] DLA-2592-1 golang-1.8 - security update
+   {CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741 
CVE-2019-16276 CVE-2019-17596 CVE-2021-3114}
+   [stretch] - golang-1.8 1.8.1-1+deb9u3
+[13 Mar 2021] DLA-2591-1 golang-1.7 - security update
+   {CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741 
CVE-2019-16276 CVE-2019-17596 CVE-2021-3114}
+   [stretch] - golang-1.7 1.7.4-2+deb9u3
 [12 Mar 2021] DLA-2590-1 pygments - security update
{CVE-2021-20270}
[stretch] - pygments 2.2.0+dfsg-1+deb9u1
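Review bot: both DLA entries list seven CVEs, but the data/CVE/list part of this push removes stale "[stretch] ... (Minor issue)" lines for only four of them (CVE-2019-17596, CVE-2019-16276, CVE-2019-9741, CVE-2017-15041); confirm that CVE-2018-16873, CVE-2018-16874 and CVE-2021-3114 carry no leftover stretch "(Minor issue)" annotations for golang-1.7 and golang-1.8, otherwise the tracker will show those three as both fixed by the DLA and deferred.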


=
data/dla-needed.txt
=
@@ -43,14 +43,6 @@ firmware-nonfree
 --
 glib2.0
 --
-golang-1.7 (Sylvain Beucler)
-  NOTE: 20200308: triaged missing CVEs and DebianN->DebianN+1 regressions
-  NOTE: 20200308: documented test suite and reverse build dependencies
-  NOTE: 20200308: triaging, fixing and testing remaining CVEs
---
-golang-1.8 (Sylvain Beucler)
-  NOTE: 20200308: cf. golang-1.7
---
 golang-github-appc-cni (Thorsten Alteholz)
   NOTE: 20210221: also taking care of reverse dependencies
   NOTE: 20210221: also taking care of other suites



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2bafb7740b6609982a37b656fcf9b57326aefb48...9dce624492092b3dcb39aae7a259a58232a6c24e



[Git][security-tracker-team/security-tracker][master] rust-arch-swap, rust-smallvec fixed in sid

2021-03-13 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2bafb774 by Moritz Muehlenhoff at 2021-03-13T18:01:23+01:00
rust-arch-swap, rust-smallvec fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10360,7 +10360,7 @@ CVE-2021-23898
 CVE-2021-23897
RESERVED
 CVE-2021-25900 (An issue was discovered in the smallvec crate before 0.6.14 
and 1.x be ...)
-   - rust-smallvec  (bug #984665)
+   - rust-smallvec 1.4.2-2 (bug #984665)
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0003.html
NOTE: https://github.com/servo/rust-smallvec/issues/252
 CVE-2021-3127
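Review bot: 1.4.2-2 is a Debian revision of the 1.4.2 upstream release, so the fix must be a backported patch, yet the NOTEs point only at the RustSec advisory and the upstream issue; add the backported commit (or changelog) reference, with a "(version)" qualifier as other entries do, so the stable backport can be traced. Also, this entry has no [buster] line while the rust-arc-swap entry in the next hunk carries "[buster] - rust-arc-swap (Minor issue)"; confirm whether buster ships rust-smallvec and annotate accordingly.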
@@ -16620,7 +16620,7 @@ CVE-2020-35710 (Parallels Remote Application Server 
(RAS) 18 allows remote attac
 CVE-2020-35709 (bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php 
files (with  ...)
NOT-FOR-US: bloofoxCMS
 CVE-2020-35711 (An issue has been discovered in the arc-swap crate before 
0.4.8 (and 1 ...)
-   - rust-arc-swap  (bug #985090)
+   - rust-arc-swap 0.4.8-1 (bug #985090)
[buster] - rust-arc-swap  (Minor issue)
NOTE: https://github.com/vorner/arc-swap/issues/45
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0091.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bafb7740b6609982a37b656fcf9b57326aefb48



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for explicitly reported #985142

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bf56d1f5 by Salvatore Bonaccorso at 2021-03-13T16:45:59+01:00
Add Debian bug reference for explicitly reported #985142

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17409,7 +17409,7 @@ CVE-2021-21194
RESERVED
 CVE-2021-21193
RESERVED
-   - chromium 
+   - chromium  (bug #985142)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21192
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf56d1f5ec59371de28675c13e6e9a080eb7b6d1



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-27576 as NFU

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2d99d54e by Salvatore Bonaccorso at 2021-03-13T13:34:39+01:00
Add CVE-2021-27576 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1788,6 +1788,7 @@ CVE-2021-27577
RESERVED
 CVE-2021-27576
RESERVED
+   NOT-FOR-US: Apache OpenMeetings
 CVE-2021-27575
RESERVED
 CVE-2021-27574
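Review bot: the entry is still RESERVED with no description, so the NOT-FOR-US mapping to Apache OpenMeetings rests on information not visible in the file; add a NOTE with the source (the upstream advisory or list post that named the product) so the triage can be re-checked once MITRE publishes the description.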



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d99d54e543a064748c11dfe2c8a88ae2484efe7



[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-28041/openssh

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
05820c94 by Salvatore Bonaccorso at 2021-03-13T13:15:56+01:00
Track fixed version via unstable for CVE-2021-28041/openssh

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -772,7 +772,7 @@ CVE-2021-28042 (Deutsche Post Mailoptimizer 4.3 before 
2020-11-09 allows Directo
 CVE-2021-3423
RESERVED
 CVE-2021-28041 (ssh-agent in OpenSSH before 8.5 has a double free that may be 
relevant ...)
-   - openssh  (bug #984940)
+   - openssh 1:8.4p1-5 (bug #984940)
[buster] - openssh  (Vulnerable code introduced later)
[stretch] - openssh  (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2021/03/03/1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05820c94b2e383a0c742cdd5cf8cc6436957cbf2



[Git][security-tracker-team/security-tracker][master] Add additionally (more isolated) OpenBSD patch reference for CVE-2021-28041

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ae973ff by Salvatore Bonaccorso at 2021-03-13T11:21:53+01:00
Add additionally (more isolated) OpenBSD patch reference for CVE-2021-28041

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -777,6 +777,7 @@ CVE-2021-28041 (ssh-agent in OpenSSH before 8.5 has a 
double free that may be re
[stretch] - openssh  (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2021/03/03/1
NOTE: 
https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
+   NOTE: 
https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
 CVE-2021-28040 (An issue was discovered in OSSEC 3.6.0. An uncontrolled 
recursion vuln ...)
- ossec-hids  (bug #361954)
 CVE-2021-28037 (An issue was discovered in the internment crate before 0.4.2 
for Rust. ...)
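Review bot: the new NOTE adds a second patch reference without saying how it relates to the openssh-portable commit above it; the commit message calls it the "more isolated" OpenBSD patch, so append a short parenthetical to the NOTE (the file uses "(1.5.0)"-style qualifiers elsewhere) stating that this is the stand-alone OpenBSD 6.8 ssh-agent fix, which is the form a stable backporter would look for first.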



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae973ff71bee16adfa8b034c64920a3864b401d



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-27515/node-url-parse

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
226ce3f1 by Salvatore Bonaccorso at 2021-03-13T11:19:15+01:00
Track fixed version for CVE-2021-27515/node-url-parse

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1911,7 +1911,7 @@ CVE-2021-27517
 CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of 
backslash  ...)
NOT-FOR-US: urijs
 CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash 
such as ht ...)
-   - node-url-parse  (bug #985110)
+   - node-url-parse 1.5.1-1 (bug #985110)
[stretch] - node-url-parse  (Minor issue)
NOTE: 
https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
 (1.5.0)
NOTE: https://github.com/unshiftio/url-parse/pull/197



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/226ce3f172000b8115bbde5b7966b28e2dbe5b24



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-23341/node-prismjs

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eb18e249 by Salvatore Bonaccorso at 2021-03-13T11:18:22+01:00
Track fixed version for CVE-2021-23341/node-prismjs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11534,7 +11534,7 @@ CVE-2021-23343
 CVE-2021-23342 (This affects the package docsify before 4.12.0. It is possible 
to bypa ...)
NOT-FOR-US: docsify
 CVE-2021-23341 (The package prismjs before 1.23.0 are vulnerable to Regular 
Expression ...)
-   - node-prismjs  (bug #985109)
+   - node-prismjs 1.23.0+dfsg-1 (bug #985109)
NOTE: 
https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609
 (v1.23.0)
NOTE: https://github.com/PrismJS/prism/pull/2584
NOTE: https://github.com/PrismJS/prism/issues/2583



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb18e2498eb295f2b7fc69b34b5a067463704dbc



[Git][security-tracker-team/security-tracker][master] Track fixed version for two node-lodash issues fixed in unstable

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
64868c97 by Salvatore Bonaccorso at 2021-03-13T11:17:25+01:00
Track fixed version for two node-lodash issues fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11545,7 +11545,7 @@ CVE-2021-23339 (This affects all versions before 
10.1.14 and from 10.2.0 to 10.2
 CVE-2021-23338 (This affects all versions of package qlib. The workflow 
function in cl ...)
NOT-FOR-US: qlib
 CVE-2021-23337 (All versions of package lodash; all versions of package 
org.fujion.web ...)
-   - node-lodash  (bug #985086)
+   - node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086)
[stretch] - node-lodash  (Nodejs in stretch not covered by 
security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724
 CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 
3.7.0 and be ...)
@@ -27120,7 +27120,7 @@ CVE-2020-28502 (This affects the package xmlhttprequest 
before 1.7.0; all versio
 CVE-2020-28501
RESERVED
 CVE-2020-28500 (All versions of package lodash; all versions of package 
org.fujion.web ...)
-   - node-lodash  (bug #985086)
+   - node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086)
[stretch] - node-lodash  (Nodejs in stretch not covered by 
security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
 CVE-2020-28499 (All versions of package merge are vulnerable to Prototype 
Pollution vi ...)
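Review bot: both node-lodash entries (CVE-2021-23337 in the previous hunk and CVE-2020-28500 here) now carry an unstable fixed version and a stretch annotation but no [buster] line; either buster does not ship node-lodash or a [buster] status line is missing, and since the same omission appears in both hunks it is worth confirming once and annotating both entries the same way.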



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64868c97fb126b1efb50a48c890abcf2b4384f6e



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a0a1db6f by Salvatore Bonaccorso at 2021-03-13T09:13:56+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20620,9 +20620,9 @@ CVE-2021-20020
 CVE-2021-20019
RESERVED
 CVE-2021-20018 (A post-authenticated vulnerability in SonicWall SMA100 allows 
an attac ...)
-   TODO: check
+   NOT-FOR-US: SonicWall
 CVE-2021-20017 (A post-authenticated command injection vulnerability in 
SonicWall SMA1 ...)
-   TODO: check
+   NOT-FOR-US: SonicWall
 CVE-2021-20016 (A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 
product a ...)
NOT-FOR-US: SonicWall
 CVE-2021-20015



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0a1db6fa35032ecf846136694d39d8a5d78f7b9



[Git][security-tracker-team/security-tracker][master] automatic update

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3487b7a0 by security tracker role at 2021-03-13T08:10:23+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,103 @@
+CVE-2021-28358
+   RESERVED
+CVE-2021-28357
+   RESERVED
+CVE-2021-28356
+   RESERVED
+CVE-2021-28355
+   RESERVED
+CVE-2021-28354
+   RESERVED
+CVE-2021-28353
+   RESERVED
+CVE-2021-28352
+   RESERVED
+CVE-2021-28351
+   RESERVED
+CVE-2021-28350
+   RESERVED
+CVE-2021-28349
+   RESERVED
+CVE-2021-28348
+   RESERVED
+CVE-2021-28347
+   RESERVED
+CVE-2021-28346
+   RESERVED
+CVE-2021-28345
+   RESERVED
+CVE-2021-28344
+   RESERVED
+CVE-2021-28343
+   RESERVED
+CVE-2021-28342
+   RESERVED
+CVE-2021-28341
+   RESERVED
+CVE-2021-28340
+   RESERVED
+CVE-2021-28339
+   RESERVED
+CVE-2021-28338
+   RESERVED
+CVE-2021-28337
+   RESERVED
+CVE-2021-28336
+   RESERVED
+CVE-2021-28335
+   RESERVED
+CVE-2021-28334
+   RESERVED
+CVE-2021-28333
+   RESERVED
+CVE-2021-28332
+   RESERVED
+CVE-2021-28331
+   RESERVED
+CVE-2021-28330
+   RESERVED
+CVE-2021-28329
+   RESERVED
+CVE-2021-28328
+   RESERVED
+CVE-2021-28327
+   RESERVED
+CVE-2021-28326
+   RESERVED
+CVE-2021-28325
+   RESERVED
+CVE-2021-28324
+   RESERVED
+CVE-2021-28323
+   RESERVED
+CVE-2021-28322
+   RESERVED
+CVE-2021-28321
+   RESERVED
+CVE-2021-28320
+   RESERVED
+CVE-2021-28319
+   RESERVED
+CVE-2021-28318
+   RESERVED
+CVE-2021-28317
+   RESERVED
+CVE-2021-28316
+   RESERVED
+CVE-2021-28315
+   RESERVED
+CVE-2021-28314
+   RESERVED
+CVE-2021-28313
+   RESERVED
+CVE-2021-28312
+   RESERVED
+CVE-2021-28311
+   RESERVED
+CVE-2021-28310
+   RESERVED
+CVE-2021-28309
+   RESERVED
 CVE-2021-28308 (An issue was discovered in the fltk crate before 0.15.3 for 
Rust. Ther ...)
TODO: check
 CVE-2021-28307 (An issue was discovered in the fltk crate before 0.15.3 for 
Rust. Ther ...)
@@ -304,10 +404,10 @@ CVE-2021-28164
RESERVED
 CVE-2021-28163
RESERVED
-CVE-2021-28162
-   RESERVED
-CVE-2021-28161
-   RESERVED
+CVE-2021-28162 (In Eclipse Theia versions up to and including 0.16.0, in the 
notificat ...)
+   TODO: check
+CVE-2021-28161 (In Eclipse Theia versions up to and including 1.8.0, in the 
debug cons ...)
+   TODO: check
 CVE-2021-28160
RESERVED
 CVE-2021-28159
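Review bot: CVE-2021-28162 and CVE-2021-28161 arrive from the automatic update as TODO: check, and the two descriptions cite different affected ranges of Eclipse Theia (up to and including 0.16.0 for the notification issue, up to and including 1.8.0 for the debug console issue), so the entries should be triaged separately rather than resolved by copying one line to the other.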
@@ -554,8 +654,8 @@ CVE-2021-28094
RESERVED
 CVE-2021-28093
RESERVED
-CVE-2021-28092
-   RESERVED
+CVE-2021-28092 (The is-svg package 2.1.0 through 4.2.1 for Node.js uses a 
regular expr ...)
+   TODO: check
 CVE-2021-3424
RESERVED
NOT-FOR-US: Keycloak
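Review bot: CVE-2021-28092 describes a regular-expression issue in the is-svg npm package, with the affected range given as 2.1.0 through 4.2.1; when the TODO: check is resolved, the work is to determine whether a node-is-svg source package exists in the archive and, if it does, which of its versions fall inside that range, since the description already bounds the affected versions.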
@@ -568,6 +668,7 @@ CVE-2021-28089
 CVE-2020-36256
RESERVED
 CVE-2021-21381 (Flatpak is a system for building, distributing, and running 
sandboxed  ...)
+   {DSA-4868-1}
- flatpak 1.10.1-4 (bug #984859)
[stretch] - flatpak  (Vulnerable code introduced later)
NOTE: https://github.com/flatpak/flatpak/issues/4146
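Review bot: the {DSA-4868-1} reference for CVE-2021-21381 is inserted directly under the description and above the '- flatpak 1.10.1-4 (bug #984859)' line, which is the position the tracker uses for advisory references, and the '[stretch] - flatpak (Vulnerable code introduced later)' annotation is left unchanged, so the DSA is attached only to the suites that carry the fixed version. No change needed.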
@@ -2317,8 +2418,8 @@ CVE-2021-27292
RESERVED
 CVE-2021-27291
RESERVED
-CVE-2021-27290
-   RESERVED
+CVE-2021-27290 (ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a 
regular expre ...)
+   TODO: check
 CVE-2021-27289
RESERVED
 CVE-2021-27288
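Review bot: CVE-2021-27290 is another regular-expression issue in an npm package (ssri 5.2.2-8.0.0, fixed in 8.0.1) arriving as TODO: check, the same class of issue as the is-svg entry earlier in this update; triage should check for a node-ssri package in the archive and compare its version against the fixed 8.0.1 stated in the description.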
@@ -15311,8 +15412,8 @@ CVE-2021-21520
RESERVED
 CVE-2021-21519
RESERVED
-CVE-2021-21518
-   RESERVED
+CVE-2021-21518 (Dell SupportAssist Client for Consumer PCs versions 3.7.x, 
3.6.x, 3.4. ...)
+   TODO: check
 CVE-2021-21517 (SRS Policy Manager 6.X is affected by an XML External Entity 
Injection ...)
NOT-FOR-US: SRS Policy Manager
 CVE-2021-21516
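Review bot: CVE-2021-21518 concerns Dell SupportAssist Client for Consumer PCs, vendor software for Dell consumer machines rather than anything packaged in Debian, so the TODO: check left here should most likely be resolved the same way as the neighbouring CVE-2021-21517 (NOT-FOR-US: SRS Policy Manager), for example as 'NOT-FOR-US: Dell SupportAssist'.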
@@ -19496,7 +19597,7 @@ CVE-2021-20271
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1934125
 CVE-2021-20270
RESERVED
-   {DLA-2590-1}
+   {DSA-4870-1 DLA-2590-1}
- pygments 2.7.1+dfsg-2 (bug #984664)
NOTE: https://github.com/pygments/pygments/issues/1625
NOTE: 
https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333
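Review bot: the advisory reference for CVE-2021-20270 becomes {DSA-4870-1 DLA-2590-1} while the entry itself still carries RESERVED in place of a description; that is expected until the CVE text is published and the automatic update fills it in, and the package line '- pygments 2.7.1+dfsg-2 (bug #984664)' already records the fixed version the DSA refers to. The 'NOTE:' line with the pygments commit URL is broken across two lines only by the mail wrapping and is a single line in data/CVE/list.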
@@ -20233,11 +20334,13 @@ CVE-2020-35526
 CVE-2020-35525
RESERVED
 CVE-2020-35524 (A heap-based buffer overflow flaw was found in libtiff in the 
handling ...)
+   {DSA-4869-1}
- tiff 4.1.0+git201212-1
[stretch] - tiff  (can be fixed along in next DLA)
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/7be2e452ddcf6d7abca88f41d3761e6edab72b22
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/159
 CVE-2020-35523 (An integer overflow flaw was found in libtiff that exists in 
the tif_g ...)
+   {DSA-4869-1}
- tiff 4.1.0+git201212-1
[stretch] - tiff  (can be fixed along in 
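Review bot: {DSA-4869-1} is added to both CVE-2020-35524 and CVE-2020-35523, each keeping its '[stretch] - tiff (can be fixed along in next DLA)' annotation, so the DSA covers the suites with tiff 4.1.0+git201212-1 while stretch waits for a DLA. Note also that this archived copy of the diff ends mid-line at 'can be fixed along in', so the rest of the automatic update hunk and the message footer are not present here.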

[Git][security-tracker-team/security-tracker][master] Mark CVE-20218-20871/gridengine as not-affected

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4c39065 by Salvatore Bonaccorso at 2021-03-13T09:03:41+01:00
Mark CVE-20218-20871/gridengine as not-affected

The docker mode feature is specific to the Univa Grid Engine and so
affected code is not present in the SGE fork used in Debian.

Closes 
https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/7
Thanks:  Wouter Verhelst

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -114479,7 +114479,7 @@ CVE-2019-14439 (A Polymorphic Typing issue was 
discovered in FasterXML jackson-d
NOTE: https://github.com/FasterXML/jackson-databind/issues/2389
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
 CVE-2018-20871 (In Univa Grid Engine before 8.6.3, when configured for Docker 
jobs and ...)
-   - gridengine 
+   - gridengine  (Vulnerable code specific to Univa Grid 
Engine fork)
 CVE-2015-9290 (In FreeType before 2.6.1, a buffer over-read occurs in 
type1/t1parse.c ...)
{DLA-1887-1}
- freetype 2.6.1-0.1
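Review bot: the commit subject and message say CVE-20218-20871 while the entry being changed is CVE-2018-20871; the data line is right, but the typo in the commit message means a search of the history for the CVE id will not find this commit, so it is worth correcting in a follow-up. The annotation '(Vulnerable code specific to Univa Grid Engine fork)' matches the stated reasoning that the Docker mode feature exists only in Univa Grid Engine and not in the SGE fork Debian ships. The state keyword between '- gridengine' and the parenthesised reason has been dropped by the archive rendering of both the old and the new line, so the actual tag cannot be verified from this copy.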



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4c3906504add4eca52fa92dd0f6191f75e5bae3
