[Git][security-tracker-team/security-tracker][master] Add note for courier-authlib issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 91b7d629 by Salvatore Bonaccorso at 2021-03-14T08:04:04+01:00 Add note for courier-authlib issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -573,6 +573,8 @@ CVE-2021-28109 RESERVED CVE-2021- [world-readable user data information] - courier-authlib 0.71.1-2 (bug #984810) + NOTE: Re-introduction of #378571 while migrating from debian/permissions to + NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2. CVE-2021-3426 RESERVED - python3.9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91b7d629a7739379394bfc8a354b5e97a2fc706f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91b7d629a7739379394bfc8a354b5e97a2fc706f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
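Review bot: the new NOTE pins the regression to 0.66.4-2 (the move from debian/permissions to debian/courier-authdaemon.tmpfiles) but the entry still has no [buster]/[stretch] status lines, so the tracker cannot say which stable suites ship the regressed packaging; add those once the suite versions have been checked, and consider a second NOTE naming the path the tmpfiles entry makes world-readable, since "[world-readable user data information]" is all the placeholder header says.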
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e54e9076 by Salvatore Bonaccorso at 2021-03-13T21:26:46+01:00 Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -97998,6 +97998,9 @@ CVE-2019-18790 (An issue was discovered in channels/chan_sip.c in Sangoma Asteri [stretch] - asterisk (Minor issue) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28589 + NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of CVE-2019-18351, both + NOTE: referring to AST-2019-006. The upstream advisory never used though CVE-2019-18351, but + NOTE: only referenced CVE-2019-18790. CVE-2019-18789 RESERVED CVE-2019-18788 
@@ -101477,7 +101480,11 @@ CVE-2019-18353 CVE-2019-18352 (Improper access control exists on PHOENIX CONTACT FL NAT 2208 devices ...) NOT-FOR-US: PHOENIX CONTACT FL NAT 2208 devices CVE-2019-18351 (An issue was discovered in channels/chan_sip.c in Sangoma Asterisk thr ...) - TODO: check + NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html + NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of CVE-2019-18351, both + NOTE: referring to AST-2019-006. The upstream advisory never used though CVE-2019-18351, but + NOTE: only referenced CVE-2019-18790. CVE-2019-18351 only got picked up later on. + TODO: check with MITRE if CVE-2019-18351 simply should be dropped CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET ...) NOT-FOR-US: Ant Design Pro CVE-2019-18349 (HotkeyP through 4.9 r96 allows privilege escalation in the privilege f ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e54e90769e80057ca5469ac296d0f38d58207011
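Review bot: the CVE-2019-18351 entry now carries the same explanatory NOTEs as CVE-2019-18790 but still no "- asterisk" package line, so until MITRE answers the TODO the tracker shows no Debian status at all for it; if 18351 is the incomplete-fix predecessor of 18790, the entry should at least mirror the "[stretch] - asterisk (Minor issue)" line that 18790 has, or be marked explicitly as a duplicate of 18790 so it does not linger as an open item.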
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cab840ef by Salvatore Bonaccorso at 2021-03-13T21:17:26+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15421,7 +15421,7 @@ CVE-2021-21520 CVE-2021-21519 RESERVED CVE-2021-21518 (Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4. ...) - TODO: check + NOT-FOR-US: Dell SupportAssist Client for Consumer PCs CVE-2021-21517 (SRS Policy Manager 6.X is affected by an XML External Entity Injection ...) NOT-FOR-US: SRS Policy Manager CVE-2021-21516 @@ -16694,7 +16694,7 @@ CVE-2020-35684 CVE-2020-35683 RESERVED CVE-2020-35682 (Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authenticati ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2020-35681 (Django Channels 3.x before 3.0.3 allows remote attackers to obtain sen ...) - python-django-channels 3.0.3-1 (bug #979376) [buster] - python-django-channels (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cab840ef112831a0f1ba4da7bcd2e7e6aaf1f168
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a7b9502 by security tracker role at 2021-03-13T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2021-28361 (An issue was discovered in Storage Performance Development Kit (SPDK) ...) + TODO: check +CVE-2021-28360 + RESERVED +CVE-2021-28359 + RESERVED CVE-2021-28358 RESERVED CVE-2021-28357 @@ -10538,7 +10544,7 @@ CVE-2021-3115 (Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerab NOTE: explicitly in PATH and running 'go get' outside of a module or with module NOTE: mode disabled. CVE-2021-3114 (In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go ...) - {DSA-4848-1} + {DSA-4848-1 DLA-2592-1 DLA-2591-1} - golang-1.15 1.15.7-1 - golang-1.11 - golang-1.8 @@ -16687,8 +16693,8 @@ CVE-2020-35684 RESERVED CVE-2020-35683 RESERVED -CVE-2020-35682 - RESERVED +CVE-2020-35682 (Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authenticati ...) + TODO: check CVE-2020-35681 (Django Channels 3.x before 3.0.3 allows remote attackers to obtain sen ...) - python-django-channels 3.0.3-1 (bug #979376) [buster] - python-django-channels (Minor issue) @@ -104240,7 +104246,7 @@ CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using use NOTE: https://snyk.io/vuln/SNYK-RUBY-HAML-20362 NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to ...) - {DSA-4551-1} + {DSA-4551-1 DLA-2592-1 DLA-2591-1} - golang-1.13 1.13.3-1 (bug #942628) - golang-1.12 1.12.12-1 (bug #942629) - golang-1.11 
@@ -108006,7 +108012,7 @@ CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dis NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=02ddd49885c6a09e936a76aceb726ed06539704a CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smugglin ...) - {DSA-4534-1} + {DSA-4534-1 DLA-2592-1 DLA-2591-1} - golang-1.13 1.13.1-1 - golang-1.12 1.12.10-1 (bug #941173) - golang-1.11 @@ -129746,7 +129752,7 @@ CVE-2019-9743 (An issue was discovered on PHOENIX CONTACT RAD-80211-XD and RAD-8 CVE-2019-9742 (gdwfpcd.sys in G Data Total Security before 2019-02-22 allows an attac ...) NOT-FOR-US: G Data Total Security CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection is po ...) - {DLA-1749-1} + {DLA-2592-1 DLA-2591-1 DLA-1749-1} - golang-1.12 1.12-1 - golang-1.11 1.11.6-1 (bug #924630) - golang-1.8 @@ -163552,6 +163558,7 @@ CVE-2018-16875 (The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1. NOTE: https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25 (1.11.3) NOTE: https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d (1.10.6) CVE-2018-16874 (In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is ...) + {DLA-2592-1 DLA-2591-1} - golang-1.11 1.11.3-1 - golang-1.10 1.10.6-1 - golang-1.8 @@ -163559,6 +163566,7 @@ CVE-2018-16874 (In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" comma NOTE: https://github.com/golang/go/issues/29231 NOTE: See CVE-2018-16873 for patches and regression fix CVE-2018-16873 (In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is ...) + {DLA-2592-1 DLA-2591-1} - golang-1.11 1.11.3-1 - golang-1.10 1.10.6-1 - golang-1.8 
@@ -217601,7 +217609,7 @@ CVE-2017-15042 (An unintended cleartext issue exists in Go before 1.8.4 and 1.9. NOTE: https://golang.org/cl/68210 NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command ...) - {DLA-1148-1} + {DLA-2592-1 DLA-2591-1 DLA-1148-1} - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 - golang-1.7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a7b9502eb7bc07f29dec21abd912fda5b01ffc2
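Review bot: the CVE-2018-16873 and CVE-2018-16874 hunks add {DLA-2592-1 DLA-2591-1} to entries that previously carried no DSA/DLA reference at all, while the "- golang-1.8" and "- golang-1.7" lines beneath them still show no fixed version; the automatic update only cross-references data/DLA/list, so confirm that any [stretch] postponement lines on these two entries and on CVE-2021-3114 were dropped by hand, as the "Reserve DLA-2591-1 for golang-1.7" commit did for the other four CVEs in the same DLAs.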
[Git][security-tracker-team/security-tracker][master] Add tracking bug for CVE-2021-21300/git
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 034c0201 by Salvatore Bonaccorso at 2021-03-13T20:43:10+01:00 Add tracking bug for CVE-2021-21300/git - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17132,7 +17132,7 @@ CVE-2021-21302 (PrestaShop is a fully scalable open source e-commerce solution. CVE-2021-21301 (Wire is an open-source collaboration platform. In Wire for iOS (iPhone ...) NOT-FOR-US: Wire CVE-2021-21300 (Git is an open-source distributed revision control system. In affected ...) - - git 1:2.30.2-1 + - git 1:2.30.2-1 (bug #985120) [buster] - git (Minor issue) [stretch] - git (Minor issue) NOTE: https://lore.kernel.org/git/xmqqim6019yd@gitster.c.googlers.com/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/034c02016412208c281cdda5b82f7a312d9c3a1a
[Git][security-tracker-team/security-tracker][master] dla: claim glib2.0
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cc5612c by Sylvain Beucler at 2021-03-13T20:11:00+01:00 dla: claim glib2.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,7 +41,7 @@ dnsmasq firmware-nonfree NOTE: 20201207: wait for the update in buster and backport that (Emilio) -- -glib2.0 +glib2.0 (Sylvain Beucler) -- golang-github-appc-cni (Thorsten Alteholz) NOTE: 20210221: also taking care of reverse dependencies View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cc5612c13ca0fc76a129c4561fdcbb0192240b3
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2593-1 for ca-certificates
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 763e735d by Utkarsh Gupta at 2021-03-14T00:18:31+05:30 Reserve DLA-2593-1 for ca-certificates - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[14 Mar 2021] DLA-2593-1 ca-certificates - whitelist Symantec CA + [stretch] - ca-certificates 20200601~deb9u2 [13 Mar 2021] DLA-2592-1 golang-1.8 - security update {CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741 CVE-2019-16276 CVE-2019-17596 CVE-2021-3114} [stretch] - golang-1.8 1.8.1-1+deb9u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/763e735d057dda78ff41043c54666abf76df8648
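Review bot: the one-line description "whitelist Symantec CA" does not say whether this restores trust in Symantec roots that an earlier ca-certificates update had removed, or something narrower; a change to the stretch trust store affects every TLS client that validates against /etc/ssl/certs, so the DLA text should name the root(s) being (re)enabled and the reason. Omitting the {CVE-...} line is consistent with how the list records non-CVE updates, so nothing to change there.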
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DLA-2591-1 for golang-1.7
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 537bcfc7 by Sylvain Beucler at 2021-03-13T19:10:17+01:00 Reserve DLA-2591-1 for golang-1.7 - - - - - 9dce6244 by Sylvain Beucler at 2021-03-13T19:12:24+01:00 Reserve DLA-2592-1 for golang-1.8 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -104245,9 +104245,7 @@ CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an atte - golang-1.12 1.12.12-1 (bug #942629) - golang-1.11 - golang-1.8 - [stretch] - golang-1.8 (Minor issue) - golang-1.7 - [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) NOTE: https://golang.org/issue/34960 @@ -108013,9 +108011,7 @@ CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Sm - golang-1.12 1.12.10-1 (bug #941173) - golang-1.11 - golang-1.8 - [stretch] - golang-1.8 (Minor issue) - golang-1.7 - [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) NOTE: https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q @@ -129754,9 +129750,7 @@ CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection - golang-1.12 1.12-1 - golang-1.11 1.11.6-1 (bug #924630) - golang-1.8 - [stretch] - golang-1.8 (Minor issue) - golang-1.7 - [stretch] - golang-1.7 (Minor issue) - golang NOTE: https://github.com/golang/go/issues/30794 NOTE: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9 @@ -217610,9 +217604,7 @@ CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote co {DLA-1148-1} - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 - [stretch] - golang-1.8 (Minor issue) - golang-1.7 - [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) NOTE: https://go.googlesource.com/go/+/a4544a0f8af001d1fb6df0e70750f570ec49ccf9%5E%21/ = data/DLA/list = 
@@ -1,3 +1,9 @@ +[13 Mar 2021] DLA-2592-1 golang-1.8 - security update + {CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741 CVE-2019-16276 CVE-2019-17596 CVE-2021-3114} + [stretch] - golang-1.8 1.8.1-1+deb9u3 +[13 Mar 2021] DLA-2591-1 golang-1.7 - security update + {CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741 CVE-2019-16276 CVE-2019-17596 CVE-2021-3114} + [stretch] - golang-1.7 1.7.4-2+deb9u3 [12 Mar 2021] DLA-2590-1 pygments - security update {CVE-2021-20270} [stretch] - pygments 2.2.0+dfsg-1+deb9u1 = data/dla-needed.txt = @@ -43,14 +43,6 @@ firmware-nonfree -- glib2.0 -- -golang-1.7 (Sylvain Beucler) - NOTE: 20200308: triaged missing CVEs and DebianN->DebianN+1 regressions - NOTE: 20200308: documented test suite and reverse build dependencies - NOTE: 20200308: triaging, fixing and testing remaining CVEs --- -golang-1.8 (Sylvain Beucler) - NOTE: 20200308: cf. golang-1.7 --- golang-github-appc-cni (Thorsten Alteholz) NOTE: 20210221: also taking care of reverse dependencies NOTE: 20210221: also taking care of other suites View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2bafb7740b6609982a37b656fcf9b57326aefb48...9dce624492092b3dcb39aae7a259a58232a6c24e
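Review bot: both new DLA entries list seven CVEs, but the data/CVE/list hunks in this commit drop the "[stretch] - golang-1.7/1.8 (Minor issue)" postponement lines for only four of them (CVE-2017-15041, CVE-2019-9741, CVE-2019-16276, CVE-2019-17596); CVE-2018-16873, CVE-2018-16874 and CVE-2021-3114 are not touched, so check whether those entries carried the same postponement lines and need the same removal, otherwise the tracker keeps showing them as postponed in stretch until the advisory cross-reference catches up.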
[Git][security-tracker-team/security-tracker][master] rust-arch-swap, rust-smallvec fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bafb774 by Moritz Muehlenhoff at 2021-03-13T18:01:23+01:00 rust-arch-swap, rust-smallvec fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10360,7 +10360,7 @@ CVE-2021-23898 CVE-2021-23897 RESERVED CVE-2021-25900 (An issue was discovered in the smallvec crate before 0.6.14 and 1.x be ...) - - rust-smallvec (bug #984665) + - rust-smallvec 1.4.2-2 (bug #984665) NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0003.html NOTE: https://github.com/servo/rust-smallvec/issues/252 CVE-2021-3127 @@ -16620,7 +16620,7 @@ CVE-2020-35710 (Parallels Remote Application Server (RAS) 18 allows remote attac CVE-2020-35709 (bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files (with ...) NOT-FOR-US: bloofoxCMS CVE-2020-35711 (An issue has been discovered in the arc-swap crate before 0.4.8 (and 1 ...) - - rust-arc-swap (bug #985090) + - rust-arc-swap 0.4.8-1 (bug #985090) [buster] - rust-arc-swap (Minor issue) NOTE: https://github.com/vorner/arc-swap/issues/45 NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0091.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bafb7740b6609982a37b656fcf9b57326aefb48
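Review bot: rust-smallvec 1.4.2-2 is a Debian revision bump on an upstream 1.4.2, whereas the description says 0.6.x is affected before 0.6.14 and gives a 1.x threshold that the truncated text cuts off; that means the fix is a patch carried in the Debian revision, so add a NOTE naming the backported upstream commit (the issue link alone does not identify it), otherwise a later audit comparing against the upstream version range will flag 1.4.2 as still vulnerable.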
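Review bot: in the arc-swap hunk, CVE-2020-35711 sits below CVE-2020-35709 although the surrounding context (CVE-2020-35710, then CVE-2020-35709) shows the file is kept in descending CVE order; not introduced by this commit, but worth moving the entry while it is being touched. The fixed version 0.4.8-1 does line up with the "before 0.4.8" threshold in the description, so no backport NOTE is needed there.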
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for explicitly reported #985142
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf56d1f5 by Salvatore Bonaccorso at 2021-03-13T16:45:59+01:00 Add Debian bug reference for explicitly reported #985142 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17409,7 +17409,7 @@ CVE-2021-21194 RESERVED CVE-2021-21193 RESERVED - - chromium + - chromium (bug #985142) [stretch] - chromium (see DSA 4562) CVE-2021-21192 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf56d1f5ec59371de28675c13e6e9a080eb7b6d1
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-27576 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d99d54e by Salvatore Bonaccorso at 2021-03-13T13:34:39+01:00 Add CVE-2021-27576 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1788,6 +1788,7 @@ CVE-2021-27577 RESERVED CVE-2021-27576 RESERVED + NOT-FOR-US: Apache OpenMeetings CVE-2021-27575 RESERVED CVE-2021-27574 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d99d54e543a064748c11dfe2c8a88ae2484efe7
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-28041/openssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 05820c94 by Salvatore Bonaccorso at 2021-03-13T13:15:56+01:00 Track fixed version via unstable for CVE-2021-28041/openssh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -772,7 +772,7 @@ CVE-2021-28042 (Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directo CVE-2021-3423 RESERVED CVE-2021-28041 (ssh-agent in OpenSSH before 8.5 has a double free that may be relevant ...) - - openssh (bug #984940) + - openssh 1:8.4p1-5 (bug #984940) [buster] - openssh (Vulnerable code introduced later) [stretch] - openssh (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2021/03/03/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05820c94b2e383a0c742cdd5cf8cc6436957cbf2
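Review bot: 1:8.4p1-5 is below the "before 8.5" threshold in the description, so this is a Debian backport rather than the upstream release; the openssh-portable commit already recorded in the entry's NOTEs (e04fd6dde16de1cdc5a4d9946397ff60d96568db, added in the earlier commit on the same entry) is the justification, and tagging it with the release it landed in, the way the url-parse entry tags its commit "(1.5.0)", would make that explicit for anyone reading "before 8.5" at face value.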
[Git][security-tracker-team/security-tracker][master] Add additionally (more isolated) OpenBSD patch reference for CVE-2021-28041
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ae973ff by Salvatore Bonaccorso at 2021-03-13T11:21:53+01:00 Add additionally (more isolated) OpenBSD patch reference for CVE-2021-28041 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -777,6 +777,7 @@ CVE-2021-28041 (ssh-agent in OpenSSH before 8.5 has a double free that may be re [stretch] - openssh (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2021/03/03/1 NOTE: https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db + NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig CVE-2021-28040 (An issue was discovered in OSSEC 3.6.0. An uncontrolled recursion vuln ...) - ossec-hids (bug #361954) CVE-2021-28037 (An issue was discovered in the internment crate before 0.4.2 for Rust. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae973ff71bee16adfa8b034c64920a3864b401d
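Review bot: the new reference is a signify-signed patch bundle (.patch.sig), not a plain diff; extracting the change requires the 6.8 base key (signify -Vep /etc/signify/openbsd-68-base.pub -x 015_sshagent.patch.sig -m -), and the diff inside is against the OpenBSD source tree rather than openssh-portable, so it serves as an independent cross-check of the portable commit already noted, not as something to apply to the Debian package directly.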
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-27515/node-url-parse
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 226ce3f1 by Salvatore Bonaccorso at 2021-03-13T11:19:15+01:00 Track fixed version for CVE-2021-27515/node-url-parse - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1911,7 +1911,7 @@ CVE-2021-27517 CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash ...) NOT-FOR-US: urijs CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash such as ht ...) - - node-url-parse (bug #985110) + - node-url-parse 1.5.1-1 (bug #985110) [stretch] - node-url-parse (Minor issue) NOTE: https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0 (1.5.0) NOTE: https://github.com/unshiftio/url-parse/pull/197 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/226ce3f172000b8115bbde5b7966b28e2dbe5b24
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-23341/node-prismjs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb18e249 by Salvatore Bonaccorso at 2021-03-13T11:18:22+01:00 Track fixed version for CVE-2021-23341/node-prismjs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11534,7 +11534,7 @@ CVE-2021-23343 CVE-2021-23342 (This affects the package docsify before 4.12.0. It is possible to bypa ...) NOT-FOR-US: docsify CVE-2021-23341 (The package prismjs before 1.23.0 are vulnerable to Regular Expression ...) - - node-prismjs (bug #985109) + - node-prismjs 1.23.0+dfsg-1 (bug #985109) NOTE: https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609 (v1.23.0) NOTE: https://github.com/PrismJS/prism/pull/2584 NOTE: https://github.com/PrismJS/prism/issues/2583 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb18e2498eb295f2b7fc69b34b5a067463704dbc
[Git][security-tracker-team/security-tracker][master] Track fixed version for two node-lodash issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64868c97 by Salvatore Bonaccorso at 2021-03-13T11:17:25+01:00 Track fixed version for two node-lodash issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11545,7 +11545,7 @@ CVE-2021-23339 (This affects all versions before 10.1.14 and from 10.2.0 to 10.2 CVE-2021-23338 (This affects all versions of package qlib. The workflow function in cl ...) NOT-FOR-US: qlib CVE-2021-23337 (All versions of package lodash; all versions of package org.fujion.web ...) - - node-lodash (bug #985086) + - node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086) [stretch] - node-lodash (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724 CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...) @@ -27120,7 +27120,7 @@ CVE-2020-28502 (This affects the package xmlhttprequest before 1.7.0; all versio CVE-2020-28501 RESERVED CVE-2020-28500 (All versions of package lodash; all versions of package org.fujion.web ...) - - node-lodash (bug #985086) + - node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086) [stretch] - node-lodash (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905 CVE-2020-28499 (All versions of package merge are vulnerable to Prototype Pollution vi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64868c97fb126b1efb50a48c890abcf2b4384f6e
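Review bot: both lodash entries get the unstable fixed version and a [stretch] no-support line, but neither shows a [buster] line in the visible context; if node-lodash is shipped in buster, each entry needs a buster status (fixed version, "Minor issue", or a postponement), otherwise the tracker reports buster as vulnerable by default for both CVEs. The one bug number (#985086) covering two CVEs is fine as long as the bug itself lists both.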
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0a1db6f by Salvatore Bonaccorso at 2021-03-13T09:13:56+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20620,9 +20620,9 @@ CVE-2021-20020 CVE-2021-20019 RESERVED CVE-2021-20018 (A post-authenticated vulnerability in SonicWall SMA100 allows an attac ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2021-20017 (A post-authenticated command injection vulnerability in SonicWall SMA1 ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2021-20016 (A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product a ...) NOT-FOR-US: SonicWall CVE-2021-20015 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0a1db6fa35032ecf846136694d39d8a5d78f7b9
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3487b7a0 by security tracker role at 2021-03-13T08:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,103 @@ +CVE-2021-28358 + RESERVED +CVE-2021-28357 + RESERVED +CVE-2021-28356 + RESERVED +CVE-2021-28355 + RESERVED +CVE-2021-28354 + RESERVED +CVE-2021-28353 + RESERVED +CVE-2021-28352 + RESERVED +CVE-2021-28351 + RESERVED +CVE-2021-28350 + RESERVED +CVE-2021-28349 + RESERVED +CVE-2021-28348 + RESERVED +CVE-2021-28347 + RESERVED +CVE-2021-28346 + RESERVED +CVE-2021-28345 + RESERVED +CVE-2021-28344 + RESERVED +CVE-2021-28343 + RESERVED +CVE-2021-28342 + RESERVED +CVE-2021-28341 + RESERVED +CVE-2021-28340 + RESERVED +CVE-2021-28339 + RESERVED +CVE-2021-28338 + RESERVED +CVE-2021-28337 + RESERVED +CVE-2021-28336 + RESERVED +CVE-2021-28335 + RESERVED +CVE-2021-28334 + RESERVED +CVE-2021-28333 + RESERVED +CVE-2021-28332 + RESERVED +CVE-2021-28331 + RESERVED +CVE-2021-28330 + RESERVED +CVE-2021-28329 + RESERVED +CVE-2021-28328 + RESERVED +CVE-2021-28327 + RESERVED +CVE-2021-28326 + RESERVED +CVE-2021-28325 + RESERVED +CVE-2021-28324 + RESERVED +CVE-2021-28323 + RESERVED +CVE-2021-28322 + RESERVED +CVE-2021-28321 + RESERVED +CVE-2021-28320 + RESERVED +CVE-2021-28319 + RESERVED +CVE-2021-28318 + RESERVED +CVE-2021-28317 + RESERVED +CVE-2021-28316 + RESERVED +CVE-2021-28315 + RESERVED +CVE-2021-28314 + RESERVED +CVE-2021-28313 + RESERVED +CVE-2021-28312 + RESERVED +CVE-2021-28311 + RESERVED +CVE-2021-28310 + RESERVED +CVE-2021-28309 + RESERVED CVE-2021-28308 (An issue was discovered in the fltk crate before 0.15.3 for Rust. Ther ...) TODO: check CVE-2021-28307 (An issue was discovered in the fltk crate before 0.15.3 for Rust. Ther ...) 
@@ -304,10 +404,10 @@ CVE-2021-28164 RESERVED CVE-2021-28163 RESERVED -CVE-2021-28162 - RESERVED -CVE-2021-28161 - RESERVED +CVE-2021-28162 (In Eclipse Theia versions up to and including 0.16.0, in the notificat ...) + TODO: check +CVE-2021-28161 (In Eclipse Theia versions up to and including 1.8.0, in the debug cons ...) + TODO: check CVE-2021-28160 RESERVED CVE-2021-28159 @@ -554,8 +654,8 @@ CVE-2021-28094 RESERVED CVE-2021-28093 RESERVED -CVE-2021-28092 - RESERVED +CVE-2021-28092 (The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expr ...) + TODO: check CVE-2021-3424 RESERVED NOT-FOR-US: Keycloak @@ -568,6 +668,7 @@ CVE-2021-28089 CVE-2020-36256 RESERVED CVE-2021-21381 (Flatpak is a system for building, distributing, and running sandboxed ...) + {DSA-4868-1} - flatpak 1.10.1-4 (bug #984859) [stretch] - flatpak (Vulnerable code introduced later) NOTE: https://github.com/flatpak/flatpak/issues/4146 @@ -2317,8 +2418,8 @@ CVE-2021-27292 RESERVED CVE-2021-27291 RESERVED -CVE-2021-27290 - RESERVED +CVE-2021-27290 (ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expre ...) + TODO: check CVE-2021-27289 RESERVED CVE-2021-27288 @@ -15311,8 +15412,8 @@ CVE-2021-21520 RESERVED CVE-2021-21519 RESERVED -CVE-2021-21518 - RESERVED +CVE-2021-21518 (Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4. ...) + TODO: check CVE-2021-21517 (SRS Policy Manager 6.X is affected by an XML External Entity Injection ...) NOT-FOR-US: SRS Policy Manager CVE-2021-21516 @@ -19496,7 +19597,7 @@ CVE-2021-20271 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1934125 CVE-2021-20270 RESERVED - {DLA-2590-1} + {DSA-4870-1 DLA-2590-1} - pygments 2.7.1+dfsg-2 (bug #984664) NOTE: https://github.com/pygments/pygments/issues/1625 NOTE: https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333 
@@ -20233,11 +20334,13 @@ CVE-2020-35526 CVE-2020-35525 RESERVED CVE-2020-35524 (A heap-based buffer overflow flaw was found in libtiff in the handling ...) + {DSA-4869-1} - tiff 4.1.0+git201212-1 [stretch] - tiff (can be fixed along in next DLA) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/7be2e452ddcf6d7abca88f41d3761e6edab72b22 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/159 CVE-2020-35523 (An integer overflow flaw was found in libtiff that exists in the tif_g ...) + {DSA-4869-1} - tiff 4.1.0+git201212-1 [stretch] - tiff (can be fixed along in
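Review bot: in the hunk at @@ -15311,8 +15412,8 @@ the new CVE-2021-21518 entry ("Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4. ...") is left at TODO: check, while the neighbouring CVE-2021-21517 entry for SRS Policy Manager already carries a NOT-FOR-US marker; the description names a proprietary vendor client, so when this TODO is resolved the same NOT-FOR-US treatment is the likely outcome and the resolution should state the product name as the other entry does (e.g. "NOT-FOR-US: Dell SupportAssist"). The hunks at @@ -554,8 +654,8 @@ (is-svg, "uses a regular expr ...") and @@ -2317,8 +2418,8 @@ (ssri, "processes SRIs using a regular expre ...") both describe regular-expression handling in Node.js packages and are also at TODO: check; resolving them needs a check of whether corresponding source packages exist in the archive before either a package line or a NOT-FOR-US marker is added, since neither hunk records that yet.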
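Review bot: the final hunk at @@ -20233,11 +20334,13 @@ is cut off in this notification after the second libtiff entry ("[stretch] - tiff (can be fixed along in"), so the last two of the thirteen lines the header announces cannot be reviewed here; what is visible is consistent, with {DSA-4869-1} added to both CVE-2020-35524 and CVE-2020-35523 above the existing "tiff 4.1.0+git201212-1" package line and the stretch annotation left untouched, matching the way {DSA-4870-1 DLA-2590-1} was merged into the existing DLA marker for CVE-2021-20270 earlier in the same commit.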
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-20871/gridengine as not-affected
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d4c39065 by Salvatore Bonaccorso at 2021-03-13T09:03:41+01:00 Mark CVE-2018-20871/gridengine as not-affected The docker mode feature is specific to the Univa Grid Engine and so affected code is not present in the SGE fork used in Debian. Closes https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/7 Thanks: Wouter Verhelst - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -114479,7 +114479,7 @@ CVE-2019-14439 (A Polymorphic Typing issue was discovered in FasterXML jackson-d NOTE: https://github.com/FasterXML/jackson-databind/issues/2389 NOTE: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b CVE-2018-20871 (In Univa Grid Engine before 8.6.3, when configured for Docker jobs and ...) - - gridengine + - gridengine (Vulnerable code specific to Univa Grid Engine fork) CVE-2015-9290 (In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c ...) {DLA-1887-1} - freetype 2.6.1-0.1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4c3906504add4eca52fa92dd0f6191f75e5bae3
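Review bot: the reasoning that justifies "- gridengine (Vulnerable code specific to Univa Grid Engine fork)" lives only in the commit message (the Docker job mode is a Univa feature absent from the SGE fork Debian ships, per salsa issue 7), so a reader of data/CVE/list cannot see why the package is not-affected; add a NOTE line under the CVE-2018-20871 entry pointing at the issue, e.g. "NOTE: https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/7", the way the neighbouring CVE-2019-14439 entry links its upstream references. The commit summary also reads "CVE-20218-20871" in the original, which does not match the CVE-2018-20871 entry the hunk edits and would defeat a search of the log by CVE id.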