[Git][security-tracker-team/security-tracker][master] CVE-2021-26920/druid
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 36eba64a by Henri Salo at 2021-07-02T08:59:34+03:00 CVE-2021-26920/druid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21685,6 +21685,7 @@ CVE-2021-26921 (In util/session/sessionmanager.go in Argo CD before 1.8.4, token NOT-FOR-US: Argo CD CVE-2021-26920 RESERVED + - druid (bug #825797) CVE-2021-26919 (Apache Druid allows users to read data from other database systems usi ...) - druid (bug #825797) CVE-2021-26918 (** DISPUTED ** The ProBot bot through 2021-02-08 for Discord might all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36eba64ae238fb4e7cf15389a424a20f053d8b9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36eba64ae238fb4e7cf15389a424a20f053d8b9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 588b8f4e by Moritz Muehlenhoff at 2021-07-01T23:06:02+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1685,9 +1685,9 @@ CVE-2021-35339 CVE-2021-35338 RESERVED CVE-2021-35337 (Sourcecodester Phone Shop Sales Managements System 1.0 is vulnerable t ...) - TODO: check + NOT-FOR-US: Sourcecodester Phone Shop Sales Managements System CVE-2021-35336 (Tieline IP Audio Gateway 2.6.4.8 and below is affected by Incorrect Ac ...) - TODO: check + NOT-FOR-US: Tieline IP Audio Gateway CVE-2021-35335 RESERVED CVE-2021-35334 @@ -7532,11 +7532,11 @@ CVE-2021-32733 CVE-2021-32732 RESERVED CVE-2021-32731 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2021-32730 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2021-32729 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2021-32728 RESERVED CVE-2021-32727 @@ -9874,7 +9874,7 @@ CVE-2021-31815 (GAEN (aka Google/Apple Exposure Notifications) through 2021-04-2 CVE-2021-31814 RESERVED CVE-2021-31813 (Zoho ManageEngine Applications Manager before 15130 is vulnerable to S ...) - TODO: check + NOT-FOR-US: Zoho CVE-2021-31812 (In Apache PDFBox, a carefully crafted PDF file can trigger an infinite ...) - libpdfbox2-java - libpdfbox-java @@ -18104,9 +18104,9 @@ CVE-2021-28426 CVE-2021-28425 RESERVED CVE-2021-28424 (A stored cross-site scripting (XSS) vulnerability in Teachers Record M ...) - TODO: check + NOT-FOR-US: Teachers Record Management CVE-2021-28423 (Multiple SQL Injection vulnerabilities in Teachers Record Management S ...) - TODO: check + NOT-FOR-US: Teachers Record Management CVE-2021-28422 RESERVED CVE-2021-28421 (FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/f ...) @@ -18832,7 +18832,7 @@ CVE-2021-28129 CVE-2021-28128 (In Strapi through 3.6.0, the admin panel allows the changing of one's ...) NOT-FOR-US: Strapi CVE-2021-28127 (An issue was discovered in Stormshield SNS through 4.2.1. A brute-forc ...) - TODO: check + NOT-FOR-US: Stormshield SNS CVE-2021-28126 (index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1 ...) NOT-FOR-US: TranzWare e-Commerce Payment Gateway (TWEC PG) CVE-2021-28125 (Apache Superset up to and including 1.0.1 allowed for the creation of ...) @@ -19981,9 +19981,9 @@ CVE-2021-27663 CVE-2021-27662 RESERVED CVE-2021-27661 (Successful exploitation of this vulnerability could give an authentica ...) - TODO: check + NOT-FOR-US: Facility Explorer SNC Series Supervisory Controller CVE-2021-27660 (An insecure client auto update feature in C-CURE 9000 can allow remote ...) - TODO: check + NOT-FOR-US: C-CURE 9000 CVE-2021-27659 (exacqVision Web Service 21.03 does not sufficiently validate, filter, ...) NOT-FOR-US: exacqVision Web Service CVE-2021-27658 (exacqVision Enterprise Manager 20.12 does not sufficiently validate, f ...) @@ -20376,7 +20376,7 @@ CVE-2021-27479 (ZOLL Defibrillator Dashboard, v prior to 2.2,The affected produc CVE-2021-27478 RESERVED CVE-2021-27477 (When JTEKT Corporation TOYOPUC PLC versions PC10G-CPU, 2PORT-EFR, Plus ...) - TODO: check + NOT-FOR-US: JTEKT CVE-2021-27476 RESERVED CVE-2021-27475 @@ -32439,15 +32439,15 @@ CVE-2021-22349 (There is an Input Verification Vulnerability in Huawei Smartphon CVE-2021-22348 (There is a Memory Buffer Improper Operation Limit Vulnerability in Hua ...) NOT-FOR-US: Huawei CVE-2021-22347 (There is an Improper Access Control vulnerability in Huawei Smartphone ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-22346 (There is an Improper Permission Management Vulnerability in Huawei Sma ...) NOT-FOR-US: Huawei CVE-2021-22345 (There is an Input Verification Vulnerability in Huawei Smartphone. Suc ...) NOT-FOR-US: Huawei CVE-2021-22344 (There is an Improper Access Control vulnerability in Huawei Smartphone ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-22343 (There is a Configuration Defect vulnerability in Huawei Smartphone. Su ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-22342 (There is an information leak vulnerability in Huawei products. A modul ...) NOT-FOR-US: Huawei CVE-2021-22341 (There is a memory leak vulnerability in Huawei products. A resource ma ...) @@ -37543,7 +37543,7 @@ CVE-2021-20780 CVE-2021-20779 RESERVED CVE-2021-20778
[Git][security-tracker-team/security-tracker][master] kimageformats fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 07ecdb87 by Moritz Muehlenhoff at 2021-07-01T23:00:33+02:00 kimageformats fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48,7 +48,7 @@ CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_ve NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml CVE-2021-36083 (KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overf ...) [experimental] - kimageformats 5.83.0-1 - - kimageformats (bug #990527) + - kimageformats 5.78.0-5 (bug #990527) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml NOTE: https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07ecdb87bc143b027a3a2a239fb805f498be368b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07ecdb87bc143b027a3a2a239fb805f498be368b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 37bc4fd5 by security tracker role at 2021-07-01T20:10:34+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2021-3632 + RESERVED +CVE-2021-36090 + RESERVED +CVE-2020-36416 + RESERVED +CVE-2020-36415 + RESERVED +CVE-2020-36414 + RESERVED +CVE-2020-36413 + RESERVED +CVE-2020-36412 + RESERVED +CVE-2020-36411 + RESERVED +CVE-2020-36410 + RESERVED +CVE-2020-36409 + RESERVED +CVE-2020-36408 + RESERVED CVE-2021-36089 (Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in grk::File ...) - libgrokj2k (bug #990525) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33544 @@ -82,9 +104,9 @@ CVE-2020-36396 CVE-2020-36395 RESERVED CVE-2019-25049 (LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_pr ...) -- libressl (bug #754513) + - libressl (bug #754513) CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_p ...) -- libressl (bug #754513) + - libressl (bug #754513) CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) - unrar-nonfree (bug #990541) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 @@ -1662,10 +1684,10 @@ CVE-2021-35339 RESERVED CVE-2021-35338 RESERVED -CVE-2021-35337 - RESERVED -CVE-2021-35336 - RESERVED +CVE-2021-35337 (Sourcecodester Phone Shop Sales Managements System 1.0 is vulnerable t ...) + TODO: check +CVE-2021-35336 (Tieline IP Audio Gateway 2.6.4.8 and below is affected by Incorrect Ac ...) + TODO: check CVE-2021-35335 RESERVED CVE-2021-35334 @@ -7509,12 +7531,12 @@ CVE-2021-32733 RESERVED CVE-2021-32732 RESERVED -CVE-2021-32731 - RESERVED -CVE-2021-32730 - RESERVED -CVE-2021-32729 - RESERVED +CVE-2021-32731 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check +CVE-2021-32730 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check +CVE-2021-32729 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check CVE-2021-32728 RESERVED CVE-2021-32727 @@ -9851,8 +9873,8 @@ CVE-2021-31815 (GAEN (aka Google/Apple Exposure Notifications) through 2021-04-2 NOT-FOR-US: GAEN (aka Google/Apple Exposure Notifications) CVE-2021-31814 RESERVED -CVE-2021-31813 - RESERVED +CVE-2021-31813 (Zoho ManageEngine Applications Manager before 15130 is vulnerable to S ...) + TODO: check CVE-2021-31812 (In Apache PDFBox, a carefully crafted PDF file can trigger an infinite ...) - libpdfbox2-java - libpdfbox-java @@ -18081,10 +18103,10 @@ CVE-2021-28426 RESERVED CVE-2021-28425 RESERVED -CVE-2021-28424 - RESERVED -CVE-2021-28423 - RESERVED +CVE-2021-28424 (A stored cross-site scripting (XSS) vulnerability in Teachers Record M ...) + TODO: check +CVE-2021-28423 (Multiple SQL Injection vulnerabilities in Teachers Record Management S ...) + TODO: check CVE-2021-28422 RESERVED CVE-2021-28421 (FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/f ...) @@ -18809,8 +18831,8 @@ CVE-2021-28129 RESERVED CVE-2021-28128 (In Strapi through 3.6.0, the admin panel allows the changing of one's ...) NOT-FOR-US: Strapi -CVE-2021-28127 - RESERVED +CVE-2021-28127 (An issue was discovered in Stormshield SNS through 4.2.1. A brute-forc ...) + TODO: check CVE-2021-28126 (index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1 ...) NOT-FOR-US: TranzWare e-Commerce Payment Gateway (TWEC PG) CVE-2021-28125 (Apache Superset up to and including 1.0.1 allowed for the creation of ...) @@ -19958,10 +19980,10 @@ CVE-2021-27663 RESERVED CVE-2021-27662 RESERVED -CVE-2021-27661 - RESERVED -CVE-2021-27660 - RESERVED +CVE-2021-27661 (Successful exploitation of this vulnerability could give an authentica ...) + TODO: check +CVE-2021-27660 (An insecure client auto update feature in C-CURE 9000 can allow remote ...) + TODO: check CVE-2021-27659 (exacqVision Web Service 21.03 does not sufficiently validate, filter, ...) NOT-FOR-US: exacqVision Web Service CVE-2021-27658 (exacqVision Enterprise Manager 20.12 does not sufficiently validate, f ...) @@ -20353,8 +20375,8 @@ CVE-2021-27479 (ZOLL Defibrillator Dashboard, v prior to 2.2,The affected produc NOT-FOR-US: ZOLL Defibrillator Dashboard CVE-2021-27478 RESERVED -CVE-2021-27477 - RESERVED +CVE-2021-27477 (When JTEKT Corporation
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-35042/python-django
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a9feaed by Salvatore Bonaccorso at 2021-07-01T21:36:39+02:00 Add CVE-2021-35042/python-django - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2299,8 +2299,11 @@ CVE-2021-35044 RESERVED CVE-2021-35043 RESERVED -CVE-2021-35042 +CVE-2021-35042 [Potential SQL injection via unsanitized QuerySet.order_by() input] RESERVED + - python-django (Vulnerable code introduced in 3.1) + NOTE: https://www.djangoproject.com/weblog/2021/jul/01/security-releases/ + NOTE: Issue did affect only the experimental version and fixed in 2:3.2.5-1 CVE-2021-35041 (The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing w ...) NOT-FOR-US: FISCO-BCOS CVE-2021-3609 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a9feaedcecb31ab68381f1b8b3c39e6b7320bf8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a9feaedcecb31ab68381f1b8b3c39e6b7320bf8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2020-36400/zeromq3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ec5fe1d by Salvatore Bonaccorso at 2021-07-01T21:17:50+02:00 Update status for CVE-2020-36400/zeromq3 The issue as introduced and fixed while in development and did not affect a released version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,10 +66,11 @@ CVE-2020-36401 (mruby 2.1.2 has a double free in mrb_default_allocf (called from NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml NOTE: https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503 CVE-2020-36400 (ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, ...) - - zeromq3 4.3.3-1 + - zeromq3 (Never affected a released version) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26042 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libzmq/OSV-2020-1887.yaml - NOTE: https://github.com/zeromq/libzmq/commit/397ac80850bf8d010fae23dd215db0ee2c677306 + NOTE: Introduced by: https://github.com/zeromq/libzmq/commit/b56195e995e0875afabf405826d97b1dd9817bb0 (v4.3.3) + NOTE: Fixed by: https://github.com/zeromq/libzmq/commit/397ac80850bf8d010fae23dd215db0ee2c677306 (v4.3.3) CVE-2020-36399 RESERVED CVE-2020-36398 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ec5fe1da28d4e98410ec7bd2b65f4828dd844ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ec5fe1da28d4e98410ec7bd2b65f4828dd844ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bug nums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4faea9f9 by Moritz Muehlenhoff at 2021-07-01T19:22:32+02:00 bug nums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61,7 +61,7 @@ CVE-2020-36403 (HTSlib 1.10 through 1.10.2 allows out-of-bounds write access in CVE-2020-36402 (Solidity 0.7.5 has a stack-use-after-return issue in smtutil::CHCSmtLi ...) NOT-FOR-US: Solidity CVE-2020-36401 (mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_f ...) - - mruby + - mruby (bug #990540) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23801 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml NOTE: https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503 @@ -85,7 +85,7 @@ CVE-2019-25049 (LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_i CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_p ...) - libressl (bug #754513) CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) - - unrar-nonfree + - unrar-nonfree (bug #990541) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...) @@ -378,7 +378,7 @@ CVE-2021-35943 RESERVED CVE-2021-35942 [Wild read in wordexp (parse_param)] RESERVED - - glibc + - glibc (bug #990542) [bullseye] - glibc (Minor issue) [buster] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011 @@ -401,19 +401,19 @@ CVE-2021-35940 RESERVED CVE-2021-35939 [checks for unsafe symlinks are not performed for intermediary directories] RESERVED - - rpm + - rpm (bug #990543) [bullseye] - rpm (Minor issue) [buster] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964129 CVE-2021-35938 [races with chown/chmod/capabilities calls during installation] RESERVED - - rpm + - rpm (bug #990543) [bullseye] - rpm (Minor issue) [buster] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964114 CVE-2021-35937 [TOCTOU race in checks for unsafe symlinks] RESERVED - - rpm + - rpm (bug #990543) [bullseye] - rpm (Minor issue) [buster] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964125 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4faea9f9fd4ffe56ef1411a42339ef545ee85ea5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4faea9f9fd4ffe56ef1411a42339ef545ee85ea5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: reclaim shiro
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 1507867a by Roberto C. Sánchez at 2021-07-01T13:17:59-04:00 LTS: reclaim shiro - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,7 +124,7 @@ salt scilab (Anton Gladky) NOTE: 20210615: vulnerability in embedded ezXML.(abhijith) -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1507867a4767b91639dd10856b9e59eaae312a95 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1507867a4767b91639dd10856b9e59eaae312a95 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] record fixed version for darktable
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6eec4b58 by Moritz Mühlenhoff at 2021-07-01T17:33:44+02:00 record fixed version for darktable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89,11 +89,12 @@ CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...) - - darktable + - darktable 2.6.0-1 - photoflow NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5256 NOTE: https://github.com/darktable-org/rawspeed/commit/dbe7591e54bad5e6430d38be6bed051582da76b9 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/librawspeed/OSV-2018-227.yaml + NOTE: darktable 2.6.0 is the first release to bundle rawspeed 3.2 with the fixes CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in Unpack:: ...) - unrar-nonfree 1:5.6.6-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4373 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eec4b5878a5f3764454ec9fe05251ac18b0012e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eec4b5878a5f3764454ec9fe05251ac18b0012e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] record zeromq fix
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e11ba72f by Moritz Mühlenhoff at 2021-07-01T17:22:58+02:00 record zeromq fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,7 +66,7 @@ CVE-2020-36401 (mruby 2.1.2 has a double free in mrb_default_allocf (called from NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml NOTE: https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503 CVE-2020-36400 (ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, ...) - - zeromq3 + - zeromq3 4.3.3-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26042 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libzmq/OSV-2020-1887.yaml NOTE: https://github.com/zeromq/libzmq/commit/397ac80850bf8d010fae23dd215db0ee2c677306 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e11ba72fadff2baa314a2a6623fc62d8a6fadbea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e11ba72fadff2baa314a2a6623fc62d8a6fadbea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix report-vuln for Python 3
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 84bdb5d9 by Moritz Mühlenhoff at 2021-07-01T17:19:57+02:00 Fix report-vuln for Python 3 - - - - - 1 changed file: - bin/report-vuln Changes: = bin/report-vuln = @@ -247,7 +247,7 @@ def main(): if args.mail: with NamedTemporaryFile(prefix='report-vuln', suffix='.txt') as bugmail: -bugmail.write(text) +bugmail.write(text.encode()) bugmail.flush() os.system(args.mailer.format(bugmail.name)) else: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84bdb5d92da1216f6f128471c154ae36cbf141b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84bdb5d92da1216f6f128471c154ae36cbf141b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7efeedc7 by Moritz Muehlenhoff at 2021-07-01T16:20:49+02:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -401,14 +401,20 @@ CVE-2021-35940 CVE-2021-35939 [checks for unsafe symlinks are not performed for intermediary directories] RESERVED - rpm + [bullseye] - rpm (Minor issue) + [buster] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964129 CVE-2021-35938 [races with chown/chmod/capabilities calls during installation] RESERVED - rpm + [bullseye] - rpm (Minor issue) + [buster] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964114 CVE-2021-35937 [TOCTOU race in checks for unsafe symlinks] RESERVED - rpm + [bullseye] - rpm (Minor issue) + [buster] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964125 CVE-2021-35936 RESERVED @@ -8985,6 +8991,7 @@ CVE-2021-32063 CVE-2021-32062 (MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x ...) [experimental] - mapserver 7.6.3-1~exp1 - mapserver 7.6.2-2 (bug #988208) + [bullseye] - mapserver (Minor issue; #988224) [buster] - mapserver (Minor issue; will be fixed via point release) [stretch] - mapserver (Minor issue; can be fixed in next update) NOTE: https://github.com/mapserver/mapserver/issues/6313 @@ -9601,6 +9608,7 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes - bundler [stretch] - bundler (Invasive change, hard to backport; chances of regression) - rubygems + [bullseye] - rubygems (Minor issue) NOTE: https://github.com/rubygems/rubygems/issues/3982 CVE-2021-3521 RESERVED @@ -18523,6 +18531,7 @@ CVE-2021-28214 RESERVED CVE-2021-28213 (Example EDK2 encrypted private key in the IpSecDxe.efi present potenti ...) - edk2 (bug #989988) + [bullseye] - edk2 (Minor issue) [buster] - edk2 (Minor issue) [stretch] - edk2 (Minor issue) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1866 @@ -24798,6 +24807,7 @@ CVE-2021-25738 CVE-2021-25737 RESERVED - kubernetes + [bullseye] - kubernetes (Kubernetes in Bullseye only ships the client) NOTE: https://www.openwall.com/lists/oss-security/2021/05/18/4 NOTE: Server components no longer built since 1.20.5+really1.20.2-1 CVE-2021-25736 @@ -24806,6 +24816,7 @@ CVE-2021-25736 CVE-2021-25735 [Validating Admission Webhook does not observe some previous fields] RESERVED - kubernetes + [bullseye] - kubernetes (Kubernetes in Bullseye only ships the client) NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/1 NOTE: https://github.com/kubernetes/kubernetes/issues/100096 NOTE: Server components no longer built since 1.20.5+really1.20.2-1 @@ -3,6 +31122,7 @@ CVE-2021-22896 (Nextcloud Mail before 1.9.5 suffers from improper access control NOT-FOR-US: Nextcloud Mail CVE-2021-22895 (Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certif ...) - nextcloud-desktop (bug #989846) + [bullseye] - nextcloud-desktop (Minor issue) [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/desktop/pull/2926 NOTE: https://github.com/nextcloud/desktop/commit/b1ddd0e491b2af0ed040e658d8bcde2a7a61c9fc (stable-3.1) @@ -97109,6 +97121,7 @@ CVE-2020-8563 (In Kubernetes clusters using VSphere as a cloud provider, with a CVE-2020-8562 RESERVED - kubernetes + [bullseye] - kubernetes (Kubernetes in Bullseye only ships the client) NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/8 NOTE: Server components no longer built since 1.20.5+really1.20.2-1 CVE-2020-8561 @@ -97133,6 +97146,7 @@ CVE-2020-8555 (The Kubernetes kube-controller-manager in versions v1.0-1.14, ver NOTE: https://github.com/kubernetes/kubernetes/issues/91542 CVE-2020-8554 (Kubernetes API server in all versions allow an attacker who is able to ...) - kubernetes + [bullseye] - kubernetes (Kubernetes in Bullseye only ships the client) NOTE: https://www.openwall.com/lists/oss-security/2020/12/07/5 NOTE: https://github.com/kubernetes/kubernetes/issues/97076 NOTE: Server components no longer built since 1.20.5+really1.20.2-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7efeedc74f2799809b430c8660204800999fd457 -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] Remove note wich refers only to releases page
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09aabc1d by Salvatore Bonaccorso at 2021-07-01T15:03:42+02:00 Remove note wich refers only to releases page - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -87,7 +87,6 @@ CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read i CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) - unrar-nonfree NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 - NOTE: https://github.com/aawc/unrar/releases NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...) - darktable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09aabc1df7f576792680fe90171e8533e20fa40c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09aabc1df7f576792680fe90171e8533e20fa40c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Aassociate two libressl CVEs with the old itp bug
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 00c25b7e by Salvatore Bonaccorso at 2021-07-01T14:59:46+02:00 Aassociate two libressl CVEs with the old itp bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81,9 +81,9 @@ CVE-2020-36396 CVE-2020-36395 RESERVED CVE-2019-25049 (LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_pr ...) - NOT-FOR-US: LibreSSL +- libressl (bug #754513) CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_p ...) - NOT-FOR-US: LibreSSL +- libressl (bug #754513) CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) - unrar-nonfree NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00c25b7ee3e8d1a235b56432e9f5288ec75e0151 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00c25b7ee3e8d1a235b56432e9f5288ec75e0151 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-36403/htslib fixed in unstable via 1.11-1 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b9c73b4 by Salvatore Bonaccorso at 2021-07-01T14:54:09+02:00 CVE-2020-36403/htslib fixed in unstable via 1.11-1 upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,7 +54,7 @@ CVE-2020-36405 (Keystone Engine 0.9.2 has a use-after-free in llvm_ks::X86Operan CVE-2020-36404 (Keystone Engine 0.9.2 has an invalid free in llvm_ks::SmallVectorImpl& ...) NOT-FOR-US: keystone engine CVE-2020-36403 (HTSlib 1.10 through 1.10.2 allows out-of-bounds write access in vcf_pa ...) - - htslib + - htslib 1.11-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/htslib/OSV-2020-955.yaml NOTE: https://github.com/samtools/htslib/commit/dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b9c73b42fc6b0a3342e2b6ca18ddebe5883da33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b9c73b42fc6b0a3342e2b6ca18ddebe5883da33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track experimental fix for CVE-2021-36083/kimageformats
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1dac979 by Salvatore Bonaccorso at 2021-07-01T14:49:59+02:00 Track experimental fix for CVE-2021-36083/kimageformats - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,6 +25,7 @@ CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_ve NOTE: https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml CVE-2021-36083 (KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overf ...) + [experimental] - kimageformats 5.83.0-1 - kimageformats (bug #990527) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1dac979d371cc86b0b9bc6f5c4dad55de918e01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1dac979d371cc86b0b9bc6f5c4dad55de918e01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Adjust oss-fuzz reference for CVE-2021-36085
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd5649d6 by Salvatore Bonaccorso at 2021-07-01T14:45:18+02:00 Adjust oss-fuzz reference for CVE-2021-36085 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16,7 +16,7 @@ CVE-2021-36086 (The CIL compiler in SELinux 3.2 has a use-after-free in cil_rese NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml CVE-2021-36085 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) - libsepol (bug #990526) - NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124a + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124 NOTE: https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd5649d6329aef80b05b789d143ca7d39e144c56 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd5649d6329aef80b05b789d143ca7d39e144c56 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] cvelist.el: new defun to add a bug reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a80525f by Moritz Muehlenhoff at 2021-07-01T14:28:49+02:00 cvelist.el: new defun to add a bug reference - - - - - 1 changed file: - conf/cvelist.el Changes: = conf/cvelist.el = @@ -16,6 +16,7 @@ ;;; (cons '("list" . debian-cvelist-mode) auto-mode-alist)) (setq last-nfu "") +(setq bugnum "") ; TODO: Tab completion for existing NFUs (defun debian-cvelist-insert-not-for-us () @@ -31,6 +32,13 @@ (interactive) (insert "\tNOTE: ")) +(defun debian-cvelist-insert-bug () + "Add bugnumber to end of line." + (setq bugnum (read-string "Bug number (without #): " bugnum)) + (interactive) + (end-of-line) + (insert " (bug #" bugnum ")" )) + ; TODO: Read supported distros from central config and prompt for applicable suites (defun debian-cvelist-insert-nodsa () "Insert no-dsa comment based on the current source entry." @@ -74,6 +82,7 @@ (define-key map (kbd "C-c C-l") 'debian-cvelist-insert-nodsa) (define-key map (kbd "C-c C-a") 'debian-cvelist-insert-srcentry) (define-key map (kbd "C-c C-x") 'debian-cvelist-insert-not-affected) + (define-key map (kbd "C-c C-b") 'debian-cvelist-insert-bug) map) "Keymap for `debian-cvelist-mode'.") View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a80525f3452446a3ff9b7785b33150f98f0e864 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a80525f3452446a3ff9b7785b33150f98f0e864 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 038dd3cc by Moritz Muehlenhoff at 2021-07-01T14:01:19+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,41 +1,41 @@ CVE-2021-36089 (Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in grk::File ...) - - libgrokj2k + - libgrokj2k (bug #990525) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33544 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/grok/OSV-2021-677.yaml CVE-2021-36088 (Fluent Bit (aka fluent-bit) 1.7.0 through 1.7,4 has a double free in f ...) NOT-FOR-US: Fluent Bit CVE-2021-36087 (The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in e ...) - - libsepol + - libsepol (bug #990526) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32675 NOTE: https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml CVE-2021-36086 (The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_clas ...) - - libsepol + - libsepol (bug #990526) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177 NOTE: https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml CVE-2021-36085 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) - - libsepol + - libsepol (bug #990526) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124a NOTE: https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) - - libsepol + - libsepol (bug #990526) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065 NOTE: https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml CVE-2021-36083 (KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overf ...) - - kimageformats + - kimageformats (bug #990527) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml NOTE: https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f CVE-2021-36082 (ntop nDPI 3.4 has a stack-based buffer overflow in processClientServer ...) - - ndpi + - ndpi (bug #990528) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30393 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ndpi/OSV-2021-304.yaml NOTE: https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3 CVE-2021-36081 (Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-fr ...) - - tesseract + - tesseract (bug #990529) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29698 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/tesseract-ocr/OSV-2021-211.yaml NOTE: https://github.com/tesseract-ocr/tesseract/commit/e6f15621c2ab2ecbfabf656942d8ef66f03b2d55 @@ -1241,7 +1241,7 @@ CVE-2021-3624 [buffer-overflow caused by integer-overflow in foveon_load_camf()] - dcraw (bug #984761) CVE-2021-3623 [out-of-bounds access when trying to resume the state of the vTPM] RESERVED - - libtpms + - libtpms (bug #990522) NOTE: https://github.com/stefanberger/libtpms/pull/223 NOTE: https://github.com/stefanberger/libtpms/commit/2f30d620d3c053f20d38b54bf76ac0907821d263 NOTE: https://github.com/stefanberger/libtpms/commit/7981d9ad90a5043a05004e4ca7b46beab8ca7809 @@ -7523,11 +7523,11 @@ CVE-2021-32721 (PowerMux is a drop-in replacement for Go's http.ServeMux. In Pow CVE-2021-32720 (Sylius is an Open Source eCommerce platform on top of Symfony. In vers ...) NOT-FOR-US: Sylius CVE-2021-32719 (RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...) - - rabbitmq-server + - rabbitmq-server (bug #990524) NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/3122 CVE-2021-32718 (RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...) - - rabbitmq-server
[Git][security-tracker-team/security-tracker][master] libavif already fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d0ab439 by Moritz Muehlenhoff at 2021-07-01T13:32:54+02:00 libavif already fixed in sid glibc no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42,7 +42,7 @@ CVE-2021-36081 (Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-af CVE-2021-36080 (GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_ ...) - libredwg (bug #595191) CVE-2020-36407 (libavif 0.8.0 and 0.8.1 has an out-of-bounds write in avifDecoderDataF ...) - - libavif + - libavif 0.8.2-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24811 NOTE: https://github.com/AOMediaCodec/libavif/commit/0a8e7244d494ae98e9756355dfbfb6697ded2ff9 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libavif/OSV-2020-1597.yaml @@ -378,6 +378,8 @@ CVE-2021-35943 CVE-2021-35942 [Wild read in wordexp (parse_param)] RESERVED - glibc + [bullseye] - glibc (Minor issue) + [buster] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011 NOTE: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c CVE-2021-35941 (Western Digital WD My Book Live (2.x and later) and WD My Book Live Du ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d0ab4396a35e37c15251e438ec90558bd2e56cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d0ab4396a35e37c15251e438ec90558bd2e56cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new rar, darktable, photoflow issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ba911e8a by Moritz Muehlenhoff at 2021-07-01T11:04:59+02:00 new rar, darktable, photoflow issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80,15 +80,25 @@ CVE-2020-36396 CVE-2020-36395 RESERVED CVE-2019-25049 (LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_pr ...) - TODO: check + NOT-FOR-US: LibreSSL CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_p ...) - TODO: check + NOT-FOR-US: LibreSSL CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) - TODO: check + - unrar-nonfree + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 + NOTE: https://github.com/aawc/unrar/releases + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...) - TODO: check + - darktable + - photoflow + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5256 + NOTE: https://github.com/darktable-org/rawspeed/commit/dbe7591e54bad5e6430d38be6bed051582da76b9 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/librawspeed/OSV-2018-227.yaml CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in Unpack:: ...) - TODO: check + - unrar-nonfree 1:5.6.6-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4373 + NOTE: https://github.com/aawc/unrar/commit/0ff832d31470471803b175cfff4e40c1b08ee779 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2017-104.yaml CVE-2021-3631 RESERVED CVE-2021-36079 @@ -310,7 +320,7 @@ CVE-2021-35972 CVE-2021-35971 (Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 be ...) NOT-FOR-US: Veeam CVE-2021-35970 (Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-ma ...) - TODO: check + NOT-FOR-US: Coral CVE-2021-35969 RESERVED CVE-2021-35968 @@ -7477,7 +7487,7 @@ CVE-2021-32738 CVE-2021-32737 RESERVED CVE-2021-32736 (think-helper defines a set of helper functions for ThinkJS. In version ...) - TODO: check + NOT-FOR-US: think-helper CVE-2021-32735 RESERVED CVE-2021-32734 @@ -10055,7 +10065,7 @@ CVE-2021-31723 CVE-2021-31722 RESERVED CVE-2021-31721 (Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image ...) - TODO: check + NOT-FOR-US: Chevereto CVE-2021-31720 RESERVED CVE-2021-31719 @@ -17169,11 +17179,11 @@ CVE-2021-28806 (A DOM-based XSS vulnerability has been reported to affect QNAP N CVE-2021-28805 (Inclusion of sensitive information in the source code has been reporte ...) NOT-FOR-US: QNAP CVE-2021-28804 (A command injection vulnerabilities have been reported to affect QTS a ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-28803 (This issue affects: QNAP Systems Inc. Q'center versions prior to 1.11. ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-28802 (A command injection vulnerabilities have been reported to affect QTS a ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-28801 (An out-of-bounds read vulnerability has been reported to affect certai ...) NOT-FOR-US: QNAP CVE-2021-28800 (A command injection vulnerability has been reported to affect QNAP NAS ...) @@ -25657,11 +25667,11 @@ CVE-2020-36198 (A command injection vulnerability has been reported to affect ce CVE-2020-36197 (An improper access control vulnerability has been reported to affect e ...) NOT-FOR-US: QNAP CVE-2020-36196 (A stored XSS vulnerability has been reported to affect QNAP NAS runnin ...) - TODO: check + NOT-FOR-US: QNAP CVE-2020-36195 (An SQL injection vulnerability has been reported to affect QNAP NAS ru ...) NOT-FOR-US: QNAP CVE-2020-36194 (An XSS vulnerability has been reported to affect QNAP NAS running QTS ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-3184 (MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global ...) NOT-FOR-US: MISP CVE-2021-3183 (Files.com Fat Client 3.3.6 allows authentication bypass because the cl ...) @@ -32378,21 +32388,21 @@ CVE-2021-22354 (There is an Information Disclosure Vulnerability in Huawei Smart CVE-2021-22353 (There is a Memory Buffer Improper Operation Limit Vulnerability in Hua ...) NOT-FOR-US: Huawei CVE-2021-22352 (There is a Configuration Defect Vulnerability in Huawei Smartphone. Su ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-22351 (There is a Credentials Management Errors Vulnerability in Huawei Smart ...) -
[Git][security-tracker-team/security-tracker][master] new libgrokj2k libsepol kimageformats ndpi tesseract libavif htslib mruby zeromq3 issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 69ed8513 by Moritz Muehlenhoff at 2021-07-01T10:51:36+02:00 new libgrokj2k libsepol kimageformats ndpi tesseract libavif htslib mruby zeromq3 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,39 +1,74 @@ CVE-2021-36089 (Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in grk::File ...) - TODO: check + - libgrokj2k + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33544 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/grok/OSV-2021-677.yaml CVE-2021-36088 (Fluent Bit (aka fluent-bit) 1.7.0 through 1.7,4 has a double free in f ...) - TODO: check + NOT-FOR-US: Fluent Bit CVE-2021-36087 (The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in e ...) - TODO: check + - libsepol + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32675 + NOTE: https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml CVE-2021-36086 (The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_clas ...) - TODO: check + - libsepol + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177 + NOTE: https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml CVE-2021-36085 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) - TODO: check + - libsepol + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124a + NOTE: https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) - TODO: check + - libsepol + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065 + NOTE: https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml CVE-2021-36083 (KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overf ...) - TODO: check + - kimageformats + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml + NOTE: https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f CVE-2021-36082 (ntop nDPI 3.4 has a stack-based buffer overflow in processClientServer ...) - TODO: check + - ndpi + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30393 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ndpi/OSV-2021-304.yaml + NOTE: https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3 CVE-2021-36081 (Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-fr ...) - TODO: check + - tesseract + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29698 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/tesseract-ocr/OSV-2021-211.yaml + NOTE: https://github.com/tesseract-ocr/tesseract/commit/e6f15621c2ab2ecbfabf656942d8ef66f03b2d55 CVE-2021-36080 (GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_ ...) - TODO: check + - libredwg (bug #595191) CVE-2020-36407 (libavif 0.8.0 and 0.8.1 has an out-of-bounds write in avifDecoderDataF ...) - TODO: check + - libavif + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24811 + NOTE: https://github.com/AOMediaCodec/libavif/commit/0a8e7244d494ae98e9756355dfbfb6697ded2ff9 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libavif/OSV-2020-1597.yaml CVE-2020-36406 (uWebSockets 18.11.0 and 18.12.0 has a stack-based buffer overflow in u ...) - TODO: check + NOT-FOR-US: uWebSockets CVE-2020-36405 (Keystone Engine 0.9.2 has a use-after-free in llvm_ks::X86Operand::get ...) - TODO: check + NOT-FOR-US: keystone engine CVE-2020-36404 (Keystone Engine 0.9.2 has an invalid free in llvm_ks::SmallVectorImpl& ...) - TODO: check + NOT-FOR-US: keystone engine CVE-2020-36403 (HTSlib 1.10 through 1.10.2 allows out-of-bounds write access in vcf_pa ...) - TODO: check + - htslib + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097 + NOTE:
[Git][security-tracker-team/security-tracker][master] Reclaim the ruby packages and jetty9 in dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c03bd728 by Markus Koschany at 2021-07-01T10:37:58+02:00 Reclaim the ruby packages and jetty9 in dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,7 +64,7 @@ intel-microcode NOTE: 20210622: we'll wait for a couple of days more before rolling NOTE: 20210622: out the update. (utkarsh) -- -jetty9 +jetty9 (Markus Koschany) -- libxstream-java (Sylvain Beucler) NOTE: 20210603: upstream changed the default security framework to a whitelist, @@ -94,14 +94,14 @@ python-babel -- rabbitmq-server (Abhijith PA) -- -ruby-actionpack-page-caching +ruby-actionpack-page-caching (Markus Koschany) NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private NOTE: 20200819: page_cache_file method suggests that the issue exists, as it NOTE: 20200819: uses the path without normalising any "../" etc., simply NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby) -- -ruby-kaminari +ruby-kaminari (Markus Koschany) NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to NOTE: 20200819: the one upstream or in its many forks. For example, both dthe NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c03bd7280eda2bde05b261ab615c063593fbf23f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c03bd7280eda2bde05b261ab615c063593fbf23f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] icu fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 541b494b by Moritz Muehlenhoff at 2021-07-01T10:32:15+02:00 icu fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12757,7 +12757,7 @@ CVE-2021-30536 (Out of bounds read in V8 in Google Chrome prior to 91.0.4472.77 CVE-2021-30535 (Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a re ...) - chromium (bug #990079) [stretch] - chromium (see DSA 4562) - - icu + - icu 67.1-7 NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1194899 (restricted) NOTE: Bugfix: https://github.com/unicode-org/icu/pull/1698/commits/e450fa50fc242282551f56b941dc93b9a8a0bcbb NOTE: Backports: https://chromium-review.googlesource.com/c/chromium/deps/icu/+/2842864 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/541b494b84893f24b16f85e4939781d9a8c95605 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/541b494b84893f24b16f85e4939781d9a8c95605 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aca222c3 by security tracker role at 2021-07-01T08:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,59 @@ +CVE-2021-36089 (Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in grk::File ...) + TODO: check +CVE-2021-36088 (Fluent Bit (aka fluent-bit) 1.7.0 through 1.7,4 has a double free in f ...) + TODO: check +CVE-2021-36087 (The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in e ...) + TODO: check +CVE-2021-36086 (The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_clas ...) + TODO: check +CVE-2021-36085 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) + TODO: check +CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) + TODO: check +CVE-2021-36083 (KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overf ...) + TODO: check +CVE-2021-36082 (ntop nDPI 3.4 has a stack-based buffer overflow in processClientServer ...) + TODO: check +CVE-2021-36081 (Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-fr ...) + TODO: check +CVE-2021-36080 (GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_ ...) + TODO: check +CVE-2020-36407 (libavif 0.8.0 and 0.8.1 has an out-of-bounds write in avifDecoderDataF ...) + TODO: check +CVE-2020-36406 (uWebSockets 18.11.0 and 18.12.0 has a stack-based buffer overflow in u ...) + TODO: check +CVE-2020-36405 (Keystone Engine 0.9.2 has a use-after-free in llvm_ks::X86Operand::get ...) + TODO: check +CVE-2020-36404 (Keystone Engine 0.9.2 has an invalid free in llvm_ks::SmallVectorImpl& ...) + TODO: check +CVE-2020-36403 (HTSlib 1.10 through 1.10.2 allows out-of-bounds write access in vcf_pa ...) + TODO: check +CVE-2020-36402 (Solidity 0.7.5 has a stack-use-after-return issue in smtutil::CHCSmtLi ...) + TODO: check +CVE-2020-36401 (mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_f ...) + TODO: check +CVE-2020-36400 (ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, ...) + TODO: check +CVE-2020-36399 + RESERVED +CVE-2020-36398 + RESERVED +CVE-2020-36397 + RESERVED +CVE-2020-36396 + RESERVED +CVE-2020-36395 + RESERVED +CVE-2019-25049 (LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_pr ...) + TODO: check +CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_p ...) + TODO: check +CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) + TODO: check +CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...) + TODO: check +CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in Unpack:: ...) + TODO: check CVE-2021-3631 RESERVED CVE-2021-36079 @@ -13645,55 +13701,55 @@ CVE-2021-30161 (An issue was discovered on LG mobile devices with Android OS 11 NOT-FOR-US: LG mobile devices CVE-2021-26948 RESERVED - {DSA-4928-1} + {DSA-4928-1 DLA-2700-1} - htmldoc 1.9.11-4 (unimportant; bug #989437) NOTE: https://github.com/michaelrsweet/htmldoc/issues/410 NOTE: https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2 NOTE: Crash in CLI tool, no security impact CVE-2021-26259 RESERVED - {DSA-4928-1} + {DSA-4928-1 DLA-2700-1} - htmldoc 1.9.11-4 (unimportant; bug #989437) NOTE: https://github.com/michaelrsweet/htmldoc/issues/417 NOTE: https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5 NOTE: Crash in CLI tool, no security impact CVE-2021-26252 RESERVED - {DSA-4928-1} + {DSA-4928-1 DLA-2700-1} - htmldoc 1.9.11-4 (unimportant; bug #989437) NOTE: https://github.com/michaelrsweet/htmldoc/issues/412 NOTE: https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc NOTE: Crash in CLI tool, no security impact CVE-2021-23206 RESERVED - {DSA-4928-1} + {DSA-4928-1 DLA-2700-1} - htmldoc 1.9.11-4 (unimportant; bug #989437) NOTE: https://github.com/michaelrsweet/htmldoc/issues/416 NOTE: https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8 NOTE: Crash in CLI tool, no security impact CVE-2021-23191 RESERVED - {DSA-4928-1} + {DSA-4928-1 DLA-2700-1} - htmldoc 1.9.11-4 (unimportant; bug #989437) NOTE: https://github.com/michaelrsweet/htmldoc/issues/415 NOTE:
[Git][security-tracker-team/security-tracker][master] Track initially CVE-2021-3618
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d959cf6 by Salvatore Bonaccorso at 2021-07-01T09:22:43+02:00 Track initially CVE-2021-3618 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1262,6 +1262,8 @@ CVE-2021-35475 (SAS Environment Manager 2.5 allows XSS through the Name field wh NOT-FOR-US: SAS Environment Manager CVE-2021-3618 RESERVED + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975623 + TODO: check details, protocol implementation issue for various TLS servers implementations CVE-2021-3617 RESERVED CVE-2021-3616 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d959cf6cf06ea8d44e21a51e32075567b8c9e04 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d959cf6cf06ea8d44e21a51e32075567b8c9e04 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits