[Git][security-tracker-team/security-tracker][master] CVE-2021-36749 TODO
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: d2c4dd95 by Henri Salo at 2021-09-24T07:44:39+03:00 CVE-2021-36749 TODO - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11140,6 +11140,8 @@ CVE-2021-36750 RESERVED CVE-2021-36749 RESERVED + NOTE: https://www.openwall.com/lists/oss-security/2021/09/24/1 + TODO: check CVE-2021-3650 RESERVED CVE-2021-3649 (chatwoot is vulnerable to Inefficient Regular Expression Complexity ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2c4dd95cad217184e5f4d5999c631c0c582062e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2c4dd95cad217184e5f4d5999c631c0c582062e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
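Review bot: the NOTE added for CVE-2021-36749 carries only the oss-security URL while the entry itself is still RESERVED with no description, so the "TODO: check" gives the next triager nothing to act on without opening the link; a few words on the NOTE line about what the post reports (affected package and type of issue) would make the TODO self-explanatory and easier to grep for later.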
[Git][security-tracker-team/security-tracker][master] Typo fix
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 33222c7d by Henri Salo at 2021-09-24T07:43:30+03:00 Typo fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -46939,37 +46939,37 @@ CVE-2021-22022 (The vRealize Operations Manager API (8.x prior to 8.5) contains CVE-2021-22021 (VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site S ...) NOT-FOR-US: VMware CVE-2021-22020 (The vCenter Server contains a denial-of-service vulnerability in the A ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22019 (The vCenter Server contains a denial-of-service vulnerability in VAPI ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22018 (The vCenter Server contains an arbitrary file deletion vulnerability i ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22017 (Rhttproxy as used in vCenter Server contains a vulnerability due to im ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22016 (The vCenter Server contains a reflected cross-site scripting vulnerabi ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22015 (The vCenter Server contains multiple local privilege escalation vulner ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22014 (The vCenter Server contains an authenticated code execution vulnerabil ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22013 (The vCenter Server contains a file path traversal vulnerability leadin ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22012 (The vCenter Server contains an information disclosure vulnerability du ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22011 (vCenter Server contains an unauthenticated API endpoint vulnerability ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22010 (The vCenter Server contains a denial-of-service vulnerability in VPXD ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22009 (The vCenter Server contains multiple denial-of-service vulnerabilities ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22008 (The vCenter Server contains an information disclosure vulnerability in ...) 
- NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22007 (The vCenter Server contains a local information disclosure vulnerabili ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22006 (The vCenter Server contains a reverse proxy bypass vulnerability due t ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22005 (The vCenter Server contains an arbitrary file upload vulnerability in ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-22004 (An issue was discovered in SaltStack Salt before 3003.3. The salt mini ...) - salt (bug #994016) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/ @@ -46995,7 +46995,7 @@ CVE-2021-21995 (OpenSLP as used in ESXi has a denial-of-service vulnerability du CVE-2021-21994 (SFCB (Small Footprint CIM Broker) as used in ESXi has an authenticatio ...) NOT-FOR-US: VMware CVE-2021-21993 (The vCenter Server contains an SSRF (Server Side Request Forgery) vuln ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2021-21992 (The vCenter Server contains a denial-of-service vulnerability due to i ...) NOT-FOR-US: VMware CVE-2021-21991 (The vCenter Server contains a local privilege escalation vulnerability ...) 
@@ -312285,8 +312285,8 @@ CVE-2016- [mediawiki issues from 1.26.3, 1.25.6 and 1.23.14] CVE-2016-4952 (QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual S ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #825210) - [wheezy] - qemu (VMWare PVSCSI paravirtual device implementation introduced later) - - qemu-kvm (VMWare PVSCSI paravirtual device implementation introduced later) + [wheezy] - qemu (VMware PVSCSI paravirtual device implementation introduced later) + - qemu-kvm (VMware PVSCSI paravirtual device implementation introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03774.html NOTE: Introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=881d588a98bf0dce98ddb65c15aa0854c0ac41ed (v1.5.0-rc0) CVE-2016-4951 (The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kerne ...) @@ -375313,15 +375313,15 @@ CVE-2014-1213 (Sophos Anti-Virus engine (SAVi) before 3.50.1, as used in VDL 4.9 CVE-2014-1212 RESERVED CVE-2014-1211 (Cross-site request forgery (CSRF) vulnerability in VMware vCloud Direc ...) - NOT-FOR-US: VMWare + NOT-FOR-US: VMware CVE-2014-1210 (VMware vSphere Client 5.0 before Update 3 and 5.1 before Update 2
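Review bot: the -46939 hunk does nothing but correct the "VMWare" spelling for CVE-2021-22005 through CVE-2021-22020, which commit dc54ad1f ("Process more NFUs", further down this digest) introduced; the fix is right, since the untouched context line for CVE-2021-22021 in the same hunk already reads "NOT-FOR-US: VMware", but the -46995 and -375313 hunks show the same inconsistency has existed for older entries too (CVE-2021-21993, CVE-2014-1211), so a one-off grep for the mixed spelling before committing NFU batches would avoid follow-up commits like this one.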
[Git][security-tracker-team/security-tracker][master] CVE-2021-40690,CVE-2019-12400,libxml-security-java: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f8c7a11 by Markus Koschany at 2021-09-23T23:58:36+02:00 CVE-2021-40690,CVE-2019-12400,libxml-security-java: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1923,7 +1923,7 @@ CVE-2021-40692 CVE-2021-40691 RESERVED CVE-2021-40690 (All versions of Apache Santuario - XML Security for Java prior to 2.2. ...) - - libxml-security-java (bug #994569) + - libxml-security-java 2.1.7-1 (bug #994569) NOTE: https://santuario.apache.org/secadv.data/CVE-2021-40690.txt.asc CVE-2021-3780 (peertube is vulnerable to Improper Neutralization of Input During Web ...) - peertube (bug #950821) @@ -155837,7 +155837,7 @@ CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 NOTE: disabling coalescing by default which can trigger large memory consumption NOTE: when parsing specially crafted XML data. CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a caching mec ...) - - libxml-security-java (bug #935548) + - libxml-security-java 2.1.7-1 (bug #935548) [bullseye] - libxml-security-java (Minor issue) [buster] - libxml-security-java (Minor issue) [stretch] - libxml-security-java (Vulnerable code introduced in 2.0.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f8c7a112a0a365241ae68b3693d789e6953e34e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f8c7a112a0a365241ae68b3693d789e6953e34e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
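Review bot: both hunks set libxml-security-java 2.1.7-1 as the fixing version, but only the CVE-2019-12400 entry carries "[bullseye]" and "[buster]" annotations ("Minor issue"), whereas CVE-2021-40690 gets none, which leaves the state of the stable releases for that CVE undetermined in this entry; if the same no-dsa decision applies, add matching "[bullseye] - libxml-security-java (Minor issue)" and "[buster] - libxml-security-java (Minor issue)" lines under CVE-2021-40690, otherwise record the pending decision in a NOTE so the two entries do not drift apart.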
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc54ad1f by Salvatore Bonaccorso at 2021-09-23T22:33:09+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -307,7 +307,7 @@ CVE-2021-41430 CVE-2021-41429 RESERVED CVE-2021-41428 (Insecure permissions in Update Manager = 5.8.0.2300 and DFL = ...) - TODO: check + NOT-FOR-US: DATEV CVE-2021-41427 RESERVED CVE-2021-41426 @@ -402,7 +402,7 @@ CVE-2021-41383 (setup.cgi on NETGEAR R6020 1.0.0.48 devices allows an admin to e CVE-2021-41382 (Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server managem ...) NOT-FOR-US: Plastic SCM CVE-2021-41381 (Payara Micro Community 5.2021.6 and below allows Directory Traversal. ...) - TODO: check + NOT-FOR-US: Payara Micro Community CVE-2021-3816 RESERVED CVE-2021-41380 (RealVNC Viewer 6.21.406 allows remote VNC servers to cause a denial of ...) @@ -10788,9 +10788,9 @@ CVE-2021-36875 CVE-2021-36874 RESERVED CVE-2021-36873 (Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in W ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-36872 (Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in W ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-36871 (Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabi ...) NOT-FOR-US: Wordpress plugin CVE-2021-36870 (Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabi ...) @@ -10888,7 +10888,7 @@ CVE-2021-36825 CVE-2021-36824 RESERVED CVE-2021-36823 (Authenticated Stored Cross-Site Scripting (XSS) vulnerability in WordP ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-36822 RESERVED CVE-2021-36821 @@ -35641,7 +35641,7 @@ CVE-2021-26796 CVE-2021-26795 RESERVED CVE-2021-26794 (Privilege escalation in 'upload.php' in FrogCMS SentCMS v0.9.5 allows ...) - TODO: check + NOT-FOR-US: FrogCMS SentCMS CVE-2021-26793 RESERVED CVE-2021-26792 
@@ -44716,15 +44716,15 @@ CVE-2021-22955 CVE-2021-22954 RESERVED CVE-2021-22953 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to c ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2021-22952 (A vulnerability found in UniFi Talk application V1.12.3 and earlier pe ...) TODO: check CVE-2021-22951 RESERVED CVE-2021-22950 (Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachme ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to d ...) - TODO: check + NOT-FOR-US: Concrete CMS CVE-2021-22948 (Vulnerability in the generation of session IDs in revive-adserver ...) TODO: check CVE-2021-22947 [STARTTLS protocol injection via MITM] @@ -44755,7 +44755,7 @@ CVE-2021-22942 [ossible Open Redirect in Host Authorization Middleware] [stretch] - rails (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2021/08/20/1 CVE-2021-22941 (Improper Access Control in Citrix ShareFile storage zones controller b ...) - TODO: check + NOT-FOR-US: Citrix CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use aft ...) - nodejs 12.22.5~dfsg-1 [bullseye] - nodejs (Incomplete fix for CVE-2021-22930 not applied) @@ -46348,7 +46348,7 @@ CVE-2021-22278 CVE-2021-22277 RESERVED CVE-2021-22276 (The vulnerability allows a successful attacker to bypass the integrity ...) - TODO: check + NOT-FOR-US: ABB CVE-2021-22275 RESERVED CVE-2021-22274 
@@ -46939,37 +46939,37 @@ CVE-2021-22022 (The vRealize Operations Manager API (8.x prior to 8.5) contains CVE-2021-22021 (VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site S ...) NOT-FOR-US: VMware CVE-2021-22020 (The vCenter Server contains a denial-of-service vulnerability in the A ...) - TODO: check + NOT-FOR-US: VMWare CVE-2021-22019 (The vCenter Server contains a denial-of-service vulnerability in VAPI ...) - TODO: check + NOT-FOR-US: VMWare CVE-2021-22018 (The vCenter Server contains an arbitrary file deletion vulnerability i ...) - TODO: check + NOT-FOR-US: VMWare CVE-2021-22017 (Rhttproxy as used in vCenter Server contains a vulnerability due to im ...) - TODO: check + NOT-FOR-US: VMWare CVE-2021-22016 (The vCenter Server contains a reflected cross-site scripting vulnerabi ...) - TODO: check + NOT-FOR-US: VMWare CVE-2021-22015 (The vCenter Server contains multiple local privilege escalation vulner ...) - TODO: check + NOT-FOR-US: VMWare CVE-2021-22014 (The vCenter
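Review bot: the -46939 hunk writes "NOT-FOR-US: VMWare" for CVE-2021-22015 through CVE-2021-22020 while the unchanged context line for CVE-2021-22021 in the same hunk reads "NOT-FOR-US: VMware"; mixed capitalisation in the NFU annotation makes the vendor entries harder to search, so use "VMware" throughout (the "Typo fix" commit 33222c7d earlier in this digest has to do exactly that after the fact).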
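Review bot: the -10788 hunk uses "NOT-FOR-US: WordPress plugin" for CVE-2021-36872 and CVE-2021-36873 while the adjacent context line for CVE-2021-36871 reads "NOT-FOR-US: Wordpress plugin" (the -10888 hunk repeats the new spelling); pick one form for the whole block so the plugin entries can be found with a single search.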
[Git][security-tracker-team/security-tracker][master] Track proposed atftp via {buster,bullseye}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90299ca4 by Salvatore Bonaccorso at 2021-09-23T22:16:36+02:00 Track proposed atftp via {buster,bullseye}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -115,3 +115,5 @@ CVE-2021-2372 [buster] - mariadb-10.3 1:10.3.31-0+deb10u1 CVE-2021-38173 [buster] - btrbk 0.27.1-1+deb10u1 +CVE-2021-41054 + [buster] - atftp 0.7.git20120829-3.2+deb10u2 = data/next-point-update.txt = @@ -46,3 +46,5 @@ CVE-2021-3805 [bullseye] - node-object-path 0.11.5-3+deb11u1 CVE-2021-23440 [bullseye] - node-set-value 3.0.1-2+deb11u1 +CVE-2021-41054 + [bullseye] - atftp 0.7.git20120829-3.3+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90299ca4960a956cea9bc435cb369d0e37cacb1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90299ca4960a956cea9bc435cb369d0e37cacb1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd951f18 by Salvatore Bonaccorso at 2021-09-23T22:12:59+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6158,7 +6158,7 @@ CVE-2021-38879 CVE-2021-38878 RESERVED CVE-2021-38877 (IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38876 RESERVED CVE-2021-38875 @@ -6172,7 +6172,7 @@ CVE-2021-38872 CVE-2021-38871 RESERVED CVE-2021-38870 (IBM Aspera Cloud is vulnerable to stored cross-site scripting. This vu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38869 RESERVED CVE-2021-38868 @@ -6184,9 +6184,9 @@ CVE-2021-38866 CVE-2021-38865 RESERVED CVE-2021-38864 (IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensit ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38863 (IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain cl ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38862 RESERVED CVE-2021-38861 @@ -28123,9 +28123,9 @@ CVE-2021-29907 (IBM OpenPages with Watson 8.1 and 8.2 could allow an authenticat CVE-2021-29906 RESERVED CVE-2021-29905 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29904 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29903 RESERVED CVE-2021-29902 @@ -28267,9 +28267,9 @@ CVE-2021-29835 CVE-2021-29834 RESERVED CVE-2021-29833 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29832 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29831 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) NOT-FOR-US: IBM CVE-2021-29830 
@@ -28301,19 +28301,19 @@ CVE-2021-29818 (IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_G CVE-2021-29817 (IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1 ...) NOT-FOR-US: IBM CVE-2021-29816 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29815 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29814 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29813 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29812 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29811 (IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1 ...) NOT-FOR-US: IBM CVE-2021-29810 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbu ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29809 (IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1 ...) NOT-FOR-US: IBM CVE-2021-29808 (IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1 ...) @@ -28333,7 +28333,7 @@ CVE-2021-29802 (IBM Security SOAR performs an operation at a privilege level tha CVE-2021-29801 (IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user ...) NOT-FOR-US: IBM CVE-2021-29800 (IBM Tivoli Netcool/OMNIbus_GUI and IBM Jazz for Service Management 1.1 ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29799 RESERVED CVE-2021-29798 
@@ -52002,7 +52002,7 @@ CVE-2021-20565 (IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6 CVE-2021-20564 (IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, ...) NOT-FOR-US: IBM CVE-2021-20563 (IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could allow a remote ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20562 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_3 ...) NOT-FOR-US: IBM CVE-2021-20561 @@ -52158,9 +52158,9 @@ CVE-2021-20487 (IBM Power9 Self Boot Engine(SBE) could allow a privileged user t CVE-2021-20486 (IBM Cloud Pak for Data 3.0 could allow an authenticated user to obtain ...) NOT-FOR-US: IBM CVE-2021-20485 (IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 could allow a remote ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20484 (IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 is vulnerable to cro ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20483 (IBM
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34a9e870 by security tracker role at 2021-09-23T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2021-41572 + RESERVED +CVE-2021-41571 + RESERVED CVE-2021-41570 RESERVED CVE-2021-41569 @@ -22,8 +26,8 @@ CVE-2021-41561 RESERVED CVE-2021-3825 RESERVED -CVE-2021-3824 - RESERVED +CVE-2021-3824 (OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to in ...) + TODO: check CVE-2021-3823 RESERVED CVE-2021-3822 @@ -302,8 +306,8 @@ CVE-2021-41430 RESERVED CVE-2021-41429 RESERVED -CVE-2021-41428 - RESERVED +CVE-2021-41428 (Insecure permissions in Update Manager = 5.8.0.2300 and DFL = ...) + TODO: check CVE-2021-41427 RESERVED CVE-2021-41426 @@ -397,8 +401,8 @@ CVE-2021-41383 (setup.cgi on NETGEAR R6020 1.0.0.48 devices allows an admin to e NOT-FOR-US: Netgear CVE-2021-41382 (Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server managem ...) NOT-FOR-US: Plastic SCM -CVE-2021-41381 - RESERVED +CVE-2021-41381 (Payara Micro Community 5.2021.6 and below allows Directory Traversal. ...) + TODO: check CVE-2021-3816 RESERVED CVE-2021-41380 (RealVNC Viewer 6.21.406 allows remote VNC servers to cause a denial of ...) @@ -6153,8 +6157,8 @@ CVE-2021-38879 RESERVED CVE-2021-38878 RESERVED -CVE-2021-38877 - RESERVED +CVE-2021-38877 (IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross ...) + TODO: check CVE-2021-38876 RESERVED CVE-2021-38875 @@ -6167,8 +6171,8 @@ CVE-2021-38872 RESERVED CVE-2021-38871 RESERVED -CVE-2021-38870 - RESERVED +CVE-2021-38870 (IBM Aspera Cloud is vulnerable to stored cross-site scripting. This vu ...) + TODO: check CVE-2021-38869 RESERVED CVE-2021-38868 
@@ -6179,10 +6183,10 @@ CVE-2021-38866 RESERVED CVE-2021-38865 RESERVED -CVE-2021-38864 - RESERVED -CVE-2021-38863 - RESERVED +CVE-2021-38864 (IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensit ...) + TODO: check +CVE-2021-38863 (IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain cl ...) + TODO: check CVE-2021-38862 RESERVED CVE-2021-38861 @@ -10783,10 +10787,10 @@ CVE-2021-36875 RESERVED CVE-2021-36874 RESERVED -CVE-2021-36873 - RESERVED -CVE-2021-36872 - RESERVED +CVE-2021-36873 (Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in W ...) + TODO: check +CVE-2021-36872 (Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in W ...) + TODO: check CVE-2021-36871 (Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabi ...) NOT-FOR-US: Wordpress plugin CVE-2021-36870 (Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabi ...) @@ -10883,8 +10887,8 @@ CVE-2021-36825 RESERVED CVE-2021-36824 RESERVED -CVE-2021-36823 - RESERVED +CVE-2021-36823 (Authenticated Stored Cross-Site Scripting (XSS) vulnerability in WordP ...) + TODO: check CVE-2021-36822 RESERVED CVE-2021-36821 @@ -19836,8 +19840,8 @@ CVE-2021-33037 (Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 NOTE: https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02 (8.5.67) CVE-2021-33036 RESERVED -CVE-2021-33035 - RESERVED +CVE-2021-33035 (Apache OpenOffice opens dBase/DBF documents and shows the contents as ...) + TODO: check CVE-2021-33034 (In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use ...) {DLA-2690-1 DLA-2689-1} - linux 5.10.38-1 
@@ -19915,8 +19919,8 @@ CVE-2021-33001 RESERVED CVE-2021-33000 (Parsing a maliciously crafted project file may cause a heap-based buff ...) NOT-FOR-US: WebAccess HMI Designer -CVE-2021-32999 - RESERVED +CVE-2021-32999 (Improper handling of exceptional conditions in SuiteLink server while ...) + TODO: check CVE-2021-32998 RESERVED CVE-2021-32997 @@ -19939,8 +19943,8 @@ CVE-2021-32989 RESERVED CVE-2021-32988 (FATEK Automation WinProladder Versions 3.30 and prior are vulnerable t ...) NOT-FOR-US: FATEK Automation WinProladder -CVE-2021-32987 - RESERVED +CVE-2021-32987 (Null pointer dereference in SuiteLink server while processing command ...) + TODO: check CVE-2021-32986 RESERVED CVE-2021-32985 @@ -19955,8 +19959,8 @@ CVE-2021-32981 RESERVED CVE-2021-32980 RESERVED -CVE-2021-32979 - RESERVED +CVE-2021-32979 (Null pointer dereference in SuiteLink server while processing commands ...) + TODO: check
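Review bot: in the -302 hunk the imported description for CVE-2021-41428 reads "Insecure permissions in Update Manager = 5.8.0.2300 and DFL = ...", where a bare "=" after each product name reads as if the version comparison operators were dropped, most likely markup lost on import; the version range should be verified against the original CVE text before the entry is triaged, since the automatic update cannot tell whether "= 5.8.0.2300" was meant as an upper bound.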
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-20079/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f5897553 by Salvatore Bonaccorso at 2021-09-23T22:07:15+02:00 Update information on CVE-2019-20079/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -123731,11 +123731,12 @@ CVE-2019-20080 RESERVED CVE-2019-20079 (The autocmd feature in window.c in Vim before 8.1.2136 accesses freed ...) - vim 2:8.1.2136-1 - [buster] - vim (Minor issue) + [buster] - vim (Vulnerable code introduced later) [stretch] - vim (Vulnerable code introduced later) [jessie] - vim (vulnerable code was introduced later) NOTE: https://github.com/vim/vim/issues/5041 - NOTE: https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421 + NOTE: Introduced with: https://github.com/vim/vim/commit/a27e1dcddc9e3914ab34b164f71c51b72903b00b (v8.1.2121) + NOTE: Fixed by: https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421 (v8.1.2136) CVE-2019-20078 RESERVED CVE-2019-20077 (The Typesetter CMS 5.1 logout functionality is affected by a CSRF vuln ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f58975538c96ade3afe66f204f53ee9334011f22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f58975538c96ade3afe66f204f53ee9334011f22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
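Review bot: the buster annotation changes from "(Minor issue)" to "(Vulnerable code introduced later)", and the new "Introduced with" NOTE (v8.1.2121, with the fix in v8.1.2136) is what justifies that change, so both belong in the same commit as done here; while touching the block, the jessie line "vulnerable code was introduced later" could be made to match the stretch and buster wording exactly, so the three release lines read consistently.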
[Git][security-tracker-team/security-tracker][master] Remove one ignored entry which got an update in DLA-2765-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6492cc3 by Salvatore Bonaccorso at 2021-09-23T20:46:06+02:00 Remove one ignored entry which got an update in DLA-2765-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -279961,7 +279961,6 @@ CVE-2017-6061 (Cross-site scripting (XSS) vulnerability in the help component of NOT-FOR-US: SAP CVE-2017-6060 (Stack-based buffer overflow in jstest_main.c in mujstest in Artifex So ...) - mupdf 1.12.0+ds1-1 (unimportant) - [stretch] - mupdf (Vulnerable code not packaged or compiled) [wheezy] - mupdf (Vulnerable code not present) NOTE: Although jstest_main.c compiled during build and mujstest is created NOTE: it is not included in the produced binary packages View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6492cc3c2b9c2e65800262685fe033294ebb0d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6492cc3c2b9c2e65800262685fe033294ebb0d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
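Review bot: dropping the "[stretch] - mupdf (Vulnerable code not packaged or compiled)" line is consistent with DLA-2765-1 now listing CVE-2017-6060 for stretch (see the "Reserve DLA-2765-1 for mupdf" commit in this digest), but the two remaining NOTE lines still state that mujstest "is not included in the produced binary packages", which was the very reason the stretch entry was ignored; amend or drop those NOTEs so the entry no longer contradicts the advisory that fixes it.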
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-21468/redis as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 029d966b by Salvatore Bonaccorso at 2021-09-23T20:44:28+02:00 Mark CVE-2020-21468/redis as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79046,9 +79046,9 @@ CVE-2020-21470 CVE-2020-21469 RESERVED CVE-2020-21468 (A segmentation fault in the redis-server component of Redis 5.0.7 lead ...) - - redis + - redis (unimportant) NOTE: https://github.com/redis/redis/issues/6633 - TODO: check + NOTE: Negligible security impact; disputed issue upstream and unreproducible. CVE-2020-21467 RESERVED CVE-2020-21466 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/029d966be38fab45b37ba035111de59ec3d0dff8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/029d966be38fab45b37ba035111de59ec3d0dff8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixes for python3.9 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b206e7d8 by Salvatore Bonaccorso at 2021-09-23T20:42:25+02:00 Track fixes for python3.9 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3213,7 +3213,7 @@ CVE-2021-3738 CVE-2021-3737 [client can enter an infinite loop on a 100 Continue response from the server] RESERVED [experimental] - python3.9 3.9.6-1 - - python3.9 + - python3.9 3.9.7-1 [bullseye] - python3.9 (Minor issue) - python3.7 - python3.5 @@ -28082,7 +28082,7 @@ CVE-2021-29922 (library/std/src/net/parser.rs in Rust before 1.53.0 does not pro NOTE: https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading zero ...) [experimental] - python3.9 3.9.5-1 - - python3.9 (bug #989195) + - python3.9 3.9.7-1 (bug #989195) [bullseye] - python3.9 (Minor issue) NOTE: https://bugs.python.org/issue36384#msg392423 NOTE: https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1) 
@@ -32518,7 +32518,7 @@ CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier A CVE-2021-3426 (There's a flaw in Python 3's pydoc. A local or adjacent attacker who d ...) {DLA-2619-1} [experimental] - python3.9 3.9.3-1 - - python3.9 + - python3.9 3.9.7-1 [bullseye] - python3.9 (Minor issue) - python3.7 [buster] - python3.7 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b206e7d842e6153b4cb2563cd2ce46681b1c18e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b206e7d842e6153b4cb2563cd2ce46681b1c18e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
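Review bot: the -28082 hunk records the fix for CVE-2021-29921 in python3.9 3.9.7-1, but the entry's only commit reference is the upstream fix tagged v3.10.0b1; adding the 3.9-branch backport commit next to it would let a reader verify that 3.9.7 actually carries the change. The same applies to the -3213 and -32518 hunks (CVE-2021-3737, CVE-2021-3426), where the fixed version is set without a reference to the 3.9 backport.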
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2765-1 for mupdf
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f4858ea2 by Anton Gladky at 2021-09-23T20:42:13+02:00 Reserve DLA-2765-1 for mupdf - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Sep 2021] DLA-2765-1 mupdf - security update + {CVE-2016-10246 CVE-2016-10247 CVE-2017-6060 CVE-2018-10289 CVE-2018-136 CVE-2020-19609} + [stretch] - mupdf 1.14.0+ds1-4+deb9u1 [22 Sep 2021] DLA-2764-1 tomcat8 - security update {CVE-2021-41079} [stretch] - tomcat8 8.5.54-0+deb9u8 = data/dla-needed.txt = @@ -60,9 +60,6 @@ mosquitto NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) -- -mupdf (Anton Gladky) - NOTE: 20210817: fix for CVE-2020-19609 and CVE-2021-37220 in buster are to be put into a point release. --- ntfs-3g (Abhijith PA) -- nvidia-graphics-drivers View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4858ea2b01b88925584bcbcf4b9f3edd4936a30 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4858ea2b01b88925584bcbcf4b9f3edd4936a30 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
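Review bot: in the data/DLA/list hunk the CVE set for DLA-2765-1 contains "CVE-2018-136", which is not a well-formed CVE identifier (the sequence part needs at least four digits), so it cannot be matched against any entry in data/CVE/list; check whether the id was truncated when the advisory line was typed and correct it before the DLA text is sent out.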
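Review bot: the data/dla-needed.txt hunk removes the mupdf entry together with its NOTE that the fixes for CVE-2020-19609 and CVE-2021-37220 in buster are to go into a point release; CVE-2021-37220 is not among the CVEs listed for DLA-2765-1, so if it is still open for stretch that information should not disappear with the entry, and the buster point-release reminder should be carried over to wherever it is now tracked.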
[Git][security-tracker-team/security-tracker][master] LTS: unclaim libxstream-java
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: cc744cf2 by Anton Gladky at 2021-09-23T20:10:52+02:00 LTS: unclaim libxstream-java - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ jsoup (Markus Koschany) krb5 (Adrian Bunk) NOTE: 20210905: testing fixes -- -libxstream-java (Anton Gladky) +libxstream-java NOTE: 20210901: See thread at https://www.mail-archive.com/debian-lts@lists.debian.org/msg09588.html -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc744cf249af483728b45befab38991764049039 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc744cf249af483728b45befab38991764049039 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take ffmpeg
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: be685423 by Anton Gladky at 2021-09-23T19:43:02+02:00 LTS: take ffmpeg - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,7 +35,7 @@ debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) -- -ffmpeg +ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster -- fig2dev (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be6854237f1c6096bac104059eed9cf796d9f288 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be6854237f1c6096bac104059eed9cf796d9f288 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim fig2dev in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cff7c47 by Markus Koschany at 2021-09-23T19:40:36+02:00 Claim fig2dev in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ debian-archive-keyring (Utkarsh) ffmpeg NOTE: probably wait until stuff is fixed in Buster -- -fig2dev +fig2dev (Markus Koschany) -- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cff7c47ece1bf430bf4914a516f9e4a61566c50 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cff7c47ece1bf430bf4914a516f9e4a61566c50 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] follow security team and maintainer and mark two CVEs of gtkpod as ignored for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8911d82e by Thorsten Alteholz at 2021-09-23T18:35:39+02:00 follow security team and maintainer and mark two CVEs of gtkpod as ignored for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9985,6 +9985,7 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124. - gtkpod (bug #993376) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) + [stretch] - gtkpod (Minor issue) NOTE: https://github.com/wez/atomicparsley/commit/d72ccf06c98259d7261e0f3ac4fd8717778782c1 NOTE: https://github.com/wez/atomicparsley/issues/32 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...) @@ -9992,6 +9993,7 @@ CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813. - gtkpod (bug #993375) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) + [stretch] - gtkpod (Minor issue) NOTE: https://github.com/wez/atomicparsley/issues/30 NOTE: https://github.com/wez/atomicparsley/pull/31#issue-687280335 CVE-2021-37230 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8911d82e11af24b2cab38dcc3dd8ebdff29831da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8911d82e11af24b2cab38dcc3dd8ebdff29831da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Update note for redis.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c6db76fe by Chris Lamb at 2021-09-23T17:08:03+01:00 dla-needed.txt: Update note for redis. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,6 +88,7 @@ qtbase-opensource-src (Utkarsh) NOTE: 20210914: needs further checking for vulnerability. (utkarsh) -- redis (Chris Lamb) + NOTE: 20210923: Origins murky; may not even be a security issue. (lamby) -- ruby2.3 NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6db76fe127c14c822e5a0a88484726829ea2afe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6db76fe127c14c822e5a0a88484726829ea2afe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: add ffmpeg
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 49bfc022 by Thorsten Alteholz at 2021-09-23T17:48:55+02:00 add ffmpeg - - - - - 22a2ee73 by Thorsten Alteholz at 2021-09-23T17:50:01+02:00 follow security team and mark CVE-2021-33362 as ignored for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -19017,6 +19017,7 @@ CVE-2021-33362 (Stack buffer overflow in the hevc_parse_vps_extension function i - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Minor issue) [buster] - ccextractor (Minor issue) = data/dla-needed.txt = @@ -35,6 +35,9 @@ debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) -- +ffmpeg + NOTE: probably wait until stuff is fixed in Buster +-- fig2dev -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f50af7b6fb69137433480780eb7983eb9d5e2000...22a2ee73cccfaf48613c6d161e6f48ce45b19294 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f50af7b6fb69137433480780eb7983eb9d5e2000...22a2ee73cccfaf48613c6d161e6f48ce45b19294 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
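Review bot: the new dla-needed.txt entry's NOTE ("probably wait until stuff is fixed in Buster") carries no date or author initials, while the neighbouring notes in the same file follow the "NOTE: 20210920: ... (utkarsh)" pattern; recording the date and initials lets a later claimant see how old the assessment is and who made it. The CVE/list hunk adding "[stretch] - gpac (Minor issue)" for CVE-2021-33362 reuses the same wording as the buster and bullseye lines above it, which is consistent.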
[Git][security-tracker-team/security-tracker][master] 2 commits: add curl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c7872af by Thorsten Alteholz at 2021-09-23T17:30:38+02:00 add curl - - - - - f50af7b6 by Thorsten Alteholz at 2021-09-23T17:37:01+02:00 add redis - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,6 +29,8 @@ cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck NOTE: 20210914: still assessing whether or not affected (roberto) -- +curl (Thorsten Alteholz) +-- debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) @@ -82,6 +84,8 @@ python-babel qtbase-opensource-src (Utkarsh) NOTE: 20210914: needs further checking for vulnerability. (utkarsh) -- +redis (Chris Lamb) +-- ruby2.3 NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh) NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/30e5ff86074d0b1d1a9624c46f4336d6c2d2f43c...f50af7b6fb69137433480780eb7983eb9d5e2000 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/30e5ff86074d0b1d1a9624c46f4336d6c2d2f43c...f50af7b6fb69137433480780eb7983eb9d5e2000 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: add fig2dev
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f1305d96 by Thorsten Alteholz at 2021-09-23T17:26:59+02:00 add fig2dev - - - - - e48462ca by Thorsten Alteholz at 2021-09-23T17:27:00+02:00 follow security team and mark CVEs of libsolv as no-dsa - - - - - 30e5ff86 by Thorsten Alteholz at 2021-09-23T17:27:02+02:00 follow security team and mark CVEs of vim as no-dsa - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1514,6 +1514,7 @@ CVE-2021-3796 (vim is vulnerable to Use After Free ...) - vim (bug #994497) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/ab60b7f3-6fb1-4ac2-a4fa-4d592e08008d/ NOTE: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 (v8.2.3428) CVE-2021-3795 (semver-regex is vulnerable to Inefficient Regular Expression Complexit ...) @@ -1957,6 +1958,7 @@ CVE-2021-3778 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim (bug #994498) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273 NOTE: https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f (v8.2.3409) CVE-2021-3777 (nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity ...) @@ -2347,6 +2349,7 @@ CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim (bug #994076) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402) NOTE: Followup fix for introduced memory leak: https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1b6e08e (v8.2.3403) 
@@ -17534,6 +17537,7 @@ CVE-2021-33939 CVE-2021-33938 (Buffer overflow vulnerability in function prune_to_recommended in src/ ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/420 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33937 @@ -17553,16 +17557,19 @@ CVE-2021-33931 CVE-2021-33930 (Buffer overflow vulnerability in function pool_installable_whatprovide ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/417 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33929 (Buffer overflow vulnerability in function pool_disabled_solvable in sr ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/417 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33928 (Buffer overflow vulnerability in function pool_installable in src/repo ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/417 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33927 = data/dla-needed.txt = 
@@ -33,6 +33,8 @@ debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) -- +fig2dev +-- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ef0fe6e5ab9c57627cfbf720a19fa07b76401bff...30e5ff86074d0b1d1a9624c46f4336d6c2d2f43c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ef0fe6e5ab9c57627cfbf720a19fa07b76401bff...30e5ff86074d0b1d1a9624c46f4336d6c2d2f43c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ef0fe6e5 by Moritz Muehlenhoff at 2021-09-23T16:48:29+02:00 buster/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1610,6 +1610,7 @@ CVE-2021-40824 (A logic error in the room key sharing functionality of Element A CVE-2021-40823 (A logic error in the room key sharing functionality of matrix-js-sdk ( ...) - element-web (bug #866502) - node-matrix-js-sdk (bug #994213) + [bullseye] - node-matrix-js-sdk (Minor issue) NOTE: https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing/ NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9 (v12.4.1) CVE-2021-40822 @@ -3210,6 +3211,7 @@ CVE-2021-3737 [client can enter an infinite loop on a 100 Continue response from RESERVED [experimental] - python3.9 3.9.6-1 - python3.9 + [bullseye] - python3.9 (Minor issue) - python3.7 - python3.5 - python3.4 @@ -6771,6 +6773,7 @@ CVE-2021-38598 (OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 NOTE: https://review.opendev.org/c/openstack/neutron/+/785917/ CVE-2021-38597 (wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain si ...) - wolfssl (bug #992174) + [bullseye] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/commit/f93083be72a3b3d956b52a7ec13f307a27b6e093 CVE-2021-38596 RESERVED @@ -6922,6 +6925,8 @@ CVE-2019-25052 (In Linaro OP-TEE before 3.7.0, by using inconsistent or malforme NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2021-38511 (An issue was discovered in the tar crate before 0.4.36 for Rust. When ...) - rust-tar (bug #992173) + [bullseye] - rust-tar (Minor issue) + [buster] - rust-tar (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0080.html NOTE: https://github.com/alexcrichton/tar-rs/issues/238 CVE-2021-38540 (The variable import endpoint was not protected by authentication in Ai ...) 
@@ -7263,16 +7268,19 @@ CVE-2021-38383 (OwnTone (aka owntone-server) through 28.1 has a use-after-free i NOT-FOR-US: OwnTone CVE-2021-38382 (Live555 through 1.08 does not handle Matroska and Ogg files properly. ...) - liblivemedia + [buster] - liblivemedia (Minor issue) [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021959.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.06] CVE-2021-38381 (Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sendi ...) - liblivemedia + [buster] - liblivemedia (Minor issue) [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021961.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.09] CVE-2021-38380 (Live555 through 1.08 mishandles huge requests for the same MP3 stream, ...) - liblivemedia + [buster] - liblivemedia (Minor issue) [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021954.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.04] @@ -20262,6 +20270,7 @@ CVE-2021-32840 RESERVED CVE-2021-32839 (sqlparse is a non-validating SQL parser module for Python. In sqlparse ...) - sqlparse (bug #994841) + [bullseye] - sqlparse (Minor issue) [buster] - sqlparse (Vulnerable code introduced later) [stretch] - sqlparse (Vulnerable code introduced later) NOTE: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf 
@@ -28064,6 +28073,7 @@ CVE-2021-29922 (library/std/src/net/parser.rs in Rust before 1.53.0 does not pro CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading zero ...) [experimental] - python3.9 3.9.5-1 - python3.9 (bug #989195) + [bullseye] - python3.9 (Minor issue) NOTE: https://bugs.python.org/issue36384#msg392423 NOTE: https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1) NOTE: https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04 (v3.9.5) @@ -65215,6 +65225,7 @@ CVE-2020-27512 RESERVED CVE-2020-27511 (An issue was discovered in the stripTags and unescapeHTML components i ...) - prototypejs (bug #991898) + [bullseye] - prototypejs (Minor issue) NOTE: https://github.com/prototypejs/prototype/blame/dee2f7d8611248abce81287e1be4156011953c90/src/prototype/lang/string.js#L283 NOTE:
[Git][security-tracker-team/security-tracker][master] dla: claim apache2
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d191a6c by Sylvain Beucler at 2021-09-23T14:49:42+02:00 dla: claim apache2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ ansible (Lee Garrett) NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -apache2 +apache2 (Sylvain Beucler) -- cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d191a6c9da118aa0ee0737d987e0ff5313d4ad4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d191a6c9da118aa0ee0737d987e0ff5313d4ad4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] nodejs n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 039aa5e5 by Moritz Muehlenhoff at 2021-09-23T14:21:01+02:00 nodejs n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44759,9 +44759,8 @@ CVE-2021-22933 (A vulnerability in Pulse Connect Secure before 9.1R12 could allo CVE-2021-22932 (An issue has been identified in the CTX269106 mitigation tool for Citr ...) NOT-FOR-US: Citrix CVE-2021-22931 (Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Co ...) - - nodejs + - nodejs (Debian builds nodejs against src:c-ares) NOTE: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#cares-upgrade-improper-handling-of-untypical-characters-in-domain-names-high-cve-2021-22931 - TODO: check, nodejs uses system c-ares which fixed CVE-2021-3672 and so this entry might be not-affected CVE-2021-22930 [Use after free on close http2 on stream canceling] RESERVED - nodejs 12.22.4~dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039aa5e57bcddcb4e0441791a42ce32ab7c73232 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039aa5e57bcddcb4e0441791a42ce32ab7c73232 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
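Review bot: the replacement annotation on the nodejs line drops the CVE-2021-3672 cross-reference that the removed TODO carried ("nodejs uses system c-ares which fixed CVE-2021-3672"); suggest keeping it, e.g. "(Debian builds nodejs against src:c-ares, fixed via CVE-2021-3672)", so that the reasoning for the nodejs entry can be checked against the c-ares entry rather than re-derived the next time someone triages the bundled c-ares issue.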
[Git][security-tracker-team/security-tracker][master] Drop wordpress from dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f833d8f by Utkarsh Gupta at 2021-09-23T16:32:40+05:30 Drop wordpress from dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5454,6 +5454,7 @@ CVE-2021-39202 (WordPress is a free and open-source content management system wr NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fr6h-3855-j297 CVE-2021-39201 (WordPress is a free and open-source content management system written ...) - wordpress 5.8.1+dfsg1-1 (bug #994059) + [stretch] - wordpress (Vulnerable code added later) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v CVE-2021-39200 (WordPress is a free and open-source content management system written ...) - wordpress 5.8.1+dfsg1-1 (bug #994060) = data/dla-needed.txt = @@ -105,5 +105,3 @@ squashfs-tools (Thorsten Alteholz) -- tiff (Utkarsh) -- -wordpress --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f833d8f296e17dd6736de48a3d9807a7108459c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f833d8f296e17dd6736de48a3d9807a7108459c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
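Review bot: the added stretch annotation for CVE-2021-39201 reads "(Vulnerable code added later)" whereas the other entries touched on this page use "(Vulnerable code introduced later)" (sqlparse, ccextractor, node-ansi-regex); using the established wording keeps the reason text consistent and greppable across data/CVE/list. The dla-needed.txt hunk removing the wordpress block is otherwise straightforward.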
[Git][security-tracker-team/security-tracker][master] Fix one small typo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6d2282d by Salvatore Bonaccorso at 2021-09-23T12:42:23+02:00 Fix one small typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6203,7 +6203,7 @@ CVE-2021-3712 (ASN.1 strings are represented internally within OpenSSL as an ASN CVE-2021-3711 (In order to decrypt SM2 encrypted data an application is expected to c ...) {DSA-4963-1} - openssl 1.1.1l-1 - [stretch] - openssl (supprt for SM2 decryption added in 1.1.1-pre3) + [stretch] - openssl (support for SM2 decryption added in 1.1.1-pre3) - openssl1.0 (Vulnerability does not affect 1.0.2 series) NOTE: https://www.openssl.org/news/secadv/20210824.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46 (OpenSSL_1_1_1l) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6d2282d87ff10363cfe89ee32bd26d59deb63a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6d2282d87ff10363cfe89ee32bd26d59deb63a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update commit for CVE-2021-40438/apache2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6376a472 by Salvatore Bonaccorso at 2021-09-23T12:39:56+02:00 Update commit for CVE-2021-40438/apache2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2519,8 +2519,7 @@ CVE-2021-40439 CVE-2021-40438 (A crafted request uri-path can cause mod_proxy to forward the request ...) - apache2 2.4.49-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-40438 - NOTE: https://github.com/apache/httpd/commit/fe32f679f4f9da07b04a3387a6623ac45fbc15a1 - TODO: check commit + NOTE: https://github.com/apache/httpd/commit/d4901cb32133bc0e59ad193a29d1665597080d67 CVE-2021-40491 (The ftp client in GNU Inetutils before 2.2 does not validate addresses ...) - inetutils 2:2.2-1 (bug #993476) [bullseye] - inetutils (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6376a472dc52c5b813697d91e2a2180f3c96f369 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6376a472dc52c5b813697d91e2a2180f3c96f369 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
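Review bot: the new NOTE swaps the upstream commit reference without saying which httpd release carries it; other entries on this page annotate upstream commits with the fixing version (e.g. "(v8.2.3428)" for vim, "(0.7.17)" for libsolv), and since the entry already records "apache2 2.4.49-1" as the fixed Debian version, appending the upstream release to the commit NOTE would make the reference verifiable at a glance. Dropping the "TODO: check commit" line is fine once the correct commit has been identified, which is what the commit message states.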
[Git][security-tracker-team/security-tracker][master] add apache2
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f1c6f9bb by Thorsten Alteholz at 2021-09-23T12:21:43+02:00 add apache2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,6 +23,8 @@ ansible (Lee Garrett) NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +apache2 +-- cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck NOTE: 20210914: still assessing whether or not affected (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1c6f9bb7dd11f11d438f7904f9f11b8b480014a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1c6f9bb7dd11f11d438f7904f9f11b8b480014a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: add wordpress
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f3c34a2 by Thorsten Alteholz at 2021-09-23T11:57:30+02:00 add wordpress - - - - - c1c66ce6 by Thorsten Alteholz at 2021-09-23T11:59:20+02:00 add squashfs-tools - - - - - 864f0882 by Thorsten Alteholz at 2021-09-23T12:02:03+02:00 follow security team and mark some CVEs from gpac as ignored - - - - - d845a7c9 by Thorsten Alteholz at 2021-09-23T12:04:10+02:00 mark several CVEs from ligde265 as postponed until fixed upstream - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -22000,6 +22000,7 @@ CVE-2021-32139 (The gf_isom_vp_config_get function in GPAC 1.0.1 allows attacker - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Vulnerable code introduced later) [buster] - ccextractor (Vulnerable code introduced later) @@ -22009,12 +22010,14 @@ CVE-2021-32138 (The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cau - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/289ffce3e0d224d314f5f92a744d5fe35999f20b NOTE: https://github.com/gpac/gpac/issues/1767 CVE-2021-32137 (Heap buffer overflow in the URL_GetProtocolType function in MP4Box in ...) - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Minor issue) [buster] - ccextractor (Minor issue) 
@@ -22024,6 +22027,7 @@ CVE-2021-32136 (Heap buffer overflow in the print_udta function in MP4Box in GPA - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/eb71812fcc10e9c5348a5d1c61bd25b6fa06eaed NOTE: https://github.com/gpac/gpac/issues/1765 CVE-2021-32135 (The trak_box_size function in GPAC 1.0.1 allows attackers to cause a d ...) @@ -22037,6 +22041,7 @@ CVE-2021-32134 (The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Vulnerable code introduced later) [buster] - ccextractor (Vulnerable code introduced later) 
@@ -78663,66 +78668,79 @@ CVE-2020-21606 (libde265 v1.0.4 contains a heap buffer overflow fault in the put - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/232 CVE-2020-21605 (libde265 v1.0.4 contains a segmentation fault in the apply_sao_interna ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/234 CVE-2020-21604 (libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/231 CVE-2020-21603 (libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fa ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/240 CVE-2020-21602 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bi ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/242 CVE-2020-21601 (libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallb ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed
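Review bot: commit message d845a7c9 misspells the package as "ligde265" while the hunk itself adds "[stretch] - libde265 (Minor issue, revisit when fixed upstream)" lines; fixing the name in the message helps when searching history for libde265 later. The added stretch lines reuse the exact buster and bullseye wording, which is the right choice when the reason and the "revisit" instruction are the same across suites. The gpac hunks above likewise mirror the existing "(Minor issue)" annotations.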
[Git][security-tracker-team/security-tracker][master] 10 commits: mark CVE-2021-3711 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d20ab257 by Thorsten Alteholz at 2021-09-23T11:05:48+02:00 mark CVE-2021-3711 as not-affected for Stretch - - - - - ed422429 by Thorsten Alteholz at 2021-09-23T11:39:38+02:00 mark CVE-2021-38575 as no-dsa for Stretch - - - - - ef8b13bb by Thorsten Alteholz at 2021-09-23T11:40:55+02:00 mark CVE-2021-32280 as no-dsa for Stretch - - - - - e4dba6cd by Thorsten Alteholz at 2021-09-23T11:42:16+02:00 mark CVE-2021-40812 as no-dsa for Stretch - - - - - 47cc2611 by Thorsten Alteholz at 2021-09-23T11:44:44+02:00 mark CVE-2021-3805 as no-dsa for Stretch - - - - - 6aa32b6a by Thorsten Alteholz at 2021-09-23T11:45:29+02:00 mark CVE-2021-23440 as no-dsa for Stretch - - - - - 7f31d374 by Thorsten Alteholz at 2021-09-23T11:50:12+02:00 mark CVE-2021-3807 as not-affected for Stretch - - - - - 6e88e4b7 by Thorsten Alteholz at 2021-09-23T11:51:42+02:00 mark CVE-2021-40839 as no-dsa for Stretch - - - - - 84036693 by Thorsten Alteholz at 2021-09-23T11:53:35+02:00 mark CVE-2021-39214 as no-dsa for Stretch - - - - - f6bebaed by Thorsten Alteholz at 2021-09-23T11:55:10+02:00 mark CVE-2021-32294 as postponed for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -575,6 +575,7 @@ CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Comple - node-ansi-regex 5.0.1-1 (bug #994568) [bullseye] - node-ansi-regex (Minor issue) [buster] - node-ansi-regex (Minor issue) + [stretch] - node-ansi-regex (Vulnerable code introduced later) NOTE: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994 NOTE: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 (v6.0.1) CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extractArc ...) 
@@ -583,6 +584,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification o - node-object-path 0.11.8-1 [bullseye] - node-object-path (Minor issue) [buster] - node-object-path (Minor issue) + [stretch] - node-object-path (Minor issue) NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 NOTE: https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...) @@ -1572,6 +1574,7 @@ CVE-2021-40839 (The rencode package through 1.0.6 for Python allows an infinite - python-rencode 1.0.6-2 [bullseye] - python-rencode (Minor issue) [buster] - python-rencode (Minor issue) + [stretch] - python-rencode (Minor issue) NOTE: https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75 NOTE: https://github.com/aresch/rencode/pull/29 CVE-2021-40838 @@ -1665,6 +1668,7 @@ CVE-2021-40812 (The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of- - libgd2 [bullseye] - libgd2 (Minor issue) [buster] - libgd2 (Minor issue) + [stretch] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/issues/750#issuecomment-914872385 NOTE: https://github.com/libgd/libgd/commit/6f5136821be86e7068fcdf651ae9420b5d42e9a9 CVE-2021-40811 @@ -5410,6 +5414,7 @@ CVE-2021-39214 (mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. - mitmproxy (bug #994570) [bullseye] - mitmproxy (Minor issue) [buster] - mitmproxy (Minor issue) + [stretch] - mitmproxy (Minor issue) NOTE: https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-22gh-3r9q-xf38 CVE-2021-39213 (GLPI is a free Asset and IT management software package. Starting in v ...) - glpi (unimportant) 
@@ -6199,6 +6204,7 @@ CVE-2021-3712 (ASN.1 strings are represented internally within OpenSSL as an ASN CVE-2021-3711 (In order to decrypt SM2 encrypted data an application is expected to c ...) {DSA-4963-1} - openssl 1.1.1l-1 + [stretch] - openssl (supprt for SM2 decryption added in 1.1.1-pre3) - openssl1.0 (Vulnerability does not affect 1.0.2 series) NOTE: https://www.openssl.org/news/secadv/20210824.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46 (OpenSSL_1_1_1l) @@ -6820,6 +6826,7 @@ CVE-2021-38575 [edk2: remote buffer overflow in IScsiHexToBin function in Networ - edk2 2021.08-1 [bullseye] - edk2 (Minor issue) [buster] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 NOTE: https://edk2.groups.io/g/devel/message/76198 NOTE: https://github.com/tianocore/edk2/pull/1698 @@ -21645,6 +21652,7 @@ CVE-2021-32294 (An
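Review bot: typo in the stretch reason for CVE-2021-3711, "supprt for SM2 decryption added in 1.1.1-pre3" should read "support for SM2 decryption added in 1.1.1-pre3". The reason would also be easier to verify if it named the openssl version stretch ships, so it is evident that it predates 1.1.1-pre3, in the same way the existing "openssl1.0 (Vulnerability does not affect 1.0.2 series)" line states its scope. The final hunk (@@ -21645 ... CVE-2021-32294) is cut off in this mail, so the postponed marking named in the commit message is not visible for review here.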
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1561d719 by Moritz Muehlenhoff at 2021-09-23T10:23:17+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8005,7 +8005,7 @@ CVE-2021-3683 CVE-2021-38113 (In addBouquet in js/bqe.js in OpenWebif (aka e2openplugin-OpenWebif) t ...) NOT-FOR-US: OpenWebif (aka e2openplugin-OpenWebif) CVE-2021-38112 (In the Amazon AWS WorkSpaces client before 3.1.9 on Windows, argument ...) - TODO: check + NOT-FOR-US: Amazon AWS client for Windows CVE-2021-38111 (The DEF CON 27 badge allows remote attackers to exploit a buffer overf ...) NOT-FOR-US: DEF CON 27 badge CVE-2021-38110 @@ -141541,7 +141541,7 @@ CVE-2019-16653 (An application plugin in Genius Bytes Genius Server (Genius CDDS CVE-2019-16652 (The BPM component in Genius Bytes Genius Server (Genius CDDS) 3.2.2 al ...) NOT-FOR-US: Genius Bytes Genius Server (Genius CDDS) CVE-2019-16651 (An issue was discovered on Virgin Media Super Hub 3 (based on ARRIS TG ...) - TODO: check + NOT-FOR-US: Virgin Media Super Hub CVE-2019-16650 (On Supermicro X10 and X11 products, a client's access privileges may b ...) NOT-FOR-US: Supermicro CVE-2019-16649 (On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1561d719b09cd8ddc265547a1b892bcf241852c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1561d719b09cd8ddc265547a1b892bcf241852c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
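Review bot: minor naming point for CVE-2021-38112: the description reads "Amazon AWS WorkSpaces client before 3.1.9 on Windows" while the new line says "NOT-FOR-US: Amazon AWS client for Windows"; using the product name from the description ("Amazon AWS WorkSpaces client") keeps the NFU line consistent with the CVE text and easier to find when the entry is revisited.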
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 43a85d99 by Salvatore Bonaccorso at 2021-09-23T10:21:50+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15653,13 +15653,13 @@ CVE-2021-34772 CVE-2021-34771 (A vulnerability in the Cisco IOS XR Software CLI could allow an authen ...) NOT-FOR-US: Cisco CVE-2021-34770 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34769 (Multiple vulnerabilities in the Control and Provisioning of Wireless A ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34768 (Multiple vulnerabilities in the Control and Provisioning of Wireless A ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34767 (A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Co ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34766 RESERVED CVE-2021-34765 (A vulnerability in the web UI for Cisco Nexus Insights could allow an ...) @@ -15713,7 +15713,7 @@ CVE-2021-34742 CVE-2021-34741 RESERVED CVE-2021-34740 (A vulnerability in the WLAN Control Protocol (WCP) implementation for ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34739 RESERVED CVE-2021-34738 
@@ -15735,19 +15735,19 @@ CVE-2021-34731 CVE-2021-34730 (A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco ...) NOT-FOR-US: Cisco CVE-2021-34729 (A vulnerability in the CLI of Cisco IOS XE SD-WAN Software and Cisco I ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34728 (Multiple vulnerabilities in the CLI of Cisco IOS XR Software could all ...) NOT-FOR-US: Cisco CVE-2021-34727 (A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34726 (A vulnerability in the CLI of Cisco SD-WAN Software could allow an aut ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34725 (A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34724 (A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34723 (A vulnerability in a specific CLI command that is run on Cisco IOS XE ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34722 (Multiple vulnerabilities in the CLI of Cisco IOS XR Software could all ...) NOT-FOR-US: Cisco CVE-2021-34721 (Multiple vulnerabilities in the CLI of Cisco IOS XR Software could all ...) @@ -15765,11 +15765,11 @@ CVE-2021-34716 (A vulnerability in the web-based management interface of Cisco E CVE-2021-34715 (A vulnerability in the image verification function of Cisco Expressway ...) NOT-FOR-US: Cisco CVE-2021-34714 (A vulnerability in the Unidirectional Link Detection (UDLD) feature of ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34713 (A vulnerability in the Layer 2 punt code of Cisco IOS XR Software runn ...) NOT-FOR-US: Cisco CVE-2021-34712 (A vulnerability in the web-based management interface of Cisco SD-WAN ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34711 RESERVED CVE-2021-34710 
@@ -15783,11 +15783,11 @@ CVE-2021-34707 (A vulnerability in the REST API of Cisco Evolved Programmable Ne CVE-2021-34706 RESERVED CVE-2021-34705 (A vulnerability in the Voice Telephony Service Provider (VTSP) service ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34704 RESERVED CVE-2021-34703 (A vulnerability in the Link Layer Discovery Protocol (LLDP) message pa ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34702 RESERVED CVE-2021-34701 @@ -15795,13 +15795,13 @@ CVE-2021-34701 CVE-2021-34700 (A vulnerability in the CLI interface of Cisco SD-WAN vManage Software ...) NOT-FOR-US: Cisco CVE-2021-34699 (A vulnerability in the TrustSec CLI parser of Cisco IOS and Cisco IOS ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34698 RESERVED CVE-2021-34697 (A vulnerability in the Protection Against Distributed Denial of Servic ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-34696 (A vulnerability in the access control list (ACL) programming of Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-3605 (There's a flaw in OpenEXR's rleUncompress functionality in versions pr ...) {DLA-2732-1} - openexr 2.5.7-1 (bug #990899) @@ -58935,35 +58935,35 @@ CVE-2020-28640 CVE-2020-28639 RESERVED CVE-2021-1625 (A vulnerability in the Zone-Based Policy Firewall feature of Cisco IOS ...) - TODO: check + NOT-FOR-US: Cisco CVE-2021-1624 (A vulnerability in the Rate Limiting Network
[Git][security-tracker-team/security-tracker][master] add status update for ffmpeg
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a5cecf8 by Moritz Muehlenhoff at 2021-09-23T10:19:51+02:00 add status update for ffmpeg - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -25,6 +25,7 @@ chromium djvulibre -- ffmpeg/oldstable (jmm) + 4.1.7 fixes a number of bugs, but several further one in the 4.1 branch, reaching out for a 4.1.8 release date -- icu -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a5cecf8d89f4585e41ef14d2a0a4e46e86754ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a5cecf8d89f4585e41ef14d2a0a4e46e86754ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
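Review bot: the added ffmpeg status line is hard to parse: "4.1.7 fixes a number of bugs, but several further one in the 4.1 branch" leaves open whether further fixes have already landed in the 4.1 branch and are waiting for a release, or whether further issues remain unfixed. Since dsa-needed.txt entries drive the decision of when the DSA can be issued, spell this out, e.g. "4.1.7 fixes several of the open CVEs; further fixes are in the 4.1 branch but unreleased, asked upstream for a 4.1.8 release date", and list the CVE IDs that remain open after 4.1.7.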
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a695e6a by security tracker role at 2021-09-23T08:10:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2021-41570 + RESERVED +CVE-2021-41569 + RESERVED +CVE-2021-3826 + RESERVED CVE-2021-41568 RESERVED CVE-2021-41567 @@ -15646,14 +15652,14 @@ CVE-2021-34772 RESERVED CVE-2021-34771 (A vulnerability in the Cisco IOS XR Software CLI could allow an authen ...) NOT-FOR-US: Cisco -CVE-2021-34770 - RESERVED -CVE-2021-34769 - RESERVED -CVE-2021-34768 - RESERVED -CVE-2021-34767 - RESERVED +CVE-2021-34770 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) + TODO: check +CVE-2021-34769 (Multiple vulnerabilities in the Control and Provisioning of Wireless A ...) + TODO: check +CVE-2021-34768 (Multiple vulnerabilities in the Control and Provisioning of Wireless A ...) + TODO: check +CVE-2021-34767 (A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Co ...) + TODO: check CVE-2021-34766 RESERVED CVE-2021-34765 (A vulnerability in the web UI for Cisco Nexus Insights could allow an ...) @@ -15706,8 +15712,8 @@ CVE-2021-34742 RESERVED CVE-2021-34741 RESERVED -CVE-2021-34740 - RESERVED +CVE-2021-34740 (A vulnerability in the WLAN Control Protocol (WCP) implementation for ...) + TODO: check CVE-2021-34739 RESERVED CVE-2021-34738 
@@ -15728,20 +15734,20 @@ CVE-2021-34731 RESERVED CVE-2021-34730 (A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco ...) NOT-FOR-US: Cisco -CVE-2021-34729 - RESERVED +CVE-2021-34729 (A vulnerability in the CLI of Cisco IOS XE SD-WAN Software and Cisco I ...) + TODO: check CVE-2021-34728 (Multiple vulnerabilities in the CLI of Cisco IOS XR Software could all ...) NOT-FOR-US: Cisco -CVE-2021-34727 - RESERVED -CVE-2021-34726 - RESERVED -CVE-2021-34725 - RESERVED -CVE-2021-34724 - RESERVED -CVE-2021-34723 - RESERVED +CVE-2021-34727 (A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software ...) + TODO: check +CVE-2021-34726 (A vulnerability in the CLI of Cisco SD-WAN Software could allow an aut ...) + TODO: check +CVE-2021-34725 (A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow ...) + TODO: check +CVE-2021-34724 (A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an ...) + TODO: check +CVE-2021-34723 (A vulnerability in a specific CLI command that is run on Cisco IOS XE ...) + TODO: check CVE-2021-34722 (Multiple vulnerabilities in the CLI of Cisco IOS XR Software could all ...) NOT-FOR-US: Cisco CVE-2021-34721 (Multiple vulnerabilities in the CLI of Cisco IOS XR Software could all ...) @@ -15758,12 +15764,12 @@ CVE-2021-34716 (A vulnerability in the web-based management interface of Cisco E NOT-FOR-US: Cisco CVE-2021-34715 (A vulnerability in the image verification function of Cisco Expressway ...) NOT-FOR-US: Cisco -CVE-2021-34714 - RESERVED +CVE-2021-34714 (A vulnerability in the Unidirectional Link Detection (UDLD) feature of ...) + TODO: check CVE-2021-34713 (A vulnerability in the Layer 2 punt code of Cisco IOS XR Software runn ...) NOT-FOR-US: Cisco -CVE-2021-34712 - RESERVED +CVE-2021-34712 (A vulnerability in the web-based management interface of Cisco SD-WAN ...) + TODO: check CVE-2021-34711 RESERVED CVE-2021-34710 
@@ -15776,26 +15782,26 @@ CVE-2021-34707 (A vulnerability in the REST API of Cisco Evolved Programmable Ne NOT-FOR-US: Cisco CVE-2021-34706 RESERVED -CVE-2021-34705 - RESERVED +CVE-2021-34705 (A vulnerability in the Voice Telephony Service Provider (VTSP) service ...) + TODO: check CVE-2021-34704 RESERVED -CVE-2021-34703 - RESERVED +CVE-2021-34703 (A vulnerability in the Link Layer Discovery Protocol (LLDP) message pa ...) + TODO: check CVE-2021-34702 RESERVED CVE-2021-34701 RESERVED CVE-2021-34700 (A vulnerability in the CLI interface of Cisco SD-WAN vManage Software ...) NOT-FOR-US: Cisco -CVE-2021-34699 - RESERVED +CVE-2021-34699 (A vulnerability in the TrustSec CLI parser of Cisco IOS and Cisco IOS ...) + TODO: check CVE-2021-34698 RESERVED -CVE-2021-34697 - RESERVED -CVE-2021-34696 - RESERVED +CVE-2021-34697 (A vulnerability in the Protection Against Distributed Denial of Servic ...) + TODO: check +CVE-2021-34696 (A vulnerability in the access control list (ACL) programming of Cisco ...) + TODO: check CVE-2021-3605 (There's a flaw in OpenEXR's rleUncompress
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20315/gnome-shell
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3b70e89 by Salvatore Bonaccorso at 2021-09-23T08:22:50+02:00 Add CVE-2021-20315/gnome-shell - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52463,8 +52463,11 @@ CVE-2021-20317 RESERVED CVE-2021-20316 RESERVED -CVE-2021-20315 +CVE-2021-20315 [locking protection bypass allow unauthorized user to kill existing applications or start new ones] RESERVED + - gnome-shell + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2006285 + TODO: check, possibly Red Hat specific as issue introduced of backporting features to CentOS 8 Streams CVE-2021-20314 (Stack buffer overflow in libspf2 versions below 1.2.11 when processing ...) {DSA-4955-1 DLA-2739-1} - libspf2 1.2.10-7.1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3b70e8924f7abe11a23855b5d49c1d739bca3db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3b70e8924f7abe11a23855b5d49c1d739bca3db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
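Review bot: the new CVE-2021-20315 entry lists gnome-shell as affected without qualification while the TODO already suspects the bug is Red Hat specific; if the bugzilla reference confirms the locking bypass comes from features backported to CentOS 8 Stream, the entry should become a not-affected marking carrying that reason rather than an open package line. Two wording fixes when this is revisited: the bracketed title "locking protection bypass allow unauthorized user ..." should read "allows an unauthorized user", and "issue introduced of backporting features" should read "issue introduced by backporting features".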