[Git][security-tracker-team/security-tracker][master] LTS: take mosquitto
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: db683d1b by Anton Gladky at 2021-10-16T22:57:15+02:00 LTS: take mosquitto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,7 +54,7 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -mosquitto +mosquitto (Anton Gladky) NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db683d1b158b5e2c7c12634accaf9c7dfc983ad0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db683d1b158b5e2c7c12634accaf9c7dfc983ad0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
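Review bot: the reassignment to `mosquitto (Anton Gladky)` in the dla-needed.txt hunk needs a dated NOTE in the file's own `NOTE: YYYYMMDD: ... (name)` form, because the two notes left under it are codehelp's (`20210805: coordinating upload to buster before DLA for Stretch`, `20210806: CVE-2021-34432 ignored in buster and stretch`) and the entry now reads as if someone other than the claimant still owns the buster coordination; record the handover and whether the buster upload from the 20210805 note has landed.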
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2786-1 for nghttp2
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d96f326 by Anton Gladky at 2021-10-16T22:43:13+02:00 Reserve DLA-2786-1 for nghttp2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Oct 2021] DLA-2786-1 nghttp2 - security update + {CVE-2018-1000168 CVE-2020-11080} + [stretch] - nghttp2 1.18.1-1+deb9u2 [12 Oct 2021] DLA-2785-1 linux-4.19 - security update {CVE-2020-3702 CVE-2020-16119 CVE-2021-3444 CVE-2021-3600 CVE-2021-3612 CVE-2021-3653 CVE-2021-3655 CVE-2021-3656 CVE-2021-3679 CVE-2021-3732 CVE-2021-3743 CVE-2021-3753 CVE-2021-22543 CVE-2021-33624 CVE-2021-34556 CVE-2021-35039 CVE-2021-35477 CVE-2021-37159 CVE-2021-37576 CVE-2021-38160 CVE-2021-38198 CVE-2021-38199 CVE-2021-38204 CVE-2021-38205 CVE-2021-40490 CVE-2021-42008 CVE-2021-42252} [stretch] - linux-4.19 4.19.208-1~deb9u1 = data/dla-needed.txt = @@ -58,9 +58,6 @@ mosquitto NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) -- -nghttp2 (Anton Gladky) - NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/nghttp2 --- ntfs-3g (Anton Gladky) -- nvidia-graphics-drivers View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d96f3263c3f4717bd365bd798a3622d98a11523 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d96f3263c3f4717bd365bd798a3622d98a11523 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
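Review bot: the tracker will show stretch as fixed in `nghttp2 1.18.1-1+deb9u2` as soon as the `[16 Oct 2021] DLA-2786-1 nghttp2 - security update` entry is in data/DLA/list, and the dla-needed.txt hunk drops the last pointer to the work in progress (`NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/nghttp2`); confirm that the 1.18.1-1+deb9u2 upload has been accepted and the advisory text for `{CVE-2018-1000168 CVE-2020-11080}` sent, and if either is still pending keep the dla-needed entry until it is, so the tracker does not claim a fix that is not yet in the archive.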
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64d3827b by security tracker role at 2021-10-16T20:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42606,6 +42606,7 @@ CVE-2021-25635 NOTE: Fixed by: https://github.com/LibreOffice/core/commit/edeb164c1d8ab64116afee4e2140403a362a1358 (7-0) NOTE: Fixed by: https://github.com/LibreOffice/core/commit/a5fe0bea138c5b32268a5cd0093908909d8bc013 (7-1) CVE-2021-25634 (LibreOffice supports digital signatures of ODF documents and macros wi ...) + {DSA-4988-1} - libreoffice 1:7.2.0-2 [buster] - libreoffice (Risk doesn't warrant complex backport) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25634 @@ -42619,6 +42620,7 @@ CVE-2021-25634 (LibreOffice supports digital signatures of ODF documents and mac NOTE: Fixed by: https://github.com/LibreOffice/core/commit/89befefb98487a27bff1003084e1200320828b3f (7-1) NOTE: Fixed by: https://github.com/LibreOffice/core/commit/b776cf1281660cf495e12824872576bb8e99d569 (7-1) CVE-2021-25633 (LibreOffice supports digital signatures of ODF documents and macros wi ...) + {DSA-4988-1} - libreoffice 1:7.2.0-2 [buster] - libreoffice (Risk doesn't warrant complex backport) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d3827b4764e83c5a4aa549c625b62681104316 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d3827b4764e83c5a4aa549c625b62681104316 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libreoffice DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b349350 by Moritz Mühlenhoff at 2021-10-16T21:19:50+02:00 libreoffice DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -42607,6 +42607,7 @@ CVE-2021-25635 NOTE: Fixed by: https://github.com/LibreOffice/core/commit/a5fe0bea138c5b32268a5cd0093908909d8bc013 (7-1) CVE-2021-25634 (LibreOffice supports digital signatures of ODF documents and macros wi ...) - libreoffice 1:7.2.0-2 + [buster] - libreoffice (Risk doesn't warrant complex backport) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25634 NOTE: https://www.openwall.com/lists/oss-security/2021/10/11/2 NOTE: XAdES/xades:SigningTime support introduced in 5.3, but pre-requisite for CVE-2021-25633/25634 also introduces it @@ -42619,6 +42620,7 @@ CVE-2021-25634 (LibreOffice supports digital signatures of ODF documents and mac NOTE: Fixed by: https://github.com/LibreOffice/core/commit/b776cf1281660cf495e12824872576bb8e99d569 (7-1) CVE-2021-25633 (LibreOffice supports digital signatures of ODF documents and macros wi ...) - libreoffice 1:7.2.0-2 + [buster] - libreoffice (Risk doesn't warrant complex backport) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633 NOTE: https://www.openwall.com/lists/oss-security/2021/10/11/1 NOTE: Pre-requisites (replacement for XSecParser): = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Oct 2021] DSA-4988-1 libreoffice - security update + {CVE-2021-25633 CVE-2021-25634} + [bullseye] - libreoffice 1:7.0.4-4+deb11u1 [15 Oct 2021] DSA-4987-1 squashfs-tools - security update {CVE-2021-41072} [buster] - squashfs-tools 1:4.3-12+deb10u2 = data/dsa-needed.txt = 
@@ -28,8 +28,6 @@ ffmpeg/oldstable (jmm) -- icu -- -libreoffice (jmm) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b3493501fd99045fad4003291c4ad65e4e40218 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b3493501fd99045fad4003291c4ad65e4e40218 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
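Review bot: the added `[buster] - libreoffice (Risk doesn't warrant complex backport)` lines in both data/CVE/list hunks carry a reason but no status keyword; the tracker syntax for this verdict is `[buster] - libreoffice <no-dsa> (Risk doesn't warrant complex backport)`, and an angle-bracket tag is exactly what this mail rendering would strip, so verify the committed lines contain `<no-dsa>` rather than a bare parenthesised note. The same hunks set no `[stretch]` status even though the retained NOTE says `XAdES/xades:SigningTime support introduced in 5.3`; record stretch explicitly (not-affected or no-dsa with the reason) so the LTS team does not have to re-triage from the note. The DSA/list entry's set `{CVE-2021-25633 CVE-2021-25634}` matches the two CVE entries touched.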
[Git][security-tracker-team/security-tracker][master] Track experimental uploaded fixes for thunderbird (mfsa2021-47)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a89fec3 by Salvatore Bonaccorso at 2021-10-16T21:12:15+02:00 Track experimental uploaded fixes for thunderbird (mfsa2021-47) But only those which have an intersect with unstable being unfixed. Some of the CVEs are known to be only affecting versions not released in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10605,6 +10605,7 @@ CVE-2021-38503 RESERVED CVE-2021-38502 RESERVED + [experimental] - thunderbird 1:91.2.0-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38502 TODO: double check, it was only referenced in mfsa2021-47 but not mfsa2021-46, but issue is about attack on SMTP STARTTLS connections @@ -10621,6 +10622,7 @@ CVE-2021-38500 {DSA-4981-1 DLA-2782-1} - firefox 93.0-1 - firefox-esr 91.2.0esr-1 + [experimental] - thunderbird 1:91.2.0-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-43/#CVE-2021-38500 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/#CVE-2021-38500 @@ -10652,6 +10654,7 @@ CVE-2021-38496 {DSA-4981-1 DLA-2782-1} - firefox 93.0-1 - firefox-esr 91.2.0esr-1 + [experimental] - thunderbird 1:91.2.0-1 - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-43/#CVE-2021-38496 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/#CVE-2021-38496 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a89fec34ed7d47ebadf281cc804548e16efc3ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a89fec34ed7d47ebadf281cc804548e16efc3ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
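Review bot: for CVE-2021-38502 the new `[experimental] - thunderbird 1:91.2.0-1` line is added while the `TODO: double check, it was only referenced in mfsa2021-47 but not mfsa2021-46 ...` line directly under it is still open, so the entry now asserts a fixed version for an issue whose scope has not been settled; either resolve the TODO first (its own remark that the issue is an attack on SMTP STARTTLS connections, together with it appearing only in the Thunderbird advisory mfsa2021-47, points to a Thunderbird-only issue) or hold the experimental tag for that one CVE until it is. Placing each tag above the unchanged bare `- thunderbird` line correctly keeps unstable unfixed, as the commit message intends.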
[Git][security-tracker-team/security-tracker][master] node-getobject spu/ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 20a650f6 by Moritz Mühlenhoff at 2021-10-16T21:06:39+02:00 node-getobject spu/ospu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -76,3 +76,5 @@ CVE-2020-28600 [buster] - openscad 2019.01~RC2-2+deb10u1 CVE-2020-28599 [buster] - openscad 2019.01~RC2-2+deb10u1 +CVE-2020-28282 + [buster] - node-getobject 0.1.0-2+deb10u1 = data/next-point-update.txt = @@ -16,3 +16,5 @@ CVE-2021-3778 [bullseye] - vim 2:8.2.2434-3+deb11u1 CVE-2021-3796 [bullseye] - vim 2:8.2.2434-3+deb11u1 +CVE-2020-28282 + [bullseye] - node-getobject 0.1.0-2+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20a650f6e7a7e93a985690ae12b967e2c1dda644 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20a650f6e7a7e93a985690ae12b967e2c1dda644 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] openrc n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9713767d by Moritz Mühlenhoff at 2021-10-16T21:04:47+02:00 openrc n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1453,7 +1453,7 @@ CVE-2021-42343 CVE-2021-42342 (An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the fi ...) NOT-FOR-US: Embedthis GoAhead CVE-2021-42341 (checkpath in OpenRC before 0.44.7 uses the direct output of strlen() t ...) - - openrc + - openrc (Introduced in 0.44) NOTE: https://github.com/OpenRC/openrc/issues/459 NOTE: https://github.com/OpenRC/openrc/pull/462 NOTE: https://github.com/OpenRC/openrc/commit/bb8334104baf4d5a4a442a8647fb9204738f2204 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9713767dceb792e0eaf22ec679fb8258d8d527ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9713767dceb792e0eaf22ec679fb8258d8d527ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
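Review bot: the replaced line `- openrc (Introduced in 0.44)` has a reason but no status tag, and for a commit titled `openrc n/a` the intended line is `- openrc <not-affected> (Introduced in 0.44)`; since the angle-bracket tag is exactly what this rendering would drop, verify the committed file has it, because as shown the tracker would read the line as unfixed-with-a-note rather than not-affected. The `0.44` boundary is what carries the verdict for the archive, and the three NOTE links (issue #459, PR #462, commit bb8334104baf) are the fix references, not the introducing change; add a NOTE pointing at the commit or release that introduced the strlen() handling in checkpath so the not-affected claim can be checked without redoing the bisect.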
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-37146/ros-ros-comm via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ef811a8 by Salvatore Bonaccorso at 2021-10-16T21:00:29+02:00 Track fixed version for CVE-2021-37146/ros-ros-comm via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13884,7 +13884,7 @@ CVE-2021-37147 RESERVED CVE-2021-37146 (An infinite loop in Open Robotics ros_comm XMLRPC server in ROS Melodi ...) [experimental] - ros-ros-comm 1.15.13+ds1-1 - - ros-ros-comm + - ros-ros-comm 1.15.13+ds1-2 [bullseye] - ros-ros-comm (Minor issue) [buster] - ros-ros-comm (Minor issue) [stretch] - ros-ros-comm (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ef811a8991e897e0eeb2b7cd275f26e18b11fa1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ef811a8991e897e0eeb2b7cd275f26e18b11fa1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
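Review bot: the unstable line becomes `- ros-ros-comm 1.15.13+ds1-2`, which is higher than the retained `[experimental] - ros-ros-comm 1.15.13+ds1-1` line above it, so the experimental line no longer contributes to the fixed-status computation and could be dropped, though keeping it is harmless. The unchanged `[bullseye]`/`[buster]`/`[stretch]` lines show only `(Minor issue)` with no `<no-dsa>` tag in this rendering, the same pattern as other entries in this batch; confirm the tags are present in the file.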
[Git][security-tracker-team/security-tracker][master] CVE-2021-42326/redmine: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e4a7e423 by Sylvain Beucler at 2021-10-16T18:59:21+02:00 CVE-2021-42326/redmine: reference patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1715,6 +1715,7 @@ CVE-2021-42326 (Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the nam NOTE: https://www.redmine.org/news/133 NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_4_1#415-2021-10-10 NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10 + NOTE: https://www.redmine.org/projects/redmine/repository/revisions/21209 CVE-2021-42325 (Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbM ...) NOT-FOR-US: Froxlor CVE-2021-42324 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4a7e42383383a4d4adc5299cacb3635db6ff639 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4a7e42383383a4d4adc5299cacb3635db6ff639 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
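Review bot: the added `NOTE: https://www.redmine.org/projects/redmine/repository/revisions/21209` gives the upstream changeset but not which branch or release it belongs to; the Changelog notes above it list both 4.1.5 and 4.2.3, and the rest of the file annotates fix references as `NOTE: Fixed by: <url> (<version>)`, so write this one as `NOTE: Fixed by: ... (4.1.5)` (or whichever release r21209 is on) so the LTS uploader can tell without opening it whether this is the 4.1-branch or 4.2-branch commit.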
[Git][security-tracker-team/security-tracker][master] dla: claim redmine
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f502b24 by Sylvain Beucler at 2021-10-16T18:44:06+02:00 dla: claim redmine - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,7 +88,7 @@ redis (Chris Lamb) NOTE: 20211004: Fixed in sid and experimental. (lamby) NOTE: 20211006: buster-pu filed in #995825. (lamby) -- -redmine +redmine (Sylvain Beucler) NOTE: 20211013: Issue appears to be private, so may require comparison of release NOTE: 20211013: tarballs to find upstream changeset. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f502b244cfd0afdff0cf524ed26c72cae2e298a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f502b244cfd0afdff0cf524ed26c72cae2e298a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
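Review bot: the claim `redmine (Sylvain Beucler)` leaves the 20211013 notes, which say the issue appears private and the upstream changeset would have to be found by comparing release tarballs, as the entry's last word; add a dated NOTE in the same `NOTE: YYYYMMDD: ... (name)` form once the changeset is identified, or stating that it is still being looked for, so the entry's recorded state matches its new owner.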
[Git][security-tracker-team/security-tracker][master] Add two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b617c59 by Salvatore Bonaccorso at 2021-10-16T18:09:39+02:00 Add two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2537,6 +2537,7 @@ CVE-2021-41972 RESERVED CVE-2021-41971 RESERVED + NOT-FOR-US: Apache Superset CVE-2021-3856 RESERVED NOT-FOR-US: Keycloak @@ -24688,6 +24689,7 @@ CVE-2021-32610 (In Archive_Tar before 1.4.14, symlinks can refer to targets outs NOTE: https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f61ca26bf7d4 (1.4.14) CVE-2021-32609 RESERVED + NOT-FOR-US: Apache Superset CVE-2021-32608 (An issue was discovered in Smartstore (aka SmartStoreNET) through 4.1. ...) NOT-FOR-US: Smartstore CVE-2021-32607 (An issue was discovered in Smartstore (aka SmartStoreNET) through 4.1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b617c59eba1512ee7a8a5cc2149bdf43c5e261a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b617c59eba1512ee7a8a5cc2149bdf43c5e261a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
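Review bot: both `NOT-FOR-US: Apache Superset` lines are attached to entries that are still `RESERVED` with no description, so nothing in the file shows why CVE-2021-41971 and CVE-2021-32609 are attributed to Superset; add a NOTE with the source of the attribution (the upstream announcement or list post), as the described entries in this file do for their references, otherwise the later automatic update that fills in the description cannot be checked against the verdict.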
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-34866/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db9e1c2a by Salvatore Bonaccorso at 2021-10-16T09:02:25+02:00 Add CVE-2021-34866/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19187,6 +19187,11 @@ CVE-2021-34867 RESERVED CVE-2021-34866 RESERVED + - linux 5.14.6-1 + [bullseye] - linux 5.10.70-1 + [buster] - linux (Vulnerable code introduced later) + [stretch] - linux (Vulnerable code introduced later) + NOTE: Fixed by: https://git.kernel.org/linus/5b029a32cfe4600f5e10e36b41778506b90fd4de (5.14) CVE-2021-34865 RESERVED CVE-2021-34864 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db9e1c2a79ed70ab5cf509a81f228bc12e384cc9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db9e1c2a79ed70ab5cf509a81f228bc12e384cc9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
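Review bot: the single `NOTE: Fixed by: https://git.kernel.org/linus/5b029a32cfe4600f5e10e36b41778506b90fd4de (5.14)` line does not by itself justify `[bullseye] - linux 5.10.70-1`; it tags the fix as a 5.14 commit, so the bullseye version implicitly relies on that commit having been picked into 5.10.y before 5.10.70. Add the stable reference (the 5.10.y commit or the stable release that carries it) so both fixed versions are verifiable from the entry. The `[buster]`/`[stretch]` lines `(Vulnerable code introduced later)` appear here without a `<not-affected>` tag, as elsewhere in this batch; confirm the tag is in the file.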