[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3802/udisks2

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9662542 by Salvatore Bonaccorso at 2021-10-26T08:22:38+02:00
Add CVE-2021-3802/udisks2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5591,6 +5591,9 @@ CVE-2021-3803 (nth-check is vulnerable to Inefficient 
Regular Expression Complex
NOT-FOR-US: nth-check
 CVE-2021-3802
RESERVED
+   - udisks2 2.9.4-1
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2003649
+   NOTE: 
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-045.txt
 CVE-2021-41078
RESERVED
 CVE-2021-3801 (prism is vulnerable to Inefficient Regular Expression 
Complexity ...)
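Review bot: The fixed version `udisks2 2.9.4-1` on the first added line is not backed by a fix reference: the two NOTE lines point to the Red Hat bugzilla entry and the SySS advisory, neither of which identifies the upstream commit or release that closes the issue, and no Debian bug is cited in the `(bug #NNNNNN)` form used by other entries (NNNNNN standing for whatever bug number applies). Consider adding a NOTE with the upstream fix commit, in the `NOTE: <commit URL> (version)` form the hcxtools entry elsewhere on this page uses, so the version claim can be verified from the tracker alone.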



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d966254286064b4d48bce7c20c9f640e1d1be40b

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d966254286064b4d48bce7c20c9f640e1d1be40b
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-32286/hcxtools

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60e0f47b by Salvatore Bonaccorso at 2021-10-26T06:57:51+02:00
Track fixed version for CVE-2021-32286/hcxtools

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26575,7 +26575,7 @@ CVE-2021-32288 (An issue was discovered in heif through 
v3.6.2. A global-buffer-
 CVE-2021-32287 (An issue was discovered in heif through v3.6.2. A 
global-buffer-overfl ...)
NOT-FOR-US: Nokia HEIF implementation (different from libheif)
 CVE-2021-32286 (An issue was discovered in hcxtools through 6.1.6. A 
global-buffer-ove ...)
-   - hcxtools  (bug #994790)
+   - hcxtools 6.2.4-1 (bug #994790)
[bullseye] - hcxtools  (Minor issue)
NOTE: https://github.com/ZerBea/hcxtools/issues/155
NOTE: 
https://github.com/ZerBea/hcxtools/commit/e6505ddc262bc3254b39844895ebac70861001d2
 (6.1.2)
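Review bot: The version annotation on the last NOTE line, `(6.1.2)` after the fix commit URL, conflicts with the CVE text in the context line, which says hcxtools is affected `through 6.1.6`; a fix already contained in 6.1.2 could not leave 6.1.6 vulnerable. The fixed Debian upload being 6.2.4-1 suggests the commit belongs to a later upstream release, so the tag in the annotation should be re-checked against the first upstream release that actually contains commit e6505ddc before it is relied on for the bullseye "Minor issue" decision.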



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60e0f47b205cfce3c9e033aac9fecf3f466f1791



[Git][security-tracker-team/security-tracker][master] Take python3.5

2021-10-25 Thread Utkarsh Gupta (@utkarsh)


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e0e410a by Utkarsh Gupta at 2021-10-26T04:42:47+05:30
Take python3.5

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -70,7 +70,7 @@ openssh (Utkarsh)
   NOTE: 20211018: the regression doesn't happen for stretch; looking at
   NOTE: 20211018: the other bit. (utkarsh)
 --
-python3.5
+python3.5 (Utkarsh)
   NOTE: 20211003: whilst looks like a no-dsa/postponed candidate on a
   NOTE: 20211003: quick look, Canonical issued an update via the ESM
   NOTE: 20211003: pocket. Needs another look. (utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e0e410a944fafb95e5764624ada934df9dabf8e



[Git][security-tracker-team/security-tracker][master] Process several NFUs

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6cb3e2bd by Salvatore Bonaccorso at 2021-10-25T22:37:02+02:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4028,7 +4028,7 @@ CVE-2021-41773 (A flaw was found in a change made to path 
normalization in Apach
 CVE-2021-3839
RESERVED
 CVE-2017-20007 (Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web 
application allo ...)
-   TODO: check
+   NOT-FOR-US: Ingeteam INGEPAC DA AU
 CVE-2021-41772
RESERVED
 CVE-2021-41771
@@ -5350,7 +5350,7 @@ CVE-2021-41178
 CVE-2021-41177
RESERVED
 CVE-2021-41176 (Pterodactyl is an open-source game server management panel 
built with  ...)
-   TODO: check
+   NOT-FOR-US: Pterodactyl
 CVE-2021-41175
RESERVED
 CVE-2021-41174
@@ -6869,9 +6869,9 @@ CVE-2021-40528 (The ElGamal implementation in Libgcrypt 
before 1.9.4 allows plai
NOTE: hardening. We keep the original association as per 2021-09-19 
(until MITRE clarifies on
NOTE: a query).
 CVE-2021-40527 (Exposure of senstive information to an unauthorised actor in 
the "com. ...)
-   TODO: check
+   NOT-FOR-US: "com.onepeloton.erlich" mobile application
 CVE-2021-40526 (Incorrect calculation of buffer size vulnerability in Peleton 
TTR01 up ...)
-   TODO: check
+   NOT-FOR-US: Peleton
 CVE-2021-40525
RESERVED
 CVE-2021-3776
@@ -7250,7 +7250,7 @@ CVE-2021-40373 (playSMS before 1.4.5 allows Arbitrary 
Code Execution by entering
 CVE-2021-40372
RESERVED
 CVE-2021-40371 (Gridpro Request Management for Windows Azure Pack before 
2.0.7912 allo ...)
-   TODO: check
+   NOT-FOR-US: Gridpro Request Management for Windows Azure Pack
 CVE-2021-40370
RESERVED
 CVE-2021-40369
@@ -19507,7 +19507,7 @@ CVE-2021-35233
 CVE-2021-35232
RESERVED
 CVE-2021-35231 (As a result of an unquoted service path vulnerability present 
in the K ...)
-   TODO: check
+   NOT-FOR-US: Kiwi Syslog Server Installation Wizard
 CVE-2021-35230 (As a result of an unquoted service path vulnerability present 
in the K ...)
NOT-FOR-US: Kiwi CatTools Installation Wizard
 CVE-2021-35229
@@ -20306,27 +20306,27 @@ CVE-2021-34866
 CVE-2021-34865
RESERVED
 CVE-2021-34864 (This vulnerability allows local attackers to escalate 
privileges on af ...)
-   TODO: check
+   NOT-FOR-US: Parallels Desktop
 CVE-2021-34863 (This vulnerability allows network-adjacent attackers to 
execute arbitr ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2021-34862 (This vulnerability allows network-adjacent attackers to 
execute arbitr ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2021-34861 (This vulnerability allows network-adjacent attackers to 
execute arbitr ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2021-34860 (This vulnerability allows network-adjacent attackers to 
disclose sensi ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2021-34859 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
-   TODO: check
+   NOT-FOR-US: TeamViewer
 CVE-2021-34858
RESERVED
 CVE-2021-34857 (This vulnerability allows local attackers to escalate 
privileges on af ...)
-   TODO: check
+   NOT-FOR-US: Parallels Desktop
 CVE-2021-34856 (This vulnerability allows local attackers to escalate 
privileges on af ...)
-   TODO: check
+   NOT-FOR-US: Parallels Desktop
 CVE-2021-34855 (This vulnerability allows local attackers to disclose 
sensitive inform ...)
-   TODO: check
+   NOT-FOR-US: Parallels Desktop
 CVE-2021-34854 (This vulnerability allows local attackers to escalate 
privileges on af ...)
-   TODO: check
+   NOT-FOR-US: Parallels Desktop
 CVE-2021-34853 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
NOT-FOR-US: Foxit PDF Reader
 CVE-2021-34852 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
@@ -42638,7 +42638,7 @@ CVE-2021-25979
 CVE-2021-25978
RESERVED
 CVE-2021-25977 (In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to 
stored XSS du ...)
-   TODO: check
+   NOT-FOR-US: PiranhaCMS
 CVE-2021-25976
RESERVED
 CVE-2021-25975
@@ -45423,9 +45423,9 @@ CVE-2021-24887
 CVE-2021-24886
RESERVED
 CVE-2021-24885 (The YOP Poll WordPress plugin before 6.1.2 does not escape the 
perpage ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-24884 (The Formidable Form Builder WordPress plugin before 4.09.05 
allows to  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-24883
RESERVED
 CVE-2021-24882
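Review bot: The two replacement lines `NOT-FOR-US: WordPress plugin` are less specific than the other NOT-FOR-US entries in this commit (`Parallels Desktop`, `Kiwi Syslog Server Installation Wizard`, `PiranhaCMS`), which name the affected product. Since the plugin names are already in the descriptions (YOP Poll, Formidable Form Builder), consider `NOT-FOR-US: WordPress plugin YOP Poll` and `NOT-FOR-US: WordPress plugin Formidable Form Builder` so a later search for the plugin finds the triage decision.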
@@ -45623,7 +45623,7 @@ CVE-2021-24787
 CVE-2021-24786
RESERVED
 CVE-2021-24785 (The Great Quotes WordPress plugin through 1.0.0 does not 
sanitise and  ...)
-   TODO: check
+  

[Git][security-tracker-team/security-tracker][master] Reserve DSA number for php7.3 update

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a337f39d by Salvatore Bonaccorso at 2021-10-25T22:22:03+02:00
Reserve DSA number for php7.3 update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[25 Oct 2021] DSA-4993-1 php7.3 - security update
+   {CVE-2021-21703}
+   [buster] - php7.3 7.3.31-1~deb10u1
 [25 Oct 2021] DSA-4992-1 php7.4 - security update
{CVE-2021-21703}
[bullseye] - php7.4 7.4.25-1+deb11u1
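Review bot: The buster fix version on the third added line, `php7.3 7.3.31-1~deb10u1`, carries the same upstream version that the CVE-2021-21703 description on this page lists as affected (`7.3.x up to and including 7.3.31`), and the tracker NOTE for that CVE records upstream fixes only in 8.0.12 and 7.4.25. The buster package must therefore ship a backported patch on top of 7.3.31 rather than a new upstream release; a NOTE on the CVE entry saying so would stop the version string being misread as unfixed when it is compared against the upstream advisory.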


=
data/dsa-needed.txt
=
@@ -39,9 +39,6 @@ nodejs (jmm)
 --
 openjdk-11 (jmm)
 --
-php7.3/oldstable
-  Maintainer prepared updates, needs review/ack
---
 puppetdb (jmm)
 --
 python-pysaml2 (jmm)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a337f39d8911da5fcac2b43ac12c25bb49393424



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for php7.4 update

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60a43a55 by Salvatore Bonaccorso at 2021-10-25T22:14:51+02:00
Reserve DSA number for php7.4 update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[25 Oct 2021] DSA-4992-1 php7.4 - security update
+   {CVE-2021-21703}
+   [bullseye] - php7.4 7.4.25-1+deb11u1
 [22 Oct 2021] DSA-4991-1 mailman - security update
{CVE-2020-12108 CVE-2020-15011 CVE-2021-42096 CVE-2021-42097}
[buster] - mailman 1:2.1.29-1+deb10u2


=
data/dsa-needed.txt
=
@@ -42,9 +42,6 @@ openjdk-11 (jmm)
 php7.3/oldstable
   Maintainer prepared updates, needs review/ack
 --
-php7.4/stable
-  Maintainer prepared updates, needs review/ack
---
 puppetdb (jmm)
 --
 python-pysaml2 (jmm)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60a43a554c4eaf3c3562e5f73a7ea1546165a94e



[Git][security-tracker-team/security-tracker][master] Remove notes from withdrawn and rejected CVE-2021-23441

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1a7afa52 by Salvatore Bonaccorso at 2021-10-25T22:13:02+02:00
Remove notes from withdrawn and rejected CVE-2021-23441

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48606,7 +48606,6 @@ CVE-2021-23442 (This affects all versions of package 
@cookiex/deep. The global p
NOT-FOR-US: Node @cookiex/deep
 CVE-2021-23441
REJECTED
-   NOT-FOR-US: com.jsoniter:jsoniter
 CVE-2021-23440 (This affects the package set-value before <2.0.1, 
>=3.0.0 <4. ...)
- node-set-value 3.0.1-3 (bug #994448)
[bullseye] - node-set-value 3.0.1-2+deb11u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a7afa52a20bf9f66aadc45a261451dd0073f8c6



[Git][security-tracker-team/security-tracker][master] automatic update

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bff60510 by security tracker role at 2021-10-25T20:10:16+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2021-3904
+   RESERVED
+CVE-2021-3903
+   RESERVED
+CVE-2020-36503
+   RESERVED
 CVE-2021-43010
RESERVED
 CVE-2021-43009
@@ -4021,8 +4027,8 @@ CVE-2021-41773 (A flaw was found in a change made to path 
normalization in Apach
NOTE: https://www.openwall.com/lists/oss-security/2021/10/08/1
 CVE-2021-3839
RESERVED
-CVE-2017-20007
-   RESERVED
+CVE-2017-20007 (Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web 
application allo ...)
+   TODO: check
 CVE-2021-41772
RESERVED
 CVE-2021-41771
@@ -5343,8 +5349,8 @@ CVE-2021-41178
RESERVED
 CVE-2021-41177
RESERVED
-CVE-2021-41176
-   RESERVED
+CVE-2021-41176 (Pterodactyl is an open-source game server management panel 
built with  ...)
+   TODO: check
 CVE-2021-41175
RESERVED
 CVE-2021-41174
@@ -5689,8 +5695,8 @@ CVE-2021-41037
RESERVED
 CVE-2021-41036
RESERVED
-CVE-2021-41035
-   RESERVED
+CVE-2021-41035 (In Eclipse Openj9 before version 0.29.0, the JVM does not 
throw Illega ...)
+   TODO: check
 CVE-2021-41034 (The build of some language stacks of Eclipse Che version 6 
includes pu ...)
NOT-FOR-US: Eclipse Che
 CVE-2021-41033 (In all released versions of Eclipse Equinox, at least until 
version 4. ...)
@@ -6061,8 +6067,7 @@ CVE-2021-3798 [Soft token does not check if an EC key is 
valid]
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1928780
NOTE: Introduced with: 
https://github.com/opencryptoki/opencryptoki/commit/a179fd01a265a98194d9c06ec5958da1dd2ecae3
 (v3.15.0)
NOTE: Fixed by: 
https://github.com/opencryptoki/opencryptoki/commit/4e3b43c3d8844402c04a66b55c6c940f965109f0
-CVE-2021-40865
-   RESERVED
+CVE-2021-40865 (An Unsafe Deserialization vulnerability exists in the worker 
services  ...)
NOT-FOR-US: Apache Storm
 CVE-2021-3797 (hestiacp is vulnerable to Use of Wrong Operator in String 
Comparison ...)
NOT-FOR-US: Hestia Control Panel
@@ -6863,10 +6868,10 @@ CVE-2021-40528 (The ElGamal implementation in Libgcrypt 
before 1.9.4 allows plai
NOTE: CVE-2021-40528 got switched at some point, and CVE-2021-33560 
referring to the blinding
NOTE: hardening. We keep the original association as per 2021-09-19 
(until MITRE clarifies on
NOTE: a query).
-CVE-2021-40527
-   RESERVED
-CVE-2021-40526
-   RESERVED
+CVE-2021-40527 (Exposure of senstive information to an unauthorised actor in 
the "com. ...)
+   TODO: check
+CVE-2021-40526 (Incorrect calculation of buffer size vulnerability in Peleton 
TTR01 up ...)
+   TODO: check
 CVE-2021-40525
RESERVED
 CVE-2021-3776
@@ -10001,10 +10006,10 @@ CVE-2021-39223
RESERVED
 CVE-2021-39222
RESERVED
-CVE-2021-39221
-   RESERVED
-CVE-2021-39220
-   RESERVED
+CVE-2021-39221 (Nextcloud is an open-source, self-hosted productivity 
platform. The Ne ...)
+   TODO: check
+CVE-2021-39220 (Nextcloud is an open-source, self-hosted productivity platform 
The Nex ...)
+   TODO: check
 CVE-2021-39219 (Wasmtime is an open source runtime for WebAssembly & WASI. 
Wasmtim ...)
NOT-FOR-US: wasmtime
 CVE-2021-39218 (Wasmtime is an open source runtime for WebAssembly & WASI. 
In Wasm ...)
@@ -12182,8 +12187,7 @@ CVE-2021-3693 (LedgerSMB does not check the origin of 
HTML fragments merged into
NOTE: https://ledgersmb.org/cve-2021-3693-cross-site-scripting
 CVE-2021-3692 (yii2 is vulnerable to Use of Predictable Algorithm in Random 
Number Ge ...)
- yii  (bug #597899)
-CVE-2021-38294
-   RESERVED
+CVE-2021-38294 (A Command Injection vulnerability exists in the 
getTopologyHistory ser ...)
NOT-FOR-US: Apache Storm
 CVE-2021-38293
RESERVED
@@ -13889,8 +13893,7 @@ CVE-2021-37626 (Contao is an open source CMS that 
allows you to create websites
NOT-FOR-US: Contao CMS
 CVE-2021-37625 (Skytable is an open source NoSQL database. In versions prior 
to 0.6.4  ...)
NOT-FOR-US: Skytable
-CVE-2021-37624
-   RESERVED
+CVE-2021-37624 (FreeSWITCH is a Software Defined Telecom Stack enabling the 
digital tr ...)
- freeswitch  (bug #389591)
NOTE: 
https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3
 CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
@@ -19503,8 +19506,8 @@ CVE-2021-35233
RESERVED
 CVE-2021-35232
RESERVED
-CVE-2021-35231
-   RESERVED
+CVE-2021-35231 (As a result of an unquoted service path vulnerability present 
in the K ...)
+   TODO: check
 CVE-2021-35230 (As a result of an u

[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2021-21703

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
660fffe2 by Salvatore Bonaccorso at 2021-10-25T22:07:26+02:00
Add reference for CVE-2021-21703

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52770,6 +52770,7 @@ CVE-2021-21703 (In PHP versions 7.3.x up to and 
including 7.3.31, 7.4.x below 7.
NOTE: Fixed in 8.0.12, 7.4.25
NOTE: PHP Bug: http://bugs.php.net/81026
NOTE: 
https://github.com/php/php-src/commit/fadb1f8c1d08ae62b4f0a16917040fde57a3b93b
+   NOTE: https://www.ambionics.io/blog/php-fpm-local-root
 CVE-2021-21702 (In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 
8.0.x below ...)
{DSA-4856-1 DLA-2708-1}
- php8.0 8.0.2-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660fffe29cc3aaf0bdbe13df42214cdd80eef0e3



[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2021-21703/php*

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca8db18e by Salvatore Bonaccorso at 2021-10-25T21:42:30+02:00
Reference upstream commit for CVE-2021-21703/php*

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52769,6 +52769,7 @@ CVE-2021-21703 (In PHP versions 7.3.x up to and 
including 7.3.31, 7.4.x below 7.
- php7.0 
NOTE: Fixed in 8.0.12, 7.4.25
NOTE: PHP Bug: http://bugs.php.net/81026
+   NOTE: 
https://github.com/php/php-src/commit/fadb1f8c1d08ae62b4f0a16917040fde57a3b93b
 CVE-2021-21702 (In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 
8.0.x below ...)
{DSA-4856-1 DLA-2708-1}
- php8.0 8.0.2-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca8db18e036812af0a98340c3e6b414b7a8ff074



[Git][security-tracker-team/security-tracker][master] Revert "semi-automatic unclaim after 2 weeks of inactivity"

2021-10-25 Thread Jeremiah C. Foster (@jeremiah)


Jeremiah C. Foster pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92c9f24d by Jeremiah C. Foster at 2021-10-25T15:06:28-04:00
Revert "semi-automatic unclaim after 2 weeks of inactivity"
This was an old commit that is now irrelevant.

This reverts commit 827654f8d1b960cad8ef31edafe83bbdaeb00ce1.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -12,11 +12,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
---
-amd64-microcode
-  NOTE: 20210831: no binary package was built, possibly due to 
non-free-specific rules
-  NOTE: 20210831: https://lists.debian.org/debian-lts/2021/08/msg00033.html
-  NOTE: 20210912: https://lists.debian.org/debian-lts/2021/09/msg00018.html 
(utkarsh)
 --
 ansible
   NOTE: 20210411: As discussed with the maintainer I will update Buster first 
and
@@ -50,8 +45,6 @@ firmware-nonfree
 --
 gpac (Roberto C. Sánchez)
 --
-libreoffice (Sylvain Beucler)
---
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
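Review bot: Across both hunks this revert only removes the amd64-microcode block (first hunk) and the libreoffice claim (second hunk) introduced by 827654f8; the unclaims of firefox-esr, python3.5, redis and thunderbird visible in the two-commit compare view for the same push (further down this page) are not restored, so they came from the companion commit f8e29b6a and remain in effect. If the whole "semi-automatic unclaim" push was meant to be backed out, f8e29b6a needs its own revert; otherwise the commit message should say that only the first of the two commits is being reverted.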



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92c9f24d3d39c0bbd343977109fe85f53d541247



[Git][security-tracker-team/security-tracker][master] 2 commits: semi-automatic unclaim after 2 weeks of inactivity

2021-10-25 Thread Jeremiah C. Foster (@jeremiah)


Jeremiah C. Foster pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
827654f8 by Jeremiah C. Foster at 2021-10-25T14:50:38-04:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Jeremiah C. Foster 

- - - - -
f8e29b6a by Jeremiah C. Foster at 2021-10-25T14:50:39-04:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Jeremiah C. Foster 

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -12,6 +12,11 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
+--
+amd64-microcode
+  NOTE: 20210831: no binary package was built, possibly due to 
non-free-specific rules
+  NOTE: 20210831: https://lists.debian.org/debian-lts/2021/08/msg00033.html
+  NOTE: 20210912: https://lists.debian.org/debian-lts/2021/09/msg00018.html 
(utkarsh)
 --
 ansible
   NOTE: 20210411: As discussed with the maintainer I will update Buster first 
and
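Review bot: For a commit titled "semi-automatic unclaim after 2 weeks of inactivity", this hunk does something else: it re-adds a complete amd64-microcode entry whose NOTE lines are dated 20210831 and 20210912, rather than stripping a "(Name)" claim from an existing entry. The same pattern shows with the libreoffice line in the third hunk, which indicates the change was generated against a stale copy of dla-needed.txt and merged whole; the script or working copy producing the unclaim should be refreshed from master before the next run, and the re-added entries dropped unless they are still wanted.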
@@ -37,7 +42,7 @@ ffmpeg (Anton Gladky)
   NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/ffmpeg
   NOTE: ffmpeg 3.2.16 has been released
 --
-firefox-esr (Emilio)
+firefox-esr
 --
 firmware-nonfree
   NOTE: 20210731: WIP: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree
@@ -45,6 +50,8 @@ firmware-nonfree
 --
 gpac (Roberto C. Sánchez)
 --
+libreoffice (Sylvain Beucler)
+--
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
@@ -70,12 +77,12 @@ openssh (Utkarsh)
   NOTE: 20211018: the regression doesn't happen for stretch; looking at
   NOTE: 20211018: the other bit. (utkarsh)
 --
-python3.5 (Utkarsh)
+python3.5
   NOTE: 20211003: whilst looks like a no-dsa/postponed candidate on a
   NOTE: 20211003: quick look, Canonical issued an update via the ESM
   NOTE: 20211003: pocket. Needs another look. (utkarsh)
 --
-redis (Chris Lamb)
+redis
   NOTE: 20211004: Fixed in sid and experimental. (lamby)
   NOTE: 20211006: buster-pu filed in #995825. (lamby)
 --
@@ -91,5 +98,5 @@ salt (Markus Koschany)
   NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a 
debdiff. (utkarsh)
   NOTE: 20210816: will test the provided debdiff; needs testing as regression 
spotted. (utkarsh)
 --
-thunderbird (Emilio)
+thunderbird
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cb8fc1694a9fa413783b1bfdf9dd33375be09bdd...f8e29b6acbadc30246076fa40005ab89d13f1bdf



[Git][security-tracker-team/security-tracker][master] Add new freeswitch issues

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb8fc169 by Salvatore Bonaccorso at 2021-10-25T20:42:49+02:00
Add new freeswitch issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5391,8 +5391,12 @@ CVE-2021-41159 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq
 CVE-2021-41158
RESERVED
+   - freeswitch  (bug #389591)
+   NOTE: 
https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4
 CVE-2021-41157
RESERVED
+   - freeswitch  (bug #389591)
+   NOTE: 
https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
 CVE-2021-41156 (anuko/timetracker is an, open source time tracking system. In 
affected ...)
NOT-FOR-US: anuko/timetracker
 CVE-2021-41155 (Tuleap is a Free & Open Source Suite to improve management 
of soft ...)
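Review bot: The two new `- freeswitch  (bug #389591)` lines attach a package and a GHSA advisory to CVE IDs that are still RESERVED and carry no description, and the same bug number is reused for every one of the five freeswitch entries in this commit. Until MITRE publishes the descriptions, a bracketed summary on the CVE line (the form used elsewhere on this page, e.g. `CVE-2021-3798 [Soft token does not check if an EC key is valid]`) would make the entries distinguishable and let readers see which advisory maps to which issue without following each link.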
@@ -5421,6 +5425,8 @@ CVE-2021-41146 (qutebrowser is an open source 
keyboard-focused browser with a mi
NOTE: are not fixing a security vulnerability.
 CVE-2021-41145
RESERVED
+   - freeswitch  (bug #389591)
+   NOTE: 
https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m
 CVE-2021-41144
RESERVED
 CVE-2021-41143
@@ -5504,6 +5510,8 @@ CVE-2021-41106 (JWT is a library to work with JSON Web 
Token and JSON Web Signat
NOT-FOR-US: PHP lcobucci/jwt
 CVE-2021-41105
RESERVED
+   - freeswitch  (bug #389591)
+   NOTE: 
https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36
 CVE-2021-41104 (ESPHome is a system to control the ESP8266/ESP32. Anyone with 
web_serv ...)
NOT-FOR-US: ESPHome
 CVE-2021-41103 (containerd is an open source container runtime with an 
emphasis on sim ...)
@@ -13883,6 +13891,8 @@ CVE-2021-37625 (Skytable is an open source NoSQL 
database. In versions prior to
NOT-FOR-US: Skytable
 CVE-2021-37624
RESERVED
+   - freeswitch  (bug #389591)
+   NOTE: 
https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3
 CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 
[stretch] - exiv2  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb8fc1694a9fa413783b1bfdf9dd33375be09bdd



[Git][security-tracker-team/security-tracker][master] automatic update

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02fdf014 by security tracker role at 2021-10-25T08:10:13+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,321 @@
+CVE-2021-43010
+   RESERVED
+CVE-2021-43009
+   RESERVED
+CVE-2021-43008
+   RESERVED
+CVE-2021-43007
+   RESERVED
+CVE-2021-43006
+   RESERVED
+CVE-2021-43005
+   RESERVED
+CVE-2021-43004
+   RESERVED
+CVE-2021-43003
+   RESERVED
+CVE-2021-43002
+   RESERVED
+CVE-2021-43001
+   RESERVED
+CVE-2021-43000
+   RESERVED
+CVE-2021-42999
+   RESERVED
+CVE-2021-42998
+   RESERVED
+CVE-2021-42997
+   RESERVED
+CVE-2021-42996
+   RESERVED
+CVE-2021-42995
+   RESERVED
+CVE-2021-42994
+   RESERVED
+CVE-2021-42993
+   RESERVED
+CVE-2021-42992
+   RESERVED
+CVE-2021-42991
+   RESERVED
+CVE-2021-42990
+   RESERVED
+CVE-2021-42989
+   RESERVED
+CVE-2021-42988
+   RESERVED
+CVE-2021-42987
+   RESERVED
+CVE-2021-42986
+   RESERVED
+CVE-2021-42985
+   RESERVED
+CVE-2021-42984
+   RESERVED
+CVE-2021-42983
+   RESERVED
+CVE-2021-42982
+   RESERVED
+CVE-2021-42981
+   RESERVED
+CVE-2021-42980
+   RESERVED
+CVE-2021-42979
+   RESERVED
+CVE-2021-42978
+   RESERVED
+CVE-2021-42977
+   RESERVED
+CVE-2021-42976
+   RESERVED
+CVE-2021-42975
+   RESERVED
+CVE-2021-42974
+   RESERVED
+CVE-2021-42973
+   RESERVED
+CVE-2021-42972
+   RESERVED
+CVE-2021-42971
+   RESERVED
+CVE-2021-42970
+   RESERVED
+CVE-2021-42969
+   RESERVED
+CVE-2021-42968
+   RESERVED
+CVE-2021-42967
+   RESERVED
+CVE-2021-42966
+   RESERVED
+CVE-2021-42965
+   RESERVED
+CVE-2021-42964
+   RESERVED
+CVE-2021-42963
+   RESERVED
+CVE-2021-42962
+   RESERVED
+CVE-2021-42961
+   RESERVED
+CVE-2021-42960
+   RESERVED
+CVE-2021-42959
+   RESERVED
+CVE-2021-42958
+   RESERVED
+CVE-2021-42957
+   RESERVED
+CVE-2021-42956
+   RESERVED
+CVE-2021-42955
+   RESERVED
+CVE-2021-42954
+   RESERVED
+CVE-2021-42953
+   RESERVED
+CVE-2021-42952
+   RESERVED
+CVE-2021-42951
+   RESERVED
+CVE-2021-42950
+   RESERVED
+CVE-2021-42949
+   RESERVED
+CVE-2021-42948
+   RESERVED
+CVE-2021-42947
+   RESERVED
+CVE-2021-42946
+   RESERVED
+CVE-2021-42945
+   RESERVED
+CVE-2021-42944
+   RESERVED
+CVE-2021-42943
+   RESERVED
+CVE-2021-42942
+   RESERVED
+CVE-2021-42941
+   RESERVED
+CVE-2021-42940
+   RESERVED
+CVE-2021-42939
+   RESERVED
+CVE-2021-42938
+   RESERVED
+CVE-2021-42937
+   RESERVED
+CVE-2021-42936
+   RESERVED
+CVE-2021-42935
+   RESERVED
+CVE-2021-42934
+   RESERVED
+CVE-2021-42933
+   RESERVED
+CVE-2021-42932
+   RESERVED
+CVE-2021-42931
+   RESERVED
+CVE-2021-42930
+   RESERVED
+CVE-2021-42929
+   RESERVED
+CVE-2021-42928
+   RESERVED
+CVE-2021-42927
+   RESERVED
+CVE-2021-42926
+   RESERVED
+CVE-2021-42925
+   RESERVED
+CVE-2021-42924
+   RESERVED
+CVE-2021-42923
+   RESERVED
+CVE-2021-42922
+   RESERVED
+CVE-2021-42921
+   RESERVED
+CVE-2021-42920
+   RESERVED
+CVE-2021-42919
+   RESERVED
+CVE-2021-42918
+   RESERVED
+CVE-2021-42917
+   RESERVED
+CVE-2021-42916
+   RESERVED
+CVE-2021-42915
+   RESERVED
+CVE-2021-42914
+   RESERVED
+CVE-2021-42913
+   RESERVED
+CVE-2021-42912
+   RESERVED
+CVE-2021-42911
+   RESERVED
+CVE-2021-42910
+   RESERVED
+CVE-2021-42909
+   RESERVED
+CVE-2021-42908
+   RESERVED
+CVE-2021-42907
+   RESERVED
+CVE-2021-42906
+   RESERVED
+CVE-2021-42905
+   RESERVED
+CVE-2021-42904
+   RESERVED
+CVE-2021-42903
+   RESERVED
+CVE-2021-42902
+   RESERVED
+CVE-2021-42901
+   RESERVED
+CVE-2021-42900
+   RESERVED
+CVE-2021-42899
+   RESERVED
+CVE-2021-42898
+   RESERVED
+CVE-2021-42897
+   RESERVED
+CVE-2021-42896
+   RESERVED
+CVE-2021-42895
+   RESERVED
+CVE-2021-42894
+   RESERVED
+CVE-2021-42893
+   RESERVED
+CVE-2021-42892
+   RESERVED
+CVE-2021-42891
+   RESERVED
+CVE-2021-42890
+   RESERVED
+CVE-2021-42889
+   RESERVED
+CVE-2021-42888
+   RESERVED
+CVE-2021-42887
+   RESERVED
+CVE-2021-42886
+   RESERVED
+CVE-2021-42885
+   RESERVED
+CVE-2021-42884
+   RESERVED
+CVE-2021-42883
+   RESERVED
+CVE-2021-42882
+   RESERVED
+CVE-2021-42881
+   RESERVED
+CVE-2021-42880
+   RESERVED
+CVE-2021-42879
+   RESERVED
+CVE-2021-42878
+   RESERVED
+CVE-2021-42877
+   RESERVED
+CVE-2021-42876
+   RESERVED
+CVE-2021-42875
+   RESERVED
+CVE-2021-42874
+   RESERVED
+CVE-2021-42873
+   RESERVED
+CVE-2021-42872
+   RESERVED
+CVE-2021-42871
+   RESERVED
+CVE-2021-42870
+   RESE

[Git][security-tracker-team/security-tracker][master] Add php to dsa-needed list

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2073dd96 by Salvatore Bonaccorso at 2021-10-25T09:13:58+02:00
Add php to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -39,6 +39,12 @@ nodejs (jmm)
 --
 openjdk-11 (jmm)
 --
+php7.3/oldstable
+  Maintainer prepared updates, needs review/ack
+--
+php7.4/stable
+  Maintainer prepared updates, needs review/ack
+--
 puppetdb (jmm)
 --
 python-pysaml2 (jmm)
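Review bot: the two new php7.3/oldstable and php7.4/stable entries carry no CVE identifiers and no version of the maintainer-prepared update, so whoever picks up the "needs review/ack" step has nothing to review against from this file alone; the neighbouring entries (nodejs, openjdk-11, puppetdb, python-pysaml2) also name an assignee in parentheses, while the php entries leave that field empty, which reads as "unassigned" rather than "waiting on a reviewer". Suggest adding the CVE list and the prepared version under each entry, e.g. "  php7.4/stable" / "  Maintainer prepared updates (7.4.x-y), needs review/ack: CVE-..." with a placeholder until the exact ids are known.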



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2073dd9605c1bb538cfdbfa1aa67414caed4edbf



[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-411{59,60}/freerdp2 as no-dsa

2021-10-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ff6288c by Salvatore Bonaccorso at 2021-10-25T09:12:47+02:00
Mark CVE-2021-411{59,60}/freerdp2 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5059,11 +5059,15 @@ CVE-2021-41161
RESERVED
 CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 
+   [bullseye] - freerdp2  (Minor issue)
+   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg
 CVE-2021-41159 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 
+   [bullseye] - freerdp2  (Minor issue)
+   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq
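Review bot: the new [bullseye] and [buster] no-dsa markings for freerdp2 give only the generic "(Minor issue)" rationale, copied from the existing [stretch] freerdp line, with no recorded reason for why CVE-2021-41160 and CVE-2021-41159 are considered minor; a short justification next to the existing NOTE link (what limits impact, or that the fix is expected via a point release) would let the decision be revisited if a DSA later becomes warranted. Also, in the visible lines the "- freerdp2" and "- freerdp" entries show no status or version after the package name; if that is only the archive rendering dropping an angle-bracketed marker, fine, but confirm the committed lines still carry it, otherwise the tracker has no fixed-version information for these two packages.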



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ff6288c2d3da7c9bd8b5ad150ab4af8dcbedc35
