[Git][security-tracker-team/security-tracker][master] 2 commits: Track upstream commit for CVE-2017-16014/node-http-proxy
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 40edfdad by Salvatore Bonaccorso at 2021-11-21T08:36:48+01:00 Track upstream commit for CVE-2017-16014/node-http-proxy - - - - - 804961e2 by Salvatore Bonaccorso at 2021-11-21T08:37:32+01:00 Update status for CVE-2017-16014/node-http-proxy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -259078,9 +259078,10 @@ CVE-2017-16016 (Sanitize-html is a library for scrubbing html input of malicious CVE-2017-16015 (Forms is a library for easily creating HTML forms. Versions before 1.3 ...) NOT-FOR-US: Forms CVE-2017-16014 (Http-proxy is a proxying library. Because of the way errors are handle ...) - - node-http-proxy + - node-http-proxy (Fixed before initial upload to Debian) NOTE: https://nodesecurity.io/advisories/323 NOTE: https://github.com/nodejitsu/node-http-proxy/pull/101 + NOTE: https://github.com/http-party/node-http-proxy/commit/07c8d2ee6017264c3d4deac9f42ca264a3740b48 (v0.7.0) CVE-2017-16013 (hapi is a web and services application framework. When hapi = 15.0 ...) NOT-FOR-US: hapi CVE-2017-16012 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eb5228190a2002170bf9a2f1bcc29197e2a1487b...804961e260a7f4f0ab01c153644824b0a8887a0e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eb5228190a2002170bf9a2f1bcc29197e2a1487b...804961e260a7f4f0ab01c153644824b0a8887a0e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] node-http-proxy is now in Debian.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: eb522819 by Markus Koschany at 2021-11-21T00:35:32+01:00 node-http-proxy is now in Debian. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -259078,7 +259078,7 @@ CVE-2017-16016 (Sanitize-html is a library for scrubbing html input of malicious CVE-2017-16015 (Forms is a library for easily creating HTML forms. Versions before 1.3 ...) NOT-FOR-US: Forms CVE-2017-16014 (Http-proxy is a proxying library. Because of the way errors are handle ...) - - node-http-proxy (bug #896978) + - node-http-proxy NOTE: https://nodesecurity.io/advisories/323 NOTE: https://github.com/nodejitsu/node-http-proxy/pull/101 CVE-2017-16013 (hapi is a web and services application framework. When hapi = 15.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb5228190a2002170bf9a2f1bcc29197e2a1487b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb5228190a2002170bf9a2f1bcc29197e2a1487b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
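Review bot: dropping the ITP bug reference leaves `- node-http-proxy` with no fixed version, so the entry now reads as an open issue in unstable rather than a resolved one; the hook that fails on ITPed packages will stop complaining, but the status is incomplete until the uploaded package has been compared against the upstream fix referenced in `NOTE: https://github.com/nodejitsu/node-http-proxy/pull/101` and the first fixed (or unaffected) version is recorded on that line.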
Processing 82160e66359134d235b263cd53548b64a681d856 failed
The error message was: data/CVE/list:259080: ITPed package node-http-proxy is in the archive make: *** [Makefile:19: all] Error 1
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2823-2 for salt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 82160e66 by Markus Koschany at 2021-11-21T00:17:03+01:00 Reserve DLA-2823-2 for salt - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[21 Nov 2021] DLA-2823-2 salt - regression update + [stretch] - salt 2016.11.2+ds-1+deb9u9 [20 Nov 2021] DLA-2824-1 firebird3.0 - security update {CVE-2017-11509} [stretch] - firebird3.0 3.0.1.32609.ds4-14+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82160e66359134d235b263cd53548b64a681d856 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82160e66359134d235b263cd53548b64a681d856 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
Processing 4b6ff0e3729cff2b1fb6d5c725bce42f4b671ee4 failed
The error message was: data/CVE/list:259080: ITPed package node-http-proxy is in the archive make: *** [Makefile:19: all] Error 1
[Git][security-tracker-team/security-tracker][master] Process four new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b6ff0e3 by Salvatore Bonaccorso at 2021-11-20T21:12:50+01:00 Process four new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -45045,11 +45045,11 @@ CVE-2021-26937 (encoding.c in GNU Screen through 4.8.0 allows remote attackers t NOTE: https://savannah.gnu.org/bugs/?60030 NOTE: First patch applied in -4, but revised patch applied in -5 which fixed regressions CVE-2021-23219 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2021-23217 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2021-23201 (NVIDIA GPU and Tegra hardware contain a vulnerability in an internal m ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2020-36244 (The daemon in GENIVI diagnostic log and trace (DLT), is vulnerable to ...) - dlt-daemon 2.18.6-1 [buster] - dlt-daemon (Minor issue) 
@@ -70066,7 +70066,7 @@ CVE-2020-28578 (A vulnerability in Trend Micro InterScan Web Security Virtual Ap CVE-2020-28577 (An improper access control information disclosure vulnerability in Tre ...) NOT-FOR-US: Trend Micro CVE-2021-1125 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2021-1124 RESERVED CVE-2021-1123 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b6ff0e3729cff2b1fb6d5c725bce42f4b671ee4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b6ff0e3729cff2b1fb6d5c725bce42f4b671ee4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
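Review bot: the four entries switched to `NOT-FOR-US: NVIDIA` here (CVE-2021-23219, CVE-2021-23217, CVE-2021-23201, CVE-2021-1125) all share the `NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...` description, but the automatic update that introduced them (commit 655f115d) also added CVE-2021-34400, CVE-2021-34399, CVE-2021-1105 and CVE-2021-1088 with the identical description and `TODO: check`; those four should get the same treatment in the same pass, or a note on why they are held back, so the batch is triaged consistently.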
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 655f115d by security tracker role at 2021-11-20T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2021-44078 + RESERVED +CVE-2021-44077 + RESERVED +CVE-2021-3991 + RESERVED +CVE-2021-3990 + RESERVED +CVE-2021-3989 + RESERVED +CVE-2021-3988 + RESERVED +CVE-2021-3987 + RESERVED +CVE-2021-3986 + RESERVED CVE-2021-44076 RESERVED CVE-2021-44075 @@ -9917,7 +9933,6 @@ CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versi [stretch] - bluez (Minor issue) NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d939483328489fb835bb425d36f7c7c73d52c388 (4.0) - NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0 CVE-2021-41228 (TensorFlow is an open source platform for machine learning. In affecte ...) - tensorflow (bug #804612) @@ -26273,10 +26288,10 @@ CVE-2021-34402 RESERVED CVE-2021-34401 RESERVED -CVE-2021-34400 - RESERVED -CVE-2021-34399 - RESERVED +CVE-2021-34400 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) + TODO: check +CVE-2021-34399 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) + TODO: check CVE-2021-34398 (NVIDIA DCGM, all versions prior to 2.2.9, contains a vulnerability in ...) NOT-FOR-US: NVIDIA CVE-2021-34397 (Bootloader contains a vulnerability in NVIDIA MB2, which may cause fre ...) 
@@ -45029,12 +45044,12 @@ CVE-2021-26937 (encoding.c in GNU Screen through 4.8.0 allows remote attackers t NOTE: https://www.openwall.com/lists/oss-security/2021/02/09/3 NOTE: https://savannah.gnu.org/bugs/?60030 NOTE: First patch applied in -4, but revised patch applied in -5 which fixed regressions -CVE-2021-23219 - RESERVED -CVE-2021-23217 - RESERVED -CVE-2021-23201 - RESERVED +CVE-2021-23219 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) + TODO: check +CVE-2021-23217 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) + TODO: check +CVE-2021-23201 (NVIDIA GPU and Tegra hardware contain a vulnerability in an internal m ...) + TODO: check CVE-2020-36244 (The daemon in GENIVI diagnostic log and trace (DLT), is vulnerable to ...) - dlt-daemon 2.18.6-1 [buster] - dlt-daemon (Minor issue) @@ -70050,8 +70065,8 @@ CVE-2020-28578 (A vulnerability in Trend Micro InterScan Web Security Virtual Ap NOT-FOR-US: Trend Micro CVE-2020-28577 (An improper access control information disclosure vulnerability in Tre ...) NOT-FOR-US: Trend Micro -CVE-2021-1125 - RESERVED +CVE-2021-1125 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) + TODO: check CVE-2021-1124 RESERVED CVE-2021-1123 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) @@ -70090,8 +70105,8 @@ CVE-2021-1107 (NVIDIA Linux kernel distributions contain a vulnerability in nvma NOT-FOR-US: NVIDIA CVE-2021-1106 (NVIDIA Linux kernel distributions contain a vulnerability in nvmap, wh ...) NOT-FOR-US: NVIDIA -CVE-2021-1105 - RESERVED +CVE-2021-1105 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) + TODO: check CVE-2021-1104 (The RISC-V Instruction Set Manual contains a documented ambiguity for ...) NOT-FOR-US: RISC-V CVE-2021-1103 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) 
@@ -70158,8 +70173,8 @@ CVE-2021-1090 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner NOTE: CVE description is wrong, per https://nvidia.custhelp.com/app/answers/detail/a_id/5211 only for Windows CVE-2021-1089 (NVIDIA GPU Display Driver for Windows contains a vulnerability in nvid ...) NOT-FOR-US: NVIDIA GPU Display Driver for Windows -CVE-2021-1088 - RESERVED +CVE-2021-1088 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) + TODO: check CVE-2021-1087 (NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager ...) NOT-FOR-US: NVIDIA vGPU driver CVE-2021-1086 (NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager ...) @@ -272978,7 +272993,7 @@ CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary CVE-2017-11510 (An information leak exists in Wanscam's HW0021 network camera that all ...) NOT-FOR-US: Wanscam's HW0021 network camera CVE-2017-11509 (An
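Review bot: the hunk at `@@ -9917,7 +9933,6 @@` removes `NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0` from CVE-2021-41229 while keeping the `Introduced by` note; an automatic update should not be discarding a hand-written reference, and the most plausible cause is the empty line that commit c928a149 inserted between the two NOTE lines, which detaches the second note from the entry. The upstream fix reference should be restored directly under the `Introduced by` line, without the blank line.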
[Git][security-tracker-team/security-tracker][master] Mark for now CVE-2021-22096 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d822cf4 by Salvatore Bonaccorso at 2021-11-20T21:02:41+01:00 Mark for now CVE-2021-22096 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56644,6 +56644,8 @@ CVE-2021-22097 (In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the S NOT-FOR-US: Spring AMQP CVE-2021-22096 (In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older ...) - libspring-java + [bullseye] - libspring-java (Minor issue) + [buster] - libspring-java (Minor issue) [stretch] - libspring-java (Minor issue, no known patch) NOTE: https://github.com/spring-projects/spring-framework/issues/27647 (patch unidentifiable) CVE-2021-22095 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d822cf4a7b317a626440238064e7f2da414bc0c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d822cf4a7b317a626440238064e7f2da414bc0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
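Review bot: the new `[bullseye]` and `[buster]` lines say only `(Minor issue)` while the existing `[stretch]` line says `(Minor issue, no known patch)`; since `NOTE: https://github.com/spring-projects/spring-framework/issues/27647 (patch unidentifiable)` applies to every release, carrying the same qualifier on all three lines would make it clear that the postponement is blocked on an identifiable upstream fix and not only on severity.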
[Git][security-tracker-team/security-tracker][master] Claim roundcube in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a1a80c83 by Markus Koschany at 2021-11-20T20:25:14+01:00 Claim roundcube in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ nvidia-graphics-drivers NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm NOTE: 20211108: now fixes all 5 CVEs (bunk) -- -roundcube +roundcube (Markus Koschany) -- rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1a80c83bd2516896dd606f294225898df69e2fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1a80c83bd2516896dd606f294225898df69e2fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage roundcube for stretch LTS (CVE-2021-44025 & CVE-2021-44026)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 27fb44e8 by Chris Lamb at 2021-11-20T08:58:12-08:00 data/dla-needed.txt: Triage roundcube for stretch LTS (CVE-2021-44025 CVE-2021-44026) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,6 +79,8 @@ nvidia-graphics-drivers NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm NOTE: 20211108: now fixes all 5 CVEs (bunk) -- +roundcube +-- rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27fb44e8a72e2b346afc482cca6af3d1c2bfa5bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27fb44e8a72e2b346afc482cca6af3d1c2bfa5bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
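Review bot: the new `roundcube` entry in dla-needed.txt is added without a NOTE line, whereas the commit title names the two issues being triaged (CVE-2021-44025 and CVE-2021-44026) and the neighbouring entries (`nvidia-graphics-drivers`, `rustc`) carry dated NOTE lines; a line such as `NOTE: 20211120: CVE-2021-44025 CVE-2021-44026` under the entry would let whoever claims it see the scope without consulting the git log.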
[Git][security-tracker-team/security-tracker][master] LTS: re-claim gpac in dla-needed.txt, update notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: dc137674 by Roberto C. Sánchez at 2021-11-20T10:48:55-05:00 LTS: re-claim gpac in dla-needed.txt, update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,8 +44,9 @@ gerbv (Anton) -- gmp (Anton) -- -gpac +gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) + NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) -- kodi (Adrian Bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc137674b69ecdc968e86315dc577765893e06b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc137674b69ecdc968e86315dc577765893e06b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-22096/libspring-java: stretch ignored
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 55ffc977 by Sylvain Beucler at 2021-11-20T16:13:10+01:00 CVE-2021-22096/libspring-java: stretch ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56644,8 +56644,8 @@ CVE-2021-22097 (In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the S NOT-FOR-US: Spring AMQP CVE-2021-22096 (In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older ...) - libspring-java - [stretch] - libspring-java (Minor issue) - NOTE: request for commit info https://github.com/spring-projects/spring-framework/issues/27647 + [stretch] - libspring-java (Minor issue, no known patch) + NOTE: https://github.com/spring-projects/spring-framework/issues/27647 (patch unidentifiable) CVE-2021-22095 RESERVED CVE-2021-22094 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55ffc977c3543be3663f80c405b519dc45b98668 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55ffc977c3543be3663f80c405b519dc45b98668 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-41229/bluez
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dbcf3c4 by Salvatore Bonaccorso at 2021-11-20T15:49:26+01:00 Add Debian bug reference for CVE-2021-41229/bluez - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9911,7 +9911,7 @@ CVE-2021-41231 CVE-2021-41230 (Pomerium is an open source identity-aware access proxy. In affected ve ...) NOT-FOR-US: Pomerium CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versions a ...) - - bluez + - bluez (bug #1000262) [bullseye] - bluez (Minor issue) [buster] - bluez (Minor issue) [stretch] - bluez (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dbcf3c4be61dc3a328428d047de631906919800 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dbcf3c4be61dc3a328428d047de631906919800 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add roundcube to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 267e8d4f by Salvatore Bonaccorso at 2021-11-20T15:45:04+01:00 Add roundcube to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -41,6 +41,9 @@ python-pysaml2 (jmm) -- rabbitmq-server -- +roundcube + Maintainer prepared and proposed update, needs review and ack +-- runc -- samba/oldstable (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/267e8d4fab33f30810b174e1c0749ca700e7ede4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/267e8d4fab33f30810b174e1c0749ca700e7ede4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track upstream commit information for CVE-2021-41229/bluez
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c928a149 by Salvatore Bonaccorso at 2021-11-20T15:39:48+01:00 Track upstream commit information for CVE-2021-41229/bluez - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9916,6 +9916,9 @@ CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versi [buster] - bluez (Minor issue) [stretch] - bluez (Minor issue) NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq + NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d939483328489fb835bb425d36f7c7c73d52c388 (4.0) + + NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0 CVE-2021-41228 (TensorFlow is an open source platform for machine learning. In affecte ...) - tensorflow (bug #804612) CVE-2021-41227 (TensorFlow is an open source platform for machine learning. In affecte ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c928a149327707472f90781db1e3f9247a2dccc6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c928a149327707472f90781db1e3f9247a2dccc6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
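Review bot: the hunk adds an empty line between `NOTE: Introduced by: ...` and `NOTE: Fixed by: ...` (the bare `+` with no content, which is the third added line in `@@ -9916,6 +9916,9 @@`); an empty line terminates the CVE-2021-41229 record, so the `Fixed by` note is no longer attached to the entry and is liable to be dropped the next time the list is regenerated. Remove the empty line so both notes sit directly under the entry.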
[Git][security-tracker-team/security-tracker][master] Track proposed update for wavpack via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21e9313d by Salvatore Bonaccorso at 2021-11-20T15:26:48+01:00 Track proposed update for wavpack via buster-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -82,3 +82,7 @@ CVE-2021-38714 [buster] - plib 1.8.5-8+deb10u1 CVE-2020-12268 [buster] - jbig2dec 0.16-1+deb10u1 +CVE-2019-1010317 + [buster] - wavpack 5.1.0-6+deb10u1 +CVE-2019-1010319 + [buster] - wavpack 5.1.0-6+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21e9313d845a5be5ae48a3359d0a6c192de5eb40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21e9313d845a5be5ae48a3359d0a6c192de5eb40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2824-1 for firebird3.0
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cb738231 by Sylvain Beucler at 2021-11-20T11:29:34+01:00 Reserve DLA-2824-1 for firebird3.0 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -272975,7 +272975,6 @@ CVE-2017-11510 (An information leak exists in Wanscam's HW0021 network camera th CVE-2017-11509 (An authenticated remote attacker can execute arbitrary code in Firebir ...) {DLA-2129-1 DLA-1374-1} - firebird3.0 3.0.3.32900.ds4-3 - [stretch] - firebird3.0 (Minor issue, can be fixed along in a future update) - firebird2.5 NOTE: https://www.tenable.com/security/research/tra-2017-36 NOTE: https://github.com/FirebirdSQL/firebird/issues/5787 = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Nov 2021] DLA-2824-1 firebird3.0 - security update + {CVE-2017-11509} + [stretch] - firebird3.0 3.0.1.32609.ds4-14+deb9u1 [19 Nov 2021] DLA-2823-1 salt - security update {CVE-2021-21996} [stretch] - salt 2016.11.2+ds-1+deb9u8 = data/dla-needed.txt = @@ -30,10 +30,6 @@ debian-archive-keyring exiv2 (Thorsten Alteholz) NOTE: 20211109: testing package -- -firebird3.0 (Sylvain Beucler) - NOTE: 2028: CVE-2017-11509 was fixed in firebird2.5 in wheezy (DLA-1374-1) - NOTE: 2028: and jessie (DLA-2129-1) but is unfixed in firebird in stretch. (bunk) --- firefox-esr (Emilio) NOTE: 2026: blocked on toolchain backports (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb73823153415dc3e82841f0a8fbd29f4abf7124 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb73823153415dc3e82841f0a8fbd29f4abf7124 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
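Review bot: the data/CVE/list hunk removes `[stretch] - firebird3.0 (Minor issue, can be fixed along in a future update)` but leaves the reference line `{DLA-2129-1 DLA-1374-1}` untouched, so until DLA-2824-1 appears there the stretch status of CVE-2017-11509 is derived from the unstable line `- firebird3.0 3.0.3.32900.ds4-3`, which is newer than the stretch version in the new DLA entry (`3.0.1.32609.ds4-14+deb9u1`); confirm that the DLA id is added to the braces once the advisory is published, or add it now, so stretch does not show as vulnerable in the meantime.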
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2021-41190
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d56d88cc by Salvatore Bonaccorso at 2021-11-20T10:20:37+01:00 Update notes on CVE-2021-41190 This is a bit cumbersome to track. My understanding is that the CVE is specifically for the specification issue. Several container projects have mitigated the issue by releasing updates. Such as the mentioned containerd and golang-github-opencontainers-image-spec. As such keep it for now as NFU, though making a note on the mitigations in software. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list =
@@ -9993,7 +9993,12 @@ CVE-2021-41192 CVE-2021-41191 (Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. ...) NOT-FOR-US: Roblox-Purchasing-Hub CVE-2021-41190 (The OCI Distribution Spec project defines an API protocol to facilitat ...) - NOT-FOR-US: OCI Distribution Spec + NOT-FOR-US: OCI Distribution Specification + NOTE: Issue in the OCI Distribution Specification. Software mitigations are applied to + NOTE: containerd/1.5.8~ds1-1 and golang-github-opencontainers-image-spec/1.0.2-1 + NOTE: https://www.openwall.com/lists/oss-security/2021/11/19/10 + NOTE: https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m + NOTE: https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh CVE-2021-41189 (DSpace is an open source turnkey repository application. In version 7. ...) NOT-FOR-US: DSpace CVE-2021-41188 (Shopware is open source e-commerce software. Versions prior to 5.7.6 c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d56d88cc5c785d969a508f0628331a10384de55d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d56d88cc5c785d969a508f0628331a10384de55d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-37592/suricata
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b261c57 by Salvatore Bonaccorso at 2021-11-20T10:10:38+01:00 Add CVE-2021-37592/suricata - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18804,7 +18804,9 @@ CVE-2021-37594 (In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_conte CVE-2021-37593 (PEEL Shopping version 9.4.0 allows remote SQL injection. A public user ...) NOT-FOR-US: PEEL Shopping CVE-2021-37592 (Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a cl ...) - TODO: check + - suricata 1:6.0.4-1 + NOTE: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 + NOTE: https://redmine.openinfosecfoundation.org/issues/4569 (not public) CVE-2021-37591 RESERVED CVE-2021-37590 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b261c578f4cff666b1c38918ebb34ac701b9e1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b261c578f4cff666b1c38918ebb34ac701b9e1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 294d4c52 by Salvatore Bonaccorso at 2021-11-20T10:05:23+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4067,7 +4067,7 @@ CVE-2021-43204 CVE-2021-3921 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: firefly-iii CVE-2021-3920 (grav-plugin-admin is vulnerable to Improper Neutralization of Input Du ...) - TODO: check + NOT-FOR-US: Grav CMS CVE-2021-3919 RESERVED CVE-2021-43203 (In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 a ...) @@ -9802,7 +9802,7 @@ CVE-2021-41282 CVE-2021-41281 RESERVED CVE-2021-41280 (Sharetribe Go is a source available marketplace software. In affected ...) - TODO: check + NOT-FOR-US: Sharetribe Go CVE-2021-41279 RESERVED CVE-2021-41278 (Functions SDK for EdgeX is meant to provide all the plumbing necessary ...) @@ -14828,7 +14828,7 @@ CVE-2021-39200 (WordPress is a free and open-source content management system wr CVE-2021-39199 (remark-html is an open source nodejs library which compiles Markdown t ...) NOT-FOR-US: Node remark-html CVE-2021-39198 (OroCRM is an open source Client Relationship Management (CRM) applicat ...) - TODO: check + NOT-FOR-US: OroCRM CVE-2021-39197 (better_errors is an open source replacement for the standard Rails err ...) - ruby-better-errors (bug #739168) CVE-2021-39196 (pcapture is an open source dumpcap web service interface . In affected ...) @@ -15967,7 +15967,7 @@ CVE-2021-38683 CVE-2021-38682 RESERVED CVE-2021-38681 (A reflected cross-site scripting (XSS) vulnerability has been reported ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-38680 RESERVED CVE-2021-38679 
@@ -21695,13 +21695,13 @@ CVE-2021-36324 (Dell BIOS contains an improper input validation vulnerability. A CVE-2021-36323 (Dell BIOS contains an improper input validation vulnerability. A local ...) NOT-FOR-US: Dell CVE-2021-36322 (Dell Networking X-Series firmware versions prior to 3.0.1.8 contain a ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36321 (Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36320 (Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36319 (Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36318 RESERVED CVE-2021-36317 @@ -21719,15 +21719,15 @@ CVE-2021-36312 CVE-2021-36311 RESERVED CVE-2021-36310 (Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x 10.5 ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36309 (Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensi ...) NOT-FOR-US: Dell CVE-2021-36308 (Networking OS10, versions prior to October 2021 with Smart Fabric Serv ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36307 (Networking OS10, versions prior to October 2021 with RESTCONF API enab ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36306 (Networking OS10, versions prior to October 2021 with RESTCONF API enab ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36305 (Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data ...) NOT-FOR-US: Dell CVE-2021-36304 
@@ -26352,7 +26352,7 @@ CVE-2021-34360 CVE-2021-34359 RESERVED CVE-2021-34358 (We have already fixed this vulnerability in the following versions of ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-34357 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) NOT-FOR-US: QNAP CVE-2021-34356 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/294d4c5291f2ef87733b9e4424d5253ed18743c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/294d4c5291f2ef87733b9e4424d5253ed18743c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
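Review bot: In the hunk at @@ -4067 the CVE-2021-3920 description names the component as grav-plugin-admin, while the new tag reads "NOT-FOR-US: Grav CMS"; the other labels in this change repeat the product name exactly as the description gives it (Sharetribe Go, OroCRM), so keeping "grav-plugin-admin" in the label would let a later search for the upstream name find this entry.

Review bot: In the hunk at @@ -15967 the truncated description of CVE-2021-38681 ("A reflected cross-site scripting (XSS) vulnerability has been reported ...") names no vendor, so "NOT-FOR-US: QNAP" cannot be verified from the diff context alone; a NOTE: line with the QNAP advisory URL would make the attribution checkable from the file itself, as is done for other entries in data/CVE/list.

Review bot: In the hunks at @@ -21695 and @@ -21719 the entries for CVE-2021-36308, CVE-2021-36307 and CVE-2021-36306 carry descriptions that start with "Networking OS10" and no vendor prefix; the "NOT-FOR-US: Dell" tag rests on the neighbouring Dell OS10 entries (CVE-2021-36319, CVE-2021-36310, CVE-2021-36309), which is reasonable, but one NOTE: with the Dell advisory reference on the first of them would record where that came from.

Review bot: In the hunk at @@ -26352 the CVE-2021-34358 description begins "We have already fixed this vulnerability in the following versions of ...", which names no product at all; the "NOT-FOR-US: QNAP" tag is consistent with the adjacent CVE-2021-34357 and CVE-2021-34356 entries, but this is the one entry in the change where the diff gives no visible basis for the vendor, so a NOTE: URL is worth adding here in particular.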
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dbc050e3 by Salvatore Bonaccorso at 2021-11-20T10:01:57+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21659,7 +21659,7 @@ CVE-2021-36342 CVE-2021-36341 RESERVED CVE-2021-36340 (Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information d ...) - TODO: check + NOT-FOR-US: EMC CVE-2021-36339 RESERVED CVE-2021-36338 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbc050e36ca65fa16fed4cc89ca49ed2a7a01392
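Review bot: The label in the hunk at @@ -21659 reads "NOT-FOR-US: EMC" while the CVE-2021-36340 description says "Dell EMC SCG"; the Dell entries a few lines further down in data/CVE/list (CVE-2021-36323 and the OS10 batch) use "NOT-FOR-US: Dell", so "NOT-FOR-US: Dell EMC" would keep the vendor label consistent and make all Dell-owned NFUs findable with one search.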
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d12733ea by security tracker role at 2021-11-20T08:10:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,81 @@ +CVE-2021-44076 + RESERVED +CVE-2021-44075 + RESERVED +CVE-2021-44074 + RESERVED +CVE-2021-44073 + RESERVED +CVE-2021-44072 + RESERVED +CVE-2021-44071 + RESERVED +CVE-2021-44070 + RESERVED +CVE-2021-44069 + RESERVED +CVE-2021-44068 + RESERVED +CVE-2021-44067 + RESERVED +CVE-2021-44066 + RESERVED +CVE-2021-44065 + RESERVED +CVE-2021-44064 + RESERVED +CVE-2021-44063 + RESERVED +CVE-2021-44062 + RESERVED +CVE-2021-44061 + RESERVED +CVE-2021-44060 + RESERVED +CVE-2021-44059 + RESERVED +CVE-2021-44058 + RESERVED +CVE-2021-44057 + RESERVED +CVE-2021-44056 + RESERVED +CVE-2021-44055 + RESERVED +CVE-2021-44054 + RESERVED +CVE-2021-44053 + RESERVED +CVE-2021-44052 + RESERVED +CVE-2021-44051 + RESERVED +CVE-2021-44050 + RESERVED +CVE-2021-44049 + RESERVED +CVE-2021-44048 + RESERVED +CVE-2021-44047 + RESERVED +CVE-2021-44046 + RESERVED +CVE-2021-44045 + RESERVED +CVE-2021-44044 + RESERVED +CVE-2021-44043 + RESERVED +CVE-2021-44042 + RESERVED +CVE-2021-44041 + RESERVED +CVE-2021-3985 + RESERVED +CVE-2021-3984 + RESERVED +CVE-2021-3983 + RESERVED CVE-2022-21742 RESERVED CVE-2021-44040 @@ -9723,8 +9801,8 @@ CVE-2021-41282 RESERVED CVE-2021-41281 RESERVED -CVE-2021-41280 - RESERVED +CVE-2021-41280 (Sharetribe Go is a source available marketplace software. In affected ...) + TODO: check CVE-2021-41279 RESERVED CVE-2021-41278 (Functions SDK for EdgeX is meant to provide all the plumbing necessary ...) 
@@ -14749,8 +14827,8 @@ CVE-2021-39200 (WordPress is a free and open-source content management system wr NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5 CVE-2021-39199 (remark-html is an open source nodejs library which compiles Markdown t ...) NOT-FOR-US: Node remark-html -CVE-2021-39198 - RESERVED +CVE-2021-39198 (OroCRM is an open source Client Relationship Management (CRM) applicat ...) + TODO: check CVE-2021-39197 (better_errors is an open source replacement for the standard Rails err ...) - ruby-better-errors (bug #739168) CVE-2021-39196 (pcapture is an open source dumpcap web service interface . In affected ...) @@ -15888,8 +15966,8 @@ CVE-2021-38683 RESERVED CVE-2021-38682 RESERVED -CVE-2021-38681 - RESERVED +CVE-2021-38681 (A reflected cross-site scripting (XSS) vulnerability has been reported ...) + TODO: check CVE-2021-38680 RESERVED CVE-2021-38679 @@ -21580,8 +21658,8 @@ CVE-2021-36342 RESERVED CVE-2021-36341 RESERVED -CVE-2021-36340 - RESERVED +CVE-2021-36340 (Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information d ...) + TODO: check CVE-2021-36339 RESERVED CVE-2021-36338 @@ -21616,14 +21694,14 @@ CVE-2021-36324 (Dell BIOS contains an improper input validation vulnerability. A NOT-FOR-US: Dell CVE-2021-36323 (Dell BIOS contains an improper input validation vulnerability. A local ...) NOT-FOR-US: Dell -CVE-2021-36322 - RESERVED -CVE-2021-36321 - RESERVED -CVE-2021-36320 - RESERVED -CVE-2021-36319 - RESERVED +CVE-2021-36322 (Dell Networking X-Series firmware versions prior to 3.0.1.8 contain a ...) + TODO: check +CVE-2021-36321 (Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an ...) + TODO: check +CVE-2021-36320 (Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an ...) + TODO: check +CVE-2021-36319 (Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain ...) + TODO: check CVE-2021-36318 RESERVED CVE-2021-36317 
@@ -21640,16 +21718,16 @@ CVE-2021-36312 RESERVED CVE-2021-36311 RESERVED -CVE-2021-36310 - RESERVED +CVE-2021-36310 (Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x 10.5 ...) + TODO: check CVE-2021-36309 (Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensi ...) NOT-FOR-US: Dell -CVE-2021-36308 - RESERVED -CVE-2021-36307 - RESERVED -CVE-2021-36306 - RESERVED +CVE-2021-36308 (Networking OS10, versions prior to October 2021 with Smart Fabric Serv ...) + TODO: check +CVE-2021-36307 (Networking OS10, versions prior to October 2021 with RESTCONF API enab ...) + TODO: check +CVE-2021-36306 (Networking OS10, versions prior to October 2021 with RESTCONF API enab ...) +
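Review bot: In the hunk at @@ -1,3 the new RESERVED block (CVE-2021-44076 down to CVE-2021-44041, then CVE-2021-3985 to CVE-2021-3983) is inserted above the existing CVE-2022-21742 line, so the 2022 identifier now sits between CVE-2021-3983 and CVE-2021-44040; if the file follows feed order rather than numeric order this is expected, otherwise the automatic update is placing the new block one entry too high.

Review bot: Every "TODO: check" introduced by the hunks from @@ -9723 through @@ -21640 (CVE-2021-41280, CVE-2021-39198, CVE-2021-38681, CVE-2021-36340, CVE-2021-36322 to CVE-2021-36319, CVE-2021-36310, CVE-2021-36308 to CVE-2021-36306) is closed as NOT-FOR-US by the later commits dbc050e3 and 294d4c52 in this thread, so no triage remains open from this batch; note that the hunk at @@ -21640 is cut off after the CVE-2021-36306 description line, so its TODO line and trailing context are not visible here and could not be reviewed.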