[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4028/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b78c9f6 by Salvatore Bonaccorso at 2021-11-30T08:40:18+01:00 Add CVE-2021-4028/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -242,8 +242,10 @@ CVE-2021-4030 RESERVED CVE-2021-4029 RESERVED -CVE-2021-4028 +CVE-2021-4028 [use-after-free in RDMA listen()] RESERVED + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2027201 CVE-2021-4027 RESERVED CVE-2021-4026 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b78c9f6883eecbae6b4b2f526f18e60a232ed1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b78c9f6883eecbae6b4b2f526f18e60a232ed1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
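Review bot: the new `- linux` line carries no fixed version and no `[bullseye]`/`[buster]` assessment, so the entry is open in unstable and untriaged for the stable releases; with the issue titled "use-after-free in RDMA listen()" and only the Red Hat bugzilla link recorded, a NOTE pointing at the upstream fix commit once it lands would let the stable kernel updates be checked against it, as the CVE-2021-33098 entry (744ba6b6 below) does with its git.kernel.org reference.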
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-4024/libpod
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 06cef81a by Salvatore Bonaccorso at 2021-11-30T07:35:29+01:00 Add Debian bug reference for CVE-2021-4024/libpod - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -368,7 +368,7 @@ CVE-2021-44228 RESERVED CVE-2021-4024 [podman: podman machine spawns gvproxy with port binded to all IPs] RESERVED - - libpod + - libpod (bug #1000844) [bullseye] - libpod (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2026675 NOTE: https://twitter.com/discordianfish/status/1463462371675066371 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06cef81a7ecf4af4e7a822fc9166c54b4117eac7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06cef81a7ecf4af4e7a822fc9166c54b4117eac7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Start tracking ksmtp as well for CVE-2020-15954
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4500396d by Salvatore Bonaccorso at 2021-11-30T07:34:27+01:00 Start tracking ksmtp as well for CVE-2020-15954 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101801,9 +101801,14 @@ CVE-2020-15954 (KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 commu [buster] - kdepim-runtime (Minor issue) - kmail-account-wizard 4:20.04.1-2 (bug #97) [buster] - kmail-account-wizard (Minor issue) + - ksmtp + [bullseye] - ksmtp (Minor issue; Upstream changes change API) + [buster] - ksmtp (Minor issue; Upstream changes change API) NOTE: https://bugs.kde.org/show_bug.cgi?id=423426 NOTE: kdepim-runtime: https://invent.kde.org/pim/kdepim-runtime/commit/bd64ab29116aa7318fdee7f95878ff97580162f2 NOTE: kmail-account-wizard: https://invent.kde.org/pim/kmail-account-wizard/commit/a64d80e523edce7d3d59c26834973418fae042f6 + NOTE: https://kde.org/info/security/advisory-2028-1.txt + NOTE: https://bugs.kde.org/show_bug.cgi?id=423423 CVE-2020-15953 (LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other ...) {DLA-2329-1} - libetpan 1.9.4-3 (bug #966647) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4500396db541507b662263b73203480c31414966 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4500396db541507b662263b73203480c31414966 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
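Review bot: the added NOTE `https://kde.org/info/security/advisory-2028-1.txt` does not follow the KDE advisory URL pattern (advisory-YYYYMMDD-N.txt) and reads as a truncated date, so it should be re-checked before anyone relies on it. The new `- ksmtp` line has no version while both the bullseye and buster lines say "Upstream changes change API", which leaves open whether an unstable upload is expected at all; a NOTE with the ksmtp upstream commit, as was done for kdepim-runtime and kmail-account-wizard, would document that.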
[Git][security-tracker-team/security-tracker][master] LTS: reclaim rustc and update notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fdffd27 by Roberto C. Sánchez at 2021-11-30T00:49:12-05:00 LTS: reclaim rustc and update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,12 +86,13 @@ roundcube (Markus Koschany) -- rsync (Adrian Bunk) -- -rustc +rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk) NOTE: 20211101: working on llvm-toolchain-11 update, which is needed by rustc (roberto) NOTE: 2022: llvm-toolchain-11 update is now uploaded (roberto) + NOTE: 20211130: rustc package is ready; working with SRM on some details (roberto) -- samba (Anton) NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fdffd2702cb5c8da6baa4ddbfb96b81d9b8a9c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fdffd2702cb5c8da6baa4ddbfb96b81d9b8a9c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
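Review bot: the context line `NOTE: 2022: llvm-toolchain-11 update is now uploaded (roberto)` uses a bare "2022" where every other dated note in this entry uses YYYYMMDD (20211101, 20211130), and 2022 lies after the commit date; since this commit already touches the entry, that stamp should be corrected to the actual upload date. The new note says "working with SRM on some details"; naming the open point would spare the next reader a question.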
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-33098/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 744ba6b6 by Salvatore Bonaccorso at 2021-11-30T06:21:05+01:00 Update status for CVE-2021-33098/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30240,8 +30240,10 @@ CVE-2021-33100 CVE-2021-33099 RESERVED CVE-2021-33098 (Improper input validation in the Intel(R) Ethernet ixgbe driver for Li ...) + - linux 5.10.46-1 + [buster] - linux 4.19.194-1 + NOTE: https://git.kernel.org/linus/63e39d29b3da02e901349f6cd71159818a4737a6 (5.13-rc4) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00555.html - TODO: check, might affect src:linux CVE-2021-33097 (Time-of-check time-of-use vulnerability in the Crypto API Toolkit for ...) NOT-FOR-US: Intel CVE-2021-33096 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/744ba6b6dcd9792ea20c9926fe69dacd52d6438c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/744ba6b6dcd9792ea20c9926fe69dacd52d6438c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
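Review bot: the fixed versions 5.10.46-1 and 4.19.194-1 are asserted while the only upstream reference is the mainline commit 63e39d29 tagged (5.13-rc4); recording the 5.10.y and 4.19.y stable backports (or the stable releases that carry them) in a NOTE would make the unstable and buster claims verifiable without a git search. Dropping `TODO: check, might affect src:linux` is consistent with the entry now having concrete versions.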
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: fc090df8 by Jeremiah C. Foster at 2021-11-29T19:46:58-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Jeremiah C. Foster jerem...@jeremiahfoster.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,7 +86,7 @@ roundcube (Markus Koschany) -- rsync (Adrian Bunk) -- -rustc (Roberto C. Sánchez) +rustc NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc090df852a7756b473c0074d73f4aabf4ab0861 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc090df852a7756b473c0074d73f4aabf4ab0861 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
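Review bot: the unclaim drops "(Roberto C. Sánchez)" from rustc without leaving a dated trace in the entry, although the file's own convention is `NOTE: YYYYMMDD: ... (who)`; a line such as "NOTE: 20211129: unclaimed after 2 weeks of inactivity" would let a later reader tell a lapsed claim from abandoned work. In this case the package was reclaimed the same night in 0fdffd27 above, so the trace would also have shown that the unclaim had been undone.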
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-4024/libpod
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 53b1d3fd by Salvatore Bonaccorso at 2021-11-29T22:21:36+01:00 Update status for CVE-2021-4024/libpod - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -369,8 +369,12 @@ CVE-2021-44228 CVE-2021-4024 [podman: podman machine spawns gvproxy with port binded to all IPs] RESERVED - libpod + [bullseye] - libpod (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2026675 NOTE: https://twitter.com/discordianfish/status/1463462371675066371 + NOTE: https://github.com/containers/podman/pull/12283 + NOTE: Introduced by: https://github.com/containers/podman/commit/7ef3981abe2412727840a2886489a08c03a05299 (v3.3.0-rc1) + NOTE: Fixed by: https://github.com/containers/podman/commit/295d87bb0b028e57dc2739791dee4820fe5fcc48 CVE-2021-44227 RESERVED CVE-2021-44226 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53b1d3fd6e1d99e26069979e357d811b527836ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53b1d3fd6e1d99e26069979e357d811b527836ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
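Review bot: the `Fixed by` NOTE names upstream commit 295d87bb but, unlike the `Introduced by` line with its (v3.3.0-rc1) tag, gives no release, and the `- libpod` line still has no fixed Debian version; adding the first podman release that contains the fix would close that gap and lets the bullseye "Vulnerable code introduced later" claim be checked against the bullseye package version. The PR link (12283) is useful context for both.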
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-4020/janus
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c755c8b7 by Salvatore Bonaccorso at 2021-11-29T22:11:26+01:00 Add Debian bug reference for CVE-2021-4020/janus - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -404,7 +404,7 @@ CVE-2021-44221 CVE-2021-4021 RESERVED CVE-2021-4020 (janus-gateway is vulnerable to Improper Neutralization of Input During ...) - - janus (unimportant) + - janus (unimportant; bug #1000831) NOTE: https://huntr.dev/bounties/9814baa8-7bdd-4e31-a132-d9d15653409e/ NOTE: https://github.com/meetecho/janus-gateway/commit/ba166e9adebfe5343f826c6a9e02299d35414ffd NOTE: Issues only in janus-demons built from src:janus View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c755c8b78519a02cddf2bb7054d7ffd5ec015c5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c755c8b78519a02cddf2bb7054d7ffd5ec015c5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-4020/janus
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 36928a69 by Salvatore Bonaccorso at 2021-11-29T22:01:14+01:00 Update status for CVE-2021-4020/janus - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -404,10 +404,10 @@ CVE-2021-44221 CVE-2021-4021 RESERVED CVE-2021-4020 (janus-gateway is vulnerable to Improper Neutralization of Input During ...) - - janus + - janus (unimportant) NOTE: https://huntr.dev/bounties/9814baa8-7bdd-4e31-a132-d9d15653409e/ - NOTE: https://github.com/meetecho/janus-gateway/commit/d3fc00ec803d6c41d8f98908732f44e7f4911a1c - TODO: check, possibly to be marked unimportant + NOTE: https://github.com/meetecho/janus-gateway/commit/ba166e9adebfe5343f826c6a9e02299d35414ffd + NOTE: Issues only in janus-demons built from src:janus CVE-2021-4019 RESERVED CVE-2021-44220 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36928a6995f91996ff75feb7dea9e8f29e9c816d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36928a6995f91996ff75feb7dea9e8f29e9c816d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
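Review bot: the reference swap (d3fc00ec replaced by ba166e9a) is not explained; a short NOTE stating why the earlier commit was not the fix for the huntr report would stop the next triager from re-adding it. "janus-demons" in the new NOTE looks like a typo for the binary package name (probably janus-demos); since the "unimportant" rating rests on the affected code living only in that package, the name should be exact.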
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26e42f13 by Salvatore Bonaccorso at 2021-11-29T21:18:49+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -449,17 +449,17 @@ CVE-2021-44205 CVE-2021-44204 RESERVED CVE-2021-44203 (Stored cross-site scripting (XSS) was possible in protection plan deta ...) - TODO: check + NOT-FOR-US: Acronis CVE-2021-44202 (Stored cross-site scripting (XSS) was possible in activity details. Th ...) - TODO: check + NOT-FOR-US: Acronis CVE-2021-44201 (Cross-site scripting (XSS) was possible in notification pop-ups. The f ...) - TODO: check + NOT-FOR-US: Acronis CVE-2021-44200 (Self cross-site scripting (XSS) was possible on devices page. The foll ...) - TODO: check + NOT-FOR-US: Acronis CVE-2021-44199 (DLL hijacking could lead to denial of service. The following products ...) - TODO: check + NOT-FOR-US: Acronis CVE-2021-44198 (DLL hijacking could lead to local privilege escalation. The following ...) - TODO: check + NOT-FOR-US: Acronis CVE-2021-44197 RESERVED CVE-2021-44196 @@ -469,7 +469,7 @@ CVE-2021-4016 CVE-2021-4015 RESERVED CVE-2017-20008 (The myCred WordPress plugin before 1.7.8 does not sanitise and escape ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-4014 RESERVED CVE-2021-4013 @@ -2655,7 +2655,7 @@ CVE-2021-43699 CVE-2021-43698 (An unspecified version of phpWhois is affected by a Cross Site Scripti ...) TODO: check CVE-2021-43697 (An unspecified version of Workerman-ThinkPHP-Redis is affected by a Cr ...) - TODO: check + NOT-FOR-US: Workerman-ThinkPHP-Redis CVE-2021-43696 (An unspecified version of twmap is affected by a Cross Site Scripting ...) TODO: check CVE-2021-43695 (An unspecified version of issabelPBX is affected by a Cross Site Scrip ...) 
@@ -2667,7 +2667,7 @@ CVE-2021-43693 (vesta 0.9.8-24 is affected by a file inclusion vulnerability in CVE-2021-43692 (An unspecified version of youtube-php-mirroring is affected by a Cross ...) TODO: check CVE-2021-43691 (An unspecified version of tripexpress is affected by a path manipulati ...) - TODO: check + NOT-FOR-US: tripexpress CVE-2021-43690 RESERVED CVE-2021-43689 @@ -7837,9 +7837,9 @@ CVE-2021-42367 CVE-2021-42366 RESERVED CVE-2021-42365 (The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-42364 (The Stetic WordPress plugin is vulnerable to Cross-Site Request Forger ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-42363 (The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to ...) NOT-FOR-US: WordPress plugin CVE-2021-42362 (The WordPress Popular Posts WordPress plugin is vulnerable to arbitrar ...) @@ -7851,7 +7851,7 @@ CVE-2021-42360 (On sites that also had the Elementor plugin for WordPress instal CVE-2021-42359 (WP DSGVO Tools (GDPR) = 3.1.23 had an AJAX action, admin-di ...) NOT-FOR-US: WP DSGVO Tools (GDPR) CVE-2021-42358 (The Contact Form With Captcha WordPress plugin is vulnerable to Cross- ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-42357 RESERVED CVE-2021-42356 @@ -13723,7 +13723,7 @@ CVE-2021-39997 CVE-2021-39996 RESERVED CVE-2021-39995 (Some Huawei products use the OpenHpi software for hardware management. ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-39994 RESERVED CVE-2021-39993 @@ -17846,7 +17846,7 @@ CVE-2021-38285 CVE-2021-38284 RESERVED CVE-2021-38283 (Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote att ...) - TODO: check + NOT-FOR-US: Wipro Holmes Orchestrator CVE-2021-38282 RESERVED CVE-2021-38281 
@@ -18282,7 +18282,7 @@ CVE-2021-38149 (index.php/admin/add_user in Chikitsa Patient Management System 2 CVE-2021-38148 (Obsidian before 0.12.12 does not require user confirmation for non-htt ...) NOT-FOR-US: Obsidian CVE-2021-38147 (Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote att ...) - TODO: check + NOT-FOR-US: Wipro Holmes Orchestrator CVE-2021-38146 (The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_1 ...) NOT-FOR-US: Wipro Holmes Orchestrator CVE-2021-38145 (An issue was discovered in Form Tools through 3.0.20. SQL Injection ca ...) @@ -51115,7 +51115,7 @@ CVE-2021-24929 CVE-2021-24928 RESERVED CVE-2021-24927 (The My Calendar WordPress plugin before 3.2.18 does not sanitise and e ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24926 RESERVED CVE-2021-24925 @@ -51133,13 +51133,13 @@
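Review bot: the WordPress entries are resolved as the generic `NOT-FOR-US: WordPress plugin` while the other hunks name the product (Acronis, Huawei, Wipro Holmes Orchestrator, Workerman-ThinkPHP-Redis, tripexpress) and a neighbouring context line uses `NOT-FOR-US: WP DSGVO Tools (GDPR)`; naming the plugin (myCred, Asgaros Forums, Stetic, Contact Form With Captcha, My Calendar) keeps the file searchable and matches the `NOT-FOR-US: WordPress plugin events-manager` form used in 3a9b32be below. This notification is also cut off at the final hunk header `@@ -51133,13 +51133,13 @@`, so that hunk has to be reviewed in GitLab.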
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ccb171b0 by security tracker role at 2021-11-29T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,249 @@ +CVE-2021-44353 + RESERVED +CVE-2021-44352 + RESERVED +CVE-2021-44351 + RESERVED +CVE-2021-44350 + RESERVED +CVE-2021-44349 + RESERVED +CVE-2021-44348 + RESERVED +CVE-2021-44347 + RESERVED +CVE-2021-44346 + RESERVED +CVE-2021-44345 + RESERVED +CVE-2021-44344 + RESERVED +CVE-2021-44343 + RESERVED +CVE-2021-44342 + RESERVED +CVE-2021-44341 + RESERVED +CVE-2021-44340 + RESERVED +CVE-2021-44339 + RESERVED +CVE-2021-44338 + RESERVED +CVE-2021-44337 + RESERVED +CVE-2021-44336 + RESERVED +CVE-2021-44335 + RESERVED +CVE-2021-44334 + RESERVED +CVE-2021-44333 + RESERVED +CVE-2021-44332 + RESERVED +CVE-2021-44331 + RESERVED +CVE-2021-44330 + RESERVED +CVE-2021-44329 + RESERVED +CVE-2021-44328 + RESERVED +CVE-2021-44327 + RESERVED +CVE-2021-44326 + RESERVED +CVE-2021-44325 + RESERVED +CVE-2021-44324 + RESERVED +CVE-2021-44323 + RESERVED +CVE-2021-44322 + RESERVED +CVE-2021-44321 + RESERVED +CVE-2021-44320 + RESERVED +CVE-2021-44319 + RESERVED +CVE-2021-44318 + RESERVED +CVE-2021-44317 + RESERVED +CVE-2021-44316 + RESERVED +CVE-2021-44315 + RESERVED +CVE-2021-44314 + RESERVED +CVE-2021-44313 + RESERVED +CVE-2021-44312 + RESERVED +CVE-2021-44311 + RESERVED +CVE-2021-44310 + RESERVED +CVE-2021-44309 + RESERVED +CVE-2021-44308 + RESERVED +CVE-2021-44307 + RESERVED +CVE-2021-44306 + RESERVED +CVE-2021-44305 + RESERVED +CVE-2021-44304 + RESERVED +CVE-2021-44303 + RESERVED +CVE-2021-44302 + RESERVED +CVE-2021-44301 + RESERVED +CVE-2021-44300 + RESERVED +CVE-2021-44299 + RESERVED +CVE-2021-44298 + RESERVED +CVE-2021-44297 + RESERVED +CVE-2021-44296 + RESERVED +CVE-2021-44295 + RESERVED +CVE-2021-44294 + RESERVED +CVE-2021-44293 + RESERVED +CVE-2021-44292 + RESERVED +CVE-2021-44291 + RESERVED +CVE-2021-44290 + RESERVED +CVE-2021-44289 + RESERVED +CVE-2021-44288 + RESERVED +CVE-2021-44287 + RESERVED +CVE-2021-44286 + RESERVED +CVE-2021-44285 + RESERVED +CVE-2021-44284 + RESERVED +CVE-2021-44283 + RESERVED +CVE-2021-44282 + RESERVED +CVE-2021-44281 + RESERVED 
+CVE-2021-44280 + RESERVED +CVE-2021-44279 + RESERVED +CVE-2021-44278 + RESERVED +CVE-2021-44277 + RESERVED +CVE-2021-44276 + RESERVED +CVE-2021-44275 + RESERVED +CVE-2021-44274 + RESERVED +CVE-2021-44273 + RESERVED +CVE-2021-44272 + RESERVED +CVE-2021-44271 + RESERVED +CVE-2021-44270 + RESERVED +CVE-2021-44269 + RESERVED +CVE-2021-44268 + RESERVED +CVE-2021-44267 + RESERVED +CVE-2021-44266 + RESERVED +CVE-2021-44265 + RESERVED +CVE-2021-44264 + RESERVED +CVE-2021-44263 + RESERVED +CVE-2021-44262 + RESERVED +CVE-2021-44261 + RESERVED +CVE-2021-44260 + RESERVED +CVE-2021-44259 + RESERVED +CVE-2021-44258 + RESERVED +CVE-2021-44257 + RESERVED +CVE-2021-44256 + RESERVED +CVE-2021-44255 + RESERVED +CVE-2021-44254 + RESERVED +CVE-2021-44253 + RESERVED +CVE-2021-44252 + RESERVED +CVE-2021-44251 + RESERVED +CVE-2021-44250 + RESERVED +CVE-2021-44249 + RESERVED +CVE-2021-44248 + RESERVED +CVE-2021-44247 + RESERVED +CVE-2021-44246 + RESERVED +CVE-2021-44245 + RESERVED +CVE-2021-44244 + RESERVED +CVE-2021-44243 + RESERVED +CVE-2021-44242 + RESERVED +CVE-2021-44241 + RESERVED +CVE-2021-44240 + RESERVED +CVE-2021-44239 + RESERVED +CVE-2021-44238 + RESERVED +CVE-2021-44237 + RESERVED +CVE-2021-44236 + RESERVED +CVE-2021-4032 + RESERVED +CVE-2021-4031 + RESERVED +CVE-2021-4030 + RESERVED +CVE-2021-4029 + RESERVED +CVE-2021-4028 + RESERVED CVE-2021-4027 RESERVED CVE-2021-4026 @@ -202,18 +448,18 @@ CVE-2021-44205 RESERVED CVE-2021-44204 RESERVED -CVE-2021-44203 - RESERVED -CVE-2021-44202 - RESERVED -CVE-2021-44201 - RESERVED -CVE-2021-44200 - RESERVED -CVE-2021-44199 - RESERVED -CVE-2021-44198 - RESERVED +CVE-2021-44203 (Stored cross-site scripting (XSS) was possible in protection plan deta ...) + TODO: check +CVE-2021-44202 (Stored cross-site scripting (XSS) was possible in activity details. Th ...) + TODO: check +CVE-2021-44201 (Cross-site
[Git][security-tracker-team/security-tracker][master] 2 commits: php8.0 removed from unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de4502fb by Salvatore Bonaccorso at 2021-11-29T20:39:06+01:00 php8.0 removed from unstable - - - - - 779ce1cb by Salvatore Bonaccorso at 2021-11-29T20:39:34+01:00 Mark php8.0 as removed from everywhere now - - - - - 2 changed files: - data/CVE/list - data/packages/removed-packages Changes: = data/CVE/list = @@ -58289,7 +58289,7 @@ CVE-2021-21708 RESERVED CVE-2021-21707 (In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below ...) - php8.1 8.1.0-1 - - php8.0 + - php8.0 - php7.4 [bullseye] - php7.4 (Minor issue, fix along with next DSA) - php7.3 @@ -58326,7 +58326,7 @@ CVE-2021-21704 (In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x NOTE: PHP Bug: https://bugs.php.net/76452 CVE-2021-21703 (In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 a ...) {DSA-4993-1 DSA-4992-1 DLA-2794-1} - - php8.0 + - php8.0 - php7.4 (bug #997003) - php7.3 - php7.0 = data/packages/removed-packages = @@ -817,3 +817,4 @@ ruby-rexml openjdk-15 nvidia-graphics-drivers-tesla-440 opentmpfiles +php8.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3a9b32bef3bdd79045de2442bfaf2db78487746b...779ce1cbfb81eb5f7cc2695ce746c64d9b59c2b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3a9b32bef3bdd79045de2442bfaf2db78487746b...779ce1cbfb81eb5f7cc2695ce746c64d9b59c2b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
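Review bot: as rendered, both data/CVE/list hunks show `- - php8.0` replaced by an identical `+ - php8.0`, so the marker the commit message promises ("Mark php8.0 as removed from everywhere now") is not visible; the tracker's `<removed>` tag was most likely stripped as HTML by the mail rendering. The change therefore needs to be confirmed in the GitLab compare view linked above; only the data/packages/removed-packages addition of php8.0 can be verified from the mail itself.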
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a9b32be by Henri Salo at 2021-11-29T20:58:42+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65233,10 +65233,14 @@ CVE-2020-35076 REJECTED CVE-2020-35061 RESERVED +CVE-2020-35037 + NOT-FOR-US: WordPress plugin events-manager CVE-2020-35030 RESERVED CVE-2020-35017 RESERVED +CVE-2020-35012 + NOT-FOR-US: WordPress plugin events-manager CVE-2020-35001 RESERVED CVE-2016-15001 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a9b32bef3bdd79045de2442bfaf2db78487746b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a9b32bef3bdd79045de2442bfaf2db78487746b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] citadel removed from sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c1a22bc by Moritz Muehlenhoff at 2021-11-29T19:39:29+01:00 citadel removed from sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18752,7 +18752,7 @@ CVE-2021-37846 RESERVED CVE-2021-37845 RESERVED - - citadel + - citadel [buster] - citadel (Minor issue) [stretch] - citadel (Minor issue, revisit when fixed upstream) NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259 @@ -67218,7 +67218,7 @@ CVE-2020-29548 (An issue was discovered in SmarterTools SmarterMail through 100. NOT-FOR-US: SmarterTools CVE-2020-29547 RESERVED - - citadel + - citadel [buster] - citadel (Minor issue) [stretch] - citadel (Minor issue, revisit when fixed upstream) NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c1a22bc3fea9e7b46829512345e20299f6aabb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c1a22bc3fea9e7b46829512345e20299f6aabb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
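Review bot: both hunks show `- - citadel` replaced by an identical `+ - citadel`, so the removal marker named in the commit message ("citadel removed from sid") is not visible here and was presumably stripped as an HTML tag; verify in GitLab. The stretch line "revisit when fixed upstream" still makes sense after the removal from sid, but the context URL `https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=...` contains an unescaped space and repeated `?` separators, so it will not resolve when followed; percent-encoding it (or pasting the link as the browser shows it) would fix that.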
[Git][security-tracker-team/security-tracker][master] CVE-2021-32037: Add reference to upstream issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fdb6dd90 by Salvatore Bonaccorso at 2021-11-29T17:04:59+01:00 CVE-2021-32037: Add reference to upstream issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32667,6 +32667,7 @@ CVE-2021-32038 RESERVED CVE-2021-32037 (An authorized user may trigger an invariant which may result in denial ...) - mongodb + NOTE: https://jira.mongodb.org/browse/SERVER-59071 CVE-2021-32036 RESERVED CVE-2021-32035 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdb6dd90dfd7ba3b6d6b2dc714aacb020efa5a1a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdb6dd90dfd7ba3b6d6b2dc714aacb020efa5a1a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add back not-affected status for CVE-2021-43396
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 767fe56d by Salvatore Bonaccorso at 2021-11-29T17:01:21+01:00 Add back not-affected status for CVE-2021-43396 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3186,6 +3186,8 @@ CVE-2021-43392 RESERVED CVE-2021-43396 (** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka ...) - glibc (unimportant; bug #998622) + [buster] - glibc (Vulnerable code not present) + [stretch] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28524 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ff012870b2c02a62598c04daa1e54632e020fd7d NOTE: Introduced by the fix for CVE-2021-3326 / BZ#27256: https://sourceware.org/git/?p=glibc.git;a=commit;h=7d88c6142c6efc160c0ee5e4f85cde382c072888 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/767fe56d0ddd2727dfe266e48fc7f0f77583b563 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/767fe56d0ddd2727dfe266e48fc7f0f77583b563 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
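Review bot: this restores the `[buster]`/`[stretch] - glibc (Vulnerable code not present)` lines that e688eed0 (below) dropped while changing the unstable line to "unimportant"; the two facts are independent, since a release that lacks the affected code is not affected regardless of how the affected code is rated. A bullseye line is still missing: the NOTE says the bug was introduced by the fix for CVE-2021-3326, so whether bullseye's glibc carries that fix decides whether it inherits "unimportant" or should also read "Vulnerable code not present", and stating that in a NOTE would make the entry self-explanatory.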
[Git][security-tracker-team/security-tracker][master] xen fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 37a2af51 by Moritz Muehlenhoff at 2021-11-29T16:22:01+01:00 xen fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41372,32 +41372,32 @@ CVE-2021-28710 (certain VT-d IOMMUs may not work in shared page table mode For e NOTE: https://www.openwall.com/lists/oss-security/2021/11/19/9 NOTE: https://xenbits.xen.org/xsa/advisory-390.html CVE-2021-28709 (issues with partially successful P2M updates on x86 T[his CNA informat ...) - - xen + - xen 4.14.3+32-g9de3671772-1 [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-389.html CVE-2021-28708 (PoD operations on misaligned GFNs T[his CNA information record relates ...) - - xen + - xen 4.14.3+32-g9de3671772-1 [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-388.html CVE-2021-28707 (PoD operations on misaligned GFNs T[his CNA information record relates ...) - - xen + - xen 4.14.3+32-g9de3671772-1 [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-388.html CVE-2021-28706 (guests may exceed their designated memory limit When a guest is permit ...) - - xen + - xen 4.14.3+32-g9de3671772-1 [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-385.html CVE-2021-28705 (issues with partially successful P2M updates on x86 T[his CNA informat ...) - - xen + - xen 4.14.3+32-g9de3671772-1 [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-389.html CVE-2021-28704 (PoD operations on misaligned GFNs T[his CNA information record relates ...) - - xen + - xen 4.14.3+32-g9de3671772-1 [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-388.html 
@@ -41412,7 +41412,7 @@ CVE-2021-28703 NOTE: Debian including the fix. NOTE: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=c65ea16dbcafbe4fe21693b18f8c2a3c5d14600e (4.14.0-rc1) CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI devices in ...) - - xen + - xen 4.14.3+32-g9de3671772-1 [bullseye] - xen (Minor issue, fix along with next DSA) [buster] - xen (Vulnerable code introduced later) [stretch] - xen (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37a2af5177327a5da73afc8bc6b691f2a86d1fcf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37a2af5177327a5da73afc8bc6b691f2a86d1fcf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
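Review bot: only CVE-2021-28702 carries an explicit `[bullseye] - xen (Minor issue, fix along with next DSA)` line; the six other entries fixed here (CVE-2021-28704 through CVE-2021-28709, advisories 385, 388 and 389) receive the unstable version 4.14.3+32-g9de3671772-1 and keep only the buster/stretch DSA references, so bullseye is left implicitly open for them. If a bullseye DSA is pending that is fine, but the commit message "xen fixed in sid" does not say so, and a `[bullseye]` line per issue or a dsa-needed entry would make the intent visible.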
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e688eed0 by Moritz Muehlenhoff at 2021-11-29T16:19:24+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2893,6 +2893,7 @@ CVE-2021-43520 RESERVED CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 a ...) - lua5.4 (bug #1000228) + [bullseye] - lua5.4 (Minor issue) - lua5.3 [bullseye] - lua5.3 (Minor issue) [buster] - lua5.3 (Minor issue) @@ -3152,6 +3153,8 @@ CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) CVE-2021-3930 [off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c] RESERVED - qemu + [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) [stretch] - qemu (Fix along with a future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546 @@ -3182,12 +3185,11 @@ CVE-2021-43393 CVE-2021-43392 RESERVED CVE-2021-43396 (** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka ...) - - glibc (bug #998622) - [buster] - glibc (Vulnerable code not present) - [stretch] - glibc (Vulnerable code not present) + - glibc (unimportant; bug #998622) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28524 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ff012870b2c02a62598c04daa1e54632e020fd7d NOTE: Introduced by the fix for CVE-2021-3326 / BZ#27256: https://sourceware.org/git/?p=glibc.git;a=commit;h=7d88c6142c6efc160c0ee5e4f85cde382c072888 + NOTE: No security impact per upstream assessment CVE-2021-43391 (An Out-of-Bounds Read vulnerability exists when reading a DXF file usi ...) NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-43390 (An Out-of-Bounds Write vulnerability exists when reading a DGN file us ...) 
@@ -8680,6 +8682,7 @@ CVE-2021-42007 RESERVED CVE-2021-42006 (An out-of-bounds access in GffLine::GffLine in gff.cpp in GCLib 0.12.7 ...) - libgclib 0.12.7+ds-2 (bug #996591) + [bullseye] - libgclib (Minor issue) NOTE: https://github.com/gpertea/gclib/issues/11 CVE-2021-42005 RESERVED @@ -17883,6 +17886,7 @@ CVE-2020-36466 (An issue was discovered in the cgc crate through 2020-12-10 for NOT-FOR-US: Rust crate cgc CVE-2020-36465 (An issue was discovered in the generic-array crate before 0.13.3 for R ...) - rust-generic-array 0.14.4-1 + [buster] - rust-generic-array (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0146.html CVE-2020-36464 (An issue was discovered in the heapless crate before 0.6.1 for Rust. T ...) NOT-FOR-US: Rust crate heapless @@ -32563,8 +32567,8 @@ CVE-2021-32066 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7 {DLA-2780-1} - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 + [buster] - ruby2.5 (Minor issue) - ruby2.3 - [buster] - ruby2.3 (Minor issue) - jruby [buster] - jruby (Minor issue) [stretch] - jruby (Minor issue) @@ -58284,7 +58288,9 @@ CVE-2021-21707 (In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x - php8.1 8.1.0-1 - php8.0 - php7.4 + [bullseye] - php7.4 (Minor issue, fix along with next DSA) - php7.3 + [buster] - php7.3 (Minor issue, fix along with next DSA) - php7.0 NOTE: Fixed in 8.1.0, 8.0.13, 7.4.26, 7.3.33 NOTE: PHP Bug: https://bugs.php.net/79971 @@ -73350,6 +73356,7 @@ CVE-2020-28201 RESERVED CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource ...) - dovecot 1:2.3.16+dfsg1-1 (bug #990566; bug #991323) + [bullseye] - dovecot (Minor issue, fix along with next update) [buster] - dovecot (Minor issue, fix along with next update) [stretch] - dovecot (Minor issue) NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html 
@@ -84524,6 +84531,7 @@ CVE-2020-23885 RESERVED CVE-2020-23884 (A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial ...) - nomacs + [buster] - nomacs (Minor issue) [stretch] - nomacs (Minor issue) NOTE: https://github.com/nomacs/nomacs/issues/516 CVE-2020-23883 = data/dsa-needed.txt = @@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +asterisk/oldstable -- condor -- @@ -33,6 +35,9 @@ ndpi/oldstable -- nodejs (jmm) --
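Review bot: in the CVE-2021-43396 glibc hunk, collapsing the `[buster]`/`[stretch]` 'Vulnerable code not present' lines into a single top-level `(unimportant; bug #998622)` is consistent with the new NOTE 'No security impact per upstream assessment', but the removed per-suite lines carried a fact the unimportant rating does not: the NOTE above still says the bug was introduced by the fix for CVE-2021-3326, so buster and stretch are unaffected for a different reason than unstable. Consider preserving that as a NOTE (e.g. 'buster/stretch: introducing commit for CVE-2021-3326 not present') so a later re-rating does not have to rediscover it.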
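Review bot: in the CVE-2021-32066 ruby hunk, moving the buster 'Minor issue' annotation from ruby2.3 to ruby2.5 corrects a suite/package mismatch: ruby2.5 is the interpreter shipped in buster, while ruby2.3 is stretch's and is already covered by the `{DLA-2780-1}` line at the top of the entry, so the old `[buster] - ruby2.3 (Minor issue)` line was attached to a package that is not in buster. The `[bullseye] - lua5.4`, `[bullseye]`/`[buster] - qemu`, `[bullseye] - php7.4`, `[buster] - php7.3` and `[bullseye] - dovecot` additions in the other hunks follow the same per-suite convention correctly.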
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dbe066bd by Moritz Muehlenhoff at 2021-11-29T15:09:03+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1391,7 +1391,7 @@ CVE-2021-43787 CVE-2021-43786 RESERVED CVE-2021-43785 (@joeattardi/emoji-button is a Vanilla JavaScript emoji picker componen ...) - TODO: check + NOT-FOR-US: @joeattardi/emoji-button CVE-2021-43784 RESERVED CVE-2021-43783 @@ -5590,7 +5590,7 @@ CVE-2021-42787 CVE-2021-42786 RESERVED CVE-2021-42785 (Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allo ...) - TODO: check + NOT-FOR-US: TightVNC Viewer CVE-2021-42784 (OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 ...) NOT-FOR-US: D-Link CVE-2021-42783 (Missing Authentication for Critical Function vulnerability in debug_po ...) @@ -24190,7 +24190,7 @@ CVE-2021-35535 (Insecure Boot Image vulnerability in Hitachi Energy Relion Relio CVE-2021-35534 (Insufficient security control vulnerability in internal database acces ...) NOT-FOR-US: Hitachi CVE-2021-35533 (Improper Input Validation vulnerability in the APDU parser in the Bidi ...) - TODO: check + NOT-FOR-US: Hitachi CVE-2021-35532 RESERVED CVE-2021-35531 @@ -32608,7 +32608,7 @@ CVE-2021-3536 (A flaw was found in Wildfly in versions before 23.0.2.Final while CVE-2021-3535 (Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting ...) NOT-FOR-US: Rapid7 CVE-2021-32061 (S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket ...) - TODO: check + NOT-FOR-US: S3Scanner CVE-2021-32060 RESERVED CVE-2021-32059 @@ -32660,7 +32660,7 @@ CVE-2021-32039 CVE-2021-32038 RESERVED CVE-2021-32037 (An authorized user may trigger an invariant which may result in denial ...) - TODO: check + - mongodb CVE-2021-32036 RESERVED CVE-2021-32035 
@@ -53549,7 +53549,7 @@ CVE-2021-23734 CVE-2021-23733 RESERVED CVE-2021-23732 (This affects all versions of package docker-cli-js. If the command par ...) - TODO: check + NOT-FOR-US: Node docker-cli-js CVE-2021-23731 RESERVED CVE-2021-23730 @@ -53667,7 +53667,7 @@ CVE-2021-23675 CVE-2021-23674 RESERVED CVE-2021-23673 (This affects all versions of package pekeupload. If an attacker induce ...) - TODO: check + NOT-FOR-US: Node pekeupload CVE-2021-23672 RESERVED CVE-2021-23671 @@ -53705,7 +53705,7 @@ CVE-2021-23656 CVE-2021-23655 RESERVED CVE-2021-23654 (This affects all versions of package html-to-csv. When there is a form ...) - TODO: check + NOT-FOR-US: html-to-csv CVE-2021-23653 RESERVED CVE-2021-23652 @@ -61959,13 +61959,13 @@ CVE-2021-20850 (PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 CVE-2021-20849 RESERVED CVE-2021-20848 (Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 a ...) - TODO: check + NOT-FOR-US: rwtxt CVE-2021-20847 RESERVED CVE-2021-20846 (Cross-site request forgery (CSRF) vulnerability in Push Notifications ...) NOT-FOR-US: WordPress plugin CVE-2021-20845 (Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap G ...) - TODO: check + NOT-FOR-US: Unlimited Sitemap Generator CVE-2021-20844 (Improper neutralization of HTTP request headers for scripting syntax v ...) NOT-FOR-US: RTX830 CVE-2021-20843 (Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbe066bd061a424620950bb766f049d5dd6f4a6d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbe066bd061a424620950bb766f049d5dd6f4a6d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
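Review bot: the CVE-2021-32037 hunk replaces `TODO: check` with a bare `- mongodb` line, which records the package as affected in unstable with no fixed version, no suite annotation and no NOTE, whereas every other hunk in this commit resolves to `NOT-FOR-US:` with the product named. Add the upstream advisory as a NOTE and a per-suite triage line (the `[bullseye] - pkg (Minor issue)` form used elsewhere in the file, or `<removed>` / `<not-affected>` if mongodb is no longer in those suites) so the entry does not sit as an open, unannotated issue.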
[Git][security-tracker-team/security-tracker][master] Add notes for libgit2
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 45e897e5 by Utkarsh Gupta at 2021-11-29T18:49:39+05:30 Add notes for libgit2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -55,6 +55,8 @@ libgit2 (Utkarsh) NOTE: 20211029: taking this with my maintainer hat on; will investigate NOTE: 20211029: and TAL later next week. (utkarsh) NOTE: 2026: backports prepped; checking build and smoke-testing package. (utkarsh) + NOTE: 20211129: readied up everything, using pygit and other wrappers + NOTE: 20211129: around which the code changed. will upload in the next 2 days. (utkarsh) -- librecad (Sylvain Beucler) NOTE: 20211127: also take care of other suites View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45e897e526fcf8540f7fa63cec2e93fa7e756957 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45e897e526fcf8540f7fa63cec2e93fa7e756957 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
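Review bot: the two NOTE lines added for libgit2 follow the `NOTE: YYYYMMDD:` convention of the surrounding entry, but the context line directly above them reads `NOTE: 2026: backports prepped`, which looks like a truncated date stamp in the same series; since this commit already touches the entry, fixing that stamp to the full date would keep the dla-needed log readable in date order.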
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2832-1 for opensc
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: f18b16fc by Adrian Bunk at 2021-11-29T11:06:08+02:00 Reserve DLA-2832-1 for opensc - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -77971,19 +77971,16 @@ CVE-1999-0199 (manual/search.texi in the GNU C Library (aka glibc) before 2.2 la CVE-2020-26572 (The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a ...) - opensc 0.21.0-1 (bug #972035) [buster] - opensc (Minor issue) - [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967 NOTE: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817 (0.21.0-rc1) CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 ...) - opensc 0.21.0-1 (bug #972036) [buster] - opensc (Minor issue) - [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612 NOTE: https://github.com/OpenSC/OpenSC/commit/ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43 (0.21.0-rc1) CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...) - opensc 0.21.0-1 (bug #972037) [buster] - opensc (Minor issue) - [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316 NOTE: https://github.com/OpenSC/OpenSC/commit/6903aebfddc466d966c7b865fae34572bf3ed23e (0.21.0-rc1) CVE-2020-26569 (In EVPN VxLAN setups in Arista EOS, specific malformed packets can lea ...) @@ -140781,7 +140778,6 @@ CVE-2019-19479 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x thro {DLA-2046-1} - opensc 0.20.0-1 (bug #947383) [buster] - opensc (Minor issue) - [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693 NOTE: https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2 CVE-2019-19478 
@@ -154308,13 +154304,11 @@ CVE-2019-15946 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 {DLA-1916-1} - opensc 0.20.0-1 (bug #939669) [buster] - opensc (Minor issue) - [stretch] - opensc (Minor issue) NOTE: https://github.com/OpenSC/OpenSC/commit/a3fc7693f3a035a8a7921cffb98432944bb42740 CVE-2019-15945 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitst ...) {DLA-1916-1} - opensc 0.20.0-1 (bug #939668) [buster] - opensc (Minor issue) - [stretch] - opensc (Minor issue) NOTE: https://github.com/OpenSC/OpenSC/commit/412a6142c27a5973c61ba540e33cdc22d5608e68 CVE-2019-15944 (In Counter-Strike: Global Offensive before 8/29/2019, community game s ...) NOT-FOR-US: Counter-Strike: Global Offensive = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Nov 2021] DLA-2832-1 opensc - security update + {CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2020-26570 CVE-2020-26571 CVE-2020-26572} + [stretch] - opensc 0.16.0-3+deb9u2 [28 Nov 2021] DLA-2831-1 libntlm - security update {CVE-2019-17455} [stretch] - libntlm 1.4-8+deb9u1 = data/dla-needed.txt = @@ -74,8 +74,6 @@ nvidia-graphics-drivers NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm NOTE: 20211108: now fixes all 5 CVEs (bunk) -- -opensc (Adrian Bunk) --- pgbouncer (Thorsten Alteholz) NOTE: 20211128: also help with other releases -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f18b16fccc3b3116b9b1182abd1b29c979a2700f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f18b16fccc3b3116b9b1182abd1b29c979a2700f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
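Review bot: the new `data/DLA/list` entry for DLA-2832-1 lists CVE-2019-15945, CVE-2019-15946 and CVE-2019-19479, yet in the `data/CVE/list` hunks those three already carry `{DLA-1916-1}` / `{DLA-2046-1}` markers; if the earlier DLAs' fixes were incomplete that should be stated in the DLA text and in a NOTE on each CVE, and if the re-listing is unintended the CVE set should be trimmed to CVE-2020-26570, CVE-2020-26571 and CVE-2020-26572.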
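Review bot: in the CVE-2020-26570/26571/26572 hunks the `[stretch] - opensc (Minor issue)` lines are removed without a `{DLA-2832-1}` cross-reference line being added above `- opensc 0.21.0-1`, unlike the CVE-2019 entries in the same patch that carry their DLA markers; confirm that the tracker derives the stretch fixed state from the `data/DLA/list` entry (`[stretch] - opensc 0.16.0-3+deb9u2`) rather than from the marker in `data/CVE/list`, otherwise those three will show as open for stretch until the marker is added.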
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e33d6eb by Salvatore Bonaccorso at 2021-11-29T09:38:54+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -465,9 +465,9 @@ CVE-2021-44096 CVE-2021-44095 RESERVED CVE-2021-44094 (ZrLog 2.2.2 has a remote command execution vulnerability at plugin dow ...) - TODO: check + NOT-FOR-US: zrlog CVE-2021-44093 (A Remote Command Execution vulnerability on the background in zrlog 2. ...) - TODO: check + NOT-FOR-US: zrlog CVE-2021-44092 RESERVED CVE-2021-44091 @@ -523,7 +523,7 @@ CVE-2021-3992 CVE-2021-44078 RESERVED CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus before 11306 is vulnerable to unaut ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-3991 RESERVED CVE-2021-3990 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e33d6eb60b9820444a6c84b9c79ca56df11997d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e33d6eb60b9820444a6c84b9c79ca56df11997d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe190236 by security tracker role at 2021-11-29T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2021-4027 + RESERVED +CVE-2021-4026 + RESERVED CVE-2021-4025 RESERVED CVE-2021-44235 @@ -460,10 +464,10 @@ CVE-2021-44096 RESERVED CVE-2021-44095 RESERVED -CVE-2021-44094 - RESERVED -CVE-2021-44093 - RESERVED +CVE-2021-44094 (ZrLog 2.2.2 has a remote command execution vulnerability at plugin dow ...) + TODO: check +CVE-2021-44093 (A Remote Command Execution vulnerability on the background in zrlog 2. ...) + TODO: check CVE-2021-44092 RESERVED CVE-2021-44091 @@ -518,8 +522,8 @@ CVE-2021-3992 RESERVED CVE-2021-44078 RESERVED -CVE-2021-44077 - RESERVED +CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus before 11306 is vulnerable to unaut ...) + TODO: check CVE-2021-3991 RESERVED CVE-2021-3990 @@ -32603,8 +32607,8 @@ CVE-2021-3536 (A flaw was found in Wildfly in versions before 23.0.2.Final while - wildfly (bug #752018) CVE-2021-3535 (Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting ...) NOT-FOR-US: Rapid7 -CVE-2021-32061 - RESERVED +CVE-2021-32061 (S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket ...) + TODO: check CVE-2021-32060 RESERVED CVE-2021-32059 
@@ -58276,8 +58280,7 @@ CVE-2021-21709 RESERVED CVE-2021-21708 RESERVED -CVE-2021-21707 [special character is breaking the path in xml function] - RESERVED +CVE-2021-21707 (In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below ...) - php8.1 8.1.0-1 - php8.0 - php7.4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe190236a65a899f30c7782e0eee160fb32fc338 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe190236a65a899f30c7782e0eee160fb32fc338 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits