[Git][security-tracker-team/security-tracker][master] New front desk file for 2022 based on new dispatch logic.
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: c55791fe by Jeremiah C. Foster at 2022-01-04T22:23:57-05:00 New front desk file for 2022 based on new dispatch logic. - - - - - 1 changed file: - org/lts-frontdesk.2022.txt Changes: = org/lts-frontdesk.2022.txt = 
@@ -16,50 +16,50 @@ From 10-01 to 16-01:Sylvain Beucler From 17-01 to 23-01:Thorsten Alteholz From 24-01 to 30-01:Utkarsh Gupta From 31-01 to 06-02:Chris Lamb -From 07-02 to 13-02:Thorsten Alteholz -From 14-02 to 20-02:Utkarsh Gupta -From 21-02 to 27-02:Emilio Pozuelo Monfort +From 07-02 to 13-02:Chris Lamb +From 14-02 to 20-02:Emilio Pozuelo Monfort +From 21-02 to 27-02:Markus Koschany From 28-02 to 06-03:Sylvain Beucler -From 07-03 to 13-03:Chris Lamb -From 14-03 to 20-03:Chris Lamb -From 21-03 to 27-03:Utkarsh Gupta -From 28-03 to 03-04:Anton Gladky -From 04-04 to 10-04:Thorsten Alteholz -From 11-04 to 17-04:Thorsten Alteholz +From 07-03 to 13-03:Thorsten Alteholz +From 14-03 to 20-03:Utkarsh Gupta +From 21-03 to 27-03:Chris Lamb +From 28-03 to 03-04:Emilio Pozuelo Monfort +From 04-04 to 10-04:Markus Koschany +From 11-04 to 17-04:Sylvain Beucler From 18-04 to 24-04:Thorsten Alteholz -From 25-04 to 01-05:Emilio Pozuelo Monfort +From 25-04 to 01-05:Utkarsh Gupta From 02-05 to 08-05:Chris Lamb -From 09-05 to 15-05:Ola Lundqvist -From 16-05 to 22-05:Sylvain Beucler -From 23-05 to 29-05:Anton Gladky -From 30-05 to 05-06:Ola Lundqvist -From 06-06 to 12-06:Ola Lundqvist -From 13-06 to 19-06:Thorsten Alteholz -From 20-06 to 26-06:Ola Lundqvist -From 27-06 to 03-07:Anton Gladky -From 04-07 to 10-07:Ola Lundqvist -From 11-07 to 17-07:Emilio Pozuelo Monfort -From 18-07 to 24-07:Emilio Pozuelo Monfort +From 09-05 to 15-05:Emilio Pozuelo Monfort +From 16-05 to 22-05:Markus Koschany +From 23-05 to 29-05:Sylvain Beucler +From 30-05 to 05-06:Thorsten Alteholz +From 06-06 to 12-06:Utkarsh Gupta +From 13-06 to 19-06:Chris Lamb +From 20-06 to 26-06:Emilio Pozuelo Monfort +From 27-06 to 03-07:Markus Koschany +From 04-07 to 10-07:Sylvain Beucler +From 11-07 to 17-07:Thorsten Alteholz +From 18-07 to 24-07:Utkarsh Gupta From 25-07 to 31-07:Chris Lamb -From 01-08 to 07-08:Ola Lundqvist -From 08-08 to 14-08:Emilio Pozuelo Monfort +From 01-08 to 07-08:Emilio Pozuelo Monfort +From 08-08 
to 14-08:Markus Koschany From 15-08 to 21-08:Sylvain Beucler -From 22-08 to 28-08:Emilio Pozuelo Monfort -From 29-08 to 04-09:Anton Gladky -From 05-09 to 11-09:Anton Gladky -From 12-09 to 18-09:Sylvain Beucler -From 19-09 to 25-09:Anton Gladky +From 22-08 to 28-08:Thorsten Alteholz +From 29-08 to 04-09:Utkarsh Gupta +From 05-09 to 11-09:Chris Lamb +From 12-09 to 18-09:Emilio Pozuelo Monfort +From 19-09 to 25-09:Markus Koschany From 26-09 to 02-10:Sylvain Beucler -From 03-10 to 09-10:Utkarsh Gupta -From 10-10 to 16-10:Ola Lundqvist -From 17-10 to 23-10:Anton Gladky -From 24-10 to 30-10:Ola Lundqvist -From 31-10 to 06-11:Chris Lamb -From 07-11 to 13-11:Chris Lamb -From 14-11 to 20-11:Emilio Pozuelo Monfort +From 03-10 to 09-10:Thorsten Alteholz +From 10-10 to 16-10:Utkarsh Gupta +From 17-10 to 23-10:Chris Lamb +From 24-10 to 30-10:Emilio Pozuelo Monfort +From 31-10 to 06-11:Markus Koschany +From 07-11 to 13-11:Sylvain Beucler +From 14-11 to 20-11:Thorsten Alteholz From 21-11 to 27-11:Utkarsh Gupta -From 28-11 to 04-12:Utkarsh Gupta -From 05-12 to 11-12:Anton Gladky -From 12-12 to 18-12:Thorsten Alteholz -From 19-12 to 25-12:Thorsten Alteholz -From 26-12 to 01-01:Anton Gladky +From 28-11 to 04-12:Chris Lamb +From 05-12 to 11-12:Emilio Pozuelo Monfort +From 12-12 to 18-12:Markus Koschany +From 19-12 to 25-12:Sylvain Beucler +From 26-12 to 01-01:Thorsten Alteholz View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55791fe39512633d4f91aced1070b9c22d13a81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55791fe39512633d4f91aced1070b9c22d13a81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
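Review bot: the changed line `+From 07-02 to 13-02:Chris Lamb` directly follows the unchanged context line `From 31-01 to 06-02:Chris Lamb`, giving one person two consecutive weeks, and it is the only place the new file departs from a strict six-name round robin (Sylvain Beucler, Thorsten Alteholz, Utkarsh Gupta, Chris Lamb, Emilio Pozuelo Monfort, Markus Koschany, repeating from 28-02 to the end of the year). If the new dispatch logic is meant to avoid back-to-back weeks this looks like an off-by-one at the start of the cycle (Emilio Pozuelo Monfort would be due on 07-02 and everyone after him would shift one week earlier); if the double week is intentional, a short comment in the file explaining the exception would stop the next person from "fixing" it.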
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: mark CVE-2020-22674/gpac as for buster
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 31c42d09 by Roberto C. Sánchez at 2022-01-04T21:40:04-05:00 LTS: mark CVE-2020-22674/gpac as not-affected for buster - - - - - c166e99d by Roberto C. Sánchez at 2022-01-04T21:47:37-05:00 LTS: mark CVE-2019-20165/gpac as not-affected for stretch and buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -94268,7 +94268,7 @@ CVE-2020-22675 (An issue was discovered in gpac 0.8.0. The GetGhostNum function NOTE: https://github.com/gpac/gpac/commit/5aa8c4bbd970a3a77517b00528a596063efca1a9 CVE-2020-22674 (An issue was discovered in gpac 0.8.0. An invalid memory dereference e ...) - gpac 1.0.1+dfsg1-2 - [buster] - gpac (Minor issue) + [buster] - gpac (Vulnerable code introduced later, in version 0.7.0) [stretch] - gpac (Vulnerable code introduced later, in version 0.7.0) NOTE: https://github.com/gpac/gpac/issues/1346 NOTE: https://github.com/gpac/gpac/commit/6040a5981a9f51410bd18af8820afbd2748c2d76 
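Review bot: the buster line for CVE-2020-22674 now states the vulnerable code was introduced in 0.7.0, matching the stretch line, but nothing in the entry backs that claim: the two NOTEs point at the upstream issue (#1346) and the fix (6040a598...), not at the commit that introduced the code. The CVE-2019-20165 entry in the next hunk adds a `NOTE: Introduced by ...` commit for exactly this purpose; do the same here so the not-affected verdict can be re-checked later without redoing the bisection.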
@@ -139047,10 +139047,11 @@ CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac 1.0.1+dfsg1-2 (bug #972053) - [buster] - gpac (Minor issue) - [stretch] - gpac (Minor issue) + [buster] - gpac (Vulnerable code introduced later, in version 0.8.0) + [stretch] - gpac (Vulnerable code introduced later, in version 0.8.0) NOTE: https://github.com/gpac/gpac/issues/1338 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #1) + NOTE: Introduced by https://github.com/gpac/gpac/commit/86d072b6a13baa1a4a90168098a0f8354c24d8cf CVE-2019-20164 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerable code introduced in 0.7.0) NOTE: https://github.com/gpac/gpac/issues/1332 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9160b6122b2c4bf2798e2c327d837d19f21a87e4...c166e99d404462ca25d253157cc25a3a6e62bbd4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9160b6122b2c4bf2798e2c327d837d19f21a87e4...c166e99d404462ca25d253157cc25a3a6e62bbd4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
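Review bot: `{DLA-2072-1}` still sits on CVE-2019-20165 while stretch is now annotated as never having had the vulnerable code (`[stretch] - gpac (Vulnerable code introduced later, in version 0.8.0)`); a DLA cross-reference says stretch shipped a fix for this CVE, which contradicts the new line. Either the advisory really touched this code (then the not-affected annotation is wrong) or it listed the CVE without changing anything relevant (then a NOTE saying so would keep the two readings from fighting). The added `NOTE: Introduced by https://github.com/gpac/gpac/commit/86d072b6...` is the right kind of evidence for the 0.8.0 claim.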
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-3842/nltk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9160b612 by Salvatore Bonaccorso at 2022-01-04T21:50:57+01:00 Add Debian bug reference for CVE-2021-3842/nltk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15974,7 +15974,7 @@ CVE-2021-3844 CVE-2021-3843 (A potential vulnerability in the SMI function to access EEPROM in some ...) NOT-FOR-US: Lenovo CVE-2021-3842 (nltk is vulnerable to Inefficient Regular Expression Complexity ...) - - nltk + - nltk (bug #1003142) [bullseye] - nltk (Minor issue) [buster] - nltk (Minor issue) NOTE: https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9160b6122b2c4bf2798e2c327d837d19f21a87e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9160b6122b2c4bf2798e2c327d837d19f21a87e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3842/nltk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ac62753 by Salvatore Bonaccorso at 2022-01-04T21:36:10+01:00 Add CVE-2021-3842/nltk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15974,6 +15974,11 @@ CVE-2021-3844 CVE-2021-3843 (A potential vulnerability in the SMI function to access EEPROM in some ...) NOT-FOR-US: Lenovo CVE-2021-3842 (nltk is vulnerable to Inefficient Regular Expression Complexity ...) + - nltk + [bullseye] - nltk (Minor issue) + [buster] - nltk (Minor issue) + NOTE: https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a/ + NOTE: https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d (3.6.6) TODO: check CVE-2021-3841 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ac6275351fa2d763256bd0dc45a8b4e61daf00a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ac6275351fa2d763256bd0dc45a8b4e61daf00a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
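Review bot: the unchanged context line `TODO: check` now sits directly under the new `NOTE: https://github.com/nltk/nltk/commit/2a50a3ed... (3.6.6)`, so CVE-2021-3842 keeps an open TODO next to finished triage (suite annotations plus fix commit). If the remaining check is whether unstable already carries 3.6.6, say so (`TODO: check if fixed in unstable`); otherwise drop the line. The `- nltk` line also lacks a Debian bug reference at this point; the follow-up commit 9160b612 adds `(bug #1003142)`.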
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1af50de8 by Salvatore Bonaccorso at 2022-01-04T21:32:13+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -661,7 +661,7 @@ CVE-2022-22295 CVE-2022-22294 RESERVED CVE-2022-0086 (uppy is vulnerable to Server-Side Request Forgery (SSRF) ...) - TODO: check + NOT-FOR-US: Node uppy CVE-2022-0085 RESERVED CVE-2022-0084 @@ -984,11 +984,11 @@ CVE-2021-45982 CVE-2021-45981 RESERVED CVE-2021-45980 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) - TODO: check + NOT-FOR-US: Foxit CVE-2021-45979 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) - TODO: check + NOT-FOR-US: Foxit CVE-2021-45978 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) - TODO: check + NOT-FOR-US: Foxit CVE-2021-45977 RESERVED CVE-2021-45976 @@ -1445,9 +1445,9 @@ CVE-2021-4188 (mruby is vulnerable to NULL Pointer Dereference ...) NOTE: https://huntr.dev/bounties/78533fb9-f3e0-47c2-86dc-d1f96d5bea28 NOTE: Fixed by: https://github.com/mruby/mruby/commit/27d1e0132a0804581dca28df042e7047fd27eaa8 CVE-2021-45913 (A hardcoded key in ControlUp Real-Time Agent (cuAgent.exe) before 8.2. ...) - TODO: check + NOT-FOR-US: ControlUp Real-Time Agent CVE-2021-45912 (An unauthenticated Named Pipe channel in Controlup Real-Time Agent (cu ...) - TODO: check + NOT-FOR-US: ControlUp Real-Time Agent CVE-2021-44775 RESERVED CVE-2021-44465 @@ -3156,7 +3156,7 @@ CVE-2021-45391 CVE-2021-45390 RESERVED CVE-2021-45389 (StarWind SAN NAS build 1578 and StarWind Command Center Build 68 ...) - TODO: check + NOT-FOR-US: StarWind CVE-2021-45388 RESERVED CVE-2021-45387 @@ -6959,7 +6959,7 @@ CVE-2021-44170 CVE-2021-44169 RESERVED CVE-2021-44168 (A download of code without integrity check vulnerability in the "execu ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2021-44167 RESERVED CVE-2021-44166 
@@ -7959,9 +7959,9 @@ CVE-2021-43860 CVE-2021-43859 RESERVED CVE-2021-43858 (MinIO is a Kubernetes native application for cloud storage. Prior to v ...) - TODO: check + NOT-FOR-US: MinIO CVE-2021-43857 (Gerapy is a distributed crawler management framework. Gerapy prior to ...) - TODO: check + NOT-FOR-US: Gerapy CVE-2021-43856 (Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is ...) NOT-FOR-US: Wiki.js CVE-2021-43855 (Wiki.js is a wiki app built on node.js. Wiki.js 2.5.263 and earlier is ...) @@ -9125,7 +9125,7 @@ CVE-2021-43713 CVE-2021-43712 RESERVED CVE-2021-43711 (The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B2020 ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-43710 RESERVED CVE-2021-43709 @@ -15962,7 +15962,7 @@ CVE-2021-3846 (firefly-iii is vulnerable to Unrestricted Upload of File with Dan CVE-2021-23139 (A null pointer vulnerability in Trend Micro Apex One and Worry-Free Bu ...) NOT-FOR-US: Trend Micro CVE-2021-3845 (ws-scrcpy is vulnerable to External Control of File Name or Path ...) - TODO: check + NOT-FOR-US: ws-scrcpy CVE-2021-41832 (It is possible for an attacker to manipulate documents to appear to be ...) NOT-FOR-US: Apache OpenOffice CVE-2021-41831 (It is possible for an attacker to manipulate the timestamp of signed d ...) @@ -17410,7 +17410,7 @@ CVE-2021-41238 (Hangfire is an open source system to perform background job proc CVE-2021-41237 RESERVED CVE-2021-41236 (OroPlatform is a PHP Business Application Platform. In affected versio ...) - TODO: check + NOT-FOR-US: OroPlatform CVE-2021-41235 RESERVED CVE-2021-41234 
@@ -20495,9 +20495,9 @@ CVE-2021-39976 (There is a privilege escalation vulnerability in CloudEngine 580 CVE-2021-39975 (Hilinksvc has a Data Processing Errors vulnerability.Successful exploi ...) TODO: check CVE-2021-39974 (There is an Out-of-bounds read in Smartphones.Successful exploitation ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-39973 (There is a Null pointer dereference in Smartphones.Successful exploita ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-39972 (MyHuawei-App has a Exposure of Sensitive Information to an Unauthorize ...) TODO: check CVE-2021-39971 (Password vault has a External Control of System or Configuration Setti ...) @@ -22593,7 +22593,7 @@ CVE-2021-39144 (XStream is a simple library to serialize objects to XML and back NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh NOTE:
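Review bot: in the last hunk CVE-2021-39974 and CVE-2021-39973 are marked `NOT-FOR-US: Huawei`, but the neighbouring CVE-2021-39975 (Hilinksvc) and CVE-2021-39972 (MyHuawei-App) stay at `TODO: check` even though the MyHuawei-App description already names the vendor. Processing the whole Huawei block in one pass would save a second round of triage on the same advisory batch.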
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45bad22c by security tracker role at 2022-01-04T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,195 @@ +CVE-2022-22567 + RESERVED +CVE-2022-22566 + RESERVED +CVE-2022-22565 + RESERVED +CVE-2022-22564 + RESERVED +CVE-2022-22563 + RESERVED +CVE-2022-22562 + RESERVED +CVE-2022-22561 + RESERVED +CVE-2022-22560 + RESERVED +CVE-2022-22559 + RESERVED +CVE-2022-22558 + RESERVED +CVE-2022-22557 + RESERVED +CVE-2022-22556 + RESERVED +CVE-2022-22555 + RESERVED +CVE-2022-22554 + RESERVED +CVE-2022-22553 + RESERVED +CVE-2022-22552 + RESERVED +CVE-2022-22551 + RESERVED +CVE-2022-22550 + RESERVED +CVE-2022-22549 + RESERVED +CVE-2022-22548 + RESERVED +CVE-2022-22547 + RESERVED +CVE-2022-22546 + RESERVED +CVE-2022-22545 + RESERVED +CVE-2022-22544 + RESERVED +CVE-2022-22543 + RESERVED +CVE-2022-22542 + RESERVED +CVE-2022-22541 + RESERVED +CVE-2022-22540 + RESERVED +CVE-2022-22539 + RESERVED +CVE-2022-22538 + RESERVED +CVE-2022-22537 + RESERVED +CVE-2022-22536 + RESERVED +CVE-2022-22535 + RESERVED +CVE-2022-22534 + RESERVED +CVE-2022-22533 + RESERVED +CVE-2022-22532 + RESERVED +CVE-2022-22531 + RESERVED +CVE-2022-22530 + RESERVED +CVE-2022-22529 + RESERVED +CVE-2022-22528 + RESERVED +CVE-2022-22527 + RESERVED +CVE-2022-0120 + RESERVED +CVE-2022-0119 + RESERVED +CVE-2022-0118 + RESERVED +CVE-2022-0117 + RESERVED +CVE-2022-0116 + RESERVED +CVE-2022-0115 + RESERVED +CVE-2022-0114 + RESERVED +CVE-2022-0113 + RESERVED +CVE-2022-0112 + RESERVED +CVE-2022-0111 + RESERVED +CVE-2022-0110 + RESERVED +CVE-2022-0109 + RESERVED +CVE-2022-0108 + RESERVED +CVE-2022-0107 + RESERVED +CVE-2022-0106 + RESERVED +CVE-2022-0105 + RESERVED +CVE-2022-0104 + RESERVED +CVE-2022-0103 + RESERVED +CVE-2022-0102 + RESERVED +CVE-2022-0101 + RESERVED +CVE-2022-0100 + RESERVED +CVE-2022-0099 + RESERVED +CVE-2022-0098 + RESERVED +CVE-2022-0097 + RESERVED +CVE-2022-0096 + RESERVED +CVE-2022-0095 + RESERVED +CVE-2022-0094 + RESERVED +CVE-2022-0093 + RESERVED +CVE-2022-0092 + RESERVED +CVE-2022-0091 + RESERVED +CVE-2022-0090 + RESERVED +CVE-2022-0089 + RESERVED +CVE-2022-0088 + RESERVED +CVE-2021-46140 
+ RESERVED +CVE-2021-46139 + RESERVED +CVE-2021-46138 + RESERVED +CVE-2021-46137 + RESERVED +CVE-2021-46136 + RESERVED +CVE-2021-46135 + RESERVED +CVE-2021-46134 + RESERVED +CVE-2021-46133 + RESERVED +CVE-2021-46132 + RESERVED +CVE-2021-46131 + RESERVED +CVE-2021-45722 + RESERVED +CVE-2021-45110 + RESERVED +CVE-2021-45073 + RESERVED +CVE-2021-44778 + RESERVED +CVE-2021-44468 + RESERVED +CVE-2021-44456 + RESERVED +CVE-2021-44452 + RESERVED +CVE-2021-43352 + RESERVED +CVE-2021-4199 + RESERVED +CVE-2021-4198 + RESERVED +CVE-2021-31564 + RESERVED +CVE-2021-23229 + RESERVED CVE-2022-22526 RESERVED CVE-2022-22525 @@ -468,8 +660,8 @@ CVE-2022-22295 RESERVED CVE-2022-22294 RESERVED -CVE-2022-0086 - RESERVED +CVE-2022-0086 (uppy is vulnerable to Server-Side Request Forgery (SSRF) ...) + TODO: check CVE-2022-0085 RESERVED CVE-2022-0084 @@ -791,12 +983,12 @@ CVE-2021-45982 RESERVED CVE-2021-45981 RESERVED -CVE-2021-45980 - RESERVED -CVE-2021-45979 - RESERVED -CVE-2021-45978 - RESERVED +CVE-2021-45980 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) + TODO: check +CVE-2021-45979 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) + TODO: check +CVE-2021-45978 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) + TODO: check CVE-2021-45977 RESERVED CVE-2021-45976 @@ -1252,10 +1444,10 @@ CVE-2021-4188 (mruby is vulnerable to NULL Pointer Dereference ...) - mruby (Vulnerable code introduced later) NOTE: https://huntr.dev/bounties/78533fb9-f3e0-47c2-86dc-d1f96d5bea28 NOTE: Fixed by: https://github.com/mruby/mruby/commit/27d1e0132a0804581dca28df042e7047fd27eaa8 -CVE-2021-45913 - RESERVED -CVE-2021-45912 - RESERVED +CVE-2021-45913 (A hardcoded key in ControlUp Real-Time Agent (cuAgent.exe) before 8.2. ...) + TODO: check +CVE-2021-45912 (An unauthenticated Named Pipe channel in Controlup Real-Time Agent (cu ...) + TODO: check
[Git][security-tracker-team/security-tracker][master] Add sphinxsearch to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bec0f3c7 by Salvatore Bonaccorso at 2022-01-04T21:08:04+01:00 Add sphinxsearch to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -51,6 +51,9 @@ ruby2.7/stable -- runc -- +sphinxsearch/oldstable + Thorsten Alteholz prepared an update +-- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bec0f3c775ca28134ae356b86a9cf3d77f174166 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bec0f3c775ca28134ae356b86a9cf3d77f174166 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
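Review bot: the new `sphinxsearch/oldstable` entry carries a free-text line but no uid in parentheses, unlike `trafficserver (jmm)` directly below, so by the file's own rule ("To pick an issue, simply add your uid behind it") it reads as unclaimed. If Thorsten Alteholz's prepared update still needs a security team member to review and release it, make the note say that (for example `Thorsten Alteholz prepared an update, needs review/upload`) so the next person scanning the list knows what is left to do.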
[Git][security-tracker-team/security-tracker][master] gm ospu, openvswitch spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1545ede7 by Moritz Mühlenhoff at 2022-01-04T17:33:19+01:00 gm ospu, openvswitch spu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -108,3 +108,5 @@ CVE-2021-44540 [buster] - privoxy 3.0.28-2+deb10u2 CVE-2021-44543 [buster] - privoxy 3.0.28-2+deb10u2 +CVE-2020-12672 + [buster] - graphicsmagick 1.4+really1.3.35-1~deb10u2 = data/next-point-update.txt = @@ -24,3 +24,5 @@ CVE-2021-32718 [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 CVE-2021-32719 [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-36980 + [bullseye] - openvswitch 2.15.0+ds1-2+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1545ede7c50282eb325250ba460fc4f49d0a61f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1545ede7c50282eb325250ba460fc4f49d0a61f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] apache2 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d88350ab by Moritz Mühlenhoff at 2022-01-04T17:28:19+01:00 apache2 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[04 Jan 2022] DSA-5035-1 apache2 - security update + {CVE-2021-44224 CVE-2021-44790} + [buster] - apache2 2.4.38-3+deb10u7 + [bullseye] - apache2 2.4.52-1~deb11u2 [02 Jan 2022] DSA-5034-1 thunderbird - security update {CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538} [buster] - thunderbird 1:91.4.1-1~deb10u1 = data/dsa-needed.txt = @@ -11,9 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -apache2 (jmm) - Maintainer preparing updates -- asterisk/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d88350ab7906a7614273a768821d17e1edec3a96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d88350ab7906a7614273a768821d17e1edec3a96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 38011ab3 by Moritz Mühlenhoff at 2022-01-04T17:16:49+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -834,6 +834,8 @@ CVE-2021-45961 RESERVED CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...) - mruby + [bullseye] - mruby (Minor issue) + [buster] - mruby (Minor issue) NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/ NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...) @@ -1087,9 +1089,13 @@ CVE-2021-4189 [ftplib should not use the host from the PASV response] RESERVED - python3.10 (Fixed before initial upload to Debian unstable) - python3.9 3.9.7-1 + [bullseye] - python3.9 (Minor issue) - python3.7 + [buster] - python3.7 (Minor issue) - python3.5 - python2.7 + [bullseye] - python2.7 (Python 2.7 in Bullseye not covered by security support) + [buster] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue43285 NOTE: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master) NOTE: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3) @@ -4298,6 +4304,8 @@ CVE-2021-45041 (SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated NOT-FOR-US: SuiteCRM CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...) - mruby (bug #1001768) + [bullseye] - mruby (Minor issue) + [buster] - mruby (Minor issue) [stretch] - mruby (revisit when/if fix is complete) NOTE: https://huntr.dev/bounties/4ce5dc47-2512-4c87-8609-453adc8cad20 NOTE: https://github.com/mruby/mruby/commit/f5e10c5a79a17939af763b1dcf5232ce47e24a34 
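Review bot: in the third hunk CVE-2021-4110 gets `[bullseye] - mruby (Minor issue)` and `[buster] - mruby (Minor issue)` right above the existing `[stretch] - mruby (revisit when/if fix is complete)`; if the upstream fix is still incomplete for stretch it is incomplete for the other two suites as well, so carry the same caveat into the new lines (`Minor issue; revisit when/if fix is complete`) so they are not read as settled.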
@@ -4756,6 +4764,8 @@ CVE-2021-44848 (In Cibele Thinfinity VirtualUI before 3.0, /changePassword retur NOT-FOR-US: Cibele Thinfinity VirtualUI CVE-2021-44847 (A stack-based buffer overflow in handle_request function in DHT.c in t ...) - libtoxcore 0.2.13-1 (bug #1001711) + [bullseye] - libtoxcore (Minor issue) + [buster] - libtoxcore (Minor issue) NOTE: https://github.com/TokTok/c-toxcore/pull/1718 NOTE: https://blog.tox.chat/2021/12/stack-based-buffer-overflow-vulnerability-in-udp-packet-handling-in-toxcore-cve-2021-44847/ NOTE: Introduced by: https://github.com/TokTok/c-toxcore/commit/71260e38e8d12547b0e55916daf6cadd72f52e19 (v0.1.9) @@ -16602,11 +16612,13 @@ CVE-2021-41497 (Null pointer reference in CMS_Conservative_increment_obj in RaRe NOT-FOR-US: RaRe-Technologies bounter CVE-2021-41496 (Buffer overflow in the array_from_pyobj function of fortranobject.c in ...) - numpy + [bullseye] - numpy (Minor issue) NOTE: https://github.com/numpy/numpy/issues/19000 NOTE: https://github.com/numpy/numpy/pull/20630 NOTE: https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2 CVE-2021-41495 (Null Pointer Dereference vulnerability exists in numpy.sort in NumPy & ...) - numpy + [bullseye] - numpy (Minor issue) NOTE: https://github.com/numpy/numpy/issues/19038 TODO: check for classification/severity CVE-2021-41494 @@ -26994,6 +27006,8 @@ CVE-2021-37233 RESERVED CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.204813 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993366) + [bullseye] - atomicparsley (Minor issue) + [buster] - atomicparsley (Minor issue) [stretch] - atomicparsley (Minor issue) - gtkpod (bug #993376) [bullseye] - gtkpod (Minor issue) 
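Review bot: `[bullseye] - libtoxcore (Minor issue)` and `[buster] - libtoxcore (Minor issue)` for CVE-2021-44847 need a stated rationale: the entry describes a stack-based buffer overflow in `handle_request` in DHT.c, i.e. in UDP packet handling reachable from the network (the linked blog post title says the same), and the `Introduced by` NOTE places it in v0.1.9, so both suites are in range. If the decision rests on the overflow being limited to a crash, or on no package in the archive exposing the DHT code, record that in the annotation (`Minor issue; <reason>`) so the no-DSA call can be revisited if a working exploit turns up.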
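Review bot: CVE-2021-41495 now gets `[bullseye] - numpy (Minor issue)` while the unchanged `TODO: check for classification/severity` two lines below still says the severity has not been decided; resolve the TODO (drop it, or record the classification) rather than leave both. Neither CVE-2021-41496 nor CVE-2021-41495 receives a `[buster]` line in this hunk, unlike the mruby, libtoxcore and atomicparsley hunks in the same "buster/bullseye triage" commit; if buster's numpy is unaffected, say so, otherwise buster stays open for both.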
@@ -27003,6 +27017,8 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124. NOTE: https://github.com/wez/atomicparsley/issues/32 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993372) + [bullseye] - atomicparsley (Minor issue) + [buster] - atomicparsley (Minor issue) [stretch] - atomicparsley (Minor issue) - gtkpod (bug #993375) [bullseye] - gtkpod (Minor issue) @@ -34279,9 +34295,9 @@ CVE-2021-34142 RESERVED CVE-2021-34141 (Incomplete string comparison in the numpy.core component in NumPy1.9.x ...) - numpy + [bullseye] - numpy (Minor issue) NOTE: https://github.com/numpy/numpy/issues/18993 NOTE: https://github.com/numpy/numpy/commit/eeef9d4646103c3b1afd3085f1393f2b3f9575b2
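Review bot: CVE-2021-34141 gets only `[bullseye] - numpy (Minor issue)`; the (truncated) description names NumPy 1.9.x, so buster's numpy is presumably in the affected range too, and the hunk leaves it without a `[buster]` annotation. Add one (Minor issue, or a not-affected reason) so buster does not stay open by omission in a commit titled "buster/bullseye triage".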
[Git][security-tracker-team/security-tracker][master] Add reference for reported bug for CVE-2021-44273/e2guardian
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9886e62b by Salvatore Bonaccorso at 2022-01-04T16:58:35+01:00 Add reference for reported bug for CVE-2021-44273/e2guardian - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6347,7 +6347,7 @@ CVE-2021-44275 CVE-2021-44274 RESERVED CVE-2021-44273 (e2guardian v5.4.x = v5.4.3r is affected by missing SSL certificate ...) - - e2guardian + - e2guardian (bug #1003125) [stretch] - e2guardian (Minor issue; can be fixed later) NOTE: https://www.openwall.com/lists/oss-security/2021/12/23/2 NOTE: https://github.com/e2guardian/e2guardian/issues/707 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9886e62b52ac7536a596fa00621d072b2e020c1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9886e62b52ac7536a596fa00621d072b2e020c1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for python-django via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 503fb025 by Salvatore Bonaccorso at 2022-01-04T16:42:23+01:00 Track fixed version for python-django via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2777,7 +2777,7 @@ CVE-2021-45453 RESERVED CVE-2021-45452 [Potential directory-traversal via Storage.save()] RESERVED - - python-django (bug #1003113) + - python-django 2:3.2.11-1 (bug #1003113) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ NOTE: https://github.com/django/django/commit/8d2f7cff76200cbd2337b2cf1707e383eb1fb54b (3.2.11) NOTE: https://github.com/django/django/commit/4cb35b384ceef52123fc66411a73c36a706825e1 (2.2.26) 
@@ -3757,13 +3757,13 @@ CVE-2021-45117 RESERVED CVE-2021-45116 [Potential information disclosure in dictsort template filter] RESERVED - - python-django (bug #1003113) + - python-django 2:3.2.11-1 (bug #1003113) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ NOTE: https://github.com/django/django/commit/c7fe895bca06daf12cc1670b56eaf72a1ef27a16 (3.2.11) NOTE: https://github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (2.2.26) CVE-2021-45115 [Denial-of-service possibility in UserAttributeSimilarityValidator] RESERVED - - python-django (bug #1003113) + - python-django 2:3.2.11-1 (bug #1003113) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ NOTE: https://github.com/django/django/commit/a8b32fe13bcaed1c0b772fdc53de84abc224fb20 (3.2.11) NOTE: https://github.com/django/django/commit/2135637fdd5ce994de110affef9e67dffdf77277 (2.2.26) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503fb025e9ad984393dffa3301afff396e90447c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503fb025e9ad984393dffa3301afff396e90447c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS (CVE-2021-45115, ...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fbb55199 by Chris Lamb at 2022-01-04T15:00:19+00:00 data/dla-needed.txt: Triage python-django for stretch LTS (CVE-2021-45115, CVE-2021-45116 CVE-2021-45452) - - - - - 72091f42 by Chris Lamb at 2022-01-04T15:08:39+00:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -89,6 +89,8 @@ php-nette (Utkarsh) pjproject NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu) -- +python-django (Chris Lamb) +-- roundcube -- samba (Utkarsh Gupta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7ef567969512bb282e00502c6214458edbe7c560...72091f42387fe47c1199f6939f8701edbb74b9eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7ef567969512bb282e00502c6214458edbe7c560...72091f42387fe47c1199f6939f8701edbb74b9eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
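Review bot: the new entry `python-django (Chris Lamb)` records the claimant but not the CVEs being handled; the commit message lists CVE-2021-45115, CVE-2021-45116 and CVE-2021-45452, and the `pjproject` entry right above uses a `NOTE:` line for this kind of detail, so a `NOTE: CVE-2021-45115 CVE-2021-45116 CVE-2021-45452` under the package name would save the next reader a trip to data/CVE/list. Claimant names also vary in form in this file (`Utkarsh`, `Utkarsh Gupta`, `pochu`); picking one form would make the list easier to grep.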
[Git][security-tracker-team/security-tracker][master] Add missing colon
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ef56796 by Emilio Pozuelo Monfort at 2022-01-04T14:05:24+01:00 Add missing colon - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23714,7 +23714,7 @@ CVE-2021-38543 (TP-Link UE330 USB splitter devices through 2021-08-09, in certai NOT-FOR-US: TP-Link CVE-2021-38542 RESERVED - NOT-FOR-US Apache James + NOT-FOR-US: Apache James CVE-2021-38541 RESERVED CVE-2021-3699 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ef567969512bb282e00502c6214458edbe7c560 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ef567969512bb282e00502c6214458edbe7c560 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
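Review bot: the one-character change restores the `NOT-FOR-US:` annotation syntax the tracker's checker requires; this is the line the two processing failures point at (data/CVE/list:23717, "expected CVE annotation, got: 'NOT-FOR-US Apache James'"), so the commit also unblocks automatic processing of the commits that failed before it. No further change is needed here: the other Apache James and Apache Geode annotations from the same batch already carry the colon.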
Processing bd14594f4481a1e6b5bdc6877c8bf5c239e0f5ee failed
The error message was: data/CVE/list:23717: expected CVE annotation, got: 'NOT-FOR-US Apache James' make: *** [Makefile:19: all] Error 1
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2021-45944
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bd14594f by Salvatore Bonaccorso at 2022-01-04T14:02:03+01:00 Update information on CVE-2021-45944 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -908,10 +908,10 @@ CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called f CVE-2021-45945 (uWebSockets 19.0.0 through 20.8.0 has an out-of-bounds write in std::_ ...) NOT-FOR-US: uWebSockets CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampl ...) - - ghostscript + - ghostscript 9.54.0~dfsg-5 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29903 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml - TODO: check, oss-fuzz "fixing commit" cannot be correct as it only removes a documentation snippet. + NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25 CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::C ...) [experimental] - gdal 3.4.1~rc1+dfsg-1~exp1 - gdal View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd14594f4481a1e6b5bdc6877c8bf5c239e0f5ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd14594f4481a1e6b5bdc6877c8bf5c239e0f5ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
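Review bot: the replaced TODO questioned the oss-fuzz "fixing commit", and the new NOTE substitutes a ghostpdl.git commit, but unlike the Django NOTE lines it does not say which upstream release contains that commit; since the description gives the affected range as 9.50 through 9.53.3 and the recorded fixed Debian version is 9.54.0~dfsg-5, appending the upstream version in parentheses would let oldstable/LTS triage see at a glance whether the fix predates 9.54 or needs a backport.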
Processing 06412638e77ddd1dc0eb5a8c11dd8ebe8536b140 failed
The error message was: data/CVE/list:23717: expected CVE annotation, got: 'NOT-FOR-US Apache James' make: *** [Makefile:19: all] Error 1
[Git][security-tracker-team/security-tracker][master] 2 commits: NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: dd79b441 by Henri Salo at 2022-01-04T14:53:37+02:00 NFU - - - - - 06412638 by Henri Salo at 2022-01-04T14:55:16+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18914,6 +18914,7 @@ CVE-2021-40526 (Incorrect calculation of buffer size vulnerability in Peleton TT NOT-FOR-US: Peleton CVE-2021-40525 RESERVED + NOT-FOR-US: Apache James CVE-2021-3776 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: showdoc CVE-2021-3775 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) @@ -19994,8 +19995,10 @@ CVE-2021-40112 (Multiple vulnerabilities in the web-based management interface o NOT-FOR-US: Cisco CVE-2021-40111 RESERVED + NOT-FOR-US: Apache James CVE-2021-40110 RESERVED + NOT-FOR-US: Apache James CVE-2021-40109 (A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can a ...) NOT-FOR-US: Concrete CMS CVE-2021-40108 (An issue was discovered in Concrete CMS through 8.5.5. The Calendar is ...) @@ -23711,6 +23714,7 @@ CVE-2021-38543 (TP-Link UE330 USB splitter devices through 2021-08-09, in certai NOT-FOR-US: TP-Link CVE-2021-38542 RESERVED + NOT-FOR-US Apache James CVE-2021-38541 RESERVED CVE-2021-3699 
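Review bot: the third hunk adds `NOT-FOR-US Apache James` under CVE-2021-38542 without the colon that the two Apache James annotations in the earlier hunks use; the tracker's syntax check rejects it ("expected CVE annotation, got: 'NOT-FOR-US Apache James'" at data/CVE/list:23717), which is why processing of this commit and the one pushed after it failed until the colon was added in a follow-up commit. Running the Makefile check locally before pushing would have caught this.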
@@ -32758,6 +32762,7 @@ CVE-2021-3604 (Secure 8 (Evalos) does not validate user input data correctly, al NOT-FOR-US: Secure 8 (Evalos) CVE-2021-34797 RESERVED + NOT-FOR-US: Apache Geode CVE-2021-34796 RESERVED CVE-2021-34795 (Multiple vulnerabilities in the web-based management interface of the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b074589480797821bc1933c2bc6d3a77e6664aaf...06412638e77ddd1dc0eb5a8c11dd8ebe8536b140 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b074589480797821bc1933c2bc6d3a77e6664aaf...06412638e77ddd1dc0eb5a8c11dd8ebe8536b140 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Record commits for three python-django issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b0745894 by Salvatore Bonaccorso at 2022-01-04T13:35:47+01:00 Record commits for three python-django issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2779,6 +2779,8 @@ CVE-2021-45452 [Potential directory-traversal via Storage.save()] RESERVED - python-django (bug #1003113) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ + NOTE: https://github.com/django/django/commit/8d2f7cff76200cbd2337b2cf1707e383eb1fb54b (3.2.11) + NOTE: https://github.com/django/django/commit/4cb35b384ceef52123fc66411a73c36a706825e1 (2.2.26) CVE-2021-4150 [Block subsystem mishandles reference counts] RESERVED - linux 5.15.3-1 
@@ -3757,10 +3759,14 @@ CVE-2021-45116 [Potential information disclosure in dictsort template filter] RESERVED - python-django (bug #1003113) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ + NOTE: https://github.com/django/django/commit/c7fe895bca06daf12cc1670b56eaf72a1ef27a16 (3.2.11) + NOTE: https://github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (2.2.26) CVE-2021-45115 [Denial-of-service possibility in UserAttributeSimilarityValidator] RESERVED - python-django (bug #1003113) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ + NOTE: https://github.com/django/django/commit/a8b32fe13bcaed1c0b772fdc53de84abc224fb20 (3.2.11) + NOTE: https://github.com/django/django/commit/2135637fdd5ce994de110affef9e67dffdf77277 (2.2.26) CVE-2021-45106 RESERVED CVE-2021-44463 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b074589480797821bc1933c2bc6d3a77e6664aaf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b074589480797821bc1933c2bc6d3a77e6664aaf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add three new python-django CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 17b38e97 by Salvatore Bonaccorso at 2022-01-04T13:30:56+01:00 Add three new python-django CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2775,8 +2775,10 @@ CVE-2021-45454 RESERVED CVE-2021-45453 RESERVED -CVE-2021-45452 +CVE-2021-45452 [Potential directory-traversal via Storage.save()] RESERVED + - python-django (bug #1003113) + NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ CVE-2021-4150 [Block subsystem mishandles reference counts] RESERVED - linux 5.15.3-1 @@ -3751,10 +3753,14 @@ CVE-2021-45118 RESERVED CVE-2021-45117 RESERVED -CVE-2021-45116 +CVE-2021-45116 [Potential information disclosure in dictsort template filter] RESERVED -CVE-2021-45115 + - python-django (bug #1003113) + NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ +CVE-2021-45115 [Denial-of-service possibility in UserAttributeSimilarityValidator] RESERVED + - python-django (bug #1003113) + NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ CVE-2021-45106 RESERVED CVE-2021-44463 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17b38e9719d6b8aafc199ebc0eb4ed963f63ddf5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17b38e9719d6b8aafc199ebc0eb4ed963f63ddf5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
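Review bot: the three new entries record the package and bug #1003113 but no fixed version, so until a version is added the tracker treats python-django as unfixed in every suite; that is correct at the time of the commit, since the upstream advisory was published the same day, but the follow-up that adds the version should cover CVE-2021-45452 near line 2778 as well as the two entries near line 3755, because all three share one bug and one advisory.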
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a8c28767 by Emilio Pozuelo Monfort at 2022-01-04T12:32:20+01:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -104,6 +104,9 @@ slurm-llnl (Sylvain Beucler) sphinxsearch (Thorsten Alteholz) NOTE: 20220103: waiting for Buster upload -- +thunderbird (Emilio) + NOTE: 20220104: ftbfs on armhf (pochu) +-- vim (Anton) NOTE: 20211203: adding here as it's in the ela-needed as well NOTE: 20211203: so worth fixing in stretch, too. Co-ordinate w/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8c28767a39d9b26d96f1731dbdf5640c845c472 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8c28767a39d9b26d96f1731dbdf5640c845c472 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
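Review bot: thunderbird is re-added to data/dla-needed.txt after DLA-2874-1 was reserved for it the same day; the single note "20220104: ftbfs on armhf (pochu)" gives the reason, but the entry does not distinguish this build-failure follow-up from the original security update, so a reader of the list may think the DLA is still outstanding. Stating in the note that DLA-2874-1 is already reserved and this entry tracks only the armhf build would avoid that.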
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 199f9402 by Thorsten Alteholz at 2022-01-04T11:52:20+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,8 +81,8 @@ nvidia-graphics-drivers (Markus Koschany) NOTE: 20211108: now fixes all 5 CVEs (bunk) NOTE: 20211229: https://people.debian.org/~apo/lts/nvidia-graphics-drivers/ -- -pgbouncer - NOTE: 20211220: maintainer might want to upload fixed version +pgbouncer (Christoph Berg) + NOTE: 20220104: maintainer might want to upload fixed version -- php-nette (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/199f94023b070e623fb5e56086510908b00ff52c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/199f94023b070e623fb5e56086510908b00ff52c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
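Review bot: the pgbouncer change assigns Christoph Berg and rewrites the date of the existing note from 20211220 to 20220104 while keeping its text; other entries in the file (nvidia-graphics-drivers with its 20211108 and 20211229 notes, for example) append a new dated NOTE instead of editing the old one, which preserves how long the item has been waiting on the maintainer. Consider keeping the 20211220 line and adding a second dated note for the new contact.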
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2874-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b380108 by Emilio Pozuelo Monfort at 2022-01-04T11:04:27+01:00 Reserve DLA-2874-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Jan 2022] DLA-2874-1 thunderbird - security update + {CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538} + [stretch] - thunderbird 1:91.4.1-1~deb9u1 [03 Jan 2022] DLA-2480-2 salt - regression update [stretch] - salt 2016.11.2+ds-1+deb9u10 [31 Dec 2021] DLA-2873-1 aria2 - security update = data/dla-needed.txt = 
@@ -104,12 +104,6 @@ slurm-llnl (Sylvain Beucler) sphinxsearch (Thorsten Alteholz) NOTE: 20220103: waiting for Buster upload -- -thunderbird (Emilio) - NOTE: 20211122: blocked on toolchain backports (pochu) - NOTE: 20211206: progressing on the toolchain front (pochu) - NOTE: 20211220: backport in progress, making it build with python3.5 (pochu) - NOTE: 20210103: DSA released, DLA will follow today (pochu) --- vim (Anton) NOTE: 20211203: adding here as it's in the ela-needed as well NOTE: 20211203: so worth fixing in stretch, too. Co-ordinate w/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b380108b1d10e6cabb78d241ab3a23d5fd2bd8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b380108b1d10e6cabb78d241ab3a23d5fd2bd8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage roundcube for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d6f4c039 by Chris Lamb at 2022-01-04T09:23:29+00:00 data/dla-needed.txt: Triage roundcube for stretch LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -89,6 +89,8 @@ php-nette (Utkarsh) pjproject NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu) -- +roundcube +-- samba (Utkarsh Gupta) NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ NOTE: 20211212: Fix is too large, coordination with ELTS-upload View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6f4c039c2c7762f66c15bc8e61cb4e2ef4c414f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6f4c039c2c7762f66c15bc8e61cb4e2ef4c414f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
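Review bot: the new `roundcube` entry in data/dla-needed.txt has neither an assignee nor a NOTE; data/CVE/list in the same day's commits carries a roundcube entry ("XSS vulnerability via HTML messages with malicious CSS content") with NOTE links to the 1.5.2 and 1.4.13 security releases, so a dated note pointing at those would tell whoever claims the package which upstream fix to backport for stretch.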
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5250c2a7 by Salvatore Bonaccorso at 2022-01-04T09:25:55+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -776,7 +776,7 @@ CVE-2021- [XSS vulnerability via HTML messages with malicious CSS content] NOTE: https://roundcube.net/news/2021/12/30/update-1.5.2-released NOTE: https://roundcube.net/news/2021/12/30/security-update-1.4.13-released CVE-2022-0083 (livehelperchat is vulnerable to Generation of Error Message Containing ...) - TODO: check + NOT-FOR-US: livehelperchat CVE-2022-0082 RESERVED CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstra ...) @@ -7573,7 +7573,7 @@ CVE-2021-43944 CVE-2021-43943 RESERVED CVE-2021-43942 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-43941 RESERVED CVE-2021-43940 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5250c2a7899bf55e11861d534dae0947db76317c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5250c2a7899bf55e11861d534dae0947db76317c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2021-45817 (duplicate of CVE-2018-11689)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f566e922 by Salvatore Bonaccorso at 2022-01-04T09:16:48+01:00 Remove notes from CVE-2021-45817 (duplicate of CVE-2018-11689) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1496,7 +1496,6 @@ CVE-2021-45818 (SAFARI Montage 8.7.32 is affected by a CRLF injection vulnerabil NOT-FOR-US: SAFARI Montage CVE-2021-45817 REJECTED - NOT-FOR-US: Web Viewer for Hanwha DVR CVE-2021-45816 RESERVED CVE-2021-45815 (Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Script ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f566e9225c915b871221fd41cd1ae0b05174f509 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f566e9225c915b871221fd41cd1ae0b05174f509 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f4aed64 by security tracker role at 2022-01-04T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,447 @@ +CVE-2022-22526 + RESERVED +CVE-2022-22525 + RESERVED +CVE-2022-22524 + RESERVED +CVE-2022-22523 + RESERVED +CVE-2022-22522 + RESERVED +CVE-2022-22521 + RESERVED +CVE-2022-22520 + RESERVED +CVE-2022-22519 + RESERVED +CVE-2022-22518 + RESERVED +CVE-2022-22517 + RESERVED +CVE-2022-22516 + RESERVED +CVE-2022-22515 + RESERVED +CVE-2022-22514 + RESERVED +CVE-2022-22513 + RESERVED +CVE-2022-22512 + RESERVED +CVE-2022-22511 + RESERVED +CVE-2022-22510 + RESERVED +CVE-2022-22509 + RESERVED +CVE-2022-22508 + RESERVED +CVE-2022-22507 + RESERVED +CVE-2022-22506 + RESERVED +CVE-2022-22505 + RESERVED +CVE-2022-22504 + RESERVED +CVE-2022-22503 + RESERVED +CVE-2022-22502 + RESERVED +CVE-2022-22501 + RESERVED +CVE-2022-22500 + RESERVED +CVE-2022-22499 + RESERVED +CVE-2022-22498 + RESERVED +CVE-2022-22497 + RESERVED +CVE-2022-22496 + RESERVED +CVE-2022-22495 + RESERVED +CVE-2022-22494 + RESERVED +CVE-2022-22493 + RESERVED +CVE-2022-22492 + RESERVED +CVE-2022-22491 + RESERVED +CVE-2022-22490 + RESERVED +CVE-2022-22489 + RESERVED +CVE-2022-22488 + RESERVED +CVE-2022-22487 + RESERVED +CVE-2022-22486 + RESERVED +CVE-2022-22485 + RESERVED +CVE-2022-22484 + RESERVED +CVE-2022-22483 + RESERVED +CVE-2022-22482 + RESERVED +CVE-2022-22481 + RESERVED +CVE-2022-22480 + RESERVED +CVE-2022-22479 + RESERVED +CVE-2022-22478 + RESERVED +CVE-2022-22477 + RESERVED +CVE-2022-22476 + RESERVED +CVE-2022-22475 + RESERVED +CVE-2022-22474 + RESERVED +CVE-2022-22473 + RESERVED +CVE-2022-22472 + RESERVED +CVE-2022-22471 + RESERVED +CVE-2022-22470 + RESERVED +CVE-2022-22469 + RESERVED +CVE-2022-22468 + RESERVED +CVE-2022-22467 + RESERVED +CVE-2022-22466 + RESERVED +CVE-2022-22465 + RESERVED +CVE-2022-22464 + RESERVED +CVE-2022-22463 + RESERVED +CVE-2022-22462 + RESERVED +CVE-2022-22461 + RESERVED +CVE-2022-22460 + RESERVED +CVE-2022-22459 + RESERVED +CVE-2022-22458 + RESERVED +CVE-2022-22457 + RESERVED +CVE-2022-22456 + RESERVED +CVE-2022-22455 + RESERVED +CVE-2022-22454 + RESERVED 
+CVE-2022-22453 + RESERVED +CVE-2022-22452 + RESERVED +CVE-2022-22451 + RESERVED +CVE-2022-22450 + RESERVED +CVE-2022-22449 + RESERVED +CVE-2022-22448 + RESERVED +CVE-2022-22447 + RESERVED +CVE-2022-22446 + RESERVED +CVE-2022-22445 + RESERVED +CVE-2022-22444 + RESERVED +CVE-2022-22443 + RESERVED +CVE-2022-22442 + RESERVED +CVE-2022-22441 + RESERVED +CVE-2022-22440 + RESERVED +CVE-2022-22439 + RESERVED +CVE-2022-22438 + RESERVED +CVE-2022-22437 + RESERVED +CVE-2022-22436 + RESERVED +CVE-2022-22435 + RESERVED +CVE-2022-22434 + RESERVED +CVE-2022-22433 + RESERVED +CVE-2022-22432 + RESERVED +CVE-2022-22431 + RESERVED +CVE-2022-22430 + RESERVED +CVE-2022-22429 + RESERVED +CVE-2022-22428 + RESERVED +CVE-2022-22427 + RESERVED +CVE-2022-22426 + RESERVED +CVE-2022-22425 + RESERVED +CVE-2022-22424 + RESERVED +CVE-2022-22423 + RESERVED +CVE-2022-22422 + RESERVED +CVE-2022-22421 + RESERVED +CVE-2022-22420 + RESERVED +CVE-2022-22419 + RESERVED +CVE-2022-22418 + RESERVED +CVE-2022-22417 + RESERVED +CVE-2022-22416 + RESERVED +CVE-2022-22415 + RESERVED +CVE-2022-22414 + RESERVED +CVE-2022-22413 + RESERVED +CVE-2022-22412 + RESERVED +CVE-2022-22411 + RESERVED +CVE-2022-22410 + RESERVED +CVE-2022-22409 + RESERVED +CVE-2022-22408 + RESERVED +CVE-2022-22407 + RESERVED +CVE-2022-22406 + RESERVED +CVE-2022-22405 + RESERVED +CVE-2022-22404 + RESERVED +CVE-2022-22403 + RESERVED +CVE-2022-22402 + RESERVED +CVE-2022-22401 + RESERVED +CVE-2022-22400 + RESERVED +CVE-2022-22399 + RESERVED +CVE-2022-22398 + RESERVED +CVE-2022-22397 + RESERVED +CVE-2022-22396 + RESERVED +CVE-2022-22395 + RESERVED +CVE-2022-22394 + RESERVED +CVE-2022-22393 + RESERVED +CVE-2022-22392 + RESERVED +CVE-2022-22391 + RESERVED +CVE-2022-22390 + RESERVED +CVE-2022-22389 + RESERVED +CVE-2022-22388 + RESERVED +CVE-2022-22387 + RESERVED +CVE-2022-22386 +