[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-5238/cmark-gfm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1efb3924 by Salvatore Bonaccorso at 2022-01-18T08:19:30+01:00 Track fixed verison for CVE-2020-5238/cmark-gfm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -141346,7 +141346,7 @@ CVE-2020-5240 (In wagtail-2fa before 1.4.1, any user with access to the CMS can CVE-2020-5239 (In Mailu before version 1.7, an authenticated user can exploit a vulne ...) NOT-FOR-US: Mailu CVE-2020-5238 (The table extension in GitHub Flavored Markdown before version 0.29.0. ...) - - cmark-gfm (bug #965984) + - cmark-gfm 0.29.0.gfm.2-1 (bug #965984) [bullseye] - cmark-gfm (Minor issue) [buster] - cmark-gfm (Minor issue) - python-cmarkgfm (bug #965983) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1efb39245d2a0b5c01b45c68e008462968e67cb8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1efb39245d2a0b5c01b45c68e008462968e67cb8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
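Review bot: the commit message (and the mail subject) misspells "version" as "verison"; cosmetic, but the tracker's history is read by people grepping for package names and CVE ids, so keep messages clean. The data change itself is consistent: the unstable line now carries `0.29.0.gfm.2-1`, which satisfies the description's "before version 0.29.0", and the `[bullseye]` / `[buster]` `(Minor issue)` tags are deliberately left untouched.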
[Git][security-tracker-team/security-tracker][master] Update NFU comment for CVE-2021-45608
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bbf0a949 by Salvatore Bonaccorso at 2022-01-18T08:04:18+01:00 Update NFU comment for CVE-2021-45608 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4696,7 +4696,7 @@ CVE-2021-45610 (Certain NETGEAR devices are affected by a buffer overflow by an CVE-2021-45609 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2021-45608 (Certain D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital d ...) - NOT-FOR-US: Netgear + NOT-FOR-US: D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital devices CVE-2021-45607 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2021-45606 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbf0a9492746df8e08bf2a71db10180caeed0c9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbf0a9492746df8e08bf2a71db10180caeed0c9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Expand todos for WebKitGTK issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9db9896a by Salvatore Bonaccorso at 2022-01-18T07:58:38+01:00 Expand todos for WebKitGTK issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4961,11 +4961,11 @@ CVE-2021-45485 (In the IPv6 implementation in the Linux kernel before 5.13.3, ne CVE-2021-45484 (In NetBSD through 9.2, the IPv6 fragment ID generation algorithm emplo ...) NOT-FOR-US: NetBSD CVE-2021-45483 (In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::Fram ...) - TODO: check + TODO: check, claimed to be different than CVE-2021-30889 CVE-2021-45482 (In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::Cont ...) - TODO: check + TODO: check, claimed to be different than CVE-2021-30889 CVE-2021-45481 (In WebKitGTK before 2.32.4, there is incorrect memory allocation in We ...) - TODO: check + TODO: check, claimed to be different than CVE-2021-30889 CVE-2021-45480 (An issue was discovered in the Linux kernel before 5.15.11. There is a ...) - linux [stretch] - linux (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db9896a60f3296cfe79bb9606ff710a3e228775 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db9896a60f3296cfe79bb9606ff710a3e228775 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
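Review bot: the expanded TODO for CVE-2021-45481, CVE-2021-45482 and CVE-2021-45483 records that the issues are "claimed to be different" from CVE-2021-30889 but not who makes the claim or where; a `NOTE:` line with the source (the upstream WebKitGTK advisory or the CNA text) would let whoever picks up the TODO verify the claim instead of re-deriving it. Minor wording for the next edit: "different from" rather than "different than".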
[Git][security-tracker-team/security-tracker][master] Correct used CVE id for nodejs issue for prototype pollution via console.table properties
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 460c2efd by Salvatore Bonaccorso at 2022-01-18T07:31:20+01:00 Correct used CVE id for nodejs issue for prototype pollution via console.table properties - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7629,8 +7629,6 @@ CVE-2022-21826 RESERVED CVE-2022-21825 RESERVED -CVE-2022-21824 - RESERVED CVE-2022-21823 (A insecure storage of sensitive information vulnerability exists in Iv ...) NOT-FOR-US: Ivanti CVE-2021-44831 @@ -8570,12 +8568,14 @@ CVE-2021-44536 RESERVED CVE-2021-44535 RESERVED -CVE-2021-44534 [Prototype pollution via console.table properties] +CVE-2022-21824 [Prototype pollution via console.table properties] RESERVED - nodejs [stretch] - nodejs (Nodejs in stretch not covered by security support) NOTE: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#prototype-pollution-via-console-table-properties-low-cve-2022-21824 NOTE: https://github.com/nodejs/node/commit/be69403528da99bf3df9e1dc47186f18ba59cb5e (v12.x) +CVE-2021-44534 + RESERVED CVE-2021-44533 [Incorrect handling of certificate subject and issuer fields] RESERVED - nodejs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/460c2efdf689de6012e695d6fcd49032a59c8792 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/460c2efdf689de6012e695d6fcd49032a59c8792 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4142 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6cb4b98 by Salvatore Bonaccorso at 2022-01-18T07:21:28+01:00 Add CVE-2021-4142 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6068,6 +6068,7 @@ CVE-2021-45234 RESERVED CVE-2021-4142 RESERVED + NOT-FOR-US: Red Hat Satellite / Candlepin CVE-2021-4141 RESERVED CVE-2021-4140 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6cb4b98a0ff2397712bc9873b3b8b2954827df3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6cb4b98a0ff2397712bc9873b3b8b2954827df3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: aac050f9 by Jeremiah C. Foster at 2022-01-17T21:03:17-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Jeremiah C. Foster- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -ansible (Lee Garrett) +ansible NOTE: 20210411: As discussed with the maintainer I will update Buster first and NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ @@ -36,7 +36,7 @@ debian-archive-keyring -- expat (Markus Koschany) -- -firmware-nonfree (Markus Koschany) +firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag NOTE: 20211207: Intend to release this week. @@ -54,7 +54,7 @@ golang-1.7 (Sylvain Beucler) golang-1.8 (Sylvain Beucler) NOTE: 20220114: harmonize with bullseye-11.2 (CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717) (Beuc) -- -gpac (Roberto C. Sánchez) +gpac NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) 
@@ -90,7 +90,7 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -nvidia-graphics-drivers (Markus Koschany) +nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aac050f99b03cf57c1551a1e95aecc01589d9528 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aac050f99b03cf57c1551a1e95aecc01589d9528 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
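Review bot: the file header quoted as context in the first hunk asks that notes be appended rather than removed or replaced, but the unclaim hunks only drop the claimant name from `ansible`, `firmware-nonfree`, `gpac` and `nvidia-graphics-drivers` without recording the unclaim itself. Appending a dated line such as `NOTE: 20220117: unclaimed after 2 weeks of inactivity` under each entry would keep the history readable, especially for `firmware-nonfree`, whose last note (20211207, "Intend to release this week") now reads as if work were still in progress.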
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-42357 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 310e255e by Salvatore Bonaccorso at 2022-01-17T22:31:29+01:00 Add CVE-2021-42357 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17231,6 +17231,7 @@ CVE-2021-42358 (The Contact Form With Captcha WordPress plugin is vulnerable to NOT-FOR-US: WordPress plugin CVE-2021-42357 RESERVED + NOT-FOR-US: Apache Knox CVE-2021-42356 RESERVED CVE-2021-42355 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/310e255ea6c022ec72c3a1489cf73d8587ead14d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/310e255ea6c022ec72c3a1489cf73d8587ead14d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ef00b22 by Salvatore Bonaccorso at 2022-01-17T21:44:01+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,17 +15,17 @@ CVE-2022-0260 CVE-2022-0259 RESERVED CVE-2022-0258 (pimcore is vulnerable to Improper Neutralization of Special Elements u ...) - TODO: check + NOT-FOR-US: pimcore CVE-2022-0257 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) - TODO: check + NOT-FOR-US: pimcore CVE-2022-0256 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) - TODO: check + NOT-FOR-US: pimcore CVE-2022-0255 RESERVED CVE-2022-0254 RESERVED CVE-2022-0253 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) - TODO: check + NOT-FOR-US: livehelperchat CVE-2022-0252 RESERVED CVE-2022-0251 @@ -693,9 +693,9 @@ CVE-2022-0186 CVE-2022-0185 RESERVED CVE-2022-0184 (Insufficiently protected credentials vulnerability in 'TEPRA' PRO SR59 ...) - TODO: check + NOT-FOR-US: TEPRA CVE-2022-0183 (Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 ...) - TODO: check + NOT-FOR-US: MIRUPASS CVE-2020-36515 RESERVED CVE-2022-23101 @@ -939,11 +939,11 @@ CVE-2022-21210 CVE-2022-21145 RESERVED CVE-2022-0182 (Stored cross-site scripting vulnerability in Quiz And Survey Master ve ...) - TODO: check + NOT-FOR-US: Quiz And Survey Master CVE-2022-0181 (Reflected cross-site scripting vulnerability in Quiz And Survey Master ...) - TODO: check + NOT-FOR-US: Quiz And Survey Master CVE-2022-0180 (Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Mas ...) - TODO: check + NOT-FOR-US: Quiz And Survey Master CVE-2022-0179 (snipe-it is vulnerable to Improper Access Control ...) NOT-FOR-US: snipe-it CVE-2022-0178 (snipe-it is vulnerable to Improper Access Control ...) 
@@ -2016,7 +2016,7 @@ CVE-2022-0133 (peertube is vulnerable to Improper Access Control ...) CVE-2022-0132 (peertube is vulnerable to Server-Side Request Forgery (SSRF) ...) - peertube (bug #950821) CVE-2022-0131 (Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API ...) - TODO: check + NOT-FOR-US: Jimoty App for Android CVE-2021-4201 RESERVED CVE-2022-22708 @@ -25748,7 +25748,7 @@ CVE-2021-38967 (IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileg CVE-2021-38966 (IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2021-38965 (IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remo ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38964 RESERVED CVE-2021-38963 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ef00b2233fb5e9f4bd7706ff90e0b326a8025d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ef00b2233fb5e9f4bd7706ff90e0b326a8025d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2c38b1d by security tracker role at 2022-01-17T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,45 @@ +CVE-2022-23307 + RESERVED +CVE-2022-23306 + RESERVED +CVE-2022-23305 + RESERVED +CVE-2022-0263 + RESERVED +CVE-2022-0262 + RESERVED +CVE-2022-0261 + RESERVED +CVE-2022-0260 + RESERVED +CVE-2022-0259 + RESERVED +CVE-2022-0258 (pimcore is vulnerable to Improper Neutralization of Special Elements u ...) + TODO: check +CVE-2022-0257 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) + TODO: check +CVE-2022-0256 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) + TODO: check +CVE-2022-0255 + RESERVED +CVE-2022-0254 + RESERVED +CVE-2022-0253 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + TODO: check +CVE-2022-0252 + RESERVED +CVE-2022-0251 + RESERVED +CVE-2022-0250 + RESERVED +CVE-2022-0249 + RESERVED +CVE-2022-0248 + RESERVED +CVE-2022-0247 + RESERVED +CVE-2022-0246 + RESERVED CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...) - wpa 2:2.10-1 NOTE: https://w1.fi/security/2022-1/ @@ -7,6 +49,7 @@ CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_suppli NOTE: https://w1.fi/security/2022-1/ NOTE: Issue exists because of an incomplete fix for CVE-2019-9494 CVE-2022-0264 [bpf: Fix kernel address leakage in atomic fetch] + RESERVED - linux 5.15.5-2 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) 
@@ -24,12 +67,12 @@ CVE-2022-22142 RESERVED CVE-2022-21805 RESERVED -CVE-2022-0242 - RESERVED +CVE-2022-0242 (Unrestricted Upload of File with Dangerous Type in GitHub repository c ...) + TODO: check CVE-2022-0241 RESERVED -CVE-2022-0240 - RESERVED +CVE-2022-0240 (mruby is vulnerable to NULL Pointer Dereference ...) + TODO: check CVE-2022-0239 (corenlp is vulnerable to Improper Restriction of XML External Entity R ...) NOT-FOR-US: corenlp CVE-2022-0238 (phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) ...) @@ -649,10 +692,10 @@ CVE-2022-0186 RESERVED CVE-2022-0185 RESERVED -CVE-2022-0184 - RESERVED -CVE-2022-0183 - RESERVED +CVE-2022-0184 (Insufficiently protected credentials vulnerability in 'TEPRA' PRO SR59 ...) + TODO: check +CVE-2022-0183 (Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 ...) + TODO: check CVE-2020-36515 RESERVED CVE-2022-23101 @@ -895,12 +938,12 @@ CVE-2022-21210 RESERVED CVE-2022-21145 RESERVED -CVE-2022-0182 - RESERVED -CVE-2022-0181 - RESERVED -CVE-2022-0180 - RESERVED +CVE-2022-0182 (Stored cross-site scripting vulnerability in Quiz And Survey Master ve ...) + TODO: check +CVE-2022-0181 (Reflected cross-site scripting vulnerability in Quiz And Survey Master ...) + TODO: check +CVE-2022-0180 (Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Mas ...) + TODO: check CVE-2022-0179 (snipe-it is vulnerable to Improper Access Control ...) NOT-FOR-US: snipe-it CVE-2022-0178 (snipe-it is vulnerable to Improper Access Control ...) @@ -1972,8 +2015,8 @@ CVE-2022-0133 (peertube is vulnerable to Improper Access Control ...) - peertube (bug #950821) CVE-2022-0132 (peertube is vulnerable to Server-Side Request Forgery (SSRF) ...) - peertube (bug #950821) -CVE-2022-0131 - RESERVED +CVE-2022-0131 (Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API ...) + TODO: check CVE-2021-4201 RESERVED CVE-2022-22708 
@@ -2052,11 +2095,13 @@ CVE-2021-46143 (In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, NOTE: https://github.com/libexpat/libexpat/pull/538 NOTE: https://github.com/libexpat/libexpat/commit/85ae9a2d7d0e9358f356b33977b842df8ebaec2b CVE-2021-46142 (An issue was discovered in uriparser before 0.9.6. It performs invalid ...) + {DLA-2883-1} - uriparser 0.9.6+dfsg-1 NOTE: https://github.com/uriparser/uriparser/issues/122 NOTE: https://github.com/uriparser/uriparser/commit/c0483990e6b5b454f7c8752b36760cfcb0d093f5 (uriparser-0.9.6) NOTE: https://github.com/uriparser/uriparser/pull/124 CVE-2021-46141 (An issue was discovered in uriparser before 0.9.6. It performs invalid ...) + {DLA-2883-1} - uriparser 0.9.6+dfsg-1 NOTE: https://github.com/uriparser/uriparser/issues/121 NOTE: https://git
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-42392/h2database
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c62128ab by Salvatore Bonaccorso at 2022-01-17T20:44:54+01:00 Add Debian bug reference for CVE-2021-42392/h2database - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17060,7 +17060,7 @@ CVE-2020-36487 CVE-2020-36486 (Swift File Transfer Mobile v1.1.2 and below was discovered to contain ...) NOT-FOR-US: Swift File Transfer Mobile CVE-2021-42392 (The org.h2.util.JdbcUtils.getConnection method of the H2 database take ...) - - h2database + - h2database (bug #1003894) NOTE: https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6 NOTE: https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/ CVE-2021-42391 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c62128abb9c0a9f03089d1d84177d5563b1d0627 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c62128abb9c0a9f03089d1d84177d5563b1d0627 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed clamav update via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 06c6d77e by Salvatore Bonaccorso at 2022-01-17T20:42:51+01:00 Track proposed clamav update via buster-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -140,3 +140,5 @@ CVE-2020-25693 [buster] - cimg 2.4.5+dfsg-1+deb10u1 CVE-2020-0499 [buster] - flac 1.3.2-3+deb10u1 +CVE-2022-20698 + [buster] - clamav 0.103.5+dfsg-0+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06c6d77e8dc61c1e0d670ce33a7d03db94d468a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06c6d77e8dc61c1e0d670ce33a7d03db94d468a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version via experimental for CVE-2021-22569/protobuf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d795683 by Salvatore Bonaccorso at 2022-01-17T20:35:28+01:00 Track fixed version via experimental for CVE-2021-22569/protobuf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66398,6 +66398,7 @@ CVE-2021-22571 CVE-2021-22570 RESERVED CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google.proto ...) + [experimental] - protobuf 3.19.3-1 - protobuf NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4 NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7956835f695b4ebd164a1b584a0d42274b3352 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7956835f695b4ebd164a1b584a0d42274b3352 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-2330{3,4}/wpa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1fbaacf by Salvatore Bonaccorso at 2022-01-17T20:26:33+01:00 Track fixed verison for CVE-2022-2330{3,4}/wpa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...) - - wpa + - wpa 2:2.10-1 NOTE: https://w1.fi/security/2022-1/ NOTE: Issue exists because of an incomplete fix for CVE-2019-9495 CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_supplicant b ...) - - wpa + - wpa 2:2.10-1 NOTE: https://w1.fi/security/2022-1/ NOTE: Issue exists because of an incomplete fix for CVE-2019-9494 CVE-2022-0264 [bpf: Fix kernel address leakage in atomic fetch] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1fbaacf3c8f6a9f4e649cb1f4cdfe4842c0ce85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1fbaacf3c8f6a9f4e649cb1f4cdfe4842c0ce85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: claim golang-1.7,golang-1.8
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b2b9484 by Sylvain Beucler at 2022-01-17T20:19:21+01:00 dla: claim golang-1.7,golang-1.8 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -48,10 +48,10 @@ gif2apng NOTE: 20220114: orphaned package with inactive upstream, maybe coordinate with Debian QA to write our own patches (Beuc) NOTE: 20220114: CVEs unrelated to apng2gif's (Beuc) -- -golang-1.7 +golang-1.7 (Sylvain Beucler) NOTE: 20220114: harmonize with bullseye-11.2 (CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717) (Beuc) -- -golang-1.8 +golang-1.8 (Sylvain Beucler) NOTE: 20220114: harmonize with bullseye-11.2 (CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717) (Beuc) -- gpac (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b2b948412fc603b81b27c6ccd4d9fdb4f776218 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b2b948412fc603b81b27c6ccd4d9fdb4f776218 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0264/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b85f9dee by Salvatore Bonaccorso at 2022-01-17T19:38:54+01:00 Add CVE-2022-0264/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6,6 +6,12 @@ CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_suppli - wpa NOTE: https://w1.fi/security/2022-1/ NOTE: Issue exists because of an incomplete fix for CVE-2019-9494 +CVE-2022-0264 [bpf: Fix kernel address leakage in atomic fetch] + - linux 5.15.5-2 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + [stretch] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/7d3baf0afa3aa9102d6a521a8e4c41888bb79882 (5.16-rc6) CVE-2022-0245 RESERVED CVE-2022-0244 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b85f9dee0411d79a877d660ffaa4b7ae784d8004 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b85f9dee0411d79a877d660ffaa4b7ae784d8004 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
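Review bot: the only reference given for CVE-2022-0264 is the upstream commit as merged in 5.16-rc6, while the fixed Debian version is recorded as `5.15.5-2`; a second `NOTE:` pointing at the stable backport (the 5.15.y release carrying 7d3baf0afa3a, or the Debian changelog entry) would make the `5.15.5-2` claim verifiable from the entry alone. The `(Vulnerable code not present)` tags for bullseye, buster and stretch would likewise be easier to audit later if the NOTE named the commit that introduced the affected atomic-fetch handling.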
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2886-1 for slurm-llnl
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ac8fd8a by Sylvain Beucler at 2022-01-17T18:57:12+01:00 Reserve DLA-2886-1 for slurm-llnl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -85074,7 +85074,6 @@ CVE-2020-27745 (Slurm before 19.05.8 and 20.x before 20.02.6 has an RPC Buffer O {DSA-4841-1} - slurm-wlm (Fixed with first upload to Debian with renamed source package) - slurm-llnl (bug #974721) - [stretch] - slurm-llnl (Minor issue) NOTE: https://www.schedmd.com/news.php?id=240 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/45.html NOTE: https://github.com/SchedMD/slurm/commit/c3142dd87e06621ff148791c3d2f298b5c0b3a81 @@ -120686,7 +120685,6 @@ CVE-2020-12693 (Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in the {DSA-4841-1} - slurm-wlm (Fixed with first upload to Debian with renamed source package) - slurm-llnl (bug #961406) - [stretch] - slurm-llnl (Minor issue) [jessie] - slurm-llnl (Message Aggregation added in 14.11) NOTE: https://www.schedmd.com/news.php?id=236 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/36.html @@ -175597,7 +175595,6 @@ CVE-2013-7472 (The "Count per Day" plugin before 3.2.6 for WordPress allows XSS CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...) {DSA-4572-1 DLA-2143-1} - slurm-llnl 19.05.3.2-1 (bug #931880) - [stretch] - slurm-llnl (Too intrusive to backport) NOTE: https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/25.html CVE-2019-12837 (The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attack ...) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[17 Jan 2022] DLA-2886-1 slurm-llnl - security update + {CVE-2019-12838 CVE-2020-12693 CVE-2020-27745 CVE-2021-31215} + [stretch] - slurm-llnl 16.05.9-1+deb9u5 [17 Jan 2022] DLA-2885-1 qtsvg-opensource-src - security update {CVE-2021-3481 CVE-2021-45930} [stretch] - qtsvg-opensource-src 5.7.1~20161021-2.1+deb9u1 = data/dla-needed.txt = @@ -119,14 +119,6 @@ samba (Utkarsh Gupta) NOTE: 20211212: Fix is too large, coordination with ELTS-upload NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh) -- -slurm-llnl (Sylvain Beucler) - NOTE: 20211229: CVE-2019-12838 is marked "Too intrusive to backport" but was - NOTE: 20211229: backported to jessie in DLA-2143-1. - NOTE: 20211229: If CVE-2019-12838 gets fixed, then the 4 other "no DSA" CVEs - NOTE: 20211229: should also be checked. (bunk) - NOTE: 20220107: backporting patches (Beuc) - NOTE: 20220114: wait for Thorsten's precisions wrt. CVE-2021-31215 triage --- vim (Emilio) -- zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ac8fd8a29d083404da0eb8f448492c433535eb6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ac8fd8a29d083404da0eb8f448492c433535eb6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
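Review bot: the new DLA-2886-1 entry lists four CVEs (CVE-2019-12838, CVE-2020-12693, CVE-2020-27745, CVE-2021-31215), but the data/CVE/list hunks only drop stretch annotations for the first three; CVE-2021-31215 is not touched, and the removed dla-needed notes show its triage was still open ("wait for Thorsten's precisions wrt. CVE-2021-31215 triage"). Worth confirming that the CVE-2021-31215 entry has no leftover `[stretch]` no-dsa or postponed tag that would contradict the DLA, and recording the outcome of that triage in a NOTE. The removal of `(Too intrusive to backport)` for CVE-2019-12838 resolves the contradiction bunk's removed note pointed out (the fix had already shipped for jessie in DLA-2143-1).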
[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 57541cbd by Abhijith PA at 2022-01-17T22:26:31+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,6 +80,7 @@ libgit2 (Utkarsh) libraw (Abhijith PA) NOTE: 20211227: 7 CVEs that were fixed for jessie in DLA-1734-1 are unfixed NOTE: 20211227: in stretch, plenty other unfixed CVEs (bunk) + NOTE: 20220117: Fixed CVEs other than DLA-1734-1 (abhijith) -- lighttpd (Anton) NOTE: 20220111: a DSA is planned (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57541cbdd9d687cec67b97ce3d44f880bc850ced -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57541cbdd9d687cec67b97ce3d44f880bc850ced You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new iotjs issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b411a0a by Moritz Muehlenhoff at 2022-01-17T17:48:27+01:00 new iotjs issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2022-0241 CVE-2022-0240 RESERVED CVE-2022-0239 (corenlp is vulnerable to Improper Restriction of XML External Entity R ...) - TODO: check + NOT-FOR-US: corenlp CVE-2022-0238 (phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) ...) - phoronix-test-suite CVE-2022-23301 @@ -1417,7 +1417,9 @@ CVE-2021-46172 CVE-2021-46171 (Modex v2.11 was discovered to contain a NULL pointer dereference in se ...) NOT-FOR-US: Modex CVE-2021-46170 (An issue was discovered in JerryScript commit a6ab5e9. There is an Use ...) - TODO: check + - iotjs + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4917 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4942/commits/5e1fdd1d1e75105b43392b4bb3996099cdc50f3d CVE-2021-46169 (Modex v2.11 was discovered to contain an Use-After-Free vulnerability ...) NOT-FOR-US: Modex CVE-2021-46168 (Spin v6.5.1 was discovered to contain an out-of-bounds write in lex() ...) @@ -1439,7 +1441,7 @@ CVE-2021-4202 [bullseye] - linux 5.10.84-1 NOTE: CONFIG_NFC_NCI not enabled in Debian CVE-2021-23218 (When running with FIPS mode enabled, Mirantis Container Runtime 20.10. ...) - TODO: check + NOT-FOR-US: Mirantis Container Runtime CVE-2021-23154 (In Lens prior to 5.3.4, custom helm chart configuration creates helm c ...) NOT-FOR-US: Lens CVE-2022-0159 (orchardcore is vulnerable to Improper Neutralization of Input During W ...) 
@@ -2035,7 +2037,7 @@ CVE-2022-22679 CVE-2022-22150 RESERVED CVE-2022-0130 (Tenable.sc versions 5.14.0 through 5.19.1 were found to contain a remo ...) - TODO: check + NOT-FOR-US: Tenable CVE-2021-46145 (The keyfob subsystem in Honda Civic 2012 vehicles allows a replay atta ...) NOT-FOR-US: keyfob subsystem in Honda Civic 2012 vehicles CVE-2021-46143 (In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an int ...) @@ -4874,7 +4876,7 @@ CVE-2021-45494 (Certain NETGEAR devices are affected by an attacker's ability to CVE-2021-45493 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: Netgear CVE-2021-4170 (calibre-web is vulnerable to Improper Neutralization of Input During W ...) - TODO: check + NOT-FOR-US: calibre-web CVE-2021-4169 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) NOT-FOR-US: livehelperchat CVE-2021-45492 @@ -5529,7 +5531,7 @@ CVE-2021-45450 (In Mbed TLS before 2.28.0 and 3.x before 3.1.0, psa_cipher_gener NOTE: https://github.com/ARMmbed/mbedtls/commit/c423acbe0f7957d8ef1e6036c2429c9f79c6f05e (mbedtls-2.28.0) NOTE: https://github.com/ARMmbed/mbedtls/commit/4c224fe3ccbe527a2b7d55a927f1f09511ff1b83 (mbedtls-2.28.0) CVE-2021-45449 (Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitiv ...) - TODO: check + NOT-FOR-US: Docker Desktop on Windows CVE-2021-45448 RESERVED CVE-2021-45447 @@ -6862,7 +6864,7 @@ CVE-2022-21913 (Local Security Authority (Domain Policy) Remote Protocol Securit CVE-2022-21912 (DirectX Graphics Kernel Remote Code Execution Vulnerability. This CVE ...) NOT-FOR-US: Microsoft CVE-2022-21911 (.NET Framework Denial of Service Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft .NET CVE-2022-21910 (Microsoft Cluster Port Driver Elevation of Privilege Vulnerability. ...) NOT-FOR-US: Microsoft CVE-2022-21909 
@@ -7397,7 +7399,7 @@ CVE-2021-44880 CVE-2021-44879 RESERVED CVE-2021-44878 (Pac4j v5.1 and earlier allows (by default) clients to accept and succe ...) - TODO: check + NOT-FOR-US: Pac4j CVE-2021-44877 (Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect A ...) NOT-FOR-US: Dalmark Systems Systeam CVE-2021-44876 (Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to User enumer ...) @@ -7585,7 +7587,7 @@ CVE-2021-44830 CVE-2021-44829 RESERVED CVE-2021-44828 (Arm Mali GPU Kernel Driver (Midgard r26p0 through r30p0, Bifrost r0p0 ...) - TODO: check + NOT-FOR-US: ARM CVE-2021-44827 RESERVED CVE-2021-44826 @@ -7899,7 +7901,7 @@ CVE-2021-44454 CVE-2021-43351 RESERVED CVE-2021-4080 (crater is vulnerable to Unrestricted Upload of File with Dangerous Typ ...) - TODO: check + NOT-FOR-US: Crater CVE-2021-26946 RESERVED CVE-2021-26254 @@ -8290,7 +8292,7 @@ CVE-2021-44588 CVE-2021-44587 RESERVED CVE-2021-44586 (An issue was discovered in dst-admin v1.3.0. The product has an u
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7155dbe5 by Moritz Muehlenhoff at 2022-01-17T17:26:32+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -6570,12 +6570,16 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12 CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive] RESERVED - libarchive 3.5.2-1 (bug #1001990) + [bullseye] - libarchive (Minor issue) + [buster] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1566 NOTE: https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 (v3.5.2) NOTE: https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b (v3.5.2) CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target] RESERVED - libarchive 3.5.2-1 (bug #1001986) + [bullseye] - libarchive (Minor issue) + [buster] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1565 NOTE: https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2) CVE-2022-21943 @@ -7964,6 +7968,7 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 + [buster] - golang-1.11 (Minor issue) - golang-1.8 - golang-1.7 NOTE: https://github.com/golang/go/issues/50057 
@@ -9803,10 +9808,14 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection to Untrusted Site ...) CVE-2021-3999 [Off-by-one buffer overflow/underflow in getcwd()] RESERVED - glibc + [bullseye] - glibc (Minor issue) + [buster] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769 CVE-2021-3998 [Unexpected return value from realpath() for too long results] RESERVED - glibc + [bullseye] - glibc (Minor issue) + [buster] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28770 NOTE: https://patchwork.sourceware.org/project/glibc/patch/20220113055920.3155918-1-siddh...@sourceware.org/ CVE-2021-3997 [Uncontrolled recursion in systemd's systemd-tmpfiles] @@ -9941,6 +9950,7 @@ CVE-2021-44039 RESERVED CVE-2021-44038 (An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod op ...) - quagga + [buster] - quagga (Minor issue) [stretch] - quagga (revisit when/if fixed upstream) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1191890 NOTE: Debian installed systemd unit files install the problematic redhat/*.service @@ -39086,6 +39096,7 @@ CVE-2021-33431 RESERVED CVE-2021-33430 (A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_N ...) - numpy 1:1.21.4-2 + [bullseye] - numpy (Minor issue) NOTE: https://github.com/numpy/numpy/issues/18939 NOTE: https://github.com/numpy/numpy/pull/18989 NOTE: https://github.com/numpy/numpy/commit/16f7824b4d935b6aee98298ca4123d57174a6f2e (v1.22.0.dev0) = data/dsa-needed.txt = 
@@ -29,12 +29,17 @@ linux (carnil) -- ndpi/oldstable -- +nss +-- nodejs (jmm) -- pillow (jmm) -- python-pysaml2 (jmm) -- +rpki-client/stable + new 7.6 release required libretls, which isn't in Bullseye +-- ruby2.5/oldstable Maintainer is preparing updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7155dbe5fe85c561f31a848b8f13a75fef301c81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7155dbe5fe85c561f31a848b8f13a75fef301c81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] clamav spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 30b6db3d by Moritz Mühlenhoff at 2022-01-17T14:02:46+01:00 clamav spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -36,3 +36,5 @@ CVE-2021-45452 [bullseye] - python-django 2:2.2.26-1~deb11u1 CVE-2022-21670 [bullseye] - node-markdown-it 10.0.0+dfsg-2+deb11u1 +CVE-2022-20698 + [bullseye] - clamav 0.103.5+dfsg-0+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30b6db3d1f74a002852ad8349acc83f735e8acee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30b6db3d1f74a002852ad8349acc83f735e8acee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2885-1 for qtsvg-opensource-src
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e5c53c9 by Utkarsh Gupta at 2022-01-17T17:27:45+05:30 Reserve DLA-2885-1 for qtsvg-opensource-src - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -48464,7 +48464,6 @@ CVE-2021-3481 [Out of bounds read in function QRadialFetchSimd from crafted svg RESERVED - qtsvg-opensource-src 5.15.2-3 (bug #986798) [buster] - qtsvg-opensource-src (Minor issue) - [stretch] - qtsvg-opensource-src (Minor issue; can be fixed in next update) - qt4-x11 [buster] - qt4-x11 (Minor issue) [stretch] - qt4-x11 (Minor issue; can be fixed in next update) = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Jan 2022] DLA-2885-1 qtsvg-opensource-src - security update + {CVE-2021-3481 CVE-2021-45930} + [stretch] - qtsvg-opensource-src 5.7.1~20161021-2.1+deb9u1 [17 Jan 2022] DLA-2884-1 wordpress - security update {CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664} [stretch] - wordpress 4.7.22+dfsg-0+deb9u1 = data/dla-needed.txt = 
@@ -113,9 +113,6 @@ python2.7 (Anton) qt4-x11 (Utkarsh) NOTE: 20220112: 2 SVG CVEs (CVE-2021-45930,CVE-2021-34812) to fix in both qtsvg-opensource-src and qt4-x11 (Beuc) -- -qtsvg-opensource-src (Utkarsh) - NOTE: 20220112: 2 SVG CVEs (CVE-2021-45930,CVE-2021-34812) to fix in both qtsvg-opensource-src and qt4-x11 (Beuc) --- samba (Utkarsh Gupta) NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ NOTE: 20211212: Fix is too large, coordination with ELTS-upload View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e5c53c95b8a1c67adc709e0baf5a9129dbb4411 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e5c53c95b8a1c67adc709e0baf5a9129dbb4411 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
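Review bot: the identifiers in the dla-needed.txt hunk and the DLA/list hunk disagree. The new DLA entry is reserved for {CVE-2021-3481 CVE-2021-45930}, and the data/CVE/list hunk edits CVE-2021-3481 (QRadialFetchSimd out-of-bounds read), but the surviving qt4-x11 NOTE in dla-needed.txt still reads "2 SVG CVEs (CVE-2021-45930,CVE-2021-34812)". One of CVE-2021-3481 / CVE-2021-34812 is mistyped; since the removed qtsvg-opensource-src note carried the same text, the remaining qt4-x11 note should be corrected to the identifier actually being fixed so the two packages are tracked against the same CVE.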
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2884-1 for wordpress
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 3937a620 by Utkarsh Gupta at 2022-01-17T16:23:39+05:30 Reserve DLA-2884-1 for wordpress - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Jan 2022] DLA-2884-1 wordpress - security update + {CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664} + [stretch] - wordpress 4.7.22+dfsg-0+deb9u1 [17 Jan 2022] DLA-2883-1 uriparser - security update {CVE-2021-46141 CVE-2021-46142} [stretch] - uriparser 0.8.4-1+deb9u3 = data/dla-needed.txt = @@ -131,8 +131,5 @@ slurm-llnl (Sylvain Beucler) -- vim (Emilio) -- -wordpress (Utkarsh) - NOTE: 20220108: Issues may not warrant a DLA. See comment for commit 3ae7f35d1 re. previous release. (lamby) --- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3937a62089a94684be2bad5b7501c07864625fb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3937a62089a94684be2bad5b7501c07864625fb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new h2database issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6da7af6b by Moritz Muehlenhoff at 2022-01-17T11:48:22+01:00 new h2database issue new tripleo issue (removed) concludes external check - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4330,6 +4330,8 @@ CVE-2021-45733 RESERVED CVE-2021-4180 RESERVED + - tripleo-heat-templates + NOTE: https://bugs.launchpad.net/tripleo/+bug/1955397 CVE-2021-4179 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) NOT-FOR-US: livehelperchat CVE-2021-45720 (An issue was discovered in the lru crate before 0.7.1 for Rust. The it ...) @@ -17040,7 +17042,9 @@ CVE-2020-36487 CVE-2020-36486 (Swift File Transfer Mobile v1.1.2 and below was discovered to contain ...) NOT-FOR-US: Swift File Transfer Mobile CVE-2021-42392 (The org.h2.util.JdbcUtils.getConnection method of the H2 database take ...) - TODO: check + - h2database + NOTE: https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6 + NOTE: https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/ CVE-2021-42391 RESERVED CVE-2021-42390 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6da7af6b2e20798fcc2b1f101ed64329944fdfbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6da7af6b2e20798fcc2b1f101ed64329944fdfbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
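Review bot: the new tripleo-heat-templates entry in the first hunk assigns a package to CVE-2021-4180 while leaving the bare "RESERVED" header without a bracketed description, unlike the other RESERVED entries with package assignments on this page (for example CVE-2021-31566 and CVE-2021-3999, which carry a short [summary] before RESERVED). Adding a one-line [description] taken from the linked Launchpad bug 1955397 would keep the entry consistent and searchable until the CVE text is published.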
[Git][security-tracker-team/security-tracker][master] new protobuf issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 345bb88a by Moritz Muehlenhoff at 2022-01-17T11:43:07+01:00 new protobuf issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66376,7 +66376,10 @@ CVE-2021-22571 CVE-2021-22570 RESERVED CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google.proto ...) - TODO: check + - protobuf + NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4 + NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 (unclear, might be bogus) CVE-2021-22568 (When using the dart pub publish command to publish a package to a thir ...) TODO: check CVE-2021-22567 (Bidirectional Unicode text can be interpreted and compiled differently ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/345bb88afca4e683c8ae11f86c725a631757f032 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/345bb88afca4e683c8ae11f86c725a631757f032 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2883-1 for uriparser
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 8dc3123e by Chris Lamb at 2022-01-17T10:27:34+00:00 Reserve DLA-2883-1 for uriparser - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Jan 2022] DLA-2883-1 uriparser - security update + {CVE-2021-46141 CVE-2021-46142} + [stretch] - uriparser 0.8.4-1+deb9u3 [17 Jan 2022] DLA-2882-1 sphinxsearch - security update {CVE-2020-29050} [stretch] - sphinxsearch 2.2.11-1.1+deb9u1 = data/dla-needed.txt = @@ -129,8 +129,6 @@ slurm-llnl (Sylvain Beucler) NOTE: 20220107: backporting patches (Beuc) NOTE: 20220114: wait for Thorsten's precisions wrt. CVE-2021-31215 triage -- -uriparser (Chris Lamb) --- vim (Emilio) -- wordpress (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dc3123eda0051758c19bba54684f19e57fae32f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dc3123eda0051758c19bba54684f19e57fae32f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c26aa00 by Moritz Muehlenhoff at 2022-01-17T09:33:02+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2389,6 +2389,7 @@ CVE-2022-0120 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0119 RESERVED 
@@ -2396,116 +2397,139 @@ CVE-2022-0118 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0117 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0116 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0115 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0114 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0113 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0112 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0111 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0110 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0109 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0108 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0107 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0106 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0105 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0104 RESERVED {DSA-5046-1} - chromium 
97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0103 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0102 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0101 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0100 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0099 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0098 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0097 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0096 RESERVED {DSA-5046-1} - chromium 97.0.4692.71-0.1 + [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-0095 RESERVED @@ -3479,40 +3503,40 @@ CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buff NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 TODO: claimed to be fixed in range https://github.com/ultrajson/ultrajs
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2330{3,4}/wpa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f1767f0 by Salvatore Bonaccorso at 2022-01-17T09:17:37+01:00 Add CVE-2022-2330{3,4}/wpa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,11 @@ CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...) - TODO: check + - wpa + NOTE: https://w1.fi/security/2022-1/ + NOTE: Issue exists because of an incomplete fix for CVE-2019-9495 CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_supplicant b ...) - TODO: check + - wpa + NOTE: https://w1.fi/security/2022-1/ + NOTE: Issue exists because of an incomplete fix for CVE-2019-9494 CVE-2022-0245 RESERVED CVE-2022-0244 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f1767f0730484e62fbaf0e7f82f743c4daf5cfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f1767f0730484e62fbaf0e7f82f743c4daf5cfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb053b68 by security tracker role at 2022-01-17T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...) + TODO: check +CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_supplicant b ...) + TODO: check +CVE-2022-0245 + RESERVED +CVE-2022-0244 + RESERVED +CVE-2022-0243 + RESERVED CVE-2022-23302 RESERVED CVE-2022-22142 @@ -10,8 +20,8 @@ CVE-2022-0241 RESERVED CVE-2022-0240 RESERVED -CVE-2022-0239 - RESERVED +CVE-2022-0239 (corenlp is vulnerable to Improper Restriction of XML External Entity R ...) + TODO: check CVE-2022-0238 (phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) ...) - phoronix-test-suite CVE-2022-23301 @@ -4833,8 +4843,8 @@ CVE-2021-45494 (Certain NETGEAR devices are affected by an attacker's ability to NOT-FOR-US: Netgear CVE-2021-45493 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: Netgear -CVE-2021-4170 - RESERVED +CVE-2021-4170 (calibre-web is vulnerable to Improper Neutralization of Input During W ...) + TODO: check CVE-2021-4169 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) NOT-FOR-US: livehelperchat CVE-2021-45492 
@@ -78518,7 +78528,7 @@ CVE-2020-29052 CVE-2020-29051 RESERVED CVE-2020-29050 (SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows direct ...) - {DSA-5036-1} + {DSA-5036-1 DLA-2882-1} - sphinxsearch 2.2.11-3 NOTE: Backported for sphinxsearch from: https://github.com/manticoresoftware/manticoresearch/commit/66b5761ad258c60b1866a8e1333f86e74f48035 NOTE: and https://github.com/manticoresoftware/manticoresearch/commit/6e597ff61e1e910559f6ed541ff32520085af6aa View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb053b68de29f37d5961fd0e361b3f7ed1d2fd66 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb053b68de29f37d5961fd0e361b3f7ed1d2fd66 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits