[Git][security-tracker-team/security-tracker][master] 2 commits: detailed triage for ghostscript in buster
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d33f6566 by Roberto C. Sánchez at 2024-06-29T13:49:17-04:00 detailed triage for ghostscript in buster mark CVE-2023-52722, CVE-2024-29510, CVE-33871 as ignored The commits which fix these vulnerabilities rely on API concepts and functions introduced for version 9.50. It does not make sense to backport these fixes without the associated API concepts and functions. The diff containing the necessary changes is 10k lines, which would be far too intrusive to backport to the older version (9.27) in buster. - - - - - 1f4583a0 by Roberto C. Sánchez at 2024-06-29T13:58:23-04:00 LTS: drop ghostscript from dla-needed.txt, all CVEs are ignored - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -17114,15 +17114,21 @@ CVE-2023-5971 (The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 CVE-2024-29510 {DSA-5692-1} - ghostscript 10.03.1~dfsg~git20240518-1 + [bullseye] - ghostscript (fix requires API functions introduced in 9.50) NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f (ghostpdl-10.03.1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707662 + NOTE: API functions used by fixing commit were introduced in: + NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=9de16a6637b73e35f79d2d622de403b24e6502f2 CVE-2024-33871 {DSA-5692-1} - ghostscript 10.03.1~dfsg~git20240518-1 + [bullseye] - ghostscript (fix requires API functions introduced in 9.50) NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908 (ghostpdl-10.03.1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707754 + NOTE: API functions used by fixing commit were introduced in: + NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=9de16a6637b73e35f79d2d622de403b24e6502f2 CVE-2024-33870 {DSA-5692-1} - ghostscript 10.03.1~dfsg~git20240518-1 
@@ -21909,8 +21915,11 @@ CVE-2024-25050 (IBM i 7.2, 7.3, 7.4, 7.5 and IBM Rational Development Studio for CVE-2023-52722 (An issue was discovered in Artifex Ghostscript through 10.01.0. psi/zm ...) {DSA-5692-1} - ghostscript 10.02.0~dfsg-1 + [bullseye] - ghostscript (fix requires API functions introduced in 9.50) NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=afd7188f74918cb51b5fb89f52b54eb16e8acfd1 (ghostpdl-10.03.0rc1) NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1ff9a695947967d2d327c45bf5145dd381fc1745 (ghostpdl-10.02.0) + NOTE: API functions used by fixing commit were introduced in: + NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=9de16a6637b73e35f79d2d622de403b24e6502f2 CVE-2022-48685 (An issue was discovered in Logpoint 7.1 before 7.1.2. The daily execut ...) NOT-FOR-US: Logpoint CVE-2022-48684 (An issue was discovered in Logpoint before 7.1.1. Template injection w ...) = data/dla-needed.txt = 
@@ -94,14 +94,6 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -ghostscript - NOTE: 20240510: Added by Front-Desk (ta) - NOTE: 20240621: I am returning the package so that someone else can assess - NOTE: 20240621: whether we can fix the problems or have to ignore them. - NOTE: 20240621: The patches rely on newly introduced API,e.g. - NOTE: 20240621: gs_activate_path_control,gs_is_path_control_active. I don't - NOTE: 20240621: think it makes sense to introduce those changes without those functions. --- glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) NOTE: 20240520: Testing fixes. (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25d2ce47e04bc3dd9b2c05c2c285a462738276c...1f4583a0442ab914830efdab6ded5d6e9c687206 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25d2ce47e04bc3dd9b2c05c2c285a462738276c...1f4583a0442ab914830efdab6ded5d6e9c687206 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth
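Review bot: the suite tag on the added `[bullseye] - ghostscript (fix requires API functions introduced in 9.50)` lines in the two data/CVE/list hunks does not match the commit message, which justifies the ignore for buster (ghostscript 9.27, i.e. below 9.50). If buster is the target, the tag should presumably be `[buster]`; if bullseye is really intended, the parenthesised rationale should say that bullseye's ghostscript also predates 9.50, because as written the reason only holds for the version named in the message. Either way the tag and the message should name the same suite.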
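Review bot: removing the ghostscript block from data/dla-needed.txt (hunk @@ -94) discards the 20240621 notes that name the specific API the fixes depend on (gs_activate_path_control, gs_is_path_control_active), while the NOTE lines added to data/CVE/list only link the commit that introduced that API. Consider carrying the function names into the CVE/list NOTE lines, e.g. `NOTE: fix depends on gs_activate_path_control/gs_is_path_control_active (9.50)`, so the rationale for the ignore stays readable without digging through git history.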
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a7e16152 by Roberto C. Sánchez at 2024-06-17T09:15:22-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ dns-root-data (santiago) NOTE: 20240607: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054393 NOTE: 20240607: Needs bullseye pu to be available first. https://bugs.debian.org/1072653 -- -dnsmasq (dleidert) +dnsmasq NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240325: Automatically unassigned (lamby) NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby) @@ -117,7 +117,7 @@ git (Sean Whitton) NOTE: 20240610: Fix for CVE-2024-32465 apparently fixes CVE-2024-32004 as a NOTE: 20240610: byproduct. I am working on testing that claim. (spwhitton) -- -glibc (Adrian Bunk) +glibc NOTE: 20240504: Re-add for remaining CVEs. (bunk) NOTE: 20240520: Testing fixes. (bunk) NOTE: 20240603: Testing fixes. (bunk) @@ -193,7 +193,7 @@ netty (Markus Koschany) NOTE: 20240511: Added by (apo) NOTE: 20240610: Doing some final tests. (apo) -- -nodejs (guilhem) +nodejs NOTE: 20240406: Added by Front-Desk (lamby) -- nova 
@@ -272,14 +272,14 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -roundcube (guilhem) +roundcube NOTE: 20240524: Added by Front-Desk (lamby) -- ruby2.5 NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) -- -runc (dleidert) +runc NOTE: 20240312: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7e1615285743337fedb0b3dd77fc395bb72ecdd -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7e1615285743337fedb0b3dd77fc395bb72ecdd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
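Review bot: in the glibc hunk (@@ -117) the last activity line is `NOTE: 20240603: Testing fixes. (bunk)`, exactly 14 days before this 2024-06-17 commit. If the rule is "more than two weeks of inactivity" this entry should not have been unclaimed yet, so the threshold (inclusive or exclusive) is worth stating in the commit message or the file header.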
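Review bot: the dnsmasq hunk (@@ -61) already shows the file's convention for recording an unassignment as a note (`NOTE: 20240325: Automatically unassigned (lamby)`), but this commit only drops the claimant from the package line. Appending a `NOTE: 20240617: Automatically unassigned (roberto)` line to each unclaimed entry would keep the history in the file, as its header asks ("append notes rather than remove/replace existing ones").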
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f00fef1 by Roberto C. Sánchez at 2024-06-10T19:56:02-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ cacti cyrus-imapd NOTE: 20240609: Added by Front-Desk (apo) -- -dcmtk (Adrian Bunk) +dcmtk NOTE: 20240428: Added by Front-Desk (ta) -- dlt-daemon @@ -307,7 +307,7 @@ runc (dleidert) NOTE: 20240521: Already started to work on it. Upload will haben until end of month. (dleidert) NOTE: 20240531: Waiting for ok to upload to bullseye-pu <https://bugs.debian.org/1072248> (dleidert) -- -sendmail (rouca) +sendmail NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) NOTE: 20240217: Patch extracted and being reviewed (rouca) @@ -331,7 +331,7 @@ squid sredird NOTE: 20240610: Added by Front-Desk (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f00fef168d88211a61d540b07bccb2f0ec9a16c -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f00fef168d88211a61d540b07bccb2f0ec9a16c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
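Review bot: dcmtk (Adrian Bunk) is unclaimed in the @@ -52 hunk for the third time in a month (also in the 2024-05-13 and 2024-05-27 commits) and its only note is still `NOTE: 20240428: Added by Front-Desk (ta)`. The claim/unclaim loop suggests asking the claimant to append a status note when re-claiming, or leaving the package unclaimed so someone else can pick it up.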
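Review bot: suricata (Adrian Bunk) in the @@ -331 hunk likewise appears in the 2024-04-22, 2024-05-06 and 2024-05-27 unclaim commits with no note newer than 20230620. The 20230620 notes already propose reviewing the 15+ no-dsa CVEs and settling on postponed/ignored; doing that triage would take the entry off the list instead of re-cycling the claim every fortnight.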
[Git][security-tracker-team/security-tracker][master] Update FD assignment
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8455f2c0 by Roberto C. Sánchez at 2024-06-04T06:38:00-04:00 Update FD assignment - - - - - 1 changed file: - org/lts-frontdesk.2024.txt Changes: = org/lts-frontdesk.2024.txt = @@ -29,7 +29,7 @@ From 08-07 to 14-07:Utkarsh Gupta From 15-07 to 21-07:Chris Lamb From 22-07 to 28-07:Emilio Pozuelo Monfort From 29-07 to 04-08:Markus Koschany -From 05-08 to 11-08:Ola Lundqvist +From 05-08 to 11-08:Sylvain Beucler From 12-08 to 18-08:Sylvain Beucler From 19-08 to 25-08:Thorsten Alteholz From 26-08 to 01-09:Utkarsh Gupta View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8455f2c0e6081083859ee8f0fa574c91322f108e -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8455f2c0e6081083859ee8f0fa574c91322f108e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
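Review bot: the hunk changes `From 05-08 to 11-08` from Ola Lundqvist to Sylvain Beucler, and the following context line (`From 12-08 to 18-08:Sylvain Beucler`) is already his, so Sylvain now covers two consecutive weeks. If that is intended, say so in the commit message ("Update FD assignment" gives no reason); otherwise a swap with a different week would keep the rotation even.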
[Git][security-tracker-team/security-tracker][master] Update FD assignment
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 77b4beb1 by Roberto C. Sánchez at 2024-06-03T13:04:52-04:00 Update FD assignment - - - - - 1 changed file: - org/lts-frontdesk.2024.txt Changes: = org/lts-frontdesk.2024.txt = @@ -21,7 +21,7 @@ From 13-05 to 19-05:Utkarsh Gupta From 20-05 to 26-05:Chris Lamb From 27-05 to 02-06:Emilio Pozuelo Monfort From 03-06 to 09-06:Markus Koschany -From 10-06 to 16-06:Ola Lundqvist +From 10-06 to 16-06:Chris Lamb From 17-06 to 23-06:Sylvain Beucler From 24-06 to 30-06:Thorsten Alteholz From 01-07 to 07-07:Thorsten Alteholz @@ -36,7 +36,7 @@ From 26-08 to 01-09:Utkarsh Gupta From 02-09 to 08-09:Chris Lamb From 09-09 to 15-09:Emilio Pozuelo Monfort From 16-09 to 22-09:Markus Koschany -From 23-09 to 29-09:Ola Lundqvist +From 23-09 to 29-09:Chris Lamb From 30-09 to 06-10:Sylvain Beucler From 07-10 to 13-10:Thorsten Alteholz From 14-10 to 20-10:Utkarsh Gupta @@ -50,4 +50,4 @@ From 02-12 to 08-12:Utkarsh Gupta From 09-12 to 15-12:Chris Lamb From 16-12 to 22-12:Emilio Pozuelo Monfort From 23-12 to 29-12:Markus Koschany -From 30-12 to 05-01:Ola Lundqvist \ No newline at end of file +From 30-12 to 05-01:Ola Lundqvist View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77b4beb1b5b0c1f8d9be669229a01964267ea1ee -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77b4beb1b5b0c1f8d9be669229a01964267ea1ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
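Review bot: the first two hunks (@@ -21, @@ -36) move Ola Lundqvist's 10-06 and 23-09 weeks to Chris Lamb, but the file still lists Ola for 05-08 to 11-08 (reassigned a day later in the 2024-06-04 commit), 11-11 to 17-11 and 30-12 to 05-01 (visible as context in the last hunk). If the reassignment is because Ola is unavailable, the remaining slots should be handled in the same commit, and the message should state the reason.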
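Review bot: the third hunk (@@ -50) is a whitespace-only change: it adds the trailing newline that the 2024-04-08 dispatch commit left out (the `\ No newline at end of file` marker is on the `-` side, and the `+` line is otherwise identical). Harmless, but worth a mention in the commit message so nobody reads it as a change to the 30-12 slot.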
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ac90b4d2 by Roberto C. Sánchez at 2024-05-27T11:34:08-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -47,7 +47,7 @@ cacti NOTE: 20240519: I'd have postponed them but let's fix it before buster NOTE: 20240519: goes EOL. (utkarsh) -- -dcmtk (Adrian Bunk) +dcmtk NOTE: 20240428: Added by Front-Desk (ta) -- dlt-daemon (utkarsh) @@ -56,7 +56,7 @@ dlt-daemon (utkarsh) NOTE: 20240519: can postpone these but I am in split mind. Will take it myself NOTE: 20240519: and decide further. (utkarsh) -- -dnsmasq (dleidert) +dnsmasq NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240325: Automatically unassigned (lamby) NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby) @@ -99,7 +99,7 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -ghostscript (Markus Koschany) +ghostscript NOTE: 20240510: Added by Front-Desk (ta) -- git (Sean Whitton) @@ -178,10 +178,10 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -netty (Markus Koschany) +netty NOTE: 20240511: Added by (apo) -- -nodejs (guilhem) +nodejs NOTE: 20240406: Added by Front-Desk (lamby) -- nova 
@@ -292,7 +292,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac90b4d2c99f12a8d60c65011166d77545dcf4d7 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac90b4d2c99f12a8d60c65011166d77545dcf4d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
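Review bot: ghostscript (Markus Koschany) in the @@ -99 hunk is unclaimed with only the front-desk note from 20240510. The 2024-06-29 commit in this thread shows the package being picked up and returned again (20240621) and finally ignored because the fixes need API from 9.50; a one-line note from the first claimant on what was tried would have spared the next person the same analysis.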
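Review bot: the netty context line in the @@ -178 hunk reads `NOTE: 20240511: Added by (apo)`, missing the "Front-Desk" wording every other "Added by" note uses. Not part of this change, but an easy fix while the entry is being touched.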
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 96cf8bf6 by Roberto C. Sánchez at 2024-05-20T10:09:34-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -ansible (Lee Garrett) +ansible NOTE: 20231202: Added by Front-Desk (Beuc) NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021 NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to @@ -91,7 +91,7 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -firmware-nonfree (tobi) +firmware-nonfree NOTE: 20240502: Added by Front-Desk (Beuc) -- freeimage @@ -135,7 +135,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -less (Abhijith PA) +less NOTE: 20240418: Added by Front-Desk (apo) NOTE: 20240506: Pushed CVE-2022-48624 fix to git repo. (abhijith) -- @@ -228,7 +228,7 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -putty (rouca) +putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) NOTE: 20240324: Backport is straighforward (rouca) 
@@ -264,11 +264,11 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby2.5 (utkarsh) +ruby2.5 NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) -- -runc (dleidert) +runc NOTE: 20240312: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96cf8bf6d295d8fe7900965e332625a668454cc4 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96cf8bf6d295d8fe7900965e332625a668454cc4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
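Review bot: in the less hunk (@@ -135) the last note is `NOTE: 20240506: Pushed CVE-2022-48624 fix to git repo. (abhijith)`, exactly 14 days before this 2024-05-20 commit, and it records a fix already pushed. Unclaiming at the boundary on an entry whose last note shows work in flight looks like a threshold off-by-one; the claimant should at least be pinged before the assignment is dropped.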
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 54749cd0 by Roberto C. Sánchez at 2024-05-13T07:49:26-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ bind9 (Santiago) bluez NOTE: 20240510: Added by Front-Desk (ta) -- -dcmtk (Adrian Bunk) +dcmtk NOTE: 20240428: Added by Front-Desk (ta) -- dnsmasq (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54749cd0b4af6425deb10b32992984f6333d912c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54749cd0b4af6425deb10b32992984f6333d912c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 00d4c0ed by Roberto C. Sánchez at 2024-05-06T13:12:54-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,7 +98,7 @@ freeimage glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) -- -h2o (dleidert) +h2o NOTE: 20231228: Added by Front-Desk (lamby) -- i2p @@ -164,7 +164,7 @@ linux-5.10 netty NOTE: 20240419: Added by Front-Desk (apo) -- -nodejs (guilhem) +nodejs NOTE: 20240406: Added by Front-Desk (lamby) -- nova @@ -206,7 +206,7 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -php7.3 (Markus Koschany) +php7.3 NOTE: 20240421: Added by Front-Desk (apo) -- putty (rouca) @@ -282,7 +282,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), 
@@ -305,7 +305,7 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tryton-server (Markus Koschany) +tryton-server NOTE: 20240421: Added by Front-Desk (apo) NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that NOTE: 20240421: being resolved upstream. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00d4c0edea45c8fe89736b0b4030cf2314365c91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00d4c0edea45c8fe89736b0b4030cf2314365c91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
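Review bot: the tryton-server entry being unclaimed (hunk @@ -305) ends with `Fix causes regressions in tryton client. Waiting for that being resolved upstream.` and carries no author tag. Inactivity there is expected while upstream works, so rather than cycling the claim, record the blocker with an author and date (and perhaps a postponed decision), and fix the grammar to "Waiting for that to be resolved upstream".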
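Review bot: h2o (hunk @@ -98) has now been claimed and auto-unclaimed twice (Adrian Bunk in the 2024-04-15 commit, dleidert here) without either claimant leaving a note after `NOTE: 20231228: Added by Front-Desk (lamby)`. Entries that keep bouncing would be easier to triage if the unclaim added a note naming the previous claimant.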
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 285adc61 by Roberto C. Sánchez at 2024-04-30T11:56:07-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -258,7 +258,7 @@ sendmail (rouca) NOTE: 20240324: some issue coordinate with myself and security team (rouca) NOTE: 20240425: need more time to investigate issue -- -shim (rouca) +shim NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240415: https://salsa.debian.org/efi-team/shim/-/merge_requests/13 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/285adc61dd43c76f596eaa37a5fb694331a42c71 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/285adc61dd43c76f596eaa37a5fb694331a42c71 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
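Review bot: the shim entry's last note, `NOTE: 20240415: https://salsa.debian.org/efi-team/shim/-/merge_requests/13`, has no author tag, so the file cannot show whether that merge request is the claimant's own work (15 days old, just past the threshold) or someone else's pointer. Notes should carry the `(nick)` suffix the rest of the file uses, and a merge request under review is a reason to confirm with rouca before unclaiming.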
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 95e3d866 by Roberto C. Sánchez at 2024-04-22T10:01:40-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ bind9 NOTE: 20240418: https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96 NOTE: 20240418: All testing activities remains. -- -dnsmasq (dleidert) +dnsmasq NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240325: Automatically unassigned (lamby) NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby) @@ -124,7 +124,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -knot-resolver (Markus Koschany) +knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) @@ -135,7 +135,7 @@ less (Abhijith PA) libmojolicious-perl NOTE: 20240421: Added by Front-Desk (apo) -- -libpgjava (Markus Koschany) +libpgjava NOTE: 20240308: Added by Front-Desk (opal) -- libreswan @@ -176,7 +176,7 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -mediawiki (guilhem) +mediawiki NOTE: 20240406: Added by Front-Desk (lamby) NOTE: 20240406: Added to address "TEMP-000-519C2D" at the time of writing. (lamby) -- @@ -186,7 +186,7 @@ netty nghttp2 NOTE: 20240421: Added by Front-Desk (apo) -- -nodejs (guilhem) +nodejs NOTE: 20240406: Added by Front-Desk (lamby) -- nova 
@@ -224,7 +224,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- -org-mode (Sean Whitton) +org-mode NOTE: 20240405: Added by Front-Desk (lamby) -- pdns-recursor @@ -297,7 +297,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), @@ -335,7 +335,7 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress (Markus Koschany) +wordpress NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95e3d866f7aea1bbf188b118535b284f4a88cc62 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95e3d866f7aea1bbf188b118535b284f4a88cc62 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
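Review bot: the wordpress hunk (@@ -335) context has `bookwork` for "bookworm" in the 20240314 note; unrelated to the unclaim but an easy fix while the entry is touched. That note also says uploads to spu and ospu "should be coordinated", i.e. the work is blocked on coordination rather than on the claimant, which is worth recording before dropping Markus Koschany from the entry.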
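Review bot: knot-resolver (hunk @@ -124) records being dropped from dla-needed.txt on 20240310 and re-added on 20240311 because four CVEs had been fixed in bullseye; the claimant has left no note since, so the unclaim is consistent with the rule, but a note listing which CVEs still need a buster update would save the next claimant from redoing the 20240311 comparison.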
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d68ec60 by Roberto C. Sánchez at 2024-04-15T12:38:51-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,7 +92,7 @@ frr (tobi) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -h2o (Adrian Bunk) +h2o NOTE: 20231228: Added by Front-Desk (lamby) -- i2p @@ -112,7 +112,7 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libdatetime-timezone-perl (Emilio) +libdatetime-timezone-perl NOTE: 20240327: Added by pochu -- libpgjava (Markus Koschany) @@ -287,7 +287,7 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tzdata (Emilio) +tzdata NOTE: 20240327: Added by pochu -- varnish @@ -306,6 +306,6 @@ wordpress (Markus Koschany) zabbix (Adrian Bunk) NOTE: 20240212: Added by Front-Desk (utkarsh) -- -zookeeper (rouca) +zookeeper NOTE: 20240324: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d68ec6044fdb8346f7100ad087ec9139d9fbc3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d68ec6044fdb8346f7100ad087ec9139d9fbc3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
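Review bot: libdatetime-timezone-perl (hunk @@ -112) and tzdata (hunk @@ -287) are a pair: both say `NOTE: 20240327: Added by pochu`, both were claimed by Emilio and both are unclaimed here after 19 days. Unlike the other entries the "Added by" note lacks the Front-Desk marker, so it is unclear whether this was a front-desk addition or a self-assignment; since the two packages are updated together, a cross-reference in their notes and a single status line on either would have kept both claims.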
[Git][security-tracker-team/security-tracker][master] LTS: re-assign 22nd April FD slot
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d586da79 by Roberto C. Sánchez at 2024-04-12T10:32:01-04:00 LTS: re-assign 22nd April FD slot - - - - - 1 changed file: - org/lts-frontdesk.2024.txt Changes: = org/lts-frontdesk.2024.txt = @@ -14,7 +14,7 @@ From 25-03 to 31-03:Utkarsh Gupta From 01-04 to 07-04:Chris Lamb From 08-04 to 14-04:Emilio Pozuelo Monfort From 15-04 to 21-04:Markus Koschany -From 22-04 to 28-04:Ola Lundqvist +From 22-04 to 28-04:Thorsten Alteholz From 29-04 to 05-05:Sylvain Beucler From 06-05 to 12-05:Thorsten Alteholz From 13-05 to 19-05:Utkarsh Gupta View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d586da7983eb729ddef3ac666de43f7e7e60ec80 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d586da7983eb729ddef3ac666de43f7e7e60ec80 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: dispatch FD slots for second half of 2024
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a3dc8da by Roberto C. Sánchez at 2024-04-08T12:30:00-04:00 LTS: dispatch FD slots for second half of 2024 - - - - - 1 changed file: - org/lts-frontdesk.2024.txt Changes: = org/lts-frontdesk.2024.txt = 
@@ -24,30 +24,30 @@ From 03-06 to 09-06:Markus Koschany From 10-06 to 16-06:Ola Lundqvist From 17-06 to 23-06:Sylvain Beucler From 24-06 to 30-06:Thorsten Alteholz -From 01-07 to 07-07: -From 08-07 to 14-07: -From 15-07 to 21-07: -From 22-07 to 28-07: -From 29-07 to 04-08: -From 05-08 to 11-08: -From 12-08 to 18-08: -From 19-08 to 25-08: -From 26-08 to 01-09: -From 02-09 to 08-09: -From 09-09 to 15-09: -From 16-09 to 22-09: -From 23-09 to 29-09: -From 30-09 to 06-10: -From 07-10 to 13-10: -From 14-10 to 20-10: -From 21-10 to 27-10: -From 28-10 to 03-11: -From 04-11 to 10-11: -From 11-11 to 17-11: -From 18-11 to 24-11: -From 25-11 to 01-12: -From 02-12 to 08-12: -From 09-12 to 15-12: -From 16-12 to 22-12: -From 23-12 to 29-12: -From 30-12 to 05-01: +From 01-07 to 07-07:Thorsten Alteholz +From 08-07 to 14-07:Utkarsh Gupta +From 15-07 to 21-07:Chris Lamb +From 22-07 to 28-07:Emilio Pozuelo Monfort +From 29-07 to 04-08:Markus Koschany +From 05-08 to 11-08:Ola Lundqvist +From 12-08 to 18-08:Sylvain Beucler +From 19-08 to 25-08:Thorsten Alteholz +From 26-08 to 01-09:Utkarsh Gupta +From 02-09 to 08-09:Chris Lamb +From 09-09 to 15-09:Emilio Pozuelo Monfort +From 16-09 to 22-09:Markus Koschany +From 23-09 to 29-09:Ola Lundqvist +From 30-09 to 06-10:Sylvain Beucler +From 07-10 to 13-10:Thorsten Alteholz +From 14-10 to 20-10:Utkarsh Gupta +From 21-10 to 27-10:Chris Lamb +From 28-10 to 03-11:Emilio Pozuelo Monfort +From 04-11 to 10-11:Markus Koschany +From 11-11 to 17-11:Ola Lundqvist +From 18-11 to 24-11:Sylvain Beucler +From 25-11 to 01-12:Thorsten Alteholz +From 02-12 to 08-12:Utkarsh Gupta +From 09-12 to 15-12:Chris Lamb +From 16-12 to 22-12:Emilio Pozuelo Monfort +From 23-12 to 29-12:Markus Koschany +From 30-12 to 05-01:Ola Lundqvist \ No newline at end of file View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a3dc8daf1f017c8be9fe2920ada1b7e6b4c9128 -- View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a3dc8daf1f017c8be9fe2920ada1b7e6b4c9128
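Review bot: the last added line, `+From 30-12 to 05-01:Ola Lundqvist`, is written without a trailing newline (the `\ No newline at end of file` marker sits on the `+` side, and the 2024-06-03 commit in this thread has to add it); add the newline here. Also note that `+From 01-07 to 07-07:Thorsten Alteholz` directly follows the context line `From 24-06 to 30-06:Thorsten Alteholz`, so the first week of the new rotation gives one person two consecutive weeks; if the seven-person cycle is meant to continue seamlessly it should start with Utkarsh Gupta.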
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 161c3266 by Roberto C. Sánchez at 2024-04-08T12:15:01-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,13 +30,13 @@ ansible NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- -atril (utkarsh) +atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) -- -bind9 (Sean Whitton) +bind9 NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- @@ -203,14 +203,14 @@ nvidia-graphics-drivers-legacy-390xx org-mode (Sean Whitton) NOTE: 20240405: Added by Front-Desk (lamby) -- -pdns-recursor (dleidert) +pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- pillow (Adrian Bunk) NOTE: 20240403: Added by Front-Desk (lamby) -- -putty (rouca) +putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) NOTE: 20230324: Backport is straighforward (rouca) 
@@ -246,7 +246,7 @@ samba (Santiago) NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago) -- -sendmail (rouca) +sendmail NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) NOTE: 20240217: Patch extracted and being reviewed (rouca) @@ -307,7 +307,7 @@ xorg-server (Adrian Bunk) NOTE: 20240404: (may) affect xorg-server in LTS. (lamby) NOTE: 20240408: CVE fixes caused regression in unstable: https://bugs.debian.org/1068470 (bunk) -- -zabbix (utkarsh) +zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- zookeeper (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/161c326678765cd6a1e2dd8e3dd278930e99f54f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/161c326678765cd6a1e2dd8e3dd278930e99f54f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
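Review bot: in the first hunk bind9 loses its third claimant in this thread (Thorsten Alteholz in 8bf16639, santiago in 920ce66f, now Sean Whitton) with still no NOTE newer than 20240218, and atril keeps a NOTE pointing at a package ready at https://people.debian.org/~utkarsh/lts/atril/ that only "needs testing"; in both cases a dated line such as "NOTE: 20240408: Unclaimed after 2 weeks of inactivity" would tell the next claimant where work stopped instead of leaving that only in git history.

Review bot: in the putty hunk the two newest notes are stamped 20230104 and 20230324 although they follow a 20231224 note, so the years are almost certainly typos for 2024 (the same line has "straighforward" for straightforward); if the inactivity check reads the NOTE stamps, a mis-stamped year makes an entry look a year stale, so correcting them in this pass would be worthwhile.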
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e9e0d47 by Roberto C. Sánchez at 2024-04-01T11:36:21-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,7 @@ frr gnutls28 (guilhem) NOTE: 20240323: Added by Front-Desk (ta) -- -gtkwave (Adrian Bunk) +gtkwave NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) @@ -253,7 +253,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), @@ -263,7 +263,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -tiff (Abhijith PA) +tiff NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e9e0d47177975fabb329f75bec0f97cde10faef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e9e0d47177975fabb329f75bec0f97cde10faef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
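Review bot: this is the third time in this thread that suricata is unclaimed from Adrian Bunk (also 8bf16639 on 2024-01-01 and 920ce66f on 2024-03-11) while the newest NOTE remains "20231120: DLA coming soon. (bunk)"; rather than re-claiming silently each time, the next claim should come with a status NOTE, or the entry should record what is still blocking the DLA, otherwise the unclaim rule just cycles.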
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 11d6f758 by Roberto C. Sánchez at 2024-03-25T19:56:46-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -47,7 +47,7 @@ composer (rouca) NOTE: 20240315: DSA 5632-1 is out (Beuc/front-desk) NOTE: 20240316: Ask clarification about some fixes on DSA 5632-1 without CVE -- -dnsmasq (dleidert) +dnsmasq NOTE: 20240303: Added by Front-Desk (apo) -- docker.io @@ -237,7 +237,7 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-rack (Adrian Bunk) +ruby-rack NOTE: 20240306: Added by Front-Desk (opal) -- runc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11d6f7582aaee581759834b8aedd76ba4efe4ab2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11d6f7582aaee581759834b8aedd76ba4efe4ab2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 7da61237 by Roberto C. Sánchez at 2024-03-18T13:06:26-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,7 +90,7 @@ expat (tobi) freeipa (Chris Lamb) NOTE: 20240307: Added by Front-Desk (opal) -- -frr (Abhijith PA) +frr NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) @@ -130,7 +130,7 @@ knot-resolver NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libcommons-compress-java (Markus Koschany) +libcommons-compress-java NOTE: 20240303: Added by Front-Desk (apo) -- libpgjava View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7da6123735a50973bd6dab6383c982f023199201 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7da6123735a50973bd6dab6383c982f023199201 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
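Review bot: frr is unclaimed from Abhijith PA for the second time in this thread (first in 04357b21 on 2024-02-26) although the entry shows progress notes a few weeks apart (20240206 "Continuing fixing the remaining issues", 20240301 "continue work"); a claimant who is visibly working but reports less often than every two weeks is dropped by this rule, so either the note cadence should be agreed with the claimant or the unclaim should add a NOTE asking them to re-claim if still active.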
[Git][security-tracker-team/security-tracker][master] LTS: re-add some packages that still need work
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f6de72b5 by Roberto C. Sánchez at 2024-03-14T16:24:30-04:00 LTS: re-add some packages that still need work - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -158,6 +158,17 @@ libssh NOTE: 20240227: <https://archive.libssh.org/libssh/2024-02/009.html> NOTE: 20240227: (spwhitton). -- +libstb + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20231029: A lot of open CVEs. Maybe duplicates. + NOTE: 20231029: If you take a package, please evaluate it as well as its importance. + NOTE: 20231119: None of the new CVE fixes has been reviewed by upstream so far, + NOTE: 20231119: and in the past CVE fixes have caused regressions. + NOTE: 20231119: Wait for upstream merge of fixes (and fixing in unstable). (bunk) + NOTE: 20230314: Reverted decision to remove from this file since + NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye + NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- @@ -239,6 +250,11 @@ ring ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- +runc + NOTE: 20240312: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. + NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) +-- samba NOTE: 20230918: Added by Front-Desk (apo) -- 
@@ -276,6 +292,11 @@ suricata (Adrian Bunk) thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- +tiff + NOTE: 20240314: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and + NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) +-- tinymce (Ola) NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the @@ -298,6 +319,11 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- +wordpress + NOTE: 20240314: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and + NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) +-- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6de72b5ec2b6af6c959a91b15f8685e8eee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6de72b5ec2b6af6c959a91b15f8685e8eee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
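Review bot: in the libstb hunk the reverting note is stamped "20230314" while the two lines that continue it are stamped 20240314, so the first stamp should be 20240314 as well; the same entry spells "bookwork" for bookworm (the tiff entry in the third hunk has it right).

Review bot: the wordpress entry repeats the "bookwork" typo for bookworm; since it uses the same three-line wording as the tiff entry added in the previous hunk, copying those lines verbatim would keep the two consistent.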
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 920ce66f by Roberto C. Sánchez at 2024-03-11T16:43:30-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -34,7 +34,7 @@ atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. -- -bind9 (santiago) +bind9 NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- @@ -149,7 +149,7 @@ linux-5.10 lucene-solr NOTE: 20240213: Added by Front-Desk (lamby) -- -nodejs (guilhem) +nodejs NOTE: 20240218: Added by Front-Desk (lamby) -- nova @@ -233,7 +233,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/920ce66f91c279b56d225b357dc8a52d7a265d41 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/920ce66f91c279b56d225b357dc8a52d7a265d41 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 709ac131 by Roberto C. Sánchez at 2024-03-04T09:38:20-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,7 +60,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -composer (rouca) +composer NOTE: 20240209: Added by Front-Desk (utkarsh) -- cpio @@ -283,7 +283,7 @@ runc samba NOTE: 20230918: Added by Front-Desk (apo) -- -sendmail (rouca) +sendmail NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches NOTE: 20240217: Patch extracted and being reviewed (rouca) @@ -317,7 +317,7 @@ tinymce tomcat9 NOTE: 20240121: Added by Front-Desk (apo) -- -varnish (Abhijith PA) +varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 NOTE: 20231219: Continuing work View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/709ac131b56f3c19e0baa0eb900fbfe9ef45999c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/709ac131b56f3c19e0baa0eb900fbfe9ef45999c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 04357b21 by Roberto C. Sánchez at 2024-02-26T12:25:51-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -102,7 +102,7 @@ firefox-esr (Emilio) freeimage NOTE: 20240121: Added by Front-Desk (apo) -- -frr (Abhijith PA) +frr NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) -- @@ -133,10 +133,10 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -knot-resolver (Markus Koschany) +knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libgit2 (utkarsh) +libgit2 NOTE: 20240212: Added by Front-Desk (utkarsh) NOTE: 20240212: taking with my maintainer hat on (utkarsh) -- @@ -191,7 +191,7 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- -nss (tobi) +nss NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240209: There is currently no (public) patch for CVE-2023-5388 - RedHat seems to have one in private… (tobi) NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is unclear which bits are required or if the @@ -297,7 +297,7 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tomcat9 (Markus Koschany) +tomcat9 NOTE: 20240121: Added by Front-Desk (apo) -- varnish (Abhijith PA) 
@@ -319,7 +319,7 @@ wpa (Chris Lamb) zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- -zfs-linux (utkarsh) +zfs-linux NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) NOTE: 20240209: I was out last to last week so couldn't process this but it's nearly ready. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04357b2a54d720ecfc6657fb78d2b7c69949 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04357b2a54d720ecfc6657fb78d2b7c69949 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
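Review bot: libgit2's newest NOTE is 20240212 and this commit is dated 2024-02-26, exactly fourteen days later, so the entry is dropped on the boundary of the "2 weeks" rule; if the cutoff is meant to be inclusive that is fine, but the rule should be stated precisely (more than 14 days, or 14 days or more) in the commit message or the script so claimants know when the clock runs out.

Review bot: the zfs-linux entry carries a NOTE stamped 20240801, which is in the future relative to this commit; it sits between 20231127 and 20240209, so it is presumably a mistyped 2024 date and should be corrected, because any check that takes the newest NOTE stamp as last activity would treat this entry as active indefinitely.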
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f7e3e98 by Roberto C. Sánchez at 2024-02-19T12:47:23-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,7 +60,7 @@ cinder composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) -- -curl (rouca) +curl NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21 @@ -153,7 +153,7 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libssh (Sean Whitton) +libssh NOTE: 20231219: Added by Front-Desk (ta) NOTE: 20240111: Still working on backporting the patches (spwhitton). -- 
@@ -208,11 +208,11 @@ putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) -- -python-asyncssh (dleidert) +python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python-django (Chris Lamb) +python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f7e3e98d43ed2c4ec3281ff929ce4a56bc52130 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f7e3e98d43ed2c4ec3281ff929ce4a56bc52130 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
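Review bot: libssh was re-assigned to Sean Whitton only three weeks earlier in 4e1cbb6c, whose message calls the previous unclaim incorrect, and nothing in the entry changed since (newest NOTE still 20240111), so the same unclaim fires again here; a re-assignment needs a fresh dated NOTE, or the script needs a way to exempt an entry, otherwise this repeats every two weeks.

Review bot: python-django is unclaimed from Chris Lamb for the third time in this thread (8bf16639 on 2024-01-01, 280db614 on 2024-01-15, and here) with no NOTE newer than 20231020; re-claiming repeatedly without a status line defeats the purpose of the inactivity rule, so the next claim should say what remains of the four CVEs listed in the 20231020 note.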
[Git][security-tracker-team/security-tracker][master] LTS: Re-assign libssh, which was incorrectly unclaimed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e1cbb6c by Roberto C. Sánchez at 2024-01-29T12:55:40-05:00 LTS: Re-assign libssh, which was incorrectly unclaimed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -135,7 +135,7 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libssh +libssh (Sean Whitton) NOTE: 20231219: Added by Front-Desk (ta) NOTE: 20240111: Still working on backporting the patches (spwhitton). -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e1cbb6c409789d317bf4ab32364f3079a492326 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e1cbb6c409789d317bf4ab32364f3079a492326 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
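Review bot: restoring "(Sean Whitton)" without a dated NOTE leaves the entry's newest activity stamp at 20240111, so the next semi-automatic run will unclaim it again for the same reason; add a line such as "NOTE: 20240129: Re-assigned, claimant still working on the backport (roberto)" alongside the re-assignment.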
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ae85d382 by Roberto C. Sánchez at 2024-01-29T12:03:02-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,7 +124,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -knot-resolver (Markus Koschany) +knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- libreswan @@ -135,7 +135,7 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libssh (Sean Whitton) +libssh NOTE: 20231219: Added by Front-Desk (ta) NOTE: 20240111: Still working on backporting the patches (spwhitton). -- @@ -300,7 +300,7 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -zfs-linux (Utkarsh) +zfs-linux NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae85d382ab49e5b2d462c1ece4ab65ce0fb5b9b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae85d382ab49e5b2d462c1ece4ab65ce0fb5b9b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
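Review bot: libssh's newest NOTE, "20240111: Still working on backporting the patches (spwhitton)", is 18 days old at this commit, so the rule fires even though the claimant has stated that a multi-patch backport is in progress; the same-day follow-up 4e1cbb6c calling this unclaim incorrect shows the two-week window is too short for that kind of work unless claimants post a note every fortnight, which is worth spelling out in the rule.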
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 280db614 by Roberto C. Sánchez at 2024-01-15T14:54:52-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -178,7 +178,7 @@ putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) -- -python-django (Chris Lamb) +python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) @@ -239,7 +239,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -sudo (Adrian Bunk) +sudo NOTE: 20231224: Added by Front-Desk (ta) -- suricata (Adrian Bunk) @@ -252,7 +252,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -tiff (Adrian Bunk) +tiff NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/280db6145557f744afe55a74e09f7cb2d2dc597f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/280db6145557f744afe55a74e09f7cb2d2dc597f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: change FD assignment due to unavailability of Ola
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f373d76 by Roberto C. Sánchez at 2024-01-08T22:29:54-05:00 LTS: change FD assignment due to unavailability of Ola - - - - - 1 changed file: - org/lts-frontdesk.2024.txt Changes: = org/lts-frontdesk.2024.txt = @@ -1,6 +1,6 @@ From 01-01 to 07-01:Emilio Pozuelo Monfort From 08-01 to 14-01:Markus Koschany -From 15-01 to 21-01:Ola Lundqvist +From 15-01 to 21-01:Markus Koschany From 22-01 to 28-01:Sylvain Beucler From 29-01 to 04-02:Thorsten Alteholz From 05-02 to 11-02:Utkarsh Gupta @@ -50,4 +50,4 @@ From 02-12 to 08-12: From 09-12 to 15-12: From 16-12 to 22-12: From 23-12 to 29-12: -From 30-12 to 05-01: \ No newline at end of file +From 30-12 to 05-01: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f373d763b04b785f33c37fcd3ff3fbd1c7151c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f373d763b04b785f33c37fcd3ff3fbd1c7151c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 97a09030 by Roberto C. Sánchez at 2024-01-08T15:10:36-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,7 +69,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -dropbear (guilhem) +dropbear NOTE: 20231219: Added by Front-Desk (ta) -- edk2 @@ -122,7 +122,7 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libssh (Sean Whitton) +libssh NOTE: 20231219: Added by Front-Desk (ta) -- libstb @@ -227,7 +227,7 @@ samba sendmail NOTE: 20231224: Added by Front-Desk (ta) -- -squid (Markus Koschany) +squid NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231218: Investigating new CVE. (apo) NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97a090308aed690ec3b3384990c44a1a2bed453e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97a090308aed690ec3b3384990c44a1a2bed453e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
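Review bot: squid's newest NOTE (20231223) says "The update requires a few more tests. Intend to release after the holidays.", and this unclaim lands on 2024-01-08, 16 days later, spanning exactly the holiday pause the note announced; an announced pause should count as activity (or stop the two-week clock), otherwise every claimant who goes quiet over the holidays is dropped.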
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bf16639 by Roberto C. Sánchez at 2024-01-01T07:48:37-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,7 +30,7 @@ ansible NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- -bind9 (Thorsten Alteholz) +bind9 NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing @@ -180,7 +180,7 @@ postfix putty NOTE: 20231224: Added by Front-Desk (ta) -- -python-django (Chris Lamb) +python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) @@ -244,7 +244,7 @@ squid (Markus Koschany) sudo (Adrian Bunk) NOTE: 20231224: Added by Front-Desk (ta) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), @@ -275,7 +275,7 @@ varnish (Abhijith PA) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 NOTE: 20231219: Continuing work -- -wireshark (Adrian Bunk) +wireshark NOTE: 20231118: Added by Front-Desk (apo) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) 
@@ -283,6 +283,6 @@ wireshark (Adrian Bunk) zabbix NOTE: 20231015: Added by Front-Desk (ta) -- -zfs-linux (utkarsh) +zfs-linux NOTE: 20231127: Added by Front-Desk (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bf16639f38a39b0a73ab806ce55145b04b5c9f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bf16639f38a39b0a73ab806ce55145b04b5c9f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a86e288 by Roberto C. Sánchez at 2023-12-25T09:49:34-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -135,7 +135,7 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -netatalk (Abhijith PA) +netatalk NOTE: 20231119: Added by Front-Desk (apo) -- node-webpack View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a86e288e007f0117b82c7bdd54c5a381e21a6a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a86e288e007f0117b82c7bdd54c5a381e21a6a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f66e7e98 by Roberto C. Sánchez at 2023-12-18T08:33:35-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,7 +37,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle (Markus Koschany) +bouncycastle NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) @@ -205,7 +205,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid (Markus Koschany) +squid NOTE: 20231102: Added by Front-Desk (lamby) -- suricata (Adrian Bunk) @@ -229,7 +229,7 @@ tomcat9 NOTE: 20231129: Added by Front-Desk (Beuc) NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca) -- -varnish (Abhijith PA) +varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f66e7e984d16655c06ff4a66a0198c487ab2472b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f66e7e984d16655c06ff4a66a0198c487ab2472b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
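Review bot: in the varnish hunk the unchanged tomcat9 context line reads "NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca)"; the year is a typo for 20231217 (the preceding note is dated 20231129). Not introduced by this change, but any date-based inactivity check will misread a 2013 date, so it is worth fixing in a follow-up commit.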
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f988905 by Roberto C. Sánchez at 2023-12-11T12:08:10-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -154,7 +154,7 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -python-django (Chris Lamb) +python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) @@ -170,7 +170,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -rabbitmq-server (Markus Koschany) +rabbitmq-server NOTE: 20231119: Added by Front-Desk (apo) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f9889059c55765adfab7b21c3376c20e0e7c597 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f9889059c55765adfab7b21c3376c20e0e7c597 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 165ae4f9 by Roberto C. Sánchez at 2023-12-04T11:05:44-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,7 +110,7 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -netatalk (gladk) +netatalk NOTE: 20231119: Added by Front-Desk (apo) -- node-webpack @@ -207,7 +207,7 @@ spip (guilhem) squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/165ae4f95219d9c3ce54fa44daa25ea503182cb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/165ae4f95219d9c3ce54fa44daa25ea503182cb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e8a90ad by Roberto C. Sánchez at 2023-11-27T04:23:35-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,7 +113,7 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -mediawiki (guilhem) +mediawiki NOTE: 20231011: Added by Front-Desk (ta) -- minizip (Thorsten Alteholz) @@ -158,7 +158,7 @@ postgresql-multicorn (rouca) NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -python-django (Chris Lamb) +python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e8a90ae8d2faea4e41267f9d9b064b944c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e8a90ae8d2faea4e41267f9d9b064b944c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: c5e85dbf by Roberto C. Sánchez at 2023-11-20T12:59:21-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -245,7 +245,7 @@ salt NOTE: 20230928: will need python3-attr (>= 19.1) may from buster-backport ? or vendored ? NOTE: 20230928: see https://lists.debian.org/debian-lts/2023/09/msg00033.html -- -samba (Lee Garrett) +samba NOTE: 20230918: Added by Front-Desk (apo) -- squid View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5e85dbfd2249a20e31e5f264e25aec4a608b5cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5e85dbfd2249a20e31e5f264e25aec4a608b5cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d9321df2 by Roberto C. Sánchez at 2023-11-13T11:20:27-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,7 +44,7 @@ curl NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) -- -docker.io (rouca/santiago) +docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) NOTE: 20230424: Is in preparation. (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9321df25fffd2d528ad4fd147a83d33e5851e43 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9321df25fffd2d528ad4fd147a83d33e5851e43 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ad3688b7 by Roberto C. Sánchez at 2023-11-06T13:05:47-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231105: still testing package -- -cacti (guilhem) +cacti NOTE: 20230906: Added by Front-Desk (lamby) -- cairosvg @@ -72,7 +72,7 @@ freeimage (gladk) NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- -freerdp2 (tobi) +freerdp2 NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. @@ -129,7 +129,7 @@ lwip NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2020-22283 & CVE-2020-22284). (lamby) -- -mediawiki (guilhem) +mediawiki NOTE: 20231011: Added by Front-Desk (ta) -- mosquitto (Markus Koschany) 
@@ -175,7 +175,7 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -python-django (Chris Lamb) +python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad3688b71c91edf5c404838f7fa14b1eb339c8c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad3688b71c91edf5c404838f7fa14b1eb339c8c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ff404e88 by Roberto C. Sánchez at 2023-10-30T07:51:06-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,7 +62,7 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage (gladk) +freeimage NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll @@ -226,7 +226,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff404e889f7029f106cb3958c537e3fbc2e55449 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff404e889f7029f106cb3958c537e3fbc2e55449 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update request-tracker4 notes with patch info
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 40b8de3b by Roberto C. Sánchez at 2023-10-28T08:55:56-04:00 LTS: update request-tracker4 notes with patch info - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -193,6 +193,7 @@ request-tracker4 NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb NOTE: 20231025: Andrew Ruthven is working on the buster-security upload, but will let the LTS handle the paperwork + NOTE: 20231028: Andrew has provided the buster patch, it has been posted to the team mailing list (Message-ID: ) -- ring NOTE: 20230903: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40b8de3b1ce6d2f7d728fba1e8aa941840349d68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40b8de3b1ce6d2f7d728fba1e8aa941840349d68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
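Review bot: the added request-tracker4 note ends with an empty parenthetical, "(Message-ID: )". Either fill in the actual Message-ID of the list post carrying Andrew's buster patch, or drop the parenthetical and give the list archive URL instead; as written the reference cannot be followed by anyone picking up the package.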
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4082b043 by Roberto C. Sánchez at 2023-10-23T11:58:14-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -111,13 +111,13 @@ libspf2 (Thorsten Alteholz) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- -linux-5.10 (Ben Hutchings) +linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -mosquitto (Markus Koschany) +mosquitto NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4082b043a5d001ae0dcb2db1213f3425817b60a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4082b043a5d001ae0dcb2db1213f3425817b60a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
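Review bot: the first hunk unclaims linux-5.10 even though its note, "NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)", marks it as a standing delegation to the claimant, and the "linux (Ben Hutchings)" entry directly above with the identical "perma-added" note is left untouched. The semi-automatic unclaim should exempt perma-added entries (for example by skipping any entry whose notes contain "perma-added"), and the claim on linux-5.10 should be restored.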
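Review bot: the mosquitto hunk removes the claim while the latest note, "NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo)", is dated 14 days earlier and describes a wait on upstream rather than abandoned work. Suggest confirming with the claimant before unclaiming, or having them refresh the NOTE with the current status so the next run does not catch the entry again.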
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f15dea8f by Roberto C. Sánchez at 2023-10-16T09:58:32-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -167,7 +167,7 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -phppgadmin (Abhijith PA) +phppgadmin NOTE: 20230925: Added by Front-Desk (apo) -- python-django @@ -205,7 +205,7 @@ ring ruby-rmagick NOTE: 20230808: Added by Front-Desk on rouca's (imagemagick package maintainer) request (Beuc) -- -salt (rouca) +salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues NOTE: 20220814: without backporting a newer version. (Anton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f15dea8f24a9258c0ad3c7ef6e9234335a8ed7b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f15dea8f24a9258c0ad3c7ef6e9234335a8ed7b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 85bd55dc by Roberto C. Sánchez at 2023-10-09T09:39:26-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,7 +81,7 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage (gladk) +freeimage NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll @@ -121,7 +121,7 @@ linux (Ben Hutchings) linux-5.10 (Ben Hutchings) NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -mosquitto (Markus Koschany) +mosquitto NOTE: 20230924: Added by Front-Desk (apo) -- node-webpack @@ -168,7 +168,7 @@ poppler (Adrian Bunk) NOTE: 20230908: as I suspect this is a duplicate of CVE-2020-27778 (which has already NOTE: 20230908: been fixed). (lamby) -- -puma (Abhijith PA) +puma NOTE: 20230925: Added by Front-Desk (apo) -- python-django View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85bd55dcfaf1a9bf135f09add05a37202e468a24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85bd55dcfaf1a9bf135f09add05a37202e468a24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f25c389f by Roberto C. Sánchez at 2023-09-18T21:02:16-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -155,7 +155,7 @@ open-vm-tools (Sean Whitton) opendkim NOTE: 20230821: Added by Front-Desk (ta) -- -openjdk-11 (Emilio) +openjdk-11 NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) @@ -233,7 +233,7 @@ suricata NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -tiff (gladk) +tiff NOTE: 20230826: Added by Front-Desk (utkarsh) -- trafficserver (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f25c389f6f4f0da918b9b9d4eb05ad45eed89875 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f25c389f6f4f0da918b9b9d4eb05ad45eed89875 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 97526450 by Roberto C. Sánchez at 2023-09-05T10:24:07-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ frr gerbv (Adrian Bunk) NOTE: 20230903: Added by Front-Desk (gladk) -- -glib2.0 (santiago) +glib2.0 NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test @@ -141,7 +141,7 @@ orthanc (gladk) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) -- -php7.3 (guilhem) +php7.3 NOTE: 20230820: Added by Front-Desk (ta) -- python-glance-store @@ -219,7 +219,7 @@ samba NOTE: 20230807: CVEs/bugfixes don't have test coverage. NOTE: 20230822: https://lists.debian.org/debian-lts/2023/08/msg00027.html (lee) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9752645033eebb0b4677cda8c625cfc15769ce69 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9752645033eebb0b4677cda8c625cfc15769ce69 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ee67bf4 by Roberto C. Sánchez at 2023-08-28T11:29:06-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,7 @@ i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- -imagemagick (rouca) +imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- @@ -115,7 +115,7 @@ nvidia-cuda-toolkit opendkim NOTE: 20230821: Added by Front-Desk (ta) -- -opendmarc (Chris Lamb) +opendmarc NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 -- @@ -127,7 +127,7 @@ openjdk-11 NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -orthanc (gladk) +orthanc NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) 
@@ -198,7 +198,7 @@ ruby-rails-html-sanitizer NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) NOTE: 20230808: utkarsh mentions on IRC he's busy with other packages, this is "free to claim atm". (Beuc/front-desk) -- -ruby-rmagick (rouca) +ruby-rmagick NOTE: 20230808: Added by Front-Desk on rouca's (imagemagick package maintainer) request (Beuc) -- salt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ee67bf40b3293c778b227d0e0cbc621e699727c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ee67bf40b3293c778b227d0e0cbc621e699727c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
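Review bot: in the opendmarc hunk the two retained notes are out of chronological order: "NOTE: 20230811: Added by Front-Desk (Beuc)" is followed by "NOTE: 20230810: Experimental issue-based workflow: ...". One of the two dates is a typo; since the entry was added on 20230811, the second note most likely should carry that date too. Not part of this change, but worth correcting in a follow-up so the NOTE history reads in order.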
[Git][security-tracker-team/security-tracker][master] LTS: re-add qt4-x11, which still has an open CVE
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b01d919b by Roberto C. Sánchez at 2023-08-22T18:57:23-04:00 LTS: re-add qt4-x11, which still has an open CVE - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -152,6 +152,10 @@ python-os-brick qpdf (Thorsten Alteholz) NOTE: 20230820: Added by Front-Desk (ta) -- +qt4-x11 + NOTE: 20230822: Re-added for one remaining open CVE (roberto) + NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto) +-- rails (utkarsh) NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b01d919b07f718ad24684990c700979139341195 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b01d919b07f718ad24684990c700979139341195 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
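Review bot: in the second added note, "CVE-2021-28025 maybe a dup of CVE-2021-3481" should read "may be a dup of"; written as one word, "maybe" leaves the sentence without a verb. The rest of the re-added entry follows the file's conventions (date-prefixed NOTE lines, "(roberto)" attribution, "--" separator).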
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3539-1 for qt4-x11
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: eb7935a5 by Roberto C. Sánchez at 2023-08-22T18:34:01-04:00 Reserve DLA-3539-1 for qt4-x11 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -121452,7 +121452,6 @@ CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an [bullseye] - qtsvg-opensource-src (Minor issue) [buster] - qtsvg-opensource-src (Minor issue) - qt4-x11 - [buster] - qt4-x11 (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml @@ -168533,7 +168532,6 @@ CVE-2021-3481 (A flaw was found in Qt. An out-of-bounds read vulnerability was f - qtsvg-opensource-src 5.15.2-3 (bug #986798) [buster] - qtsvg-opensource-src (Minor issue) - qt4-x11 - [buster] - qt4-x11 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931444 NOTE: https://bugreports.qt.io/browse/QTBUG-91507 NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=bfd6ee0d8cf34b63d32adf10ed93daa0086b359f (qt/qtsvg/dev) = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Aug 2023] DLA-3539-1 qt4-x11 - security update + {CVE-2021-3481 CVE-2021-45930 CVE-2023-32573 CVE-2023-32763 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197} + [buster] - qt4-x11 4:4.8.7+dfsg-18+deb10u2 [22 Aug 2023] DLA-3538-1 zabbix - security update {CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457} [buster] - zabbix 1:4.0.4+dfsg-1+deb10u2 = data/dla-needed.txt = 
@@ -157,11 +157,6 @@ python-os-brick qpdf (Thorsten Alteholz) NOTE: 20230820: Added by Front-Desk (ta) -- -qt4-x11 (Roberto C. Sánchez) - NOTE: 20230612: Added by Front-Desk (apo) - NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 - NOTE: 20230822: New CVEs have been reported (roberto) --- rails (utkarsh) NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb7935a5dfd17f87c28ebb94f1b84c6a3bf334b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb7935a5dfd17f87c28ebb94f1b84c6a3bf334b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
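Review bot: the data/dla-needed.txt hunk removes the whole qt4-x11 entry, but the DLA-3539-1 reservation in the same commit covers seven CVEs only, and the follow-up commit b01d919b above re-adds the entry because CVE-2021-28025 was still open. Before dropping a package from dla-needed.txt, check the tracker for remaining open CVEs against it and keep the entry (with a NOTE naming the leftovers) when any remain. The data/CVE/list hunks that drop the "[buster] - qt4-x11 (Minor issue)" annotations for CVE-2021-45930 and CVE-2021-3481 are consistent with those two CVEs now being fixed by the DLA.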
[Git][security-tracker-team/security-tracker][master] CVE-2023-38197: add security blog article link
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c30e532 by Roberto C. Sánchez at 2023-08-22T09:39:03-04:00 CVE-2023-38197: add security blog article link - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4917,6 +4917,7 @@ CVE-2023-38197 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, [bullseye] - qtbase-opensource-src (Minor issue) [buster] - qtbase-opensource-src (Minor issue) - qt4-x11 + NOTE: https://www.qt.io/blog/security-advisory-qxmlstreamreader-1 NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/488960 CVE-2023-37568 (ELECOM wireless LAN routers WRC-1167GHBK-S v1.03 and earlier, and WRC- ...) NOT-FOR-US: ELECOM View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c30e532045b464c3de6e52eb788dbc1530d85c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c30e532045b464c3de6e52eb788dbc1530d85c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] fix typo
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e8544a1f by Roberto C. Sánchez at 2023-08-22T06:31:36-04:00 fix typo - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -160,7 +160,7 @@ qpdf (Thorsten Alteholz) qt4-x11 (Roberto C. Sánchez) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 - NOTE: 20230822: New CVS have been reported (roberto) + NOTE: 20230822: New CVEs have been reported (roberto) -- rails (utkarsh) NOTE: 20220909: Re-added due to regression (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8544a1ff94edf460e57a1502651b65202ab7642 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8544a1ff94edf460e57a1502651b65202ab7642 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: reclaim qt4-x11
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c4535ef9 by Roberto C. Sánchez at 2023-08-22T06:30:45-04:00
LTS: reclaim qt4-x11
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -157,9 +157,10 @@ python-os-brick qpdf (Thorsten Alteholz) NOTE: 20230820: Added by Front-Desk (ta) -- -qt4-x11 +qt4-x11 (Roberto C. Sánchez) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 + NOTE: 20230822: New CVS have been reported (roberto) -- rails (utkarsh) NOTE: 20220909: Re-added due to regression (abhijith)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4535ef9e532624219a038b63bbb3118f5698ffd
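Review bot: the added line `+ NOTE: 20230822: New CVS have been reported (roberto)` in the qt4-x11 hunk has a typo, "CVS" for "CVEs" (corrected in the follow-up commit e8544a1f); it would also help to name the CVEs, since this dla-needed entry is the first place a later claimant looks.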
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c3eea4e3 by Roberto C. Sánchez at 2023-08-21T15:14:07-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@connexer.com
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -58,7 +58,7 @@ flask-security (Sean Whitton) NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 NOTE: 20230811: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) -- -gawk (Adrian Bunk) +gawk NOTE: 20230806: Added by Front-Desk (gladk) NOTE: 20230806: Please, check, whether CVE is applicable for buster NOTE: 20230806: poc are available in the mailing list (gladk) @@ -128,7 +128,7 @@ opendmarc (Chris Lamb) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 -- -openjdk-11 (Emilio) +openjdk-11 NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) @@ -166,7 +166,7 @@ python-os-brick qpdf (Thorsten Alteholz) NOTE: 20230820: Added by Front-Desk (ta) -- -qt4-x11 (Roberto C. Sánchez) +qt4-x11 NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 --
@@ -215,7 +215,7 @@ salt NOTE: 20230720: https://docs.saltproject.io/en/master/topics/releases/3002.html#execution-module-changes NOTE: 20230720: Last but not least salt is not present in stable/testing (rouca) -- -samba (Lee Garrett) +samba NOTE: 20220904: Added by Front-Desk (apo) NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3eea4e3c40fd4527de5b188803eea9083b7221c
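Review bot: the openjdk-11 hunk drops Emilio with the context still ending at `NOTE: 20230612: sid updated, preparing backport (pochu)`, the same lines shown when this script removed him on 2023-05-22, 2023-06-26, 2023-07-17 and 2023-08-01, while the 2023-08-14 sweep shows a `NOTE: 20230802: ... waiting for DSA` line; the work is blocked on an external event rather than abandoned, so a "waiting" marker the script honours, or an explicit front-desk decision, would stop this claim from being churned every fortnight.

Review bot: the qt4-x11 hunk removes the claim taken in f7d8d726 on 2023-08-01, which added no dated NOTE; with the newest note still 20230615 the two-week rule was bound to fire, so a claim should always come with a `NOTE: yyyymmdd: ...` line, as the 2023-08-22 reclaim then does.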
[Git][security-tracker-team/security-tracker][master] CVE-2019-14889/stretch is being fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3bf17820 by Roberto C. Sánchez at 2023-08-16T19:16:52-04:00
CVE-2019-14889/stretch is being fixed
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -288176,7 +288176,6 @@ CVE-2019-14890 (A vulnerability was found in Ansible Tower before 3.6.1 where an CVE-2019-14889 (A flaw was found with the libssh API function ssh_scp_new() in version ...) {DLA-3437-1 DLA-2038-1} - libssh 0.9.3-1 (bug #946548) - [stretch] - libssh (Minor issue) NOTE: https://www.libssh.org/security/advisories/CVE-2019-14889.txt NOTE: https://bugs.libssh.org/T181 NOTE: The fix in libssh makes an update in x2goclient necessary, cf:
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bf178205e3dae68a4688d54f0efb2b52c88e802
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e7cec407 by Roberto C. Sánchez at 2023-08-14T13:14:53-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@connexer.com
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -25,7 +25,7 @@ amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) NOTE: 20230813: testing packages (ta) -- -cairosvg (gladk) +cairosvg NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) -- @@ -104,7 +104,7 @@ mediawiki NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk) -- -nodejs (guilhem) +nodejs NOTE: 20230731: Added by Front-Desk (apo) -- nova @@ -126,7 +126,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools (Abhijith PA) +open-vm-tools NOTE: 20230731: Added by Front-Desk (apo) -- opendmarc (Chris Lamb) @@ -141,7 +141,7 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssl (gladk) +openssl NOTE: 20230731: Added by Front-Desk (apo) -- orthanc (gladk)
@@ -228,7 +228,7 @@ samba (Lee Garrett) NOTE: 20230807: functional test framework is however needed (WIP) as most NOTE: 20230807: CVEs/bugfixes don't have test coverage. -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored),
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7cec4073c0ea3df68a9067f30c0c6ff0499078c
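Review bot: the nodejs, open-vm-tools and openssl hunks each remove a claimant whose entry carries only `NOTE: 20230731: Added by Front-Desk (apo)`, exactly two weeks before this sweep; the script appears to count inactivity from the newest NOTE date, so a claim that adds no note of its own is treated as idle from the day the front desk listed the package, and either claimants should be asked to add an initial dated NOTE or the script should start its clock at the claim.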
[Git][security-tracker-team/security-tracker][master] LTS: reclaim qt4-x11
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f7d8d726 by Roberto C. Sánchez at 2023-08-01T15:47:05-04:00
LTS: reclaim qt4-x11
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -136,7 +136,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -qt4-x11 +qt4-x11 (Roberto C. Sánchez) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d8d726db51438676bed130fd03059fbb8e9b15
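Review bot: this reclaim of qt4-x11 reverses the unclaim in 4bcb8a1f from six hours earlier but adds no dated NOTE, so the entry's newest note stays 20230615 and the next sweep removes the claim again (as happens on 2023-08-21); a one-line `NOTE: 20230801: ...` would both keep the claim alive and tell the front desk what is being worked on.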
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4bcb8a1f by Roberto C. Sánchez at 2023-08-01T09:47:14-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@connexer.com
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -42,7 +42,7 @@ cinder cjose (guilhem) NOTE: 20230730: Added by Front-Desk (apo) -- -docker.io (rouca) +docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) NOTE: 20230424: Is in preparation. (gladk) @@ -76,7 +76,7 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- -libreoffice (Abhijith PA) +libreoffice NOTE: 20230530: Added by Front-Desk (pochu) NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith) NOTE: 20230718: CVE-2023-2255.diff fails to build. (abhijith) @@ -113,7 +113,7 @@ openimageio (Markus Koschany) NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk) -- -openjdk-11 (Emilio) +openjdk-11 NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) @@ -135,7 +135,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -qt4-x11 (Roberto C. Sánchez) +qt4-x11 NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 --
@@ -195,7 +195,7 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -xqilla (tobi) +xqilla NOTE: 20230706: Added by Front-Desk (gladk) NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code. --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bcb8a1fb3a07c16968ed14da11cace5da3bfada
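Review bot: the xqilla hunk only removes the claimant although the last NOTE (`20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code`) is a finished triage; the matching action is to record the not-affected verdict for buster in data/CVE/list and drop the entry from dla-needed.txt, otherwise the next front-desk pass re-assigns a package with nothing to fix.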
[Git][security-tracker-team/security-tracker][master] fix email address format
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c489f6e1 by Roberto C. Sánchez at 2023-08-01T09:43:27-04:00
fix email address format
1 changed file:
- org/lts-frontdesk.2023.txt
Changes:
= org/lts-frontdesk.2023.txt =
@@ -28,7 +28,7 @@ From 03-07 to 09-07:Anton Gladky From 10-07 to 16-07:Chris Lamb From 17-07 to 23-07:Emilio Pozuelo Monfort From 24-07 to 30-07:Markus Koschany -From 31-07 to 06-08:Anton Gladky +From 31-07 to 06-08:Anton Gladky From 07-08 to 13-08:Sylvain Beucler From 14-08 to 20-08:Thorsten Alteholz From 21-08 to 27-08:Utkarsh Gupta
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c489f6e18a7307b56cdbd9e35d37c4b6c3da2f12
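Review bot: the `-`/`+` pair for `From 31-07 to 06-08:Anton Gladky` renders identically here, so the actual change (the address format) cannot be seen in the hunk; a commit message that names the malformed value would make the fix reviewable from the log alone.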
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0567bb72 by Roberto C. Sánchez at 2023-07-17T12:43:24-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@connexer.com
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -84,11 +84,11 @@ imagemagick -- iperf3 (Markus Koschany) -- -libapache2-mod-auth-openidc (gladk) +libapache2-mod-auth-openidc NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- -libreoffice (Abhijith PA) +libreoffice NOTE: 20230530: Added by Front-Desk (pochu) -- linux (Ben Hutchings) @@ -113,11 +113,11 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openimageio (gladk) +openimageio NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. -- -openjdk-11 (Emilio) +openjdk-11 NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu)
@@ -187,7 +187,7 @@ salt NOTE: 20220814: I am not sure, whether it is possible to fix issues NOTE: 20220814: without backporting a newer version. (Anton) -- -samba (Lee Garrett) +samba NOTE: 20220904: Added by Front-Desk (apo) NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0567bb7216a82d332b11233bcffa3a2a2fc06d88
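Review bot: the samba hunk removes Lee Garrett for the second time in this log (also on 2023-06-26) with the context still ending at `NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)`; the 2023-08-14 sweep later shows 20230807 notes about a functional test framework, so work continued between sweeps without being noted, and a front-desk decision on whether the partial ("intermittent") upload should go out now would be more useful than another unclaim.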
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6719c1d6 by Roberto C. Sánchez at 2023-07-10T12:05:21-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@debian.org
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -bind9 (Chris Lamb) +bind9 NOTE: 20230623: Added by Front-Desk (Beuc) NOTE: 20230623: Upcoming DSA prepared by maintainer (Beuc/front-desk) -- @@ -83,7 +83,7 @@ hdf5 NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files, NOTE: 20230520: so giving up on the package. (tobi) -- -imagemagick (rouca) +imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6719c1d602dc010ccac3f4b16b2446ad30b4dce4
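Review bot: the bind9 hunk's own context line reads `To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones`, yet the unclaim removes the claimant name and appends nothing; the script should add a `NOTE: 20230710: unclaimed after 2 weeks of inactivity` line (here and in the imagemagick hunk) so the history the file asks for is actually preserved.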
[Git][security-tracker-team/security-tracker][master] DLA-3479-1 for golang-yaml.v2
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2aa48306 by Roberto C. Sánchez at 2023-07-05T16:26:20-04:00
DLA-3479-1 for golang-yaml.v2
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[05 Jul 2023] DLA-3479-1 golang-yaml.v2 - security update + {CVE-2021-4235 CVE-2022-3064} + [buster] - golang-yaml.v2 2.2.2-1+deb10u1 [02 Jul 2023] DLA-3478-1 yajl - security update {CVE-2023-33460} [buster] - yajl 2.1.0-3+deb10u1
= data/dla-needed.txt =
@@ -74,10 +74,6 @@ fusiondirectory (Abhijith PA) glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) -- -golang-yaml.v2 (Roberto C. Sánchez) - NOTE: 20230125: Added by Front-Desk (gladk) - NOTE: 20230525: In review with utkarsh. --- grpc NOTE: 20230614: Added by Front-Desk (opal) NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2aa483061113fd74f45298401642109cd35b4f81
[Git][security-tracker-team/security-tracker][master] LTS: CVE-2021-4235/golang-yaml.v2 will be fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d3257ff8 by Roberto C. Sánchez at 2023-07-05T14:52:58-04:00
LTS: CVE-2021-4235/golang-yaml.v2 will be fixed
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -69485,7 +69485,6 @@ CVE-2021-4236 (Web Sockets do not execute any AuthenticateMethod methods which m NOT-FOR-US: ecnepsnai/web CVE-2021-4235 (Due to unbounded alias chasing, a maliciously crafted YAML file can ca ...) - golang-yaml.v2 2.2.8-1 - [buster] - golang-yaml.v2 (Limited support, minor issue, DoS) NOTE: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 (v2.2.3) NOTE: https://github.com/go-yaml/yaml/pull/375 NOTE: https://pkg.go.dev/vuln/GO-2021-0061
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3257ff86a47f193bbdf7224f89487bec036f58c
[Git][security-tracker-team/security-tracker][master] LTS: take over golang-yaml.v2 and qt4-x11
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eb2475ef by Roberto C. Sánchez at 2023-07-05T13:16:02-04:00
LTS: take over golang-yaml.v2 and qt4-x11
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -74,7 +74,7 @@ fusiondirectory (Abhijith PA) glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) -- -golang-yaml.v2 (sgmoore) +golang-yaml.v2 (Roberto C. Sánchez) NOTE: 20230125: Added by Front-Desk (gladk) NOTE: 20230525: In review with utkarsh. -- @@ -184,7 +184,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -qt4-x11 (sgmoore) +qt4-x11 (Roberto C. Sánchez) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb2475ef3e46af8022bc8d417eae65ecfbccc5e5
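Review bot: both hunks replace `(sgmoore)` with the new claimant but append no dated NOTE; the golang-yaml.v2 takeover is closed out the same day by DLA-3479-1, but the qt4-x11 entry's newest note stays 20230615 and the inactivity sweep removes the claim again on 2023-08-01 (4bcb8a1f), so a takeover should carry a NOTE with the date and the reason for the hand-over.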
[Git][security-tracker-team/security-tracker][master] LTS: drop python-oslo.privsep, only open is marked 'unimportant'
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05d31bc6 by Roberto C. Sánchez at 2023-07-04T15:32:12-04:00
LTS: drop python-oslo.privsep, only open is marked unimportant
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -175,11 +175,6 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -python-oslo.privsep - NOTE: 20221231: Added by Front-Desk (ola) - NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity. - NOTE: 20230525: It was mentioned the fix was easy but tedious. It is consumer design flaw issue. (sgmoore) --- qt4-x11 NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05d31bc6210fae329e16df6baa5f942cfc5d8623
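Review bot: the commit message says the only open issue is marked "unimportant", while the removed notes say CVE-2022-38065 `has been marked as Won't-fix/Hardening opportunity`; these are different tracker states, and because this hunk deletes the only written rationale (fix easy but tedious, consumer design flaw), the data/CVE/list entry for CVE-2022-38065 should carry that reasoning in a NOTE before the dla-needed block disappears.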
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0285f0d7 by Roberto C. Sánchez at 2023-07-03T12:33:58-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@debian.org
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -115,7 +115,7 @@ libapache2-mod-auth-openidc (gladk) libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) -- -libusrsctp (rouca) +libusrsctp NOTE: 20230612: Added by Front-Desk (opal) NOTE: 20230618: May need a backport see https://lists.debian.org/debian-lts/2023/06/msg00050.html (rouca) NOTE: 20230618: Waiting for comments @@ -180,7 +180,7 @@ python-oslo.privsep NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity. NOTE: 20230525: It was mentioned the fix was easy but tedious. It is consumer design flaw issue. (sgmoore) -- -qt4-x11 (sgmoore) +qt4-x11 NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0285f0d730f5c6a75497e392cde2de3ea21ba4c2
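Review bot: the libusrsctp hunk drops the claimant while the entry's last line is `NOTE: 20230618: Waiting for comments` on the list thread the claimant opened about a possible backport; unclaiming here leaves an open question with no owner, so the front desk should answer that thread (or record in a NOTE that the backport is acceptable) rather than only removing the name.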
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c6287148 by Roberto C. Sánchez at 2023-06-26T19:51:05-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@debian.org
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -38,7 +38,7 @@ debian-archive-keyring (jspricke) NOTE: 20230619: Add bookworm keys as in #1033157; see DLA-2948-1 for a similar update NOTE: 20230619: See also https://lists.debian.org/debian-lts/2021/08/msg00037.html for context (Beuc/front-desk) -- -docker-registry (rouca) +docker-registry NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230608: Waiting for review (rouca) -- @@ -54,7 +54,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -erlang (Markus Koschany) +erlang NOTE: 20221119: Added by Front-Desk (ta) NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) -- @@ -62,7 +62,7 @@ flatpak NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -fusiondirectory (Abhijith PA) +fusiondirectory NOTE: 20221203: Added by Front-Desk (gladk) NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk). @@ -73,7 +73,7 @@ fusiondirectory (Abhijith PA) glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) -- -golang-yaml.v2 (sgmoore) +golang-yaml.v2 NOTE: 20230125: Added by Front-Desk (gladk) NOTE: 20230525: In review with utkarsh. --
@@ -105,7 +105,7 @@ libapache2-mod-auth-openidc (gladk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- -libreoffice (Abhijith PA) +libreoffice NOTE: 20230530: Added by Front-Desk (pochu) -- libusrsctp (rouca) @@ -128,21 +128,21 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- -nvidia-cuda-toolkit (tobi) +nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have NOTE: 20230514: piled up. (utkarsh) -- -openimageio (gladk) +openimageio NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. -- -openjdk-11 (Emilio) +openjdk-11 NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) -- -php-cas (tobi) +php-cas NOTE: 20221105: Added by Front-Desk (ola) NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports), @@ -223,7 +223,7 @@ salt NOTE: 20220814: I am not sure, whether it is possible to fix issues NOTE: 20220814: without backporting a newer verion. (Anton) -- -samba (Lee Garrett) +samba NOTE: 20220904: Added by Front-Desk (apo) NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee) 
@@ -249,7 +249,7 @@ trafficserver (Adrian Bunk) NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low prio due to the few number of users. -- -webkit2gtk (Emilio) +webkit2gtk NOTE: 20230512: Re-added (pochu) NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) NOTE: 20230529: made some progress on the backport, but there are still some blockers,
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6287148b6665880ede66401c40d18a2d24e7a13
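Review bot: the nvidia-cuda-toolkit hunk removes tobi as claimant, yet the 2023-07-17 and 2023-08-14 sweeps still show his `NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list` unanswered; this entry needs a front-desk decision on that recommendation, not another round of claim and unclaim.

Review bot: the php-cas hunk removes a claimant from an entry whose notes have said since 20221105 that the fix is not backwards compatible and the issue may need to be ignored, with only two reverse dependencies in buster; an entry that is waiting on a policy decision should be settled as postponed or ignored in data/CVE/list rather than cycled through the inactivity script.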
[Git][security-tracker-team/security-tracker][master] LTS: Mark CVE-2019-8457/{db5.3,sqlite3} as ignored
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fd91ffaa by Roberto C. Sánchez at 2023-06-03T09:44:52-04:00
LTS: Mark CVE-2019-8457/{db5.3,sqlite3} as ignored
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -298717,11 +298717,11 @@ CVE-2019-8458 (Check Point Endpoint Security Client for Windows, with Anti-Malwa CVE-2019-8457 (SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-o ...) - db5.3 5.3.28+dfsg1-0.9 (bug #1010974) [bullseye] - db5.3 (Minor issue) - [buster] - db5.3 (Minor issue) - [stretch] - db5.3 (Minor issue) + [buster] - db5.3 (vulnerable code is present but unused in Debian, and fix is too risky to backport) + [stretch] - db5.3 (vulnerable code is present but unused in Debian, and fix is too risky to backport) - sqlite3 3.27.2-3 (bug #929775) - [stretch] - sqlite3 (Minor issue; can be fixed via point release) - [jessie] - sqlite3 (Minor issue) + [stretch] - sqlite3 (vulnerable code is present but unused in Debian, and fix is too risky to backport) + [jessie] - sqlite3 (vulnerable code is present but unused in Debian, and fix is too risky to backport) - sqlite (rtree extension not present in v2) NOTE: Fixed by: https://www.sqlite.org/src/info/90acdbfce9c08858 NOTE: Make the internal dynamic string interface available to extensions:
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd91ffaa5d850d1ec5fecd0fb75ed4d28ba468f0
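Review bot: in the CVE-2019-8457 hunk the four rewritten tags repeat the same rationale (`vulnerable code is present but unused in Debian, and fix is too risky to backport`) while the bullseye db5.3 line keeps `(Minor issue)`; if the vulnerable code is unused in Debian's db5.3 build the same argument applies to bullseye, so either align that line or say why it differs, and put the evidence for "unused" (which build option or shipped source leaves it out) in a NOTE so the next triager does not have to re-derive it.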
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5e0d39da by Roberto C. Sánchez at 2023-05-29T16:09:05-04:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Roberto C. Sánchez robe...@debian.org
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -35,7 +35,7 @@ docker.io NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git NOTE: 20230424: Is in preparation. (gladk) -- -erlang (Markus Koschany) +erlang NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang @@ -50,7 +50,7 @@ fusiondirectory (Abhijith PA) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith) -- -golang-go.crypto (Markus Koschany) +golang-go.crypto NOTE: 20220915: Programming language: Go. NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk) NOTE: 20220915: Special attention: limited support, cf. buster release notes
@@ -131,7 +131,7 @@ openjdk-11 (Emilio) NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git NOTE: 20230522: waiting for sid/bullseye update (pochu) -- -owslib (Adrian Bunk) +owslib NOTE: 20230514: Programming language: Python. NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/owslib.git NOTE: 20230514: also in dsa-needed. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e0d39dacc8d06872ee70c9cc8b88829409ed454 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e0d39dacc8d06872ee70c9cc8b88829409ed454 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
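Review bot: each of the three hunks (erlang, golang-go.crypto, owslib) drops the claimant's name without leaving a dated NOTE that the claim was released, so the entry's own history no longer shows that anyone held it between the claim and this unclaim; the file header quoted in commit 52544f46 asks contributors to append notes rather than remove or replace existing ones. Suggest the unclaim script add a line such as "NOTE: 20230529: unclaimed after 2 weeks of inactivity (was: Markus Koschany)". For owslib the last note says it is "also in dsa-needed", so whoever picks it up next has to coordinate with the security team; that pointer survives the unclaim, which is good.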
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0664c38f by Roberto C. Sánchez at 2023-05-22T09:52:17-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,7 +30,7 @@ erlang (Markus Koschany) NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. Mail send to mailing list. -- -fusiondirectory (Abhijith PA) +fusiondirectory NOTE: 20221203: Programming language: PHP. NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk). @@ -115,12 +115,12 @@ nvidia-cuda-toolkit NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have NOTE: 20230514: piled up. (utkarsh) -- -openimageio (gladk) +openimageio NOTE: 20230406: Programming language: C. NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git NOTE: 20230508: WIP -- -openjdk-11 (Emilio) +openjdk-11 NOTE: 20230419: Programming language: Java. NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git NOTE: 20230508: waiting for sid/bullseye update (pochu) 
@@ -210,7 +210,7 @@ samba NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee) -- -sssd (gladk) +sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git NOTE: 20230508: WIP View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0664c38fafcc52104e01bfb8a77154f46ea0837f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0664c38fafcc52104e01bfb8a77154f46ea0837f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
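Review bot: the openjdk-11 hunk unclaims an entry whose latest note, "20230508: waiting for sid/bullseye update (pochu)", records that the work is blocked on an upload outside the LTS team, and the openimageio and sssd hunks unclaim entries whose latest note is a bare "20230508: WIP" with no author; an inactivity timer treats both states the same as abandonment. Suggest that blocked entries get a marker the script respects, and that WIP notes carry the claimant's handle, since after the unclaim nothing in the entry says whose WIP it was.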
[Git][security-tracker-team/security-tracker][master] LTS: VCS link for cairosvg in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: c83b117a by Roberto C. Sánchez at 2023-05-19T11:03:00-04:00 LTS: VCS link for cairosvg in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -16,6 +16,7 @@ rather than remove/replace existing ones. cairosvg NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) + NOTE: 20230519: VCS: https://salsa.debian.org/lts-team/packages/cairosvg.git -- cups-filters (Thorsten Alteholz) NOTE: 20230517: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c83b117a3d8f2ec06fe0c2f7ac84b59d335c0ae7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c83b117a3d8f2ec06fe0c2f7ac84b59d335c0ae7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e8d2689b by Roberto C. Sánchez at 2023-05-15T09:46:51-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ docker.io NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git NOTE: 20230424: Is in preparation. -- -epiphany-browser (Adrian Bunk) +epiphany-browser NOTE: 20230423: Programming language: C. -- erlang (Markus Koschany) @@ -190,7 +190,7 @@ ruby-loofah NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby) NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert) -- -ruby-rails-html-sanitizer (Utkarsh) +ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8d2689bc2b50ab794ddd37fbeae427a6052853d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8d2689bc2b50ab794ddd37fbeae427a6052853d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
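Review bot: the ruby-rails-html-sanitizer hunk unclaims an entry whose last note says it "cannot be fixed unless ruby-loofah is fixed", while the ruby-loofah context lines directly above it say everything there is ready and "just waiting for ruby-rails-html-sanitizer/utkarsh"; each package is recorded as waiting on the other, and the unclaim removes the one name the loofah side was waiting for. Suggest a dated NOTE on both entries stating which upload goes first so the next claimant does not inherit the deadlock. The epiphany-browser hunk is a plain unclaim of an entry that only ever had the programming-language note.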
[Git][security-tracker-team/security-tracker][master] LTS: update NOTE to include date
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e406734a by Roberto C. Sánchez at 2023-05-15T09:43:21-04:00 LTS: update NOTE to include date - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -218,5 +218,5 @@ sssd (gladk) NOTE: 20230508: WIP -- webkit2gtk (Emilio) - NOTE: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) + NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e406734a3d47e1f4b8ab4e81dbe5f4aac7c38788 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e406734a3d47e1f4b8ab4e81dbe5f4aac7c38788 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 52544f46 by Roberto C. Sánchez at 2023-05-08T11:09:39-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -cairosvg (dleidert) +cairosvg NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) -- @@ -22,14 +22,14 @@ configobj (Chris Lamb) NOTE: 20230416: Special attention: Low priority but high popcon. NOTE: 20230502: No upstream-blessed patch yet. (lamby) -- -consul (Abhijith PA) +consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) NOTE: 20230422: Resume work. (abhijith) -- -docker.io (gladk) +docker.io NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52544f46e863de727ddcf186212c379ca3dea711 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52544f46e863de727ddcf186212c379ca3dea711 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
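Review bot: in the consul hunk the notes are out of date order ("20230423: WIP, Fixed CVE-2018-19653" precedes "20230422: Resume work"), and the most recent one is dated 20230423, fifteen days before this 20230508 run, so this unclaim sits right at the boundary of the 2-week rule; the commit message should state the cutoff the script uses (last note date, last commit touching the entry, or something else) so a claimant can tell in advance when a claim lapses. The cairosvg hunk's last visible note is 20230411, comfortably past the cutoff.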
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 3abc0b73 by Roberto C. Sánchez at 2023-04-24T21:04:46-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -96,7 +96,7 @@ jruby NOTE: 20230403: Special attention: Not in bullseye NOTE: 20230403: Lots of postponed issues that were fixed in other ruby* packages (Beuc/front-desk) -- -libapache2-mod-auth-openidc (Adrian Bunk) +libapache2-mod-auth-openidc NOTE: 20230404: Programming language: C. NOTE: 20230404: CVE-2019-20479 fixed in all other dists (including DLA-2298-1 for stretch) NOTE: 20230404: CVE-2021-39191 fixed in Debian 11.4 @@ -172,7 +172,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio (Markus Koschany) +openimageio NOTE: 20230406: Programming language: C. NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- 
@@ -250,7 +250,7 @@ ring (Thorsten Alteholz) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git NOTE: 20230423: move CVEs appeared -- -ruby-loofah (dleidert) +ruby-loofah NOTE: 20221231: Programming language: Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3abc0b739af856b1f205571ba5dbd562157d741e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3abc0b739af856b1f205571ba5dbd562157d741e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
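Review bot: the ruby-loofah hunk unclaims an entry whose last note, "20230313: Pinged Daniel re. patches in repo ^. (lamby)", says patches already exist in the VCS repository linked on the line above; after the unclaim nothing tells the next claimant whether those patches are complete, so a dated NOTE on their state would avoid redoing the work. The openimageio hunk shows the same entry that commit 0664c38f later unclaims again from a different person, so the package may need a note on why it keeps stalling rather than another round of the timer.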
[Git][security-tracker-team/security-tracker][master] LTS: dispatch FD for second half of 2023
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 6114a666 by Roberto C. Sánchez at 2023-04-17T12:01:06-04:00 LTS: dispatch FD for second half of 2023 - - - - - 1 changed file: - org/lts-frontdesk.2023.txt Changes: = org/lts-frontdesk.2023.txt = 
@@ -24,29 +24,29 @@ From 05-06 to 11-06:Markus Koschany From 12-06 to 18-06:Ola Lundqvist From 19-06 to 25-06:Sylvain Beucler From 26-06 to 02-07:Thorsten Alteholz -From 03-07 to 09-07: -From 10-07 to 16-07: -From 17-07 to 23-07: -From 24-07 to 30-07: -From 31-07 to 06-08: -From 07-08 to 13-08: -From 14-08 to 20-08: -From 21-08 to 27-08: -From 28-08 to 03-09: -From 04-09 to 10-09: -From 11-09 to 17-09: -From 18-09 to 24-09: -From 25-09 to 01-10: -From 02-10 to 08-10: -From 09-10 to 15-10: -From 16-10 to 22-10: -From 23-10 to 29-10: -From 30-10 to 05-11: -From 06-11 to 12-11: -From 13-11 to 19-11: -From 20-11 to 26-11: -From 27-11 to 03-12: -From 04-12 to 10-12: -From 11-12 to 17-12: -From 18-12 to 24-12: -From 25-12 to 31-12: +From 03-07 to 09-07:Anton Gladky +From 10-07 to 16-07:Chris Lamb +From 17-07 to 23-07:Emilio Pozuelo Monfort +From 24-07 to 30-07:Markus Koschany +From 31-07 to 06-08:Ola Lundqvist +From 07-08 to 13-08:Sylvain Beucler +From 14-08 to 20-08:Thorsten Alteholz +From 21-08 to 27-08:Utkarsh Gupta +From 28-08 to 03-09:Anton Gladky +From 04-09 to 10-09:Chris Lamb +From 11-09 to 17-09:Emilio Pozuelo Monfort +From 18-09 to 24-09:Markus Koschany +From 25-09 to 01-10:Ola Lundqvist +From 02-10 to 08-10:Sylvain Beucler +From 09-10 to 15-10:Thorsten Alteholz +From 16-10 to 22-10:Utkarsh Gupta +From 23-10 to 29-10:Anton Gladky +From 30-10 to 05-11:Chris Lamb +From 06-11 to 12-11:Emilio Pozuelo Monfort +From 13-11 to 19-11:Markus Koschany +From 20-11 to 26-11:Ola Lundqvist +From 27-11 to 03-12:Sylvain Beucler +From 04-12 to 10-12:Thorsten Alteholz +From 11-12 to 17-12:Utkarsh Gupta +From 18-12 to 24-12:Anton Gladky +From 25-12 to 31-12:Chris Lamb \ No newline at end of file View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6114a666d83eb56e75358394625139a029cdc4c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6114a666d83eb56e75358394625139a029cdc4c4 You're receiving this 
email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
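Review bot: the new side of the hunk ends with "\ No newline at end of file" after "From 25-12 to 31-12:Chris Lamb", so the next edit to org/lts-frontdesk.2023.txt will show a spurious change on that line; add the trailing newline. Also, the preceding context lines run Markus Koschany, Ola Lundqvist, Sylvain Beucler, Thorsten Alteholz for June, and within the new schedule Thorsten Alteholz is always followed by Utkarsh Gupta, yet the first new week (03-07) goes to Anton Gladky; if that is intentional (Utkarsh joining the rota only now), a line in the commit message would save the next reader from wondering whether a week was skipped.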
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f5471ef6 by Roberto C. Sánchez at 2023-04-17T11:46:33-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,7 +20,7 @@ rather than remove/replace existing ones. NOTE: 20230327: test new CI NOTE: 20230410: WIP -- -apache2 (rouca) +apache2 NOTE: 20230312: Programming language: C. NOTE: 20230312: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. @@ -49,7 +49,7 @@ configobj (Chris Lamb) NOTE: 20230416: Special attention: Low priority but high popcon. NOTE: 20230417: No upstream-blessed patch yet. (lamby) -- -consul (Abhijith PA) +consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5471ef642e7b192bba0a05cbe0308b8f45e245e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5471ef642e7b192bba0a05cbe0308b8f45e245e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
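Review bot: the apache2 hunk unclaims an entry flagged "Special attention: Double check an update! Package is used by many customers and users!." with no note on whether any preparation happened during the claim, and a high-popcon package is exactly where the next person needs that context; suggest a dated NOTE recording the state at unclaim. The consul hunk is the first of two unclaims of that entry visible in this list (52544f46 unclaims it again on 20230508 after Abhijith PA resumed work on 20230422), so the 2-week timer is cycling rather than moving the package forward.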
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3316-1 for postgresql-11
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e5583053 by Roberto C. Sánchez at 2023-02-10T08:29:02-05:00 Reserve DLA-3316-1 for postgresql-11 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Feb 2023] DLA-3316-1 postgresql-11 - security update + {CVE-2022-41862} + [buster] - postgresql-11 11.19-0+deb10u1 [10 Feb 2023] DLA-3315-1 sox - security update {CVE-2019-13590 CVE-2021-3643 CVE-2021-23159 CVE-2021-23172 CVE-2021-23210 CVE-2021-33844 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651} [buster] - sox 14.4.2+git20190427-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e55830534d2280e2862ab255f32f818e6ed4796f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e55830534d2280e2862ab255f32f818e6ed4796f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3288-1 for curl
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 317c1f24 by Roberto C. Sánchez at 2023-01-28T16:07:54-05:00 Reserve DLA-3288-1 for curl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Jan 2023] DLA-3288-1 curl - security update + {CVE-2022-27774 CVE-2022-32221 CVE-2022-35252 CVE-2022-43552} + [buster] - curl 7.64.0-4+deb10u4 [28 Jan 2023] DLA-3287-1 lemonldap-ng - security update {CVE-2020-16093 CVE-2022-37186} [buster] - lemonldap-ng 2.0.2+ds-7+deb10u8 = data/dla-needed.txt = 
@@ -44,15 +44,6 @@ consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. -- -curl (Roberto C. Sánchez) - NOTE: 20220901: Programming language: C. - NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git - NOTE: 20220904: Special attention: high popcon!. - NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html - NOTE: 20230103: Sorted out issue with broken CVE fix in stable, working with secteam to land the fix (roberto) - NOTE: 20230103: Packages ready for bullseye and buster, syncing ELTS releases (roberto) - NOTE: 20230126: Builds for all releases are ready, working on final coordination (roberto) --- dojo (guilhem) NOTE: 20230105: Programming language: JavaScript. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317c1f24f651b23e936a3793b7b8f45db8e05377 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317c1f24f651b23e936a3793b7b8f45db8e05377 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
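Review bot: the second hunk deletes the whole curl entry from dla-needed.txt, including "20230103: Sorted out issue with broken CVE fix in stable, working with secteam to land the fix (roberto)", and that is the only place in the tracker where the broken-fix episode is recorded; the DLA-3288-1 entry added in the first hunk lists the four CVEs but carries no NOTE. Suggest carrying that pointer (which CVE's stable fix was broken and how it was resolved) into the relevant data/CVE/list entry before the dla-needed notes disappear. Removing the entry itself is right once the DLA is reserved.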
[Git][security-tracker-team/security-tracker][master] LTS: remove postponed tag from CVE-2022-27774, which has been fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bd5c236 by Roberto C. Sánchez at 2023-01-28T15:58:03-05:00 LTS: remove postponed tag from CVE-2022-27774, which has been fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -68282,7 +68282,6 @@ CVE-2022-27775 (An information disclosure vulnerability exists in curl 7.65.0 to CVE-2022-27774 (An insufficiently protected credentials vulnerability exists in curl 4 ...) {DSA-5197-1} - curl 7.83.0-1 (bug #1010254) - [buster] - curl (Needs further investigation) NOTE: https://curl.se/docs/CVE-2022-27774.html NOTE: Fixed by: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 (curl-7_83_0) NOTE: Followup: https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 (curl-7_83_0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bd5c236bc2d3adc62084835552e9d3fa2ae9c28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bd5c236bc2d3adc62084835552e9d3fa2ae9c28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
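Review bot: removing the "[buster] - curl ... (Needs further investigation)" line means buster is now judged only against the unstable fixed version 7.83.0-1, and at this commit (15:58) no DLA entry for buster exists yet; DLA-3288-1 with curl 7.64.0-4+deb10u4 is reserved nine minutes later in commit 317c1f24. In that window the tracker shows buster as plainly vulnerable rather than postponed; doing the tag removal in the same commit as the DLA reservation avoids it.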
[Git][security-tracker-team/security-tracker][master] LTS: reclaim curl and imagemagick; update notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a8d3ae6 by Roberto C. Sánchez at 2023-01-26T08:14:13-05:00 LTS: reclaim curl and imagemagick; update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,13 +44,14 @@ consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. -- -curl +curl (Roberto C. Sánchez) NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html NOTE: 20230103: Sorted out issue with broken CVE fix in stable, working with secteam to land the fix (roberto) NOTE: 20230103: Packages ready for bullseye and buster, syncing ELTS releases (roberto) + NOTE: 20230126: Builds for all releases are ready, working on final coordination (roberto) -- dojo NOTE: 20230105: Programming language: JavaScript. @@ -110,7 +111,7 @@ golang-yaml.v2 graphite-web NOTE: 20221229: Programming language: Python. -- -imagemagick +imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a8d3ae6cc8e910c1d86d3d3102b426f55066fc7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a8d3ae6cc8e910c1d86d3d3102b426f55066fc7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
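Review bot: the imagemagick hunk re-adds the claim without a dated NOTE, so the only status visible in the entry's context is from 20220904, whereas the curl hunk pairs its reclaim with a 20230126 progress line; a claimant re-taking a package after the inactivity script removed the name should leave a line saying what remains. Both reclaims are of entries whose most recent notes are signed (roberto), so it is worth checking whether the unclaim script keys on the claim line alone and ignores recent signed notes from the claimant.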
[Git][security-tracker-team/security-tracker][master] LTS: reclaim curl, update notes in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ec26a836 by Roberto C. Sánchez at 2023-01-03T10:55:51-05:00 LTS: reclaim curl, update notes in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,11 +37,13 @@ consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. -- -curl +curl (Roberto C. Sánchez) NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html + NOTE: 20230103: Sorted out issue with broken CVE fix in stable, working with secteam to land the fix (roberto) + NOTE: 20230103: Packages ready for bullseye and buster, syncing ELTS releases (roberto) -- erlang NOTE: 20221119: Programming language: Erlang. @@ -88,7 +90,7 @@ golang-websocket graphite-web NOTE: 20221229: Programming language: Python. -- -imagemagick +imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec26a836a68e837b4b489ea9ec144854e9384bca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec26a836a68e837b4b489ea9ec144854e9384bca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
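Review bot: the new curl note "Sorted out issue with broken CVE fix in stable" does not name the CVE or the stable version concerned, so anyone reading the entry later has to search the list archives to find out which fix was broken; add the CVE id to the note. The imagemagick hunk reclaims the entry without a new status line, leaving 20220904 as the last visible date in its context.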
[Git][security-tracker-team/security-tracker][master] LTS: reclaim imagemagick and update notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: c2f6e6cc by Roberto C. Sánchez at 2022-12-12T17:00:20-05:00 LTS: reclaim imagemagick and update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,10 +87,11 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -imagemagick +imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) + NOTE: 20221212: Integrated patches for 31 CVEs so far and continuing to work. (roberto) -- kopanocore NOTE: 20220801: Programming language: C++. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2f6e6cc17589e192a8ce1851d83643641db11b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2f6e6cc17589e192a8ce1851d83643641db11b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
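Review bot: "Integrated patches for 31 CVEs so far" gives a count but no way to see which 31, so the next person cannot tell which of the open imagemagick CVEs for buster are already handled; suggest the note point at the branch or changelog in https://salsa.debian.org/lts-team/packages/imagemagick.git where the per-CVE patches are listed, or that the handled CVE ids be annotated in data/CVE/list as work progresses.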
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2021-4219 as not-affected for buster, add notes on introducing upstream commits
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a853b8d by Roberto C. Sánchez at 2022-11-30T17:53:05-05:00 LTS: mark CVE-2021-4219 as not-affected for buster, add notes on introducing upstream commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61043,8 +61043,9 @@ CVE-2021-4220 CVE-2021-4219 (A flaw was found in ImageMagick. The vulnerability occurs due to impro ...) - imagemagick (bug #1013282) [bullseye] - imagemagick (Minor issue) - [buster] - imagemagick (Minor issue) + [buster] - imagemagick (Vulnerable code introduced later) [stretch] - imagemagick (Minor issue, DoS) + NOTE: introduced by https://github.com/ImageMagick/ImageMagick6/commit/b51ead044753d771646fe1dfd6fb1db0b562a5f0 NOTE: https://github.com/ImageMagick/ImageMagick/issues/4626 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d7f1b2b9b816baaa956381ff80c3b120e83faa95 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/c10351c16b8d2cabd11d2627a02de522570f6ceb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a853b8d59f3084ad130bf649944e9607b249ebf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a853b8d59f3084ad130bf649944e9607b249ebf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
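Review bot: the hunk changes buster to "Vulnerable code introduced later" while the next line keeps "[stretch] - imagemagick (Minor issue, DoS)"; stretch ships an older imagemagick than buster, so if the introducing commit b51ead044753d771646fe1dfd6fb1db0b562a5f0 postdates buster's version it also postdates stretch's, and stretch should get the same not-affected reasoning, or the note should say why the code is present there. The "introduced by" NOTE is a useful addition and placing it before the issue link matches the CVE-2020-10251 entry.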
[Git][security-tracker-team/security-tracker][master] Add closing commit for CVE-2021-4219/imagemagick
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e77db619 by Roberto C. Sánchez at 2022-11-30T07:44:10-05:00 Add closing commit for CVE-2021-4219/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -60962,6 +60962,7 @@ CVE-2021-4219 (A flaw was found in ImageMagick. The vulnerability occurs due to [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue, DoS) NOTE: https://github.com/ImageMagick/ImageMagick/issues/4626 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/d7f1b2b9b816baaa956381ff80c3b120e83faa95 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/c10351c16b8d2cabd11d2627a02de522570f6ceb CVE-2022-25212 (A cross-site request forgery (CSRF) vulnerability in Jenkins SWAMP Plu ...) NOT-FOR-US: Jenkins plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e77db6194ab9c97d970bd7c8b9dde074912da861 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e77db6194ab9c97d970bd7c8b9dde074912da861 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
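Review bot: the added NOTE gives the ImageMagick commit d7f1b2b9b816baaa956381ff80c3b120e83faa95 without the "ImageMagick:" / "ImageMagick6:" prefix that the CVE-2020-27759 and CVE-2020-25666 entries use, and the line below it is the ImageMagick6 backport; prefix both so a reader can see which one applies to Debian's 6.x packages without opening the links.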
[Git][security-tracker-team/security-tracker][master] Additional fixing commits for CVE-2020-27759
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 58166046 by Roberto C. Sánchez at 2022-11-26T17:28:55-05:00 Additional fixing commits for CVE-2020-27759 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -154339,6 +154339,8 @@ CVE-2020-27759 (In IntensityCompare() of /MagickCore/quantize.c, a double value NOTE: https://github.com/ImageMagick/ImageMagick/issues/1720 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/d44f8a35558951a21367d306a42e5a097f3a43fe NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/460dea07066e2001bc4671fcd8d53233f0fc29b3 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/2000dd1a7da8098483b8937b53ff3b6ff3048c97 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/8c5cbc85c397fff55b859b50c4bc2ab7a79571da CVE-2020-27758 (A flaw was found in ImageMagick in coders/txt.c. An attacker who submi ...) {DLA-2602-1} - imagemagick 8:6.9.11.24+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/581660460a4cd037a6acf831d04141a6dfa5cb02 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/581660460a4cd037a6acf831d04141a6dfa5cb02 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
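Review bot: two more ImageMagick6 commits are added as fixes for CVE-2020-27759 beneath the earlier 460dea07066e2001bc4671fcd8d53233f0fc29b3, but nothing says whether 2000dd1a7da8098483b8937b53ff3b6ff3048c97 and 8c5cbc85c397fff55b859b50c4bc2ab7a79571da are already contained in the entry's fixed version (which sits above the context shown) or are follow-ups that a buster backport needs on top; without that, the entry reads as if the listed fix is incomplete. A "Followup:" prefix, as the curl entries use, would settle it.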
[Git][security-tracker-team/security-tracker][master] Additional fixing commit for CVE-2020-25666
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: beb676c6 by Roberto C. Sánchez at 2022-11-26T14:55:03-05:00 Additional fixing commit for CVE-2020-25666 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -159923,6 +159923,7 @@ CVE-2020-25666 (There are 4 places in HistogramCompare() in MagickCore/histogram NOTE: https://github.com/ImageMagick/ImageMagick/issues/1750 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/94691f00839dbdf43edb1508af945ab19b388573 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/91ae12c57f3b9b23f2072462c27a8378b59f395e + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/245d884e1868ff9b932adad5fcacf9e3e1eb4c7f CVE-2020-25665 (The PALM image coder at coders/palm.c makes an improper call to Acquir ...) {DLA-2523-1} - imagemagick 8:6.9.11.24+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/beb676c67f2520297419a7dea599cd70915f8aec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/beb676c67f2520297419a7dea599cd70915f8aec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
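Review bot: the added ImageMagick6 commit 245d884e1868ff9b932adad5fcacf9e3e1eb4c7f sits beneath 91ae12c57f3b9b23f2072462c27a8378b59f395e with nothing distinguishing a follow-up from a replacement, and since the CVE text counts "4 places in HistogramCompare()", saying which places each 6.x commit covers would let a backporter check completeness against the upstream ImageMagick commit.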
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-10251 as not-affected for buster, add notes on introducing upstream commits
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e21261cf by Roberto C. Sánchez at 2022-11-26T13:18:20-05:00 LTS: mark CVE-2020-10251 as not-affected for buster, add notes on introducing upstream commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -198175,9 +198175,12 @@ CVE-2020-10252 (An issue was discovered in ownCloud before 10.4. Because of an S - owncloud CVE-2020-10251 (In ImageMagick 7.0.9, an out-of-bounds read vulnerability exists withi ...) - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #953741) - [buster] - imagemagick (Minor issue) + [buster] - imagemagick (Vulnerable code introduced later with HEIC color profiles support) [stretch] - imagemagick (Vulnerable code introduced later with HEIC image format support) [jessie] - imagemagick (Vulnerable code introduced later with HEIC image format support) + NOTE: introduced by https://github.com/ImageMagick/ImageMagick6/commit/0a28a9416018661ecc52e908205c738ce5e17e40 + NOTE: introduced by https://github.com/ImageMagick/ImageMagick6/commit/8b5a3f92ef102d6f76a51fa20b408795952fc1b0 + NOTE: introduced by https://github.com/ImageMagick/ImageMagick6/commit/c6c591c3ec9b043593262a3f3b848355a4804758 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1859 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/868aad754ee599eb7153b84d610f2ecdf7b339f6 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/3456724dff047db5adb32f8cf70c903c1b7d16d4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e21261cf7472b3e58339630b676cd521f844f12b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e21261cf7472b3e58339630b676cd521f844f12b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
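Review bot: the three "introduced by" NOTE lines are unlabelled, so it is not visible which of the 0a28a941, 8b5a3f92 and c6c591c3 commits backs the buster annotation ("HEIC color profiles support") and which back the stretch/jessie annotations ("HEIC image format support"); since the buster line changes from "Minor issue" to "not affected" on the strength of these commits, suggest tagging each NOTE with the release and feature it justifies, e.g. "NOTE: introduced by (buster, HEIC color profiles): https://github.com/ImageMagick/ImageMagick6/commit/...", so the not-affected claim can be re-checked without re-doing the bisection.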
[Git][security-tracker-team/security-tracker][master] LTS: claim imagemagick in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e771cd3e by Roberto C. Sánchez at 2022-11-26T12:16:20-05:00 LTS: claim imagemagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,7 +87,7 @@ hsqldb NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html. -- -imagemagick +imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e771cd3e489f111a781c0b074d591134ec3795e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e771cd3e489f111a781c0b074d591134ec3795e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim curl in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 92825cd5 by Roberto C. Sánchez at 2022-11-23T21:45:46-05:00 LTS: claim curl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. -- -curl +curl (Roberto C. Sánchez) NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92825cd50cd6241b0aec3bd93ba6443e1cb5896e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92825cd50cd6241b0aec3bd93ba6443e1cb5896e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: unclaim exiv2
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 45eeacad by Roberto C. Sánchez at 2022-09-22T09:09:24-04:00 LTS: unclaim exiv2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,7 +32,7 @@ dovecot NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 other postponed CVEs (Beuc/front-desk) -- -exiv2 (Roberto C. Sánchez) +exiv2 NOTE: 20220819: Programming language: C++. NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45eeacad1b55cbaba3699528695e3c6b36db1f9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45eeacad1b55cbaba3699528695e3c6b36db1f9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
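Review bot: the unclaim in this hunk leaves no dated NOTE recording how far the exiv2 analysis got, so the next claimant starts again from Chris Lamb's 20220819 "very quick glance" remark; suggest adding a status line before dropping the name, e.g. "NOTE: 20220922: Unclaimed; <status of analysis> (roberto)" (placeholder for the actual status).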
[Git][security-tracker-team/security-tracker][master] LTS: reclaim exiv2 in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 441f90d9 by Roberto C. Sánchez at 2022-09-15T09:57:23-04:00 LTS: reclaim exiv2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,7 +35,7 @@ dovecot NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 other postponed CVEs (Beuc/front-desk) -- -exiv2 +exiv2 (Roberto C. Sánchez) NOTE: 20220819: Programming language: C++. NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/441f90d999c7b3b38c3642c077f1ad77ade8defe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/441f90d999c7b3b38c3642c077f1ad77ade8defe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: drop apache2 from dla-needed.txt, as it was just released in the buster point release today
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c1a30ab by Roberto C. Sánchez at 2022-09-10T19:12:51-04:00 LTS: drop apache2 from dla-needed.txt, as it was just released in the buster point release today - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -16,13 +16,6 @@ NOTE: IMPORTANT: during 2022-08, make sure you do NOT conflict with a NOTE: IMPORTANT: prepared upload for buster's last point release, see: NOTE: IMPORTANT: https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian@packages.debian.org;tag=pu --- -apache2 - NOTE: 20220811: Programming language: C. - NOTE: 20220811: VCS: https://salsa.debian.org/lts-team/packages/apache2.git - NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 requesting SRM approval for upload to final buster point release (roberto) - NOTE: 20220723: Received upload approval from SRM and uploaded to buster (roberto) - NOTE: 20220809: Package is in oldstable-proposed-updates and will be in final buster point release (roberto) -- asterisk (Markus Koschany) NOTE: 20220810: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c1a30abb4a7210a520f0adc6acce54b3f1b2046 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c1a30abb4a7210a520f0adc6acce54b3f1b2046 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take exiv2 in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: fb9544ae by Roberto C. Sánchez at 2022-08-22T11:08:43-04:00 LTS: take exiv2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ curl (Markus Koschany) exim4 NOTE: 20220820: Programming language: C. -- -exiv2 +exiv2 (Roberto C. Sánchez) NOTE: 20220819: Programming language: C++. NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb9544ae786824b3f21a0a4fe9a6e1441cf19973 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb9544ae786824b3f21a0a4fe9a6e1441cf19973 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update notes on apache2
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b38106f7 by Roberto C. Sánchez at 2022-08-09T17:02:58-04:00 LTS: update notes on apache2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,6 +20,7 @@ NOTE: IMPORTANT: https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.deb apache2 (Roberto C. Sánchez) NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 requesting SRM approval for upload to final buster point release (roberto) NOTE: 20220723: Received upload approval from SRM and uploaded to buster (roberto) + NOTE: 20220809: Package is in oldstable-proposed-updates and will be in final buster point release (roberto) -- curl (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b38106f75730d2f03c2d27857ff5c3b06e5e4880 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b38106f75730d2f03c2d27857ff5c3b06e5e4880 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update apache2 notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b04cf9e5 by Roberto C. Sánchez at 2022-07-23T16:00:10-04:00 LTS: update apache2 notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -19,6 +19,7 @@ NOTE: https://lists.debian.org/debian-lts/2022/07/msg00025.html -- apache2 (Roberto C. Sánchez) NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 requesting SRM approval for upload to final buster point release (roberto) + NOTE: 20220723: Received upload approval from SRM and uploaded to buster (roberto) -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b04cf9e58204fd3a52415cf71e0300ac03d68269 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b04cf9e58204fd3a52415cf71e0300ac03d68269 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update apache2 notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 57b760a2 by Roberto C. Sánchez at 2022-07-23T13:20:55-04:00 LTS: update apache2 notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,7 +17,8 @@ NOTE: only add packages planned for the next buster point release NOTE: https://lists.debian.org/debian-lts/2022/07/msg00025.html -- -apache2 (Roberto Sanchez) +apache2 (Roberto C. Sánchez) + NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 requesting SRM approval for upload to final buster point release (roberto) -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57b760a2f3d28ac76d1929048a55e615224154b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57b760a2f3d28ac76d1929048a55e615224154b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update postgresql-9.6 notes in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 74996229 by Roberto C. Sánchez at 2022-06-27T18:21:25-04:00 LTS: update postgresql-9.6 notes in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -218,7 +218,7 @@ pdns php-horde-turba NOTE: 20220603: Programming language: PHP. -- -postgresql-9.6 +postgresql-9.6 (Roberto C. Sánchez) NOTE: 20220529: Programming language: C. NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk) NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk) @@ -226,6 +226,7 @@ postgresql-9.6 NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html NOTE: 20220608: Prepared backport of upstream patches and requested upstream review (roberto) NOTE: 20220608: Upstream recommended waiting until a reported regression has been resolved (roberto) + NOTE: 20220627: Awaiting upstream resolution of regression in original fix (roberto) -- puppet-module-puppetlabs-firewall NOTE: 20220529: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74996229babe3094ef7fe8df3da03ddfe071b9be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74996229babe3094ef7fe8df3da03ddfe071b9be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
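Review bot: the first hunk re-adds "(Roberto C. Sánchez)" to the postgresql-9.6 header line, i.e. the package is being re-claimed, but the commit message only says "update postgresql-9.6 notes"; suggest the commit message state the re-claim, and a dated NOTE explain why the claim had lapsed between 20220608 and 20220627, so the dla-needed.txt history stays readable.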
[Git][security-tracker-team/security-tracker][master] update apache2 CVE notes with commit references
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: dee9682f by Roberto C. Sánchez at 2022-06-18T20:13:57-04:00 update apache2 CVE notes with commit references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5145,6 +5145,7 @@ CVE-2022-31813 (Apache HTTP Server 2.4.53 and earlier may not send the X-Forward [buster] - apache2 (Minor issue; can be fixed in point release) NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/8 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-31813 + NOTE: https://github.com/apache/httpd/commit/956f708b094698ac9ad570d640d4f30eb0df7305 CVE-2022-31812 RESERVED CVE-2022-31811 @@ -8821,6 +8822,7 @@ CVE-2022-30556 (Apache HTTP Server 2.4.53 and earlier may return lengths to appl [buster] - apache2 (Minor issue; can be fixed in point release) NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/7 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30556 + NOTE: https://github.com/apache/httpd/commit/3a561759fcb37af179585adb8478922dc9bc6a85 CVE-2022-30555 RESERVED CVE-2022-30554 @@ -9002,6 +9004,8 @@ CVE-2022-30522 (If Apache HTTP Server 2.4.53 is configured to do transformations [buster] - apache2 (Minor issue; can be fixed in point release) NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/6 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30522 + NOTE: https://github.com/apache/httpd/commit/db47781128e42bd49f55076665b3f6ca4e2bc5e2 + NOTE: https://github.com/apache/httpd/commit/96c75bba15b6ce20eb8d34aad717a046c000b233 CVE-2022-1642 (A program using swift-corelibs-foundation is vulnerable to a denial of ...) TODO: check CVE-2022-1641 
@@ -12302,6 +12306,7 @@ CVE-2022-29404 (In Apache HTTP Server 2.4.53 and earlier, a malicious request to - apache2 2.4.54-1 (bug #1012513) NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-29404 + NOTE: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc CVE-2022-1381 (global heap buffer overflow in skip_range in GitHub repository vim/vim ...) - vim 2:8.2.4793-1 [bullseye] - vim (Minor issue) @@ -14508,12 +14513,14 @@ CVE-2022-28615 (Apache HTTP Server 2.4.53 and earlier may crash or disclose info [buster] - apache2 (Minor issue; can be fixed in point release) NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/9 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28615 + NOTE: https://github.com/apache/httpd/commit/6503d09ab51047554c384a6d03646ce1a8848120 CVE-2022-28614 (The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may ...) - apache2 2.4.54-1 (bug #1012513) [bullseye] - apache2 (Minor issue; can be fixed in point release) [buster] - apache2 (Minor issue; can be fixed in point release) NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/4 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28614 + NOTE: https://github.com/apache/httpd/commit/8c14927162cf3b4f810683e1c5505e9ef9e1f123 CVE-2022-28613 (A vulnerability in the HCI Modbus TCP COMPONENT of Hitachi Energy RTU5 ...) NOT-FOR-US: HCI Modbus TCP COMPONENT of Hitachi Energy RTU500 series CMU Firmware CVE-2022-28610 
@@ -20998,6 +21005,7 @@ CVE-2022-26377 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smug [buster] - apache2 (Minor issue; can be fixed in point release) NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/2 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-26377 + NOTE: https://github.com/apache/httpd/commit/f7f15f3d8bfe3032926c8c39eb8434529f680bd4 CVE-2022-26073 (A denial of service vulnerability exists in the libxm_av.so DemuxCmdIn ...) NOT-FOR-US: Anker Eufy Homebase CVE-2022-25989 (An authentication bypass vulnerability exists in the libxm_av.so getpe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dee9682f1fe4d2de0ca88fa71c12788b9bd4a8be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dee9682f1fe4d2de0ca88fa71c12788b9bd4a8be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
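Review bot: none of the new NOTE lines, starting with the 956f708b commit for CVE-2022-31813, says which httpd branch the referenced commit is on; the affected range is "2.4.53 and earlier" and the buster target is a 2.4.x package, so stating whether each URL is the trunk commit or the 2.4.x backport would tell the LTS uploader which diff to start from.

Review bot: for CVE-2022-30522 two commits (db477811 and 96c75bba) are listed without saying whether both are required or the second is a follow-up; as the buster annotation says "can be fixed in point release", a one-word qualifier on the second NOTE line would make the complete fix set unambiguous for whoever prepares the point-release update.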
[Git][security-tracker-team/security-tracker][master] LTS: claim apache2 in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f57cdb9 by Roberto C. Sánchez at 2022-06-18T10:24:25-04:00 LTS: claim apache2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ rather than remove/replace existing ones. amd64-microcode NOTE: 20220529: Programming language: binary blob. -- -apache2 +apache2 (Roberto C. Sánchez) NOTE: 20220618: Programming language: C. -- blender (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f57cdb9c2ae0011a0b80420e51f5ee2da9d32d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f57cdb9c2ae0011a0b80420e51f5ee2da9d32d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update notes on postgresql-9.6
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 72905579 by Roberto C. Sánchez at 2022-06-08T21:09:33-04:00 LTS: update notes on postgresql-9.6 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -227,6 +227,8 @@ postgresql-9.6 (Roberto C. Sánchez) NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk) NOTE: 20220523: Christoph Berg won't handle this update (Beuc/front-desk) NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html + NOTE: 20220608: Prepared backport of upstream patches and requested upstream review (roberto) + NOTE: 20220608: Upstream recommended waiting until a reported regression has been resolved (roberto) -- puppet-module-puppetlabs-firewall NOTE: 20220529: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72905579bea208f14cd8a4fe6866b3150f02ebf1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72905579bea208f14cd8a4fe6866b3150f02ebf1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
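Review bot: the 20220608 NOTE "Upstream recommended waiting until a reported regression has been resolved" gives no link to the upstream review request or the regression report, so nobody else on the team can check whether the regression has since been resolved; suggest appending the URL of the upstream thread to that NOTE line.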
[Git][security-tracker-team/security-tracker][master] LTS: claim postgresql-9.6 in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 7199e5b2 by Roberto C. Sánchez at 2022-06-06T17:27:55-04:00 LTS: claim postgresql-9.6 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -228,7 +228,7 @@ plinth NOTE: 20220529: Programming language: Python. NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk) -- -postgresql-9.6 +postgresql-9.6 (Roberto C. Sánchez) NOTE: 20220529: Programming language: C. NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk) NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7199e5b287f43dced8caee7b0c8fd6a6710bf804 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7199e5b287f43dced8caee7b0c8fd6a6710bf804 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2021-28544/subversion as not-affected for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 503e2b2b by Roberto C. Sánchez at 2022-06-06T17:15:36-04:00 LTS: mark CVE-2021-28544/subversion as not-affected for stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -81144,6 +81144,7 @@ CVE-2021-28545 (Acrobat Reader DC versions versions 2020.013.20074 (and earlier) CVE-2021-28544 (Apache Subversion SVN authz protected copyfrom paths regression Subver ...) {DSA-5119-1} - subversion 1.14.2-1 + [stretch] - subversion (New upstream regression/unit test passes, so no leak in this version) NOTE: https://subversion.apache.org/security/CVE-2021-28544-advisory.txt CVE-2021-28543 (Varnish varnish-modules before 0.17.1 allows remote attackers to cause ...) - varnish-modules (Vulnerable code ot present; bug #985947) = data/dla-needed.txt = 
@@ -304,16 +304,6 @@ sox spip NOTE: 20220529: Programming language: PHP. -- -subversion (Roberto C. Sánchez) - NOTE: 20220529: Programming language: C. - NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment) - NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby) - NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico) - NOTE: 20220525: Based on the results of Enrico's analysis and some further work, I was able to have the test execute reliably (roberto) - NOTE: 20220525: The test passes, which seems to indicate that the vulnerability does not affect 1.9.5 (roberto) - NOTE: 20220525: I have asked Enrico to replicate my findings (roberto) - NOTE: 20220606: I replicated and confirm Roberto's findings (enrico) --- systemd NOTE: 20220529: Programming language: C. NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503e2b2b36a85c5635ce28123eb492c6f5fcfdaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503e2b2b36a85c5635ce28123eb492c6f5fcfdaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
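Review bot: the new stretch annotation in the data/CVE/list hunk ("New upstream regression/unit test passes, so no leak in this version") is the only surviving record of the analysis, because the same commit deletes the dla-needed.txt notes that documented it (Enrico's patch work on 20220501, the test made to run reliably on 20220525, the replication on 20220606); suggest the CVE/list NOTE name the test that was run or point at the debian-lts list thread so the not-affected claim stays auditable. While touching this region, the unchanged varnish-modules context line reads "Vulnerable code ot present" and could be corrected to "not present" in a follow-up.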