[Git][security-tracker-team/security-tracker][master] 2 commits: bin/check-new-issues: Encode some regexp strings with r''
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f61df406 by Salvatore Bonaccorso at 2024-06-29T16:54:41+02:00 bin/check-new-issues: Encode some regexp strings with r'' With python 3.12.y the DeprecationWarning is upgraded to a SyntaxWarning so these were now visible when running under current unstable with python 3.12. Signed-off-by: Salvatore Bonaccorso car...@debian.org - - - - - d60b018d by Emilio Pozuelo Monfort at 2024-07-02T09:00:53+00:00 Merge branch check-new-issues-syntaxwarning into master bin/check-new-issues: Encode some regexp strings with r'' See merge request security-tracker-team/security-tracker!184 - - - - - 1 changed file: - bin/check-new-issues Changes: = bin/check-new-issues = @@ -654,7 +654,7 @@ def present_issue(name): break print(f"back at {name} (you might want to type 'd')") continue -elif re.match("^h$", line): +elif re.match(r"^h$", line): print_commands() continue elif m := re.match(r"^!(.+)$", line): 
@@ -696,14 +696,14 @@ def present_issue(name): print("New entry set to:") print_cve(new_entry) break -elif m := re.match(f'^r\s+(.*)$', line): +elif m := re.match(r'^r\s+(.*)$', line): pkg = m.group(1).strip() _, tmpname = tempfile.mkstemp() subprocess.run(f"bin/report-vuln {pkg} {name} > {tmpname}", shell=True) subprocess.run(f"{editor} {tmpname}", shell=True) #os.unlink(tmpname) continue -elif m := re.match(f'^n\s+(.*)$', line): +elif m := re.match(r'^n\s+(.*)$', line): nfu = m.group(1).strip() set_cve_nfu(name, nfu) print("New entry set to:") View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/440f393b98476ba7cc50a4406c66255f866f3a17...d60b018dfd41e08c6b8c948b7357b84f6b7eaa39 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/440f393b98476ba7cc50a4406c66255f866f3a17...d60b018dfd41e08c6b8c948b7357b84f6b7eaa39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
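Review bot: In the `r` branch of the second hunk (bin/check-new-issues, around line 699), `pkg` comes straight from the typed line via `m.group(1).strip()` and is interpolated into `subprocess.run(f"bin/report-vuln {pkg} {name} > {tmpname}", shell=True)`, so any shell metacharacters in the input are interpreted by the shell. Since this branch is being touched anyway, consider passing an argument list with `stdout` pointed at the temporary file instead of `shell=True`. In the same context lines the descriptor returned by `tempfile.mkstemp()` is discarded without being closed and `os.unlink(tmpname)` is commented out, so each use leaves an open descriptor and a temporary file behind. The prefix change from `f'...'` to `r'...'` itself looks right: the old strings contained no placeholders.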
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3836-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: bee4d020 by Emilio Pozuelo Monfort at 2024-06-19T10:51:56+02:00 Reserve DLA-3836-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Jun 2024] DLA-3836-1 thunderbird - security update + {CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702} + [buster] - thunderbird 1:115.12.0-1~deb10u1 [17 Jun 2024] DLA-3835-1 roundcube - security update {CVE-2024-37383 CVE-2024-37384} [buster] - roundcube 1.3.17+dfsg.1-1~deb10u6 = data/dla-needed.txt = @@ -308,9 +308,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240614: Added by Front-Desk (lamby) --- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bee4d020a473b14b6349f35ac57251686adc11a1
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0093ef89 by Emilio Pozuelo Monfort at 2024-06-14T12:10:40+02:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -342,7 +342,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird +thunderbird (Emilio) NOTE: 20240614: Added by Front-Desk (lamby) -- tiff (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0093ef89e658f8a1453e6e71d1a3f737547d1413
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3825-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 5206549d by Emilio Pozuelo Monfort at 2024-06-13T13:07:42+02:00 Reserve DLA-3825-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Jun 2024] DLA-3825-1 firefox-esr - security update + {CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702} + [buster] - firefox-esr 115.12.0esr-1~deb10u1 [30 May 2024] DLA-3824-1 gst-plugins-base1.0 - security update {CVE-2024-4453} [buster] - gst-plugins-base1.0 1.14.4-2+deb10u3 = data/dla-needed.txt = @@ -100,9 +100,6 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20240612: Added by Front-Desk (lamby) --- firmware-nonfree NOTE: 20240502: Added by Front-Desk (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5206549d77a965ad42a54a3c002f30ff265988ee
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 996160a1 by Emilio Pozuelo Monfort at 2024-06-12T13:37:53+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,7 +99,7 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20240612: Added by Front-Desk (lamby) -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/996160a19c84ed0d933692c1d9179c7e7c9d2b5b
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-49090/ruby-carrierwave as postponed for buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d0e32cb8 by Emilio Pozuelo Monfort at 2024-06-02T20:39:45+02:00 Mark CVE-2023-49090/ruby-carrierwave as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50778,6 +50778,7 @@ CVE-2023-49091 (Cosmos provides users the ability self-host a home server by act CVE-2023-49090 (CarrierWave is a solution for file uploads for Rails, Sinatra and othe ...) - ruby-carrierwave (bug #1068150) [bookworm] - ruby-carrierwave (Minor issue) + [buster] - ruby-carrierwave (Minor issue) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5 (v2.2.5) NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3 (v3.0.5) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0e32cb8febb0a606a08a00ed93977189bba5a2b
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2024-29415/node-ip as postponed on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 34fd4dc9 by Emilio Pozuelo Monfort at 2024-05-31T09:18:00+02:00 Mark CVE-2024-29415/node-ip as postponed on buster - - - - - 22bd0d06 by Emilio Pozuelo Monfort at 2024-05-31T09:22:31+02:00 yyjson has been uploaded to Debian - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -980,6 +980,7 @@ CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF becaus - node-ip (bug #1072121) [bookworm] - node-ip (Minor issue) [bullseye] - node-ip (Minor issue) + [buster] - node-ip (Minor issue) NOTE: https://github.com/indutny/node-ip/issues/150 NOTE: https://github.com/indutny/node-ip/pull/144 NOTE: https://github.com/indutny/node-ip/pull/143 
@@ -35981,7 +35982,8 @@ CVE-2024-25714 (In Rhonabwy through 1.1.13, HMAC signature verification uses a s [bullseye] - rhonabwy (Minor issue) NOTE: https://github.com/babelouest/rhonabwy/commit/f9fd9a1c77e48b514ebb3baf0360f87eef3d846e CVE-2024-25713 (yyjson through 0.8.0 has a double free, leading to remote code executi ...) - - yyjson (bug #972804) + - yyjson (Fixed before initial upload to Debian) + NOTE: https://github.com/ibireme/yyjson/security/advisories/GHSA-q4m7-9pcm-fpxh CVE-2024-25712 (http-swagger before 1.2.6 allows XSS via PUT requests, because a file ...) NOT-FOR-US: http-swagger CVE-2024-23724 (Ghost through 5.76.0 allows stored XSS, and resultant privilege escala ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/755361b2674067ab3147e7f36d93ee7f24d93421...22bd0d06d14b7ce582d7c916896011e8df8e870a
[Git][security-tracker-team/security-tracker][master] Triage CVE-2024-22120/zabbix as n/a on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 23d47cfb by Emilio Pozuelo Monfort at 2024-05-30T10:40:44+02:00 Triage CVE-2024-22120/zabbix as n/a on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5643,6 +5643,7 @@ CVE-2024-22139 (Authentication Bypass by Spoofing vulnerability in Filipe Seabra NOT-FOR-US: WordPress plugin CVE-2024-22120 (Zabbix server can perform command execution for configured scripts. Af ...) - zabbix (bug #1072120) + [buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-24505 CVE-2024-21746 (Authentication Bypass by Spoofing vulnerability in Wpmet Wp Ultimate R ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23d47cfbbf8e84e60cc64133e652ecf98ed83e53
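Review bot: The added [buster] line for zabbix says the vulnerable code was introduced later, but nothing in the entry records which version or commit introduced it. A NOTE naming the introducing version or commit, or pointing at where ZBX-24505 states it, would let someone else recheck this triage without redoing the analysis.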
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-4741/openssl as postponed for buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: acf51f0e by Emilio Pozuelo Monfort at 2024-05-30T09:35:58+02:00 Mark CVE-2024-4741/openssl as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -355,6 +355,7 @@ CVE-2024-4741 [Use After Free with SSL_free_buffers] - openssl (bug #1072113) [bookworm] - openssl (Minor issue, fix along with next update round) [bullseye] - openssl (Minor issue, fix along with next update round) + [buster] - openssl (Minor issue, fix along with next update round) NOTE: https://www.openssl.org/news/secadv/20240528.txt NOTE: https://github.com/openssl/openssl/commit/c1bd38a003fa19fd0d8ade85e1bbc20d8ae59dab (master) NOTE: https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac (openssl-3.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acf51f0e797c61a77e50d46731c218991a6a5115
[Git][security-tracker-team/security-tracker][master] CVE-2024-34459/libxml2: restore unimportant tag
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: eb1f7431 by Emilio Pozuelo Monfort at 2024-05-28T13:42:46+02:00 CVE-2024-34459/libxml2: restore unimportant tag Dropped in commit bebdf42f. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7110,7 +7110,7 @@ CVE-2024-34697 (FreeScout is a free, self-hosted help desk and shared mailbox. A CVE-2024-34555 (Unrestricted Upload of File with Dangerous Type vulnerability in URBAN ...) NOT-FOR-US: WordPress plugin CVE-2024-34459 (An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2. ...) - - libxml2 2.12.7+dfsg-1 (bug #1071162) + - libxml2 2.12.7+dfsg-1 (unimportant; bug #1071162) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8ddc7f13337c9fe7c6b6e616f404b0fffb8a5145 (v2.11.8) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac5392a4e891b81e40e592c3ac6cb46016ce (v2.12.7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb1f7431f0cbf7ba43569198b9176c342ee72bcd
[Git][security-tracker-team/security-tracker][master] CVE-2024-26256/libarchive n/a on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a0d4e7fa by Emilio Pozuelo Monfort at 2024-05-28T13:19:35+02:00 CVE-2024-26256/libarchive n/a on buster Looks like bullseye is n/a as well. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18663,9 +18663,11 @@ CVE-2024-26257 (Microsoft Excel Remote Code Execution Vulnerability) NOT-FOR-US: Microsoft CVE-2024-26256 (libarchive Remote Code Execution Vulnerability) - libarchive + [buster] - libarchive (Vulnerable code introduced in 3.6.0) NOTE: https://github.com/advisories/GHSA-2jc9-36w4-pmqw NOTE: https://github.com/libarchive/libarchive/pull/2135 NOTE: https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237 (v3.7.4) + NOTE: Introduced by: https://github.com/libarchive/libarchive/commit/01a2d329dfc71741892e2b590cf9fb25092474a0 (v.3.6.0) CVE-2024-26255 (Windows Remote Access Connection Manager Information Disclosure Vulner ...) NOT-FOR-US: Microsoft CVE-2024-26254 (Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0d4e7fabdcab7505e258a1fee3f31716e14b38c
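Review bot: The commit message says bullseye looks not affected as well, but the hunk only adds a [buster] line under CVE-2024-26256; if that has been confirmed, add the matching [bullseye] entry so the triage is recorded for both releases. Minor style point on the added "Introduced by" note: the version is written (v.3.6.0) while the existing line above it uses (v3.7.4).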
[Git][security-tracker-team/security-tracker][master] 2 commits: tracker_service: use revision also for -1 links
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c8b8d96 by Emilio Pozuelo Monfort at 2024-05-28T13:08:14+02:00 tracker_service: use revision also for -1 links The debian.org pages now provide links for -1, so we don't need to special-case those. - - - - - e4eac9e5 by Emilio Pozuelo Monfort at 2024-05-28T13:08:14+02:00 tracker_service: don't parse the DSA name We don't need to, as we just use the full DSA name. - - - - - 1 changed file: - bin/tracker_service.py Changes: = bin/tracker_service.py = @@ -3,7 +3,6 @@ import email.utils import json import os.path -import re import sys import time 
@@ -1548,28 +1547,13 @@ Debian bug number.'''), def url_web_search_bug(self, url, name): return url.absolute("https://duckduckgo.com/html;, q='"%s"' % name) -def url_dsa(self, url, dsa, re_dsa=re.compile(r'^DSA-(\d+)(-\d+)?$')): -match = re_dsa.match(dsa) -if match: -(number,revision) = match.groups() -if revision == "-1": -link = "dsa-%d" % int(number) -else: -link = dsa.lower() -return url.absolute("https://www.debian.org/security/%s; % link) -return None - -def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(-\d+)?$')): -match = re_dla.match(dla) -if match: -(number,revision) = match.groups() -if revision == "-1": -link = "dla-%d" % int(number) -else: -link = dla.lower() -return url.absolute("https://www.debian.org/lts/security/%s; -% link) -return None +def url_dsa(self, url, dsa): +link = dsa.lower() +return url.absolute("https://www.debian.org/security/%s; % link) + +def url_dla(self, url, dla): +link = dla.lower() +return url.absolute("https://www.debian.org/lts/security/%s; % link) def url_debian_bug(self, url, debian): return url.absolute("https://bugs.debian.org/cgi-bin/bugreport.cgi;, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/be537af61e138068be52aa7b0bb2d0622e47ddc4...e4eac9e567d5764e42152230ee8d038e383c6103
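Review bot: In the second hunk, the rewritten url_dsa and url_dla no longer return None for a name that does not look like DSA-number or DSA-number-revision (likewise DLA); whatever string is passed in is lowercased and placed into the URL path. Please confirm that every caller only passes names that were already validated elsewhere and that none of them tests the result for None; if that cannot be guaranteed, keep a cheap format check and the None return while still dropping the -1 special case. The first hunk removes `import re`, which is only safe if nothing else in bin/tracker_service.py uses the module, so a quick grep before merging is worthwhile.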
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3817-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a22949a2 by Emilio Pozuelo Monfort at 2024-05-20T10:14:09+02:00 Reserve DLA-3817-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 May 2024] DLA-3817-1 thunderbird - security update + {CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777} + [buster] - thunderbird 1:115.11.0-1~deb10u1 [17 May 2024] DLA-3816-1 bind9 - security update {CVE-2023-50387 CVE-2023-50868} [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u11 = data/dla-needed.txt = @@ -301,9 +301,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240515: Added by pochu --- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a22949a22f1e2fe1d59734fa16d159976436c116
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3815-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7161e965 by Emilio Pozuelo Monfort at 2024-05-16T09:15:11+02:00 Reserve DLA-3815-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 May 2024] DLA-3815-1 firefox-esr - security update + {CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777} + [buster] - firefox-esr 115.11.0esr-1~deb10u1 [13 May 2024] DLA-3814-1 glib2.0 - security update {CVE-2024-34397} [buster] - glib2.0 2.58.3-2+deb10u6 = data/dla-needed.txt = @@ -85,9 +85,6 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20240515: Added by pochu --- firmware-nonfree (tobi) NOTE: 20240502: Added by Front-Desk (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7161e96533dc8ec426316178f875eba4257706ad
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cba0 by Emilio Pozuelo Monfort at 2024-05-15T09:26:10+02:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -85,6 +85,9 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- +firefox-esr (Emilio) + NOTE: 20240515: Added by pochu +-- firmware-nonfree (tobi) NOTE: 20240502: Added by Front-Desk (Beuc) -- @@ -290,6 +293,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20240515: Added by pochu +-- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cba03f29632e821e872ff0a34e57da567d83
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3793-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9432f13e by Emilio Pozuelo Monfort at 2024-04-22T15:40:27+02:00 Reserve DLA-3793-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Apr 2024] DLA-3793-1 openjdk-11 - security update + {CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094} + [buster] - openjdk-11 11.0.23+9-1~deb10u1 [22 Apr 2024] DLA-3792-1 samba - security update {CVE-2020-14318 CVE-2020-14323 CVE-2020-14383 CVE-2022-2127 CVE-2022-3437 CVE-2022-32742 CVE-2023-4091} [buster] - samba 2:4.9.5+dfsg-5+deb10u5 = data/dla-needed.txt = @@ -224,9 +224,6 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- -openjdk-11 (Emilio) - NOTE: 20240418: Added by pochu --- org-mode (Sean Whitton) NOTE: 20240405: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9432f13e7a54b0fad6fa9bf7d98f216df2e2d80d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3791-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 149c9011 by Emilio Pozuelo Monfort at 2024-04-22T10:45:29+02:00 Reserve DLA-3791-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Apr 2024] DLA-3791-1 thunderbird - security update + {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} + [buster] - thunderbird 1:115.10.1-1~deb10u1 [19 Apr 2024] DLA-3790-1 firefox-esr - security update {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} [buster] - firefox-esr 115.10.0esr-1~deb10u1 = data/dla-needed.txt = @@ -312,9 +312,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240422: Added by pochu --- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/149c90117adacad9bf88336a7b86d2376b4d9a36
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 93e291de by Emilio Pozuelo Monfort at 2024-04-22T10:38:15+02:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -312,6 +312,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20240422: Added by pochu +-- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93e291de895e1409cac71ae1187a80ca845f1ce3
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3790-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f98509b7 by Emilio Pozuelo Monfort at 2024-04-19T12:38:22+02:00 Reserve DLA-3790-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Apr 2024] DLA-3790-1 firefox-esr - security update + {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} + [buster] - firefox-esr 115.10.0esr-1~deb10u1 [18 Apr 2024] DLA-3789-1 libdatetime-timezone-perl - security update [buster] - libdatetime-timezone-perl 1:2.23-1+2024a [18 Apr 2024] DLA-3788-1 tzdata - new timezone database = data/dla-needed.txt = @@ -82,9 +82,6 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- -firefox-esr (Emilio) - NOTE: 20240417: Added by pochu --- freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f98509b79d30833444c0df77c8033e896b39de4e
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 98107aaa by Emilio Pozuelo Monfort at 2024-04-18T16:46:31+02:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -204,6 +204,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- +openjdk-11 (Emilio) + NOTE: 20240418: Added by pochu +-- org-mode (Sean Whitton) NOTE: 20240405: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98107aaaea779a8a1f67ed0581373771c4c2649d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98107aaaea779a8a1f67ed0581373771c4c2649d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3789-1 for libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 86677589 by Emilio Pozuelo Monfort at 2024-04-18T12:28:48+02:00 Reserve DLA-3789-1 for libdatetime-timezone-perl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[18 Apr 2024] DLA-3789-1 libdatetime-timezone-perl - security update + [buster] - libdatetime-timezone-perl 1:2.23-1+2024a [18 Apr 2024] DLA-3788-1 tzdata - new timezone database [buster] - tzdata 2024a-0+deb10u1 [15 Apr 2024] DLA-3787-1 xorg-server - security update = data/dla-needed.txt = @@ -121,10 +121,6 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libdatetime-timezone-perl (Emilio) - NOTE: 20240327: Added by pochu - NOTE: 20240417: Blocked by tzdata update (Emilio) --- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86677589113dd97fbf0559e7e0173ee9efa087ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86677589113dd97fbf0559e7e0173ee9efa087ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3788-1 for tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f0451d4c by Emilio Pozuelo Monfort at 2024-04-18T12:25:06+02:00 Reserve DLA-3788-1 for tzdata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[18 Apr 2024] DLA-3788-1 tzdata - new timezone database + [buster] - tzdata 2024a-0+deb10u1 [15 Apr 2024] DLA-3787-1 xorg-server - security update {CVE-2024-31080 CVE-2024-31081 CVE-2024-31083} [buster] - xorg-server 2:1.20.4-1+deb10u14 = data/dla-needed.txt = @@ -298,10 +298,6 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tzdata (Emilio) - NOTE: 20240327: Added by pochu - NOTE: 20240417: updating to latest upstream instead of cherry-picking (Emilio) --- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0451d4c01050da25abbebb401d583bc7d2f9a0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0451d4c01050da25abbebb401d583bc7d2f9a0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d09b63f by Emilio Pozuelo Monfort at 2024-04-17T10:41:55+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,6 +76,9 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- +firefox-esr (Emilio) + NOTE: 20240417: Added by pochu +-- freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d09b63f9a9d435ccf146e2eaed263e8e3be29e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d09b63f9a9d435ccf146e2eaed263e8e3be29e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take tzdata and libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 564e0e87 by Emilio Pozuelo Monfort at 2024-04-17T10:34:36+02:00 lts: take tzdata and libdatetime-timezone-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -112,8 +112,9 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libdatetime-timezone-perl +libdatetime-timezone-perl (Emilio) NOTE: 20240327: Added by pochu + NOTE: 20240417: Blocked by tzdata update (Emilio) -- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) @@ -287,8 +288,9 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tzdata +tzdata (Emilio) NOTE: 20240327: Added by pochu + NOTE: 20240417: updating to latest upstream instead of cherry-picking (Emilio) -- varnish NOTE: 20231117: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/564e0e879335799a577dab57168db7858ded3b07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/564e0e879335799a577dab57168db7858ded3b07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Drop buster from backports releases
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f32ec428 by Emilio Pozuelo Monfort at 2024-04-15T09:44:57+02:00 Drop buster from backports releases buster-backports has been archived. - - - - - 1 changed file: - lib/debian-releases.mk Changes: = lib/debian-releases.mk = @@ -7,7 +7,7 @@ endef MAIN_RELEASES = $(call get_config, '.distributions | to_entries[] | select(.value.release) | .key') SECURITY_RELEASES = $(filter-out sid, $(MAIN_RELEASES)) -BACKPORT_RELEASES = $(SECURITY_RELEASES) +BACKPORT_RELEASES = $(filter-out buster, $(SECURITY_RELEASES)) # Define the variables for the release on the main mirror define add_main_release = View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f32ec428c14d08f392225bb2b29dc92777eb9d70 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f32ec428c14d08f392225bb2b29dc92777eb9d70 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
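Review bot: `$(filter-out buster, $(SECURITY_RELEASES))` hardcodes a release name in a file where MAIN_RELEASES is derived from the configuration through get_config, so the next archived backports suite will need another makefile edit. Consider driving this from a per-distribution key in the same configuration, or at least add a comment above BACKPORT_RELEASES recording that buster-backports has been archived, since that reason currently lives only in the commit message.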
[Git][security-tracker-team/security-tracker][master] lts: take tzdata and libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e7a0619 by Emilio Pozuelo Monfort at 2024-03-27T11:49:13+01:00 lts: take tzdata and libdatetime-timezone-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -111,6 +111,9 @@ knot-resolver NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- +libdatetime-timezone-perl (Emilio) + NOTE: 20240327: Added by pochu +-- libpgjava NOTE: 20240308: Added by Front-Desk (opal) -- @@ -273,6 +276,9 @@ tiff (Abhijith PA) tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- +tzdata (Emilio) + NOTE: 20240327: Added by pochu +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7a0619c39062532f46cf47661e835112f7400e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7a0619c39062532f46cf47661e835112f7400e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3775-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bdc3fde by Emilio Pozuelo Monfort at 2024-03-25T16:39:04+01:00 Reserve DLA-3775-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Mar 2024] DLA-3775-1 firefox-esr - security update + {CVE-2023-5388 CVE-2024-0743 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616 CVE-2024-29944} + [buster] - firefox-esr 115.9.1esr-1~deb10u1 [25 Mar 2024] DLA-3774-1 gross - security update {CVE-2023-52159} [buster] - gross 1.0.2-4.1~deb10u1 = data/dla-needed.txt = @@ -75,9 +75,6 @@ edk2 expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) -- -firefox-esr (Emilio) - NOTE: 20240320: Added by Front-Desk (ta) --- freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bdc3fdeae3de5dbd9e10d29217817e1e77d1ccd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bdc3fdeae3de5dbd9e10d29217817e1e77d1ccd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: tracker_service: make unimportant issues non-red
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 05e8e523 by Emilio Pozuelo Monfort at 2024-03-21T11:21:59+01:00 tracker_service: make unimportant issues non-red They were marked as red and vulnerable. Since they are marked as unimportant, we should show that to not raise alarms. - - - - - 6331de58 by Emilio Pozuelo Monfort at 2024-03-25T08:39:28+00:00 Merge branch mark-unimportant-issues-non-red into master tracker_service: make unimportant issues non-red See merge request security-tracker-team/security-tracker!167 - - - - - 1 changed file: - bin/tracker_service.py Changes: = bin/tracker_service.py = @@ -439,6 +439,14 @@ data source.""")], page.append(make_table(gen_header())) +def is_unimportant(bug, package): +if bug.notes: +for note in bug.notes: +if note.package == package and str(note.urgency) == 'unimportant': +return True + +return False + if bug.notes: def gen_source(): 
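Review bot: is_unimportant() matches on note.package alone, so a single unimportant note for the package is enough to return True; if a note can be scoped to one release, compare that as well before downgrading the row. The `if bug.notes:` guard inside the helper repeats the check on the unchanged line that follows it, and the loop could collapse to `return any(n.package == package and str(n.urgency) == 'unimportant' for n in bug.notes or [])`. A one-line docstring saying why the urgency is compared through str() would also help.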
@@ -453,8 +461,12 @@ data source.""")], self.make_source_package_ref(url, package), " (", self.make_pts_ref(url, package, 'PTS'), ")") if vulnerable == 1: -vuln = self.make_red('vulnerable') -version = self.make_red(version) +if is_unimportant(bug, old_pkg): +vuln = self.make_yellow('vulnerable (unimportant)') +version = self.make_yellow(version) +else: +vuln = self.make_red('vulnerable') +version = self.make_red(version) elif vulnerable == 2: vuln = self.make_purple('undetermined') version = self.make_purple(version) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5d55976a1e042c0466e5028e30db1e910a577c8b...6331de58722181077a1533dc934eef3c23719237 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5d55976a1e042c0466e5028e30db1e910a577c8b...6331de58722181077a1533dc934eef3c23719237 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
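Review bot: the new check calls is_unimportant(bug, old_pkg), while the unchanged lines just above it build the row from `package` (make_source_package_ref(url, package)); pass `package` here, or add a comment saying why old_pkg is guaranteed to hold the same name at this point. The yellow branch also changes the cell text to 'vulnerable (unimportant)', so anything that matches the literal string 'vulnerable' in the rendered page should be checked against the new wording.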
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3769-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 062ad09d by Emilio Pozuelo Monfort at 2024-03-23T12:21:50+01:00 Reserve DLA-3769-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Mar 2024] DLA-3769-1 thunderbird - security update + {CVE-2023-5388 CVE-2024-0743 CVE-2024-1936 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616} + [buster] - thunderbird 1:115.9.0-1~deb10u1 [22 Mar 2024] DLA-3768-1 pillow - security update {CVE-2021-23437 CVE-2022-22817 CVE-2023-44271} [buster] - pillow 5.4.1-2+deb10u5 = data/dla-needed.txt = @@ -284,9 +284,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240306: Added by Front-Desk (opal) --- tiff (Abhijith PA) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/062ad09de1adc5a5ed07a49e266678be5aa6ff09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/062ad09de1adc5a5ed07a49e266678be5aa6ff09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker] Deleted branch mark-unimportant-issues-non-red
Emilio Pozuelo Monfort deleted branch mark-unimportant-issues-non-red at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker] Pushed new branch mark-unimportant-issues-non-red
Emilio Pozuelo Monfort pushed new branch mark-unimportant-issues-non-red at Debian Security Tracker / security-tracker -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/mark-unimportant-issues-non-red
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ff3cbf06 by Emilio Pozuelo Monfort at 2024-03-21T10:36:47+01:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,7 +75,7 @@ edk2 expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20240320: Added by Front-Desk (ta) -- freeimage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff3cbf068d3f20c94a42a6ee42cb12d300d6aa06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff3cbf068d3f20c94a42a6ee42cb12d300d6aa06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d01a78cb by Emilio Pozuelo Monfort at 2024-03-07T10:43:53+01:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -313,7 +313,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird +thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- tiff (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d01a78cb2db5f4285e4b5fbe0239811909d612bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d01a78cb2db5f4285e4b5fbe0239811909d612bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3748-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6638922c by Emilio Pozuelo Monfort at 2024-03-04T08:53:26+01:00 Reserve DLA-3748-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Mar 2024] DLA-3748-1 thunderbird - security update + {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553} + [buster] - thunderbird 1:115.8.0-1~deb10u1 [04 Mar 2024] DLA-3747-1 firefox-esr - security update {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553} [buster] - firefox-esr 115.8.0esr-1~deb10u1 = data/dla-needed.txt = @@ -272,10 +272,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240222: Added by Front-Desk (pochu) - NOTE: 20240222: send DLA after maintainer uploads 115.8.0 --- tiff (Abhijith PA) NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6638922c4067bb974dbfa6366466863ff5044812 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6638922c4067bb974dbfa6366466863ff5044812 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3747-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 14d946b6 by Emilio Pozuelo Monfort at 2024-03-04T08:51:25+01:00 Reserve DLA-3747-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Mar 2024] DLA-3747-1 firefox-esr - security update + {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553} + [buster] - firefox-esr 115.8.0esr-1~deb10u1 [29 Feb 2024] DLA-3746-1 wireshark - security update {CVE-2023-4511 CVE-2023-4513 CVE-2023-6175 CVE-2024-0208} [buster] - wireshark 2.6.20-0+deb10u8 = data/dla-needed.txt = @@ -94,9 +94,6 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- -firefox-esr (Emilio) - NOTE: 20240222: Added by Front-Desk (pochu) --- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14d946b6198855bbeb93fa72ca8365bebdbea6b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14d946b6198855bbeb93fa72ca8365bebdbea6b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c97e7a88 by Emilio Pozuelo Monfort at 2024-03-04T08:49:58+01:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -275,7 +275,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird +thunderbird (Emilio) NOTE: 20240222: Added by Front-Desk (pochu) NOTE: 20240222: send DLA after maintainer uploads 115.8.0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c97e7a88d4db282b15dfd07be7b36656f19b79ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c97e7a88d4db282b15dfd07be7b36656f19b79ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: add thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b41cf60 by Emilio Pozuelo Monfort at 2024-02-22T19:36:59+01:00 lts: add thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -280,6 +280,10 @@ suricata NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird + NOTE: 20240222: Added by Front-Desk (pochu) + NOTE: 20240222: send DLA after maintainer uploads 115.8.0 +-- tiff NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b41cf60d5d814dee838af8c8a2bdff7b78b6dee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b41cf60d5d814dee838af8c8a2bdff7b78b6dee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f82bb5a by Emilio Pozuelo Monfort at 2024-02-22T19:35:15+01:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,6 +94,9 @@ engrampa exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +firefox-esr (Emilio) + NOTE: 20240222: Added by Front-Desk (pochu) +-- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f82bb5afa8fde2fc0cf8f72e00fa9b2606f3d8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f82bb5afa8fde2fc0cf8f72e00fa9b2606f3d8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add missing reservation for DLA-3735-1
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 20ce78fb by Emilio Pozuelo Monfort at 2024-02-19T10:00:27+01:00 Add missing reservation for DLA-3735-1 https://lists.debian.org/debian-lts/2024/02/msg00016.html - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -161683,7 +161683,6 @@ CVE-2021-43784 (runc is a CLI tool for spawning and running containers on Linux {DLA-2841-1} - runc 1.0.3+ds1-1 [bullseye] - runc (Minor issue; not exploitable in 1.0.0) - [buster] - runc (Minor issue; not exploitable in 1.0.0) NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1 NOTE: Fixed by: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Feb 2024] DLA-3735-1 runc - security update + {CVE-2021-43784 CVE-2024-21626} + [buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3 [17 Feb 2024] DLA-3734-1 openvswitch - security update {CVE-2023-5366} [buster] - openvswitch 2.10.7+ds1-0+deb10u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20ce78fbefbaf1516dbd9e7d6679974b1e985dce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20ce78fbefbaf1516dbd9e7d6679974b1e985dce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
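Review bot: the data/CVE/list hunk drops the buster line for CVE-2021-43784 that read "Minor issue; not exploitable in 1.0.0", while the new DLA-3735-1 entry lists that CVE as fixed in buster's runc 1.0.0~rc6+dfsg1-3+deb10u3, and the commit message gives only a mailing-list URL. Say in the message that the earlier triage is superseded by the DLA, so the removal can be reviewed without following the link.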
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3728-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cd2b7d69 by Emilio Pozuelo Monfort at 2024-01-31T16:30:47+01:00 Reserve DLA-3728-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2024] DLA-3728-1 openjdk-11 - security update + {CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952} + [buster] - openjdk-11 11.0.22+7-1~deb10u1 [31 Jan 2024] DLA-3727-1 firefox-esr - security update {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} [buster] - firefox-esr 115.7.0esr-1~deb10u1 = data/dla-needed.txt = @@ -168,9 +168,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openjdk-11 (Emilio) - NOTE: 20240121: Added by Front-Desk (apo) --- putty (santiago) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2b7d69a2168c3a48c9029464fea5417b6f266d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2b7d69a2168c3a48c9029464fea5417b6f266d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3727-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a5866bd9 by Emilio Pozuelo Monfort at 2024-01-31T16:14:34+01:00 Reserve DLA-3727-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2024] DLA-3727-1 firefox-esr - security update + {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} + [buster] - firefox-esr 115.7.0esr-1~deb10u1 [30 Jan 2024] DLA-3726-1 bind9 - security update {CVE-2023-3341} [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u10 = data/dla-needed.txt = @@ -80,9 +80,6 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- -firefox-esr (Emilio) - NOTE: 20240125: Added by pochu --- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5866bd9075ef7cabfe2d55c99d3cbd757e75e9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5866bd9075ef7cabfe2d55c99d3cbd757e75e9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3720-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e94fbd17 by Emilio Pozuelo Monfort at 2024-01-25T11:48:41+01:00 Reserve DLA-3720-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jan 2024] DLA-3720-1 thunderbird - security update + {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} + [buster] - thunderbird 1:115.7.0-1~deb10u1 [25 Jan 2024] DLA-3719-1 phpseclib - security update {CVE-2023-48795} [buster] - phpseclib 1.0.19-3~deb10u2 = data/dla-needed.txt = @@ -278,9 +278,6 @@ suricata NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240125: Added by pochu --- tiff NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e94fbd171f2fd912f636b1642c7e0a87d82b1d43 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e94fbd171f2fd912f636b1642c7e0a87d82b1d43 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 78b9cf35 by Emilio Pozuelo Monfort at 2024-01-25T11:13:39+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -85,6 +85,9 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +firefox-esr (Emilio) + NOTE: 20240125: Added by pochu +-- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- @@ -275,6 +278,9 @@ suricata NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20240125: Added by pochu +-- tiff NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78b9cf357cbb5246fc5956782c09a4b3da511db6
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 35fdad6d by Emilio Pozuelo Monfort at 2024-01-22T11:32:58+01:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -178,7 +178,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openjdk-11 +openjdk-11 (Emilio) NOTE: 20240121: Added by Front-Desk (apo) -- php-phpseclib (guilhem) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35fdad6dbdff4b5543e97961fc269a70a891705d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3698-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c07ad52 by Emilio Pozuelo Monfort at 2023-12-29T11:10:44+01:00 Reserve DLA-3698-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Dec 2023] DLA-3698-1 thunderbird - security update + {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762} + [buster] - thunderbird 1:115.6.0-1~deb10u1 [29 Dec 2023] DLA-3697-1 firefox-esr - security update {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867} [buster] - firefox-esr 115.6.0esr-1~deb10u1 = data/dla-needed.txt = @@ -250,9 +250,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20231221: Added by pochu --- tinymce NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c07ad52b7dff85c540be64bba12b23f43bbf222
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3697-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cf1e760e by Emilio Pozuelo Monfort at 2023-12-29T11:07:50+01:00 Reserve DLA-3697-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Dec 2023] DLA-3697-1 firefox-esr - security update + {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867} + [buster] - firefox-esr 115.6.0esr-1~deb10u1 [28 Dec 2023] DLA-3696-1 asterisk - security update {CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786} [buster] - asterisk 1:16.28.0~dfsg-0+deb10u4 = data/dla-needed.txt = @@ -75,9 +75,6 @@ dropbear (guilhem) exim4 (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- -firefox-esr (Emilio) - NOTE: 20231221: Added by pochu --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf1e760e9622c4378670cf0057bc642ae85338e8
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a1eec85 by Emilio Pozuelo Monfort at 2023-12-21T16:00:09+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,9 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- +firefox-esr (Emilio) + NOTE: 20231221: Added by pochu +-- frr NOTE: 20231119: Added by Front-Desk (apo) -- @@ -229,6 +232,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20231221: Added by pochu +-- tinymce NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a1eec858c2d864b41e19defb8e3112f024ffc31
[Git][security-tracker-team/security-tracker][master] Makefile: add an update-cve-descriptions target
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d7e47aa0 by Emilio Pozuelo Monfort at 2023-12-12T16:39:13+01:00 Makefile: add an update-cve-descriptions target This will be used by the tracker service instead of the update-nvd one, which will be removed later. - - - - - 1 changed file: - Makefile Changes: = Makefile = @@ -72,12 +72,15 @@ update-backports: $(foreach release,$(BACKPORT_RELEASES),update-$(release)_backp supported-update-targets: @echo -n "main security backports " @echo -n "$(RELEASES) " - @echo -n "packages lists nvd" + @echo -n "packages lists cve-descriptions nvd" # Other custom update rules update-lists: git fetch -q origin && git checkout -f origin/master -- data +update-cve-descriptions: + bin/update-cve-descriptions + # Since October 16, 2015 the XML data feeds are no longer available for # download in an uncompressed format. # As per October 16, 2019, the XML data feeds were discontinued and NVD @@ -102,4 +105,4 @@ update-compare-nvd: done bin/compare-nvd-cve 2> compare-nvd-cve.log -update-all: update-nvd update-lists update-packages all +update-all: update-cve-descriptions update-lists update-packages all View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7e47aa04024736d12cb721bbbc5dabd3bbde669
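Review bot: the new `update-cve-descriptions:` rule carries no comment saying it supersedes `update-nvd`, while the `supported-update-targets` hunk now advertises both `cve-descriptions` and `nvd` and the last hunk drops `update-nvd` from `update-all`. Until `update-nvd` is actually removed, a one-line comment above the new rule stating which of the two the tracker service should call would avoid callers keeping the old target by habit. If this Makefile declares its update targets `.PHONY`, the new target belongs in that list as well.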
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3684-1 for tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d7e704dc by Emilio Pozuelo Monfort at 2023-12-07T10:35:12+01:00 Reserve DLA-3684-1 for tzdata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Dec 2023] DLA-3684-1 tzdata - new timezone database + [buster] - tzdata 2021a-0+deb10u12 [05 Dec 2023] DLA-3683-1 roundcube - security update {CVE-2023-47272} [buster] - roundcube 1.3.17+dfsg.1-1~deb10u5 = data/dla-needed.txt = @@ -226,9 +226,6 @@ tomcat9 tor NOTE: 20231119: Added by Front-Desk (apo) -- -tzdata (Emilio) - NOTE: 20231206: Added by pochu --- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7e704dcd46b9064c7df6bfc96c79d9115802751
[Git][security-tracker-team/security-tracker][master] lts: take tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f35a06b by Emilio Pozuelo Monfort at 2023-12-06T11:29:10+01:00 lts: take tzdata - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -223,6 +223,9 @@ tomcat9 tor NOTE: 20231119: Added by Front-Desk (apo) -- +tzdata (Emilio) + NOTE: 20231206: Added by pochu +-- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f35a06bf4ea12fc9ddc9f3d5e9af720069f983d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3674-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d2d19d76 by Emilio Pozuelo Monfort at 2023-11-30T15:25:02+01:00 Reserve DLA-3674-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3674-1 thunderbird - security update + {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} + [buster] - thunderbird 1:115.5.0-1~deb10u1 [28 Nov 2023] DLA-3673-1 gst-plugins-bad1.0 - security update {CVE-2023-6} [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u5 = data/dla-needed.txt = @@ -222,9 +222,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20231122: Added by Front-Desk (ola) --- tinymce (Sean Whitton) NOTE: 20231123: Added by Front-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2d19d76129e8fe47208e4e61965ab89029b7fef
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3661-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b473de5 by Emilio Pozuelo Monfort at 2023-11-23T23:35:26+01:00 Reserve DLA-3661-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Nov 2023] DLA-3661-1 firefox-esr - security update + {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} + [buster] - firefox-esr 115.5.0esr-1~deb10u1 [22 Nov 2023] DLA-3660-1 gnutls28 - security update {CVE-2023-5981} [buster] - gnutls28 3.6.7-4+deb10u11 = data/dla-needed.txt = @@ -61,9 +61,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20231122: Added by Front-Desk (ola) --- flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b473de53704c7757d45a03db485bd9acce40ea2
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 97415239 by Emilio Pozuelo Monfort at 2023-11-23T10:36:59+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- flatpak @@ -261,7 +261,7 @@ suricata (Adrian Bunk) symfony (Markus Koschany) NOTE: 20231118: Added by Front-Desk (apo) -- -thunderbird +thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- tor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97415239a90462de31fc4d637dfd8b2d8fa6c5f6
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3653-1 for libclamunrar
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cd2eff54 by Emilio Pozuelo Monfort at 2023-11-15T10:41:08+01:00 Reserve DLA-3653-1 for libclamunrar - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Nov 2023] DLA-3653-1 libclamunrar - security update + {CVE-2023-40477} + [buster] - libclamunrar 0.103.10-0+deb10u1 [14 Nov 2023] DLA-3652-1 ruby-sanitize - security update {CVE-2023-36823} [buster] - ruby-sanitize 4.6.6-2.1~deb10u2 = data/dla-needed.txt = @@ -100,10 +100,6 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libclamunrar (Emilio) - NOTE: 20231113: Added by Front-Desk (apo) - NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2eff54b4255c7d413ca417fcb54a69b4de3a87
[Git][security-tracker-team/security-tracker][master] lts: drop clamav and add libclamunrar
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ed31dca by Emilio Pozuelo Monfort at 2023-11-14T09:49:24+01:00 lts: drop clamav and add libclamunrar The affected code is in src:libclamunrar, which is split from clamav. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,10 +40,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -clamav (Emilio) - NOTE: 20231113: Added by Front-Desk (apo) - NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 (libclamunrar). --- curl NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) @@ -104,6 +100,10 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- +libclamunrar (Emilio) + NOTE: 20231113: Added by Front-Desk (apo) + NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ed31dca0342aad915b31132a2a7e3264d57b6e1
[Git][security-tracker-team/security-tracker][master] lts: take clamav
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c2eab86f by Emilio Pozuelo Monfort at 2023-11-14T09:39:08+01:00 lts: take clamav Looks unaffected, but claim it for further investigation. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,7 +40,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -clamav +clamav (Emilio) NOTE: 20231113: Added by Front-Desk (apo) NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 (libclamunrar). -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2eab86f47509fc19cc53fdf9bb3dcd1fe4903e1
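Review bot: the assessment "Looks unaffected" exists only in the commit message; the hunk changes `clamav` to `clamav (Emilio)` and leaves the two Front-Desk NOTE lines asking for an upgrade to 0.103.10 untouched. A dated NOTE line under the entry, recording that clamav itself looks unaffected and is claimed for further investigation, would keep that context in data/dla-needed.txt for whoever reads the file next.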
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3651-1 for postgresql-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: bf97a667 by Emilio Pozuelo Monfort at 2023-11-14T09:31:04+01:00 Reserve DLA-3651-1 for postgresql-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Nov 2023] DLA-3651-1 postgresql-11 - security update + {CVE-2023-5868 CVE-2023-5869 CVE-2023-5870} + [buster] - postgresql-11 11.22-0+deb10u1 [12 Nov 2023] DLA-3650-1 audiofile - security update {CVE-2019-13147 CVE-2022-24599} [buster] - audiofile 0.3.6-5+deb10u1 = data/dla-needed.txt = @@ -173,9 +173,6 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -postgresql-11 (Emilio) - NOTE: 20231113: Added by pochu to take care of the announcement --- postgresql-multicorn NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf97a667cdff45176cfda06b6b3b067b2cdb9aec
[Git][security-tracker-team/security-tracker][master] lts: take postgresql-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 124b8dff by Emilio Pozuelo Monfort at 2023-11-13T09:13:57+01:00 lts: take postgresql-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -168,6 +168,9 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- +postgresql-11 (Emilio) + NOTE: 20231113: Added by pochu to take care of the announcement +-- postgresql-multicorn NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/124b8dffded463da01410e0547cd1249d5b98305
[Git][security-tracker-team/security-tracker][master] lts: remove obsolete audiofile note
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ebea182c by Emilio Pozuelo Monfort at 2023-11-10T13:45:58+01:00 lts: remove obsolete audiofile note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,6 @@ amanda -- audiofile (rouca) NOTE: 20230918: Added by Front-Desk (apo) - NOTE: 20230919: unfixed upstream (apo) -- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebea182ca84c2000e79a2e188ce5977a7c4b2010
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-43642/snappy-java as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1151e0e3 by Emilio Pozuelo Monfort at 2023-11-10T13:29:37+01:00 Mark CVE-2023-43642/snappy-java as no-dsa on buster - - - - - 29e67e5e by Emilio Pozuelo Monfort at 2023-11-10T13:30:32+01:00 Mark two golang-1.11 issues as no-dsa on buster - - - - - d993030b by Emilio Pozuelo Monfort at 2023-11-10T13:35:36+01:00 Mark CVE-2023-26141/ruby-sidekiq as no-dsa on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -475,6 +475,7 @@ CVE-2023-45284 (On Windows, The IsLocal function does not correctly detect reser - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY NOTE: https://github.com/golang/go/issues/63713 NOTE: https://github.com/golang/go/commit/9e933c189ca3a84f12995b3c799364a06abc4376 (go1.21.4) @@ -488,6 +489,7 @@ CVE-2023-45283 (The filepath package does not recognize paths with a \??\ prefix - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY NOTE: https://github.com/golang/go/issues/63713 NOTE: https://github.com/golang/go/commit/9e933c189ca3a84f12995b3c799364a06abc4376 (go1.21.4) @@ -8173,6 +8175,7 @@ CVE-2023-43642 (snappy-java is a Java port of the snappy, a fast C++ compresser/ - snappy-java 1.1.10.5-1 (bug #1053474) [bookworm] - snappy-java (Minor issue) [bullseye] - snappy-java (Minor issue) + [buster] - snappy-java (Minor issue) NOTE: https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5 (v1.1.10.4) NOTE: https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv CVE-2023-43458 (Cross Site Scripting (XSS) vulnerability in Resort Reservation System ...) 
@@ -41407,6 +41410,7 @@ CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP Response NOT-FOR-US: Crow CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to Denial ...) - ruby-sidekiq + [buster] - ruby-sidekiq (Minor issue, DoS still possible) NOTE: https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107 NOTE: https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89 (v7.1.3) CVE-2023-26140 (Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3e1fe0e440a80dbcacc87dfad89b5b4dcb7971f1...d993030b744100af82567168e18fe795962291b0
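Review bot: on the added `[buster] - ruby-sidekiq` line, the annotation "(Minor issue, DoS still possible)" does not say under what condition the DoS remains possible, so a reader cannot tell whether it refers to buster staying unfixed or to a limitation of the upstream fix referenced in the NOTE lines (v7.1.3). A few more words in the parenthesis, or a NOTE line under CVE-2023-26141, would settle it.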
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2023-5072/jenkins-json as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b6a2615d by Emilio Pozuelo Monfort at 2023-11-10T13:22:34+01:00 Mark CVE-2023-5072/jenkins-json as no-dsa on buster - - - - - 3e1fe0e4 by Emilio Pozuelo Monfort at 2023-11-10T13:23:28+01:00 Fix wrong CVE ID in DLA-3649-1 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -4729,6 +4729,7 @@ CVE-2023-5072 (Denial of Service in JSON-Java versions up to and including 2023 - jenkins-json (bug #1053883) [bookworm] - jenkins-json (Minor issue) [bullseye] - jenkins-json (Minor issue) + [buster] - jenkins-json (Minor issue) - libjettison-java (bug #1053884) [bookworm] - libjettison-java (Minor issue) [bullseye] - libjettison-java (Minor issue) = data/DLA/list = @@ -1,5 +1,5 @@ [08 Nov 2023] DLA-3649-1 python-urllib3 - security update - {CVE-2023-43803} + {CVE-2023-45803} [buster] - python-urllib3 1.24.1-1+deb10u2 [07 Nov 2023] DLA-3648-1 tang - security update {CVE-2023-1672} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0d1a5c4a0c3571d7f6304660fa3cf067d94ccd36...3e1fe0e440a80dbcacc87dfad89b5b4dcb7971f1
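Review bot: in the data/DLA/list hunk the corrected ID differs from the old one by a single digit (`{CVE-2023-43803}` to `{CVE-2023-45803}`), and the commit message "Fix wrong CVE ID in DLA-3649-1" names neither. Putting both IDs in the message would let anyone who picked up the wrong ID from the earlier revision find this correction by searching the log.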
[Git][security-tracker-team/security-tracker][master] 3 commits: Triage CVE-2023-5678/openssl as postponed for buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a20d208f by Emilio Pozuelo Monfort at 2023-11-08T12:58:49+01:00 Triage CVE-2023-5678/openssl as postponed for buster - - - - - eeb3ad01 by Emilio Pozuelo Monfort at 2023-11-08T12:58:51+01:00 Mark gpac issues as EOL for buster - - - - - d3d23685 by Emilio Pozuelo Monfort at 2023-11-08T12:58:51+01:00 lts: add ruby-sanitize - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -56,6 +56,7 @@ CVE-2023-46483 (Cross Site Scripting vulnerability in timetec AWDMS v.2.0 allows NOT-FOR-US: timetec AWDMS CVE-2023-46001 (Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g2013208 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2629 NOTE: https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4 CVE-2023-45380 (In the module "Order Duplicator " Clone and Delete Existing Order" (or ...) @@ -100,6 +101,7 @@ CVE-2023-45283 [path/filepath: recognize \??\ as a Root Local Device path prefix TODO: check if it should be considered "windows only" or still tracked due to issue in path parsing for windows paths CVE-2023-5998 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113 NOTE: https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e CVE-2023-5996 
@@ -1982,6 +1984,7 @@ CVE-2023-5678 (Issue summary: Generating excessively long X9.42 DH keys or check - openssl (bug #1055473) [bookworm] - openssl (Minor issue; can be fixed along with future update) [bullseye] - openssl (Minor issue; can be fixed along with future update) + [buster] - openssl (Minor issue; can be fixed along with future update) NOTE: https://www.openssl.org/news/secadv/20231106.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017 (for 3.0.y) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c (for 1.1.1y) = data/dla-needed.txt = @@ -210,6 +210,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +ruby-sanitize + NOTE: 20231108: Added by Front-Desk (pochu) +-- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ae562751e0b0d6af6c0c1b1491503bccec316f2...d3d23685c73af8d3add9a9f03dc68533d34ec01f
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-46361/jbig2dec as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 04c07598 by Emilio Pozuelo Monfort at 2023-11-06T13:20:58+01:00 Triage CVE-2023-46361/jbig2dec as no-dsa on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -846,6 +846,7 @@ CVE-2023-46361 (Artifex Software jbig2dec v0.20 was discovered to contain a SEGV - jbig2dec (bug #1055387) [bookworm] - jbig2dec (Minor issue) [bullseye] - jbig2dec (Minor issue) + [buster] - jbig2dec (Minor issue) NOTE: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/jbig2dec-SEGV/jbig2dec-SEGV.md NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707308 CVE-2023-46356 (In the module "CSV Feeds PRO" (csvfeeds) before 2.6.1 from Bl Modules ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04c07598ab3785668d24d4eebbf1a46974a85529
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-43622/apache2 as n/a on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cc7269c2 by Emilio Pozuelo Monfort at 2023-11-06T13:17:25+01:00 Mark CVE-2023-43622/apache2 as n/a on buster According to the upstream advisory, it was introduced in 2.4.55. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2798,7 +2798,7 @@ CVE-2023-43622 (An attacker, opening a HTTP/2 connection with an initial window - apache2 2.4.58-1 [bookworm] - apache2 (Minor issue) [bullseye] - apache2 (Minor issue) - [buster] - apache2 (Minor issue) + [buster] - apache2 (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622 CVE-2023-5654 (The React Developer Tools extension registers a message listener with ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc7269c2cd003196739da8956f1d025a45c26549
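Review bot: in the CVE-2023-43622 hunk, the reason for the new buster state, that the issue was introduced in 2.4.55 according to the upstream advisory, exists only in the commit message. Record it next to the entry, for example as a NOTE line stating the introducing version, so the "(Vulnerable code introduced later)" claim can be checked from data/CVE/list without going through git history.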
[Git][security-tracker-team/security-tracker][master] lts: add vlc
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e00f4d9 by Emilio Pozuelo Monfort at 2023-11-06T13:02:19+01:00 lts: add vlc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -247,6 +247,10 @@ tang (Chris Lamb) NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) -- +vlc + NOTE: 20231106: Added by Front-Desk (pochu) + NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) +-- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e00f4d93eeb0e85957b4e7c95abce0a6dfe31c8
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3637-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 737b371c by Emilio Pozuelo Monfort at 2023-10-29T10:05:16+01:00 Reserve DLA-3637-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3637-1 thunderbird - security update + {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} + [buster] - thunderbird 1:115.4.1-1~deb10u1 [29 Oct 2023] DLA-3636-1 openjdk-11 - security update {CVE-2023-22081} [buster] - openjdk-11 11.0.21+9-1~deb10u1 = data/dla-needed.txt = @@ -226,9 +226,6 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20231025: Added by pochu --- trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/737b371ca077f9a285325a6f030b1dfbce51c28e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3636-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 47feabec by Emilio Pozuelo Monfort at 2023-10-29T09:13:43+01:00 Reserve DLA-3636-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3636-1 openjdk-11 - security update + {CVE-2023-22081} + [buster] - openjdk-11 11.0.21+9-1~deb10u1 [29 Oct 2023] DLA-3635-1 node-browserify-sign - security update {CVE-2023-46234} [buster] - node-browserify-sign 4.0.4-2+deb10u1 = data/dla-needed.txt = @@ -144,9 +144,6 @@ opendkim NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) -- -openjdk-11 (Emilio) - NOTE: 20231019: Added by pochu --- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47feabec02fb72c10cb16014c4a0867c55485d25
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3632-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a4a7257 by Emilio Pozuelo Monfort at 2023-10-27T08:38:33+02:00 Reserve DLA-3632-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Oct 2023] DLA-3632-1 firefox-esr - security update + {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} + [buster] - firefox-esr 115.4.0esr-1~deb10u1 [25 Oct 2023] DLA-3631-1 xorg-server - security update {CVE-2023-5367 CVE-2023-5380} [buster] - xorg-server 2:1.20.4-1+deb10u10 = data/dla-needed.txt = @@ -58,9 +58,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20231024: Added by Front-Desk (gladk) --- flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a4a72570bfab97f4de3431af8b68989a24c7103
[Git][security-tracker-team/security-tracker][master] check-new-issues: don't exit when auto-setting nfu
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b7b02b96 by Emilio Pozuelo Monfort at 2023-10-26T13:44:25+02:00 check-new-issues: don't exit when auto-setting nfu present_issue returns true to exit. - - - - - 1 changed file: - bin/check-new-issues Changes: = bin/check-new-issues = @@ -600,7 +600,7 @@ def present_issue(name): print("New entry automatically set to NFU:") entry = cves[name] print_cve(entry) -return True +return False auto_search(name) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7b02b96d69e12ab8f73f54e6218675e7fc90cdf
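Review bot: the `return True` to `return False` change in present_issue relies on a convention that is stated only in the commit message ("present_issue returns true to exit"). Put that contract in a docstring or comment on present_issue, or return a named constant, so the next bare boolean added to this function is not misread the same way. A test of the automatic NFU path that checks processing continues with the next issue would keep this from regressing.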
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 68a64f9b by Emilio Pozuelo Monfort at 2023-10-25T16:03:58+02:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20231024: Added by Front-Desk (gladk) -- flatpak @@ -232,6 +232,9 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +thunderbird (Emilio) + NOTE: 20231025: Added by pochu +-- trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68a64f9befcce4f511adcd46ad0f6aa49cf7f868
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3628-1 for dbus
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 387ed84d by Emilio Pozuelo Monfort at 2023-10-23T15:34:08+02:00 Reserve DLA-3628-1 for dbus - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -18798,7 +18798,6 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash - dbus 1.14.8-1 (bug #1037151) [bookworm] - dbus 1.14.8-1~deb12u1 [bullseye] - dbus 1.12.28-0+deb11u1 - [buster] - dbus (Minor issue) NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) NOT-FOR-US: Gradio = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Oct 2023] DLA-3628-1 dbus - security update + {CVE-2023-34969} + [buster] - dbus 1.12.28-0+deb10u1 [23 Oct 2023] DLA-3627-1 redis - security update {CVE-2023-45145} [buster] - redis 5:5.0.14-1+deb10u5 = data/dla-needed.txt = @@ -48,10 +48,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -dbus (Emilio) - NOTE: 20231007: Added by Front-Desk (Beuc) - NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/387ed84d4a20d859528a87f0afb0beafdeacc61c
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1002c182 by Emilio Pozuelo Monfort at 2023-10-19T12:37:53+02:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -157,6 +157,9 @@ opendkim NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) -- +openjdk-11 (Emilio) + NOTE: 20231019: Added by pochu +-- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1002c18253fd085d2f27813235dfbe9905c96b2a
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3613-1 for curl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 17dc31e4 by Emilio Pozuelo Monfort at 2023-10-11T13:43:30+02:00 Reserve DLA-3613-1 for curl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -29879,7 +29879,6 @@ CVE-2023-28322 (An information disclosure vulnerability exists in curl (Minor issue) NOTE: https://curl.se/docs/CVE-2023-28321.html NOTE: Introduced by: https://github.com/curl/curl/commit/9631fa740708b1890197fad01e25b34b7e8eb80e (curl-7_12_0) NOTE: Fixed by: https://github.com/curl/curl/commit/199f2d440d8659b42670c1b796220792b01a97bf (curl-8_1_0) = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Oct 2023] DLA-3613-1 curl - security update + {CVE-2023-28321 CVE-2023-38546} + [buster] - curl 7.64.0-4+deb10u7 [08 Oct 2023] DLA-3612-1 lemonldap-ng - security update {CVE-2023-44469} [buster] - lemonldap-ng 2.0.2+ds-7+deb10u10 = data/dla-needed.txt = 
@@ -54,11 +54,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl (Emilio) - NOTE: 20231007: Added by Front-Desk (Beuc) - NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) - NOTE: 20231007: upcoming high severity CVE (pochu) --- dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17dc31e495d3853edfcc5c005e4bf8422ad495cd
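Review bot: the DLA-3613-1 entry added to data/DLA/list names two CVEs (CVE-2023-28321 and CVE-2023-38546), while the curl entry removed from data/dla-needed.txt in the same commit spoke of "3 CVEs" to follow from bullseye 11.8 plus an "upcoming high severity CVE". Since curl leaves dla-needed.txt entirely, confirm that every issue those notes referred to and that is not in the DLA has an explicit buster state in data/CVE/list, or keep a trimmed curl entry until it does, so nothing drops out of triage.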
[Git][security-tracker-team/security-tracker][master] 2 commits: check-new-issues: Define set_cve_nfu before using it for automatic processing
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 17fada11 by Salvatore Bonaccorso at 2023-10-06T22:31:07+02:00 check-new-issues: Define set_cve_nfu before using it for automatic processing When automatic NFU entry processing is enabled via the -a flag, then the processing will error out as set_cve_nfu is not known. Move the definition for set_cve_nfu upwards. Signed-off-by: Salvatore Bonaccorso car...@debian.org - - - - - 1071d84b by Emilio Pozuelo Monfort at 2023-10-09T07:00:11+00:00 Merge branch check-new-issues-automatic-processing into master check-new-issues: Define set_cve_nfu before using it for automatic processing See merge request security-tracker-team/security-tracker!150 - - - - - 1 changed file: - bin/check-new-issues Changes: = bin/check-new-issues = @@ -260,6 +260,14 @@ def read_embedded_copies(): else: syntax_error(f"Cannot parse {line}") +def set_cve_nfu(name, desc): +cve = cves[name] +# remove todo: check annotation... +cve.annotations = [ann for ann in cve.annotations if not ann_is_todo_check(ann)] +# ... and add a NFU annotation +ann = parsers.StringAnnotation(0, "NOT-FOR-US", desc) +cve.annotations.append(ann) + def syntax_error(s): print("embedded-code-copies: " + s, file=sys.stderr) sys.exit(1) 
@@ -466,14 +474,6 @@ if args.auto: save_datafile(cves.values(), datafile) sys.exit(0) -def set_cve_nfu(name, desc): -cve = cves[name] -# remove todo: check annotation... -cve.annotations = [ann for ann in cve.annotations if not ann_is_todo_check(ann)] -# ... and add a NFU annotation -ann = parsers.StringAnnotation(0, "NOT-FOR-US", desc) -cve.annotations.append(ann) - def print_full_entry(name): print("==") print(f"Name: {name}") View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eda238e52649ab49bf993337da9b2ff0f15c5233...1071d84bc0b1878384b518ecb6936a5a34e69c26
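Review bot: the first hunk places set_cve_nfu between the end of read_embedded_copies() and its helper syntax_error(), which splits two related functions and leaves the fix dependent on definition order in the file. Consider moving the `if args.auto:` block and the rest of the top-level flow into a main() called at the end of the script, so every helper is defined before anything runs. Failing that, put set_cve_nfu after syntax_error() and add a short comment that it must stay above the `if args.auto:` block.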
[Git][security-tracker-team/security-tracker][master] lts: take curl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ca4b9e0d by Emilio Pozuelo Monfort at 2023-10-07T18:43:54+02:00 lts: take curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,9 +50,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl +curl (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) + NOTE: 20231007: upcoming high severity CVE (pochu) -- dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca4b9e0d9e0f4ba6f49b07746586f36c66a77b00
[Git][security-tracker-team/security-tracker][master] lts: take dbus
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 39cc5aad by Emilio Pozuelo Monfort at 2023-10-07T18:42:12+02:00 lts: take dbus - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,7 +54,7 @@ curl NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) -- -dbus +dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39cc5aadfd80c384cd1cba2007220167e6e745bb
[Git][security-tracker-team/security-tracker][master] check-new-issues: read the zip file after downloading it
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b1183bc by Emilio Pozuelo Monfort at 2023-10-05T14:00:52+02:00 check-new-issues: read the zip file after downloading it This was working when the file had already been downloaded, but was broken if the file was not present in some code reorganization. - - - - - 1 changed file: - bin/check-new-issues Changes: = bin/check-new-issues = @@ -352,10 +352,6 @@ ignore_bug_file = "data/packages/ignored-debian-bug-packages" wnppurl = "https://qa.debian.org/data/bts/wnpp_rm; wnppfile = "../wnpp_rm" -# used by read_cve5, used as a global so that we don't have to open the -# file repeatedly, since we only read cve5s one by one on demand -cve5_zip = zipfile.ZipFile(cve5_file) - issue_re = re.compile(r'CVE-20(?:0[3-9]|[1-9][0-9])|TEMP') auto_display_limit = 10 #$auto_display_limit = $opts{a} if defined $opts{a} @@ -374,6 +370,10 @@ if not args.no_download: debug("reading data...") +# used by read_cve5, used as a global so that we don't have to open the +# file repeatedly, since we only read cve5s one by one on demand +cve5_zip = zipfile.ZipFile(cve5_file) + # We have CVE 5.0 JSON information coming from MITRE, we use cve5 for those # We also have CVE information coming from our data/CVE/list, we use cve there cves = parse_cves() View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b1183bc8b2bd875588cfbc21de142cf9c7c6921
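Review bot: with `cve5_zip = zipfile.ZipFile(cve5_file)` now placed after the `if not args.no_download:` block, a run with no_download set and no local copy of the file still ends in an unhandled exception from ZipFile at module level. Catch the missing-file case at this line and exit with a message telling the user to run once with downloading enabled. The moved comment could also say that the open must stay below the download step, which is the ordering this commit restores.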
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3603-1 for libxpm
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e733a48c by Emilio Pozuelo Monfort at 2023-10-05T12:40:05+02:00 Reserve DLA-3603-1 for libxpm - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Oct 2023] DLA-3603-1 libxpm - security update + {CVE-2023-43786 CVE-2023-43787 CVE-2023-43788 CVE-2023-43789} + [buster] - libxpm 1:3.5.12-1+deb10u2 [05 Oct 2023] DLA-3602-1 libx11 - security update {CVE-2023-43785 CVE-2023-43786 CVE-2023-43787} [buster] - libx11 2:1.6.7-1+deb10u4 = data/dla-needed.txt = @@ -93,11 +93,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libxpm (Emilio) - NOTE: 20231004: Added by Front-Desk (Beuc) - NOTE: 20231004: Upcoming DSA (Beuc) - NOTE: 20231004: Some of the fixes are hardening for libx11 CVEs (Beuc) --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e733a48c69399ed4151de4dd77f566105e48324e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3602-1 for libx11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 25638d2f by Emilio Pozuelo Monfort at 2023-10-05T11:57:18+02:00 Reserve DLA-3602-1 for libx11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Oct 2023] DLA-3602-1 libx11 - security update + {CVE-2023-43785 CVE-2023-43786 CVE-2023-43787} + [buster] - libx11 2:1.6.7-1+deb10u4 [05 Oct 2023] DLA-3601-1 thunderbird - security update {CVE-2023-5169 CVE-2023-5171 CVE-2023-5176 CVE-2023-5217} [buster] - thunderbird 1:115.3.1-1~deb10u1 = data/dla-needed.txt = @@ -93,10 +93,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libx11 (Emilio) - NOTE: 20231004: Added by Front-Desk (Beuc) - NOTE: 20231004: Upcoming DSA (Beuc) --- libxpm (Emilio) NOTE: 20231004: Added by Front-Desk (Beuc) NOTE: 20231004: Upcoming DSA (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25638d2fef351e86aa509428498262d0cbe58ca2
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3601-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b7d0cc7 by Emilio Pozuelo Monfort at 2023-10-05T09:34:48+02:00 Reserve DLA-3601-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Oct 2023] DLA-3601-1 thunderbird - security update + {CVE-2023-5169 CVE-2023-5171 CVE-2023-5176 CVE-2023-5217} + [buster] - thunderbird 1:115.3.1-1~deb10u1 [04 Oct 2023] DLA-3600-1 postgresql-11 - security update {CVE-2023-39417} [buster] - postgresql-11 11.21-0+deb10u2 = data/dla-needed.txt = @@ -215,7 +215,3 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230926: Added by pochu - NOTE: 20230926: updating to 115.3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b7d0cc7483b66eb40b16801c6a7cdc833d48fd5
[Git][security-tracker-team/security-tracker][master] lts: take libx11 and libxpm
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 02727e2f by Emilio Pozuelo Monfort at 2023-10-04T15:27:24+02:00 lts: take libx11 and libxpm - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -93,11 +93,11 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libx11 +libx11 (Emilio) NOTE: 20231004: Added by Front-Desk (Beuc) NOTE: 20231004: Upcoming DSA (Beuc) -- -libxpm +libxpm (Emilio) NOTE: 20231004: Added by Front-Desk (Beuc) NOTE: 20231004: Upcoming DSA (Beuc) NOTE: 20231004: Some of the fixes are hardening for libx11 CVEs (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02727e2fc4d8306ef5bf6b2c039942dae366ac2b
[Git][security-tracker-team/security-tracker][master] lts: drop zabbix, no remaining issues
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 4aa3fb5f by Emilio Pozuelo Monfort at 2023-10-04T09:11:44+02:00 lts: drop zabbix, no remaining issues - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -210,6 +210,3 @@ thunderbird (Emilio) NOTE: 20230926: Added by pochu NOTE: 20230926: updating to 115.3 -- -zabbix - NOTE: 20230924: Added by Front-Desk (apo) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4aa3fb5f4f3601a341ad96e0ee9c81a4b543bf1b
[Git][security-tracker-team/security-tracker][master] lts: mark CVE-2021-28025/qt4-x11 as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c002401 by Emilio Pozuelo Monfort at 2023-10-03T09:03:11+02:00 lts: mark CVE-2021-28025/qt4-x11 as no-dsa on buster It's likely fixed, but there's no point in having it listed in dla-needed indefinitely. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -179627,6 +179627,7 @@ CVE-2021-28025 (Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg ve [bullseye] - qtsvg-opensource-src (Minor issue) [buster] - qtsvg-opensource-src (Minor issue) - qt4-x11 + [buster] - qt4-x11 (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-91507 NOTE: https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=7bbf88403fd2d1fe79fab7c8e469f8aeafeb7372 (v5.15.4-lts-lgpl) NOTE: Potentially to be considered a duplicte of CVE-2021-3481, ongoing clarification = data/dla-needed.txt = @@ -154,10 +154,6 @@ qemu (Sean Whitton) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Consider fixing postponed issues as well. (apo) -- -qt4-x11 - NOTE: 20230822: Re-added for one remaining open CVE (roberto) - NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c0024016213ebcb9f4f72ef8118322e005e5b71
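Review bot: the added `[buster] - qt4-x11 (Minor issue)` line in the CVE-2021-28025 hunk does not capture the reasoning given in the commit message, that the issue is likely already fixed. Add a NOTE under the entry saying so, because the dla-needed.txt entry removed in the second hunk was the only place that tracked the open question for qt4-x11 specifically; the existing NOTE about a possible duplicate of CVE-2021-3481 does not name the package.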
[Git][security-tracker-team/security-tracker][master] Revert "Document file move for prometheus-alertmanager for CVE-2023-40577"
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a5c81d86 by Emilio Pozuelo Monfort at 2023-10-02T23:37:53+02:00 Revert Document file move for prometheus-alertmanager for CVE-2023-40577 This belonged in data/dla-needed.txt, not here. This reverts commit 0d5f7c539cab1a93524828c15d3fc2dca76bce5f. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5213,7 +5213,6 @@ CVE-2023-40577 (Alertmanager handles alerts sent by client applications such as - prometheus-alertmanager 0.26.0+ds-1 (bug #1050558) NOTE: https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j NOTE: https://github.com/prometheus/alertmanager/commit/8b9f2fd20c25e0d1e76aa0b407f7e354996d8e72 (v0.25.1) - NOTE: vulnerability before 625604df90b0f2e080f7d32fea4aa891675276d6 in 56 ui/app/src/Views/AlertList/AlertView.elm CVE-2023-40576 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x3x5-r7jm-5pq2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5c81d860667a98e21fa5ead0d71775c48f2eb1a
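Review bot: the commit message says the removed NOTE belonged in data/dla-needed.txt, but only data/CVE/list is changed, so the pointer to ui/app/src/Views/AlertList/AlertView.elm before 625604df90b0f2e080f7d32fea4aa891675276d6 is dropped rather than moved. Add it to the prometheus-alertmanager entry in data/dla-needed.txt in the same commit, or name the follow-up commit in the message, so the file-move information needed for a backport is not lost.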
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3598-1 for libvpx
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 569711cf by Emilio Pozuelo Monfort at 2023-10-01T22:10:18+02:00 Reserve DLA-3598-1 for libvpx - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -7047,7 +7047,7 @@ CVE-2023-39417 (IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found - postgresql-13 [bullseye] - postgresql-13 (Minor issue, fix along with next round of updates) - postgresql-11 - [buster] - postgresql-11 (Minor issue) + [buster] - postgresql-11 (Minor issue) NOTE: https://www.postgresql.org/support/security/CVE-2023-39417/ NOTE: https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/ NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de494ec14f6bd7f2676623a5934723a6c8ba51c2 (REL_15_4) = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2023] DLA-3598-1 libvpx - security update + {CVE-2023-5217 CVE-2023-44488} + [buster] - libvpx 1.7.0-3+deb10u2 [01 Oct 2023] DLA-3597-1 open-vm-tools - security update {CVE-2023-20900} [buster] - open-vm-tools 2:10.3.10-1+deb10u5 = data/dla-needed.txt = 
@@ -92,9 +92,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libvpx (Emilio) - NOTE: 20231001: Added by pochu --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/569711cf59c05c781d8d822786e8d68232c299ba
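Review bot: the data/CVE/list hunk changes the [buster] postgresql-11 line under CVE-2023-39417, which is unrelated to reserving DLA-3598-1 for libvpx, the only thing the commit subject mentions. Split it into its own commit with a message that says what changed for postgresql-11; as shown here the removed and added lines read the same, so the intent cannot be recovered from the diff alone.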
[Git][security-tracker-team/security-tracker][master] lts: add libvpx
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dc610a7 by Emilio Pozuelo Monfort at 2023-10-01T00:59:44+02:00 lts: add libvpx - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,6 +92,9 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libvpx (Emilio) + NOTE: 20231001: Added by pochu +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dc610a7e2dd09f8fb3350e1628455f780389f78
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3591-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cbb77d03 by Emilio Pozuelo Monfort at 2023-09-30T12:15:44+02:00 Reserve DLA-3591-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2023] DLA-3591-1 firefox-esr - security update + {CVE-2023-5217} + [buster] - firefox-esr 115.3.1esr-1~deb10u1 [29 Sep 2023] DLA-3590-1 python-reportlab - security update {CVE-2019-19450 CVE-2020-28463} [buster] - python-reportlab 3.5.13-1+deb10u2 = data/dla-needed.txt = @@ -66,9 +66,6 @@ dogecoin exim4 NOTE: 20230928: Added by Front-Desk (ola) -- -firefox-esr (Emilio) - NOTE: 20230929: Added by pochu --- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb77d03520a9eb9187fe26548f6eb01be3c16dc
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 17194f99 by Emilio Pozuelo Monfort at 2023-09-29T20:04:37+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,6 +66,9 @@ dogecoin exim4 NOTE: 20230928: Added by Front-Desk (ola) -- +firefox-esr (Emilio) + NOTE: 20230929: Added by pochu +-- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17194f992760fefc3c8e30ff29c85c65afe6edc2
[Git][security-tracker-team/security-tracker][master] Further triage CVE-2020-18831/exiv2
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3591a7af by Emilio Pozuelo Monfort at 2023-09-29T18:43:39+02:00 Further triage CVE-2020-18831/exiv2 Mark the introductory commit, verified by source inspection and by testing it to trigger the invalid read. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -232124,10 +232124,11 @@ CVE-2020-18832 RESERVED CVE-2020-18831 (Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cp ...) - exiv2 0.27.2-6 - [buster] - exiv2 (exiv2 -pR flags introduced later and poc fail with "Exiv2 exception in print action for file poc.png". Introduced later by chunked read.) + [buster] - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/828 NOTE: https://github.com/Exiv2/exiv2/pull/862 - NOTE: https://github.com/Exiv2/exiv2/commit/6068df4c01ce915befb763bd0fd718d16a5df130 (v0.27.2-RC1) + NOTE: Introduced by: https://github.com/Exiv2/exiv2/commit/4617dc37284bb14c15fb884a7252de7c2b8b8854 + NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/6068df4c01ce915befb763bd0fd718d16a5df130 (v0.27.2-RC1) CVE-2020-18830 RESERVED CVE-2020-18829 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3591a7afcc995b33143f7ea9de0581c789b53498
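Review bot: in the CVE-2020-18831 hunk the new "Introduced by:" NOTE has no release tag, while the "Fixed by:" NOTE carries (v0.27.2-RC1). Adding the first upstream version that contains 4617dc37284bb14c15fb884a7252de7c2b8b8854 would let a reader compare it with the buster version without opening the commit. The verification described in the commit message (source inspection plus triggering the invalid read) is also worth a NOTE, because the replaced [buster] reason text that described the PoC behaviour is removed here.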
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3587-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e446e29d by Emilio Pozuelo Monfort at 2023-09-29T14:31:53+02:00 Reserve DLA-3587-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Sep 2023] DLA-3587-1 firefox-esr - security update + {CVE-2023-5169 CVE-2023-5171 CVE-2023-5176} + [buster] - firefox-esr 115.3.0esr-1~deb10u1 [28 Sep 2023] DLA-3586-1 ncurses - security update {CVE-2020-19189} [buster] - ncurses 6.1+20181013-2+deb10u4 = data/dla-needed.txt = @@ -69,10 +69,6 @@ exiv2 exim4 NOTE: 20230928: Added by Front-Desk (ola) -- -firefox-esr (Emilio) - NOTE: 20230926: Added by pochu - NOTE: 20230926: updating to ESR 115.3 --- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e446e29d2238f8a69d7558136be5874ece01af0b
[Git][security-tracker-team/security-tracker][master] Improve triaging for CVE-2020-21686
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f960db9c by Emilio Pozuelo Monfort at 2023-09-27T09:39:12+02:00 Improve triaging for CVE-2020-21686 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225262,9 +225262,9 @@ CVE-2020-21687 (Buffer Overflow vulnerability in scan function in stdscan.c in n NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392645 NOTE: Crash in CLI tool, no security impact CVE-2020-21686 (A stack-use-after-scope issue discovered in expand_mmac_params functio ...) - - nasm 2.15.04-1 (unimportant) + - nasm 2.15.04-1 + [buster] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392643 - NOTE: Crash in CLI tool, no security impact CVE-2020-21685 (Buffer Overflow vulnerability in hash_findi function in hashtbl.c in n ...) - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392644 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f960db9c8af4b663e7d437507784f4ba9206df81
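Review bot: CVE-2020-21686 goes from (unimportant) to a [buster] (Minor issue) entry and loses its "Crash in CLI tool, no security impact" NOTE, while CVE-2020-21687 and CVE-2020-21685 in the same hunk keep the unimportant classification, and neither the hunk nor the commit message ("Improve triaging") says why this one differs. Add a NOTE under CVE-2020-21686 giving the reason for treating the stack-use-after-scope issue differently from its neighbours, so the next person triaging nasm does not flip it back.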
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 25e94294 by Emilio Pozuelo Monfort at 2023-09-26T12:08:56+02:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,6 +66,10 @@ dogecoin exiv2 NOTE: 20230906: Added by Front-Desk (lamby) -- +firefox-esr (Emilio) + NOTE: 20230926: Added by pochu + NOTE: 20230926: updating to ESR 115.3 +-- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- @@ -228,6 +232,10 @@ suricata (tobi) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +thunderbird (Emilio) + NOTE: 20230926: Added by pochu + NOTE: 20230926: updating to 115.3 +-- trafficserver (Adrian Bunk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: have pinged Leo in Ubuntu to clarify the status on the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25e942942f299f9247a3d0e3f5d7dec8fbefd515
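Review bot: the NOTE lines added for firefox-esr and thunderbird put the author inside the sentence ("Added by pochu") and leave "updating to ESR 115.3" and "updating to 115.3" unsigned, whereas the surrounding entries end each NOTE with the author in parentheses, for example "Added by Front-Desk (lamby)" and "Still reviewing+testing CVEs. (bunk)". Ending the new notes with (pochu) would keep the file consistent for anyone scanning it by author.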
[Git][security-tracker-team/security-tracker][master] nasm issues unimportant
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 992d54cd by Emilio Pozuelo Monfort at 2023-09-26T11:49:49+02:00 nasm issues unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225123,8 +225123,9 @@ CVE-2020-21687 (Buffer Overflow vulnerability in scan function in stdscan.c in n NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392645 NOTE: Crash in CLI tool, no security impact CVE-2020-21686 (A stack-use-after-scope issue discovered in expand_mmac_params functio ...) - - nasm 2.15.04-1 + - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392643 + NOTE: Crash in CLI tool, no security impact CVE-2020-21685 (Buffer Overflow vulnerability in hash_findi function in hashtbl.c in n ...) - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392644 
@@ -231362,9 +231363,10 @@ CVE-2020-18781 (Heap buffer overflow vulnerability in FilePOSIX::read in File.cp - audiofile NOTE: https://github.com/mpruett/audiofile/issues/56 CVE-2020-18780 (A Use After Free vulnerability in function new_Token in asm/preproc.c ...) - - nasm 2.15.04-1 + - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392634 NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392711 + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/netwide-assembler/nasm/commit/7c88289e222dc5ef9f53f9e86ecaab1924744b88 (nasm-2.15.04rc6) CVE-2020-18779 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/992d54cdaf224e5c00d7ac0564162bcba6d6aa17
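Review bot: in the CVE-2020-18780 hunk the new "Crash in CLI tool, no security impact" NOTE is inserted between the two bugzilla links and the upstream commit link, which splits the reference block. Move it after the github.com/netwide-assembler commit NOTE so the rationale follows the references, as it does for CVE-2020-21687 and CVE-2020-21686 in the first hunk.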
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3571-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bf80032 by Emilio Pozuelo Monfort at 2023-09-19T09:44:51+02:00 Reserve DLA-3571-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Sep 2023] DLA-3571-1 openjdk-11 - security update + {CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22045 CVE-2023-22049} + [buster] - openjdk-11 11.0.20+8-1~deb10u1 [18 Sep 2023] DLA-3570-1 libwebp - security update {CVE-2023-4863} [buster] - libwebp 0.6.1-2+deb10u3 = data/dla-needed.txt = @@ -155,14 +155,6 @@ open-vm-tools (Sean Whitton) opendkim NOTE: 20230821: Added by Front-Desk (ta) -- -openjdk-11 (Emilio) - NOTE: 20230419: Added by Front-Desk (ola) - NOTE: 20230522: waiting for sid update (pochu) - NOTE: 20230612: sid updated, preparing backport (pochu) - NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu) - NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking - NOTE: 20230802: whether to change jtreg version (pochu) --- poppler NOTE: 20230908: Added by Front-Desk (lamby) NOTE: 20230908: Added due to CVE-2020-23804. However, please check CVE-2020-18839 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bf8003287c67db532ff4b25805ebd7ea0d1f169
[Git][security-tracker-team/security-tracker][master] lts: reclaim openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 44d34756 by Emilio Pozuelo Monfort at 2023-09-19T09:43:46+02:00 lts: reclaim openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -155,7 +155,7 @@ open-vm-tools (Sean Whitton) opendkim NOTE: 20230821: Added by Front-Desk (ta) -- -openjdk-11 +openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44d3475662d73abccad563300da61ae1d87ea39b
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3570-1 for libwebp
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 26d1e74f by Emilio Pozuelo Monfort at 2023-09-18T14:05:27+02:00 Reserve DLA-3570-1 for libwebp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Sep 2023] DLA-3570-1 libwebp - security update + {CVE-2023-4863} + [buster] - libwebp 0.6.1-2+deb10u3 [17 Sep 2023] DLA-3569-1 thunderbird - security update {CVE-2023-4863} [buster] - thunderbird 1:102.15.1-1~deb10u1 = data/dla-needed.txt = @@ -109,9 +109,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libwebp (Emilio) - NOTE: 20230918: Added by Front-Desk (pochu) --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26d1e74fd09a3589d9008f85384b1910cad05a2a
[Git][security-tracker-team/security-tracker][master] lts: take libwebp
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a1eeb221 by Emilio Pozuelo Monfort at 2023-09-18T10:03:36+02:00 lts: take libwebp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -109,6 +109,9 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libwebp (Emilio) + NOTE: 20230918: Added by Front-Desk (pochu) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1eeb22107e3042cd6d5369c420b4d91426f7453
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3569-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 043bf358 by Emilio Pozuelo Monfort at 2023-09-17T11:41:51+02:00 Reserve DLA-3569-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Sep 2023] DLA-3569-1 thunderbird - security update + {CVE-2023-4863} + [buster] - thunderbird 1:102.15.1-1~deb10u1 [16 Sep 2023] DLA-3568-1 firefox-esr - security update {CVE-2023-4863} [buster] - firefox-esr 102.15.1esr-1~deb10u1 = data/dla-needed.txt = @@ -220,9 +220,6 @@ suricata NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230915: Added by Front-Desk (pochu) --- tiff (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/043bf35861920ff907500669900281997f5e75c1
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3568-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9183dab6 by Emilio Pozuelo Monfort at 2023-09-16T11:03:32+02:00 Reserve DLA-3568-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Sep 2023] DLA-3568-1 firefox-esr - security update + {CVE-2023-4863} + [buster] - firefox-esr 102.15.1esr-1~deb10u1 [15 Sep 2023] DLA-3567-1 c-ares - security update {CVE-2020-22217} [buster] - c-ares 1.14.0-1+deb10u4 = data/dla-needed.txt = @@ -62,9 +62,6 @@ exiv2 file (Thorsten Alteholz) NOTE: 20230901: Added by Front-Desk (gladk) -- -firefox-esr (Emilio) - NOTE: 20230915: Added by Front-Desk (pochu) --- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9183dab68b2603067b14804e49cc754f78e25c93
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage webkit2gtk CVEs as EOL on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 81a98c4b by Emilio Pozuelo Monfort at 2023-09-15T11:38:22+02:00 Triage webkit2gtk CVEs as EOL on buster - - - - - 07708193 by Emilio Pozuelo Monfort at 2023-09-15T11:39:06+02:00 Mark CVE-2023-41000/gpac as EOL on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -625,6 +625,7 @@ CVE-2023-41103 (Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attac CVE-2023-41000 (GPAC through 2.2.1 has a use-after-free vulnerability in the function ...) - gpac (bug #1051955) [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2550 NOTE: Fixed by: https://github.com/gpac/gpac/commit/0018b5e4e07a1465287e7dff69b387929f5a75fa CVE-2023-40946 (Schoolmate 1.3 is vulnerable to SQL Injection in the variable $usernam ...) @@ -903,6 +904,7 @@ CVE-2023-41053 (Redis is an in-memory database that persists on disk. Redis does CVE-2023-40397 (The issue was addressed with improved checks. This issue is fixed in m ...) {DSA-5468-1} - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0008.html @@ -1129,6 +1131,7 @@ CVE-2023-32379 (A buffer overflow issue was addressed with improved memory handl CVE-2023-32370 (A logic issue was addressed with improved validation. This issue is fi ...) {DSA-5396-1} - webkit2gtk 2.40.1-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.2-2 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0008.html 
@@ -26017,6 +26020,7 @@ CVE-2023-28199 (An out-of-bounds read issue existed that led to the disclosure o CVE-2023-28198 (A use-after-free issue was addressed with improved memory management. ...) {DSA-5396-1} - webkit2gtk 2.40.1-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.2-2 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0008.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e2136716a9d0336a9b5c8a65c62c180c5b9c3c03...07708193c722a0aa4c24b5aebb0167ca7f497e9f
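Review bot: the two commits in this push use different reason strings for the same state, "(EOL in buster LTS)" on the gpac line under CVE-2023-41000 and "(webkit2gtk EOL in buster)" on the three webkit2gtk lines. Pick one wording for both packages so that a search of data/CVE/list for buster end-of-life entries matches all of them with a single pattern.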