[Git][security-tracker-team/security-tracker][master] reserve DLA-3575-1 for python2.7

2023-09-20 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52f72bfe by Helmut Grohne at 2023-09-20T21:06:37+02:00
reserve DLA-3575-1 for python2.7

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -3928,8 +3928,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was 
discovered in Python thro
 CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable 
to a po ...)
- python3.9 3.9.1~rc1-1
- python3.7 
-   - python2.7 
-   [bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
+   - python2.7  (In 2.7, the plistlib parser only supports 
XML and not the affected binary format)
NOTE: https://bugs.python.org/issue42103
NOTE: https://github.com/python/cpython/issues/86269
NOTE: 
https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f
 (v3.10.0a2)
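Review bot: the single new python2.7 line makes the not-affected rationale ('the plistlib parser only supports XML and not the affected binary format') apply to every suite, replacing both the old unfixed line and the bullseye-specific 'Unsupported in Bullseye' annotation; that is consistent with CVE-2022-48564 being absent from the DLA-3575-1 CVE list in data/DLA/list. Two things to check: the status keyword itself is not visible in the rendered line (only a double space before the parenthesis), so confirm it is the not-affected tag and not an empty version field; and all three NOTEs still refer to the 3.x fix, so a NOTE pointing at the 2.7 plistlib code that lacks binary-plist support would let a later reader verify the claim without redoing the triage.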
@@ -38302,7 +38301,6 @@ CVE-2023-24329 (An issue in the urllib.parse component 
of Python before 3.11.4 a
[buster] - python3.7  (Cf. related CVE-2022-0391)
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
-   [buster] - python2.7  (Cf. related CVE-2022-0391)
NOTE: https://pointernull.com/security/python-url-parse-problem.html
NOTE: https://github.com/python/cpython/pull/99421
NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 
branch)
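Review bot: removing '[buster] - python2.7 (Cf. related CVE-2022-0391)' is correct once DLA-3575-1 supplies the buster fixed version, but the dla-needed.txt notes deleted in this same commit said CVE-2023-24329 'was partially fixed in some suites' and needed a 'supplementary patch' that only Utkarsh could point to, and none of the NOTE lines here identify that patch. Add a NOTE with the commit or PR used for the second part of the fix next to 'pull/99421' and 'pull/99446 (backport for 3.11 branch)', so the still-open unstable entry and the bullseye package marked unsupported do not require rediscovering it.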
@@ -118560,7 +118558,6 @@ CVE-2022-0391 (A flaw was found in Python, 
specifically within the urllib.parse
- python3.4 
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
-   [buster] - python2.7  (Minor issue, different approach to 
sanitization; regressions reports)
NOTE: https://bugs.python.org/issue43882
NOTE: Regressions reported for django, boto-core and cloud-init
NOTE: Fixed by: 
https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4
 (v3.10.0b1)
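Review bot: the removed buster line carried the warning 'different approach to sanitization; regressions reports', and the NOTE two lines below still says 'Regressions reported for django, boto-core and cloud-init'; with the fix now shipped to buster in DLA-3575-1, that surviving NOTE reads as an unresolved regression risk for the update. Add a NOTE saying how the 2.7 backport in 2.7.16-2+deb10u3 deals with those regressions (the same upstream commit 76cd81d6 or an adapted sanitization), or that the affected packages were exercised against it.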
@@ -189199,7 +189196,6 @@ CVE-2021-23336 (The package python/cpython from 0 and 
before 3.6.13, from 3.7.0
[experimental] - python2.7 2.7.18-13.1~exp1
- python2.7 2.7.18-13.1
[bullseye] - python2.7  (Python 2.7 in Bullseye not covered by 
security support)
-   [buster] - python2.7  (Will break existing applications, don't 
backport to released suites)
- pypy3 7.3.3+dfsg-3
[buster] - pypy3  (Minor issue)
NOTE: https://github.com/python/cpython/pull/24297
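Review bot: the buster line removed here was an explicit decision, 'Will break existing applications, don't backport to released suites', and DLA-3575-1 reverses it without recording why the assessment no longer holds; meanwhile the bullseye line above still says 2.7 is 'not covered by security support' and the pypy3 buster line keeps its 'Minor issue' tag. Add a NOTE stating what was applied for buster (for example whether upstream PR 24297 went in unchanged or with a compatibility default) so the contradiction between the removed rationale and the advisory is documented rather than silent.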


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[20 Sep 2023] DLA-3575-1 python2.7 - security update
+   {CVE-2021-23336 CVE-2022-0391 CVE-2022-48560 CVE-2022-48565 
CVE-2022-48566 CVE-2023-24329 CVE-2023-40217}
+   [buster] - python2.7 2.7.16-2+deb10u3
 [20 Sep 2023] DLA-3574-1 mutt - security update
{CVE-2023-4874 CVE-2023-4875}
[buster] - mutt 1.10.1-2.1+deb10u7
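Review bot: seven CVEs are listed but this commit only touches the data/CVE/list entries for CVE-2021-23336, CVE-2022-0391, CVE-2022-48564 and CVE-2023-24329; CVE-2022-48560, CVE-2022-48565, CVE-2022-48566 and CVE-2023-40217 therefore get their buster status solely from this entry. That is fine if none of them carried a '[buster] - python2.7' annotation, but worth checking, since a leftover buster no-dsa or postponed line would contradict the advisory. CVE-2022-48564 is correctly absent here, matching the not-affected rationale given for it above.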


=
data/dla-needed.txt
=
@@ -166,13 +166,6 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-python2.7 (Helmut Grohne)
-  NOTE: 20230826: Added by Front-Desk (utkarsh)
-  NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's 
not-affected but it needs
-  NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was 
partially fixed in some suites
-  NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now 
available and can be fixed now. (utkarsh)
-  NOTE: 20230826: contact Utkarsh in case you're unable to find the 
supplementary patch. (utkarsh)
---
 qt4-x11
   NOTE: 20230822: Re-added for one remaining open CVE (roberto)
   NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, 
fix or remove entry from this file (roberto)
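Review bot: deleting this block loses the only record of the 20230826 triage state and, more importantly, the pointer to a supplementary patch for CVE-2023-24329 ('contact Utkarsh in case you're unable to find the supplementary patch'); the not-affected hunch is now settled by the CVE-2022-48564 entry, but the patch reference is not captured anywhere in data/CVE/list. Carry it over as a NOTE under CVE-2023-24329 before dropping the entry. The hunk removes the trailing '--' separator along with the block and keeps the one after python-os-brick, so the list structure stays well-formed.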



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] LTS: claim python2.7

2023-09-08 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b424d5da by Helmut Grohne at 2023-09-08T14:17:54+02:00
LTS: claim python2.7

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -174,7 +174,7 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-python2.7
+python2.7 (Helmut Grohne)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's 
not-affected but it needs
   NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was 
partially fixed in some suites



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b424d5dac2f7c796c52e63639247554489907539



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3393-1 for protobuf

2023-04-18 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad65f979 by Helmut Grohne at 2023-04-18T09:03:41+02:00
Reserve DLA-3393-1 for protobuf

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -170504,7 +170504,6 @@ CVE-2021-22570 (Nullptr dereference when a null char 
is present in a proto symbo
[experimental] - protobuf 3.17.1-1
- protobuf 3.21.9-3
[bullseye] - protobuf  (Minor issue)
-   [buster] - protobuf  (Minor issue)
[stretch] - protobuf  (Minor issue; clean crash / Dos; patch 
needs to be isolated)
NOTE: Fixed upstream in v3.15.0: 
https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
NOTE: Fixed in merge commit 
https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2
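Review bot: the buster line going away said only 'Minor issue', whereas the stretch line that stays still says 'patch needs to be isolated', and the NOTE links the merge commit a00125024e... rather than the individual change within it; the isolation done for 3.6.1.3-2+deb10u1 is therefore not recorded. Add a NOTE naming the specific commit or extracted patch used, which also settles the open stretch remark. The merge-commit URL also lacks the '/commit/' path segment (it reads protocolbuffers/protobuf/a00125024e...); GitHub may redirect a bare SHA, but the canonical form is safer.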
@@ -170513,7 +170512,6 @@ CVE-2021-22569 (An issue in protobuf-java allowed the 
interleaving of com.google
[experimental] - protobuf 3.19.3-1
- protobuf 3.21.9-3
[bullseye] - protobuf  (Minor issue)
-   [buster] - protobuf  (Minor issue)
[stretch] - protobuf  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4
NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001
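Review bot: this CVE is in protobuf-java ('allowed the interleaving of com.google...'), so the fix belongs in the Java sources of the protobuf source package, not in libprotobuf; DLA-3393-1 below is a single protobuf upload, which only addresses this issue if the Java binding is built and shipped from that source package in buster. Confirm the deb10u1 changelog records the Java change and that the Java binary package is among those rebuilt, otherwise the CVE should not be listed as fixed by the advisory.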


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[18 Apr 2023] DLA-3393-1 protobuf - security update
+   {CVE-2021-22569 CVE-2021-22570 CVE-2022-1941}
+   [buster] - protobuf 3.6.1.3-2+deb10u1
 [17 Apr 2023] DLA-3392-1 ruby-rack - security update
{CVE-2023-27530 CVE-2023-27539}
[buster] - ruby-rack 2.0.6-3+deb10u3
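Review bot: CVE-2022-1941 is claimed here but its data/CVE/list entry is not touched in this commit, which implies it carried no buster line; double check that no '[buster] - protobuf' annotation remains for it. The three protobuf-java CPU DoS issues marked ignored for buster on 2023-04-16 (CVE-2022-3171, CVE-2022-3509, CVE-2022-3510) are correctly not claimed, and the entry follows the same format as DLA-3392-1 directly below it.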


=
data/dla-needed.txt
=
@@ -222,11 +222,6 @@ pluxml
   NOTE: 20220913: Special attention: orphaned package.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git
 --
-protobuf (Helmut Grohne)
-  NOTE: 20221031: Programming language: Several.
-  NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated 
code and must therefore get special attention from the application developer 
using protobuf.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git
---
 puppet-module-puppetlabs-mysql
   NOTE: 20221107: Programming language: Puppet, Ruby.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git
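Review bot: the removed 20221031 note warned that 'one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf', and nothing in the DLA entry or the CVE NOTEs carries that forward. If that CVE is one of the three fixed by DLA-3393-1, the advisory text should say that binaries embedding protoc-generated code need regenerating and rebuilding, not just a library upgrade; if it is one of the ignored ones, put the hint in that CVE's NOTE so it is not lost with this deletion.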



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3



[Git][security-tracker-team/security-tracker][master] ignore protobuf CVEs in buster that are ignored in bullseye

2023-04-16 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32f18fa8 by Helmut Grohne at 2023-04-16T20:21:28+02:00
ignore protobuf CVEs in buster that are ignored in bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -44697,12 +44697,14 @@ CVE-2022-3510 (A parsing issue similar to 
CVE-2022-3171, but with Message-Type E
[experimental] - protobuf 3.21.7-1
- protobuf 3.21.9-3
[bullseye] - protobuf  (Too intrusive to backport, requires 
significant refactoring via CVE-2022-3171)
+   [buster] - protobuf  (Too intrusive to backport, requires 
significant refactoring via CVE-2022-3171)
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
NOTE: CPU DoS in protobuf-java, requires significant refactoring via 
CVE-2022-3171
 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat 
in proto ...)
[experimental] - protobuf 3.21.7-1
- protobuf 3.21.9-3
[bullseye] - protobuf  (Too intrusive to backport, requires 
significant refactoring via CVE-2022-3171)
+   [buster] - protobuf  (Too intrusive to backport, requires 
significant refactoring via CVE-2022-3171)
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9
 (v21.7, v3.21.7)
NOTE: CPU DoS in protobuf-java, requires significant refactoring via 
CVE-2022-3171
 CVE-2022-3508
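Review bot: the new '[buster] - protobuf' lines copy the bullseye rationale verbatim, which is fine, but note the context line '- protobuf 3.21.9-3' no longer carries the '(unimportant)' tag that dfeb6abc added four days earlier; the severity has been reverted since, and explicit per-suite lines are the right way to record the decision now. The status keyword itself is not visible in the rendered lines (only a double space before the parenthesis), so the subject 'ignored' is the only evidence of which one was used; confirm it is ignored rather than postponed, since 'too intrusive to backport' is a final decision, not a deferred one.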
@@ -51634,7 +51636,8 @@ CVE-2022-3172
 CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite 
versio ...)
[experimental] - protobuf 3.21.7-1
- protobuf 3.21.9-3
-   [bullseye] - protobuf  (Too intrusive to backport, requires 
significant refactoring via CVE-2022-3171)
+   [bullseye] - protobuf  (Too intrusive to backport, requires 
significant refactoring)
+   [buster] - protobuf  (Too intrusive to backport, requires 
significant refactoring)
NOTE: 
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
NOTE: https://github.com/protocolbuffers/protobuf/pull/10664
NOTE: https://github.com/protocolbuffers/protobuf/pull/10665
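Review bot: good correction on the bullseye line: 'requires significant refactoring via CVE-2022-3171' was circular on the CVE-2022-3171 entry itself, and the buster line mirrors the fixed wording. The NOTEs that follow list pull/10664 and pull/10665 as separate URLs, whereas the NOTE added in b9b23c9c packed '10664 10665 10666 10667 10668' onto one line; if PRs 10666 to 10668 are still part of the fix they should get NOTE lines of their own so that the reference is not lost.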



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32f18fa8d455362c1218404bcae2b6fa518a9b37



[Git][security-tracker-team/security-tracker][master] fixup protobuf-java triage: tag all fixed versions unimportant

2023-04-12 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dfeb6abc by Helmut Grohne at 2023-04-12T09:09:42+02:00
fixup protobuf-java triage: tag all fixed versions unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43656,12 +43656,12 @@ CVE-2022-3512 (Using warp-cli command 
"add-trusted-ssid", a user was able to dis
 CVE-2022-3511 (The Awesome Support WordPress plugin before 6.1.2 does not 
ensure that ...)
NOT-FOR-US: WordPress plugin
 CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type 
Extens ...)
-   [experimental] - protobuf 3.21.7-1
+   [experimental] - protobuf 3.21.7-1 (unimportant)
- protobuf 3.21.9-3 (unimportant)
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
NOTE: CPU DoS in protobuf-java, requires significant refactoring via 
CVE-2022-3171
 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat 
in proto ...)
-   [experimental] - protobuf 3.21.7-1
+   [experimental] - protobuf 3.21.7-1 (unimportant)
- protobuf 3.21.9-3 (unimportant)
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9
 (v21.7, v3.21.7)
NOTE: CPU DoS in protobuf-java, requires significant refactoring via 
CVE-2022-3171
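Review bot: tagging the [experimental] lines '(unimportant)' as well as the unstable lines makes the severity consistent across both fixed-version entries, which is what the commit subject asks for and what b9b23c9c left half done. No logic issue, but be aware that a global unimportant severity hides these issues from the per-suite views entirely, so the '[bullseye] - protobuf (Minor issue)' lines that b9b23c9c removed cannot be recovered later without re-adding them by hand.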
@@ -50583,7 +50583,7 @@ CVE-2022-3172
NOTE: Server components no longer built since 1.20.5+really1.20.2-1, 
marking that as fixed version
NOTE: The source package itself it still vulnerable, but custom 
rebuilds are not really a usecase here
 CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite 
versio ...)
-   [experimental] - protobuf 3.21.7-1
+   [experimental] - protobuf 3.21.7-1 (unimportant)
- protobuf 3.21.9-3 (unimportant)
NOTE: 
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
NOTE: https://github.com/protocolbuffers/protobuf/pull/10664 10665 
10666 10667 10668



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfeb6abc4fb18a270d8f32e5ff3c4cf737abdcaf



[Git][security-tracker-team/security-tracker][master] classify protobuf-java CPU DoS CVEs as unimportant

2023-04-12 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b9b23c9c by Helmut Grohne at 2023-04-12T08:30:15+02:00
classify protobuf-java CPU DoS CVEs as unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43657,14 +43657,14 @@ CVE-2022-3511 (The Awesome Support WordPress plugin 
before 6.1.2 does not ensure
NOT-FOR-US: WordPress plugin
 CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type 
Extens ...)
[experimental] - protobuf 3.21.7-1
-   - protobuf 3.21.9-3
-   [bullseye] - protobuf  (Minor issue)
+   - protobuf 3.21.9-3 (unimportant)
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
+   NOTE: CPU DoS in protobuf-java, requires significant refactoring via 
CVE-2022-3171
 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat 
in proto ...)
[experimental] - protobuf 3.21.7-1
-   - protobuf 3.21.9-3
-   [bullseye] - protobuf  (Minor issue)
+   - protobuf 3.21.9-3 (unimportant)
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9
 (v21.7, v3.21.7)
+   NOTE: CPU DoS in protobuf-java, requires significant refactoring via 
CVE-2022-3171
 CVE-2022-3508
RESERVED
 CVE-2022-3507
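Review bot: replacing the per-suite '[bullseye] - protobuf (Minor issue)' lines with a global '(unimportant)' severity changes the meaning of these entries: 'Minor issue' with a per-suite no-dsa says the fix is not worth a stable update, while unimportant says the issue is not security-relevant for Debian at all. The justification in the new NOTE, 'CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171', is about backport cost, not impact; a CPU DoS triggered by untrusted input is still a DoS. If the real reason is that the affected protobuf-java parsing paths are not exposed in how Debian ships the package, say so in the NOTE; otherwise keep normal severity and record the backport decision per suite (ignored or no-dsa).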
@@ -50584,9 +50584,10 @@ CVE-2022-3172
NOTE: The source package itself it still vulnerable, but custom 
rebuilds are not really a usecase here
 CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite 
versio ...)
[experimental] - protobuf 3.21.7-1
-   - protobuf 3.21.9-3
-   [bullseye] - protobuf  (Minor issue)
+   - protobuf 3.21.9-3 (unimportant)
NOTE: 
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
+   NOTE: https://github.com/protocolbuffers/protobuf/pull/10664 10665 
10666 10667 10668
+   NOTE: CPU DoS in protobuf-java, fixed by significant refactoring
 CVE-2022-3170 (An out-of-bounds access issue was found in the Linux kernel 
sound subs ...)
- linux  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2125879
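Review bot: the same severity concern as for CVE-2022-3509/3510 above applies, and here the NOTE says 'fixed by significant refactoring', which describes the fix rather than the impact. Separately, the new NOTE 'https://github.com/protocolbuffers/protobuf/pull/10664 10665 10666 10667 10668' puts one URL and four bare numbers on a line; give each PR its own NOTE URL, or say in words which of the five are the backports to older branches and which is the main-branch fix.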



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9b23c9c962973b630a627bcd72e6ab8eea8d94e



[Git][security-tracker-team/security-tracker][master] identify actual fixes for two protobuf issues

2023-04-06 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f6c6e61 by Helmut Grohne at 2023-04-06T12:46:24+02:00
identify actual fixes for two protobuf issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -71048,6 +71048,7 @@ CVE-2022-1941 (A parsing vulnerability for the 
MessageSet type in the ProtocolBu
NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1
NOTE: 
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7
 (v3.20.2)
+   NOTE: main commit 7764c864bd5acdf60230a7b8fd29816170d0d04e
 CVE-2022-1940 (A Stored Cross-Site Scripting vulnerability in Jira integration 
in Git ...)
- gitlab  (Vulnerable code introduced later)
NOTE: 
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
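Review bot: 'NOTE: main commit 7764c864bd5acdf60230a7b8fd29816170d0d04e' gives a bare SHA where the neighbouring NOTEs use full GitHub URLs with the tag in parentheses; use the same form (https://github.com/protocolbuffers/protobuf/commit/7764c864... plus the branch or release it landed in) so it is unambiguous that this is the main-branch original of the v3.20.2 commit 806d7e4c listed just above.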
@@ -166631,6 +166632,7 @@ CVE-2021-22570 (Nullptr dereference when a null char 
is present in a proto symbo
[buster] - protobuf  (Minor issue)
[stretch] - protobuf  (Minor issue; clean crash / Dos; patch 
needs to be isolated)
NOTE: Fixed upstream in v3.15.0: 
https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
+   NOTE: Fixed in merge commit a00125024e9231d76746bd394fef8876f5cc15e2 in 
src/google/protobuf/descriptor.cc
 CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of 
com.google.proto ...)
[experimental] - protobuf 3.19.3-1
- protobuf 3.21.9-3
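Review bot: naming the merge commit a00125024e... and the file src/google/protobuf/descriptor.cc is a useful start, but a merge commit cannot be cherry-picked cleanly, and the stretch line above still says 'patch needs to be isolated'. Record the individual commit inside that merge that touches descriptor.cc (or the extracted patch) so the buster and stretch backports can point at the same isolated change, and give it as a full URL like the v3.15.0 release link in the previous NOTE.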



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6c6e61ae78d3ffc64f1ed51d590585c9e1044d



[Git][security-tracker-team/security-tracker][master] claim protobuf DLA

2023-04-04 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
17787b69 by Helmut Grohne at 2023-04-04T10:58:36+02:00
claim protobuf DLA

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -194,7 +194,7 @@ pluxml
   NOTE: 20220913: Special attention: orphaned package.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git
 --
-protobuf
+protobuf (Helmut Grohne)
   NOTE: 20221031: Programming language: Several.
   NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated 
code and must therefore get special attention from the application developer 
using protobuf.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17787b698594695d718de5244be63837959da06e



[Git][security-tracker-team/security-tracker][master] reserve DLA-3193-2 for joblib

2023-03-30 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8127e66 by Helmut Grohne at 2023-03-30T19:08:19+02:00
reserve DLA-3193-2 for joblib

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -87199,7 +87199,6 @@ CVE-2022-21802 (The package grapesjs before 0.19.5 are 
vulnerable to Cross-site
 CVE-2022-21797 (The package joblib from 0 and before 1.2.0 are vulnerable to 
Arbitrary ...)
- joblib 1.2.0-1 (bug #1020820)
[bullseye] - joblib  (Minor issue)
-   [buster] - joblib  (Minor issue, the fix from +deb10u1 is 
incomplete)
NOTE: https://github.com/joblib/joblib/issues/1128
NOTE: https://github.com/joblib/joblib/pull/1321
NOTE: Better fix: https://github.com/joblib/joblib/pull/1327
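Review bot: the removed buster line said 'the fix from +deb10u1 is incomplete' and the NOTE still marks pull/1327 as the 'Better fix' over pull/1321, so DLA-3193-2 should be based on PR 1327; nothing in the entry records which PR went into 0.13.0-2+deb10u2. Add a NOTE naming it, otherwise a reader may assume the original incomplete backport was merely re-uploaded.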


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Mar 2023] DLA-3193-2 joblib - security update
+   {CVE-2022-21797}
+   [buster] - joblib 0.13.0-2+deb10u2
 [29 Mar 2023] DLA-3372-1 xorg-server - security update
{CVE-2023-1393}
[buster] - xorg-server 2:1.20.4-1+deb10u9



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8127e66c70941c072c2b934e9a3343b0be6959d



[Git][security-tracker-team/security-tracker][master] reserve DLA-3315-2 for sox regression update

2023-03-20 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8dff0de1 by Helmut Grohne at 2023-03-20T10:43:55+01:00
reserve DLA-3315-2 for sox regression update

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[20 Mar 2023] DLA-3315-2 sox - regression update
+   [buster] - sox 14.4.2+git20190427-1+deb10u2
 [20 Mar 2023] DLA-3365-1 thunderbird - security update
{CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164 
CVE-2023-28176}
[buster] - thunderbird 1:102.9.0-1~deb10u1
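Review bot: the regression entry correctly omits a CVE list, unlike DLA-3365-1 below it, but neither this entry nor the dla-needed.txt block removed in the same commit says what regressed in 14.4.2+git20190427-1+deb10u1; a one-line NOTE (or the commit message) naming the affected format or function would make the -2 traceable without reading the advisory mail.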


=
data/dla-needed.txt
=
@@ -293,10 +293,6 @@ samba
   NOTE: 20220904: Special attention: High popcon! Used in many servers.
   NOTE: 20220904: Many postponed or open CVE in general. (apo)
 --
-sox (Helmut Grohne)
-  NOTE: 20230313: Programming language: C.
-  NOTE: 20230313: VCS: https://salsa.debian.org/lts-team/packages/sox.git
---
 sssd
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dff0de1cc044537b4d9b36deca58ac71a25bd0d



[Git][security-tracker-team/security-tracker][master] issue DLA-3315-1 for sox

2023-02-09 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
729130df by Helmut Grohne at 2023-02-10T07:08:51+01:00
issue DLA-3315-1 for sox

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -59461,15 +59461,11 @@ CVE-2022-31652
 CVE-2022-31651 (In SoX 14.4.2, there is an assertion failure in rate_init in 
rate.c in ...)
- sox 14.4.2+git20190427-3.1 (bug #1012516)
[bullseye] - sox  (Minor issue)
-   [buster] - sox  (Minor issue)
-   [stretch] - sox  (Minor issue)
NOTE: https://sourceforge.net/p/sox/bugs/360/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
 CVE-2022-31650 (In SoX 14.4.2, there is a floating-point exception in 
lsx_aiffstartwri ...)
- sox 14.4.2+git20190427-3.1 (bug #1012516)
[bullseye] - sox  (Minor issue)
-   [buster] - sox  (Minor issue)
-   [stretch] - sox  (Minor issue)
NOTE: https://sourceforge.net/p/sox/bugs/360/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
 CVE-2022-31649 (ownCloud owncloud/core before 10.10.0 Improperly Removes 
Sensitive Inf ...)
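Review bot: besides the '[buster] - sox (Minor issue)' lines that DLA-3315-1 supersedes, this hunk also drops the '[stretch] - sox (Minor issue)' lines for both CVEs, and the hunks below do the same for CVE-2021-3643, CVE-2021-23210 and CVE-2019-13590 (the last with a jessie line as well). Removing stretch and jessie annotations is unrelated to a buster DLA; if it is cleanup because those releases are no longer tracked here, say so in the commit message, otherwise the stretch status silently changes from 'minor issue, no update' to open.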
@@ -118766,8 +118762,6 @@ CVE-2021-36716 (A ReDoS (regular expression denial of 
service) flaw was found in
 CVE-2021-3643 (A flaw was found in sox 14.4.1. The lsx_adpcm_init function 
within lib ...)
- sox 14.4.2+git20190427-3.2 (bug #1010374)
[bullseye] - sox  (Minor issue)
-   [buster] - sox  (Minor issue)
-   [stretch] - sox  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980626
NOTE: Triggered by same reproducer as for CVE-2021-23210
NOTE: https://sourceforge.net/p/sox/bugs/351/
@@ -125578,8 +125572,6 @@ CVE-2021-33841 (SGE-PLC1000 device, in its 0.9.2b 
firmware version, does not han
 CVE-2021-23210 (A floating point exception (divide-by-zero) issue was 
discovered in So ...)
- sox 14.4.2+git20190427-3.2 (bug #1010374)
[bullseye] - sox  (Minor issue)
-   [buster] - sox  (Minor issue)
-   [stretch] - sox  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975670
NOTE: https://sourceforge.net/p/sox/bugs/351/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
@@ -261790,9 +261782,6 @@ CVE-2019-13591
RESERVED
 CVE-2019-13590 (An issue was discovered in libsox.a in SoX 14.4.2. In 
sox-fmt.h (start ...)
- sox 14.4.2+git20190427-2 (low; bug #932082)
-   [buster] - sox  (Minor issue)
-   [stretch] - sox  (Minor issue)
-   [jessie] - sox  (Minor issue)
NOTE: https://sourceforge.net/p/sox/bugs/325/
NOTE: 
https://sourceforge.net/p/sox/code/ci/7b6a889217d62ed7e28188621403cc7542fd1f7e/
 CVE-2019-13589 (The paranoid2 gem 1.1.6 for Ruby, as distributed on 
RubyGems.org, incl ...)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[10 Feb 2023] DLA-3315-1 sox - security update
+   {CVE-2019-13590 CVE-2021-3643 CVE-2021-23159 CVE-2021-23172 
CVE-2021-23210 CVE-2021-33844 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651}
+   [buster] - sox 14.4.2+git20190427-1+deb10u1
 [09 Feb 2023] DLA-3314-1 libsdl2 - security update
{CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 
CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638 
CVE-2019-13616 CVE-2019-13626 CVE-2020-14409 CVE-2020-14410 CVE-2021-33657 
CVE-2022-4743}
[buster] - libsdl2 2.0.9+dfsg1-1+deb10u1
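Review bot: nine CVEs are listed, yet this commit only edits the data/CVE/list entries for CVE-2019-13590, CVE-2021-3643, CVE-2021-23210, CVE-2022-31650 and CVE-2022-31651; CVE-2021-23159, CVE-2021-23172, CVE-2021-33844 and CVE-2021-40426 must then have had no buster annotation, which is worth confirming so no stale no-dsa line contradicts the advisory.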


=
data/dla-needed.txt
=
@@ -310,13 +310,6 @@ snort
   NOTE: 20230121: Prepared new upstream version for unstable which we could
   NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276
 --
-sox (Helmut Grohne)
-  NOTE: 20220818: Programming language: C.
-  NOTE: 20220818: Requires some investigation; see #1012138 etc.
-  NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
-  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git
-  NOTE: 20230127: There is no point in dealing with sox. No upstream commit in 
1.5 years. No answer to Enrico's upstream ticket. RedHat issued notabug. 
Unfixed in stable and unstable. Don't run sox on untrusted input. (Helmut)
---
 spip
   NOTE: 20230206: Programming language: PHP.
   NOTE: 20230206: Special attention: Please contact maintainer regarding VCS 
usage
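Review bot: the entry being removed ends with the 20230127 conclusion 'There is no point in dealing with sox ... Don't run sox on untrusted input', and two weeks later DLA-3315-1 ships fixes for nine CVEs; nothing in this commit says what changed (for example that usable patches for the individual issues were found after all). The commit message is the natural place for that sentence, and the open references in the removed notes (#1012138 and sourceforge bug 362) should move to the CVE entries they concern if they are still unresolved.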



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/729130df3de8c74d3d65f0a8f2c1666dcc175cb2




[Git][security-tracker-team/security-tracker][master] record bug number for heimdal CVE-2022-45142

2023-02-08 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a0a1f7b by Helmut Grohne at 2023-02-08T12:52:37+01:00
record bug number for heimdal CVE-2022-45142

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20067,7 +20067,7 @@ CVE-2022-45143 (The JsonErrorReportValve in Apache 
Tomcat 8.5.83, 9.0.40 to 9.0.
NOTE: https://www.openwall.com/lists/oss-security/2023/01/03/1
 CVE-2022-45142 [gsskrb5: fix accidental logic inversions]
RESERVED
-   - heimdal 
+   - heimdal  (bug #1030849)
NOTE: https://www.openwall.com/lists/oss-security/2023/02/08/1
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15296
 CVE-2022-45141
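Review bot: the bug number lands on an entry that is still RESERVED, described only by the bracketed summary '[gsskrb5: fix accidental logic inversions]', with heimdal unfixed in unstable; that is consistent with DLA-3311-1 having been issued for buster fifteen minutes earlier (commit 41508f7c), so buster is ahead of unstable for now. Fine as is, but with only the oss-security post and the Samba bugzilla as references, add the upstream heimdal fix commit as a NOTE once it is public so the unstable and bullseye fixes can cite it.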



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a0a1f7b28ede4da703f3078b485c6e4432e34ec



[Git][security-tracker-team/security-tracker][master] issue DLA-3311-1 for heimdal CVE-2022-45142

2023-02-08 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
41508f7c by Helmut Grohne at 2023-02-08T12:37:05+01:00
issue DLA-3311-1 for heimdal CVE-2022-45142

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[08 Feb 2023] DLA-3311-1 heimdal - security update
+   {CVE-2022-45142}
+   [buster] - heimdal 7.5.0+dfsg-3+deb10u2
 [07 Feb 2023] DLA-3310-1 xorg-server - security update
{CVE-2023-0494}
[buster] - xorg-server 2:1.20.4-1+deb10u8
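Review bot: the buster fix is recorded before the CVE-2022-45142 entry in data/CVE/list has a description (it is still RESERVED with heimdal unfixed in unstable, see 2a0a1f7b), so the tracker will show buster fixed and every other suite open; that is acceptable, but the advisory text itself has to describe the issue from the bracketed summary 'gsskrb5: fix accidental logic inversions' rather than rely on CVE text that is not public yet.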


=
data/dla-needed.txt
=
@@ -102,11 +102,6 @@ haproxy
   NOTE: 20230207: VCS: https://salsa.debian.org/haproxy-team/haproxy.git
   NOTE: 20230207: method was called h2_frt_decode_headers in buster (pochu)
 --
-heimdal (Helmut Grohne)
-  NOTE: 20230206: Programming language: C
-  NOTE: 20230206: Special attention: Do review patches, even those, coming 
from upstream.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/heimdal/
---
 imagemagick (Roberto C. Sánchez)
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
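Review bot: the removed 20230206 note 'Special attention: Do review patches, even those, coming from upstream' is exactly the lesson of a CVE whose summary is 'fix accidental logic inversions'; dropping it from dla-needed.txt is expected once the DLA is out, but it deserves to survive as a NOTE on the heimdal CVE entries or in the LTS packaging repository at salsa.debian.org/lts-team/packages/heimdal/, so the next heimdal update gets the same scrutiny.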



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41508f7cc45ef642ba5823bbbdd866a6da4cece1



[Git][security-tracker-team/security-tracker][master] LTS: claim heimdal

2023-02-06 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ead49fad by Helmut Grohne at 2023-02-06T13:41:16+01:00
LTS: claim heimdal

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -97,6 +97,8 @@ graphite-web (Chris Lamb)
   NOTE: 20221229: Programming language: Python.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/graphite-web.git
 --
+heimdal (Helmut Grohne)
+--
 imagemagick (Roberto C. Sánchez)
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
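Review bot: The new `heimdal (Helmut Grohne)` entry carries no NOTE lines, whereas the neighbouring graphite-web and imagemagick entries record the programming language and the packaging VCS (`NOTE: YYYYMMDD: Programming language: ...` and `NOTE: YYYYMMDD: VCS: ...`); add the same two lines so the entry follows the file's convention and the next person picking it up does not have to look them up again.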



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead49fad3b3df5e559b3de0486e85473ac1d7cdc



[Git][security-tracker-team/security-tracker][master] sox: bump fixed version for previously incomplete fixes

2023-02-05 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01fe1096 by Helmut Grohne at 2023-02-05T13:35:06+01:00
sox: bump fixed version for previously incomplete fixes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -117467,7 +117467,7 @@ CVE-2021-36717 (Synerion TimeNet version 9.21 
contains a directory traversal vul
 CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found 
in the S ...)
NOT-FOR-US: Node is-email
 CVE-2021-3643 (A flaw was found in sox 14.4.1. The lsx_adpcm_init function 
within lib ...)
-   - sox 14.4.2+git20190427-3.1 (bug #1010374)
+   - sox 14.4.2+git20190427-3.2 (bug #1010374)
[bullseye] - sox  (Minor issue)
[buster] - sox  (Minor issue)
[stretch] - sox  (Minor issue)
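Review bot: The fixed version for CVE-2021-3643 moves from 14.4.2+git20190427-3.1 to -3.2 with no NOTE recording why -3.1 was incomplete; the reasoning exists only in the commit message ("previously incomplete fixes"), not in the tracker data that people actually read. Add a NOTE line next to the entry (e.g. "NOTE: fix in 14.4.2+git20190427-3.1 incomplete, completed in -3.2") and check whether bug #1010374 was reopened for the follow-up or whether a new bug number should be referenced instead.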
@@ -124279,7 +124279,7 @@ CVE-2021-33842 (Improper Authentication vulnerability 
in the cookie parameter of
 CVE-2021-33841 (SGE-PLC1000 device, in its 0.9.2b firmware version, does not 
handle so ...)
NOT-FOR-US: SGE-PLC1000 device
 CVE-2021-23210 (A floating point exception (divide-by-zero) issue was 
discovered in So ...)
-   - sox 14.4.2+git20190427-3.1 (bug #1010374)
+   - sox 14.4.2+git20190427-3.2 (bug #1010374)
[bullseye] - sox  (Minor issue)
[buster] - sox  (Minor issue)
[stretch] - sox  (Minor issue)
@@ -124287,12 +124287,12 @@ CVE-2021-23210 (A floating point exception 
(divide-by-zero) issue was discovered
NOTE: https://sourceforge.net/p/sox/bugs/351/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
 CVE-2021-23172 (A vulnerability was found in SoX, where a heap-buffer-overflow 
occurs  ...)
-   - sox 14.4.2+git20190427-3.1 (bug #1021134)
+   - sox 14.4.2+git20190427-3.2 (bug #1021134)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975666
NOTE: https://sourceforge.net/p/sox/bugs/350/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
 CVE-2021-23159 (A vulnerability was found in SoX, where a heap-buffer-overflow 
occurs  ...)
-   - sox 14.4.2+git20190427-3.1 (bug #1021133)
+   - sox 14.4.2+git20190427-3.2 (bug #1021133)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975671
NOTE: https://sourceforge.net/p/sox/bugs/352/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01fe1096b727b2f6634bd4a7199f73de414ca7d8



[Git][security-tracker-team/security-tracker][master] dla-needed: claim sox

2023-01-27 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
164672ee by Helmut Grohne at 2023-01-27T13:38:48+01:00
dla-needed: claim sox

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -343,7 +343,7 @@ sofia-sip (Adrian Bunk)
   NOTE: 20230125: Programming language: C.
   NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git
 --
-sox
+sox (Helmut Grohne)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
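Review bot: This claim lands about four hours after the same-day note in 975dcf7f (20230127: "There is no point in dealing with sox"), so the intent of claiming the entry is ambiguous: the line should say whether the claim is to prepare an update after all or to close out the entry (e.g. by marking the CVEs no-dsa and removing sox from dla-needed), otherwise the next reader will take it as an update in progress.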



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/164672eed41572f02ebe4078b478c90eff4767a0



[Git][security-tracker-team/security-tracker][master] dla-needed: sox is unfixable

2023-01-27 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
975dcf7f by Helmut Grohne at 2023-01-27T09:38:00+01:00
dla-needed: sox is unfixable

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -340,6 +340,7 @@ sox
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git
+  NOTE: 20230127: There is no point in dealing with sox. No upstream commit in 
1.5 years. No answer to Enrico's upstream ticket. RedHat issued notabug. 
Unfixed in stable and unstable. Don't run sox on untrusted input. (Helmut)
 --
 thunderbird (Emilio)
   NOTE: 20230123: Programming language: C++
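Review bot: The new 20230127 NOTE refers to "Enrico's upstream ticket" and a RedHat "notabug" decision without URLs; the 20221003 line just above links https://sourceforge.net/p/sox/bugs/362/ for the upstream side, and the sox entries in data/CVE/list already link Red Hat bugzilla tickets (e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1975666), so cite the specific ticket carrying the notabug decision here so the "unfixable" conclusion can be re-checked later. "Don't run sox on untrusted input" is also user-facing guidance; if that is the LTS position, it belongs in the CVE entries' annotations (as the no-dsa reason) rather than only in the work-queue file.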



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/975dcf7f0487754aad7f1b8b94b15ced03719173



[Git][security-tracker-team/security-tracker][master] reserve DLA-3265-1 for exiv2

2023-01-10 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64c3ca93 by Helmut Grohne at 2023-01-10T17:44:15+01:00
reserve DLA-3265-1 for exiv2

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -1506,7 +1506,7 @@ CVE-2018-25061 (A vulnerability was found in rgb2hex up 
to 0.1.5. It has been ra
 CVE-2017-20160 (A vulnerability was found in flitto express-param up to 0.x. 
It has be ...)
NOT-FOR-US: express-param
 CVE-2014-125029 (A vulnerability was found in ttskch PaginationServiceProvider 
up to 0. ...)
-   NOT-FOR-US:  ttskch/PaginationServiceProvider
+   NOT-FOR-US: ttskch/PaginationServiceProvider
 CVE-2014-125028 (A vulnerability was found in valtech IDP Test Client and 
classified as ...)
NOT-FOR-US: valtech IDP Test Client
 CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor 
prior to 2 ...)
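Review bot: This first hunk only removes a stray double space in the NOT-FOR-US line of CVE-2014-125029, which has nothing to do with the exiv2 DLA reservation; harmless, but a separate whitespace commit keeps the history of the DLA data easier to follow.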
@@ -108652,21 +108652,18 @@ CVE-2021-37623 (Exiv2 is a command-line utility and 
C++ library for reading, wri
 CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv
NOTE: https://github.com/Exiv2/exiv2/pull/1788
 CVE-2021-37621 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg
NOTE: https://github.com/Exiv2/exiv2/pull/1778
 CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728
NOTE: https://github.com/Exiv2/exiv2/pull/1769
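Review bot: The `[buster] - exiv2 (Minor issue)` lines are dropped for CVE-2021-37622/37621/37620 while the `[bullseye]` and `[stretch]` "Minor issue" lines stay; that is consistent with buster being the LTS target, but nothing in this hunk yet ties the three CVEs to DLA-3265-1, so until the data/DLA/list entry (listed among the changed files) is in place they simply show buster as open. Confirm the DLA-3265-1 entry in the same commit lists exactly the CVEs whose buster annotations are removed here and in the following hunks.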
@@ -116527,7 +116524,6 @@ CVE-2021-34335 (Exiv2 is a command-line utility and 
C++ library for reading, wri
 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1 (bug #992706)
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p
NOTE: https://github.com/Exiv2/exiv2/pull/1766
@@ -120321,7 +120317,6 @@ CVE-2021-32816 (ProtonMail Web Client is the official 
AngularJS web client for t
 CVE-2021-32815 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1 (bug #992705)
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh2-m49m
NOTE: https://github.com/Exiv2/exiv2/pull/1739
@@ -129479,7 +129474,6 @@ CVE-2021-29459 (XWiki Platform is a generic wiki 
platform offering runtime servi
 CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1 (bug #987277)
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
NOTE: https://github.com/Exiv2/exiv2/issues/1530
@@ -185933,7 +185927,6 @@ CVE-2020-18772
RESERVED
 CVE-2020-18771 (Exiv2 0.27.99.0 has a global buffer over-read in 
Exiv2::Internal::Niko ...)
- exiv2 0.27.2-6
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/756
 CVE-2020-18770
@@ -240883,7 +240876,6 @@ CVE-2019-17403 (Nokia IMPACT  18A: An 
unrestricted File Upload vulnerability
 CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in 
Exiv2::getULong in ...)
{DLA-2019-1}
- exiv2 0.27.3-1 (bug #946341)
-   [buster] - exiv2  (Minor issue)
[stretch] - exiv2  (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/1019
NOTE: 
https://github.com/Exiv2/exiv2/commit/88054239e3c914862d13f6ac89a19a104fa2c076 
(master)
@@ -250712,7 +250704,6 @@ CVE-2019-14371 (An issue was discovered in Libav 
12.3. There is an infinite loop
NOTE: fixed through CVE-2018-11102 / 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/7abf394814d818973db562102f21ab9d10540840
 CVE-2019-14370 (In Exiv2 0.27.99.0, there is an out-of-bounds read in 
Exiv2::MrwImage: ...)
- exiv2 

[Git][security-tracker-team/security-tracker][master] 2 commits: delete heimdal annotations conflicting with ELTS tracker

2023-01-10 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89e9f403 by Helmut Grohne at 2023-01-10T14:21:19+01:00
delete heimdal annotations conflicting with ELTS tracker

- - - - -
b632e32d by Helmut Grohne at 2023-01-10T14:21:20+01:00
triage exiv2

 * This is mostly adding not-affected for LTS.
 * Also deleting annotations that conflict with the ELTS tracker.
 * CVE-2021-31292 is a duplicate of CVE-2021-29458
 * Add detail to some CVEs such as patches.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -108646,8 +108646,7 @@ CVE-2021-37624 (FreeSWITCH is a Software Defined 
Telecom Stack enabling the digi
 CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
-   [stretch] - exiv2  (Minor issue)
+   [buster] - exiv2  (relevant IPTC parsing added in 0.26)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mvc4-g5pv-4qqq
NOTE: https://github.com/Exiv2/exiv2/pull/1790
 CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
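Review bot: The `[buster]` annotation for CVE-2021-37623 changes from "Minor issue" to "relevant IPTC parsing added in 0.26", i.e. from postponed to not-affected, on a version claim alone; add the upstream commit or release note that introduced the IPTC code in 0.26 as a NOTE, so the not-affected status can be re-verified without redoing the source comparison.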
@@ -108674,15 +108673,13 @@ CVE-2021-37620 (Exiv2 is a command-line utility and 
C++ library for reading, wri
 CVE-2021-37619 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
-   [stretch] - exiv2  (Minor issue)
+   [buster] - exiv2  (Jp2Image::encodeJp2Header added in 
0.26)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
NOTE: https://github.com/Exiv2/exiv2/pull/1752
 CVE-2021-37618 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
-   [stretch] - exiv2  (Minor issue)
+   [buster] - exiv2  (Jp2Image::printStructure added in 0.26)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
NOTE: https://github.com/Exiv2/exiv2/pull/1759
 CVE-2021-37617 (The Nextcloud Desktop Client is a tool to synchronize files 
from Nextc ...)
@@ -108691,15 +108688,13 @@ CVE-2021-37617 (The Nextcloud Desktop Client is a 
tool to synchronize files from
 CVE-2021-37616 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
-   [stretch] - exiv2  (Minor issue)
+   [buster] - exiv2  (resolveLens0x8ff added in 0.26)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-54f7-vvj7-545w
NOTE: https://github.com/Exiv2/exiv2/pull/1758
 CVE-2021-37615 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
-   [stretch] - exiv2  (Minor issue)
+   [buster] - exiv2  (resolveLens0x319 added in 0.26)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-h9x9-4f77-336w
NOTE: https://github.com/Exiv2/exiv2/pull/1758
 CVE-2021-37614 (In certain Progress MOVEit Transfer versions before 2021.0.3 
(aka 13.0 ...)
@@ -116526,8 +116521,7 @@ CVE-2021-34336
 CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 0.27.5-1 (bug #992707)
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
-   [stretch] - exiv2  (Minor issue)
+   [buster] - exiv2  (resolveLens0x added in 0.26)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-pvjp-m4f6-q984
NOTE: https://github.com/Exiv2/exiv2/pull/1750
 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
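Review bot: The new buster annotation for CVE-2021-34335 reads "resolveLens0x added in 0.26", which looks truncated next to the sibling entries "resolveLens0x8ff" and "resolveLens0x319"; spell out the full function name so the not-affected justification names a specific symbol that can be grepped for in the buster source.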
@@ -124505,6 +124499,7 @@ CVE-2021-31292 (An integer overflow in 
CrwMap::encode0x1810 of Exiv2 0.27.3 allo
NOTE: https://github.com/Exiv2/exiv2/issues/1530
NOTE: 
https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0
NOTE: In older releases affected code is in src/crwimage.cpp
+   NOTE: This is a duplicate of CVE-2021-29458, but mitre finds the 
evidence unconvincing.
 CVE-2021-31291
REJECTED
 CVE-2021-31290
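Review bot: The NOTE says CVE-2021-31292 duplicates CVE-2021-29458 while "mitre finds the evidence unconvincing", so both ids remain tracked separately; make sure the fixed version and per-release annotations on CVE-2021-31292 are kept in step with CVE-2021-29458 (shown earlier with exiv2 0.27.5-1, bug #987277 and the same issue link https://github.com/Exiv2/exiv2/issues/1530), otherwise the two entries will drift apart the next time one of them is touched.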
@@ -129056,8 +129051,7 @@ CVE-2021-29624 (fastify-csrf is an open-source plugin 
helps developers protect t
 CVE-2021-29623 (Exiv2 is a C++ library and a command-line utility to read, 
write, dele ...)
- exiv2 0.27.5-1 (bug #988481)
[bullseye] - exiv2  (Minor issue)
-   [buster] - exiv2  (Minor issue)
-   [stretch] - exiv2  (Minor issue)
+   [buster] - exiv2  (webpimage support added 0.26)
NOTE: 

[Git][security-tracker-team/security-tracker][master] triage leptonlib

2023-01-10 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
accb17ef by Helmut Grohne at 2023-01-10T11:59:40+01:00
triage leptonlib

 * Remove a bunch of annotations that will end up conflicting with the
   ELTS tracker.
 * Note patch for CVE-2018-7442 and explain that it changes behaviour.
 * Note that CVE-2018-7441 is not neutralized, remove unimportant, list
   patches.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -325949,8 +325949,6 @@ CVE-2017-18190 (A localhost.localdomain whitelist 
entry in valid_host() in sched
 CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters 
in a % ...)
{DLA-1302-1}
- leptonlib 1.75.3-2 (low; bug #890548)
-   [stretch] - leptonlib  (Minor issue)
-   [jessie] - leptonlib  (Minor issue)
NOTE: 
https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a
 CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for 
Joomla! v ...)
NOT-FOR-US: Saxum Astro component for Joomla!
@@ -335436,17 +335434,19 @@ CVE-2018-3837 (An exploitable information 
disclosure vulnerability exists in the
NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519
 CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The 
gplotMakeOutp ...)
- leptonlib 1.76.0-1 (bug #898439)
-   [stretch] - leptonlib  (Minor issue)
-   [jessie] - leptonlib  (Minor issue)
[wheezy] - leptonlib  (Minor issue)
NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html
+   NOTE: 
https://github.com/DanBloomberg/leptonica/commit/24cca39cbeafd7943fb6ec723c9c1f525c24eb9f
+   NOTE: The patch deactivates debugging functions by default and thus 
changes behaviour.
 CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which 
might al ...)
-   - leptonlib 1.76.0-1 (unimportant)
+   - leptonlib 1.76.0-1
NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html
-   NOTE: Neutralised by kernel hardening
+   NOTE: Not neutralised by kernel hardening, because subdirectories of 
/tmp are not hardened
+   NOTE: 
https://github.com/DanBloomberg/leptonica/commit/dcaf546c748aaf13fd14289677037e83d749455f
+   NOTE: The patch requires CVE-2018-7442 patch as underlying 
infrastructure.
+   NOTE: The patch deactivates debugging functions by default and thus 
changes behaviour.
 CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing 
duplicate ...)
- leptonlib 1.74.4-2 (low; bug #885704)
-   [stretch] - leptonlib  (Minor issue)
[jessie] - leptonlib  (Vulnerable code not present)
[wheezy] - leptonlib  (Vulnerable code not present)
 CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The 
gplotMakeOutp ...)
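Review bot: The "deactivates debugging functions by default and thus changes behaviour" NOTE is now duplicated verbatim under CVE-2018-7442 and CVE-2018-7441; since the 7441 NOTE already says its patch "requires CVE-2018-7442 patch as underlying infrastructure", one line saying the same behaviour change applies is enough. The reasoning for dropping "unimportant" on CVE-2018-7441 is sound as far as it goes: the kernel's symlink restrictions apply to sticky world-writable directories, so a predictable subdirectory below /tmp that an attacker can create and own is not covered, but the NOTE would be stronger if it named the subdirectory the code uses, so the claim can be checked against the linked patch.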
@@ -335459,8 +335459,6 @@ CVE-2018-7440 (An issue was discovered in Leptonica 
through 1.75.3. The gplotMak
 CVE-2018-3836 (An exploitable command injection vulnerability exists in the 
gplotMake ...)
{DLA-1284-1}
- leptonlib 1.75.3-1 (bug #889759)
-   [stretch] - leptonlib  (Minor issue)
-   [jessie] - leptonlib  (Minor issue)
NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
NOTE: https://github.com/DanBloomberg/leptonica/issues/303
NOTE: When fixing this issue make sure the fix is complete and includes 
as well



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/accb17ef45236f07536a694b7f1c6762b87d4b0f



[Git][security-tracker-team/security-tracker][master] LTS: claim exiv2

2022-12-11 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b20e9ff by Helmut Grohne at 2022-12-11T20:52:46+01:00
LTS: claim exiv2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -42,7 +42,7 @@ erlang
   NOTE: 20221119: Programming language: Erlang.
   NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request 
has been for Stretch)
 --
-exiv2
+exiv2 (Helmut Grohne)
   NOTE: 20221119: Programming language: C.
 --
 firmware-nonfree (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b20e9ffcee6f952a43144655dfefd7f17aedcca



[Git][security-tracker-team/security-tracker][master] reserve DLA-3233-1 for leptonlib

2022-12-08 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
205dcddf by Helmut Grohne at 2022-12-08T14:35:04+01:00
reserve DLA-3233-1 for leptonlib

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -25939,7 +25939,6 @@ CVE-2022-38267 (School Activity Updates with SMS 
Notification v1.0 was discovere
 CVE-2022-38266 (An issue in the Leptonica linked library (v1.79.0) allows 
attackers to ...)
- leptonlib 1.82.0-1
[bullseye] - leptonlib  (Minor issue)
-   [buster] - leptonlib  (Minor issue, SIGFPE in CLI tools)
NOTE: 
https://github.com/DanBloomberg/leptonica/commit/f062b42c0ea8dddebdc6a152fd16152de215d614
 (1.81.0)
NOTE: https://github.com/tesseract-ocr/tesseract/issues/3498
 CVE-2022-38265 (Apartment Visitor Management System v1.0 was discovered to 
contain a S ...)
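Review bot: The removed buster annotation ("Minor issue, SIGFPE in CLI tools") recorded that the impact is a crash in the command-line tools rather than memory corruption; that characterisation is useful in the DLA text and is lost here, so keep it as a NOTE. Also, the upstream fix is marked as landing in 1.81.0 while buster ships 1.76.0 (per the DLA/list hunk, 1.76.0-1+deb10u2), so confirm the backport covers the same code path the 1.81.0 commit touches.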


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[08 Dec 2022] DLA-3233-1 leptonlib - security update
+   {CVE-2022-38266}
+   [buster] - leptonlib 1.76.0-1+deb10u2
 [07 Dec 2022] DLA-3232-1 virglrenderer - security update
{CVE-2019-18388 CVE-2019-18389 CVE-2019-18390 CVE-2019-18391 
CVE-2020-8002 CVE-2020-8003 CVE-2022-0135}
[buster] - virglrenderer 0.7.0-2+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/205dcddf87393a140d001d7ef40fc1f8955ab280



[Git][security-tracker-team/security-tracker][master] triage CVE-2018-5710

2022-12-08 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5886baca by Helmut Grohne at 2022-12-08T11:08:05+01:00
triage CVE-2018-5710

This is already marked as a duplicate. Clarify which ids are duplicated
and update the relevant DLAs.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -322988,15 +322988,15 @@ CVE-2018-5711 (gd_gif_in.c in the GD Graphics 
Library (aka libgd), as used in PH
NOTE: https://github.com/libgd/libgd/issues/420
NOTE: 
https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
 CVE-2018-5710 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 
1.16. The ...)
+   {DLA-2771-1 DLA-1643-1}
- krb5 1.16.1-1 (bug #889685)
-   [stretch] - krb5  (Minor issue)
-   [jessie] - krb5  (Minor issue)
[wheezy] - krb5  (all strlen() parameters are checked for 
NULL)
NOTE: 
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS)
NOTE: The CVE is a duplicate of the #891869 issue(s) due to reporter not
NOTE: having coordinated with upstream and the CVE assignment ist sill 
for
NOTE: slight different coverage. Thus keep it distinct (for now) and 
mark
NOTE: CVE-2018-5710 issue as well as fixed once #891869 is adressed.
+   NOTE: The duplicated ids are CVE-2018-5729 and CVE-2018-5730.
 CVE-2018-5709 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 
1.16. The ...)
- krb5  (unimportant; bug #889684)
NOTE: 
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
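Review bot: The pre-existing NOTE block still says "keep it distinct (for now) and mark CVE-2018-5710 issue as well as fixed once #891869 is adressed", which is exactly the action this hunk performs by adding `{DLA-2771-1 DLA-1643-1}`; update or close out that NOTE so the entry no longer reads as pending. The new NOTE naming CVE-2018-5729 and CVE-2018-5730 as the duplicated ids should also say that these are the #891869 issue(s) referred to above, so a reader can connect the two notes without consulting the bug.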


=
data/DLA/list
=
@@ -1384,7 +1384,7 @@
{CVE-2017-12678 CVE-2018-11439}
[stretch] - taglib 1.11.1+dfsg.1-0.3+deb9u1
 [30 Sep 2021] DLA-2771-1 krb5 - security update
-   {CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750}
+   {CVE-2018-5710 CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 
CVE-2021-37750}
[stretch] - krb5 1.15-1+deb9u3
 [30 Sep 2021] DLA-2770-1 weechat - security update
{CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516}
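Review bot: Adding CVE-2018-5710 to the already-published DLA-2771-1 entry retroactively extends the advisory's CVE set; that is correct if krb5 1.15-1+deb9u3 contains the fixes for CVE-2018-5729/5730 that this id duplicates, but the published advisory text will never mention CVE-2018-5710, so a short NOTE on the CVE entry (or a follow-up list mail) would help anyone cross-checking the advisory against the tracker.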
@@ -4857,7 +4857,7 @@
{CVE-2018-19788 CVE-2019-6133}
[jessie] - policykit-1 0.105-15~deb8u4
 [25 Jan 2019] DLA-1643-1 krb5 - security update
-   {CVE-2018-5729 CVE-2018-5730 CVE-2018-20217}
+   {CVE-2018-5710 CVE-2018-5729 CVE-2018-5730 CVE-2018-20217}
[jessie] - krb5 1.12.1+dfsg-19+deb8u5
 [25 Jan 2019] DLA-1642-1 postgresql-9.4 - new upstream version
[jessie] - postgresql-9.4 9.4.20-0+deb8u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5886baca27ccb9b824416c9cc1a4bdd55d24e2d1



[Git][security-tracker-team/security-tracker][master] CVE-2022-21797 still affects joblib in buster

2022-12-06 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d4c2566 by Helmut Grohne at 2022-12-06T15:13:31+01:00
CVE-2022-21797 still affects joblib in buster

The update to joblib included two fixes. The first attempt was
restricting variables for eval and the second one did away with eval.

While unstable has the second iteration, buster got the eval version and
that one is still vulnerable. Exploit:

eval([x for x in 42 .__class__.__mro__[1].__subclasses__() if x.__name__ 
== 
BuiltinImporter][0]().load_module(os).system(id),
 {__builtins__: {}}, {})

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -60433,12 +60433,13 @@ CVE-2022-21803 (This affects the package nconf before 
0.11.4. When using the mem
 CVE-2022-21802 (The package grapesjs before 0.19.5 are vulnerable to 
Cross-site Script ...)
NOT-FOR-US: grapejs
 CVE-2022-21797 (The package joblib from 0 and before 1.2.0 are vulnerable to 
Arbitrary ...)
-   {DLA-3193-1}
- joblib 1.2.0-1 (bug #1020820)
[bullseye] - joblib  (Minor issue)
+   [buster] - joblib  (Minor issue, the fix from +deb10u1 is 
incomplete)
NOTE: https://github.com/joblib/joblib/issues/1128
NOTE: https://github.com/joblib/joblib/pull/1321
-   NOTE: 
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
 (1.2.0)
+   NOTE: vulnerable patch 
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
 (1.2.0)
+   NOTE: better fix https://github.com/joblib/joblib/pull/1327
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
 CVE-2022-21235 (The package github.com/masterminds/vcs before 1.13.3 are 
vulnerable to ...)
NOT-FOR-US: github.com/masterminds/vcs
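Review bot: The entry keeps joblib 1.2.0-1 as the fixed version for unstable while the new NOTE labels the 1.2.0 commit b90f10ef as the "vulnerable patch"; the commit message says unstable carries the second iteration, so the NOTE should state that PR 1327 is included in 1.2.0 (or name the version that first includes it), otherwise the fixed-version line looks contradicted by the note directly beneath it. The buster annotation "Minor issue, the fix from +deb10u1 is incomplete" is the right way to keep the CVE visible; consider also saying which of the two fixes is the follow-up target so the eventual regression DLA is unambiguous.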


=
data/DLA/list
=
@@ -97,7 +97,6 @@
{CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 
CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837 
CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764 
CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 
CVE-2022-26651}
[buster] - asterisk 1:16.28.0~dfsg-0+deb10u1
 [17 Nov 2022] DLA-3193-1 joblib - security update
-   {CVE-2022-21797}
[buster] - joblib 0.13.0-2+deb10u1
 [17 Nov 2022] DLA-3192-1 lava - security update
{CVE-2022-42902}
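Review bot: Removing `{CVE-2022-21797}` from DLA-3193-1 leaves that DLA entry with no CVE at all, so the record that 0.13.0-2+deb10u1 was issued for this CVE is lost from the DLA side; since the advisory was published under that CVE, keep the association and mark the incompleteness on the CVE entry (as the buster annotation in the data/CVE/list hunk already does), or add a NOTE on the DLA entry explaining that the fix was incomplete and a follow-up update is pending.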



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d4c2566e5ff7fbb12aa80730d49c7085ac77466



[Git][security-tracker-team/security-tracker][master] triage cgal and issue DLA-3226-1

2022-12-06 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3eaeb81f by Helmut Grohne at 2022-12-06T12:43:53+01:00
triage cgal and issue DLA-3226-1

All of the TALOS-2020-1225 vulnerabilities are fixed in the same PR.
While identifying individual commits is possible, the individual patches
are incomplete and need fixes, so it is better to use the whole PR. I've
noted the merge commit for each CVE.

In one instance, the TALOS report was inaccurate and I've added a note.

DLA-2649-1 actually did the right thing and applied the whole PR. As
such, it actually did fix all of the issues. We cannot change this
aspect in the elts tracker. Thus doing here.

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -142100,44 +142100,48 @@ CVE-2020-35637
 CVE-2020-35636 (A code execution vulnerability exists in the Nef 
polygon-parsing funct ...)
{DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35635 (A code execution vulnerability exists in the Nef 
polygon-parsing funct ...)
{DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35634 (A code execution vulnerability exists in the Nef 
polygon-parsing funct ...)
{DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35633 (A code execution vulnerability exists in the Nef 
polygon-parsing funct ...)
{DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35632 (Multiple code execution vulnerabilities exists in the Nef 
polygon-pars ...)
+   {DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35631 (Multiple code execution vulnerabilities exists in the Nef 
polygon-pars ...)
+   {DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35630 (Multiple code execution vulnerabilities exists in the Nef 
polygon-pars ...)
+   {DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35629 (Multiple code execution vulnerabilities exists in the Nef 
polygon-pars ...)
+   {DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-35628 (A code execution vulnerability exists in the Nef 
polygon-parsing funct ...)
{DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2021-21433 (Discord Recon Server is a bot that allows you to do your 
reconnaissanc ...)
NOT-FOR-US: Discord Recon Server
 CVE-2021-21432 (Vela is a Pipeline Automation (CI/CD) framework built on Linux 
contain ...)
@@ -152568,149 +152572,184 @@ CVE-2020-28637
 CVE-2020-28636 (A code execution vulnerability exists in the Nef 
polygon-parsing funct ...)
{DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   [buster] - cgal  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
+   NOTE: 
https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398
 CVE-2020-28635 (Multiple code execution vulnerabilities exists in the Nef 
polygon-pars ...)
+   {DLA-2649-1}
- cgal 5.2-3 (bug #985671)
-   

[Git][security-tracker-team/security-tracker][master] lts: claim cgal

2022-12-05 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89924e2f by Helmut Grohne at 2022-12-05T17:39:50+01:00
lts: claim cgal

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,6 +21,8 @@ ceph
   NOTE: 20221130: Can someone take care of it in Buster? I'm currently 
building the Bullseye backport of the fix...
   NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html  
(zigo/maintainer)
 --
+cgal (Helmut Grohne)
+--
 consul
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
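Review bot: the new "cgal (Helmut Grohne)" entry carries no dated NOTE lines, whereas neighbouring entries such as consul record language and triage state in the form "NOTE: 20221031: Programming language: Go."; adding the usual language and VCS lines in the same dated format would keep the file uniform and tell the next person where the packaging lives.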



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89924e2f96a42ec495b3a2ebf278ecf1b811a48e



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] triage giflib and reserve DLA-3223-1

2022-12-05 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c8041f1 by Helmut Grohne at 2022-12-05T12:58:43+01:00
triage giflib and reserve DLA-3223-1

 * CVE-2020-23922: verified that reproducer doesn't work anymore
 * CVE-2019-15133: fixed
 * CVE-2018-11490: fixed
 * CVE-2018-11489: locate patch; never affected us, see bug discussion
 * CVE-2016-3977: drop ELTS entries
 * CVE-2016-: flag unimportant, cannot triage in elts tracker

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -166107,6 +166107,7 @@ CVE-2020-23922 (An issue was discovered in giflib 
through 5.1.4. DumpScreen2RGB
- giflib  (unimportant; bug #988151)
NOTE: https://sourceforge.net/p/giflib/bugs/151/
NOTE: Specific to gif2rgb. Crash in CLI tool, no security impact
+   NOTE: Reproducer does not trigger using giflib 5.2.1-2.5 with asan or 
valgrind.
 CVE-2020-23921 (An issue was discovered in fast_ber through v0.4. yy::yylex() 
in asn_c ...)
NOT-FOR-US: fast_ber
 CVE-2020-23920
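Review bot: the added NOTE records a negative result (the reproducer does not trigger with 5.2.1-2.5 under ASan or valgrind) but not which upstream change is believed to have made it disappear, so the entry still has no fix reference; the CVE-2019-15133 entry in this same commit shows the convention (a sourceforge "code/ci/<hash>" NOTE). If the fixing commit is unknown, saying so on the NOTE line is better than leaving it implicit, since "unimportant" plus a vanished reproducer will otherwise look like an untested assumption later.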
@@ -238645,9 +238646,6 @@ CVE-2019-15134 (RIOT through 2019.07 contains a 
memory leak in the TCP implement
 CVE-2019-15133 (In GIFLIB before 2019-02-16, a malformed GIF file triggers a 
divide-by ...)
[experimental] - giflib 5.1.8-1
- giflib 5.1.9-1
-   [buster] - giflib  (Minor issue)
-   [stretch] - giflib  (Minor issue)
-   [jessie] - giflib  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13008
NOTE: 
https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908/
NOTE: https://sourceforge.net/p/giflib/bugs/119/
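Review bot: the commit message describes CVE-2019-15133 only as "fixed", yet the hunk also drops the "[stretch]" and "[jessie]" annotations, which are ELTS releases; the message gives the ELTS rationale only for CVE-2016-3977, so it should cover this entry as well. No "{DLA-3223-1}" reference is added to this entry although data/DLA/list in the same commit lists CVE-2019-15133 under DLA-3223-1; if a later step adds that cross-reference automatically this is fine, otherwise it belongs next to the "[buster]" removal.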
@@ -305196,22 +305194,16 @@ CVE-2018-11491 (ASUS HG100 devices with firmware 
before 1.05.12 allow unauthenti
 CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB 
(possibly vers ...)
[experimental] - giflib 5.1.7-1
- giflib 5.1.9-1 (bug #904114)
-   [buster] - giflib  (Minor issue)
-   [stretch] - giflib  (Minor issue)
-   [jessie] - giflib  (Minor issue)
NOTE: https://github.com/pts/sam2p/issues/38
NOTE: https://sourceforge.net/p/giflib/bugs/113/
NOTE: 
https://sourceforge.net/p/giflib/code/ci/08438a5098f3bb1de23a29334af55eba663f75bd/
NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from 
giflib.
 CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB 
(possibly vers ...)
-   - giflib  (bug #904113)
-   [bullseye] - giflib  (Minor issue)
-   [buster] - giflib  (Minor issue)
-   [stretch] - giflib  (Minor issue)
-   [jessie] - giflib  (Minor issue)
+   - giflib 4.1.6-11 (bug #904113)
NOTE: https://github.com/pts/sam2p/issues/37
NOTE: https://sourceforge.net/p/giflib/bugs/112/
NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from 
giflib.
+   NOTE: https://github.com/pts/sam2p/files/2252965/sam2p_CVEs.patch.txt
 CVE-2018-11488 (A stack exhaustion vulnerability in the search function of 
dtSearch 7. ...)
NOT-FOR-US: dtSearch
 CVE-2018-11487 (PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, 
or the qu ...)
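Review bot: for CVE-2018-11489 the unfixed entry becomes "- giflib 4.1.6-11 (bug #904113)", i.e. fixed before any release the tracker still covers, but the only explanation ("never affected us, see bug discussion") is in the commit message; a NOTE line stating why 4.1.6-11 is the fixed version would keep that reasoning where triagers read it. The new NOTE points to "sam2p_CVEs.patch.txt", an attachment on the sam2p issue that by its name covers more than one CVE, so it should say which part of it is the relevant check for CVE-2018-11489 rather than leaving the reader to diff it against CVE-2018-11490's sourceforge commit.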
@@ -407539,8 +407531,6 @@ CVE-2016-3981 (Heap-based buffer overflow in the 
bmp_read_rows function in pngxr
NOTE: https://sourceforge.net/p/optipng/bugs/56/
 CVE-2016-3977 (Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in 
giflib 5.1. ...)
- giflib 5.1.4-3 (bug #820526)
-   [stretch] - giflib  (Minor issue)
-   [jessie] - giflib  (Minor issue)
[wheezy] - giflib  (minor issue)
NOTE: https://sourceforge.net/p/giflib/bugs/87/
NOTE: 
https://sourceforge.net/p/giflib/code/ci/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88/
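Review bot: "[stretch]" and "[jessie]" are dropped as ELTS entries but the "[wheezy]" line stays; if the ELTS tracker no longer carries wheezy that is fine, but then "drop ELTS entries" in the commit message is imprecise and could say "stretch/jessie". The surviving line also spells "minor issue" in lowercase while every other annotation in the file uses "Minor issue"; since the entry is being edited anyway, normalising it costs nothing.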
@@ -413557,12 +413547,13 @@ CVE-2015-8786 (The Management plugin in RabbitMQ 
before 3.6.1 allows remote auth
NOTE: https://github.com/rabbitmq/rabbitmq-management/issues/97
 CVE-2016- [out of bound read and write issues]
- giflib 5.1.4-0.1 (bug #820594)
-   [jessie] - giflib  (Minor issue)
+   [jessie] - giflib  (unimportant)
[wheezy] - giflib  (Minor issue)
[squeeze] - giflib  (Minor issue)
NOTE: http://sourceforge.net/p/giflib/bugs/82/
NOTE: CVE Request: 
https://www.openwall.com/lists/oss-security/2016/01/26/5
NOTE: 
http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/
+   NOTE: Specific to gif2rgb. Crash in CLI tool, no security impact
 CVE-2016-2073 (The htmlParseNameComplex function in HTMLparser.c in libxml2 
allows at ...)
{DSA-3593-1 DLA-503-1}
- libxml2 2.9.3+dfsg1-1.1 (bug #812807)
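Review bot: the new NOTE "Specific to gif2rgb. Crash in CLI tool, no security impact" is a statement about the issue as a whole, yet only the "[jessie]" annotation changes to "unimportant" while the "[wheezy]" and "[squeeze]" lines still say "Minor issue" and the main "- giflib 5.1.4-0.1 (bug #820594)" line carries no severity at all. The CVE-2020-23922 entry touched earlier in this commit shows the form "(unimportant; bug #988151)" on the main line; using it here would make the entry self-consistent instead of encoding the verdict in one release annotation, which the message admits was chosen only because the ELTS tracker cannot be triaged directly.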


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 Dec 2022] DLA-3223-1 giflib - security update
+   {CVE-2018-11490 CVE-2019-15133}

[Git][security-tracker-team/security-tracker][master] issue DLA-3214-1 for libraw

2022-11-30 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
245c2a39 by Helmut Grohne at 2022-11-30T21:56:35+01:00
issue DLA-3214-1 for libraw

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -163032,7 +163032,7 @@ CVE-2020-24890 (** DISPUTED ** libraw 20.0 has a null 
pointer dereference vulner
NOTE: https://github.com/LibRaw/LibRaw/issues/335#issuecomment-677637276
 CVE-2020-24889 (A buffer overflow vulnerability in LibRaw version  20.0 
LibRaw::Ge ...)
- libraw 0.20.2-1
-   [buster] - libraw  (Minor issue)
+   [buster] - libraw  (Hassleblad data parser added in 0.20)
[stretch] - libraw  (Vulnerable code not present)
NOTE: https://github.com/LibRaw/LibRaw/issues/334
NOTE: 
https://github.com/LibRaw/LibRaw/commit/78d323ecbe6a9752aee6e97118a76d40704d73ee
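Review bot: the new "[buster]" rationale misspells the vendor: "Hassleblad" should be "Hasselblad". The reasoning itself holds against the visible data (the parser was added in 0.20 and buster ships 0.19.2 per the DLA-3214-1 entry in data/DLA/list), and it matches the stretch line "Vulnerable code not present"; wording the two releases the same way would make it obvious they rest on the same fact.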
@@ -183716,7 +183716,6 @@ CVE-2020-15504 (A SQL injection vulnerability in the 
user and admin web interfac
 CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. 
This affect ...)
[experimental] - libraw 0.20.0-1
- libraw 0.20.0-4 (bug #964747)
-   [buster] - libraw  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477
NOTE: 
https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d
 CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for 
Android,  ...)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Nov 2022] DLA-3214-1 libraw - security update
+   {CVE-2020-15503}
+   [buster] - libraw 0.19.2-2+deb10u2
 [29 Nov 2022] DLA-3213-1 krb5 - security update
{CVE-2022-42898}
[buster] - krb5 1.17-3+deb10u5


=
data/dla-needed.txt
=
@@ -121,10 +121,6 @@ libpgjava
   NOTE: 20221128: Please check, whether CVE-2022-41946 affects modern systems 
(gladk).
   NOTE: 20221128: If not - please mark it as  (gladk).
 --
-libraw
-  NOTE: 20221129: Programming language: C++.
-  NOTE: 20221129: VCS: https://salsa.debian.org/lts-team/packages/libraw.git
---
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/245c2a3955a3dafe6de3d55f4c41da07cff276c1



[Git][security-tracker-team/security-tracker][master] libraw ELTS triage

2022-11-28 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7246062f by Helmut Grohne at 2022-11-28T19:36:10+01:00
libraw ELTS triage

Yeah, this doesn't really belong here. However, we need to remove
conflicting declarations to allow adding them to the elts tracker
without messing up the database. This is the bulk of changes.

I'm also adding commit references as this is independent of ELTS.

Beyond this, two earlier DLAs have a wrong CVE list. DLA-2903-1 did not
fix CVE-2017-16909. It contains a CVE-2017-16909.patch, which fixes a
different vulnerability. DLA-1734-1 missed CVE-2018-5807 and
CVE-2018-5810, which are fixed by the same commit that fixes
CVE-2018-5808.

Except for the commit id notes, none of this can be fixed in the elts
tracker.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -183005,7 +183005,6 @@ CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a 
thumbnail size range check. This
[experimental] - libraw 0.20.0-1
- libraw 0.20.0-4 (bug #964747)
[buster] - libraw  (Minor issue)
-   [stretch] - libraw  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477
NOTE: 
https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d
 CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for 
Android,  ...)
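Review bot: removing "[stretch] - libraw (Vulnerable code not present)" deletes a not-affected statement that was correct for this tracker, solely to avoid a conflict with the ELTS tracker; that reason exists only in the commit message, so a later reader of data/CVE/list sees the stretch status silently vanish and may re-triage it. A one-line NOTE on the affected entries saying that stretch is tracked in the ELTS tracker, or a pointer in the tracker's own documentation, would preserve the trail without reintroducing the conflicting declaration.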
@@ -306475,15 +306474,11 @@ CVE-2018-10530
RESERVED
 CVE-2018-10529 (An issue was discovered in LibRaw 0.18.9. There is an 
out-of-bounds re ...)
- libraw 0.18.11-1 (low; bug #897186)
-   [stretch] - libraw  (Vulnerable code not present)
-   [jessie] - libraw  (Minor issue)
[wheezy] - libraw  (Minor issue)
NOTE: 
https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c
NOTE: https://github.com/LibRaw/LibRaw/issues/144
 CVE-2018-10528 (An issue was discovered in LibRaw 0.18.9. There is a 
stack-based buffe ...)
- libraw 0.18.11-1 (low; bug #897185)
-   [stretch] - libraw  (Vulnerable code not present)
-   [jessie] - libraw  (Minor issue)
[wheezy] - libraw  (Minor issue)
NOTE: 
https://github.com/LibRaw/LibRaw/commit/895529fc2f2eb8bc633edd6b04b5b237eb4db564
NOTE: https://github.com/LibRaw/LibRaw/issues/144
@@ -319914,8 +319909,8 @@ CVE-2018-5816 (An integer overflow error within the 
"identify()" function (inter
 CVE-2018-5815 (An integer overflow error within the "parse_qt()" function 
(internal/d ...)
{DLA-2903-1}
- libraw 0.18.13-1 (low)
-   [jessie] - libraw  (Minor issue)
NOTE: http://seclists.org/bugtraq/2018/Jul/58
+   NOTE: 
https://github.com/LibRaw/LibRaw/commit/1334647862b0c90b2e8cb2f668e66627d9517b17
 CVE-2018-5814 (In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, 
and 4.4. ...)
{DLA-1423-1 DLA-1422-1}
- linux 4.16.12-1
@@ -319925,7 +319920,6 @@ CVE-2018-5814 (In the Linux Kernel before version 
4.16.11, 4.14.43, 4.9.102, and
 CVE-2018-5813 (An error within the "parse_minolta()" function (dcraw/dcraw.c) 
in LibR ...)
{DLA-2903-1}
- libraw 0.18.11-1 (low)
-   [jessie] - libraw  (Minor issue)
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-13/
 CVE-2018-5812 (An error within the "nikon_coolscan_load_raw()" function 
(internal/dcr ...)
{DLA-2903-1}
@@ -319942,6 +319936,7 @@ CVE-2018-5810 (An error within the 
"rollei_load_raw()" function (internal/dcraw_
- libraw 0.18.11-1
[jessie] - libraw  (Minor issue)
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/
+   NOTE: 
https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9
 CVE-2018-5809 (An error within the "LibRaw::parse_exif()" function 
(internal/dcraw_co ...)
- libraw 0.18.11-1
[stretch] - libraw  (Vulnerable code not present)
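Review bot: the commit message states that DLA-1734-1 missed CVE-2018-5810 and that it shares its fix with CVE-2018-5808, but the hunk only adds the commit NOTE fd6330292501983ac75fe4162275794b18445bd9 and leaves the "[jessie] (Minor issue)" line and the DLA references untouched. data/DLA/list is in this commit's file list but its hunk is not visible here; if the DLA-1734-1 CVE list was amended there, a matching "{DLA-1734-1}" line should appear on this entry, and if it was not, a NOTE recording that the fix shipped in DLA-1734-1 together with CVE-2018-5808 is the minimum needed to make the entry agree with the message.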
@@ -319958,21 +319953,22 @@ CVE-2018-5807 (An error within the 
"samsung_load_raw()" function (internal/dcraw
- libraw 0.18.11-1
[jessie] - libraw  (Minor issue)
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/
+   NOTE: 
https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9
 CVE-2018-5806 (An error within the "leaf_hdr_load_raw()" function 
(internal/dcraw_com ...)
{DLA-2903-1}
- libraw 0.18.8-1 (low)
-   [jessie] - libraw  (Minor issue)
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03
+   NOTE: 
https://github.com/LibRaw/LibRaw/commit/9f26ce37f5be86ea11bfc6831366558650b1f6ff
 CVE-2018-5805 (A boundary error within the "quicktake_100_load_raw()" function 
(inter ...)
{DLA-2903-1}
- libraw 0.18.8-1 (low)
-   [jessie] - libraw  (Minor issue)
NOTE: 

[Git][security-tracker-team/security-tracker][master] CVE-2017-16909: fix commit id of patch

2022-11-27 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27b04511 by Helmut Grohne at 2022-11-28T08:32:04+01:00
CVE-2017-16909: fix commit id of patch

I've also re-checked buster to really be fixed. The code has been
significantly redone and includes the necessary checks. Later releases
will be fixed as well.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -336749,7 +336749,7 @@ CVE-2017-16909 (An error related to the 
"LibRaw::panasonic_load_raw()" function
[jessie] - libraw  (Minor issue)
[wheezy] - libraw  (Minor issue)
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19
-   NOTE: 
https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e
+   NOTE: 
https://github.com/LibRaw/LibRaw/commit/f1394822a0152ceed77815eafa5cac4e8baab10a
 CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field 
during crea ...)
{DLA-2350-1}
- php-horde-kronolith 4.2.24-1 (bug #909738)
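Review bot: the NOTE swaps commit 2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e for f1394822a0152ceed77815eafa5cac4e8baab10a without recording why; the commit message says the old id was wrong and that buster was re-verified as fixed, so a NOTE such as "2f59bac5 addresses a different issue; buster re-checked and fixed" would keep the old reference from being reintroduced by the next person who finds it in a DLA patch name. The "[jessie]" and "[wheezy]" "Minor issue" lines are untouched, which is fine since the id fix does not change their status.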



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27b045113279caaaf2ddecfc97a35b1377137ee0



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3204-1 for vim

2022-11-24 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c56dcc47 by Helmut Grohne at 2022-11-24T10:17:12+01:00
Reserve DLA-3204-1 for vim

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -38291,7 +38291,6 @@ CVE-2022-29890 (In affected versions of Octopus Server 
the help sidebar can be c
 CVE-2022-2000 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. 
...)
- vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)
NOTE: https://huntr.dev/bounties/f61a64e2-d163-461b-a77e-46ab38e021f0
NOTE: 
https://github.com/vim/vim/commit/44a3f3353e0407e9fffee138125a6927d1c9e7e5 
(v8.2.5063)
@@ -40093,7 +40092,6 @@ CVE-2022-1943 (A flaw out of bounds memory write in the 
Linux kernel UDF file sy
 CVE-2022-1942 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 8.2. ...)
- vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)
NOTE: https://huntr.dev/bounties/67ca4d3b-9175-43c1-925c-72a7091bc071
NOTE: 
https://github.com/vim/vim/commit/71223e2db87c2bf3b09aecb46266b56cda26191d 
(v8.2.5043)
@@ -40507,7 +40505,6 @@ CVE-2022-1898 (Use After Free in GitHub repository 
vim/vim prior to 8.2. ...)
 CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. 
...)
- vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)
NOTE: https://huntr.dev/bounties/82c12151-c283-40cf-aa05-2e39efa89118
NOTE: 
https://github.com/vim/vim/commit/338f1fc0ee3ca929387448fe464579d6113fa76a 
(v8.2.5023)
@@ -42683,7 +42680,6 @@ CVE-2022-1786 (A use-after-free flaw was found in the 
Linux kernels io_ur
 CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to 
8.2.4977. ...)
- vim 2:9.0.0135-1 (bug #1015984)
[bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)
NOTE: https://huntr.dev/bounties/8c969cba-eef2-4943-b44a-4e3089599109
NOTE: 
https://github.com/vim/vim/commit/e2bd8600b873d2cd1f9d667c28cba8b1dba18839 
(v8.2.4977)
@@ -63500,7 +63496,6 @@ CVE-2022-21154 (An integer overflow vulnerability 
exists in the fltSaveCMP funct
 CVE-2022-0392 (Heap-based Buffer Overflow in GitHub repository vim prior to 
8.2. ...)
- vim 2:8.2.4659-1
[bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
[stretch] - vim  (vulnerable code was introduced later)
NOTE: https://huntr.dev/bounties/d00a2acd-1935-4195-9d5b-4115ef6b3126
NOTE: 
https://github.com/vim/vim/commit/806d037671e133bd28a7864248763f643967973a 
(v8.2.4218)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Nov 2022] DLA-3204-1 vim - security update
+   {CVE-2022-0318 CVE-2022-0392 CVE-2022-0629 CVE-2022-0696 CVE-2022-1619 
CVE-2022-1621 CVE-2022-1785 CVE-2022-1897 CVE-2022-1942 CVE-2022-2000 
CVE-2022-2129 CVE-2022-3235 CVE-2022-3256 CVE-2022-3352}
+   [buster] - vim 2:8.1.0875-5+deb10u4
 [23 Nov 2022] DLA-3203-1 nginx - security update
{CVE-2021-3618 CVE-2022-41741 CVE-2022-41742}
[buster] - nginx 1.14.2-2+deb10u5
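Review bot: DLA-3204-1 lists 14 CVEs, but this commit removes "[buster]" annotations for only five of them (CVE-2022-0392, CVE-2022-1785, CVE-2022-1897, CVE-2022-1942, CVE-2022-2000); the other nine (CVE-2022-0318, CVE-2022-0629, CVE-2022-0696, CVE-2022-1619, CVE-2022-1621, CVE-2022-2129, CVE-2022-3235, CVE-2022-3256, CVE-2022-3352) should be checked for stale "[buster]" lines too, unless they never carried one. The commit touches only data/CVE/list, data/DLA/list and data/dla-needed.txt, so nothing else in it would have cleaned those up.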


=
data/dla-needed.txt
=
@@ -339,10 +339,6 @@ varnish
   NOTE: 20221109: Programming language: C.
   NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk)
 --
-vim (Helmut)
-  NOTE: 20221108: Programming language: C.
-  NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git
---
 virglrenderer (Thorsten Alteholz)
   NOTE: 20221009: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c56dcc47493e0659506a4d7cc7f5ff079beac948



[Git][security-tracker-team/security-tracker][master] drop ELTS annotation for vim to allow changing it in ELTS tracker

2022-11-23 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1564b16c by Helmut Grohne at 2022-11-23T11:39:16+01:00
drop ELTS annotation for vim to allow changing it in ELTS tracker

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -90090,7 +90090,6 @@ CVE-2021-3770 (vim is vulnerable to Heap-based Buffer 
Overflow ...)
- vim 2:8.2.3455-1 (bug #994076)
[bullseye] - vim 2:8.2.2434-3+deb11u1
[buster] - vim 2:8.1.0875-5+deb10u1
-   [stretch] - vim  (Vulnerable code not present)
NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
NOTE: Fixed by: 
https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 
(v8.2.3402)
NOTE: Followup fix for introduced memory leak: 
https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1b6e08e 
(v8.2.3403)
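Review bot: the hash in the follow-up fix NOTE, 2ddb89f8a94425cda1e5491efc80c1b6e08e, is 36 hex characters rather than the 40 of a full SHA-1 (compare b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 on the line above), so the reference looks truncated and should be verified against the vim repository; it is unchanged context here, but the entry is being edited anyway and a broken link in a "Fixed by" note is worth repairing in the same pass.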



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1564b16c9015e1bc4d03afcef255966277748156



[Git][security-tracker-team/security-tracker][master] triage vim CVEs

2022-11-14 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01f74ec8 by Helmut Grohne at 2022-11-14T11:48:24+01:00
triage vim CVEs

apo's vim lts upload actually fixed CVE-2021-3872, but he forgot
to mention it.

Add a number of not-affected annotations for buster and sometimes bullseye.

Remove two stretch annotations to avoid conflicts with the ELTS tracker.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -18497,6 +18497,7 @@ CVE-2022-3038 (Use after free in Network Service in 
Google Chrome prior to 105.0
[buster] - chromium  (see DSA 5046)
 CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0322. 
...)
- vim 2:9.0.0626-1 (bug #1019590)
+   [buster] - vim  (quickfixtextfunc added in 8.2.0869)
NOTE: https://huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5
NOTE: 
https://github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb 
(v9.0.0322)
 CVE-2022-3036 (The Gettext override translations WordPress plugin before 2.0.0 
does n ...)
@@ -19307,6 +19308,7 @@ CVE-2022-2983
RESERVED
 CVE-2022-2982 (Use After Free in GitHub repository vim/vim prior to 9.0.0260. 
...)
- vim 2:9.0.0626-1 (bug #1019590)
+   [buster] - vim  (quickfixtextfunc added in 8.2.0869)
NOTE: https://huntr.dev/bounties/53f53d9a-ba8a-4985-b7ba-23efbe6833be
NOTE: 
https://github.com/vim/vim/commit/d6c67629ed05aae436164eec474832daf8ba7420 
(v9.0.0260)
 CVE-2022-2981 (The Download Monitor WordPress plugin before 4.5.98 does not 
ensure th ...)
@@ -24133,6 +24135,8 @@ CVE-2022-2581 (Out-of-bounds Read in GitHub repository 
vim/vim prior to 9.0.0104
NOTE: Crash in CLI tool, no security impact
 CVE-2022-2580 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.0 ...)
- vim 2:9.0.0135-1
+   [bullseye] - vim  (interpolation introduced in 8.2.4930)
+   [buster] - vim  (interpolation introduced in 8.2.4930)
NOTE: https://huntr.dev/bounties/c5f2f1d4-0441-4881-b19c-055acaa16249/
NOTE: 
https://github.com/vim/vim/commit/1e56bda9048a9625bce6e660938c834c5c15b07d 
(v9.0.0104)
 CVE-2022-2579 (A vulnerability, which was classified as problematic, was found 
in Sou ...)
@@ -29718,6 +29722,8 @@ CVE-2022-2289 (Use After Free in GitHub repository 
vim/vim prior to 9.0. ...)
NOTE: Crash in CLI tool, no security impact
 CVE-2022-2288 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. 
...)
- vim 2:9.0.0135-1 (bug #1015984)
+   [bullseye] - vim  (vulnerable code introduced in 8.2.4763)
+   [buster] - vim  (vulnerable code introduced in 8.2.4763)
NOTE: https://huntr.dev/bounties/a71bdcb7-4e9b-4650-ab6a-fe8e3e9852ad/
NOTE: 
https://github.com/vim/vim/commit/c6fdb15d423df22e1776844811d082322475e48a 
(v9.0.0025)
 CVE-2022-34910
@@ -44910,8 +44916,7 @@ CVE-2022-1421 (The Discy WordPress theme before 5.2 
lacks CSRF checks in some AJ
 CVE-2022-1420 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim 
prior  ...)
- vim 2:8.2.4793-1
[bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
-   [stretch] - vim  (Vulnerable code not present)
+   [buster] - vim  (method call operator -> introduced in 
8.1.1803)
NOTE: https://huntr.dev/bounties/a4323ef8-90ea-4e1c-90e9-c778f0ecf326
NOTE: 
https://github.com/vim/vim/commit/8b91e71441069b1dde9ac9ff9d9a829b1b4aecca 
(v8.2.4774)
 CVE-2021-46784 (In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 
5.6, due ...)
@@ -45374,9 +45379,8 @@ CVE-2022-29404 (In Apache HTTP Server 2.4.53 and 
earlier, a malicious request to
NOTE: 
https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc
 CVE-2022-1381 (global heap buffer overflow in skip_range in GitHub repository 
vim/vim ...)
- vim 2:8.2.4793-1
-   [bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
-   [stretch] - vim  (Vulnerable code not present)
+   [bullseye] - vim  (affects visual range prasing, which 
was added in 8.2.4633)
+   [buster] - vim  (affects visual range prasing, which was 
added in 8.2.4633)
NOTE: https://huntr.dev/bounties/55f9c0e8-c221-48b6-a00e-bdcaebaba4a4/
NOTE: 
https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47 
(v8.2.4763)
 CVE-2022-29403
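Review bot: both new annotations misspell "parsing" as "prasing"; the text is otherwise identical for bullseye and buster, so fix it in both lines. The version reasoning is sound against the data visible on this page: the fix is in v8.2.4763 and the affected code was added in 8.2.4633, neither of which buster (2:8.1.0875) or bullseye (2:8.2.2434) contains, so dropping the "Minor issue" annotations in favour of not-affected is the right direction.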
@@ -66103,6 +66107,7 @@ CVE-2021-46163 (Kentico Xperience 13.0.44 allows XSS 
via an XML document to the
NOT-FOR-US: Kentico Xperience CMS
 CVE-2022-0156 (vim is vulnerable to Use After Free ...)
- vim 2:8.2.4659-1 (unimportant)
+   [buster] - vim  (vim9script functionality not present in 
buster and earlier)
NOTE: https://huntr.dev/bounties/47dded34-3767-4725-8c7c-9dcb68c70b36
NOTE: 

[Git][security-tracker-team/security-tracker][master] claim vim dla

2022-11-10 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
023a0626 by Helmut Grohne at 2022-11-10T12:30:50+01:00
claim vim dla

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -299,7 +299,7 @@ varnish
   NOTE: 20221109: Programming language: C.
   NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk)
 --
-vim
+vim (Helmut)
   NOTE: 20221108: Programming language: C.
   NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git
 --
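Review bot: the claim uses a bare first name, "vim (Helmut)", while other entries in the same file use full names ("virglrenderer (Thorsten Alteholz)") or a dated NOTE with a nick ("(zigo/maintainer)"); using the file's usual form avoids ambiguity about who holds the package when several people share a first name.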



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/023a0626fb934a8b7a2093939b6bd07503469167



[Git][security-tracker-team/security-tracker][master] delete more conflicting glibc elts annotations

2022-11-10 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
67cfa5eb by Helmut Grohne at 2022-11-10T12:23:26+01:00
delete more conflicting glibc elts annotations

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -206128,7 +206128,6 @@ CVE-2020-6097 (An exploitable denial of service 
vulnerability exists in the atft
 CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the 
ARMv7 mem ...)
{DLA-3152-1}
- glibc 2.31-2 (low; bug #961452)
-   [stretch] - glibc  (Minor issue)
[jessie] - glibc  (Vulnerable code not present)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019
@@ -260712,8 +260711,6 @@ CVE-2019-6501 (In QEMU 3.1, scsi_handle_inquiry_reply 
in hw/scsi/scsi-generic.c
NOTE: vulnerability not present prior 2.12.50
 CVE-2016-10739 (In the GNU C Library (aka glibc or libc6) through 2.28, the 
getaddrinf ...)
- glibc 2.28-6 (bug #920047)
-   [stretch] - glibc  (Minor issue)
-   [jessie] - glibc  (Minor issue)
- eglibc 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1347549
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20018
@@ -367666,7 +367663,6 @@ CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices 
with firmware through 10.0.0.
 CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 
2.31 and e ...)
{DLA-3152-1}
- glibc 2.31-3 (low; bug #856503)
-   [jessie] - glibc  (Minor issue)
- eglibc 
[wheezy] - eglibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19519
@@ -411831,7 +411827,6 @@ CVE-2014-9762 (imlib2 before 1.4.7 allows remote 
attackers to cause a denial of
 CVE-2014-9761 (Multiple stack-based buffer overflows in the GNU C Library (aka 
glibc  ...)
{DLA-411-1}
- glibc 2.23-1 (bug #813187)
-   [jessie] - glibc  (Minor issue)
- eglibc 
[wheezy] - eglibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16962
@@ -425222,7 +425217,6 @@ CVE-2015-5181 (The JBoss console in A-MQ allows 
remote attackers to execute arbi
NOT-FOR-US: A-MQ's Hawtio console
 CVE-2015-5180 (res_query in libresolv in glibc before 2.25 allows remote 
attackers to ...)
- glibc 2.24-9 (low; bug #796106)
-   [jessie] - glibc  (Minor issue, too intrusive to backport)
- eglibc  (low)
[wheezy] - eglibc  (Minor issue)
[squeeze] - eglibc  (Minor issue)
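Review bot: the removed "[jessie]" line carried a substantive reason, "Minor issue, too intrusive to backport", beyond the generic "Minor issue" seen on the other removals in this commit; if the ELTS tracker is now authoritative for jessie, make sure that rationale was carried over there before it disappears from this file, because the surviving "[wheezy]" and "[squeeze]" lines say only "Minor issue" and give no hint that a backport was considered and rejected.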



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67cfa5eb394182d2d26fc3a9edcbaf1e1091e1be



[Git][security-tracker-team/security-tracker][master] delete glibc annotations conflicting with elts tracker

2022-11-07 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
954ccfc8 by Helmut Grohne at 2022-11-07T10:35:21+01:00
delete glibc annotations conflicting with elts tracker

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -63932,13 +63932,11 @@ CVE-2022-23219 (The deprecated compatibility function 
clnt_create in the sunrpc
{DLA-3152-1}
- glibc 2.33-3
[bullseye] - glibc 2.31-13+deb11u3
-   [stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542
 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the 
sunrpc mod ...)
{DLA-3152-1}
- glibc 2.33-3
[bullseye] - glibc 2.31-13+deb11u3
-   [stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768
 CVE-2022-23217
RESERVED
@@ -74458,7 +74456,6 @@ CVE-2021-3999 (A flaw was found in glibc. An off-by-one 
buffer overflow and unde
{DLA-3152-1}
- glibc 2.33-4
[bullseye] - glibc 2.31-13+deb11u4
-   [stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769
NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
@@ -99017,7 +99014,6 @@ CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x 
through 6.6.2 has Incorrect Acc
 CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 
2.33 may ...)
{DLA-3152-1}
- glibc 2.31-13 (bug #990542)
-   [stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
 CVE-2021-35941 (Western Digital WD My Book Live (2.x and later) and WD My Book 
Live Du ...)
@@ -104600,7 +104596,6 @@ CVE-2021-33574 (The mq_notify function in the GNU C 
Library (aka glibc) versions
[experimental] - glibc 2.32-0experimental0
- glibc 2.32-1 (bug #989147)
[bullseye] - glibc 2.31-13+deb11u3
-   [stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091
@@ -123608,7 +123603,6 @@ CVE-2021-26273 (The Agent in NinjaRMM 5.0.909 has 
Incorrect Access Control. ...)
 CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 
2.32 and  ...)
{DLA-3152-1}
- glibc 2.31-10 (bug #981198)
-   [stretch] - glibc  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2146
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256
NOTE: 
https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html
@@ -135695,7 +135689,6 @@ CVE-2020-35931 (An issue was discovered in Foxit 
Reader before 10.1.1 (and befor
 CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) 
through 2. ...)
{DLA-3152-1}
- glibc 2.31-9 (bug #979273)
-   [stretch] - glibc  (Minor issue; can be fixed in next update)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973
NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b
 CVE-2019-25012 (The Webform Report project 7.x-1.x-dev for Drupal allows 
remote attack ...)
@@ -152223,7 +152216,6 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the 
Lib/test/multibytecodec_support.p
 CVE-2020-27618 (The iconv function in the GNU C Library (aka glibc or libc6) 
2.32 and  ...)
{DLA-3152-1}
- glibc 2.31-5 (bug #973914)
-   [stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26224
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5
 CVE-2020-27617 (eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS 
users to t ...)
@@ -195790,8 +195782,6 @@ CVE-2020-10030 (An issue has been found in PowerDNS 
Recursor 4.1.0 up to and inc
 CVE-2020-10029 (The GNU C Library (aka glibc or libc6) before 2.32 could 
overflow an o ...)
{DLA-3152-1}
- glibc 2.30-1 (bug #953108)
-   [stretch] - glibc  (Minor issue)
-   [jessie] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25487
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9333498794cde1d5cca518badf79533a24114b6f
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c10acd40262486dac597001aecc20ad9d3bd0e4a
@@ -218183,8 +218173,6 @@ CVE-2020-1753 (A security flaw was found 

[Git][security-tracker-team/security-tracker][master] Reserve DLA-3152-1 for glibc

2022-10-17 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
24ec254d by Helmut Grohne at 2022-10-17T17:39:19+02:00
Reserve DLA-3152-1 for glibc

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -55590,13 +55590,11 @@ CVE-2022-23222 (kernel/bpf/verifier.c in the Linux 
kernel through 5.15.14 allows
 CVE-2022-23219 (The deprecated compatibility function clnt_create in the 
sunrpc module ...)
- glibc 2.33-3
[bullseye] - glibc 2.31-13+deb11u3
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542
 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the 
sunrpc mod ...)
- glibc 2.33-3
[bullseye] - glibc 2.31-13+deb11u3
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768
 CVE-2022-23217
@@ -66139,7 +66137,6 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection 
to Untrusted Site ...)
 CVE-2021-3999 (A flaw was found in glibc. An off-by-one buffer overflow and 
underflow ...)
- glibc 2.33-4
[bullseye] - glibc 2.31-13+deb11u4
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769
NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4
@@ -90646,7 +90643,6 @@ CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x 
through 6.6.2 has Incorrect Acc
NOT-FOR-US: Couchbase Server
 CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 
2.33 may ...)
- glibc 2.31-13 (bug #990542)
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
@@ -96227,7 +96223,6 @@ CVE-2021-33574 (The mq_notify function in the GNU C 
Library (aka glibc) versions
[experimental] - glibc 2.32-0experimental0
- glibc 2.32-1 (bug #989147)
[bullseye] - glibc 2.31-13+deb11u3
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
@@ -111866,7 +111861,6 @@ CVE-2021-27646 (Use After Free vulnerability in 
iscsi_snapshot_comm_core in Syno
NOT-FOR-US: Synology
 CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka 
glibc o ...)
- glibc 2.31-10 (bug #983479)
-   [buster] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462
NOTE: Introduced by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1
 (glibc-2.29)
NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673
@@ -115235,7 +115229,6 @@ CVE-2021-26273 (The Agent in NinjaRMM 5.0.909 has 
Incorrect Access Control. ...)
NOT-FOR-US: NinjaRMM
 CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 
2.32 and  ...)
- glibc 2.31-10 (bug #981198)
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2146
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256
@@ -127324,7 +127317,6 @@ CVE-2020-35931 (An issue was discovered in Foxit 
Reader before 10.1.1 (and befor
NOT-FOR-US: Foxit Reader
 CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) 
through 2. ...)
- glibc 2.31-9 (bug #979273)
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue; can be fixed in next update)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973
NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b
@@ -143848,7 +143840,6 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the 
Lib/test/multibytecodec_support.p
NOTE: Only affects the testsuite
 CVE-2020-27618 (The iconv function in the GNU C Library (aka glibc or libc6) 
2.32 and  ...)
- glibc 2.31-5 (bug #973914)
-   [buster] - glibc  (Minor issue)
[stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26224
NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5
@@ -187428,7 +187419,6 @@ CVE-2020-10030 (An issue has been found in PowerDNS 
Recursor 4.1.0 up to and inc
NOTE: Non exploitable on Linux
 

[Git][security-tracker-team/security-tracker][master] drop glibc annotations relevant to ELTS

2022-10-17 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7e2cfc0f by Helmut Grohne at 2022-10-17T12:22:40+02:00
drop glibc annotations relevant to ELTS

I talked this through with Emilio: We cannot presently override these in
the ELTS tracker (due to failing uniqueness constraints). Changing them
here is not appropriate. Thus delete them here and add them in the ELTS
tracker.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -111867,7 +111867,6 @@ CVE-2021-27646 (Use After Free vulnerability in 
iscsi_snapshot_comm_core in Syno
 CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka 
glibc o ...)
- glibc 2.31-10 (bug #983479)
[buster] - glibc  (Minor issue)
-   [stretch] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462
NOTE: Introduced by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1
 (glibc-2.29)
NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673
@@ -209832,8 +209831,6 @@ CVE-2020-1752 (A use-after-free vulnerability 
introduced in glibc upstream versi
 CVE-2020-1751 (An out-of-bounds write vulnerability was found in glibc before 
2.31 wh ...)
- glibc 2.30-3
[buster] - glibc  (powerpc is not supported by LTS)
-   [stretch] - glibc  (powerpc is not supported by ELTS)
-   [jessie] - glibc  (powerpc is not supported by ELTS)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25423
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494
 CVE-2020-1750 (A flaw was found in the machine-config-operator that causes an 
OpenShi ...)
@@ -245219,8 +245216,6 @@ CVE-2009-5155 (In the GNU C Library (aka glibc or 
libc6) before 2.28, parse_reg_
[stretch] - gnulib  (Minor issue)
[jessie] - gnulib  (Minor issue)
- glibc 2.28-1
-   [stretch] - glibc  (Minor issue)
-   [jessie] - glibc  (Minor issue)
- eglibc 
NOTE: 
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793
@@ -292574,7 +292569,6 @@ CVE-2018-11238
 CVE-2018-11237 (An AVX-512-optimized implementation of the mempcpy function in 
the GNU ...)
- glibc 2.27-4 (low; bug #899070)
[stretch] - glibc 2.24-11+deb9u4
-   [jessie] - glibc  (Minor issue, can be fixed along in future 
DSA or point update)
- eglibc 
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23196
 CVE-2018-11236 (stdlib/canonicalize.c in the GNU C Library (aka glibc or 
libc6) 2.27 a ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2cfc0fdf68e106cc5750b597b6e935b1d726eb



[Git][security-tracker-team/security-tracker][master] ignore CVE-2020-1751 in glibc as LTS does not support powerpc

2022-10-07 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28563bd5 by Helmut Grohne at 2022-10-07T21:04:18+02:00
ignore CVE-2020-1751 in glibc as LTS does not support powerpc

Please don't scream at me for updating stretch and jessie in the main
tracker. If I were to leave these untouched here and change them in the
elts tracker, in the best case, it would ignore the updates and keep
displaying no-dsa. In the worst case, it would reject the data failing
some uniqueness check. Been there on Tuesday...

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -208287,9 +208287,9 @@ CVE-2020-1752 (A use-after-free vulnerability 
introduced in glibc upstream versi
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c
 CVE-2020-1751 (An out-of-bounds write vulnerability was found in glibc before 
2.31 wh ...)
- glibc 2.30-3
-   [buster] - glibc  (Minor issue)
-   [stretch] - glibc  (Minor issue)
-   [jessie] - glibc  (Minor issue)
+   [buster] - glibc  (powerpc is not supported by LTS)
+   [stretch] - glibc  (powerpc is not supported by ELTS)
+   [jessie] - glibc  (powerpc is not supported by ELTS)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25423
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494
 CVE-2020-1750 (A flaw was found in the machine-config-operator that causes an 
OpenShi ...)
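Review bot: the [stretch] and [jessie] lines rewritten in this hunk are deleted again by commit 7e2cfc0f later on this page, once the ELTS tracker could carry them; since the commit message already anticipates the uniqueness-check conflict between the two trackers, changing only the [buster] line here and deleting the two ELTS lines outright would have been the smaller change and avoided the churn.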



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28563bd510f9a698beddd397d9cae53586a0a5da



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim glib.

2022-10-07 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12ee2b42 by Helmut Grohne at 2022-10-07T09:29:56+02:00
data/dla-needed.txt: Claim glib.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -52,7 +52,7 @@ gajim
 gerbv
   NOTE: 20220923: Programming language: C.
 --
-glibc
+glibc (Helmut Grohne)
   NOTE: 20220913: Programming language: C, Assembly.
   NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and 
Debian 11.5 (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12ee2b4223ac0ba3c267b5aa567938cbc31c37d1



[Git][security-tracker-team/security-tracker][master] issue DLA-3133-1 for lighttpd fixing CVE-2022-37797

2022-10-03 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8caef9cb by Helmut Grohne at 2022-10-03T09:48:48+02:00
issue DLA-3133-1 for lighttpd fixing CVE-2022-37797

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[03 Oct 2022] DLA-3133-1 lighttpd - security update
+   {CVE-2022-37797}
+   [buster] - lighttpd 1.4.53-4+deb10u3
 [02 Oct 2022] DLA-3132-1 snakeyaml - security update
{CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751}
[buster] - snakeyaml 1.23-1+deb10u1


=
data/dla-needed.txt
=
@@ -77,9 +77,6 @@ kopanocore
 --
 libdatetime-timezone-perl (Emilio)
 --
-lighttpd (Helmut Grohne)
-  NOTE: 20220928: Programming language: C.
---
 linux (Ben Hutchings)
 --
 mbedtls (Utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8caef9cb2f7994a4eb6247ae99773baa1b70fb60



[Git][security-tracker-team/security-tracker][master] triage/fix lighttpd CVEs in buster

2022-10-03 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f81458e3 by Helmut Grohne at 2022-10-03T08:11:06+02:00
triage/fix lighttpd CVEs in buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1088,6 +1088,7 @@ CVE-2022-41556 [handle RDHUP when collecting chunked body]
RESERVED
{DSA-5243-1}
- lighttpd 1.4.67-1
+   [buster] - lighttpd  (vulnerable code inserted in 
lighttpd-1.4.55-211-gbcddbe18)
NOTE: https://github.com/lighttpd/lighttpd1.4/pull/115
NOTE: 
https://github.com/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50
 (lighttpd-1.4.67)
 CVE-2022-40690
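Review bot: the [buster] not-affected rationale in this hunk identifies the change that introduced the vulnerable code only by its git-describe string, lighttpd-1.4.55-211-gbcddbe18, which cannot be verified without a checkout; the tracker's convention elsewhere on this page is a separate `NOTE: Introduced by: <commit URL>` line (see the CVE-2021-27645 entry), so add one pointing at that upstream commit next to the existing `NOTE:` lines.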
@@ -10692,7 +10693,7 @@ CVE-2022-37798 (Tenda AC1206 V15.03.06.23 was 
discovered to contain a stack over
 CVE-2022-37797 (In lighttpd 1.4.65, mod_wstunnel does not initialize a handler 
functio ...)
{DSA-5243-1}
- lighttpd 1.4.66-1
-   [buster] - lighttpd  (Minor issue)
+   [buster] - lighttpd 1.4.53-1+deb10u3
NOTE: https://redmine.lighttpd.net/issues/3165
NOTE: 
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f
 (lighttpd-1.4.66)
 CVE-2022-37796 (In Simple Online Book Store System 1.0 in /admin_book.php the 
Title, A ...)
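Review bot: the fixed version recorded for buster in this hunk, `[buster] - lighttpd 1.4.53-1+deb10u3`, does not match the version recorded for the same fix in the DLA-3133-1 entry in data/DLA/list elsewhere on this page, `[buster] - lighttpd 1.4.53-4+deb10u3`; the two must agree for the tracker to show the CVE as fixed by that DLA, so one of them is a typo and both should be checked against the version actually uploaded.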



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f81458e34fc0ca1d6adb86b268f55a58c270c95e



[Git][security-tracker-team/security-tracker][master] claim lighttpd dla

2022-09-28 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4cc5ac84 by Helmut Grohne at 2022-09-28T21:09:09+02:00
claim lighttpd dla

I've done the DSA already and am the outgoing lighttpd maintainer.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,7 +82,7 @@ kopanocore
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
-lighttpd
+lighttpd (Helmut Grohne)
   NOTE: 20220928: Programming language: C.
 --
 linux (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cc5ac84ff7d5c686cf2ff91ad4a569fe34a76cb



[Git][security-tracker-team/security-tracker][master] libraw buster DLA-3113-1 issued

2022-09-16 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
acfccc61 by Helmut Grohne at 2022-09-16T12:29:24+02:00
libraw buster DLA-3113-1 issued

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -126025,30 +126025,38 @@ CVE-2020-35536 (In gcc, an internal compiler error 
in match_reload function at l
TODO: check
 CVE-2020-35535 (In LibRaw, there is an out-of-bounds read vulnerability within 
the "Li ...)
- libraw 0.20.0-4
+   [buster] - libraw  (sonySR2 decoder added later)
+   [stretch] - libraw  (sonySR2 decoder added later)
NOTE: https://github.com/LibRaw/LibRaw/issues/283
NOTE: 
https://github.com/LibRaw/LibRaw/commit/c243f4539233053466c1309bde606815351bee81
 (0.20-RC2)
 CVE-2020-35534 (In LibRaw, there is a memory corruption vulnerability within 
the "crxF ...)
- libraw 0.20.0-4
+   [buster] - libraw  (Canon CR3 decoder added later)
+   [stretch] - libraw  (Canon CR3 decoder added later)
NOTE: 
https://github.com/LibRaw/LibRaw/commit/e41f331e90b383e3208cefb74e006df44bf3a4b8
 (0.20-RC2)
NOTE: https://github.com/LibRaw/LibRaw/issues/279
 CVE-2020-35533 (In LibRaw, an out-of-bounds read vulnerability exists within 
the "LibR ...)
{DLA-3113-1}
- libraw 0.20.0-4
+   [buster] - libraw 0.19.2-2+deb10u1
NOTE: 
https://github.com/LibRaw/LibRaw/commit/a6937d4046a7c4742b683a04c8564605fd9be4fb
 (0.20-RC2)
NOTE: https://github.com/LibRaw/LibRaw/issues/273
 CVE-2020-35532 (In LibRaw, an out-of-bounds read vulnerability exists within 
the "simp ...)
{DLA-3113-1}
- libraw 0.20.0-4
+   [buster] - libraw 0.19.2-2+deb10u1
NOTE: 
https://github.com/LibRaw/LibRaw/commit/5ab45b085898e379fedc6b113e2e82a890602b1e
 (0.20-RC2)
NOTE: https://github.com/LibRaw/LibRaw/issues/271
 CVE-2020-35531 (In LibRaw, an out-of-bounds read vulnerability exists within 
the get_h ...)
{DLA-3113-1}
- libraw 0.20.0-4
+   [buster] - libraw 0.19.2-2+deb10u1
NOTE: 
https://github.com/LibRaw/LibRaw/commit/d75af00681a74dcc8b929207eb895611a6eceb68
 (0.20-RC2)
NOTE: https://github.com/LibRaw/LibRaw/issues/270
 CVE-2020-35530 (In LibRaw, there is an out-of-bounds write vulnerability 
within the "n ...)
{DLA-3113-1}
- libraw 0.20.0-4
+   [buster] - libraw 0.19.2-2+deb10u1
NOTE: 
https://github.com/LibRaw/LibRaw/commit/11c4db253ef2c9bb44247b578f5caa57c66a1eeb
 (0.20-RC2)
NOTE: https://github.com/LibRaw/LibRaw/issues/272
 CVE-2020-35529


=
data/dla-needed.txt
=
@@ -69,9 +69,6 @@ kopanocore
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
-libraw (Helmut Grohne)
-  NOTE: 20220904: Programming language: C++.
---
 linux (Ben Hutchings)
 --
 mako



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acfccc6158c3d493c7d3b4132f852f570a0a0df5



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3113-1 for libraw

2022-09-16 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cbd88e5 by Helmut Grohne at 2022-09-16T09:43:05+02:00
Reserve DLA-3113-1 for libraw

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[16 Sep 2022] DLA-3113-1 libraw - security update
+   {CVE-2020-35530 CVE-2020-35531 CVE-2020-35532 CVE-2020-35533}
+   [buster] - libraw 0.19.2-2+deb10u1
 [16 Sep 2022] DLA-3112-1 bzip2 - bugfix update
[buster] - bzip2 1.0.6-9.2~deb10u2
 [15 Sep 2022] DLA-3111-1 mod-wsgi - security update



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cbd88e588dc669d97d49eaba84371c4722e8001



[Git][security-tracker-team/security-tracker][master] lts: claim libraw

2022-09-15 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d79b56a by Helmut Grohne at 2022-09-16T07:56:34+02:00
lts: claim libraw

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -72,7 +72,7 @@ kopanocore
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
-libraw
+libraw (Helmut Grohne)
   NOTE: 20220904: Programming language: C++.
 --
 linux (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d79b56afbd7ee223071917277eb6191d31a898c



[Git][security-tracker-team/security-tracker][master] flag wkhtmltopdf CVE-2022-35583 unimportant

2022-08-31 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b46b41cc by Helmut Grohne at 2022-08-31T13:43:11+02:00
flag wkhtmltopdf CVE-2022-35583 unimportant

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -9126,9 +9126,10 @@ CVE-2022-35585 (A stored cross-site scripting (XSS) 
issue in the ForkCMS version
 CVE-2022-35584
RESERVED
 CVE-2022-35583 (wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an 
attacker to g ...)
-   - wkhtmltopdf 
+   - wkhtmltopdf  (unimportant)
NOTE: 
https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently
NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5249
+   NOTE: By design, wkhtmltopdf retrieves external resources. If it is 
employed inside a protected network in an automated way, a malicious actor may 
access internal resources. A user of wkhtmltopdf should restrict such access.
 CVE-2022-35582
RESERVED
 CVE-2022-35581


=
data/dla-needed.txt
=
@@ -87,10 +87,6 @@ upx-ucl (Thorsten Alteholz)
   NOTE: 20220820: Programming language: C.
   NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb)
 --
-wkhtmltopdf
-  NOTE: 20220819: Programming language: C++.
-  NOTE: 20220830: No progress yet, upstream
---
 zlib (Emilio)
   NOTE: 20220813: Programming language: C.
   NOTE: 20220813: VCS: https://salsa.debian.org/lts-team/packages/zlib/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b46b41ccb8af865460ef2c1923833d64edd48fe1



[Git][security-tracker-team/security-tracker][master] dla: release openscad, unimportant

2022-06-26 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
034e1230 by Helmut Grohne at 2022-06-26T21:54:55+02:00
dla: release openscad, unimportant

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -210,10 +210,11 @@ ompl
   NOTE: 20220622: Programming language: C++.
   NOTE: 20220622: CVE-2021-42218 and CVE-2021-41490 are fixed in upstream git, 
memory leaks, unimportant
 --
-openscad (Helmut Grohne)
+openscad
   NOTE: 20220529: Programming language: C++.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.12 (1 CVE) 
(Beuc/front-desk)
   NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc 
(Beuc/front-desk)
+  NOTE: 20220626: Utkarsh said, we won't fix this. Fixed packages at 
https://subdivi.de/~helmut/openscad_lts/
 --
 pam-u2f (Andreas Rönnquist)
   NOTE: 20220529: Programming language: C.
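Review bot: the 20220626 NOTE added in this hunk records that the issue will not be fixed, yet the openscad block stays in dla-needed.txt with only the claimant removed; either drop the block (the file tracks updates still to be done) or state in the NOTE what remains to be decided, otherwise the next front-desk pass will re-triage an entry that has already been closed.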



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/034e12308e3902ebec6797b84a1f360d08f0fac3



[Git][security-tracker-team/security-tracker][master] 2 commits: ompl dla seems unimportant, memory leaks only

2022-06-22 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f8d47a16 by Helmut Grohne at 2022-06-22T22:51:54+02:00
ompl dla seems unimportant, memory leaks only

- - - - -
0f4069f7 by Helmut Grohne at 2022-06-22T22:52:41+02:00
claim openscad in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -202,8 +202,10 @@ nvidia-graphics-drivers
   NOTE: 20220209: backport (apo)
 --
 ompl
+  NOTE: 20220622: Programming language: C++.
+  NOTE: 20220622: CVE-2021-42218 and CVE-2021-41490 are fixed in upstream git, 
memory leaks, unimportant
 --
-openscad
+openscad (Helmut Grohne)
   NOTE: 20220529: Programming language: C++.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.12 (1 CVE) 
(Beuc/front-desk)
   NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc 
(Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1c777c23beccd0b10babda4ce4c683a4b90f09ea...0f4069f73f25a38b445c627c7a4e8f9054d5fefa



[Git][security-tracker-team/security-tracker][master] CVE-2022-30780/lighttpd not affected

2022-06-20 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d0890ff by Glenn Strauss at 2022-06-20T08:29:04+02:00
CVE-2022-30780/lighttpd not affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8388,6 +8388,8 @@ CVE-2022-30781 (Gitea before 1.16.7 does not escape git 
fetch remote. ...)
- gitea 
 CVE-2022-30780 (Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to 
cause a den ...)
- lighttpd 1.4.59-1
+   [buster] - lighttpd  (lighttpd 1.4.53 not vulnerable)
+   [stretch] - lighttpd  (lighttpd 1.4.45 not vulnerable)
NOTE: https://podalirius.net/en/cves/2022-30780/
NOTE: 
https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
NOTE: https://redmine.lighttpd.net/issues/3059



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d0890ff850230056ff26cd9197cb690b7f8475b
