[Git][security-tracker-team/security-tracker][master] reserve DLA-3575-1 for python2.7
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 52f72bfe by Helmut Grohne at 2023-09-20T21:06:37+02:00 reserve DLA-3575-1 for python2.7 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3928,8 +3928,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python thro CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a po ...) - python3.9 3.9.1~rc1-1 - python3.7 - - python2.7 - [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) + - python2.7 (In 2.7, the plistlib parser only supports XML and not the affected binary format) NOTE: https://bugs.python.org/issue42103 NOTE: https://github.com/python/cpython/issues/86269 NOTE: https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f (v3.10.0a2) @@ -38302,7 +38301,6 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a [buster] - python3.7 (Cf. related CVE-2022-0391) - python2.7 [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) - [buster] - python2.7 (Cf. related CVE-2022-0391) NOTE: https://pointernull.com/security/python-url-parse-problem.html NOTE: https://github.com/python/cpython/pull/99421 NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch) @@ -118560,7 +118558,6 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse - python3.4 - python2.7 [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) - [buster] - python2.7 (Minor issue, different approach to sanitization; regressions reports) NOTE: https://bugs.python.org/issue43882 NOTE: Regressions reported for django, boto-core and cloud-init NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1) 
@@ -189199,7 +189196,6 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 [experimental] - python2.7 2.7.18-13.1~exp1 - python2.7 2.7.18-13.1 [bullseye] - python2.7 (Python 2.7 in Bullseye not covered by security support) - [buster] - python2.7 (Will break existing applications, don't backport to released suites) - pypy3 7.3.3+dfsg-3 [buster] - pypy3 (Minor issue) NOTE: https://github.com/python/cpython/pull/24297 = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Sep 2023] DLA-3575-1 python2.7 - security update + {CVE-2021-23336 CVE-2022-0391 CVE-2022-48560 CVE-2022-48565 CVE-2022-48566 CVE-2023-24329 CVE-2023-40217} + [buster] - python2.7 2.7.16-2+deb10u3 [20 Sep 2023] DLA-3574-1 mutt - security update {CVE-2023-4874 CVE-2023-4875} [buster] - mutt 1.10.1-2.1+deb10u7 = data/dla-needed.txt = 
@@ -166,13 +166,6 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -python2.7 (Helmut Grohne) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's not-affected but it needs - NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was partially fixed in some suites - NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now available and can be fixed now. (utkarsh) - NOTE: 20230826: contact Utkarsh in case you're unable to find the supplementary patch. (utkarsh) --- qt4-x11 NOTE: 20230822: Re-added for one remaining open CVE (roberto) NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
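Review bot: in the CVE-2022-48564 hunk, both the removed "- python2.7" line and the added "- python2.7 (In 2.7, the plistlib parser only supports XML and not the affected binary format)" line show no version or status token between the package name and the reason, so this rendering does not confirm that the entry moved from unfixed to not-affected (the tracker's angle-bracket status markers appear to have been dropped when the mail was rendered). Please confirm the entry parses as not-affected in the tracker; the 20230826 notes removed further down called this "a hunch" needing deeper triage, and the reason given here (2.7 lacks the binary plist reader) is what settles it, so it is worth keeping verifiable.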
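Review bot: the new DLA-3575-1 entry lists CVE-2022-48560, CVE-2022-48565, CVE-2022-48566 and CVE-2023-40217, yet this commit touches data/CVE/list only for CVE-2022-48564, CVE-2023-24329, CVE-2022-0391 and CVE-2021-23336. That is consistent only if the four untouched entries never carried a "[buster] - python2.7 ..." annotation; please confirm they now show as fixed in buster through the DLA rather than remaining open there.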
[Git][security-tracker-team/security-tracker][master] LTS: claim python2.7
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: b424d5da by Helmut Grohne at 2023-09-08T14:17:54+02:00 LTS: claim python2.7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -174,7 +174,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -python2.7 +python2.7 (Helmut Grohne) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's not-affected but it needs NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was partially fixed in some suites View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b424d5dac2f7c796c52e63639247554489907539 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b424d5dac2f7c796c52e63639247554489907539 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3393-1 for protobuf
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: ad65f979 by Helmut Grohne at 2023-04-18T09:03:41+02:00 Reserve DLA-3393-1 for protobuf - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -170504,7 +170504,6 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo [experimental] - protobuf 3.17.1-1 - protobuf 3.21.9-3 [bullseye] - protobuf (Minor issue) - [buster] - protobuf (Minor issue) [stretch] - protobuf (Minor issue; clean crash / Dos; patch needs to be isolated) NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 NOTE: Fixed in merge commit https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2 @@ -170513,7 +170512,6 @@ CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google [experimental] - protobuf 3.19.3-1 - protobuf 3.21.9-3 [bullseye] - protobuf (Minor issue) - [buster] - protobuf (Minor issue) [stretch] - protobuf (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4 NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001 = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Apr 2023] DLA-3393-1 protobuf - security update + {CVE-2021-22569 CVE-2021-22570 CVE-2022-1941} + [buster] - protobuf 3.6.1.3-2+deb10u1 [17 Apr 2023] DLA-3392-1 ruby-rack - security update {CVE-2023-27530 CVE-2023-27539} [buster] - ruby-rack 2.0.6-3+deb10u3 = data/dla-needed.txt = 
@@ -222,11 +222,6 @@ pluxml NOTE: 20220913: Special attention: orphaned package. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git -- -protobuf (Helmut Grohne) - NOTE: 20221031: Programming language: Several. - NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git --- puppet-module-puppetlabs-mysql NOTE: 20221107: Programming language: Puppet, Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
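Review bot: the context line "NOTE: Fixed in merge commit https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2" in the CVE-2021-22570 hunk appears to lack the "/commit/" path segment that the other GitHub links in these entries use (compare ".../cpython/commit/34637a0..."). Not introduced by this hunk, but please verify the link resolves and fix it while the entry is being edited.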
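Review bot: the DLA-3393-1 entry covers CVE-2022-1941 as well as CVE-2021-22569 and CVE-2021-22570, but only the latter two have a data/CVE/list hunk here (each removing a "[buster] - protobuf (Minor issue)" line). Please confirm the CVE-2022-1941 entry had no buster annotation to remove and now reports buster as fixed via the DLA.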
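Review bot: the dla-needed.txt hunk removes the only record of the 20221031 caveat that one of the CVEs "affects the generated code and must therefore get special attention from the application developer using protobuf", and the new DLA/list entry carries no NOTE. Make sure that caveat reaches the advisory text (which CVE it is, and that users of protoc-generated code need to act on it), otherwise it is lost once this entry is gone.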
[Git][security-tracker-team/security-tracker][master] ignore protobuf CVEs in buster that are ignored in bullseye
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 32f18fa8 by Helmut Grohne at 2023-04-16T20:21:28+02:00 ignore protobuf CVEs in buster that are ignored in bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44697,12 +44697,14 @@ CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type E [experimental] - protobuf 3.21.7-1 - protobuf 3.21.9-3 [bullseye] - protobuf (Too intrusive to backport, requires significant refactoring via CVE-2022-3171) + [buster] - protobuf (Too intrusive to backport, requires significant refactoring via CVE-2022-3171) NOTE: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat in proto ...) [experimental] - protobuf 3.21.7-1 - protobuf 3.21.9-3 [bullseye] - protobuf (Too intrusive to backport, requires significant refactoring via CVE-2022-3171) + [buster] - protobuf (Too intrusive to backport, requires significant refactoring via CVE-2022-3171) NOTE: https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 (v21.7, v3.21.7) NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171 CVE-2022-3508 
@@ -51634,7 +51636,8 @@ CVE-2022-3172 CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite versio ...) [experimental] - protobuf 3.21.7-1 - protobuf 3.21.9-3 - [bullseye] - protobuf (Too intrusive to backport, requires significant refactoring via CVE-2022-3171) + [bullseye] - protobuf (Too intrusive to backport, requires significant refactoring) + [buster] - protobuf (Too intrusive to backport, requires significant refactoring) NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 NOTE: https://github.com/protocolbuffers/protobuf/pull/10664 NOTE: https://github.com/protocolbuffers/protobuf/pull/10665 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32f18fa8d455362c1218404bcae2b6fa518a9b37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32f18fa8d455362c1218404bcae2b6fa518a9b37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
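Review bot: the added "[buster] - protobuf (Too intrusive to backport, requires significant refactoring via CVE-2022-3171)" lines for CVE-2022-3510 and CVE-2022-3509 show no status token between the package name and the reason in this rendering, so the mail cannot confirm that buster is marked ignored (as the commit message says) rather than postponed. Please verify in the tracker; the two statuses mean different things to users deciding whether a CPU DoS in a parser that may see untrusted input will ever be fixed in buster.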
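Review bot: the CVE-2022-3171 hunk rightly drops the circular "via CVE-2022-3171" from that entry's own bullseye reason while adding the buster line in the same form. Note also that the context "- protobuf 3.21.9-3" no longer carries the "(unimportant)" tag added on 12 Apr; per-suite ignored lines and a global unimportant tag say different things to users, so please check the NOTE lines still match whichever classification is intended.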
[Git][security-tracker-team/security-tracker][master] fixup protobuf-java triage: tag all fixed versions unimportant
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: dfeb6abc by Helmut Grohne at 2023-04-12T09:09:42+02:00 fixup protobuf-java triage: tag all fixed versions unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43656,12 +43656,12 @@ CVE-2022-3512 (Using warp-cli command "add-trusted-ssid", a user was able to dis CVE-2022-3511 (The Awesome Support WordPress plugin before 6.1.2 does not ensure that ...) NOT-FOR-US: WordPress plugin CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type Extens ...) - [experimental] - protobuf 3.21.7-1 + [experimental] - protobuf 3.21.7-1 (unimportant) - protobuf 3.21.9-3 (unimportant) NOTE: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat in proto ...) - [experimental] - protobuf 3.21.7-1 + [experimental] - protobuf 3.21.7-1 (unimportant) - protobuf 3.21.9-3 (unimportant) NOTE: https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 (v21.7, v3.21.7) NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171 
@@ -50583,7 +50583,7 @@ CVE-2022-3172 NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite versio ...) - [experimental] - protobuf 3.21.7-1 + [experimental] - protobuf 3.21.7-1 (unimportant) - protobuf 3.21.9-3 (unimportant) NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 NOTE: https://github.com/protocolbuffers/protobuf/pull/10664 10665 10666 10667 10668 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfeb6abc4fb18a270d8f32e5ff3c4cf737abdcaf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfeb6abc4fb18a270d8f32e5ff3c4cf737abdcaf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] classify protobuf-java CPU DoS CVEs as unimportant
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: b9b23c9c by Helmut Grohne at 2023-04-12T08:30:15+02:00 classify protobuf-java CPU DoS CVEs as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43657,14 +43657,14 @@ CVE-2022-3511 (The Awesome Support WordPress plugin before 6.1.2 does not ensure NOT-FOR-US: WordPress plugin CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type Extens ...) [experimental] - protobuf 3.21.7-1 - - protobuf 3.21.9-3 - [bullseye] - protobuf (Minor issue) + - protobuf 3.21.9-3 (unimportant) NOTE: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 + NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat in proto ...) [experimental] - protobuf 3.21.7-1 - - protobuf 3.21.9-3 - [bullseye] - protobuf (Minor issue) + - protobuf 3.21.9-3 (unimportant) NOTE: https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 (v21.7, v3.21.7) + NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171 CVE-2022-3508 RESERVED CVE-2022-3507 
@@ -50584,9 +50584,10 @@ CVE-2022-3172 NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite versio ...) [experimental] - protobuf 3.21.7-1 - - protobuf 3.21.9-3 - [bullseye] - protobuf (Minor issue) + - protobuf 3.21.9-3 (unimportant) NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 + NOTE: https://github.com/protocolbuffers/protobuf/pull/10664 10665 10666 10667 10668 + NOTE: CPU DoS in protobuf-java, fixed by significant refactoring CVE-2022-3170 (An out-of-bounds access issue was found in the Linux kernel sound subs ...) - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2125879 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9b23c9c962973b630a627bcd72e6ab8eea8d94e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9b23c9c962973b630a627bcd72e6ab8eea8d94e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
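Review bot: the "(unimportant)" tag added to "- protobuf 3.21.9-3" for CVE-2022-3510 and CVE-2022-3509 is justified only by the new NOTE "CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171", which is a backporting-cost argument rather than an impact one. Since unimportant tells users no fix will be issued in any suite, the NOTE should state why the CPU DoS is considered negligible for Debian (for example how protobuf-java is exposed in Debian packages); otherwise the removed "[bullseye] - protobuf (Minor issue)" lines were the more accurate record.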
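Review bot: in the CVE-2022-3171 hunk the added "NOTE: https://github.com/protocolbuffers/protobuf/pull/10664 10665 10666 10667 10668" runs five PR numbers after a single URL, so only the first is a usable link; write one URL per PR (".../pull/10665" and so on) as the other NOTE lines in these entries do.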
[Git][security-tracker-team/security-tracker][master] identify actual fixes for two protobuf issues
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f6c6e61 by Helmut Grohne at 2023-04-06T12:46:24+02:00 identify actual fixes for two protobuf issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71048,6 +71048,7 @@ CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the ProtocolBu NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1 NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf NOTE: https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2) + NOTE: main commit 7764c864bd5acdf60230a7b8fd29816170d0d04e CVE-2022-1940 (A Stored Cross-Site Scripting vulnerability in Jira integration in Git ...) - gitlab (Vulnerable code introduced later) NOTE: https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/ 
@@ -166631,6 +166632,7 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo [buster] - protobuf (Minor issue) [stretch] - protobuf (Minor issue; clean crash / Dos; patch needs to be isolated) NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 + NOTE: Fixed in merge commit a00125024e9231d76746bd394fef8876f5cc15e2 in src/google/protobuf/descriptor.cc CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google.proto ...) [experimental] - protobuf 3.19.3-1 - protobuf 3.21.9-3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6c6e61ae78d3ffc64f1ed51d590585c9e1044d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6c6e61ae78d3ffc64f1ed51d590585c9e1044d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
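Review bot: the added "NOTE: main commit 7764c864bd5acdf60230a7b8fd29816170d0d04e" in the CVE-2022-1941 hunk gives a bare hash with no repository or URL, unlike the line above it (".../commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2)"). Use the full GitHub commit URL and say how it relates to the v3.20.2 backport, so whoever prepares the buster patch knows which of the two to base it on.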
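Review bot: the added "NOTE: Fixed in merge commit a00125024e9231d76746bd394fef8876f5cc15e2 in src/google/protobuf/descriptor.cc" in the CVE-2021-22570 hunk is likewise a bare hash; a merge commit is also awkward to cherry-pick, so consider naming the non-merge commit(s) that actually change descriptor.cc, or at least link the merge with its full URL.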
[Git][security-tracker-team/security-tracker][master] claim protobuf DLA
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 17787b69 by Helmut Grohne at 2023-04-04T10:58:36+02:00 claim protobuf DLA - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -194,7 +194,7 @@ pluxml NOTE: 20220913: Special attention: orphaned package. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git -- -protobuf +protobuf (Helmut Grohne) NOTE: 20221031: Programming language: Several. NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17787b698594695d718de5244be63837959da06e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17787b698594695d718de5244be63837959da06e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reserve DLA-3193-2 for joblib
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: a8127e66 by Helmut Grohne at 2023-03-30T19:08:19+02:00 reserve DLA-3193-2 for joblib - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -87199,7 +87199,6 @@ CVE-2022-21802 (The package grapesjs before 0.19.5 are vulnerable to Cross-site CVE-2022-21797 (The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary ...) - joblib 1.2.0-1 (bug #1020820) [bullseye] - joblib (Minor issue) - [buster] - joblib (Minor issue, the fix from +deb10u1 is incomplete) NOTE: https://github.com/joblib/joblib/issues/1128 NOTE: https://github.com/joblib/joblib/pull/1321 NOTE: Better fix: https://github.com/joblib/joblib/pull/1327 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Mar 2023] DLA-3193-2 joblib - security update + {CVE-2022-21797} + [buster] - joblib 0.13.0-2+deb10u2 [29 Mar 2023] DLA-3372-1 xorg-server - security update {CVE-2023-1393} [buster] - xorg-server 2:1.20.4-1+deb10u9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8127e66c70941c072c2b934e9a3343b0be6959d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8127e66c70941c072c2b934e9a3343b0be6959d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
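Review bot: the CVE-2022-21797 hunk removes "[buster] - joblib (Minor issue, the fix from +deb10u1 is incomplete)", which was the only record that the earlier buster upload was incomplete. Since the NOTE lines list both PR 1321 and the "Better fix" PR 1327, add a NOTE saying which one 0.13.0-2+deb10u2 backports, so the history of the two uploads survives the removal.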
[Git][security-tracker-team/security-tracker][master] reserve DLA-3315-2 for sox regression update
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 8dff0de1 by Helmut Grohne at 2023-03-20T10:43:55+01:00 reserve DLA-3315-2 for sox regression update - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[20 Mar 2023] DLA-3315-2 sox - regression update + [buster] - sox 14.4.2+git20190427-1+deb10u2 [20 Mar 2023] DLA-3365-1 thunderbird - security update {CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164 CVE-2023-28176} [buster] - thunderbird 1:102.9.0-1~deb10u1 = data/dla-needed.txt = @@ -293,10 +293,6 @@ samba NOTE: 20220904: Special attention: High popcon! Used in many servers. NOTE: 20220904: Many postponed or open CVE in general. (apo) -- -sox (Helmut Grohne) - NOTE: 20230313: Programming language: C. - NOTE: 20230313: VCS: https://salsa.debian.org/lts-team/packages/sox.git --- sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dff0de1cc044537b4d9b36deca58ac71a25bd0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dff0de1cc044537b4d9b36deca58ac71a25bd0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
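Review bot: the new "[20 Mar 2023] DLA-3315-2 sox - regression update" entry and the removed dla-needed.txt entry (which records only the language and VCS) give no hint of what regressed in +deb10u1 or which of the DLA-3315-1 fixes it touches. Add a NOTE with the bug number or the reverted/adjusted change; otherwise the regression is untraceable from the tracker data.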
[Git][security-tracker-team/security-tracker][master] issue DLA-3315-1 for sox
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 729130df by Helmut Grohne at 2023-02-10T07:08:51+01:00 issue DLA-3315-1 for sox - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -59461,15 +59461,11 @@ CVE-2022-31652 CVE-2022-31651 (In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in ...) - sox 14.4.2+git20190427-3.1 (bug #1012516) [bullseye] - sox (Minor issue) - [buster] - sox (Minor issue) - [stretch] - sox (Minor issue) NOTE: https://sourceforge.net/p/sox/bugs/360/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 CVE-2022-31650 (In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwri ...) - sox 14.4.2+git20190427-3.1 (bug #1012516) [bullseye] - sox (Minor issue) - [buster] - sox (Minor issue) - [stretch] - sox (Minor issue) NOTE: https://sourceforge.net/p/sox/bugs/360/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 CVE-2022-31649 (ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Inf ...) @@ -118766,8 +118762,6 @@ CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found in CVE-2021-3643 (A flaw was found in sox 14.4.1. The lsx_adpcm_init function within lib ...) - sox 14.4.2+git20190427-3.2 (bug #1010374) [bullseye] - sox (Minor issue) - [buster] - sox (Minor issue) - [stretch] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980626 NOTE: Triggered by same reproducer as for CVE-2021-23210 NOTE: https://sourceforge.net/p/sox/bugs/351/ 
@@ -125578,8 +125572,6 @@ CVE-2021-33841 (SGE-PLC1000 device, in its 0.9.2b firmware version, does not han CVE-2021-23210 (A floating point exception (divide-by-zero) issue was discovered in So ...) - sox 14.4.2+git20190427-3.2 (bug #1010374) [bullseye] - sox (Minor issue) - [buster] - sox (Minor issue) - [stretch] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975670 NOTE: https://sourceforge.net/p/sox/bugs/351/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 @@ -261790,9 +261782,6 @@ CVE-2019-13591 RESERVED CVE-2019-13590 (An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (start ...) - sox 14.4.2+git20190427-2 (low; bug #932082) - [buster] - sox (Minor issue) - [stretch] - sox (Minor issue) - [jessie] - sox (Minor issue) NOTE: https://sourceforge.net/p/sox/bugs/325/ NOTE: https://sourceforge.net/p/sox/code/ci/7b6a889217d62ed7e28188621403cc7542fd1f7e/ CVE-2019-13589 (The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, incl ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Feb 2023] DLA-3315-1 sox - security update + {CVE-2019-13590 CVE-2021-3643 CVE-2021-23159 CVE-2021-23172 CVE-2021-23210 CVE-2021-33844 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651} + [buster] - sox 14.4.2+git20190427-1+deb10u1 [09 Feb 2023] DLA-3314-1 libsdl2 - security update {CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638 CVE-2019-13616 CVE-2019-13626 CVE-2020-14409 CVE-2020-14410 CVE-2021-33657 CVE-2022-4743} [buster] - libsdl2 2.0.9+dfsg1-1+deb10u1 = data/dla-needed.txt = 
@@ -310,13 +310,6 @@ snort NOTE: 20230121: Prepared new upstream version for unstable which we could NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276 -- -sox (Helmut Grohne) - NOTE: 20220818: Programming language: C. - NOTE: 20220818: Requires some investigation; see #1012138 etc. - NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) - NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git - NOTE: 20230127: There is no point in dealing with sox. No upstream commit in 1.5 years. No answer to Enrico's upstream ticket. RedHat issued notabug. Unfixed in stable and unstable. Don't run sox on untrusted input. (Helmut) --- spip NOTE: 20230206: Programming language: PHP. NOTE: 20230206: Special attention: Please contact maintainer regarding VCS usage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/729130df3de8c74d3d65f0a8f2c1666dcc175cb2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/729130df3de8c74d3d65f0a8f2c1666dcc175cb2 You're receiving this email because of your account on salsa.debian.org.
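Review bot: the CVE-2022-31651, CVE-2022-31650, CVE-2021-3643, CVE-2021-23210 and CVE-2019-13590 hunks remove the "[stretch]" and "[jessie]" "(Minor issue)" lines together with the "[buster]" ones, but DLA-3315-1 records a fix only for "[buster] - sox 14.4.2+git20190427-1+deb10u1". If stretch or jessie are still tracked for extended support, their annotations should stay, since nothing else in this commit records a fix there.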
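Review bot: the DLA-3315-1 entry also lists CVE-2021-23159, CVE-2021-23172, CVE-2021-33844 and CVE-2021-40426, for which this commit changes nothing in data/CVE/list; please confirm those entries had no buster annotation to remove and now report buster as fixed via the DLA.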
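Review bot: the removed dla-needed.txt notes include the 20230127 assessment "No upstream commit in 1.5 years ... Unfixed in stable and unstable. Don't run sox on untrusted input." Now that a DLA fixes nine CVEs in buster, the advisory text should still carry that context (further sox issues remain open upstream and in other suites) so buster users do not read DLA-3315-1 as making sox safe on untrusted input.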
[Git][security-tracker-team/security-tracker][master] record bug number for heimdal CVE-2022-45142
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a0a1f7b by Helmut Grohne at 2023-02-08T12:52:37+01:00 record bug number for heimdal CVE-2022-45142 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20067,7 +20067,7 @@ CVE-2022-45143 (The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0. NOTE: https://www.openwall.com/lists/oss-security/2023/01/03/1 CVE-2022-45142 [gsskrb5: fix accidental logic inversions] RESERVED - - heimdal + - heimdal (bug #1030849) NOTE: https://www.openwall.com/lists/oss-security/2023/02/08/1 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15296 CVE-2022-45141 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a0a1f7b28ede4da703f3078b485c6e4432e34ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a0a1f7b28ede4da703f3078b485c6e4432e34ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] issue DLA-3311-1 for heimdal CVE-2022-45142
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 41508f7c by Helmut Grohne at 2023-02-08T12:37:05+01:00 issue DLA-3311-1 for heimdal CVE-2022-45142 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Feb 2023] DLA-3311-1 heimdal - security update + {CVE-2022-45142} + [buster] - heimdal 7.5.0+dfsg-3+deb10u2 [07 Feb 2023] DLA-3310-1 xorg-server - security update {CVE-2023-0494} [buster] - xorg-server 2:1.20.4-1+deb10u8 = data/dla-needed.txt = @@ -102,11 +102,6 @@ haproxy NOTE: 20230207: VCS: https://salsa.debian.org/haproxy-team/haproxy.git NOTE: 20230207: method was called h2_frt_decode_headers in buster (pochu) -- -heimdal (Helmut Grohne) - NOTE: 20230206: Programming language: C - NOTE: 20230206: Special attention: Do review patches, even those, coming from upstream. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/heimdal/ --- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41508f7cc45ef642ba5823bbbdd866a6da4cece1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41508f7cc45ef642ba5823bbbdd866a6da4cece1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
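Review bot: the removed dla-needed.txt note "Do review patches, even those, coming from upstream." was the standing reviewer instruction for this package, and the new DLA-3311-1 entry for CVE-2022-45142 carries no NOTE. Consider recording on the CVE entry (which, as shown in the 2a0a1f7b commit, currently holds only the oss-security and samba bugzilla links) which upstream commit the buster patch corresponds to and that it was reviewed, so the next LTS update does not have to redo that work.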
[Git][security-tracker-team/security-tracker][master] LTS: claim heimdal
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: ead49fad by Helmut Grohne at 2023-02-06T13:41:16+01:00 LTS: claim heimdal - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,6 +97,8 @@ graphite-web (Chris Lamb) NOTE: 20221229: Programming language: Python. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/graphite-web.git -- +heimdal (Helmut Grohne) +-- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead49fad3b3df5e559b3de0486e85473ac1d7cdc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead49fad3b3df5e559b3de0486e85473ac1d7cdc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] sox: bump fixed version for previously incomplete fixes
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 01fe1096 by Helmut Grohne at 2023-02-05T13:35:06+01:00 sox: bump fixed version for previously incomplete fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117467,7 +117467,7 @@ CVE-2021-36717 (Synerion TimeNet version 9.21 contains a directory traversal vul CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found in the S ...) NOT-FOR-US: Node is-email CVE-2021-3643 (A flaw was found in sox 14.4.1. The lsx_adpcm_init function within lib ...) - - sox 14.4.2+git20190427-3.1 (bug #1010374) + - sox 14.4.2+git20190427-3.2 (bug #1010374) [bullseye] - sox (Minor issue) [buster] - sox (Minor issue) [stretch] - sox (Minor issue) @@ -124279,7 +124279,7 @@ CVE-2021-33842 (Improper Authentication vulnerability in the cookie parameter of CVE-2021-33841 (SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle so ...) NOT-FOR-US: SGE-PLC1000 device CVE-2021-23210 (A floating point exception (divide-by-zero) issue was discovered in So ...) - - sox 14.4.2+git20190427-3.1 (bug #1010374) + - sox 14.4.2+git20190427-3.2 (bug #1010374) [bullseye] - sox (Minor issue) [buster] - sox (Minor issue) [stretch] - sox (Minor issue) 
@@ -124287,12 +124287,12 @@ CVE-2021-23210 (A floating point exception (divide-by-zero) issue was discovered NOTE: https://sourceforge.net/p/sox/bugs/351/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 CVE-2021-23172 (A vulnerability was found in SoX, where a heap-buffer-overflow occurs ...) - - sox 14.4.2+git20190427-3.1 (bug #1021134) + - sox 14.4.2+git20190427-3.2 (bug #1021134) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975666 NOTE: https://sourceforge.net/p/sox/bugs/350/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 CVE-2021-23159 (A vulnerability was found in SoX, where a heap-buffer-overflow occurs ...) - - sox 14.4.2+git20190427-3.1 (bug #1021133) + - sox 14.4.2+git20190427-3.2 (bug #1021133) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975671 NOTE: https://sourceforge.net/p/sox/bugs/352/ NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01fe1096b727b2f6634bd4a7199f73de414ca7d8
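Review bot: the four sox hunks (CVE-2021-3643, CVE-2021-23210, CVE-2021-23172, CVE-2021-23159) bump the fixed version from 14.4.2+git20190427-3.1 to -3.2 but record nothing about why; the reason ("previously incomplete fixes") lives only in the commit message. Suggest adding a line such as `NOTE: fix in 14.4.2+git20190427-3.1 was incomplete, completed in -3.2` to each entry, so that anyone later revisiting the `[bullseye]`/`[buster]`/`[stretch] - sox (Minor issue)` annotations does not treat -3.1 as a safe reference point for a backport.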
[Git][security-tracker-team/security-tracker][master] dla-needed: claim sox
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 164672ee by Helmut Grohne at 2023-01-27T13:38:48+01:00 dla-needed: claim sox - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -343,7 +343,7 @@ sofia-sip (Adrian Bunk) NOTE: 20230125: Programming language: C. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git -- -sox +sox (Helmut Grohne) NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/164672eed41572f02ebe4078b478c90eff4767a0
[Git][security-tracker-team/security-tracker][master] dla-needed: sox is unfixable
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 975dcf7f by Helmut Grohne at 2023-01-27T09:38:00+01:00 dla-needed: sox is unfixable - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -340,6 +340,7 @@ sox NOTE: 20220818: Requires some investigation; see #1012138 etc. NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git + NOTE: 20230127: There is no point in dealing with sox. No upstream commit in 1.5 years. No answer to Enrico's upstream ticket. RedHat issued notabug. Unfixed in stable and unstable. Don't run sox on untrusted input. (Helmut) -- thunderbird (Emilio) NOTE: 20230123: Programming language: C++ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/975dcf7f0487754aad7f1b8b94b15ced03719173
[Git][security-tracker-team/security-tracker][master] reserve DLA-3265-1 for exiv2
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 64c3ca93 by Helmut Grohne at 2023-01-10T17:44:15+01:00 reserve DLA-3265-1 for exiv2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1506,7 +1506,7 @@ CVE-2018-25061 (A vulnerability was found in rgb2hex up to 0.1.5. It has been ra CVE-2017-20160 (A vulnerability was found in flitto express-param up to 0.x. It has be ...) NOT-FOR-US: express-param CVE-2014-125029 (A vulnerability was found in ttskch PaginationServiceProvider up to 0. ...) - NOT-FOR-US: ttskch/PaginationServiceProvider + NOT-FOR-US: ttskch/PaginationServiceProvider CVE-2014-125028 (A vulnerability was found in valtech IDP Test Client and classified as ...) NOT-FOR-US: valtech IDP Test Client CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor prior to 2 ...) 
@@ -108652,21 +108652,18 @@ CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, wri CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv NOTE: https://github.com/Exiv2/exiv2/pull/1788 CVE-2021-37621 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg NOTE: https://github.com/Exiv2/exiv2/pull/1778 CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728 NOTE: https://github.com/Exiv2/exiv2/pull/1769 @@ -116527,7 +116524,6 @@ CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, wri CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 (bug #992706) [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p NOTE: https://github.com/Exiv2/exiv2/pull/1766 
@@ -120321,7 +120317,6 @@ CVE-2021-32816 (ProtonMail Web Client is the official AngularJS web client for t CVE-2021-32815 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 (bug #992705) [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh2-m49m NOTE: https://github.com/Exiv2/exiv2/pull/1739 @@ -129479,7 +129474,6 @@ CVE-2021-29459 (XWiki Platform is a generic wiki platform offering runtime servi CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 (bug #987277) [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5 NOTE: https://github.com/Exiv2/exiv2/issues/1530 @@ -185933,7 +185927,6 @@ CVE-2020-18772 RESERVED CVE-2020-18771 (Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Niko ...) - exiv2 0.27.2-6 - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/756 CVE-2020-18770 @@ -240883,7 +240876,6 @@ CVE-2019-17403 (Nokia IMPACT 18A: An unrestricted File Upload vulnerability CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in ...) {DLA-2019-1} - exiv2 0.27.3-1 (bug #946341) - [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/1019 NOTE: https://github.com/Exiv2/exiv2/commit/88054239e3c914862d13f6ac89a19a104fa2c076 (master) @@ -250712,7 +250704,6 @@ CVE-2019-14371 (An issue was discovered in Libav 12.3. There is an infinite loop NOTE: fixed through CVE-2018-11102 / https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/7abf394814d818973db562102f21ab9d10540840 CVE-2019-14370 (In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage: ...) - exiv2
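Review bot: the first hunk (@@ -1506) rewrites CVE-2014-125029's `NOT-FOR-US: ttskch/PaginationServiceProvider` line with a removed and an added version that read identically, so this is a whitespace-only change to an entry that has nothing to do with exiv2. It should be a separate commit, or at least be mentioned in the commit message ("reserve DLA-3265-1 for exiv2"), so that reviewers are not left diffing the two lines by eye. The exiv2 hunks themselves only drop the `[buster] - exiv2 (Minor issue)` annotations; stating in the commit message which of these CVEs the reserved DLA is meant to cover would make that intent checkable against data/DLA/list.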
[Git][security-tracker-team/security-tracker][master] 2 commits: delete heimdal annotations conflicting with ELTS tracker
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 89e9f403 by Helmut Grohne at 2023-01-10T14:21:19+01:00 delete heimdal annotations conflicting with ELTS tracker - - - - - b632e32d by Helmut Grohne at 2023-01-10T14:21:20+01:00 triage exiv2 * This is mostly adding not-affected for LTS. * Also deleting annotations that conflict with the ELTS tracker. * CVE-2021-31292 is a duplicate of CVE-2021-29458 * Add detail to some CVEs such as patches. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -108646,8 +108646,7 @@ CVE-2021-37624 (FreeSWITCH is a Software Defined Telecom Stack enabling the digi CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [buster] - exiv2 (relevant IPTC parsing added in 0.26) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mvc4-g5pv-4qqq NOTE: https://github.com/Exiv2/exiv2/pull/1790 CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) 
@@ -108674,15 +108673,13 @@ CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, wri CVE-2021-37619 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [buster] - exiv2 (Jp2Image::encodeJp2Header added in 0.26) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v NOTE: https://github.com/Exiv2/exiv2/pull/1752 CVE-2021-37618 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [buster] - exiv2 (Jp2Image::printStructure added in 0.26) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2 NOTE: https://github.com/Exiv2/exiv2/pull/1759 CVE-2021-37617 (The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...) @@ -108691,15 +108688,13 @@ CVE-2021-37617 (The Nextcloud Desktop Client is a tool to synchronize files from CVE-2021-37616 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [buster] - exiv2 (resolveLens0x8ff added in 0.26) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-54f7-vvj7-545w NOTE: https://github.com/Exiv2/exiv2/pull/1758 CVE-2021-37615 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [buster] - exiv2 (resolveLens0x319 added in 0.26) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-h9x9-4f77-336w NOTE: https://github.com/Exiv2/exiv2/pull/1758 CVE-2021-37614 (In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0 ...) 
@@ -116526,8 +116521,7 @@ CVE-2021-34336 CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 0.27.5-1 (bug #992707) [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [buster] - exiv2 (resolveLens0x added in 0.26) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-pvjp-m4f6-q984 NOTE: https://github.com/Exiv2/exiv2/pull/1750 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) @@ -124505,6 +124499,7 @@ CVE-2021-31292 (An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allo NOTE: https://github.com/Exiv2/exiv2/issues/1530 NOTE: https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0 NOTE: In older releases affected code is in src/crwimage.cpp + NOTE: This is a duplicate of CVE-2021-29458, but mitre finds the evidence unconvincing. CVE-2021-31291 REJECTED CVE-2021-31290 @@ -129056,8 +129051,7 @@ CVE-2021-29624 (fastify-csrf is an open-source plugin helps developers protect t CVE-2021-29623 (Exiv2 is a C++ library and a command-line utility to read, write, dele ...) - exiv2 0.27.5-1 (bug #988481) [bullseye] - exiv2 (Minor issue) - [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [buster] - exiv2 (webpimage support added 0.26) NOTE:
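Review bot: the new buster annotations are worded inconsistently and one looks truncated: CVE-2021-34335 gets `(resolveLens0x added in 0.26)` while the neighbouring entries name a concrete function (`resolveLens0x8ff`, `resolveLens0x319`), and CVE-2021-29623 reads `(webpimage support added 0.26)` where the others say `added in 0.26`. Please confirm the intended identifier for CVE-2021-34335 and align the phrasing, since these strings are what a later triager will read as the justification for buster not being affected. The added `NOTE: This is a duplicate of CVE-2021-29458, but mitre finds the evidence unconvincing.` on CVE-2021-31292 is useful; a mirror NOTE on CVE-2021-29458 would make the relationship visible from either entry.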
[Git][security-tracker-team/security-tracker][master] triage leptonlib
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: accb17ef by Helmut Grohne at 2023-01-10T11:59:40+01:00 triage leptonlib * Remove a bunch of annotations that will end up conflicting with the ELTS tracker. * Note patch for CVE-2018-7442 and explain that it changes behaviour. * Note that CVE-2018-7441 is not neutralized, remove unimportant, list patches. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -325949,8 +325949,6 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in sched CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a % ...) {DLA-1302-1} - leptonlib 1.75.3-2 (low; bug #890548) - [stretch] - leptonlib (Minor issue) - [jessie] - leptonlib (Minor issue) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! v ...) NOT-FOR-US: Saxum Astro component for Joomla! 
@@ -335436,17 +335434,19 @@ CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519 CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutp ...) - leptonlib 1.76.0-1 (bug #898439) - [stretch] - leptonlib (Minor issue) - [jessie] - leptonlib (Minor issue) [wheezy] - leptonlib (Minor issue) NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html + NOTE: https://github.com/DanBloomberg/leptonica/commit/24cca39cbeafd7943fb6ec723c9c1f525c24eb9f + NOTE: The patch deactivates debugging functions by default and thus changes behaviour. CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might al ...) - - leptonlib 1.76.0-1 (unimportant) + - leptonlib 1.76.0-1 NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html - NOTE: Neutralised by kernel hardening + NOTE: Not neutralised by kernel hardening, because subdirectories of /tmp are not hardened + NOTE: https://github.com/DanBloomberg/leptonica/commit/dcaf546c748aaf13fd14289677037e83d749455f + NOTE: The patch requires CVE-2018-7442 patch as underlying infrastructure. + NOTE: The patch deactivates debugging functions by default and thus changes behaviour. CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicate ...) - leptonlib 1.74.4-2 (low; bug #885704) - [stretch] - leptonlib (Minor issue) [jessie] - leptonlib (Vulnerable code not present) [wheezy] - leptonlib (Vulnerable code not present) CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutp ...) 
@@ -335459,8 +335459,6 @@ CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The gplotMak CVE-2018-3836 (An exploitable command injection vulnerability exists in the gplotMake ...) {DLA-1284-1} - leptonlib 1.75.3-1 (bug #889759) - [stretch] - leptonlib (Minor issue) - [jessie] - leptonlib (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 NOTE: https://github.com/DanBloomberg/leptonica/issues/303 NOTE: When fixing this issue make sure the fix is complete and includes as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/accb17ef45236f07536a694b7f1c6762b87d4b0f
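Review bot: the CVE-2018-7442 hunk removes the `[stretch]` and `[jessie]` annotations as conflicting with the ELTS tracker but keeps `[wheezy] - leptonlib (Minor issue)`; if the rationale in the commit message applies to every ELTS suite, the wheezy line should go too, otherwise a NOTE should say why it stays. The line `NOTE: The patch deactivates debugging functions by default and thus changes behaviour.` is added verbatim under both CVE-2018-7442 and CVE-2018-7441; since the 7441 entry already says its patch requires the 7442 patch as infrastructure, one copy that refers to the other would do. The replacement of `Neutralised by kernel hardening` with `Not neutralised by kernel hardening, because subdirectories of /tmp are not hardened` is the right call: it is the fact an LTS uploader needs before deciding whether to ship a behaviour-changing fix, and it should not sit beside the old claim.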
[Git][security-tracker-team/security-tracker][master] LTS: claim exiv2
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b20e9ff by Helmut Grohne at 2022-12-11T20:52:46+01:00 LTS: claim exiv2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -42,7 +42,7 @@ erlang NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) -- -exiv2 +exiv2 (Helmut Grohne) NOTE: 20221119: Programming language: C. -- firmware-nonfree (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b20e9ffcee6f952a43144655dfefd7f17aedcca
[Git][security-tracker-team/security-tracker][master] reserve DLA-3233-1 for leptonlib
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 205dcddf by Helmut Grohne at 2022-12-08T14:35:04+01:00 reserve DLA-3233-1 for leptonlib - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -25939,7 +25939,6 @@ CVE-2022-38267 (School Activity Updates with SMS Notification v1.0 was discovere CVE-2022-38266 (An issue in the Leptonica linked library (v1.79.0) allows attackers to ...) - leptonlib 1.82.0-1 [bullseye] - leptonlib (Minor issue) - [buster] - leptonlib (Minor issue, SIGFPE in CLI tools) NOTE: https://github.com/DanBloomberg/leptonica/commit/f062b42c0ea8dddebdc6a152fd16152de215d614 (1.81.0) NOTE: https://github.com/tesseract-ocr/tesseract/issues/3498 CVE-2022-38265 (Apartment Visitor Management System v1.0 was discovered to contain a S ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Dec 2022] DLA-3233-1 leptonlib - security update + {CVE-2022-38266} + [buster] - leptonlib 1.76.0-1+deb10u2 [07 Dec 2022] DLA-3232-1 virglrenderer - security update {CVE-2019-18388 CVE-2019-18389 CVE-2019-18390 CVE-2019-18391 CVE-2020-8002 CVE-2020-8003 CVE-2022-0135} [buster] - virglrenderer 0.7.0-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/205dcddf87393a140d001d7ef40fc1f8955ab280
[Git][security-tracker-team/security-tracker][master] triage CVE-2018-5710
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 5886baca by Helmut Grohne at 2022-12-08T11:08:05+01:00 triage CVE-2018-5710 This is already marked as a duplicate. Clarify which ids are duplicated and update the relevant DLAs. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -322988,15 +322988,15 @@ CVE-2018-5711 (gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PH NOTE: https://github.com/libgd/libgd/issues/420 NOTE: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04 CVE-2018-5710 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The ...) + {DLA-2771-1 DLA-1643-1} - krb5 1.16.1-1 (bug #889685) - [stretch] - krb5 (Minor issue) - [jessie] - krb5 (Minor issue) [wheezy] - krb5 (all strlen() parameters are checked for NULL) NOTE: https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS) NOTE: The CVE is a duplicate of the #891869 issue(s) due to reporter not NOTE: having coordinated with upstream and the CVE assignment ist sill for NOTE: slight different coverage. Thus keep it distinct (for now) and mark NOTE: CVE-2018-5710 issue as well as fixed once #891869 is adressed. + NOTE: The duplicated ids are CVE-2018-5729 and CVE-2018-5730. CVE-2018-5709 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The ...) - krb5 (unimportant; bug #889684) NOTE: https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow = data/DLA/list = 
@@ -1384,7 +1384,7 @@ {CVE-2017-12678 CVE-2018-11439} [stretch] - taglib 1.11.1+dfsg.1-0.3+deb9u1 [30 Sep 2021] DLA-2771-1 krb5 - security update - {CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750} + {CVE-2018-5710 CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750} [stretch] - krb5 1.15-1+deb9u3 [30 Sep 2021] DLA-2770-1 weechat - security update {CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516} @@ -4857,7 +4857,7 @@ {CVE-2018-19788 CVE-2019-6133} [jessie] - policykit-1 0.105-15~deb8u4 [25 Jan 2019] DLA-1643-1 krb5 - security update - {CVE-2018-5729 CVE-2018-5730 CVE-2018-20217} + {CVE-2018-5710 CVE-2018-5729 CVE-2018-5730 CVE-2018-20217} [jessie] - krb5 1.12.1+dfsg-19+deb8u5 [25 Jan 2019] DLA-1642-1 postgresql-9.4 - new upstream version [jessie] - postgresql-9.4 9.4.20-0+deb8u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5886baca27ccb9b824416c9cc1a4bdd55d24e2d1
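Review bot: the CVE-2018-5710 hunk adds `{DLA-2771-1 DLA-1643-1}` and the NOTE naming CVE-2018-5729 and CVE-2018-5730 as the duplicated ids, but the existing NOTE block directly above still says "keep it distinct (for now) and mark CVE-2018-5710 issue as well as fixed once #891869 is adressed", which now reads as an open action item even though this commit performs exactly that step. Suggest rewording that older NOTE to say the DLAs now cover the id (and fixing its "ist sill" / "adressed" typos while the block is being touched) so the entry tells one story. The two data/DLA/list hunks that add CVE-2018-5710 to DLA-2771-1 and DLA-1643-1 are consistent with the new cross-reference.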
[Git][security-tracker-team/security-tracker][master] CVE-2022-21797 still affects joblib in buster
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d4c2566 by Helmut Grohne at 2022-12-06T15:13:31+01:00 CVE-2022-21797 still affects joblib in buster The update to joblib included two fixes. The first attempt was restricting variables for eval and the second one did away with eval. While unstable has the second iteration, buster got the eval version and that one is still vulnerable. Exploit: eval([x for x in 42 .__class__.__mro__[1].__subclasses__() if x.__name__ == BuiltinImporter][0]().load_module(os).system(id), {__builtins__: {}}, {}) - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -60433,12 +60433,13 @@ CVE-2022-21803 (This affects the package nconf before 0.11.4. When using the mem CVE-2022-21802 (The package grapesjs before 0.19.5 are vulnerable to Cross-site Script ...) NOT-FOR-US: grapejs CVE-2022-21797 (The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary ...) - {DLA-3193-1} - joblib 1.2.0-1 (bug #1020820) [bullseye] - joblib (Minor issue) + [buster] - joblib (Minor issue, the fix from +deb10u1 is incomplete) NOTE: https://github.com/joblib/joblib/issues/1128 NOTE: https://github.com/joblib/joblib/pull/1321 - NOTE: https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059 (1.2.0) + NOTE: vulnerable patch https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059 (1.2.0) + NOTE: better fix https://github.com/joblib/joblib/pull/1327 NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033 CVE-2022-21235 (The package github.com/masterminds/vcs before 1.13.3 are vulnerable to ...) NOT-FOR-US: github.com/masterminds/vcs = data/DLA/list = 
@@ -97,7 +97,6 @@ {CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651} [buster] - asterisk 1:16.28.0~dfsg-0+deb10u1 [17 Nov 2022] DLA-3193-1 joblib - security update - {CVE-2022-21797} [buster] - joblib 0.13.0-2+deb10u1 [17 Nov 2022] DLA-3192-1 lava - security update {CVE-2022-42902} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d4c2566e5ff7fbb12aa80730d49c7085ac77466
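Review bot: the CVE/list hunk keeps `- joblib 1.2.0-1 (bug #1020820)` as the fixed version while relabelling the 1.2.0 commit as `vulnerable patch ... (1.2.0)` and adding `better fix https://github.com/joblib/joblib/pull/1327` with no release marker; read together, the entry says both that 1.2.0 is the fix and that the 1.2.0 patch is vulnerable. Suggest marking the better-fix NOTE with the upstream release that contains PR 1327, in the same `(release)` style the other NOTE uses, and carrying the one-line explanation from the commit message (first fix restricted the namespace passed to eval, second fix removed eval) into a NOTE, because the commit message is not visible from the tracker. Removing `{CVE-2022-21797}` from DLA-3193-1 in data/DLA/list leaves that advisory with an empty CVE set; a NOTE next to the new `[buster] - joblib (Minor issue, the fix from +deb10u1 is incomplete)` line that names DLA-3193-1 would keep the link between the published advisory and the still-open issue.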
[Git][security-tracker-team/security-tracker][master] triage cgal and issue DLA-3226-1
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 3eaeb81f by Helmut Grohne at 2022-12-06T12:43:53+01:00 triage cgal and issue DLA-3226-1 All of the TALOS-2020-1225 vulnerabilities are fixed in the same PR. While identifying individual commits is possible, the individual patches are incomplete and need fixes, so it is better to use the whole PR. I've noted the merge commit for each CVE. In one instance, the TALOS report was inaccurate and I've added a note. DLA-2649-1 actually did the right thing and applied the whole PR. As such, it actually did fix all of the issues. We cannot change this aspect in the elts tracker. Thus doing here. - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list =
@@ -142100,44 +142100,48 @@ CVE-2020-35637 CVE-2020-35636 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35635 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35634 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35633 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35632 (Multiple code execution vulnerabilities exists in the Nef polygon-pars ...) + {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35631 (Multiple code execution vulnerabilities exists in the Nef polygon-pars ...) 
+ {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35630 (Multiple code execution vulnerabilities exists in the Nef polygon-pars ...) + {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35629 (Multiple code execution vulnerabilities exists in the Nef polygon-pars ...) + {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-35628 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2021-21433 (Discord Recon Server is a bot that allows you to do your reconnaissanc ...) NOT-FOR-US: Discord Recon Server CVE-2021-21432 (Vela is a Pipeline Automation (CI/CD) framework built on Linux contain ...) @@ -152568,149 +152572,184 @@ CVE-2020-28637 CVE-2020-28636 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) {DLA-2649-1} - cgal 5.2-3 (bug #985671) - [buster] - cgal (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 + NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398 CVE-2020-28635 (Multiple code execution vulnerabilities exists in the Nef polygon-pars ...) + {DLA-2649-1} - cgal 5.2-3 (bug #985671) -
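Review bot: every cgal hunk adds the same `NOTE: https://github.com/CGAL/cgal/commit/e1870c15224ddd5d79b1df5b8248e4c6813d7398` and supplies `{DLA-2649-1}` to the entries that lacked it, but the reason for pointing at the merge commit rather than a per-CVE commit (the individual patches are incomplete and need follow-up fixes) exists only in the commit message. Adding that sentence once as a NOTE, for example on CVE-2020-35636, would stop a future backporter from cherry-picking a single TALOS-2020-1225 commit and shipping an incomplete fix. The commit message also says one TALOS report was inaccurate and a note was added, but no such NOTE appears in the hunks shown here; please name the CVE that carries it.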
[Git][security-tracker-team/security-tracker][master] lts: claim cgal
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 89924e2f by Helmut Grohne at 2022-12-05T17:39:50+01:00 lts: claim cgal - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,6 +21,8 @@ ceph NOTE: 20221130: Can someone take care of it in Buster? I'm currently building the Bullseye backport of the fix... NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer) -- +cgal (Helmut Grohne) +-- consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89924e2f96a42ec495b3a2ebf278ecf1b811a48e
[Git][security-tracker-team/security-tracker][master] triage giflib and reserve DLA-3223-1
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c8041f1 by Helmut Grohne at 2022-12-05T12:58:43+01:00 triage giflib and reserve DLA-3223-1 * CVE-2020-23922: verified that reproducer doesn't work anymore * CVE-2019-15133: fixed * CVE-2018-11490: fixed * CVE-2018-11489: locate patch; never affected us, see bug discussion * CVE-2016-3977: drop ELTS entries * CVE-2016-: flag unimportant, cannot triage in elts tracker - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -166107,6 +166107,7 @@ CVE-2020-23922 (An issue was discovered in giflib through 5.1.4. DumpScreen2RGB - giflib (unimportant; bug #988151) NOTE: https://sourceforge.net/p/giflib/bugs/151/ NOTE: Specific to gif2rgb. Crash in CLI tool, no security impact + NOTE: Reproducer does not trigger using giflib 5.2.1-2.5 with asan or valgrind. CVE-2020-23921 (An issue was discovered in fast_ber through v0.4. yy::yylex() in asn_c ...) NOT-FOR-US: fast_ber CVE-2020-23920 @@ -238645,9 +238646,6 @@ CVE-2019-15134 (RIOT through 2019.07 contains a memory leak in the TCP implement CVE-2019-15133 (In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by ...) [experimental] - giflib 5.1.8-1 - giflib 5.1.9-1 - [buster] - giflib (Minor issue) - [stretch] - giflib (Minor issue) - [jessie] - giflib (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13008 NOTE: https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908/ NOTE: https://sourceforge.net/p/giflib/bugs/119/
@@ -305196,22 +305194,16 @@ CVE-2018-11491 (ASUS HG100 devices with firmware before 1.05.12 allow unauthenti CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly vers ...) [experimental] - giflib 5.1.7-1 - giflib 5.1.9-1 (bug #904114) - [buster] - giflib (Minor issue) - [stretch] - giflib (Minor issue) - [jessie] - giflib (Minor issue) NOTE: https://github.com/pts/sam2p/issues/38 NOTE: https://sourceforge.net/p/giflib/bugs/113/ NOTE: https://sourceforge.net/p/giflib/code/ci/08438a5098f3bb1de23a29334af55eba663f75bd/ NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from giflib. CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly vers ...) - - giflib (bug #904113) - [bullseye] - giflib (Minor issue) - [buster] - giflib (Minor issue) - [stretch] - giflib (Minor issue) - [jessie] - giflib (Minor issue) + - giflib 4.1.6-11 (bug #904113) NOTE: https://github.com/pts/sam2p/issues/37 NOTE: https://sourceforge.net/p/giflib/bugs/112/ NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from giflib. + NOTE: https://github.com/pts/sam2p/files/2252965/sam2p_CVEs.patch.txt CVE-2018-11488 (A stack exhaustion vulnerability in the search function of dtSearch 7. ...) NOT-FOR-US: dtSearch CVE-2018-11487 (PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the qu ...) @@ -407539,8 +407531,6 @@ CVE-2016-3981 (Heap-based buffer overflow in the bmp_read_rows function in pngxr NOTE: https://sourceforge.net/p/optipng/bugs/56/ CVE-2016-3977 (Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1. ...) - giflib 5.1.4-3 (bug #820526) - [stretch] - giflib (Minor issue) - [jessie] - giflib (Minor issue) [wheezy] - giflib (minor issue) NOTE: https://sourceforge.net/p/giflib/bugs/87/ NOTE: https://sourceforge.net/p/giflib/code/ci/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88/ 
@@ -413557,12 +413547,13 @@ CVE-2015-8786 (The Management plugin in RabbitMQ before 3.6.1 allows remote auth NOTE: https://github.com/rabbitmq/rabbitmq-management/issues/97 CVE-2016- [out of bound read and write issues] - giflib 5.1.4-0.1 (bug #820594) - [jessie] - giflib (Minor issue) + [jessie] - giflib (unimportant) [wheezy] - giflib (Minor issue) [squeeze] - giflib (Minor issue) NOTE: http://sourceforge.net/p/giflib/bugs/82/ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/01/26/5 NOTE: http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/ + NOTE: Specific to gif2rgb. Crash in CLI tool, no security impact CVE-2016-2073 (The htmlParseNameComplex function in HTMLparser.c in libxml2 allows at ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 (bug #812807) = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Dec 2022] DLA-3223-1 giflib - security update + {CVE-2018-11490 CVE-2019-15133}
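Review bot: for CVE-2018-11489 the commit message concludes "never affected us, see bug discussion", but the hunk only rewrites the package line to `+ - giflib 4.1.6-11 (bug #904113)` and adds the sam2p patch URL; nothing in the entry records why 4.1.6-11 is taken as the fixed version. A `NOTE:` line pointing at the part of bug #904113 that establishes this would let the next triager verify the conclusion without re-deriving it, which is the same standard the CVE-2020-23922 hunk meets with its `+ NOTE: Reproducer does not trigger using giflib 5.2.1-2.5 with asan or valgrind.` line.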
[Git][security-tracker-team/security-tracker][master] issue DLA-3214-1 for libraw
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 245c2a39 by Helmut Grohne at 2022-11-30T21:56:35+01:00 issue DLA-3214-1 for libraw - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -163032,7 +163032,7 @@ CVE-2020-24890 (** DISPUTED ** libraw 20.0 has a null pointer dereference vulner NOTE: https://github.com/LibRaw/LibRaw/issues/335#issuecomment-677637276 CVE-2020-24889 (A buffer overflow vulnerability in LibRaw version 20.0 LibRaw::Ge ...) - libraw 0.20.2-1 - [buster] - libraw (Minor issue) + [buster] - libraw (Hassleblad data parser added in 0.20) [stretch] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/334 NOTE: https://github.com/LibRaw/LibRaw/commit/78d323ecbe6a9752aee6e97118a76d40704d73ee @@ -183716,7 +183716,6 @@ CVE-2020-15504 (A SQL injection vulnerability in the user and admin web interfac CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...) [experimental] - libraw 0.20.0-1 - libraw 0.20.0-4 (bug #964747) - [buster] - libraw (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2022] DLA-3214-1 libraw - security update + {CVE-2020-15503} + [buster] - libraw 0.19.2-2+deb10u2 [29 Nov 2022] DLA-3213-1 krb5 - security update {CVE-2022-42898} [buster] - krb5 1.17-3+deb10u5 = data/dla-needed.txt = 
@@ -121,10 +121,6 @@ libpgjava NOTE: 20221128: Please check, whether CVE-2022-41946 affects modern systems (gladk). NOTE: 20221128: If not - please mark it as (gladk). -- -libraw - NOTE: 20221129: Programming language: C++. - NOTE: 20221129: VCS: https://salsa.debian.org/lts-team/packages/libraw.git --- libreoffice NOTE: 20221012: Programming language: C++. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/245c2a3955a3dafe6de3d55f4c41da07cff276c1
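Review bot: the replacement buster annotation for CVE-2020-24889, `+ [buster] - libraw (Hassleblad data parser added in 0.20)`, misspells the vendor name; it should read `Hasselblad`, and since these free-text reasons get grepped during later re-triage the typo will hide the entry. It would also help to cite in a `NOTE:` where the "added in 0.20" claim comes from, so the not-affected reasoning for buster can be checked rather than taken on trust.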
[Git][security-tracker-team/security-tracker][master] libraw ELTS triage
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 7246062f by Helmut Grohne at 2022-11-28T19:36:10+01:00 libraw ELTS triage Yeah, this doesn't really belong here. However, we need to remove conflicting declarations to allow adding them to the elts tracker without messing up the database. This is the bulk of changes. I'm also adding commit references as this is independent of ELTS. Beyond this, two earlier DLAs have a wrong CVE list. DLA-2903-1 did not fix CVE-2017-16909. It contains a CVE-2017-16909.patch, which fixes a different vulnerability. DLA-1734-1 missed CVE-2018-5807 and CVE-2018-5810, which are fixed by the same commit that fixes CVE-2018-5808. Except for the commit id notes, none of this can be fixed in the elts tracker. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -183005,7 +183005,6 @@ CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This [experimental] - libraw 0.20.0-1 - libraw 0.20.0-4 (bug #964747) [buster] - libraw (Minor issue) - [stretch] - libraw (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...)
@@ -306475,15 +306474,11 @@ CVE-2018-10530 RESERVED CVE-2018-10529 (An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds re ...) - libraw 0.18.11-1 (low; bug #897186) - [stretch] - libraw (Vulnerable code not present) - [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c NOTE: https://github.com/LibRaw/LibRaw/issues/144 CVE-2018-10528 (An issue was discovered in LibRaw 0.18.9. There is a stack-based buffe ...) - libraw 0.18.11-1 (low; bug #897185) - [stretch] - libraw (Vulnerable code not present) - [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/895529fc2f2eb8bc633edd6b04b5b237eb4db564 NOTE: https://github.com/LibRaw/LibRaw/issues/144 @@ -319914,8 +319909,8 @@ CVE-2018-5816 (An integer overflow error within the "identify()" function (inter CVE-2018-5815 (An integer overflow error within the "parse_qt()" function (internal/d ...) {DLA-2903-1} - libraw 0.18.13-1 (low) - [jessie] - libraw (Minor issue) NOTE: http://seclists.org/bugtraq/2018/Jul/58 + NOTE: https://github.com/LibRaw/LibRaw/commit/1334647862b0c90b2e8cb2f668e66627d9517b17 CVE-2018-5814 (In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4. ...) {DLA-1423-1 DLA-1422-1} - linux 4.16.12-1 @@ -319925,7 +319920,6 @@ CVE-2018-5814 (In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and CVE-2018-5813 (An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibR ...) {DLA-2903-1} - libraw 0.18.11-1 (low) - [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-13/ CVE-2018-5812 (An error within the "nikon_coolscan_load_raw()" function (internal/dcr ...) {DLA-2903-1} 
@@ -319942,6 +319936,7 @@ CVE-2018-5810 (An error within the "rollei_load_raw()" function (internal/dcraw_ - libraw 0.18.11-1 [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ + NOTE: https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9 CVE-2018-5809 (An error within the "LibRaw::parse_exif()" function (internal/dcraw_co ...) - libraw 0.18.11-1 [stretch] - libraw (Vulnerable code not present) @@ -319958,21 +319953,22 @@ CVE-2018-5807 (An error within the "samsung_load_raw()" function (internal/dcraw - libraw 0.18.11-1 [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ + NOTE: https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9 CVE-2018-5806 (An error within the "leaf_hdr_load_raw()" function (internal/dcraw_com ...) {DLA-2903-1} - libraw 0.18.8-1 (low) - [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03 + NOTE: https://github.com/LibRaw/LibRaw/commit/9f26ce37f5be86ea11bfc6831366558650b1f6ff CVE-2018-5805 (A boundary error within the "quicktake_100_load_raw()" function (inter ...) {DLA-2903-1} - libraw 0.18.8-1 (low) - [jessie] - libraw (Minor issue) NOTE:
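Review bot: the commit message establishes two data errors (DLA-2903-1 does not fix CVE-2017-16909 because its CVE-2017-16909.patch addresses a different bug; DLA-1734-1 omits CVE-2018-5807 and CVE-2018-5810, which the same fd633029... commit as CVE-2018-5808 fixes), but neither finding lands in the entries: the CVE-2018-5810 and CVE-2018-5807 hunks only add the commit URL. Since the message says the DLA lists cannot be corrected from this tracker, a `NOTE:` on each of those three entries stating which DLA does or does not cover it keeps the finding next to the data instead of only in git history.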
[Git][security-tracker-team/security-tracker][master] CVE-2017-16909: fix commit id of patch
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 27b04511 by Helmut Grohne at 2022-11-28T08:32:04+01:00 CVE-2017-16909: fix commit id of patch I've also re-checked buster to really be fixed. The code has been significantly redone and includes the necessary checks. Later releases will be fixed as well. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -336749,7 +336749,7 @@ CVE-2017-16909 (An error related to the "LibRaw::panasonic_load_raw()" function [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 - NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e + NOTE: https://github.com/LibRaw/LibRaw/commit/f1394822a0152ceed77815eafa5cac4e8baab10a CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field during crea ...) {DLA-2350-1} - php-horde-kronolith 4.2.24-1 (bug #909738) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27b045113279caaaf2ddecfc97a35b1377137ee0
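Review bot: the verification result stated in the message (buster re-checked and found fixed because the panasonic_load_raw code was reworked and now includes the necessary checks) is not recorded in the entry; the hunk only swaps the commit URL from 2f59bac5... to f1394822..., and the surrounding context still carries the jessie and wheezy "Minor issue" annotations. A `NOTE:` capturing that buster verification, alongside the corrected commit reference, would stop the entry from being re-triaged from scratch.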
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3204-1 for vim
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: c56dcc47 by Helmut Grohne at 2022-11-24T10:17:12+01:00 Reserve DLA-3204-1 for vim - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -38291,7 +38291,6 @@ CVE-2022-29890 (In affected versions of Octopus Server the help sidebar can be c CVE-2022-2000 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/f61a64e2-d163-461b-a77e-46ab38e021f0 NOTE: https://github.com/vim/vim/commit/44a3f3353e0407e9fffee138125a6927d1c9e7e5 (v8.2.5063) @@ -40093,7 +40092,6 @@ CVE-2022-1943 (A flaw out of bounds memory write in the Linux kernel UDF file sy CVE-2022-1942 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/67ca4d3b-9175-43c1-925c-72a7091bc071 NOTE: https://github.com/vim/vim/commit/71223e2db87c2bf3b09aecb46266b56cda26191d (v8.2.5043) @@ -40507,7 +40505,6 @@ CVE-2022-1898 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/82c12151-c283-40cf-aa05-2e39efa89118 NOTE: https://github.com/vim/vim/commit/338f1fc0ee3ca929387448fe464579d6113fa76a (v8.2.5023) 
@@ -42683,7 +42680,6 @@ CVE-2022-1786 (A use-after-free flaw was found in the Linux kernels io_ur CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977. ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/8c969cba-eef2-4943-b44a-4e3089599109 NOTE: https://github.com/vim/vim/commit/e2bd8600b873d2cd1f9d667c28cba8b1dba18839 (v8.2.4977) @@ -63500,7 +63496,6 @@ CVE-2022-21154 (An integer overflow vulnerability exists in the fltSaveCMP funct CVE-2022-0392 (Heap-based Buffer Overflow in GitHub repository vim prior to 8.2. ...) - vim 2:8.2.4659-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) [stretch] - vim (vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/d00a2acd-1935-4195-9d5b-4115ef6b3126 NOTE: https://github.com/vim/vim/commit/806d037671e133bd28a7864248763f643967973a (v8.2.4218) = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2022] DLA-3204-1 vim - security update + {CVE-2022-0318 CVE-2022-0392 CVE-2022-0629 CVE-2022-0696 CVE-2022-1619 CVE-2022-1621 CVE-2022-1785 CVE-2022-1897 CVE-2022-1942 CVE-2022-2000 CVE-2022-2129 CVE-2022-3235 CVE-2022-3256 CVE-2022-3352} + [buster] - vim 2:8.1.0875-5+deb10u4 [23 Nov 2022] DLA-3203-1 nginx - security update {CVE-2021-3618 CVE-2022-41741 CVE-2022-41742} [buster] - nginx 1.14.2-2+deb10u5 = data/dla-needed.txt = 
@@ -339,10 +339,6 @@ varnish NOTE: 20221109: Programming language: C. NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk) -- -vim (Helmut) - NOTE: 20221108: Programming language: C. - NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git --- virglrenderer (Thorsten Alteholz) NOTE: 20221009: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c56dcc47493e0659506a4d7cc7f5ff079beac948
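Review bot: the new DLA-3204-1 entry lists fourteen CVEs, but the data/CVE/list hunks drop the `[buster] - vim (Minor issue)` line for only five of them (CVE-2022-0392, CVE-2022-1785, CVE-2022-1897, CVE-2022-1942, CVE-2022-2000); confirm the remaining nine (CVE-2022-0318, 0629, 0696, 1619, 1621, 2129, 3235, 3256, 3352) had no buster annotation left to remove, otherwise the tracker will show them as both postponed for buster and fixed by this DLA.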
[Git][security-tracker-team/security-tracker][master] drop ELTS annotation for vim to allow changing it in ELTS tracker
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 1564b16c by Helmut Grohne at 2022-11-23T11:39:16+01:00 drop ELTS annotation for vim to allow changing it in ELTS tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -90090,7 +90090,6 @@ CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.3455-1 (bug #994076) [bullseye] - vim 2:8.2.2434-3+deb11u1 [buster] - vim 2:8.1.0875-5+deb10u1 - [stretch] - vim (Vulnerable code not present) NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402) NOTE: Followup fix for introduced memory leak: https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1b6e08e (v8.2.3403) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1564b16c9015e1bc4d03afcef255966277748156
[Git][security-tracker-team/security-tracker][master] triage vim CVEs
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 01f74ec8 by Helmut Grohne at 2022-11-14T11:48:24+01:00 triage vim CVEs apos vim lts upload actually fixed CVE-2021-3872, but he forgot mentioning it. Add number of not-affected for buster and sometimes bullseye. Remove two stretch annotations to avoid conflicts with the ELTS tracker. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -18497,6 +18497,7 @@ CVE-2022-3038 (Use after free in Network Service in Google Chrome prior to 105.0 [buster] - chromium (see DSA 5046) CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0322. ...) - vim 2:9.0.0626-1 (bug #1019590) + [buster] - vim (quickfixtextfunc added in 8.2.0869) NOTE: https://huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5 NOTE: https://github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb (v9.0.0322) CVE-2022-3036 (The Gettext override translations WordPress plugin before 2.0.0 does n ...) @@ -19307,6 +19308,7 @@ CVE-2022-2983 RESERVED CVE-2022-2982 (Use After Free in GitHub repository vim/vim prior to 9.0.0260. ...) - vim 2:9.0.0626-1 (bug #1019590) + [buster] - vim (quickfixtextfunc added in 8.2.0869) NOTE: https://huntr.dev/bounties/53f53d9a-ba8a-4985-b7ba-23efbe6833be NOTE: https://github.com/vim/vim/commit/d6c67629ed05aae436164eec474832daf8ba7420 (v9.0.0260) CVE-2022-2981 (The Download Monitor WordPress plugin before 4.5.98 does not ensure th ...) 
@@ -24133,6 +24135,8 @@ CVE-2022-2581 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104 NOTE: Crash in CLI tool, no security impact CVE-2022-2580 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - vim 2:9.0.0135-1 + [bullseye] - vim (interpolation introduced in 8.2.4930) + [buster] - vim (interpolation introduced in 8.2.4930) NOTE: https://huntr.dev/bounties/c5f2f1d4-0441-4881-b19c-055acaa16249/ NOTE: https://github.com/vim/vim/commit/1e56bda9048a9625bce6e660938c834c5c15b07d (v9.0.0104) CVE-2022-2579 (A vulnerability, which was classified as problematic, was found in Sou ...) @@ -29718,6 +29722,8 @@ CVE-2022-2289 (Use After Free in GitHub repository vim/vim prior to 9.0. ...) NOTE: Crash in CLI tool, no security impact CVE-2022-2288 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. ...) - vim 2:9.0.0135-1 (bug #1015984) + [bullseye] - vim (vulnerable code introduced in 8.2.4763) + [buster] - vim (vulnerable code introduced in 8.2.4763) NOTE: https://huntr.dev/bounties/a71bdcb7-4e9b-4650-ab6a-fe8e3e9852ad/ NOTE: https://github.com/vim/vim/commit/c6fdb15d423df22e1776844811d082322475e48a (v9.0.0025) CVE-2022-34910 @@ -44910,8 +44916,7 @@ CVE-2022-1421 (The Discy WordPress theme before 5.2 lacks CSRF checks in some AJ CVE-2022-1420 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) - vim 2:8.2.4793-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (Vulnerable code not present) + [buster] - vim (method call operator -> introduced in 8.1.1803) NOTE: https://huntr.dev/bounties/a4323ef8-90ea-4e1c-90e9-c778f0ecf326 NOTE: https://github.com/vim/vim/commit/8b91e71441069b1dde9ac9ff9d9a829b1b4aecca (v8.2.4774) CVE-2021-46784 (In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due ...) 
@@ -45374,9 +45379,8 @@ CVE-2022-29404 (In Apache HTTP Server 2.4.53 and earlier, a malicious request to NOTE: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc CVE-2022-1381 (global heap buffer overflow in skip_range in GitHub repository vim/vim ...) - vim 2:8.2.4793-1 - [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (Vulnerable code not present) + [bullseye] - vim (affects visual range prasing, which was added in 8.2.4633) + [buster] - vim (affects visual range prasing, which was added in 8.2.4633) NOTE: https://huntr.dev/bounties/55f9c0e8-c221-48b6-a00e-bdcaebaba4a4/ NOTE: https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47 (v8.2.4763) CVE-2022-29403 @@ -66103,6 +66107,7 @@ CVE-2021-46163 (Kentico Xperience 13.0.44 allows XSS via an XML document to the NOT-FOR-US: Kentico Xperience CMS CVE-2022-0156 (vim is vulnerable to Use After Free ...) - vim 2:8.2.4659-1 (unimportant) + [buster] - vim (vim9script functionality not present in buster and earlier) NOTE: https://huntr.dev/bounties/47dded34-3767-4725-8c7c-9dcb68c70b36 NOTE:
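Review bot: both added lines for CVE-2022-1381, `+ [bullseye] - vim (affects visual range prasing, which was added in 8.2.4633)` and the matching `[buster]` line, misspell "parsing"; fix it before this lands, because these reason strings are copied verbatim into the rendered tracker and into other tools that grep them. The other new not-affected reasons in this patch (quickfixtextfunc in 8.2.0869, interpolation in 8.2.4930, method call operator in 8.1.1803, vim9script absent) follow the useful pattern of naming the feature and the version that introduced it; applying the same pattern consistently, with the introducing upstream commit where known, makes each claim checkable later.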
[Git][security-tracker-team/security-tracker][master] claim vim dla
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 023a0626 by Helmut Grohne at 2022-11-10T12:30:50+01:00 claim vim dla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -299,7 +299,7 @@ varnish NOTE: 20221109: Programming language: C. NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk) -- -vim +vim (Helmut) NOTE: 20221108: Programming language: C. NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/023a0626fb934a8b7a2093939b6bd07503469167
[Git][security-tracker-team/security-tracker][master] delete more conflicting glibc elts annotations
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 67cfa5eb by Helmut Grohne at 2022-11-10T12:23:26+01:00 delete more conflicting glibc elts annotations - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -206128,7 +206128,6 @@ CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atft CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...) {DLA-3152-1} - glibc 2.31-2 (low; bug #961452) - [stretch] - glibc (Minor issue) [jessie] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019 @@ -260712,8 +260711,6 @@ CVE-2019-6501 (In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c NOTE: vulnerability not present prior 2.12.50 CVE-2016-10739 (In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinf ...) - glibc 2.28-6 (bug #920047) - [stretch] - glibc (Minor issue) - [jessie] - glibc (Minor issue) - eglibc NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1347549 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20018 @@ -367666,7 +367663,6 @@ CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0. CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and e ...) {DLA-3152-1} - glibc 2.31-3 (low; bug #856503) - [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19519 @@ -411831,7 +411827,6 @@ CVE-2014-9762 (imlib2 before 1.4.7 allows remote attackers to cause a denial of CVE-2014-9761 (Multiple stack-based buffer overflows in the GNU C Library (aka glibc ...) {DLA-411-1} - glibc 2.23-1 (bug #813187) - [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16962 
@@ -425222,7 +425217,6 @@ CVE-2015-5181 (The JBoss console in A-MQ allows remote attackers to execute arbi NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5180 (res_query in libresolv in glibc before 2.25 allows remote attackers to ...) - glibc 2.24-9 (low; bug #796106) - [jessie] - glibc (Minor issue, too intrusive to backport) - eglibc (low) [wheezy] - eglibc (Minor issue) [squeeze] - eglibc (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67cfa5eb394182d2d26fc3a9edcbaf1e1091e1be
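Review bot: the CVE-2015-5180 hunk deletes `[jessie] - glibc (Minor issue, too intrusive to backport)`, which is the only place the "too intrusive to backport" rationale is recorded in this entry; if the suite annotation has to go so it can be re-added in the ELTS tracker, keep the rationale as a `NOTE:` line, which does not conflict with the other tracker, so the reasoning survives the move.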
[Git][security-tracker-team/security-tracker][master] delete glibc annotations conflicting with elts tracker
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 954ccfc8 by Helmut Grohne at 2022-11-07T10:35:21+01:00 delete glibc annotations conflicting with elts tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63932,13 +63932,11 @@ CVE-2022-23219 (The deprecated compatibility function clnt_create in the sunrpc {DLA-3152-1} - glibc 2.33-3 [bullseye] - glibc 2.31-13+deb11u3 - [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the sunrpc mod ...) {DLA-3152-1} - glibc 2.33-3 [bullseye] - glibc 2.31-13+deb11u3 - [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768 CVE-2022-23217 RESERVED @@ -74458,7 +74456,6 @@ CVE-2021-3999 (A flaw was found in glibc. An off-by-one buffer overflow and unde {DLA-3152-1} - glibc 2.33-4 [bullseye] - glibc 2.31-13+deb11u4 - [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769 NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e @@ -99017,7 +99014,6 @@ CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Acc CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 2.33 may ...) {DLA-3152-1} - glibc 2.31-13 (bug #990542) - [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011 NOTE: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c CVE-2021-35941 (Western Digital WD My Book Live (2.x and later) and WD My Book Live Du ...) 
@@ -104600,7 +104596,6 @@ CVE-2021-33574 (The mq_notify function in the GNU C Library (aka glibc) versions [experimental] - glibc 2.32-0experimental0 - glibc 2.32-1 (bug #989147) [bullseye] - glibc 2.31-13+deb11u3 - [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091 @@ -123608,7 +123603,6 @@ CVE-2021-26273 (The Agent in NinjaRMM 5.0.909 has Incorrect Access Control. ...) CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) {DLA-3152-1} - glibc 2.31-10 (bug #981198) - [stretch] - glibc (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2146 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 NOTE: https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html @@ -135695,7 +135689,6 @@ CVE-2020-35931 (An issue was discovered in Foxit Reader before 10.1.1 (and befor CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) through 2. ...) {DLA-3152-1} - glibc 2.31-9 (bug #979273) - [stretch] - glibc (Minor issue; can be fixed in next update) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b CVE-2019-25012 (The Webform Report project 7.x-1.x-dev for Drupal allows remote attack ...) 
@@ -152223,7 +152216,6 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.p CVE-2020-27618 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) {DLA-3152-1} - glibc 2.31-5 (bug #973914) - [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26224 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5 CVE-2020-27617 (eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to t ...) @@ -195790,8 +195782,6 @@ CVE-2020-10030 (An issue has been found in PowerDNS Recursor 4.1.0 up to and inc CVE-2020-10029 (The GNU C Library (aka glibc or libc6) before 2.32 could overflow an o ...) {DLA-3152-1} - glibc 2.30-1 (bug #953108) - [stretch] - glibc (Minor issue) - [jessie] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25487 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9333498794cde1d5cca518badf79533a24114b6f NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c10acd40262486dac597001aecc20ad9d3bd0e4a @@ -218183,8 +218173,6 @@ CVE-2020-1753 (A security flaw was found
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3152-1 for glibc
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 24ec254d by Helmut Grohne at 2022-10-17T17:39:19+02:00 Reserve DLA-3152-1 for glibc - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -55590,13 +55590,11 @@ CVE-2022-23222 (kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows CVE-2022-23219 (The deprecated compatibility function clnt_create in the sunrpc module ...) - glibc 2.33-3 [bullseye] - glibc 2.31-13+deb11u3 - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the sunrpc mod ...) - glibc 2.33-3 [bullseye] - glibc 2.31-13+deb11u3 - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768 CVE-2022-23217 @@ -66139,7 +66137,6 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection to Untrusted Site ...) CVE-2021-3999 (A flaw was found in glibc. An off-by-one buffer overflow and underflow ...) - glibc 2.33-4 [bullseye] - glibc 2.31-13+deb11u4 - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769 NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4 @@ -90646,7 +90643,6 @@ CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Acc NOT-FOR-US: Couchbase Server CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 2.33 may ...) - glibc 2.31-13 (bug #990542) - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011 NOTE: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c 
@@ -96227,7 +96223,6 @@ CVE-2021-33574 (The mq_notify function in the GNU C Library (aka glibc) versions [experimental] - glibc 2.32-0experimental0 - glibc 2.32-1 (bug #989147) [bullseye] - glibc 2.31-13+deb11u3 - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb @@ -111866,7 +111861,6 @@ CVE-2021-27646 (Use After Free vulnerability in iscsi_snapshot_comm_core in Syno NOT-FOR-US: Synology CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka glibc o ...) - glibc 2.31-10 (bug #983479) - [buster] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462 NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1 (glibc-2.29) NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673 @@ -115235,7 +115229,6 @@ CVE-2021-26273 (The Agent in NinjaRMM 5.0.909 has Incorrect Access Control. ...) NOT-FOR-US: NinjaRMM CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) - glibc 2.31-10 (bug #981198) - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2146 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 @@ -127324,7 +127317,6 @@ CVE-2020-35931 (An issue was discovered in Foxit Reader before 10.1.1 (and befor NOT-FOR-US: Foxit Reader CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) through 2. ...) - glibc 2.31-9 (bug #979273) - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue; can be fixed in next update) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b 
@@ -143848,7 +143840,6 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.p NOTE: Only affects the testsuite CVE-2020-27618 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) - glibc 2.31-5 (bug #973914) - [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26224 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5 @@ -187428,7 +187419,6 @@ CVE-2020-10030 (An issue has been found in PowerDNS Recursor 4.1.0 up to and inc NOTE: Non exploitable on Linux
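Review bot: in the `@@ -111866,7 +111861,6 @@` hunk the `[buster] - glibc (Minor issue)` line for CVE-2021-27645 is removed while the entry's own `NOTE: Introduced by: ... (glibc-2.29)` stays; before this CVE is tied to DLA-3152-1, confirm that the buster glibc actually contains the introducing commit 745664bd798e, otherwise the accurate annotation is not-affected rather than fixed by the DLA.

Review bot: starting with the `@@ -55590,13 +55590,11 @@` hunk, every hunk only deletes a `[buster] - glibc (Minor issue)` line and adds nothing in its place, and no `{DLA-3152-1}` reference appears in any rendered CVE entry; the buster fixed version therefore has to come from data/DLA/list, which the mail lists among the three changed files but does not render, so the CVE-to-DLA mapping cannot be checked from this message alone. The trailing `@@ -187428,7 +187419,6 @@ CVE-2020-10030` hunk is also cut off after `NOTE: Non exploitable on Linux`.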
[Git][security-tracker-team/security-tracker][master] drop glibc annotations relevant to ELTS
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e2cfc0f by Helmut Grohne at 2022-10-17T12:22:40+02:00 drop glibc annotations relevant to ELTS I talked this through with Emilio: We cannot presently override these in the ELTS tracker (due to failing uniqueness constraints). Changing them here is not appropriate. Thus delete them here and add them in the ELTS tracker. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -111867,7 +111867,6 @@ CVE-2021-27646 (Use After Free vulnerability in iscsi_snapshot_comm_core in Syno CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka glibc o ...) - glibc 2.31-10 (bug #983479) [buster] - glibc (Minor issue) - [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462 NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1 (glibc-2.29) NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673 @@ -209832,8 +209831,6 @@ CVE-2020-1752 (A use-after-free vulnerability introduced in glibc upstream versi CVE-2020-1751 (An out-of-bounds write vulnerability was found in glibc before 2.31 wh ...) - glibc 2.30-3 [buster] - glibc (powerpc is not supported by LTS) - [stretch] - glibc (powerpc is not supported by ELTS) - [jessie] - glibc (powerpc is not supported by ELTS) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25423 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494 CVE-2020-1750 (A flaw was found in the machine-config-operator that causes an OpenShi ...)
@@ -245219,8 +245216,6 @@ CVE-2009-5155 (In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_ [stretch] - gnulib (Minor issue) [jessie] - gnulib (Minor issue) - glibc 2.28-1 - [stretch] - glibc (Minor issue) - [jessie] - glibc (Minor issue) - eglibc NOTE: http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272 NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793 @@ -292574,7 +292569,6 @@ CVE-2018-11238 CVE-2018-11237 (An AVX-512-optimized implementation of the mempcpy function in the GNU ...) - glibc 2.27-4 (low; bug #899070) [stretch] - glibc 2.24-11+deb9u4 - [jessie] - glibc (Minor issue, can be fixed along in future DSA or point update) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23196 CVE-2018-11236 (stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2cfc0fdf68e106cc5750b597b6e935b1d726eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2cfc0fdf68e106cc5750b597b6e935b1d726eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
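Review bot: the `@@ -245219,8 +245216,6 @@ CVE-2009-5155` hunk removes the glibc `[stretch]`/`[jessie]` `(Minor issue)` lines but leaves the neighbouring `[stretch] - gnulib (Minor issue)` and `[jessie] - gnulib (Minor issue)` lines in place; if the rule from the commit message is that ELTS annotations live only in the ELTS tracker, the gnulib lines should go the same way, or the message should say why they are exempt.

Review bot: the `@@ -209832,8 +209831,6 @@` hunk deletes the `(powerpc is not supported by ELTS)` lines for CVE-2020-1751 that commit 28563bd5 added ten days earlier; the message gives the reason (the ELTS tracker cannot override them), but the triage rationale itself now survives only in git history, so naming the ELTS-side commit that re-adds it would keep the decision traceable.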
[Git][security-tracker-team/security-tracker][master] ignore CVE-2020-1751 in glibc as LTS does not support powerpc
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 28563bd5 by Helmut Grohne at 2022-10-07T21:04:18+02:00 ignore CVE-2020-1751 in glibc as LTS does not support powerpc Please don't scream at me for updating stretch and jessie in the main tracker. If I were to leave these untouched here and change them in the elts tracker, in the best case, it would ignore the updates and keep displaying no-dsa. In the worst case, it would reject the data failing some uniqueness check. Been there on Tuesday... - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -208287,9 +208287,9 @@ CVE-2020-1752 (A use-after-free vulnerability introduced in glibc upstream versi NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c CVE-2020-1751 (An out-of-bounds write vulnerability was found in glibc before 2.31 wh ...) - glibc 2.30-3 - [buster] - glibc (Minor issue) - [stretch] - glibc (Minor issue) - [jessie] - glibc (Minor issue) + [buster] - glibc (powerpc is not supported by LTS) + [stretch] - glibc (powerpc is not supported by ELTS) + [jessie] - glibc (powerpc is not supported by ELTS) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25423 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494 CVE-2020-1750 (A flaw was found in the machine-config-operator that causes an OpenShi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28563bd510f9a698beddd397d9cae53586a0a5da
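Review bot: the hunk turns three `(Minor issue)` annotations for CVE-2020-1751 into `(powerpc is not supported by LTS)` / `(... by ELTS)`, but as rendered the replacement lines show no state tag at all; since the message itself speaks of the ELTS tracker "displaying no-dsa", the tracker evidently distinguishes states by something the rendering may have dropped (angle-bracket text), so confirm that the committed lines carry the ignored state and not merely a changed no-dsa reason, which is what the title "ignore" promises.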
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim glib.
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 12ee2b42 by Helmut Grohne at 2022-10-07T09:29:56+02:00 data/dla-needed.txt: Claim glib. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ gajim gerbv NOTE: 20220923: Programming language: C. -- -glibc +glibc (Helmut Grohne) NOTE: 20220913: Programming language: C, Assembly. NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12ee2b4223ac0ba3c267b5aa567938cbc31c37d1
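Review bot: the commit title says `Claim glib.` while the hunk changes `-glibc` to `+glibc (Helmut Grohne)`; glib is a different source package, so the title should name glibc to keep the list history searchable and to avoid suggesting the wrong work item was claimed.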
[Git][security-tracker-team/security-tracker][master] issue DLA-3133-1 for lighttpd fixing CVE-2022-37797
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 8caef9cb by Helmut Grohne at 2022-10-03T09:48:48+02:00 issue DLA-3133-1 for lighttpd fixing CVE-2022-37797 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Oct 2022] DLA-3133-1 lighttpd - security update + {CVE-2022-37797} + [buster] - lighttpd 1.4.53-4+deb10u3 [02 Oct 2022] DLA-3132-1 snakeyaml - security update {CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751} [buster] - snakeyaml 1.23-1+deb10u1 = data/dla-needed.txt = @@ -77,9 +77,6 @@ kopanocore -- libdatetime-timezone-perl (Emilio) -- -lighttpd (Helmut Grohne) - NOTE: 20220928: Programming language: C. --- linux (Ben Hutchings) -- mbedtls (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8caef9cb2f7994a4eb6247ae99773baa1b70fb60
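Review bot: the data/DLA/list hunk adds `{CVE-2022-37797}` under DLA-3133-1, but data/CVE/list is not among the two changed files, so the CVE-2022-37797 entry receives no `{DLA-3133-1}` cross-reference in this commit (compare the `{DLA-3113-1}` marker that the libraw entries further down carry); confirm that the reference is added, otherwise the CVE side of the tracker will not show the DLA.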
[Git][security-tracker-team/security-tracker][master] triage/fix lighttpd CVEs in buster
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: f81458e3 by Helmut Grohne at 2022-10-03T08:11:06+02:00 triage/fix lighttpd CVEs in buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1088,6 +1088,7 @@ CVE-2022-41556 [handle RDHUP when collecting chunked body] RESERVED {DSA-5243-1} - lighttpd 1.4.67-1 + [buster] - lighttpd (vulnerable code inserted in lighttpd-1.4.55-211-gbcddbe18) NOTE: https://github.com/lighttpd/lighttpd1.4/pull/115 NOTE: https://github.com/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50 (lighttpd-1.4.67) CVE-2022-40690 @@ -10692,7 +10693,7 @@ CVE-2022-37798 (Tenda AC1206 V15.03.06.23 was discovered to contain a stack over CVE-2022-37797 (In lighttpd 1.4.65, mod_wstunnel does not initialize a handler functio ...) {DSA-5243-1} - lighttpd 1.4.66-1 - [buster] - lighttpd (Minor issue) + [buster] - lighttpd 1.4.53-1+deb10u3 NOTE: https://redmine.lighttpd.net/issues/3165 NOTE: https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f (lighttpd-1.4.66) CVE-2022-37796 (In Simple Online Book Store System 1.0 in /admin_book.php the Title, A ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f81458e34fc0ca1d6adb86b268f55a58c270c95e
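Review bot: in the `@@ -10692,7 +10693,7 @@` hunk the new line `[buster] - lighttpd 1.4.53-1+deb10u3` for CVE-2022-37797 does not match the `[buster] - lighttpd 1.4.53-4+deb10u3` that commit 8caef9cb (above) records for DLA-3133-1 in data/DLA/list; one of the two is a typo, and until they agree the tracker will show the CVE fixed at a buster version that does not correspond to the DLA. The first hunk's `[buster] - lighttpd (vulnerable code inserted in lighttpd-1.4.55-211-gbcddbe18)` is a good not-affected rationale for CVE-2022-41556 because it names the introducing revision.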
[Git][security-tracker-team/security-tracker][master] claim lighttpd dla
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cc5ac84 by Helmut Grohne at 2022-09-28T21:09:09+02:00 claim lighttpd dla I've done the DSA already and am outgoing lighttpd maintainer. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,7 +82,7 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) -- -lighttpd +lighttpd (Helmut Grohne) NOTE: 20220928: Programming language: C. -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cc5ac84ff7d5c686cf2ff91ad4a569fe34a76cb
[Git][security-tracker-team/security-tracker][master] libraw buster DLA-3113-1 issued
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: acfccc61 by Helmut Grohne at 2022-09-16T12:29:24+02:00 libraw buster DLA-3113-1 issued - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -126025,30 +126025,38 @@ CVE-2020-35536 (In gcc, an internal compiler error in match_reload function at l TODO: check CVE-2020-35535 (In LibRaw, there is an out-of-bounds read vulnerability within the "Li ...) - libraw 0.20.0-4 + [buster] - libraw (sonySR2 decoder added later) + [stretch] - libraw (sonySR2 decoder added later) NOTE: https://github.com/LibRaw/LibRaw/issues/283 NOTE: https://github.com/LibRaw/LibRaw/commit/c243f4539233053466c1309bde606815351bee81 (0.20-RC2) CVE-2020-35534 (In LibRaw, there is a memory corruption vulnerability within the "crxF ...) - libraw 0.20.0-4 + [buster] - libraw (Canon CR3 decoder added later) + [stretch] - libraw (Canon CR3 decoder added later) NOTE: https://github.com/LibRaw/LibRaw/commit/e41f331e90b383e3208cefb74e006df44bf3a4b8 (0.20-RC2) NOTE: https://github.com/LibRaw/LibRaw/issues/279 CVE-2020-35533 (In LibRaw, an out-of-bounds read vulnerability exists within the "LibR ...) {DLA-3113-1} - libraw 0.20.0-4 + [buster] - libraw 0.19.2-2+deb10u1 NOTE: https://github.com/LibRaw/LibRaw/commit/a6937d4046a7c4742b683a04c8564605fd9be4fb (0.20-RC2) NOTE: https://github.com/LibRaw/LibRaw/issues/273 CVE-2020-35532 (In LibRaw, an out-of-bounds read vulnerability exists within the "simp ...) {DLA-3113-1} - libraw 0.20.0-4 + [buster] - libraw 0.19.2-2+deb10u1 NOTE: https://github.com/LibRaw/LibRaw/commit/5ab45b085898e379fedc6b113e2e82a890602b1e (0.20-RC2) NOTE: https://github.com/LibRaw/LibRaw/issues/271 CVE-2020-35531 (In LibRaw, an out-of-bounds read vulnerability exists within the get_h ...) {DLA-3113-1} - libraw 0.20.0-4 + [buster] - libraw 0.19.2-2+deb10u1 NOTE: https://github.com/LibRaw/LibRaw/commit/d75af00681a74dcc8b929207eb895611a6eceb68 (0.20-RC2) NOTE: https://github.com/LibRaw/LibRaw/issues/270 CVE-2020-35530 (In LibRaw, there is an out-of-bounds write vulnerability within the "n ...) 
{DLA-3113-1} - libraw 0.20.0-4 + [buster] - libraw 0.19.2-2+deb10u1 NOTE: https://github.com/LibRaw/LibRaw/commit/11c4db253ef2c9bb44247b578f5caa57c66a1eeb (0.20-RC2) NOTE: https://github.com/LibRaw/LibRaw/issues/272 CVE-2020-35529 = data/dla-needed.txt = @@ -69,9 +69,6 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) -- -libraw (Helmut Grohne) - NOTE: 20220904: Programming language: C++. --- linux (Ben Hutchings) -- mako View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acfccc6158c3d493c7d3b4132f852f570a0a0df5
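Review bot: the `(sonySR2 decoder added later)` and `(Canon CR3 decoder added later)` annotations for CVE-2020-35535 and CVE-2020-35534 state a not-affected conclusion without a reference, whereas the fixed CVEs in the same hunk cite the upstream commit with its tag `(0.20-RC2)`; a `NOTE: Introduced by:` line pointing at the commit that added each decoder (the form the glibc entries on this list use) would let the claim be re-checked when a newer libraw is backported to buster or stretch. The `[buster] - libraw 0.19.2-2+deb10u1` lines do agree with the version reserved for DLA-3113-1 in 0cbd88e5.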
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3113-1 for libraw
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cbd88e5 by Helmut Grohne at 2022-09-16T09:43:05+02:00 Reserve DLA-3113-1 for libraw - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Sep 2022] DLA-3113-1 libraw - security update + {CVE-2020-35530 CVE-2020-35531 CVE-2020-35532 CVE-2020-35533} + [buster] - libraw 0.19.2-2+deb10u1 [16 Sep 2022] DLA-3112-1 bzip2 - bugfix update [buster] - bzip2 1.0.6-9.2~deb10u2 [15 Sep 2022] DLA-3111-1 mod-wsgi - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cbd88e588dc669d97d49eaba84371c4722e8001
[Git][security-tracker-team/security-tracker][master] lts: claim libraw
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d79b56a by Helmut Grohne at 2022-09-16T07:56:34+02:00 lts: claim libraw - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,7 +72,7 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) -- -libraw +libraw (Helmut Grohne) NOTE: 20220904: Programming language: C++. -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d79b56afbd7ee223071917277eb6191d31a898c
[Git][security-tracker-team/security-tracker][master] flag wkhtmltopdf CVE-2022-35583 unimportant
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: b46b41cc by Helmut Grohne at 2022-08-31T13:43:11+02:00 flag wkhtmltopdf CVE-2022-35583 unimportant - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9126,9 +9126,10 @@ CVE-2022-35585 (A stored cross-site scripting (XSS) issue in the ForkCMS version CVE-2022-35584 RESERVED CVE-2022-35583 (wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to g ...) - - wkhtmltopdf + - wkhtmltopdf (unimportant) NOTE: https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5249 + NOTE: By design, wkhtmltopdf retrieves external resources. If it is employed inside a protected network in an automated way, a malicious actor may access internal resources. A user of wkhtmltopdf should restrict such access. CVE-2022-35582 RESERVED CVE-2022-35581 = data/dla-needed.txt = @@ -87,10 +87,6 @@ upx-ucl (Thorsten Alteholz) NOTE: 20220820: Programming language: C. NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb) -- -wkhtmltopdf - NOTE: 20220819: Programming language: C++. - NOTE: 20220830: No progress yet, upstream --- zlib (Emilio) NOTE: 20220813: Programming language: C. NOTE: 20220813: VCS: https://salsa.debian.org/lts-team/packages/zlib/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b46b41ccb8af865460ef2c1923833d64edd48fe1
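Review bot: the added NOTE justifies `(unimportant)` by design intent ("By design, wkhtmltopdf retrieves external resources") and ends with "A user of wkhtmltopdf should restrict such access", but it does not say what makes the SSRF the deployer's responsibility rather than a package defect; stating explicitly whether the package offers any default restriction on outbound fetches would make the downgrade defensible to a later reader. Note also that the severity is set on the suite-independent `- wkhtmltopdf (unimportant)` line, so it applies to every suite, while the dla-needed.txt hunk only removes the LTS work item; that is consistent, but worth saying in the commit message.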
[Git][security-tracker-team/security-tracker][master] dla: release openscad, unimportant
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 034e1230 by Helmut Grohne at 2022-06-26T21:54:55+02:00 dla: release openscad, unimportant - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -210,10 +210,11 @@ ompl NOTE: 20220622: Programming language: C++. NOTE: 20220622: CVE-2021-42218 and CVE-2021-41490 are fixed in upstream git, memory leaks, unimportant -- -openscad (Helmut Grohne) +openscad NOTE: 20220529: Programming language: C++. NOTE: 20220524: Follow buster: harmonize with with Debian 10.12 (1 CVE) (Beuc/front-desk) NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc (Beuc/front-desk) + NOTE: 20220626: Utkarsh said, we won't fix this. Fixed packages at https://subdivi.de/~helmut/openscad_lts/ -- pam-u2f (Andreas Rönnquist) NOTE: 20220529: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/034e12308e3902ebec6797b84a1f360d08f0fac3
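Review bot: un-claiming openscad while adding `NOTE: 20220626: Utkarsh said, we won't fix this. Fixed packages at https://subdivi.de/~helmut/openscad_lts/` leaves the work item in a contradictory state: if the decision is not to fix CVE-2020-28599 in LTS, the openscad item should be removed from dla-needed.txt and the CVE entry in data/CVE/list annotated with that decision (as b46b41cc later does for wkhtmltopdf); if the packages at that URL are meant to be uploaded, the item should stay claimed. The retained context line `harmonize with with Debian 10.12` also carries a pre-existing duplicated word that could be fixed in passing.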
[Git][security-tracker-team/security-tracker][master] 2 commits: ompl dla seems unimportant, memory leaks only
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: f8d47a16 by Helmut Grohne at 2022-06-22T22:51:54+02:00 ompl dla seems unimportant, memory leaks only - - - - - 0f4069f7 by Helmut Grohne at 2022-06-22T22:52:41+02:00 claim openscad in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -202,8 +202,10 @@ nvidia-graphics-drivers NOTE: 20220209: backport (apo) -- ompl + NOTE: 20220622: Programming language: C++. + NOTE: 20220622: CVE-2021-42218 and CVE-2021-41490 are fixed in upstream git, memory leaks, unimportant -- -openscad +openscad (Helmut Grohne) NOTE: 20220529: Programming language: C++. NOTE: 20220524: Follow buster: harmonize with with Debian 10.12 (1 CVE) (Beuc/front-desk) NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1c777c23beccd0b10babda4ce4c683a4b90f09ea...0f4069f73f25a38b445c627c7a4e8f9054d5fefa
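Review bot: the new `NOTE: 20220622: CVE-2021-42218 and CVE-2021-41490 are fixed in upstream git, memory leaks, unimportant` records a severity conclusion in the work list only; data/CVE/list is not touched and the ompl item stays open and unclaimed, so the next front-desk pass will re-triage it. The conclusion belongs on the two CVE entries themselves (severity annotation plus a NOTE, as b46b41cc later does for wkhtmltopdf), after which the ompl item can be dropped from dla-needed.txt.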
[Git][security-tracker-team/security-tracker][master] CVE-2022-30780/lighttpd not affected
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d0890ff by Glenn Strauss at 2022-06-20T08:29:04+02:00 CVE-2022-30780/lighttpd not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8388,6 +8388,8 @@ CVE-2022-30781 (Gitea before 1.16.7 does not escape git fetch remote. ...) - gitea CVE-2022-30780 (Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a den ...) - lighttpd 1.4.59-1 + [buster] - lighttpd (lighttpd 1.4.53 not vulnerable) + [stretch] - lighttpd (lighttpd 1.4.45 not vulnerable) NOTE: https://podalirius.net/en/cves/2022-30780/ NOTE: https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service NOTE: https://redmine.lighttpd.net/issues/3059 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d0890ff850230056ff26cd9197cb690b7f8475b
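Review bot: `[buster] - lighttpd (lighttpd 1.4.53 not vulnerable)` and `[stretch] - lighttpd (lighttpd 1.4.45 not vulnerable)` restate the affected range from the CVE text (1.4.56 through 1.4.58) rather than the reason the older versions are unaffected; since the entry already links the redmine issue, a `NOTE: Introduced by:` line pointing at the change that introduced the bug in 1.4.56 (the form the glibc entries above use) would make the not-affected decision verifiable without re-reading the advisory.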