[Git][security-tracker-team/security-tracker][master] Reserve DLA-2100-1 for libexif
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b1702bf by Hugo Lefeuvre at 2020-02-10T14:09:43+01:00 Reserve DLA-2100-1 for libexif - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Feb 2020] DLA-2100-1 libexif - security update + {CVE-2019-9278} + [jessie] - libexif 0.6.21-2+deb8u1 [10 Feb 2020] DLA-2099-1 checkstyle - security update {CVE-2019-10782} [jessie] - checkstyle 5.9-1+deb8u2 = data/dla-needed.txt = @@ -27,16 +27,6 @@ intel-microcode jackson-databind NOTE: 20200105: Can be postponed again. (apo) -- -libexif - NOTE: 2019: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102) - NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102) - NOTE: 20191118: No patch yet. Shall claim and fix once the patch is available. (utkarsh2102) - NOTE: 20191201: Pinged the upstream yet again. (utkarsh2102) - NOTE: 20191216: The android patch does not apply but is easy to manually apply. (ola) - NOTE: 20191216: The problem is the file to trigger the fault is not known. (ola) - NOTE: 20200111: Investigated the issue, currently in contact with Ray Essick @google - NOTE: 20200111: to get access to the reproducer. (hle) --- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b1702bffe1719c0a61c23522f81f8be5757e6a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b1702bffe1719c0a61c23522f81f8be5757e6a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
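Review bot: the dla-needed block deleted in the second hunk is the only place this diff records how the issue was actually handled (the Android patch that "does not apply but is easy to manually apply", the reproducer being obtained via Ray Essick), while the new DLA/list entry carries only the CVE id and the jessie version; before dropping those NOTE lines, carry the patch reference and the reproducer status into the CVE-2019-9278 entry in data/CVE/list so that history survives the release.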
[Git][security-tracker-team/security-tracker][master] dla-needed: reclaim xerces-c
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a671f6cb by Hugo Lefeuvre at 2020-02-10T10:36:47+01:00 dla-needed: reclaim xerces-c - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,9 +136,10 @@ xcftools (Hugo Lefeuvre) -- xen -- -xerces-c +xerces-c (Hugo Lefeuvre) NOTE: 20191231: There is no upstream patch yet. (apo) NOTE: 20200118: There is still no upstream patch. (lamby) + NOTE: 20200210: working on a patch, see ML (hle) -- yara NOTE: 20191212: no upstream fix yet View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a671f6cbd9434828b14875b1b18cfc8fe87997bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a671f6cbd9434828b14875b1b18cfc8fe87997bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
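Review bot: the added line `+ NOTE: 20200210: working on a patch, see ML (hle)` points at a mailing-list thread without a URL, unlike the neighbouring NOTE lines in this file, which link their sources; put the list archive link in the NOTE so the next person picking up xerces-c does not have to search the archive for the thread.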
[Git][security-tracker-team/security-tracker][master] dla-needed: update notes for clamav, python-reportlab and xcftools
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 99c3bff4 by Hugo Lefeuvre at 2020-01-27T12:03:36+01:00 dla-needed: update notes for clamav, python-reportlab and xcftools - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -12,8 +12,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- cacti (Chris Lamb) -- -clamav - NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster. +clamav (Hugo Lefeuvre) + NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster. NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration NOTE: does not seem very smooth from the perspective of users. The release NOTE: team would like to wait for an init script for the new clamonacc @@ -84,8 +84,8 @@ openjpeg2 (Mike Gabriel) -- python-pysaml2 (Abhijith PA) -- -python-reportlab - NOTE: 20200111: still no upstream fix +python-reportlab (Hugo Lefeuvre) + NOTE: 20200127: upstream fix was published, but potentially unsuitable. currently investigating. -- qemu (Utkarsh Gupta) NOTE: 20200118: embedded libslirp in qemu/jessie is affected. (sunweaver) 
@@ -139,10 +139,11 @@ wordpress NOTE: 20200118: Maybe affected, needs deeper triaging, no obvious commits NOTE: 20200118: referenced upstream. (sunweaver) -- -xcftools +xcftools (Hugo Lefeuvre) NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review. NOTE: but I might just not receive any review any time soon, so I will now attempt to NOTE: fix the second issue and move on with the update. + NOTE: 20200127: ongoing -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/99c3bff48a352fa3fdd78da34a262da0fd6088eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/99c3bff48a352fa3fdd78da34a262da0fd6088eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
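Review bot: the python-reportlab hunk replaces "still no upstream fix" with `+ NOTE: 20200127: upstream fix was published, but potentially unsuitable. currently investigating.` but names neither the upstream revision nor why it might be unsuitable; add the fix reference and a one-line reason (incomplete fix, or a change that cannot be backported to jessie) so the claim can be checked by whoever picks the package up next.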
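Review bot: the xcftools hunk adds `+ NOTE: 20200127: ongoing` under notes that already describe two separate work items (the CVE-2019-5086 patch awaiting review, and the second issue); say which of the two "ongoing" refers to, since a bare status word carries no information the claim line does not already convey.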
[Git][security-tracker-team/security-tracker][master] CVE-2019-17627/python-reportlab: add upstream fix
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 94ed93a2 by Hugo Lefeuvre at 2020-01-25T09:04:37+01:00 CVE-2019-17627/python-reportlab: add upstream fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22969,6 +22969,7 @@ CVE-2019-17627 (The Yale Bluetooth Key application for mobile devices allows una CVE-2019-17626 (ReportLab through 3.5.26 allows remote code execution because of toCol ...) - python-reportlab (bug #942763) NOTE: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code + NOTE: https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3 CVE-2019-17625 (There is a stored XSS in Rambox 0.6.9 that can lead to code execution. ...) NOT-FOR-US: Rambox CVE-2019-17624 ("" In X.Org X Server 1.20.4, there is a stack-based buffer overflow in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/94ed93a2f71a80ca345596d0a055e5cd7d0266c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/94ed93a2f71a80ca345596d0a055e5cd7d0266c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
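Review bot: the commit title says CVE-2019-17627/python-reportlab, but the hunk adds `+ NOTE: https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3` under CVE-2019-17626 (the python-reportlab entry); CVE-2019-17627 is the Yale Bluetooth Key entry shown in the context line above it. The data change itself looks right, so a follow-up commit pointing out the wrong id in this message is sufficient, but anyone grepping the log for CVE-2019-17626 will not find this change.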
[Git][security-tracker-team/security-tracker][master] dla-needed: claim xerces-c
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 13466eff by Hugo Lefeuvre at 2020-01-24T09:01:10+01:00 dla-needed: claim xerces-c - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -155,7 +155,7 @@ xcftools (Hugo Lefeuvre) -- xen -- -xerces-c +xerces-c (Hugo Lefeuvre) NOTE: 20191231: There is no upstream patch yet. (apo) NOTE: 20200118: There is still no upstream patch. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13466eff305e451d9de38ec80feac86bec63b1c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13466eff305e451d9de38ec80feac86bec63b1c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-6851/openjpeg2: add upstream fix
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 06748838 by Hugo Lefeuvre at 2020-01-24T08:48:39+01:00 CVE-2020-6851/openjpeg2: add upstream fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2325,6 +2325,7 @@ CVE-2020-6852 CVE-2020-6851 (OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl ...) - openjpeg2 NOTE: https://github.com/uclouvain/openjpeg/issues/1228 + NOTE: https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04 CVE-2020-6850 RESERVED CVE-2020-6849 (The marketo-forms-and-tracking plugin through 1.0.2 for WordPress allo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/067488382eb07610e8f4ec7a3007650c1883f630 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/067488382eb07610e8f4ec7a3007650c1883f630 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-7106/cacti: add followup patch
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: bfb2cc04 by Hugo Lefeuvre at 2020-01-24T08:34:55+01:00 CVE-2020-7106/cacti: add followup patch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1775,6 +1775,7 @@ CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_i NOTE: https://github.com/Cacti/cacti/issues/3191 NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9 NOTE: https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464 + NOTE: https://github.com/Cacti/cacti/commit/b1c70e19466a6e69284e24cde437b55ccc454bee CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a N ...) - hiredis NOTE: https://github.com/redis/hiredis/issues/754 = data/dla-needed.txt = @@ -11,10 +11,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- cacti (Chris Lamb) - NOTE: CVE-2020-7106: one more followup fix is coming (currently PRed by - NOTE: @smutranchi), we should probably wait for the fix to stabilize & - NOTE: potential regression reports to come up before releasing a regression - NOTE: update (2020-01-23, hle) -- clamav (Hugo Lefeuvre) NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bfb2cc0469ff9bad20582185965a14beb711ff98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bfb2cc0469ff9bad20582185965a14beb711ff98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
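Review bot: the dla-needed hunk deletes the cacti status block (waiting for the follow-up fix to stabilise before a regression update) without replacing it, while the CVE/list hunk records that the follow-up `+ NOTE: https://github.com/Cacti/cacti/commit/b1c70e19466a6e69284e24cde437b55ccc454bee` has now landed; keep a dated NOTE under `cacti (Chris Lamb)` saying the follow-up is in and the regression update can proceed, matching the convention the other entries in this file use instead of dropping the history.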
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-7106/cacti: postponed in stretch & buster
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a3df52a2 by Hugo Lefeuvre at 2020-01-23T08:09:03+01:00 CVE-2020-7106/cacti: postponed in stretch & buster XSS can only be triggered in administration areas only accessible by users with administration privileges. Fix this along with more important issues in a future DSA. - - - - - 79e2cd5b by Hugo Lefeuvre at 2020-01-23T08:14:43+01:00 dla-needed: update cacti notes (regression update) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1625,6 +1625,8 @@ CVE-2020-7107 (The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS vi CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.p ...) {DLA-2069-1} - cacti + [buster] - cacti (can be fixed along with more important issues) + [stretch] - cacti (can be fixed along with more important issues) NOTE: https://github.com/Cacti/cacti/issues/3191 NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9 NOTE: https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464 = data/dla-needed.txt = 
@@ -11,6 +11,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- cacti (Chris Lamb) + NOTE: CVE-2020-7106: one more followup fix is coming (currently PRed by + NOTE: @smutranchi), we should probably wait for the fix to stabilize & + NOTE: potential regression reports to come up before releasing a regression + NOTE: update (2020-01-23, hle) -- clamav (Hugo Lefeuvre) NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e334c939d43c225c3c253aa275e037f9fbd03ebc...79e2cd5b82bc0dfaabc4ff1b29ae5a772e5772b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e334c939d43c225c3c253aa275e037f9fbd03ebc...79e2cd5b82bc0dfaabc4ff1b29ae5a772e5772b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
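Review bot: the postponement lines `+ [buster] - cacti (can be fixed along with more important issues)` and the matching stretch line only say the fix can wait; the actual reason, that the stored XSS is reachable only from administration pages that require administrative privileges, is stated in the commit message and nowhere in the tracker data. Put that rationale in the bracketed text or a NOTE line, since the tracker entry is what the next triager reads, not the git log.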
[Git][security-tracker-team/security-tracker][master] CVE-2020-7106/cacti: add followup patch
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a61d3ef2 by Hugo Lefeuvre at 2020-01-19T16:26:33+01:00 CVE-2020-7106/cacti: add followup patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -251,6 +251,7 @@ CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_i - cacti NOTE: https://github.com/Cacti/cacti/issues/3191 NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9 + NOTE: https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464 CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a N ...) - hiredis NOTE: https://github.com/redis/hiredis/issues/747 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a61d3ef20c4d05549828bed28b939620564a1a48 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a61d3ef20c4d05549828bed28b939620564a1a48 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-4604-1 for cacti
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 37560ac7 by Hugo Lefeuvre at 2020-01-18T16:59:29+01:00 Reserve DSA-4604-1 for cacti - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[18 Jan 2020] DSA-4604-1 cacti - security update + {CVE-2019-16723 CVE-2019-17357 CVE-2019-17358} + [stretch] - cacti 0.8.8h+ds1-10+deb9u1 + [buster] - cacti 1.2.2+ds1-2+deb10u2 [17 Jan 2020] DSA-4603-1 thunderbird - security update {CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 CVE-2019-17026} [stretch] - thunderbird 1:68.4.1-1~deb9u1 = data/dsa-needed.txt = @@ -11,9 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -cacti (hle) - Maintainer proposed an update, currently reviewing it. -- chromium -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/37560ac7beeefce9faf1f65df60e4ab79823b865 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/37560ac7beeefce9faf1f65df60e4ab79823b865 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
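Review bot: the DSA/list entry lists `{CVE-2019-16723 CVE-2019-17357 CVE-2019-17358}` against both the stretch and the buster version, but commit f10ec44b further down this page marks CVE-2019-17357 as "Vulnerable code not present" in stretch because 0.8.8h still sanitizes template_id. The tracker will reconcile the two, but the DSA text should state that CVE-2019-17357 applies to buster only, so the advisory does not claim a stretch fix for a bug stretch never had.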
[Git][security-tracker-team/security-tracker][master] CVE-2019-16723/cacti: one more followup patch...
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a517b60 by Hugo Lefeuvre at 2020-01-12T16:55:10+01:00 CVE-2019-16723/cacti: one more followup patch... - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23032,6 +23032,7 @@ CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authoriza NOTE: which turned out to be insufficient to fix the issue, follow up patches: NOTE: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7 NOTE: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7 + NOTE: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df NOTE: The original issue mentions only a bypass via graph_json.php but there are NOTE: additional permission checks missed while checking the issue fixed with the NOTE: upstream commits. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5a517b60775a2d5c3fa1d3b15f24151ec411d32b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5a517b60775a2d5c3fa1d3b15f24151ec411d32b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
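Review bot: with `+ NOTE: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df` the CVE-2019-16723 NOTE block now lists an original fix, a revert, and three follow-up commits (9a1d2ec4, d5f98679, 4cecb19f) without saying which set is required for the Debian backport; add a closing NOTE naming the commits actually cherry-picked, or the upstream release that contains all of them, so DSA preparation does not have to rederive that from the upstream discussion.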
[Git][security-tracker-team/security-tracker][master] CVE-2019-16723/cacti: add followup patches
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 36092749 by Hugo Lefeuvre at 2020-01-12T16:45:05+01:00 CVE-2019-16723/cacti: add followup patches - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23029,6 +23029,9 @@ CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authoriza NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 NOTE: after further discussion, upstream issued a new fix which reverts previous commits NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b + NOTE: which turned out to be insufficient to fix the issue, follow up patches: + NOTE: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7 + NOTE: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7 NOTE: The original issue mentions only a bypass via graph_json.php but there are NOTE: additional permission checks missed while checking the issue fixed with the NOTE: upstream commits. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/360927495dda095e9e008798031b453409ac908b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/360927495dda095e9e008798031b453409ac908b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: update notes on my claimed packages
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 74653fcd by Hugo Lefeuvre at 2020-01-11T09:35:18+01:00 dla-needed: update notes on my claimed packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,7 +18,11 @@ ansible apache-log4j1.2 (Markus Koschany) -- clamav (Hugo Lefeuvre) - NOTE: 20191227: waiting for 0.102.1 to enter stretch/buster. + NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster. + NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration + NOTE: does not seem very smooth from the perspective of users. The release + NOTE: team would like to wait for an init script for the new clamonacc + NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557 -- gpac NOTE: 20200105: All open issues are unfixed. Adding it here for future @@ -43,6 +47,8 @@ libexif (Hugo Lefeuvre) NOTE: 20191201: Pinged the upstream yet again. (utkarsh2102) NOTE: 20191216: The android patch does not apply but is easy to manually apply. (ola) NOTE: 20191216: The problem is the file to trigger the fault is not known. (ola) + NOTE: 20200111: Investigated the issue, currently in contact with Ray Essick @google + NOTE: 20200111: to get access to the reproducer. (hle) -- libjackson-json-java (Adrian Bunk) NOTE: 20191230: work is ongoing @@ -78,7 +84,7 @@ opendmarc (Thorsten Alteholz) NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing -- python-reportlab (Hugo Lefeuvre) - NOTE: 20191227: still no upstream fix + NOTE: 20200111: still no upstream fix -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in 
@@ -128,7 +134,9 @@ x2goclient NOTE: 20191221: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1 -- xcftools (Hugo Lefeuvre) - NOTE: wrote a patch + reproducer for CVE-2019-5086, waiting for review. + NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review. + NOTE: but I might just not receive any review any time soon, so I will now attempt to + NOTE: fix the second issue and move on with the update. -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74653fcd9093a37d7a28b1ccef8adfd03551fd44 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74653fcd9093a37d7a28b1ccef8adfd03551fd44 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
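Review bot: the xcftools hunk adds `+ NOTE: but I might just not receive any review any time soon, so I will now attempt to` / `+ NOTE: fix the second issue and move on with the update.` but refers to "the second issue" without a CVE id, while the first one is named (CVE-2019-5086); name the second id in the NOTE so the entry can be matched against data/CVE/list.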
[Git][security-tracker-team/security-tracker][master] CVE-2019-17357/cacti: stretch not-affected
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: f10ec44b by Hugo Lefeuvre at 2019-12-30T10:09:07Z CVE-2019-17357/cacti: stretch not-affected 0.8.8h does sanitize template_id, the check was removed later. see #947374 for more information. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14708,6 +14708,7 @@ CVE-2019-17358 (Cacti through 1.2.7 is affected by multiple instances of lib/fun CVE-2019-17357 RESERVED - cacti 1.2.8+ds1-1 (bug #947374) + [stretch] - cacti (Vulnerable code not present) [jessie] - cacti (Vulnerable code not present) NOTE: https://github.com/Cacti/cacti/issues/3025 NOTE: https://github.com/Cacti/cacti/commit/d6dc48503bbcde0717e7a93df7638fd4796200f4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f10ec44bf4986b539888523bbb46dc9169dc3253 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f10ec44bf4986b539888523bbb46dc9169dc3253 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
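Review bot: the hunk records `+ [stretch] - cacti (Vulnerable code not present)` but the justification (0.8.8h still sanitizes template_id, the check was removed in a later release, see #947374) lives only in the commit message. The bracket text is the established convention for a not-affected marking, so keep it, but add a NOTE line with the bug reference and the sanitization point so a later triager can re-verify the claim against the stretch source without reading git history.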
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2049-1 for imagemagick
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 97f6b727 by Hugo Lefeuvre at 2019-12-29T12:21:03Z Reserve DLA-2049-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Dec 2019] DLA-2049-1 imagemagick - security update + {CVE-2019-19948 CVE-2019-19949} + [jessie] - imagemagick 8:6.8.9.9-5+deb8u19 [28 Dec 2019] DLA-2048-1 libxml2 - security update {CVE-2019-19956} [jessie] - libxml2 2.9.1+dfsg1-5+deb8u8 = data/dla-needed.txt = @@ -29,8 +29,6 @@ ibus (Emilio) NOTE: 20191210: See https://bugs.debian.org/941018 NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 -- -imagemagick (Hugo Lefeuvre) --- intel-microcode (Markus Koschany) NOTE: 20191218: Should be based on DSA-4565-2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/97f6b72768f57eb7ad2b1edb09de445bb9203fb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/97f6b72768f57eb7ad2b1edb09de445bb9203fb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: take libexif
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 646f227e by Hugo Lefeuvre at 2019-12-29T10:03:19Z dla-needed: take libexif - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,7 +37,7 @@ intel-microcode (Markus Koschany) jhead (Adrian Bunk) NOTE: 20191216: work is ongoing -- -libexif +libexif (Hugo Lefeuvre) NOTE: 2019: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102) NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102) NOTE: 20191118: No patch yet. Shall claim and fix once the patch is available. (utkarsh2102) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/646f227e9ede99fde965c394faf244d2010d8cb5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/646f227e9ede99fde965c394faf244d2010d8cb5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dsa-needed: take xcftools, add note to cacti
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 93fda85b by Hugo Lefeuvre at 2019-12-28T09:25:58Z dsa-needed: take xcftools, add note to cacti - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,6 +16,7 @@ If needed, specify the release by adding a slash after the name of the source pa Thorsten Alteholz proposed an update -- cacti (hle) + Maintainer proposed an update, currently reviewing it. -- chromium -- @@ -61,7 +62,7 @@ wordpress (seb) 2019-11-19: ask about stretch-security 2019-11-06: maintainer proposed debdiff for buster-security -- -xcftools +xcftools (hle) -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93fda85b3c15f1bafce5910c480ce44e08693ba9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93fda85b3c15f1bafce5910c480ce44e08693ba9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-4593-1 for freeimage
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 22d7d2e4 by Hugo Lefeuvre at 2019-12-27T21:30:06Z Reserve DSA-4593-1 for freeimage - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[27 Dec 2019] DSA-4593-1 freeimage - security update + {CVE-2019-12211 CVE-2019-12213} + [stretch] - freeimage 3.17.0+ds1-5+deb9u1 + [buster] - freeimage 3.18.0+ds2-1+deb10u1 [26 Dec 2019] DSA-4592-1 mediawiki - security update {CVE-2019-19709} [stretch] - mediawiki 1:1.27.7-1~deb9u3 = data/dsa-needed.txt = @@ -26,8 +26,6 @@ debian-lan-config -- evince/oldstable -- -freeimage (hle) --- glusterfs/oldstable -- graphicsmagick/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/22d7d2e480a33d62643d3cc49fac0d2f628d4a17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/22d7d2e480a33d62643d3cc49fac0d2f628d4a17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: take imagemagick, update notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: ff5fa5f8 by Hugo Lefeuvre at 2019-12-27T14:32:37Z dla-needed: take imagemagick, update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,7 +20,7 @@ apache-log4j1.2 (Chris Lamb) NOTE: 20191221: as recommended for oldstable by the secteam. (sunweaver) -- clamav (Hugo Lefeuvre) - NOTE: 20191216: waiting for 0.102.1 to enter stretch/buster. + NOTE: 20191227: waiting for 0.102.1 to enter stretch/buster. -- git (Roberto C. Sánchez) NOTE: 20191226: Patches integrated for 4 of 5 CVEs. The last, CVE-2019-1387, @@ -31,7 +31,7 @@ ibus (Emilio) NOTE: 20191210: See https://bugs.debian.org/941018 NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 -- -imagemagick +imagemagick (Hugo Lefeuvre) -- intel-microcode (Markus Koschany) NOTE: 20191218: Should be based on DSA-4565-2 @@ -90,7 +90,7 @@ otrs2 (Abhijith PA) php5 (Thorsten Alteholz) -- python-reportlab (Hugo Lefeuvre) - NOTE: 20191209: still no upstream fix + NOTE: 20191227: still no upstream fix -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in @@ -138,6 +138,7 @@ x2goclient (Mike Gabriel) NOTE: 20191221: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1 -- xcftools (Hugo Lefeuvre) + NOTE: wrote a patch + reproducer for CVE-2019-5086, waiting for review. -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff5fa5f80d6d99c71f6e3bebc92366eb90a16c4c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff5fa5f80d6d99c71f6e3bebc92366eb90a16c4c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] freeimage/jessie: postpone CVE-2019-1221{4, 2}
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 3020fa4d by Hugo Lefeuvre at 2019-12-16T12:45:30Z freeimage/jessie: postpone CVE-2019-1221{4, 2} CVE-2019-12214: without any more information, fixing or even reproducing this is going to require an insane amount of work. CVE-2019-12212: this is a crasher, at most. We can wait for upstream fixes. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -29225,7 +29225,11 @@ CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of m - freeimage (bug #929597) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) + [jessie] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ + NOTE: very few information regarding this vulnerability, which is seemingly located + NOTE: in libopenjpeg, not freeimage. Without reproducer or stacktrace, this is + NOTE: nearly unfixable. CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...) {DLA-2031-1} - freeimage (bug #929597) @@ -29237,6 +29241,7 @@ CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIF - freeimage (bug #929597) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) + [jessie] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load ...) {DLA-2031-1} = data/dla-needed.txt = 
@@ -16,14 +16,10 @@ ansible NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) -- clamav (Hugo Lefeuvre) - NOTE: waiting for 0.102.1 to enter stretch/buster. + NOTE: 20191216: waiting for 0.102.1 to enter stretch/buster. -- cups (Thorsten Alteholz) -- -freeimage (Hugo Lefeuvre) - NOTE: 20191210: already released DLA-2031-1, still working on CVE-2019-12214 and CVE-2019-12212. - NOTE: CVE-2019-12214: fuzzed with an ancient version of openjpeg, needs more investigation --- git (Roberto C. Sánchez) -- ibus View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3020fa4d8e85ab7ba7ca2fd670ccd4e223c90b9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3020fa4d8e85ab7ba7ca2fd670ccd4e223c90b9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
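Review bot: the CVE-2019-12212 hunk in data/CVE/list adds the jessie postponement without any NOTE recording why, while the commit message's rationale ("this is a crasher, at most") is exactly what the next triager will need; the CVE-2019-12214 hunk does record its reasoning. Suggest a `NOTE: crash only as far as is known, wait for upstream fix` line under the -12212 entry. In the -12214 notes, "very few information" should read "very little information", and since the note locates the bug in libopenjpeg rather than in freeimage, it is worth stating whether the freeimage source package builds against its bundled copy or the system libopenjpeg, because that decides whether this entry belongs under freeimage at all.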
[Git][security-tracker-team/security-tracker][master] dla-needed: take xcftools
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 13e841ad by Hugo Lefeuvre at 2019-12-12T14:44:51Z dla-needed: take xcftools - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,7 +118,7 @@ tightvnc wordpress NOTE: 20191106: no upstream fix found for CVE-2019-17672 and CVE-2019-17674. Rest uploaded. (abhijith) -- -xcftools +xcftools (Hugo Lefeuvre) -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13e841ad0b433d260b9d97053775d788b52c057d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13e841ad0b433d260b9d97053775d788b52c057d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2031-1 for freeimage
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 5bfc70e8 by Hugo Lefeuvre at 2019-12-10T16:28:30Z Reserve DLA-2031-1 for freeimage - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Dec 2019] DLA-2031-1 freeimage - security update + {CVE-2019-12211 CVE-2019-12213} + [jessie] - freeimage 3.15.4-4.2+deb8u2 [10 Dec 2019] DLA-2030-1 jackson-databind - security update {CVE-2019-17267 CVE-2019-17531} [jessie] - jackson-databind 2.4.2-2+deb8u10 = data/dla-needed.txt = @@ -21,8 +21,8 @@ clamav (Hugo Lefeuvre) davical (Roberto C. Sánchez) -- freeimage (Hugo Lefeuvre) - NOTE: 20191028: submitted a patch for CVE-2019-12211, see Debian bug report - NOTE: 20191209: upload pending + NOTE: 20191210: already released DLA-2031-1, still working on CVE-2019-12214 and CVE-2019-12212. + NOTE: CVE-2019-12214: fuzzed with an ancient version of openjpeg, needs more investigation -- ibus NOTE: 20191210: Requires glib2.0 to be patched also. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5bfc70e8dfca761d3814b984f3d982cc96115cc2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5bfc70e8dfca761d3814b984f3d982cc96115cc2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
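Review bot: in the dla-needed hunk the second added line, `NOTE: CVE-2019-12214: fuzzed with an ancient version of openjpeg, needs more investigation`, lacks the date prefix its sibling line has, and "an ancient version" is too vague for a note whose purpose is to let someone else continue the investigation; name the openjpeg version involved, or say where that information came from, so the reproduction attempt can be repeated.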
[Git][security-tracker-team/security-tracker][master] dla: update notes, reclaim clamav, freeimage and reportlab
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 43581d33 by Hugo Lefeuvre at 2019-12-09T12:43:27Z dla: update notes, reclaim clamav, freeimage and reportlab - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -15,15 +15,16 @@ ansible NOTE: CVE-2019-14846 should be an easy fix. NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) -- -clamav +clamav (Hugo Lefeuvre) + NOTE: waiting for 0.102.1 to enter stretch/buster. -- davical (Roberto C. Sánchez) -- firefox-esr (Emilio) -- -freeimage +freeimage (Hugo Lefeuvre) NOTE: 20191028: submitted a patch for CVE-2019-12211, see Debian bug report - NOTE: 20191123: upstream appears to have merged a modified version of my patch + NOTE: 20191209: upload pending -- ibus NOTE: 20191210: Requires glib2.0 to be patched also. @@ -90,8 +91,8 @@ php-horde-trean (Roberto C. Sánchez) python-oslo.utils (Abhijith PA) NOTE: Affected code seems to be in oslo/utils/strutils.py. (utkarsh2102) -- -python-reportlab - NOTE: 20191123: still no upstream fix +python-reportlab (Hugo Lefeuvre) + NOTE: 20191209: still no upstream fix -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43581d33a4670734daa55274867993301c434804 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43581d33a4670734daa55274867993301c434804 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
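Review bot: the freeimage hunk replaces `NOTE: 20191123: upstream appears to have merged a modified version of my patch` with `NOTE: 20191209: upload pending`, which removes the only record that the jessie fix for CVE-2019-12211 differs from what upstream merged; the ansible context lines show the file's usual practice of keeping several dated notes per entry. Suggest keeping the 20191123 line and appending the 20191209 line below it. The clamav note added in the first hunk also lacks the date prefix.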
[Git][security-tracker-team/security-tracker][master] dla-needed: take xcftools
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d0e809f by Hugo Lefeuvre at 2019-11-24T10:27:24Z dla-needed: take xcftools - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -135,7 +135,7 @@ vino (Mike Gabriel) wordpress NOTE: 20191106: no upstream fix found for CVE-2019-17672 and CVE-2019-17674. Rest uploaded. (abhijith) -- -xcftools +xcftools (hle) -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d0e809fb7da3f780764f2e4020f408395a53da8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d0e809fb7da3f780764f2e4020f408395a53da8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: take clamav
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: c82e3b0c by Hugo Lefeuvre at 2019-11-24T10:03:39Z dla-needed: take clamav - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ ansible bind9 (Thorsten Alteholz) NOTE: no point release in Jessie, so fix it here -- -clamav +clamav (hle) -- freeimage (hle) NOTE: 20191028: submitted a patch for CVE-2019-12211, see Debian bug report View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c82e3b0c857c3eb3bf2bacec8a23c7350003271c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c82e3b0c857c3eb3bf2bacec8a23c7350003271c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: dla-needed: update freeimage
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b644870 by Hugo Lefeuvre at 2019-11-23T09:27:06Z dla-needed: update freeimage - - - - - a4ccc7dc by Hugo Lefeuvre at 2019-11-23T09:27:06Z CVE-2019-1221{1,3}/freeimage: add commit links - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -23697,6 +23697,7 @@ CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDir [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ + NOTE: https://sourceforge.net/p/freeimage/svn/1825/ CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize ...) - freeimage (bug #929597) [buster] - freeimage (Revisit when upstream fixes are available) @@ -23707,6 +23708,7 @@ CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to th [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ + NOTE: https://sourceforge.net/p/freeimage/svn/1825/ CVE-2019-12210 (In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug ...) - pam-u2f 1.0.8-1 (low; bug #930023) [buster] - pam-u2f 1.0.7-1+deb10u1 = data/dla-needed.txt = 
@@ -24,10 +24,8 @@ bind9 (Thorsten Alteholz) NOTE: no point release in Jessie, so fix it here -- freeimage (hle) - NOTE: Maintainer will take care of the update. - NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html - NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 NOTE: 20191028: submitted a patch for CVE-2019-12211, see Debian bug report + NOTE: 20191123: upstream appears to have merged a modified version of my patch -- ibus NOTE: 20191020: Fix for regression in KDE apps still not available (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a524583d2345743e834ef71e0d40548097c15055...a4ccc7dcb8112cd2d816c9aaa0d7bb57cc9b0a39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a524583d2345743e834ef71e0d40548097c15055...a4ccc7dcb8112cd2d816c9aaa0d7bb57cc9b0a39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
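Review bot: the `NOTE: https://sourceforge.net/p/freeimage/svn/1825/` line added under both CVE-2019-12213 and CVE-2019-12211 does not say what the revision is, and sits directly below a discussion-thread link of the same form, while the dla-needed hunk in this push says upstream merged a modified version of the Debian patch for CVE-2019-12211 only. Label the link (for example `NOTE: fixed upstream in r1825:`) and state whether r1825 covers both CVEs, so readers of data/CVE/list can tell the fix from the discussion.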
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2000-1 for pam-python
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f7d26d3 by Hugo Lefeuvre at 2019-11-23T08:43:54Z Reserve DLA-2000-1 for pam-python - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Nov 2019] DLA-2000-1 pam-python - security update + {CVE-2019-16729} + [jessie] - pam-python 1.0.4-1.1+deb8u1 [18 Nov 2019] DLA-1999-1 symfony - security update {CVE-2019-18886 CVE-2019-18887 CVE-2019-1} [jessie] - symfony 2.3.21+dfsg-4+deb8u6 = data/dla-needed.txt = 
@@ -94,21 +94,13 @@ openjdk-7 (Markus Koschany) otrs2 (Abhijith PA) NOTE: otrs2 is in jessie/main so it should be taken care off -- -pam-python (hle) - NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, - NOTE: using a single commit for the entire release which changes many things. (lamby) - NOTE: 20191017: opened bug report and asked Russell (both Debian maintainer & upstream) - NOTE: for more information. - NOTE: 20191028: ongoing, maintainer will probably handle part or all of the update - NOTE: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942514 --- php-horde (Roberto C. Sánchez) -- php-horde-trean NOTE: 20191118: Upstream closed the ticket related to CVE-2019-12095, indicating that it is low priority for them. (roberto) -- python-reportlab (Hugo Lefeuvre) - NOTE: 20191104: still no upstream fix + NOTE: 20191123: still no upstream fix -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f7d26d308dae643972e568afaea4090e0f301d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f7d26d308dae643972e568afaea4090e0f301d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
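Review bot: the unchanged context line for DLA-1999-1 symfony in the data/DLA/list hunk reads `{CVE-2019-18886 CVE-2019-18887 CVE-2019-1}`; `CVE-2019-1` is not a complete identifier as rendered here and will not match any entry in data/CVE/list, so that line deserves a follow-up check even though this commit does not touch it.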
[Git][security-tracker-team/security-tracker][master] dla-needed: reclaim pam-python and freeimage
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: ba6e32e2 by Hugo Lefeuvre at 2019-11-23T08:26:20Z dla-needed: reclaim pam-python and freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ ansible bind9 (Thorsten Alteholz) NOTE: no point release in Jessie, so fix it here -- -freeimage +freeimage (hle) NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 @@ -94,7 +94,7 @@ openjdk-7 (Markus Koschany) otrs2 (Abhijith PA) NOTE: otrs2 is in jessie/main so it should be taken care off -- -pam-python +pam-python (hle) NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, NOTE: using a single commit for the entire release which changes many things. (lamby) NOTE: 20191017: opened bug report and asked Russell (both Debian maintainer & upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ba6e32e2b0a40f77c5c3f83712688c5e4a70a98a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ba6e32e2b0a40f77c5c3f83712688c5e4a70a98a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dsa-needed: add cacti and take it
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: cc7745e9 by Hugo Lefeuvre at 2019-11-02T08:38:42Z dsa-needed: add cacti and take it related to fixing CVE-2019-16723 in buster. - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -15,6 +15,8 @@ If needed, specify the release by adding a slash after the name of the source pa 389-ds-base (fw) Thorsten Alteholz proposed an update -- +cacti (hle) +-- chromium -- curl (ghedo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc7745e95f11df1065f0b4606ffb04b720f3b500 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc7745e95f11df1065f0b4606ffb04b720f3b500 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
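Review bot: `cacti (hle)` is added to dsa-needed.txt without a NOTE, so the CVE it is for (CVE-2019-16723 in buster, per the commit message) appears nowhere in the file, whereas the neighbouring 389-ds-base entry carries a one-line status. Suggest `cacti (hle)` followed by `NOTE: CVE-2019-16723, buster` so the entry is self-describing to anyone reading the file rather than the git log.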
[Git][security-tracker-team/security-tracker][master] dla-needed: update pam-python, freeimage and p-reportlab
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: e7c2b6cc by Hugo Lefeuvre at 2019-10-28T09:41:43Z dla-needed: update pam-python, freeimage and p-reportlab - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,6 +27,7 @@ freeimage (Hugo Lefeuvre) NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 + NOTE: 20191028: submitted a patch for CVE-2019-12211, see Debian bug report -- gdal (Utkarsh Gupta) -- @@ -95,12 +96,15 @@ pam-python (Hugo Lefeuvre) NOTE: using a single commit for the entire release which changes many things. (lamby) NOTE: 20191017: opened bug report and asked Russell (both Debian maintainer & upstream) NOTE: for more information. + NOTE: 20191028: ongoing, maintainer will probably handle part or all of the update + NOTE: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942514 -- polarssl -- python-ecdsa (Markus Koschany) -- python-reportlab (Hugo Lefeuvre) + NOTE: 20191028: still no upstream fix -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7c2b6cc10c6f8966cd45e8bf3496dcf65b89f09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7c2b6cc10c6f8966cd45e8bf3496dcf65b89f09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-{14981,11470}: remove triage
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 84b9f3a7 by Hugo Lefeuvre at 2019-10-21T08:47:57Z CVE-2019-{14981,11470}: remove <postponed> triage fixed via DLA-1968-1 - - - - - 785616ac by Hugo Lefeuvre at 2019-10-21T08:52:05Z dsa-needed: add python-reportlab, take it CVE-2019-17626, remote code execution - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -9605,7 +9605,6 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerabil NOTE: https://github.com/Exiv2/exiv2/pull/962/commits/e925bc5addd881543fa503470c8a859e112cca62 CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) - imagemagick - [jessie] - imagemagick (can be fixed along with more important issues) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is ...) @@ -20721,7 +20720,6 @@ CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows - imagemagick (low; bug #927830) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (can be fixed along with more important issues) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) = data/dsa-needed.txt = 
@@ -53,6 +53,8 @@ poppler (jmm) -- python3.5 (jmm) -- +python-reportlab (hle) +-- simplesamlphp/oldstable -- slurm-llnl (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0b128825ec0ad730303a944b6d0c446a8d3a9613...785616ac9bdcc615cf3514f61acaebf7881ddc74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0b128825ec0ad730303a944b6d0c446a8d3a9613...785616ac9bdcc615cf3514f61acaebf7881ddc74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
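Review bot: both data/CVE/list hunks remove the `[jessie] - imagemagick (can be fixed along with more important issues)` line, but neither entry gains a `{DLA-1968-1}` line in the visible context even though the commit message says the issues were fixed by that DLA; if the cross-reference is not filled in by the DLA tooling, add it, because with the postponement gone and no DLA reference the jessie status of these two CVEs can no longer be read from the entry.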
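Review bot: the dsa-needed hunk adds `python-reportlab (hle)` with no NOTE, while the commit message records both the CVE and its impact ("CVE-2019-17626, remote code execution"); put that on a NOTE line under the entry so the priority is visible to whoever scans the file for urgent items.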
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1968-1 for imagemagick
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b128825 by Hugo Lefeuvre at 2019-10-21T08:44:03Z Reserve DLA-1968-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Oct 2019] DLA-1968-1 imagemagick - security update + {CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140} + [jessie] - imagemagick 8:6.8.9.9-5+deb8u18 [21 Oct 2019] DLA-1967-1 libpcap - security update {CVE-2019-15165} [jessie] - libpcap 1.6.2-2+deb8u1 = data/dla-needed.txt = @@ -32,16 +32,6 @@ hdf5 ibus NOTE: 20191020: Fix for regression in KDE apps still not available (apo) -- -imagemagick (Hugo Lefeuvre) - NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and potentially - NOTE: insufficient. wait for upstream to answer on bug report, or tag . - NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my opinion: - NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!) - NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and - NOTE: can be misleading... DEP3 comments would be nice. (hle) - NOTE: 20191019: preparing an update for the new batch of CVEs. - NOTE: CVE-2019-17540: unclear upstream fixes in ImageMagick6, this is very messy. --- imapfilter NOTE: 20190910: No patch exists but a possible solution. Note that openssl in NOTE: Jessie is < 1.0.2. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b128825ec0ad730303a944b6d0c446a8d3a9613 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b128825ec0ad730303a944b6d0c446a8d3a9613 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
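Review bot: the dla-needed hunk deletes the whole imagemagick entry, but the notes it removes concern CVE-2019-13391, CVE-2019-13308, CVE-2019-10131 and CVE-2019-17540, none of which is in the CVE list of the DLA-2031-1-style entry added in the first hunk (`{CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140}`). The patch analysis in those notes (large and undocumented fix; off-by-one avoided by over-allocating instead of checking the length before the read) is what the next person picking up those CVEs will need; move those lines to NOTE entries under the respective CVEs in data/CVE/list before dropping them, or keep imagemagick in dla-needed with the remaining issues.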
[Git][security-tracker-team/security-tracker][master] CVE-2019-17626/python-reportlab: add Debian bug report
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: f90538b4 by Hugo Lefeuvre at 2019-10-21T08:32:39Z CVE-2019-17626/python-reportlab: add Debian bug report - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2177,7 +2177,7 @@ CVE-2019-17628 CVE-2019-17627 (The Yale Bluetooth Key application for mobile devices allows unauthori ...) NOT-FOR-US: Yale Bluetooth Key application for mobile devices CVE-2019-17626 (ReportLab through 3.5.26 allows remote code execution because of toCol ...) - - python-reportlab + - python-reportlab (bug #942763) NOTE: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code CVE-2019-17625 (There is a stored XSS in Rambox 0.6.9 that can lead to code execution. ...) NOT-FOR-US: Rambox View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f90538b473ffdbc897502103c97a66e0fb47ccf3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f90538b473ffdbc897502103c97a66e0fb47ccf3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: take python-reportlab
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 17f106e9 by Hugo Lefeuvre at 2019-10-21T07:59:36Z dla-needed: take python-reportlab - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,7 +113,7 @@ polarssl -- python-ecdsa (Markus Koschany) -- -python-reportlab +python-reportlab (Hugo Lefeuvre) -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/17f106e904478cd8139fec6bbae459e1079a5faa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/17f106e904478cd8139fec6bbae459e1079a5faa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-18024/imagemagick: in jessie
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 52104f91 by Hugo Lefeuvre at 2019-10-20T13:46:11Z CVE-2018-18024/imagemagick: <ignored> in jessie patch is undocumented, and probably insufficient. cherry picking this is probably not a good idea. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56713,7 +56713,7 @@ CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-r CVE-2018-18024 (In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the ReadBMPI ...) - imagemagick 8:6.9.10.14+dfsg-1 (low) [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1337 NOTE: https://github.com/ImageMagick/ImageMagick/commit/948f1c86d649a29df08a38d2ff8b91cdf3e92b82 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/b268ce7a59440972f4476b9fd98104b6a836d971 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/52104f9133d3d49ddb94f681673b7962d83c5a85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/52104f9133d3d49ddb94f681673b7962d83c5a85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
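Review bot: the `-`/`+` pair for CVE-2018-18024 reads identically here (`[jessie] - imagemagick (Minor issue)`), so the change to ignored is only visible in the commit message, and the reason given there (undocumented and probably insufficient patch, cherry-picking unwise) is not recorded in the file either. Add a NOTE line with that rationale next to the three existing upstream links so a later triager does not re-derive it from the same commits.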
[Git][security-tracker-team/security-tracker][master] CVE-2019-17541/imagemagick: tag
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cc65c08 by Hugo Lefeuvre at 2019-10-20T13:26:53Z CVE-2019-17541/imagemagick: tag <not-affected> vulnerable code was introduced after 6.9.10-54 and fixed a few days later, no Debian release affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2515,11 +2515,13 @@ CVE-2019-17542 (FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2 CVE-2019-17541 (ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo ...) - - imagemagick + - imagemagick (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15827 NOTE: https://github.com/ImageMagick/ImageMagick/commit/39f226a9c137f547e12afde972eeba7551124493 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c1a5aa3f4214ad6e4748de84dad44398959014e1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1641 + NOTE: vulnerable code introduced in + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/edb32b1780e23c76b5d6dd735f89959a0b7e3867 CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPS ...) - imagemagick (bug #942578) (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7cc65c089e024f901f102bc13329efab3741fd77 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7cc65c089e024f901f102bc13329efab3741fd77 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
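Review bot: the justification in the commit message ("vulnerable code was introduced after 6.9.10-54 and fixed a few days later") is more precise than what the hunk records: the package line gets the generic `(Vulnerable code introduced later)` and the new NOTE gives only the introducing ImageMagick6 commit. Put the version bound into the note (for example `NOTE: vulnerable code introduced after 6.9.10-54 in`) so the not-affected claim can be re-checked against the versions actually shipped without re-reading upstream history.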
[Git][security-tracker-team/security-tracker][master] CVE-2019-17540/imagemagick: tag
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: b941ef4d by Hugo Lefeuvre at 2019-10-20T13:06:49Z CVE-2019-17540/imagemagick: tag <not-affected> The timespan between introduction of the vulnerability and fix is very short (a few days). Because of that, no Debian release is affected by this issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2521,7 +2521,7 @@ CVE-2019-17541 (ImageMagick before 7.0.8-55 has a use-after-free in DestroyStrin NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c1a5aa3f4214ad6e4748de84dad44398959014e1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1641 CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPS ...) - - imagemagick (bug #942578) + - imagemagick (bug #942578) (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826 NOTE: vulnerable code introduced in NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/bfb5bdd6b41dac60d5171108fc02ecaf8735c4a8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b941ef4dfb35326da1e5a8f317fc1a4150403f68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b941ef4dfb35326da1e5a8f317fc1a4150403f68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
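Review bot: the entry being marked not-affected still carries `(bug #942578)`, so the Debian bug should receive the same conclusion (closed, or annotated with the "introduced and fixed within a few days" reasoning from the commit message); otherwise the tracker keeps pointing at an open bug for an issue no release is affected by.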
[Git][security-tracker-team/security-tracker][master] CVE-2019-17540/imagemagick: fixing commits for IM6
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: eb792984 by Hugo Lefeuvre at 2019-10-20T08:40:59Z CVE-2019-17540/imagemagick: fixing commits for IM6 add link to commit which introduced vulnerable code. vulnerable code was introduced very recently. it is very unlikely that any Debian release is affected. these fixing commits are quite messy, in any case I do not recommend to cherry pick them. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2523,11 +2523,17 @@ CVE-2019-17541 (ImageMagick before 7.0.8-55 has a use-after-free in DestroyStrin CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPS ...) - imagemagick (bug #942578) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826 + NOTE: vulnerable code introduced in + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/bfb5bdd6b41dac60d5171108fc02ecaf8735c4a8 NOTE: no upstream bug report, four commits: - NOTE: https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c - NOTE: https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b - NOTE: https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91 - NOTE: https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95 + NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c + NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b + NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91 + NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/b9261b1bce3dbfeecc445e092d207434b41c0752 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/5a4c9cfb76ee82bda0cd970cc9e58499b09cc137 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/41399a3414069870071e47680b0bbbe0a283db5d + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4ba4dc73b7e38bb66c57d457f17ab4aeb9b6bbdc CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...) 
- ffmpeg (low) [buster] - ffmpeg (Minor issue, wait until fixed in 4.1.x branch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb792984ad47bf3484aedb6b8b7894f636410d63 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb792984ad47bf3484aedb6b8b7894f636410d63 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
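Review bot: the unchanged context line "NOTE: no upstream bug report, four commits:" is now followed by eight links (four ImageMagick, four ImageMagick6), so "four commits" is stale; reword it to something like "no upstream bug report, fixing commits (ImageMagick / ImageMagick6):". The commit message also concludes that no Debian release is likely affected because the vulnerable code (ImageMagick6 commit bfb5bdd6) is very recent, yet the entry still reads just "- imagemagick (bug #942578)" with no per-release status; if that analysis holds, record it in the file with [buster]/[stretch]/[jessie] lines marked "(vulnerability introduced later)", as was done for cacti in CVE-2019-16723, and list the introducing commit for the ImageMagick (7) tree as well, since only the IM6 one is given.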
[Git][security-tracker-team/security-tracker][master] dla-needed: update imagemagick notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: d24f85ca by Hugo Lefeuvre at 2019-10-19T15:19:55Z dla-needed: update imagemagick notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,16 +33,14 @@ ibus (Markus Koschany) NOTE: beware of the regression introduced by upstreams first patch -- imagemagick (Hugo Lefeuvre) - NOTE: 20190902: several minor postponed issues with simple patch: preparing an update - NOTE: just for them would be wasting time, but let's include these patches in a - NOTE: future update when new issues appear. NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and potentially NOTE: insufficient. wait for upstream to answer on bug report, or tag . NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my opinion: NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!) NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and NOTE: can be misleading... DEP3 comments would be nice. (hle) - NOTE: 20191015: two new CVEs, check. + NOTE: 20191019: preparing an update for the new batch of CVEs. + NOTE: CVE-2019-17540: unclear upstream fixes in ImageMagick6, this is very messy. -- imapfilter NOTE: 20190910: No patch exists but a possible solution. Note that openssl in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d24f85ca6fc0382a1664e04b1e4c501b81a82f94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d24f85ca6fc0382a1664e04b1e4c501b81a82f94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
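Review bot: the removed 20190902 note was the only record that the "several minor postponed issues with simple patch" should be bundled into the next update; now that the new 20191019 line says an update is being prepared, nothing states whether those postponed patches are going in. Keep a one-liner such as "20191019: preparing an update for the new batch of CVEs, including the postponed minor issues" (or say explicitly that they are left out) so the decision survives in the file. The unchanged context line "wait for upstream to answer on bug report, or tag ." ends in a dangling "tag ." with the intended tag missing; worth completing while editing this block.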
[Git][security-tracker-team/security-tracker][master] CVE-2019-15139/imagemagick: add followup patch
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bf395d4 by Hugo Lefeuvre at 2019-10-19T14:48:29Z CVE-2019-15139/imagemagick: add followup patch partly reverts 6d46f0a046a5... - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9012,6 +9012,8 @@ CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing comp - imagemagick (bug #941670) NOTE: https://github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6d46f0a046a58e7c4567a86ba1b9cb847d5b1968 + NOTE: ImageMagick6: followup, partly reverts previous patch: + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e295b8193a1413a39d5c0b3e18fa7ca952c35cdf NOTE: https://github.com/ImageMagick/ImageMagick/issues/1553 CVE-2019-15138 (The html-pdf package 2.2.0 for Node.js has an arbitrary file read vuln ...) NOT-FOR-US: node html-pdf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf395d42203b9b986d14f9a80dd400b41381df3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf395d42203b9b986d14f9a80dd400b41381df3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
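Review bot: the new "ImageMagick6: followup, partly reverts previous patch:" line says that e295b819 partly reverts 6d46f0a0 but not which part, so a backporter cannot tell whether to cherry-pick both commits in order or only the net result; add a short description of what was reverted. It would also help to state whether the ImageMagick (7) fix c78993d1, listed just above, needs the same followup or was never affected by it.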
[Git][security-tracker-team/security-tracker][master] CVE-2019-15140/imagemagick: add followup patch
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 57ce08d1 by Hugo Lefeuvre at 2019-10-19T14:26:52Z CVE-2019-15140/imagemagick: add followup patch this is probably minor, but still nice to take into account when cherry picking 5caef6e97f3f575 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9005,6 +9005,8 @@ CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers - imagemagick (bug #941671) NOTE: https://github.com/ImageMagick/ImageMagick/commit/f7206618d27c2e69d977abf40e3035a33e5f6be0 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010 + NOTE: followup, previous patch introduced compiler warnings + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1554 CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) - imagemagick (bug #941670) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57ce08d11f984f13eafbfbee3ffb50f80a18c5b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57ce08d11f984f13eafbfbee3ffb50f80a18c5b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
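Review bot: the URL on the new "NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010" line is identical to the ImageMagick6 link directly above it, so the "followup, previous patch introduced compiler warnings" note points at the original patch instead of at the followup (the commit message itself says the followup is to be taken into account "when cherry picking 5caef6e97f3f575"). Replace it with the actual followup commit, and prefix the line with "ImageMagick6:" like its neighbour so the tree is unambiguous.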
[Git][security-tracker-team/security-tracker][master] CVE-2019-16723/cacti: upstream published a new fix
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f11ca68 by Hugo Lefeuvre at 2019-10-19T13:35:55Z CVE-2019-16723/cacti: upstream published a new fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4512,10 +4512,12 @@ CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authoriza [jessie] - cacti (vulnerability introduced later) NOTE: vulnerability introduced in NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326 - NOTE: see Debian bug report for more explanations + NOTE: see Debian bug report for more information NOTE: https://github.com/Cacti/cacti/issues/2964 NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264 NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 + NOTE: after further discussion, upstream issued a new fix which reverts previous commits + NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b NOTE: The original issue mentions only a bypass via graph_json.php but there are NOTE: additional permission checks missed while checking the issue fixed with the NOTE: upstream commits. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f11ca684174bef20adc6db080021b94089fc751 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f11ca684174bef20adc6db080021b94089fc751 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
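Review bot: the two earlier upstream commits (7a6a1725 and c7cf4a26) stay listed without qualification right above the new "upstream issued a new fix which reverts previous commits" line, so anyone scanning the entry may still cherry-pick them; mark them as superseded/reverted, or move them under the new note. The trailing context lines saying the additional missed permission checks were "fixed with the upstream commits" predate the revert and should be re-checked against cfb07335, since it is no longer clear which commits they refer to.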
[Git][security-tracker-team/security-tracker][master] CVE-2019-17540/imagemagick: remove TODO, add commit links
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 584b7cbe by Hugo Lefeuvre at 2019-10-18T16:38:58Z CVE-2019-17540/imagemagick: remove TODO, add commit links Remove the <undetermined>. Dirk Lemstra confirmed that those commits resolved CVE-2019-17540. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2467,9 +2467,13 @@ CVE-2019-17541 (ImageMagick before 7.0.8-55 has a use-after-free in DestroyStrin NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c1a5aa3f4214ad6e4748de84dad44398959014e1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1641 CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPS ...) - - imagemagick (bug #942578) + - imagemagick (bug #942578) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826 - TODO: check, unclear upstream issue and needed fixing commit + NOTE: no upstream bug report, four commits: + NOTE: https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c + NOTE: https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b + NOTE: https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95 CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...) - ffmpeg (low) [buster] - ffmpeg (Minor issue, wait until fixed in 4.1.x branch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/584b7cbef81b56ff5c6ec9c910d3fb25f4c3ffb7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/584b7cbef81b56ff5c6ec9c910d3fb25f4c3ffb7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
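Review bot: the removed and added "- imagemagick (bug #942578)" lines read identically here, which suggests the <undetermined> marker that the commit message says it removes was dropped when the mail was rendered; fine if so, but if the change is really whitespace-only it should not be in the hunk. The new "no upstream bug report, four commits:" block records the fixing commits but not where the confirmation mentioned in the commit message (Dirk Lemstra) was given; a NOTE pointing at that exchange (the Debian bug #942578 thread, if that is where it happened) would keep the status change traceable from the file alone.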
[Git][security-tracker-team/security-tracker][master] CVE-2019-17540/imagemagick: add Debian bug report
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 4013a8ee by Hugo Lefeuvre at 2019-10-18T12:34:29Z CVE-2019-17540/imagemagick: add Debian bug report see Debian bug report for more information, waiting for confirmation from upstream before updating undetermined status - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2467,7 +2467,7 @@ CVE-2019-17541 (ImageMagick before 7.0.8-55 has a use-after-free in DestroyStrin NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c1a5aa3f4214ad6e4748de84dad44398959014e1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1641 CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPS ...) - - imagemagick + - imagemagick (bug #942578) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826 TODO: check, unclear upstream issue and needed fixing commit CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4013a8ee9b5bc17e09a545e1d6c07cacd152b751 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4013a8ee9b5bc17e09a545e1d6c07cacd152b751 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
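Review bot: the status "waiting for confirmation from upstream before updating undetermined status" lives only in the commit message; the file gains the bug reference, but the unchanged "TODO: check, unclear upstream issue and needed fixing commit" line does not say that upstream has already been asked. Fold that into the TODO (e.g. "TODO: check, unclear upstream fix; confirmation requested from upstream, see bug #942578") so the next person does not repeat the query.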
[Git][security-tracker-team/security-tracker][master] next-point-update.txt: add openjpeg2/2.3.0-2+deb10u1
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 56b1afac by Hugo Lefeuvre at 2019-10-18T11:31:12Z next-point-update.txt: add openjpeg2/2.3.0-2+deb10u1 - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -56,3 +56,7 @@ CVE-2017-18638 [buster] - graphite-web 1.1.4-3+deb10u1 CVE-2019-15718 [buster] - systemd 241-7~deb10u2 +CVE-2018-21010 + [buster] - openjpeg2 2.3.0-2+deb10u1 +CVE-2018-20847 + [buster] - openjpeg2 2.3.0-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/56b1afac8f2ad69a6574fd57df624ce39fd35228 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/56b1afac8f2ad69a6574fd57df624ce39fd35228 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
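Review bot: both new entries point at the same openjpeg2 2.3.0-2+deb10u1 upload, which is consistent, but next-point-update.txt duplicates status that also lives under each CVE in data/CVE/list; check that CVE-2018-21010 and CVE-2018-20847 carry a matching [buster] line there with the same version, otherwise the two files drift and the point-update check will disagree with the tracker.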
[Git][security-tracker-team/security-tracker][master] CVE-2019-16723/cacti: jessie/stretch not affected
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: e35e4bf7 by Hugo Lefeuvre at 2019-10-17T11:59:10Z CVE-2019-16723/cacti: jessie/stretch not affected c.f. Debian bug report for more information, upstream ack-ed on upstream bug report. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2357,6 +2357,11 @@ CVE-2019-16724 (File Sharing Wizard 1.5.0 allows a remote attacker to obtain arb NOT-FOR-US: File Sharing Wizard CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authorization c ...) - cacti 1.2.7+ds1-1 (bug #941036) + [stretch] - cacti (vulnerability introduced later) + [jessie] - cacti (vulnerability introduced later) + NOTE: vulnerability introduced in + NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326 + NOTE: see Debian bug report for more explanations NOTE: https://github.com/Cacti/cacti/issues/2964 NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264 NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 = data/dla-needed.txt = 
@@ -16,13 +16,6 @@ ampache (Roberto C. Sánchez) ansible (Utkarsh Gupta) NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) -- -cacti (Hugo Lefeuvre) - NOTE: 20191016: jessie and stretch don't seem to be affected, see - NOTE: https://lists.debian.org/debian-lts/2019/10/msg00081.html for more details - NOTE: waiting for feedback from upstream: https://github.com/Cacti/cacti/issues/2964 - NOTE: 20190117: upstream answered positively. waiting for him to rework a few things - NOTE: before updating the tracker. --- freeimage (Hugo Lefeuvre) NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e35e4bf731f3e261e92f30d5b16cd43632acd70a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e35e4bf731f3e261e92f30d5b16cd43632acd70a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
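Review bot: once the cacti block is deleted from data/dla-needed.txt, the pointer to the analysis (https://lists.debian.org/debian-lts/2019/10/msg00081.html) disappears from the tracker, while the new "[stretch]/[jessie] - cacti (vulnerability introduced later)" lines in data/CVE/list only say "see Debian bug report for more explanations"; carry the list URL into the CVE/list NOTEs so the not-affected claim stays verifiable. The removed block also dates its last note "20190117" although it follows the 20191016 entry and matches the 2019-10-17 commit; if any of it is re-added elsewhere, use 20191017.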
[Git][security-tracker-team/security-tracker][master] 3 commits: dla-needed: update cacti and pam-python notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dfe49f8 by Hugo Lefeuvre at 2019-10-17T11:45:39Z dla-needed: update cacti and pam-python notes claim freeimage - - - - - 0c972428 by Hugo Lefeuvre at 2019-10-17T11:45:40Z add Debian bug for CVE-2019-16729 - - - - - f8931f4d by Hugo Lefeuvre at 2019-10-17T11:45:40Z dsa-needed: claim freeimage - - - - - 3 changed files: - data/CVE/list - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2408,7 +2408,7 @@ CVE-2019-16706 (kkcms v1.3 has a CSRF vulnerablity that can add an user account CVE-2018-21019 (Home Assistant before 0.67.0 was vulnerable to an information disclosu ...) NOT-FOR-US: Home Assistant CVE-2019-16729 (pam-python before 1.0.7-1 has an issue in regard to the default enviro ...) - - pam-python 1.0.7-1 + - pam-python 1.0.7-1 (bug #942514) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1 NOTE: https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/ CVE-2019-16714 (In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv. ...) = data/dla-needed.txt = @@ -20,8 +20,10 @@ cacti (Hugo Lefeuvre) NOTE: 20191016: jessie and stretch don't seem to be affected, see NOTE: https://lists.debian.org/debian-lts/2019/10/msg00081.html for more details NOTE: waiting for feedback from upstream: https://github.com/Cacti/cacti/issues/2964 + NOTE: 20190117: upstream answered positively. waiting for him to rework a few things + NOTE: before updating the tracker. -- -freeimage +freeimage (Hugo Lefeuvre) NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 
@@ -111,7 +113,10 @@ opendmarc (Thorsten Alteholz) NOTE: 20191013: testing package -- pam-python (Hugo Lefeuvre) - NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, using a single commit for the entire release which changes many things. (lamby) + NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, + NOTE: using a single commit for the entire release which changes many things. (lamby) + NOTE: 20191017: opened bug report and asked Russell (both Debian maintainer & upstream) + NOTE: for more information. -- polarssl -- = data/dsa-needed.txt = @@ -21,7 +21,7 @@ curl (ghedo) -- evince/oldstable -- -freeimage +freeimage (hle) -- glusterfs/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9230da06754e42eee20625be473660607c8b59f2...f8931f4d2d26ab44f5e16b42fea51b74db347fab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9230da06754e42eee20625be473660607c8b59f2...f8931f4d2d26ab44f5e16b42fea51b74db347fab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
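Review bot: in the data/dla-needed.txt cacti hunk the new note is dated "20190117", but it follows the 20191016 entry and this commit is from 2019-10-17, so the date is almost certainly a typo for 20191017; notes in this file are read in date order, so fix it before it misleads.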
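Review bot: in the two freeimage hunks, claiming the package in both data/dla-needed.txt ("freeimage (Hugo Lefeuvre)") and data/dsa-needed.txt ("freeimage (hle)") sits directly above the unchanged "NOTE: Maintainer will take care of the update." and the 20190707 note that the maintainer is waiting for upstream; add a dated note saying whether the maintainer handed the update over or the claim is to assist them, otherwise the entry contradicts itself.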
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1714-2 for libsdl2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: aea6df93 by Hugo Lefeuvre at 2019-10-16T20:22:48Z Reserve DLA-1714-2 for libsdl2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[16 Oct 2019] DLA-1714-2 libsdl2 - regression update + [jessie] - libsdl2 2.0.2+dfsg1-6+deb8u2 [16 Oct 2019] DLA-1960-1 wordpress - security update {CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223} [jessie] - wordpress 4.1.27+dfsg-1+deb8u1 = data/dla-needed.txt = @@ -95,12 +95,6 @@ libqb NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby) NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html -- -libsdl2 (Hugo Lefeuvre) - NOTE: another regression: patches from libsdl1.2 have been applied to libsdl2, - NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html - NOTE: 20191012: the update fixing this issue is ready, but I might have found - NOTE: additional issues, planning to upload before 20191013 --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aea6df931f9dd4b5d781cb99906bfbedc38e2a82 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aea6df931f9dd4b5d781cb99906bfbedc38e2a82 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
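Review bot: the removed libsdl2 block's 20191012 note says "I might have found additional issues" beyond the mis-applied libsdl1.2 patches; the new DLA-1714-2 entry only says "regression update" and the block is deleted wholesale, so the file no longer records whether those additional issues went into 2.0.2+dfsg1-6+deb8u2 or are still open. Either keep a trimmed libsdl2 entry for the open part or add a NOTE stating that nothing further was found.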
[Git][security-tracker-team/security-tracker][master] dla-needed: update cacti, hdf5 and imagemagick notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 633cabab by Hugo Lefeuvre at 2019-10-15T14:15:09Z dla-needed: update cacti, hdf5 and imagemagick notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,6 +17,8 @@ ansible (Utkarsh Gupta) NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) -- cacti (Hugo Lefeuvre) + NOTE: 20191015: jessie and stretch don't seem to be affected. I will produce a detailed analysis + NOTE: and try to get confirmation from upstream. -- freeimage NOTE: Maintainer will take care of the update. @@ -26,14 +28,14 @@ freeimage graphite-web -- hdf5 - NOTE: 20190825: Upstream is aware of currently open issues. Progress is slow, + NOTE: 20191015: Upstream is aware of currently open issues. Progress is slow, NOTE: wait for the next HDF5 point release and either do full package upgrade NOTE: or cherry pick fixes (hle) -- ibus (Markus Koschany) NOTE: beware of the regression introduced by upstreams first patch -- -imagemagick +imagemagick (Hugo Lefeuvre) NOTE: 20190902: several minor postponed issues with simple patch: preparing an update NOTE: just for them would be wasting time, but let's include these patches in a NOTE: future update when new issues appear. 
@@ -43,6 +45,7 @@ imagemagick NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!) NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and NOTE: can be misleading... DEP3 comments would be nice. (hle) + NOTE: 20191015: two new CVEs, check. -- imapfilter NOTE: 20190910: No patch exists but a possible solution. Note that openssl in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/633cababc06fd4a1e6a423ab8250285999596ec7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/633cababc06fd4a1e6a423ab8250285999596ec7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
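Review bot: in the hdf5 hunk, the date on "NOTE: 20190825: Upstream is aware of currently open issues. Progress is slow," is rewritten to 20191015 while the text is unchanged, which erases when the assessment was first made and makes an old note look fresh; append a new dated line (e.g. "20191015: still the case, no new point release (hle)") and leave the 20190825 line as it was.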
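Review bot: the new "NOTE: 20191015: two new CVEs, check." line in the imagemagick block does not say which CVEs; name them, since dated notes in this file are what the next claimant uses to reconstruct what was already checked, and "two new CVEs" stops being identifiable as soon as further ones arrive.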
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1713-2 for libsdl1.2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: e3920803 by Hugo Lefeuvre at 2019-10-14T14:43:37Z Reserve DLA-1713-2 for libsdl1.2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[14 Oct 2019] DLA-1713-2 libsdl1.2 - regression update + [jessie] - libsdl1.2 1.2.15-10+deb8u2 [14 Oct 2019] DLA-1953-2 clamav - regression update [jessie] - clamav 0.101.4+dfsg-0+deb8u2 [14 Oct 2019] DLA-1958-1 libdatetime-timezone-perl - new upstream version = data/dla-needed.txt = @@ -91,10 +91,6 @@ libqb NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby) NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html -- -libsdl1.2 (Hugo Lefeuvre) - NOTE: regression introduced by the patch for CVE-2019-7637, several games broken: - NOTE: followup patch https://hg.libsdl.org/SDL/rev/32075e9e2135 is missing --- libsdl2 (Hugo Lefeuvre) NOTE: another regression: patches from libsdl1.2 have been applied to libsdl2, NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3920803d29e9913ced90488c629092bd90af860 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3920803d29e9913ced90488c629092bd90af860 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
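Review bot: deleting the libsdl1.2 block removes the only pointer to the missing followup (https://hg.libsdl.org/SDL/rev/32075e9e2135) for the CVE-2019-7637 patch; the new DLA-1713-2 entry carries no CVE and no note, so the regression's fix is no longer discoverable from the tracker. Add that revision as a NOTE under CVE-2019-7637 in data/CVE/list before dropping the block.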
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1953-2 for clamav
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b8f214c by Hugo Lefeuvre at 2019-10-14T11:23:59Z Reserve DLA-1953-2 for clamav - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[14 Oct 2019] DLA-1953-2 clamav - regression update + [jessie] - clamav 0.101.4+dfsg-0+deb8u2 [14 Oct 2019] DLA-1958-1 libdatetime-timezone-perl - new upstream version [jessie] - libdatetime-timezone-perl 1:1.75-2+2019c [14 Oct 2019] DLA-1957-1 tzdata - new upstream version View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b8f214c237d2099b8d118d862177ef321d0369a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b8f214c237d2099b8d118d862177ef321d0369a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-7574/libsdl{1.2,2}: add commit links
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aa0a135 by Hugo Lefeuvre at 2019-10-13T13:49:39Z CVE-2019-7574/libsdl{1.2,2}: add commit links - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29344,7 +29344,9 @@ CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4496 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610 + NOTE: https://hg.libsdl.org/SDL/rev/a6e3d2f5183e (SDL-1.2) + NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: + NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aa0a13527e5fbf8b96f33567f4472e437660b3e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aa0a13527e5fbf8b96f33567f4472e437660b3e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
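Review bot: "SDL2 was probably fixed during a refactoring, no targeted fix available" is a hedge, while the context lines keep "[buster] - libsdl2 (Minor issue)" and "[stretch] - libsdl2 (Minor issue)", i.e. SDL2 in those releases is still tracked as vulnerable. State whether https://hg.libsdl.org/SDL/rev/b06fa7da012b actually removes the affected code in SDL2 and from which 2.0.x release; otherwise the note gives a backporter nothing to cherry-pick and no basis to mark the releases not-affected. Dropping the bugzilla-attachments link is fine now that the patch is merged as a6e3d2f5183e.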
[Git][security-tracker-team/security-tracker][master] CVE-2019-7573/libsdl{1.2,2}: add commit links
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a96850c3 by Hugo Lefeuvre at 2019-10-13T13:38:55Z CVE-2019-7573/libsdl{1.2,2}: add commit links - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29354,7 +29354,10 @@ CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4491 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3620 + NOTE: same patch as CVE-2019-7576 + NOTE: https://hg.libsdl.org/SDL/rev/fcbecae42795 (SDL-1.2) + NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: + NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a96850c3e42255ae841a7fe61310d675094fb9f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a96850c3e42255ae841a7fe61310d675094fb9f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
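Review bot: the new "same patch as CVE-2019-7576" line needs a reciprocal note under CVE-2019-7576 pointing back to fcbecae42795 and to this CVE; otherwise one of the two entries will look unfixed to anyone searching the file by commit. The "probably fixed during a refactoring" line has the same gap as in the sibling SDL entries: say whether b06fa7da012b is confirmed to cover SDL2 while [buster]/[stretch] libsdl2 remain listed as "(Minor issue)".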
[Git][security-tracker-team/security-tracker][master] CVE-2019-7575/libsdl{1.2,2}: add commit links
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c0d0e3d by Hugo Lefeuvre at 2019-10-13T13:26:44Z CVE-2019-7575/libsdl{1.2,2}: add commit links - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29329,7 +29329,9 @@ CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3609 + NOTE: https://hg.libsdl.org/SDL/rev/a936f9bd3e38 (SDL-1.2) + NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: + NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c0d0e3dd375e96cfa3bf3c62881f962a44ceb24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c0d0e3dd375e96cfa3bf3c62881f962a44ceb24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
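Review bot: three sibling entries (CVE-2019-7572, -7573, -7574) now carry this identical "SDL2 was probably fixed during a refactoring" note pointing at b06fa7da012b; if that revision is the answer for all of them, one sentence on what the refactoring changed (which function or code path) would let the "(Minor issue)" libsdl2 entries be reassessed once rather than per CVE. Also confirm that a936f9bd3e38 is the merged form of the dropped attachment 3609 and not a different patch, since the replacement is made without comment.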
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-7578/libsdl{1.2,2}: add commit links
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: cde9c40f by Hugo Lefeuvre at 2019-10-13T13:21:07Z CVE-2019-7578/libsdl{1.2,2}: add commit links - - - - - 2e204326 by Hugo Lefeuvre at 2019-10-13T13:21:08Z CVE-2019-7577/libsdl{1.2,2}: add commit links - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29294,7 +29294,8 @@ CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3623 + NOTE: https://hg.libsdl.org/SDL/rev/388987dff7bf (SDL-1.2) + NOTE: https://hg.libsdl.org/SDL/rev/f9a9d6c76b21 (SDL-2) CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) 
@@ -29304,8 +29305,10 @@ CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3608 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3694 + NOTE: https://hg.libsdl.org/SDL/rev/faf9abbcfb5f (SDL-1.2) + NOTE: https://hg.libsdl.org/SDL/rev/416136310b88 (SDL-1.2) + NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: + NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d107172f79ae78e55768500878aaba36ebc6a7ba...2e204326ebc9d28819dfb1cd146082953605c9ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d107172f79ae78e55768500878aaba36ebc6a7ba...2e204326ebc9d28819dfb1cd146082953605c9ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
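Review bot: in the CVE-2019-7577 hunk two SDL-1.2 revisions (faf9abbcfb5f, 416136310b88) replace the two proposed attachments (3608, 3694) with nothing saying how they relate, i.e. whether the second completes or corrects the first; given that CVE-2019-7635 already needed a "(correct)/(broken)" annotation for a pair of SDL-1.2 commits, mark the order to apply and whether both are required. The CVE-2019-7578 hunk is fine as is: f9a9d6c76b21 is a targeted SDL-2 fix, unlike the refactoring reference used for the siblings.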
[Git][security-tracker-team/security-tracker][master] CVE-2019-7572/libsdl{1.2,2}: add upstream patches
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 269f4823 by Hugo Lefeuvre at 2019-10-10T15:09:11Z CVE-2019-7572/libsdl{1.2,2}: add upstream patches Proposed patches have been merged. Warning: those are _SDL-1.2_ patches, not SDL-2... - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28993,8 +28993,10 @@ CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4495 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3612 - NOTE: Proposed patch: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3618 + NOTE: https://hg.libsdl.org/SDL/rev/e52413f52586 (SDL-1.2) + NOTE: https://hg.libsdl.org/SDL/rev/a8afedbcaea0 (SDL-1.2) + NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: + NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7571 RESERVED CVE-2019-7570 (A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete user ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/269f482391ebc791014c63d915f175ca82c70cc6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/269f482391ebc791014c63d915f175ca82c70cc6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
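Review bot: the warning in the commit message that these are SDL-1.2 patches and not SDL-2 ones belongs in the entry itself, e.g. "NOTE: SDL-1.2 patches only, they do not apply to libsdl2"; the dla-needed entries on this page record a libsdl2 regression caused by exactly that (libsdl1.2 patches applied to libsdl2), so the bare "(SDL-1.2)" suffix has already proven insufficient as a guard.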
[Git][security-tracker-team/security-tracker][master] CVE-2019-7635/libsdl1.2: clarify notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f3223e7 by Hugo Lefeuvre at 2019-10-10T14:26:22Z CVE-2019-7635/libsdl1.2: clarify notes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28794,8 +28794,11 @@ CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498 NOTE: https://hg.libsdl.org/SDL/rev/7c643f1c1887 (SDL-2) + NOTE: two patches initially merged for SDL-1.2: NOTE: https://hg.libsdl.org/SDL/rev/08f3b4992538 (SDL-1.2) (correct) NOTE: https://hg.libsdl.org/SDL/rev/4646533663ae (SDL-1.2) (broken) + NOTE: the second one is incorrect as was reverted in + NOTE: https://hg.libsdl.org/SDL/rev/33940ce0a0ba NOTE: https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49 (SDL_image-2) NOTE: https://hg.libsdl.org/SDL_image/rev/a3a7cac00d5f (SDL_image-1.2) CVE-2018-20764 (A buffer overflow exists in HelpSystems tcpcrypt on Linux, used for Bo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f3223e706c0468f7242fc270ac3cc787d8c1d97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f3223e706c0468f7242fc270ac3cc787d8c1d97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
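Review bot: "the second one is incorrect as was reverted in" reads as a typo for "and was reverted in", and the revert rev 33940ce0a0ba is the only rev line in this entry without an "(SDL-1.2)" suffix. Suggest "NOTE: the second one is incorrect and was reverted in" followed by "NOTE: https://hg.libsdl.org/SDL/rev/33940ce0a0ba (SDL-1.2)" so the line matches its neighbours.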
[Git][security-tracker-team/security-tracker][master] dla-needed: clarify libsdl{1.2, 2} regressions
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d7d4822 by Hugo Lefeuvre at 2019-10-10T13:19:43Z dla-needed: clarify libsdl{1.2, 2} regressions there are two different regressions: one in libsdl1.2 (a followup patch is missing), and another one in libsdl2 (libsdl1.2 patches have been applied to libsdl2, but they were not intended for libsdl2). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,7 +78,11 @@ libqb NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html -- libsdl1.2 (Hugo Lefeuvre) - NOTE: regression introduced by the patch for CVE-2019-7637, several games broken + NOTE: regression introduced by the patch for CVE-2019-7637, several games broken: + NOTE: followup patch https://hg.libsdl.org/SDL/rev/32075e9e2135 is missing +-- +libsdl2 (Hugo Lefeuvre) + NOTE: another regression: patches from libsdl1.2 have been applied to libsdl2, NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d7d4822d69650796fe23eb34e4f8af83000cabb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d7d4822d69650796fe23eb34e4f8af83000cabb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
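Review bot: the new libsdl2 entry's note ends on a trailing comma ("...have been applied to libsdl2,"), and the unchanged "see https://lists.debian.org/debian-lts/2019/10/msg00039.html" line, which previously belonged to libsdl1.2, now reads only as the continuation of the libsdl2 note, leaving the libsdl1.2 entry with no pointer to the list discussion. Suggest finishing the sentence with the point made in the commit message ("..., but they were not intended for libsdl2") and repeating the list link under libsdl1.2 if it covers that regression too.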
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1953-1 for clamav
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 342562a0 by Hugo Lefeuvre at 2019-10-10T10:49:20Z Reserve DLA-1953-1 for clamav - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Oct 2019] DLA-1953-1 clamav - security update + {CVE-2019-12625 CVE-2019-12900} + [jessie] - clamav 0.101.4+dfsg-0+deb8u1 [09 Oct 2019] DLA-1952-1 rsyslog - security update {CVE-2019-17041 CVE-2019-17042} [jessie] - rsyslog 8.4.2-1+deb8u3 = data/dla-needed.txt = @@ -15,15 +15,6 @@ ampache (Roberto C. Sánchez) -- cacti (Hugo Lefeuvre) -- -clamav (Hugo Lefeuvre) - NOTE: 20191002: we are backporting 0.101.4+dfsg-0+deb9u1 to jessie, meaning - NOTE: that we are subject to the 0.101.1 transition (see #924278). This - NOTE: requires additional uploads to dansguardian, havp, python-pyclamav and - NOTE: c-icap-modules. - NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00012.html - NOTE: 20191008: uploaded clamav, currently waiting for ftpmaster's approval - NOTE: since it is now in the NEW queue. I have e-mailed them, but no answer yet. --- freeimage NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/342562a06080aed973c8b5256fb09c4a98d967c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/342562a06080aed973c8b5256fb09c4a98d967c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
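Review bot: removing the clamav entry from dla-needed also deletes the only record that the libclamav transition requires additional uploads of dansguardian, havp, python-pyclamav and c-icap-modules, while the new DLA/list entry covers clamav 0.101.4+dfsg-0+deb8u1 alone. If those dependent rebuilds are still pending, keep them tracked (their own dla-needed entries, or a note in the DLA) rather than dropping the notes together with the claim.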
[Git][security-tracker-team/security-tracker][master] openjpeg2 2.1.2-1.1+deb9u4: update next-oldstable-point-update.txt
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f8afde7 by Hugo Lefeuvre at 2019-10-09T08:27:59Z openjpeg2 2.1.2-1.1+deb9u4: update next-oldstable-point-update.txt Remove openjpeg2 dsa-needed entry as CVE-2018-21010 will be fixed via point update in stretch and buster. - - - - - 2 changed files: - data/dsa-needed.txt - data/next-oldstable-point-update.txt Changes: = data/dsa-needed.txt = @@ -49,8 +49,6 @@ nodejs nss/oldstable (jmm) Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 -- -openjpeg2 --- pam-python -- poppler (jmm) = data/next-oldstable-point-update.txt = @@ -56,3 +56,9 @@ CVE-2018-14072 [stretch] - libsixel 1.5.2-2+deb9u1 CVE-2018-14073 [stretch] - libsixel 1.5.2-2+deb9u1 +CVE-2018-21010 + [stretch] - openjpeg2 2.1.2-1.1+deb9u4 +CVE-2018-20847 + [stretch] - openjpeg2 2.1.2-1.1+deb9u4 +CVE-2016-9112 + [stretch] - openjpeg2 2.1.2-1.1+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f8afde77f1ea949e1f16139b73aab883deda6ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f8afde77f1ea949e1f16139b73aab883deda6ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
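Review bot: the commit message says CVE-2018-21010 will be fixed via point update in stretch and buster, but the second hunk only adds stretch entries to next-oldstable-point-update.txt and nothing is touched for buster; either the buster side is missing from this commit or the message should say stretch only. The other two CVEs added in the same hunk (CVE-2018-20847, CVE-2016-9112) are not mentioned in the commit message at all, which makes the dsa-needed removal in the first hunk harder to audit later.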
[Git][security-tracker-team/security-tracker][master] dla-needed: add libsdl1.2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 71151a11 by Hugo Lefeuvre at 2019-10-09T08:04:03Z dla-needed: add libsdl1.2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,6 +88,10 @@ libqb NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby) NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html -- +libsdl1.2 (Hugo Lefeuvre) + NOTE: regression introduced by the patch for CVE-2019-7637, several games broken + NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71151a114c661e9c59a997213924b7d8419a0f11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71151a114c661e9c59a997213924b7d8419a0f11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
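Review bot: the new libsdl1.2 notes lack the YYYYMMDD prefix used by the neighbouring libqb notes ("NOTE: 20190616: ...", "NOTE: 20190619: ..."), which is what lets other triagers judge how stale a regression note is; suggest "NOTE: 20191009: regression introduced by the patch for CVE-2019-7637, ...".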
[Git][security-tracker-team/security-tracker][master] CVE-2018-20847/openjpeg2: add missing commit link
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a6bff21f by Hugo Lefeuvre at 2019-10-09T06:34:47Z CVE-2018-20847/openjpeg2: add missing commit link - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13469,8 +13469,9 @@ CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the - openjpeg2 2.3.1-1 (low; bug #931294) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) - NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949 NOTE: https://github.com/uclouvain/openjpeg/issues/431 + NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949 + NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e NOTE: https://github.com/uclouvain/openjpeg/commit/c58df149900df862806d0e892859b41115875845 CVE-2018-20846 (Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi ...) - openjpeg2 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6bff21fae65afdfc65ef6dfdcaddb8ad1ed3501 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6bff21fae65afdfc65ef6dfdcaddb8ad1ed3501 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
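Review bot: with three upstream commits now listed for CVE-2018-20847 and none of them annotated, it is unclear which is the fix and which are follow-ups; elsewhere in this file such chains are spelled out ("incomplete, introduces a memory leak, follow-up patches:"). Suggest annotating the added 2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e line with what it adds relative to 5d00b719, so a backporter knows whether all three are needed.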
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1950-1 for openjpeg2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e3a195a by Hugo Lefeuvre at 2019-10-08T13:59:55Z Reserve DLA-1950-1 for openjpeg2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Oct 2019] DLA-1950-1 openjpeg2 - security update + {CVE-2018-21010} + [jessie] - openjpeg2 2.1.0-2+deb8u8 [08 Oct 2019] DLA-1949-1 xen - security update {CVE-2019-17341 CVE-2019-17342 CVE-2019-17343 CVE-2018-19961 CVE-2018-19962 CVE-2018-19966} [jessie] - xen 4.4.4lts5-0+deb8u1 = data/dla-needed.txt = @@ -110,10 +110,6 @@ nghttp2 (Mike Gabriel) opendmarc (Thorsten Alteholz) NOTE: 20190929: testing package -- -openjpeg2 (Hugo Lefeuvre) - NOTE: 20191008: planning to provide an update for CVE-2018-21010, and a stretch-pu - NOTE: for recent issues. --- pam-python NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, using a single commit for the entire release which changes many things. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e3a195abcfa111ea7121bccdb3febe05431445c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e3a195abcfa111ea7121bccdb3febe05431445c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
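Review bot: the removed dla-needed note recorded a plan for a stretch-pu "for recent issues" alongside the jessie DLA; reserving DLA-1950-1 closes the jessie side, but the stretch-pu intent is not carried anywhere in this commit (no dsa-needed or point-update entry). Suggest moving that line to wherever the stretch work is tracked rather than deleting it with the claim.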
[Git][security-tracker-team/security-tracker][master] dla-needed: update clamav and openjpeg2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: dad09634 by Hugo Lefeuvre at 2019-10-08T12:39:43Z dla-needed: update clamav and openjpeg2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,6 +21,8 @@ clamav (Hugo Lefeuvre) NOTE: requires additional uploads to dansguardian, havp, python-pyclamav and NOTE: c-icap-modules. NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00012.html + NOTE: 20191008: uploaded clamav, currently waiting for ftpmaster's approval + NOTE: since it is now in the NEW queue. I have e-mailed them, but no answer yet. -- freeimage NOTE: Maintainer will take care of the update. @@ -109,6 +111,8 @@ opendmarc (Thorsten Alteholz) NOTE: 20190929: testing package -- openjpeg2 (Hugo Lefeuvre) + NOTE: 20191008: planning to provide an update for CVE-2018-21010, and a stretch-pu + NOTE: for recent issues. -- pam-python NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, using a single commit for the entire release which changes many things. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dad096348b40fe7ac6169f4ab2956527ef60b46e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dad096348b40fe7ac6169f4ab2956527ef60b46e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
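Review bot: the added clamav note is written in the first person ("I have e-mailed them") with no author tag, in a shared file where other notes end with the author's handle ("(lamby)" in the pam-python context below); suggest appending "(hle)" to both the clamav and the openjpeg2 additions so readers know whom to ask about the NEW-queue and stretch-pu status.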
[Git][security-tracker-team/security-tracker][master] CVE-2018-{21010,20847,5727}/openjpeg2 fixed in sid
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: e388cd94 by Hugo Lefeuvre at 2019-10-08T12:24:35Z CVE-2018-{21010,20847,5727}/openjpeg2 fixed in sid via 2.3.1-1. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3599,7 +3599,7 @@ CVE-2019-15925 (An issue was discovered in the Linux kernel before 5.2.3. An out [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/04f25edb48c441fc278ecc154c270f16966cbb90 CVE-2018-21010 (OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_icc_pr ...) - - openjpeg2 (bug #939553) + - openjpeg2 2.3.1-1 (bug #939553) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea @@ -13449,7 +13449,7 @@ CVE-2019-12966 (FeHelper through 2019-06-19 allows arbitrary code execution duri NOT-FOR-US: FeHelper CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the functi ...) {DLA-1851-1} - - openjpeg2 (low; bug #931294) + - openjpeg2 2.3.1-1 (low; bug #931294) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949 
@@ -87301,7 +87301,7 @@ CVE-2018-5729 (MIT krb5 1.6 or later allows an authenticated kadmin with permiss CVE-2018-5728 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to obta ...) NOT-FOR-US: Cobham Sea Tel 121 build 222701 devices CVE-2018-5727 (In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the o ...) - - openjpeg2 (unimportant; bug #888532) + - openjpeg2 2.3.1-1 (unimportant; bug #888532) NOTE: https://github.com/uclouvain/openjpeg/issues/1053 NOTE: https://github.com/rouault/openjpeg/commit/a1d32a596a94280178c44a55d7e NOTE: ubsan error (integer overflow), no security impact per se and unlikely View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e388cd944d34bb7404f63561b5d6108f5fb115ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e388cd944d34bb7404f63561b5d6108f5fb115ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
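Review bot: marking CVE-2018-5727 fixed in 2.3.1-1 rests on a fix reference that points into a personal fork (github.com/rouault/openjpeg); the entry should state that this change is contained in the 2.3.1 release (the upstream commit or merge as it landed in uclouvain/openjpeg), since the fork link alone does not show it reached the tree that 2.3.1-1 was built from. The first two hunks (CVE-2018-21010, CVE-2018-20847) only record the sid version and leave the buster/stretch "Minor issue" tags intact, which is consistent.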
[Git][security-tracker-team/security-tracker][master] CVE-2018-5727/openjpeg2: add commit link
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a5bda42 by Hugo Lefeuvre at 2019-10-07T12:45:47Z CVE-2018-5727/openjpeg2: add commit link - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -87135,6 +87135,7 @@ CVE-2018-5728 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to CVE-2018-5727 (In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the o ...) - openjpeg2 (unimportant; bug #888532) NOTE: https://github.com/uclouvain/openjpeg/issues/1053 + NOTE: https://github.com/rouault/openjpeg/commit/a1d32a596a94280178c44a55d7e NOTE: ubsan error (integer overflow), no security impact per se and unlikely NOTE: to trigger any security relevant issue CVE-2018-5726 (MASTER IPCAMERA01 3.3.4.2103 devices allow remote attackers to obtain ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a5bda42ca2028827a2a08e1365cacc436f2e952 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a5bda42ca2028827a2a08e1365cacc436f2e952 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
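Review bot: the added commit link points to a fork (github.com/rouault/openjpeg) and the hash is truncated to 27 hex digits, so it may not resolve and does not prove the fix is in the upstream tree; suggest replacing it with the full hash of the corresponding commit in uclouvain/openjpeg, matching the issues/1053 link above it, and noting the upstream release that contains it.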
[Git][security-tracker-team/security-tracker][master] 2 commits: dla-needed: claim cacti
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 862bf5a5 by Hugo Lefeuvre at 2019-10-07T09:05:00Z dla-needed: claim cacti - - - - - 9519c666 by Hugo Lefeuvre at 2019-10-07T09:05:01Z openjpeg2/CVE-2018-21010: no-dsa in stretch/buster as discussed in https://bugs.debian.org/939553 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3447,6 +3447,8 @@ CVE-2019-15925 (An issue was discovered in the Linux kernel before 5.2.3. An out NOTE: https://git.kernel.org/linus/04f25edb48c441fc278ecc154c270f16966cbb90 CVE-2018-21010 (OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_icc_pr ...) - openjpeg2 (bug #939553) + [buster] - openjpeg2 (Minor issue) + [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea CVE-2018-21009 (Poppler before 0.66.0 has an integer overflow in Parser::makeStream in ...) {DLA-1939-1} = data/dla-needed.txt = @@ -13,7 +13,7 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues ampache (Roberto C. Sánchez) NOTE: package only in Jessie -- -cacti +cacti (Hugo Lefeuvre) -- clamav (Hugo Lefeuvre) NOTE: 20191002: we are backporting 0.101.4+dfsg-0+deb9u1 to jessie, meaning View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1c9417dbd01cb0ab1374128a38aef8b8c995f967...9519c6667b3aeb7b9d17688a6c2e5679f4366247 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1c9417dbd01cb0ab1374128a38aef8b8c995f967...9519c6667b3aeb7b9d17688a6c2e5679f4366247 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
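Review bot: tagging a heap buffer overflow (per the CVE description in the hunk header) as "Minor issue" for buster and stretch needs the rationale in the entry itself; here it lives only in the commit message's pointer to https://bugs.debian.org/939553. Suggest a NOTE line summarising the reasoning from #939553, or at minimum "NOTE: see #939553 for the no-dsa rationale", so the decision is auditable from data/CVE/list alone.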
[Git][security-tracker-team/security-tracker][master] dla-needed: clamav: document libclamav 7 -> 9 transition
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: c756be1c by Hugo Lefeuvre at 2019-10-02T20:36:04Z dla-needed: clamav: document libclamav 7 -> 9 transition - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -16,8 +16,11 @@ ampache cacti -- clamav (Hugo Lefeuvre) - NOTE: update ready, currently testing it. - NOTE: based on stretch, but non trivial changes were needed + NOTE: 20191002: we are backporting 0.101.4+dfsg-0+deb9u1 to jessie, meaning + NOTE: that we are subject to the 0.101.1 transition (see #924278). This + NOTE: requires additional uploads to dansguardian, havp, python-pyclamav and + NOTE: c-icap-modules. + NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00012.html -- freeimage NOTE: Maintainer will take care of the update. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c756be1cee8c019570356d8a9ecd2f8fde875f8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c756be1cee8c019570356d8a9ecd2f8fde875f8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
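Review bot: the commit title names the libclamav 7 -> 9 transition, but the notes only say "the 0.101.1 transition (see #924278)"; naming the soname change in the note itself (libclamav7 -> libclamav9) would make it obvious why dansguardian, havp, python-pyclamav and c-icap-modules need uploads and what a reverse-dependency check should look for.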
[Git][security-tracker-team/security-tracker][master] dla-needed: update clamav notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: f5de2625 by Hugo Lefeuvre at 2019-10-02T13:10:06Z dla-needed: update clamav notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -16,11 +16,8 @@ ampache cacti -- clamav (Hugo Lefeuvre) - NOTE: wait for definitive patch to be available, then upgrade to latest upstream - NOTE: release (follow stretch changes) (hle) - NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html - NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug - NOTE: report) (hle) + NOTE: update ready, currently testing it. + NOTE: based on stretch, but non trivial changes were needed -- freeimage NOTE: Maintainer will take care of the update. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5de262517923b4d263f61255e8cfcd5ea5a3703 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5de262517923b4d263f61255e8cfcd5ea5a3703 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
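Review bot: the replacement drops the mailing-list reference (https://lists.debian.org/debian-lts/2019/08/msg00023.html), the 20190822 date stamp and the "(hle)" author tag, and the two new lines are undated and unsigned. Suggest "NOTE: 20191002: update ready, currently testing it (hle)" and keeping the list link for the background, so the entry stays consistent with the dated notes elsewhere in the file.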
[Git][security-tracker-team/security-tracker][master] dla-needed: claim clamav and openjpeg2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 6dbde8cf by Hugo Lefeuvre at 2019-10-01T08:46:18Z dla-needed: claim clamav and openjpeg2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -15,7 +15,7 @@ ampache -- cacti -- -clamav +clamav (Hugo Lefeuvre) NOTE: wait for definitive patch to be available, then upgrade to latest upstream NOTE: release (follow stretch changes) (hle) NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html @@ -107,7 +107,7 @@ nghttp2 (Mike Gabriel) opendmarc (Thorsten Alteholz) NOTE: 20190929: testing package -- -openjpeg2 +openjpeg2 (Hugo Lefeuvre) -- pam-python NOTE: 20190927: Upstream appear to not have a distinct revision for this fix, using a single commit for the entire release which changes many things. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6dbde8cff5d95fc917094a2e2623ebb99930 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6dbde8cff5d95fc917094a2e2623ebb99930 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reserve DSA-4522-1 for faad2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: aa768969 by Hugo Lefeuvre at 2019-09-13T16:57:43Z reserve DSA-4522-1 for faad2 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[13 Sep 2019] DSA-4522-1 faad2 - security update + {CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2018-20194 CVE-2018-20195 CVE-2018-20197 CVE-2018-20198 CVE-2018-20357 CVE-2018-20358 CVE-2018-20359 CVE-2018-20361 CVE-2018-20362 CVE-2019-15296} + [stretch] - faad2 2.8.0~cvs20161113-1+deb9u2 [09 Sep 2019] DSA-4521-1 docker.io - security update {CVE-2019-13139 CVE-2019-13509 CVE-2019-14271} [buster] - docker.io 18.09.1+dfsg1-7.1+deb10u1 = data/dsa-needed.txt = @@ -22,8 +22,6 @@ chromium -- evince/oldstable -- -faad2 (hle) --- freeimage -- glusterfs/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa7689699c6263537aa820942363868621e732e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa7689699c6263537aa820942363868621e732e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dsa-needed: claim faad2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: b2cdb5f4 by Hugo Lefeuvre at 2019-09-04T20:00:16Z dsa-needed: claim faad2 - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -26,8 +26,7 @@ evince/oldstable -- exim4 (carnil) -- -faad2 - not yet fixed upstream +faad2 (hle) -- firefox-esr (jmm) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2cdb5f46bba9a38251b3c3890e57242d071d52b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2cdb5f46bba9a38251b3c3890e57242d071d52b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
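Review bot: claiming the package removes the status line "not yet fixed upstream" without replacing it; if that is still the state, keep it as a note next to the claim ("faad2 (hle)" followed by "not yet fixed upstream") so the next reader does not have to rediscover whether an upstream fix exists.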
[Git][security-tracker-team/security-tracker][master] dla-needed: update imagemagick entry
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 1033631d by Hugo Lefeuvre at 2019-09-02T13:10:18Z dla-needed: update imagemagick entry see https://lists.debian.org/debian-lts/2019/09/msg4.html - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = 
@@ -50,10 +50,15 @@ hdf5 (Hugo Lefeuvre) icedtea-web (Markus Koschany) -- imagemagick - NOTE: 20190829: Several and issues some of them with simple patch - NOTE: 20190829: are still open for jessie. Should be revisited with policy in mind that - NOTE: 20190829: we also work on issues whereas the security team would not. - NOTE: 20190829: Only claim this, if nothing more urgent is available in dla-needed.txt. + NOTE: 20190902: several minor postponed issues with simple patch: preparing an update + NOTE: just for them would be wasting time, but let's include these patches in a + NOTE: future update when new issues appear. + NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and potentially + NOTE: insufficient. wait for upstream to answer on bug report, or tag . + NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my opinion: + NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!) + NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and + NOTE: can be misleading... DEP3 comments would be nice. (hle) -- libav (Mike Gabriel) NOTE: 20190831: There are currently 19 CVE issues known for libav in jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1033631d635e0c96f59ede88e5fd72b9cde7bd33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1033631d635e0c96f59ede88e5fd72b9cde7bd33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
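Review bot: the line "wait for upstream to answer on bug report, or tag ." is missing the tag name before the full stop, so the intended fallback action cannot be read from the entry; please fill in which tag was meant. The commit message's reference https://lists.debian.org/debian-lts/2019/09/msg4.html does not follow the msgNNNNN form of the other list links on this page (msg00039.html, msg00012.html) and should be checked. The CVE-2019-10131 observation is worth keeping as written: a bounds check belongs before the read, and allocating one extra byte only masks the off-by-one, so recording that reasoning in the patch's DEP-3 headers, as the note suggests, is the right place for it.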
[Git][security-tracker-team/security-tracker][master] imagemagick triage for jessie
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 743cfa0f by Hugo Lefeuvre at 2019-08-31T22:10:18Z imagemagick triage for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2443,7 +2443,7 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerabil TODO: check CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) - imagemagick - [jessie] - imagemagick (minor issue, low security impact) + [jessie] - imagemagick (can be fixed along with more important issues) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is ...) @@ -8223,7 +8223,7 @@ CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in Mag NOTE: https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01 CVE-2019-13307 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...) - imagemagick (bug #931448) - [jessie] - imagemagick (Low tier issue, patch fairly intrusive) + [jessie] - imagemagick (minor issue, patch fairly intrusive) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1615 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/91e58d967a92250439ede038ccfb0913a81e59fe NOTE: incomplete, introduces a memory leak, follow-up patches: 
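Review bot: the two hunks move the jessie rationale wording in different directions, CVE-2019-14981 from "minor issue, low security impact" to "can be fixed along with more important issues" and CVE-2019-13307 from "Low tier issue, patch fairly intrusive" to "minor issue, patch fairly intrusive"; both are defensible, but a one-line legend (in dla-needed or the commit message) stating which phrase means "postpone until bundled with a DLA" and which means "not worth a DLA on its own" would keep future triage of the remaining imagemagick entries consistent.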
@@ -8261,7 +8261,7 @@ CVE-2019-13301 (ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory NOTE: https://github.com/ImageMagick/ImageMagick6/commit/0b7d3675438cbcde824e751895847a0794406e08 CVE-2019-13300 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...) - imagemagick (bug #931454) - [jessie] - imagemagick (Low tier issue, patch fairly intrusive) + [jessie] - imagemagick (minor issue, patch fairly intrusive) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1586 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5e409ae7a389cdf2ed17469303be3f3f21cec450 CVE-2019-13299 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCo ...) 
@@ -9164,17 +9164,17 @@ CVE-2019-12980 (In Ming (aka libming) 0.4.8, there is an integer overflow (cause NOTE: https://github.com/libming/libming/pull/179/commits/2223f7a1e431455a1411bee77c90db94a6f8e8fe CVE-2019-12979 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) - imagemagick (bug #931189) - [jessie] - imagemagick (minor security impact) + [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1522 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/27b1c74979ac473a430e266ff6c4b645664bc805 CVE-2019-12978 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) - imagemagick (bug #931190) - [jessie] - imagemagick (minor security impact) + [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1519 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ae1ded6140bfa8ae9f6dcba5413b72d98ed94614 CVE-2019-12977 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) - imagemagick (bug #931191) - [jessie] - imagemagick (minor security impact) + [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1518 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e6103897fae2ed47e24b9cf7de719eea877b0504 CVE-2019-12976 (ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in ...) 
@@ -13171,7 +13171,7 @@ CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows - imagemagick (low; bug #927830) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [jessie] - imagemagick (can be fixed along with more important issues) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/743cfa0f2fccd37aaa6729cd2f5472205b618632
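Review bot: the three hunks under @@ -9164 (CVE-2019-12979, CVE-2019-12978, CVE-2019-12977) each replace `[jessie] - imagemagick (minor security impact)` with a line that reads identically, so those changes can only be whitespace; either drop them or say so in the commit message, because as shown they look like accidental edits in a commit described only as "imagemagick triage for jessie". The substantive changes (the @@ -2443 and @@ -13171 hunks moving to "can be fixed along with more important issues", the @@ -8223 and @@ -8261 hunks moving from "Low tier issue" to "minor issue, patch fairly intrusive") would also be easier to audit later if the commit message stated the triage rationale in one sentence.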
[Git][security-tracker-team/security-tracker][master] CVE-2019-5058/sdl-image1.2,libsdl2-image: fixed in jessie
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 07e6ef1c by Hugo Lefeuvre at 2019-08-29T13:59:28Z CVE-2019-5058/sdl-image1.2,libsdl2-image: fixed in jessie The patch was included in 2.0.0+dfsg-3+deb8u2 and 1.2.12-5+deb8u2, before CVE assignation. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30423,11 +30423,11 @@ CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF ima - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) - [jessie] - libsdl2-image (Minor issue) + [jessie] - libsdl2-image 2.0.0+dfsg-3+deb8u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 (Minor issue) [stretch] - sdl-image1.2 (Minor issue) - [jessie] - sdl-image1.2 (Minor issue) + [jessie] - sdl-image1.2 1.2.12-5+deb8u2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0842 NOTE: https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 NOTE: CVE-2019-5058 can be considered a CVE for an incomplete fix for CVE-2018-3977. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/07e6ef1cd33b9a619e90efefbcded96277ccabd5
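Review bot: the jessie fix versions `2.0.0+dfsg-3+deb8u2` and `1.2.12-5+deb8u2` are recorded without any DLA reference, and the reason (the fix shipped before the CVE was assigned, per the commit message) lives only in the commit log. Suggest adding a NOTE line to the entry itself, e.g. `NOTE: jessie fix shipped with the CVE-2018-3977 update, before CVE assignment`, so that a reader of data/CVE/list does not go looking for a DLA that does not exist; the existing NOTE that CVE-2019-5058 is an incomplete-fix follow-up to CVE-2018-3977 is the natural place to attach it.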
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1899-1 for faad2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 0106b94f by Hugo Lefeuvre at 2019-08-28T19:14:23Z Reserve DLA-1899-1 for faad2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Aug 2019] DLA-1899-1 faad2 - security update + {CVE-2018-19502 CVE-2018-20196 CVE-2018-20199 CVE-2018-20360 CVE-2019-6956 CVE-2019-15296} + [jessie] - faad2 2.7-8+deb8u3 [26 Aug 2019] DLA-1898-1 xymon - security update {CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486} [jessie] - xymon 4.3.17-6+deb8u2 = data/dla-needed.txt = @@ -36,10 +36,6 @@ djvulibre (Thorsten Alteholz) -- dnsmasq (Mike Gabriel) -- -faad2 (Hugo Lefeuvre) - NOTE: 20190826: all patches have been merged upstream now, upload with last batch of patches - NOTE: will happen in shortly --- freeimage NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0106b94f4de59d6f471b72292a8d78a880102042
[Git][security-tracker-team/security-tracker][master] faad2 issues fixed in 2.8.8-3.1
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 0da91b2b by Hugo Lefeuvre at 2019-08-28T15:54:05Z faad2 issues fixed in 2.8.8-3.1 see #914641 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25538,7 +25538,7 @@ CVE-2019-6958 (A recently discovered security vulnerability affects all Bosch Vi CVE-2019-6957 (A recently discovered security vulnerability affects all Bosch Video M ...) NOT-FOR-US: Bosch CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) - - faad2 (bug #914641) + - faad2 2.8.8-3.1 (bug #914641) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://sourceforge.net/p/faac/bugs/240/ @@ -34857,7 +34857,7 @@ CVE-2018-20361 (An invalid memory address dereference was discovered in the hf_a NOTE: https://github.com/knik0/faad2/issues/30 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20360 (An invalid memory address dereference was discovered in the sbr_proces ...) - - faad2 (low) + - faad2 2.8.8-3.1 (low) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/32 @@ -35462,7 +35462,7 @@ CVE-2018-20200 (** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12 NOTE: https://github.com/square/okhttp/issues/4967 NOTE: No practicable security imapacting relevance CVE-2018-20199 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) - - faad2 (low) + - faad2 2.8.8-3.1 (low) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/24 
@@ -35481,7 +35481,7 @@ CVE-2018-20197 (There is a stack-based buffer underflow in the third instance of NOTE: very similar to CVE-2018-20194, same fix: NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20196 (There is a stack-based buffer overflow in the third instance of the ca ...) - - faad2 + - faad2 2.8.8-3.1 NOTE: https://github.com/knik0/faad2/issues/19 NOTE: https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22852a97f7c13c5edd879 CVE-2018-20195 (A NULL pointer dereference was discovered in ic_predict of libfaad/ic_ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0da91b2b337efeb86901ab24df9a4d319003fe61
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1898-1 for xymon
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 17c5172a by Hugo Lefeuvre at 2019-08-26T13:33:52Z Reserve DLA-1898-1 for xymon - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Aug 2019] DLA-1898-1 xymon - security update + {CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486} + [jessie] - xymon 4.3.17-6+deb8u2 [25 Aug 2019] DLA-1897-1 tiff - security update {CVE-2019-14973} [jessie] - tiff 4.0.3-12.3+deb8u9 = data/dla-needed.txt = @@ -138,6 +138,3 @@ xen xtrlock (Chris Lamb) NOTE: 20190822: WIP on #830726 (lamby) -- -xymon (Hugo Lefeuvre) - NOTE: 20190825: backported 4.3.28-2+deb9u1 to jessie, currently testing it. --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/17c5172aaf3ca9dc3ae866ec799ae31245680a48
[Git][security-tracker-team/security-tracker][master] faad2: add upstream commit links
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 55754cb1 by Hugo Lefeuvre at 2019-08-26T12:55:57Z faad2: add upstream commit links My last pull request was merged, including fixes for CVE-2019-6956, CVE-2018-20360 and CVE-2018-20199. See upstream bug report and PR for more information. Update dla-needed entry. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -25098,6 +25098,7 @@ CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAA [stretch] - faad2 (Minor issue) NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/39 + NOTE: https://github.com/knik0/faad2/commit/6823e6610c9af1b0080cb22b9da03efb208d7d57 CVE-2019-6955 RESERVED CVE-2019-6954 @@ -34414,6 +34415,7 @@ CVE-2018-20360 (An invalid memory address dereference was discovered in the sbr_ [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/32 + NOTE: https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3cc640fa81737a87c54 CVE-2018-20359 (An invalid memory address dereference was discovered in the sbrDecodeS ...) - faad2 2.8.8-2 (low) [stretch] - faad2 (Minor issue) @@ -35018,6 +35020,7 @@ CVE-2018-20199 (A NULL pointer dereference was discovered in ifilter_bank of lib [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/24 + NOTE: https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3cc640fa81737a87c54 CVE-2018-20198 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) {DLA-1791-1} - faad2 2.8.8-2 (low) = data/dla-needed.txt = 
@@ -32,8 +32,8 @@ djvulibre (Thorsten Alteholz) dnsmasq (Mike Gabriel) -- faad2 (Hugo Lefeuvre) - NOTE: 20190823: Last PR pending review: https://github.com/knik0/faad2/pull/38 - NOTE: Upload with last batch of patches will happen soon. + NOTE: 20190826: all patches have been merged upstream now, upload with last batch of patches + NOTE: will happen in shortly -- freeimage NOTE: Maintainer will take care of the update. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55754cb140e6795174d96b1847517111cbc3
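Review bot: the added dla-needed line `NOTE: will happen in shortly` has a stray "in"; suggest `NOTE: will happen shortly`. In the data/CVE/list hunks, the same upstream commit `3b80a57483a6bc822d3ce3cc640fa81737a87c54` is added under both CVE-2018-20360 and CVE-2018-20199 without saying that one commit covers both; a short NOTE such as "same fix as CVE-2018-20360" on the CVE-2018-20199 entry would make the relationship explicit, as was already done for CVE-2018-20197/CVE-2018-20194 elsewhere in the file.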
[Git][security-tracker-team/security-tracker][master] dla-needed: update xymon notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a1dbac2 by Hugo Lefeuvre at 2019-08-25T13:47:36Z dla-needed: update xymon notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,7 +44,7 @@ golang-go.crypto NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby) -- hdf5 (Hugo Lefeuvre) - NOTE: 20190818: Upstream is aware of currently open issues. Progress is slow, + NOTE: 20190825: Upstream is aware of currently open issues. Progress is slow, NOTE: wait for the next HDF5 point release and either do full package upgrade NOTE: or cherry pick fixes (hle) -- @@ -139,5 +139,5 @@ xtrlock (Chris Lamb) NOTE: 20190822: WIP on #830726 (lamby) -- xymon (Hugo Lefeuvre) - NOTE: 20190823: 4.3.29 introduced regressions, wait for 4.3.30. + NOTE: 20190825: backported 4.3.28-2+deb9u1 to jessie, currently testing it. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a1dbac27c457f3a0db9bd6f6c07f87fcf323c27
[Git][security-tracker-team/security-tracker][master] dla-needed: update faad2, tika and xymon notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 112970dd by Hugo Lefeuvre at 2019-08-23T12:49:41Z dla-needed: update faad2, tika and xymon notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,10 +31,8 @@ dnsmasq (Mike Gabriel) djvulibre (Thorsten Alteholz) -- faad2 (Hugo Lefeuvre) - NOTE: 20190820: Last PR pending review: https://github.com/knik0/faad2/pull/38 - NOTE: Upload with recent patches will happen soon. - NOTE: Still many open duplicates, currently triaging. - NOTE: Requested CVE number for temporary entry. (hpe) + NOTE: 20190823: Last PR pending review: https://github.com/knik0/faad2/pull/38 + NOTE: Upload with last batch of patches will happen soon. -- freeimage NOTE: Maintainer will take care of the update. @@ -123,7 +121,7 @@ subversion (Roberto C. Sánchez) NOTE: 20190804: For (at least) CVE-2018-11782 the svn_err_trace that is in the diff has not been added yet. (lamby) -- tika (Hugo Lefeuvre) - NOTE: 20190813: found commit links and reproducers. + NOTE: 20190823: found commit links and reproducers. NOTE: currently having difficulties to reproduce issues. Asked maintainer for help (c.f. debian-lts ML) -- tiff (Thorsten Alteholz) @@ -138,4 +136,5 @@ xtrlock (Chris Lamb) NOTE: 20190822: WIP on #830726 (lamby) -- xymon (Hugo Lefeuvre) + NOTE: 20190823: 4.3.29 introduced regressions, wait for 4.3.30. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/112970dd727ac552ddacf036f5a3567103633f7b
[Git][security-tracker-team/security-tracker][master] CVE-2019-6956/faad2: add upstream bug report
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a498aff5 by Hugo Lefeuvre at 2019-08-22T19:42:30Z CVE-2019-6956/faad2: add upstream bug report - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24496,6 +24496,7 @@ CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAA [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://sourceforge.net/p/faac/bugs/240/ + NOTE: https://github.com/knik0/faad2/issues/39 CVE-2019-6955 RESERVED CVE-2019-6954 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a498aff5dead8297f65c25b6f3f83e17b7f0b1eb
[Git][security-tracker-team/security-tracker][master] dla-needed: update clamav entry
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 03c9de45 by Hugo Lefeuvre at 2019-08-22T19:39:54Z dla-needed: update clamav entry - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -16,8 +16,8 @@ clamav (Hugo Lefeuvre) NOTE: wait for definitive patch to be available, then upgrade to latest upstream NOTE: release (follow stretch changes) (hle) NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html - NOTE: 20190818: upstream has released a new patch, waiting for the final - NOTE: release to come out (hle) + NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug + NOTE: report) (hle) -- cups (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03c9de45a02287c3ed4d25e09ceb54a84df1c5df
[Git][security-tracker-team/security-tracker][master] CVE-2019-15232/liblivemedia: postponed in jessie
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 9293ac44 by Hugo Lefeuvre at 2019-08-21T06:35:48Z CVE-2019-15232/liblivemedia: postponed in jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24,6 +24,7 @@ CVE-2019-15233 RESERVED CVE-2019-15232 (Live555 before 2019.08.16 has a Use-After-Free because GenericMediaSer ...) - liblivemedia + [jessie] - liblivemedia (Can be fixed along with more important patches) NOTE: Fixed upstream in 2019.08.16 according to available information. CVE-2019-15231 (Webmin 1.890, in a default installation, contains a backdoor that allo ...) - webmin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9293ac448c29bdbd5f9f03dd54238886baca9d5d
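Review bot: the added jessie annotation `(Can be fixed along with more important patches)` differs in wording from the phrase used for the same postponement decision in the imagemagick triage commit on this page, `(can be fixed along with more important issues)`; tracker annotations are grepped, so one spelling is worth keeping. Since the entry's only other information is "Fixed upstream in 2019.08.16 according to available information", a NOTE pointing at the upstream changelog or commit that the use-after-free fix came from would make the postponement easier to pick up later.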
[Git][security-tracker-team/security-tracker][master] CVE-2018-20357/faad2: same as CVE-2018-20194
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 51fbc02e by Hugo Lefeuvre at 2019-08-20T17:15:09Z CVE-2018-20357/faad2: same as CVE-2018-20194 Fixed in 2.8.8-2, and 2.7-8+deb8u2. Update faad2 entry in dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -33468,10 +33468,11 @@ CVE-2018-20358 (An invalid memory address dereference was discovered in the lt_p NOTE: https://github.com/knik0/faad2/issues/31 NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-20357 (A NULL pointer dereference was discovered in sbr_process_channel of li ...) - - faad2 (low) - [buster] - faad2 (Minor issue) + - faad2 2.8.8-2 (low) [stretch] - faad2 (Minor issue) + [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/28 + NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20356 (An invalid read of 8 bytes due to a use-after-free vulnerability in th ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 = data/dla-needed.txt = 
@@ -24,10 +24,10 @@ cups (Thorsten Alteholz) dnsmasq (Mike Gabriel) -- faad2 (Hugo Lefeuvre) - NOTE: 20190819: Last PR pending review: https://github.com/knik0/faad2/pull/38 + NOTE: 20190820: Last PR pending review: https://github.com/knik0/faad2/pull/38 NOTE: Upload with recent patches will happen soon. NOTE: Still many open duplicates, currently triaging. - NOTE: temporary entry contains two different issues, one is CVE-2018-19502 + NOTE: Requested CVE number for temporary entry. -- freeimage NOTE: Maintainer will take care of the update. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51fbc02e6b520d49495bde31b82b329439959beb
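Review bot: the commit link added under CVE-2018-20357, `https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c`, uses a 15-character abbreviated hash, while the same commit is referenced with its full 40-character hash `6b4a7cde30f2e2cb03e78ef476cc73179cfffda3` in the CVE-2018-20359 and CVE-2018-19503 entries elsewhere on this page; the context line above it (`466b01d504d7e45` for CVE-2018-20358) has the same problem. Full hashes are stable and searchable, abbreviated ones can become ambiguous as the repository grows, so suggest expanding both.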
[Git][security-tracker-team/security-tracker][master] CVE-2018-20359/faad2: same as CVE-2018-20194
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: d45d3dc6 by Hugo Lefeuvre at 2019-08-20T13:13:51Z CVE-2018-20359/faad2: same as CVE-2018-20194 Fixed in 2.8.8-2, and 2.7-8+deb8u2. Same underlying issue, different consequences with different paths. It is therefore unlikely that MITRE will recognize these issues as duplicates. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33454,10 +33454,11 @@ CVE-2018-20360 (An invalid memory address dereference was discovered in the sbr_ [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/32 CVE-2018-20359 (An invalid memory address dereference was discovered in the sbrDecodeS ...) - - faad2 (low) - [buster] - faad2 (Minor issue) + - faad2 2.8.8-2 (low) [stretch] - faad2 (Minor issue) + [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/29 + NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 CVE-2018-20358 (An invalid memory address dereference was discovered in the lt_predict ...) - faad2 2.8.8-2 (low) [buster] - faad2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d45d3dc69f77f467a8d2fe03e37a18f2bf772baf
[Git][security-tracker-team/security-tracker][master] CVE-2018-20195/faad2: same as CVE-2018-20362
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a96e5425 by Hugo Lefeuvre at 2019-08-20T12:51:15Z CVE-2018-20195/faad2: same as CVE-2018-20362 Fixed in 2.8.8-2, and 2.7-8+deb8u2. See upstream bug report for more information. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34072,10 +34072,11 @@ CVE-2018-20196 (There is a stack-based buffer overflow in the third instance of NOTE: https://github.com/knik0/faad2/issues/19 NOTE: https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22852a97f7c13c5edd879 CVE-2018-20195 (A NULL pointer dereference was discovered in ic_predict of libfaad/ic_ ...) - - faad2 (low) - [buster] - faad2 (Minor issue) + - faad2 2.8.8-2 (low) [stretch] - faad2 (Minor issue) + [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/25 + NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14 CVE-2018-20194 (There is a stack-based buffer underflow in the third instance of the c ...) {DLA-1791-1} - faad2 2.8.8-2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a96e54258b2f4e7fa02082af0f6c5d3fc0177bd6
[Git][security-tracker-team/security-tracker][master] CVE-2018-19502/faad2: fixed in 2.8.8-3
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 0085fd01 by Hugo Lefeuvre at 2019-08-20T12:16:16Z CVE-2018-19502/faad2: fixed in 2.8.8-3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42611,7 +42611,7 @@ CVE-2018-19503 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FA NOTE: https://github.com/knik0/faad2/issues/18 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 CVE-2018-19502 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) - - faad2 (bug #914641) + - faad2 2.8.8-3 (bug #914641) NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/22 NOTE: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0085fd0179569915d1f7907ee3602c1859428fc7
[Git][security-tracker-team/security-tracker][master] dla-needed: update faad2 entry
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 81cf688a by Hugo Lefeuvre at 2019-08-19T17:03:56Z dla-needed: update faad2 entry - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,9 +24,10 @@ cups (Thorsten Alteholz) dnsmasq (Mike Gabriel) -- faad2 (Hugo Lefeuvre) - NOTE: 20190818: I have done a second review of my patches and ping Fabian to get them - NOTE: merged at some point. see https://github.com/knik0/faad2/pull/36 - NOTE: working on more patches (hle) + NOTE: 20190819: Last PR pending review: https://github.com/knik0/faad2/pull/38 + NOTE: Upload with recent patches will happen soon. + NOTE: Still many open duplicates, currently triaging. + NOTE: temporary entry contains two different issues, one is CVE-2018-19502 -- flask (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81cf688a9f936e5a7b606682b60722d8148e40da
[Git][security-tracker-team/security-tracker][master] CVE-2018-19504/faad2: dup, fixed in 2.8.8-2 and jessie
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cacd9ed by Hugo Lefeuvre at 2019-08-19T16:31:22Z CVE-2018-19504/faad2: dup, fixed in 2.8.8-2 and jessie Duplicate of CVE-2018-20362. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42327,11 +42327,12 @@ CVE-2018-19506 (Zurmo 3.2.4 has XSS via an admin's use of the name parameter in CVE-2018-19505 (Remedy AR System Server in BMC Remedy 7.1 may fail to set the correct ...) NOT-FOR-US: Remedy AR System Server in BMC Remedy CVE-2018-19504 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) - - faad2 (low; bug #914641) - [buster] - faad2 (Minor issue) + - faad2 2.8.8-2 (low; bug #914641) [stretch] - faad2 (Minor issue) - [jessie] - faad2 (Minor issue) + [jessie] - faad2 2.7-8+deb8u2 NOTE: https://sourceforge.net/p/faac/bugs/240/ + NOTE: https://github.com/knik0/faad2/issues/26 + NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-19503 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) - faad2 2.8.8-2 (bug #914641) [jessie] - faad2 2.7-8+deb8u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3cacd9ed24ed2fa1612a772570d644534c81aa69
[Git][security-tracker-team/security-tracker][master] CVE-2018-19504/faad2: dup, fixed in jessie+testing
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ced31b2 by Hugo Lefeuvre at 2019-08-19T16:10:28Z CVE-2018-19504/faad2: dup, fixed in jessie+testing Same as CVE-2018-20194. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42333,8 +42333,11 @@ CVE-2018-19504 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FA [jessie] - faad2 (Minor issue) NOTE: https://sourceforge.net/p/faac/bugs/240/ CVE-2018-19503 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) - - faad2 (bug #914641) + - faad2 2.8.8-2 (bug #914641) + [jessie] - faad2 2.7-8+deb8u2 NOTE: https://sourceforge.net/p/faac/bugs/240/ + NOTE: https://github.com/knik0/faad2/issues/18 + NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 CVE-2018-19502 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) - faad2 (bug #914641) NOTE: https://sourceforge.net/p/faac/bugs/240/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ced31b23cb23d5665c0b470873ef15afd163225
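Review bot: the commit subject names CVE-2018-19504, but every changed line in the hunk sits under the CVE-2018-19503 entry (`- faad2 2.8.8-2 (bug #914641)`, `[jessie] - faad2 2.7-8+deb8u2`, the issues/18 and commit 6b4a7cde links); the CVE-2018-19504 lines appear only as unchanged context, still marked `(Minor issue)` for jessie. The subject and the "Same as CVE-2018-20194" body should say CVE-2018-19503, otherwise the git log suggests 19504 was resolved here when it was actually handled in the following commit.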
[Git][security-tracker-team/security-tracker][master] CVE-2018-{20196,19502}: add commit links
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: df166f4b by Hugo Lefeuvre at 2019-08-19T16:00:31Z CVE-2018-{20196,19502}: add commit links See upstream bug report for more information. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33799,6 +33799,7 @@ CVE-2018-20197 (There is a stack-based buffer underflow in the third instance of CVE-2018-20196 (There is a stack-based buffer overflow in the third instance of the ca ...) - faad2 NOTE: https://github.com/knik0/faad2/issues/19 + NOTE: https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22852a97f7c13c5edd879 CVE-2018-20195 (A NULL pointer dereference was discovered in ic_predict of libfaad/ic_ ...) - faad2 (low) [buster] - faad2 (Minor issue) @@ -42338,6 +42339,7 @@ CVE-2018-19502 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FA - faad2 (bug #914641) NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/22 + NOTE: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174 CVE-2018-19501 RESERVED CVE-2018-19500 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df166f4b34c7bc633f86afb6559cf814e6fb9f12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df166f4b34c7bc633f86afb6559cf814e6fb9f12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
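Review bot: in the first hunk, CVE-2018-20196 now links a fix commit but its package line is still a bare `- faad2` with no fixed version and no [buster]/[stretch]/[jessie] tags, unlike the neighbouring CVE-2018-20195 which carries `(low)` and a buster tag; if 6aeeaa1af0caf986daf22852a97f7c13c5edd879 is the fix, the version it landed in (or a per-suite triage tag) should follow.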
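Review bot: in the second hunk, the commit linked for CVE-2018-19502 is added while the `- faad2 (bug #914641)` line stays unversioned and no jessie status is set, although the related CVE-2018-19503 and CVE-2018-19504 entries under the same bug #914641 already record 2.8.8-2 and 2.7-8+deb8u2; state in the entry whether 942c3e0aee748ea6fe97cb2c1aa5893225316174 is a released fix or still the candidate patch announced in commit 2c80468a of this thread.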
[Git][security-tracker-team/security-tracker][master] dla-needed: claim xymon
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 5316c077 by Hugo Lefeuvre at 2019-08-19T11:51:47Z dla-needed: claim xymon - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,5 +124,5 @@ xen -- xtrlock (Chris Lamb) -- -xymon +xymon (Hugo Lefeuvre) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5316c077d620fad12009540dcefa3d9d597fa72e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5316c077d620fad12009540dcefa3d9d597fa72e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-19502/faad2: add upstream bug report
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c80468a by Hugo Lefeuvre at 2019-08-18T15:29:08Z CVE-2018-19502/faad2: add upstream bug report Not reported by the same team, but very same issue. Use the same CVE number. I have a candidate patch for this, will be PRed in the next batch of security fixes. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42221,6 +42221,7 @@ CVE-2018-19503 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FA CVE-2018-19502 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) - faad2 (bug #914641) NOTE: https://sourceforge.net/p/faac/bugs/240/ + NOTE: https://github.com/knik0/faad2/issues/22 CVE-2018-19501 RESERVED CVE-2018-19500 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c80468a3755c51e3eafc39e8489b4c13be9e754 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c80468a3755c51e3eafc39e8489b4c13be9e754 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
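Review bot: the judgement that GitHub issue #22 is the same bug as SourceForge bug 240 (different reporter, same issue, same CVE) lives only in the commit message; record it in the entry, for example `NOTE: issues/22 is the same issue as sf bug 240`, otherwise the two links read as two independent reports and a later triager may split them. Once the candidate patch mentioned in the message is pushed, link it as a NOTE next to the issue.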
[Git][security-tracker-team/security-tracker][master] CVE-2018-203{58,61}/faad2: fixed jessie/unstable
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: c521ab5f by Hugo Lefeuvre at 2019-08-18T14:57:56Z CVE-2018-203{58,61}/faad2: fixed jessie/unstable Both issues are fixed by patches shipped in 2.8.8-2 and 2.7-8+deb8u2. See upstream bug report for more info. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33054,10 +33054,12 @@ CVE-2018-20362 (A NULL pointer dereference was discovered in ifilter_bank of lib NOTE: https://github.com/knik0/faad2/issues/26 NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-20361 (An invalid memory address dereference was discovered in the hf_assembl ...) - - faad2 (low) + - faad2 2.8.8-2 (low) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) + [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/30 + NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20360 (An invalid memory address dereference was discovered in the sbr_proces ...) - faad2 (low) [buster] - faad2 (Minor issue) 
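Review bot: the new `NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c` abbreviates the commit id, while the same commit is linked in full (6b4a7cde30f2e2cb03e78ef476cc73179cfffda3) for CVE-2018-19503 in commit 1ced31b2 of this thread; use the full id in both places so the links stay unambiguous and greppable.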
@@ -33069,10 +33071,12 @@ CVE-2018-20359 (An invalid memory address dereference was discovered in the sbrD [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/29 CVE-2018-20358 (An invalid memory address dereference was discovered in the lt_predict ...) - - faad2 (low) + - faad2 2.8.8-2 (low) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) + [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/31 + NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-20357 (A NULL pointer dereference was discovered in sbr_process_channel of li ...) - faad2 (low) [buster] - faad2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c521ab5fb632b1ac53a496ca37015fc4d46b42f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c521ab5fb632b1ac53a496ca37015fc4d46b42f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
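Review bot: with `- faad2 2.8.8-2 (low)` now recorded for CVE-2018-20358, the retained `[buster] - faad2 (Minor issue)` line looks stale if buster ships 2.8.8-2 or later; the later commit 3cacd9ed in this thread drops the buster line for CVE-2018-19504 when recording the same fixed version, so the two entries should be handled the same way, and the commit message should state which buster version was checked. The 466b01d504d7e45 link is again an abbreviated commit id.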
[Git][security-tracker-team/security-tracker][master] CVE-2019-10224: stretch/jessie not affected, affects python-lib389
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 04b58a02 by Hugo Lefeuvre at 2019-08-18T13:24:47Z CVE-2019-10224: stretch/jessie not affected, affects python-lib389 This information disclosure vulnerability affects lib389, the Python 389DS module. This code was introduced in the 389-ds-base source in buster. This code is completely absent from jessie. This code is absent from the 389-ds-base source in stretch. However, this code is present in stretch in a different source package: python-lib389. This package _is_ affected. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -14260,6 +14260,9 @@ CVE-2019-10225 CVE-2019-10224 [using dscreate in verbose mode results in information disclosure] RESERVED - 389-ds-base 1.4.1.5-1 + [stretch] - 389-ds-base (vulnerable code not present) + [jessie] - 389-ds-base (vulnerable code not present) + - python-lib389 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1677147 NOTE: https://pagure.io/389-ds-base/issue/50251 NOTE: https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310 = data/dla-needed.txt = @@ -9,8 +9,6 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues --- -389-ds-base (Hugo Lefeuvre) -- apache2 (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/04b58a029a27dc78a32a9cfc79469be6fad477dc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/04b58a029a27dc78a32a9cfc79469be6fad477dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
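Review bot: the new `- python-lib389` line is added bare, with no version, no `[stretch]` annotation and no NOTE, although the commit message is explicit that the stretch python-lib389 package is affected while jessie has no such code; put that reasoning into the entry (for example `NOTE: lib389 is shipped from src:python-lib389 in stretch and from src:389-ds-base since buster`) and tag the suites for python-lib389 the way 389-ds-base is tagged, otherwise the two `(vulnerable code not present)` lines alone read as "stretch is unaffected". The dla-needed removal in the second hunk is consistent with jessie being unaffected.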
[Git][security-tracker-team/security-tracker][master] CVE-2019-136{26,36}/libsdl{1.2,2}: jessie triage
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 070fcfb1 by Hugo Lefeuvre at 2019-08-18T11:45:23Z CVE-2019-136{26,36}/libsdl{1.2,2}: jessie triage CVE-2019-13626: patch too large, too many non-security relevant changes, issue can be ignored. CVE-2019-13616: patch straightforward, this is worth fixing along with more important changes. dla-needed: minor NOTES updates. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4405,9 +4405,11 @@ CVE-2019-13626 (SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-base - libsdl2 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) + [jessie] - libsdl2 (Minor issue) - libsdl1.2 [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) + [jessie] - libsdl1.2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4522 CVE-2019-13625 (NSA Ghidra before 9.0.1 allows XXE when a project is opened or restore ...) - ghidra (bug #923851) @@ -4442,9 +,11 @@ CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2. - libsdl2 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) + [jessie] - libsdl2 (can be fixed along with more important patches) - libsdl1.2 [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) + [jessie] - libsdl1.2 (can be fixed along with more important patches) - libsdl2-image [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) = data/dla-needed.txt = 
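Review bot: the commit subject says CVE-2019-136{26,36}, but the body and the second hunk concern CVE-2019-13616; the subject should read 136{16,26}. In the first hunk the two new jessie lines for CVE-2019-13626 carry only the generic `(Minor issue)` tag while the actual reason (patch too large, mostly unrelated changes) is stated only in the commit message; a free-text reason in parentheses, as the second hunk does with `(can be fixed along with more important patches)`, would keep it with the entry.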
@@ -18,13 +18,15 @@ clamav (Hugo Lefeuvre) NOTE: wait for definitive patch to be available, then upgrade to latest upstream NOTE: release (follow stretch changes) (hle) NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html + NOTE: 20190818: upstream has released a new patch, waiting for the final + NOTE: release to come out (hle) -- cups (Thorsten Alteholz) -- dnsmasq (Mike Gabriel) -- faad2 (Hugo Lefeuvre) - NOTE: 20190810: I have done a second review of my patches and ping Fabian to get them + NOTE: 20190818: I have done a second review of my patches and ping Fabian to get them NOTE: merged at some point. see https://github.com/knik0/faad2/pull/36 NOTE: working on more patches (hle) -- @@ -39,7 +41,7 @@ golang-go.crypto NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby) -- hdf5 (Hugo Lefeuvre) - NOTE: 20190810: Upstream is aware of currently open issues. Progress is slow, + NOTE: 20190818: Upstream is aware of currently open issues. Progress is slow, NOTE: wait for the next HDF5 point release and either do full package upgrade NOTE: or cherry pick fixes (hle) -- 
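Review bot: for faad2 and hdf5 this hunk only rewrites the date prefix of existing NOTEs from 20190810 to 20190818 without changing their text, which loses the date on which the review and the upstream contact actually happened; the clamav entry in the same hunk shows the better pattern, appending a new dated `NOTE: 20190818: ...` line under the old one. If the faad2 line is touched anyway, `ping Fabian` should read `pinged Fabian`.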
@@ -73,14 +75,6 @@ libqb libreoffice NOTE: probably Jessie is affected as well -- -libsdl1.2 (Hugo Lefeuvre) - NOTE: see libsdl2 entry. --- -libsdl2 (Hugo Lefeuvre) - NOTE: 20190809: probable fix for CVE-2019-13626: https://hg.libsdl.org/SDL/rev/b06fa7da012b - NOTE: waiting for somebody to confirm. if this is right I'd just mark this issue no-dsa, - NOTE: the issue is quite minor and the patch extremely big and full of unrelated changes. --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/070fcfb1c8e33650a35c945b31a0be49a5a6e41d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/070fcfb1c8e33650a35c945b31a0be49a5a6e41d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
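Review bot: removing the libsdl2 entry also deletes the only reference to the probable upstream fix, `NOTE: 20190809: probable fix for CVE-2019-13626: https://hg.libsdl.org/SDL/rev/b06fa7da012b`, together with the reasoning for not shipping it; neither is carried over to the CVE-2019-13626 entry in data/CVE/list, which only links the bugzilla report. Add the hg revision as a NOTE on CVE-2019-13626 before dropping it here so the no-dsa decision can be revisited later.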
[Git][security-tracker-team/security-tracker][master] dla-needed: add 389-ds-base, claim it
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: e43f3dbd by Hugo Lefeuvre at 2019-08-18T11:35:25Z dla-needed: add 389-ds-base, claim it - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -9,6 +9,8 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues +-- +389-ds-base (Hugo Lefeuvre) -- apache2 (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e43f3dbd97d2840adb448875638d6db0c6014776 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e43f3dbd97d2840adb448875638d6db0c6014776 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] imagemagick triage for jessie
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fa83c37 by Hugo Lefeuvre at 2019-08-16T14:41:26Z imagemagick triage for jessie CVE-2019-14981 is an arithmetic exception, security impact is low. Can still be fixed along with more important patches later, but no-dsa for now. CVE-2019-13391 and CVE-2019-13308 would be nice to fix, but the patch is badly documented and blindly applying a 50+ lines diff won't do any good. Wait for upstream to answer questions about the changes. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -468,6 +468,7 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerabil TODO: check CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) - imagemagick + [jessie] - imagemagick (minor issue, low security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is ...) @@ -5927,6 +5928,7 @@ CVE-2019-13392 RESERVED CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has ...) - imagemagick (bug #931633) + [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f6ffc702c6eecd963587273a429dcd608c648984 NOTE: Patch is insufficient, partly reverted by the CVE-2019-13308 patch 
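Review bot: in the first hunk the new jessie tag `(minor issue, low security impact)` departs from the `(Minor issue)` spelling used by every other tag in the surrounding entries; keep the canonical prefix and append the extra detail after it, so tooling and greps that key on "Minor issue" still match. The "arithmetic exception" assessment from the commit message would also be worth a NOTE on CVE-2019-14981.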
@@ -6129,6 +6131,7 @@ CVE-2019-13309 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51 CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCor ...) - imagemagick (bug #931447) + [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1595 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01 CVE-2019-13307 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6fa83c375ddad275bffe9aa828674819d3f783f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6fa83c375ddad275bffe9aa828674819d3f783f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
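Review bot: the jessie tag for CVE-2019-13308 defers to upstream, but the context NOTE on CVE-2019-13391 in the previous hunk states that the CVE-2019-13308 patch partly reverts the CVE-2019-13391 patch; add a reciprocal `NOTE: see CVE-2019-13391, patches interact` on CVE-2019-13308 so whoever picks up either issue sees that the two must be fixed together.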
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1888-1 for imagemagick
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 62c9ce5a by Hugo Lefeuvre at 2019-08-16T13:54:12Z Reserve DLA-1888-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Aug 2019] DLA-1888-1 imagemagick - security update + {CVE-2019-12974 CVE-2019-13135 CVE-2019-13295 CVE-2019-13297 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306} + [jessie] - imagemagick 8:6.8.9.9-5+deb8u17 [15 Aug 2019] DLA-1887-1 freetype - security update {CVE-2015-9290} [jessie] - freetype 2.5.2-3+deb8u3 = data/dla-needed.txt = @@ -37,11 +37,6 @@ hdf5 (Hugo Lefeuvre) NOTE: wait for the next HDF5 point release and either do full package upgrade NOTE: or cherry pick fixes (hle) -- -imagemagick (Hugo Lefeuvre) - NOTE: 20190809: almost done with triage. one issue really deserves a DLA, a few others - NOTE: can be shiped along (good patches, low regression risk). triaged the rest no-dsa. - NOTE: waiting for upstream to answer my questions before proceeding further. --- kde4libs (Markus Koschany) -- libav (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62c9ce5a2f0cbae58206921eb9d300a2876c45df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62c9ce5a2f0cbae58206921eb9d300a2876c45df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
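Review bot: the second hunk deletes the whole imagemagick dla-needed entry, including `NOTE: waiting for upstream to answer my questions before proceeding further`, although the same-day commit 6fa83c37 still tags CVE-2019-13391 and CVE-2019-13308 as waiting on upstream; keep (or re-add) a short entry naming those two CVEs so the pending follow-up is not lost once DLA-1888-1 ships.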