[Git][security-tracker-team/security-tracker][master] Fix CVE-2023-28709,tomcat10. (hopefully)
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 71a893a0 by Markus Koschany at 2023-06-18T17:59:20+02:00 Fix CVE-2023-28709,tomcat10. (hopefully) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12080,7 +12080,7 @@ CVE-2023-1552 (ToolboxST prior to version 7.10 is affected by a deserialization CVE-2023-28709 (The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 ...) [experimental] - tomcat10 10.1.8-1 - tomcat10 10.1.10-1 - -[bookworm] - tomcat10 (Fix when more important issues arise) + [bookworm] - tomcat10 (Fix when more important issues arise) - tomcat9 (Incomplete fix for CVE-2023-24998 not applied) NOTE: https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc (10.1.8) NOTE: https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861 (9.0.74) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71a893a097fef5b98bf168794849232c8086c54c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71a893a097fef5b98bf168794849232c8086c54c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
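Review bot: the line being corrected, `-[bookworm] - tomcat10 (Fix when more important issues arise)`, was malformed by the preceding commit (stray `-` before `[bookworm]`), and the "(hopefully)" in the commit message suggests the result was not verified locally; run the repository's syntax check over data/CVE/list before pushing so a broken release line is caught at commit time rather than by the next parser run. Also, the earlier commit message reads `CVE-2023-28709,tomcat10: bookworm,postponed`, but as rendered here the corrected `+ [bookworm] - tomcat10 (Fix when more important issues arise)` shows only the parenthesised reason and no state marker before it; confirm the `<postponed>` tag is actually on the line, since a reason in parentheses alone sets no state.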
[Git][security-tracker-team/security-tracker][master] 3 commits: Claim wordpress in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: dd54db9e by Markus Koschany at 2023-06-18T17:50:08+02:00 Claim wordpress in dla-needed.txt - - - - - f43d96eb by Markus Koschany at 2023-06-18T17:52:42+02:00 CVE-2023-28709,tomcat10: bookworm,postponed Fix when more important issues arise - - - - - 4b955102 by Markus Koschany at 2023-06-18T17:54:54+02:00 CVE-2023-28709,tomcat10: fixed in unstable with version 10.1.10-1 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -12079,7 +12079,8 @@ CVE-2023-1552 (ToolboxST prior to version 7.10 is affected by a deserialization NOT-FOR-US: ToolboxST CVE-2023-28709 (The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 ...) [experimental] - tomcat10 10.1.8-1 - - tomcat10 + - tomcat10 10.1.10-1 + -[bookworm] - tomcat10 (Fix when more important issues arise) - tomcat9 (Incomplete fix for CVE-2023-24998 not applied) NOTE: https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc (10.1.8) NOTE: https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861 (9.0.74) = data/dla-needed.txt = 
@@ -219,7 +219,7 @@ webkit2gtk (Emilio) NOTE: 20230606: one issue remaining (cmake), but call for testing sent out already: NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html (pochu) -- -wordpress +wordpress (Markus Koschany) NOTE: 20230614: Added by Front-Desk (opal) -- xmltooling (Santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5cbb107a75d058f9435c189b6ab0ff468c3e11c3...4b9551028d80b5e9abc4920f54d2906af60f186d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5cbb107a75d058f9435c189b6ab0ff468c3e11c3...4b9551028d80b5e9abc4920f54d2906af60f186d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
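Review bot: the added `+ -[bookworm] - tomcat10 (Fix when more important issues arise)` in the data/CVE/list hunk has a stray `-` in front of `[bookworm]` (compare the sibling `- tomcat9 (...)` line, where the dash belongs to a package entry, not a release entry); this is what the follow-up "Fix CVE-2023-28709,tomcat10" commit has to undo. Running the syntax check before pushing the three commits together would have caught it. The `+wordpress (Markus Koschany)` claim in the dla-needed.txt hunk needs no change.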
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3456-1 for requests
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cbb107a by Markus Koschany at 2023-06-18T17:38:26+02:00 Reserve DLA-3456-1 for requests - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Jun 2023] DLA-3456-1 requests - security update + {CVE-2023-32681} + [buster] - requests 2.21.0-1+deb10u1 [16 Jun 2023] DLA-3455-1 golang-go.crypto - security update {CVE-2019-11840 CVE-2019-11841 CVE-2020-9283} [buster] - golang-go.crypto 1:0.0~git20181203.505ab14-1+deb10u1 = data/dla-needed.txt = @@ -180,9 +180,6 @@ rails NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) -- -requests (Markus Koschany) - NOTE: 20230612: Added by Front-Desk (apo) --- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cbb107a75d058f9435c189b6ab0ff468c3e11c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cbb107a75d058f9435c189b6ab0ff468c3e11c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
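Review bot: this commit adds the DLA/list entry for `DLA-3456-1 requests` and drops the dla-needed.txt claim, but leaves data/CVE/list untouched; the DLA-3455-1 and DLA-3451-1 commits in this digest also clear the `[buster]` line of the fixed CVE in the same commit, so check that CVE-2023-32681 does not still carry a buster no-dsa/postponed line that would contradict the new advisory.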
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3455-1 for golang-go.crypto
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 178e878e by Markus Koschany at 2023-06-16T23:09:07+02:00 Reserve DLA-3455-1 for golang-go.crypto - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -242406,7 +242406,6 @@ CVE-2020-9284 CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go a ...) {DLA-2455-1 DLA-2453-1 DLA-2402-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462) - [buster] - golang-go.crypto (Limited support, minor issue, fixed in stretch) [jessie] - golang-go.crypto (Minor issue) NOTE: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) @@ -289552,7 +289551,6 @@ CVE-2019-11843 (The MailPoet plugin before 3.23.2 for WordPress allows remote at CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...) {DLA-2402-1 DLA-1920-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 - [buster] - golang-go.crypto (Limited support, fixed in stretch) NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442 NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text") NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note: 
@@ -289561,7 +289559,6 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) {DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 - [buster] - golang-go.crypto (Limited support, minor issue, fixed in stretch) NOTE: https://github.com/golang/go/issues/30965 NOTE: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d NOTE: https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Jun 2023] DLA-3455-1 golang-go.crypto - security update + {CVE-2019-11840 CVE-2019-11841 CVE-2020-9283} + [buster] - golang-go.crypto 1:0.0~git20181203.505ab14-1+deb10u1 [13 Jun 2023] DLA-3454-1 ffmpeg - security update {CVE-2022-3109 CVE-2022-3341} [buster] - ffmpeg 7:4.1.11-0+deb10u1 = data/dla-needed.txt = @@ -54,10 +54,6 @@ fusiondirectory (Abhijith PA) glib2.0 NOTE: 20230612: Added by Front-Desk (apo) -- -golang-go.crypto (Markus Koschany) - NOTE: 20220915: Added by Front-Desk (Beuc) - NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk) --- golang-yaml.v2 (sgmoore) NOTE: 20230125: Added by Front-Desk (gladk) NOTE: 20230525: In review with utkarsh. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178e878ea2a0dc1108234306f9dc67844d0ab7aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178e878ea2a0dc1108234306f9dc67844d0ab7aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
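Review bot: the CVE-2019-11841 entry's own NOTE lines state that the upstream patch fixes only the second part of the CVE ("prepend arbitrary text") and not the first ("ignores the value of [the Hash] header"), yet the new `DLA-3455-1` entry lists CVE-2019-11841 as fixed without qualification and the hunk removes the `[buster] - golang-go.crypto (Limited support, fixed in stretch)` line; either the advisory text should say the fix is partial, or a buster-specific NOTE should stay on the entry, otherwise the tracker will present the CVE as fully resolved in buster. The removed dla-needed.txt notes (`Special attention: limited support, cf. buster release notes`) also apply here: Go binaries embed the library, so reverse dependencies need rebuilding for the fix to reach users.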
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-2426,vim: Buster, not-affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bf72b36 by Markus Koschany at 2023-06-12T19:36:38+02:00 CVE-2023-2426,vim: Buster, not-affected The vulnerable code was introduced later - - - - - c57e728a by Markus Koschany at 2023-06-12T19:37:33+02:00 Reserve DLA-3453-1 for vim - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -3031,7 +3031,6 @@ CVE-2023-2610 (Integer Overflow or Wraparound in GitHub repository vim/vim prior - vim (bug #1035955) [bookworm] - vim (Minor issue) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/31e67340-935b-4f6c-a923-f7246bc29c7d NOTE: https://github.com/vim/vim/commit/ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a (v9.0.1532) CVE-2023-32216 @@ -3397,7 +3396,7 @@ CVE-2023-2428 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten CVE-2023-2426 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) - vim 2:9.0.1378-2 (bug #1035323) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) + [buster] - vim (The vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/3451be4c-91c8-4d08-926b-cbff7396f425 NOTE: https://github.com/vim/vim/commit/caf642c25de526229264cab9425e7c9979f3509b (v9.0.1499) CVE-2023-31485 (GitLab::API::v4 through 0.26 does not verify TLS certificates when con ...) @@ -15012,7 +15011,6 @@ CVE-2023-1176 (Absolute Path Traversal in GitHub repository mlflow/mlflow prior CVE-2023-1175 (Incorrect Calculation of Buffer Size in GitHub repository vim/vim prio ...) - vim 2:9.0.1378-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/7e93fc17-92eb-4ae7-b01a-93bb460b643e NOTE: https://github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba (v9.0.1378) CVE-2022-4930 (A vulnerability classified as problematic was found in nuxsmin sysPass ...) 
@@ -30051,7 +30049,6 @@ CVE-2023-22603 CVE-2023-0054 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.) - vim 2:9.0.1378-1 (bug #1031875) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/b289ee0f-fd16-4147-bd01-c6289c45e49d NOTE: https://github.com/vim/vim/commit/3ac1d97a1d9353490493d30088256360435f7731 (v9.0.1145) CVE-2023-0053 (SAUTER Controls Nova 200\u2013220 Series with firmware version 3.3-006 ...) @@ -39347,7 +39344,6 @@ CVE-2022-4142 (The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 CVE-2022-4141 (Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing a ...) - vim 2:9.0.1000-1 (bug #1027146) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/20ece512-c600-45ac-8a84-d0931e05541f NOTE: https://github.com/vim/vim/commit/cc762a48d42b579fb7bdec2c614636b830342dd5 (v9.0.0947) CVE-2022-4140 (The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Jun 2023] DLA-3453-1 vim - security update + {CVE-2022-4141 CVE-2023-0054 CVE-2023-1175 CVE-2023-2610} + [buster] - vim 2:8.1.0875-5+deb10u5 [12 Jun 2023] DLA-3452-1 thunderbird - security update {CVE-2023-34414 CVE-2023-34416} [buster] - thunderbird 1:102.12.0-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bd770997d1c66919f1ae1784ba67d2c6aa299ea8...c57e728a31ddd1fee96eadd13cc735a49169f1f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bd770997d1c66919f1ae1784ba67d2c6aa299ea8...c57e728a31ddd1fee96eadd13cc735a49169f1f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
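Review bot: the `+ [buster] - vim (The vulnerable code was introduced later)` line for CVE-2023-2426 shows only a parenthesised reason, while the commit message says `Buster, not-affected`; as rendered here no state marker is visible, so double-check that the line actually carries the `<not-affected>` tag, because a reason in parentheses alone does not mark the release as unaffected. The `DLA-3453-1` CVE set `{CVE-2022-4141 CVE-2023-0054 CVE-2023-1175 CVE-2023-2610}` matches exactly the four entries whose `[buster] - vim (Minor issue)` lines are removed, and CVE-2023-2426 is correctly left out of it.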
[Git][security-tracker-team/security-tracker][master] 18 commits: CVE-2023-34969,dbus: Buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 08791698 by Markus Koschany at 2023-06-12T04:46:59+02:00 CVE-2023-34969,dbus: Buster is no-dsa This is a minor issue. Requires a root user to monitor dbus while another non-privileged user triggers the exploit. Worst case: denial of service which would be immediately detected. - - - - - ad690c3d by Markus Koschany at 2023-06-12T05:01:08+02:00 glib2.0: Link to regression fixes - - - - - 401cd0f3 by Markus Koschany at 2023-06-12T05:30:44+02:00 CVE-2023-28370,python-tornado: Buster is no-dsa Minor issue. - - - - - 0c5c0f42 by Markus Koschany at 2023-06-12T05:39:14+02:00 Add qt4-x11 to dla-needed.txt - - - - - e24c0ae1 by Markus Koschany at 2023-06-12T06:09:18+02:00 Add requests and ruby-redcloth to dla-needed.txt - - - - - 54aa9e5c by Markus Koschany at 2023-06-12T06:09:46+02:00 Claim requests in dla-needed.txt - - - - - bafb419a by Markus Koschany at 2023-06-12T06:20:35+02:00 Triage gpac as EOL in Buster. 
- - - - - 3ccb2e9e by Markus Koschany at 2023-06-12T06:22:09+02:00 CVE-2023-28439,ckeditor: Buster is no-dsa Minor issue - - - - - 1ee19ec9 by Markus Koschany at 2023-06-12T06:30:57+02:00 CVE-2023-34408,dokuwiki: buster, no-dsa Minor issue - - - - - 2b24e0da by Markus Koschany at 2023-06-12T06:31:31+02:00 CVE-2023-32082,etcd: Buster, no-dsa Minor issue - - - - - cca68ba3 by Markus Koschany at 2023-06-12T06:32:09+02:00 CVE-2023-26125,golang-github-gin-gonic-gin: Buster, no-dsa Minor issue - - - - - 603ad8f9 by Markus Koschany at 2023-06-12T06:33:38+02:00 CVE-2023-30847,h2o: Buster, no-dsa Minor issue - - - - - f2b56d8a by Markus Koschany at 2023-06-12T06:34:13+02:00 CVE-2023-34151,imagemagick: Buster, no-dsa Minor issue - - - - - 1a41b20c by Markus Koschany at 2023-06-12T06:34:42+02:00 CVE-2023-33546,janino: Buster, no-dsa Minor issue - - - - - 6fba314c by Markus Koschany at 2023-06-12T06:35:28+02:00 CVE-2023-30570,libreswan: Buster, no-dsa Minor issue - - - - - b5769898 by Markus Koschany at 2023-06-12T06:36:04+02:00 CVE-2023-28155,node-request: Buster, no-dsa Minor issue. - - - - - 5101feab by Markus Koschany at 2023-06-12T06:36:35+02:00 CVE-2023-28447,smarty3: Buster, no-dsa Minor issue - - - - - cde987e4 by Markus Koschany at 2023-06-12T06:37:04+02:00 CVE-2023-1523,snapd: Buster, no-dsa Minor issue. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -155,6 +155,7 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash - dbus 1.14.8-1 (bug #1037151) [bookworm] - dbus (Minor issue) [bullseye] - dbus (Minor issue) + [buster] - dbus (Minor issue) NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) NOT-FOR-US: Gradio 
@@ -905,6 +906,7 @@ CVE-2023-33546 (janino 3.1.9 and earlier are subject to denial of service (DOS) - janino [bookworm] - janino (Minor issue) [bullseye] - janino (Minor issue) + [buster] - janino (Minor issue) NOTE: https://github.com/janino-compiler/janino/issues/201 CVE-2023-33544 (hawtio 2.17.2 is vulnerable to Path Traversal. it is possible to input ...) NOT-FOR-US: hawtio @@ -1054,11 +1056,13 @@ CVE-2023-3014 (A vulnerability, which was classified as problematic, was found i CVE-2023-3013 (Unchecked Return Value in GitHub repository gpac/gpac prior to 2.2.2.) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/52f95edc-cc03-4a9f-9bf8-74f641260073 NOTE: https://github.com/gpac/gpac/commit/78e539b43293829a14a32e821f5267e3b7417594 CVE-2023-3012 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2 ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/916b787a-c603-409d-afc6-25bb02070e69 NOTE: https://github.com/gpac/gpac/commit/53387aa86c1af1228d0fa57c67f9c7330716d5a7 CVE-2023-3009 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...) @@ -1699,6 +1703,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlie - python-tornado (bug #1036875) [bookworm] - python-tornado (Minor issue) [bullseye] - python-tornado (Minor issue) + [buster] - python-tornado (Minor issue) - salt NOTE: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f (v6.3.2) CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an ...) @@ -2198,6 +2203,7 @@ CVE-2023-32762 (An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, CVE-2023-34408 (DokuWiki
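Review bot: the triage argument for `+ [buster] - dbus (Minor issue)` (only a root user monitoring the bus is affected while an unprivileged user triggers the crash; worst case an immediately noticeable denial of service) lives only in the first commit message; add it as a NOTE line next to the existing `https://gitlab.freedesktop.org/dbus/dbus/-/issues/457` link so the reasoning is visible in the tracker and to whoever re-triages the entry later. The `+ [buster] - gpac (EOL in buster LTS)` lines for CVE-2023-3013 and CVE-2023-3012 match the "Triage gpac as EOL in Buster" commit.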
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3451-1 for pypdf2
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: aac833be by Markus Koschany at 2023-06-09T23:36:26+02:00 Reserve DLA-3451-1 for pypdf2 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -101410,7 +101410,6 @@ CVE-2022-24859 (PyPDF2 is an open source python PDF library capable of splitting {DLA-3039-1} - pypdf2 1.27.9-1 (bug #1009879) [bullseye] - pypdf2 (Minor issue) - [buster] - pypdf2 (Minor issue) NOTE: https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79 NOTE: https://github.com/py-pdf/PyPDF2/issues/329 NOTE: https://github.com/py-pdf/PyPDF2/pull/740 = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Jun 2023] DLA-3451-1 pypdf2 - security update + {CVE-2022-24859} + [buster] - pypdf2 1.26.0-2+deb10u1 [09 Jun 2023] DLA-3450-1 ruby2.5 - security update {CVE-2021-33621 CVE-2022-28739} [buster] - ruby2.5 2.5.5-3+deb10u6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aac833bedc452a0cad2d45aef63455f70dc7c4ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aac833bedc452a0cad2d45aef63455f70dc7c4ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
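Review bot: CVE-2022-24859 already carries `{DLA-3039-1}` and the hunk only removes the `[buster] - pypdf2 (Minor issue)` line; the new `{DLA-3451-1}` reference is not added to the CVE entry here, so unless that cross-reference is filled in automatically it should be added by hand (the "Fix DLA-3427-1 entries" commit elsewhere in this digest had to add `{DSA-5406-1 DLA-3427-1}` the same way).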
[Git][security-tracker-team/security-tracker][master] Claim erlang and golang-go.crypto.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 297878dd by Markus Koschany at 2023-06-03T02:56:27+02:00 Claim erlang and golang-go.crypto. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,7 +35,7 @@ docker.io NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git NOTE: 20230424: Is in preparation. (gladk) -- -erlang +erlang (Markus Koschany) NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang @@ -50,7 +50,7 @@ fusiondirectory (Abhijith PA) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith) -- -golang-go.crypto +golang-go.crypto (Markus Koschany) NOTE: 20220915: Programming language: Go. NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk) NOTE: 20220915: Special attention: limited support, cf. buster release notes View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/297878dd5b8c8950dd6756f7b481f828c94f98e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/297878dd5b8c8950dd6756f7b481f828c94f98e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3426-2 for netatalk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ecc033d6 by Markus Koschany at 2023-06-01T19:40:51+02:00 Reserve DLA-3426-2 for netatalk - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[01 Jun 2023] DLA-3426-2 netatalk - regression update + [buster] - netatalk 3.1.12~ds-3+deb10u2 [31 May 2023] DLA-3427-2 texlive-bin - regression update {CVE-2019-18604} [buster] - texlive-bin 2018.20181218.49446-1+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ecc033d66d85f5d363c9579667695dcec545c2e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ecc033d66d85f5d363c9579667695dcec545c2e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3427-2 texlive-bin
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 503d755c by Markus Koschany at 2023-05-31T21:03:44+02:00 Reserve DLA-3427-2 texlive-bin - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -265472,7 +265472,6 @@ CVE-2019-18605 RESERVED CVE-2019-18604 (In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distr ...) - texlive-bin 2020.20200327.54578-2 - [buster] - texlive-bin (Minor issue) [stretch] - texlive-bin (Vulnerable code not present) [jessie] - texlive-bin (Vulnerable code not present) NOTE: https://github.com/TeX-Live/texlive-source/commit/9216833a3888a4105a18e8c349f65b045ddb1079#diff-987e40c0e27ee43f6a2414ada73a191a = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2023] DLA-3427-2 texlive-bin - regression update + {CVE-2019-18604} + [buster] - texlive-bin 2018.20181218.49446-1+deb10u2 [31 May 2023] DLA-3439-1 libwebp - security update {CVE-2023-1999} [buster] - libwebp 0.6.1-2+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503d755c8bac0a36d3ede1b8720128343677eefa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503d755c8bac0a36d3ede1b8720128343677eefa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
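Review bot: `DLA-3427-2 texlive-bin` is titled `regression update` but carries `{CVE-2019-18604}`, and the data/CVE/list hunk drops buster's `[buster] - texlive-bin (Minor issue)` line for it, i.e. this upload also closes a previously unfixed CVE; say so explicitly in the advisory text, since a reader of a `-2` regression update will not expect a new CVE to be fixed by it.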
[Git][security-tracker-team/security-tracker][master] Fix textlive <-> texlive typo.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b2e8517 by Markus Koschany at 2023-05-20T20:48:54+02:00 Fix textlive <-> texlive typo. - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,6 +1,6 @@ [20 May 2023] DLA-3427-1 texlive-bin - security update {CVE-2023-32700} - [buster] - textlive-bin 2018.20181218.49446-1+deb10u1 + [buster] - texlive-bin 2018.20181218.49446-1+deb10u1 [17 May 2023] DLA-3426-1 netatalk - security update {CVE-2021-31439 CVE-2022-0194 CVE-2022-23121 CVE-2022-23122 CVE-2022-23123 CVE-2022-23124 CVE-2022-23125 CVE-2022-43634 CVE-2022-45188} [buster] - netatalk 3.1.12~ds-3+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b2e85171e2d6e1a2ba36236f8e251fd2318b756 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b2e85171e2d6e1a2ba36236f8e251fd2318b756 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-32668,texlive-bin: Buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 468a59d0 by Markus Koschany at 2023-05-20T18:19:23+02:00 CVE-2023-32668,texlive-bin: Buster is no-dsa Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -708,6 +708,7 @@ CVE-2023-2454 [CREATE SCHEMA ... schema_element defeats protective search_path c CVE-2023-32668 (LuaTeX before 1.17.0 enables the socket library by default.) - texlive-bin [bullseye] - texlive-bin (Minor issue) + [buster] - texlive-bin (Minor issue) NOTE: https://tug.org/pipermail/tex-live/2023-May/049188.html NOTE: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/b266ef076c96b382cd23a4c93204e247bb98626a NOTE: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/e7df9234420973a2f69aac1b10cbb5f00b0cda4d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/468a59d04e21adda9cee03bf1149f5f611932620 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/468a59d04e21adda9cee03bf1149f5f611932620 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix DLA-3427-1 entries
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ebd6f3a1 by Markus Koschany at 2023-05-20T18:01:57+02:00 Fix DLA-3427-1 entries - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2023-2715 (The Groundhogg plugin for WordPress is vulnerable to unauthorized CVE-2023-2714 (The Groundhogg plugin for WordPress is vulnerable to unauthorized modi ...) NOT-FOR-US: Groundhogg plugin for WordPress CVE-2023-32700 [improperly secured shell-escape in LuaTeX] - {DSA-5406-1} + {DSA-5406-1 DLA-3427-1} - texlive-bin 2022.20220321.62855-5.1 NOTE: https://tug.org/~mseven/luatex.html NOTE: Introduced by: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/4d8b815d3b53ae72bce12b535d86bdce51834d50 (1.0.4) = data/DLA/list = @@ -1,4 +1,4 @@ -[20 May 2023] DLA-3427-1 textlive-bin - security update +[20 May 2023] DLA-3427-1 texlive-bin - security update {CVE-2023-32700} [buster] - textlive-bin 2018.20181218.49446-1+deb10u1 [17 May 2023] DLA-3426-1 netatalk - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebd6f3a1497de64d647468645b6d8f017c9887c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebd6f3a1497de64d647468645b6d8f017c9887c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
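Review bot: the fix is incomplete: the DLA/list hunk corrects the title to `texlive-bin`, but the context line `[buster] - textlive-bin 2018.20181218.49446-1+deb10u1` still has the misspelled package name (it needed yet another commit, "Fix textlive <-> texlive typo."); package names in DLA/list should be checked against the source package list at commit time so a typo like this cannot land. Adding `DLA-3427-1` to CVE-2023-32700's reference set is correct.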
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3427-1 for textlive-bin
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5bc9c211 by Markus Koschany at 2023-05-20T17:59:52+02:00 Reserve DLA-3427-1 for textlive-bin - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 May 2023] DLA-3427-1 textlive-bin - security update + {CVE-2023-32700} + [buster] - textlive-bin 2018.20181218.49446-1+deb10u1 [17 May 2023] DLA-3426-1 netatalk - security update {CVE-2021-31439 CVE-2022-0194 CVE-2022-23121 CVE-2022-23122 CVE-2022-23123 CVE-2022-23124 CVE-2022-23125 CVE-2022-43634 CVE-2022-45188} [buster] - netatalk 3.1.12~ds-3+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bc9c2110f1d4245a317e7cc5160dbf6010d8d25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bc9c2110f1d4245a317e7cc5160dbf6010d8d25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
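Review bot: the source package is `texlive-bin`, not `textlive-bin`; the typo is in both the entry title `DLA-3427-1 textlive-bin` and the `[buster] - textlive-bin 2018.20181218.49446-1+deb10u1` line, so a tracker lookup by package name will not find this advisory until both are corrected (which took two further commits in this digest).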
[Git][security-tracker-team/security-tracker][master] dsa-needed.txt: remove myself from netatalk update for now
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d2f489b7 by Markus Koschany at 2023-05-18T00:15:50+02:00 dsa-needed.txt: remove myself from netatalk update for now - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -27,8 +27,9 @@ linux (carnil) -- nbconvert -- -netatalk (apo) +netatalk open regression with MacOS, tentative patch not yet merged upstream + See discussion on team mailing list. -- openjdk-11 (jmm) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2f489b78b7b89ef5493f0ff406cfe10fdb23ee1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2f489b78b7b89ef5493f0ff406cfe10fdb23ee1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
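Review bot: the unassignment note `open regression with MacOS, tentative patch not yet merged upstream / See discussion on team mailing list.` gives no link; add the URL of the list thread and of the upstream pull request so the next person picking up netatalk in dsa-needed.txt does not have to search for them.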
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3426-1 for netatalk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8009518b by Markus Koschany at 2023-05-17T00:20:16+02:00 Reserve DLA-3426-1 for netatalk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 May 2023] DLA-3426-1 netatalk - security update + {CVE-2021-31439 CVE-2022-0194 CVE-2022-23121 CVE-2022-23122 CVE-2022-23123 CVE-2022-23124 CVE-2022-23125 CVE-2022-43634 CVE-2022-45188} + [buster] - netatalk 3.1.12~ds-3+deb10u1 [16 May 2023] DLA-3425-1 sqlparse - security update {CVE-2023-30608} [buster] - sqlparse 0.2.4-1+deb10u1 = data/dla-needed.txt = @@ -75,12 +75,6 @@ nbconvert NOTE: 20230423: XSS may be worth fixing and this was a lot of them. To consider if this require NOTE: 20230423: more work on user side and that require further analysis. -- -netatalk (Markus Koschany) - NOTE: 20220816: Programming language: C. - NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor) - NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk - NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk) --- node-got NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8009518bc9d84d315e331f3d7c45aec371d440c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8009518bc9d84d315e331f3d7c45aec371d440c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
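Review bot: the removed dla-needed.txt entry carried `NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk)`, yet `DLA-3426-1` lists CVE-2022-0194 among the nine fixed CVEs; the advisory or changelog should record how that intrusive fix was handled (backported as-is or reduced), and the earlier `We get errors in the log, not present on bookworm` note argues for explicit regression testing before release.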
[Git][security-tracker-team/security-tracker][master] Claim golang-go.crypto in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bb64d571 by Markus Koschany at 2023-05-14T01:43:06+02:00 Claim golang-go.crypto in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -47,7 +47,7 @@ fusiondirectory (Abhijith PA) NOTE: 20221203: Feel free to marke both CVEs as , if they are not too serious (gladk). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git -- -golang-go.crypto +golang-go.crypto (Markus Koschany) NOTE: 20220915: Programming language: Go. NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk) NOTE: 20220915: Special attention: limited support, cf. buster release notes View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb64d571469c140e83f55514488d84b9b0d59888
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3420-1 for golang-websocket
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f8a5df8 by Markus Koschany at 2023-05-14T00:39:58+02:00 Reserve DLA-3420-1 for golang-websocket - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 May 2023] DLA-3420-1 golang-websocket - security update + {CVE-2020-27813} + [buster] - golang-websocket 1.4.0-1+deb10u1 [12 May 2023] DLA-3419-1 webkit2gtk - security update {CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954 CVE-2023-28205} [buster] - webkit2gtk 2.38.6-0+deb10u1 = data/dla-needed.txt = @@ -55,12 +55,6 @@ golang-go.crypto NOTE: 20220915: Special attention: also check bullseye status NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-go.crypto.git -- -golang-websocket (Markus Koschany) - NOTE: 20220915: Programming language: Go. - NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) - NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-websocket.git --- golang-yaml.v2 (sgmoore) NOTE: 20230125: Programming language: Go. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f8a5df8f3275be63e96e19a6c784d4f673ad2e2
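Review bot: the removed dla-needed.txt note says the golang-websocket update "requires rebuilding reverse dependencies", but DLA-3420-1 records only golang-websocket 1.4.0-1+deb10u1. Because Go programs are statically linked, binaries built against the old gorilla/websocket code keep CVE-2020-27813 until they are rebuilt, so the rebuilt reverse dependencies should be named in the DLA text or tracked alongside this entry before the CVE is treated as fixed in buster.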
[Git][security-tracker-team/security-tracker][master] 3 commits: Claim erlang in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cfc99b3 by Markus Koschany at 2023-05-10T00:32:40+02:00 Claim erlang in dla-needed.txt - - - - - e4dcf3e8 by Markus Koschany at 2023-05-10T00:37:11+02:00 Claim golang-websocket in dla-needed.txt - - - - - 909f006d by Markus Koschany at 2023-05-10T00:38:26+02:00 Reserve DLA-3416-1 for emacs - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 May 2023] DLA-3416-1 emacs - security update + {CVE-2022-48337 CVE-2022-48339 CVE-2023-28617} + [buster] - emacs 1:26.1+1-3.2+deb10u4 [05 May 2023] DLA-3415-1 python-django - security update {CVE-2023-31047} [buster] - python-django 1:1.11.29-1+deb10u8 = data/dla-needed.txt = @@ -35,16 +35,10 @@ docker.io NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git NOTE: 20230424: Is in preparation. -- -emacs (Markus Koschany) - NOTE: 20230223: Programming language: Lisp. - NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git - NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression - NOTE: 20230228: is fixed. (bunk) --- epiphany-browser (Adrian Bunk) NOTE: 20230423: Programming language: C. -- -erlang +erlang (Markus Koschany) NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang 
@@ -66,7 +60,7 @@ golang-go.crypto NOTE: 20220915: Special attention: also check bullseye status NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-go.crypto.git -- -golang-websocket +golang-websocket (Markus Koschany) NOTE: 20220915: Programming language: Go. NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6bd1de91f4429bef3c7af49aa72642dd2f69d7b3...909f006d07310970f0703e9c1b466f4c3cd6b44e
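Review bot: the emacs entry removed from dla-needed.txt was still "Waiting for confirmation that CVE-2022-48337 regression is fixed. (bunk)" as of 20230228, and DLA-3416-1 now lists CVE-2022-48337 as fixed in 1:26.1+1-3.2+deb10u4. Commit 909f006d's message does not say whether that confirmation arrived; a one-line reference to where the regression was verified would let a later reader trust the DLA without re-checking.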
[Git][security-tracker-team/security-tracker][master] 8 commits: CVE-2021-40647,CVE-2021-40648,man2html: Buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b9b94f8 by Markus Koschany at 2023-05-08T00:17:08+02:00 CVE-2021-40647,CVE-2021-40648,man2html: Buster is no-dsa Minor issues - - - - - d9d02f10 by Markus Koschany at 2023-05-08T00:19:14+02:00 Remove man2html from dla-needed.txt - - - - - 8ff57b1b by Markus Koschany at 2023-05-08T00:20:08+02:00 Remove r-cran-commonmark from dla-needed.txt - - - - - 40f85448 by Markus Koschany at 2023-05-08T00:37:45+02:00 r-cran-commonmark: triage open CVE for Buster Minor issues. The security impact for r-cran-commonmark is negligible. - - - - - 9d18c172 by Markus Koschany at 2023-05-08T00:55:20+02:00 Remove puppet-module-puppetlabs-mysql from dla-needed.txt - - - - - 9b62c4f4 by Markus Koschany at 2023-05-08T00:55:49+02:00 CVE-2022-3276,puppet-module-puppetlabs-mysql: Buster is no-dsa Minor issue. Hard to exploit. - - - - - cd6969c7 by Markus Koschany at 2023-05-08T01:05:22+02:00 Claim netatalk in dsa-needed.txt - - - - - 6aeebaa4 by Markus Koschany at 2023-05-08T01:06:17+02:00 Claim netatalk in dla-needed.txt - - - - - 3 changed files: - data/CVE/list - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/CVE/list = @@ -14474,6 +14474,7 @@ CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - r-cran-commonmark (bug #1034173) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) + [buster] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1034174) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) 
@@ -19385,6 +19386,7 @@ CVE-2023-24824 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - r-cran-commonmark (bug #1034173) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) + [buster] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1034174) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) @@ -27006,6 +27008,7 @@ CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - r-cran-commonmark (bug #1033112) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) + [buster] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1033113) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) @@ -27024,6 +27027,7 @@ CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - r-cran-commonmark (bug #1033112) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) + [buster] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1033113) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) @@ -27041,6 +27045,7 @@ CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - r-cran-commonmark (bug #1033112) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) + [buster] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1033113) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) @@ -27058,6 +27063,7 @@ CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - r-cran-commonmark (bug #1033112) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) + [buster] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1033113) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) 
@@ -51524,6 +51530,7 @@ CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prio - puppet-module-puppetlabs-mysql (bug #1027154) [bookworm] - puppet-module-puppetlabs-mysql (Minor issue) [bullseye] - puppet-module-puppetlabs-mysql (Minor issue) + [buster] - puppet-module-puppetlabs-mysql (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2022-3276 NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d (v13.0.0) NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/18813a151f150a374a52141db520ed2a8d38b071 (v13.0.0) @@ -56679,6 +56686,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re [buster] - ruby-commonmarker (Minor issue) - r-cran-commonmark 1.8.1-1 [bullseye
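Review bot: the buster entry for CVE-2022-3276 carries only "(Minor issue)" while the actual justification ("Hard to exploit") sits in commit 9b62c4f4's message. For a command injection in the puppetlabs-mysql module the reason belongs in the CVE/list entry, so the triage can be reviewed without reading git history; the same applies to the r-cran-commonmark entries, where "The security impact for r-cran-commonmark is negligible" appears only in commit 40f85448's message.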
[Git][security-tracker-team/security-tracker][master] 5 commits: Mark pluxml CVE in buster EOL
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f8dda2f by Markus Koschany at 2023-05-06T00:14:57+02:00 Mark pluxml CVE in buster EOL pluxml has been removed from Debian. Last upstream activity was in August 2022. Currently there is no sign that any CVE will be addressed in the near future. pluxml is almost not used by any Debian user according to popcon. - - - - - 9a0db038 by Markus Koschany at 2023-05-06T00:20:56+02:00 CVE-2022-23494,tinymce: Mark buster no-dsa This is a minor issue. Only citadel-webcit in Buster might be affected by this issue. I don't think a XSS issue like that warrants a DLA. NOTE: tinymce has been removed from Debian. - - - - - a95b624e by Markus Koschany at 2023-05-06T00:24:19+02:00 Remove tinymce and pluxml from dla-needed.txt - - - - - 1610beb5 by Markus Koschany at 2023-05-06T00:49:33+02:00 Triage CVE-2022-47015,mariadb-10.3 as postponed for Buster Null pointer dereference. Wait for next point release. - - - - - a2dab2f2 by Markus Koschany at 2023-05-06T00:51:28+02:00 Claim emacs in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -97195,11 +97195,13 @@ CVE-2022-25021 RESERVED CVE-2022-25020 (A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows att ...) - pluxml (bug #1008264) + [buster] - pluxml (EOL in buster LTS) NOTE: https://github.com/MoritzHuppert/CVE-2022-25020/blob/main/CVE-2022-25020.pdf CVE-2022-25019 REJECTED CVE-2022-25018 (Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary c ...) - pluxml (bug #1008264) + [buster] - pluxml (EOL in buster LTS) NOTE: https://github.com/MoritzHuppert/CVE-2022-25018/blob/main/CVE-2022-25018.pdf CVE-2022-25017 (Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulner ...) NOT-FOR-US: Hitron CHITA 
@@ -98744,12 +98746,15 @@ CVE-2022-24588 (Flatpress v1.2.1 was discovered to contain a cross-site scriptin NOT-FOR-US: Flatpress CVE-2022-24587 (A stored cross-site scripting (XSS) vulnerability in the component cor ...) - pluxml (bug #1008264) + [buster] - pluxml (EOL in buster LTS) NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24587/CVE-2022-24587.pdf CVE-2022-24586 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) - pluxml (bug #1008264) + [buster] - pluxml (EOL in buster LTS) NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24586/CVE-2022-24586.pdf CVE-2022-24585 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) - pluxml (bug #1008264) + [buster] - pluxml (EOL in buster LTS) NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24585/CVE-2022-24585.pdf CVE-2022-24584 (Incorrect access control in Yubico OTP functionality of the YubiKey ha ...) NOT-FOR-US: yubico.com @@ -102643,6 +102648,7 @@ CVE-2022-23495 (go-merkledag implements the 'DAGService' interface and adds two NOT-FOR-US: go-merkledag CVE-2022-23494 (tinymce is an open source rich text editor. A cross-site scripting (XS ...) - tinymce + [buster] - tinymce (Minor issue) NOTE: https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e NOTE: https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92 = data/dla-needed.txt = @@ -35,7 +35,7 @@ docker.io (gladk) NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git NOTE: 20230424: Is in preparation. -- -emacs +emacs (Markus Koschany) NOTE: 20230223: Programming language: Lisp. NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression 
@@ -87,7 +87,7 @@ hdf5 linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- -man2html +man2html (Markus Koschany) NOTE: 20221004: Programming language: C. NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . @@ -95,12 +95,6 @@ man2html NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk) NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. (gladk) -- -mariadb-10.3 - NOTE: 20230225: Programming language: C. - NOTE: 20230225: VCS: https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster - NOTE: 20230225: Testsuite: https://lists.debian.org/debian-lts/2019/07/msg00049.html - NOTE: 20230225: Maintainer notes: Contact original m
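Review bot: the tinymce buster entry for CVE-2022-23494 is marked "(Minor issue)" with no reason, yet commit 9a0db038's message records the two facts a later triager needs: tinymce has been removed from Debian, and citadel-webcit in buster might ship the affected code. Both should be recorded as NOTE lines in the CVE entry, since the embedded copy in citadel-webcit is what would have to be checked if the assessment is ever revisited.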
[Git][security-tracker-team/security-tracker][master] Claim r-cran-commonmark,tinymce,pluxml in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 335f7ab9 by Markus Koschany at 2023-05-03T03:31:07+02:00 Claim r-cran-commonmark,tinymce,pluxml in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -165,7 +165,7 @@ php-cas NOTE: 20221110: a DSA is planned (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git -- -pluxml +pluxml (Markus Koschany) NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git @@ -189,7 +189,7 @@ python3.7 NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk) -- -r-cran-commonmark +r-cran-commonmark (Markus Koschany) NOTE: 20221009: Programming language: R. NOTE: 20221009: Please synchronize with ghostwriter. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/r-cran-commonmark.git @@ -253,7 +253,7 @@ sssd (gladk) NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -tinymce +tinymce (Markus Koschany) NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/335f7ab98cd515c2ed80e1ccb6835ac5c140337d
[Git][security-tracker-team/security-tracker][master] Remove heimdal from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ea923509 by Markus Koschany at 2023-04-21T23:00:32+02:00 Remove heimdal from dla-needed.txt Nothing to do anymore - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,11 +98,6 @@ hdf5 NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably NOTE: 20230318: sync w/ him. (utkarsh) -- -heimdal (Markus Koschany) - NOTE: 20230416: Programming language: C. - NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/heimdal - NOTE: 20230416: Special attention: Do review patches, even those, coming from upstream.. --- jruby NOTE: 20230403: Programming language: Ruby, Java, C. NOTE: 20230403: Special attention: Not in bullseye View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea923509871fcdd1b1064b75b30b2399972aa67d
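Review bot: "Nothing to do anymore" does not say why heimdal leaves dla-needed.txt (fixed through a DLA, triaged as no-dsa, or found not affected), and the removed 20230416 notes had explicitly asked for patches to be reviewed even when they come from upstream. A reference to the DLA or to the CVE triage in the commit message would document what closed the work item.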
[Git][security-tracker-team/security-tracker][master] Claim heimdal in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 33de4ef6 by Markus Koschany at 2023-04-21T22:10:45+02:00 Claim heimdal in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,7 +98,7 @@ hdf5 NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably NOTE: 20230318: sync w/ him. (utkarsh) -- -heimdal +heimdal (Markus Koschany) NOTE: 20230416: Programming language: C. NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/heimdal NOTE: 20230416: Special attention: Do review patches, even those, coming from upstream.. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33de4ef6b748097559dc70cb8c8b88761c3cfff8
[Git][security-tracker-team/security-tracker][master] Remove ceph from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 48662dac by Markus Koschany at 2023-04-21T22:09:14+02:00 Remove ceph from dla-needed.txt Currently there are no open issues in Buster. Everything else are no-dsa, minor issues. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = 
@@ -35,16 +35,6 @@ cairosvg (dleidert) NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) -- -ceph - NOTE: 20221031: Programming language: C++. - NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. - NOTE: 20221031: What should be checked is whether any user with ceph permission can do the actions described in the exploit. (ola/front-desk) - NOTE: 20221130: CVE-2022-3650: The patch is kind of trivial Python stuff backporting work. - NOTE: 20221130: Can someone take care of it in Buster? I'm currently building the Bullseye backport of the fix... - NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer) - NOTE: 20230102: [buster] - ceph (ceph-crash service added in Ceph 14) (stefanor) - NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git --- configobj (Chris Lamb) NOTE: 20230416: Programming language: Python. NOTE: 20230416: Special attention: Low priority but high popcon. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48662dac1231dd19c87bc17999e900a5767ea86d
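Review bot: the removed ceph notes hold an open request from the maintainer (zigo, 20221130) to handle the CVE-2022-3650 backport in Buster and a later finding (stefanor, 20230102) that the ceph-crash service was only added in Ceph 14; the commit message says there are no open issues but does not say which of the two settled CVE-2022-3650 for buster. Naming it in the message, or carrying the ceph-crash note into the CVE entry, would make the removal verifiable later.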
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-27534,curl: buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 37dff768 by Markus Koschany at 2023-04-21T21:57:38+02:00 CVE-2023-27534,curl: buster is no-dsa Minor issue - - - - - 1bcf7220 by Markus Koschany at 2023-04-21T21:58:32+02:00 Reserve DLA-3398-1 for curl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -10252,6 +10252,7 @@ CVE-2023-27535 (An authentication bypass vulnerability exists in libcurl <8.0 CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implement ...) - curl 7.88.1-7 [bullseye] - curl (Minor issue) + [buster] - curl (Minor issue) NOTE: https://curl.se/docs/CVE-2023-27534.html NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0) NOTE: Fixed by: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 (curl-8_0_0) = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Apr 2023] DLA-3398-1 curl - security update + {CVE-2023-27533 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538} + [buster] - curl 7.64.0-4+deb10u6 [21 Apr 2023] DLA-3397-1 connman - security update {CVE-2023-28488} [buster] - connman 1.36-2.1~deb10u4 = data/dla-needed.txt = 
@@ -56,12 +56,6 @@ consul NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) -- -curl (Markus Koschany) - NOTE: 20230321: Programming language: C. - NOTE: 20230321: VCS: https://salsa.debian.org/lts-team/packages/curl.git - NOTE: 20230321: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html - NOTE: 20230321: Special attention: High popcon! Roberto has some experience with the package.. --- docker.io (gladk) NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8c268dc569a122c034b560e896090301b004c016...1bcf72207413c81a6e2b49c345807903cc5d7d28
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3394-1 for asterisk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e53f4701 by Markus Koschany at 2023-04-19T00:11:26+02:00 Reserve DLA-3394-1 for asterisk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Apr 2023] DLA-3394-1 asterisk - security update + {CVE-2023-27585} + [buster] - asterisk 1:16.28.0~dfsg-0+deb10u3 [18 Apr 2023] DLA-3393-1 protobuf - security update {CVE-2021-22569 CVE-2021-22570 CVE-2022-1941} [buster] - protobuf 3.6.1.3-2+deb10u1 = data/dla-needed.txt = @@ -26,11 +26,6 @@ apache2 NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- -asterisk (Markus Koschany) - NOTE: 20230418: Programming language: C. - NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git - NOTE: 20230418: Special attention: pjproject library is included in debian directory!. --- avahi NOTE: 20230418: Programming language: C++. NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/avahi.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e53f47010804f537adad2b6b313ed246cf388951
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-27585,asterisk: Buster is affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ec479a33 by Markus Koschany at 2023-04-18T22:40:56+02:00 CVE-2023-27585,asterisk: Buster is affected The vulnerable code is shipped in debian/pjproject_2.12.1~dfsg.orig.tar.bz2 and applied at build time. In the past the pjproject library has been packaged separately. Debian's maintainer chose to embed it later. - - - - - 1b52d3ba by Markus Koschany at 2023-04-18T22:40:56+02:00 LTS: add asterisk to dla-needed.txt - - - - - 480c118b by Markus Koschany at 2023-04-18T22:40:56+02:00 Claim asterisk in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9774,7 +9774,6 @@ CVE-2023-27586 (CairoSVG is an SVG converter based on Cairo, a 2D graphics libra NOTE: Introduced in https://github.com/Kozea/CairoSVG/commit/1ee0889f4015ebaddcf9976d43222e673155797c (0.3) CVE-2023-27585 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk - [buster] - asterisk (Vulnerable code not present) - pjproject - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr = data/dla-needed.txt = 
@@ -26,6 +26,11 @@ apache2 NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- +asterisk (Markus Koschany) + NOTE: 20230418: Programming language: C. + NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git + NOTE: 20230418: Special attention: pjproject library is included in debian directory!. +-- cairosvg (dleidert) NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e743fb4f13168814042a19075075d58420abd969...480c118bf4008af50f77dbd50d34049b2c843df0
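Review bot: dropping "[buster] - asterisk (Vulnerable code not present)" from the CVE-2023-27585 entry is correct per commit ec479a33's message, but the reason that line was wrong (the PJSIP code is shipped in debian/pjproject_2.12.1~dfsg.orig.tar.bz2 and applied at build time) is recorded only in the commit message and in the dla-needed.txt note. Adding it as a NOTE line on the CVE/list entry would keep the next pjproject CVE from being triaged as not-affected in buster for the same reason.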
[Git][security-tracker-team/security-tracker][master] 6 commits: CVE-2023-29383,shadow: Buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d0686f73 by Markus Koschany at 2023-04-17T00:08:33+02:00 CVE-2023-29383,shadow: Buster is no-dsa Minor issue - - - - - f4dddb00 by Markus Koschany at 2023-04-17T00:48:02+02:00 CVE-2023-26555,ntp: Buster is no-dsa Minor issue - - - - - ced44e69 by Markus Koschany at 2023-04-17T00:49:01+02:00 CVE-2022-48434,ffmpeg: Buster is postponed - - - - - 85af2f26 by Markus Koschany at 2023-04-17T00:50:19+02:00 CVE-2023-28439,ckeditor3: Buster is EOL - - - - - 92833122 by Markus Koschany at 2023-04-17T00:53:01+02:00 Triage cmark-gfm for Buster - - - - - abb9885e by Markus Koschany at 2023-04-17T00:57:47+02:00 Triage python-cmarkgfm for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3614,6 +3614,7 @@ CVE-2014-125094 (A vulnerability classified as problematic was found in phpMiniA CVE-2023-29383 (In Shadow 4.13, it is possible to inject control characters into field ...) - shadow (bug #1034482) [bullseye] - shadow (Minor issue) + [buster] - shadow (Minor issue) NOTE: https://github.com/shadow-maint/shadow/pull/687 NOTE: Fixed by: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d NOTE: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 @@ -4879,6 +4880,7 @@ CVE-2023-1691 CVE-2022-48434 (libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and ...) - ffmpeg 7:5.1.2-1 [bullseye] - ffmpeg (Wait until it lands in 4.3.x) + [buster] - ffmpeg (Wait until the backport to 4.x) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 (n6.1-dev) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda (n5.1.2) CVE-2022-48433 (In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak thro ...) 
@@ -6723,6 +6725,7 @@ CVE-2023-28440 CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor (bug #1034481) - ckeditor3 + [buster] - ckeditor3 (No longer supported in LTS) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g NOTE: https://github.com/ckeditor/ckeditor4/commit/b85af23f020a61397c6c0024aef73f2c7f62bfef (4.21.0) CVE-2023-28438 (Pimcore is an open source data and experience management platform. Pri ...) @@ -11973,6 +11976,7 @@ CVE-2023-26556 CVE-2023-26555 (praecis_parse in ntpd/refclock_palisade.c in NTP 4.2.8p15 has an out-o ...) - ntp [bullseye] - ntp (Minor issue; affects only the clock driver for the Trimble Palisade GPS timing receiver) + [buster] - ntp (Minor issue; affects only the clock driver for the Trimble Palisade GPS timing receiver) NOTE: https://github.com/spwpun/ntp-4.2.8p15-cves/blob/main/CVE-2023-26555 CVE-2023-26554 (mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write ...) - ntp (unimportant) @@ -12290,9 +12294,11 @@ CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - cmark-gfm (bug #1034171) [bookworm] - cmark-gfm (Minor issue) [bullseye] - cmark-gfm (Minor issue) + [buster] - cmark-gfm (Minor issue) - python-cmarkgfm (bug #1034172) [bookworm] - python-cmarkgfm (Minor issue) [bullseye] - python-cmarkgfm (Minor issue) + [buster] - python-cmarkgfm (Minor issue) - r-cran-commonmark (bug #1034173) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) 
@@ -17161,9 +17167,11 @@ CVE-2023-24824 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - cmark-gfm (bug #1034171) [bookworm] - cmark-gfm (Minor issue) [bullseye] - cmark-gfm (Minor issue) + [buster] - cmark-gfm (Minor issue) - python-cmarkgfm (bug #1034172) [bookworm] - python-cmarkgfm (Minor issue) [bullseye] - python-cmarkgfm (Minor issue) + [buster] - python-cmarkgfm (Minor issue) - r-cran-commonmark (bug #1034173) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) @@ -24721,9 +24729,11 @@ CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - cmark-gfm (bug #1033110) [bookworm] - cmark-gfm (Minor issue) [bullseye] - cmark-gfm (Minor issue) + [buster] - cmark-gfm (Minor issue) - python-cmarkgfm (bug #1033111) [bookworm] - python-cmarkgfm (Minor issue) [bullseye] - python-cmarkgfm (Minor issue) + [buster] - python-cmarkgfm (Minor issue) - r-cran-commonmark
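Review bot: the new buster entry for CVE-2022-48434 reads `[buster] - ffmpeg (Wait until the backport to 4.x)`, which is less precise than the bullseye line directly above it (`Wait until it lands in 4.3.x`); naming the upstream release series that buster actually ships would make clear which backport is being waited for, since `4.x` also covers the 4.3.x series bullseye already tracks.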
[Git][security-tracker-team/security-tracker][master] 8 commits: LTS: add configobj to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d336af8c by Markus Koschany at 2023-04-16T23:59:39+02:00 LTS: add configobj to dla-needed.txt - - - - - adfdfed3 by Markus Koschany at 2023-04-16T23:59:40+02:00 CVE-2023-30630,dmidecode: Buster is no-dsa Minor issue - - - - - c4f84a15 by Markus Koschany at 2023-04-16T23:59:42+02:00 CVE-2023-2004,freetype: Buster is postponed Minor issue. Can be fixed later. - - - - - 643484fc by Markus Koschany at 2023-04-16T23:59:42+02:00 LTS: add heimdal to dla-needed.txt - - - - - 0be4c5da by Markus Koschany at 2023-04-16T23:59:42+02:00 LTS: add libxml2 to dla-needed.txt - - - - - 35e1a85d by Markus Koschany at 2023-04-16T23:59:42+02:00 LTS: add asterisk to dla-needed.txt - - - - - 13f2c762 by Markus Koschany at 2023-04-16T23:59:43+02:00 CVE-2022-48468,protobuf-c: Buster is no-dsa Minor issue - - - - - 22df26e1 by Markus Koschany at 2023-04-16T23:59:43+02:00 LTS: add python2.7 to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -358,6 +358,7 @@ CVE-2023-30631 CVE-2023-30630 (Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This ...) - dmidecode (bug #1034483) [bullseye] - dmidecode (Minor issue) + [buster] - dmidecode (Minor issue) NOTE: https://github.com/adamreiser/dmiwrite NOTE: https://lists.nongnu.org/archive/html/dmidecode-devel/2023-03/msg3.html NOTE: https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f387e87091c25e7d5b8c2bb348bb206 
@@ -639,6 +640,7 @@ CVE-2023-2012 CVE-2022-48468 (protobuf-c before 1.4.1 has an unsigned integer overflow in parse_requ ...) - protobuf-c 1.4.1-1 [bullseye] - protobuf-c (Minor issue) + [buster] - protobuf-c (Minor issue) NOTE: https://github.com/protobuf-c/protobuf-c/commit/289f5c18b195aa43d46a619d1188709abbfa9c82 (v1.4.1) NOTE: https://github.com/protobuf-c/protobuf-c/commit/0d1fd124a4e0a07b524989f6e64410ff648fba61 (v1.4.1) NOTE: https://github.com/protobuf-c/protobuf-c/pull/513 @@ -799,6 +801,7 @@ CVE-2023-2005 RESERVED CVE-2023-2004 (An integer overflow vulnerability was discovered in Freetype in tt_hva ...) - freetype + [buster] - freetype (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462 NOTE: https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611 (VER-2-13-0) CVE-2023-2003 = data/dla-needed.txt = @@ -26,6 +26,10 @@ apache2 (rouca) NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- +asterisk + NOTE: 20230416: Programming language: C. + NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git +-- cairosvg (dleidert) NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) @@ -40,6 +44,10 @@ ceph NOTE: 20230102: [buster] - ceph (ceph-crash service added in Ceph 14) (stefanor) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- +configobj + NOTE: 20230416: Programming language: Python. + NOTE: 20230416: Special attention: Low priority but high popcon. +-- consul (Abhijith PA) NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. 
@@ -112,6 +120,11 @@ hdf5 NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably NOTE: 20230318: sync w/ him. (utkarsh) -- +heimdal + NOTE: 20230416: Programming language: C. + NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/heimdal + NOTE: 20230416: Special attention: Do review patches, even those, coming from upstream.. +-- jruby NOTE: 20230403: Programming language: Ruby, Java, C. NOTE: 20230403: Special attention: Not in bullseye @@ -124,6 +137,10 @@ libapache2-mod-auth-openidc (Adrian Bunk) NOTE: 20230404: CVE-2022-23527 will be fixed in Debian 11.7 (#1026447) NOTE: 20230404: Also check if other postponed/open CVEs need to be fixed (Beuc/front-desk) -- +libxml2 + NOTE: 20230416: Programming language: C. + NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/libxml2.git +-- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- @@ -214,6 +231,11 @@ python-oslo.privsep NOTE: 20221231: Programming language: Python. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
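Review bot: the added heimdal line `NOTE: 20230416: Special attention: Do review patches, even those, coming from upstream..` has a stray comma and a doubled full stop; suggest `Do review patches, even those coming from upstream.` so the dla-needed.txt entry reads cleanly.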
[Git][security-tracker-team/security-tracker][master] Claim curl in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3374acc4 by Markus Koschany at 2023-04-10T20:19:23+02:00 Claim curl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,7 +45,7 @@ consul (Abhijith PA) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) -- -curl +curl (Markus Koschany) NOTE: 20230321: Programming language: C. NOTE: 20230321: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20230321: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3374acc4454e86da8a0b8f1e72d3d96baac2faad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3374acc4454e86da8a0b8f1e72d3d96baac2faad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3388-1 for keepalived
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a2f46d09 by Markus Koschany at 2023-04-10T19:58:11+02:00 Reserve DLA-3388-1 for keepalived - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -100600,7 +100600,7 @@ CVE-2022-23133 (An authenticated user can create a hosts group from the configur CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability i ...) - zabbix 1:6.0.7+dfsg-2 [bullseye] - zabbix (Minor issue) - [buster] - zabbix (Not using RPM or DAC_OVERRIDE in Debian installs) + [buster] - zabbix (Not using RPM or DAC_OVERRIDE in Debian installs) [stretch] - zabbix (Not using RPM or DAC_OVERRIDE in Debian installs, zbx_ipc_service_init_env() not present) NOTE: https://support.zabbix.com/browse/ZBX-20341 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/019fbd9b5cc9c455304f1a48460435ca474ba2ac (5.0.18) @@ -110325,7 +110325,6 @@ CVE-2021-4022 (A vulnerability was found in rizin. The bug involves an ELF64 bin CVE-2021-44225 (In Keepalived through 2.2.4, the D-Bus policy does not sufficiently re ...) - keepalived 1:2.2.4-0.2 [bullseye] - keepalived 1:2.1.5-0.2+deb11u1 - [buster] - keepalived (Minor issue) [stretch] - keepalived (Minor issue) NOTE: https://github.com/acassen/keepalived/pull/2063 NOTE: https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Apr 2023] DLA-3388-1 keepalived - security update + {CVE-2021-44225} + [buster] - keepalived 1:2.0.10-1+deb10u1 [10 Apr 2023] DLA-3387-2 udisks2 - regression update [buster] - udisks2 2.8.1-4+deb10u2 [07 Apr 2023] DLA-3387-1 udisks2 - security update = data/dla-needed.txt = 
@@ -116,10 +116,6 @@ jruby NOTE: 20230403: Special attention: Not in bullseye NOTE: 20230403: Lots of postponed issues that were fixed in other ruby* packages (Beuc/front-desk) -- -keepalived (Markus Koschany) - NOTE: 20230404: Programming language: C. - NOTE: 20230404: Sync with Debian 11.2 (CVE-2021-44225) (Beuc/front-desk) --- libapache2-mod-auth-openidc (Adrian Bunk) NOTE: 20230404: Programming language: C. NOTE: 20230404: CVE-2019-20479 fixed in all other dists (including DLA-2298-1 for stretch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2f46d09308bca3f99c6c02c9bddc2cb0a37a022
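Review bot: in the CVE-2022-23132 hunk the removed and added `[buster] - zabbix (Not using RPM or DAC_OVERRIDE in Debian installs)` lines are identical in the visible text, so this is a whitespace-only change unrelated to the keepalived DLA the commit message announces; keeping such cleanups in their own commit, or mentioning them in the message, keeps the CVE/list history easy to audit.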
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5384-1 for openimageio
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fe4043d by Markus Koschany at 2023-04-10T11:11:54+02:00 Reserve DSA-5384-1 for openimageio - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[10 Apr 2023] DSA-5384-1 openimageio - security update + {CVE-2022-36354 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603} + [bullseye] - openimageio 2.2.10.1+dfsg-1+deb11u1 [05 Apr 2023] DSA-5383-1 ghostscript - security update {CVE-2023-28879} [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u4 = data/dsa-needed.txt = @@ -28,9 +28,6 @@ netatalk -- nodejs (aron) -- -openimageio (apo) - some issues allow for RCE, the other ones can also be ignored for stable --- php-cas -- php-horde-mime-viewer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fe4043d42c68417b979019d4fc7ff7920ca37ce
[Git][security-tracker-team/security-tracker][master] CVE-2022-38143,openimageio: Bullseye is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d7dfcec by Markus Koschany at 2023-04-09T22:51:43+02:00 CVE-2022-38143,openimageio: Bullseye is not affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -45885,6 +45885,7 @@ CVE-2022-41639 (A heap based buffer overflow vulnerability exists in tile decodi NOTE: https://github.com/OpenImageIO/oiio/pull/3632 CVE-2022-38143 (A heap out-of-bounds write vulnerability exists in the way OpenImageIO ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) + [bullseye] - openimageio (The vulnerable code was introduced later) [buster] - openimageio (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630 NOTE: https://github.com/OpenImageIO/oiio/pull/3620 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d7dfcecfd6cf1a1f7fb93dcaff9f34c9730afba
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add openimageio to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3203b758 by Markus Koschany at 2023-04-06T10:34:55+02:00 LTS: add openimageio to dla-needed.txt - - - - - 32c7162b by Markus Koschany at 2023-04-06T10:34:55+02:00 Readd openimageio to dla-needed.txt There are still four open CVE. The initial patch was incomplete and caused regressions. Let's investigate this further. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -190,6 +190,10 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- +openimageio (Markus Koschany) + NOTE: 20230406: Programming language: C. + NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git +-- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ba4db50f6b96159e164aeb059c5be592c134c363...32c7162baf5745fdf54a96bb3b867774b0f8f380
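Review bot: the commit message says four CVEs remain open and that the initial patch was incomplete and caused regressions, but the re-added openimageio entry in dla-needed.txt carries only the language and VCS lines; add a dated NOTE naming the open CVE ids and the regression, so that whoever picks the package up next does not have to reconstruct this from the git log and the DLA/DSA lists.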
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3385-1 for trafficserver
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 37314e97 by Markus Koschany at 2023-04-05T23:58:12+02:00 Reserve DLA-3385-1 for trafficserver - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -71078,7 +71078,6 @@ CVE-2022-31779 (Improper Input Validation vulnerability in HTTP/2 header parsing CVE-2022-31778 (Improper Input Validation vulnerability in handling the Transfer-Encod ...) {DSA-5206-1} - trafficserver 9.1.3+ds-1 - [buster] - trafficserver (Minor issue, intrusive to backport) NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21 CVE-2022-31777 (A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2. ...) NOT-FOR-US: Apache Spark = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Apr 2023] DLA-3385-1 trafficserver - security update + {CVE-2022-31778 CVE-2022-31779 CVE-2022-32749 CVE-2022-37392} + [buster] - trafficserver 8.1.6+ds-1~deb10u1 [05 Apr 2023] DLA-3384-1 tomcat9 - security update {CVE-2022-42252 CVE-2023-28708} [buster] - tomcat9 9.0.31-1~deb10u8 = data/dla-needed.txt = 
@@ -293,16 +293,6 @@ tinymce NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git -- -trafficserver (Markus Koschany) - NOTE: 20230202: Programming language: C. - NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby) - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/trafficserver.git - NOTE: 20230209: very difficult to identify exact patches and on top significant refactoring, especially CVE-2022-31778 - NOTE: 20230209; CVE-2022-32749 is possibly https://github.com/apache/trafficserver/pull/9243, (see security tracker) - NOTE: 20230209: CVE-2022-37392 mihgt be https://github.com/apache/trafficserver/commit/3b9cbf873a77bb7f9297f2b16496a290e0cf7de1 - NOTE: 20230209: could find informatin for CVE-2022-31779, might be the same fix as CVE-2022-31778 (marked as to be ignored), but no proof on that… - NOTE: 20230209: not sure, maybe the safest way would be to update to 8.1.6. --- udisks2 (tobi) NOTE: 20230404: Programming language: C, Python. NOTE: 20230404: CVE-2021-3802 (kernel panic) fixed in all other dists (Debian 11.2, DLA-2809-1 for stretch) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37314e97462db45e1a7cf8b9e1e14c73c2cb9870
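Review bot: the removed trafficserver notes held the only record of which upstream changes were thought to fix CVE-2022-32749 and CVE-2022-37392 (the pull request and commit URLs listed there) and of the suggestion to update to 8.1.6; the DLA-3385-1 entry shows that route was taken (8.1.6+ds-1~deb10u1), but the CVE/list hunk only drops the buster tag for CVE-2022-31778, so consider carrying the identified fixes over as NOTE: lines on those CVEs rather than losing the research together with the dla-needed.txt entry.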
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5381-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: baa5071f by Markus Koschany at 2023-04-05T21:50:16+02:00 Reserve DSA-5381-1 for tomcat9 - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -31967,7 +31967,6 @@ CVE-2022-3933 (The Essential Real Estate WordPress plugin before 3.9.6 does not NOT-FOR-US: WordPress plugin CVE-2022-45143 (The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and ...) - tomcat9 9.0.70-1 - [bullseye] - tomcat9 (Minor issue, fix along in future update) [buster] - tomcat9 (The vulnerable code was introduced later) - tomcat8 NOTE: https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e (9.0.69) @@ -42817,7 +42816,6 @@ CVE-2022-42253 RESERVED CVE-2022-42252 (If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10. ...) - tomcat9 9.0.68-1 - [bullseye] - tomcat9 (Minor issue, fix along in future update) - tomcat8 NOTE: https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq NOTE: https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77 (9.0.68) = data/DSA/list = @@ -1,3 +1,6 @@ +[05 Apr 2023] DSA-5381-1 tomcat9 - security update + {CVE-2022-42252 CVE-2022-45143 CVE-2023-28708} + [bullseye] - tomcat9 9.0.43-2~deb11u6 [29 Mar 2023] DSA-5380-1 xorg-server - security update {CVE-2023-1393} [bullseye] - xorg-server 2:1.20.11-1+deb11u6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baa5071fa0ec69cb89324abe638a02ca28a68978
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3384-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 743234c3 by Markus Koschany at 2023-04-05T21:42:21+02:00 Reserve DLA-3384-1 for tomcat9 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -42818,7 +42818,6 @@ CVE-2022-42253 CVE-2022-42252 (If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10. ...) - tomcat9 9.0.68-1 [bullseye] - tomcat9 (Minor issue, fix along in future update) - [buster] - tomcat9 (Minor issue, occurs when system is explicitly configured in an insecure way) - tomcat8 NOTE: https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq NOTE: https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77 (9.0.68) = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Apr 2023] DLA-3384-1 tomcat9 - security update + {CVE-2022-42252 CVE-2023-28708} + [buster] - tomcat9 9.0.31-1~deb10u8 [05 Apr 2023] DLA-3383-1 grunt - security update {CVE-2022-1537} [buster] - grunt 1.0.1-8+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/743234c38e09e5d1474d68e9395e716ad3c2df72
[Git][security-tracker-team/security-tracker][master] CVE-2022-45143,tomcat9: buster is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 989ac170 by Markus Koschany at 2023-04-05T18:28:24+02:00 CVE-2022-45143,tomcat9: buster is not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31967,7 +31967,7 @@ CVE-2022-3933 (The Essential Real Estate WordPress plugin before 3.9.6 does not CVE-2022-45143 (The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and ...) - tomcat9 9.0.70-1 [bullseye] - tomcat9 (Minor issue, fix along in future update) - [buster] - tomcat9 (Minor issue, fix along in future update) + [buster] - tomcat9 (The vulnerable code was introduced later) - tomcat8 NOTE: https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e (9.0.69) NOTE: https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf (8.5.84) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/989ac1705dbcd1f07f3fda221fc0dbb0bfaf02f0
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim trafficserver in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e5b0afee by Markus Koschany at 2023-04-05T02:05:37+02:00 Claim trafficserver in dla-needed.txt - - - - - 4c54889c by Markus Koschany at 2023-04-05T02:07:36+02:00 Claim keepalived in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,7 +118,7 @@ jruby NOTE: 20230403: Special attention: Not in bullseye NOTE: 20230403: Lots of postponed issues that were fixed in other ruby* packages (Beuc/front-desk) -- -keepalived +keepalived (Markus Koschany) NOTE: 20230404: Programming language: C. NOTE: 20230404: Sync with Debian 11.2 (CVE-2021-44225) (Beuc/front-desk) -- @@ -292,7 +292,7 @@ tinymce NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git -- -trafficserver +trafficserver (Markus Koschany) NOTE: 20230202: Programming language: C. NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/trafficserver.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cdf76f767d31e156a778750cef536670cfb80a9e...4c54889ce08082cfd8fc2067fdff8e19dcefd846
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3382-1 for openimageio
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cdf76f76 by Markus Koschany at 2023-04-05T00:52:38+02:00 Reserve DLA-3382-1 for openimageio - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -13953,7 +13953,7 @@ CVE-2023-24538 [html/template: backticks not treated as string delimiters] - golang-1.15 - golang-1.11 NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 - NOTE: https://go.dev/issue/59234 + NOTE: https://go.dev/issue/59234 NOTE: https://github.com/golang/go/commit/20374d1d759bc4e17486bde1cb9dca5be37d9e52 (go1.20.3) NOTE: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b (go1.19.8) CVE-2023-24537 [go/parser: infinite loop in parsing] = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Apr 2023] DLA-3382-1 openimageio - security update + {CVE-2022-36354 CVE-2022-41639 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603} + [buster] - openimageio 2.0.5~dfsg0-1+deb10u1 [04 Apr 2023] DLA-3381-1 ghostscript - security update {CVE-2023-28879} [buster] - ghostscript 9.27~dfsg-2+deb10u7 = data/dla-needed.txt = 
@@ -189,11 +189,6 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio - NOTE: 20221225: Programming language: C. - NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git - NOTE: 20220313: will be released today (apo) --- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdf76f767d31e156a778750cef536670cfb80a9e
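Review bot: the CVE-2023-24538 hunk in data/CVE/list replaces `NOTE: https://go.dev/issue/59234` with a line that is identical in the visible text, i.e. a whitespace fix on a golang entry that has nothing to do with reserving DLA-3382-1 for openimageio; the commit message should at least say so, since a reader of the history will otherwise wonder why the Go advisory notes changed in an openimageio commit.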
[Git][security-tracker-team/security-tracker][master] 4 commits: CVE-2022-41981,openimageio: Link to fixing commits
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 02b23786 by Markus Koschany at 2023-04-04T22:41:50+02:00 CVE-2022-41981,openimageio: Link to fixing commits We also have to backport the safe_strlen function in order to fix this issue. - - - - - 3b0b9efa by Markus Koschany at 2023-04-04T23:21:58+02:00 CVE-2022-43593,openimageio: Link to fixing commit - - - - - b9b6f1a3 by Markus Koschany at 2023-04-04T23:59:08+02:00 CVE-2022-43602,openimageio: Link to fixing commit - - - - - c69291f9 by Markus Koschany at 2023-04-05T00:01:28+02:00 Claim openimageio in dsa-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -38513,6 +38513,7 @@ CVE-2022-43603 (A denial of service vulnerability exists in the ZfileOutput::clo CVE-2022-43602 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 + NOTE: https://github.com/OpenImageIO/oiio/pull/3676 CVE-2022-43601 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 @@ -38548,6 +38549,7 @@ CVE-2022-43594 (Multiple denial of service vulnerabilities exist in the image ou CVE-2022-43593 (A denial of service vulnerability exists in the DPXOutput::close() fun ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1652 + NOTE: https://github.com/OpenImageIO/oiio/pull/3672 CVE-2022-43592 (An information disclosure vulnerability exists in the DPXOutput::close ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1651 
@@ -43050,6 +43052,8 @@ CVE-2022-42002 (SonicJS through 0.6.0 allows file overwrite. It has the followin CVE-2022-41981 (A stack-based buffer overflow vulnerability exists in the TGA file for ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1628 + NOTE: https://github.com/OpenImageIO/oiio/commit/bc9c931092e973d5250dd22a714cf035827dae6d + NOTE: https://github.com/OpenImageIO/oiio/pull/3622/commits/c412312f978fbbf987f190d0d2a9f6980b7f267f CVE-2022-41977 (An out of bounds read vulnerability exists in the way OpenImageIO vers ...) - openimageio 2.3.21.0+dfsg-1 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1627 = data/dsa-needed.txt = @@ -33,7 +33,7 @@ netatalk -- nodejs (aron) -- -openimageio +openimageio (Markus Koschany) some issues allow for RCE, the other ones can also be ignored for stable -- php-cas View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e0c2220ff75377a083d1d4f559b454affa880ba3...c69291f94771f929f8f96782792503a6c890f65c
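Review bot: the commit message for CVE-2022-41981 states that the safe_strlen function also has to be backported for the fix to apply, but that prerequisite does not appear in the two NOTE: lines added to CVE/list; record it there alongside the commit links (for example `NOTE: fix depends on backporting safe_strlen`) so that whoever prepares the bullseye or buster update sees the dependency in the tracker rather than only in the git log.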
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3371-1 for unbound
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 08d0cf16 by Markus Koschany at 2023-03-29T14:46:34+02:00 Reserve DLA-3371-1 for unbound - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -45401,7 +45401,6 @@ CVE-2022-3205 (Cross site scripting in automation controller UI in Red Hat Ansib CVE-2022-3204 (A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation ...) - unbound 1.16.3-1 [bullseye] - unbound (Minor issue) - [buster] - unbound (Minor issue) NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554 (release-1.16.3) CVE-2022-3203 (On ORing net IAP-420(+) with FW version 2.0m a telnet server is enable ...) @@ -72626,13 +72625,11 @@ CVE-2022-30700 (An incorrect permission assignment vulnerability in Trend Micro CVE-2022-30699 (NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable ...) - unbound 1.16.2-1 (bug #1016493) [bullseye] - unbound (Minor issue) - [buster] - unbound (Minor issue) NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt NOTE: https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68 (release-1.16.2) CVE-2022-30698 (NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable t ...) - unbound 1.16.2-1 (bug #1016493) [bullseye] - unbound (Minor issue) - [buster] - unbound (Minor issue) NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt NOTE: https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68 (release-1.16.2) CVE-2022-30697 (Local privilege escalation due to insecure folder permissions. The fol ...) 
@@ -177587,7 +177584,6 @@ CVE-2020-28935 (NLnet Labs Unbound, up to and including version 1.12.0, and NLne [buster] - nsd (Minor issue) [stretch] - nsd (Minor issue) - unbound 1.13.0-1 (bug #977165) - [buster] - unbound (Minor issue) [stretch] - unbound (DSA 4694-1) NOTE: https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt NOTE: https://github.com/NLnetLabs/nsd/commit/a4caec3137a1bc9eca05d38d66e2bce572ca9bd3 (NSD_4_3_4_RC1) = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Mar 2023] DLA-3371-1 unbound - security update + {CVE-2020-28935 CVE-2022-3204 CVE-2022-30698 CVE-2022-30699} + [buster] - unbound 1.9.0-2+deb10u3 [28 Mar 2023] DLA-3370-1 xrdp - security update {CVE-2022-23468 CVE-2022-23478 CVE-2022-23479 CVE-2022-23483 CVE-2022-23484 CVE-2022-23493} [buster] - xrdp 0.9.9-1+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08d0cf1687b31ab3b4b124a9021b7b9a787c9b2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08d0cf1687b31ab3b4b124a9021b7b9a787c9b2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 10 commits: CVE-2022-41649,openimageio: Link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d00da44c by Markus Koschany at 2023-03-19T23:43:52+01:00 CVE-2022-41649,openimageio: Link to fixing commit - - - - - 0b8e81cb by Markus Koschany at 2023-03-19T23:43:53+01:00 CVE-2022-41684,openimageio: Link to fixing commit - - - - - 3c7270da by Markus Koschany at 2023-03-19T23:43:54+01:00 CVE-2022-41794,openimageio: Link to fixing commit - - - - - 6dece549 by Markus Koschany at 2023-03-19T23:43:56+01:00 CVE-2022-41837,openimageio: Link to fixing commit - - - - - 88c8703d by Markus Koschany at 2023-03-19T23:43:57+01:00 CVE-2022-41838,CVE-2022-41999,openimageio: Link to fixing commits - - - - - 83ae7f51 by Markus Koschany at 2023-03-19T23:43:58+01:00 CVE-2022-38143,openimageio: Buster is not affected The vulnerable code was introduced later - - - - - 2e12246c by Markus Koschany at 2023-03-19T23:43:59+01:00 CVE-2022-43592,openimageio: Link to pull request - - - - - 22e314ce by Markus Koschany at 2023-03-19T23:44:01+01:00 CVE-2022-43594,openimageio: Link to pull request - - - - - d1bd600f by Markus Koschany at 2023-03-19T23:44:02+01:00 CVE-2022-43595,openimageio: Link to pull request - - - - - 2b466f30 by Markus Koschany at 2023-03-19T23:44:03+01:00 CVE-2022-43596,CVE-2022-43597,CVE-2022-43598,CVE-2022-43599,CVE-2022-43600 CVE-2022-43601,CVE-2022-43602,openimageio: Link to pull request - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -35990,33 +35990,42 @@ CVE-2022-43602 (Multiple code execution vulnerabilities exist in the IFFOutput:: CVE-2022-43601 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 + NOTE: https://github.com/OpenImageIO/oiio/pull/3676 CVE-2022-43600 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 + NOTE: https://github.com/OpenImageIO/oiio/pull/3676 CVE-2022-43599 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 + NOTE: https://github.com/OpenImageIO/oiio/pull/3676 CVE-2022-43598 (Multiple memory corruption vulnerabilities exist in the IFFOutput alig ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655 + NOTE: https://github.com/OpenImageIO/oiio/pull/3676 CVE-2022-43597 (Multiple memory corruption vulnerabilities exist in the IFFOutput alig ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655 + NOTE: https://github.com/OpenImageIO/oiio/pull/3676 CVE-2022-43596 (An information disclosure vulnerability exists in the IFFOutput channe ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1654 + NOTE: https://github.com/OpenImageIO/oiio/pull/3676 CVE-2022-43595 (Multiple denial of service vulnerabilities exist in the image output c ...) 
- openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653 + NOTE: https://github.com/OpenImageIO/oiio/pull/3673 CVE-2022-43594 (Multiple denial of service vulnerabilities exist in the image output c ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653 + NOTE: https://github.com/OpenImageIO/oiio/pull/3673 CVE-2022-43593 (A denial of service vulnerability exists in the DPXOutput::close() fun ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1652 CVE-2022-43592 (An information disclosure vulnerability exists in the DPXOutput::close ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1651 + NOTE: https://github.com/OpenImageIO/oiio/pull/3672 CVE-2022-43591 (A buffer overflow vulnerability exists in the QML QtScript Reflect API ...) - qt6-declarative 6.4.2+dfsg~rc1-2 (unimportant) - qtdeclarative-opensource-src (unimportant) @@ -39205,6 +39214,7 @@ CVE-2022-41999 (A denial of service vulnerability exists in the DDS native tile - openimageio 2.4.7.1+dfsg-2 (bug #1027808) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1635 NOTE: https://github.com/OpenImageIO/oiio
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-38143,openimageio: Link to pull request
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f25824d6 by Markus Koschany at 2023-03-06T01:31:29+01:00 CVE-2022-38143,openimageio: Link to pull request - - - - - 07c4bf08 by Markus Koschany at 2023-03-13T10:59:07+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - f9e00d58 by Markus Koschany at 2023-03-13T10:59:44+01:00 Update note for openimageio in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -38931,6 +38931,7 @@ CVE-2022-41639 (A heap based buffer overflow vulnerability exists in tile decodi CVE-2022-38143 (A heap out-of-bounds write vulnerability exists in the way OpenImageIO ...) - openimageio 2.4.7.1+dfsg-2 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630 + NOTE: https://github.com/OpenImageIO/oiio/pull/3620 CVE-2022-36354 (A heap out-of-bounds read vulnerability exists in the RLA format parse ...) - openimageio 2.3.21.0+dfsg-1 (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629 = data/dla-needed.txt = 
@@ -178,9 +178,10 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio +openimageio (Markus Koschany) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git + NOTE: 20220313: will be released today (apo) -- pcre2 (guilhem) NOTE: 20230303: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cc29fbf953043f3988396be508ac4f6dda551d57...f9e00d58b8c36bb50863947c18f3c011df60b3c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cc29fbf953043f3988396be508ac4f6dda551d57...f9e00d58b8c36bb50863947c18f3c011df60b3c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
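Review bot: the note added to data/dla-needed.txt in the second hunk carries the date stamp `20220313`, a year earlier than the commit date (2023-03-13) and earlier than the `20221225` notes directly above it; it should read `20230313` so the entry reflects when it was written and reads in chronological order with its neighbours.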
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3342-1 for freeradius
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b068ca8 by Markus Koschany at 2023-02-24T17:16:33+01:00 Reserve DLA-3342-1 for freeradius - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -34641,13 +34641,11 @@ CVE-2022-41862 CVE-2022-41861 (A flaw was found in freeradius. A malicious RADIUS client or home serv ...) - freeradius 3.2.0+dfsg-1 [bullseye] - freeradius (Minor issue) - [buster] - freeradius (Minor issue) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62 (release_3_0_26) NOTE: https://freeradius.org/security/ ("Crash on invalid abinary data") CVE-2022-41860 (In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, ...) - freeradius 3.2.0+dfsg-1 [bullseye] - freeradius (Minor issue) - [buster] - freeradius (Minor issue) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708 (release_3_0_26) NOTE: https://freeradius.org/security/ ("Crash on unknown option in EAP-SIM") CVE-2022-41859 (In freeradius, the EAP-PWD function compute_password_element() leaks i ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Feb 2023] DLA-3342-1 freeradius - security update + {CVE-2022-41859 CVE-2022-41860 CVE-2022-41861} + [buster] - freeradius 3.0.17+dfsg-1.1+deb10u2 [24 Feb 2023] DLA-3341-1 curl - security update {CVE-2023-23916} [buster] - curl 7.64.0-4+deb10u5 = data/dla-needed.txt = 
@@ -54,10 +54,6 @@ firmware-nonfree NOTE: 20221211: Programming language: Binary blob NOTE: 20221211: VCS: https://salsa.debian.org/lts-team/packages/firmware-nonfree.git -- -freeradius (Markus Koschany) - NOTE: 20230219: Programming language: C. - NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/freeradius.git --- fusiondirectory NOTE: 20221203: Programming language: PHP. NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b068ca8eaf9b4a7213248d3fb9a1706ae1f2c57 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b068ca8eaf9b4a7213248d3fb9a1706ae1f2c57 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim freeradius in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c858649b by Markus Koschany at 2023-02-23T12:41:54+01:00 Claim freeradius in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -59,7 +59,7 @@ firmware-nonfree NOTE: 20221211: Programming language: Binary blob NOTE: 20221211: VCS: https://salsa.debian.org/lts-team/packages/firmware-nonfree.git -- -freeradius +freeradius (Markus Koschany) NOTE: 20230219: Programming language: C. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/freeradius.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c858649b8ad22e535e4f6a1e7faceb4281a8b1af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c858649b8ad22e535e4f6a1e7faceb4281a8b1af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5358-1 for asterisk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f4bbc971 by Markus Koschany at 2023-02-23T10:06:40+01:00 Reserve DSA-5358-1 for asterisk - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -32294,14 +32294,12 @@ CVE-2022-42707 (In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 befo CVE-2022-42706 (An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 t ...) {DLA-3335-1} - asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 - [bullseye] - asterisk (Minor issue) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30176 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-009.html NOTE: https://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=commit;h=81f10e847efdbe8ec264062ee234e1098c29b3f6 CVE-2022-42705 (A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.1 ...) {DLA-3335-1} - asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 - [bullseye] - asterisk (Minor issue) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30244 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-008.html NOTE: https://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=commit;h=7684c9e907fb85f5c58b025d9e385ad2600f12a2 @@ -46645,7 +46643,6 @@ CVE-2022-37326 CVE-2022-37325 (In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, an ...) {DLA-3335-1} - asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 - [bullseye] - asterisk (Minor issue) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30103 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-007.html CVE-2022-37324 = data/DSA/list = 
@@ -1,3 +1,6 @@ +[23 Feb 2023] DSA-5358-1 asterisk - security update + {CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706} + [bullseye] - asterisk 1:16.28.0~dfsg-0+deb11u2 [23 Feb 2023] DSA-5357-1 git - security update {CVE-2023-22490 CVE-2023-23946} [bullseye] - git 1:2.30.2-1+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4bbc97113aa4d3f1a1c180820ea6e6933ac0526 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4bbc97113aa4d3f1a1c180820ea6e6933ac0526 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim openimageio in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 23e287e6 by Markus Koschany at 2023-02-22T23:38:48+01:00 Claim openimageio in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -205,7 +205,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio +openimageio (Markus Koschany) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23e287e68249adce45adc0e3f41089f832fc03c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23e287e68249adce45adc0e3f41089f832fc03c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-39244,CVE-2022-39269, Asterisk: Bullseye is affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c739f6b by Markus Koschany at 2023-02-22T22:53:14+01:00 CVE-2022-39244,CVE-2022-39269, Asterisk: Bullseye is affected Remove not-affected tag because the vulnerable code is in PJSIP which we ship in the debian directory (tar.bz2 file) - - - - - f4705b58 by Markus Koschany at 2023-02-22T23:20:31+01:00 Reserve DLA-3335-1 for asterisk - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -31916,14 +31916,12 @@ CVE-2022-42707 (In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 befo CVE-2022-42706 (An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 t ...) - asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 [bullseye] - asterisk (Minor issue) - [buster] - asterisk (Minor issue) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30176 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-009.html NOTE: https://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=commit;h=81f10e847efdbe8ec264062ee234e1098c29b3f6 CVE-2022-42705 (A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.1 ...) - asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 [bullseye] - asterisk (Minor issue) - [buster] - asterisk (Minor issue) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30244 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-008.html NOTE: https://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=commit;h=7684c9e907fb85f5c58b025d9e385ad2600f12a2 @@ -40591,7 +40589,6 @@ CVE-2022-39270 (DiscoTOC is a Discourse theme component that generates a table o NOT-FOR-US: DiscoTOC Discourse theme CVE-2022-39269 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk - [bullseye] - asterisk (Vulnerable code not present) - pjproject - ring 20230206.0~ds1-1 NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg 
@@ -40688,7 +40685,6 @@ CVE-2022-39245 (Mist is the command-line interface for the makedeb Package Repos NOT-FOR-US: Makedeb Mist CVE-2022-39244 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 - [bullseye] - asterisk (Vulnerable code not present) - pjproject - ring 20230206.0~ds1-1 NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-fq45-m3f7-3mhj @@ -46267,7 +46263,6 @@ CVE-2022-37326 CVE-2022-37325 (In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, an ...) - asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 [bullseye] - asterisk (Minor issue) - [buster] - asterisk (Minor issue) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30103 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-007.html CVE-2022-37324 = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Feb 2023] DLA-3335-1 asterisk - security update + {CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706} + [buster] - asterisk 1:16.28.0~dfsg-0+deb10u2 [22 Feb 2023] DLA-3334-1 sofia-sip - security update {CVE-2022-47516} [buster] - sofia-sip 1.12.11+20110422.1-2.1+deb10u3 = data/dla-needed.txt = 
@@ -24,10 +24,6 @@ apache2 (Lee Garrett) NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230222: CVE-2019-17567 requires 1000+ LoC patch, too intrusive (lee) -- -asterisk (Markus Koschany) - NOTE: 20221211: Programming language: C. - NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git --- binwalk (Adrian Bunk) NOTE: 20230222: Programming language: Python. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab4c0f2c1521d9802ffb2555120b3ca05076cc00...f4705b5844dcb08d08a31a7dfbc2d5dca138b876 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab4c0f2c1521d9802ffb2555120b3ca05076cc00...f4705b5844dcb08d08a31a7dfbc2d5dca138b876 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: Claim asterisk in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6add35c4 by Markus Koschany at 2023-02-22T00:14:42+01:00 Claim asterisk in dla-needed.txt - - - - - f31bc65e by Markus Koschany at 2023-02-22T00:14:58+01:00 Remove tiff from dla-needed.txt because all CVE have been fixed. - - - - - 10c7f963 by Markus Koschany at 2023-02-22T00:15:24+01:00 Remove snakeyaml from dla-needed.txt - - - - - aaeebf94 by Markus Koschany at 2023-02-22T00:18:08+01:00 Remove nextcloud-desktop from dla-needed.txt and triage the currently open issues as no-dsa because they are minor. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6496,6 +6496,7 @@ CVE-2023-23943 (Nextcloud mail is an email app for the nextcloud home server pla CVE-2023-23942 (The Nextcloud Desktop Client is a tool to synchronize files from a Nex ...) - nextcloud-desktop 3.6.4-1 [bullseye] - nextcloud-desktop (Minor issue) + [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64qc-vf6v-8xgg NOTE: https://github.com/nextcloud/desktop/pull/5233 NOTE: https://github.com/nextcloud/desktop/pull/5240 @@ -33933,6 +33934,7 @@ CVE-2022-41883 (TensorFlow is an open source platform for machine learning. When CVE-2022-41882 (The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...) - nextcloud-desktop 3.6.1-1 [bullseye] - nextcloud-desktop (Minor issue) + [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3w86-rm38-8w63 NOTE: https://github.com/nextcloud/desktop/pull/5039 NOTE: https://github.com/nextcloud/server/pull/34559 
@@ -40308,24 +40310,28 @@ CVE-2022-39335 CVE-2022-39334 (Nextcloud desktop is the desktop sync client for Nextcloud. Versions p ...) - nextcloud-desktop 3.6.1-1 [bullseye] - nextcloud-desktop (Minor issue) + [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv NOTE: https://github.com/nextcloud/desktop/issues/4927 NOTE: https://github.com/nextcloud/desktop/pull/5022 CVE-2022-39333 (Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker ...) - nextcloud-desktop 3.6.1-1 [bullseye] - nextcloud-desktop (Minor issue) + [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8 NOTE: https://github.com/nextcloud/desktop/pull/4972 NOTE: https://hackerone.com/reports/1711847 CVE-2022-39332 (Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker ...) - nextcloud-desktop 3.6.1-1 [bullseye] - nextcloud-desktop (Minor issue) + [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p NOTE: https://github.com/nextcloud/desktop/pull/4972 NOTE: https://hackerone.com/reports/1668028 CVE-2022-39331 (Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker ...) - nextcloud-desktop 3.6.1-1 [bullseye] - nextcloud-desktop (Minor issue) + [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5 NOTE: https://github.com/nextcloud/desktop/pull/4944 NOTE: https://hackerone.com/reports/1668028 = data/dla-needed.txt = 
@@ -23,7 +23,7 @@ apache2 (Lee Garrett) NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!. -- -asterisk +asterisk (Markus Koschany) NOTE: 20221211: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git -- @@ -154,11 +154,6 @@ netatalk NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk) -- -nextcloud-desktop - NOTE: 20221128: Programming language: C++. - NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop - NOTE: 20221128: Please coordinate with maintainer the usage of their git-repo (gladk). --- nheko NOTE: 20230101: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git @@ -317,12 +312,6 @@ samba NOTE: 20220904: Special attention: High popcon! Used in many servers. NOTE: 20220904: Many postponed or open CVE in
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3333-1 for tiff
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dbc9024 by Markus Koschany at 2023-02-21T23:55:06+01:00 Reserve DLA--1 for tiff - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Feb 2023] DLA--1 tiff - security update + {CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804} + [buster] - tiff 4.1.0+git191117-2~deb10u7 [21 Feb 2023] DLA-3332-1 apr-util - security update {CVE-2022-25147} [buster] - apr-util 1.6.1-4+deb10u1 = data/dla-needed.txt = @@ -336,11 +336,6 @@ sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -tiff (Markus Koschany) - NOTE: 20230218: Programming language: C. - NOTE: 20230218: VCS: https://salsa.debian.org/lts-team/packages/tiff.git - NOTE: 20230218: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html --- tinymce NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dbc9024bdf45c2e59b8c0cfb6c342b2ad14fd8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dbc9024bdf45c2e59b8c0cfb6c342b2ad14fd8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
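Review bot: the line added to data/DLA/list reads `[21 Feb 2023] DLA--1 tiff - security update`, so the advisory number between the dashes is empty, and the commit message body likewise says `Reserve DLA--1 for tiff` although the subject names DLA-3333-1; the entry should be `DLA-3333-1` to match the reserved identifier and the format of the neighbouring `DLA-3332-1 apr-util` line, otherwise the tracker cannot associate the ten listed CVEs with the advisory.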
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3327-1 for nss
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 121e7aee by Markus Koschany at 2023-02-20T16:11:24+01:00 Reserve DLA-3327-1 for nss - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -211474,7 +211474,6 @@ CVE-2020-12404 (For native-to-JS bridging the app requires a unique token to be CVE-2020-12403 (A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS i ...) {DLA-2388-1} - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/f282556e6cc7715f5754aeaadda6f902590e7e38 NOTE: https://hg.mozilla.org/projects/nss/rev/c25adfdfab34ddb08d3262aac3242e3399de1095 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1636771 @@ -211488,7 +211487,6 @@ CVE-2020-12401 (During ECDSA signature generation, padding applied in the nonce {DLA-2388-1} - firefox 80.0-1 - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/aeb2e583ee957a699d949009c7ba37af76515c20 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1631573 (private) NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes @@ -211497,7 +211495,6 @@ CVE-2020-12400 (When converting coordinates from projective to affine, the modul {DLA-2388-1} - firefox 80.0-1 - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0 NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes 
@@ -227156,7 +227153,6 @@ CVE-2020-6829 (When performing EC scalar point multiplication, the wNAF point mu {DLA-2388-1} - firefox 80.0-1 - nss 2:3.55-1 - [buster] - nss (Minor issue) NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0 NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Feb 2023] DLA-3327-1 nss - security update + {CVE-2020-6829 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2023-0767} + [buster] - nss 2:3.42.1-1+deb10u6 [20 Feb 2023] DLA-3326-1 isc-dhcp - security update [buster] - isc-dhcp 4.4.1-2+deb10u3 [20 Feb 2023] DLA-3325-1 openssl - security update = data/dla-needed.txt = @@ -199,10 +199,6 @@ nodejs NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html -- -nss (Markus Koschany) - NOTE: 20230219: Programming language: C. - NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/nss.git --- nvidia-graphics-drivers NOTE: 20221225: Programming language: binary blob. NOTE: 20230103: Cf. on-going discussion on nvidia support (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/121e7aee475909e691d33c6698d0cfed22806fe9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/121e7aee475909e691d33c6698d0cfed22806fe9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 11 commits: Triage gpac for Buster as EOL.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0efe7456 by Markus Koschany at 2023-02-20T00:28:43+01:00 Triage gpac for Buster as EOL. - - - - - 73e31c31 by Markus Koschany at 2023-02-20T00:28:43+01:00 LTS: add curl to dla-needed.txt - - - - - a035b7b9 by Markus Koschany at 2023-02-20T00:28:43+01:00 LTS: add sofia-sip to dla-needed.txt - - - - - ec9c34ea by Markus Koschany at 2023-02-20T00:28:43+01:00 LTS: add clamav to dla-needed.txt - - - - - e4b1027d by Markus Koschany at 2023-02-20T00:28:43+01:00 CVE-2023-23082,kodi: Buster is no-dsa Minor issue - - - - - 3c8575fd by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2022-3560,pesign: Buster is no-dsa Minor issue - - - - - 503c323b by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-22332,pgpool2: Buster is no-dsa Minor issue - - - - - c35ede04 by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-24607,qtbase-opensource-src: Buster is no-dsa Minor issue - - - - - 2cb655fd by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-22799,ruby-globalid: Buster is no-dsa Minor issue - - - - - 7824121b by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-23627,ruby-sanitize: Buster is no-dsa Minor issue - - - - - 39aeedb1 by Markus Koschany at 2023-02-20T00:28:44+01:00 Triage symfony CVE as no-dsa for Buster Minor issues - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -431,6 +431,7 @@ CVE-2023-0867 CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f NOTE: https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937 CVE-2023-0865 
@@ -844,16 +845,19 @@ CVE-2023-0820 CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff CVE-2023-0817 (Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - gpac [bullseye] - gpac (Vulnerable code not present) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/cb730bc5-d79c-4de6-9e57-10e8c3ce2cf3 NOTE: https://github.com/gpac/gpac/commit/be9f8d395bbd196e3812e9cd80708f06bcc206f7 CVE-2023-25754 @@ -1377,6 +1381,7 @@ CVE-2023-0771 (SQL Injection in GitHub repository ampache/ampache prior to 5.5.7 CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd NOTE: https://github.com/gpac/gpac/commit/c31941822ee275a35bc148382bafef1c53ec1c26 CVE-2023-0769 @@ -1467,6 +1472,7 @@ CVE-2023-0761 CVE-2023-0760 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/d06223df-a473-4c82-96d0-23726b844b21 NOTE: https://github.com/gpac/gpac/commit/ea7395f39f601a7750d48d606e9d10ea0b7beefe CVE-2023-0759 (Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2. ...) 
@@ -4101,6 +4107,7 @@ CVE-2023-24607 [When using the Qt SQL ODBC driver plugin, then it is possible to RESERVED - qtbase-opensource-src [bullseye] - qtbase-opensource-src (Minor issue) + [buster] - qtbase-opensource-src (Minor issue) - qt6-base - qtbase-opensource-src-gles [bullseye] - qtbase-opensource-src-gles (Minor issue) @@ -6850,6 +6857,7 @@ CVE-2023-23628 (Metabase is an open source data analytics platform. Affected ver CVE-2023-23627 (Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 ...) - ruby-sanitize (bug #1030047) [bullseye] - ruby-sanitize (Minor issue) + [buster] - ruby-sanitize (Minor issue) NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7 NOTE: https://github.com/rgrove/sanitize/commit
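Review bot: under CVE-2023-0817 the bullseye tag reads "Vulnerable code not present" while the new buster tag reads "EOL in buster LTS". If the vulnerable code is absent from bullseye's gpac, it is worth checking whether buster's older gpac lacks it too; a `[buster] - gpac (Vulnerable code not present)` tag records a not-affected state, which is more useful to buster users than a blanket unsupported marking. The other gpac entries in this push (CVE-2023-0866, CVE-2023-0819, CVE-2023-0818, CVE-2023-0770, CVE-2023-0760), all "Minor issue" in bullseye, are consistent with the EOL triage in the commit message.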
[Git][security-tracker-team/security-tracker][master] 11 commits: LTS: add freeradius to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 92ad2370 by Markus Koschany at 2023-02-19T21:27:08+01:00 LTS: add freeradius to dla-needed.txt - - - - - 7a305a92 by Markus Koschany at 2023-02-19T21:27:09+01:00 CVE-2023-25193,harfbuzz: Buster is no-dsa Minor issue - - - - - aa8f8b08 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add intel-microcode to dla-needed.txt - - - - - 32e325e3 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add nss to dla-needed.txt - - - - - 6e4df0b7 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add python-cryptography to dla-needed.txt - - - - - b7273199 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add python-django to dla-needed.txt - - - - - f00ec304 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add python-werkzeug to dla-needed.txt - - - - - bdad6aed by Markus Koschany at 2023-02-19T21:27:10+01:00 CVE-2022-4254,sssd: Mark Buster as no-dsa Minor issue - - - - - 493b9372 by Markus Koschany at 2023-02-19T21:27:12+01:00 CVE-2022-4254,sssd: Remove superfluous Bullseye entry The issue was fixed in 2.3.1 and Bullseye has 2.4.1 - - - - - 45bb9012 by Markus Koschany at 2023-02-19T21:27:12+01:00 LTS: add amanda to dla-needed.txt - - - - - 900565f6 by Markus Koschany at 2023-02-19T21:27:23+01:00 Claim nss in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2565,6 +2565,7 @@ CVE-2015-10073 (A vulnerability, which was classified as problematic, was found CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to ...) - harfbuzz (bug #1030612) [bullseye] - harfbuzz (Minor issue) + [buster] - harfbuzz (Minor issue) NOTE: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc CVE-2014-125086 (A vulnerability has been found in Gimmie Plugin 1.2.2 and classified a ...) NOT-FOR-US: Gimmie 
@@ -18036,7 +18037,7 @@ CVE-2022-4255 (An info leak issue was identified in all versions of GitLab EE fr - gitlab (Specific to EE) CVE-2022-4254 (sssd: libsss_certmap fails to sanitise certificate data used in LDAP f ...) - sssd 2.3.1-1 - [bullseye] - sssd (Minor issue) + [buster] - sssd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2149894 NOTE: https://github.com/SSSD/sssd/issues/5135 NOTE: https://github.com/SSSD/sssd/commit/a2b9a84460429181f2a4fa7e2bb5ab49fd561274 = data/dla-needed.txt = @@ -18,6 +18,11 @@ rather than remove/replace existing ones. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git -- +amanda + NOTE: 20230219: Programming language: C. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/amanda.git + NOTE: 20230219: Special attention: Privilege escalation. +-- apache2 (Lee Garrett) NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git @@ -57,6 +62,10 @@ firmware-nonfree NOTE: 20221211: Programming language: Binary blob NOTE: 20221211: VCS: https://salsa.debian.org/lts-team/packages/firmware-nonfree.git -- +freeradius + NOTE: 20230219: Programming language: C. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/freeradius.git +-- fusiondirectory NOTE: 20221203: Programming language: PHP. NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). @@ -103,6 +112,10 @@ imagemagick (Roberto C. Sánchez) NOTE: 20220904: Should be synced with Stretch. (apo) NOTE: 20221212: Integrated patches for 31 CVEs so far and continuing to work. (roberto) -- +intel-microcode + NOTE: 20230219: Programming language: Binary blob. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/intel-microcode.git +-- kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired) 
@@ -174,6 +187,10 @@ nodejs NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html -- +nss (Markus Koschany) + NOTE: 20230219: Programming language: C. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/nss.git +-- nvidia-graphics-drivers NOTE: 20221225: Programming language: binary blob. NOTE: 20230103: Cf. on-going discussion on nvidia support (Beuc/front-desk) @@ -216,10 +233,23 @@ puppet-module-puppetlabs-mysql NOTE: 20221107: Programming language: Puppet, Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git -- +python
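Review bot: the CVE-2022-4254 hunk swaps the bullseye no-dsa line for a buster one, and commit 493b9372 explains the bullseye removal (fixed in 2.3.1, bullseye ships 2.4.1), but nothing records why buster is rated "Minor issue". The visible description says libsss_certmap fails to sanitise certificate data used in LDAP filters, i.e. certificate-derived input reaching a query, so a NOTE stating the reasoning (for example which configurations are affected) next to the existing Red Hat bug and upstream fix-commit NOTEs would make the buster triage reviewable later.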
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-1471,snakeyaml: unimportant
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b5ce926 by Markus Koschany at 2023-02-19T17:30:56+01:00 CVE-2022-1471,snakeyaml: unimportant Snakeyaml is not designed to process untrusted YAML input. This has been clarified for users in version 1.33-2 with a README.Debian.security file. See also Debian bug #1030046 - - - - - 823329f4 by Markus Koschany at 2023-02-19T17:33:20+01:00 CVE-2022-41854,snakeyaml: fixed in 1.33-1 According to the Google fuzzer this issue was fixed between 20220911 and 20220912. Version 1.32 was released back then. The first version in Debian was 1.33-1 and I assume this is fixed now. According to the CVE description the parser would crash by stack overflow. A limit to the nesting depth of YAML files has been already introduced with other CVE fixes, so that shouldn't be a problem anymore. - - - - - 8cada0ea by Markus Koschany at 2023-02-19T17:38:31+01:00 CVE-2022-41854,snakeyaml: Buster is not affected because this issue was addressed in version 1.23-1+deb10u1. Bullseye will be fixed with a point update in the near future. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33392,7 +33392,8 @@ CVE-2022-41856 CVE-2022-41855 REJECTED CVE-2022-41854 (Those using Snakeyaml to parse untrusted YAML files may be vulnerable ...) - - snakeyaml + - snakeyaml 1.33-1 + [buster] - snakeyaml 1.23-1+deb10u1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355 TODO: check details CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb ...) 
@@ -66712,7 +66713,7 @@ CVE-2022-1473 (The OPENSSL_LH_flush() function, which empties a hash table, cont CVE-2022-1472 (The Better Find and Replace WordPress plugin before 1.3.6 does not pro ...) NOT-FOR-US: WordPress plugin CVE-2022-1471 (SnakeYaml's Constructor() class does not restrict types which can be i ...) - - snakeyaml + - snakeyaml (unimportant) NOTE: https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2 CVE-2022-1470 (The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 doe ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7810985b3197b87328b0961c533dab1911a47e9d...8cada0ea4fb8132e0d35bae7b26fd955f3a1fc5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7810985b3197b87328b0961c533dab1911a47e9d...8cada0ea4fb8132e0d35bae7b26fd955f3a1fc5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
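Review bot: the `TODO: check details` line under CVE-2022-41854 survives this push even though it now sets a fixed version (1.33-1) and a buster fixed version (1.23-1+deb10u1), and commit 823329f4 says the 1.33-1 mapping is an assumption derived from the oss-fuzz timeline (fixed between 20220911 and 20220912, version 1.32 released then). Either resolve the TODO or turn that reasoning into a NOTE so the fixed-version claim stays verifiable from the data file. Likewise, the `(unimportant)` rating on CVE-2022-1471 is justified only in commit 8b5ce926 (not designed to process untrusted YAML, README.Debian.security added in 1.33-2, bug #1030046); a NOTE citing the bug would let tracker users see the rationale.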
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add c-ares to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 49045c6b by Markus Koschany at 2023-02-18T23:52:59+01:00 LTS: add c-ares to dla-needed.txt - - - - - a51d6d54 by Markus Koschany at 2023-02-18T23:53:33+01:00 Reserve DLA-3323-1 for c-ares - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Feb 2023] DLA-3323-1 c-ares - security update + {CVE-2022-4904} + [buster] - c-ares 1.14.0-1+deb10u2 [18 Feb 2023] DLA-3322-1 golang-github-opencontainers-selinux - security update {CVE-2019-16884} [buster] - golang-github-opencontainers-selinux 1.0.0~rc1+git20170621.5.4a2974b-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ed63d00fa8c53fe54dbf90f2e1110af0dee427af...a51d6d54178fff1f1ca94572417aa1c8b1760534 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ed63d00fa8c53fe54dbf90f2e1110af0dee427af...a51d6d54178fff1f1ca94572417aa1c8b1760534 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
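Review bot: commit 49045c6b is titled "LTS: add c-ares to dla-needed.txt", but the push lists a single changed file, data/DLA/list, and the only hunk adds the DLA-3323-1 reservation for CVE-2022-4904 (buster c-ares 1.14.0-1+deb10u2). Either the dla-needed.txt change was left out of the commit or the message is misleading; if the DLA is being released directly without a dla-needed.txt entry, the message should say so.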
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add tiff to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d8a8ff27 by Markus Koschany at 2023-02-18T17:42:19+01:00 LTS: add tiff to dla-needed.txt - - - - - 2ea93210 by Markus Koschany at 2023-02-18T17:42:36+01:00 Claim tiff in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -318,6 +318,11 @@ thunderbird (Emilio) NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git NOTE: 20230205: Maintainer notes: Coordinate with maintainer -- +tiff (Markus Koschany) + NOTE: 20230218: Programming language: C. + NOTE: 20230218: VCS: https://salsa.debian.org/lts-team/packages/tiff.git + NOTE: 20230218: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html +-- tinymce NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6affaa070b98408530fd37d305b75198f855ef2a...2ea93210ecaae42818fb24ca2b470d6c6d32890b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6affaa070b98408530fd37d305b75198f855ef2a...2ea93210ecaae42818fb24ca2b470d6c6d32890b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5354-1 for snort
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6affaa07 by Markus Koschany at 2023-02-18T17:33:30+01:00 Reserve DSA-5354-1 for snort - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[18 Feb 2023] DSA-5354-1 snort - security update + {CVE-2020-3299 CVE-2020-3315 CVE-2021-1223 CVE-2021-1224 CVE-2021-1236 CVE-2021-1494 CVE-2021-1495 CVE-2021-34749 CVE-2021-40114} + [bullseye] - snort 2.9.20-0+deb11u1 [17 Feb 2023] DSA-5353-1 nss - security update {CVE-2023-0767} [bullseye] - nss 2:3.61-1+deb11u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6affaa070b98408530fd37d305b75198f855ef2a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6affaa070b98408530fd37d305b75198f855ef2a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3321-1 for gnutls28
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 05f03a39 by Markus Koschany at 2023-02-18T17:15:52+01:00 Reserve DLA-3321-1 for gnutls28 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Feb 2023] DLA-3321-1 gnutls28 - security update + {CVE-2023-0361} + [buster] - gnutls28 3.6.7-4+deb10u10 [17 Feb 2023] DLA-3320-1 webkit2gtk - security update {CVE-2023-23529} [buster] - webkit2gtk 2.38.5-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05f03a3988086cf9eed83a010cce6c92115d9e8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05f03a3988086cf9eed83a010cce6c92115d9e8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add golang-github-opencontainers-selinux to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fb5a8b1 by Markus Koschany at 2023-02-16T20:23:43+01:00 LTS: add golang-github-opencontainers-selinux to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,6 +78,10 @@ golang-github-nats-io-jwt NOTE: 20221109: Special attention: limited support, cf. buster release notes; not in bullseye NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-github-nats-io-jwt.git -- +golang-github-opencontainers-selinux (Sylvain Beucler) + NOTE: 20230216: Programming language: Go. + NOTE: 20230216: VCS: https://salsa.debian.org/lts-team/packages/golang-github-opencontainers-selinux.git +-- golang-go.crypto NOTE: 20220915: Programming language: Go. NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fb5a8b18f371e1c994a7431b4eba17e97c8b3b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fb5a8b18f371e1c994a7431b4eba17e97c8b3b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
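Review bot: the new golang-github-opencontainers-selinux entry carries Programming language and VCS notes but no "Special attention" line, whereas the neighbouring golang-github-nats-io-jwt entry records "limited support, cf. buster release notes; not in bullseye". Since the same limited-support caveat for Go packages in buster applies here, consider adding a matching Special attention note (and whether the package exists in bullseye) so whoever prepares the update is aware before starting.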
[Git][security-tracker-team/security-tracker][master] CVE-2023-0056,haproxy: Mark Buster as not-affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b4bf1212 by Markus Koschany at 2023-02-14T19:12:41+01:00 CVE-2023-0056,haproxy: Mark Buster as not-affected The interim response flag 1xx was added to the code later. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9096,6 +9096,7 @@ CVE-2023-0057 (Improper Restriction of Rendered UI Layers or Frames in GitHub re CVE-2023-0056 RESERVED - haproxy 2.6.8-1 + [buster] - haproxy (Vulnerable code introduced later) NOTE: https://github.com/haproxy/haproxy/issues/1972 NOTE: https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=84f5cba24f59b1c8339bb38323fcb01f434ba8e5 (v2.6.8) NOTE: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=038a7e8aeb1c5b90c18c55d2bcfb3aaa476bce89 (v2.2.27) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4bf12120dd0b03a9d21e809248854a023344482 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4bf12120dd0b03a9d21e809248854a023344482 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
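Review bot: the new `[buster] - haproxy (Vulnerable code introduced later)` tag is justified only in the commit message ("The interim response flag 1xx was added to the code later"). Please record that in a NOTE line beside the existing fix-commit NOTEs (v2.6.8 and v2.2.27), ideally naming the upstream commit that introduced the 1xx interim-response handling, so the not-affected claim for buster's haproxy 1.8 can be re-checked without digging through git history.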
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3318-1 for haproxy
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7de1aa7f by Markus Koschany at 2023-02-14T18:59:01+01:00 Reserve DLA-3318-1 for haproxy - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Feb 2023] DLA-3318-1 haproxy - security update + {CVE-2023-25725} + [buster] - haproxy 1.8.19-1+deb10u4 [11 Feb 2023] DLA-3317-1 snort - security update {CVE-2020-3299 CVE-2020-3315 CVE-2021-1223 CVE-2021-1224 CVE-2021-1236 CVE-2021-1494 CVE-2021-1495 CVE-2021-34749 CVE-2021-40114} [buster] - snort 2.9.20-0+deb10u1 = data/dla-needed.txt = @@ -97,11 +97,6 @@ golang-yaml.v2 NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- -haproxy (Markus Koschany) - NOTE: 20230207: Programming language: C. - NOTE: 20230207: VCS: https://salsa.debian.org/haproxy-team/haproxy.git - NOTE: 20230207: method was called h2_frt_decode_headers in buster (pochu) --- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7de1aa7fdf6f2ffe3004479cb4dc08cc046804b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7de1aa7fdf6f2ffe3004479cb4dc08cc046804b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim haproxy in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 33bfbda3 by Markus Koschany at 2023-02-11T00:25:50+01:00 Claim haproxy in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,7 +97,7 @@ golang-yaml.v2 NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- -haproxy +haproxy (Markus Koschany) NOTE: 20230207: Programming language: C. NOTE: 20230207: VCS: https://salsa.debian.org/haproxy-team/haproxy.git NOTE: 20230207: method was called h2_frt_decode_headers in buster (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33bfbda30264eea39fc65eac2b76ff38b5b9f93e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33bfbda30264eea39fc65eac2b76ff38b5b9f93e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3317-1 for snort
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cd6e2869 by Markus Koschany at 2023-02-11T00:16:34+01:00 Reserve DLA-3317-1 for snort - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Feb 2023] DLA-3317-1 snort - security update + {CVE-2020-3299 CVE-2020-3315 CVE-2021-1223 CVE-2021-1224 CVE-2021-1236 CVE-2021-1494 CVE-2021-1495 CVE-2021-34749 CVE-2021-40114} + [buster] - snort 2.9.20-0+deb10u1 [10 Feb 2023] DLA-3316-1 postgresql-11 - security update {CVE-2022-41862} [buster] - postgresql-11 11.19-0+deb10u1 = data/dla-needed.txt = @@ -303,13 +303,6 @@ snakeyaml NOTE: 20230120: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/snakeyaml.git -- -snort - NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored. - NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/snort.git - NOTE: 20230111: Programming language: C - NOTE: 20230121: Prepared new upstream version for unstable which we could - NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276 --- spip NOTE: 20230206: Programming language: PHP. NOTE: 20230206: Special attention: Please contact maintainer regarding VCS usage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd6e28690a04ce5c787c5f92a543013211c2b519 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd6e28690a04ce5c787c5f92a543013211c2b519 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
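Review bot: the removed dla-needed.txt entry for snort still said "Requires further triaging to conclude exactly which CVEs to be fixed or ignored", and this push touches only data/DLA/list and data/dla-needed.txt. If any CVE considered during that triage was dropped rather than fixed in 2.9.20-0+deb10u1, its `[buster]` tag in data/CVE/list needs a follow-up; the nine CVEs listed in DLA-3317-1 should match exactly the buster entries that now resolve to this version.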
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3314-1 for libsdl2
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 85d09bd6 by Markus Koschany at 2023-02-09T00:44:58+01:00 Reserve DLA-3314-1 for libsdl2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -10121,7 +10121,6 @@ CVE-2022-4744 CVE-2022-4743 (A potential memory leak issue was discovered in SDL2 in GLES_CreateTex ...) - libsdl2 2.26.0+dfsg-1 [bullseye] - libsdl2 (Minor issue) - [buster] - libsdl2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2156290 NOTE: https://github.com/libsdl-org/SDL/pull/6269 NOTE: Fixed by: https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b (prerelease-2.25.1) @@ -125975,7 +125974,6 @@ CVE-2021-33657 (There is a heap overflow problem in video/SDL_pixels.c in SDL (S [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.20+dfsg-2 [bullseye] - libsdl2 2.0.14+dfsg2-3+deb11u1 - [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9 (release-2.0.20) CVE-2021-33656 (When setting font with malicous data by ioctl cmd PIO_FONT,kernel will ...) @@ -204144,13 +204142,11 @@ CVE-2020-14410 (SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based b {DLA-2536-1} - libsdl1.2 (Only affects SDL2) - libsdl2 2.0.14+dfsg2-2 - [buster] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=5200 NOTE: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9 CVE-2020-14409 (SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow ...) {DLA-2536-1} - libsdl2 2.0.14+dfsg2-2 - [buster] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=5200 NOTE: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9 NOTE: Specific to SDL2, these checks were addresses in SDL 1.2 with CVE-2019-7637 
@@ -260560,7 +260556,6 @@ CVE-2019-13627 (It was discovered that there was a ECDSA timing attack in the li NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc31b314aafad6626b2894e86ee44d60 (1.8.5) CVE-2019-13626 (SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buff ...) - libsdl2 2.0.10+dfsg1-1 - [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) [jessie] - libsdl2 (Minor issue) - libsdl1.2 (Vulnerable code added later) @@ -260601,7 +260596,6 @@ CVE-2019-13617 (njs through 0.3.3, used in NGINX, has a heap-based buffer over-r CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-2804-1 DLA-2536-1} - libsdl2 2.0.10+dfsg1-1 - [buster] - libsdl2 (Minor issue) [jessie] - libsdl2 (can be fixed along with more important patches) - libsdl1.2 1.2.15+dfsg2-5 [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 @@ -279137,7 +279131,6 @@ CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 - libsdl2 2.0.10+dfsg1-1 (bug #924610) - [buster] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500 NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf @@ -279158,7 +279151,6 @@ CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 - libsdl2 2.0.10+dfsg1-1 (bug #924610) - [buster] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499 NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf (SDL-2) 
@@ -279167,7 +279159,6 @@ CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 - libsdl2 2.0.10+dfsg1-1 (bug #924610) - [buster] - libsdl2 (Minor issue) - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 @@ -279309,7 +279300,6 @@ CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 - libsdl2 2.0.10+dfsg1-1 (bug #924610) - [buster] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494 NOTE: https
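Review bot: this push removes `[buster] - libsdl2 (Minor issue)` from ten CVE entries (CVE-2022-4743, CVE-2021-33657, CVE-2020-14410, CVE-2020-14409, CVE-2019-13626, CVE-2019-13616, CVE-2019-7638, CVE-2019-7636, CVE-2019-7635, CVE-2019-7578, with the last hunk cut off in this message), but the data/DLA/list hunk for DLA-3314-1 is not shown. Please check that the DLA entry lists exactly these CVE ids: a buster tag removed without a matching DLA reference leaves the CVE showing as unfixed in buster, while a DLA listing a CVE whose tag was not removed keeps a stale no-dsa state.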
[Git][security-tracker-team/security-tracker][master] 2 commits: Update snort notes in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1479038b by Markus Koschany at 2023-01-21T23:06:22+01:00 Update snort notes in dla-needed.txt - - - - - 2499a371 by Markus Koschany at 2023-01-22T00:06:32+01:00 Claim libsdl2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,7 +129,7 @@ libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git -- -libsdl2 +libsdl2 (Markus Koschany) NOTE: 2022: Programming language: C. NOTE: 2022: Sync with jessie/stretch/bullseye (Beuc/front-desk) -- @@ -320,6 +320,8 @@ snort (Markus Koschany) NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/snort.git NOTE: 20230111: Programming language: C + NOTE: 20230121: Prepared new upstream version for unstable which we could + NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276 -- sox NOTE: 20220818: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4b20b8a6777ca21798563875ff23dd12be08488f...2499a371acc0f64062246a03064759f21ab2172d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4b20b8a6777ca21798563875ff23dd12be08488f...2499a371acc0f64062246a03064759f21ab2172d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim snort in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ff8c5d23 by Markus Koschany at 2023-01-20T17:56:20+01:00 Claim snort in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -316,7 +316,7 @@ snakeyaml NOTE: 20230120: There is ongoing upstream discussion at NOTE: 20230120: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 -- -snort +snort (Markus Koschany) NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/snort.git NOTE: 20230111: Programming language: C View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff8c5d23993b869a8c384f1315eb91e4873463b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff8c5d23993b869a8c384f1315eb91e4873463b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3277-1 for powerline-gitstatus
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 99db44e1 by Markus Koschany at 2023-01-20T17:40:43+01:00 Reserve DLA-3277-1 for powerline-gitstatus - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Jan 2023] DLA-3277-1 powerline-gitstatus - security update + {CVE-2022-42906} + [buster] - powerline-gitstatus 1.3.2-0+deb10u1 [19 Jan 2023] DLA-3276-1 lava - security update {CVE-2022-44641} [buster] - lava 2019.01-5+deb10u2 = data/dla-needed.txt = @@ -238,10 +238,6 @@ pluxml NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. -- -powerline-gitstatus (Markus Koschany) - NOTE: 20230105: Programming language: Python. - NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) --- protobuf NOTE: 20221031: Programming language: Several. NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99db44e109ae16862ee3efc92b51516d3fac4f39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99db44e109ae16862ee3efc92b51516d3fac4f39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update snakeyaml NOTE and claim powerline-gitstatus in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cc06d940 by Markus Koschany at 2023-01-20T00:30:48+01:00 Update snakeyaml NOTE and claim powerline-gitstatus in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -230,7 +230,7 @@ pluxml NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. -- -powerline-gitstatus +powerline-gitstatus (Markus Koschany) NOTE: 20230105: Programming language: Python. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- @@ -309,6 +309,8 @@ samba -- snakeyaml NOTE: 20230101: Programming language: Java. + NOTE: 20230120: There is ongoing upstream discussion at + NOTE: 20230120: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 -- snort NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc06d94050c7b8e5d65def945f50f75c9eb2de23 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc06d94050c7b8e5d65def945f50f75c9eb2de23 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3276-1 for lava
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ba9705ac by Markus Koschany at 2023-01-19T23:54:45+01:00 Reserve DLA-3276-1 for lava - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Jan 2023] DLA-3276-1 lava - security update + {CVE-2022-44641} + [buster] - lava 2019.01-5+deb10u2 [19 Jan 2023] DLA-3275-1 firefox-esr - security update {CVE-2022-46871 CVE-2022-46877 CVE-2023-23598 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605} [buster] - firefox-esr 102.7.0esr-1~deb10u1 = data/dla-needed.txt = @@ -110,10 +110,6 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired) -- -lava (Markus Koschany) - NOTE: 20221127: Programming language: Python. - NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/lava.git --- lemonldap-ng (guilhem) NOTE: 20230105: Programming language: Perl. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba9705ac064f7e089dd4188b81ec075625482231 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba9705ac064f7e089dd4188b81ec075625482231 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5323-1 for libitext5-java.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e8a38fa by Markus Koschany at 2023-01-19T23:34:29+01:00 Reserve DSA-5323-1 for libitext5-java. - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[19 Jan 2023] DSA-5323-1 libitext5-java - security update + {CVE-2021-43113} + [bullseye] - libitext5-java 5.5.13.2-1+deb11u1 [18 Jan 2023] DSA-5322-1 firefox-esr - security update {CVE-2022-46871 CVE-2022-46877 CVE-2023-23598 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605} [bullseye] - firefox-esr 102.7.0esr-1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e8a38fadd360c0c3187fb05f5b8d85ef47c99e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e8a38fadd360c0c3187fb05f5b8d85ef47c99e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim lava in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fce543a by Markus Koschany at 2023-01-18T23:29:34+01:00 Claim lava in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -112,7 +112,7 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired) -- -lava +lava (Markus Koschany) NOTE: 20221127: Programming language: Python. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/lava.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fce543ab730acf7eabc3d586b6a695349a99520 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fce543ab730acf7eabc3d586b6a695349a99520 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3273-1 for libitext5-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 93b105cc by Markus Koschany at 2023-01-18T22:59:23+01:00 Reserve DLA-3273-1 for libitext5-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Jan 2023] DLA-3273-1 libitext5-java - security update + {CVE-2021-43113} + [buster] - libitext5-java 5.5.13-1+deb10u1 [18 Jan 2023] DLA-3272-1 sudo - security update {CVE-2023-22809} [buster] - sudo 1.8.27-1+deb10u5 = data/dla-needed.txt = @@ -131,10 +131,6 @@ libde265 (tobi) NOTE: 20221215: CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411 adressed, remaining CVEs are unfixed upstream. (I've proposed a patch upstream, waiting for feeback) (tobi) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libde265.git -- -libitext5-java (Markus Koschany) - NOTE: 20221225: Programming language: Java. - NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libitext5-java.git --- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93b105ccf9612a98cc373a7a6afa0ea138efe5c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93b105ccf9612a98cc373a7a6afa0ea138efe5c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3268-1 for netty
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d6fe26eb by Markus Koschany at 2023-01-11T23:42:28+01:00 Reserve DLA-3268-1 for netty - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -90449,7 +90449,6 @@ CVE-2021-43798 (Grafana is an open-source platform for monitoring and observabil - grafana CVE-2021-43797 (Netty is an asynchronous event-driven network application framework fo ...) - netty 1:4.1.48-6 (bug #1001437) - [buster] - netty (Minor issue) [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq NOTE: https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (netty-4.1.71.Final) @@ -110930,13 +110929,11 @@ CVE-2021-37138 RESERVED CVE-2021-37137 (The Snappy frame decoder function doesn't restrict the chunk length wh ...) - netty 1:4.1.48-6 (bug #1014769) - [buster] - netty (Minor issue) [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 NOTE: Fixed by: https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f (netty-4.1.68.Final) CVE-2021-37136 (The Bzip2 decompression decoder function doesn't allow setting size re ...) - netty 1:4.1.48-6 (bug #1014769) - [buster] - netty (Minor issue) [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv NOTE: Fixed by: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 (netty-4.1.68.Final) = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Jan 2023] DLA-3268-1 netty - security update + {CVE-2021-37136 CVE-2021-37137 CVE-2021-43797 CVE-2022-41881 CVE-2022-41915} + [buster] - netty 1:4.1.33-1+deb10u3 [11 Jan 2023] DLA-3267-1 libxstream-java - security update {CVE-2022-41966} [buster] - libxstream-java 1.4.11.1-1+deb10u4 = data/dla-needed.txt = 
@@ -170,11 +170,6 @@ netatalk NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk) -- -netty (Markus Koschany) - NOTE: 20221225: Programming language: Java. - NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/netty.git - NOTE: 20221225: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/netty.html --- nextcloud-desktop NOTE: 20221128: Programming language: C++. NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6fe26ebdd7da582c7dd1db2135dde2457204c8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6fe26ebdd7da582c7dd1db2135dde2457204c8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
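Review bot: the three `[buster] - netty (Minor issue)` lines dropped from data/CVE/list are exactly the 2021 entries that carried a postponed marker; CVE-2022-41881 and CVE-2022-41915, which DLA-3268-1 also covers, never had a buster marker, so no further CVE/list cleanup is needed for buster. The `[stretch] - netty (Minor issue)` lines are left in place; confirm that is intended, since the DLA only ships 1:4.1.33-1+deb10u3 for buster and the stretch entries will otherwise keep showing as postponed.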
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3267-1 for libxstream-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d55dd260 by Markus Koschany at 2023-01-11T23:40:25+01:00 Reserve DLA-3267-1 for libxstream-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Jan 2023] DLA-3267-1 libxstream-java - security update + {CVE-2022-41966} + [buster] - libxstream-java 1.4.11.1-1+deb10u4 [11 Jan 2023] DLA-3266-1 viewvc - security update {CVE-2023-22456 CVE-2023-22464} [buster] - viewvc 1.1.26-1+deb10u1 = data/dla-needed.txt = @@ -147,11 +147,6 @@ libsdl2 libstb NOTE: 2022: Programming language: C. -- -libxstream-java - NOTE: 20221231: Programming language: Java. - NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/libxstream-java.git - NOTE: 20221231: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/libxstream-java.html --- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d55dd2607d695d1469577091d34509349b5f0e82 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d55dd2607d695d1469577091d34509349b5f0e82 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-5315-1 libxstream-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 179ca9bd by Markus Koschany at 2023-01-11T23:23:33+01:00 Reserve DSA-5315-1 libxstream-java - - - - - a3c975ce by Markus Koschany at 2023-01-11T23:24:43+01:00 Reserve DSA-5316-1 netty - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -90449,7 +90449,6 @@ CVE-2021-43798 (Grafana is an open-source platform for monitoring and observabil - grafana CVE-2021-43797 (Netty is an asynchronous event-driven network application framework fo ...) - netty 1:4.1.48-6 (bug #1001437) - [bullseye] - netty (Minor issue) [buster] - netty (Minor issue) [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq @@ -110931,14 +110930,12 @@ CVE-2021-37138 RESERVED CVE-2021-37137 (The Snappy frame decoder function doesn't restrict the chunk length wh ...) - netty 1:4.1.48-6 (bug #1014769) - [bullseye] - netty (Minor issue) [buster] - netty (Minor issue) [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 NOTE: Fixed by: https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f (netty-4.1.68.Final) CVE-2021-37136 (The Bzip2 decompression decoder function doesn't allow setting size re ...) - netty 1:4.1.48-6 (bug #1014769) - [bullseye] - netty (Minor issue) [buster] - netty (Minor issue) [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv = data/DSA/list = 
@@ -1,3 +1,9 @@ +[11 Jan 2023] DSA-5316-1 netty - security update + {CVE-2021-37136 CVE-2021-37137 CVE-2021-43797 CVE-2022-41881 CVE-2022-41915} + [bullseye] - netty 1:4.1.48-4+deb11u1 +[11 Jan 2023] DSA-5315-1 libxstream-java - security update + {CVE-2022-41966} + [bullseye] - libxstream-java 1.4.15-3+deb11u2 [11 Jan 2023] DSA-5314-1 emacs - security update {CVE-2022-45939} [bullseye] - emacs 1:27.1+1-3.1+deb11u1 = data/dsa-needed.txt = @@ -20,8 +20,6 @@ frr lava Maintainer will prepare updates -- -libxstream-java (apo) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b7f651ab74ba250f51e8b972869f25dd3197d82...a3c975ce4d295451ae4ab4cc28961407abbe4465 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b7f651ab74ba250f51e8b972869f25dd3197d82...a3c975ce4d295451ae4ab4cc28961407abbe4465 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
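Review bot: the `[bullseye] - netty (Minor issue)` markers are removed for CVE-2021-37136, CVE-2021-37137 and CVE-2021-43797 to match DSA-5316-1, but only `libxstream-java (apo)` is taken out of dsa-needed.txt; netty had no entry there (the surrounding context lists frr, lava, libxstream-java, linux), so nothing is left dangling. The bullseye fix is recorded as 1:4.1.48-4+deb11u1 while unstable carries 1:4.1.48-6, so the DSA text should make clear that the stable update backports the five fixes onto the existing 4.1.48-4 package rather than shipping the unstable revision.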
[Git][security-tracker-team/security-tracker][master] CVE-2022-41966,libxstream-java: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f216301 by Markus Koschany at 2023-01-11T14:05:01+01:00 CVE-2022-41966,libxstream-java: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24351,7 +24351,7 @@ CVE-2022-41968 (Nextcloud Server is an open source personal cloud server. Prior CVE-2022-41967 (Dragonfly is a Java runtime dependency management library. Dragonfly v ...) NOT-FOR-US: Dragonfly CVE-2022-41966 (XStream serializes Java objects to XML and back again. Versions prior ...) - - libxstream-java (bug #1027754) + - libxstream-java 1.4.20-1 (bug #1027754) NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv NOTE: https://x-stream.github.io/CVE-2022-41966.html NOTE: Fixed by: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391 (XSTREAM_1_4_20) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f21630108af7b3af98ad819de4dd658cc51ee91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f21630108af7b3af98ad819de4dd658cc51ee91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim libxstream-java in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c5733ce5 by Markus Koschany at 2023-01-11T00:37:14+01:00 Claim libxstream-java in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -21,7 +21,7 @@ frr -- lava -- -libxstream-java +libxstream-java (apo) -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5733ce526bbe703505702c1b7ae8ffc32aeee24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5733ce526bbe703505702c1b7ae8ffc32aeee24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-5312-1 for libjettison-java.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d52efcca by Markus Koschany at 2023-01-10T23:56:35+01:00 Reserve DSA-5312-1 for libjettison-java. - - - - - a920ba6e by Markus Koschany at 2023-01-10T23:57:39+01:00 Reserve DSA-5313-1 for hsqldb - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[10 Jan 2023] DSA-5313-1 hsqldb - security update + {CVE-2022-41853} + [bullseye] - hsqldb 2.5.1-1+deb11u1 +[10 Jan 2023] DSA-5312-1 libjettison-java - security update + {CVE-2022-40149 CVE-2022-40150 CVE-2022-45685 CVE-2022-45693} + [bullseye] - libjettison-java 1.5.3-1~deb11u1 [08 Jan 2023] DSA-5311-1 trafficserver - security update {CVE-2022-32749 CVE-2022-37392} [bullseye] - trafficserver 8.1.6+ds-1~deb11u1 = data/dsa-needed.txt = @@ -19,8 +19,6 @@ emacs (jmm) -- frr -- -hsqldb (apo) --- lava -- libxstream-java View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d4b949564d8dbd0556d64b21474c6e285014a06d...a920ba6e9982941d87a3a733437859d4150cc76d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d4b949564d8dbd0556d64b21474c6e285014a06d...a920ba6e9982941d87a3a733437859d4150cc76d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
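Review bot: `hsqldb (apo)` is removed from dsa-needed.txt, but libjettison-java never had an entry there, so the dsa-needed hunk is complete as written. Note the different version styles: hsqldb 2.5.1-1+deb11u1 is a patched rebuild of the bullseye package, whereas libjettison-java 1.5.3-1~deb11u1 is the 1.5.3-1 upload that fixed unstable rebuilt for bullseye, i.e. a new upstream release rather than a targeted patch; the DSA text for libjettison-java should say so.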
[Git][security-tracker-team/security-tracker][master] CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-41881, CVE-2022-41915, netty
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9dcadd10 by Markus Koschany at 2023-01-01T23:16:55+01:00 CVE-2021-37136,CVE-2021-37137,CVE-2021-43797,CVE-2022-41881,CVE-2022-41915,netty fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22417,7 +22417,7 @@ CVE-2022-41916 (Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. V NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-mgqr-gvh6-23cx NOTE: https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c (heimdal-7.7.1) CVE-2022-41915 (Netty project is an event-driven asynchronous network application fram ...) - - netty (bug #1027180) + - netty 1:4.1.48-6 (bug #1027180) NOTE: https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp NOTE: Fixed by https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 CVE-2022-41914 (Zulip is an open-source team collaboration tool. For organizations wit ...) @@ -22494,7 +22494,7 @@ CVE-2022-41882 (The Nextcloud Desktop Client is a tool to synchronize files from NOTE: https://github.com/nextcloud/server/pull/34559 TODO: check details, is owncloud-client similarly affected? CVE-2022-41881 (Netty project is an event-driven asynchronous network application fram ...) - - netty (bug #1027180) + - netty 1:4.1.48-6 (bug #1027180) NOTE: https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v NOTE: Fixed by https://github.com/netty/netty/commit/cd91cf3c99123bd1e53fd6a1de0e3d1922f05bb2 CVE-2022-41880 (TensorFlow is an open source platform for machine learning. When the ` ...) 
@@ -87774,7 +87774,7 @@ CVE-2021-43799 (Zulip is an open-source team collaboration tool. Zulip Server in CVE-2021-43798 (Grafana is an open-source platform for monitoring and observability. G ...) - grafana CVE-2021-43797 (Netty is an asynchronous event-driven network application framework fo ...) - - netty (bug #1001437) + - netty 1:4.1.48-6 (bug #1001437) [bullseye] - netty (Minor issue) [buster] - netty (Minor issue) [stretch] - netty (Minor issue) @@ -108251,14 +108251,14 @@ CVE-2021-37139 CVE-2021-37138 RESERVED CVE-2021-37137 (The Snappy frame decoder function doesn't restrict the chunk length wh ...) - - netty (bug #1014769) + - netty 1:4.1.48-6 (bug #1014769) [bullseye] - netty (Minor issue) [buster] - netty (Minor issue) [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 NOTE: Fixed by: https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f (netty-4.1.68.Final) CVE-2021-37136 (The Bzip2 decompression decoder function doesn't allow setting size re ...) - - netty (bug #1014769) + - netty 1:4.1.48-6 (bug #1014769) [bullseye] - netty (Minor issue) [buster] - netty (Minor issue) [stretch] - netty (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9dcadd10b32c29b3b837e79432921a1730b91845 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9dcadd10b32c29b3b837e79432921a1730b91845 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
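Review bot: all five CVEs now record 1:4.1.48-6 as the unstable fix, but the `[bullseye]`/`[buster] - netty (Minor issue)` postponement markers on CVE-2021-37136, CVE-2021-37137 and CVE-2021-43797 remain in the hunk context. If an update for the stable suites is planned (netty is claimed in dla-needed.txt), those markers need to be dropped so the suites show as vulnerable rather than postponed; if not, the postponed state still stands and nothing further is needed here.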
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-41881,netty: Link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c4a685e5 by Markus Koschany at 2023-01-01T19:07:24+01:00 CVE-2022-41881,netty: Link to fixing commit - - - - - 18eefb99 by Markus Koschany at 2023-01-01T19:10:06+01:00 CVE-2022-41915,netty: Link to fixing commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22395,6 +22395,7 @@ CVE-2022-41916 (Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. V CVE-2022-41915 (Netty project is an event-driven asynchronous network application fram ...) - netty (bug #1027180) NOTE: https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp + NOTE: Fixed by https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 CVE-2022-41914 (Zulip is an open-source team collaboration tool. For organizations wit ...) NOT-FOR-US: Zulip CVE-2022-41913 (Discourse-calendar is a plugin for the Discourse messaging platform wh ...) 
@@ -22471,6 +22472,7 @@ CVE-2022-41882 (The Nextcloud Desktop Client is a tool to synchronize files from CVE-2022-41881 (Netty project is an event-driven asynchronous network application fram ...) - netty (bug #1027180) NOTE: https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v + NOTE: Fixed by https://github.com/netty/netty/commit/cd91cf3c99123bd1e53fd6a1de0e3d1922f05bb2 CVE-2022-41880 (TensorFlow is an open source platform for machine learning. When the ` ...) - tensorflow (bug #804612) CVE-2022-41879 (Parse Server is an open source backend that can be deployed to any inf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b6534f126f121adf1f6864a0025f18df4b0191e...18eefb99268cd90420e582d2f6fd37d629016256 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b6534f126f121adf1f6864a0025f18df4b0191e...18eefb99268cd90420e582d2f6fd37d629016256 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
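Review bot: the two new NOTE lines use `NOTE: Fixed by https://...` without a colon and without an upstream release tag, whereas the existing netty entries use the form `NOTE: Fixed by: https://github.com/netty/netty/commit/... (netty-4.1.68.Final)`. Matching that style, and appending the tag of the Netty release that first contains each commit, makes it much quicker to check whether a given stable version already carries the fix.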
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3259-1 for libjettison-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b3a5378a by Markus Koschany at 2022-12-31T18:17:33+01:00 Reserve DLA-3259-1 for libjettison-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3259-1 libjettison-java - security update + {CVE-2022-40150 CVE-2022-45685 CVE-2022-45693} + [buster] - libjettison-java 1.5.3-1~deb10u1 [31 Dec 2022] DLA-3258-1 node-loader-utils - security update {CVE-2022-37601} [buster] - node-loader-utils 1.1.0-2+deb10u1 = data/dla-needed.txt = @@ -117,10 +117,6 @@ libetpan (Utkarsh) libitext5-java (Markus Koschany) NOTE: 20221225: Programming language: Java. -- -libjettison-java (Markus Koschany) - NOTE: 20221225: Programming language: Java. - NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/libjettison-java.git --- libreoffice NOTE: 20221012: Programming language: C++. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3a5378ab2a47dc47d8eb7ae482375bde82d57cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3a5378ab2a47dc47d8eb7ae482375bde82d57cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
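Review bot: DLA-3259-1 lists CVE-2022-40150, CVE-2022-45685 and CVE-2022-45693, but the bullseye advisory for the same package, DSA-5312-1, additionally lists CVE-2022-40149. Either CVE-2022-40149 does not affect buster's version or it is missing from this DLA; a dated NOTE on the CVE-2022-40149 entry recording which case applies would settle the question in the tracker rather than leaving it to be re-derived.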
[Git][security-tracker-team/security-tracker][master] CVE-2022-40150, CVE-2022-45685, CVE-2022-45693,libjettison-java: fixed in
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e90802f by Markus Koschany at 2022-12-31T11:30:13+01:00 CVE-2022-40150, CVE-2022-45685, CVE-2022-45693,libjettison-java: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9048,7 +9048,7 @@ CVE-2022-45695 CVE-2022-45694 RESERVED CVE-2022-45693 (Jettison before v1.5.2 was discovered to contain a stack overflow via ...) - - libjettison-java + - libjettison-java 1.5.3-1 NOTE: https://github.com/jettison-json/jettison/issues/52 CVE-2022-45692 RESERVED @@ -9065,7 +9065,7 @@ CVE-2022-45687 CVE-2022-45686 RESERVED CVE-2022-45685 (A stack overflow in Jettison before v1.5.2 allows attackers to cause a ...) - - libjettison-java + - libjettison-java 1.5.3-1 NOTE: https://github.com/jettison-json/jettison/issues/54 CVE-2022-45684 RESERVED @@ -26728,7 +26728,7 @@ CVE-2022-40151 (Those using Xstream to seralize XML data may be vulnerable to De - libxstream-java NOTE: https://github.com/x-stream/xstream/issues/304 CVE-2022-40150 (Those using Jettison to parse untrusted XML or JSON data may be vulner ...) - - libjettison-java (bug #1022553) + - libjettison-java 1.5.3-1 (bug #1022553) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549 NOTE: https://github.com/jettison-json/jettison/issues/45 CVE-2022-40149 (Those using Jettison to parse untrusted XML or JSON data may be vulner ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e90802f61721ac20a140ba880f96239c1c96ebb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e90802f61721ac20a140ba880f96239c1c96ebb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
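Review bot: the trailing context of the last hunk shows the start of the CVE-2022-40149 entry (also a Jettison parsing issue) but not its package line, which lies outside the diff. If 1.5.3-1 fixes it as well, as the bullseye DSA-5312-1 that lists it suggests, the same fixed version should be recorded on that entry in this commit rather than left for a later pass.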
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5307-1 libcommons-net-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f62c0be by Markus Koschany at 2022-12-29T22:08:33+01:00 Reserve DSA-5307-1 libcommons-net-java - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[29 Dec 2022] DSA-5307-1 libcommons-net-java - security update + {CVE-2021-37533} + [bullseye] - libcommons-net-java 3.6-1+deb11u1 [27 Dec 2022] DSA-5306-1 gerbv - security update {CVE-2021-40393 CVE-2021-40394 CVE-2021-40401 CVE-2021-40403} [bullseye] - gerbv 2.7.0-2+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f62c0be03a0bb5162c2c4d5442530ad94396030 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f62c0be03a0bb5162c2c4d5442530ad94396030 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim libjettison-java, libitext5-java and netty and dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f9345f84 by Markus Koschany at 2022-12-29T21:46:39+01:00 Claim libjettison-java, libitext5-java and netty and dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,10 +118,10 @@ libetpan (Utkarsh) NOTE: 20221203: Programming language: C++. NOTE: 20221203: VCS: https://salsa.debian.org/lts-team/packages/libetpan.git -- -libitext5-java +libitext5-java (Markus Koschany) NOTE: 20221225: Programming language: Java. -- -libjettison-java +libjettison-java (Markus Koschany) NOTE: 20221225: Programming language: Java. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/libjettison-java.git -- @@ -160,7 +160,7 @@ netatalk (gladk) NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk) -- -netty +netty (Markus Koschany) NOTE: 20221225: Programming language: Java. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/netty.git NOTE: 20221225: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/netty.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9345f8436ee26bc344d5610b46871fe2ad3a8e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9345f8436ee26bc344d5610b46871fe2ad3a8e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3251-1 for libcommons-net-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ca527e7 by Markus Koschany at 2022-12-29T21:39:10+01:00 Reserve DLA-3251-1 for libcommons-net-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Dec 2022] DLA-3251-1 libcommons-net-java - security update + {CVE-2021-37533} + [buster] - libcommons-net-java 3.6-1+deb10u1 [29 Dec 2022] DLA-3250-1 multipath-tools - security update {CVE-2022-41973 CVE-2022-41974} [buster] - multipath-tools 0.7.9-3+deb10u2 = data/dla-needed.txt = @@ -108,9 +108,6 @@ lava libapreq2 NOTE: 20221031: Programming language: C. -- -libcommons-net-java - NOTE: 20221225: Programming language: Java. --- libde265 NOTE: 20221107: Programming language: C++. NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ca527e73b5e0bacd5d910f15b2f5805f4710a2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ca527e73b5e0bacd5d910f15b2f5805f4710a2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
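Review bot: the data/dla-needed.txt hunk (@@ -108,9 +108,6 @@) removes the libcommons-net-java block, which was never claimed (no name after the package), while the data/DLA/list hunk adds DLA-3251-1 with buster 3.6-1+deb10u1 for CVE-2021-37533; data/CVE/list is not among the "2 changed files", so the {DLA-3251-1} cross-reference on the CVE entry is still outstanding. Suggest adding it with the release, and noting in the DLA text that 3.6-1+deb10u1 is a backport of the upstream 3.9.0 fix rather than a version bump.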
[Git][security-tracker-team/security-tracker][master] Claim hsqldb in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ce31cdfb by Markus Koschany at 2022-12-29T21:04:46+01:00 Claim hsqldb in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -17,7 +17,7 @@ curl -- frr -- -hsqldb +hsqldb (Markus Koschany) -- lava -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce31cdfb6c135ec3fa9731761f94a8b2b6f41ece -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce31cdfb6c135ec3fa9731761f94a8b2b6f41ece You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-37533,libcommons-net-java: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b5b0644f by Markus Koschany at 2022-12-27T17:14:55+01:00 CVE-2021-37533,libcommons-net-java: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -106025,7 +106025,7 @@ CVE-2021-37535 (SAP NetWeaver Application Server Java (JMS Connector Service) - CVE-2021-37534 (app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when ...) NOT-FOR-US: MISP CVE-2021-37533 (Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host fr ...) - - libcommons-net-java (bug #1025910) + - libcommons-net-java 3.9.0-1 (bug #1025910) NOTE: https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 NOTE: https://issues.apache.org/jira/browse/NET-711 NOTE: https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974 (commons-net-3.9.0-RC1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5b0644f72a14702b4ab027b04b9971adde8ba57 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5b0644f72a14702b4ab027b04b9971adde8ba57 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
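Review bot: the fixed-version line now reads "- libcommons-net-java 3.9.0-1 (bug #1025910)", which agrees with the upstream fix reference in the NOTE lines (commit b0bff89f70cfea70009e22f87639816cc3993974, tagged commons-net-3.9.0-RC1). The entry still carries no [bullseye] or [buster] sub-line, so both releases remain implicitly vulnerable in the tracker with no recorded triage; recording the no-dsa/postponed decision or the pending advisory in the same change would avoid leaving the entry half-triaged.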
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-46392,mbedtls: mark Buster as postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a1370ab8 by Markus Koschany at 2022-12-25T22:52:27+01:00 CVE-2022-46392,mbedtls: mark Buster as postponed Minor issue because an attacker must be able to observe the victim performing a single private-key operation / control the entire operating system which is very hard to achieve. The vulnerable code is most likely in library/bignum.c - - - - - 3d87aedf by Markus Koschany at 2022-12-26T00:27:38+01:00 Reserve DLA-3249-1 for mbedtls - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5765,7 +5765,9 @@ CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443 CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...) - mbedtls 2.28.2-1 + [buster] - mbedtls (Minor issue) NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 + NOTE: Issue is most likely related to library/bignum.c and the mbedtls_mpi_exp_mod function. CVE-2022-46391 (AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to print ...) {DLA-3225-1} - awstats 7.8-3 (bug #1025410) 
@@ -107695,30 +107697,24 @@ CVE-2020-36427 (GNOME gThumb before 3.10.1 allows an application crash via a mal NOTE: Crash in CLI tool, no security impact CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_cr ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) NOTE: https://github.com/ARMmbed/mbedtls/issues/3340 NOTE: https://github.com/ARMmbed/mbedtls/pull/3433 CVE-2020-36424 (An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2 CVE-2020-36423 (An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attack ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) CVE-2020-36422 (An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) CVE-2020-36421 (An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a si ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) NOTE: https://github.com/ARMmbed/mbedtls/issues/3394 CVE-2021-36774 (Apache Kylin allows users to read data from other database systems usi ...) @@ -139630,7 +139626,6 @@ CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerabilit {DLA-2826-1} - mbedtls 2.16.11-0.1 [bullseye] - mbedtls (Minor issue) - [buster] - mbedtls (Minor issue) NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0 CVE-2021-24118 RESERVED 
@@ -188531,7 +188526,6 @@ CVE-2020-16151 RESERVED CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/s ...) - mbedtls 2.16.9-0.1 (bug #972806) - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 CVE-2020-16149 @@ -204034,7 +204028,6 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4) CVE-2020-10941 (Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive inform ...) - mbedtls 2.16.5-1 - [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...) @@ -204078,7 +204071,6 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...) - mbedtls 2.16.9-0.1 (bug #963159) - [buster] - mbedtls (Minor issue) [stretch
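Review bot: the NOTE added in the @@ -5765,7 +5765,9 @@ hunk ("Issue is most likely related to library/bignum.c and the mbedtls_mpi_exp_mod function") is a guess, and unlike the CVE-2022-46393 entry directly above it, which carries "NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443", CVE-2022-46392 has no upstream fix commit linked. Without that link the "[buster] - mbedtls (Minor issue)" assessment cannot be checked against the actual patch; suggest linking the fix commit and turning the note into a "Fixed by ..." line once confirmed.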
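Review bot: the remaining hunks (@@ -107695, @@ -139630, @@ -188531, @@ -204034, @@ -204078) drop "[buster] - mbedtls (Minor issue)" from CVE-2020-36421 through CVE-2020-36426, CVE-2021-24119, CVE-2020-16150, CVE-2020-10941 and CVE-2020-10932 while keeping the [stretch] lines, which is consistent with DLA-3249-1 covering buster; none of these ten entries gains a {DLA-3249-1} tag in this diff, and the data/DLA/list and data/dla-needed.txt hunks listed under "3 changed files" are cut off in this rendering, so the DLA's CVE set could not be compared with the removals here. Please confirm the DLA lists exactly these ten CVEs and that the cross-reference lands at release time.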
[Git][security-tracker-team/security-tracker][master] CVE-2022-46393,mbedtls: buster and bullseye are not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 05d5d72c by Markus Koschany at 2022-12-25T22:15:49+01:00 CVE-2022-46393,mbedtls: buster and bullseye are not affected Correct wrong entry CVE-2022-46393 <-> CVE-2022-46392 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5758,14 +5758,14 @@ CVE-2022-46395 CVE-2022-46394 RESERVED CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...) - - mbedtls 2.28.2-1 - NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 -CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...) - mbedtls 2.28.2-1 [bullseye] - mbedtls (The vulnerable code was introduced later) [buster] - mbedtls (The vulnerable code was introduced later) NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443 +CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...) + - mbedtls 2.28.2-1 + NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 CVE-2022-46391 (AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to print ...) {DLA-3225-1} - awstats 7.8-3 (bug #1025410) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05d5d72cc2db5f09333c6b1d5f0bac4ff037c8a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05d5d72cc2db5f09333c6b1d5f0bac4ff037c8a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
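Review bot: after the swap in the @@ -5758,14 +5758,14 @@ hunk, CVE-2022-46393 correctly receives the "[bullseye]/[buster] - mbedtls (The vulnerable code was introduced later)" lines and the "Fixed by ...f385fcebee017973cf4137333628a78248f1f443" note, but CVE-2022-46392 is left with only "- mbedtls 2.28.2-1" and the release-tag URL: no bullseye or buster status and no fix reference. Both releases therefore show as vulnerable for CVE-2022-46392 with no triage recorded; the buster/bullseye decision should go in the same or an immediate follow-up commit.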
[Git][security-tracker-team/security-tracker][master] LTS: add openimageio to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 42c380ea by Markus Koschany at 2022-12-25T20:22:56+01:00 LTS: add openimageio to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -219,6 +219,10 @@ nodejs nvidia-graphics-drivers NOTE: 20221225: Programming language: binary blob. -- +openimageio + NOTE: 20221225: Programming language: C. + NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git +-- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42c380ea744dd969130f1556604a142f3efeab00 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42c380ea744dd969130f1556604a142f3efeab00 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
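Review bot: the new openimageio block in the @@ -219,6 +219,10 @@ hunk records only the programming language and the VCS URL; the neighbouring php-cas entry shows the more useful pattern of a triage note ("The fix is not backwards compatible. Should be investigated further ..."). Consider adding which issues are outstanding for buster and whether an upstream fix exists, so the next person to claim the package does not start from scratch.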
[Git][security-tracker-team/security-tracker][master] 18 commits: CVE-2022-46393,mbedtls: Buster and Bullseye are not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 73685136 by Markus Koschany at 2022-12-25T20:12:28+01:00 CVE-2022-46393,mbedtls: Buster and Bullseye are not affected The vulnerable code was introduced later - - - - - 33d7a2d3 by Markus Koschany at 2022-12-25T20:12:29+01:00 CVE-2022-3109,ffmpeg: buster postponed - - - - - 17c970e4 by Markus Koschany at 2022-12-25T20:12:30+01:00 LTS: add xorg-server to dla-needed.txt - - - - - 0d394729 by Markus Koschany at 2022-12-25T20:12:31+01:00 CVE-2022-43272,dcmtk: buster / no-dsa Minor issue - - - - - 4916e729 by Markus Koschany at 2022-12-25T20:12:32+01:00 CVE-2021-4249,haskell-xml-conduit: buster no-dsa Minor issue - - - - - 636a6e4f by Markus Koschany at 2022-12-25T20:12:33+01:00 CVE-2021-4243,jquery-minicolors: buster is no-dsa Minor issue - - - - - fa44a943 by Markus Koschany at 2022-12-25T20:12:34+01:00 CVE-2022-23527,libapache2-mod-auth-openidc: buster is no-dsa Minor issue - - - - - d427ca54 by Markus Koschany at 2022-12-25T20:12:35+01:00 CVE-2020-36619,multimon-ng: buster is no-dsa - - - - - 9c1906c5 by Markus Koschany at 2022-12-25T20:12:35+01:00 LTS: add nvidia-graphics-drivers to dla-needed.txt - - - - - 52e7c0ab by Markus Koschany at 2022-12-25T20:12:36+01:00 CVE-2022-4427,buster: otrs2 no-dsa - - - - - 81316d19 by Markus Koschany at 2022-12-25T20:12:37+01:00 CVE-2022-24439,python-git: buster is no-dsa Minor issue - - - - - 78da581b by Markus Koschany at 2022-12-25T20:12:38+01:00 wireshark,TEMP CVE, buster postponed - - - - - df69a44f by Markus Koschany at 2022-12-25T20:12:38+01:00 LTS: add exuberant-ctags to dla-needed.txt - - - - - ff882d66 by Markus Koschany at 2022-12-25T20:12:39+01:00 LTS: add libcommons-net-java to dla-needed.txt - - - - - b5e4733f by Markus Koschany at 2022-12-25T20:12:39+01:00 LTS: add libitext5-java to dla-needed.txt - - - - - f72541c0 by Markus Koschany at 2022-12-25T20:12:39+01:00 LTS: add libjettison-java to dla-needed.txt - - - - - 
f0874b72 by Markus Koschany at 2022-12-25T20:12:39+01:00 LTS: add netty to dla-needed.txt - - - - - 174b3d71 by Markus Koschany at 2022-12-25T20:12:39+01:00 LTS: add xrdp to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1338,6 +1338,7 @@ CVE-2021-4258 (** DISPUTED ** A vulnerability was found in whohas. It has been r CVE-2020-36619 (A vulnerability was found in multimon-ng. It has been rated as critica ...) - multimon-ng 1.2.0+dfsg-1 [bullseye] - multimon-ng (Minor issue) + [buster] - multimon-ng (Minor issue) NOTE: https://github.com/EliasOenal/multimon-ng/commit/e5a51c508ef952e81a6da25b43034dd1ed023c07 (1.2.0) NOTE: https://github.com/EliasOenal/multimon-ng/pull/160 CVE-2020-36618 (A vulnerability classified as critical has been found in Furqan node-w ...) @@ -1435,6 +1436,7 @@ CVE-2022-4592 (A vulnerability was found in luckyshot CRMx and classified as cri CVE-2021-4249 (A vulnerability was found in xml-conduit. It has been classified as pr ...) - haskell-xml-conduit 1.9.1.1-1 [bullseye] - haskell-xml-conduit (Minor issue) + [buster] - haskell-xml-conduit (Minor issue) NOTE: https://github.com/snoyberg/xml/pull/161/commits/2274b3c26fda7406337ce47cdfd862ef187694e2 NOTE: https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea (xml-conduit/1.9.1.0) CVE-2021-4248 (A vulnerability was found in kapetan dns up to 6.1.0. It has been rate ...) @@ -4201,6 +4203,7 @@ CVE-2022-4427 (Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG - znuny 6.4.5-1 - otrs2 [bullseye] - otrs2 (Non-free not supported) + [buster] - otrs2 (Non-free not supported) NOTE: https://www.znuny.org/en/advisories/zsa-2022-07 CVE-2022-4426 RESERVED 
@@ -4227,15 +4230,18 @@ CVE-2021-4244 (A vulnerability classified as problematic has been found in yikes CVE-2021-4243 (A vulnerability was found in claviska jquery-minicolors up to 2.3.5. I ...) - jquery-minicolors (bug #1026050) [bullseye] - jquery-minicolors (Minor issue) + [buster] - jquery-minicolors (Minor issue) NOTE: https://github.com/claviska/jquery-minicolors/releases/tag/2.3.6 NOTE: https://github.com/claviska/jquery-minicolors/commit/ef134824a7f4110ada53ea6c173111a4fa2f48f3 CVE-2022- [The BPv6, OpenFlow, and Kafka protocol dissectors could go into an infinite loops] - wireshark 4.0.2-1 [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2022-09.html CVE-2022- [The Kafka dissector could consume excessive amounts of memory] - wireshark 4.0.2-1 [bullseye] - wireshark (Minor issue) + [buster] - wireshark
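Review bot: for the two wireshark TEMP entries in the @@ -4227,15 +4230,18 @@ hunk the commit title says "buster postponed", but the added lines read "[buster] - wireshark (Minor issue)", identical to the existing bullseye lines, and this rendering shows no status keyword between the package name and the parenthesised reason, so postponed versus no-dsa cannot be verified here; please confirm the keyword in the repository matches the title. The other visible hunks (multimon-ng, haskell-xml-conduit, otrs2, jquery-minicolors) mirror the bullseye line for buster and look consistent; the remaining commits from this 18-commit push are cut off in this rendering.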
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3248-1 for libksba
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d1252530 by Markus Koschany at 2022-12-24T16:22:33+01:00 Reserve DLA-3248-1 for libksba - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Dec 2022] DLA-3248-1 libksba - security update + {CVE-2022-47629} + [buster] - libksba 1.3.5-2+deb10u2 [23 Dec 2022] DLA-3247-1 node-trim-newlines - security update {CVE-2021-33623} [buster] - node-trim-newlines 1.0.0-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d12525309097b83a7c4094c155d17a24a26e4b54 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d12525309097b83a7c4094c155d17a24a26e4b54 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
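Review bot: only data/DLA/list changes here; the CVE-2022-47629 entry in data/CVE/list still needs the {DLA-3248-1} cross-reference, and if libksba has a block in data/dla-needed.txt it should be removed in the same step (the Reserve DLA-3251-1 commit on this page does both in one change).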
[Git][security-tracker-team/security-tracker][master] Claim mbedtls in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 381b2c8f by Markus Koschany at 2022-12-12T01:03:16+01:00 Claim mbedtls in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -128,7 +128,7 @@ man2html NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . -- -mbedtls +mbedtls (Markus Koschany) NOTE: 20220821: Programming language: C. -- modsecurity-crs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/381b2c8fe915f599aaed6cf39f8dfdd44eb83f40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/381b2c8fe915f599aaed6cf39f8dfdd44eb83f40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3236-1 for openexr
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 432e5017 by Markus Koschany at 2022-12-12T00:50:31+01:00 Reserve DLA-3236-1 for openexr - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -74108,7 +74108,6 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in I {DSA-5299-1} [experimental] - openexr 3.1.4-1 - openexr 3.1.5-2 (bug #1014828) - [buster] - openexr (Minor issue) [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209 @@ -108269,7 +108268,6 @@ CVE-2021-34696 (A vulnerability in the access control list (ACL) programming of CVE-2021-3605 (There's a flaw in OpenEXR's rleUncompress functionality in versions pr ...) {DSA-5299-1 DLA-2732-1} - openexr 2.5.7-1 (bug #990899) - [buster] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 (master) NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3204008c0bd4c8d7599a052b304d1b44c4511283 (v2.5) @@ -108348,7 +108346,6 @@ CVE-2021-34675 (Basix NEX-Forms through 7.8.7 allows authentication bypass for s CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in ...) {DSA-5299-1 DLA-2701-1} - openexr 2.5.7-1 (bug #990450) - [buster] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1033 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1037 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/566f5241edd87445373885d5f7a904dc81e866c1 (master) 
@@ -116543,7 +116540,6 @@ CVE-2021-26945 (An integer overflow leading to a heap-buffer overflow was found CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found in the ...) {DSA-5299-1 DLA-2701-1} - openexr 2.5.7-1 (bug #992703) - [buster] - openexr (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894 @@ -116552,7 +116548,6 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...) {DSA-5299-1 DLA-2701-1} - openexr 2.5.7-1 - [buster] - openexr (Minor issue, might change ABI) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901 @@ -121634,14 +121629,12 @@ CVE-2021-3480 (A flaw was found in slapi-nis in versions before 0.56.7. A NULL p CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...) {DLA-2701-1} - openexr 2.5.4-1 (bug #986796) - [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...) {DLA-2701-1} - openexr 2.5.4-1 (bug #986796) - [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a (master) 
@@ -121650,7 +121643,6 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...) {DLA-2701-1} - openexr 2.5.4-1 (bug #986796) - [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1 @@ -122248,19 +122240,16 @@ CVE-2021-29425 (In Apache Commons IO before 2.7, When invoking the method FileNa CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...) {DL
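Review bot: the @@ -116552,7 +116548,6 @@ hunk removes "[buster] - openexr (Minor issue, might change ABI)" for CVE-2021-23215; the ABI concern was the stated reason for postponing, and nothing in this diff records how the buster update deals with it (whether the backported fix avoids the ABI change or reverse dependencies need a rebuild). A NOTE on that entry or a sentence in the DLA text would help. The data/DLA/list and data/dla-needed.txt hunks are cut off in this rendering, so the DLA's CVE set could not be compared with the ten entries changed here.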
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5299-1 for openexr
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2163da4a by Markus Koschany at 2022-12-10T17:20:06+01:00 Reserve DSA-5299-1 for openexr - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -83542,7 +83542,6 @@ CVE-2021-43557 (The uri-block plugin in Apache APISIX before 2.10.2 uses $reques CVE-2021-3941 (In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division o ...) [experimental] - openexr 3.1.3-1 - openexr 3.1.5-2 (bug #1014828) - [bullseye] - openexr (Minor issue) [stretch] - openexr (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2019789 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084 @@ -83730,7 +83729,6 @@ CVE-2021-3934 (ohmyzsh is vulnerable to Improper Neutralization of Special Eleme CVE-2021-3933 (An integer overflow could occur when OpenEXR processes a crafted file ...) [experimental] - openexr 3.1.3-1 - openexr 3.1.5-2 (bug #1014828) - [bullseye] - openexr (Minor issue) [stretch] - openexr (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2019783 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38912 @@ -108279,7 +108277,6 @@ CVE-2021-34675 (Basix NEX-Forms through 7.8.7 allows authentication bypass for s CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in ...) {DLA-2701-1} - openexr 2.5.7-1 (bug #990450) - [bullseye] - openexr (Minor issue) [buster] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1033 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1037 
@@ -116475,7 +116472,6 @@ CVE-2021-26945 (An integer overflow leading to a heap-buffer overflow was found CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found in the ...) {DLA-2701-1} - openexr 2.5.7-1 (bug #992703) - [bullseye] - openexr (Minor issue) [buster] - openexr (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423 @@ -116485,7 +116481,6 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...) {DLA-2701-1} - openexr 2.5.7-1 - [bullseye] - openexr (Minor issue, might change ABI) [buster] - openexr (Minor issue, might change ABI) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653 = data/DSA/list = @@ -1,3 +1,6 @@ +[10 Dec 2022] DSA-5299-1 openexr - security update + {CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941 CVE-2021-23215 CVE-2021-26260 CVE-2021-45942} + [bullseye] - openexr 2.5.4-2+deb11u1 [09 Dec 2022] DSA-5298-1 cacti - security update {CVE-2022-0730 CVE-2022-46169} [bullseye] - cacti 1.2.16+ds1-2+deb11u1 = data/dsa-needed.txt = @@ -29,8 +29,6 @@ nodejs -- multipath-tools -- -openexr (apo) --- php-cas (jmm) -- php-horde-mime-viewer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2163da4a801b6b1c642cfacbb2b2495405736514 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2163da4a801b6b1c642cfacbb2b2495405736514 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
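Review bot: the data/DSA/list hunk lists seven CVEs ({CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941 CVE-2021-23215 CVE-2021-26260 CVE-2021-45942}) but the data/CVE/list hunks touch only five of them (CVE-2021-3941, CVE-2021-3933, CVE-2021-3598, CVE-2021-26260, CVE-2021-23215); CVE-2021-3605 and CVE-2021-45942 have no bullseye line removed, which is fine only if they never carried a "[bullseye] - openexr (Minor issue)" line, so please confirm. For CVE-2021-23215 the removed line was "(Minor issue, might change ABI)", so the advisory should say how the ABI concern was resolved for 2.5.4-2+deb11u1. The data/dsa-needed.txt hunk dropping "openexr (apo)" is consistent with the advisory going out.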
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3234-1 for hsqldb
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ccf0ccd8 by Markus Koschany at 2022-12-10T17:14:37+01:00 Reserve DLA-3234-1 for hsqldb - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Dec 2022] DLA-3234-1 hsqldb - security update + {CVE-2022-41853} + [buster] - hsqldb 2.4.1-2+deb10u1 [10 Dec 2022] DLA-3190-2 grub2 - security update {CVE-2022-2601 CVE-2022-3775} [buster] - grub2 2.06-3~deb10u3 = data/dla-needed.txt = @@ -84,11 +84,6 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -hsqldb (Markus Koschany) - NOTE: 20221031: Programming language: Java. - NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. - NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html. --- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccf0ccd8c5a96a5c65a403281cc0f4f21a9d7c8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccf0ccd8c5a96a5c65a403281cc0f4f21a9d7c8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
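Review bot: the data/dla-needed.txt hunk (@@ -84,11 +84,6 @@) removes the notes saying CVE-2022-41853 was "To be investigated further. A possible outcome is to ignore it." together with the pointer https://lists.debian.org/debian-lts/2022/10/msg00060.html; since the DLA now fixes it for buster (hsqldb 2.4.1-2+deb10u1), the rationale for fixing rather than ignoring survives only in that thread. Suggest keeping the link as a NOTE on the CVE-2022-41853 entry, which is not among the "2 changed files" here and will also need the {DLA-3234-1} cross-reference.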
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-40159,CVE-2022-40160,libcommons-jxpath-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 89f32d7a by Markus Koschany at 2022-12-05T14:21:18+01:00 CVE-2022-40159,CVE-2022-40160,libcommons-jxpath-java Both CVE are disputed and will probably be rejected. - - - - - ae73fb32 by Markus Koschany at 2022-12-05T14:22:12+01:00 Remove libcommons-jxpath-java from dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -19669,10 +19669,10 @@ CVE-2022-40162 CVE-2022-40161 REJECTED CVE-2022-40160 (** DISPUTED ** This record was originally reported by the oss-fuzz pro ...) - - libcommons-jxpath-java + NOTE: Invalid oss-fuzz report against libcommons-jxpath-java NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47053 CVE-2022-40159 (** DISPUTED ** This record was originally reported by the oss-fuzz pro ...) - - libcommons-jxpath-java + NOTE: Invalid oss-fuzz report against libcommons-jxpath-java NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47057 CVE-2022-40158 REJECTED = data/dla-needed.txt = 
@@ -104,10 +104,6 @@ lava libapreq2 NOTE: 20221031: Programming language: C. -- -libcommons-jxpath-java - NOTE: 20221027: Programming language: Java. - NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream discussion. See CVE-2022-41852 for pull requests. --- libde265 NOTE: 20221107: Programming language: C++. NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/91e19f5866794bbead12dbe104a1a7fa1c5b5cdb...ae73fb32469a0fe588db79a937dc79de2804fcbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/91e19f5866794bbead12dbe104a1a7fa1c5b5cdb...ae73fb32469a0fe588db79a937dc79de2804fcbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
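Review bot: in the @@ -19669,10 +19669,10 @@ hunk the package lines "- libcommons-jxpath-java" for CVE-2022-40160 and CVE-2022-40159 are replaced by a NOTE only, which leaves both entries without any package status; an invalid report is otherwise expressed as a status line (for example the "NOT-FOR-US: MISP" line visible in the CVE-2021-37533 commit on this page) rather than a bare NOTE. Suggest keeping a status line marking libcommons-jxpath-java as not affected so the entries are not treated as untriaged. The data/dla-needed.txt hunk also drops "See CVE-2022-41852 for pull requests", and that pointer is not carried over to the CVE/list notes.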
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-41853,hsqldb: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a315e62 by Markus Koschany at 2022-12-04T21:57:51+01:00 CVE-2022-41853,hsqldb: fixed in unstable - - - - - cafb4773 by Markus Koschany at 2022-12-04T22:18:30+01:00 Update firmware-nonfree in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -15388,7 +15388,7 @@ CVE-2022-41854 (Those using Snakeyaml to parse untrusted YAML files may be vulne NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355 TODO: check details CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb ...) - - hsqldb (bug #1023573) + - hsqldb 2.7.1-1 (bug #1023573) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7 NOTE: http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control NOTE: https://sourceforge.net/p/hsqldb/svn/6614/ = data/dla-needed.txt = @@ -39,6 +39,7 @@ exiv2 -- firmware-nonfree (Markus Koschany) NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. + NOTE: 20221204: Coming soon in the first week of December. (apo) -- fusiondirectory NOTE: 20221203: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9987a9ec494064e1f356fe9548050e3a9d75ffd3...cafb47737e7036ec9be77a2b0db8f69f413f725e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9987a9ec494064e1f356fe9548050e3a9d75ffd3...cafb47737e7036ec9be77a2b0db8f69f413f725e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
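Review bot: the CVE-2022-41853 hunk (@@ -15388,7 +15388,7 @@) sets the unstable fix to "hsqldb 2.7.1-1 (bug #1023573)" but adds no [bullseye] or [buster] line, so both releases show as vulnerable with no triage recorded. In the data/dla-needed.txt hunk the firmware-nonfree note dated 20221204 promises "Coming soon in the first week of December", which at the commit date (2022-12-04) is already that week; a concrete date or a follow-up note would be more useful to the next reader.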