[Git][security-tracker-team/security-tracker][master] Update FD assignment

2024-07-01 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52c40523 by Santiago Ruano Rincón at 2024-07-01T10:32:17-03:00
Update FD assignment

- - - - -


1 changed file:

- org/lts-frontdesk.2024.txt


Changes:

=
org/lts-frontdesk.2024.txt
=
@@ -25,7 +25,7 @@ From 10-06 to 16-06:Chris Lamb 
 From 17-06 to 23-06:Sylvain Beucler 
 From 24-06 to 30-06:Thorsten Alteholz 
 From 01-07 to 07-07:Thorsten Alteholz 
-From 08-07 to 14-07:Utkarsh Gupta 
+From 08-07 to 14-07:Santiago Ruano Rincón 
 From 15-07 to 21-07:Chris Lamb 
 From 22-07 to 28-07:Emilio Pozuelo Monfort 
 From 29-07 to 04-08:Markus Koschany 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52c40523a5cd328f6345fbcda1ca2bfbd50f35af

-- 
This project does not include diff previews in email notifications.
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52c40523a5cd328f6345fbcda1ca2bfbd50f35af
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Revert "Marked CVE-2024-6387 as not affected for buster."

2024-07-01 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c2ae403 by Santiago Ruano Rincón at 2024-07-01T07:07:58-03:00
Revert "Marked CVE-2024-6387 as not affected for buster."

This reverts commit d19eb14ce0526f341f84d0971b76ab874bdc72a5.

Buster has been EOLed now. Remaining buster triaging must be done in
the relevant tracker

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,6 @@
 CVE-2024-6387
- openssh 
[bullseye] - openssh  (Vulnerable code introduced later)
-   [buster] - openssh  (Vulnerable code introduced later)
NOTE: Introduced with: 
https://github.com/openssh/openssh-portable/commit/752250caabda3dd24635503c4cd689b32a650794
 (V_8_5_P1)
NOTE: Fixed by: 
https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29
NOTE: 
https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
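Review bot: the removed `[buster] - openssh` line carried the reason "Vulnerable code introduced later", and neither the hunk nor the commit message says where that status is recorded now. The message only refers to "the relevant tracker"; naming or linking that tracker would let someone still running buster find the not-affected record. The "Introduced with:" NOTE (V_8_5_P1) stays in place, which is what keeps the rationale recoverable from this file.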



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c2ae4038050fcbba4593bcdfd9670db6f08883f



[Git][security-tracker-team/security-tracker][master] Revert "Marked CVE-2024-30156 as ignored for buster following decision for bookworm and bullseye."

2024-07-01 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afad6a14 by Santiago Ruano Rincón at 2024-07-01T07:05:19-03:00
Revert "Marked CVE-2024-30156 as ignored for buster following decision for 
bookworm and bullseye."

This reverts commit 1d65e99e7f85f57828f3d78218dbdb5ae541463e.

Buster LTS is EOLed now. Any remaining triaging must be done in the
relevant tracker.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33262,7 +33262,6 @@ CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x 
before 7.4.3 (and before 6.
- varnish  (bug #1068455)
[bookworm] - varnish  (Minor issue, too intrusive to backport)
[bullseye] - varnish  (Minor issue, too intrusive to backport)
-   [buster] - varnish  (Minor issue, too intrusive to backport)
NOTE: https://varnish-cache.org/security/VSV00014.html
NOTE: 
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2024-30156
NOTE: 
https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551
 (varnish-7.5.0)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afad6a143c809d97124aabcf6028264984ebfba6



[Git][security-tracker-team/security-tracker][master] Do yet another buster DLA entry

2024-06-30 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
195c7eb7 by Santiago Ruano Rincón at 2024-06-30T23:03:05-03:00
Do yet another buster DLA entry

Buster end-of-life is 2024-06-30, and has been EOLed as well from the
security tracker perspective.

This adds the last entry for pdns-recursor

Link: https://lists.debian.org/debian-lts-announce/2024/07/msg0.html

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,5 +1,6 @@
 [01 Jul 2024] DLA-3855-1 pdns-recursor - security update
{CVE-2020-14196 CVE-2020-25829}
+   [buster] - pdns-recursor 4.1.11-1+deb10u2
 [30 Jun 2024] DLA-3854-1 tryton-client - security update
 [30 Jun 2024] DLA-3853-1 tryton-server - security update
 [30 Jun 2024] DLA-3852-1 edk2 - security update
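Review bot: the added `[buster] - pdns-recursor 4.1.11-1+deb10u2` line sits under an entry dated [01 Jul 2024], one day after the 2024-06-30 end-of-life the commit message cites. Since the message also says buster is already EOLed from the tracker's perspective, a sentence explaining why a DLA dated after EOL is still recorded in data/DLA/list would save the next reader from guessing.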



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/195c7eb7f51d16e434be44ddda56c1b12b20a4ac



[Git][security-tracker-team/security-tracker][master] Add a couple of buster DLAs entries as they raced with the changes to the tracker

2024-06-30 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16163807 by Santiago Ruano Rincón at 2024-06-30T21:51:56-03:00
Add a couple of buster DLAs entries as they raced with the changes to the 
tracker

Buster end-of-life is 2024-06-30, and has been EOLed as well from the
security tracker perspective.

This adds the last entries for gunicorn and edk2.

Link: https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html
Link: https://lists.debian.org/debian-lts-announce/2024/06/msg00028.html

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -2,8 +2,10 @@
 [30 Jun 2024] DLA-3853-1 tryton-server - security update
 [30 Jun 2024] DLA-3852-1 edk2 - security update
{CVE-2023-48733}
+   [buster] - edk2 0~20181115.85588389-3+deb10u4
 [30 Jun 2024] DLA-3851-1 gunicorn - security update
{CVE-2024-1135}
+   [buster] - gunicorn 19.9.0-1+deb10u1
 [30 Jun 2024] DLA-3850-1 glibc - security update
{CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602}
[buster] - glibc 2.28-10+deb10u4
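Review bot: DLA-3853-1 tryton-server, the first context line of this hunk, is followed directly by the DLA-3852-1 header, so it has neither a CVE line nor a `[buster]` version line. If that entry raced with the tracker change the same way edk2 and gunicorn did, its `[buster] - tryton-server <version>` line belongs in this commit too; if the omission is intentional, the commit message should say so.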



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16163807a4b2fa6326952b30192257c2eb61e514



[Git][security-tracker-team/security-tracker][master] Fix typo and package sorting in CVE-2023-6135 data

2024-06-28 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0c11dab by Santiago Ruano Rincón at 2024-06-28T20:52:41-03:00
Fix typo and package sorting in CVE-2023-6135 data

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54297,9 +54297,9 @@ CVE-2023-6856 (The WebGL `DrawElementsInstanced` method 
was susceptible to a hea
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6856
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6856
 CVE-2023-6135 (Multiple NSS NIST curves were susceptible to a side-channel 
attack kno ...)
-   - nss 2:3.95-1 (bug #1059054)
- firefox 121.0-1
-   [buster] - nss  (Too invasive to fix; upstream recommends not 
doing it)
+   - nss 2:3.95-1 (bug #1059054)
+   [buster] - nss  (Too invasive to fix; upstream recommends not 
doing it)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1853908 (not public)
NOTE: Fixed via: https://bugzilla.mozilla.org/show_bug.cgi?id=1861728



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c11dabebe2956d76a799d4f0b339c2f8eaf663



[Git][security-tracker-team/security-tracker][master] Update FD assignment

2024-06-25 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
581c577c by Santiago Ruano Rincón at 2024-06-25T19:01:07-03:00
Update FD assignment

- - - - -


1 changed file:

- org/lts-frontdesk.2024.txt


Changes:

=
org/lts-frontdesk.2024.txt
=
@@ -32,21 +32,21 @@ From 29-07 to 04-08:Markus Koschany 
 From 05-08 to 11-08:Sylvain Beucler 
 From 12-08 to 18-08:Sylvain Beucler 
 From 19-08 to 25-08:Thorsten Alteholz 
-From 26-08 to 01-09:Utkarsh Gupta 
+From 26-08 to 01-09:Santiago Ruano Rincón 
 From 02-09 to 08-09:Chris Lamb 
 From 09-09 to 15-09:Emilio Pozuelo Monfort 
 From 16-09 to 22-09:Markus Koschany 
 From 23-09 to 29-09:Chris Lamb 
 From 30-09 to 06-10:Sylvain Beucler 
 From 07-10 to 13-10:Thorsten Alteholz 
-From 14-10 to 20-10:Utkarsh Gupta 
+From 14-10 to 20-10:Santiago Ruano Rincón 
 From 21-10 to 27-10:Chris Lamb 
 From 28-10 to 03-11:Emilio Pozuelo Monfort 
 From 04-11 to 10-11:Markus Koschany 
 From 11-11 to 17-11:Ola Lundqvist 
 From 18-11 to 24-11:Sylvain Beucler 
 From 25-11 to 01-12:Thorsten Alteholz 
-From 02-12 to 08-12:Utkarsh Gupta 
+From 02-12 to 08-12:Santiago Ruano Rincón 
 From 09-12 to 15-12:Chris Lamb 
 From 16-12 to 22-12:Emilio Pozuelo Monfort 
 From 23-12 to 29-12:Markus Koschany 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/581c577cb482902a2d49db0a49b57e5afd104844



[Git][security-tracker-team/security-tracker][master] Update dns-root-data's note in dla-needed

2024-06-24 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
77ce546f by Santiago Ruano Rincón at 2024-06-24T08:53:39-03:00
Update dns-root-data's note in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -59,7 +59,7 @@ dlt-daemon (Markus Koschany)
 dns-root-data (santiago)
   NOTE: 20240607: Added by coordinator (santiago)
   NOTE: 20240607: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054393
-  NOTE: 20240607: Needs bullseye pu to be available first. 
https://bugs.debian.org/1072653
+  NOTE: 20240629: buster release to be uploaded after June 29th (debian 11.10 
point release)
 --
 dnsmasq
   NOTE: 20240303: Added by Front-Desk (apo)
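Review bot: the new NOTE is stamped 20240629, but the commit is dated 2024-06-24 and the other notes in this entry carry the day they were written (20240607). Stamp it 20240624 and keep the planned upload date in the note text only. The replacement also drops the https://bugs.debian.org/1072653 reference from the old note; keeping that link lets the next person check the state of the bullseye pu the old note said was needed first.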



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77ce546f59979d7a737d974ff9946fbb49e2e5dc



[Git][security-tracker-team/security-tracker][master] Add regression fix reference for tryton-client in the tryton zipbomb DoS issue (no CVE assigned)

2024-06-18 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66d6efc6 by Santiago Ruano Rincón at 2024-06-18T13:08:53-03:00
Add regression fix reference for tryton-client in the tryton zipbomb DoS issue 
(no CVE assigned)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20503,6 +20503,7 @@ CVE-2024- [tryton zipbomb DoS]
[bullseye] - tryton-server  (Minor issue)
NOTE: https://discuss.tryton.org/t/security-release-for-issue-13142/7196
NOTE: https://foss.heptapod.net/tryton/tryton/-/issues/13142
+   NOTE: Regression in tryton-client fixed by: 
https://foss.heptapod.net/tryton/tryton/-/commit/96ccd17bd4db4be46bb42eb4217ba5c7dcb7de82
 (6.0)
 CVE-2024-26921 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
- linux 6.8.9-1
[bookworm] - linux 6.1.85-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66d6efc658e25374a20613a5903622e7e6d69b3a



[Git][security-tracker-team/security-tracker][master] Add tryton-client to dla-needed. Add fix commits for tryton client and server

2024-06-18 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8bd46f8b by Santiago Ruano Rincón at 2024-06-18T06:31:19-03:00
Add tryton-client to dla-needed. Add fix commits for tryton client and server

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -324,10 +324,17 @@ tinymce
   NOTE: 20231216: upstream's patch is backportable, as the code has changed a
   NOTE: 20231216: lot.  (spwhitton)
 --
+tryton-client
+  NOTE: 20240618: Added by coordinator (santiago)
+  NOTE: 20240618: bookworm pu by maintainer was accepted. LTS Team should take 
care of bullseye pu along with buster, as suggested by maintainer (santiago)
+  NOTE: 20240618: 
https://salsa.debian.org/tryton-team/tryton-client/-/commit/dfa889381d572f5ee229c3eec32cbdff8084d36c
+--
 tryton-server
   NOTE: 20240421: Added by Front-Desk (apo)
   NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that
   NOTE: 20240421: being resolved upstream.
+  NOTE: 20240618: Regressions fixed. bookworm pu by maintainer was accepted. 
LTS Team should take care of bullseye pu along with buster, as suggested by 
maintainer (santiago)
+  NOTE: 20240618: 
https://salsa.debian.org/tryton-team/tryton-server/-/commit/952e147d7732be208d0911d48886380308883498
 --
 varnish
   NOTE: 20231117: Added by Front-Desk (apo)
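Review bot: the two added 20240618 notes put one long sentence ("bookworm pu by maintainer was accepted. LTS Team should take care of bullseye pu along with buster ...") on a single NOTE line in each entry, while the neighbouring tinymce entry splits long text across several NOTE lines. Split them the same way, and label the bare salsa commit URLs (for example "Fix:") so it is clear they are the fix commits the subject mentions. The new tryton-client entry is also added without a claimant; say in the note whether it is up for grabs.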



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bd46f8bce3c60ac35092715e27e0eb9e48b2f25



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-51698/atril as mitigated by 1.20.3-1+deb10u2

2024-06-17 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8163044a by Santiago Ruano Rincón at 2024-06-17T09:06:13-03:00
Mark CVE-2023-51698/atril as mitigated by 1.20.3-1+deb10u2

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -45977,6 +45977,7 @@ CVE-2023-51698 (Atril is a simple multi-page document 
viewer. Atril is vulnerabl
- atril 1.26.1-4 (bug #1060751)
[bookworm] - atril 1.26.0-2+deb12u2
[bullseye] - atril 1.24.0-1+deb11u1
+   [buster] - atril 1.20.3-1+deb10u2
- evince 3.25.92-1
NOTE: 
https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
NOTE: Fixed by: 
https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed
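Review bot: the subject says CVE-2023-51698 is "mitigated" by 1.20.3-1+deb10u2, but the added `[buster] - atril 1.20.3-1+deb10u2` line records it as a plain fixed version, in the same form as the bookworm and bullseye lines. If the buster upload mitigates the issue rather than applying the commit in the "Fixed by:" NOTE, add a NOTE under this entry describing the mitigation so the tracker does not overstate the fix.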


=
data/dla-needed.txt
=
@@ -31,9 +31,6 @@ ansible
   NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
   NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee)
 --
-atril
-  NOTE: 20240616: Added by Front-Desk (lamby)
---
 bind9
   NOTE: 20240518: Added by Front-Desk (utkarsh)
   NOTE: 20240531: Lengthy discussion here 
 (dleidert)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8163044a9c16b50d34da48b1d99ee678491b3b44



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3828-1 for atril

2024-06-14 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ed6c111 by Santiago Ruano Rincón at 2024-06-14T19:23:56-03:00
Reserve DLA-3828-1 for atril

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[14 Jun 2024] DLA-3828-1 atril - security update
+   {CVE-2023-52076}
+   [buster] - atril 1.20.3-1+deb10u2
 [14 Jun 2024] DLA-3827-1 plasma-workspace - security update
{CVE-2024-36041}
[buster] - plasma-workspace 4:5.14.5.1-1+deb10u1


=
data/dla-needed.txt
=
@@ -31,13 +31,6 @@ ansible
   NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
   NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee)
 --
-atril (santiago)
-  NOTE: 20240121: Added by Front-Desk (apo)
-  NOTE: 20240121: Decide whether it makes sense to disable comic feature or 
use libarchive instead.
-  NOTE: 20240319: package ready at: 
https://people.debian.org/~utkarsh/lts/atril/
-  NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh)
-  NOTE: 20240610: somebody should take it from here^. (utkarsh)
---
 bind9
   NOTE: 20240518: Added by Front-Desk (utkarsh)
   NOTE: 20240531: Lengthy discussion here 
 (dleidert)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ed6c1115e88fb006c2945a06c3df506efcf9958



[Git][security-tracker-team/security-tracker][master] Claim atril in buster LTS

2024-06-13 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
011c4079 by Santiago Ruano Rincón at 2024-06-13T23:21:31-03:00
Claim atril in buster LTS

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,7 +31,7 @@ ansible
   NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
   NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee)
 --
-atril
+atril (santiago)
   NOTE: 20240121: Added by Front-Desk (apo)
   NOTE: 20240121: Decide whether it makes sense to disable comic feature or 
use libarchive instead.
   NOTE: 20240319: package ready at: 
https://people.debian.org/~utkarsh/lts/atril/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/011c40793528b8ce4b16edbd82c4b4fb81bd5d77



[Git][security-tracker-team/security-tracker][master] Add note about dns-root-data. to be uploaded after bullseye pu

2024-06-07 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e506c27f by Santiago Ruano Rincón at 2024-06-07T19:08:35-03:00
Add note about dns-root-data. to be uploaded after bullseye pu

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -68,6 +68,7 @@ dnsmasq (dleidert)
 dns-root-data (santiago)
   NOTE: 20240607: Added by coordinator (santiago)
   NOTE: 20240607: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054393
+  NOTE: 20240607: Needs bullseye pu to be available first. 
https://bugs.debian.org/1072653
 --
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e506c27fae196ea7484ed681e9e91b665c2a50de



[Git][security-tracker-team/security-tracker][master] Add and claim dns-root-data to dla-needed.txt

2024-06-07 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2db72567 by Santiago Ruano Rincón at 2024-06-07T10:36:32-03:00
Add and claim dns-root-data to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -65,6 +65,10 @@ dnsmasq (dleidert)
   NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby)
   NOTE: 20240403: Re-assigned back to dleidert; see thread on deblts-team 
list. (lamby)
 --
+dns-root-data (santiago)
+  NOTE: 20240607: Added by coordinator (santiago)
+  NOTE: 20240607: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054393
+--
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
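Review bot: dns-root-data is inserted after the dnsmasq entry, but the entries visible here appear to be kept in alphabetical order (dnsmasq, docker.io), and in byte order "-" sorts before "m", so `dns-root-data` belongs before `dnsmasq`. Moving the four added lines above the dnsmasq entry keeps the file sorted and makes the entry easier to find.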



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2db72567cad8a9244aaf7315d8634b2d907a7d73



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: fix date in ruby2.5 note

2024-05-28 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
462a7ae4 by Santiago Ruano Rincón at 2024-05-28T23:09:35-03:00
data/dla-needed.txt: fix date in ruby2.5 note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -260,7 +260,7 @@ roundcube (guilhem)
 ruby2.5 (utkarsh)
   NOTE: 20240504: Added by Front-Desk (Beuc)
   NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk)
-  NOTE: 20240628: have working patches ready, will need extensive testing. 
(utkarsh)
+  NOTE: 20240528: have working patches ready, will need extensive testing. 
(utkarsh)
 --
 runc (dleidert)
   NOTE: 20240312: Added by coordinator (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/462a7ae49e671cb99a5255be5ff96d5e8902a0e4



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3816-1 for bind9

2024-05-17 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f404b94c by Santiago Ruano Rincón at 2024-05-17T14:25:59-03:00
Reserve DLA-3816-1 for bind9

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[17 May 2024] DLA-3816-1 bind9 - security update
+   {CVE-2023-50387 CVE-2023-50868}
+   [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u11
 [16 May 2024] DLA-3815-1 firefox-esr - security update
{CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 
CVE-2024-4777}
[buster] - firefox-esr 115.11.0esr-1~deb10u1


=
data/dla-needed.txt
=
@@ -40,16 +40,6 @@ atril
   NOTE: 20240319: package ready at: 
https://people.debian.org/~utkarsh/lts/atril/
   NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh)
 --
-bind9 (Santiago)
-  NOTE: 20240218: Added by Front-Desk (lamby)
-  NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 
CVE-2023-5679 already fixed in bullseye. (lamby)
-  NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and 
package builds fine.
-  NOTE: 20240418: 
https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96
-  NOTE: 20240418: All testing activities remains.
-  NOTE: 20240429: Waiting some days to get more information about 
CVE-2023-50387 and CVE-2023-50868. Working on CVE-2023-4408 (Santiago)
-  NOTE: 20240430: CVE-2023-4408 fix introduces ABI changes. Studying how to 
handle them (Santiago)
-  NOTE: 20240513: Trying to reproduce KeyTrap. (Santiago)
---
 bluez
   NOTE: 20240510: Added by Front-Desk (ta)
 --
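Review bot: the removed bind9 entry tracks more than the DLA covers. Its notes list CVE-2023-4408, CVE-2023-5517 and CVE-2023-5679 alongside the two CVEs recorded for DLA-3816-1 ({CVE-2023-50387 CVE-2023-50868}), and the 20240430 note says the CVE-2023-4408 fix introduces ABI changes. Deleting the whole entry drops that state; either keep bind9 in dla-needed.txt with a note on the three remaining CVEs or state in the commit message how they were resolved.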



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f404b94c45177e276511ff60082724628965a962



[Git][security-tracker-team/security-tracker][master] dla-needed.txt: fix previous dates on bind9 notes, and add a new one

2024-05-13 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e12fb11f by Santiago Ruano Rincón at 2024-05-13T08:32:20-03:00
dla-needed.txt: fix previous dates on bind9 notes, and add a new one

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,8 +46,9 @@ bind9 (Santiago)
   NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and 
package builds fine.
   NOTE: 20240418: 
https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96
   NOTE: 20240418: All testing activities remains.
-  NOTE: 20240929: Waiting some days to get more information about 
CVE-2023-50387 and CVE-2023-50868. Working on CVE-2023-4408 (Santiago)
-  NOTE: 20240930: CVE-2023-4408 fix introduces ABI changes. Studying how to 
handle them (Santiago)
+  NOTE: 20240429: Waiting some days to get more information about 
CVE-2023-50387 and CVE-2023-50868. Working on CVE-2023-4408 (Santiago)
+  NOTE: 20240430: CVE-2023-4408 fix introduces ABI changes. Studying how to 
handle them (Santiago)
+  NOTE: 20240513: Trying to reproduce KeyTrap. (Santiago)
 --
 bluez
   NOTE: 20240510: Added by Front-Desk (ta)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e12fb11f07b972a25f08de7fda188ad697357fb7



[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Update name for apache2 claim (according to commit message)

2024-05-10 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee7aa391 by Santiago Ruano Rincón at 2024-05-10T21:40:02-03:00
dla-needed.txt: Update name for apache2 claim (according to commit message)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,7 +31,7 @@ ansible (Lee Garrett)
   NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
   NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee)
 --
-apache2 (debian)
+apache2 (Lee Garrett)
   NOTE: 20240418: Added by Front-Desk (apo)
 --
 atril
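
Review bot: the claim on apache2 changes from "(debian)" to "(Lee Garrett)" without a dated NOTE, so the entry's only history remains "20240418: Added by Front-Desk (apo)". A one-line NOTE with the date of the claim would keep the hand-over visible in the file itself instead of only in the commit log.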



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee7aa391c9b79b25e9b4e13ca0ac839e550ed4f3



[Git][security-tracker-team/security-tracker][master] Add note about bind9 in dla-needed - CVE-2023-4408

2024-04-30 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
07d65dae by Santiago Ruano Rincón at 2024-04-30T21:25:14-03:00
Add note about bind9 in dla-needed - CVE-2023-4408

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,6 +46,7 @@ bind9 (Santiago)
   NOTE: 20240418: 
https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96
   NOTE: 20240418: All testing activities remains.
   NOTE: 20240929: Waiting some days to get more information about 
CVE-2023-50387 and CVE-2023-50868. Working on CVE-2023-4408 (Santiago)
+  NOTE: 20240930: CVE-2023-4408 fix introduces ABI changes. Studying how to 
handle them (Santiago)
 --
 dcmtk (Adrian Bunk)
   NOTE: 20240428: Added by Front-Desk (ta)
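
Review bot: the added NOTE is stamped 20240930, but this commit was made on 2024-04-30, so the month looks mistyped (09 for 04); the context line just above it, 20240929, has the same slip. Suggest 20240430 here and 20240429 above. It would also help to say which library's ABI the CVE-2023-4408 fix changes, since that decides how the update has to be handled.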



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07d65daeff2ba320321bde866f484f6a04bb1e73



[Git][security-tracker-team/security-tracker][master] Add note about bind9 in dla-needed

2024-04-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1bffabfa by Santiago Ruano Rincón at 2024-04-29T20:56:18-03:00
Add note about bind9 in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -48,6 +48,7 @@ bind9 (Santiago)
   NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and 
package builds fine.
   NOTE: 20240418: 
https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96
   NOTE: 20240418: All testing activities remains.
+  NOTE: 20240929: Waiting some days to get more information about 
CVE-2023-50387 and CVE-2023-50868. Working on CVE-2023-4408 (Santiago)
 --
 dcmtk (Adrian Bunk)
   NOTE: 20240428: Added by Front-Desk (ta)
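
Review bot: the date on the added NOTE, 20240929, lies five months after this commit's own date (2024-04-29) and after the 20240418 notes it follows; it should most likely read 20240429. The line also mixes two statuses (waiting on CVE-2023-50387 and CVE-2023-50868, working on CVE-2023-4408); splitting it into one NOTE per status would make later updates easier to follow.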



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bffabfadb4550540c86edb4abfaf840eb1ebe1e



[Git][security-tracker-team/security-tracker][master] Add bind9 upstream patch reference for 2023-50387 and CVE-2023-50868

2024-04-23 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc6727fd by Santiago Ruano Rincón at 2024-04-23T17:57:01-03:00
Add bind9 upstream patch reference for 2023-50387 and CVE-2023-50868

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20304,6 +20304,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS 
protocol (in RFC 4033, 4034, 4
NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718
 (v9.16.48)
NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd
 (v9.16.48)
NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614
 (v9.16.48)
+   NOTE: 
https://downloads.isc.org/isc/bind9/9.16.48/patches/0005-CVE-2023-50387-CVE-2023-50868.patch
NOTE: 
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
NOTE: https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
NOTE: 
https://github.com/CZ-NIC/knot-resolver/commit/7ddabe80fa05b76fc57b5a112a82a2c032032534
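
Review bot: the added NOTE gives a bare URL, whereas the three bind9 commit references above it carry a "(v9.16.48)" suffix and the list goes on to dnsmasq and knot-resolver references. Suggest marking it the same way, and saying that it is a single combined patch for CVE-2023-50387 and CVE-2023-50868, which at the moment can only be read off the file name.
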
@@ -20340,6 +20341,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of 
the DNS protocol (in RFC 51
[bullseye] - systemd  (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
[buster] - systemd  (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
NOTE: https://kb.isc.org/docs/cve-2023-50868
+   NOTE: 
https://downloads.isc.org/isc/bind9/9.16.48/patches/0005-CVE-2023-50387-CVE-2023-50868.patch
NOTE: 
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
NOTE: https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
NOTE: 
https://github.com/CZ-NIC/knot-resolver/commit/e966b7fdb167add0ec37c56a954c2d847f627985
 (v5.7.1)
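
Review bot: under CVE-2023-50868 the new patch URL follows the kb.isc.org advisory link with no indication that it belongs to bind9, and the same URL now appears under two CVE entries. A short prefix naming the project, as the "MIT-krb5:" notes elsewhere in this file do, plus "(also covers CVE-2023-50387)" would tell a reader that the two entries share one patch.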



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc6727fdb5c42e70794c552f992ddbfb79e469bc



[Git][security-tracker-team/security-tracker][master] Claim bind9 in dla-needed.txt. Thanks to Ola for preparing the patch

2024-04-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7dd54c9 by Santiago Ruano Rincón at 2024-04-22T20:47:42-03:00
Claim bind9 in dla-needed.txt. Thanks to Ola for preparing the patch

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -42,7 +42,7 @@ atril
   NOTE: 20240319: package ready at: 
https://people.debian.org/~utkarsh/lts/atril/
   NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh)
 --
-bind9
+bind9 (Santiago)
   NOTE: 20240218: Added by Front-Desk (lamby)
   NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 
CVE-2023-5679 already fixed in bullseye. (lamby)
   NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and 
package builds fine.
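
Review bot: the header now reads "bind9 (Santiago)", but no dated NOTE records the claim, and the 20240418 "Patch created ... package builds fine." note has no author tag, unlike the "(lamby)" and "(utkarsh)" notes around it. The commit message credits Ola for the patch; putting that attribution on the 20240418 note would keep it in the data file as well.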



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7dd54c97b3e661240a15958361acc1898e9871d



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3792-1 for samba

2024-04-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c3b37c9 by Santiago Ruano Rincón at 2024-04-22T09:06:25-03:00
Reserve DLA-3792-1 for samba

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -288613,7 +288613,6 @@ CVE-2020-14383 (A flaw was found in samba's DNS 
server. An authenticated user co
{DLA-2463-1}
[experimental] - samba 2:4.13.2+dfsg-1
- samba 2:4.13.2+dfsg-2 (bug #973398)
-   [buster] - samba  (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2020-14383.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14472
 CVE-2020-14382 (A vulnerability was found in upstream release cryptsetup-2.2.0 
where,  ...)
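
Review bot: once the "[buster] - samba (Minor issue)" line is gone, the CVE-2020-14383 entry still carries only {DLA-2463-1}; nothing in this hunk, or in the two identical hunks below for CVE-2020-14323 and CVE-2020-14318, adds a {DLA-3792-1} reference. Please check that the cross-reference to the new data/DLA/list record ends up on these entries.
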
@@ -288900,7 +288899,6 @@ CVE-2020-14323 (A null pointer dereference flaw was 
found in samba's Winbind ser
{DLA-2463-1}
[experimental] - samba 2:4.13.2+dfsg-1
- samba 2:4.13.2+dfsg-2 (bug #973399)
-   [buster] - samba  (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2020-14323.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14436
 CVE-2020-14322 (In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo 
needed to l ...)
@@ -288915,7 +288913,6 @@ CVE-2020-14318 (A flaw was found in the way samba 
handled file and directory per
{DLA-2463-1}
[experimental] - samba 2:4.13.2+dfsg-1
- samba 2:4.13.2+dfsg-2 (bug #973400)
-   [buster] - samba  (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2020-14318.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14434
 CVE-2020-14317 (It was found that the issue for security flaw CVE-2019-3805 
appeared a ...)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Apr 2024] DLA-3792-1 samba - security update
+   {CVE-2020-14318 CVE-2020-14323 CVE-2020-14383 CVE-2022-2127 
CVE-2022-3437 CVE-2022-32742 CVE-2023-4091}
+   [buster] - samba 2:4.9.5+dfsg-5+deb10u5
 [22 Apr 2024] DLA-3791-1 thunderbird - security update
{CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 
CVE-2024-3859 CVE-2024-3861 CVE-2024-3864}
[buster] - thunderbird 1:115.10.1-1~deb10u1


=
data/dla-needed.txt
=
@@ -281,10 +281,6 @@ runc (dleidert)
   NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in 
bullseye.
   NOTE: 20240314: Uploads to ospu should be coordinated. (roberto)
 --
-samba (Santiago)
-  NOTE: 20230918: Added by Front-Desk (apo)
-  NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago)
---
 sendmail (rouca)
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not 
publish patches (CVE-2023-51765)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c3b37c90df72638fb3c2c96e87b26278e57b94a



[Git][security-tracker-team/security-tracker][master] Add glibc to dla-needed

2024-04-19 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
223f79e8 by Santiago Ruano Rincón at 2024-04-19T09:27:02-03:00
Add glibc to dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -98,6 +98,9 @@ frr (tobi)
   NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
   NOTE: 20240301: continue work (abhijith)
 --
+glibc
+  NOTE: 20240419: Added by coordinator (santiago)
+--
 h2o
   NOTE: 20231228: Added by Front-Desk (lamby)
 --
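
Review bot: the new glibc entry consists only of "Added by coordinator (santiago)" and gives no CVE id or reason for the addition. Listing the CVE(s) that prompted it in a NOTE would let whoever claims the package start without searching data/CVE/list first.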



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/223f79e8a91a6b9bc451da969753291e7298f245



[Git][security-tracker-team/security-tracker][master] Add some freeimage URL patch references from fedora

2024-04-09 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20155252 by Santiago Ruano Rincón at 2024-04-09T13:33:50-03:00
Add some freeimage URL patch references from fedora

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21970,6 +21970,7 @@ CVE-2023-47997 (An issue discovered in 
BitmapAccess.cpp::FreeImage_AllocateBitma
[bullseye] - freeimage  (Revisit when fixed upstream)
[buster] - freeimage  (Revisit when fixed upstream)
NOTE: 
https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47997.patch
 CVE-2023-47996 (An integer overflow vulnerability in 
Exif.cpp::jpeg_read_exif_dir in F ...)
- freeimage  (bug #1060691)
[bookworm] - freeimage  (Revisit when fixed upstream)
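
Review bot: the added "Patch in Fedora (not upstream'ed)" URL goes through the f39 branch path (blob/f39/f/...), which is a moving reference and can change or disappear with that branch. Suggest linking the dist-git commit that introduced the patch instead; the same applies to every Fedora URL added in the hunks below.
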
@@ -21982,6 +21983,7 @@ CVE-2023-47995 (Memory Allocation with Excessive Size 
Value discovered in Bitmap
[bullseye] - freeimage  (Revisit when fixed upstream)
[buster] - freeimage  (Revisit when fixed upstream)
NOTE: 
https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47995
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47995.patch
 CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 
function in Plu ...)
- freeimage  (bug #1060691)
[bookworm] - freeimage  (Revisit when fixed upstream)
@@ -188683,6 +188685,7 @@ CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette 
function in PluginTIFF.cpp
[bullseye] - freeimage  (Minor issue)
[buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/334/
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40266.patch
 CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad 
function ...)
- freeimage  (bug #1055304)
[bookworm] - freeimage  (Minor issue)
@@ -188701,6 +188704,7 @@ CVE-2021-40263 (A heap overflow vulnerability in 
FreeImage 1.18.0 via the ofLoad
[bullseye] - freeimage  (Minor issue)
[buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/336/
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40263.patch
 CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 
1.18.0 via ...)
- freeimage  (bug #1055301)
[bookworm] - freeimage  (Minor issue)
@@ -205900,6 +205904,7 @@ CVE-2021-33367 (Buffer Overflow vulnerability in 
Freeimage v3.18.0 allows attack
[bullseye] - freeimage  (Minor issue)
[buster] - freeimage  (Minor issue)
NOTE: 
https://sourceforge.net/p/freeimage/discussion/36109/thread/1a4db03d58/
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-33367.patch
 CVE-2021-33366 (Memory leak in the gf_isom_oinf_read_entry function in MP4Box 
in GPAC  ...)
{DSA-5411-1}
- gpac  (unimportant)
@@ -261315,6 +261320,7 @@ CVE-2020-24295 (Buffer Overflow vulnerability in 
PSDParser.cpp::ReadImageLine()
[bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit when patches are available)
NOTE: 
https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24295.patch
 CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function 
in PSDP ...)
- freeimage  (bug #1059152)
[bookworm] - freeimage  (Revisit when patches are available)
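
Review bot: the CVE-2020-24295 suite lines keep the reason "Revisit when patches are available" while the added NOTE now points at a patch. Either revisit the triage for these suites in the same commit, or say in the NOTE why the Fedora patch does not yet count (for example because it is not upstream), so the two lines do not contradict each other.
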
@@ -261327,12 +261333,14 @@ CVE-2020-24293 (Buffer Overflow vulnerability in 
psdThumbnail::Read in PSDParser
[bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit when patches are available)
NOTE: 
https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24293.patch
 CVE-2020-24292 (Buffer Overflow vulnerability in load function in 
PluginICO.cpp in Fre ...)
- freeimage  (bug #1059152)
[bookworm] - freeimage  (Revisit when patches are available)
[bullseye] - freeimage  (Revisit when patches are available)
[buster] - freeimage  (Revisit when patches are available)
NOTE: 
https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/
+   NOTE: Patch in Fedora (not upstream'ed): 
https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24292.patch
 CVE-2020-24291
 

[Git][security-tracker-team/security-tracker][master] samba/buster should be ready

2024-04-06 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e183ab54 by Santiago Ruano Rincón at 2024-04-06T23:13:10-03:00
samba/buster should be ready

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -252,6 +252,7 @@ runc
 --
 samba (Santiago)
   NOTE: 20230918: Added by Front-Desk (apo)
+  NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago)
 --
 sendmail (rouca)
   NOTE: 20231224: Added by Front-Desk (ta)
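
Review bot: "Will upload this Monday" in the added NOTE is a relative date that only makes sense next to the 20240406 stamp. Writing the planned upload date out would keep the note unambiguous if it is still in the file a week later.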



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e183ab5432e069ad2ed77af02b87e639690e7f04



[Git][security-tracker-team/security-tracker][master] Add fixing commit for CVE-2022-48434/ffmpeg in 4.4.3

2024-03-26 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e9ebf11 by Santiago Ruano Rincón at 2024-03-26T16:21:03-03:00
Add fixing commit for CVE-2022-48434/ffmpeg in 4.4.3

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -61360,6 +61360,7 @@ CVE-2022-48434 (libavcodec/pthread_frame.c in FFmpeg 
before 5.1.2, as used in VL
[buster] - ffmpeg  (Wait until the backport to 4.x)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11
 (n6.1-dev)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda
 (n5.1.2)
+   NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db
 (n4.4.3)
 CVE-2022-48433 (In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could 
leak thro ...)
- intellij-idea  (bug #747616)
 CVE-2022-48432 (In JetBrains IntelliJ IDEA before 2023.1 the bundled version 
of Chromi ...)
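
Review bot: the added NOTE references the n4.4.3 commit, yet the context line "[buster] - ffmpeg (Wait until the backport to 4.x)" is left as it was. With a 4.x backport now on record, that reason looks out of date; please update the buster line in the same change or add a NOTE on why the wait continues.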



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e9ebf11028f6b743a7fd0c5f65a2ed41c68bcd6



[Git][security-tracker-team/security-tracker][master] Claim samba in dla-needed.txt

2024-03-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c52001f by Santiago Ruano Rincón at 2024-03-22T18:05:49-03:00
Claim samba in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -245,7 +245,7 @@ runc
   NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in 
bullseye.
   NOTE: 20240314: Uploads to ospu should be coordinated. (roberto)
 --
-samba
+samba (Santiago)
   NOTE: 20230918: Added by Front-Desk (apo)
 --
 sendmail (rouca)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c52001f2c6696b2683a4289ff3ab21e40fca34c



[Git][security-tracker-team/security-tracker][master] A couple more of samba AD DC CVEs to be ignored: CVE-2019-14861, CVE-2019-14870

2024-03-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff0ed187 by Santiago Ruano Rincón at 2024-03-22T14:51:54-03:00
A couple more of samba AD DC CVEs to be ignored: CVE-2019-14861, CVE-2019-14870

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -330688,7 +330688,7 @@ CVE-2019-14871 (The REENT_CHECK macro (see 
newlib/libc/include/sys/reent.h) as u
 CVE-2019-14870 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 
and 4.11 ...)
{DLA-3206-1 DLA-2668-1}
- samba 2:4.11.3+dfsg-1
-   [buster] - samba  (Minor issue)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
[jessie] - samba  (Minor issue)
- heimdal 7.7.0+dfsg-1 (bug #946786)
[stretch] - heimdal  (Minor issue)
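
Review bot: the new buster reason for CVE-2019-14870 rests entirely on "see DSA-5015-1" and the entry gets no NOTE saying that the flaw is confined to the domain controller role. One NOTE stating that, with the upstream advisory as source, would let a reader verify the triage from this file; the CVE-2019-14861 hunk below would benefit from the same.
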
@@ -330755,7 +330755,7 @@ CVE-2019-14862 (There is a vulnerability in knockout 
before version 3.5.0-beta,
 CVE-2019-14861 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 
and 4.11 ...)
{DLA-2668-1}
- samba 2:4.11.3+dfsg-1
-   [buster] - samba  (Minor issue)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
[jessie] - samba  (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2019-14861.html
 CVE-2019-14860 (It was found that the Syndesis configuration for Cross-Origin 
Resource ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff0ed18761573261ba763fe17d4b0be63be1b12b



[Git][security-tracker-team/security-tracker][master] Mark samba's CVE-2023-0614 and CVE-2022-38023 as ignored. Add note about CVE-2022-42898

2024-03-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d7a215d by Santiago Ruano Rincón at 2024-03-22T11:23:58-03:00
Mark samba's CVE-2023-0614 and CVE-2022-38023 as ignored. Add note about 
CVE-2022-42898

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73235,6 +73235,8 @@ CVE-2023-0615 (A memory leak flaw and potential divide 
by zero and Integer overf
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2166287
 CVE-2023-0614 (The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 
Confident ...)
- samba 2:4.17.7+dfsg-1
+   [bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2023-0614.html
 CVE-2023-0613 (A vulnerability has been found in TRENDnet TEW-811DRU 1.0.10.0 
and cla ...)
NOT-FOR-US: TRENDnet
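
Review bot: the added bullseye line reads "see DSA DSA-5477-1", with the prefix doubled, while the buster line next to it has "see DSA-5015-1". Suggest "see DSA-5477-1"; the CVE-2022-38023 hunk further down adds the same wording.
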
@@ -101925,6 +101927,7 @@ CVE-2022-42898 (PAC parsing in MIT Kerberos 5 (aka 
krb5) before 1.19.4 and 1.20.
- samba 2:4.17.3+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2022-42898.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15203
+   NOTE: samba: only exploitable in 32-bit systems, according to upstream 
advisory
NOTE: MIT-krb5: 
https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 
(master)
NOTE: MIT-krb5: 
https://github.com/krb5/krb5/commit/b99de751dd35360c0fccac74a40f4a60dbf1ceea 
(krb5-1.20.1-final)
NOTE: MIT-krb5: 
https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4 
(krb5-1.19.4-final)
@@ -115321,6 +115324,8 @@ CVE-2022-38024
RESERVED
 CVE-2022-38023 (Netlogon RPC Elevation of Privilege Vulnerability)
- samba 2:4.17.4+dfsg-1
+   [bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2022-38023.html
NOTE: possible samba 4.13,4.15 regression: 
https://bugzilla.samba.org/show_bug.cgi?id=15243
NOTE: and https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2003867



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d7a215d0862978966af171aea64b5823b540a9f



[Git][security-tracker-team/security-tracker][master] CVE-2021-20251/samba note: AD DC functionality EOL'ed in buster too

2024-03-20 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0161ad5c by Santiago Ruano Rincón at 2024-03-20T16:54:06-03:00
CVE-2021-20251/samba note: AD DC functionality EOL'ed in buster too

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -234862,6 +234862,7 @@ CVE-2021-20251 (A flaw was found in samba. A race 
condition in the password lock
[experimental] - samba 2:4.17.1+dfsg-1
- samba 2:4.17.2+dfsg-3
[bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14611
NOTE: https://gitlab.com/samba-team/samba/-/merge_requests/2708
 CVE-2021-20250 (A flaw was found in wildfly. The JBoss EJB client has publicly 
accessi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0161ad5c2009ee044a9e6bad0a4f68073102d0d4



[Git][security-tracker-team/security-tracker][master] Add fix commit links for CVE-2023-4091/samba

2024-03-19 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a70b8ccf by Santiago Ruano Rincón at 2024-03-19T16:35:51-03:00
Add fix commit links for CVE-2023-4091/samba

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32362,6 +32362,8 @@ CVE-2023-4091 (A vulnerability was discovered in Samba, 
where the flaw allows SM
- samba 2:4.19.1+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2023-4091.html
NOTE: In scope for continued Samba support
+   NOTE: Fixed by: 
https://git.samba.org/?p=samba.git;a=commit;h=b08a60160e6ab8d982d31844bcbf7ab67ff3a8de
 (samba-4.17.12)
+   NOTE: Fixed by: 
https://git.samba.org/?p=samba.git;a=commit;h=8b26f634372f11edcbea33dfd68a3d57889dfcc5
 (samba-4.17.12)
 CVE-2023-4154 (A design flaw was found in Samba's DirSync control 
implementation, whi ...)
{DSA-5525-1}
- samba 2:4.19.1+dfsg-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a70b8ccfbef90eb51837fe3dbcab0dd928e55031



[Git][security-tracker-team/security-tracker][master] Add note about samba/buster for CVE-2023-34966, CVE-2023-34967 and CVE-2023-34968

2024-03-19 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
22cebdf4 by Santiago Ruano Rincón at 2024-03-19T16:33:05-03:00
Add note about samba/buster for CVE-2023-34966, CVE-2023-34967 and 
CVE-2023-34968

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43998,7 +43998,9 @@ CVE-2023-3347 (A vulnerability was found in Samba's 
SMB2 packet signing mechanis
 CVE-2023-34968 (A path disclosure vulnerability was found in Samba. As part of 
the Spo ...)
{DSA-5477-1}
- samba 2:4.18.5+dfsg-1
+   [buster] - samba  (spotlight enabled in 4.13.13+dfsg-1 - 
bullseye)
NOTE: https://www.samba.org/samba/security/CVE-2023-34968.html
+   NOTE: severity:unimportant for buster backwards, but we don't have 
suite-specific severity annotations
 CVE-2023-42464 (A Type Confusion vulnerability was found in the Spotlight RPC 
function ...)
{DSA-5503-1 DLA-3584-1}
- netatalk 3.1.17~ds-1 (bug #1052087)
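
Review bot: the buster reason "(spotlight enabled in 4.13.13+dfsg-1 - bullseye)" and the NOTE "severity:unimportant for buster backwards" are both hard to parse. If the meaning is that Spotlight support was first enabled in 4.13.13+dfsg-1 (bullseye) and the buster package does not include it, please say so directly and write "buster and earlier"; the identical pair of lines is added for CVE-2023-34967 and CVE-2023-34966 in the next hunk.
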
@@ -44009,11 +44011,15 @@ CVE-2023-42464 (A Type Confusion vulnerability was 
found in the Spotlight RPC fu
 CVE-2023-34967 (A Type Confusion vulnerability was found in Samba's mdssvc RPC 
service ...)
{DSA-5477-1}
- samba 2:4.18.5+dfsg-1
+   [buster] - samba  (spotlight enabled in 4.13.13+dfsg-1 - 
bullseye)
NOTE: https://www.samba.org/samba/security/CVE-2023-34967.html
+   NOTE: severity:unimportant for buster backwards, but we don't have 
suite-specific severity annotations
 CVE-2023-34966 (An infinite loop vulnerability was found in Samba's mdssvc RPC 
service ...)
{DSA-5477-1}
- samba 2:4.18.5+dfsg-1
+   [buster] - samba  (spotlight enabled in 4.13.13+dfsg-1 - 
bullseye)
NOTE: https://www.samba.org/samba/security/CVE-2023-34966.html
+   NOTE: severity:unimportant for buster backwards, but we don't have 
suite-specific severity annotations
 CVE-2023-3750 (A flaw was found in libvirt. The virStoragePoolObjListSearch 
function  ...)
- libvirt 9.6.0-1 (bug #1041811)
[bookworm] - libvirt  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22cebdf452b5f354d4903713723d818e445f7e6d



[Git][security-tracker-team/security-tracker][master] Add note on CVE-2019-12290/libidn2

2024-03-06 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b67cb4d by Santiago Ruano Rincón at 2024-03-06T12:44:40-03:00
Add note on CVE-2019-12290/libidn2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -335470,6 +335470,7 @@ CVE-2019-12290 (GNU libidn2 before 2.2.0 fails to 
perform the roundtrip checks s
[buster] - libidn2  (Minor issue; intrusive to backport)
NOTE: 
https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5
 (2.2.0)
NOTE: https://gitlab.com/libidn/libidn2/merge_requests/71
+   NOTE: Backport available: 
https://git.launchpad.net/ubuntu/+source/libidn2/commit/?id=0aa447342fbf0fc37d7887982e0daf817db08b1d
 CVE-2019-12289 (An issue was discovered in upgrade_firmware.cgi on VStarcam 
100T (C782 ...)
NOT-FOR-US: VStarcam
 CVE-2019-12288 (An issue was discovered in upgrade_htmls.cgi on VStarcam 100T 
(C7824WI ...)
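Review bot: the added "Backport available" NOTE sits under a [buster] line whose reason is still "Minor issue; intrusive to backport", so the entry now argues both ways. Either revisit that reason or say in the NOTE which libidn2 version the Ubuntu backport targets and why it does not change the buster triage.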



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b67cb4d0b3d44871d5a16a4bf31c6ca7abfe87d



[Git][security-tracker-team/security-tracker][master] Add note about CVE-2018-14550

2024-03-06 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2e8f6b3 by Santiago Ruano Rincón at 2024-03-06T10:07:38-03:00
Add note about CVE-2018-14550

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -383834,6 +383834,7 @@ CVE-2018-14550 (An issue has been found in 
third-party PNM decoding associated w
- libpng  (unimportant)
NOTE: https://github.com/glennrp/libpng/issues/246
NOTE: 
https://github.com/glennrp/libpng/commit/1f0221fad7e7888ada87eda511dcbfd701de7d21
+   NOTE: pnm2png is not shipped in Debian
 CVE-2018-14549 (An issue has been found in libwav through 2017-04-20. It is a 
SEGV in  ...)
NOT-FOR-US: libwav
 CVE-2018-14548
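Review bot: "not shipped in Debian" in the added NOTE can mean that pnm2png is absent from the source package or that it is not installed by any binary package. Say which, since this line is the justification for the "(unimportant)" rating above it.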



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2e8f6b316d79d5b07ea772df252f8e5089638ee



[Git][security-tracker-team/security-tracker][master] 2 commits: Triage wpa for buster LTS

2024-02-23 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ddb52de by Santiago Ruano Rincón at 2024-02-23T14:53:47-03:00
Triage wpa for buster LTS

- - - - -
65ea860b by Santiago Ruano Rincón at 2024-02-23T14:53:47-03:00
Add a couple of notes about CVE-2023-52160/wpa

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -1479,6 +1479,8 @@ CVE-2023-52160 (The implementation of PEAP in 
wpa_supplicant through 2.10 allows
- wpa  (bug #1064061)
NOTE: 
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
NOTE: https://www.top10vpn.com/research/wifi-vulnerabilities/
+   NOTE: 
https://lists.infradead.org/pipermail/hostap/2024-February/042362.html
+   NOTE: 
https://lists.infradead.org/pipermail/hostap/2024-February/042364.html
 CVE-2023-52161 (The Access Point functionality in eapol_auth_key_handle in 
eapol.c in  ...)
{DLA-3738-1}
- iwd 2.14-1 (bug #1064062)
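Review bot: the two NOTE lines added under CVE-2023-52160 are bare links to hostap list posts. Add a few words on what each post is, so the entry can be read without following the links.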


=
data/dla-needed.txt
=
@@ -313,6 +313,9 @@ wireshark
   NOTE: 20231204: DLA pending (bunk)
   NOTE: 20231218: Debugging a problem with the update. (bunk)
 --
+wpa
+  NOTE: 20240222: Added by Front-Desk (santiago)
+--
 zabbix
   NOTE: 20240212: Added by Front-Desk (utkarsh)
 --
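Review bot: the new wpa entry records only who added it, not the issue that put the package on the list. The data/CVE/list hunk in the same push is about CVE-2023-52160, so a second NOTE naming that CVE would tell whoever claims the package what to look at. The NOTE is also dated 20240222 while the commit is dated 2024-02-23.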



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cb852d9d986418df5728340884c079bcf8a70eb4...65ea860bb6392366d6d8db0a0ddd82e2531a7fa5



[Git][security-tracker-team/security-tracker][master] Add some fixing commits for bind9 issues

2024-02-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9b7664c8 by Santiago Ruano Rincón at 2024-02-22T18:52:05-03:00
Add some fixing commits for bind9 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2245,6 +2245,8 @@ CVE-2023-4408 (The DNS message parsing code in `named` 
includes a section whose
{DSA-5621-1}
- bind9 1:9.19.21-1
NOTE: https://kb.isc.org/docs/cve-2023-4408
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/0bbb0065e63c3231b320bd20d1121aed6c4d00d8
 (9.16)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/f397ff5bb81413004fa6367f63a833fe70a3ac59
 (9.16)
 CVE-2023-5517 (A flaw in query-handling code can cause `named` to exit 
prematurely wi ...)
{DSA-5621-1}
- bind9 1:9.19.21-1
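Review bot: the two links added under CVE-2023-4408 are tagged only "(9.16)" and do not say that they are the fixes. The unbound reference further down in this file uses "Fixed by:"; the same prefix here, plus the order in which the two commits apply, would make the NOTE usable for a backport.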
@@ -2275,6 +2277,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS 
protocol (in RFC 4033, 4034, 4
NOTE: https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
NOTE: 
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
NOTE: Fixed by: 
https://github.com/NLnetLabs/unbound/commit/882903f2fa800c4cb6f5e225b728e2887bb7b9ae
 (release-1.19.1)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614
 and four previous commits (bind9 9.16)
 CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 
5155 whe ...)
{DSA-5626-1 DSA-5621-1 DSA-5620-1 DLA-3736-1}
- bind9 1:9.19.21-1
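Review bot: "and four previous commits" in the NOTE added under CVE-2023-50387 leaves the reader to work out which commits are meant. List the hashes or give a first..last range. The branch tag is also written "(bind9 9.16)" here and "(9.16)" in the hunk above; pick one form.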



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b7664c8d9bdee2d9cec58cc3db3c30c3ff68e56



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-5679/bind9/buster as not affected

2024-02-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4396c971 by Santiago Ruano Rincón at 2024-02-22T15:07:44-03:00
Mark CVE-2023-5679/bind9/buster as not affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2155,6 +2155,7 @@ CVE-2023-5517 (A flaw in query-handling code can cause 
`named` to exit premature
 CVE-2023-5679 (A bad interaction between DNS64 and serve-stale may cause 
`named` to c ...)
{DSA-5621-1}
- bind9 1:9.19.21-1
+   [buster] - bind9  (Vulnerable code only in 9.16.y series)
NOTE: https://kb.isc.org/docs/cve-2023-5679
 CVE-2023-6516 (To keep its cache database efficient, `named` running as a 
recursive r ...)
- bind9 1:9.17.19-1
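Review bot: the reason on the added [buster] line, "Vulnerable code only in 9.16.y series", does not fit the rest of the entry, which lists 1:9.19.21-1 as the fixed version, so later series carried the code as well. If the point is that the code first appeared in 9.16, word it as "introduced in 9.16" so the reason explains why the older buster version is unaffected.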



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4396c9718c6c36063849f7dc402740e1274ca597



[Git][security-tracker-team/security-tracker][master] Claim bind9 in dla-needed.txt

2024-02-19 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
033d9d04 by Santiago Ruano Rincón at 2024-02-19T19:14:36-03:00
Claim bind9 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -34,7 +34,7 @@ atril
   NOTE: 20240121: Added by Front-Desk (apo)
   NOTE: 20240121: Decide whether it makes sense to disable comic feature or 
use libarchive instead.
 --
-bind9
+bind9 (santiago)
   NOTE: 20240218: Added by Front-Desk (lamby)
   NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 
CVE-2023-5679 already fixed in bullseye. (lamby)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/033d9d0433aa62d22cfcf13e11ed1c51478c0bf2



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2024-02-12 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ff9650f by Santiago Ruano Rincón at 2024-02-12T11:59:43-03:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -92,7 +92,7 @@ frr (Abhijith PA)
   NOTE: 20231119: Added by Front-Desk (apo)
   NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
 --
-gnutls28 (guilhem)
+gnutls28
   NOTE: 20240122: Added by Front-Desk (Beuc)
   NOTE: 20240122: Incomplete fix for CVE-2023-5981/DLA-3660-1 (Beuc/front-desk)
 --
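Review bot: gnutls28 goes back to the unclaimed pool while its NOTE records an incomplete fix for CVE-2023-5981 in the already released DLA-3660-1. Dropping the claimant without a new dated NOTE leaves no trace that the package was claimed and went stale; add one line recording the unclaim so the front desk can see that the follow-up needs an owner.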
@@ -186,7 +186,7 @@ nvidia-cuda-toolkit
 openvswitch (tobi)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
 --
-putty (santiago)
+putty
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20230104: massive code change against bullseye. May be better to 
backport bullseye (rouca)
 --
@@ -248,7 +248,7 @@ squid
   NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix
   NOTE: 20240109: appears to be intrusive. I could not locate the fix for 
CVE-2023-49288 yet. (apo)
 --
-suricata (Adrian Bunk)
+suricata
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with 
last LTS update in Jessie,
   NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage 
(postponed/ignored),
@@ -258,7 +258,7 @@ suricata (Adrian Bunk)
   NOTE: 20231016: Still reviewing+testing CVEs. (bunk)
   NOTE: 20231120: DLA coming soon. (bunk)
 --
-tiff (Adrian Bunk)
+tiff
   NOTE: 20231231: Added by Front-Desk (lamby)
   NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point 
release(s). (lamby)
 --
@@ -272,14 +272,14 @@ tinymce
 tomcat9 (Markus Koschany)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-varnish (Abhijith PA)
+varnish
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
   NOTE: 20231219: Continuing work
   NOTE: 20240108: Backported security fixes and related commits. Fixing test 
failures. (abhijith)
   NOTE: 20240122: Still fixing tests (abhijith)
 --
-wireshark (Adrian Bunk)
+wireshark
   NOTE: 20231118: Added by Front-Desk (apo)
   NOTE: 20231204: DLA pending (bunk)
   NOTE: 20231218: Debugging a problem with the update. (bunk)
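Review bot: varnish and wireshark lose their claimant here while their NOTE lines describe unfinished work (backported fixes with failing tests for varnish, a pending DLA for wireshark). Nothing in either entry says where that work can be found, so the next claimant starts from scratch; add a dated NOTE recording the unclaim and pointing at the existing branch or patches.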



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ff9650fe176bee9250bcec362ff003dfdbbcfe9



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2024-02-05 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5ca685e by Santiago Ruano Rincón at 2024-02-05T11:00:06-03:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -84,7 +84,7 @@ exiftags
 freeimage
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-frr (Abhijith PA)
+frr
   NOTE: 20231119: Added by Front-Desk (apo)
 --
 gnutls28 (guilhem)
@@ -177,7 +177,7 @@ python-asyncssh (dleidert)
   NOTE: 20240116: Added by Front-Desk (lamby)
   NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and 
in Git, but one test is failing. Waiting for feedback before release. (dleidert)
 --
-python-django (Chris Lamb)
+python-django
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)
   NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & 
CVE-2021-33571. (lamby)
@@ -250,7 +250,7 @@ tinymce
   NOTE: 20231216: upstream's patch is backportable, as the code has changed a
   NOTE: 20231216: lot.  (spwhitton)
 --
-tomcat9 (Markus Koschany)
+tomcat9
   NOTE: 20240121: Added by Front-Desk (apo)
 --
 varnish (Abhijith PA)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5ca685e8e9f80a553d8fdd429a05baa1a8140f1



[Git][security-tracker-team/security-tracker][master] Remove salt from dla-needed.txt. EOL'ed

2024-01-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93b1348d by Santiago Ruano Rincón at 2024-01-29T16:08:44-03:00
Remove salt from dla-needed.txt. EOLed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -234,23 +234,6 @@ ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
 --
-salt
-  NOTE: 20220814: Added by Front-Desk (gladk)
-  NOTE: 20220814: I am not sure, whether it is possible to fix issues
-  NOTE: 20220814: without backporting a newer version. (Anton)
-  NOTE: 20230720: Backport to at least 3002.9 in order to fix protocol flaws 
between client/server
-  NOTE: 20230720: Users will need need both update client and server 
synchronously (flag day).
-  NOTE: 20230720: Unfortunatly upgrading will need to update some 
configuration file
-  NOTE: 20230720: 
https://docs.saltproject.io/en/master/topics/releases/2019.2.0.html#non-backward-compatible-change-to-yaml-renderer
-  NOTE: 20230720: They are also some minor change here:
-  NOTE: 20230720: 
https://docs.saltproject.io/en/master/topics/releases/3002.html#execution-module-changes
-  NOTE: 20230720: Last but not least salt is not present in stable/testing 
(rouca)
-  NOTE: 20230928: Backported 3002.9 first non affected by crypto flaw version
-  NOTE: 20230928: will need python3-saltfactories >= 0.907 (that need 
python3-setuptools (>= 50.3.2),  python3-setuptools-scm (>= 3.4) to be 
investigated)
-  NOTE: 20230928: will need python3-attr (>= 19.1) may from buster-backport ? 
or vendored ?
-  NOTE: 20230928: see https://lists.debian.org/debian-lts/2023/09/msg00033.html
-  NOTE: 20240126: santiago in the process of EOLing the package 
(Beuc/front-desk)
---
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
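Review bot: the removed block takes the whole backport analysis for salt with it, and this commit changes only data/dla-needed.txt, so nothing visible here records that the package is EOL. The last removed NOTE says the EOL was still "in the process"; the commit message should reference the change where the end of support is recorded.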



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93b1348db0bb9705840bb67cb35c3ae6b3daec2c



[Git][security-tracker-team/security-tracker][master] Claim putty in dla-needed

2024-01-26 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ad90679 by Santiago Ruano Rincón at 2024-01-26T07:29:25-03:00
Claim putty in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -189,7 +189,7 @@ openjdk-11 (Emilio)
 pillow (Chris Lamb)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-putty
+putty (santiago)
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20230104: massive code change against bullseye. May be better to 
backport bullseye (rouca)
 --
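Review bot: the NOTE dated 20230104 in the putty entry follows the 20231224 "Added by Front-Desk" line, so its year looks mistyped. It is a context line in this hunk, but worth correcting while taking the claim, since the dates are the only activity record the entry has.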



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ad90679a8e729990ef675857ed0c678f30da42a



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2024-01-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0fcb51fa by Santiago Ruano Rincón at 2024-01-22T15:06:24-03:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -275,7 +275,7 @@ squid
 sudo (rouca)
   NOTE: 20231224: Added by Front-Desk (ta)
 --
-suricata (Adrian Bunk)
+suricata
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with 
last LTS update in Jessie,
   NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage 
(postponed/ignored),
@@ -306,7 +306,7 @@ varnish (Abhijith PA)
   NOTE: 20240108: Backported security fixes and related commits. Fixing test 
failures. (abhijith)
   NOTE: 20240122: Still fixing tests (abhijith)
 --
-wireshark (Adrian Bunk)
+wireshark
   NOTE: 20231118: Added by Front-Desk (apo)
   NOTE: 20231204: DLA pending (bunk)
   NOTE: 20231218: Debugging a problem with the update. (bunk)
@@ -314,7 +314,7 @@ wireshark (Adrian Bunk)
 xorg-server (Markus Koschany)
   NOTE: 20240117: Added by Front-Desk (lamby)
 --
-zabbix (tobi)
+zabbix
   NOTE: 20231015: Added by Front-Desk (ta)
 --
 zfs-linux (Utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fcb51fa049f1daf1d74b2afb2353692655c491c



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3694-1 for openssh

2023-12-25 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2261d6ec by Santiago Ruano Rincón at 2023-12-25T16:01:13-05:00
Reserve DLA-3694-1 for openssh

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -160155,7 +160155,6 @@ CVE-2021-3830 (btcpayserver is vulnerable to Improper 
Neutralization of Input Du
 CVE-2021-41617 (sshd in OpenSSH 6.2 through 8.x before 8.8, when certain 
non-default c ...)
- openssh 1:8.7p1-1 (bug #995130)
[bullseye] - openssh 1:8.4p1-5+deb11u3
-   [buster] - openssh  (Minor issue)
[stretch] - openssh  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/09/26/1
NOTE: 
https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Dec 2023] DLA-3694-1 openssh - security update
+   {CVE-2021-41617 CVE-2023-48795 CVE-2023-51385}
+   [buster] - openssh 1:7.9p1-10+deb10u4
 [23 Dec 2023] DLA-3693-1 osslsigncode - security update
{CVE-2023-36377}
[buster] - osslsigncode 2.0+really2.5-4+deb10u1
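Review bot: the DLA-3694-1 entry lists three CVEs, but the data/CVE/list hunk in this commit only drops the [buster] line for CVE-2021-41617. Check that CVE-2023-48795 and CVE-2023-51385 carry no leftover buster triage line that would contradict the fixed version 1:7.9p1-10+deb10u4.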


=
data/dla-needed.txt
=
@@ -161,9 +161,6 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-openssh (santiago)
-  NOTE: 20231219: Added by Front-Desk (ta)
---
 paramiko
   NOTE: 20231225: Added by Front-Desk (ta)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2261d6ec610f9e89a62a5df86e7a15bb1a07b79e



[Git][security-tracker-team/security-tracker][master] Claim openssh in dla-needed.txt

2023-12-22 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03aa9969 by Santiago Ruano Rincón at 2023-12-22T14:10:41-03:00
Claim openssh in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -158,7 +158,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-openssh
+openssh (santiago)
   NOTE: 20231219: Added by Front-Desk (ta)
 --
 osslsigncode (tobi)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03aa9969954f5ea2de80776114185ec77a16e9e9



[Git][security-tracker-team/security-tracker][master] give more info about regressions in some CVE related to samba/bullseye-and-older

2023-12-01 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9bc9aafe by Santiago Ruano Rincón at 2023-12-01T11:30:06-03:00
give more info about regressions in some CVE related to samba/bullseye-and-older

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -77177,6 +77177,8 @@ CVE-2022-42898 (PAC parsing in MIT Kerberos 5 (aka 
krb5) before 1.19.4 and 1.20.
NOTE: 
https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c
NOTE: Heimdal: 
https://github.com/heimdal/heimdal/commit/0c56257bdac80da015878fffdb0f8a42b8d73246
 (heimdal-7.7.1)
NOTE: Heimdal regression: https://github.com/heimdal/heimdal/pull/1025
+   NOTE: possible samba 4.13,4.15 regression: 
https://bugzilla.samba.org/show_bug.cgi?id=15243
+   NOTE: and https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2003867
 CVE-2022-42897 (Array Networks AG/vxAG with ArrayOS AG before 9.4.0.469 allows 
unauthe ...)
NOT-FOR-US: Array Networks
 CVE-2022-3478 (An issue has been discovered in GitLab affecting all versions 
starting ...)
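Review bot: the second added line, which begins "NOTE: and", only makes sense when read together with the line above it. Give it its own label (for example by repeating "possible samba 4.13,4.15 regression:") so each NOTE stands alone when the entry is grepped or one of the lines is later removed. Since CVE-2022-42898 is described as a krb5 issue, it would also help to say why a samba regression is noted here.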
@@ -77756,7 +77758,8 @@ CVE-2022-3437 (A heap-based buffer overflow 
vulnerability was found in Samba wit
NOTE: 
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
 (heimdal-7.7.1)
NOTE: 
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef
 (heimdal-7.7.1)
NOTE: In scope for continued Samba support
-   NOTE: Important risk of regression in samba/bullseye (4.13)
+   NOTE: possible samba 4.13,4.15 regression: 
https://bugzilla.samba.org/show_bug.cgi?id=15243
+   NOTE: and https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2003867
 CVE-2021-46845
RESERVED
 CVE-2020-36606
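Review bot: under CVE-2022-3437 this replaces "Important risk of regression in samba/bullseye (4.13)" with "possible samba 4.13,4.15 regression", which both softens the assessment and drops the suite name. If the risk for bullseye is still considered important, keep that wording next to the new links.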
@@ -90562,6 +90565,8 @@ CVE-2022-38024
 CVE-2022-38023 (Netlogon RPC Elevation of Privilege Vulnerability)
- samba 2:4.17.4+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2022-38023.html
+   NOTE: possible samba 4.13,4.15 regression: 
https://bugzilla.samba.org/show_bug.cgi?id=15243
+   NOTE: and https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2003867
 CVE-2022-38022 (Windows Kernel Elevation of Privilege Vulnerability. This CVE 
ID is un ...)
NOT-FOR-US: Microsoft
 CVE-2022-38021 (Connected User Experiences and Telemetry Elevation of 
Privilege Vulner ...)
@@ -90677,9 +90682,13 @@ CVE-2022-37967 (Windows Kerberos Elevation of 
Privilege Vulnerability)
[bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
[buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2022-37967.html
+   NOTE: possible samba 4.13,4.15 regression: 
https://bugzilla.samba.org/show_bug.cgi?id=15243
+   NOTE: and https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2003867
 CVE-2022-37966 (Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability)
- samba 2:4.17.4+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2022-37966.html
+   NOTE: possible samba 4.13,4.15 regression: 
https://bugzilla.samba.org/show_bug.cgi?id=15243
+   NOTE: and https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2003867
 CVE-2022-37965 (Windows Point-to-Point Tunneling Protocol Denial of Service 
Vulnerabil ...)
NOT-FOR-US: Microsoft
 CVE-2022-37964 (Windows Kernel Elevation of Privilege Vulnerability)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bc9aafed627e43086d1ed7387da2e7bd0e1f843



[Git][security-tracker-team/security-tracker][master] data/CVE/list: add note about CVE-2022-3437/samba. regression risky

2023-11-30 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7b6346ec by Santiago Ruano Rincón at 2023-11-30T12:26:11-03:00
data/CVE/list: add note about CVE-2022-3437/samba. regression risky

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -77344,6 +77344,7 @@ CVE-2022-3437 (A heap-based buffer overflow 
vulnerability was found in Samba wit
NOTE: 
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
 (heimdal-7.7.1)
NOTE: 
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef
 (heimdal-7.7.1)
NOTE: In scope for continued Samba support
+   NOTE: Important risk of regression in samba/bullseye (4.13)
 CVE-2021-46845
RESERVED
 CVE-2020-36606
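Review bot: the added NOTE asserts an important regression risk for samba/bullseye without a bug or commit reference. Add the link that supports it so the claim can be checked.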



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b6346ec3e0836b959cc91b08e35a563e9f790fc



[Git][security-tracker-team/security-tracker][master] dsa-needed.txt: started to backport samba patches to bullseye - santiago

2023-11-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bbc3d51a by Santiago Ruano Rincón at 2023-11-29T23:11:05+01:00
dsa-needed.txt: started to backport samba patches to bullseye - santiago

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -85,6 +85,7 @@ ruby-tzinfo/oldstable
 salt/oldstable
 --
 samba/oldstable
+  santiago started to backport patches to bullseye
 --
 squid
 --
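Review bot: the line added under samba/oldstable carries no date, so nobody reading the file later can tell how current "started to backport" is. Prefix it with the date of the status.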



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbc3d51a9b1f701b51d65b7757a84636201e887b



[Git][security-tracker-team/security-tracker][master] Add postgresql-multicorn, python-requestbuilder and reportbug to...

2023-11-08 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
239bf244 by Santiago Ruano Rincón at 2023-11-08T16:18:54-03:00
Add postgresql-multicorn, python-requestbuilder and reportbug to 
dla-needed.txt, due to incompatibilities with PEP 440

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -176,6 +176,10 @@ osslsigncode
   NOTE: 20230925: Added by Front-Desk (apo)
   NOTE: 20230925: Maybe a new upstream release should just do the trick here.
 --
+postgresql-multicorn
+  NOTE: 20231108: Added by Front-Desk (santiago)
+  NOTE: 20231108: Need to handle incompatibilities with versions in debian 
packages, brought up by PEP 440. See 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
+--
 python-django (Chris Lamb)
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)
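
Review bot: the second NOTE added for postgresql-multicorn says only "incompatibilities with versions in debian packages, brought up by PEP 440", which does not tell whoever picks this up what actually fails; the detail sits entirely behind the lts-updates-tasks issue link. A few words naming the symptom would keep the entry usable on its own. The same text is added for python-requestbuilder and reportbug in the next two hunks, so the same applies there.
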
@@ -192,6 +196,10 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
+python-requestbuilder
+  NOTE: 20231108: Added by Front-Desk (santiago)
+  NOTE: 20231108: Need to handle incompatibilities with versions in debian 
packages, brought up by PEP 440. See 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -206,6 +214,10 @@ rails
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
   NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
+reportbug
+  NOTE: 20231108: Added by Front-Desk (santiago)
+  NOTE: 20231108: Need to handle incompatibilities with versions in debian 
packages, brought up by PEP 440. See 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
+--
 ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/239bf2443e2b5fcd1885d29724e8e2d59c6d4589



[Git][security-tracker-team/security-tracker][master] co-claim with rouca docker.io in dla-needed.txt, again

2023-10-25 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df33b894 by Santiago Ruano Rincón at 2023-10-25T23:11:56-03:00
co-claim with rouca docker.io in dla-needed.txt, again

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -44,7 +44,7 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-docker.io
+docker.io (rouca/santiago)
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
   NOTE: 20230424: Is in preparation. (gladk)
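
Review bot: the claim "(rouca/santiago)" goes back on the docker.io heading without a new dated NOTE, and the most recent note visible in this hunk is from 20230424. Add a NOTE with the current state of the work, so that the claim does not look idle the next time inactive entries are checked.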



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df33b8948ce0bbfeadef2198ae7e595474579055



[Git][security-tracker-team/security-tracker][master] Add note on request-tracker4 in dla-needed.txt

2023-10-25 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb5351e2 by Santiago Ruano Rincón at 2023-10-25T11:28:09-03:00
Add note on request-tracker4 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -199,6 +199,7 @@ request-tracker4
   NOTE: 20231024: Added by Front-Desk (gladk)
   NOTE: 20231024: Please check the commit: 
https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d
   NOTE: 20231024: Please check the commit: 
https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb
+  NOTE: 20231025: Andrew Ruthven is working on the buster-security upload, but 
will let the LTS handle the paperwork
 --
 ring
   NOTE: 20230903: Added by Front-Desk (gladk)
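
Review bot: the added NOTE says the LTS will handle the paperwork, but the request-tracker4 heading (see the @@ line) has no claimant and the note names nobody on the LTS side. Suggest either claiming the entry or stating who does the paperwork once the buster-security upload is done. The note is also unsigned, unlike the "(gladk)" note at the top of the hunk.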



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb5351e258ae47cf98807ff6ce67ce464e9c34a9



[Git][security-tracker-team/security-tracker][master] Add grub2 to dla-needed.txt

2023-10-03 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4895c1ee by Santiago Ruano Rincón at 2023-10-03T16:48:40-03:00
Add grub2 to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -70,6 +70,10 @@ freerdp2 (tobi)
   NOTE: 20230924: Added by Front-Desk (apo)
   NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
 --
+grub2
+  NOTE: 20231003: Maintainer prepared an uploaded the update
+  NOTE: 20231003: 
https://lists.debian.org/debian-lts-changes/2023/10/msg5.html
+--
 gst-plugins-bad1.0 (Thorsten Alteholz)
   NOTE: 20230928: Added by Frond-Desk (ola)
 --
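
Review bot: typo in the first added NOTE for grub2: "prepared an uploaded" should read "prepared and uploaded". Since the note says the update is already uploaded, it would also help to state what is still pending for this entry and who takes it, as the heading has no claimant and neither NOTE is signed.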



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4895c1ee2a0d1eb39c80a3bb759aba7e04f8ee79



[Git][security-tracker-team/security-tracker][master] LTS: dispatch FD slots for first half of 2024

2023-10-03 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
19c81084 by Santiago Ruano Rincón at 2023-10-03T12:22:04-03:00
LTS: dispatch FD slots for first half of 2024

- - - - -


1 changed file:

- + org/lts-frontdesk.2024.txt


Changes:

=
org/lts-frontdesk.2024.txt
=
@@ -0,0 +1,53 @@
+From 01-01 to 07-01:Emilio Pozuelo Monfort 
+From 08-01 to 14-01:Markus Koschany 
+From 15-01 to 21-01:Ola Lundqvist 
+From 22-01 to 28-01:Sylvain Beucler 
+From 29-01 to 04-02:Thorsten Alteholz 
+From 05-02 to 11-02:Utkarsh Gupta 
+From 12-02 to 18-02:Chris Lamb 
+From 19-02 to 25-02:Emilio Pozuelo Monfort 
+From 26-02 to 03-03:Markus Koschany 
+From 04-03 to 10-03:Ola Lundqvist 
+From 11-03 to 17-03:Sylvain Beucler 
+From 18-03 to 24-03:Thorsten Alteholz 
+From 25-03 to 31-03:Utkarsh Gupta 
+From 01-04 to 07-04:Chris Lamb 
+From 08-04 to 14-04:Emilio Pozuelo Monfort 
+From 15-04 to 21-04:Markus Koschany 
+From 22-04 to 28-04:Ola Lundqvist 
+From 29-04 to 05-05:Sylvain Beucler 
+From 06-05 to 12-05:Thorsten Alteholz 
+From 13-05 to 19-05:Utkarsh Gupta 
+From 20-05 to 26-05:Chris Lamb 
+From 27-05 to 02-06:Emilio Pozuelo Monfort 
+From 03-06 to 09-06:Markus Koschany 
+From 10-06 to 16-06:Ola Lundqvist 
+From 17-06 to 23-06:Sylvain Beucler 
+From 24-06 to 30-06:Thorsten Alteholz 
+From 01-07 to 07-07:
+From 08-07 to 14-07:
+From 15-07 to 21-07:
+From 22-07 to 28-07:
+From 29-07 to 04-08:
+From 05-08 to 11-08:
+From 12-08 to 18-08:
+From 19-08 to 25-08:
+From 26-08 to 01-09:
+From 02-09 to 08-09:
+From 09-09 to 15-09:
+From 16-09 to 22-09:
+From 23-09 to 29-09:
+From 30-09 to 06-10:
+From 07-10 to 13-10:
+From 14-10 to 20-10:
+From 21-10 to 27-10:
+From 28-10 to 03-11:
+From 04-11 to 10-11:
+From 11-11 to 17-11:
+From 18-11 to 24-11:
+From 25-11 to 01-12:
+From 02-12 to 08-12:
+From 09-12 to 15-12:
+From 16-12 to 22-12:
+From 23-12 to 29-12:
+From 30-12 to 05-01:
\ No newline at end of file
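
Review bot: the new file ends without a trailing newline (see the "\ No newline at end of file" marker after the "From 30-12 to 05-01:" line). Add one, so that later appends and line-based tools do not join or drop the last slot. The slots from 01-07 onward are empty, which matches the commit message; is the last slot, which runs into January of the following year, meant to live in this file?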



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19c810849308b46cb941b4279a977dbca1e27874



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3583-1 for glib2.0

2023-09-25 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48c153a2 by Santiago Ruano Rincón at 2023-09-25T13:04:51-03:00
Reserve DLA-3583-1 for glib2.0

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Sep 2023] DLA-3583-1 glib2.0 - security update
+   {CVE-2023-29499 CVE-2023-32611 CVE-2023-32665}
+   [buster] - glib2.0 2.58.3-2+deb10u5
 [25 Sep 2023] DLA-3582-1 ghostscript - security update
{CVE-2020-21710 CVE-2020-21890}
[buster] - ghostscript 9.27~dfsg-2+deb10u9


=
data/dla-needed.txt
=
@@ -86,14 +86,6 @@ gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230918: DLA coming soon. (bunk)
 --
-glib2.0 (Santiago)
-  NOTE: 20230612: Added by Front-Desk (apo)
-  NOTE: 20230710: WIP (santiago)
-  NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
-  NOTE: 20230807: idem.
-  NOTE: 20230820: asked for review/test.
-  NOTE: 20230925: preparing the upload for today
---
 i2p
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48c153a2ff115cfd3e3cfb0a8c51e6ba34507b90



[Git][security-tracker-team/security-tracker][master] Reclaim again glib2.0. Currently preparing the upload

2023-09-25 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7fa3a2fb by Santiago Ruano Rincón at 2023-09-25T11:26:01-03:00
Reclaim again glib2.0. Currently preparing the upload

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -86,12 +86,13 @@ gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230918: DLA coming soon. (bunk)
 --
-glib2.0
+glib2.0 (Santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
   NOTE: 20230807: idem.
   NOTE: 20230820: asked for review/test.
+  NOTE: 20230925: preparing the upload for today
 --
 i2p
   NOTE: 20230809: Added by Front-Desk (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fa3a2fb2bb27b3e81b199322afeb85819fc1b22



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-09-25 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37a6f50b by Santiago Ruano Rincón at 2023-09-25T09:55:42-03:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,7 +49,7 @@ cinder
 cups (Thorsten Alteholz)
   NOTE: 20230924: Added by Front-Desk (apo)
 --
-docker.io (rouca/santiago)
+docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
   NOTE: 20230424: Is in preparation. (gladk)
@@ -86,7 +86,7 @@ gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230918: DLA coming soon. (bunk)
 --
-glib2.0 (Santiago)
+glib2.0
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
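
Review bot: glib2.0 loses its claimant here although the 20230724 note kept as context says "buster should be ready". For an entry that close to an upload, a semi-automatic unclaim risks someone else restarting the work; suggest pinging the claimant first, or leaving a dated NOTE that points to the existing work.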



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37a6f50bc491dce50b4b06d6997960433e1afc5e



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3574-1 for mutt

2023-09-20 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5da84e95 by Santiago Ruano Rincón at 2023-09-20T11:54:36-03:00
Reserve DLA-3574-1 for mutt

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[20 Sep 2023] DLA-3574-1 mutt - security update
+   {CVE-2023-4874 CVE-2023-4875}
+   [buster] - mutt 1.10.1-2.1+deb10u7
 [19 Sep 2023] DLA-3573-1 frr - security update
{CVE-2022-36440 CVE-2022-40302 CVE-2022-40318 CVE-2022-43681 
CVE-2023-31490 CVE-2023-38802 CVE-2023-41358 CVE-2023-41360 CVE-2023-41361 
CVE-2023-41909}
[buster] - frr 7.5.1-1.1+deb10u1


=
data/dla-needed.txt
=
@@ -117,11 +117,6 @@ linux (Ben Hutchings)
 lldpd
   NOTE: 20230918: Added by Front-Desk (apo)
 --
-mutt (Santiago)
-  NOTE: 20230915: Added by Front-Desk (Santiago)
-  NOTE: 20230915: Added as LTS co-coordinator
-  NOTE: 20230915: lru is willing to prepare patches
---
 nasm
   NOTE: 20230907: Added by Front-Desk (lamby)
   NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5da84e9556e1a27bf30c23bfab35e787e00bdb77



[Git][security-tracker-team/security-tracker][master] Take mutt

2023-09-15 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f6fc2e05 by Santiago Ruano Rincón at 2023-09-15T18:50:36+05:30
Take mutt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,6 +113,11 @@ libreswan
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
+mutt (Santiago)
+  NOTE: 20230915: Added by Front-Desk (Santiago)
+  NOTE: 20230915: Added as LTS co-coordinator
+  NOTE: 20230915: lru is willing to prepare patches
+--
 nasm
   NOTE: 20230907: Added by Front-Desk (lamby)
   NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,
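
Review bot: the new heading claims mutt as "(Santiago)", first name only, while the neighbouring claimed heading uses a full name, "linux (Ben Hutchings)". If anything matches claimants by name, use the same form as the other headings. The third NOTE also says lru is willing to prepare patches; worth stating whether the claim covers the patch work or only the coordination.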



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6fc2e05451d0e80a6dd3450529c07727fe6ccbd



[Git][security-tracker-team/security-tracker][master] Reclaim glib2.0

2023-09-11 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2cc6f904 by Santiago Ruano Rincón at 2023-09-11T16:28:19+05:30
Reclaim glib2.0

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -89,7 +89,7 @@ frr (Markus Koschany)
 gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
 --
-glib2.0
+glib2.0 (Santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cc6f9043dd1d1116cfbdaad89c1bcda8b2f0289



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-09-10 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f2545a8 by Santiago Ruano Rincón at 2023-09-11T10:57:30+05:30
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,7 +25,7 @@ amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
   NOTE: 20230910: still testing package (ta)
 --
-c-ares (Utkarsh)
+c-ares
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this 
one. Will look thoroughly. (utkarsh)
 --
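
Review bot: c-ares is unclaimed, but the 20230826 note left in place still reads as a personal commitment ("Will look thoroughly. (utkarsh)"). Add a dated NOTE recording the unclaim, so the entry does not look as if someone is still working on it.
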
@@ -73,7 +73,7 @@ file (Thorsten Alteholz)
 firmware-nonfree
   NOTE: 20230820: Added by Front-Desk (ta)
 --
-flac (utkarsh)
+flac
   NOTE: 20230827: Added by Front-Desk (utkarsh)
   NOTE: 20230827: incoming DSA
 --
@@ -192,7 +192,7 @@ qt4-x11
   NOTE: 20230822: Re-added for one remaining open CVE (roberto)
   NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, 
fix or remove entry from this file (roberto)
 --
-rails (utkarsh)
+rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f2545a813c7c6a5543d53db242ba749429f1d8a



[Git][security-tracker-team/security-tracker][master] Add buster tryton-server 5.0.4-2+deb10u2 entry in data/CVE/list

2023-08-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fdb067e1 by Santiago Ruano Rincón at 2023-08-29T13:19:11-03:00
Add buster tryton-server 5.0.4-2+deb10u2 entry in data/CVE/list

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -587,6 +587,7 @@ CVE-2023- [tryton-server lack of record validation]
- tryton-server 6.0.34-1
[bookworm] - tryton-server 6.0.29-2+deb12u1
[bullseye] - tryton-server 5.0.33-2+deb11u2
+   [buster] - tryton-server 5.0.4-2+deb10u2
NOTE: https://discuss.tryton.org/t/security-release-for-issue-12428
 CVE-2023-4513 (BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 
3.6.0 to  ...)
- wireshark 4.0.8-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdb067e1a312feac5be29e31047dac80828d1552



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3547-1 for tryton-server

2023-08-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
af604791 by Santiago Ruano Rincón at 2023-08-29T13:05:47-03:00
Reserve DLA-3547-1 for tryton-server

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[29 Aug 2023] DLA-3547-1 tryton-server - security update
+   [buster] - tryton-server 5.0.4-2+deb10u2
 [28 Aug 2023] DLA-3546-1 opendmarc - security update
{CVE-2020-12272}
[buster] - opendmarc 1.3.2-6+deb10u3
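
Review bot: the DLA-3547-1 entry has no {CVE-...} line, unlike DLA-3546-1 directly below it, which lists {CVE-2020-12272}. If that is because the tryton-server issue has no CVE id assigned, say so in the commit message and make sure the buster fixed version 5.0.4-2+deb10u2 is also recorded against the issue in data/CVE/list.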


=
data/dla-needed.txt
=
@@ -242,8 +242,3 @@ trafficserver
   NOTE: 20230826: Ubuntu side and track the fixing commits. I'll update when
   NOTE: 20230826: I have the answer here. (utkarsh)
 --
-tryton-server (santiago)
-  NOTE: 20230826: Added by Front-Desk (utkarsh)
-  NOTE: 20230826: sync with the DSA released. (utkarsh)
-  NOTE: 20230829: Maintainer has prepared the update. I'll do the paperwork 
(santiago)
---



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af604791ed9f4365108011b715aadc5b151f590e



[Git][security-tracker-team/security-tracker][master] Take tryton-server

2023-08-29 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d19b16c by Santiago Ruano Rincón at 2023-08-29T10:04:21-03:00
Take tryton-server

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -242,7 +242,8 @@ trafficserver
   NOTE: 20230826: Ubuntu side and track the fixing commits. I'll update when
   NOTE: 20230826: I have the answer here. (utkarsh)
 --
-tryton-server
+tryton-server (santiago)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: sync with the DSA released. (utkarsh)
+  NOTE: 20230829: Maintainer has prepared the update. I'll do the paperwork 
(santiago)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d19b16cf40631778aa1577e0fb4417ddaf3b940



[Git][security-tracker-team/security-tracker][master] Add note about glib2.0 in dla-needed.txt

2023-08-20 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b515e71b by Santiago Ruano Rincón at 2023-08-20T19:03:31-03:00
Add note about glib2.0 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -65,6 +65,7 @@ glib2.0 (santiago)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
   NOTE: 20230807: idem.
+  NOTE: 20230820: asked for review/test.
 --
 gst-plugins-ugly1.0 (Adrian Bunk)
   NOTE: 20230812: Added by Front-Desk (Beuc)
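
Review bot: the added NOTE "asked for review/test." does not say who was asked or where, and it is unsigned, unlike the 20230710 note. A link to the request would let others follow up, especially as the previous note is just "idem.".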



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b515e71bb17ee5d1659a32c52c126752cb1be9de



[Git][security-tracker-team/security-tracker][master] Triage samba/buster: mark as samba as AD DC related issues

2023-08-17 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0f0e2f40 by Santiago Ruano Rincón at 2023-08-17T12:18:54-03:00
Triage samba/buster: mark as ignored samba as AD DC related issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73539,6 +73539,7 @@ CVE-2022-37968 (Azure Arc-enabled Kubernetes cluster 
Connect Elevation of Privil
 CVE-2022-37967 (Windows Kerberos Elevation of Privilege Vulnerability)
- samba 2:4.17.4+dfsg-1
[bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2022-37967.html
 CVE-2022-37966 (Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability)
- samba 2:4.17.4+dfsg-1
@@ -87526,7 +87527,7 @@ CVE-2022-32747 (A CWE-290: Authentication Bypass by 
Spoofing vulnerability exist
 CVE-2022-32746 (A flaw was found in the Samba AD LDAP server. The AD DC 
database audit ...)
{DSA-5205-1}
- samba 2:4.16.4+dfsg-1 (bug #1016449)
-   [buster] - samba  (Minor issue; affects Samba as AD DC)
+   [buster] - samba  (Minor issue; affects Samba as AD DC; EOLed. 
See DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2022-32746.html
 CVE-2022-32745 (A flaw was found in Samba. Samba AD users can cause the server 
to acce ...)
{DSA-5205-1}
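
Review bot: in the changed [buster] line for CVE-2022-32746 the reason now reads "Minor issue; affects Samba as AD DC; EOLed. See DSA-5015-1", which mixes two justifications. The lines added for CVE-2022-37967 and CVE-2018-14628 use "Domain controller functionality is EOLed, see DSA-5015-1"; using that one wording for all six buster entries touched by this commit would keep the reason unambiguous and make the entries easier to grep.
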
@@ -87536,7 +87537,7 @@ CVE-2022-32745 (A flaw was found in Samba. Samba AD 
users can cause the server t
 CVE-2022-32744 (A flaw was found in Samba. The KDC accepts kpasswd requests 
encrypted  ...)
{DSA-5205-1}
- samba 2:4.16.4+dfsg-1 (bug #1016449)
-   [buster] - samba  (Minor issue; affects Samba as AD DC)
+   [buster] - samba  (Minor issue; affects Samba as AD DC; EOLed. 
See DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2022-32744.html
 CVE-2022-32743 (Samba does not validate the Validated-DNS-Host-Name right for 
the dNSH ...)
[experimental] - samba 2:4.17.0+dfsg-1
@@ -87971,7 +87972,7 @@ CVE-2022-2032 (In Pandora FMS v7.0NG.761 and below, in 
the file manager section,
 CVE-2022-2031 (A flaw was found in Samba. The security vulnerability occurs 
when KDC  ...)
{DSA-5205-1}
- samba 2:4.16.4+dfsg-1 (bug #1016449)
-   [buster] - samba  (Minor issue; affects Samba as AD DC)
+   [buster] - samba  (Minor issue; affects Samba as AD DC; EOLed. 
See DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2022-2031.html
 CVE-2022-2030 (A directory traversal vulnerability caused by specific 
character seque ...)
NOT-FOR-US: Zyxel
@@ -114908,7 +114909,7 @@ CVE-2022-0336 (The Samba AD DC includes checks when 
adding service principals na
[experimental] - samba 2:4.16.0+dfsg-1
- samba 2:4.16.0+dfsg-2 (bug #1004694)
[bullseye] - samba 2:4.13.13+dfsg-1~deb11u3
-   [buster] - samba  (Minor issue; affects Samba as AD DC)
+   [buster] - samba  (Minor issue; affects Samba as AD DC; EOLed. 
See DSA-5015-1)
NOTE: https://www.samba.org/samba/security/CVE-2022-0336.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14950
 CVE-2022-23834
@@ -345258,6 +345259,7 @@ CVE-2018-14628 (An information leak vulnerability was 
discovered in Samba's LDAP
- samba  (bug #1034803)
[bookworm] - samba  (Minor issue, revisit when fixed 
upstream)
[bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
+   [buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13595
 CVE-2018-14627 (The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 
does not h ...)
- wildfly  (bug #752018)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f0e2f40be358bf57ebf2765dfd6cfe335c6fca9



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3533-1 for lxc

2023-08-17 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27d3df15 by Santiago Ruano Rincón at 2023-08-17T06:48:18-03:00
Reserve DLA-3533-1 for lxc

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -40843,7 +40843,6 @@ CVE-2019-25084 (A vulnerability, which was classified 
as problematic, has been f
 CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is installed setuid root, 
and may al ...)
- lxc 1:5.0.2-1
[bullseye] - lxc 1:4.0.6-2+deb11u2
-   [buster] - lxc  (Minor issue, minor information leak)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2157281
NOTE: https://github.com/MaherAzzouzi/CVE-2022-47952
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45
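
Review bot: the [buster] line for CVE-2022-47952 is removed, but no line with the fixed version replaces it; 1:3.1.0+really3.0.3-8+deb10u1 appears only in data/DLA/list. If the tracker derives the buster fixed version from the DLA entry, that is fine; otherwise add a "[buster] - lxc 1:3.1.0+really3.0.3-8+deb10u1" line here, next to the bullseye one.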


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[17 Aug 2023] DLA-3533-1 lxc - security update
+   {CVE-2022-47952}
+   [buster] - lxc 1:3.1.0+really3.0.3-8+deb10u1
 [17 Aug 2023] DLA-3532-1 openssh - security update
{CVE-2023-38408}
[buster] - openssh 1:7.9p1-10+deb10u3


=
data/dla-needed.txt
=
@@ -92,11 +92,6 @@ intel-microcode (utkarsh)
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
-lxc (santiago)
-  NOTE: 20230812: Added by Front-Desk (Beuc)
-  NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/44
-  NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)
---
 mediawiki (Markus Koschany)
   NOTE: 20230810: Added by Front-Desk (Beuc)
   NOTE: 20230810: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27d3df15e73c700bbfa96aad5655b32162685de8



[Git][security-tracker-team/security-tracker][master] Revert "Mark CVE-2017-18641/lxc/jessie as ignored"

2023-08-16 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0c1e17c4 by Santiago Ruano Rincón at 2023-08-16T21:24:13-03:00
Revert Mark CVE-2017-18641/lxc/jessie as ignored

This reverts commit 319b9d38c5ab7f2494ba644ee0284c44e8531487.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -252276,7 +252276,7 @@ CVE-2017-18641 (In LXC 2.0, many template scripts 
download code over cleartext H
[bullseye] - lxc-templates  (Minor issue)
[buster] - lxc-templates  (Minor issue)
- lxc 1:3.0.3-1 (low)
-   [stretch] - lxc  
(https://lists.debian.org/debian-lts/2023/08/msg00019.html)
+   [stretch] - lxc  (Minor issue)
[jessie] - lxc  
(https://lists.debian.org/debian-lts/2020/02/msg00102.html)
NOTE: LXC 3.0.2 split the templates out to separate lxc-templates.
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447
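Review bot: the commit message gives no reason for the revert. The hunk puts "(Minor issue)" back on the [stretch] lxc line in place of the debian-lts 2023/08 link, while the reverted commit's subject names jessie; state in the message body why the earlier change was wrong (for example, that it edited a different release line than its subject says) so the history explains itself.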



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c1e17c413bd868014535dafef1cae63a086dfb5



[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-18641/lxc/jessie as ignored

2023-08-16 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
319b9d38 by Santiago Ruano Rincón at 2023-08-16T17:06:44-03:00
Mark CVE-2017-18641/lxc/jessie as ignored

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -252194,7 +252194,7 @@ CVE-2017-18641 (In LXC 2.0, many template scripts 
download code over cleartext H
[bullseye] - lxc-templates  (Minor issue)
[buster] - lxc-templates  (Minor issue)
- lxc 1:3.0.3-1 (low)
-   [stretch] - lxc  (Minor issue)
+   [stretch] - lxc  
(https://lists.debian.org/debian-lts/2023/08/msg00019.html)
[jessie] - lxc  
(https://lists.debian.org/debian-lts/2020/02/msg00102.html)
NOTE: LXC 3.0.2 split the templates out to separate lxc-templates.
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447
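Review bot: the subject says jessie, but the only changed line is the [stretch] entry for lxc; the [jessie] line is unchanged context and already carries its own debian-lts link (2020/02/msg00102.html). Either move the change to the line the subject names or correct the subject, and confirm that replacing "(Minor issue)" on [stretch] with the 2023/08 list link is intended.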



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/319b9d38c5ab7f2494ba644ee0284c44e8531487



[Git][security-tracker-team/security-tracker][master] Add NOTE with patch upstream about CVE-2022-47952/lxc in data/CVE/list

2023-08-14 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b195688 by Santiago Ruano Rincón at 2023-08-14T11:20:26-03:00
Add NOTE with patch upstream about CVE-2022-47952/lxc in data/CVE/list

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40354,6 +40354,7 @@ CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is 
installed setuid root, and
NOTE: https://github.com/MaherAzzouzi/CVE-2022-47952
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45
NOTE: Different issue than CVE-2018-6556
+NOTE: 
https://github.com/lxc/lxc/commit/80553b5b412365f429aff93cff178e3e952ee6bd
 CVE-2022-47951 (An issue was discovered in OpenStack Cinder before 19.1.2, 
20.x before ...)
{DSA-5338-1 DSA-5337-1 DSA-5336-1 DLA-3302-1 DLA-3301-1 DLA-3300-1}
- nova 2:26.0.0-6 (bug #1029561)
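Review bot: the added NOTE is a bare commit URL, so within the entry it reads like one more reference next to the GitHub and Launchpad links above it. The commit subject calls it the upstream patch; say that on the line itself by labelling it as the fix, and name the upstream release that contains it if known.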



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b1956882745c18ab430414960aee6da2b365dcc



[Git][security-tracker-team/security-tracker][master] Claim lxc in dla-needed.txt

2023-08-13 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1b3c6b2a by Santiago Ruano Rincón at 2023-08-13T11:10:55-03:00
Claim lxc in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -98,7 +98,7 @@ libreoffice (rouca)
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
-lxc
+lxc (santiago)
   NOTE: 20230812: Added by Front-Desk (Beuc)
   NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/44
   NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b3c6b2af5ac5a64c648a5011d08e47d9cd4ecf5



[Git][security-tracker-team/security-tracker][master] Add note to glib2.0 in dla-needed.txt

2023-08-07 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0dae9517 by Santiago Ruano Rincón at 2023-08-07T08:49:45-03:00
Add note to glib2.0 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -61,6 +61,7 @@ glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
+  NOTE: 20230807: idem.
 --
 hdf5 (Markus Koschany)
   NOTE: 20230318: Added by Front-Desk (utkarsh)
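Review bot: "NOTE: 20230807: idem." records no status of its own; it is only readable together with the 20230724 line above it, and that line is itself unclear ("need if it's possible to run same reporter's fuzz test"). Restate the current state in the new note, e.g. that buster is ready and the open item is running the reporter's fuzz test, and sign it like the 20230710 note.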



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0dae951726bca68aac6526cbba56af0671dc2897



[Git][security-tracker-team/security-tracker][master] Take libreoffice in dla-needed.txt

2023-08-06 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52f1eb24 by Santiago Ruano Rincón at 2023-08-06T19:53:54-03:00
Take libreoffice in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -83,7 +83,7 @@ libhtmlcleaner-java (Markus Koschany)
   NOTE: 20230806: 
https://github.com/amplafi/htmlcleaner/issues/13#issuecomment-1597626510
   NOTE: 20230806: Please, check the upper link, whether the patch can be got 
(gladk)
 --
-libreoffice
+libreoffice (santiago)
   NOTE: 20230530: Added by Front-Desk (pochu)
   NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith)
   NOTE: 20230718: CVE-2023-2255.diff fails to build. (abhijith)
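Review bot: the claim changes only the header line, while the notes kept below it still point at abhijith's upload directory and say CVE-2023-2255.diff fails to build. Add a dated NOTE saying whether work continues from those patches or starts over, so the entry describes its current state after the handover.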



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f1eb249789c2a133c792bf2abd8ae3773e419a

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f1eb249789c2a133c792bf2abd8ae3773e419a
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add note to docker.io in dla-needed.txt

2023-08-01 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd50b640 by Santiago Ruano Rincón at 2023-08-01T12:06:57-03:00
Add note to docker.io in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -47,6 +47,7 @@ docker.io
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
   NOTE: 20230424: Is in preparation. (gladk)
   NOTE: 20230706: ask for review testing 
https://lists.debian.org/debian-lts/2023/07/msg00013.html
+  NOTE: 20230801: rouca and santiago testing the swarm overlay network 
(including current buster version)
 --
 dogecoin
   NOTE: 20230619: Added by Front-Desk (Beuc)
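Review bot: the new note names rouca and santiago as testing, but the entry header shown in the hunk context is still "docker.io" with no claimant in parentheses. If one of them owns the update, claim the entry in the same commit; it would also help to say what outcome of the swarm overlay network test unblocks the upload, so the note can be closed out later.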



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd50b64031f49ae65cc95e85947619ba3c25ec4e



[Git][security-tracker-team/security-tracker][master] Fix date on latest glib2.0 note

2023-07-24 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d93e6131 by Santiago Ruano Rincón at 2023-07-24T10:06:56-03:00
Fix date on latest glib2.0 note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -45,7 +45,7 @@ dogecoin
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
-  NOTE: 20230714: buster should be ready. need if it's possible to run same 
reporter's fuzz test
+  NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
 
 --
 grpc (Sylvain Beucler)
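Review bot: the date fix is fine, but the empty line between the note and the "--" separator is still present as context here; the other dla-needed.txt hunks on this page close an entry with "--" directly after its last NOTE. Drop the blank line in this commit as well.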



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d93e61314ace27eaea142035243e2b13fa2b7676



[Git][security-tracker-team/security-tracker][master] glib2.0/buster: add note

2023-07-24 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca73969c by Santiago Ruano Rincón at 2023-07-24T10:03:46-03:00
glib2.0/buster: add note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -45,6 +45,8 @@ dogecoin
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
+  NOTE: 20230714: buster should be ready. need if it's possible to run same 
reporter's fuzz test
+
 --
 grpc (Sylvain Beucler)
   NOTE: 20230614: Added by Front-Desk (opal)
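Review bot: the added note is dated 20230714 while the commit is from 2023-07-24, and the hunk also adds an empty "+" line before the "--" separator. Use the commit date in the NOTE prefix and drop the blank line; "need if it's possible to run" is also missing a verb (need to check if ...), and the note is unsigned, unlike the 20230710 line above it.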



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca73969c798c8c5f3adb2a40bfcfa6222959d13f



[Git][security-tracker-team/security-tracker][master] Add wip note to glib2.0 in dla-needed.txt

2023-07-10 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64f0a2e3 by Santiago Ruano Rincón at 2023-07-10T08:15:01-03:00
Add wip note to glib2.0 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -56,6 +56,7 @@ flatpak
 --
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
+  NOTE: 20230710: WIP (santiago)
 --
 grpc
   NOTE: 20230614: Added by Front-Desk (opal)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64f0a2e34698e0b4cd7b92b840ecc567bbbff1c5



[Git][security-tracker-team/security-tracker][master] Add some info to the glib2.0 CVE-2023-24593 and co notes

2023-07-08 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9138438a by Santiago Ruano Rincón at 2023-07-08T16:13:01-03:00
Add some info to the glib2.0 CVE-2023-24593 and co notes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11538,31 +11538,31 @@ CVE-2023-32665 [GVariant deserialisation does not 
match spec for non-normal data
[bullseye] - glib2.0  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2121
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 
3125 backport)
NOTE: Merge commit for glib-2-74: 
https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf
 (2.74.4)
NOTE: Be careful. Original fix introduces new bugs.
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840 (CVE-2023-32643)
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841 (CVE-2023-32636)
 CVE-2023-32611 [g_variant_byteswap() can take a long time with some non-normal 
inputs]
- glib2.0 2.74.4-1
[bullseye] - glib2.0  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2797
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 
3125 backport)
NOTE: Merge commit for glib-2-74: 
https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf
 (2.74.4)
NOTE: Be careful. Original fix introduces new bugs.
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840 (CVE-2023-32643)
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841 (CVE-2023-32636)
 CVE-2023-29499 [GVariant offset table entry size is not checked in is_normal()]
- glib2.0 2.74.4-1
[bullseye] - glib2.0  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2794
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 
3125 backport)
NOTE: Merge commit for glib-2-74: 
https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf
 (2.74.4)
NOTE: Be careful. Original fix introduces new bugs.
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840 (CVE-2023-32643)
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841 (CVE-2023-32636)
 CVE-2023-29493
RESERVED
 CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to 
execute arbitr ...)
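Review bot: "(2.74, 3125 backport)" is too terse to read without the neighbouring lines; spell it out as the glib-2-74 backport of merge request 3125, in the same style as the "Merge commit for glib-2-74" note that follows it. The CVE ids added to issues 2840 and 2841 are a useful complement to "Original fix introduces new bugs"; since the same three-line edit is repeated in every entry of this hunk, check that all copies stay identical.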
@@ -14106,22 +14106,22 @@ CVE-2023-25180
[bullseye] - glib2.0  (Minor issue)
NOTE: 
https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 
3125 backport)
NOTE: Merge commit for glib-2-74: 
https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf
 (2.74.4)
NOTE: Be careful. Original fix introduces new bugs.
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840 (CVE-2023-32643)
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841 (CVE-2023-32636)
 CVE-2023-24593
RESERVED
- glib2.0 2.74.4-1
[bullseye] - glib2.0  (Minor issue)
NOTE: 
https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126
+   NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 
3125 backport)
NOTE: Merge commit for glib-2-74: 
https://gitlab.gnome.org/GNOME/glib/-/commit/e16fb83755e08a4c2da2b0a8ea0fc2e27b1154bf
 (2.74.4)
NOTE: Be careful. Original fix introduces new bugs.
-   NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
-   NOTE: 

[Git][security-tracker-team/security-tracker][master] Claim glib2.0 in dla-needed.txt

2023-06-24 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6f69b16 by Santiago Ruano Rincón at 2023-06-24T12:49:03-03:00
Claim glib2.0 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,7 +74,7 @@ fusiondirectory (Abhijith PA)
   NOTE: 20221203: Feel free to marke both CVEs as , if they are not 
too serious (gladk).
   NOTE: 20230523: Added upstream commit references to security tracker. 
Patched our version, testing (abhijith)
 --
-glib2.0
+glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
 --
 golang-yaml.v2 (sgmoore)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6f69b16ef6bb97edaf571a9f10e9d7417c760ad



[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DLA-3464-1 for xmltooling

2023-06-21 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f15ffccc by Santiago Ruano Rincón at 2023-06-21T11:21:59-03:00
Reserve DLA-3464-1 for xmltooling

- - - - -
883d5801 by Santiago Ruano Rincón at 2023-06-21T11:22:31-03:00
Merge remote-tracking branch refs/remotes/origin/master

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[21 Jun 2023] DLA-3464-1 xmltooling - security update
+   [buster] - xmltooling 3.0.4-1+deb10u2
 [21 Jun 2023] DLA-3463-1 opensc - security update
{CVE-2019-6502 CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 
CVE-2021-42782 CVE-2023-2977}
[buster] - opensc 0.19.0-1+deb10u2
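Review bot: the new DLA-3464-1 entry has no "{CVE-...}" line between its title and the [buster] version, unlike DLA-3463-1 directly below it. If the xmltooling issue has a CVE id, add it here; if none is assigned yet, plan a follow-up once it is, so the advisory can be linked to the issue it fixes.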


=
data/dla-needed.txt
=
@@ -275,9 +275,3 @@ webkit2gtk (Emilio)
   NOTE: 20230606: one issue remaining (cmake), but call for testing sent out 
already:
   NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html 
(pochu)
 --
-xmltooling (Santiago)
-  NOTE: 20230613: Added by Santiago
-  NOTE: 20230613: According to dsa-needed, maintainers will prepare updates.
-  NOTE: 20230613: Will ask if willing to prepare update for buster too. 
(Santiago)
-  NOTE: 20230614: https://lists.debian.org/debian-lts/2023/06/msg00042.html
---



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5836a12703cbc44bb3ac28f0484b00018e012016...883d58018312975f5eae4f13cb5ce0625c1bc428



[Git][security-tracker-team/security-tracker][master] Add xmltooling to dla-needed

2023-06-13 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8219ad3b by Santiago Ruano Rincón at 2023-06-13T22:12:23-03:00
Add xmltooling to dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -200,3 +200,8 @@ webkit2gtk (Emilio)
   NOTE: 20230606: one issue remaining (cmake), but call for testing sent out 
already:
   NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html 
(pochu)
 --
+xmltooling (Santiago)
+  NOTE: 20230613: Added by Santiago
+  NOTE: 20230613: According to dsa-needed, maintainers will prepare updates.
+  NOTE: 20230613: Will ask if wiling to prepare update for buster too.
+--
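Review bot: typo in the last added note, "wiling" should be "willing". The sentence also does not say who will be asked; from the line above it is presumably the maintainers, so name them, and sign the note the way the webkit2gtk notes in the context end with "(pochu)".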



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8219ad3bc0c3291eb7d233530c6baf8298ff28b5
