[Git][security-tracker-team/security-tracker][master] Add note on upstream fix recommendations for CVE-2023-29483
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: af4e408e by Scott Kitterman at 2024-02-17T10:21:36-05:00 Add note on upstream fix recommendations for CVE-2023-29483 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49448,6 +49448,8 @@ CVE-2023-29483 NOTE: https://www.dnspython.org/news/2.6.0rc1/ NOTE: https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3 (v2.6.0rc1) NOTE: https://github.com/rthalley/dnspython/commit/e093299a49967696b1c58b68e4767de5031a3e46 (v2.6.0) +NOTE: Upstream recommends not backporting fix: +NOTE: https://github.com/rthalley/dnspython/issues/1051#issuecomment-1949383928 CVE-2023-29482 RESERVED CVE-2023-29481 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af4e408e140b203f29782946d53b361ed25d3e74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af4e408e140b203f29782946d53b361ed25d3e74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
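Review bot: the two added NOTE lines record upstream's recommendation against backporting but only as a bare link; the entry still shows no per-suite status line for bookworm or bullseye in this hunk, so a reader cannot tell whether that recommendation translates into a no-backport decision for the stable suites. Suggest summarising the reason in the NOTE text itself ("NOTE: Upstream recommends not backporting fix: <one-line reason>") and pairing it with the corresponding [bookworm]/[bullseye] status lines so the decision lives in the tracked state, not only in a reference.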
[Git][security-tracker-team/security-tracker][master] Add dnspython fixed version for CVE-2023-29483
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: 2809a963 by Scott Kitterman at 2024-02-16T16:00:59-05:00 Add dnspython fixed version for CVE-2023-29483 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49427,7 +49427,7 @@ CVE-2023-29484 (In Terminalfour before 8.3.16, misconfigured LDAP users are able CVE-2023-29483 RESERVED [experimental] - dnspython 2.6.0~rc1-1 - - dnspython + - dnspython 2.6.0-1 NOTE: https://www.dnspython.org/news/2.6.0rc1/ NOTE: https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3 (v2.6.0rc1) NOTE: https://github.com/rthalley/dnspython/commit/5a441b9854425c4e23abb8f91973361fe8401e33 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2809a96321a608bdd275cc2518e67e5fc3072dce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2809a96321a608bdd275cc2518e67e5fc3072dce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
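Review bot: the third NOTE reference, commit 5a441b9854425c4e23abb8f91973361fe8401e33, carries no release tag, while the f66e25b5f549acf66d1fb6ead13eb3cff7d09af3 line is marked "(v2.6.0rc1)". Now that the sid fixed version is recorded as 2.6.0-1, state which release that commit landed in (or why it is listed alongside the rc1 commit) so the two fixed versions, 2.6.0~rc1-1 in experimental and 2.6.0-1 in sid, can each be traced to the upstream change they contain.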
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-36464 fixed version for pypdf2
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d7ede70 by Scott Kitterman at 2024-01-19T17:28:48-05:00 Add CVE-2023-36464 fixed version for pypdf2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33244,7 +33244,7 @@ CVE-2023-3327 CVE-2023-36464 (pypdf is an open source, pure-python PDF library. In affected versions ...) - pypdf 3.17.4-1 (bug #1040338) [bookworm] - pypdf (Minor issue) - - pypdf2 (bug #1040339) + - pypdf2 2.12.1-4 (bug #1040339) [bookworm] - pypdf2 (Minor issue) [bullseye] - pypdf2 (Vulnerable code not present) [buster] - pypdf2 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7ede700b6d1af081b414c391c9afe136cd3a3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7ede700b6d1af081b414c391c9afe136cd3a3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
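Review bot: the sid line gains the fixed version 2.12.1-4, but the [bookworm] pypdf2 line is left at "(Minor issue)" with no version and no indication of whether a deb12u update is planned. Since the same CVE got a bookworm fixed version for pypdf (3.4.1-1+deb12u1 in the earlier commit on this list), the pypdf2 bookworm line should either record the planned backport version or state explicitly that it is being deferred, so the two packages for one CVE do not end up with inconsistent stable status.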
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-36464 fixed version for pypdf in Bookworm
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: b16f1ece by Scott Kitterman at 2024-01-15T17:44:58-05:00 Add CVE-2023-36464 fixed version for pypdf in Bookworm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32179,7 +32179,7 @@ CVE-2023-3327 REJECTED CVE-2023-36464 (pypdf is an open source, pure-python PDF library. In affected versions ...) - pypdf 3.17.4-1 (bug #1040338) - [bookworm] - pypdf (Minor issue) + [bookworm] - pypdf 3.4.1-1+deb12u1 (Minor issue) - pypdf2 (bug #1040339) [bookworm] - pypdf2 (Minor issue) [bullseye] - pypdf2 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b16f1ece79a7c16b3747a2f253bf26367edd22f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b16f1ece79a7c16b3747a2f253bf26367edd22f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
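Review bot: the new bookworm version 3.4.1-1+deb12u1 implies a stable update, but nothing in the hunk says which channel it went through (point release versus DSA), and the "(Minor issue)" comment is kept verbatim next to a fixed version. Suggest adding a NOTE with the stable-announce or point-release reference, as was done for the postfix entry for CVE-2023-51764, so the fix path is verifiable from the entry itself.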
[Git][security-tracker-team/security-tracker][master] Add pypdf fixed version for CVE-2023-36464
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: bfc0e1c1 by Scott Kitterman at 2024-01-14T19:10:27-05:00 Add pypdf fixed version for CVE-2023-36464 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32018,7 +32018,7 @@ CVE-2023-3330 (Improper Limitation of a Pathname to a Restricted Directory vulne CVE-2023-3327 REJECTED CVE-2023-36464 (pypdf is an open source, pure-python PDF library. In affected versions ...) - - pypdf (bug #1040338) + - pypdf 3.17.4-1 (bug #1040338) [bookworm] - pypdf (Minor issue) - pypdf2 (bug #1040339) [bookworm] - pypdf2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfc0e1c1775b0b97a44ce7387f4a11b2807436db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfc0e1c1775b0b97a44ce7387f4a11b2807436db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
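Review bot: the hunk closes the sid entry at 3.17.4-1 but leaves "[bookworm] - pypdf (Minor issue)" and "- pypdf2 (bug #1040339)" unresolved with no stated plan. The tracker cannot close the bookworm line by version comparison against a 3.17.x upload, so this line needs an explicit decision (backport version, or a no-dsa style tag with the reason) rather than the bare "Minor issue" comment; the same goes for the pypdf2 source package, which is still listed without any fixed version.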
[Git][security-tracker-team/security-tracker][master] Add link to SUA for CVE-2023-51764
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: be34ee43 by Scott Kitterman at 2024-01-02T16:15:41-05:00 Add link to SUA for CVE-2023-51764 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1126,6 +1126,7 @@ CVE-2023-51764 (Postfix through 3.8.4 allows SMTP smuggling unless configured wi NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 NOTE: https://www.postfix.org/smtp-smuggling.html NOTE: https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html +NOTE: https://lists.debian.org/debian-stable-announce/2023/12/msg4.html NOTE: Short-term Mitigation: smtpd_forbid_unauth_pipelining = yes NOTE: Long-term fix with new (optional) feature that is disabled by default: NOTE: New setting: smtpd_forbid_bare_newline = yes View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be34ee430715ab10efdabc8ff3cd3ee47383f672 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be34ee430715ab10efdabc8ff3cd3ee47383f672 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
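Review bot: the added debian-stable-announce link is inserted as a bare URL among the upstream analysis references (openwall, postfix.org, mail-archive), so nothing distinguishes it as the Debian stable update for the 3.7.9-0+deb12u1 fix. Prefix it with what it is, e.g. "NOTE: bookworm fix announced in https://lists.debian.org/debian-stable-announce/2023/12/msg4.html", and consider placing it next to the bookworm status line rather than before the mitigation notes, which describe configuration (smtpd_forbid_unauth_pipelining, smtpd_forbid_bare_newline) rather than a Debian upload.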
[Git][security-tracker-team/security-tracker][master] Add stable fixed version for CVE-2023-51764
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: bc8c3df8 by Scott Kitterman at 2023-12-27T18:34:09+00:00 Add stable fixed version for CVE 2023-51764 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -300,7 +300,7 @@ CVE-2023-51765 (sendmail through at least 8.14.7 allows SMTP smuggling in certai NOTE: https://www.openwall.com/lists/oss-security/2023/12/26/5 CVE-2023-51764 (Postfix through 3.8.4 allows SMTP smuggling unless configured with smt ...) - postfix 3.8.4-1 (bug #1059230) - [bookworm] - postfix (Minor issue; mitigations exist) + [bookworm] - postfix 3.7.9-0+deb12u1 (Minor issue; mitigations exist) [bullseye] - postfix (Minor issue; mitigations exist) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8c3df8fb13e63cc20a1f984c07e0f0cd9d7fb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8c3df8fb13e63cc20a1f984c07e0f0cd9d7fb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
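Review bot: the bookworm line now carries 3.7.9-0+deb12u1, but the comment "(Minor issue; mitigations exist)" is kept on a line that is now fixed, and the bullseye line is left at the same comment with no version. Since the mitigation is an opt-in setting (smtpd_forbid_unauth_pipelining = yes, per the NOTE block on this entry), record on the bullseye line whether the same backport is planned for it or whether it is intentionally left at mitigation-only, and add the announcement reference for the bookworm upload so the +deb12u1 version is traceable.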
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2021-34825 in quassel: 1:0.14.0-1
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: 76014054 by Scott Kitterman at 2022-01-13T00:07:53-05:00 Add fixed version for CVE-2021-34825 in quassel: 1:0.14.0-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35062,7 +35062,7 @@ CVE-2021-3606 (OpenVPN before version 2.5.3 on Windows allows local users to loa CVE-2021-34826 RESERVED CVE-2021-34825 (Quassel through 0.13.1, when --require-ssl is enabled, launches withou ...) - - quassel (bug #990567) + - quassel 1:0.14.0-1 (bug #990567) [bullseye] - quassel (Minor issue) [buster] - quassel (Minor issue) [stretch] - quassel (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76014054258a1e4f1843214d5a68195418ed0038 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76014054258a1e4f1843214d5a68195418ed0038 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
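Review bot: the fixed version 1:0.14.0-1 correctly carries the epoch, which matters because the tracker's version comparison against the 0.13.x packages in bullseye, buster and stretch would otherwise mark them wrongly. What the hunk lacks is documentation: the three suite lines stay at "(Minor issue)" with no NOTE pointing at the upstream change for the --require-ssl behaviour described in the CVE text, so anyone preparing a suite update has to rediscover the fix from the 0.14.0 release. Add a NOTE with the upstream commit or release reference.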
[Git][security-tracker-team/security-tracker][master] Add jessie status for CVE-2020-6816
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: bdadfef5 by Scott Kitterman at 2020-03-21T01:09:34-04:00 Add jessie status for CVE-2020-6816 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3018,6 +3018,7 @@ CVE-2020-6816 [mutation XSS vulnerability again] {DSA-4643-1} - python-bleach 3.1.3-1 (bug #954236) [stretch] - python-bleach (Requires invasive changes to address issue) + [jessie] - python-bleach (Requires invasive change to address issue) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 NOTE: https://github.com/mozilla/bleach/commit/175f67740e7951e1d80cefb7831e6c3e4efeb986 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdadfef555d404a6f6b04ab290523efdf60a9581 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdadfef555d404a6f6b04ab290523efdf60a9581 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
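Review bot: the new jessie line reads "(Requires invasive change to address issue)" while the stretch line directly above it reads "(Requires invasive changes to address issue)"; use identical wording on both so that grep-based tooling and readers see one consistent reason. The reason itself also deserves a short NOTE about what makes the change invasive, given that the sid fix is a single upstream commit (175f67740e7951e1d80cefb7831e6c3e4efeb986) referenced on the same entry.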
[Git][security-tracker-team/security-tracker][master] Add fixed version for pyyaml, CVE-2020-1747
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: 547cb423 by Scott Kitterman at 2020-03-06T22:08:44-05:00 Add fixed version for pyyaml, CVE-2020-1747 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20819,7 +20819,7 @@ CVE-2020-1748 RESERVED CVE-2020-1747 [arbitrary command execution through python/object/new when FullLoader is used] RESERVED - - pyyaml (bug #953013) + - pyyaml 5.3-2 (bug #953013) [buster] - pyyaml (Loader/Constructor classes are unsafe in this version) [stretch] - pyyaml (Loader/Constructor classes are unsafe in this version) [jessie] - pyyaml (Loader/Constructor classes are unsafe in this version) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/547cb423032a8c8b8071b8946613526636108f0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/547cb423032a8c8b8071b8946613526636108f0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
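Review bot: the suite comments "(Loader/Constructor classes are unsafe in this version)" explain why buster, stretch and jessie are not getting the 5.3-2 fix, but they do not say the one thing the CVE description hinges on: whether FullLoader exists in those versions at all. State it directly, for example "(FullLoader not present; Loader/Constructor are unsafe by design, use safe_load)", so the lines read as a not-affected rationale rather than an admission that the shipped loaders are unsafe with no guidance.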
[Git][security-tracker-team/security-tracker][master] Fix space/tab issue in last commit
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: e1248cc1 by Scott Kitterman at 2020-02-23T08:42:13-05:00 Fix space/tab issue in last commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44,8 +44,8 @@ CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - Set NOT-FOR-US: fauzantrif eLection CVE-2020- [mutation XSS vulnerability] - python-bleach 3.1.1-1 (bug #951907) -[stretch] - python-bleach (Vulnerable code introduced later) -[jessie] - python-bleach (Vulnerable code introduced later) + [stretch] - python-bleach (Vulnerable code introduced later) + [jessie] - python-bleach (Vulnerable code introduced later) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r CVE-2020-9335 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1248cc15da576f0b6b41d524d7aac497f7091b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1248cc15da576f0b6b41d524d7aac497f7091b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
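Review bot: a whitespace-only correction to the [stretch]/[jessie] lines added in the previous commit; the fix is right, but this class of error (suite lines not indented like the rest of the entry) is exactly what a pre-push syntax check on data/CVE/list catches, so it is worth running the repository's own consistency check before pushing rather than relying on a follow-up commit.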
[Git][security-tracker-team/security-tracker][master] Update python-bleach TEMP-0951907-7D0FFB (#951907) to indicate jessie/stretch not affected
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: b2007687 by Scott Kitterman at 2020-02-23T08:22:05-05:00 Update python-bleach TEMP-0951907-7D0FFB (#951907) to indicate jessie/stretch not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44,6 +44,8 @@ CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - Set NOT-FOR-US: fauzantrif eLection CVE-2020- [mutation XSS vulnerability] - python-bleach 3.1.1-1 (bug #951907) +[stretch] - python-bleach (Vulnerable code introduced later) +[jessie] - python-bleach (Vulnerable code introduced later) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r CVE-2020-9335 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2007687dcd7a17c62cfb47af81b08e99add8f08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2007687dcd7a17c62cfb47af81b08e99add8f08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
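Review bot: the two added [stretch]/[jessie] lines are not indented like the existing "- python-bleach 3.1.1-1 (bug #951907)" line above them, which the follow-up commit "Fix space/tab issue in last commit" had to correct; add the leading whitespace in the same commit. Separately, the entry still has an incomplete identifier ("CVE-2020-") and only a temporary TEMP-0951907-7D0FFB reference in the subject, so a NOTE recording that the CVE assignment is pending would help readers who land on this entry before the id is filled in.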
[Git][security-tracker-team/security-tracker][master] Add note for CVE-2020-3123 pointing to upstream announcement
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: 10c52b8a by Scott Kitterman at 2020-02-09T01:21:14-05:00 Add note for CVE-2020-3123 pointing to upstream announcement - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13594,6 +13594,7 @@ CVE-2020-3123 (A vulnerability in the Data-Loss-Prevention (DLP) module in Clam - clamav (bug #950944) [buster] - clamav (ClamAV is updated via -updates) [stretch] - clamav (ClamAV is updated via -updates) + NOTE: https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html CVE-2020-3122 RESERVED CVE-2020-3121 (A vulnerability in the web-based management interface of Cisco Small B ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10c52b8ae632cbd7226c4e8b6ed256ce5a5828aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10c52b8ae632cbd7226c4e8b6ed256ce5a5828aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
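Review bot: the added NOTE links the upstream 0.102.2 security patch release, but the buster and stretch lines still say only "(ClamAV is updated via -updates)" without the version those suites will receive. Once the -updates upload for 0.102.2 exists, put the version on those suite lines so the entry can close by version comparison; until then, the NOTE should state the target upstream version (0.102.2) rather than leaving it implied by the URL.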