[Git][security-tracker-team/security-tracker][master] Unclaim packages; inactive from hereon..
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: e474b912 by Utkarsh Gupta at 2024-06-10T14:35:30+05:30 Unclaim packages; inactive from hereon.. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,12 +31,12 @@ ansible NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee) -- -atril (utkarsh) +atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) - NOTE: 20240603: have an update proposed, waiting on some feedback for lts-coordinator. (utkarsh) + NOTE: 20240610: somebody should take it from here^. (utkarsh) -- bind9 NOTE: 20240518: Added by Front-Desk (utkarsh) @@ -55,12 +55,12 @@ cyrus-imapd dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- -dlt-daemon (utkarsh) +dlt-daemon NOTE: 20240519: Added by Front-Desk (utkarsh) NOTE: 20240519: 1 buffer-overflow, 1 memory leak, and 2 crashes. I think we NOTE: 20240519: can postpone these but I am in split mind. Will take it myself NOTE: 20240519: and decide further. (utkarsh) - NOTE: 20240603: have an update proposed, waiting on some feedback for lts-coordinator. (utkarsh) + NOTE: 20240610: somebody should take it from here. (utkarsh) -- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) 
@@ -296,10 +296,9 @@ ring roundcube (guilhem) NOTE: 20240524: Added by Front-Desk (lamby) -- -ruby2.5 (utkarsh) +ruby2.5 NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) - NOTE: 20240528: have working patches ready, will need extensive testing. (utkarsh) -- runc (dleidert) NOTE: 20240312: Added by coordinator (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e474b9121403e51ce46c6d0de4e88a839e4c701f -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e474b9121403e51ce46c6d0de4e88a839e4c701f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
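Review bot: in the atril hunk, the caret in the new line "NOTE: 20240610: somebody should take it from here^. (utkarsh)" points at the 20240603 note that the same hunk deletes, so once this lands the pointer has no target and the entry no longer records that a proposed update exists. Keep the "have an update proposed, waiting on some feedback for lts-coordinator" line, or replace the caret with a sentence saying where the proposed update is; the surviving 20240319 note only covers the earlier build at https://people.debian.org/~utkarsh/lts/atril/.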
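Review bot: the dlt-daemon hunk removes the only line saying an update has been proposed, and the notes that remain ("Will take it myself and decide further") now describe a pending decision on a package that is being unclaimed. Either keep the 20240603 note or write down what was decided for the buffer overflow, the memory leak and the two crashes, so the next claimant does not redo the triage.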
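Review bot: the ruby2.5 hunk deletes "have working patches ready, will need extensive testing" without replacing it with the location of those patches, so the entry falls back to "Follow DSA-5677-1" and the work done so far is invisible to whoever claims it next. Keep the note and add where the patches can be fetched, as the atril entry does with its people.debian.org URL.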
[Git][security-tracker-team/security-tracker][master] add notes for packages
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d33779db by Utkarsh Gupta at 2024-06-03T19:52:04+05:30 add notes for packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,11 +31,12 @@ ansible NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee) -- -atril +atril (utkarsh) NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) + NOTE: 20240603: have an update proposed, waiting on some feedback for lts-coordinator. (utkarsh) -- bind9 NOTE: 20240518: Added by Front-Desk (utkarsh) 
@@ -55,7 +56,8 @@ dlt-daemon (utkarsh) NOTE: 20240519: Added by Front-Desk (utkarsh) NOTE: 20240519: 1 buffer-overflow, 1 memory leak, and 2 crashes. I think we NOTE: 20240519: can postpone these but I am in split mind. Will take it myself - NOTE: 20240519: and decide further. (utkarsh) + NOTE: 20240519: and decide further. (utkarsh) + NOTE: 20240603: have an update proposed, waiting on some feedback for lts-coordinator. (utkarsh) -- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d33779dbdef08fcfb02b21d961364498e027a796
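Review bot: the new atril note "have an update proposed, waiting on some feedback for lts-coordinator" does not say where the proposed update is or what feedback is needed; the entry's only pointer is the 20240319 link to https://people.debian.org/~utkarsh/lts/atril/, so add the location (or state that the link was refreshed) and the open question, otherwise the coordinator has to ask. Also "feedback for lts-coordinator" reads as if it should be "feedback from lts-coordinator".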
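Review bot: in the dlt-daemon hunk the line "NOTE: 20240519: and decide further. (utkarsh)" is removed and re-added with identical visible content, which is a whitespace-only change (trailing or leading spaces); drop that pair so the diff contains only the added 20240603 note, and check the file for other stray whitespace before committing.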
[Git][security-tracker-team/security-tracker][master] Take ruby2.5
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b3c5d8c by Utkarsh Gupta at 2024-05-29T07:11:32+05:30 Take ruby2.5 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -257,9 +257,10 @@ ring roundcube (guilhem) NOTE: 20240524: Added by Front-Desk (lamby) -- -ruby2.5 +ruby2.5 (utkarsh) NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) + NOTE: 20240628: have working patches ready, will need extensive testing. (utkarsh) -- runc (dleidert) NOTE: 20240312: Added by coordinator (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b3c5d8c6cd853bb897daf0f09938a61432b0886
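Review bot: the added note is dated 20240628 but the commit is from 2024-05-29, so the date is a month in the future; it should be 20240528 or 20240529. The dates in dla-needed.txt are what the team uses to judge how long an entry has been waiting, so a wrong one misrepresents the state of the package.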
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-50967/jose as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 33bcd586 by Utkarsh Gupta at 2024-05-20T06:50:50+05:30 Mark CVE-2023-50967/jose as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20761,6 +20761,7 @@ CVE-2023-51444 (GeoServer is an open source software server written in Java that NOT-FOR-US: GeoServer CVE-2023-50967 (latchset jose through version 11 allows attackers to cause a denial of ...) - jose 13-1 (bug #1067457) + [buster] - jose (DoS via a large p2c value but still appears minor; similar to CVE-2023-50966) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md NOTE: https://github.com/latchset/jose/issues/151 NOTE: Fixed by: https://github.com/latchset/jose/commit/4ee7708bf6dbfaa712749f081eec1f0d122fa001 (v13) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33bcd58601e7a09f4416e53323dcb3e8288bc56a
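Review bot: the commit message says postponed, but the rendered line "[buster] - jose (DoS via a large p2c value but still appears minor; similar to CVE-2023-50966)" shows no status tag between the package name and the reason; in data/CVE/list that state is written with a `<postponed>` tag in that position. If the mail rendering dropped the angle-bracketed tag this is fine, otherwise the line needs the tag. The same check applies to every "[buster] - ..." line in the other "Mark ... as postponed" and "not-affected" commits in this digest, none of which shows a tag.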
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-1681/python-flask-cors as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: bbf92348 by Utkarsh Gupta at 2024-05-20T06:47:22+05:30 Mark CVE-2024-1681/python-flask-cors as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10544,6 +10544,7 @@ CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmi NOT-FOR-US: Electrolink CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...) - python-flask-cors 4.0.1-1 (bug #1069764) + [buster] - python-flask-cors (Minor issue) NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644 NOTE: https://github.com/corydolphin/flask-cors/issues/349 NOTE: Fixed by: https://github.com/corydolphin/flask-cors/commit/6172c2000dba965fedb8e9a8a916ad56f0fb2630 (4.0.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbf923486b263cba6220df573f9819fafea83d47
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-34462/sogo as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a0e3a0b by Utkarsh Gupta at 2024-05-20T06:42:58+05:30 Mark CVE-2024-34462/sogo as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5222,6 +5222,7 @@ CVE-2024-34467 (ThinkPHP 8.0.3 allows remote attackers to discover the PHPSESSIO NOT-FOR-US: ThinkPHP CVE-2024-34462 (Alinto SOGo through 5.10.0 allows XSS during attachment preview.) - sogo (bug #1071163) + [buster] - sogo (Minor issue) NOTE: https://github.com/Alinto/sogo/commit/2e37e59ed140d4aee0ff2fba579ca5f83f2c5920 CVE-2023-52729 (TCPServer.cpp in SimpleNetwork through 29bc615 has an off-by-one error ...) NOT-FOR-US: SimpleNetwork View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a0e3a0b0525f2ba6829e40fad6571b11a20f583
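Review bot: the reason "(Minor issue)" for an XSS in attachment preview gives no basis, and the unstable line "- sogo (bug #1071163)" carries no fixed version, so nothing is fixed anywhere yet; add a short reason (for instance whether the affected preview code is present in buster's version, and whether the linked upstream commit 2e37e59e applies to it) so the postponement can be re-evaluated once a fix lands in unstable.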
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-49606/tinyproxy as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d1f33e10 by Utkarsh Gupta at 2024-05-20T06:41:57+05:30 Mark CVE-2023-49606/tinyproxy as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7518,6 +7518,7 @@ CVE-2023-7241 (Privilege Escalationin WRSA.EXE in Webroot Antivirus 8.0.1X- 9.0. NOT-FOR-US: Webroot Antivirus CVE-2023-49606 (A use-after-free vulnerability exists in the HTTP Connection Headers p ...) - tinyproxy 1.11.1-4 (bug #1070395) + [buster] - tinyproxy (Not exploitable easily for RCE; but fix with next update) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889 NOTE: https://github.com/tinyproxy/tinyproxy/issues/533 NOTE: https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1f33e10b8bc8824a71fa6b23ebd6e18c0c1a742
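Review bot: the reason "Not exploitable easily for RCE; but fix with next update" leaves the accepted risk implicit: the description is a use-after-free in HTTP Connection header parsing, so a crash triggered by a client request is the residual exposure even if code execution is hard. State that a remote DoS is accepted until the next DLA, so the rationale reads correctly on the tracker page; the upstream fix commit 12a84842 is already linked, so it can be queued for that update now.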
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-485{3,4,5}/wireshark as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 335bf071 by Utkarsh Gupta at 2024-05-20T06:35:15+05:30 Mark CVE-2024-485{3,4,5}/wireshark as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2904,18 +2904,21 @@ CVE-2024-4764 (Multiple WebRTC threads could have claimed a newly connected audi NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764 CVE-2024-4855 (Use after free issue in editcap could cause denial of service via craf ...) - wireshark 4.2.5-1 + [buster] - wireshark (can be piggyback'd with the next update) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-09.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784 CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4. ...) - wireshark 4.2.5-1 + [buster] - wireshark (can be piggyback'd with the next update) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726 NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047 NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service via cra ...) - wireshark 4.2.5-1 + [buster] - wireshark (can be piggyback'd with the next update) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a toolse ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/335bf071ad6d8da730a99877f13b04c6fe451452
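Review bot: the same reason "can be piggyback'd with the next update" is repeated for all three wireshark entries, but they differ in exposure: CVE-2024-4855 and CVE-2024-4853 are in editcap, a command-line tool that has to be run on a crafted file, while CVE-2024-4854 is a MONGO and ZigBee TLV dissector infinite loop, which is hit by whatever Wireshark dissects. Batching is fine, but the CVE-2024-4854 reason should say it is the one reachable through normal dissection, and the description "Wireshark 4.2.0 to 4. ..." should be checked against buster's version before it is confirmed as affected.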
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-3817/*go-getter as not-affected for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 32c1aa9e by Utkarsh Gupta at 2024-05-20T03:12:53+05:30 Mark CVE-2024-3817/*go-getter as not-affected for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10989,6 +10989,7 @@ CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a NOT-FOR-US: Jenkins plugin CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...) - golang-github-hashicorp-go-getter + [buster] - golang-github-hashicorp-go-getter (Vulnerable code not present) NOTE: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 CVE-2024- (The Essential Addons for Elementor plugin for WordPress is vulnerable ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32c1aa9e41ec061d3420f0ac21425ddffccb72a2
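Review bot: the not-affected reason "Vulnerable code not present" cites nothing; the entry's only NOTE is the HashiCorp advisory, whose title says the argument injection is in fetching remote default git branches. Add a NOTE naming the upstream version or commit that introduced that code path and the buster source version that was checked, so the claim can be re-verified later. The commit message also abbreviates the package as "*go-getter" while the hunk edits golang-github-hashicorp-go-getter; use the full source package name in the message so the history is searchable.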
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-50966/erlang-jose as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 600066d0 by Utkarsh Gupta at 2024-05-20T02:51:06+05:30 Mark CVE-2023-50966/erlang-jose as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21254,6 +21254,7 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c NOTE: Introduced by: https://github.com/python/cpython/commit/e9b51c0ad81da1da11ae65840ac8b50a8521373c (v3.8.0b1) CVE-2023-50966 (erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow atta ...) - erlang-jose (bug #1067456) + [buster] - erlang-jose (DoS via a large p2c value but still appears minor) NOTE: https://github.com/potatosalad/erlang-jose/issues/156 NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/erlang-jose.md CVE-2023-4426 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/600066d0e4a00aa7fab3ce3b0f8ca5d8ff9f6054
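Review bot: the reason "(DoS via a large p2c value but still appears minor)" records a judgement without its basis, and the same wording is reused for CVE-2023-50967 in jose. Add one NOTE saying why an attacker-chosen PBES2 iteration count ("p2c" in a JWE header) is considered minor here, for example which buster reverse dependencies, if any, decrypt JWEs from untrusted parties, so the two postponements can be reassessed together. The unstable line "- erlang-jose (bug #1067456)" also carries no fixed version, so no fix is recorded anywhere yet.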
[Git][security-tracker-team/security-tracker][master] Add dlt-daemon to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d971782f by Utkarsh Gupta at 2024-05-20T02:24:17+05:30 Add dlt-daemon to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,12 @@ cacti dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- +dlt-daemon (utkarsh) + NOTE: 20240519: Added by Front-Desk (utkarsh) + NOTE: 20240519: 1 buffer-overflow, 1 memory leak, and 2 crashes. I think we + NOTE: 20240519: can postpone these but I am in split mind. Will take it myself + NOTE: 20240519: and decide further. (utkarsh) +-- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240325: Automatically unassigned (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d971782f9d76400cba15158bd828dee383a85f42
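Review bot: the triage note counts "1 buffer-overflow, 1 memory leak, and 2 crashes" but names none of the CVEs, so the next reader has to redo the mapping from the tracker; list the IDs, and say which one is the buffer overflow, since that is the issue that decides between fixing now and postponing. Claiming the package in the same commit that adds it is fine, but the note should then say when a decision is expected.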
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-31755/cjson as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 269925bb by Utkarsh Gupta at 2024-05-20T01:58:36+05:30 Mark CVE-2024-31755/cjson as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9408,6 +9408,7 @@ CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer r NOT-FOR-US: inducer relate CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...) - cjson + [buster] - cjson (Sefault only; can be piggy-backed with future DLAs) NOTE: https://github.com/DaveGamble/cJSON/issues/839 NOTE: https://github.com/DaveGamble/cJSON/pull/840 NOTE: https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/269925bbd9a960d798bb2e13a15e436ab75f2d71
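Review bot: typo in the reason string: "Sefault only" should be "Segfault only"; the text is shown verbatim on the tracker's package page. The unstable line "- cjson" has no fixed version although the upstream fix commit 7e4d5dab is linked; if that commit is part of a cJSON release, record the version there, and if not, a NOTE saying so avoids the next triager rechecking.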
[Git][security-tracker-team/security-tracker][master] Add cacti to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 0dfb0744 by Utkarsh Gupta at 2024-05-20T01:55:47+05:30 Add cacti to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,6 +46,13 @@ bind9 bluez NOTE: 20240510: Added by Front-Desk (ta) -- +cacti + NOTE: 20240519: Added by Front-Desk (utkarsh) + NOTE: 20240519: whilst most of them are moderate severity SQL injections + NOTE: 20240519: issues, but there's also XML and RCE with higher severity. + NOTE: 20240519: I'd have postponed them but let's fix it before buster + NOTE: 20240519: goes EOL. (utkarsh) +-- dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0dfb0744fb030243479ec9253cc04619f6e0b5fd
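Review bot: the note says "there's also XML and RCE with higher severity" without naming the CVEs or saying which issue class "XML" refers to; list the IDs, at least for the RCE and the XML issue, so the severity claim can be checked against the tracker entries and the claimant knows which ones cannot be postponed. Wording: "whilst most of them are ... but there's also" doubles the conjunction; drop "but".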
[Git][security-tracker-team/security-tracker][master] Add git to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 93723124 by Utkarsh Gupta at 2024-05-20T01:51:27+05:30 Add git to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -95,6 +95,11 @@ freeimage ghostscript (Markus Koschany) NOTE: 20240510: Added by Front-Desk (ta) -- +git + NOTE: 20240519: Added by Front-Desk (utkarsh) + NOTE: 20240519: there are other no-dsa/postponed issues as well, please batch + NOTE: 20240519: them, too. Newer ones are RCE and have high severity. (utkarsh) +-- glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93723124ae24ff8718311b9b26498138796c9b40
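Review bot: "Newer ones are RCE and have high severity" does not say which CVEs, and "there are other no-dsa/postponed issues as well, please batch them, too" leaves the claimant to rediscover the list; name the RCE CVEs at least, since they set the priority for the update, and say whether the postponed ones have patches that apply to buster's git.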
[Git][security-tracker-team/security-tracker][master] 2 commits: Add bind9 to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 321fcf3e by Utkarsh Gupta at 2024-05-18T02:54:14+05:30 Add bind9 to dla-needed - - - - - 2c982078 by Utkarsh Gupta at 2024-05-18T02:55:05+05:30 Add libreoffice to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,6 +40,9 @@ atril NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) -- +bind9 + NOTE: 20240518: Added by Front-Desk (utkarsh) +-- bluez NOTE: 20240510: Added by Front-Desk (ta) -- @@ -120,6 +123,9 @@ less (Abhijith PA) libmojolicious-perl NOTE: 20240421: Added by Front-Desk (apo) -- +libreoffice + NOTE: 20240518: Added by Front-Desk (utkarsh) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4c9cdf7a3c54093da6322afc1ac9ed54f4bac6f9...2c982078f0709196bd2c8446596f988e7961fad3
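Review bot: the bind9 hunk adds the package with only "Added by Front-Desk" and no CVE ids, although bind9 was already on the list earlier this year (the "NOTE: 20240218: Added by Front-Desk (lamby)" entry visible in commit d470e376 later in this digest); a note saying which new CVEs triggered the re-addition, and whether the February issues were released in between, would save the claimant a trip through the tracker. The libreoffice hunk has the same gap.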
[Git][security-tracker-team/security-tracker][master] 6 commits: Mark CVE-2024-29857/bc as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a632f0c by Utkarsh Gupta at 2024-05-18T02:08:17+05:30 Mark CVE-2024-29857/bc as postponed for buster - - - - - 8f8971df by Utkarsh Gupta at 2024-05-18T02:08:19+05:30 Mark CVE-2024-30172/bc as postponed for buster - - - - - 1bbb0496 by Utkarsh Gupta at 2024-05-18T02:08:21+05:30 Mark CVE-2024-34447/bc as postponed for buster - - - - - 9d900a5e by Utkarsh Gupta at 2024-05-18T02:08:23+05:30 Mark CVE-2024-372/golang-github-opencontainers-go-digest as postponed for buster - - - - - e5ad0e1e by Utkarsh Gupta at 2024-05-18T02:08:24+05:30 Mark CVE-2024-4068/node-braces as postponed for buster - - - - - 28b62822 by Utkarsh Gupta at 2024-05-18T02:08:26+05:30 Mark CVE-2024-4067/node-micromatch as postponed for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2051,11 +2051,13 @@ CVE-2024-4068 (The NPM package `braces` fails to limit the number of characters - node-braces [bookworm] - node-braces (Minor issue) [bullseye] - node-braces (Minor issue) + [buster] - node-braces (Minor issue) NOTE: https://github.com/micromatch/braces/issues/35 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular Expression Denia ...) - node-micromatch [bookworm] - node-micromatch (Minor issue) [bullseye] - node-micromatch (Minor issue) + [buster] - node-micromatch (Minor issue) NOTE: https://github.com/micromatch/micromatch/issues/243 NOTE: https://github.com/micromatch/micromatch/pull/247 CVE-2024-3462 (Ant Media Server Community Edition in a default configuration is vulne ...) 
@@ -2745,6 +2747,7 @@ CVE-2024-3727 (A flaw was found in the github.com/containers/image library. This - golang-github-opencontainers-go-digest (bug #1070858) [bookworm] - golang-github-opencontainers-go-digest (Minor issue) [bullseye] - golang-github-opencontainers-go-digest (Minor issue) + [buster] - golang-github-opencontainers-go-digest (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274767 CVE-2024-3722 (The Swift Performance Lite plugin for WordPress is vulnerable to unaut ...) NOT-FOR-US: WordPress plugin @@ -4099,12 +4102,14 @@ CVE-2024-29857 (An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy - bouncycastle (bug #1070655) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) + [buster] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/issues/1635 NOTE: https://www.bouncycastle.org/latest_releases.html CVE-2024-30172 (An issue was discovered in Bouncy Castle Java Cryptography APIs before ...) - bouncycastle (bug #1070655) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) + [buster] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/issues/1599 NOTE: https://www.bouncycastle.org/latest_releases.html NOTE: https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49 (r1rv78v1) 
@@ -4437,6 +4442,7 @@ CVE-2024-34447 (An issue was discovered in Bouncy Castle Java Cryptography APIs - bouncycastle (bug #1070655) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) + [buster] - bouncycastle (Minor issue) NOTE: https://www.bouncycastle.org/latest_releases.html CVE-2024-34446 (Mullvad VPN through 2024.1 on Android does not set a DNS server in the ...) NOT-FOR-US: Mullvad VPN View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/297d11c339e2aa0a4bc925604dd879bd678c9eb6...28b62822162b37fc54c35154ab2105093463bad6
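Review bot: the fourth commit message reads "Mark CVE-2024-372/golang-github-opencontainers-go-digest as postponed for buster", but the hunk it belongs to is under CVE-2024-3727; the ID in the message is truncated and should read CVE-2024-3727 so the history stays searchable by CVE.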
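Review bot: the three commit messages for CVE-2024-29857, CVE-2024-30172 and CVE-2024-34447 abbreviate the package as "bc", but the hunks edit bouncycastle, and bc is itself a separate Debian source package (the GNU calculator); use the real source package name in the messages to avoid misleading anyone searching the log for bc.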
[Git][security-tracker-team/security-tracker][master] Take ruby*
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ab9cd65 by Utkarsh Gupta at 2024-05-05T23:09:52+05:30 Take ruby* - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -254,7 +254,7 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby2.5 +ruby2.5 (utkarsh) NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ab9cd6593088407ed03cf350c3f2b4afc009183
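Review bot: the commit title "Take ruby*" suggests several ruby entries were claimed, but the hunk only adds "(utkarsh)" to ruby2.5; either other ruby entries were missed in this commit or the title should name ruby2.5.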
[Git][security-tracker-team/security-tracker][master] Take zabbix and atril
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d470e376 by Utkarsh Gupta at 2024-03-19T03:34:43+05:30 Take zabbix and atril - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,9 +30,11 @@ ansible NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- -atril +atril (utkarsh) NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. + NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ + NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) -- bind9 NOTE: 20240218: Added by Front-Desk (lamby) @@ -296,6 +298,6 @@ wordpress NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- -zabbix +zabbix (utkarsh) NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d470e3761391258b8000d605d6fd9f625c75638d
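Review bot: the atril hunk adds "package ready" and "needs testing as the backport was a bit sensitive" but does not answer the open 20240121 question (disable the comic feature, or switch to libarchive), so a tester cannot tell which approach the package at https://people.debian.org/~utkarsh/lts/atril/ takes or what "sensitive" refers to; record the choice and the part of the backport that needs the careful testing.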
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3766-1 for zfs-linux
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2775fe02 by Utkarsh Gupta at 2024-03-19T02:30:51+05:30 Reserve DLA-3766-1 for zfs-linux - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Mar 2024] DLA-3766-1 zfs-linux - security update + {CVE-2013-20001 CVE-2023-49298} + [buster] - zfs-linux 0.7.12-2+deb10u3 [18 Mar 2024] DLA-3765-1 cacti - security update {CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362 CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515 CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086 CVE-2023-49088} [buster] - cacti 1.2.2+ds1-2+deb10u6 = data/dla-needed.txt = @@ -299,10 +299,3 @@ wordpress zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- -zfs-linux (utkarsh) - NOTE: 20231127: Added by Front-Desk (Beuc) - NOTE: 20240108: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) - NOTE: 20240209: I was out last to last week so couldn't process this but it's nearly ready. (utkarsh) - NOTE: 20240318: upload ready at https://people.debian.org/~utkarsh/lts/zfs-linux/. (utkarsh) - NOTE: 20240318: TODO: one last smoke test before upload. (utkarsh) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2775fe024763e7a5c2ecd7154edf9fbfb3e27f54 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2775fe024763e7a5c2ecd7154edf9fbfb3e27f54 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
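Review bot: the dla-needed.txt hunk removes an entry whose last note (20240318) was `TODO: one last smoke test before upload`; the DLA/list entry one day later implies the upload went ahead, so confirm the smoke test was actually done before the reservation is published. The new entry `[19 Mar 2024] DLA-3766-1 zfs-linux - security update` with `{CVE-2013-20001 CVE-2023-49298}` and `[buster] - zfs-linux 0.7.12-2+deb10u3` follows the format of the cacti entry below it; the CVE set should match the buster cross-references in CVE/list, which this hunk does not show.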
[Git][security-tracker-team/security-tracker][master] Take zfs-linux
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 6059d5b7 by Utkarsh Gupta at 2024-03-18T04:00:09+05:30 Take zfs-linux - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -316,8 +316,10 @@ wordpress zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- -zfs-linux +zfs-linux (utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240108: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) NOTE: 20240209: I was out last to last week so couldn't process this but it's nearly ready. (utkarsh) + NOTE: 20240318: upload ready at https://people.debian.org/~utkarsh/lts/zfs-linux/. (utkarsh) + NOTE: 20240318: TODO: one last smoke test before upload. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6059d5b700ff540658eb34f9ea36bfe8b7b02bb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6059d5b700ff540658eb34f9ea36bfe8b7b02bb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Add and claim libgit2 in dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: c1cb5d7a by Utkarsh Gupta at 2024-02-12T18:17:25+05:30 Add and claim libgit2 in dla-needed - - - - - 8ff24ba1 by Utkarsh Gupta at 2024-02-12T18:23:47+05:30 Mark CVE-2024-21490/angular.js as postponed for buster - - - - - 86f93413 by Utkarsh Gupta at 2024-02-12T18:25:45+05:30 Mark CVE-2024-25711/diffoscope as no-dsa for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -151,6 +151,7 @@ CVE-2024-21624 (nonebot2 is a cross-platform Python asynchronous chatbot framewo TODO: check CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A regular exp ...) - angular.js + [buster] - angular.js (Fix along with the next DLA) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113 CVE-2024-1406 (A vulnerability was found in Linksys WRT54GL 4.30.18. It has been decl ...) NOT-FOR-US: Linksys @@ -176,6 +177,7 @@ CVE-2023-45696 (Sametime is impacted by sensitive fields with autocomplete enabl NOT-FOR-US: HCL / Sametime application CVE-2024-25711 (diffoscope before 256 allows directory traversal via an embedded filen ...) - diffoscope 256 + [buster] - diffoscope (Minor issue; fix it along the next DLA) NOTE: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361 NOTE: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476 (256) CVE-2024-25679 (In PQUIC before 5bde5bb, retention of unused initial encryption keys a ...) = data/dla-needed.txt = 
@@ -126,6 +126,10 @@ jenkins-htmlunit-core-js knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- +libgit2 (utkarsh) + NOTE: 20240212: Added by Front-Desk (utkarsh) + NOTE: 20240212: taking with my maintainer hat on (utkarsh) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/386fab4b6169694777d815bbe08a7880c3ab7745...86f93413de91470181035a616bf6bd60112e1d8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/386fab4b6169694777d815bbe08a7880c3ab7745...86f93413de91470181035a616bf6bd60112e1d8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
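Review bot: the reason text for diffoscope, `Minor issue; fix it along the next DLA`, describes a postponed fix, yet the commit message says no-dsa, while angular.js with the same plan is described as postponed; pick one status and align the reason wording between the two (`Fix along with the next DLA`). In both CVE/list hunks the visible `[buster]` lines carry no status tag between the package name and the parenthesised reason; angle-bracketed tags are easily lost when a diff is rendered, so verify the committed lines carry the intended tag. The libgit2 hunk is fine: added and claimed in one commit with a dated NOTE explaining why.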
[Git][security-tracker-team/security-tracker][master] 6 commits: Mark CVE-2024-1062/389-ds-base as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ae7abee by Utkarsh Gupta at 2024-02-12T18:13:37+05:30 Mark CVE-2024-1062/389-ds-base as no-dsa for buster - - - - - 63f7f54d by Utkarsh Gupta at 2024-02-12T18:14:03+05:30 Mark CVE-2024-25062/libxml2 as no-dsa for buster - - - - - 9c07d9b1 by Utkarsh Gupta at 2024-02-12T18:14:31+05:30 Mark CVE-2021-4435/node-yarnpkg as no-dsa for buster - - - - - 385365ef by Utkarsh Gupta at 2024-02-12T18:15:04+05:30 Mark CVE-2024-23334/python-aiohttp as no-dsa for buster - - - - - e62809b1 by Utkarsh Gupta at 2024-02-12T18:15:24+05:30 Mark CVE-2024-23829/python-aiohttp as no-dsa for buster - - - - - 386fab4b by Utkarsh Gupta at 2024-02-12T18:15:45+05:30 Mark CVE-2024-22667/vim as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1350,6 +1350,7 @@ CVE-2024-22667 (Vim before 9.0.2142 has a stack-based buffer overflow because di - vim 2:9.0.2189-1 [bookworm] - vim (Minor issue) [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) NOTE: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47 (v9.0.2142) NOTE: https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt CVE-2024-22386 (A race condition was found in the Linux kernel's drm/exynos device dri ...) @@ -1399,6 +1400,7 @@ CVE-2024-25062 (An issue was discovered in libxml2 before 2.11.7 and 2.12.x befo - libxml2 (bug #1063234) [bookworm] - libxml2 (Minor issue) [bullseye] - libxml2 (Minor issue) + [buster] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7 (v2.11.7) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970884fcc13305cb8e23cdc5f0dd7667c2c (v2.12.5) 
@@ -2174,6 +2176,7 @@ CVE-2024-1062 [a heap overflow leading to denail-of-servce while writing a value - 389-ds-base [bookworm] - 389-ds-base (Minor issue) [bullseye] - 389-ds-base (Minor issue) + [buster] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2261879 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256711 NOTE: https://github.com/389ds/389-ds-base/issues/5647 @@ -2339,6 +2342,7 @@ CVE-2024-23829 (aiohttp is an asynchronous HTTP client/server framework for asyn - python-aiohttp (bug #1062708) [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) + [buster] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2 NOTE: https://github.com/aio-libs/aiohttp/pull/8074 NOTE: https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827 (master) @@ -2347,6 +2351,7 @@ CVE-2024-23334 (aiohttp is an asynchronous HTTP client/server framework for asyn - python-aiohttp (bug #1062709) [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) + [buster] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f NOTE: https://github.com/aio-libs/aiohttp/pull/8079 NOTE: https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b (master) 
@@ -4423,6 +4428,7 @@ CVE-2023-48339 (In jpg driver, there is a possible missing permission check. Thi CVE-2021-4435 (An untrusted search path vulnerability was found in Yarn. When a victi ...) - node-yarnpkg 1.22.19+~cs24.27.18-1 [bullseye] - node-yarnpkg (Minor issue) + [buster] - node-yarnpkg (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2262284 NOTE: Fixed by: https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 (v1.22.12) TODO: check, too few details in RHBZ#2262284 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8be3d2ae6c4b537410f882a74537b85d4de3bd56...386fab4b6169694777d815bbe08a7880c3ab7745 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8be3d2ae6c4b537410f882a74537b85d4de3bd56...386fab4b6169694777d815bbe08a7880c3ab7745 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
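Review bot: the node-yarnpkg hunk marks CVE-2021-4435 as a minor issue for buster while the entry still carries `TODO: check, too few details in RHBZ#2262284`; resolve the TODO, or say in the reason why the triage holds regardless, before adding a release-specific decision. Across the vim, libxml2, 389-ds-base, python-aiohttp and node-yarnpkg hunks the added `[buster]` lines show no status tag ahead of `(Minor issue)`, just like the bookworm and bullseye context lines; confirm the tag is present in the file and was only dropped by the rendering.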
[Git][security-tracker-team/security-tracker][master] add zabbix to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 8be3d2ae by Utkarsh Gupta at 2024-02-12T18:12:44+05:30 add zabbix to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -280,6 +280,9 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- +zabbix + NOTE: 20240212: Added by Front-Desk (utkarsh) +-- zfs-linux (utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8be3d2ae6c4b537410f882a74537b85d4de3bd56 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8be3d2ae6c4b537410f882a74537b85d4de3bd56 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Re-claim zfs-linux
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 61078537 by Utkarsh Gupta at 2024-02-09T20:16:43+05:30 Re-claim zfs-linux - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -273,7 +273,8 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -zfs-linux +zfs-linux (utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) + NOTE: 20240209: I was out last to last week so couldn't process this but it's nearly ready. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61078537e9df6b1b9cedb1b69a281a42559e66a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61078537e9df6b1b9cedb1b69a281a42559e66a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
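Review bot: the added note dated 20240209 follows a context line dated 20240801, which cannot be right for a commit made in February 2024 and breaks the chronological reading of the entry; fix the earlier date while re-claiming (the later history of this entry on this page reads 20240108).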
[Git][security-tracker-team/security-tracker][master] Add composer and openvswitch to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 921a0538 by Utkarsh Gupta at 2024-02-09T20:01:44+05:30 Add composer and openvswitch to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,6 +51,9 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +composer + NOTE: 20240209: Added by Front-Desk (utkarsh) +-- curl (rouca) NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) @@ -170,6 +173,9 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- +openvswitch + NOTE: 20240209: Added by Front-Desk (utkarsh) +-- putty (santiago) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/921a0538d7d597bbe9507945e4011acaac2dc8df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/921a0538d7d597bbe9507945e4011acaac2dc8df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-2426{5,6,7}/gpac as end-of-life for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 0dc42cee by Utkarsh Gupta at 2024-02-09T19:58:24+05:30 Mark CVE-2024-2426{5,6,7}/gpac as end-of-life for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -939,13 +939,16 @@ CVE-2024-24396 (Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft CVE-2024-24267 (gpac v2.2.1 was discovered to contain a memory leak via the gfio_blob ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md CVE-2024-24266 (gpac v2.2.1 was discovered to contain a Use-After-Free (UAF) vulnerabi ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md CVE-2024-24265 (gpac v2.2.1 was discovered to contain a memory leak via the dst_props ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md CVE-2024-24263 (Lotos WebServer v0.1.1 was discovered to contain a Use-After-Free (UAF ...) NOT-FOR-US: Lotos WebServer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0dc42ceeb1d057a50084fed97cf6cd5f9a75eb13 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0dc42ceeb1d057a50084fed97cf6cd5f9a75eb13 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
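Review bot: CVE-2024-24266 gets the buster line but, unlike CVE-2024-24267 and CVE-2024-24265, has no `[bullseye] - gpac (Minor issue)` line in the context; either the bullseye triage for the use-after-free is missing or it was deliberately left open, and the commit should say which. The three added lines read `[buster] - gpac (EOL in buster LTS)` with no status tag visible before the reason; check that the end-of-life tag survived in the file.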
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2024-24815/ckeditor3 as end-of-life for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 26aecaa5 by Utkarsh Gupta at 2024-02-09T19:47:09+05:30 Mark CVE-2024-24815/ckeditor3 as end-of-life for buster - - - - - f079697f by Utkarsh Gupta at 2024-02-09T19:47:33+05:30 Mark CVE-2024-24816/ckeditor3 as end-of-life for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -295,11 +295,13 @@ CVE-2024-24822 (Pimcore's Admin Classic Bundle provides a backend user interface CVE-2024-24816 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor - ckeditor3 + [buster] - ckeditor3 (No longer supported in LTS) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 NOTE: https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb CVE-2024-24815 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor - ckeditor3 + [buster] - ckeditor3 (No longer supported in LTS) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm NOTE: https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb CVE-2024-24812 (Frappe is a full-stack web application framework that uses Python and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c333b87de1ef9112ecdaf08effcdfad9ff527057...f079697fecf613b065add6eec8fe6b7ea4b920a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c333b87de1ef9112ecdaf08effcdfad9ff527057...f079697fecf613b065add6eec8fe6b7ea4b920a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
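Review bot: the reason text `No longer supported in LTS` differs from the `EOL in buster LTS` wording used for the other end-of-life markings on this list; pick one phrase so the entries can be searched consistently. As in the other hunks, no status tag is visible on the added `[buster] - ckeditor3` lines; verify it in the committed file.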
[Git][security-tracker-team/security-tracker][master] Add notes for zfs-linux
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 31f56196 by Utkarsh Gupta at 2024-01-09T01:54:05+05:30 Add notes for zfs-linux - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -270,6 +270,7 @@ wireshark (Adrian Bunk) zabbix (tobi) NOTE: 20231015: Added by Front-Desk (ta) -- -zfs-linux +zfs-linux (Utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) + NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31f561967aab7f2956b6ce7687851f547b5373e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31f561967aab7f2956b6ce7687851f547b5373e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
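Review bot: the added NOTE is dated 20240801, which lies after the commit date 2024-01-09; the intended date is presumably 20240108 (month and day transposed), and the later versions of this entry on this page do read 20240108. The claim `zfs-linux (Utkarsh)` is capitalised while every other claim in the file uses the lowercase handle `(utkarsh)`, so anyone grepping for the handle will miss it. Also, `the fix for other CVE` does not say which CVE; name it.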
[Git][security-tracker-team/security-tracker][master] Drop haproxy from dla-needed; CVE-2023-45539 is already fixed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fc25128 by Utkarsh Gupta at 2023-12-29T18:52:29+05:30 Drop haproxy from dla-needed; CVE-2023-45539 is already fixed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,9 +88,6 @@ golang-go.crypto h2o NOTE: 20231228: Added by Front-Desk (lamby) -- -haproxy (tobi) - NOTE: 20231217: Added by Front-Desk (utkarsh) --- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc25128a9e4084cc2337d7de2e1d0440bc3d160 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc25128a9e4084cc2337d7de2e1d0440bc3d160 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
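Review bot: the commit drops an entry claimed by someone else (`haproxy (tobi)`) on the grounds that CVE-2023-45539 is already fixed, but nothing in the hunk records where it was fixed; cite the DLA or the buster version in the commit message, and confirm the claimant agreed to the removal.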
[Git][security-tracker-team/security-tracker][master] Take zfs-linux
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 430bc6e3 by Utkarsh Gupta at 2023-12-17T20:56:15+05:30 Take zfs-linux - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -240,6 +240,6 @@ wireshark (Adrian Bunk) zabbix NOTE: 20231015: Added by Front-Desk (ta) -- -zfs-linux +zfs-linux (utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/430bc6e3abf827dc6797bda997597a685d3b3910 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/430bc6e3abf827dc6797bda997597a685d3b3910 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 7 commits: Mark slurm-llnl CVEs as end-of-life for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: c32ef381 by Utkarsh Gupta at 2023-12-17T20:17:47+05:30 Mark slurm-llnl CVEs as end-of-life for buster - - - - - e2ab2d4d by Utkarsh Gupta at 2023-12-17T20:20:22+05:30 Mark TEMP-000-7CC552/tor as end-of-life for buster - - - - - e03912f0 by Utkarsh Gupta at 2023-12-17T20:21:38+05:30 Mark CVE-2023-4934{2-6}/budgie-extras as no-dsa for buster - - - - - 35f694a8 by Utkarsh Gupta at 2023-12-17T20:22:16+05:30 Mark CVE-2023-5616/gnome-control-center as no-dsa for buster - - - - - c59096a3 by Utkarsh Gupta at 2023-12-17T20:22:49+05:30 Mark CVE-2023-50495/ncurses as no-dsa for buster - - - - - ef7bfb59 by Utkarsh Gupta at 2023-12-17T20:23:12+05:30 Mark CVE-2023-46750/shiro as no-dsa for buster - - - - - 7600ad6e by Utkarsh Gupta at 2023-12-17T20:26:36+05:30 Mark CVE-2023-489{45-52}/virtuoso-opensource as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -810,6 +810,7 @@ CVE-2023-46750 (URL Redirection to Untrusted Site ('Open Redirect') vulnerabilit - shiro [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) + [buster] - shiro (Minor issue) NOTE: https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9 CVE-2023-46348 (SQL njection vulnerability in SunnyToo sturls before version 1.1.13, a ...) NOT-FOR-US: PrestaShop module @@ -895,6 +896,7 @@ CVE-2023-49346 (Temporary data passed between application components by Budgie E - budgie-extras 1.7.1-1 [bookworm] - budgie-extras (Minor issue) [bullseye] - budgie-extras (Minor issue) + [buster] - budgie-extras (Minor issue) NOTE: https://bugs.launchpad.net/bugs/2044373 NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1 NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/0092025ef25b48c287a75946c0ee797d3c142760 (v1.7.1) 
@@ -902,6 +904,7 @@ CVE-2023-49345 (Temporary data passed between application components by Budgie E - budgie-extras 1.7.1-1 [bookworm] - budgie-extras (Minor issue) [bullseye] - budgie-extras (Minor issue) + [buster] - budgie-extras (Minor issue) NOTE: https://bugs.launchpad.net/bugs/2044373 NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1 NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/588cbe6ffa72df904213d77728a3fd5bfae7195e (v1.7.1) @@ -909,6 +912,7 @@ CVE-2023-49344 (Temporary data passed between application components by Budgie E - budgie-extras 1.7.1-1 [bookworm] - budgie-extras (Minor issue) [bullseye] - budgie-extras (Minor issue) + [buster] - budgie-extras (Minor issue) NOTE: https://bugs.launchpad.net/bugs/2044373 NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1 NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/11b02011ad2f6d46485b292713af09f7314843a5 (v1.7.1) @@ -916,6 +920,7 @@ CVE-2023-49343 (Temporary data passed between application components by Budgie E - budgie-extras 1.7.1-1 [bookworm] - budgie-extras (Minor issue) [bullseye] - budgie-extras (Minor issue) + [buster] - budgie-extras (Minor issue) NOTE: https://bugs.launchpad.net/bugs/2044373 NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1 NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/e75c94af249191bdbd33eebf7a62d4234a0d8be5 (v1.7.1) @@ -923,6 +928,7 @@ CVE-2023-49342 (Temporary data passed between application components by Budgie E - budgie-extras 1.7.1-1 [bookworm] - budgie-extras (Minor issue) [bullseye] - budgie-extras (Minor issue) + [buster] - budgie-extras (Minor issue) NOTE: https://bugs.launchpad.net/bugs/2044373 NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1 NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/d03083732569126d2f21c8810d5a69554ccc5900 (v1.7.1) 
@@ -1039,18 +1045,22 @@ CVE-2023-49934 (An issue was discovered in SchedMD Slurm 23.11.x. There is SQL I CVE-2023-49933 (An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x ...) - slurm-wlm (bug #1058720) - slurm-llnl + [buster] - slurm-llnl (EOL in buster LTS) NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html CVE-2023-49937 (An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x ...) - slurm-wlm (bug #1058720) - slurm-llnl + [buster] - slurm-llnl (EOL in buster LTS) NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html CVE-2023-49936 (An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x ...) - slurm-wlm (bug #1058720) -
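Review bot: the visible diff ends mid-hunk after `CVE-2023-49936 ... - slurm-wlm (bug #1058720)`, and none of the tor (TEMP-000-7CC552), gnome-control-center, ncurses or virtuoso-opensource hunks announced by the seven commit messages appear here, so those changes cannot be reviewed from this message. In the shiro and five budgie-extras hunks the added `[buster]` lines show no status tag before `(Minor issue)`, and the slurm-llnl lines none before `(EOL in buster LTS)`; confirm the tags in the file.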
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-4999{0-5}/espeak-ng as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: ef521425 by Utkarsh Gupta at 2023-12-17T19:27:32+05:30 Mark CVE-2023-4999{0-5}/espeak-ng as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1467,26 +1467,31 @@ CVE-2023-49994 (Espeak-ng 1.52-dev was discovered to contain a Floating Point Ex - espeak-ng [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) + [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1823 CVE-2023-49993 (Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the ...) - espeak-ng [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) + [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1826 CVE-2023-49992 (Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow v ...) - espeak-ng [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) + [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1827 CVE-2023-49991 (Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow ...) - espeak-ng [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) + [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1825 CVE-2023-49990 (Espeak-ng 1.52-dev was discovered to contain a buffer-overflow via the ...) - espeak-ng [bookworm] - espeak-ng (Minor issue) [bullseye] - espeak-ng (Minor issue) + [buster] - espeak-ng (Minor issue) NOTE: https://github.com/espeak-ng/espeak-ng/issues/1824 CVE-2023-49874 (Mattermost fails to check whether a user is a guest when updating the ...) - mattermost-server (bug #823556) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef5214257c5013c0150c6070d3c92c6ccdb3ae21 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef5214257c5013c0150c6070d3c92c6ccdb3ae21 You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-39804/tar as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 53c35547 by Utkarsh Gupta at 2023-12-17T19:23:23+05:30 Mark CVE-2023-39804/tar as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1733,6 +1733,7 @@ CVE-2023-39804 [Incorrectly handled extension attributes in PAX archives can lea - tar 1.34+dfsg-1.3 (bug #1058079) [bookworm] - tar (Minor issue) [bullseye] - tar (Minor issue) + [buster] - tar (Minor issue) NOTE: Fixed by: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 (v1.35) CVE-2023-6679 (A null pointer dereference vulnerability was found in dpll_pin_parent_ ...) - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53c35547f38eb8c4ed5e64cfc6892aea2959a8a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53c35547f38eb8c4ed5e64cfc6892aea2959a8a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2023-50781/m2crypto as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 80784869 by Utkarsh Gupta at 2023-12-17T19:11:18+05:30 Mark CVE-2023-50781/m2crypto as no-dsa for buster - - - - - 0984517a by Utkarsh Gupta at 2023-12-17T19:12:38+05:30 Mark CVE-2023-50782/python-cryptography as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1020,12 +1020,14 @@ CVE-2023-31546 (Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allow NOT-FOR-US: DedeBIZ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659] - python-cryptography + [buster] - python-cryptography (Minor issue; it's an incomplete fix of CVE-2020-25659) NOTE: https://github.com/pyca/cryptography/issues/9785 NOTE: https://people.redhat.com/~hkario/marvin/ NOTE: https://github.com/openssl/openssl/pull/13817 NOTE: CVE is for incomplete fix of CVE-2020-25659 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - incomplete fix for CVE-2020-25657] - m2crypto + [buster] - m2crypto (Minor issue; it's an incomplete fix of CVE-2020-25657) NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342 NOTE: https://people.redhat.com/~hkario/marvin/ NOTE: https://github.com/openssl/openssl/pull/13817 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6ddd928fb898804ab7bd2397eca2ba0450f1b020...0984517a81a03ab3c8e02802b7ff172805778e6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6ddd928fb898804ab7bd2397eca2ba0450f1b020...0984517a81a03ab3c8e02802b7ff172805778e6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
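Review bot: the reason text `Minor issue; it's an incomplete fix of CVE-2020-25659` (and the m2crypto counterpart for CVE-2020-25657) repeats the existing NOTE instead of saying why a Bleichenbacher timing oracle against RSA decryption is minor for buster; state the actual rationale, for example that it is the same class of side channel already accepted for the earlier CVE, if that is the case. The visible lines again show no status tag before the reason; check it in the file.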
[Git][security-tracker-team/security-tracker][master] Add libreoffice and haproxy to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ddd928f by Utkarsh Gupta at 2023-12-17T19:09:42+05:30 Add libreoffice and haproxy to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,6 +75,9 @@ dogecoin frr NOTE: 20231119: Added by Front-Desk (apo) -- +haproxy + NOTE: 20231217: Added by Front-Desk (utkarsh) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 @@ -91,6 +94,9 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- +libreoffice + NOTE: 20231217: Added by Front-Desk (utkarsh) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ddd928fb898804ab7bd2397eca2ba0450f1b020 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ddd928fb898804ab7bd2397eca2ba0450f1b020 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
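Review bot: both new entries (haproxy in the first hunk, libreoffice in the second) carry only "Added by Front-Desk (utkarsh)" with no CVE IDs or DSA reference, unlike the neighbouring i2p entry that points at a tracking issue; add a NOTE naming the issues each package was added for, so whoever claims it knows the scope without re-triaging.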
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3605-1 for grub2
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 16492221 by Utkarsh Gupta at 2023-10-06T03:12:18+05:30 Reserve DLA-3605-1 for grub2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Oct 2023] DLA-3605-1 grub2 - security update + {CVE-2023-4692 CVE-2023-4693} + [buster] - grub2 2.06-3~deb10u4 [05 Oct 2023] DLA-3604-1 qemu - security update {CVE-2020-24165 CVE-2023-0330 CVE-2023-3180} [buster] - qemu 1:3.1+dfsg-8+deb10u11 = data/dla-needed.txt = @@ -70,10 +70,6 @@ freerdp2 (tobi) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) -- -grub2 (utkarsh) - NOTE: 20231003: Maintainer prepared an uploaded the update - NOTE: 20231003: https://lists.debian.org/debian-lts-changes/2023/10/msg5.html --- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16492221ead98a5cc29e689c85a7b6aa3845e23c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16492221ead98a5cc29e689c85a7b6aa3845e23c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
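Review bot: this reservation touches only DLA/list and dla-needed.txt; unlike the DLA-3600-1 commit for postgresql-11 there is no CVE/list hunk, so check that CVE-2023-4692 and CVE-2023-4693 carry no stale [buster] no-dsa or postponed tag that would now contradict the DLA-3605-1 entry. The removed dla-needed lines pointed at the maintainer's upload mail; carrying that URL into the DLA text keeps the provenance of the 2.06-3~deb10u4 upload visible.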
[Git][security-tracker-team/security-tracker][master] Take grub2 announcement
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c748ef4 by Utkarsh Gupta at 2023-10-04T03:16:18+05:30 Take grub2 announement - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,7 +70,7 @@ freerdp2 (tobi) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) -- -grub2 +grub2 (utkarsh) NOTE: 20231003: Maintainer prepared an uploaded the update NOTE: 20231003: https://lists.debian.org/debian-lts-changes/2023/10/msg5.html -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c748ef47a01ea4706c08149df753f2449ba4b32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c748ef47a01ea4706c08149df753f2449ba4b32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
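Review bot: the context line "NOTE: 20231003: Maintainer prepared an uploaded the update" should read "prepared and uploaded"; fix it while this entry is being touched. The claim itself adds no dated NOTE, which the surrounding entries use to record who took what and when; a dated line saying the announcement paperwork was taken would make the state readable without consulting git log.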
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3600-1 for postgresql-11
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c0dce80 by Utkarsh Gupta at 2023-10-04T03:15:50+05:30 Reserve DLA-3600-1 for postgresql-11 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -7448,7 +7448,6 @@ CVE-2023-39417 (IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found - postgresql-13 [bullseye] - postgresql-13 (Minor issue, fix along with next round of updates) - postgresql-11 - [buster] - postgresql-11 (Minor issue) NOTE: https://www.postgresql.org/support/security/CVE-2023-39417/ NOTE: https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/ NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de494ec14f6bd7f2676623a5934723a6c8ba51c2 (REL_15_4) = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Oct 2023] DLA-3600-1 postgresql-11 - security update + {CVE-2023-39417} + [buster] - postgresql-11 11.21-0+deb10u2 [02 Oct 2023] DLA-3599-1 exim4 - security update {CVE-2023-42114 CVE-2023-42116} [buster] - exim4 4.92-8+deb10u8 = data/dla-needed.txt = 
@@ -134,9 +134,6 @@ poppler (Adrian Bunk) NOTE: 20230908: as I suspect this is a duplicate of CVE-2020-27778 (which has already NOTE: 20230908: been fixed). (lamby) -- -postgresql-11 (Utkarsh) - NOTE: 20231001: Myon uploaded and asked on #debian-lts to do the paperwork. (utkarsh) --- prometheus-alertmanager (rouca) NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Vulnerable code is in ui/app/src/Views/AlertList/AlertView.elm View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c0dce8074f7d577d32768f9d93fd093c8c98fc2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c0dce8074f7d577d32768f9d93fd093c8c98fc2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
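Review bot: the CVE/list hunk drops "[buster] - postgresql-11 (Minor issue)" now that DLA-3600-1 lists the fix, but the only fix reference in the NOTEs is the REL_15_4 commit; add the REL_11 backport commit (or the 11.21 release note) so the fix shipped in 11.21-0+deb10u2 is auditable from the tracker rather than only from the upload.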
[Git][security-tracker-team/security-tracker][master] Take postgresql-11 for paperwork
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: be91c8bb by Utkarsh Gupta at 2023-10-02T02:13:12+05:30 Take postgresql-11 for paperwork - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -133,6 +133,9 @@ poppler (Adrian Bunk) NOTE: 20230908: as I suspect this is a duplicate of CVE-2020-27778 (which has already NOTE: 20230908: been fixed). (lamby) -- +postgresql-11 (Utkarsh) + NOTE: 20231001: Myon uploaded and asked on #debian-lts to do the paperwork. (utkarsh) +-- prometheus-alertmanager (rouca) NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Vulnerable code is in ui/app/src/Views/AlertList/AlertView.elm View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be91c8bb92974c9bc7a6fc7ad791276a065685f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be91c8bb92974c9bc7a6fc7ad791276a065685f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
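Review bot: the new entry records only that Myon uploaded and asked for the paperwork; add the uploaded version or the debian-lts-changes mail URL (as the grub2 entry on this list does) and the usual "Added by" line, so the entry states what is being announced and not only who was asked.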
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-32292/json-c as not-affected for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 6239900d by Utkarsh Gupta at 2023-09-05T04:37:01+05:30 Mark CVE-2021-32292/json-c as not-affected for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -164115,6 +164115,7 @@ CVE-2021-32293 CVE-2021-32292 (An issue was discovered in json-c through 0.15-20200726. A stack-buffe ...) {DSA-5486-1} - json-c 0.16-1 + [buster] - json-c (Vulnerable code was introduced later) NOTE: https://github.com/json-c/json-c/issues/654 NOTE: https://github.com/json-c/json-c/pull/655 NOTE: https://github.com/json-c/json-c/commit/4e9e44e5258dee7654f74948b0dd5da39c28beec (json-c-0.16-20220414) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6239900dd5e2a04e4ed3fae98461259a5871d5c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6239900dd5e2a04e4ed3fae98461259a5871d5c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
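Review bot: the reason "Vulnerable code was introduced later" is at odds on its face with the CVE text "json-c through 0.15-20200726", which reads as affecting 0.15 and everything before it; add a NOTE citing the commit that introduced the vulnerable code (the entry already cites the fix commit 4e9e44e5 for json-c-0.16-20220414), otherwise the not-affected claim for buster cannot be verified from the tracker.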
[Git][security-tracker-team/security-tracker][master] Take flac
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: e6410196 by Utkarsh Gupta at 2023-08-28T09:12:28+05:30 Take flac - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -57,7 +57,7 @@ dogecoin firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- -flac +flac (utkarsh) NOTE: 20230827: Added by Front-Desk (utkarsh) NOTE: 20230827: incoming DSA -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e64101968cc7e58b8c887c4c3a5adfff3851f27b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e64101968cc7e58b8c887c4c3a5adfff3851f27b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 47559126 by Utkarsh Gupta at 2023-08-28T07:45:20+05:30 Update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -184,6 +184,7 @@ rails (utkarsh) NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) + NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47559126daaf1b4a5373f5e9130b7804dddcdf7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47559126daaf1b4a5373f5e9130b7804dddcdf7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
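Review bot: the new NOTE makes the rails update wait on a ruby-rack rollout without saying which ruby-rack issue is meant or whether ruby-rack is itself in dla-needed; add that pointer, since the earlier NOTEs already defer this upload twice and the blocking item should be visible from the entry.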
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3544-1 for clamav
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d4b4f1da by Utkarsh Gupta at 2023-08-28T06:53:52+05:30 Reserve DLA-3544-1 for clamav - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Aug 2023] DLA-3544-1 clamav - security update + {CVE-2023-20197} + [buster] - clamav 0.103.9+dfsg-0+deb10u1 [27 Aug 2023] DLA-3543-1 rar - security update {CVE-2023-40477} [buster] - rar 2:6.23-1~deb10u1 = data/dla-needed.txt = @@ -40,9 +40,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -clamav (Utkarsh) - NOTE: 20230821: Added by Front-Desk (ta) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4b4f1daf757ade98bef88cc8e968cf750456ae1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4b4f1daf757ade98bef88cc8e968cf750456ae1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
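Review bot: the DLA/list version 0.103.9+dfsg-0+deb10u1 is a new upstream release rather than a patch backport, yet the braces list only CVE-2023-20197; confirm that 0.103.9 closes nothing else tracked for buster (if it does, list those CVEs so they are marked fixed) and say in the DLA text that this is a new upstream point release.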
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark poppler CVEs as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ca099e7 by Utkarsh Gupta at 2023-08-26T15:03:57+05:30 Mark poppler CVEs as no-dsa for buster - - - - - 99b5d438 by Utkarsh Gupta at 2023-08-26T15:06:07+05:30 Mark wireshark CVEs as no-dsa for buster - - - - - 3f37c81e by Utkarsh Gupta at 2023-08-26T15:11:45+05:30 Add tryton-server to dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -64,6 +64,7 @@ CVE-2023-2906 (Due to a failure in validating the length provided by an attacker - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-26.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19229 CVE-2023-4534 (A vulnerability, which was classified as problematic, was found in Neo ...) 
@@ -309,18 +310,21 @@ CVE-2023-4513 (BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6. - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19259 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-25.html CVE-2023-4512 (CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of serv ...) - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19144 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-23.html CVE-2023-4511 (BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 t ...) - wireshark 4.0.8-1 [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19258 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-24.html CVE-2023-4230 (A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4 ...) @@ -73733,6 +73737,7 @@ CVE-2022-38350 CVE-2022-38349 (An issue was discovered in Poppler 22.08.0. There is a reachable asser ...) - poppler 22.12.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1282 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4564a002bcb6094cc460bc0d5ddff9423fe6dd28 (poppler-22.09.0) CVE-2022-38348 
@@ -77123,16 +77128,19 @@ CVE-2022-37053 (TRENDnet TEW733GR v1.03B01 is vulnerable to Command injection vi CVE-2022-37052 (A reachable Object::getString assertion in Poppler 22.07.0 allows atta ...) - poppler 22.08.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1278 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/8677500399fc2548fa816b619580c2c07915a98c (poppler-22.08.0) CVE-2022-37051 (An issue was discovered in Poppler 22.07.0. There is a reachable abort ...) - poppler 22.08.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1276 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4631115647c1e4f0482ffe0491c2f38d2231337b (poppler-22.08.0) CVE-2022-37050 (In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers t ...) - poppler 22.08.0-2 [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1274 NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/dcd5bd8238ea448addd102ff045badd0aca1b990 (poppler-22.08.0) CVE-2022-37049 (The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a ...) = data/dla-needed.txt = @@ -246,3 +246,7 @@ trafficserver NOTE: 20230826: Ubuntu side and track the fixing commits. I'll update when NOTE: 20230826: I have the answer here. (utkarsh) -- +tryton-server + NOTE: 20230826: Added by Front-Desk (utkarsh) + NOTE: 20230826: sync with the DSA released. (utkarsh) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89d4f988a5442d2dbb52bd91084907ffb7bb6960...3f37c81eb9e0f7a6de071fc7d29e254029f62858 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/co
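Review bot: the wireshark hunks tag CVE-2023-2906, CVE-2023-4511, CVE-2023-4512 and CVE-2023-4513 as "Minor issue" for buster, but the CVE descriptions scope the bugs to 4.0.0 to 4.0.7 (and 3.6.x for the BT SDP issues); if buster's wireshark predates those branches and lacks the affected dissector code, the right tag is not-affected with that reason, not a copy of the bullseye no-dsa tag. Check the dissector sources before tagging.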
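Review bot: the tryton-server entry says "sync with the DSA released" without naming the DSA or the CVEs it covers; add the DSA id so the claimer does not have to search for it.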
[Git][security-tracker-team/security-tracker][master] 19 commits: Add trafficserver to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: fd0c184e by Utkarsh Gupta at 2023-08-26T14:20:24+05:30 Add trafficserver to dla-needed - - - - - cd8a6baa by Utkarsh Gupta at 2023-08-26T14:23:19+05:30 Add freeimage to dla-needed - - - - - 18ad23b8 by Utkarsh Gupta at 2023-08-26T14:42:11+05:30 Add python2.7 to dla-needed - - - - - d9f282f4 by Utkarsh Gupta at 2023-08-26T14:46:13+05:30 Add c-ares to dla-needed - - - - - ebf6bd82 by Utkarsh Gupta at 2023-08-26T14:47:42+05:30 Mark CVE-2022-447{29,30}/batik as no-dsa for buster - - - - - 6faeaf9d by Utkarsh Gupta at 2023-08-26T14:48:11+05:30 Mark CVE-2022-48174/busybox as no-dsa for buster - - - - - dc545b60 by Utkarsh Gupta at 2023-08-26T14:48:43+05:30 Mark CVE-2022-41444/cacti as no-dsa for buster - - - - - 2d3d57b8 by Utkarsh Gupta at 2023-08-26T14:49:10+05:30 Mark CVE-2022-34038/etcd as no-dsa for buster - - - - - 18591a2c by Utkarsh Gupta at 2023-08-26T14:49:43+05:30 Mark CVE-2020-24904/gnome-gmail as no-dsa for buster - - - - - aab0ef6c by Utkarsh Gupta at 2023-08-26T14:50:06+05:30 Mark CVE-2022-45582/horizon as no-dsa for buster - - - - - 593e97c7 by Utkarsh Gupta at 2023-08-26T14:51:05+05:30 Mark CVE-2020-24187/iotjs as ignored for buster - - - - - e613c18c by Utkarsh Gupta at 2023-08-26T14:51:45+05:30 Mark CVE-2023-38961/iotjs as ignored for buster - - - - - 93239e0d by Utkarsh Gupta at 2023-08-26T14:52:43+05:30 Mark CVE-2022-4857libcrypto++ as no-dsa for buster - - - - - f587f8fe by Utkarsh Gupta at 2023-08-26T14:53:09+05:30 Mark CVE-2022-43358/libsass as no-dsa for buster - - - - - 19eff1f2 by Utkarsh Gupta at 2023-08-26T14:53:35+05:30 Mark CVE-2020-21896/mupdf as no-dsa for buster - - - - - 815e4e60 by Utkarsh Gupta at 2023-08-26T14:53:56+05:30 Mark CVE-2022-29654/nasm as no-das for buster - - - - - 74f6d092 by Utkarsh Gupta at 2023-08-26T14:54:19+05:30 Mark CVE-2021-34193/opensc as no-dsa for buster - - - - - f7f4a9b6 by Utkarsh Gupta at 2023-08-26T14:54:43+05:30 
Mark CVE-2022-36648/qemu as postponed for buster - - - - - 89d4f988 by Utkarsh Gupta at 2023-08-26T14:55:20+05:30 Mark CVE-2021-28025/qtsvg-opensource-src as no-dsa for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -564,6 +564,7 @@ CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA sig - libcrypto++ [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/992 NOTE: This issue exists because the CVE-2019-14318 fix was intentionally removed for NOTE: functionality reasons. @@ -701,6 +702,7 @@ CVE-2023-38976 (An issue in weaviate v.1.20.0 allows a remote attacker to cause CVE-2023-38961 (Buffer Overflwo vulnerability in JerryScript Project jerryscript v.3.0 ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5092 CVE-2023-38899 (SQL injection vulnerability in berkaygediz O_Blog v.1.0 allows a local ...) NOT-FOR-US: berkaygediz O_Blog @@ -41110,6 +41112,7 @@ CVE-2022-48174 (There is a stack overflow vulnerability in ash.c:6030 in busybox - busybox [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) + [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15216 NOTE: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 CVE-2022-48173 @@ -50550,6 +50553,7 @@ CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru - horizon 3:23.1.0-3 [bookworm] - horizon (Minor issue) [bullseye] - horizon (Minor issue) + [buster] - horizon (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1982676 NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0) NOTE: https://opendev.org/openstack/horizon/commit/2f600272bfffb3024e6f06a369f9b4768dd1a0b0 (20.1.4) 
@@ -53269,12 +53273,14 @@ CVE-2022-44730 (Server-Side Request Forgery (SSRF) vulnerability in Apache Softw - batik 1.17+dfsg-1 [bookworm] - batik (Minor issue) [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/3 NOTE: https://issues.apache.org/jira/browse/BATIK-1347 CVE-2022-44729 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...) - batik 1.17+dfsg-1 [bookworm] - batik (Minor issue) [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists
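Review bot: for CVE-2022-48570 the new buster tag reads "Minor issue", but the NOTE directly below says the issue exists because the CVE-2019-14318 fix was intentionally removed for functionality reasons; that is a will-not-fix rationale and the reason text should say so. The commit subjects also need fixing: "CVE-2022-4857libcrypto++" drops the trailing 0 and the slash of CVE-2022-48570, and the nasm subject says "no-das".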
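Review bot: CVE-2023-38961/iotjs is marked ignored according to the commit subject, but the reason text "(Minor issue)" is the no-dsa wording; an ignored tag should state why the issue will not be fixed in buster rather than that it is minor.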
[Git][security-tracker-team/security-tracker][master] Add tiff to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: db782f45 by Utkarsh Gupta at 2023-08-26T14:16:57+05:30 Add tiff to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -220,3 +220,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +tiff + NOTE: 20230826: Added by Front-Desk (utkarsh) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db782f459563dab35f523af6a619a1a1f1e68ed9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db782f459563dab35f523af6a619a1a1f1e68ed9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
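Review bot: the tiff entry carries only the Front-Desk line; list the CVE IDs in scope (or the DSA being followed) so the claimer knows what the update must cover.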
[Git][security-tracker-team/security-tracker][master] Add flac to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 8122a805 by Utkarsh Gupta at 2023-08-26T14:15:39+05:30 Add flac to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,10 @@ dogecoin firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- +flac + NOTE: 20230827: Added by Front-Desk (utkarsh) + NOTE: 20230827: incoming DSA +-- flask-security (Sean Whitton) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8122a80577b21d25913c60ae1b7f27dfb61c8a8c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8122a80577b21d25913c60ae1b7f27dfb61c8a8c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
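Review bot: the flac NOTEs are dated 20230827 while the commit timestamp is 2023-08-26T14:15:39+05:30; the NOTE dates are what the list is aged by, so use the real date. "incoming DSA" also names neither the DSA nor the CVE; add the id once the DSA is out so the follow-up is unambiguous.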
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-20212/clamav as not-affected for buster and bullseye
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 721a6199 by Utkarsh Gupta at 2023-08-27T01:06:46+05:30 Mark CVE-2023-20212/clamav as not-affected ofr buster and bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57636,7 +57636,8 @@ CVE-2023-20213 CVE-2023-20212 (A vulnerability in the AutoIt module of ClamAV could allow an unauthen ...) - clamav 1.0.2+dfsg-1 (bug #1050057) [bookworm] - clamav (clamav is updated via -updates) - [bullseye] - clamav (clamav is updated via -updates) + [bullseye] - clamav (only affects v1.0.0 and v1.0.1) + [buster] - clamav (only affects v1.0.0 and v1.0.1) NOTE: https://blog.clamav.net/2023/07/2023-08-16-releases.html CVE-2023-20211 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/721a6199a93ed7ec47f40598374e7d4ef22fb4f2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/721a6199a93ed7ec47f40598374e7d4ef22fb4f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
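Review bot: the bullseye reason changes from "clamav is updated via -updates" to "only affects v1.0.0 and v1.0.1" and buster gets the same, but the only NOTE is the release blog URL; point at the statement or the commit that establishes the 1.0.0/1.0.1 scope of the AutoIt module bug, since a not-affected tag is the one nobody revisits. Note that this rendering of the diff has lost the angle-bracket status tag, so the status change itself (to not-affected, per the subject) is not visible here.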
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3537-1 for intel-microcode
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 9820f03d by Utkarsh Gupta at 2023-08-22T06:36:43+05:30 Reserve DLA-3537-1 for intel-microcode - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Aug 2023] DLA-3537-1 intel-microcode - security update + {CVE-2022-40982 CVE-2022-41804 CVE-2023-23908} + [buster] - intel-microcode 3.20230808.1~deb10u1 [20 Aug 2023] DLA-3536-1 flask - security update {CVE-2023-30861} [buster] - flask 1.0.2-3+deb10u1 = data/dla-needed.txt = @@ -82,15 +82,6 @@ imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- -intel-microcode (utkarsh) - NOTE: 20230809: Added by Front-Desk (Beuc) - NOTE: 20230809: Please coordinate with the upcoming linux update (with bwh) so users don't have to reboot twice. - NOTE: 20230809: Upcoming DSA. (Beuc/front-desk) - NOTE: 20230809: will co-ordinate with hmh. (utkarsh) - NOTE: 20230815: Utkarsh prepared update and is available at - NOTE: 20230815: https://salsa.debian.org/lts-team/packages/intel-microcode/-/commits/releases/buster - NOTE: 20230815: waiting for hmh to review. (utkarsh) --- libreswan NOTE: 20230817: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9820f03d09701c8ccbce146f49355ba0c8631de9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9820f03d09701c8ccbce146f49355ba0c8631de9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
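Review bot: the dla-needed lines being removed end at "20230815: waiting for hmh to review" and ask to coordinate with the upcoming linux update so users do not reboot twice; the reservation records neither that the review happened nor whether that coordination was done. Put both outcomes in the commit message or the DLA text, otherwise the history shows an update shipped while still marked as awaiting review.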
[Git][security-tracker-team/security-tracker][master] Take clamav
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 38d15b87 by Utkarsh Gupta at 2023-08-21T05:58:22+05:30 Take clamav - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -clamav +clamav (Utkarsh) NOTE: 20230821: Added by Front-Desk (ta) -- docker.io View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38d15b87add18856f83e8bdc4f6252faa4cc3232 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38d15b87add18856f83e8bdc4f6252faa4cc3232 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3532-1 for openssh
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d3f1312 by Utkarsh Gupta at 2023-08-17T06:40:29+05:30 Reserve DLA-3532-1 for openssh - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3562,7 +3562,6 @@ CVE-2023-38408 (The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an - openssh 1:9.3p2-1 (bug #1042460) [bookworm] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) [bullseye] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) - [buster] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) NOTE: https://www.openwall.com/lists/oss-security/2023/07/19/9 NOTE: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc NOTE: https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Aug 2023] DLA-3532-1 openssh - security update + {CVE-2023-38408} + [buster] - openssh 1:7.9p1-10+deb10u3 [16 Aug 2023] DLA-3531-1 open-vm-tools - security update {CVE-2023-20867} [buster] - open-vm-tools 2:10.3.10-1+deb10u4 = data/dla-needed.txt = 
@@ -133,10 +133,6 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssh (utkarsh) - NOTE: 20230814: Added by Front-Desk (ta) - NOTE: 20230816: taking this one as it's high prio, given one of the customers pinged. (utkarsh) --- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d3f13122ea6ebd155d8184c713a2dcd6e6d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d3f13122ea6ebd155d8184c713a2dcd6e6d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
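Review bot: removing the [buster] no-dsa tag is correct once DLA-3532-1 is listed, but bullseye and bookworm keep the identical "Minor issue; needs specific conditions ..." no-dsa tag, so the tracker now shows LTS fixing what stable declined; add a NOTE giving the reason (the dla-needed entry says it was taken as high priority after a customer ping) so the tags do not read as contradictory, and state in the DLA which of the two openssh-portable commits in the NOTEs were backported to 7.9p1.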
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3531-1 for open-vm-tools
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: deb3e9e9 by Utkarsh Gupta at 2023-08-16T22:43:36+05:30 Reserve DLA-3531-1 for open-vm-tools - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -191,7 +191,7 @@ CVE-2023-38898 (An issue in Python cpython v.3.7 allows an attacker to obtain se NOTE: https://github.com/python/cpython/commit/9e6f8d46150c1a0af09d68ce63c603cf321994aa NOTE: https://github.com/python/cpython/issues/105987 CVE-2023-38896 (An issue in Harrison Chase langchain v.0.0.194 and before allows a rem ...) - NOT-FOR-US: Harrison Chase langchain + NOT-FOR-US: Harrison Chase langchain CVE-2023-38889 (An issue in Alluxio v.2.9.3 and before allows an attacker to execute a ...) NOT-FOR-US: Alluxio CVE-2023-38866 (COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Aug 2023] DLA-3531-1 open-vm-tools - security update + {CVE-2023-20867} + [buster] - open-vm-tools 2:10.3.10-1+deb10u4 [15 Aug 2023] DLA-3530-1 openssl - security update {CVE-2023-3446 CVE-2023-3817} [buster] - openssl 1.1.1n-0+deb10u6 = data/dla-needed.txt = 
@@ -121,9 +121,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools (Utkarsh) - NOTE: 20230731: Added by Front-Desk (apo) --- opendmarc (Chris Lamb) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deb3e9e990d6bd05c59e35591dad6b69f1bb5919 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deb3e9e990d6bd05c59e35591dad6b69f1bb5919 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2009-1143/open-vm-tools as ignored for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: c5d8f3ab by Utkarsh Gupta at 2023-08-16T22:38:25+05:30 Mark CVE-2009-1143/open-vm-tools as ignored for buster It's a very minor issue and mount.vmhgfs is not suid in Debian. Also, dropping that from buster entirely might break some users and we don't want that. So let's leave it as-is. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -594931,7 +594931,7 @@ CVE-2009-1144 (Untrusted search path vulnerability in the Gentoo package of Xpdf CVE-2009-1143 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) - open-vm-tools 2:12.0.0-1 [bullseye] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) - [buster] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) + [buster] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=372070 NOTE: Removing hgfsmounter/mount.vmhgfs: https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 (stable-12.0.0) CVE-2009-1142 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5d8f3abd729786d3c84e44f5edc8c036033265d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5d8f3abd729786d3c84e44f5edc8c036033265d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
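Review bot: the added line is identical to the removed one as rendered ("[buster] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian)"), so the diff does not visibly show the change the commit message describes. The tracker writes the ignored marker in angle brackets between the package name and the reason, and a mail-to-HTML rendering strips that as a tag, so the commit is most likely correct and the mail is lossy; still, verify the committed line carries the marker, otherwise buster keeps its previous no-dsa state. The reasoning in the commit message (not suid in Debian; dropping mount.vmhgfs would break users) matches the wording already used on the bullseye line, so the two suites stay consistent.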
[Git][security-tracker-team/security-tracker][master] Take openssh for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 34e3570a by Utkarsh Gupta at 2023-08-16T13:58:52+05:30 Take openssh for buster - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,8 +136,9 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssh +openssh (utkarsh) NOTE: 20230814: Added by Front-Desk (ta) + NOTE: 20230816: taking this one as it's high prio, given one of the customers pinged. (utkarsh) -- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34e3570ab50342536d5432e8a6563547ac950d4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34e3570ab50342536d5432e8a6563547ac950d4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
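Review bot: the claimant string is "(utkarsh)" here while the same person appears as "(Utkarsh)" on other entries in this file (datatables.js, open-vm-tools, ruby-sidekiq, ruby-rails-html-sanitizer in the surrounding commits); anything that greps or scripts over the claimant field will count them as two people, so pick one spelling. The new NOTE line records the reason for the priority ("one of the customers pinged"), which is the right practice, and the hunk header "@@ -136,8 +136,9 @@" matches exactly one added line.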
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3529-1 for datatables.js
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e8120e5 by Utkarsh Gupta at 2023-08-15T19:19:39+05:30 Reserve DLA-3529-1 for datatables.js - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -183539,7 +183539,6 @@ CVE-2021-23446 (The package handsontable before 10.0.0; the package handsontable CVE-2021-23445 (This affects the package datatables.net before 1.11.3. If an array is ...) - datatables.js 1.10.21+dfsg-3 (bug #995229) [bullseye] - datatables.js 1.10.21+dfsg-2+deb11u1 - [buster] - datatables.js (Minor issue) [stretch] - datatables.js (Minor issue) NOTE: https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b (v1.11.3) CVE-2021-23444 (This affects the package jointjs before 3.4.2. A type confusion vulner ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Aug 2023] DLA-3529-1 datatables.js - security update + {CVE-2021-23445} + [buster] - datatables.js 1.10.19+dfsg-1+deb10u1 [14 Aug 2023] DLA-3528-1 poppler - security update {CVE-2020-36023 CVE-2020-36024} [buster] - poppler 0.71.0-5+deb10u2 = data/dla-needed.txt = 
@@ -33,11 +33,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -datatables.js (Utkarsh) - NOTE: 20230809: Added by Front-Desk (Beuc) - NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29 - NOTE: 20230809: Follow fixes from bullseye 11.2 (1 CVE) (Beuc/front-desk) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e8120e5f13bbb0e2b41530ab14d99f96cae1b22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e8120e5f13bbb0e2b41530ab14d99f96cae1b22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
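Review bot: the removed dla-needed entry points at the experimental issue-based workflow ticket (lts-updates-tasks issue 29); dropping the entry does not close that issue, so it needs closing by hand or it will show as still open. The three files otherwise agree: the CVE/list hunk removes only the "[buster] - datatables.js (Minor issue)" line and leaves the [stretch] tag, the DLA entry lists exactly the one CVE (CVE-2021-23445) the removed note said to follow from bullseye 11.2, and 1.10.19+dfsg-1+deb10u1 is the first buster revision.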
[Git][security-tracker-team/security-tracker][master] 3 commits: Take over datatables.js
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 70c2c9a7 by Utkarsh Gupta at 2023-08-15T19:15:50+05:30 Take over datatables.js - - - - - 2277872a by Utkarsh Gupta at 2023-08-15T19:16:25+05:30 Take open-vm-tools - - - - - 0d1860bd by Utkarsh Gupta at 2023-08-15T19:18:07+05:30 Add notes for intel-microcode - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -datatables.js (guilhem) +datatables.js (Utkarsh) NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29 NOTE: 20230809: Follow fixes from bullseye 11.2 (1 CVE) (Beuc/front-desk) @@ -90,6 +90,9 @@ intel-microcode (utkarsh) NOTE: 20230809: Please coordinate with the upcoming linux update (with bwh) so users don't have to reboot twice. NOTE: 20230809: Upcoming DSA. (Beuc/front-desk) NOTE: 20230809: will co-ordinate with hmh. (utkarsh) + NOTE: 20230815: Utkarsh prepared update and is available at + NOTE: 20230815: https://salsa.debian.org/lts-team/packages/intel-microcode/-/commits/releases/buster + NOTE: 20230815: waiting for hmh to review. (utkarsh) -- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) 
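Review bot: the datatables.js reassignment from "(guilhem)" to "(Utkarsh)" carries no dated NOTE explaining the handover, unlike every other state change in this file, which gets a "NOTE: YYYYMMDD:" line with a signature. Add one so the next front-desk pass can tell whether guilhem agreed or the entry was taken over as stale. In the intel-microcode hunk the new notes refer to "Utkarsh" in the third person but are signed "(utkarsh)"; first person ("prepared an update, available at ...; waiting for hmh to review") matches the file's convention and the 20230809 note just above.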
@@ -123,7 +126,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools +open-vm-tools (Utkarsh) NOTE: 20230731: Added by Front-Desk (apo) -- opendmarc (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aefa3287d465d20a69eac71594abd0321448493f...0d1860bd9e02db1174005544ede20ad104257257 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aefa3287d465d20a69eac71594abd0321448493f...0d1860bd9e02db1174005544ede20ad104257257 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
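Review bot: the open-vm-tools claim adds no dated NOTE, so the only history on the entry is the 20230731 Front-Desk addition; the openssh and intel-microcode claims in the same series add a "NOTE: YYYYMMDD: ... (utkarsh)" line, and this one should too, even if only to say what is planned. The claimant is spelled "(Utkarsh)" here and "(utkarsh)" elsewhere in the same push; use one form.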
[Git][security-tracker-team/security-tracker][master] Take rails
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b857919 by Utkarsh Gupta at 2023-08-09T14:26:30+05:30 Take rails - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -131,7 +131,7 @@ qt4-x11 (Roberto C. Sánchez) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 -- -rails +rails (utkarsh) NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b85791986d6b93222e64bd13d3c7bf4df288a6a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b85791986d6b93222e64bd13d3c7bf4df288a6a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
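Review bot: the claim adds no dated NOTE, and the three existing notes are from 20220909 and describe a regression in 2:5.2.2.1+dfsg-1+deb10u4 rather than open CVEs. A one-line note saying whether the plan is to fix that regression, roll up newer issues, or both would tell the front desk what this claim covers; as it stands the entry reads as an eleven-month-old regression with a fresh owner and no stated plan.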
[Git][security-tracker-team/security-tracker][master] Take intel-microcode
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: caf6e7d6 by Utkarsh Gupta at 2023-08-09T14:25:34+05:30 Take intel-microcode - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,10 +64,11 @@ imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- -intel-microcode +intel-microcode (utkarsh) NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Please coordinate with the upcoming linux update (with bwh) so users don't have to reboot twice. NOTE: 20230809: Upcoming DSA. (Beuc/front-desk) + NOTE: 20230809: will co-ordinate with hmh. (utkarsh) -- libreoffice (santiago) NOTE: 20230530: Added by Front-Desk (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf6e7d68722f33a6cf8547562711e3555bbf64d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf6e7d68722f33a6cf8547562711e3555bbf64d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
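Review bot: the new note says "will co-ordinate with hmh", while the front-desk note two lines above asks for coordination with bwh on the upcoming linux update so users do not reboot twice. Both coordination points are needed, so the note should say the linux/bwh timing is also being tracked, otherwise it reads as if that request was dropped. Spelling: "coordinate", as in the front-desk note.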
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3450-1 for ruby2.5
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fcf3a56 by Utkarsh Gupta at 2023-06-09T15:44:31+05:30 Reserve DLA-3450-1 for ruby2.5 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -89913,7 +89913,6 @@ CVE-2022-28739 (There is a buffer over-read in Ruby before 2.6.10, 2.7.x before - ruby2.7 (bug #1009957) [bullseye] - ruby2.7 (Minor issue, fix with next Ruby security release) - ruby2.5 - [buster] - ruby2.5 (Minor issue, fix with next Ruby security release) - ruby2.3 [stretch] - ruby2.3 (Minor issue; fix in next LTS release) NOTE: https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306 (v2_6_10) @@ -148294,7 +148293,6 @@ CVE-2021-33621 (The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before - ruby2.7 [bullseye] - ruby2.7 (Minor issue) - ruby2.5 - [buster] - ruby2.5 (Minor issue) NOTE: https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/ NOTE: Fixed by: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 (v0.3.4) NOTE: Possible followup needed: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 (v0.3.5) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[09 Jun 2023] DLA-3450-1 ruby2.5 - security update + {CVE-2021-33621 CVE-2022-28739} + [buster] - ruby2.5 2.5.5-3+deb10u6 [08 Jun 2023] DLA-3449-1 openssl - security update {CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-2650} [buster] - openssl 1.1.1n-0+deb10u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fcf3a56a93629973139b0980db1168ee2983f7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fcf3a56a93629973139b0980db1168ee2983f7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
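Review bot: this commit touches only data/CVE/list and data/DLA/list ("2 changed files"), so if ruby2.5 has an entry in data/dla-needed.txt it is still there; the other reservations in this series drop the dla-needed entry in the same commit. The CVE side is consistent: the two hunks remove the buster "fix with next Ruby security release" tags for CVE-2022-28739 and CVE-2021-33621, and DLA-3450-1 lists exactly those two. The [stretch] tag on CVE-2022-28739 is left as a "fix in next LTS release" reminder, which is correct for this commit.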
[Git][security-tracker-team/security-tracker][master] Add nvidia-cuda-toolkit to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 29d9dd56 by Utkarsh Gupta at 2023-05-15T11:01:03+05:30 Add nvidia-cuda-toolkit to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -106,6 +106,12 @@ nova NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely. NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) -- +nvidia-cuda-toolkit + NOTE: 20230514: Programming language: binary blobs. + NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/nvidia-cuda-toolkit.git + NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have + NOTE: 20230514: piled up. (utkarsh) +-- openimageio (gladk) NOTE: 20230406: Programming language: C. NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d9dd56bea63a8456a58d29036583e23c00dc24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d9dd56bea63a8456a58d29036583e23c00dc24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
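Review bot: "a bunch of CVEs have piled up" is not actionable; list the CVE identifiers, or at least the count, in the note so whoever claims the entry can scope it. The note should also say whether the package can be patched at all, since "Programming language: binary blobs" means there is no source to backport fixes into; the later 20230610 note visible in the open-vm-tools commits above recommends putting it on the not-supported list, and that question belongs in the entry from the start.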
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-31555/libpodofo as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 842a0cf5 by Utkarsh Gupta at 2023-05-15T10:50:22+05:30 Mark CVE-2023-31555/libpodofo as no-dsa for buster - - - - - eb607fa1 by Utkarsh Gupta at 2023-05-15T10:52:33+05:30 Mark CVE-2023-31566-67/libpodofo as no-dsa for buster - - - - - 20824c93 by Utkarsh Gupta at 2023-05-15T10:53:10+05:30 Mark CVE-2023-29491/ncurses as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -240,11 +240,13 @@ CVE-2023-31567 (Podofo v0.10.0 was discovered to contain a heap buffer overflow - libpodofo [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) + [buster] - libpodofo (Minor issue) NOTE: https://github.com/podofo/podofo/issues/71 CVE-2023-31566 (Podofo v0.10.0 was discovered to contain a heap-use-after-free via the ...) - libpodofo [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) + [buster] - libpodofo (Minor issue) NOTE: https://github.com/podofo/podofo/issues/70 CVE-2023-31557 (xpdf pdfimages v4.04 was discovered to contain a stack overflow in the ...) TODO: check @@ -256,6 +258,7 @@ CVE-2023-31556 (podofoinfo 0.10.0 was discovered to contain a segmentation viola CVE-2023-31555 (podofoinfo 0.10.0 was discovered to contain a segmentation violation v ...) - libpodofo (Vulnerable code not present) [bullseye] - libpodofo (Minor issue) + [buster] - libpodofo (Minor issue) NOTE: https://github.com/podofo/podofo/issues/67 NOTE: Fixed by: https://github.com/podofo/podofo/commit/3759eb6aae7c01f2d8670f16ac46f5e116c7f468 NOTE: Introduced by: https://github.com/podofo/podofo/commit/a2eca000e5a4337fb79ee8215d06413785653184 
@@ -5732,6 +5735,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to execute CVE-2023-29491 (ncurses before 6.4 20230408, when used by a setuid application, allows ...) - ncurses (bug #1034372) [bullseye] - ncurses (Minor issue) + [buster] - ncurses (Minor issue) NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408 NOTE: http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56 NOTE: https://github.com/ThomasDickey/ncurses-snapshots/commit/a6d3f92bb5bba1a71c7c3df39497abbe5fe999ff View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37f2f02b581e7c4e8063b16df657bf335703ec48...20824c93746e330a22509eebbfe4d6f83c47fe40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37f2f02b581e7c4e8063b16df657bf335703ec48...20824c93746e330a22509eebbfe4d6f83c47fe40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
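Review bot: the CVE-2023-31555 entry now reads "libpodofo (Vulnerable code not present)" for unstable and "(Minor issue)" for both bullseye and buster, which is contradictory: if the vulnerable code is absent from the current package, the question for buster is whether its older version contains it at all, and if not the correct tag is not-affected, not a no-dsa "Minor issue". The entry's own NOTE links the introducing commit (a2eca000), so this can be checked against buster's version. CVE-2023-31566 and CVE-2023-31567 are "Minor issue" in every suite and are fine to follow bullseye. For ncurses CVE-2023-29491 the description limits the impact to setuid users of the library; that is the reason worth writing in the parenthesis instead of the generic "Minor issue".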
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2023-29839/hoteldruid as no-dsa for bullseye
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: cdbf8473 by Utkarsh Gupta at 2023-05-15T10:48:43+05:30 Mark CVE-2023-29839/hoteldruid as no-dsa for bullseye - - - - - 37f2f02b by Utkarsh Gupta at 2023-05-15T10:48:46+05:30 Mark iotjs CVEs as ignored for buster; following bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -214,18 +214,22 @@ CVE-2023-32070 (XWiki Platform is a generic wiki platform. Prior to version 14.6 CVE-2023-31910 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain a heap-buff ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5076 CVE-2023-31908 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain a heap-buff ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5067 CVE-2023-31907 (Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5073 CVE-2023-31906 (Jerryscript 3.0.0(commit 1a2c047) was discovered to contain a heap-buf ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5066 CVE-2023-31568 (Podofo v0.10.0 was discovered to contain a heap buffer overflow via th ...) - libpodofo (Vulnerable code not present) @@ -3661,6 +3665,7 @@ CVE-2023-30415 CVE-2023-30414 (Jerryscript commit 1a2c047 was discovered to contain a stack overflow ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5051 CVE-2023-30413 RESERVED 
@@ -3671,18 +3676,21 @@ CVE-2023-30411 CVE-2023-30410 (Jerryscript commit 1a2c047 was discovered to contain a stack overflow ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5052 CVE-2023-30409 RESERVED CVE-2023-30408 (Jerryscript commit 1a2c047 was discovered to contain a segmentation vi ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5057 CVE-2023-30407 RESERVED CVE-2023-30406 (Jerryscript commit 1a2c047 was discovered to contain a segmentation vi ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5058 CVE-2023-30405 (A cross-site scripting (XSS) vulnerability in Aigital Wireless-N Repea ...) NOT-FOR-US: Aigital @@ -4865,6 +4873,7 @@ CVE-2023-29840 CVE-2023-29839 (A Stored Cross Site Scripting (XSS) vulnerability exists in multiple p ...) - hoteldruid (bug #1035671) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) NOTE: https://github.com/jichngan/CVE-2023-29839 NOTE: Fixed upstream in 3.0.5 CVE-2023-29838 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4b679aefb7a1c68fdaf21219621bf851445a0641...37f2f02b581e7c4e8063b16df657bf335703ec48 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4b679aefb7a1c68fdaf21219621bf851445a0641...37f2f02b581e7c4e8063b16df657bf335703ec48 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
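Review bot: the commit message says "Mark iotjs CVEs as ignored for buster; following bullseye", but every added line reads "[buster] - iotjs (Minor issue)", the same form as the bullseye lines, i.e. a no-dsa tag rather than an ignored one. Either the angle-bracket ignored marker was stripped when this mail was rendered (in which case buster is not "following bullseye", whose lines carry no marker), or the message is wrong; one of the two should be corrected. The hoteldruid tag is a straight copy of bullseye's and the entry already carries bug #1035671 and "Fixed upstream in 3.0.5", so that one is fine.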
[Git][security-tracker-team/security-tracker][master] Add owslib to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c2adf9e by Utkarsh Gupta at 2023-05-15T00:52:19+05:30 Add owslib to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,6 +116,11 @@ openjdk-11 (Emilio) NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git NOTE: 20230508: waiting for sid/bullseye update (pochu) -- +owslib + NOTE: 20230514: Programming language: Python. + NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/owslib.git + NOTE: 20230514: also in dsa-needed. (utkarsh) +-- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c2adf9e5e9d6cdf6b5a8078f512b8803e87c968 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c2adf9e5e9d6cdf6b5a8078f512b8803e87c968 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
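Review bot: the entry says "also in dsa-needed" but not what the LTS update should wait for; the convention elsewhere in this file (compare the intel-microcode notes, "Upcoming DSA", "Please coordinate with ...") is to say whether buster should follow the DSA or be prepared independently, and to name the CVE(s). Add that so the entry is claimable without re-deriving it from the tracker.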
[Git][security-tracker-team/security-tracker][master] Take ruby-rails-html-sanitizer
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 82c9b724 by Utkarsh Gupta at 2023-04-27T00:18:03+02:00 Take ruby-rails-html-sanitizer - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -257,7 +257,7 @@ ruby-loofah NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby) NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert) -- -ruby-rails-html-sanitizer +ruby-rails-html-sanitizer (Utkarsh) NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82c9b724202c3c65deb90355d132a238e72e14e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82c9b724202c3c65deb90355d132a238e72e14e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
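Review bot: the two entries now wait on each other. The ruby-loofah context line says "Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh", and the ruby-rails-html-sanitizer note being claimed says "this cannot be fixed unless ruby-loofah is fixed with appropriate methods". Since loofah is declared ready, the sanitizer update can be built against the prepared loofah update; a NOTE line stating the upload order (loofah first, then sanitizer) removes the apparent deadlock for whoever reads this next.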
[Git][security-tracker-team/security-tracker][master] 5 commits: Mark CVE-2023-2848{6,7}/sudo as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 958767fb by Utkarsh Gupta at 2023-03-18T18:38:53+05:30 Mark CVE-2023-2848{6,7}/sudo as no-dsa for buster - - - - - f67cb5c5 by Utkarsh Gupta at 2023-03-18T18:39:22+05:30 Mark CVE-2023-1175/vim as no-dsa for buster - - - - - 28fa556a by Utkarsh Gupta at 2023-03-18T18:41:09+05:30 Mark CVE-2021-33391/tidy-html5 as no-dsa for buster - - - - - 42acdb7f by Utkarsh Gupta at 2023-03-18T18:41:33+05:30 Mark CVE-2023-1161/wireshark as no-dsa for buster - - - - - 512eab88 by Utkarsh Gupta at 2023-03-18T18:42:42+05:30 Add hdf5 to dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -349,10 +349,12 @@ CVE-2023-28488 CVE-2023-28487 (Sudo before 1.9.13 does not escape control characters in sudoreplay ou ...) - sudo 1.9.13p1-1 [bullseye] - sudo (Minor issue) + [buster] - sudo (Minor issue) NOTE: https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca CVE-2023-28486 (Sudo before 1.9.13 does not escape control characters in log messages. ...) - sudo 1.9.13p1-1 [bullseye] - sudo (Minor issue) + [buster] - sudo (Minor issue) NOTE: https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca CVE-2023-28485 RESERVED @@ -3063,6 +3065,7 @@ CVE-2023-1176 CVE-2023-1175 (Incorrect Calculation of Buffer Size in GitHub repository vim/vim prio ...) - vim 2:9.0.1378-1 [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/7e93fc17-92eb-4ae7-b01a-93bb460b643e NOTE: https://github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba (v9.0.1378) CVE-2022-4930 (A vulnerability classified as problematic was found in nuxsmin sysPass ...) 
@@ -3285,6 +3288,7 @@ CVE-2023-1162 (A vulnerability, which was classified as critical, was found in D CVE-2023-1161 (ISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 an ...) - wireshark [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-08.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18839 CVE-2023-1160 (Use of Platform-Dependent Third Party Components in GitHub repository ...) @@ -135849,6 +135853,7 @@ CVE-2021-33392 CVE-2021-33391 (An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitra ...) - tidy-html5 (bug #1032665) [bullseye] - tidy-html5 (Minor issue) + [buster] - tidy-html5 (Minor issue) NOTE: https://github.com/htacg/tidy-html5/issues/946 NOTE: https://github.com/htacg/tidy-html5/commit/efa61528aa500a1efbd2768121820742d3bb709b CVE-2021-33390 = data/dla-needed.txt = 
@@ -101,6 +101,13 @@ golang-yaml.v2 NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- +hdf5 + NOTE: 20230318: Programming language: C. + NOTE: 20230318: VCS: https://salsa.debian.org/lts-team/packages/hdf5.git + NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) + NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably + NOTE: 20230318: sync w/ him. (utkarsh) +-- intel-microcode (tobi) NOTE: 20230219: Programming language: Binary blob. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/intel-microcode.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/95bc6bb4b83952fbd90456ae3a1c68595fb93f3c...512eab88ab049ae26b675a88c03dda88b6e04c38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/95bc6bb4b83952fbd90456ae3a1c68595fb93f3c...512eab88ab049ae26b675a88c03dda88b6e04c38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
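Review bot: for CVE-2023-1161 the description as shown says the crash affects "Wireshark 4.0.0 to 4.0.3 an ..." (truncated); before tagging buster "Minor issue", check the full affected range in the linked wnpa-sec-2023-08 advisory, because if buster's version does not contain the ISO 15765/10681 dissector code the correct tag is not-affected rather than no-dsa. The sudo, vim and tidy-html5 tags copy bullseye's "Minor issue" and each entry already links the fixing commit, so those are straightforward. For the new hdf5 entry, "Consider fixing all the no-dsa and postponed issues as well" would be more useful with the CVE ids listed, and "sync w/ him" should name Enrico's handle so the note is greppable.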
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3360-1 for ruby-sidekiq
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 63a9de7a by Utkarsh Gupta at 2023-03-13T02:10:30+05:30 Reserve DLA-3360-1 for ruby-sidekiq - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -143137,7 +143137,6 @@ CVE-2021-30151 (Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the q {DLA-2943-1} - ruby-sidekiq 6.3.1+dfsg-1 (bug #987354) [bullseye] - ruby-sidekiq (Minor issue) - [buster] - ruby-sidekiq (Minor issue) NOTE: https://github.com/mperham/sidekiq/issues/4852 NOTE: https://github.com/mperham/sidekiq/commit/64f70339d1dcf50a55c00d36bfdb61d97ec63ed8 (v6.2.1) CVE-2021-30150 (Composr 10.0.36 allows XSS in an XML script. ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Mar 2023] DLA-3360-1 ruby-sidekiq - security update + {CVE-2021-30151 CVE-2022-23837} + [buster] - ruby-sidekiq 5.2.3+dfsg-1+deb10u1 [13 Mar 2023] DLA-3359-1 libapache2-mod-auth-mellon - security update {CVE-2019-13038 CVE-2021-3639} [buster] - libapache2-mod-auth-mellon 0.14.2-1+deb10u1 = data/dla-needed.txt = 
@@ -259,12 +259,6 @@ ruby-rails-html-sanitizer NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- -ruby-sidekiq (Utkarsh) - NOTE: 20221231: Programming language: Ruby. - NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-sidekiq.git - NOTE: 20230220: almost done-ish. Will roll out the DLA this week. (utkarsh) --- runc (Sylvain Beucler) NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63a9de7a3f01e7fb42aadea5f5b70aa575a0d605 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63a9de7a3f01e7fb42aadea5f5b70aa575a0d605 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
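Review bot: DLA-3360-1 lists two CVEs (CVE-2021-30151 and CVE-2022-23837) but the CVE/list hunk only drops the buster tag for CVE-2021-30151; nothing for CVE-2022-23837 appears in the diff. The removed dla-needed note says CVE-2022-23837 "was fixed in stretch so should be fixed in buster for consistency", which suggests its buster line may have carried a tag too, so confirm that entry shows buster as fixed after this commit. CVE-2021-30151 already carries {DLA-2943-1}; two DLAs for one CVE across suites is expected, not an error.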
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for ruby-rails-html-sanitizer
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 998b1e5e by Utkarsh Gupta at 2023-03-13T02:08:00+05:30 Add note for ruby-rails-html-sanitizer - - - - - 4dacbb52 by Utkarsh Gupta at 2023-03-13T02:08:55+05:30 Reserve DLA-3359-1 for libapache2-mod-auth-mellon - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -127080,7 +127080,6 @@ CVE-2021-3640 (A flaw use-after-free in function sco_sock_sendmsg() of the Linux CVE-2021-3639 (A flaw was found in mod_auth_mellon where it does not sanitize logout ...) - libapache2-mod-auth-mellon 0.18.0-1 (bug #991730) [bullseye] - libapache2-mod-auth-mellon 0.17.0-1+deb11u1 - [buster] - libapache2-mod-auth-mellon (Minor issue) [stretch] - libapache2-mod-auth-mellon (Minor issue) NOTE: https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5 CVE-2021-36350 (Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authenticati ...) @@ -270799,7 +270798,6 @@ CVE-2019-13039 RESERVED CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the login?Retu ...) - libapache2-mod-auth-mellon 0.15.0-1 (low; bug #931265) - [buster] - libapache2-mod-auth-mellon (Minor issue) [stretch] - libapache2-mod-auth-mellon (Minor issue) [jessie] - libapache2-mod-auth-mellon (Open Redirect protection not implemented yet) NOTE: https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Mar 2023] DLA-3359-1 libapache2-mod-auth-mellon - security update + {CVE-2019-13038 CVE-2021-3639} + [buster] - libapache2-mod-auth-mellon 0.14.2-1+deb10u1 [12 Mar 2023] DLA-3358-1 mpv - security update {CVE-2020-19824} [buster] - mpv 0.29.1-1+deb10u1 = data/dla-needed.txt = 
@@ -102,12 +102,6 @@ intel-microcode (tobi) NOTE: 20230310: will first fix unstable and stable, then proceed with LTS and ELTS, using the same new upstream version. (tobi) NOTE: 20230312: uploaded to DELAYED/5 for unstable. -- -libapache2-mod-auth-mellon (Utkarsh) - NOTE: 20230105: Programming language: C. - NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git - NOTE: 20230220: upload prepped, testing remains. (utkarsh) --- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git @@ -263,6 +257,7 @@ ruby-loofah (Daniel Leidert) ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git + NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- ruby-sidekiq (Utkarsh) NOTE: 20221231: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23a9d48016bd0218a366177fd3cdd5051347ed17...4dacbb52b1761a042d3085dc122626e08b9288ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23a9d48016bd0218a366177fd3cdd5051347ed17...4dacbb52b1761a042d3085dc122626e08b9288ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
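Review bot: the added line "NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)" states a hard dependency on ruby-loofah, which the hunk context shows is claimed separately ("ruby-loofah (Daniel Leidert)"), but it names neither the CVEs that are blocked nor the loofah methods the sanitizer needs. Put the same cross-reference under the ruby-loofah entry and spell out what is required, so whoever updates ruby-loofah knows that ruby-rails-html-sanitizer has to be released together with it or right after it. The first hunk's removal of the libapache2-mod-auth-mellon entry is consistent with the DLA-3359-1 reservation in the second commit.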
[Git][security-tracker-team/security-tracker][master] 2 commits: Drop tmux from dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 85981430 by Utkarsh Gupta at 2023-02-20T03:07:03+05:30 Drop tmux from dla-needed even if the upload was already made, we've decided to ignore it completely; cf: #debian-lts. - - - - - b3e1ae1a by Utkarsh Gupta at 2023-02-20T03:10:53+05:30 Add notes for packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,6 +125,7 @@ libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git + NOTE: 20230220: upload prepped, testing remains. (utkarsh) -- libgit2 (gladk) NOTE: 20230126: Programming language: C. @@ -302,6 +303,7 @@ ruby-sidekiq (Utkarsh) NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-sidekiq.git + NOTE: 20230220: almost done-ish. Will roll out the DLA this week. (utkarsh) -- runc (Sylvain Beucler) NOTE: 20220905: Programming language: Go. 
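Review bot: the ruby-sidekiq hunk's new line, "NOTE: 20230220: almost done-ish. Will roll out the DLA this week. (utkarsh)", records no checkable state. Other entries in this file say where the prepared package lives (the trafficserver entry's "https://people.debian.org/~abhijith/upload/trf/ (abhijith)") or what still blocks it (the libapache2-mod-auth-mellon hunk's "upload prepped, testing remains."); say which CVEs the buster update covers and where the package or debdiff is, so front-desk can take over if the week passes without the DLA.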
@@ -352,10 +354,6 @@ tinymce NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git -- -tmux (Utkarsh) - NOTE: 20230129: Programming language: C. - NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git --- trafficserver NOTE: 20230202: Programming language: C. NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/900565f6d1ee995b7b3dadb93769bd5cbf112254...b3e1ae1a031ccb1a8fa0dd6aab7e85fb75a6bc68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/900565f6d1ee995b7b3dadb93769bd5cbf112254...b3e1ae1a031ccb1a8fa0dd6aab7e85fb75a6bc68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
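Review bot: dropping the tmux entry is only half of the decision recorded in the commit message ("we've decided to ignore it completely"): this push touches one file, data/dla-needed.txt, so nothing in data/CVE/list records the buster decision or its reason. Without a [buster] tag and a NOTE pointing at the #debian-lts discussion, the tmux CVE(s) stay open for buster in the tracker, the package will be re-added to dla-needed at the next triage, and the fact that an upload had already been made is lost.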
[Git][security-tracker-team/security-tracker][master] Add a note for rails
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 0da904c6 by Utkarsh Gupta at 2023-01-31T06:20:40+05:30 Add a note for rails - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -235,6 +235,7 @@ rails NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20221209: Programming language: Ruby. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/rails.html + NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) -- rainloop NOTE: 20220913: Programming language: PHP, JavaScript. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0da904c6023b8344c1fdc266ff06690b584e9974 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0da904c6023b8344c1fdc266ff06690b584e9974 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
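Review bot: the added note assigns an action ("Utkarsh to start a thread with sec+ruby team with the possible path forward") on an entry whose header line carries no claimer ("rails"), for a package the context describes as having broken three times in under two months (NOTE: 20221024). Either claim the entry or, once the thread exists, record its URL in a follow-up NOTE so the coordination is findable; as it stands the entry reads as unclaimed with an open action nobody owns.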
[Git][security-tracker-team/security-tracker][master] Take ruby-sidekiq and libapache2-mod-auth-mellon
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 305e3012 by Utkarsh Gupta at 2023-01-31T06:07:26+05:30 Take ruby-sidekiq and libapache2-mod-auth-mellon - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -108,7 +108,7 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired) -- -libapache2-mod-auth-mellon +libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- @@ -259,7 +259,7 @@ ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git -- -ruby-sidekiq +ruby-sidekiq (Utkarsh) NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/305e3012a4b9226ec06bd5b7a4c6de8f401db07d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/305e3012a4b9226ec06bd5b7a4c6de8f401db07d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
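Review bot: the claimer is written "(Utkarsh)" on the package header lines but "(utkarsh)" in the NOTE attributions elsewhere in this file, and other claims in the same hunks use full names ("runc (Sylvain Beucler)", "ruby-loofah (Daniel Leidert)"); pick one spelling so a search for the claimer finds every entry. Otherwise the claims match the entries added by front-desk ("Follow fixes from bullseye 11.6 (Beuc/front-desk)").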
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3303-1 for ruby-git
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: be53887b by Utkarsh Gupta at 2023-01-31T03:50:15+05:30 Reserve DLA-3303-1 for ruby-git - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -74099,7 +74099,6 @@ CVE-2022-25758 (All versions of package scss-tokenizer are vulnerable to Regular CVE-2022-25648 (The package git before 1.11.0 are vulnerable to Command Injection via ...) - ruby-git 1.13.1-1 (bug #1009926) [bullseye] - ruby-git (Minor issue) - [buster] - ruby-git (Minor issue) NOTE: https://github.com/ruby-git/ruby-git/pull/569 NOTE: Fixed by: https://github.com/ruby-git/ruby-git/commit/291ca0946bec7164b90ad5c572ac147f512c7159 (v1.11.0) NOTE: https://security.snyk.io/vuln/SNYK-RUBY-GIT-2421270 = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3303-1 ruby-git - security update + {CVE-2022-25648 CVE-2022-46648 CVE-2022-47318} + [buster] - ruby-git 1.2.8-1+deb10u1 [31 Jan 2023] DLA-3302-1 nova - security update {CVE-2022-47951} [buster] - nova 2:18.1.0-6+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be53887be480c3bd0a4af216f8dee8d5c5719ae1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be53887be480c3bd0a4af216f8dee8d5c5719ae1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
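Review bot: DLA-3303-1 lists three CVEs ({CVE-2022-25648 CVE-2022-46648 CVE-2022-47318}) but the data/CVE/list hunk only removes the [buster] "Minor issue" line under CVE-2022-25648; CVE-2022-46648 and CVE-2022-47318 are not touched in this commit. Check that their entries carry no stale [buster] tag, otherwise the tracker shows them as no-dsa for buster while the DLA claims they are fixed in 1.2.8-1+deb10u1. A NOTE naming the commits backported would also help: the entry's fix reference (291ca0946bec, v1.11.0) is against 1.11.0 and the buster package is 1.2.8.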
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3302-1 for nova
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fd32e1c by Utkarsh Gupta at 2023-01-31T03:37:31+05:30 Reserve DLA-3302-1 for nova - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3302-1 nova - security update + {CVE-2022-47951} + [buster] - nova 2:18.1.0-6+deb10u2 [31 Jan 2023] DLA-3301-1 cinder - security update {CVE-2022-47951} [buster] - cinder 2:13.0.7-1+deb10u2 = data/dla-needed.txt = @@ -174,13 +174,6 @@ nodejs NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html -- -nova - NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all three? (lamby) - NOTE: 20230130: Programming language: Python - NOTE: 20230130: VCS: https://salsa.debian.org/openstack-team/services/nova - NOTE: 20230130: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/OpenStack.html - NOTE: 20230130: Maintainer notes: Contact original maintainer: zigo --- nvidia-graphics-drivers NOTE: 20221225: Programming language: binary blob. NOTE: 20230103: Cf. on-going discussion on nvidia support (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd32e1c891fad0c94ddd530a8d382857d65d323 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd32e1c891fad0c94ddd530a8d382857d65d323 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
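Review bot: this reservation, and the cinder (DLA-3301-1) and glance (DLA-3300-1) ones below it, all cover the same CVE-2022-47951, and each push touches only data/DLA/list and data/dla-needed.txt; none of the three changes data/CVE/list. The ruby-git and node-moment reservations on this page remove the [buster] "Minor issue" line for every CVE their DLA covers, so confirm that CVE-2022-47951 has no [buster] line for nova, cinder or glance, or remove it in a follow-up. The removed nova notes also pointed at the maintainer's repository (https://salsa.debian.org/openstack-team/services/nova) rather than an lts-team one; if the update was prepared there, the DLA text should say so.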
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3301-1 for cinder
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 29b2cbb1 by Utkarsh Gupta at 2023-01-31T03:36:29+05:30 Reserve DLA-3301-1 for cinder - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3301-1 cinder - security update + {CVE-2022-47951} + [buster] - cinder 2:13.0.7-1+deb10u2 [31 Jan 2023] DLA-3300-1 glance - security update {CVE-2022-47951} [buster] - glance 2:17.0.0-5+deb10u1 = data/dla-needed.txt = @@ -40,11 +40,6 @@ ceph NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- -cinder - NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all three? (lamby) - NOTE: 20230130: Programming language: Python - NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/cinder.git --- consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29b2cbb1829e009bc9036315ad20afe738a778ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29b2cbb1829e009bc9036315ad20afe738a778ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3300-1 for glance
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: a16875cc by Utkarsh Gupta at 2023-01-31T03:30:00+05:30 Reserve DLA-3300-1 for glance - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3300-1 glance - security update + {CVE-2022-47951} + [buster] - glance 2:17.0.0-5+deb10u1 [30 Jan 2023] DLA-3299-1 node-qs - security update {CVE-2022-24999} [buster] - node-qs 6.5.2-1+deb10u1 = data/dla-needed.txt = @@ -72,11 +72,6 @@ fusiondirectory NOTE: 20221203: Also the package was removed from sid recently (gladk). NOTE: 20221203: Feel free to marke both CVEs as , if they are not too serious (gladk). -- -glance - NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all three? (lamby) - NOTE: 20230130: Programming language: Python - NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/glance.git --- golang-1.11 NOTE: 20220916: Programming language: Go. NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a16875cc84c280114001b7652c9ebf235ea3561b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a16875cc84c280114001b7652c9ebf235ea3561b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3298-1 for ruby-rack
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 66debdde by Utkarsh Gupta at 2023-01-31T03:20:06+05:30 Reserve DLA-3298-1 for ruby-rack - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -219706,7 +219706,6 @@ CVE-2020-8185 (A denial of service vulnerability exists in Rails <6.0.3.2 tha CVE-2020-8184 (A reliance on cookies without validation/integrity check security vuln ...) {DLA-2275-1} - ruby-rack 2.1.1-6 (bug #963477) - [buster] - ruby-rack (Minor issue) NOTE: https://hackerone.com/reports/895727 NOTE: Fixed by: https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c CVE-2020-8183 (A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of ...) @@ -219806,7 +219805,6 @@ CVE-2020-8162 (A client side enforcement of server side security vulnerability e CVE-2020-8161 (A directory traversal vulnerability exists in rack < 2.2.0 that all ...) {DLA-2275-1 DLA-2216-1} - ruby-rack 2.1.1-5 - [buster] - ruby-rack (Minor issue; can be fixed via point release) NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/IOO1vNZTzPA/Ylzi1UYLAAAJ NOTE: Fixed by: https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e NOTE: Required followup: https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3298-1 ruby-rack - security update + {CVE-2020-8161 CVE-2020-8184 CVE-2022-44570 CVE-2022-44571 CVE-2022-44572} + [buster] - ruby-rack 2.0.6-3+deb10u2 [31 Jan 2023] DLA-3297-1 tiff - security update {CVE-2022-48281} [buster] - tiff 4.1.0+git191117-2~deb10u6 = data/dla-needed.txt = 
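Review bot: the removed [buster] line for CVE-2020-8161 read "(Minor issue; can be fixed via point release)" and the entry records "NOTE: Required followup: https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa" after the primary fix dddb7ad18ed7; verify that 2.0.6-3+deb10u2 carries both commits, since the note says the first one is incomplete on its own. The three 2022 CVEs in the DLA ({CVE-2022-44570 CVE-2022-44571 CVE-2022-44572}) are not touched in this hunk, so check their [buster] status separately.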
@@ -276,10 +276,6 @@ ring ruby-loofah NOTE: 20221231: Programming language: Ruby. -- -ruby-rack (Utkarsh) - NOTE: 20230129: Programming language: Ruby. - NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git --- ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66debdde9414db2fe10477797b161ef8564408bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66debdde9414db2fe10477797b161ef8564408bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3297-1 for tiff
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: b87f2096 by Utkarsh Gupta at 2023-01-31T03:07:20+05:30 Reserve DLA-3297-1 for tiff - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3297-1 tiff - security update + {CVE-2022-48281} + [buster] - tiff 4.1.0+git191117-2~deb10u6 [31 Jan 2023] DLA-3296-1 libhtml-stripscripts-perl - security update {CVE-2023-24038} [buster] - libhtml-stripscripts-perl 1.06-1+deb10u1 = data/dla-needed.txt = @@ -327,11 +327,6 @@ sox (Helmut Grohne) thunderbird (Emilio) NOTE: 20230123: Programming language: C++ -- -tiff (Utkarsh) - NOTE: 20230126: Programming language: C. - NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/tiff.git - NOTE: 20230126: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html --- tinymce NOTE: 20221227: Programming language: PHP. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b87f209613c50813adfde09902c570f646a5f598 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b87f209613c50813adfde09902c570f646a5f598 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
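Review bot: the push touches only data/DLA/list and data/dla-needed.txt; there is no data/CVE/list change for CVE-2022-48281, so confirm its tiff entry carries no [buster] no-dsa tag that now contradicts the 4.1.0+git191117-2~deb10u6 fix. The removed entry also pointed at a test suite (https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html); since that pointer disappears with the entry, the DLA text is the place to say whether it was run against the buster build.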
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3296-1 for libhtml-stripscripts-perl
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 72ce3811 by Utkarsh Gupta at 2023-01-31T03:01:20+05:30 Reserve DLA-3296-1 for libhtml-stripscripts-perl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3296-1 libhtml-stripscripts-perl - security update + {CVE-2023-24038} + [buster] - libhtml-stripscripts-perl 1.06-1+deb10u1 [31 Jan 2023] DLA-3295-1 node-moment - security update {CVE-2022-24785 CVE-2022-31129} [buster] - node-moment 2.24.0+ds-1+deb10u1 = data/dla-needed.txt = @@ -127,10 +127,6 @@ libgit2 (gladk) NOTE: 20230126: VCS: https://salsa.debian.org/debian/libgit2.git NOTE: 20230126: Please fix also CVE-2020* (gladk). -- -libhtml-stripscripts-perl (Utkarsh) - NOTE: 20230125: Programming language: Perl. - NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git --- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ce38117a275fbd676b4ed73560b2f6ffdc67e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ce38117a275fbd676b4ed73560b2f6ffdc67e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3295-1 for node-moment
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 4abda771 by Utkarsh Gupta at 2023-01-31T02:54:50+05:30 Reserve DLA-3295-1 for node-moment - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -58694,7 +58694,6 @@ CVE-2022-31130 (Grafana is an open source observability and data visualization p CVE-2022-31129 (moment is a JavaScript date library for parsing, validating, manipulat ...) - node-moment 2.29.4+ds-1 (bug #1014845) [bullseye] - node-moment 2.29.1+ds-2+deb11u2 - [buster] - node-moment (Minor issue) NOTE: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 (2.29.4) NOTE: https://github.com/moment/moment/pull/6015#issuecomment-1152961973 NOTE: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g @@ -77426,7 +77425,6 @@ CVE-2022-24786 (PJSIP is a free and open source multimedia communication library CVE-2022-24785 (Moment.js is a JavaScript date library for parsing, validating, manipu ...) - node-moment 2.29.2+ds-1 (bug #1009327) [bullseye] - node-moment 2.29.1+ds-2+deb11u1 - [buster] - node-moment (Minor issue) [stretch] - node-moment (Nodejs in stretch not covered by security support) NOTE: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4 NOTE: https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5 (2.29.2) = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2023] DLA-3295-1 node-moment - security update + {CVE-2022-24785 CVE-2022-31129} + [buster] - node-moment 2.24.0+ds-1+deb10u1 [30 Jan 2023] DLA-3294-1 libarchive - security update {CVE-2022-36227} [buster] - libarchive 3.3.3-4+deb10u3 = data/dla-needed.txt = 
@@ -173,10 +173,6 @@ node-got NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). -- -node-moment - NOTE: 2022: Programming language: JavaScript. - NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk) --- node-nth-check NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4abda771f80df8767b1c7d160aee8cbb78f169fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4abda771f80df8767b1c7d160aee8cbb78f169fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
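Review bot: the removed node-moment notes match the DLA: "Follow fixes from bullseye 11.4 and 11.5" corresponds to the +deb11u1 (CVE-2022-24785) and +deb11u2 (CVE-2022-31129) versions shown in the CVE/list hunks, and both [buster] lines are removed. Style point on the surrounding context: these entries (node-got, node-moment, node-nth-check) are dated only "NOTE: 2022:" while the rest of the file uses YYYYMMDD; the bare-year form defeats sorting or triage by date and is worth fixing on the neighbours that remain.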
[Git][security-tracker-team/security-tracker][master] Take ruby-rack and tmux
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: ad80502d by Utkarsh Gupta at 2023-01-30T01:40:47+05:30 Take ruby-rack and tmux - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,7 +268,7 @@ ring ruby-loofah NOTE: 20221231: Programming language: Ruby. -- -ruby-rack +ruby-rack (Utkarsh) NOTE: 20230129: Programming language: Ruby. NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git -- @@ -331,7 +331,7 @@ tiff (Utkarsh) tinymce NOTE: 20221227: Programming language: PHP. -- -tmux +tmux (Utkarsh) NOTE: 20230129: Programming language: C. NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad80502d6b7dea39ca397e0477ddf734adec8060 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad80502d6b7dea39ca397e0477ddf734adec8060 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take tiff
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c66a1ef by Utkarsh Gupta at 2023-01-26T16:09:23+05:30 Take tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -357,7 +357,7 @@ sox thunderbird (Emilio) NOTE: 20230123: Programming language: C++ -- -tiff +tiff (Utkarsh) NOTE: 20230126: Programming language: C. NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/tiff.git NOTE: 20230126: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c66a1ef3a3ac75d9e90ec3aea674c189204c2bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c66a1ef3a3ac75d9e90ec3aea674c189204c2bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take libhtml-stripscripts-perl
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: df378eb6 by Utkarsh Gupta at 2023-01-25T16:08:06+05:30 Take libhtml-stripscripts-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -127,7 +127,7 @@ libapache2-mod-auth-mellon NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- -libhtml-stripscripts-perl +libhtml-stripscripts-perl (Utkarsh) NOTE: 20230125: Programming language: Perl. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df378eb61a2b234b7f46c7e2105aad9db6a45198 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df378eb61a2b234b7f46c7e2105aad9db6a45198 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3281-1 for swift
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 24a110dd by Utkarsh Gupta at 2023-01-25T07:46:44+05:30 Reserve DLA-3281-1 for swift - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jan 2023] DLA-3281-1 swift - security update + {CVE-2022-47950} + [buster] - swift 2.19.1-1+deb10u1 [24 Jan 2023] DLA-3280-1 libde265 - security update {CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655} [buster] - libde265 1.0.3-1+deb10u3 = data/dla-needed.txt = @@ -331,10 +331,6 @@ sox NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git -- -swift - NOTE: 20230123: Programming language: Python. - NOTE: 20230123: Thomas already uploaded the package; discussion on #debian-lts. (utkarsh) --- thunderbird (Emilio) NOTE: 20230123: Programming language: C++ -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24a110dd2b485ff3413d8325916c5c7161215086 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24a110dd2b485ff3413d8325916c5c7161215086 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
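Review bot: the removed note says "Thomas already uploaded the package; discussion on #debian-lts", i.e. the upload was made by someone other than the person reserving DLA-3281-1, and the entry was never claimed (the header line is a bare "swift"). Record who prepared 2.19.1-1+deb10u1 and link the #debian-lts decision in the DLA text or a NOTE, so the reservation and the upload can be matched later. As with the other reservations in this batch, the push changes no data/CVE/list entry for CVE-2022-47950; confirm there is no [buster] no-dsa line left under it.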
[Git][security-tracker-team/security-tracker][master] Add wireshark to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: ec6899fd by Utkarsh Gupta at 2023-01-23T04:38:51+05:30 Add wireshark to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -355,6 +355,10 @@ trafficserver NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith) NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith) -- +wireshark + NOTE: 20230123: Programming language: C. + NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them pile up like last time. (utkarsh). +-- xdg-utils NOTE: 20221120: Programming language: C. NOTE: 20221120: no real fix yet View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec6899fdedb622df907350925414e1a9699a1f77 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec6899fdedb622df907350925414e1a9699a1f77 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
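Review bot: the added entry says "7 new CVEs + 3 postponed ones" but lists none of them, and, unlike the tiff or trafficserver entries in this file, carries no VCS or Testsuite note. List the ten CVE ids (marking which three were postponed) so the claimer does not have to redo the triage, and add the VCS line; without the ids, "like last time" is not checkable.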
[Git][security-tracker-team/security-tracker][master] 4 commits: Mark CVE-2023-2249{6,7}/netdata as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 17454138 by Utkarsh Gupta at 2023-01-23T03:37:19+05:30 Mark CVE-2023-2249{6,7}/netdata as no-dsa for buster - - - - - 4c6244f5 by Utkarsh Gupta at 2023-01-23T03:37:46+05:30 Mark CVE-2021-46872/nim as no-dsa for buster - - - - - 5be04707 by Utkarsh Gupta at 2023-01-23T03:38:19+05:30 Mark CVE-2022-46176/rust-cargo as no-dsa in buster - - - - - 4f16ce9f by Utkarsh Gupta at 2023-01-23T03:39:11+05:30 Mark TEMP-1028986-7037E6/sgt-puzzles as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1407,6 +1407,7 @@ CVE-2023-0306 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten CVE-2023- [Multiple integer overflow and buffer overflow issues in game loading] - sgt-puzzles (bug #1028986) [bullseye] - sgt-puzzles (Minor issue) + [buster] - sgt-puzzles (Minor issue) CVE-2023-0305 (A vulnerability classified as critical was found in SourceCodester Onl ...) NOT-FOR-US: SourceCodester Online Food Ordering System CVE-2023-0304 (A vulnerability classified as critical has been found in SourceCodeste ...) @@ -1794,6 +1795,7 @@ CVE-2022-48256 (Technitium DNS Server before 10.0 allows a self-CNAME denial-of- CVE-2021-46872 (An issue was discovered in Nim before 1.6.2. The RST module of the Nim ...) - nim 1.6.2-1 [bullseye] - nim (Minor issue) + [buster] - nim (Minor issue) NOTE: https://github.com/nim-lang/Nim/pull/19134 NOTE: https://github.com/nim-lang/Nim/commit/9338aa24977e84a33b9a7802eaff0777fcf4d9c3 CVE-2023-23492 (The Login with Phone Number WordPress Plugin, version < 1.4.2, is a ...) 
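Review bot: the sgt-puzzles hunk tags a TEMP entry, "CVE-2023- [Multiple integer overflow and buffer overflow issues in game loading]" with bug #1028986 and no fixed version in unstable, as "(Minor issue)" for buster, and the entry has no NOTE giving a reason or an upstream reference. Memory-safety bugs in a file loader are the kind of issue that later gets a real CVE id and a fix, so add a NOTE with the reasoning behind the no-dsa call and a link to the upstream commits once they exist; the nim hunk next to it shows the expected shape, with a PR and a commit reference under the tag.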
@@ -4946,10 +4948,12 @@ CVE-2023-22498 CVE-2023-22497 (Netdata is an open source option for real-time infrastructure monitori ...) - netdata 1.37.0-1 [bullseye] - netdata (Minor issue) + [buster] - netdata (Minor issue) NOTE: https://github.com/netdata/netdata/security/advisories/GHSA-jx85-39cw-66f2 CVE-2023-22496 (Netdata is an open source option for real-time infrastructure monitori ...) - netdata 1.37.0-1 [bullseye] - netdata (Minor issue) + [buster] - netdata (Minor issue) NOTE: https://github.com/netdata/netdata/security/advisories/GHSA-xg38-3vmw-2978 CVE-2023-22495 (Izanami is a shared configuration service well-suited for micro-servic ...) NOT-FOR-US: Izanami @@ -12878,6 +12882,7 @@ CVE-2022-46176 (Cargo is a Rust package manager. The Rust Security Response WG w [buster] - cargo (Minor issue) - rust-cargo 0.66.0-1 [bullseye] - rust-cargo (Minor issue) + [buster] - rust-cargo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/10/3 NOTE: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176 CVE-2022-46175 (JSON5 is an extension to the popular JSON file format that aims to be ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e28fe4bb1032925e2ac6eb78ea27209012d73c4...4f16ce9f2009e1361bfcd923cd79b48197183c9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e28fe4bb1032925e2ac6eb78ea27209012d73c4...4f16ce9f2009e1361bfcd923cd79b48197183c9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
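Review bot: the rust-cargo hunk's context already shows "[buster] - cargo (Minor issue)" from commit 3848b103 (below), and this commit adds the matching tag for rust-cargo, so the two source packages carrying CVE-2022-46176 are now consistent. The two netdata hunks carry only the GHSA advisories as references (GHSA-jx85-39cw-66f2, GHSA-xg38-3vmw-2978); add the fixing commits from 1.37.0 so the no-dsa decision can be revisited without re-deriving them.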
[Git][security-tracker-team/security-tracker][master] 8 commits: Mark CVE-2023-{0358,2314{3-5}}/gpac as EOL for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2514409c by Utkarsh Gupta at 2023-01-23T02:29:57+05:30 Mark CVE-2023-{0358,2314{3-5}}/gpac as EOL for buster - - - - - 3848b103 by Utkarsh Gupta at 2023-01-23T02:52:41+05:30 Mark CVE-2022-46176/cargo as no-dsa in buster - - - - - 9719f3b6 by Utkarsh Gupta at 2023-01-23T02:55:28+05:30 Add git to dla-needed - - - - - 2dd36d80 by Utkarsh Gupta at 2023-01-23T02:58:08+05:30 Add openjdk-11 to dla-needed - - - - - 929f4e49 by Utkarsh Gupta at 2023-01-23T02:59:44+05:30 Add swift to dla-needed - - - - - e98afa9d by Utkarsh Gupta at 2023-01-23T03:01:30+05:30 Mark CVE-2022-4{4617,6285,883}/libxpm as no-dsa for buster - - - - - a6054f0c by Utkarsh Gupta at 2023-01-23T03:02:18+05:30 Mark CVE-2020-17354/lilypond as ignored for buster; follow bullseye - - - - - 1e28fe4b by Utkarsh Gupta at 2023-01-23T03:02:58+05:30 Mark CVE-2022-48279/modsecurity as no-dsa for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -261,6 +261,7 @@ CVE-2022-48279 (In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart [bullseye] - modsecurity-apache (Minor issue) - modsecurity 3.0.8-1 [bullseye] - modsecurity (Minor issue) + [buster] - modsecurity (Minor issue) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ NOTE: https://github.com/SpiderLabs/ModSecurity/pull/2795 NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/d6c10885e08779e99e76efcd5ad65802104cda14 (v3.0.8) @@ -869,6 +870,7 @@ CVE-2023-0359 RESERVED CVE-2023-0358 (Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV. ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/93e128ed-253f-4c42-81ff-fbac7fd8f355 NOTE: https://github.com/gpac/gpac/commit/9971fb125cf91cefd081a080c417b90bbe4a467b CVE-2023-0357 
@@ -2577,12 +2579,15 @@ CVE-2023-23146 RESERVED CVE-2023-23145 (GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a me ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4ade98128cbc41d5115b97a41ca2e59529c8dd5f CVE-2023-23144 (Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/3a2458a49b3e6399709d456d7b35e7a6f50cfb86 CVE-2023-23143 (Buffer overflow vulnerability in function avc_parse_slice in file medi ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/af6a5e7a96ee01a139cce6c9e4edfc069aad17a6 CVE-2023-23142 RESERVED @@ -3497,6 +3502,7 @@ CVE-2022-4883 RESERVED - libxpm 1:3.5.12-1.1 [bullseye] - libxpm (Minor issue) + [buster] - libxpm (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/2 NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376 (libXpm-3.5.15) NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68 (libXpm-3.5.15) @@ -3548,12 +3554,14 @@ CVE-2022-46285 RESERVED - libxpm 1:3.5.12-1.1 [bullseye] - libxpm (Minor issue) + [buster] - libxpm (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/2 NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d765014816c566c63165c63ca8 (libXpm-3.5.15) CVE-2022-44617 RESERVED - libxpm 1:3.5.12-1.1 [bullseye] - libxpm (Minor issue) + [buster] - libxpm (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/2 NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb287c0030c9913b046643 (libXpm-3.5.15) NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d2135dbebe9a367c5f0 (libXpm-3.5.15) 
@@ -12867,6 +12875,7 @@ CVE-2022-46177 (Discourse is an option source discussion platform. Prior to vers CVE-2022-46176 (Cargo is a Rust package manager. The Rust Security Response WG was not ...) - cargo 0.66.0+ds1-1 [bullseye] - cargo (Minor issue) + [buster] - cargo (Minor issue) - rust-cargo 0.66.0-1 [bullseye] - rust-cargo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/10/3 @@ -192382,6 +192391,7 @@ CVE-2020-17354 RESERVED - lilypond 2.22.1-1 [bullseye] - lilypond (Unfixable, marked as insecure in later uploads) + [buster] - lilypond (Unfixable, marked as insecure in later uploads) NOTE: https
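Review bot: The CVE-2022-48279 hunk tags only `modsecurity` for buster and leaves `modsecurity-apache`, which the same entry lists with `[bullseye] - modsecurity-apache (Minor issue)`, without any buster line; if that asymmetry is deliberate (the 2023-01-20 push adds modsecurity-apache to dla-needed for a backport), record it with a NOTE on the entry so the next triager does not add a no-dsa tag for modsecurity-apache in buster.

Review bot: The four gpac lines (CVE-2023-0358, CVE-2023-23143, CVE-2023-23144, CVE-2023-23145) all read `[buster] - gpac (EOL in buster LTS)` under a bare `- gpac` line with no fixed version; the commit message calls this "EOL", so check that the committed lines carry the tracker's end-of-life keyword rather than only the comment, and consider one NOTE stating when and where gpac was declared unsupported in buster LTS so later gpac CVEs can cite it instead of repeating the free-text reason.

Review bot: The three libxpm entries (CVE-2022-4883, CVE-2022-46285, CVE-2022-44617) are still RESERVED, so the "(Minor issue)" verdict for buster rests only on the openwall post and the libXpm-3.5.15 commits in the NOTE lines; that is acceptable for now, but a RESERVED entry gives a reader no way to see what was judged minor, so the severity should be rechecked once the descriptions are published.

Review bot: This notification is cut off after the lilypond hunk (the last visible text is "NOTE: https"), so the data/dla-needed.txt hunks for the three "Add git / openjdk-11 / swift to dla-needed" commits listed in the header are not visible here and cannot be reviewed from this message.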
[Git][security-tracker-team/security-tracker][master] Add modsecurity-apache to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5462141a by Utkarsh Gupta at 2023-01-20T13:14:16+05:30 Add modsecurity-apache to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -148,6 +148,11 @@ man2html NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . -- +modsecurity-apache (Tobias Frost) + NOTE: 20230120: From IRC: + NOTE: 20230120: : a backport in modsecurity(-apache) is needed as well [...] + NOTE: 20230120: this is in reference to fixing the CVE is in modsecurity-crs. +-- modsecurity-crs (Tobias Frost) NOTE: 20221006: Programming language: Other. NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5462141a0e734391bca34c1ff09a0f7447c17e59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5462141a0e734391bca34c1ff09a0f7447c17e59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
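Review bot: The new modsecurity-apache entry names neither the CVE it refers to ("this is in reference to fixing the CVE is in modsecurity-crs") nor the IRC speaker (the line reads "NOTE: 20230120: : a backport in modsecurity(-apache) is needed as well"), so the claim cannot be tied to a tracker entry; state the CVE id (for instance whether this is CVE-2022-48279, whose data/CVE/list entry already lists modsecurity-apache) and the nick being quoted, and reword the last note to "fixing the CVE in modsecurity-crs".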
[Git][security-tracker-team/security-tracker][master] Re-claim node-moment from Guilhem
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cbb3ed7 by Utkarsh Gupta at 2023-01-15T19:27:13+05:30 Re-claim node-moment from Guilhem - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -184,7 +184,7 @@ node-minimatch (guilhem) NOTE: 20230105: Programming language: JavaScript. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- -node-moment (guilhem) +node-moment (Utkarsh) NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cbb3ed70075cc1bf5dfa94e2c0d2347f89fee19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cbb3ed70075cc1bf5dfa94e2c0d2347f89fee19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
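Review bot: The hunk swaps `(guilhem)` for `(Utkarsh)` without an accompanying NOTE; the file header (visible in the awstats push of 2022-12-05) asks that notes be appended rather than replaced, and the only notes on this entry still date from 2022, so append a dated line such as "NOTE: 20230115: re-claimed from guilhem, <state of the update> (utkarsh)" recording why the package changed hands and where the bullseye 11.4/11.5 follow-up stands.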
[Git][security-tracker-team/security-tracker][master] Take libetpan
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: c40dfd1e by Utkarsh Gupta at 2022-12-20T02:39:29+05:30 Take libetpan - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -105,7 +105,7 @@ libde265 NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk) NOTE: 20221215: CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411 adressed, remaining CVEs are unfixed upstream. (I've proposed a patch upstream, waiting for feeback) (tobi) -- -libetpan +libetpan (Utkarsh) NOTE: 20221203: Programming language: C++. NOTE: 20221203: VCS: https://salsa.debian.org/lts-team/packages/libetpan.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c40dfd1e4993e05de8e2d095c3ef538b1522d8ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c40dfd1e4993e05de8e2d095c3ef538b1522d8ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3231-1 for dlt-daemon
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: efc6d52b by Utkarsh Gupta at 2022-12-07T16:05:57+05:30 Reserve DLA-3231-1 for dlt-daemon - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -44719,7 +44719,6 @@ CVE-2022-31292 CVE-2022-31291 (An issue in dlt_config_file_parser.c of dlt-daemon v2.18.8 allows atta ...) - dlt-daemon 2.18.6-2.1 (bug #1014534) [bullseye] - dlt-daemon 2.18.6-1+deb11u1 - [buster] - dlt-daemon (Minor issue) NOTE: https://github.com/COVESA/dlt-daemon/pull/376 NOTE: https://github.com/COVESA/dlt-daemon/commit/6a3bd901d825c7206797e36ea98e10a218f5aad2 CVE-2022-31290 (A cross-site scripting (XSS) vulnerability in Known v1.2.2+2020061101 ...) @@ -127743,7 +127742,6 @@ CVE-2021-23201 (NVIDIA GPU and Tegra hardware contain a vulnerability in an inte NOT-FOR-US: NVIDIA CVE-2020-36244 (The daemon in GENIVI diagnostic log and trace (DLT), is vulnerable to ...) - dlt-daemon 2.18.6-1 - [buster] - dlt-daemon (Minor issue) NOTE: https://github.com/GENIVI/dlt-daemon/issues/265 NOTE: https://github.com/GENIVI/dlt-daemon/pull/269 NOTE: https://github.com/GENIVI/dlt-daemon/commit/af734fe097ed379b0aa5fcf551886b1ce5098052 (v2.18.6) @@ -150161,7 +150159,6 @@ CVE-2020-29395 (The EventON plugin through 3.0.5 for WordPress allows addons/?q= NOT-FOR-US: EventON plugin for WordPress CVE-2020-29394 (A buffer overflow in the dlt_filter_load function in dlt_common.c from ...) - dlt-daemon 2.18.5-0.3 (bug #976228) - [buster] - dlt-daemon (Minor issue) NOTE: https://github.com/GENIVI/dlt-daemon/issues/274 NOTE: https://github.com/GENIVI/dlt-daemon/pull/275 NOTE: https://github.com/GENIVI/dlt-daemon/commit/ff4f44c159df6f44b48bd38c9d2f104eb360be11 = data/DLA/list = 
@@ -1,3 +1,6 @@ +[07 Dec 2022] DLA-3231-1 dlt-daemon - security update + {CVE-2020-29394 CVE-2020-36244 CVE-2022-31291} + [buster] - dlt-daemon 2.18.0-1+deb10u1 [07 Dec 2022] DLA-3230-1 jqueryui - security update {CVE-2021-41182 CVE-2021-41183 CVE-2021-41184 CVE-2022-31160} [buster] - jqueryui 1.12.1+dfsg-5+deb10u1 = data/dla-needed.txt = @@ -30,9 +30,6 @@ curl (Roberto C. Sánchez) NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. -- -dlt-daemon (Utkarsh) - NOTE: 20221207: Programming language: C. --- erlang NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efc6d52bfc1d48084fb197c441b5a71b876c78ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efc6d52bfc1d48084fb197c441b5a71b876c78ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
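Review bot: The three removed `[buster] - dlt-daemon (Minor issue)` lines correspond exactly to the three CVEs in the new DLA-3231-1 entry (CVE-2020-29394, CVE-2020-36244, CVE-2022-31291), so buster's status will now be derived from `dlt-daemon 2.18.0-1+deb10u1`; since the data/dla-needed.txt hunk removes an entry claimed only a few hours earlier whose sole note was "Programming language: C", no backport or testing notes are lost, but run the repository's syntax check (`make check-syntax`) before pushing, as a DLA/list entry whose CVE set does not match the tags removed from data/CVE/list is the usual way these reservations break.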
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3230-1 for jqueryui
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 858d86a3 by Utkarsh Gupta at 2022-12-07T15:34:10+05:30 Reserve DLA-3230-1 for jqueryui - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -45119,7 +45119,6 @@ CVE-2022-31161 (Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepa CVE-2022-31160 (jQuery UI is a curated set of user interface interactions, effects, wi ...) - jqueryui 1.13.2+dfsg-1 (bug #1015982) [bullseye] - jqueryui (Minor issue) - [buster] - jqueryui (Minor issue) NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 NOTE: https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9 (1.13.2) CVE-2022-31159 (The AWS SDK for Java enables Java developers to work with Amazon Web S ...) @@ -91490,7 +91489,6 @@ CVE-2021-41185 (Mycodo is an environmental monitoring and regulation system. An CVE-2021-41184 (jQuery-UI is the official jQuery user interface library. Prior to vers ...) - jqueryui 1.13.0+dfsg-1 [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 - [buster] - jqueryui (Minor issue) [stretch] - jqueryui (Minor issue) - otrs2 6.3.1-1 [bullseye] - otrs2 (Non-free not supported) @@ -91504,7 +91502,6 @@ CVE-2021-41183 (jQuery-UI is the official jQuery user interface library. Prior t - drupal7 - jqueryui 1.13.0+dfsg-1 [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 - [buster] - jqueryui (Minor issue) [stretch] - jqueryui (Minor issue) - otrs2 6.3.1-1 [bullseye] - otrs2 (Non-free not supported) @@ -91520,7 +91517,6 @@ CVE-2021-41182 (jQuery-UI is the official jQuery user interface library. Prior t - drupal7 - jqueryui 1.13.0+dfsg-1 [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 - [buster] - jqueryui (Minor issue) [stretch] - jqueryui (Minor issue) - otrs2 6.3.1-1 [bullseye] - otrs2 (Non-free not supported) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[07 Dec 2022] DLA-3230-1 jqueryui - security update + {CVE-2021-41182 CVE-2021-41183 CVE-2021-41184 CVE-2022-31160} + [buster] - jqueryui 1.12.1+dfsg-5+deb10u1 [07 Dec 2022] DLA-3229-1 node-log4js - security update {CVE-2022-21704} [buster] - node-log4js 4.0.2-2+deb10u1 = data/dla-needed.txt = @@ -90,13 +90,6 @@ imagemagick (Roberto C. Sánchez) NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) -- -jqueryui (Utkarsh Gupta) - NOTE: 2022: Programming language: JavaScript. - NOTE: 2022: Follow fixes from bullseye 11.2 (and jessie/elts) (Beuc/front-desk) - NOTE: 20221204: update already prepared for buster, as doing for stretch. - NOTE: 20221204: forgot to claim it in dla-needed, e-mailed Markus now. (utkarsh) - NOTE: 20221204: currently, testing the update with Yadd. (utkarsh) --- kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/858d86a38e10419ae1ba08fd027a4b8a266634e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/858d86a38e10419ae1ba08fd027a4b8a266634e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
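Review bot: For CVE-2022-31160 buster now gets a fix in `jqueryui 1.12.1+dfsg-5+deb10u1` while the bullseye line in the same entry still reads `[bullseye] - jqueryui (Minor issue)` with bug #1015982 open; bullseye also ships a 1.12.1-based package (`1.12.1+dfsg-8+deb11u1` for CVE-2021-41182/41183/41184), so the buster backport is directly reusable there and the bullseye tag should be revisited, either by proposing it for the next point release or by noting why bullseye stays no-dsa.

Review bot: The dla-needed hunk drops the notes "update already prepared for buster, as doing for stretch" and "currently, testing the update with Yadd"; that is expected once the DLA is reserved, but the `[stretch] - jqueryui (Minor issue)` tags left on CVE-2021-41182/41183/41184 mean the stretch (ELTS) side referred to in those notes is still untracked here, so confirm the ELA side is recorded in its own tracker.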
[Git][security-tracker-team/security-tracker][master] Take node-moment and dlt-daemon
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 6253dae0 by Utkarsh Gupta at 2022-12-07T15:10:39+05:30 Take node-moment and dlt-daemon - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,7 +30,7 @@ curl (Roberto C. Sánchez) NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. -- -dlt-daemon +dlt-daemon (Utkarsh) NOTE: 20221207: Programming language: C. -- erlang @@ -184,7 +184,7 @@ node-loader-utils NOTE: 2022: Programming language: JavaScript. NOTE: 2022: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk) -- -node-moment +node-moment (Utkarsh) NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6253dae0ed118a41931ab2e7069020b33fd47c7d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6253dae0ed118a41931ab2e7069020b33fd47c7d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3229-1 for node-log4js
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d43927f5 by Utkarsh Gupta at 2022-12-07T00:40:16+05:30 Reserve DLA-3229-1 for node-log4js - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -80457,7 +80457,6 @@ CVE-2022-21705 (Octobercms is a self-hosted CMS platform based on the Laravel PH CVE-2022-21704 (log4js-node is a port of log4js to node.js. In affected versions defau ...) - node-log4js 6.4.1+~cs8.3.5-1 [bullseye] - node-log4js 6.3.0+~cs8.3.10-1+deb11u1 - [buster] - node-log4js (Minor issue) [stretch] - node-log4js (Nodejs in stretch not covered by security support) NOTE: https://github.com/log4js-node/log4js-node/pull/1141 (v6.4.1) NOTE: https://github.com/log4js-node/streamroller/pull/87 = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Dec 2022] DLA-3229-1 node-log4js - security update + {CVE-2022-21704} + [buster] - node-log4js 4.0.2-2+deb10u1 [07 Dec 2022] DLA-3228-1 node-json-schema - security update {CVE-2021-3918} [buster] - node-json-schema 0.2.3-1+deb10u1 = data/dla-needed.txt = 
@@ -181,10 +181,6 @@ node-loader-utils NOTE: 2022: Programming language: JavaScript. NOTE: 2022: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk) -- -node-log4js (Utkarsh) - NOTE: 2022: Programming language: JavaScript. - NOTE: 2022: Follow fixes from bullseye 11.5 (Beuc/front-desk) --- node-moment NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d43927f5b41c699799f7f7a79ca9b141a4c21f96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d43927f5b41c699799f7f7a79ca9b141a4c21f96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
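Review bot: The buster DLA fixes CVE-2022-21704 in `node-log4js 4.0.2-2+deb10u1`, while the NOTE lines point at two upstream changes, log4js-node PR 1141 (v6.4.1) and streamroller PR 87; buster's 4.0.2 predates both, and the CVE/list entry says nothing about how streamroller is shipped in buster, so the DLA text should state whether the streamroller part was applied (and to which package) or why it is not needed for the 4.x series.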
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3228-1 for node-json-schema
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: b2055004 by Utkarsh Gupta at 2022-12-07T00:39:14+05:30 Reserve DLA-3228-1 for node-json-schema - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -84780,7 +84780,6 @@ CVE-2021-43175 (The GOautodial API prior to commit 3c3a979 made on October 13th, CVE-2021-3918 (json-schema is vulnerable to Improperly Controlled Modification of Obj ...) - node-json-schema 0.4.0+~7.0.9-1 (bug #999765) [bullseye] - node-json-schema 0.3.0+~7.0.6-1+deb11u1 - [buster] - node-json-schema (Minor issue) NOTE: https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0) CVE-2021-43174 (NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, suppo ...) {DSA-5041-1} = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Dec 2022] DLA-3228-1 node-json-schema - security update + {CVE-2021-3918} + [buster] - node-json-schema 0.2.3-1+deb10u1 [07 Dec 2022] DLA-3227-1 ruby-rails-html-sanitizer - security update {CVE-2022-32209} [buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u1 = data/dla-needed.txt = 
@@ -177,10 +177,6 @@ node-hawk NOTE: 20221204: Programming language: Javascript. NOTE: 20221204: VCS: https://salsa.debian.org/lts-team/packages/node-hawk.git -- -node-json-schema (Utkarsh) - NOTE: 2022: Programming language: JavaScript. - NOTE: 2022: Follow fixes from bullseye 11.2 (Beuc/front-desk) --- node-loader-utils NOTE: 2022: Programming language: JavaScript. NOTE: 2022: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b20550049ef2c9e4d716097ef5cef61a76f028d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b20550049ef2c9e4d716097ef5cef61a76f028d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take node-log4js and node-json-schema
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: dbe27611 by Utkarsh Gupta at 2022-12-07T00:25:14+05:30 Take node-log4js and node-json-schema - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -177,7 +177,7 @@ node-hawk NOTE: 20221204: Programming language: Javascript. NOTE: 20221204: VCS: https://salsa.debian.org/lts-team/packages/node-hawk.git -- -node-json-schema +node-json-schema (Utkarsh) NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.2 (Beuc/front-desk) -- @@ -185,7 +185,7 @@ node-loader-utils NOTE: 2022: Programming language: JavaScript. NOTE: 2022: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk) -- -node-log4js +node-log4js (Utkarsh) NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.5 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbe276117bb086db29c17579a03619eff609da87 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbe276117bb086db29c17579a03619eff609da87 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3227-1 for ruby-rails-html-sanitizer
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d252a97 by Utkarsh Gupta at 2022-12-07T00:21:54+05:30 Reserve DLA-3227-1 for ruby-rails-html-sanitizer - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Dec 2022] DLA-3227-1 ruby-rails-html-sanitizer - security update + {CVE-2022-32209} + [buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u1 [06 Dec 2022] DLA-3226-1 cgal - security update {CVE-2020-28601 CVE-2020-28602 CVE-2020-28603 CVE-2020-28604 CVE-2020-28605 CVE-2020-28606 CVE-2020-28607 CVE-2020-28608 CVE-2020-28609 CVE-2020-28610 CVE-2020-28611 CVE-2020-28612 CVE-2020-28613 CVE-2020-28614 CVE-2020-28615 CVE-2020-28616 CVE-2020-28617 CVE-2020-28618 CVE-2020-28619 CVE-2020-28620 CVE-2020-28621 CVE-2020-28622 CVE-2020-28623 CVE-2020-28624 CVE-2020-28625 CVE-2020-28626 CVE-2020-28627 CVE-2020-28628 CVE-2020-28629 CVE-2020-28630 CVE-2020-28631 CVE-2020-28632 CVE-2020-28633 CVE-2020-28634 CVE-2020-28635 CVE-2020-28636 CVE-2020-35628 CVE-2020-35629 CVE-2020-35630 CVE-2020-35631 CVE-2020-35632 CVE-2020-35633 CVE-2020-35634 CVE-2020-35635 CVE-2020-35636} [buster] - cgal 4.13-1+deb10u1 = data/dla-needed.txt = 
@@ -286,10 +286,6 @@ rainloop ring NOTE: 20221120: Programming language: C. -- -ruby-rails-html-sanitizer (Utkarsh) - NOTE: 20221102: Programming language: Ruby. - NOTE: 20221102: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git --- runc NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d252a97bb10e16245e3ba947feda02a08b289d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d252a97bb10e16245e3ba947feda02a08b289d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
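Review bot: This reservation touches only data/DLA/list and data/dla-needed.txt ("2 changed files"), unlike the other DLA reservations in this batch, which also drop a `[buster] - <package> (Minor issue)` line from data/CVE/list; that is correct only if the CVE-2022-32209 entry never carried a buster no-dsa or postponed tag, so confirm the entry now resolves to fixed for buster through the DLA rather than still showing a conflicting buster tag.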
[Git][security-tracker-team/security-tracker][master] Take ruby-*
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d875460 by Utkarsh Gupta at 2022-12-06T19:38:30+05:30 Take ruby-* - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -285,7 +285,7 @@ rainloop ring NOTE: 20221120: Programming language: C. -- -ruby-rails-html-sanitizer +ruby-rails-html-sanitizer (Utkarsh) NOTE: 20221102: Programming language: Ruby. NOTE: 20221102: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d87546075cfb64258f043e7030ec2385a44dd82 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d87546075cfb64258f043e7030ec2385a44dd82 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
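Review bot: The commit message says "Take ruby-*" but the hunk claims a single entry, ruby-rails-html-sanitizer; if other ruby-* entries in dla-needed were meant to be claimed they are missing from this diff, otherwise the plural misleads anyone later searching the history for who holds the other ruby packages.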
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3225-1 for awstats
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e7488ea by Utkarsh Gupta at 2022-12-05T18:34:06+05:30 Reserve DLA-3225-1 for awstats - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Dec 2022] DLA-3225-1 awstats - security update + {CVE-2022-46391} + [buster] - awstats 7.6+dfsg-2+deb10u2 [05 Dec 2022] DLA-3224-1 http-parser - security update {CVE-2020-8287} [buster] - http-parser 2.8.1-1+deb10u3 = data/dla-needed.txt = @@ -12,10 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -awstats (Utkarsh) - NOTE: 20221204: Programming language: Perl. - NOTE: 20221204: VCS: https://salsa.debian.org/lts-team/packages/awstats.git -- ceph NOTE: 20221031: Programming language: C++. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e7488ea1dde5f369cd5f04a9bafb11cb453a35b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e7488ea1dde5f369cd5f04a9bafb11cb453a35b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
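Review bot: Like the ruby-rails-html-sanitizer reservation, this commit changes only data/DLA/list and data/dla-needed.txt and never touches data/CVE/list, so check the CVE-2022-46391 entry for a leftover buster tag that would contradict the new `awstats 7.6+dfsg-2+deb10u2` line; the dla-needed hunk itself is fine, since it removes the awstats block together with one of the two `--` separators and leaves a single separator before ceph.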
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3224-1 for http-parser
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 60113425 by Utkarsh Gupta at 2022-12-05T18:31:13+05:30 Reserve DLA-3224-1 for http-parser - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -205009,7 +205009,6 @@ CVE-2020-8287 (Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow t {DSA-4826-1} - http-parser 2.9.4-5 (bug #1016690) [bullseye] - http-parser 2.9.4-4+deb11u1 - [buster] - http-parser (Minor issue) - nodejs 12.20.1~dfsg-1 (bug #979364) [stretch] - nodejs (Nodejs in stretch not covered by security support) NOTE: https://nodejs.org/en/blog/release/v10.23.1/ = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Dec 2022] DLA-3224-1 http-parser - security update + {CVE-2020-8287} + [buster] - http-parser 2.8.1-1+deb10u3 [05 Dec 2022] DLA-3223-1 giflib - security update {CVE-2018-11490 CVE-2019-15133} [buster] - giflib 5.1.4-3+deb10u1 = data/dla-needed.txt = @@ -86,9 +86,6 @@ hsqldb (Markus Koschany) NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html. -- -http-parser (Utkarsh) - NOTE: 20221205: Programming language: C. --- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6011342551f626625be8d8f37949fabc50bd101a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6011342551f626625be8d8f37949fabc50bd101a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
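Review bot: The CVE-2020-8287 entry lists two affected sources, http-parser and nodejs, and the only nodejs suite tag visible is `[stretch] - nodejs (Nodejs in stretch not covered by security support)`; with buster's http-parser now fixed by `2.8.1-1+deb10u3`, confirm that buster's nodejs is already covered by the `{DSA-4826-1}` reference on the entry, otherwise the DLA closes the issue for the library while leaving the main consumer in buster unaddressed.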
[Git][security-tracker-team/security-tracker][master] Take awstats
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 40e39912 by Utkarsh Gupta at 2022-12-05T14:27:34+05:30 Take awstats - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -awstats +awstats (Utkarsh) NOTE: 20221204: Programming language: Perl. NOTE: 20221204: VCS: https://salsa.debian.org/lts-team/packages/awstats.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40e39912894c22041b972c532cd34b2033317f17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40e39912894c22041b972c532cd34b2033317f17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take http-parser
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 084c4d3e by Utkarsh Gupta at 2022-12-05T14:19:33+05:30 Take http-parser - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,7 +86,7 @@ hsqldb (Markus Koschany) NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html. -- -http-parser +http-parser (Utkarsh) NOTE: 20221205: Programming language: C. -- imagemagick (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084c4d3e77af101d43504749d75852d34899b85b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084c4d3e77af101d43504749d75852d34899b85b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits