[Git][security-tracker-team/security-tracker][master] stable triage

2021-01-06 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ace03d7 by Moritz Muehlenhoff at 2021-01-07T08:11:52+01:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2673,10 +2673,12 @@ CVE-2020-36068
RESERVED
 CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of 
service (panic ...)
- golang-github-tidwall-gjson 
+   [buster] - golang-github-tidwall-gjson  (Minor issue)
NOTE: https://github.com/tidwall/gjson/issues/196
NOTE: 
https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
 CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service 
(remote) ...)
- golang-github-tidwall-gjson 
+   [buster] - golang-github-tidwall-gjson  (Minor issue)
NOTE: https://github.com/tidwall/gjson/issues/195
NOTE: 
https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
 CVE-2020-36065
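Review bot: the fix reference for CVE-2020-36066 points at the tidwall/match repository (commit c2f534168b739a7ec1821a33839fb2f029f26bbc), not at gjson itself, so the buster "Minor issue" line on golang-github-tidwall-gjson may not be the whole picture. If the fix lives in the match library, the Debian package that ships tidwall/match needs its own entry for this CVE, or a NOTE should say that gjson bundles it.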
@@ -6719,6 +6721,7 @@ CVE-2020-35546
RESERVED
 CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query 
string. ...)
- spotweb  (bug #977719)
+   [buster] - spotweb  (Minor issue)
NOTE: https://github.com/spotweb/spotweb/issues/629
NOTE: 
https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2
 CVE-2020-35544
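Review bot: the description names an SQL injection reachable through the query string, which is a higher-impact class than the other "Minor issue" items in this commit; the buster annotation should carry the reason for deferring (low exposure of the package, fix unsuitable for a DSA, or similar) the way other entries in this file do. The bug #977719 reference on the unstable line is good.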
@@ -6876,6 +6879,7 @@ CVE-2020-35492 [cairo: libreoffice slideshow aborts with 
stack smashing in cairo
RESERVED
{DLA-2518-1}
- cairo 1.16.0-5 (bug #978658)
+   [buster] - cairo  (Minor issue)
NOTE: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
NOTE: Introduced by: 
https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a7310bb06582b7d8a566d5f007ba4e5e75bf
 (1.12.12)
NOTE: Fixed by: 
https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
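Review bot: stretch already has DLA-2518-1 for this issue while buster is set to "Minor issue"; since both the Introduced-by and Fixed-by commits are recorded here, add a NOTE that the fix is a candidate for a buster point release so the entry does not read as contradictory between the two suites.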
@@ -8919,6 +8923,7 @@ CVE-2020-29658
RESERVED
 CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in 
main_print_unh ...)
- iotjs  (bug #977736)
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244
 CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U 
Download Ma ...)
NOT-FOR-US: RT-AC88U Download Master
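Review bot: unlike the other JerryScript entries in this commit, the NOTE for CVE-2020-29657 references only the upstream issue (#4244) and no fixing commit; add the commit once identified, since a "Minor issue" marking means the fix is deferred to a later update and whoever prepares it will need the reference.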
@@ -20724,7 +20729,8 @@ CVE-2020-26265 (Go Ethereum, or "Geth", is the official 
Golang implementation of
 CVE-2020-26264 (Go Ethereum, or "Geth", is the official Golang implementation 
of the E ...)
- golang-github-go-ethereum  (bug #890541)
 CVE-2020-26263 (tlslite-ng is an open source python library that implements 
SSL and TL ...)
-   - tlslite-ng 
+   - tlslite-ng 
+   [buster] - tlslite-ng  (Minor issue)
NOTE: 
https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7
NOTE: 
https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368
NOTE: https://github.com/tlsfuzzer/tlslite-ng/pull/438
@@ -25253,6 +25259,7 @@ CVE-2020-24345 (** DISPUTED ** JerryScript through 
2.3.0 allows stack consumptio
NOTE: Disputed JerryScript issue
 CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const 
argumen ...)
- iotjs 
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a
 CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c 
because of  ...)
@@ -49002,6 +49009,7 @@ CVE-2020-13650 (An issue was discovered in DigDash 
2018R2 before p20200210 and 2
NOT-FOR-US: DigDash
 CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors 
during c ...)
- iotjs 1.0+715-1
+   [buster] - iotjs  (Minor issue)
NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3786
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3788
@@ -114779,6 +114787,7 @@ CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: 
Use After Free. The impact
NOT-FOR-US: Jsish
 CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 
is affecte ...)
- iotjs 1.0+715-1
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476
NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/505dace719aebb3308a3af223cfaa985159efae0
 CVE-2019-1010175
@@ -153144,6 +153153,7 @@ CVE-2018-1000638 (MiniCMS version 1.1 contains a 
Cross Site Scripting (XSS) vuln
NOT-FOR-US: MiniCMS
 CVE-2018-1000636 (JerryScript 

[Git][security-tracker-team/security-tracker][master] stable triage

2020-07-30 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2fc91a81 by Moritz Muehlenhoff at 2020-07-31T07:48:12+02:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -459,6 +459,7 @@ CVE-2020-15948
RESERVED
 CVE-2020- [RUSTSEC-2020-0026]
- rust-linked-hash-map  (bug #966246)
+   [buster] - rust-linked-hash-map  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0026.html
 CVE-2020-15947
RESERVED
@@ -803,6 +804,7 @@ CVE-2020-15804
RESERVED
 CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 
4.4.x bef ...)
- zabbix 1:5.0.2+dfsg-1 (bug #966146)
+   [buster] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-18057
 CVE-2020-15802
RESERVED
@@ -2047,8 +2049,11 @@ CVE-2020-15305 (An issue was discovered in OpenEXR 
before 2.5.2. Invalid input c
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730
 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid 
tiled inpu ...)
- openexr 
+   [buster] - openexr  (Vulnerable code not present)
+   [stretch] - openexr  (Vulnerable code not present)
[jessie] - openexr  (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/727
+   NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/36e05c14c612a89c43d4e0b013669ecd7f8e3440
 CVE-2020-15303
RESERVED
 CVE-2020-15302 (In Argent RecoveryManager before 
0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...)
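Review bot: buster and stretch are marked "Vulnerable code not present" while the older jessie line keeps "Minor issue"; if the code is absent in stretch, the same should hold for jessie, so the jessie annotation looks inconsistent and should be aligned, or a NOTE should say why jessie differs. The added upstream commit reference is useful.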
@@ -5326,9 +5331,11 @@ CVE-2020-14020
RESERVED
 CVE-2020-14019 (Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for 
/etc/targ ...)
- python-rtslib-fb 
+   [buster] - python-rtslib-fb  (Introduced in 2.1.70)
[stretch] - python-rtslib-fb  (vulnerable code introduced 
later, shutil.copyfile is not used)
[jessie] - python-rtslib-fb  (vulnerable code introduced 
later, shutil.copyfile is not used)
NOTE: https://github.com/open-iscsi/rtslib-fb/pull/162
+   NOTE: 
https://github.com/open-iscsi/rtslib-fb/commit/75e73778dce1cb7a2816a936240ef75adfbd6ed9
 CVE-2020-14018 (An issue was discovered in Navigate CMS 2.9 r1433. There is a 
stored X ...)
NOT-FOR-US: Navigate CMS
 CVE-2020-14017 (An issue was discovered in Navigate CMS 2.9 r1433. Sessions, 
as well a ...)
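Review bot: the buster annotation "(Introduced in 2.1.70)" gives the version at which the issue appeared, not the reason no DSA is planned; compare the stretch and jessie lines, which state why they are unaffected. If buster ships a version at or above 2.1.70 the line should say e.g. "Minor issue" with the rationale, and if it does not, it should be marked the same way as stretch.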
@@ -11818,7 +11825,6 @@ CVE-2020-11759 (An issue was discovered in OpenEXR 
before 2.4.1. Because of inte
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/b9997d0c045fa01af3d2e46e1a74b07cc4519446
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/acad98d6d3e787f36012a3737c23c42c7f43a00f
-   TODO: check completeness for upstream commits to cover CVE-2020-11759
 CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an 
out-of-bo ...)
[experimental] - openexr 2.5.0-1
- openexr  (bug #959444)
@@ -74521,7 +74527,7 @@ CVE-2019-8945 (Zimbra Collaboration 8.7.x - 8.8.11P2 
contains persistent XSS. ..
 CVE-2019-8944 (An Information Exposure issue in the Terraform deployment step 
in Octo ...)
NOT-FOR-US: Terraform
 CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in 
wp_crop_image(). An a ...)
-   - wordpress  (bug #923583)
+   - wordpress  (bug #923583)
[jessie] - wordpress  (requires privileged account, not 
directly exploitable as CVE-2019-8942 is fixed, no official patch)
NOTE: 
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
NOTE: This CVE is explicitly for the mentioned Path Traversal in 
wp_crop_image().
@@ -99366,6 +99372,7 @@ CVE-2019-0194 (Apache Camel's File is vulnerable to 
directory traversal. Camel 2
 CVE-2019-0193 (In Apache Solr, the DataImportHandler, an optional but popular 
module  ...)
{DLA-1954-1}
- lucene-solr 3.6.2+dfsg-22 (low)
+   [buster] - lucene-solr  (Minor issue)
NOTE: https://issues.apache.org/jira/browse/SOLR-13669
NOTE: upstream recommends everybody upgrade or rework their 
configuration
NOTE: consider backporting enable.dih.dataConfigParam instead:
@@ -113600,6 +113607,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit 
in Creatiwity wityCMS 0.6.
NOT-FOR-US: Creatiwity wityCMS
 CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are 
not verifi ...)
- wordpress  (bug #906565)
+   [buster] - wordpress  (Minor issue, revisit when fixed 
upstream)
[stretch] - wordpress  (Minor issue)
[jessie] - wordpress  (no sanctioned patch)
NOTE: https://core.trac.wordpress.org/ticket/44710


=

[Git][security-tracker-team/security-tracker][master] stable triage

2020-07-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81694e53 by Moritz Muehlenhoff at 2020-07-22T18:34:56+02:00
stable triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -387,8 +387,7 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the 
pki.client.PKIConnection class
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855273
NOTE: 
https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a 
certificate-val ...)
-   - openldap  (bug #965184)
-   [stretch] - openldap  (Minor issue, works as intended)
+   - openldap  (unimportant; bug #965184)
NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
NOTE: RedHat/CentOS applied patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
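Review bot: consolidating to "unimportant" drops the stretch line together with its rationale "works as intended"; keep that reasoning in a NOTE so a later reader sees why the upstream bug is not considered a security issue for Debian. The Red Hat/CentOS patch reference is a good pointer for that NOTE.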
@@ -11926,11 +11925,10 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local 
users to discover the clea
 CVE-2020-11559
RESERVED
 CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as 
demonstrated by ...)
-   - gpac 
+   - gpac 
[jessie] - gpac  (Vulnerable code not present and not 
reproducible)
NOTE: 
https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c
NOTE: https://github.com/gpac/gpac/issues/1440
-   TODO: check
 CVE-2020-11557 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 
before 20 ...)
NOT-FOR-US: Castle Rock SNMPc
 CVE-2020-11556 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 
before 20 ...)
@@ -11970,10 +11968,10 @@ CVE-2020-11540
 CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 
devices. It  ...)
NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices
 CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number 
of out- ...)
-   - pillow 7.2.0-1 (unimportant)
+   - pillow 7.2.0-1 (low)
+   [buster] - pillow  (Will be fixed via spu)
NOTE: https://github.com/python-pillow/Pillow/pull/4504
NOTE: https://github.com/python-pillow/Pillow/pull/4538
-   NOTE: Debian packages are built without JPEG2000 support
 CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document 
Server 5.5 ...)
NOT-FOR-US: ONLYOFFICE Document Server
 CVE-2020-11536 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. 
An attack ...)
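Review bot: removing the JPEG2000 NOTE from this entry is right, since CVE-2020-11538 concerns SgiRleDecode.c; with the severity raised from unimportant to low and buster set to "Will be fixed via spu", add the stable-update bug reference to the buster line once it is filed so the entry can be closed against it.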
@@ -13377,12 +13375,11 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to 
and including 4.3.0 does not
NOTE: 
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3
 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are 
multipl ...)
-   - pillow 7.2.0-1 (low)
-   [buster] - pillow  (Minor issue)
-   [jessie] - pillow  (Minor issue)
+   - pillow 7.2.0-1 (unimportant)
NOTE: https://github.com/python-pillow/Pillow/pull/4505
NOTE: https://github.com/python-pillow/Pillow/pull/4538
NOTE: Fixed in 7.1.0
+   NOTE: Debian packages are built without JPEG2000 support
 CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of 
binary/BinaryMapIndexReader. ...)
NOT-FOR-US: Osmand
 CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to 
validator/XmlValidatorMa ...)
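Review bot: the JPEG2000 NOTE moved here matches the Jpeg2KDecode.c code path and is what justifies the downgrade to unimportant; word the NOTE so the dependency is explicit ("unimportant because Debian packages are built without JPEG2000 support"), since the rating has to be revisited if the build configuration ever changes.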
@@ -13552,6 +13549,7 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, 
get_raw_socket in drivers/vhos
NOTE: 
https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4)
 CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain 
sensitive inform ...)
- mbedtls 2.16.5-1
+   [buster] - mbedtls  (Minor issue)
NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT 
PORTICO SERVER ...)
NOT-FOR-US: PHOENIX CONTACT
@@ -13586,6 +13584,7 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x 
through 2.5.7, 2.6.x throu
NOTE: and 
https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc
 CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 
2.7.x before ...)
- mbedtls  (bug #963159)
+   [buster] - mbedtls  (Minor issue)
NOTE: 
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
 CVE-2020-10930
@@ -15308,7 +15307,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two 
Buffer Overflows in libIma
NOTE: Fixed in 6.2.3 and 7.1.0
 

[Git][security-tracker-team/security-tracker][master] stable triage

2020-07-14 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f1a9760 by Moritz Muehlenhoff at 2020-07-14T11:10:24+02:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1737,6 +1737,7 @@ CVE-2020-14930 (An issue was discovered in BT CTROMS 
Terminal OS Port Portal CT-
NOT-FOR-US: BT CTROMS Terminal OS Port Portal CT-464
 CVE-2019-20892 (net-snmp before 5.8.1.pre1 has a double free in 
usm_free_usmStateRefer ...)
- net-snmp 5.8+dfsg-3 (bug #963713)
+   [buster] - net-snmp  (Minor issue)
[stretch] - net-snmp  (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2020/06/25/4
NOTE: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
@@ -3372,6 +3373,7 @@ CVE-2020-14304 [ethtool when reading eeprom of device 
could lead to memory leak]
- linux  (bug #960702)
 CVE-2020-14303 (A flaw was found in the AD DC NBT server in all Samba versions 
before  ...)
- samba 2:4.12.5+dfsg-1
+   [buster] - samba  (Minor issue, fix along in next DSA)
NOTE: https://www.samba.org/samba/security/CVE-2020-14303.html
 CVE-2020-14302
RESERVED
@@ -4022,6 +4024,7 @@ CVE-2020-14041
 CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in 
encoding ...)
- golang-golang-x-text 0.3.3-1 (bug #964272)
- golang-x-text  (bug #964271)
+   [buster] - golang-x-text  (Minor issue)
NOTE: https://github.com/golang/go/issues/39491
NOTE: 
https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
NOTE: 
https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
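Review bot: two source packages are listed (golang-golang-x-text 0.3.3-1 and golang-x-text) but only golang-x-text receives a buster line; confirm whether golang-golang-x-text is in buster as well and, if so, give it a matching annotation.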
@@ -7313,6 +7316,7 @@ CVE-2020-12696 (The iframe plugin before 4.5 for 
WordPress does not sanitize a U
NOT-FOR-US: iframe plugin for WordPress
 CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 
2020-04-17  ...)
- wpa 
+   [buster] - wpa  (Minor issue)
- gupnp 1.2.3-1
NOTE: 
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
NOTE: 
https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
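Review bot: gupnp 1.2.3-1 is listed as fixed in unstable but has no buster line, while wpa gets "Minor issue"; add the corresponding buster annotation for gupnp (no-dsa, not-affected or otherwise) so the triage for this CVE is complete.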
@@ -12841,7 +12845,8 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and 
including 4.3.0 does not
NOTE: 
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3
 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are 
multipl ...)
-   - pillow 
+   - pillow  (low)
+   [buster] - pillow  (Minor issue)
[jessie] - pillow  (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4505
NOTE: https://github.com/python-pillow/Pillow/pull/4538
@@ -13697,6 +13702,7 @@ CVE-2020-10761 (An assertion failure issue was found in 
the Network Block Device
NOTE: Introduced in: 
https://git.qemu.org/?p=qemu.git;a=commit;h=93676c88d7a5cd5971de94f9091eff8e9773b1af
 CVE-2020-10760 (A use-after-free flaw was found in all samba LDAP server 
versions befo ...)
- samba 2:4.12.5+dfsg-1
+   [buster] - samba  (Minor issue, fix along in next DSA)
NOTE: https://www.samba.org/samba/security/CVE-2020-10760.html
 CVE-2020-10759 [Possible bypass in signature verification]
RESERVED
@@ -13767,6 +13773,7 @@ CVE-2020-10746
RESERVED
 CVE-2020-10745 (A flaw was found in all Samba versions before 4.10.17, before 
4.11.11  ...)
- samba 2:4.12.5+dfsg-1
+   [buster] - samba  (Minor issue, fix along in next DSA)
NOTE: https://www.samba.org/samba/security/CVE-2020-10745.html
 CVE-2020-10744 (An incomplete fix was found for the fix of the flaw 
CVE-2020-1733 ansi ...)
- ansible 
@@ -13821,6 +13828,7 @@ CVE-2020-10731
 CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw 
was found  ...)
- ldb 2:2.1.4-1
- samba 2:4.12.5+dfsg-1
+   [buster] - samba  (Minor issue, fix along in next DSA)
[stretch] - ldb  (Vulnerable code introduced later)
NOTE: https://www.samba.org/samba/security/CVE-2020-10730.html
NOTE: 
https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0
 (for ldb)
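Review bot: ldb 2:2.1.4-1 is listed as fixed in unstable and stretch gets an ldb line, but there is no buster line for ldb; if buster's ldb is affected it needs an annotation (or a note that it is covered along with the samba update), otherwise a "Vulnerable code introduced later" line like stretch.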
@@ -14022,6 +14030,7 @@ CVE-2020-10684 (A flaw was found in Ansible Engine, all 
versions 2.7.x, 2.8.x an
 CVE-2020-10683 (dom4j before 2.1.3 allows external DTDs and External Entities 
by defau ...)
{DLA-2191-1}
- dom4j  (bug #958055)
+   [buster] - dom4j  (Minor issue)
NOTE: 
https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d 
(the fix?)
NOTE: 
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 
(post-fix refactor?)
 CVE-2020-10682 (The 
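Review bot: the NOTEs still carry "(the fix?)" and "(post-fix refactor?)"; since DLA-2191-1 has already shipped a fix for stretch, the commits used there can settle which upstream commit is the actual fix. Resolve the question marks before relying on "Minor issue" for buster, as the deferred update will need the confirmed commit.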

[Git][security-tracker-team/security-tracker][master] stable triage

2020-07-10 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e3e6bb8 by Moritz Muehlenhoff at 2020-07-10T19:14:22+02:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1208,7 +1208,8 @@ CVE-2020-15097
 CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 
9.0.0-beta21, the ...)
- electron  (bug #842420)
 CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an 
informati ...)
-   - npm  (bug #964746)
+   - npm  (low; bug #964746)
+   [buster] - npm  (Minor issue)
NOTE: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
NOTE: 
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
 CVE-2020-15094
@@ -14599,9 +14600,12 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two 
Buffer Overflows in libIma
NOTE: Fixed in 6.2.3 and 7.1.0
 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before before 7.1.0, an 
out-of-bou ...)
- pillow 
+   [buster] - pillow  (Minor issue)
[jessie] - pillow  (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4538
NOTE: Fixed in 6.2.3 and 7.1.0
+   NOTE: 
https://github.com/python-pillow/Pillow/commit/6b842f4ec001b12a9348e95854e02bbd10a84e20
+   NOTE: 
https://github.com/python-pillow/Pillow/commit/b8d4ce1a591beda18c2d5c80a9f5a5e4856f6beb
 CVE-2020-10377 (A weak encryption vulnerability in Mitel MiVoice Connect 
Client before ...)
NOT-FOR-US: Mitel
 CVE-2020-10376 (Technicolor TC7337NET 08.89.17.23.03 devices allow remote 
attackers to ...)
@@ -15066,6 +15070,7 @@ CVE-2020-10178
REJECTED
 CVE-2020-10177 (Pillow before 7.1.0 has multiple out-of-bounds reads in 
libImaging/Fli ...)
- pillow 
+   [buster] - pillow  (Minor issue)
[jessie] - pillow  (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4503
NOTE: https://github.com/python-pillow/Pillow/pull/4538


=
data/dsa-needed.txt
=
@@ -29,6 +29,8 @@ poppler (jmm)
 rails
   Sylvain Beucler proposed to help for the update, pending upstream feedback 
for CVE-2020-8163
 --
+ruby-sanitize
+--
 squid (jmm)
 --
 teeworlds (jmm)
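Review bot: ruby-sanitize is added to dsa-needed without an assignee or a pointer to the issue being tracked, unlike the rails entry above which names CVE-2020-8163; a short note with the CVE id helps whoever picks it up.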



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e3e6bb87ced9a8e297148176266fb8fce0586d7



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] stable triage

2018-07-17 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
617038f2 by Moritz Muehlenhoff at 2018-07-17T08:01:53+02:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -168,9 +168,11 @@ CVE-2018-14241
RESERVED
 CVE-2018-14326 (In MP4v2 2.0.0, there is an integer overflow (with resultant 
memory ...)
- mp4v2 
+   [stretch] - mp4v2  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1
 CVE-2018-14325 (In MP4v2 2.0.0, there is an integer underflow (with resultant 
memory ...)
- mp4v2 
+   [stretch] - mp4v2  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1
 CVE-2018-14240
RESERVED
@@ -1207,6 +1209,7 @@ CVE-2018-1000611 (SURFnet OpenConext EngineBlock version 
5.7.0 to 5.7.3 contains
NOT-FOR-US: SURFnet OpenConext EngineBlock
 CVE-2018-1000622 (The Rust Programming Language rustdoc version Between 0.8 
and 1.27.0 ...)
- rustc 
+   [stretch] - rustc  (Minor issue, can be fixed along in future 
rustc update for ESR69)
NOTE: 
https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM
 CVE-2018-13787 (Certain Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, 
A2, and ...)
NOT-FOR-US: Supermicro
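Review bot: the stretch annotation says the fix can ride along a future rustc update "for ESR69"; verify the intended ESR series number here, since the rustc update schedule for stretch is tied to the Firefox ESR actually being packaged, and a wrong series number would misdate the plan.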
@@ -3818,7 +3821,8 @@ CVE-2018-1000522
 CVE-2018-1000521 (BigTree-CMS contains a Cross Site Scripting (XSS) 
vulnerability in ...)
NOT-FOR-US: BigTree-CMS
 CVE-2018-1000520 (ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite 
Allows ...)
-   - mbedtls 
+   - mbedtls  (low)
+   [stretch] - mbedtls  (Minor issue)
- polarssl 
NOTE: https://github.com/ARMmbed/mbedtls/issues/1561
 CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation 
vulnerability in ...)
@@ -32229,6 +32233,7 @@ CVE-2017-17690
RESERVED
 CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) 
...)
- thunderbird  (bug #898631)
+   [stretch] - thunderbird  (Wait until fixed in upstream 
release)
- evolution  (bug #898633)
- kmail  (bug #898634)
- kf5-messagelib  (bug #899127)
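Review bot: only thunderbird gets a stretch line ("Wait until fixed in upstream release"); evolution, kmail and kf5-messagelib are listed as affected with bug references but have no stretch annotation, so the stretch triage for CVE-2017-17689 is incomplete for those packages.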
@@ -37468,7 +37473,8 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive 
definition (such as can 
{DSA-4158-1 DSA-4157-1 DLA-1330-1}
- openssl 1.1.0h-1
- openssl1.0 1.0.2o-1
-   - libtomcrypt 1.18.2-1
+   - libtomcrypt 1.18.2-1 (low)
+   [stretch] - libtomcrypt  (Minor issue)
NOTE: https://www.openssl.org/news/secadv/20180327.txt
NOTE: OpenSSL_1_1_0-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33
NOTE: OpenSSL_1_0_2-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -51,7 +51,6 @@ mailman
 mariadb-10.1/stable
 --
 mercurial
-  2018-06-07: jessie update proposed by anarcat in 
https://lists.debian.org/87y3fr75kk@angela.anarc.at
 --
 mosquitto (seb)
   2018-02-27: Roger Light provided a debdiff targetting stretch, needs review



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/617038f2a055c00cdd92b9384e3c9a85fe8cbb86
