[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ace03d7 by Moritz Muehlenhoff at 2021-01-07T08:11:52+01:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2673,10 +2673,12 @@ CVE-2020-36068 RESERVED CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of service (panic ...) - golang-github-tidwall-gjson + [buster] - golang-github-tidwall-gjson (Minor issue) NOTE: https://github.com/tidwall/gjson/issues/196 NOTE: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service (remote) ...) - golang-github-tidwall-gjson + [buster] - golang-github-tidwall-gjson (Minor issue) NOTE: https://github.com/tidwall/gjson/issues/195 NOTE: https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc CVE-2020-36065 @@ -6719,6 +6721,7 @@ CVE-2020-35546 RESERVED CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query string. ...) - spotweb (bug #977719) + [buster] - spotweb (Minor issue) NOTE: https://github.com/spotweb/spotweb/issues/629 NOTE: https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2 CVE-2020-35544 @@ -6876,6 +6879,7 @@ CVE-2020-35492 [cairo: libreoffice slideshow aborts with stack smashing in cairo RESERVED {DLA-2518-1} - cairo 1.16.0-5 (bug #978658) + [buster] - cairo (Minor issue) NOTE: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437 NOTE: Introduced by: https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a7310bb06582b7d8a566d5f007ba4e5e75bf (1.12.12) NOTE: Fixed by: https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be 
@@ -8919,6 +8923,7 @@ CVE-2020-29658 RESERVED CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in main_print_unh ...) - iotjs (bug #977736) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244 CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U Download Ma ...) NOT-FOR-US: RT-AC88U Download Master @@ -20724,7 +20729,8 @@ CVE-2020-26265 (Go Ethereum, or "Geth", is the official Golang implementation of CVE-2020-26264 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...) - golang-github-go-ethereum (bug #890541) CVE-2020-26263 (tlslite-ng is an open source python library that implements SSL and TL ...) - - tlslite-ng + - tlslite-ng + [buster] - tlslite-ng (Minor issue) NOTE: https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7 NOTE: https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368 NOTE: https://github.com/tlsfuzzer/tlslite-ng/pull/438 @@ -25253,6 +25259,7 @@ CVE-2020-24345 (** DISPUTED ** JerryScript through 2.3.0 allows stack consumptio NOTE: Disputed JerryScript issue CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const argumen ...) - iotjs + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976 NOTE: https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of ...) 
@@ -49002,6 +49009,7 @@ CVE-2020-13650 (An issue was discovered in DigDash 2018R2 before p20200210 and 2 NOT-FOR-US: DigDash CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors during c ...) - iotjs 1.0+715-1 + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24 NOTE: https://github.com/jerryscript-project/jerryscript/issues/3786 NOTE: https://github.com/jerryscript-project/jerryscript/issues/3788 @@ -114779,6 +114787,7 @@ CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: Use After Free. The impact NOT-FOR-US: Jsish CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 is affecte ...) - iotjs 1.0+715-1 + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476 NOTE: https://github.com/jerryscript-project/jerryscript/commit/505dace719aebb3308a3af223cfaa985159efae0 CVE-2019-1010175 @@ -153144,6 +153153,7 @@ CVE-2018-1000638 (MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vuln NOT-FOR-US: MiniCMS CVE-2018-1000636 (JerryScript
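Review bot: in the CVE-2020-35492 cairo hunk, buster is tagged "Minor issue" while the same entry already carries {DLA-2518-1}, so stretch received a security update for this bug; the NOTE lines say it was introduced in 1.12.12, well before the 1.16.0-5 fix, so the buster line should record why no DSA is needed there (point release, not reachable, etc.), otherwise the two releases are being treated inconsistently without explanation.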
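Review bot: the CVE-2020-35545 spotweb hunk tags a time-based SQL injection via the query string (per the description line) as "Minor issue" for buster with no rationale; the upstream issue #629 and fix commit are already linked, so state why it is minor in buster (vulnerable code absent, requires a privileged account, or similar) rather than leaving bug #977719 as the only pointer.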
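Review bot: the CVE-2020-26263 tlslite-ng hunk replaces "- tlslite-ng" with a line that renders identically, so the change is presumably whitespace only and adds noise to a triage commit; drop it or confirm it is intentional. The new "[buster] - tlslite-ng (Minor issue)" line would also benefit from a short reason, since the entry links an upstream advisory (GHSA-wvcv-832q-fjg7), a fix commit and PR #438, i.e. a backport is readily available.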
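Review bot: the CVE-2020-29657 iotjs hunk links only the upstream issue (#4244) and no fix commit, unlike the other iotjs hunks in this commit (CVE-2020-24344, CVE-2020-13649, CVE-2019-1010176), each of which carries a jerryscript commit; add the fixing commit, or a NOTE that none exists yet, so the buster "Minor issue" verdict can be checked later.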
[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fc91a81 by Moritz Muehlenhoff at 2020-07-31T07:48:12+02:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -459,6 +459,7 @@ CVE-2020-15948 RESERVED CVE-2020- [RUSTSEC-2020-0026] - rust-linked-hash-map (bug #966246) + [buster] - rust-linked-hash-map (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0026.html CVE-2020-15947 RESERVED @@ -803,6 +804,7 @@ CVE-2020-15804 RESERVED CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x bef ...) - zabbix 1:5.0.2+dfsg-1 (bug #966146) + [buster] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-18057 CVE-2020-15802 RESERVED @@ -2047,8 +2049,11 @@ CVE-2020-15305 (An issue was discovered in OpenEXR before 2.5.2. Invalid input c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid tiled inpu ...) - openexr + [buster] - openexr (Vulnerable code not present) + [stretch] - openexr (Vulnerable code not present) [jessie] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/727 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/36e05c14c612a89c43d4e0b013669ecd7f8e3440 CVE-2020-15303 RESERVED CVE-2020-15302 (In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...) 
@@ -5326,9 +5331,11 @@ CVE-2020-14020 RESERVED CVE-2020-14019 (Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/targ ...) - python-rtslib-fb + [buster] - python-rtslib-fb (Introduced in 2.1.70) [stretch] - python-rtslib-fb (vulnerable code introduced later, shutil.copyfile is not used) [jessie] - python-rtslib-fb (vulnerable code introduced later, shutil.copyfile is not used) NOTE: https://github.com/open-iscsi/rtslib-fb/pull/162 + NOTE: https://github.com/open-iscsi/rtslib-fb/commit/75e73778dce1cb7a2816a936240ef75adfbd6ed9 CVE-2020-14018 (An issue was discovered in Navigate CMS 2.9 r1433. There is a stored X ...) NOT-FOR-US: Navigate CMS CVE-2020-14017 (An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well a ...) @@ -11818,7 +11825,6 @@ CVE-2020-11759 (An issue was discovered in OpenEXR before 2.4.1. Because of inte NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b9997d0c045fa01af3d2e46e1a74b07cc4519446 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/acad98d6d3e787f36012a3737c23c42c7f43a00f - TODO: check completeness for upstream commits to cover CVE-2020-11759 CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) 
@@ -74521,7 +74527,7 @@ CVE-2019-8945 (Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. .. CVE-2019-8944 (An Information Exposure issue in the Terraform deployment step in Octo ...) NOT-FOR-US: Terraform CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An a ...) - - wordpress (bug #923583) + - wordpress (bug #923583) [jessie] - wordpress (requires privileged account, not directly exploitable as CVE-2019-8942 is fixed, no official patch) NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ NOTE: This CVE is explicitly for the mentioned Path Traversal in wp_crop_image(). @@ -99366,6 +99372,7 @@ CVE-2019-0194 (Apache Camel's File is vulnerable to directory traversal. Camel 2 CVE-2019-0193 (In Apache Solr, the DataImportHandler, an optional but popular module ...) {DLA-1954-1} - lucene-solr 3.6.2+dfsg-22 (low) + [buster] - lucene-solr (Minor issue) NOTE: https://issues.apache.org/jira/browse/SOLR-13669 NOTE: upstream recommends everybody upgrade or rework their configuration NOTE: consider backporting enable.dih.dataConfigParam instead: @@ -113600,6 +113607,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6. NOT-FOR-US: Creatiwity wityCMS CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not verifi ...) - wordpress (bug #906565) + [buster] - wordpress (Minor issue, revisit when fixed upstream) [stretch] - wordpress (Minor issue) [jessie] - wordpress (no sanctioned patch) NOTE: https://core.trac.wordpress.org/ticket/44710 =
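Review bot: in the CVE-2020-15304 openexr hunk, buster and stretch are now "Vulnerable code not present" while the pre-existing "[jessie] - openexr (Minor issue)" line is left as is; if the code is absent in stretch it is very likely absent in the older jessie as well, so either change the jessie annotation to match or add a NOTE explaining why jessie differs.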
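Review bot: the CVE-2020-14019 python-rtslib-fb hunk adds "[buster] - python-rtslib-fb (Introduced in 2.1.70)", which is a fact rather than a verdict; the stretch and jessie lines directly below use the explicit form "vulnerable code introduced later, shutil.copyfile is not used". If buster's version predates 2.1.70, say "Vulnerable code not present" (and whether copyfile is used there); if buster is affected, a separate rationale such as "Minor issue" is still needed.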
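Review bot: the CVE-2020-11759 openexr hunk removes "TODO: check completeness for upstream commits to cover CVE-2020-11759" without adding a NOTE that the two commits listed (b9997d0c and acad98d6) were confirmed to be complete; replace the TODO with the conclusion of the check so the next triager does not have to redo it.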
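Review bot: in the CVE-2019-0193 lucene-solr hunk the new "[buster] - lucene-solr (Minor issue)" sits under an entry that already has {DLA-1954-1}, a NOTE that upstream recommends everybody upgrade or rework their configuration, and a suggestion to backport enable.dih.dataConfigParam instead; the buster line should say which of these applies (backport of that parameter via a point release, or nothing), since "Minor issue" alone reads as contradicting the DLA issued for the older release.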
[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 81694e53 by Moritz Muehlenhoff at 2020-07-22T18:34:56+02:00 stable triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -387,8 +387,7 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855273 NOTE: https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...) - - openldap (bug #965184) - [stretch] - openldap (Minor issue, works as intended) + - openldap (unimportant; bug #965184) NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070 NOTE: RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch @@ -11926,11 +11925,10 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local users to discover the clea CVE-2020-11559 RESERVED CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...) - - gpac + - gpac [jessie] - gpac (Vulnerable code not present and not reproducible) NOTE: https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c NOTE: https://github.com/gpac/gpac/issues/1440 - TODO: check CVE-2020-11557 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11556 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) 
@@ -11970,10 +11968,10 @@ CVE-2020-11540 CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It ...) NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out- ...) - - pillow 7.2.0-1 (unimportant) + - pillow 7.2.0-1 (low) + [buster] - pillow (Will be fixed via spu) NOTE: https://github.com/python-pillow/Pillow/pull/4504 NOTE: https://github.com/python-pillow/Pillow/pull/4538 - NOTE: Debian packages are built without JPEG2000 support CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5 ...) NOT-FOR-US: ONLYOFFICE Document Server CVE-2020-11536 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attack ...) @@ -13377,12 +13375,11 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multipl ...) - - pillow 7.2.0-1 (low) - [buster] - pillow (Minor issue) - [jessie] - pillow (Minor issue) + - pillow 7.2.0-1 (unimportant) NOTE: https://github.com/python-pillow/Pillow/pull/4505 NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 7.1.0 + NOTE: Debian packages are built without JPEG2000 support CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader. ...) NOT-FOR-US: Osmand CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorMa ...) 
@@ -13552,6 +13549,7 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4) CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain sensitive inform ...) - mbedtls 2.16.5-1 + [buster] - mbedtls (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...) NOT-FOR-US: PHOENIX CONTACT @@ -13586,6 +13584,7 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...) - mbedtls (bug #963159) + [buster] - mbedtls (Minor issue) NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04 CVE-2020-10930 @@ -15308,7 +15307,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libIma NOTE: Fixed in 6.2.3 and 7.1.0
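Review bot: the CVE-2020-15719 openldap hunk collapses the entry to "- openldap (unimportant; bug #965184)" and deletes the "[stretch] - openldap (Minor issue, works as intended)" line, which was the only place the reasoning was written down; keep "works as intended" as a NOTE next to the upstream bug 9266 and Red Hat patch references so the "unimportant" rating stays explainable.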
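Review bot: the CVE-2020-11558 gpac hunk removes "TODO: check" and rewrites "- gpac" to an identical-looking line, but records no outcome of the check; the remaining "[jessie] - gpac (Vulnerable code not present and not reproducible)" line now stands without context, so add a NOTE with what was verified against commit 6063b1a0 and issue #1440, and drop the whitespace-only line change.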
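Review bot: moving "NOTE: Debian packages are built without JPEG2000 support" from CVE-2020-11538 to CVE-2020-10994 is right per the description lines (11538 is libImaging/SgiRleDecode.c, 10994 is libImaging/Jpeg2KDecode.c), and the severity swap follows from it (11538 from unimportant to low with a buster spu fix, 10994 from low to unimportant). The 10994 hunk also deletes "[buster] - pillow (Minor issue)" and "[jessie] - pillow (Minor issue)"; that is only justified if the JPEG2000 statement holds for every suite, so say "all suites" in the NOTE if that is what was checked.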
[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f1a9760 by Moritz Muehlenhoff at 2020-07-14T11:10:24+02:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1737,6 +1737,7 @@ CVE-2020-14930 (An issue was discovered in BT CTROMS Terminal OS Port Portal CT- NOT-FOR-US: BT CTROMS Terminal OS Port Portal CT-464 CVE-2019-20892 (net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateRefer ...) - net-snmp 5.8+dfsg-3 (bug #963713) + [buster] - net-snmp (Minor issue) [stretch] - net-snmp (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/06/25/4 NOTE: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027 @@ -3372,6 +3373,7 @@ CVE-2020-14304 [ethtool when reading eeprom of device could lead to memory leak] - linux (bug #960702) CVE-2020-14303 (A flaw was found in the AD DC NBT server in all Samba versions before ...) - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) NOTE: https://www.samba.org/samba/security/CVE-2020-14303.html CVE-2020-14302 RESERVED @@ -4022,6 +4024,7 @@ CVE-2020-14041 CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in encoding ...) - golang-golang-x-text 0.3.3-1 (bug #964272) - golang-x-text (bug #964271) + [buster] - golang-x-text (Minor issue) NOTE: https://github.com/golang/go/issues/39491 NOTE: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e NOTE: https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0 
@@ -7313,6 +7316,7 @@ CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a U NOT-FOR-US: iframe plugin for WordPress CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-04-17 ...) - wpa + [buster] - wpa (Minor issue) - gupnp 1.2.3-1 NOTE: https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt NOTE: https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch @@ -12841,7 +12845,8 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multipl ...) - - pillow + - pillow (low) + [buster] - pillow (Minor issue) [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4505 NOTE: https://github.com/python-pillow/Pillow/pull/4538 @@ -13697,6 +13702,7 @@ CVE-2020-10761 (An assertion failure issue was found in the Network Block Device NOTE: Introduced in: https://git.qemu.org/?p=qemu.git;a=commit;h=93676c88d7a5cd5971de94f9091eff8e9773b1af CVE-2020-10760 (A use-after-free flaw was found in all samba LDAP server versions befo ...) - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) NOTE: https://www.samba.org/samba/security/CVE-2020-10760.html CVE-2020-10759 [Possible bypass in signature verification] RESERVED @@ -13767,6 +13773,7 @@ CVE-2020-10746 RESERVED CVE-2020-10745 (A flaw was found in all Samba versions before 4.10.17, before 4.11.11 ...) - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) NOTE: https://www.samba.org/samba/security/CVE-2020-10745.html CVE-2020-10744 (An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansi ...) - ansible 
@@ -13821,6 +13828,7 @@ CVE-2020-10731 CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw was found ...) - ldb 2:2.1.4-1 - samba 2:4.12.5+dfsg-1 + [buster] - samba (Minor issue, fix along in next DSA) [stretch] - ldb (Vulnerable code introduced later) NOTE: https://www.samba.org/samba/security/CVE-2020-10730.html NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0 (for ldb) @@ -14022,6 +14030,7 @@ CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x an CVE-2020-10683 (dom4j before 2.1.3 allows external DTDs and External Entities by defau ...) {DLA-2191-1} - dom4j (bug #958055) + [buster] - dom4j (Minor issue) NOTE: https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d (the fix?) NOTE: https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 (post-fix refactor?) CVE-2020-10682 (The
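Review bot: the CVE-2020-14303 samba hunk (and the identical line added to CVE-2020-10760, CVE-2020-10745 and CVE-2020-10730 further down) tags buster "Minor issue, fix along in next DSA"; that is a deferred fix rather than a minor issue, so samba should carry an entry in data/dsa-needed.txt listing these four CVEs. The commit does list data/dsa-needed.txt as changed, but that hunk is not visible here, so confirm the CVE ids are recorded there.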
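Review bot: the CVE-2020-14040 hunk lists two source packages, golang-golang-x-text (fixed in 0.3.3-1) and golang-x-text (bug #964271), but adds a [buster] line only for golang-x-text; if golang-golang-x-text is also in buster it needs its own "[buster]" annotation, and if it is not, a one-line NOTE saying so stops the question from recurring.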
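Review bot: the CVE-2020-10683 dom4j hunk adds "[buster] - dom4j (Minor issue)" while the fix commit is still annotated "(the fix?)" and the follow-up "(post-fix refactor?)", and stretch already has {DLA-2191-1}; resolve the question marks (the DLA must have shipped a specific change) and record whether buster gets the same backport, because "Minor issue" is hard to defend for a library that allows external DTDs and entities by default.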
[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e3e6bb8 by Moritz Muehlenhoff at 2020-07-10T19:14:22+02:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1208,7 +1208,8 @@ CVE-2020-15097 CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, the ...) - electron (bug #842420) CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an informati ...) - - npm (bug #964746) + - npm (low; bug #964746) + [buster] - npm (Minor issue) NOTE: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp NOTE: https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc CVE-2020-15094 @@ -14599,9 +14600,12 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libIma NOTE: Fixed in 6.2.3 and 7.1.0 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before before 7.1.0, an out-of-bou ...) - pillow + [buster] - pillow (Minor issue) [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 6.2.3 and 7.1.0 + NOTE: https://github.com/python-pillow/Pillow/commit/6b842f4ec001b12a9348e95854e02bbd10a84e20 + NOTE: https://github.com/python-pillow/Pillow/commit/b8d4ce1a591beda18c2d5c80a9f5a5e4856f6beb CVE-2020-10377 (A weak encryption vulnerability in Mitel MiVoice Connect Client before ...) NOT-FOR-US: Mitel CVE-2020-10376 (Technicolor TC7337NET 08.89.17.23.03 devices allow remote attackers to ...) @@ -15066,6 +15070,7 @@ CVE-2020-10178 REJECTED CVE-2020-10177 (Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/Fli ...) - pillow + [buster] - pillow (Minor issue) [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4503 NOTE: https://github.com/python-pillow/Pillow/pull/4538 = data/dsa-needed.txt = 
@@ -29,6 +29,8 @@ poppler (jmm) rails Sylvain Beucler proposed to help for the update, pending upstream feedback for CVE-2020-8163 -- +ruby-sanitize +-- squid (jmm) -- teeworlds (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e3e6bb87ced9a8e297148176266fb8fce0586d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e3e6bb87ced9a8e297148176266fb8fce0586d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
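Review bot: in the CVE-2020-10378 pillow hunk the two new commit NOTE lines (6b842f4e, b8d4ce1a) are appended after "NOTE: Fixed in 6.2.3 and 7.1.0", separating them from the PR #4538 NOTE they belong to; place them directly after the PR reference so commit and PR stay together, as the other pillow entries keep their references grouped.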
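Review bot: the data/dsa-needed.txt hunk adds "ruby-sanitize" with no owner and no status line; the neighbouring rails entry records who is working on it and which CVE it is pending on, and nothing in this commit's data/CVE/list changes mentions ruby-sanitize, so add at least the CVE id the DSA is for to make the queue entry traceable.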
[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 617038f2 by Moritz Muehlenhoff at 2018-07-17T08:01:53+02:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -168,9 +168,11 @@ CVE-2018-14241 RESERVED CVE-2018-14326 (In MP4v2 2.0.0, there is an integer overflow (with resultant memory ...) - mp4v2 + [stretch] - mp4v2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1 CVE-2018-14325 (In MP4v2 2.0.0, there is an integer underflow (with resultant memory ...) - mp4v2 + [stretch] - mp4v2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1 CVE-2018-14240 RESERVED @@ -1207,6 +1209,7 @@ CVE-2018-1000611 (SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains NOT-FOR-US: SURFnet OpenConext EngineBlock CVE-2018-1000622 (The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 ...) - rustc + [stretch] - rustc (Minor issue, can be fixed along in future rustc update for ESR69) NOTE: https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM CVE-2018-13787 (Certain Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, A2, and ...) NOT-FOR-US: Supermicro @@ -3818,7 +3821,8 @@ CVE-2018-1000522 CVE-2018-1000521 (BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in ...) NOT-FOR-US: BigTree-CMS CVE-2018-1000520 (ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows ...) - - mbedtls + - mbedtls (low) + [stretch] - mbedtls (Minor issue) - polarssl NOTE: https://github.com/ARMmbed/mbedtls/issues/1561 CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation vulnerability in ...) 
@@ -32229,6 +32233,7 @@ CVE-2017-17690 RESERVED CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) ...) - thunderbird (bug #898631) + [stretch] - thunderbird (Wait until fixed in upstream release) - evolution (bug #898633) - kmail (bug #898634) - kf5-messagelib (bug #899127) @@ -37468,7 +37473,8 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive definition (such as can {DSA-4158-1 DSA-4157-1 DLA-1330-1} - openssl 1.1.0h-1 - openssl1.0 1.0.2o-1 - - libtomcrypt 1.18.2-1 + - libtomcrypt 1.18.2-1 (low) + [stretch] - libtomcrypt (Minor issue) NOTE: https://www.openssl.org/news/secadv/20180327.txt NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33 NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -51,7 +51,6 @@ mailman mariadb-10.1/stable -- mercurial - 2018-06-07: jessie update proposed by anarcat in https://lists.debian.org/87y3fr75kk@angela.anarc.at -- mosquitto (seb) 2018-02-27: Roger Light provided a debdiff targetting stretch, needs review View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/617038f2a055c00cdd92b9384e3c9a85fe8cbb86 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/617038f2a055c00cdd92b9384e3c9a85fe8cbb86 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
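Review bot: the CVE-2018-1000622 rustc hunk defers stretch with "can be fixed along in future rustc update for ESR69"; confirm the ESR number, since Firefox ESR releases are numbered 60 and 68, so "ESR69" looks like a typo, and whoever does the rustc bump for the next ESR needs to be able to find this entry by that number.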
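Review bot: in the CVE-2018-1000520 hunk "- mbedtls" gains "(low)" and a stretch "Minor issue" line, but the "- polarssl" line right below it keeps neither a fixed version nor any release annotation; if polarssl is still in a supported suite it needs the same triage, otherwise mark it so the entry is not left half-done.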
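Review bot: the CVE-2017-17689 hunk adds "[stretch] - thunderbird (Wait until fixed in upstream release)" but leaves evolution (bug #898633), kmail (bug #898634) and kf5-messagelib (bug #899127) on the same entry without a stretch verdict; a "stable triage" commit should annotate them too or say why only thunderbird is being deferred.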
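Review bot: the data/dsa-needed.txt hunk deletes the mercurial entry together with its note about the 2018-06-07 jessie update proposed by anarcat; if that update was accepted or superseded, record where (a DLA or DSA id) in the commit message, and if it is still pending the note should not be dropped, because the pointer to the proposed update is lost with it.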