[Secure-testing-commits] r51347 - data/CVE
Author: fgeek-guest Date: 2017-05-05 06:21:06 + (Fri, 05 May 2017) New Revision: 51347 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-05-05 05:16:00 UTC (rev 51346) +++ data/CVE/list 2017-05-05 06:21:06 UTC (rev 51347) @@ -13728,6 +13728,7 @@ RESERVED CVE-2017-3882 RESERVED + NOT-FOR-US: Cisco CVE-2017-3881 (A vulnerability in the Cisco Cluster Management Protocol (CMP) ...) NOT-FOR-US: Cisco CVE-2017-3880 (An Authentication Bypass vulnerability in Cisco WebEx Meetings Server ...) @@ -13740,12 +13741,14 @@ NOT-FOR-US: Cisco CVE-2017-3876 RESERVED + NOT-FOR-US: Cisco CVE-2017-3875 (An Access-Control Filtering Mechanisms Bypass vulnerability in certain ...) NOT-FOR-US: Cisco CVE-2017-3874 (A vulnerability in the web framework of Cisco Unified Communications ...) NOT-FOR-US: Cisco CVE-2017-3873 RESERVED + NOT-FOR-US: Cisco CVE-2017-3872 (A cross-site scripting (XSS) filter bypass vulnerability in the ...) NOT-FOR-US: Cisco CVE-2017-3871 (A RADIUS Secret Disclosure vulnerability in the web network management ...) @@ -13842,6 +13845,7 @@ NOT-FOR-US: Cisco CVE-2017-3825 RESERVED + NOT-FOR-US: Cisco CVE-2017-3824 (A vulnerability in the handling of list headers in Cisco cBR Series ...) NOT-FOR-US: Cisco CVE-2017-3823 (An issue was discovered in the Cisco WebEx Extension before 1.0.7 on ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r51341 - data/CVE
Author: fgeek-guest Date: 2017-05-05 03:41:08 + (Fri, 05 May 2017) New Revision: 51341 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-05-04 21:10:12 UTC (rev 51340) +++ data/CVE/list 2017-05-05 03:41:08 UTC (rev 51341) @@ -11385,7 +11385,7 @@ CVE-2017-4984 RESERVED CVE-2017-4983 (EMC Data Domain OS 5.2 through 5.7 before 5.7.3.0 and 6.0 before ...) - TODO: check + NOT-FOR-US: EMC Data Domain OS CVE-2017-4982 RESERVED CVE-2017-4981 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r51317 - data/CVE
Author: fgeek-guest Date: 2017-05-04 03:12:25 + (Thu, 04 May 2017) New Revision: 51317 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-05-03 21:10:11 UTC (rev 51316) +++ data/CVE/list 2017-05-04 03:12:25 UTC (rev 51317) @@ -7360,6 +7360,7 @@ NOT-FOR-US: EyesOfNetwork CVE-2017-6086 RESERVED + NOT-FOR-US: ViMbAdmin CVE-2017-6085 RESERVED CVE-2017-6084 @@ -8096,6 +8097,7 @@ RESERVED CVE-2017-5870 RESERVED + NOT-FOR-US: ViMbAdmin CVE-2017-5869 (Directory traversal vulnerability in the file import feature in Nuxeo ...) NOT-FOR-US: Nuxeo CVE-2017-5868 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r51249 - data/CVE
Author: fgeek-guest Date: 2017-05-01 20:10:47 + (Mon, 01 May 2017) New Revision: 51249 Modified: data/CVE/list Log: CVE-2017-8372/libmad Modified: data/CVE/list === --- data/CVE/list 2017-05-01 17:58:44 UTC (rev 51248) +++ data/CVE/list 2017-05-01 20:10:47 UTC (rev 51249) @@ -26,7 +26,9 @@ CVE-2017-8373 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b ...) - libmad CVE-2017-8372 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, ...) - - libmad + - libmad + NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/ + NOTE: No assertion failure with reproducer CVE-2017-8371 (Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses ...) NOT-FOR-US: Schneider Electric CVE-2017-8370 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r51215 - data/CVE
Author: fgeek-guest Date: 2017-04-30 21:38:17 + (Sun, 30 Apr 2017) New Revision: 51215 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-04-30 19:23:55 UTC (rev 51214) +++ data/CVE/list 2017-04-30 21:38:17 UTC (rev 51215) @@ -7110,10 +7110,13 @@ RESERVED CVE-2017-5806 RESERVED + NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5805 RESERVED + NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5804 RESERVED + NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5803 RESERVED CVE-2017-5802 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50937 - in data: . CVE
Author: fgeek-guest Date: 2017-04-23 06:33:44 + (Sun, 23 Apr 2017) New Revision: 50937 Modified: data/CVE/list data/embedded-code-copies Log: libbpg is embedded in ffmpeg Modified: data/CVE/list === --- data/CVE/list 2017-04-23 06:02:53 UTC (rev 50936) +++ data/CVE/list 2017-04-23 06:33:44 UTC (rev 50937) @@ -15910,6 +15910,7 @@ CVE-2017-2575 [NULL pointer dereference in image_alloc] RESERVED NOT-FOR-US: libbpg + NOTE: The libbpg library is not packaged in Debian but seem embedded in ffmpeg CVE-2017-2574 RESERVED CVE-2017-2573 Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-04-23 06:02:53 UTC (rev 50936) +++ data/embedded-code-copies 2017-04-23 06:33:44 UTC (rev 50937) @@ -376,6 +376,7 @@ - audacity 1.3.7-2 (embed; bug #512278) - chromium-browser 44.0.2403.157-1 (fork; bug #763632) - libav + - libbpg (embed) faad2 - mplayer 1.0~rc2-20 (embed) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50934 - data/CVE
Author: fgeek-guest Date: 2017-04-23 04:32:31 + (Sun, 23 Apr 2017) New Revision: 50934 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-04-22 20:19:28 UTC (rev 50933) +++ data/CVE/list 2017-04-23 04:32:31 UTC (rev 50934) @@ -15910,8 +15910,9 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/7 CVE-2017-2577 REJECTED -CVE-2017-2575 +CVE-2017-2575 [NULL pointer dereference in image_alloc] RESERVED + NOT-FOR-US: libbpg CVE-2017-2574 RESERVED CVE-2017-2573 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50589 - data/CVE
Author: fgeek-guest Date: 2017-04-12 05:09:31 + (Wed, 12 Apr 2017) New Revision: 50589 Modified: data/CVE/list Log: cleanup Modified: data/CVE/list === --- data/CVE/list 2017-04-12 04:38:22 UTC (rev 50588) +++ data/CVE/list 2017-04-12 05:09:31 UTC (rev 50589) @@ -81,9 +81,9 @@ CVE-2017-7648 (Foscam networked devices use the same hardcoded SSL private key across ...) NOT-FOR-US: Foscam CVE-2017-7647 (SolarWinds Log Event Manager (LEM) before 6.3.1 Hotfix 4 allows an ...) - NOT-FOR-US: SolarWinds + NOT-FOR-US: SolarWinds CVE-2017-7646 (SolarWinds Log Event Manager (LEM) before 6.3.1 Hotfix 4 allows an ...) - NOT-FOR-US: SolarWinds + NOT-FOR-US: SolarWinds CVE-2017-7645 RESERVED CVE-2017-7644 @@ -1522,7 +1522,7 @@ NOT-FOR-US: imdbphp CVE-2017-7203 (A Cross-Site Scripting (XSS) was discovered in ZoneMinder 1.30.2. The ...) - zoneminder (bug #858329) - NOTE: https://github.com/ZoneMinder/ZoneMinder/issues/1797 + NOTE: https://github.com/ZoneMinder/ZoneMinder/issues/1797 CVE-2017-7202 (Multiple Cross-Site Scripting (XSS) were discovered in SLiMS 7 Cendana ...) NOT-FOR-US: SLiMS CVE-2017-7201 @@ -4803,7 +4803,7 @@ CVE-2017-5965 RESERVED CVE-2017-5964 (An issue was discovered in Emoncms through 9.8.0. The vulnerability ...) - NOT-FOR-US: Emoncms + NOT-FOR-US: Emoncms CVE-2017-5963 (An issue was discovered in caddy (for TYPO3) before 7.2.10. The ...) NOT-FOR-US: Typo3 extension CVE-2017-5962 (An issue was discovered in contexts_wurfl (for TYPO3) before 0.4.2. The ...) @@ -10575,7 +10575,7 @@ CVE-2016-10030 (The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, ...) - slurm-llnl 16.05.8-1 (bug #850491) [jessie] - slurm-llnl (Minor issue) - NOTE: https://www.schedmd.com/news.php?id=178 + NOTE: https://www.schedmd.com/news.php?id=178 NOTE: https://github.com/SchedMD/slurm/commit/92362a92fffe60187df61f99ab11c249d44120ee CVE-2017-3894 RESERVED @@ -10742,7 +10742,7 @@ CVE-2017-3813 (A vulnerability in the Start Before Logon (SBL) module of Cisco ...) NOT-FOR-US: Cisco CVE-2017-3812 (A vulnerability in the implementation of Common Industrial Protocol ...) - NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches + NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches CVE-2017-3811 (An XML External Entity vulnerability in Cisco WebEx Meetings Server ...) NOT-FOR-US: Cisco CVE-2017-3810 (A vulnerability in the web framework of Cisco Prime Service Catalog ...) @@ -25653,7 +25653,7 @@ {DLA-684-1} - libx11 2:1.6.4-1 (low; bug #840439) [jessie] - libx11 (Minor issue, will be fixed in a point release) - NOTE: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9 + NOTE: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9 CVE-2016-7942 (The XGetImage function in X.org libX11 before 1.6.4 might allow remote ...) {DLA-684-1} - libx11 2:1.6.4-1 (low; bug #840439) @@ -27972,7 +27972,7 @@ CVE-2016-7094 (Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS ...) {DSA-3663-1 DLA-614-1} - xen 4.8.0~rc3-1 - NOTE: http://xenbits.xen.org/xsa/advisory-187.html + NOTE: http://xenbits.xen.org/xsa/advisory-187.html CVE-2016-7093 (Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to ...) - xen (Affects only 4.7.0 and later; 4.6.3 and 4.5.3) NOTE: http://xenbits.xen.org/xsa/advisory-186.html @@ -35576,7 +35576,7 @@ - gimp 2.8.16-2.2 (bug #828179) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=767873 CVE-2016-4993 (CRLF injection vulnerability in the Undertow web server in WildFly ...) - NOT-FOR-US: JBoss Enterprise Application Platform + NOT-FOR-US: JBoss Enterprise Application Platform CVE-2016-4992 [Information disclosure via repeated use of LDAP ADD operation] RESERVED - 389-ds-base 1.3.5.13-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50453 - data/CVE
Author: fgeek-guest Date: 2017-04-07 21:30:18 + (Fri, 07 Apr 2017) New Revision: 50453 Modified: data/CVE/list Log: typofix Modified: data/CVE/list === --- data/CVE/list 2017-04-07 21:13:52 UTC (rev 50452) +++ data/CVE/list 2017-04-07 21:30:18 UTC (rev 50453) @@ -57,7 +57,7 @@ CVE-2016-10319 (In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware update SMC ...) NOT-FOR-US: ARM CVE-2016-1000307 (Multiple Cross Site Scripting (XSS) Vulnerabilities in ClipBucket ...) - NOT-FOR-US: ClipBucker + NOT-FOR-US: ClipBucket CVE-2016-1000306 REJECTED CVE-2017-7578 (Multiple heap-based buffer overflows in parser.c in libming 0.4.7 allow ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49626 - data/CVE
Author: fgeek-guest Date: 2017-03-13 08:13:41 + (Mon, 13 Mar 2017) New Revision: 49626 Modified: data/CVE/list Log: new profanity issue Modified: data/CVE/list === --- data/CVE/list 2017-03-13 06:22:42 UTC (rev 49625) +++ data/CVE/list 2017-03-13 08:13:41 UTC (rev 49626) @@ -1,3 +1,6 @@ +CVE-2017- [Server certificates are not verified] + - profanity (bug #857546) + NOTE: https://github.com/boothj5/profanity/issues/280 CVE-2017- [irssi use after free condition during netjoin processing] - irssi 1.0.2-1 (bug #857502) [jessie] - irssi (Different code path caused the netjoins to be flushed prior reaching use-after-free condition) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49587 - data/CVE
Author: fgeek-guest Date: 2017-03-11 10:55:29 + (Sat, 11 Mar 2017) New Revision: 49587 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-03-11 10:39:46 UTC (rev 49586) +++ data/CVE/list 2017-03-11 10:55:29 UTC (rev 49587) @@ -2656,6 +2656,7 @@ RESERVED CVE-2017-5796 RESERVED + NOT-FOR-US: HPE 2620 Series Network Switches CVE-2017-5795 RESERVED CVE-2017-5794 @@ -2666,6 +2667,7 @@ RESERVED CVE-2017-5791 RESERVED + NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5790 RESERVED CVE-2017-5789 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
Bug#809365: update
This has now been fixed in upstream. -- Henri Salo
Bug#809365: update
This has now been fixed in upstream. -- Henri Salo ___ forensics-devel mailing list forensics-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
[Secure-testing-commits] r49234 - data/CVE
Author: fgeek-guest Date: 2017-02-26 11:10:21 + (Sun, 26 Feb 2017) New Revision: 49234 Modified: data/CVE/list Log: pax-utils scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c) Modified: data/CVE/list === --- data/CVE/list 2017-02-26 10:11:39 UTC (rev 49233) +++ data/CVE/list 2017-02-26 11:10:21 UTC (rev 49234) @@ -1,3 +1,6 @@ +CVE-2017- [scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)] + - pax-utils + NOTE: https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2/ CVE-2017-6321 RESERVED CVE-2017-6320 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49116 - data/CVE
Author: fgeek-guest Date: 2017-02-22 08:02:20 + (Wed, 22 Feb 2017) New Revision: 49116 Modified: data/CVE/list Log: munin local write vulnerability Modified: data/CVE/list === --- data/CVE/list 2017-02-22 05:45:55 UTC (rev 49115) +++ data/CVE/list 2017-02-22 08:02:20 UTC (rev 49116) @@ -1,3 +1,6 @@ +CVE-2017- [munin-cgi-graph local file write vulnerability] + - munin (bug #855705) + NOTE: https://github.com/munin-monitoring/munin/issues/721 CVE-2017-6127 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...) NOT-FOR-US: DIGISOL DG-HR1400 Wireless Router CVE-2017-6126 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49042 - data/CVE
Author: fgeek-guest Date: 2017-02-18 09:52:47 + (Sat, 18 Feb 2017) New Revision: 49042 Modified: data/CVE/list Log: fix source package name Modified: data/CVE/list === --- data/CVE/list 2017-02-18 09:10:20 UTC (rev 49041) +++ data/CVE/list 2017-02-18 09:52:47 UTC (rev 49042) @@ -29,7 +29,7 @@ CVE-2016-10226 RESERVED CVE-2017- [saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server] - - sane-utils (bug #854804) + - sane-backends (bug #854804) CVE-2017-6061 RESERVED CVE-2017-6060 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
Bug#855142: security bug closed without fix
Shouldn't this be closed AFTER the fix is available? Especially since this is a security issue. -- Henri Salo
Bug#855142: security bug closed without fix
Shouldn't this be closed AFTER the fix is available? Especially since this is a security issue. -- Henri Salo
[Secure-testing-commits] r48989 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:22:04 + (Thu, 16 Feb 2017) New Revision: 48989 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:15:33 UTC (rev 48988) +++ data/CVE/list 2017-02-16 06:22:04 UTC (rev 48989) @@ -1356,6 +1356,7 @@ RESERVED CVE-2017-5586 RESERVED + NOT-FOR-US: OpenText Documentum D2 CVE-2017-5585 RESERVED NOT-FOR-US: OpenText Documentum Content Server ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48988 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:15:33 + (Thu, 16 Feb 2017) New Revision: 48988 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:13:18 UTC (rev 48987) +++ data/CVE/list 2017-02-16 06:15:33 UTC (rev 48988) @@ -1358,6 +1358,7 @@ RESERVED CVE-2017-5585 RESERVED + NOT-FOR-US: OpenText Documentum Content Server CVE-2017-5584 RESERVED CVE-2017-5583 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48987 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:13:18 + (Thu, 16 Feb 2017) New Revision: 48987 Modified: data/CVE/list Log: CVE-2017-2627 Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:11:41 UTC (rev 48986) +++ data/CVE/list 2017-02-16 06:13:18 UTC (rev 48987) @@ -9364,8 +9364,10 @@ RESERVED CVE-2017-2628 RESERVED -CVE-2017-2627 +CVE-2017-2627 [openstack-tripleo-common: sudoers file is too permissive] RESERVED + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421917 + TODO: check CVE-2017-2626 RESERVED CVE-2017-2625 @@ -9376,7 +9378,7 @@ RESERVED CVE-2017-2622 [openstack-mistral: /var/log/mistral/ is world readable] RESERVED - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2622 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420992 TODO: check CVE-2017-2621 [/var/log/heat/ is world readable] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48986 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:11:41 + (Thu, 16 Feb 2017) New Revision: 48986 Modified: data/CVE/list Log: CVE-2017-2622 Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:10:33 UTC (rev 48985) +++ data/CVE/list 2017-02-16 06:11:41 UTC (rev 48986) @@ -9374,8 +9374,10 @@ RESERVED CVE-2017-2623 RESERVED -CVE-2017-2622 +CVE-2017-2622 [openstack-mistral: /var/log/mistral/ is world readable] RESERVED + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2622 + TODO: check CVE-2017-2621 [/var/log/heat/ is world readable] RESERVED - heat ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48942 - data/CVE
Author: fgeek-guest Date: 2017-02-15 07:50:35 + (Wed, 15 Feb 2017) New Revision: 48942 Modified: data/CVE/list Log: CVE-2017-5982/kodi Modified: data/CVE/list === --- data/CVE/list 2017-02-14 22:17:49 UTC (rev 48941) +++ data/CVE/list 2017-02-15 07:50:35 UTC (rev 48942) @@ -13,8 +13,10 @@ RESERVED CVE-2017-5983 RESERVED -CVE-2017-5982 +CVE-2017-5982 [local file inclusion] RESERVED + - kodi + NOTE: http://seclists.org/fulldisclosure/2017/Feb/27 CVE-2017-5681 RESERVED CVE-2017- [tomcat DoS via infinite loop in HTTPS request processing] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48912 - data/CVE
Author: fgeek-guest Date: 2017-02-14 09:31:22 + (Tue, 14 Feb 2017) New Revision: 48912 Modified: data/CVE/list Log: fix typo Modified: data/CVE/list === --- data/CVE/list 2017-02-14 09:25:22 UTC (rev 48911) +++ data/CVE/list 2017-02-14 09:31:22 UTC (rev 48912) @@ -342,11 +342,11 @@ - irssi [jessie] - irssi (support for sasl not present) [wheezy] - irssi (support for sasl not present) - NOTE: Patch: Patch: https://github.com/irssi/irssi/commit/19c51789967a2f63da033e60f6ef08848b9cd144 + NOTE: Patch: https://github.com/irssi/irssi/commit/19c51789967a2f63da033e60f6ef08848b9cd144 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/05/8 CVE-2017- [irssi missing null terminator] - irssi (unimportant) - NOTE: Patch: Patch: https://github.com/irssi/irssi/pull/619/commits/677fb1f55ca52d0e43c93f7d8361d333ff5bffd6 + NOTE: Patch: https://github.com/irssi/irssi/pull/619/commits/677fb1f55ca52d0e43c93f7d8361d333ff5bffd6 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/05/8 CVE-2016-10206 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48873 - data/CVE
Author: fgeek-guest Date: 2017-02-13 04:58:17 + (Mon, 13 Feb 2017) New Revision: 48873 Modified: data/CVE/list Log: CVE-2017-5969/libxml2 Modified: data/CVE/list === --- data/CVE/list 2017-02-13 04:37:46 UTC (rev 48872) +++ data/CVE/list 2017-02-13 04:58:17 UTC (rev 48873) @@ -4,8 +4,8 @@ RESERVED CVE-2017-5969 [null pointer dereference when parsing a xml file using recover mode] RESERVED - - libxml2 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/05/3 + - libxml2 (bug #855001) + NOTE: http://www.openwall.com/lists/oss-security/2016/11/05/3 NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778519 CVE-2017-5968 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
Bug#855001: CVE-2017-5969: libxml2: null pointer dereference when parsing a xml file using recover mode
Package: libxml2 Version: 2.9.4+dfsg1-2.2 Severity: important Tags: security, upstream https://bugzilla.gnome.org/show_bug.cgi?id=778519 http://www.openwall.com/lists/oss-security/2016/11/05/3 -- Henri Salo
[Secure-testing-commits] r48872 - data/CVE
Author: fgeek-guest Date: 2017-02-13 04:37:46 + (Mon, 13 Feb 2017) New Revision: 48872 Modified: data/CVE/list Log: CVE-2017-5969/libxml2 Modified: data/CVE/list === --- data/CVE/list 2017-02-13 04:32:51 UTC (rev 48871) +++ data/CVE/list 2017-02-13 04:37:46 UTC (rev 48872) @@ -2,8 +2,11 @@ RESERVED CVE-2017-5970 RESERVED -CVE-2017-5969 +CVE-2017-5969 [null pointer dereference when parsing a xml file using recover mode] RESERVED + - libxml2 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/05/3 + NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778519 CVE-2017-5968 RESERVED CVE-2017-5967 @@ -22,10 +25,6 @@ TODO: check CVE-2017-5960 (An issue was discovered in Phalcon Eye through 0.4.1. The vulnerability ...) TODO: check -CVE-2017- [null pointer dereference when parsing a xml file using recover mode] - - libxml2 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/05/3 - NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778519 CVE-2017- [use-after-free in fz_subsample_pixmap (pixmap.c)] - mupdf NOTE: Fix http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48852 - data/CVE
Author: fgeek-guest Date: 2017-02-12 07:29:42 + (Sun, 12 Feb 2017) New Revision: 48852 Modified: data/CVE/list Log: libxml2 null pointer dereference when parsing a xml file using recover mode Modified: data/CVE/list === --- data/CVE/list 2017-02-11 12:01:43 UTC (rev 48851) +++ data/CVE/list 2017-02-12 07:29:42 UTC (rev 48852) @@ -1,3 +1,7 @@ +CVE-2017- [null pointer dereference when parsing a xml file using recover mode] + - libxml2 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/05/3 + NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778519 CVE-2017- [use-after-free in fz_subsample_pixmap (pixmap.c)] - mupdf NOTE: Fix http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48851 - data/CVE
Author: fgeek-guest Date: 2017-02-11 12:01:43 + (Sat, 11 Feb 2017) New Revision: 48851 Modified: data/CVE/list Log: CVE-2016-8636/linux Modified: data/CVE/list === --- data/CVE/list 2017-02-11 11:46:40 UTC (rev 48850) +++ data/CVE/list 2017-02-11 12:01:43 UTC (rev 48851) @@ -17749,8 +17749,11 @@ [wheezy] - dracut (Introduced in 030 upstream) NOTE: Fixed by: http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=0db98910a11c12a454eac4c8e86dc7a7bbc764a4 NOTE: Introduced by: http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=5f2c30d9bcd614d546d5c55c6897e33f88b9ab90 (030) -CVE-2016-8636 +CVE-2016-8636 [mem_check_range integer overflow] RESERVED + - linux + NOTE: Fix https://github.com/torvalds/linux/commit/647bf3d8a8e5777319da92af672289b2a6c4dc66 + TODO: check CVE-2016-8635 [small-subgroups attack flaw] RESERVED - nss 2:3.25-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48848 - data/CVE
Author: fgeek-guest Date: 2017-02-11 09:58:13 + (Sat, 11 Feb 2017) New Revision: 48848 Modified: data/CVE/list Log: mupdf use-after-free in fz_subsample_pixmap (pixmap.c) Modified: data/CVE/list === --- data/CVE/list 2017-02-11 09:10:14 UTC (rev 48847) +++ data/CVE/list 2017-02-11 09:58:13 UTC (rev 48848) @@ -1,3 +1,7 @@ +CVE-2017- [use-after-free in fz_subsample_pixmap (pixmap.c)] + - mupdf + NOTE: Fix http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 + NOTE: https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ CVE-2017-5959 RESERVED CVE-2017-5958 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48771 - data/CVE
Author: fgeek-guest Date: 2017-02-08 15:10:48 + (Wed, 08 Feb 2017) New Revision: 48771 Modified: data/CVE/list Log: CVE-2017-5932/bash Modified: data/CVE/list === --- data/CVE/list 2017-02-08 13:30:14 UTC (rev 48770) +++ data/CVE/list 2017-02-08 15:10:48 UTC (rev 48771) @@ -1,5 +1,8 @@ -CVE-2017-5932 +CVE-2017-5932 [code execution in autocompletion] RESERVED + - bash + NOTE: https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf + NOTE: Fix http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715 CVE-2017-5931 RESERVED - qemu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48770 - data/CVE
Author: fgeek-guest Date: 2017-02-08 13:30:14 + (Wed, 08 Feb 2017) New Revision: 48770 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-08 10:25:49 UTC (rev 48769) +++ data/CVE/list 2017-02-08 13:30:14 UTC (rev 48770) @@ -8793,6 +8793,7 @@ NOT-FOR-US: EMC Documentum eRoom CVE-2017-2765 RESERVED + NOT-FOR-US: EMC Isilon InsightIQ CVE-2017-2764 RESERVED CVE-2017-2763 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48746 - data/CVE
Author: fgeek-guest Date: 2017-02-07 07:07:15 + (Tue, 07 Feb 2017) New Revision: 48746 Modified: data/CVE/list Log: CVE-2017-5677 Modified: data/CVE/list === --- data/CVE/list 2017-02-07 07:02:18 UTC (rev 48745) +++ data/CVE/list 2017-02-07 07:07:15 UTC (rev 48746) @@ -562,6 +562,7 @@ RESERVED CVE-2017-5677 (PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection ...) TODO: check + NOTE: http://karmainsecurity.com/KIS-2017-01 CVE-2017-5676 RESERVED CVE-2017-5857 [Qemu: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48745 - data/CVE
Author: fgeek-guest Date: 2017-02-07 07:02:18 + (Tue, 07 Feb 2017) New Revision: 48745 Modified: data/CVE/list Log: CVE-2017-5899/s-nail Modified: data/CVE/list === --- data/CVE/list 2017-02-07 00:55:46 UTC (rev 48744) +++ data/CVE/list 2017-02-07 07:02:18 UTC (rev 48745) @@ -850,7 +850,7 @@ NOTE: https://bugs.mysql.com/bug.php?id=63363 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/28/1 TODO: check, claimed to affect all MySQL 5.5, MariaDB 10.0.29 and 10.1.21 -CVE-2017- [s-nail local root privilege escalation] +CVE-2017-5899 [s-nail local root privilege escalation] - s-nail 14.8.16-1 (bug #852934) NOTE: https://www.mail-archive.com/s-nail-users@lists.sourceforge.net/msg00551.html NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48701 - data/CVE
Author: fgeek-guest Date: 2017-02-04 08:46:30 + (Sat, 04 Feb 2017) New Revision: 48701 Modified: data/CVE/list Log: CVE-2017-0358/ntfs-3g PoC Modified: data/CVE/list === --- data/CVE/list 2017-02-04 08:45:04 UTC (rev 48700) +++ data/CVE/list 2017-02-04 08:46:30 UTC (rev 48701) @@ -13775,6 +13775,7 @@ RESERVED {DSA-3780-1 DLA-815-1} - ntfs-3g 1:2016.2.22AR.1-4 + NOTE: PoC http://www.openwall.com/lists/oss-security/2017/02/04/1 CVE-2017-0357 [heap buffer overflow on -tr loader] RESERVED - iucode-tool 2.1.1-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48700 - data/CVE
Author: fgeek-guest Date: 2017-02-04 08:45:04 + (Sat, 04 Feb 2017) New Revision: 48700 Modified: data/CVE/list Log: syntax Modified: data/CVE/list === --- data/CVE/list 2017-02-04 08:41:02 UTC (rev 48699) +++ data/CVE/list 2017-02-04 08:45:04 UTC (rev 48700) @@ -781,7 +781,7 @@ CVE-2017-5608 (Cross-site scripting (XSS) vulnerability in the image upload function ...) - piwigo CVE-2017-5600 (The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 ...) -NOT-FOR-US: NetApp OnCommand Insight + NOT-FOR-US: NetApp OnCommand Insight CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) NOT-FOR-US: eClinicalWorks CVE-2017-5598 (An issue was discovered in eClinicalWorks healow@work 8.0 build 8. This ...) @@ -5371,19 +5371,19 @@ CVE-2017-3825 RESERVED CVE-2017-3824 (A vulnerability in the handling of list headers in Cisco cBR Series ...) -NOT-FOR-US: Cisco + NOT-FOR-US: Cisco CVE-2017-3823 (An issue was discovered in the Cisco WebEx Extension before 1.0.7 on ...) NOT-FOR-US: Cisco CVE-2017-3822 (A vulnerability in the logging subsystem of the Cisco Firepower Threat ...) -NOT-FOR-US: Cisco Firepower Threat Defense + NOT-FOR-US: Cisco Firepower Threat Defense CVE-2017-3821 RESERVED CVE-2017-3820 (A vulnerability in Simple Network Management Protocol (SNMP) functions ...) -NOT-FOR-US: Cisco IOS XE + NOT-FOR-US: Cisco IOS XE CVE-2017-3819 RESERVED CVE-2017-3818 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) ...) -NOT-FOR-US: Cisco Email Security Appliances + NOT-FOR-US: Cisco Email Security Appliances CVE-2017-3817 RESERVED CVE-2017-3816 @@ -5391,23 +5391,23 @@ CVE-2017-3815 RESERVED CVE-2017-3814 (A vulnerability in Cisco Firepower System Software could allow an ...) -NOT-FOR-US: Cisco Firepower System Software + NOT-FOR-US: Cisco Firepower System Software CVE-2017-3813 RESERVED CVE-2017-3812 (A vulnerability in the implementation of Common Industrial Protocol ...) -NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches + NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches CVE-2017-3811 RESERVED CVE-2017-3810 (A vulnerability in the web framework of Cisco Prime Service Catalog ...) -NOT-FOR-US: Cisco Prime Service Catalog + NOT-FOR-US: Cisco Prime Service Catalog CVE-2017-3809 (A vulnerability in the Policy deployment module of the Cisco Firepower ...) -NOT-FOR-US: Cisco Firepower Management Center + NOT-FOR-US: Cisco Firepower Management Center CVE-2017-3808 RESERVED CVE-2017-3807 RESERVED CVE-2017-3806 (A vulnerability in CLI command processing in the Cisco Firepower 4100 ...) -NOT-FOR-US: Cisco Firepower + NOT-FOR-US: Cisco Firepower CVE-2017-3805 (A vulnerability in the web-based management interface of Cisco IOS and ...) NOT-FOR-US: Cisco IOS CVE-2017-3804 (A vulnerability in Intermediate System-to-Intermediate System (IS-IS) ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48699 - data/CVE
Author: fgeek-guest Date: 2017-02-04 08:41:02 + (Sat, 04 Feb 2017) New Revision: 48699 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-04 08:37:49 UTC (rev 48698) +++ data/CVE/list 2017-02-04 08:41:02 UTC (rev 48699) @@ -781,7 +781,7 @@ CVE-2017-5608 (Cross-site scripting (XSS) vulnerability in the image upload function ...) - piwigo CVE-2017-5600 (The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 ...) - TODO: check +NOT-FOR-US: NetApp OnCommand Insight CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) NOT-FOR-US: eClinicalWorks CVE-2017-5598 (An issue was discovered in eClinicalWorks healow@work 8.0 build 8. This ...) @@ -5371,19 +5371,19 @@ CVE-2017-3825 RESERVED CVE-2017-3824 (A vulnerability in the handling of list headers in Cisco cBR Series ...) - TODO: check +NOT-FOR-US: Cisco CVE-2017-3823 (An issue was discovered in the Cisco WebEx Extension before 1.0.7 on ...) NOT-FOR-US: Cisco CVE-2017-3822 (A vulnerability in the logging subsystem of the Cisco Firepower Threat ...) - TODO: check +NOT-FOR-US: Cisco Firepower Threat Defense CVE-2017-3821 RESERVED CVE-2017-3820 (A vulnerability in Simple Network Management Protocol (SNMP) functions ...) - TODO: check +NOT-FOR-US: Cisco IOS XE CVE-2017-3819 RESERVED CVE-2017-3818 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) ...) - TODO: check +NOT-FOR-US: Cisco Email Security Appliances CVE-2017-3817 RESERVED CVE-2017-3816 @@ -5391,23 +5391,23 @@ CVE-2017-3815 RESERVED CVE-2017-3814 (A vulnerability in Cisco Firepower System Software could allow an ...) - TODO: check +NOT-FOR-US: Cisco Firepower System Software CVE-2017-3813 RESERVED CVE-2017-3812 (A vulnerability in the implementation of Common Industrial Protocol ...) - TODO: check +NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches CVE-2017-3811 RESERVED CVE-2017-3810 (A vulnerability in the web framework of Cisco Prime Service Catalog ...) - TODO: check +NOT-FOR-US: Cisco Prime Service Catalog CVE-2017-3809 (A vulnerability in the Policy deployment module of the Cisco Firepower ...) - TODO: check +NOT-FOR-US: Cisco Firepower Management Center CVE-2017-3808 RESERVED CVE-2017-3807 RESERVED CVE-2017-3806 (A vulnerability in CLI command processing in the Cisco Firepower 4100 ...) - TODO: check +NOT-FOR-US: Cisco Firepower CVE-2017-3805 (A vulnerability in the web-based management interface of Cisco IOS and ...) NOT-FOR-US: Cisco IOS CVE-2017-3804 (A vulnerability in Intermediate System-to-Intermediate System (IS-IS) ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48697 - data/CVE
Author: fgeek-guest Date: 2017-02-04 08:33:16 + (Sat, 04 Feb 2017) New Revision: 48697 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-04 08:09:23 UTC (rev 48696) +++ data/CVE/list 2017-02-04 08:33:16 UTC (rev 48697) @@ -7272,9 +7272,9 @@ CVE-2016-9874 REJECTED CVE-2016-9873 (EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 has a ...) - TODO: check + NOT-FOR-US: EMC Documentum CVE-2016-9872 (EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 has ...) - TODO: check + NOT-FOR-US: EMC Documentum CVE-2016-9871 (EMC Isilon OneFS 7.2.1.0 - 7.2.1.3, EMC Isilon OneFS 7.2.0.x, EMC ...) NOT-FOR-US: EMC Isilon CVE-2016-9870 (EMC Isilon OneFS 8.0.0.0, EMC Isilon OneFS 7.2.1.0 - 7.2.1.2, EMC ...) @@ -19750,7 +19750,7 @@ CVE-2016-8007 RESERVED CVE-2016-8006 (Authentication bypass vulnerability in Enterprise Security Manager ...) - TODO: check + NOT-FOR-US: Intel Security McAfee Security Information and Event Management CVE-2016-8005 RESERVED CVE-2016-8004 @@ -20243,7 +20243,7 @@ CVE-2016-7867 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and ...) NOT-FOR-US: Adobe Flash CVE-2016-7866 (Adobe Animate versions 15.2.1.95 and earlier have an exploitable memory ...) - TODO: check + NOT-FOR-US: Adobe Animate CVE-2016-7865 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and ...) NOT-FOR-US: Adobe Flash CVE-2016-7864 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and ...) @@ -20263,7 +20263,7 @@ CVE-2016-7857 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and ...) NOT-FOR-US: Adobe Flash CVE-2016-7856 (Adobe DNG Converter versions 9.7 and earlier have an exploitable memory ...) - TODO: check + NOT-FOR-US: Adobe DNG Converter CVE-2016-7855 (Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 ...) NOT-FOR-US: Adobe Flash CVE-2016-7854 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) @@ -20420,7 +20420,7 @@ CVE-2016-7793 (sociomantic-tsunami git-hub before 0.10.3 allows remote attackers to ...) - git-hub 0.10.2-2 (bug #839284) CVE-2016-7792 (Ubiquiti Networks UniFi 5.2.7 does not restrict access to the ...) - TODO: check + NOT-FOR-US: Ubiquiti Networks UniFi CVE-2016-7791 (Exponent CMS 2.3.9 suffers from a remote code execution vulnerability ...) NOT-FOR-US: Exponent CMS CVE-2016-7790 (Exponent CMS 2.3.9 suffers from a remote code execution vulnerability ...) @@ -21165,7 +21165,7 @@ CVE-2016-7455 RESERVED CVE-2016-7454 (CSRF vulnerability on Technicolor TC dpc3941T (formerly Cisco dpc3941T) ...) - TODO: check + NOT-FOR-US: Technicolor TC dpc3941T CVE-2016-7453 (The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could ...) NOT-FOR-US: Exponent CMS CVE-2016-7452 (The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could ...) @@ -21434,8 +21434,10 @@ CVE-2016-7394 RESERVED CVE-2016-7391 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7390 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7389 (For the NVIDIA Quadro, NVS, GeForce, and Tesla products, NVIDIA GPU ...) - nvidia-graphics-drivers 367.57-1 (bug #846331) @@ -21446,16 +21448,22 @@ [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4246 CVE-2016-7388 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7387 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7386 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7385 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7384 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7383 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) + - nvidia-graphics-drivers TODO: check CVE-2016-7382 (For the NVIDIA Quadro, NVS, GeForce, and Tesla products, NVIDIA GPU ...) - nvidia-graphics-drivers 367.57-1 (bug #846331) @@ -21466,6 +21474,7 @@ [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE:
[Secure-testing-commits] r48696 - data/CVE
Author: fgeek-guest Date: 2017-02-04 08:09:23 + (Sat, 04 Feb 2017) New Revision: 48696 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-04 00:18:01 UTC (rev 48695) +++ data/CVE/list 2017-02-04 08:09:23 UTC (rev 48696) @@ -8581,9 +8581,9 @@ CVE-2017-2769 RESERVED CVE-2017-2768 (EMC Network Configuration Manager (NCM) 9.3.x, EMC Network ...) - TODO: check + NOT-FOR-US: EMC Network Configuration Manager CVE-2017-2767 (EMC Network Configuration Manager (NCM) 9.3.x, EMC Network ...) - TODO: check + NOT-FOR-US: EMC Network Configuration Manager CVE-2017-2766 (EMC Documentum eRoom version 7.4.4, EMC Documentum eRoom version 7.4.4 ...) NOT-FOR-US: EMC Documentum eRoom CVE-2017-2765 @@ -11979,7 +11979,7 @@ CVE-2017-1094 RESERVED CVE-2017-1093 (IBM AIX 6.1, 7.1, and 7.2 could allow a local user to exploit a ...) - TODO: check + NOT-FOR-US: IBM AIX CVE-2017-1092 RESERVED CVE-2017-1091 @@ -18720,7 +18720,7 @@ CVE-2016-8218 RESERVED CVE-2016-8217 (EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing ...) - TODO: check + NOT-FOR-US: EMC RSA CVE-2016-8216 (EMC Data Domain OS (DD OS) 5.4 all versions, EMC Data Domain OS (DD OS) ...) NOT-FOR-US: EMC CVE-2016-8215 (EMC RSA Security Analytics 10.5.3 and 10.6.2 contains fixes for a ...) @@ -18730,9 +18730,9 @@ CVE-2016-8213 (EMC Documentum WebTop Version 6.8, prior to P18 and Version 6.8.1, ...) NOT-FOR-US: EMC Documentum CVE-2016-8212 (An issue was discovered in EMC RSA BSAFE Crypto-J versions prior to ...) - TODO: check + NOT-FOR-US: EMC RSA CVE-2016-8211 (EMC Data Protection Advisor 6.1.x, EMC Data Protection Advisor 6.2, EMC ...) - TODO: check + NOT-FOR-US: EMC Data Protection Advisor CVE-2016-8210 RESERVED CVE-2016-8209 @@ -18740,13 +18740,13 @@ CVE-2016-8208 RESERVED CVE-2016-8207 (A Directory Traversal vulnerability in CliMonitorReportServlet in the ...) - TODO: check + NOT-FOR-US: Brocade Network Advisor CVE-2016-8206 (A Directory Traversal vulnerability in servlet SoftwareImageUpload in ...) - TODO: check + NOT-FOR-US: Brocade Network Advisor CVE-2016-8205 (A Directory Traversal vulnerability in DashboardFileReceiveServlet in ...) - TODO: check + NOT-FOR-US: Brocade Network Advisor CVE-2016-8204 (A Directory Traversal vulnerability in FileReceiveServlet in the ...) - TODO: check + NOT-FOR-US: Brocade Network Advisor CVE-2016-8203 (A memory corruption in the IPsec code path of Brocade NetIron OS on ...) NOT-FOR-US: Brocade CVE-2016-8202 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48677 - data/CVE
Author: fgeek-guest Date: 2017-02-03 09:58:25 + (Fri, 03 Feb 2017) New Revision: 48677 Modified: data/CVE/list Log: libpodofo heap-based buffer overflow Modified: data/CVE/list === --- data/CVE/list 2017-02-03 09:13:15 UTC (rev 48676) +++ data/CVE/list 2017-02-03 09:58:25 UTC (rev 48677) @@ -1,3 +1,6 @@ +CVE-2017- [podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)] + - libpodofo + NOTE: https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp CVE-2017-5877 RESERVED CVE-2017-5876 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48660 - data/CVE
Author: fgeek-guest Date: 2017-02-02 08:43:53 + (Thu, 02 Feb 2017) New Revision: 48660 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-02 08:20:14 UTC (rev 48659) +++ data/CVE/list 2017-02-02 08:43:53 UTC (rev 48660) @@ -17260,6 +17260,7 @@ RESERVED CVE-2016-8529 RESERVED + NOT-FOR-US: HPE StoreVirtual CVE-2016-8528 RESERVED NOT-FOR-US: HPE Helion Eucalyptus ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48659 - data/CVE
Author: fgeek-guest Date: 2017-02-02 08:20:14 + (Thu, 02 Feb 2017) New Revision: 48659 Modified: data/CVE/list Log: CVE-2017-5849 needs more work Modified: data/CVE/list === --- data/CVE/list 2017-02-02 08:04:03 UTC (rev 48658) +++ data/CVE/list 2017-02-02 08:20:14 UTC (rev 48659) @@ -22,6 +22,9 @@ NOT-FOR-US: podofo CVE-2017-5852 NOT-FOR-US: podofo +CVE-2017-5849 [Out-of-Bound read and write issues in put1bitbwtile() and putgreytile()] + NOTE: http://www.openwall.com/lists/oss-security/2017/02/02/2 + TODO: check CVE-2017-5850 NOT-FOR-US: OpenBSD httpd CVE-2017-5833 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48644 - data/CVE
Author: fgeek-guest Date: 2017-02-01 07:15:36 + (Wed, 01 Feb 2017) New Revision: 48644 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-01 07:15:07 UTC (rev 48643) +++ data/CVE/list 2017-02-01 07:15:36 UTC (rev 48644) @@ -8022,6 +8022,7 @@ RESERVED CVE-2017-2766 RESERVED + NOT-FOR-US: EMC Documentum eRoom CVE-2017-2765 RESERVED CVE-2017-2764 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48643 - data/CVE
Author: fgeek-guest Date: 2017-02-01 07:15:07 + (Wed, 01 Feb 2017) New Revision: 48643 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-01 07:10:34 UTC (rev 48642) +++ data/CVE/list 2017-02-01 07:15:07 UTC (rev 48643) @@ -42854,23 +42854,24 @@ NOTE: Possibly introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=4917cf44326a1bda2fd7f27303aff7a25ad86518 (v1.6.0-rc0) NOTE: kvmapic introduced after 1.0.50 (http://git.qemu.org/?p=qemu.git;a=commit;h=e5ad936b0fd7dfd7fd7908be6f9f1ca88f63b96b) CVE-2016-0930 (Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.19 and 1.7.x before ...) - TODO: check + NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0929 (The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry ...) - TODO: check + NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0928 (Multiple open redirect vulnerabilities in Pivotal Cloud Foundry (PCF) ...) - TODO: check + NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0927 (Cross-site scripting (XSS) vulnerability in Pivotal Cloud Foundry ...) - TODO: check + NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0926 (Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal ...) - TODO: check + NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0925 (Cross-site scripting (XSS) vulnerability in the Case Management ...) NOT-FOR-US: EMC RSA Adaptive Authentication CVE-2016-0924 REJECTED + NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2016-0923 (The client in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before ...) - TODO: check + NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2016-0922 (EMC ViPR SRM before 3.7.2 does not restrict the number of ...) - TODO: check + NOT-FOR-US: EMC ViPR SRM CVE-2016-0921 (Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar ...) NOT-FOR-US: EMC Avamar CVE-2016-0920 (Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48642 - data/CVE
Author: fgeek-guest Date: 2017-02-01 07:10:34 + (Wed, 01 Feb 2017) New Revision: 48642 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-01 06:46:37 UTC (rev 48641) +++ data/CVE/list 2017-02-01 07:10:34 UTC (rev 48642) @@ -17176,12 +17176,14 @@ RESERVED CVE-2016-8528 RESERVED + NOT-FOR-US: HPE Helion Eucalyptus CVE-2016-8527 RESERVED CVE-2016-8526 RESERVED CVE-2016-8525 RESERVED + NOT-FOR-US: HPE iMC PLAT CVE-2016-8524 RESERVED CVE-2016-8523 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48590 - data/CVE
Author: fgeek-guest Date: 2017-01-31 06:56:25 + (Tue, 31 Jan 2017) New Revision: 48590 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-31 06:16:38 UTC (rev 48589) +++ data/CVE/list 2017-01-31 06:56:25 UTC (rev 48590) @@ -17119,6 +17119,7 @@ RESERVED CVE-2016-8523 RESERVED + NOT-FOR-US: HP Smart Storage Administrator CVE-2016-8522 RESERVED NOT-FOR-US: HPE Diagnostics ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48542 - data/CVE
Author: fgeek-guest Date: 2017-01-29 22:50:56 + (Sun, 29 Jan 2017) New Revision: 48542 Modified: data/CVE/list Log: CVE-2016-3189/bzip2 fixed Modified: data/CVE/list === --- data/CVE/list 2017-01-29 21:10:13 UTC (rev 48541) +++ data/CVE/list 2017-01-29 22:50:56 UTC (rev 48542) @@ -34459,7 +34459,7 @@ [wheezy] - cairo (Minor issue) NOTE: https://cgit.freedesktop.org/cairo/patch/src/cairo-image-compositor.c?id=5c82d91a5e15d29b1489dcb413b24ee7fdf59934 CVE-2016-3189 (Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows ...) - - bzip2 (low; bug #827744) + - bzip2 1.0.6-8.1 (low; bug #827744) [jessie] - bzip2 (Minor issue) [wheezy] - bzip2 (Minor issue) CVE-2016-3188 (The _prepopulate_request_walk function in the Prepopulate module ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48465 - data/CVE
Author: fgeek-guest Date: 2017-01-28 07:34:30 + (Sat, 28 Jan 2017) New Revision: 48465 Modified: data/CVE/list Log: use after free in libmysqlclient.so Modified: data/CVE/list === --- data/CVE/list 2017-01-28 06:42:24 UTC (rev 48464) +++ data/CVE/list 2017-01-28 07:34:30 UTC (rev 48465) @@ -1,3 +1,6 @@ +CVE-2017- [use after free in libmysqlclient.so] + NOTE: http://www.openwall.com/lists/oss-security/2017/01/28/1 + TODO: check CVE-2017- [s-nail local root privilege escalation] - s-nail NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/27/7 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48451 - data/CVE
Author: fgeek-guest Date: 2017-01-27 13:35:07 + (Fri, 27 Jan 2017) New Revision: 48451 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-27 13:33:59 UTC (rev 48450) +++ data/CVE/list 2017-01-27 13:35:07 UTC (rev 48451) @@ -42680,19 +42680,20 @@ CVE-2016-0896 (Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x ...) TODO: check CVE-2016-0895 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote attackers ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0894 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0893 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0892 (Cross-site scripting (XSS) vulnerability in EMC RSA Data Loss ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0891 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) NOT-FOR-US: EMC ViPR SRM CVE-2016-0890 RESERVED + NOT-FOR-US: EMC CVE-2016-0889 (An HTTP servlet in vApp Manager in EMC Unisphere for VMAX Virtual ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0888 (EMC Documentum D2 before 4.6 lacks intended ACLs for configuration ...) NOT-FOR-US: EMC Documentum D2 CVE-2016-0887 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48450 - data/CVE
Author: fgeek-guest Date: 2017-01-27 13:33:59 + (Fri, 27 Jan 2017) New Revision: 48450 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-27 11:26:50 UTC (rev 48449) +++ data/CVE/list 2017-01-27 13:33:59 UTC (rev 48450) @@ -4694,7 +4694,7 @@ NOTE: https://www.openssl.org/news/secadv/20170126.txt NOTE: Fix for 1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51d009043670a627d6abe66894126851cf3690e9 NOTE: Fix for 1.1.0: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f3a7e57c92b2c9b87dc4b2997f2ebda6781300d0 - NOTE:and https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=00d965474b22b54e4275232bc71ee0c699c5cd21 + NOTE: and https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=00d965474b22b54e4275232bc71ee0c699c5cd21 CVE-2017-3730 RESERVED - openssl 1.1.0d-1 @@ -17873,6 +17873,7 @@ RESERVED CVE-2016-8216 RESERVED + NOT-FOR-US: EMC CVE-2016-8215 (EMC RSA Security Analytics 10.5.3 and 10.6.2 contains fixes for a ...) NOT-FOR-US: RSA Security Analytics CVE-2016-8214 (EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions ...) @@ -22807,8 +22808,10 @@ RESERVED CVE-2016-6649 RESERVED + NOT-FOR-US: EMC CVE-2016-6648 RESERVED + NOT-FOR-US: EMC CVE-2016-6647 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 4.0.1 ...) NOT-FOR-US: EMC CVE-2016-6646 (The vApp Managers web application in EMC Unisphere for VMAX Virtual ...) @@ -42629,6 +42632,7 @@ NOT-FOR-US: EMC Avamar CVE-2016-0919 RESERVED + NOT-FOR-US: RSA Web Threat Detection CVE-2016-0918 (EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x ...) NOT-FOR-US: EMC RSA Identity Governance and Lifecycle CVE-2016-0917 (The SMB service in EMC VNXe (VNXe3200 Operating Environment prior to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48407 - data/CVE
Author: fgeek-guest Date: 2017-01-26 08:44:55 + (Thu, 26 Jan 2017) New Revision: 48407 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-26 08:25:45 UTC (rev 48406) +++ data/CVE/list 2017-01-26 08:44:55 UTC (rev 48407) @@ -4390,10 +4390,12 @@ RESERVED CVE-2017-3792 RESERVED + NOT-FOR-US: Cisco TelePresence CVE-2017-3791 RESERVED CVE-2017-3790 RESERVED + NOT-FOR-US: Cisco Expressway CVE-2016-5103 REJECTED CVE-2016-10027 (Race condition in the XMPP library in Smack before 4.1.9, when the ...) @@ -14592,6 +14594,7 @@ RESERVED CVE-2016-9225 RESERVED + NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2016-9224 (A vulnerability in the Cisco Jabber Guest Server could allow an ...) NOT-FOR-US: Cisco CVE-2016-9223 (A vulnerability in the Docker Engine configuration of Cisco ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48406 - data/CVE
Author: fgeek-guest Date: 2017-01-26 08:25:45 + (Thu, 26 Jan 2017) New Revision: 48406 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-26 08:08:47 UTC (rev 48405) +++ data/CVE/list 2017-01-26 08:25:45 UTC (rev 48406) @@ -6319,6 +6319,7 @@ RESERVED CVE-2016-9871 RESERVED + NOT-FOR-US: EMC Isilon CVE-2016-9870 (EMC Isilon OneFS 8.0.0.0, EMC Isilon OneFS 7.2.1.0 - 7.2.1.2, EMC ...) NOT-FOR-US: EMC CVE-2016-9869 (An issue was discovered in EMC ScaleIO versions before 2.0.1.1. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48357 - data/CVE
Author: fgeek-guest Date: 2017-01-25 09:19:18 + (Wed, 25 Jan 2017) New Revision: 48357 Modified: data/CVE/list Log: jasper Modified: data/CVE/list === --- data/CVE/list 2017-01-25 09:18:17 UTC (rev 48356) +++ data/CVE/list 2017-01-25 09:19:18 UTC (rev 48357) @@ -1,3 +1,6 @@ +CVE-2017- [jasper: heap-based buffer overflow in jpc_dec_decodepkt (jpc_t2dec.c)] + - jasper + NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/10 CVE-2017- [jasper: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c)] - jasper NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/8 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48356 - data/CVE
Author: fgeek-guest Date: 2017-01-25 09:18:17 + (Wed, 25 Jan 2017) New Revision: 48356 Modified: data/CVE/list Log: jasper Modified: data/CVE/list === --- data/CVE/list 2017-01-25 09:14:29 UTC (rev 48355) +++ data/CVE/list 2017-01-25 09:18:17 UTC (rev 48356) @@ -1,3 +1,9 @@ +CVE-2017- [jasper: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c)] + - jasper + NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/8 +CVE-2017- [jasper: invalid memory read in jas_matrix_bindsub (jas_seq.c)] + - jasper + NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/9 CVE-2017- [screen privilege escalation] - screen 4.5.0-3 (bug #852484) [stretch] - screen (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48321 - data/CVE
Author: fgeek-guest Date: 2017-01-24 07:11:33 + (Tue, 24 Jan 2017) New Revision: 48321 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-24 06:30:33 UTC (rev 48320) +++ data/CVE/list 2017-01-24 07:11:33 UTC (rev 48321) @@ -17536,10 +17536,12 @@ RESERVED CVE-2016-8215 RESERVED + NOT-FOR-US: RSA Security Analytics CVE-2016-8214 RESERVED + NOT-FOR-US: EMC Avamar CVE-2016-8213 (EMC Documentum WebTop Version 6.8, prior to P18 and Version 6.8.1, ...) - TODO: check + NOT-FOR-US: EMC Documentum CVE-2016-8212 RESERVED CVE-2016-8211 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48224 - data/CVE
Author: fgeek-guest Date: 2017-01-20 12:20:05 + (Fri, 20 Jan 2017) New Revision: 48224 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-20 11:40:46 UTC (rev 48223) +++ data/CVE/list 2017-01-20 12:20:05 UTC (rev 48224) @@ -3967,6 +3967,7 @@ RESERVED CVE-2017-3805 RESERVED + NOT-FOR-US: Cisco IOS CVE-2017-3804 RESERVED CVE-2017-3803 @@ -3977,6 +3978,7 @@ RESERVED CVE-2017-3800 RESERVED + NOT-FOR-US: Cisco Email Security Appliance CVE-2017-3799 RESERVED CVE-2017-3798 @@ -14215,6 +14217,7 @@ NOT-FOR-US: Cisco CVE-2016-9216 RESERVED + NOT-FOR-US: Cisco ASR 5000 CVE-2016-9215 (A vulnerability in Cisco IOS XR Software could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2016-9214 (Cisco Identity Services Engine (ISE) contains a vulnerability that ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48102 - data/CVE
Author: fgeek-guest Date: 2017-01-16 09:09:40 + (Mon, 16 Jan 2017) New Revision: 48102 Modified: data/CVE/list Log: NFU HPSBGN03689 Modified: data/CVE/list === --- data/CVE/list 2017-01-16 09:06:11 UTC (rev 48101) +++ data/CVE/list 2017-01-16 09:09:40 UTC (rev 48102) @@ -15741,8 +15741,10 @@ RESERVED CVE-2016-8522 RESERVED + NOT-FOR-US: HPE Diagnostics CVE-2016-8521 RESERVED + NOT-FOR-US: HPE Diagnostics CVE-2016-8520 RESERVED CVE-2016-8519 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47783 - data/CVE
Author: fgeek-guest Date: 2017-01-06 11:53:49 + (Fri, 06 Jan 2017) New Revision: 47783 Modified: data/CVE/list Log: NFU ESA-2016-157 Modified: data/CVE/list === --- data/CVE/list 2017-01-06 11:22:30 UTC (rev 47782) +++ data/CVE/list 2017-01-06 11:53:49 UTC (rev 47783) @@ -4750,10 +4750,13 @@ RESERVED CVE-2016-9869 RESERVED + NOT-FOR-US: EMC ScaleIO CVE-2016-9868 RESERVED + NOT-FOR-US: EMC ScaleIO CVE-2016-9867 RESERVED + NOT-FOR-US: EMC ScaleIO CVE-2016-9919 (The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through ...) - linux 4.8.15-1 [jessie] - linux (Vulnerable code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47742 - data/CVE
Author: fgeek-guest Date: 2017-01-05 09:12:50 + (Thu, 05 Jan 2017) New Revision: 47742 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-05 09:10:22 UTC (rev 47741) +++ data/CVE/list 2017-01-05 09:12:50 UTC (rev 47742) @@ -24525,7 +24525,7 @@ NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.17=1.18 NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.18=1.19 CVE-2016-5683 (ReadyDesk 9.1 allows local users to determine cleartext SQL Server ...) - TODO: check + NOT-FOR-US: ReadyDesk CVE-2016-5682 RESERVED CVE-2016-5681 (Stack-based buffer overflow in dws/api/Login on D-Link DIR-850L B1 ...) @@ -27297,21 +27297,21 @@ CVE-2016-5051 RESERVED CVE-2016-5050 (Unrestricted file upload vulnerability in chat/sendfile.aspx in ...) - TODO: check + NOT-FOR-US: ReadyDesk CVE-2016-5049 (Directory traversal vulnerability in chat/openattach.aspx in ReadyDesk ...) - TODO: check + NOT-FOR-US: ReadyDesk CVE-2016-5048 (SQL injection vulnerability in chat/staff/default.aspx in ReadyDesk ...) - TODO: check + NOT-FOR-US: ReadyDesk CVE-2016-5047 (NetApp OnCommand System Manager 8.3.x before 8.3.2P5 allows remote ...) - TODO: check + NOT-FOR-US: NetApp OnCommand System Manager CVE-2016-5046 RESERVED CVE-2016-5045 RESERVED CVE-2016-5025 (For the NVIDIA Quadro, NVS, and GeForce products, improper ...) - TODO: check + NOT-FOR-US: NVIDIA Quadro, NVS, and GeForce product CVE-2016-5024 (Virtual servers in F5 BIG-IP systems 11.6.1 before 11.6.1 HF1 and ...) - TODO: check + NOT-FOR-US: BIG-IP CVE-2016-5023 (Virtual servers in F5 BIG-IP systems 11.2.1 HF11 through HF15, 11.4.1 ...) NOT-FOR-US: BIG-IP CVE-2016-5022 (F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.x before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47740 - data/CVE
Author: fgeek-guest Date: 2017-01-05 09:07:39 + (Thu, 05 Jan 2017) New Revision: 47740 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-05 08:58:08 UTC (rev 47739) +++ data/CVE/list 2017-01-05 09:07:39 UTC (rev 47740) @@ -18726,6 +18726,7 @@ NOT-FOR-US: Exponent CMS CVE-2016-7399 RESERVED + NOT-FOR-US: Veritas NetBackup Applianc CVE-2016-7398 RESERVED CVE-2016-7397 (The Frontend component in Sophos UTM with firmware 9.405-5 and earlier ...) @@ -20207,6 +20208,7 @@ REJECTED CVE-2016-6894 RESERVED + NOT-FOR-US: Arista EOS CVE-2016-6892 [Free of Memory not on the Heap] RESERVED - matrixssl ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47739 - data/CVE
Author: fgeek-guest Date: 2017-01-05 08:58:08 + (Thu, 05 Jan 2017) New Revision: 47739 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-05 08:56:54 UTC (rev 47738) +++ data/CVE/list 2017-01-05 08:58:08 UTC (rev 47739) @@ -20295,13 +20295,13 @@ CVE-2016-6860 RESERVED CVE-2016-6859 (Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote ...) - TODO: check + NOT-FOR-US: SAP Hybris CVE-2016-6858 (Cross-site scripting (XSS) vulnerability in the Create Employee ...) - TODO: check + NOT-FOR-US: SAP Hybris CVE-2016-6857 (Cross-site scripting (XSS) vulnerability in the Create Catalogue ...) - TODO: check + NOT-FOR-US: SAP Hybris CVE-2016-6856 (Cross-site scripting (XSS) vulnerability in the Inbox Search feature ...) - TODO: check + NOT-FOR-US: SAP Hybris CVE-2016-6855 (Eye of GNOME (aka eog) 3.16.5, 3.17.x, 3.18.x before 3.18.3, 3.19.x, ...) {DLA-605-1} - eog 3.20.4-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47725 - data/CVE
Author: fgeek-guest Date: 2017-01-04 19:40:59 + (Wed, 04 Jan 2017) New Revision: 47725 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-04 17:43:57 UTC (rev 47724) +++ data/CVE/list 2017-01-04 19:40:59 UTC (rev 47725) @@ -15026,6 +15026,7 @@ RESERVED CVE-2016-8519 RESERVED + NOT-FOR-US: HPE Operations Orchestration CVE-2016-8518 RESERVED CVE-2016-8517 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47717 - data/CVE
Author: fgeek-guest Date: 2017-01-04 15:16:04 + (Wed, 04 Jan 2017) New Revision: 47717 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-04 14:54:29 UTC (rev 47716) +++ data/CVE/list 2017-01-04 15:16:04 UTC (rev 47717) @@ -263,13 +263,13 @@ CVE-2017-5006 RESERVED CVE-2017-5005 (Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 ...) - TODO: check + NOT-FOR-US: Quickheal CVE-2016-10108 (Unauthenticated Remote Command injection as root occurs in the Western ...) - TODO: check + NOT-FOR-US: Western Digital MyCloud NAS CVE-2016-10107 (Unauthenticated Remote Command injection as root occurs in the Western ...) - TODO: check + NOT-FOR-US: Western Digital MyCloud NAS CVE-2016-10106 (Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR ...) - TODO: check + NOT-FOR-US: NETGEAR devices CVE-2016-10105 (admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections ...) - piwigo CVE-2016-10104 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
Bug#850158: Use of uninitialized memory in unserialize()
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Package: php7.0 Version: 7.0.14-2 Severity: important Tags: security, upstream, fixed-upstream There was found a bug showing that PHP uses uninitialized memory during calls to `unserialize()`. As the following report shows, the payload supplied to `unserialize()` may control this uninitialized memory region and thus may be used to trick PHP into operating on faked objects and calling attacker controlled destructor function pointers. The supplied proof of concept exploit practically demonstrates the issue by executing arbitrary code solely by passing a specially crafted string to `unserialize()`. Even though this particular demo exploit only works locally this flaw is very likely to also allow for remote code execution. Upstream bug report for additional details: https://bugs.php.net/bug.php?id=73832 Fix: https://gist.github.com/anonymous/9fbe5ccbe8e18659bec11ac963fd07a3 - -- Henri Salo -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJYbP5hAAoJECet96ROqnV0rmIP/j0HpcNDEpNJTeR+JN75jC90 quuTqH98Neibb3WZEHHHksFVbKohmDm/KVQ1E7AWe6+zZ4FfEoPOsBkhoK2Swfv0 VTB7NVKFhlqmPwnVaB3l/6fc58mtyy6ljPcd/KIr1n3DCRbHgo13QmsgHBFSoqMs WhJ0CB4NR87/qGqmuHabT1wkzwIB90uApbwBlDRpPTA54XWLRPoIZNlb3roh8RGD lVb9Nb5vUZMGbrL376r6PkL+sZ6QcKemrGF3ZZqiirKcCfstYzhuftPgGLIGc0B2 Ud3IcH5wjxd/h4s4DA9SjZwnYbOlt76e3kcZbUZ4rJF1SEUAr0hfjRcbrEEj/0Ni 5B/z5H+miK4xAy+gyYemKELWhyrjSE5n2f5rN0SEJtTiaoF2XESLFP8HsuVzZyox KOte7ekNIX0Ev+UvmEGeXawlqKRR+xuIYfS9obpgtbWYOZa1zdKMJz8VFfSun2MQ 9aK5B6icbeGTjB+ilKINv7UqLXArZw4WokAVBKRFXRpdAOjBBdGp9u0lIp2vNcru hM6wc/lXShs7JlpQ3Rx0OMSv48u94NwwUw+otJcBg7lc5BoGlQSTqIObIUk4uuyY abCYVpGBQN/qzGB/lULpt4ExxHEzDHC3pRimBGM6vGdThXOHKFi4VwlMf39UXaLl rxvwtgdjnNAafVGc/H4g =lHoz -END PGP SIGNATURE-
[Secure-testing-commits] r47712 - data/CVE
Author: fgeek-guest Date: 2017-01-04 13:53:14 + (Wed, 04 Jan 2017) New Revision: 47712 Modified: data/CVE/list Log: piwigo removed Modified: data/CVE/list === --- data/CVE/list 2017-01-04 10:11:14 UTC (rev 47711) +++ data/CVE/list 2017-01-04 13:53:14 UTC (rev 47712) @@ -267,7 +267,7 @@ CVE-2016-10106 (Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR ...) TODO: check CVE-2016-10105 (admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections ...) - TODO: check + - piwigo CVE-2016-10104 RESERVED CVE-2016-10103 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47701 - data/CVE
Author: fgeek-guest Date: 2017-01-03 19:54:59 + (Tue, 03 Jan 2017) New Revision: 47701 Modified: data/CVE/list Log: add php unserialize() issue Modified: data/CVE/list === --- data/CVE/list 2017-01-03 19:30:43 UTC (rev 47700) +++ data/CVE/list 2017-01-03 19:54:59 UTC (rev 47701) @@ -1,5 +1,9 @@ CVE-2017- [wrestool: exploitable crash] - icoutils (bug #850017) +CVE-2016- [Use of uninitialized memory in unserialize()] + - php7.0 + - php5 + NOTE: https://bugs.php.net/bug.php?id=73832 CVE-2016-10109 [pcsc-lite use-after-free] - pcsc-lite 1.8.20-1 NOTE: https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47698 - data/CVE
Author: fgeek-guest Date: 2017-01-03 17:53:55 + (Tue, 03 Jan 2017) New Revision: 47698 Modified: data/CVE/list Log: add wrestool #850017 Modified: data/CVE/list === --- data/CVE/list 2017-01-03 15:48:11 UTC (rev 47697) +++ data/CVE/list 2017-01-03 17:53:55 UTC (rev 47698) @@ -1,3 +1,5 @@ +CVE-2017- [wrestool: exploitable crash] + - icoutils (bug #850017) CVE-2016-10109 [pcsc-lite use-after-free] - pcsc-lite 1.8.20-1 NOTE: https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47543 - data/CVE
Author: fgeek-guest Date: 2016-12-29 07:32:43 + (Thu, 29 Dec 2016) New Revision: 47543 Modified: data/CVE/list Log: CVE-2014-1934/eyed3 clarify hardening comment Modified: data/CVE/list === --- data/CVE/list 2016-12-29 07:09:45 UTC (rev 47542) +++ data/CVE/list 2016-12-29 07:32:43 UTC (rev 47543) @@ -88733,7 +88733,7 @@ [squeeze] - eyed3 (Minor issue) NOTE: Upstream patch: https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70 NOTE: https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to - NOTE: Neutralised by kernel temp hardening + NOTE: Neutralised by protected_symlinks kernel temp hardening CVE-2014-1933 (The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python ...) - pillow 2.4.0-1 (low; bug #737059) - python-imaging ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47342 - data/CVE
Author: fgeek-guest Date: 2016-12-22 14:12:55 + (Thu, 22 Dec 2016) New Revision: 47342 Modified: data/CVE/list Log: twiki Modified: data/CVE/list === --- data/CVE/list 2016-12-22 12:22:23 UTC (rev 47341) +++ data/CVE/list 2016-12-22 14:12:55 UTC (rev 47342) @@ -66021,7 +66021,7 @@ CVE-2014-9368 (Cross-site request forgery (CSRF) vulnerability in the twitterDash ...) NOT-FOR-US: WordPress plugin twitterDash CVE-2014-9367 (Incomplete blacklist vulnerability in the urlEncode function in ...) - NOT-FOR-US: Twiki + - twiki NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9367 CVE-2014-9366 RESERVED @@ -72674,7 +72674,7 @@ NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 CVE-2014-7236 RESERVED - NOT-FOR-US: TWiki + - twiki NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 CVE-2014-7235 (htdocs_ari/includes/login.php in the ARI Framework module/Asterisk ...) - freepbx (bug #464926) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47306 - data/CVE
Author: fgeek-guest Date: 2016-12-21 22:08:34 + (Wed, 21 Dec 2016) New Revision: 47306 Modified: data/CVE/list Log: CVE-2016-9838/joomla itp Modified: data/CVE/list === --- data/CVE/list 2016-12-21 22:07:21 UTC (rev 47305) +++ data/CVE/list 2016-12-21 22:08:34 UTC (rev 47306) @@ -2605,7 +2605,7 @@ NOTE: https://github.com/mapserver/mapserver/pull/4928 NOTE: https://github.com/mapserver/mapserver/pull/5356 CVE-2016-9838 (An issue was discovered in components/com_users/models/registration.php ...) - TODO: check + - joomla (bug #571794) CVE-2016-9837 (An issue was discovered in ...) TODO: check CVE-2016-9836 (The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47265 - data/CVE
Author: fgeek-guest Date: 2016-12-21 07:12:16 + (Wed, 21 Dec 2016) New Revision: 47265 Modified: data/CVE/list Log: CVE-2016-9586/curl Modified: data/CVE/list === --- data/CVE/list 2016-12-21 05:42:32 UTC (rev 47264) +++ data/CVE/list 2016-12-21 07:12:16 UTC (rev 47265) @@ -8271,8 +8271,11 @@ NOTE: https://www.spinics.net/lists/kvm/msg142495.html CVE-2016-9587 RESERVED -CVE-2016-9586 +CVE-2016-9586 [printf floating point buffer overflow] RESERVED + - curl + NOTE: https://curl.haxx.se/docs/adv_20161221A.html + TODO: check CVE-2016-9585 RESERVED NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47133 - data/CVE
Author: fgeek-guest Date: 2016-12-16 14:16:38 + (Fri, 16 Dec 2016) New Revision: 47133 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2016-12-16 14:13:09 UTC (rev 47132) +++ data/CVE/list 2016-12-16 14:16:38 UTC (rev 47133) @@ -11610,10 +11610,13 @@ RESERVED CVE-2016-8515 RESERVED + NOT-FOR-US: HPE Version Control Repository Manager CVE-2016-8514 RESERVED + NOT-FOR-US: HPE Version Control Repository Manager CVE-2016-8513 RESERVED + NOT-FOR-US: HPE Version Control Repository Manager CVE-2016-8512 RESERVED CVE-2016-8511 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46941 - data/CVE
Author: fgeek-guest Date: 2016-12-09 20:44:12 + (Fri, 09 Dec 2016) New Revision: 46941 Modified: data/CVE/list Log: fix typo Modified: data/CVE/list === --- data/CVE/list 2016-12-09 20:21:56 UTC (rev 46940) +++ data/CVE/list 2016-12-09 20:44:12 UTC (rev 46941) @@ -25560,7 +25560,7 @@ CVE-2015-8870 (Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows ...) - tiff 4.0.3-12 [wheezy] - tiff 4.0.2-6+deb7u4 - NOTE: Fixed already witht the patch applied in 4.0.3-12 in unstable for the + NOTE: Fixed already with the patch applied in 4.0.3-12 in unstable for the NOTE: CVE-2014-9330 issue. CVE-2013-7455 (Double free vulnerability in the DefaultICCintents function in ...) - lcms2 2.6-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46762 - data/CVE
Author: fgeek-guest Date: 2016-12-04 13:52:34 + (Sun, 04 Dec 2016) New Revision: 46762 Modified: data/CVE/list Log: fix typo Modified: data/CVE/list === --- data/CVE/list 2016-12-04 12:48:21 UTC (rev 46761) +++ data/CVE/list 2016-12-04 13:52:34 UTC (rev 46762) @@ -6948,7 +6948,7 @@ [wheezy] - jasper (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735 NOTE: The use-afer-free seems to be introduced in a version later tha 1.900.1 but the - NOTE: CVE is assigned for everytihng fixed in the above commit, a such seems till + NOTE: CVE is assigned for everything fixed in the above commit, a such seems till NOTE: present in the 1.900.1 based versions. NOTE: https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c TODO: double-check again ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46749 - data/CVE
Author: fgeek-guest Date: 2016-12-03 13:49:03 + (Sat, 03 Dec 2016) New Revision: 46749 Modified: data/CVE/list Log: tiff issue #2608 Modified: data/CVE/list === --- data/CVE/list 2016-12-03 13:46:20 UTC (rev 46748) +++ data/CVE/list 2016-12-03 13:49:03 UTC (rev 46749) @@ -1,3 +1,6 @@ +CVE-2016- [heap-based buffer overflow in TIFFFillStrip (tif_read.c)] + - tiff + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608 CVE-2016- [tiffcrop: divide-by-zero in readSeparateStripsIntoBuffer when BitsPerSample is missing] - tiff NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2619 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46748 - data/CVE
Author: fgeek-guest Date: 2016-12-03 13:46:20 + (Sat, 03 Dec 2016) New Revision: 46748 Modified: data/CVE/list Log: tiff issue #2619 Modified: data/CVE/list === --- data/CVE/list 2016-12-03 13:11:11 UTC (rev 46747) +++ data/CVE/list 2016-12-03 13:46:20 UTC (rev 46748) @@ -1,3 +1,6 @@ +CVE-2016- [tiffcrop: divide-by-zero in readSeparateStripsIntoBuffer when BitsPerSample is missing] + - tiff + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2619 CVE-2017- [simplesamlphp signature validation SSPSA 201612-01] - simplesamlphp 1.14.10-1 (low) [jessie] - simplesamlphp (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46404 - data/CVE
Author: fgeek-guest Date: 2016-11-21 20:51:54 + (Mon, 21 Nov 2016) New Revision: 46404 Modified: data/CVE/list Log: Remove trailing whitespaces Modified: data/CVE/list === --- data/CVE/list 2016-11-21 20:51:10 UTC (rev 46403) +++ data/CVE/list 2016-11-21 20:51:54 UTC (rev 46404) @@ -641,15 +641,15 @@ [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/296 NOTE: http://www.openwall.com/lists/oss-security/2016/11/13/1 -CVE-2016-9300 [maradns: remote crash bug in MaraDNS 2.0.13 js_readuint16] +CVE-2016-9300 [maradns: remote crash bug in MaraDNS 2.0.13 js_readuint16] RESERVED - maradns (bug #844121) NOTE: http://www.openwall.com/lists/oss-security/2016/11/12/3 -CVE-2016-9301 [maradns: remote crash bug in MaraDNS 2.0.13 js_substr] +CVE-2016-9301 [maradns: remote crash bug in MaraDNS 2.0.13 js_substr] RESERVED - maradns (bug #844121) NOTE: http://www.openwall.com/lists/oss-security/2016/11/12/3 -CVE-2016-9302 [maradns: remote crash bug in MaraDNS 2.0.13 process_query] +CVE-2016-9302 [maradns: remote crash bug in MaraDNS 2.0.13 process_query] RESERVED - maradns (bug #844121) NOTE: http://www.openwall.com/lists/oss-security/2016/11/12/3 @@ -5155,7 +5155,7 @@ NOTE: Fixed by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ba8682107ee2ca3347354e018865d8e1967c5f4 CVE-2016-7910 (Use-after-free vulnerability in the disk_seqf_stop function in ...) - linux 4.7.2-1 - NOTE: Fixed by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84 + NOTE: Fixed by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84 CVE-2016-7909 (The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick ...) {DLA-698-1 DLA-689-1} - qemu (bug #839834) @@ -7467,7 +7467,7 @@ NOT-FOR-US: Red Hat rhscon-core CVE-2016-7061 RESERVED - NOT-FOR-US: Red Hat JBoss Enterprise Application Platform + NOT-FOR-US: Red Hat JBoss Enterprise Application Platform CVE-2016-7060 RESERVED CVE-2016-7059 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46403 - data/CVE
Author: fgeek-guest Date: 2016-11-21 20:51:10 + (Mon, 21 Nov 2016) New Revision: 46403 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2016-11-21 20:49:11 UTC (rev 46402) +++ data/CVE/list 2016-11-21 20:51:10 UTC (rev 46403) @@ -16920,6 +16920,7 @@ TODO: check CVE-2016-4406 RESERVED + NOT-FOR-US: HPE iLO CVE-2016-4405 RESERVED CVE-2016-4404 @@ -36027,9 +36028,9 @@ - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://www.openwall.com/lists/oss-security/2015/09/10/1 -NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a -NOTE: exec_cmd introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7cff87ff6ab117799e32e42c2e4dc4c0588e583a -NOTE: cmd_table introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=844505b12e722d9ba7060480e766351fc6313501 + NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a + NOTE: exec_cmd introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7cff87ff6ab117799e32e42c2e4dc4c0588e583a + NOTE: cmd_table introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=844505b12e722d9ba7060480e766351fc6313501 CVE-2015-6927 (vzctl before 4.9.4 determines the virtual environment (VE) layout ...) {DSA-3357-1} - vzctl 4.9.4-1 @@ -121396,7 +121397,7 @@ - xen 4.4.0-1 [wheezy] - xen (Vulnerable code introduced after 0.14.50, embedded version is 0.10.2) NOTE: Xen switched to qemu-system in 4.4.0-1 -NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=edbb21363fbfe40e050f583df921484cbc31c79d + NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=edbb21363fbfe40e050f583df921484cbc31c79d CVE-2011-4110 (The user_update function in security/keys/user_defined.c in the Linux ...) {DSA-2389-1} - linux-2.6 3.1.4-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46343 - data/CVE
Author: fgeek-guest Date: 2016-11-19 11:34:39 + (Sat, 19 Nov 2016) New Revision: 46343 Modified: data/CVE/list Log: CVE-2016-9296/p7zip Modified: data/CVE/list === --- data/CVE/list 2016-11-19 11:18:32 UTC (rev 46342) +++ data/CVE/list 2016-11-19 11:34:39 UTC (rev 46343) @@ -560,7 +560,7 @@ NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2592 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/11/14 CVE-2016-9296 (A null pointer dereference bug affects the 16.02 and many old versions ...) - - p7zip (bug #844344) + - p7zip 16.02+dfsg-2 (bug #844344) [jessie] - p7zip (Vulnerable code with potential NULL pointer dereference introduced later) [wheezy] - p7zip (Vulnerable code with potential NULL pointer dereference introduced later) NOTE: https://sourceforge.net/p/p7zip/bugs/185/ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46338 - data/CVE
Author: fgeek-guest Date: 2016-11-19 09:23:31 + (Sat, 19 Nov 2016) New Revision: 46338 Modified: data/CVE/list Log: CVE-2016-9448/tiff Modified: data/CVE/list === --- data/CVE/list 2016-11-19 09:10:13 UTC (rev 46337) +++ data/CVE/list 2016-11-19 09:23:31 UTC (rev 46338) @@ -1,3 +1,7 @@ +CVE-2016-9448 [invalid read of size 1 in TIFFFetchNormalTag] + - tiff + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2593 + NOTE: Regression introduced by previous fix done on 2016-11-11 for CVE-2016-9297 CVE-2016-9421 RESERVED CVE-2016-9420 @@ -550,7 +554,6 @@ - tiff (bug #844226) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2590 NOTE: http://www.openwall.com/lists/oss-security/2016/11/12/2 - NOTE: Caused regression, which is fixed in http://bugzilla.maptools.org/show_bug.cgi?id=2593 CVE-2016- [tiffcrop: heap buffer overflow via writeBufferToSeparateStrips] - tiff (bug #844057) [jessie] - tiff (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46321 - data/CVE
Author: fgeek-guest Date: 2016-11-18 15:00:56 + (Fri, 18 Nov 2016) New Revision: 46321 Modified: data/CVE/list Log: tiff tiff2pdf out-of-bounds write memcpy Modified: data/CVE/list === --- data/CVE/list 2016-11-18 14:34:40 UTC (rev 46320) +++ data/CVE/list 2016-11-18 15:00:56 UTC (rev 46321) @@ -1,3 +1,8 @@ +CVE-2016- [tiff2pdf: out-of-bounds write memcpy] + - tiff + [jessie] - tiff (Minor issue) + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2579 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/18/4 CVE-2016- [gstreamer 0.10 VMNC code execution] - gst-plugins-bad0.10 [jessie] - gst-plugins-bad0.10 0.10.23-7.4+deb8u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46240 - data/CVE
Author: fgeek-guest Date: 2016-11-16 15:25:33 + (Wed, 16 Nov 2016) New Revision: 46240 Modified: data/CVE/list Log: CVE-2016-9297/tiff Modified: data/CVE/list === --- data/CVE/list 2016-11-16 11:19:25 UTC (rev 46239) +++ data/CVE/list 2016-11-16 15:25:33 UTC (rev 46240) @@ -115,6 +115,7 @@ - tiff (bug #844226) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2590 NOTE: http://www.openwall.com/lists/oss-security/2016/11/12/2 + NOTE: Caused regression, which is fixed in http://bugzilla.maptools.org/show_bug.cgi?id=2593 CVE-2016- [tiffcrop: heap buffer overflow via writeBufferToSeparateStrips] - tiff (bug #844057) [jessie] - tiff (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46235 - data/CVE
Author: fgeek-guest Date: 2016-11-16 08:02:27 + (Wed, 16 Nov 2016) New Revision: 46235 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2016-11-16 07:53:15 UTC (rev 46234) +++ data/CVE/list 2016-11-16 08:02:27 UTC (rev 46235) @@ -9705,11 +9705,11 @@ CVE-2016-1000126 (Reflected XSS in wordpress plugin admin-font-editor v1.8 ...) NOT-FOR-US: Wordpress plugin admin-font-editor CVE-2016-1000125 (Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla ...) - TODO: check + NOT-FOR-US: Joomla component Huge-IT Catalog CVE-2016-1000124 (Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin ...) - TODO: check + NOT-FOR-US: Joomla component Huge-IT Portfolio Gallery CVE-2016-1000123 (Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for ...) - TODO: check + NOT-FOR-US: Joomla component Huge-IT Video Gallery CVE-2016-1000122 (XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension ...) NOT-FOR-US: Joomla extension Huge IT Joomla Slider CVE-2016-1000121 (XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46222 - data/CVE
Author: fgeek-guest Date: 2016-11-16 05:45:25 + (Wed, 16 Nov 2016) New Revision: 46222 Modified: data/CVE/list Log: CVE-2016-1249/libdbd-mysql BTS Modified: data/CVE/list === --- data/CVE/list 2016-11-16 05:24:06 UTC (rev 46221) +++ data/CVE/list 2016-11-16 05:45:25 UTC (rev 46222) @@ -26684,7 +26684,7 @@ RESERVED CVE-2016-1249 [libdbd-mysql: out-of-bounds read] RESERVED - - libdbd-mysql-perl + - libdbd-mysql-perl (bug #844475) NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe NOTE: http://www.openwall.com/lists/oss-security/2016/11/16/1 CVE-2016-1248 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
Bug#844475: CVE-2016-1249: Out-of-bounds read by DBD::mysql
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Package: libdbd-mysql-perl Version: 4.037-5 Severity: important Tags: security, fixed-upstream, upstream Hi, the following vulnerability was published for libdbd-mysql-perl. CVE-2016-1249: Out-of-bounds read by DBD::mysql If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: http://www.openwall.com/lists/oss-security/2016/11/16/1 https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe Please adjust the affected versions in the BTS as needed. - -- Henri Salo -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJYK+6MAAoJECet96ROqnV0ArsP/3SLmKhsiPGu1gKBvr44t8Fn 65ZyBPjqqhTnxGUvwFO4Yb6XqXPy8iYdQ0WBknCx9E2B2ydnX/3MliCnNWvKe5rc SXpK549ULqyS31GuYqzubi+h8tNrKwtZuaLSSp1qMIX+u4Q3819DC1tEAadFUe2v jnGssmuJrd5N53xLZKe02d8D2OZuRZBWLqCJ+KjS/gE0RNr5kaMtuHEwgEYvmApA sSFXfJfTlM/GYPYqiFuOjY6BJ3V9N5C7Hp2yEuE0RPN7y3dj0FgiOXgk6zAB3tKV DdKM49G49fM4Kt7FTmNoq5tIR7/m3Jwy50NbNOzwawzFo6M1wosr0jyr4zlGjmMX zpiD5HEUlwDBvSvwjtUm54evOfs6iQqCskqBiOJGVRTL6KlctKYcul0dew3yvQEF EYlWdldipSSzXAfIRZ5887y3HE8uBy+RLy+YCIwiHYEITkGGpBjENOocHjWqermJ sTkJX2RjvgxAWIVsSU4wS4K59XLalzjwIGi+DwjIAk1g0+UTfKOOXnldg4S7N3/j xKLSOubzSFhMQoIf9NY2E1ek5R0WySP37yT2D1J0yuzdiUwlmqPxt0WSnc5i3FXf 9+WU2Jx18++WiqCyjjFbBgj+DO23UPrxNVZ3TrNSNJiD8EkLTVRpiEbQU80qQJmS 9mU9y9I1Dw/y4E4i8AHK =Ki3r -END PGP SIGNATURE-
[Secure-testing-commits] r46221 - data/CVE
Author: fgeek-guest Date: 2016-11-16 05:24:06 + (Wed, 16 Nov 2016) New Revision: 46221 Modified: data/CVE/list Log: CVE-2016-1249/libdbd-mysql-perl Modified: data/CVE/list === --- data/CVE/list 2016-11-15 21:10:12 UTC (rev 46220) +++ data/CVE/list 2016-11-16 05:24:06 UTC (rev 46221) @@ -26682,8 +26682,11 @@ RESERVED CVE-2016-1250 RESERVED -CVE-2016-1249 +CVE-2016-1249 [libdbd-mysql: out-of-bounds read] RESERVED + - libdbd-mysql-perl + NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe + NOTE: http://www.openwall.com/lists/oss-security/2016/11/16/1 CVE-2016-1248 RESERVED CVE-2016-1247 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46182 - data/CVE
Author: fgeek-guest Date: 2016-11-14 15:06:25 + (Mon, 14 Nov 2016) New Revision: 46182 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2016-11-14 15:02:09 UTC (rev 46181) +++ data/CVE/list 2016-11-14 15:06:25 UTC (rev 46182) @@ -5345,10 +5345,13 @@ RESERVED CVE-2016-7490 RESERVED + NOT-FOR-US: Teradata Studio Express CVE-2016-7489 RESERVED + NOT-FOR-US: Teradata Virtual Machine Community Edition CVE-2016-7488 RESERVED + NOT-FOR-US: Teradata Virtual Machine Community Edition CVE-2016-7487 RESERVED CVE-2016-7486 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46180 - data/CVE
Author: fgeek-guest Date: 2016-11-14 14:57:57 + (Mon, 14 Nov 2016) New Revision: 46180 Modified: data/CVE/list Log: CVE-2016-9296/p7zip Modified: data/CVE/list === --- data/CVE/list 2016-11-14 13:21:51 UTC (rev 46179) +++ data/CVE/list 2016-11-14 14:57:57 UTC (rev 46180) @@ -17,6 +17,9 @@ [jessie] - tiff (Minor issue) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2592 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/11/14 +CVE-2016-9296 + - p7zip + TODO: check CVE-2016-9276 [heap-based buffer overflow in dwarf_get_aranges_list (dwarf_arange.c)] - dwarfutils (bug #844011) [jessie] - dwarfutils (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46181 - data/CVE
Author: fgeek-guest Date: 2016-11-14 15:02:09 + (Mon, 14 Nov 2016) New Revision: 46181 Modified: data/CVE/list Log: moin CVE-2016-7146 and CVE-2016-7148 Modified: data/CVE/list === --- data/CVE/list 2016-11-14 14:57:57 UTC (rev 46180) +++ data/CVE/list 2016-11-14 15:02:09 UTC (rev 46181) @@ -6297,10 +6297,14 @@ NOT-FOR-US: b2evolution CVE-2016-7148 RESERVED + - moin + TODO: check CVE-2016-7147 RESERVED CVE-2016-7146 RESERVED + - moin + TODO: check CVE-2016-7122 RESERVED - ffmpeg 7:3.1.4-1 (bug #840434) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46154 - data/CVE
Author: fgeek-guest Date: 2016-11-13 12:37:51 + (Sun, 13 Nov 2016) New Revision: 46154 Modified: data/CVE/list Log: jenkins unauthenticated remote code execution Modified: data/CVE/list === --- data/CVE/list 2016-11-13 12:36:31 UTC (rev 46153) +++ data/CVE/list 2016-11-13 12:37:51 UTC (rev 46154) @@ -1,3 +1,6 @@ +CVE-2016- [jenkins: unauthenticated remote code execution] + - jenkins + NOTE: CVE Request http://www.openwall.com/lists/oss-security/2016/11/12/4 CVE-2016- [heap overflow in WaveletDenoiseImage()] - imagemagick NOTE: CVE request: http://www.openwall.com/lists/oss-security/2016/11/13/1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46153 - data/CVE
Author: fgeek-guest Date: 2016-11-13 12:36:31 + (Sun, 13 Nov 2016) New Revision: 46153 Modified: data/CVE/list Log: imagemagick heap overflow in WaveletDenoiseImage( Modified: data/CVE/list === --- data/CVE/list 2016-11-13 10:14:09 UTC (rev 46152) +++ data/CVE/list 2016-11-13 12:36:31 UTC (rev 46153) @@ -1,3 +1,6 @@ +CVE-2016- [heap overflow in WaveletDenoiseImage()] + - imagemagick + NOTE: CVE request: http://www.openwall.com/lists/oss-security/2016/11/13/1 CVE-2016- [maradns: Remote crash in MaraDNS 2.0.13 and git master] - maradns (bug #844121) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/12/3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46146 - data/CVE
Author: fgeek-guest Date: 2016-11-12 23:58:07 + (Sat, 12 Nov 2016) New Revision: 46146 Modified: data/CVE/list Log: tiff read outside buffer in _TIFFPrintField Modified: data/CVE/list === --- data/CVE/list 2016-11-12 19:35:48 UTC (rev 46145) +++ data/CVE/list 2016-11-12 23:58:07 UTC (rev 46146) @@ -1,6 +1,10 @@ CVE-2016- [maradns: Remote crash in MaraDNS 2.0.13 and git master] - maradns (bug #844121) NOTE: CVE Request: http://seclists.org/oss-sec/2016/q4/411 +CVE-2016- [libtiff/tif_dirread.c read outside buffer in _TIFFPrintField()] + - tiff + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2590 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/11/12/2 CVE-2016- [tiffcrop: heap buffer overflow via writeBufferToSeparateStrips] - tiff (bug #844057) [jessie] - tiff (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46135 - data/CVE
Author: fgeek-guest Date: 2016-11-11 21:01:48 + (Fri, 11 Nov 2016) New Revision: 46135 Modified: data/CVE/list Log: tiffcrop heap buffer overflow via writeBufferToSeparateStrips Modified: data/CVE/list === --- data/CVE/list 2016-11-11 20:43:20 UTC (rev 46134) +++ data/CVE/list 2016-11-11 21:01:48 UTC (rev 46135) @@ -1,3 +1,7 @@ +CVE-2016- [tiffcrop: heap buffer overflow via writeBufferToSeparateStrips] + - tiff + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2592 + NOTE: CVE request: http://www.openwall.com/lists/oss-security/2016/11/11/14 CVE-2016-9276 [heap-based buffer overflow in dwarf_get_aranges_list (dwarf_arange.c)] - dwarfutils (bug #844011) [jessie] - dwarfutils (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46122 - data/CVE
Author: fgeek-guest Date: 2016-11-11 16:15:09 + (Fri, 11 Nov 2016) New Revision: 46122 Modified: data/CVE/list Log: correct oss-security url Modified: data/CVE/list === --- data/CVE/list 2016-11-11 15:39:07 UTC (rev 46121) +++ data/CVE/list 2016-11-11 16:15:09 UTC (rev 46122) @@ -1,7 +1,7 @@ CVE-2016-9273 [libtiff heap overflow] - tiff NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2587 - NOTE: http://seclists.org/oss-sec/2016/q4/381 + NOTE: http://www.openwall.com/lists/oss-security/2016/11/09/20 CVE-2016-9261 RESERVED CVE-2016-9260 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46078 - data/CVE
Author: fgeek-guest Date: 2016-11-09 07:34:46 + (Wed, 09 Nov 2016) New Revision: 46078 Modified: data/CVE/list Log: CVE-2016-8632/linux update Modified: data/CVE/list === --- data/CVE/list 2016-11-09 07:03:13 UTC (rev 46077) +++ data/CVE/list 2016-11-09 07:34:46 UTC (rev 46078) @@ -1642,7 +1642,7 @@ - linux NOTE: https://git.kernel.org/linus/667121ace9dbafb368618dbabcf07901c962ddac NOTE: https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/ -CVE-2016-8632 +CVE-2016-8632 [tipc_msg_build() doesn't validate MTU that can trigger heap overflow] RESERVED - linux NOTE: https://www.mail-archive.com/netdev@vger.kernel.org/msg133205.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46077 - data/CVE
Author: fgeek-guest Date: 2016-11-09 07:03:13 + (Wed, 09 Nov 2016) New Revision: 46077 Modified: data/CVE/list Log: NFU HPSBGN03643 Modified: data/CVE/list === --- data/CVE/list 2016-11-09 06:08:31 UTC (rev 46076) +++ data/CVE/list 2016-11-09 07:03:13 UTC (rev 46077) @@ -15962,10 +15962,13 @@ RESERVED CVE-2016-4404 RESERVED + NOT-FOR-US: HPE KeyView using Filter SDK CVE-2016-4403 RESERVED + NOT-FOR-US: HPE KeyView using Filter SDK CVE-2016-4402 RESERVED + NOT-FOR-US: HPE KeyView using Filter SDK CVE-2016-4401 RESERVED CVE-2016-4400 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46033 - data/CVE
Author: fgeek-guest Date: 2016-11-07 07:18:18 + (Mon, 07 Nov 2016) New Revision: 46033 Modified: data/CVE/list Log: CVE-2016-8858/openssh note Modified: data/CVE/list === --- data/CVE/list 2016-11-07 06:32:20 UTC (rev 46032) +++ data/CVE/list 2016-11-07 07:18:18 UTC (rev 46033) @@ -1235,6 +1235,7 @@ [jessie] - openssh (Minor issue) [wheezy] - openssh (Minor issue) NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127=text/x-cvsweb-markup + NOTE: Only thing the attacker could do here is self-dos own connection CVE-2016-8862 [imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)] RESERVED - imagemagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45923 - data/CVE
Author: fgeek-guest Date: 2016-11-03 10:47:01 + (Thu, 03 Nov 2016) New Revision: 45923 Modified: data/CVE/list Log: CVE-2016-7035/pacemaker Modified: data/CVE/list === --- data/CVE/list 2016-11-03 10:18:00 UTC (rev 45922) +++ data/CVE/list 2016-11-03 10:47:01 UTC (rev 45923) @@ -6289,8 +6289,11 @@ RESERVED CVE-2016-7036 RESERVED -CVE-2016-7035 +CVE-2016-7035 [improper IPC guarding] RESERVED + - pacemaker + NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/5 + TODO: check CVE-2016-7034 (The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly ...) NOT-FOR-US: JBoss BPMS CVE-2016-7033 (Multiple cross-site scripting (XSS) vulnerabilities in the admin pages ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45913 - data/CVE
Author: fgeek-guest Date: 2016-11-03 07:40:10 + (Thu, 03 Nov 2016) New Revision: 45913 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2016-11-03 06:19:35 UTC (rev 45912) +++ data/CVE/list 2016-11-03 07:40:10 UTC (rev 45913) @@ -8220,6 +8220,7 @@ RESERVED CVE-2016-6447 RESERVED + NOT-FOR-US: Cisco Meeting Server and Meeting App CVE-2016-6446 (A vulnerability in Web Bridge for Cisco Meeting Server could allow an ...) TODO: check CVE-2016-6445 (A vulnerability in the Extensible Messaging and Presence Protocol ...) @@ -8232,6 +8233,7 @@ TODO: check CVE-2016-6441 RESERVED + NOT-FOR-US: Cisco ASR 900 Series Aggregation Services Routers CVE-2016-6440 (The Cisco Unified Communications Manager (CUCM) may be vulnerable to ...) TODO: check CVE-2016-6439 (A vulnerability in the detection engine reassembly of HTTP packets for ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45881 - data
Author: fgeek-guest Date: 2016-11-02 09:40:24 + (Wed, 02 Nov 2016) New Revision: 45881 Modified: data/embedded-code-copies Log: sfftobmp embeds tiff tools code Modified: data/embedded-code-copies === --- data/embedded-code-copies 2016-11-02 09:32:23 UTC (rev 45880) +++ data/embedded-code-copies 2016-11-02 09:40:24 UTC (rev 45881) @@ -329,6 +329,7 @@ - ghostscript 8.71~dfsg-1 (embed) - povray (embed) - insighttoolkit4 (embed) + - sfftobmp (embed) uudeview - libconvert-uulib-perl (embed) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits