[Secure-testing-commits] r56166 - in data: . DSA

2017-09-26 Thread Florian Weimer
Author: fw
Date: 2017-09-26 19:39:04 + (Tue, 26 Sep 2017)
New Revision: 56166

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3984-1 git


Modified: data/DSA/list
===
--- data/DSA/list   2017-09-26 19:03:31 UTC (rev 56165)
+++ data/DSA/list   2017-09-26 19:39:04 UTC (rev 56166)
@@ -1,3 +1,6 @@
+[26 Sep 2017] DSA-3984-1 git - security update
+   [jessie] - git 1:2.1.4-2.1+deb8u5 (bug #876854)
+   [stretch] - git 1:2.11.0-3+deb9u2 (bug #876854)
 [22 Sep 2017] DSA-3983-1 samba - security update
{CVE-2017-12150 CVE-2017-12151 CVE-2017-12163}
[jessie] - samba 2:4.2.14+dfsg-0+deb8u8
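Review bot: The new DSA-3984-1 git entry carries no {CVE-...} line, while the DSA-3983-1 samba entry directly below it and the other security-update entries in this file do; if the identifier had not been assigned when this was committed, it should be added in a follow-up so the tracker can tie the advisory to its CVE record.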

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-09-26 19:03:31 UTC (rev 56165)
+++ data/dsa-needed.txt 2017-09-26 19:39:04 UTC (rev 56166)
@@ -25,8 +25,6 @@
 --
 graphicsmagick
 --
-git
---
 git-annex (seb)
   2017-08-23: sent email to Richard Hartmann
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r47932 - in data: . DSA

2017-01-11 Thread Florian Weimer
Author: fw
Date: 2017-01-11 21:48:04 + (Wed, 11 Jan 2017)
New Revision: 47932

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3758-1 bind9


Modified: data/DSA/list
===
--- data/DSA/list   2017-01-11 21:31:09 UTC (rev 47931)
+++ data/DSA/list   2017-01-11 21:48:04 UTC (rev 47932)
@@ -1,3 +1,6 @@
+[11 Jan 2017] DSA-3758-1 bind9 - security update
+   {CVE-2016-9131 CVE-2016-9147 CVE-2016-9444}
+   [jessie] - bind9 1:9.9.5.dfsg-9+deb8u9
 [11 Jan 2017] DSA-3757-1 icedove - security update
{CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9899 
CVE-2016-9900 CVE-2016-9904 CVE-2016-9905}
[jessie] - icedove 1:45.6.0-1~deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-01-11 21:31:09 UTC (rev 47931)
+++ data/dsa-needed.txt 2017-01-11 21:48:04 UTC (rev 47932)
@@ -17,8 +17,6 @@
 apache2
  sf is working on an update, but needs extra testing due to invasive changes
 --
-bind9 (fw)
---
 graphicsmagick
 --
 icoutils (carnil)




[Secure-testing-commits] r45857 - data/DSA

2016-11-01 Thread Florian Weimer
Author: fw
Date: 2016-11-01 21:28:30 + (Tue, 01 Nov 2016)
New Revision: 45857

Modified:
   data/DSA/list
Log:
DSA-3703-1 bind9


Modified: data/DSA/list
===
--- data/DSA/list   2016-11-01 21:10:11 UTC (rev 45856)
+++ data/DSA/list   2016-11-01 21:28:30 UTC (rev 45857)
@@ -1,3 +1,6 @@
+[01 Nov 2016] DSA-3703-1 bind9 - security update
+   {CVE-2016-8864}
+   [jessie] - bind9 1:9.9.5.dfsg-9+deb8u8
 [01 Nov 2016] DSA-3702-1 tar - security update
{CVE-2016-6321}
[jessie] - tar 1.27.1-2+deb8u1




[Secure-testing-commits] r45599 - data/DSA

2016-10-25 Thread Florian Weimer
Author: fw
Date: 2016-10-25 18:31:02 + (Tue, 25 Oct 2016)
New Revision: 45599

Modified:
   data/DSA/list
Log:
Summary: DSA-3701-1 nginx


Modified: data/DSA/list
===
--- data/DSA/list   2016-10-25 18:12:43 UTC (rev 45598)
+++ data/DSA/list   2016-10-25 18:31:02 UTC (rev 45599)
@@ -1,3 +1,6 @@
+[25 Oct 2016] DSA-3701-1 nginx - security update
+   {CVE-2016-1247}
+   [jessie] - nginx 1.6.2-5+deb8u3
 [25 Oct 2016] DSA-3700-1 asterisk - security update
{CVE-2015-3008 CVE-2016-2232 CVE-2016-2316 CVE-2016-7551}
[jessie] - asterisk 1:11.13.1~dfsg-2+deb8u1




[Secure-testing-commits] r45435 - data/CVE

2016-10-18 Thread Florian Weimer
Author: fw
Date: 2016-10-18 20:15:04 + (Tue, 18 Oct 2016)
New Revision: 45435

Modified:
   data/CVE/list
Log:
CVE-2016-1245 quagga fixed


Modified: data/CVE/list
===
--- data/CVE/list   2016-10-18 19:46:53 UTC (rev 45434)
+++ data/CVE/list   2016-10-18 20:15:04 UTC (rev 45435)
@@ -24317,7 +24317,7 @@
NOTE: 
https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2
 (4.037)
 CVE-2016-1245
RESERVED
-   - quagga  (bug #841162)
+   - quagga 1.0.20160315-3 (bug #841162)
NOTE: Fixed by: 
https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
NOTE: 
https://lists.quagga.net/pipermail/quagga-users/2016-October/014478.html
 CVE-2016-1244 (The extractTree function in unADF allows remote attackers to 
execute ...)




[Secure-testing-commits] r45434 - data/DSA

2016-10-18 Thread Florian Weimer
Author: fw
Date: 2016-10-18 19:46:53 + (Tue, 18 Oct 2016)
New Revision: 45434

Modified:
   data/DSA/list
Log:
Summary: DSA-3695-1 quagga


Modified: data/DSA/list
===
--- data/DSA/list   2016-10-18 19:16:58 UTC (rev 45433)
+++ data/DSA/list   2016-10-18 19:46:53 UTC (rev 45434)
@@ -1,3 +1,6 @@
+[18 Oct 2016] DSA-3695-1 quagga - security update
+   {CVE-2016-1245}
+   [jessie] - quagga 0.99.23.1-1+deb8u3
 [18 Oct 2016] DSA-3694-1 tor - security update
[jessie] - tor 0.2.5.12-3
 [14 Oct 2016] DSA-3693-1 libgd2 - security update




[Secure-testing-commits] r45088 - in data: . DSA

2016-10-05 Thread Florian Weimer
Author: fw
Date: 2016-10-05 19:24:06 + (Wed, 05 Oct 2016)
New Revision: 45088

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3688-1 nss

Modified: data/DSA/list
===
--- data/DSA/list   2016-10-05 19:21:26 UTC (rev 45087)
+++ data/DSA/list   2016-10-05 19:24:06 UTC (rev 45088)
@@ -1,3 +1,6 @@
+[05 Oct 2016] DSA-3688-1 nss - security update
+   {CVE-2015-4000 CVE-2015-7181 CVE-2015-7182 CVE-2015-7575 CVE-2016-1938 
CVE-2016-1950 CVE-2016-1978 CVE-2016-1979 CVE-2016-2834}
+   [jessie] - nss 2:3.26-1+debu8u1
 [05 Oct 2016] DSA-3687-1 nspr - security update
{CVE-2016-1951}
[jessie] - nspr 2:4.12-1+debu8u1
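Review bot: The jessie version on the new nss line is 2:3.26-1+debu8u1, and the nspr context line below it uses the same +debu8u1 suffix, whereas every other jessie entry in this file uses the +deb8uN form. The tracker compares these strings against the archive literally, so the value is correct only if it is the version string of the packages that were actually uploaded; confirm it against the upload rather than "fixing" it to +deb8u1 on assumption.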

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-10-05 19:21:26 UTC (rev 45087)
+++ data/dsa-needed.txt 2016-10-05 19:24:06 UTC (rev 45088)
@@ -24,8 +24,6 @@
 --
 linux
 --
-nss (fw)
---
 php5
 --
 qemu




[Secure-testing-commits] r45086 - data/DSA

2016-10-05 Thread Florian Weimer
Author: fw
Date: 2016-10-05 18:44:32 + (Wed, 05 Oct 2016)
New Revision: 45086

Modified:
   data/DSA/list
Log:
Summary: DSA-3686-1 icedove


Modified: data/DSA/list
===
--- data/DSA/list   2016-10-05 18:42:32 UTC (rev 45085)
+++ data/DSA/list   2016-10-05 18:44:32 UTC (rev 45086)
@@ -1,6 +1,9 @@
 [05 Oct 2016] DSA-3687-1 nspr - security update
{CVE-2016-1951}
[jessie] - nspr 2:4.12-1+debu8u1
+[05 Oct 2016] DSA-3686-1 icedove - security update
+   {CVE-2016-2836}
+   [jessie] - icedove 1:45.3.0-1~deb8u1
 [04 Oct 2016] DSA-3685-1 libav - security update
{CVE-2016-7424}
[jessie] - libav 6:11.8-1~deb8u1




[Secure-testing-commits] r45085 - data/DSA

2016-10-05 Thread Florian Weimer
Author: fw
Date: 2016-10-05 18:42:32 + (Wed, 05 Oct 2016)
New Revision: 45085

Modified:
   data/DSA/list
Log:
Summary: Correct DSA number


Modified: data/DSA/list
===
--- data/DSA/list   2016-10-05 18:35:38 UTC (rev 45084)
+++ data/DSA/list   2016-10-05 18:42:32 UTC (rev 45085)
@@ -1,4 +1,4 @@
-[05 Oct 2016] DSA-3686-1 nspr - security update
+[05 Oct 2016] DSA-3687-1 nspr - security update
{CVE-2016-1951}
[jessie] - nspr 2:4.12-1+debu8u1
 [04 Oct 2016] DSA-3685-1 libav - security update




[Secure-testing-commits] r45084 - in data: . DSA

2016-10-05 Thread Florian Weimer
Author: fw
Date: 2016-10-05 18:35:38 + (Wed, 05 Oct 2016)
New Revision: 45084

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3686-1 nspr


Modified: data/DSA/list
===
--- data/DSA/list   2016-10-05 18:22:15 UTC (rev 45083)
+++ data/DSA/list   2016-10-05 18:35:38 UTC (rev 45084)
@@ -1,3 +1,6 @@
+[05 Oct 2016] DSA-3686-1 nspr - security update
+   {CVE-2016-1951}
+   [jessie] - nspr 2:4.12-1+debu8u1
 [04 Oct 2016] DSA-3685-1 libav - security update
{CVE-2016-7424}
[jessie] - libav 6:11.8-1~deb8u1
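Review bot: This entry records nspr under DSA-3686-1, but r45086 on this page records DSA-3686-1 as icedove and r45085 renumbers the nspr entry to DSA-3687-1; checking the last allocated advisory number in this file before adding an entry avoids the extra correction commit. The +debu8u1 suffix on the jessie line also differs from the +deb8uN form used by the libav line below it and should be confirmed against the upload.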

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-10-05 18:22:15 UTC (rev 45083)
+++ data/dsa-needed.txt 2016-10-05 18:35:38 UTC (rev 45084)
@@ -24,8 +24,6 @@
 --
 linux
 --
-nspr (fw)
---
 nss (fw)
 --
 php5




[Secure-testing-commits] r45007 - data/DSA

2016-10-03 Thread Florian Weimer
Author: fw
Date: 2016-10-03 17:05:00 + (Mon, 03 Oct 2016)
New Revision: 45007

Modified:
   data/DSA/list
Log:
Summary: DSA-3684-1 libdbd-mysql-perl


Modified: data/DSA/list
===
--- data/DSA/list   2016-10-03 17:04:44 UTC (rev 45006)
+++ data/DSA/list   2016-10-03 17:05:00 UTC (rev 45007)
@@ -1,3 +1,6 @@
+[03 Oct 2016] DSA-3684-1 libdbd-mysql-perl - security update
+   {CVE-2016-1246}
+   [jessie] - libdbd-mysql-perl 4.028-2+deb8u2
 [02 Oct 2016] DSA-3683-1 chromium-browser - security update
{CVE-2016-5177 CVE-2016-5178}
[jessie] - chromium-browser 53.0.2785.143-1~deb8u1




[Secure-testing-commits] r45006 - data/CVE

2016-10-03 Thread Florian Weimer
Author: fw
Date: 2016-10-03 17:04:44 + (Mon, 03 Oct 2016)
New Revision: 45006

Modified:
   data/CVE/list
Log:
Summary: CVE-2016-1246 is low


Caught by _FORTIFY_SOURCE=2 (verified on jessie).


Modified: data/CVE/list
===
--- data/CVE/list   2016-10-03 15:53:26 UTC (rev 45005)
+++ data/CVE/list   2016-10-03 17:04:44 UTC (rev 45006)
@@ -23349,7 +23349,7 @@
RESERVED
 CVE-2016-1246
RESERVED
-   - libdbd-mysql-perl 4.037-1
+   - libdbd-mysql-perl 4.037-1 (low)
NOTE: 
https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2
 (4.037)
 CVE-2016-1245
RESERVED




[Secure-testing-commits] r44969 - data

2016-10-02 Thread Florian Weimer
Author: fw
Date: 2016-10-02 20:50:13 + (Sun, 02 Oct 2016)
New Revision: 44969

Modified:
   data/dsa-needed.txt
Log:
Summary: nspr needs an update as well


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-10-02 20:09:40 UTC (rev 44968)
+++ data/dsa-needed.txt 2016-10-02 20:50:13 UTC (rev 44969)
@@ -29,6 +29,8 @@
 --
 linux
 --
+nspr (fw)
+--
 nss (fw)
 --
 php5




[Secure-testing-commits] r44968 - data/CVE

2016-10-02 Thread Florian Weimer
Author: fw
Date: 2016-10-02 20:09:40 + (Sun, 02 Oct 2016)
New Revision: 44968

Modified:
   data/CVE/list
Log:
Summary: nspr, nss unprotected environment variables


Modified: data/CVE/list
===
--- data/CVE/list   2016-10-02 18:43:44 UTC (rev 44967)
+++ data/CVE/list   2016-10-02 20:09:40 UTC (rev 44968)
@@ -1,3 +1,8 @@
+CVE-2016- [nspr, nss: unprotected environment variables]
+   - nspr 2:4.12-1 (low)
+   - nss 2:3.23-1 (low)
+   NOTE: 
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.22.1_release_notes
+   NOTE: http://www.openwall.com/lists/oss-security/2016/10/02/4
 CVE-2016- [ghostscript: various sandbox escapes]
- ghostscript  (high; bug #839260)
NOTE: http://www.openwall.com/lists/oss-security/2016/09/29/3




[Secure-testing-commits] r44949 - data/CVE

2016-09-30 Thread Florian Weimer
Author: fw
Date: 2016-09-30 21:42:18 + (Fri, 30 Sep 2016)
New Revision: 44949

Modified:
   data/CVE/list
Log:
Summary: New ghostscript issues


Modified: data/CVE/list
===
--- data/CVE/list   2016-09-30 21:35:43 UTC (rev 44948)
+++ data/CVE/list   2016-09-30 21:42:18 UTC (rev 44949)
@@ -1,3 +1,8 @@
+CVE-2016- [ghostscript: various sandbox escapes]
+   - ghostscript  (high; bug #839260)
+   NOTE: http://www.openwall.com/lists/oss-security/2016/09/29/3
+   NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697169
+   NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697178
 CVE-2016-8390
RESERVED
 CVE-2016-8389




[Secure-testing-commits] r44945 - in data: CVE DSA

2016-09-30 Thread Florian Weimer
Author: fw
Date: 2016-09-30 19:15:50 + (Fri, 30 Sep 2016)
New Revision: 44945

Modified:
   data/CVE/list
   data/DSA/list
Log:
DSA-3682-1 c-ares

Unstable has already been fixed.


Modified: data/CVE/list
===
--- data/CVE/list   2016-09-30 16:48:52 UTC (rev 44944)
+++ data/CVE/list   2016-09-30 19:15:50 UTC (rev 44945)
@@ -10195,7 +10195,7 @@
RESERVED
 CVE-2016-5180 [c-ares: OOB write in ares_create_query and ares_mkquery]
RESERVED
-   - c-ares  (medium; bug #839151)
+   - c-ares 1.12.0-1 (medium; bug #839151)
NOTE: https://c-ares.haxx.se/adv_20160929.html
NOTE: https://c-ares.haxx.se/CVE-2016-5180.patch
 CVE-2016-5179

Modified: data/DSA/list
===
--- data/DSA/list   2016-09-30 16:48:52 UTC (rev 44944)
+++ data/DSA/list   2016-09-30 19:15:50 UTC (rev 44945)
@@ -1,3 +1,6 @@
+[30 Sep 2016] DSA-3682-1 c-ares - security update
+   {CVE-2016-5180}
+   [jessie] - c-ares 1.10.0-2+deb8u1
 [29 Sep 2016] DSA-3681-1 wordpress - security update
{CVE-2016-4029 CVE-2016-6634 CVE-2016-6635 CVE-2016-7168 CVE-2016-7169}
[jessie] - wordpress 4.1+dfsg-1+deb8u10




[Secure-testing-commits] r44928 - data/DSA

2016-09-27 Thread Florian Weimer
Author: fw
Date: 2016-09-27 18:41:43 + (Tue, 27 Sep 2016)
New Revision: 44928

Modified:
   data/DSA/list
Log:
DSA-3680-1 bind9


Modified: data/DSA/list
===
--- data/DSA/list   2016-09-27 18:20:48 UTC (rev 44927)
+++ data/DSA/list   2016-09-27 18:41:43 UTC (rev 44928)
@@ -1,3 +1,6 @@
+[27 Sep 2016] DSA-3680-1 bind9 - security update
+   {CVE-2016-2775 CVE-2016-2776}
+   [jessie] - bind9 1:9.9.5.dfsg-9+deb8u7
 [27 Sep 2016] DSA-3679-1 jackrabbit - security update
{CVE-2016-6801}
[jessie] - jackrabbit 2.3.6-1+deb8u2




[Secure-testing-commits] r44926 - data/CVE

2016-09-27 Thread Florian Weimer
Author: fw
Date: 2016-09-27 17:24:53 + (Tue, 27 Sep 2016)
New Revision: 44926

Modified:
   data/CVE/list
Log:
Summary: CVE-2016-2776 bind9


Modified: data/CVE/list
===
--- data/CVE/list   2016-09-27 13:17:45 UTC (rev 44925)
+++ data/CVE/list   2016-09-27 17:24:53 UTC (rev 44926)
@@ -17350,8 +17350,9 @@
RESERVED
 CVE-2016-2777
REJECTED
-CVE-2016-2776
+CVE-2016-2776 [BIND assertion failure due to crafted query]
RESERVED
+   - bind9  (bug #839010)
 CVE-2016-2775 (ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 
9.11.x ...)
- bind9  (bug #831796)
[jessie] - bind9  (Minor issue; lwresd not commonly used)




[Secure-testing-commits] r44922 - data/DSA

2016-09-27 Thread Florian Weimer
Author: fw
Date: 2016-09-27 10:27:51 + (Tue, 27 Sep 2016)
New Revision: 44922

Modified:
   data/DSA/list
Log:
Summary: DSA-3679-1 jackrabbit


Modified: data/DSA/list
===
--- data/DSA/list   2016-09-27 10:26:00 UTC (rev 44921)
+++ data/DSA/list   2016-09-27 10:27:51 UTC (rev 44922)
@@ -1,3 +1,6 @@
+[27 Sep 2016] DSA-3679-1 jackrabbit - security update
+   {CVE-2016-6801}
+   [jessie] - jackrabbit 2.3.6-1+deb8u2
 [26 Sep 2016] DSA-3678-1 python-django - security update
{CVE-2016-7401}
[jessie] - python-django 1.7.11-1+deb8u1




[Secure-testing-commits] r40957 - data/DSA

2016-04-16 Thread Florian Weimer
Author: fw
Date: 2016-04-16 20:59:07 + (Sat, 16 Apr 2016)
New Revision: 40957

Modified:
   data/DSA/list
Log:
DSA-3551-1 fuseiso


Modified: data/DSA/list
===
--- data/DSA/list   2016-04-16 15:51:08 UTC (rev 40956)
+++ data/DSA/list   2016-04-16 20:59:07 UTC (rev 40957)
@@ -1,3 +1,6 @@
+[16 Apr 2016] DSA-3551-1 fuseiso - security update
+   {CVE-2015-8836 CVE-2015-8837}
+   [wheezy] - fuseiso 20070708-3+deb7u1
 [15 Apr 2016] DSA-3550-1 openssh - security update
{CVE-2015-8325}
[wheezy] - openssh 1:6.0p1-4+deb7u4




[Secure-testing-commits] r37902 - data/DSA

2015-11-25 Thread Florian Weimer
Author: fw
Date: 2015-11-25 21:24:22 + (Wed, 25 Nov 2015)
New Revision: 37902

Modified:
   data/DSA/list
Log:
DSA-3405-1 smokeping


Modified: data/DSA/list
===
--- data/DSA/list   2015-11-25 21:10:12 UTC (rev 37901)
+++ data/DSA/list   2015-11-25 21:24:22 UTC (rev 37902)
@@ -1,3 +1,7 @@
+[25 Nov 2015] DSA-3405-1 smokeping - security update
+   {CVE-2015-0859}
+   [wheezy] - smokeping 2.6.8-2+deb7u1
+   [jessie] - smokeping 2.6.9-1+deb8u1
 [25 Nov 2015] DSA-3404-1 python-django - security update
{CVE-2015-8213}
[wheezy] - python-django 1.4.5-1+deb7u14




[Secure-testing-commits] r37536 - in data: . DSA

2015-11-03 Thread Florian Weimer
Author: fw
Date: 2015-11-03 20:59:53 + (Tue, 03 Nov 2015)
New Revision: 37536

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3391-1 php-horde


Modified: data/DSA/list
===
--- data/DSA/list   2015-11-03 20:43:59 UTC (rev 37535)
+++ data/DSA/list   2015-11-03 20:59:53 UTC (rev 37536)
@@ -1,3 +1,5 @@
+[03 Nov 2015] DSA-3391-1 php-horde - security update
+   [jessie] - php-horde 5.2.1+debian0-2+deb8u2
 [02 Nov 2015] DSA-3355-2 libvdpau - regression update
[jessie] - libvdpau 0.8-3+deb8u2
 [02 Nov 2015] DSA-3390-1 xen - security update
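Review bot: The new DSA-3391-1 php-horde entry has no {CVE-...} line, unlike the security-update entries elsewhere in this file (the DSA-3355-2 libvdpau line below it is a regression update, which legitimately has none); if CVE identifiers exist for the issues this update fixes, they belong on this entry so the tracker can cross-reference them.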

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-11-03 20:43:59 UTC (rev 37535)
+++ data/dsa-needed.txt 2015-11-03 20:59:53 UTC (rev 37536)
@@ -55,9 +55,6 @@
 --
 pdns/oldstable
 --
-php-horde
-  Maintainer prepared update
---
 smarty3
 --
 squid/oldstable




[Secure-testing-commits] r37490 - in data: . DSA

2015-11-01 Thread Florian Weimer
Author: fw
Date: 2015-11-01 21:03:25 + (Sun, 01 Nov 2015)
New Revision: 37490

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3387-1 openafs


Modified: data/DSA/list
===
--- data/DSA/list   2015-11-01 17:13:28 UTC (rev 37489)
+++ data/DSA/list   2015-11-01 21:03:25 UTC (rev 37490)
@@ -1,3 +1,7 @@
+[01 Nov 2015] DSA-3387-1 openafs - security update
+   {CVE-2015-7762 CVE-2015-7763}
+   [wheezy] - openafs 1.6.1-3+deb7u5
+   [jessie] - openafs 1.6.9-2+deb8u4
 [31 Oct 2015] DSA-3386-1 unzip - security update
{CVE-2015-7696 CVE-2015-7697}
[wheezy] - unzip 6.0-8+deb7u4

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-11-01 17:13:28 UTC (rev 37489)
+++ data/dsa-needed.txt 2015-11-01 21:03:25 UTC (rev 37490)
@@ -51,9 +51,6 @@
 --
 ntp
 --
-openafs
-  Maintainer can prepare updated packages
---
 openjdk-6 (jmm)
 --
 openswan (corsac)




[Secure-testing-commits] r37376 - data/CVE

2015-10-27 Thread Florian Weimer
Author: fw
Date: 2015-10-27 18:10:14 + (Tue, 27 Oct 2015)
New Revision: 37376

Modified:
   data/CVE/list
Log:
CVE-2015-7803 CVE-2015-7804: update severity


Modified: data/CVE/list
===
--- data/CVE/list   2015-10-27 17:35:39 UTC (rev 37375)
+++ data/CVE/list   2015-10-27 18:10:14 UTC (rev 37376)
@@ -605,11 +605,11 @@
NOTE: http://symfony.com/blog/security-release-twig-1-20-0
 CVE-2015-7804 [Uninitialized pointer in phar_make_dirstream when zip entry 
filename is "/"]
RESERVED
-   - php5 5.6.14+dfsg-1
+   - php5 5.6.14+dfsg-1 (medium)
NOTE: https://bugs.php.net/bug.php?id=70433
 CVE-2015-7803 [Null pointer dereference in phar_get_fp_offset()]
RESERVED
-   - php5 5.6.14+dfsg-1
+   - php5 5.6.14+dfsg-1 (low)
NOTE: https://bugs.php.net/bug.php?id=69720
 CVE-2015-7764
RESERVED




[Secure-testing-commits] r37377 - in data: . DSA

2015-10-27 Thread Florian Weimer
Author: fw
Date: 2015-10-27 18:29:01 + (Tue, 27 Oct 2015)
New Revision: 37377

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3380-1 php5


Modified: data/DSA/list
===
--- data/DSA/list   2015-10-27 18:10:14 UTC (rev 37376)
+++ data/DSA/list   2015-10-27 18:29:01 UTC (rev 37377)
@@ -1,3 +1,7 @@
+[27 Oct 2015] DSA-3380-1 php5 - security update
+   {CVE-2015-7803 CVE-2015-7804}
+   [wheezy] - php5 5.4.45-0+deb7u2
+   [jessie] - php5 5.6.14+dfsg-0+deb8u1
 [25 Oct 2015] DSA-3379-1 miniupnpc - security update
{CVE-2015-6031}
[wheezy] - miniupnpc 1.5-2+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-10-27 18:10:14 UTC (rev 37376)
+++ data/dsa-needed.txt 2015-10-27 18:29:01 UTC (rev 37377)
@@ -63,9 +63,6 @@
 --
 pdns/oldstable
 --
-php5
-  Maintainer proposed updates for wheezy- and jessie-security
---
 phpmyadmin (thijs)
 --
 smarty3




[Secure-testing-commits] r37114 - data/CVE

2015-10-14 Thread Florian Weimer
Author: fw
Date: 2015-10-14 18:19:04 + (Wed, 14 Oct 2015)
New Revision: 37114

Modified:
   data/CVE/list
Log:
CVE-2015-0856 sddm


Modified: data/CVE/list
===
--- data/CVE/list   2015-10-14 14:30:29 UTC (rev 37113)
+++ data/CVE/list   2015-10-14 18:19:04 UTC (rev 37114)
@@ -19866,8 +19866,10 @@
RESERVED
 CVE-2015-0857
RESERVED
-CVE-2015-0856
+CVE-2015-0856 [sddm: prevent KDE's crash handler from kicking in]
RESERVED
+   - sddm  (low)
+   NOTE: https://github.com/sddm/sddm/commit/4cfed6b0a625593
 CVE-2015-0855
RESERVED
 CVE-2015-0854 [Insecure use of system()]




[Secure-testing-commits] r36428 - data/CVE

2015-09-02 Thread Florian Weimer
Author: fw
Date: 2015-09-02 20:52:50 + (Wed, 02 Sep 2015)
New Revision: 36428

Modified:
   data/CVE/list
Log:
CVE-2015-5738 openssl not-affected


Modified: data/CVE/list
===
--- data/CVE/list   2015-09-02 16:54:41 UTC (rev 36427)
+++ data/CVE/list   2015-09-02 20:52:50 UTC (rev 36428)
@@ -2401,8 +2401,9 @@
RESERVED
 CVE-2015-5742
RESERVED
-CVE-2015-5738
+CVE-2015-5738 [RSA-CRT key leak in custom version of OpenSSL]
RESERVED
+   - openssl  (OpenSSL upstream is not affected)
 CVE-2015-5959
RESERVED
- froxlor  (bug #581792)




[Secure-testing-commits] r36389 - org

2015-08-31 Thread Florian Weimer
Author: fw
Date: 2015-08-31 18:57:36 + (Mon, 31 Aug 2015)
New Revision: 36389

Modified:
   org/security-frontdesk.2015.txt
Log:
Summary: Volunteering for the frontdesk


Modified: org/security-frontdesk.2015.txt
===
--- org/security-frontdesk.2015.txt 2015-08-31 10:31:08 UTC (rev 36388)
+++ org/security-frontdesk.2015.txt 2015-08-31 18:57:36 UTC (rev 36389)
@@ -40,7 +40,7 @@
 From 05-10 to 11-10:geissert
 From 12-10 to 18-10:corsac
 From 19-10 to 25-10:thijs
-From 26-10 to 01-11:
+From 26-10 to 01-11:fw
 From 02-11 to 08-11:
 From 09-11 to 15-11:
 From 16-11 to 22-11:




[Secure-testing-commits] r36286 - data/CVE

2015-08-25 Thread Florian Weimer
Author: fw
Date: 2015-08-25 08:36:10 + (Tue, 25 Aug 2015)
New Revision: 36286

Modified:
   data/CVE/list
Log:
CVE-2015-5229 glibc eglibc is specific to RHEL 6.7


Modified: data/CVE/list
===
--- data/CVE/list   2015-08-25 08:34:43 UTC (rev 36285)
+++ data/CVE/list   2015-08-25 08:36:10 UTC (rev 36286)
@@ -3403,9 +3403,8 @@
RESERVED
 CVE-2015-5229 [could return memory areas which contain non-zero bytes]
RESERVED
-   - glibc unfixed
-   - eglibc removed
-   TODO: check
+   - glibc not-affected (RHEL-specific backport)
+   - eglibc not-affected (RHEL-specific backport)
 CVE-2015-5228
RESERVED
 CVE-2015-5227




[Secure-testing-commits] r36070 - data/CVE

2015-08-14 Thread Florian Weimer
Author: fw
Date: 2015-08-14 18:45:08 + (Fri, 14 Aug 2015)
New Revision: 36070

Modified:
   data/CVE/list
Log:
Summary: CVE-2015-5180 is low


Modified: data/CVE/list
===
--- data/CVE/list   2015-08-14 18:01:04 UTC (rev 36069)
+++ data/CVE/list   2015-08-14 18:45:08 UTC (rev 36070)
@@ -2041,9 +2041,9 @@
RESERVED
 CVE-2015-5180 [DNS resolver NULL pointer dereference with crafted record type]
RESERVED
-   - glibc unfixed
+   - glibc unfixed (low)
[jessie] - glibc no-dsa (Minor issue)
-   - eglibc removed
+   - eglibc removed (low)
[wheezy] - eglibc no-dsa (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18784
 CVE-2015-5179 [non-printable characters aren't check in every case of user 
data]




[Secure-testing-commits] r36073 - /

2015-08-14 Thread Florian Weimer
Author: fw
Date: 2015-08-14 18:51:57 + (Fri, 14 Aug 2015)
New Revision: 36073

Modified:
   Makefile
Log:
Summary: Makefile: Remove sparc from the sid architecture list


Modified: Makefile
===
--- Makefile2015-08-14 18:49:49 UTC (rev 36072)
+++ Makefile2015-08-14 18:51:57 UTC (rev 36073)
@@ -11,7 +11,7 @@
 wheezy_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390 s390x 
sparc kfreebsd-i386 kfreebsd-amd64
 jessie_ARCHS = amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x
 stretch_ARCHS = amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x
-sid_ARCHS = amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-i386 
kfreebsd-amd64 mips mipsel powerpc ppc64el s390x sparc
+sid_ARCHS = amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-i386 
kfreebsd-amd64 mips mipsel powerpc ppc64el s390x
 
 OLDOLDSTABLE = squeeze
 OLDSTABLE= wheezy




[Secure-testing-commits] r36074 - doc

2015-08-14 Thread Florian Weimer
Author: fw
Date: 2015-08-14 19:13:25 + (Fri, 14 Aug 2015)
New Revision: 36074

Modified:
   doc/soriano.txt
Log:
Summary: soriano: Mention .curlrc


Modified: doc/soriano.txt
===
--- doc/soriano.txt 2015-08-14 18:51:57 UTC (rev 36073)
+++ doc/soriano.txt 2015-08-14 19:13:25 UTC (rev 36074)
@@ -37,6 +37,10 @@
 
 ca-certificate=/etc/ssl/ca-global/ca-certificates.crt
 
+~sectracker/.curlrc contains a similar setting:
+
+capath=/etc/ssl/ca-global
+
 Web server
 --
 
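Review bot: The added capath=/etc/ssl/ca-global line is not quite "a similar setting" to the ca-certificate line above it: that one names a bundle file, whereas capath points curl at a directory, and curl with the OpenSSL backend only finds certificates in a capath directory through subject-hash symlinks (c_rehash style). If /etc/ssl/ca-global holds only the ca-certificates.crt bundle, curl will fail verification, and the matching .curlrc setting would be cacert=/etc/ssl/ca-global/ca-certificates.crt; the document should state which layout the directory actually has.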




[Secure-testing-commits] r35547 - in data: CVE DSA

2015-07-18 Thread Florian Weimer
Author: fw
Date: 2015-07-18 12:13:25 + (Sat, 18 Jul 2015)
New Revision: 35547

Modified:
   data/CVE/list
   data/DSA/list
Log:
CVE-2014-8873 DSA-3235-1 in openjdk-7, openjdk-8


Modified: data/CVE/list
===
--- data/CVE/list   2015-07-18 11:22:09 UTC (rev 35546)
+++ data/CVE/list   2015-07-18 12:13:25 UTC (rev 35547)
@@ -17963,8 +17963,18 @@
NOT-FOR-US: Revive Adserver
 CVE-2014-8874 (The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses 
...)
NOT-FOR-US: TYPO3 Extension ke_questionnaire
-CVE-2014-8873
+CVE-2014-8873 [MIME type registration for JAR files in the Debian OpenJDK 
packages enable user-initiated remote code execution]
RESERVED
+   - openjdk-8 8u45-b14-1 (high)
+   - openjdk-7 7u79-2.5.5-1 (high)
+   - openjdk-6 removed (high)
+   [squeeze] - openjdk-6 not-affected (MIME type setting is harmless on 
squeeze)
+   [wheezy] - openjdk-6 not-affected (MIME type setting is harmless on 
wheezy)
+   [squeeze] - openjdk-7 not-affected (MIME type setting is harmless on 
this squeeze)
+   [wheezy] - openjdk-7 not-affected (MIME type setting is harmless on 
wheezy)
+   NOTE: Starting with mime-support 3.53, MimeType entries in desktop
+   NOTE: files end up in /etc/mailcap, which introduces the user-initiated
+   NOTE: code execution.
 CVE-2014-8872
RESERVED
 CVE-2014-8871
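Review bot: The squeeze/openjdk-7 line reads "harmless on this squeeze"; the stray "this" should be dropped so it matches the wording of the other three not-affected lines. The NOTE lines usefully record why the MIME registration only became exploitable with mime-support 3.53, which is the justification for the squeeze and wheezy not-affected markings and worth keeping next to them.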

Modified: data/DSA/list
===
--- data/DSA/list   2015-07-18 11:22:09 UTC (rev 35546)
+++ data/DSA/list   2015-07-18 12:13:25 UTC (rev 35547)
@@ -267,7 +267,7 @@
[wheezy] - libreoffice 1:3.5.4+dfsg2-0+deb7u4
[jessie] - libreoffice 1:4.3.3-2+deb8u1
 [24 Apr 2015] DSA-3235-1 openjdk-7 - security update
-   {CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477 CVE-2015-0478 
CVE-2015-0480 CVE-2015-0488}
+   {CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477 CVE-2015-0478 
CVE-2015-0480 CVE-2015-0488 CVE-2014-8873}
[wheezy] - openjdk-7 7u79-2.5.5-1~deb7u1
[jessie] - openjdk-7 7u79-2.5.5-1~deb8u1
 [24 Apr 2015] DSA-3234-1 openjdk-6 - security update
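Review bot: The log line mentions openjdk-8, but only the DSA-3235-1 openjdk-7 entry gains CVE-2014-8873 here; that is consistent with the CVE hunk, where openjdk-8 is fixed in unstable (8u45-b14-1) and has no stable-release line, so no openjdk-8 DSA entry is expected, but the log line reads as if two advisories were touched.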




[Secure-testing-commits] r34565 - bin lib/python

2015-05-28 Thread Florian Weimer
Author: fw
Date: 2015-05-28 20:29:44 + (Thu, 28 May 2015)
New Revision: 34565

Modified:
   bin/tracker_service.py
   lib/python/security_db.py
Log:
/data/json: Work around performance issue due to SQLite planner change


Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2015-05-28 18:38:21 UTC (rev 34564)
+++ bin/tracker_service.py  2015-05-28 20:29:44 UTC (rev 34565)
@@ -1271,9 +1271,8 @@
 SELECT sp.name, st.bug_name,
 (SELECT cve_desc FROM nvd_data
 WHERE cve_name = st.bug_name),
-(SELECT debian_cve.bug FROM debian_cve
-WHERE debian_cve.bug_name = st.bug_name
-ORDER BY debian_cve.bug),
+(SELECT MIN(debian_cve.bug) FROM debian_cve
+WHERE debian_cve.bug_name = st.bug_name),
 sp.release, sp.subrelease,
 sp.version,
 (SELECT pn.fixed_version FROM package_notes AS pn
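Review bot: the MIN(debian_cve.bug) rewrite keeps the old result (the lowest bug number, NULL when no row matches, which is what the ORDER BY scalar subquery returned), but nothing in the query says why the aggregate form is used; add a one-line SQL comment such as "-- MIN() rather than ORDER BY: avoids a per-row sort after the SQLite planner change" so the ORDER BY form is not reintroduced later as a tidy-up and the performance regression the log describes comes back.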

Modified: lib/python/security_db.py
===
--- lib/python/security_db.py   2015-05-28 18:38:21 UTC (rev 34564)
+++ lib/python/security_db.py   2015-05-28 20:29:44 UTC (rev 34565)
@@ -518,11 +518,10 @@
 
 cursor.execute(
 CREATE TEMPORARY VIEW debian_cve AS
-SELECT DISTINCT debian_bugs.bug, st.bug_name
+SELECT debian_bugs.bug, st.bug_name
 FROM package_notes, debian_bugs, source_package_status AS st
 WHERE package_notes.bug_name = st.bug_name
-AND debian_bugs.note = package_notes.id
-ORDER BY debian_bugs.bug)
+AND debian_bugs.note = package_notes.id)
 
 def _initFunctions(self):
 Registers user-defined SQLite functions.
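Review bot: dropping DISTINCT from the debian_cve view means it can now return the same (bug, bug_name) pair more than once when several package_notes rows reference the same bug; the MIN() consumer in tracker_service.py is unaffected, but any other reader of the view that expected unique rows should be checked before this lands. Dropping ORDER BY is fine: an ORDER BY inside a view definition gives no ordering guarantee to queries over the view anyway, so nothing could have relied on it.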





[Secure-testing-commits] r34474 - bin lib/python

2015-05-24 Thread Florian Weimer
Author: fw
Date: 2015-05-24 19:36:19 + (Sun, 24 May 2015)
New Revision: 34474

Modified:
   bin/tracker_service.py
   lib/python/security_db.py
Log:
Introduce named tuples BugsForSourcePackage, DSAsForSourcePackage


Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2015-05-24 17:30:17 UTC (rev 34473)
+++ bin/tracker_service.py  2015-05-24 19:36:19 UTC (rev 34474)
@@ -587,8 +587,8 @@
 self.db.cursor(), pkg):
 yield release, version
 def gen_bug_list(lst):
-for (bug, description) in lst:
-yield self.make_xref(url, bug), description
+for bug in lst:
+yield self.make_xref(url, bug.bug), bug.description
 
 suites = ()
 for (release, version) in self.db.getSourcePackageVersions(
@@ -597,10 +597,10 @@
 suites = suites + (release,)
 
 def gen_summary(bugs):
-for (bug, description) in bugs:
+for bug in bugs:
 status = {}
 for (package, releases, version, vulnerable) \
-in self.db.getSourcePackages(self.db.cursor(), bug):
+in self.db.getSourcePackages(self.db.cursor(), 
bug.bug):
 for release in releases:
 if package == pkg:
 if vulnerable == 1:
@@ -615,7 +615,8 @@
 status_row = status_row + (status[release],)
 else:
 status_row = status_row + 
(self.make_purple('unknown'),)
-yield (self.make_xref(url, bug),) + status_row + (description,)
+yield (self.make_xref(url, bug.bug),) + status_row \
++ (bug.description,)
 
 return self.create_page(
 url, 'Information on source package ' + pkg,

Modified: lib/python/security_db.py
===
--- lib/python/security_db.py   2015-05-24 17:30:17 UTC (rev 34473)
+++ lib/python/security_db.py   2015-05-24 19:36:19 UTC (rev 34474)
@@ -39,6 +39,8 @@
 import types
 import zlib
 
+from collections import namedtuple
+
 import debian_support
 import dist_config
 
@@ -98,6 +100,21 @@
 
 The caller is expected to remove and regenerate the database.
 
+def getBugsForSourcePackage(self, cursor, pkg, vulnerable, unimportant):
+Returns a generator for a list of (BUG, DESCRIPTION) pairs
+which have the requested status.  Only bugs affecting supported
+releases are returned.
+
+# Returned by DB.getBugsForSourcePackage().
+BugsForSourcePackage = namedtuple(
+BugsForSourcePackage,
+bug description)
+
+# Returned by DB.getDSAsForSourcePackage().
+DSAsForSourcePackage = namedtuple(
+DSAsForSourcePackage,
+bug description)
+
 class DB:
 Access to the security database.
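Review bot: the module-level `def getBugsForSourcePackage(self, cursor, pkg, vulnerable, unimportant):` added just before the namedtuple definitions looks like an accidental paste: it sits outside class DB, takes `self`, and has no body beyond the old docstring, so it defines a dead module-level function whose docstring still promises the (BUG, DESCRIPTION) pairs this very commit replaces. Remove those five lines; the real method is updated further down in the @@ -1719 hunk. The namedtuple definitions themselves are fine, though a short docstring on DSAsForSourcePackage saying that its `bug` field holds a DSA/DLA name rather than a Debian bug number would save readers a trip to the query.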
 
@@ -1719,10 +1736,11 @@
 return flag
 
 def getBugsForSourcePackage(self, cursor, pkg, vulnerable, unimportant):
-Returns a generator for a list of (BUG, DESCRIPTION) pairs
-which have the requested status.  Only bugs affecting supported
-releases are returned.
-return cursor.execute(
+Returns a generator for BugsForSourcePackage named tuples which
+have the requested status.  Only bugs affecting supported
+releases are returned.
+
+for row in cursor.execute(
 SELECT DISTINCT name, description
 FROM (SELECT bugs.name AS name, bugs.description AS description,
 MAX(st.vulnerable
@@ -1742,16 +1760,18 @@
 AND (bugs.name LIKE 'CVE-%' OR bugs.name LIKE 'TEMP-%')
 GROUP BY bugs.name, bugs.description, sp.name)
 WHERE vulnerable = ? AND unimportant = ?
-ORDER BY name DESC, (pkg, vulnerable, unimportant))
+ORDER BY name DESC, (pkg, vulnerable, unimportant)):
+yield BugsForSourcePackage(*row)
 
 def getDSAsForSourcePackage(self, cursor, package):
-return cursor.execute(
+for row in cursor.execute(
 SELECT bugs.name, bugs.description
 FROM bugs, package_notes as p
 WHERE p.bug_name = bugs.name
 AND ( bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%')
 AND p.package = ?
-ORDER BY bugs.release_date DESC, (package,))
+ORDER BY bugs.release_date DESC, (package,)):
+yield DSAsForSourcePackage(*row)
 
 
 def getTODOs(self, cursor=None, hide_check=False):
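Review bot: both methods now yield from a generator that keeps iterating the caller-supplied cursor, so a caller that runs another statement on that same cursor before the iteration finishes will have its result set reset under it; this constraint should be stated in the docstrings. The return type has also changed from the cursor object to a generator, so any caller that relied on cursor methods such as fetchall() breaks and every call site needs checking. getDSAsForSourcePackage still has no docstring at all; note there that the `bug` field carries a DSA- or DLA- name rather than a Debian bug number, given the `bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%'` filter.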




[Secure-testing-commits] r33091 - data/CVE

2015-03-23 Thread Florian Weimer
Author: fw
Date: 2015-03-23 19:28:58 + (Mon, 23 Mar 2015)
New Revision: 33091

Modified:
   data/CVE/list
Log:
CVE-2015-0841 libcapsinetwork monopd


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-23 19:22:36 UTC (rev 33090)
+++ data/CVE/list   2015-03-23 19:28:58 UTC (rev 33091)
@@ -4701,8 +4701,14 @@
RESERVED
 CVE-2015-0842
RESERVED
-CVE-2015-0841
+CVE-2015-0841 [off-by-one buffer overflow in Listener::checkActivity in 
libcapsinetwork/monopd]
RESERVED
+   - libcapsinetwork unfixed (bug #781044; low)
+   - monopd unfixed (bug #781043; low)
+   [squeeze] - libcapsinetwork no-dsa (not exploitable with dlmalloc)
+   [wheezy] - libcapsinetwork no-dsa (not exploitable with dlmalloc)
+   [squeeze] - monopd no-dsa (not exploitable with dlmalloc)
+   [wheezy] - monopd no-dsa (not exploitable with dlmalloc)
 CVE-2015-0840
RESERVED
 CVE-2015-0839
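Review bot: the four no-dsa rationales hinge on the heap allocator ("not exploitable with dlmalloc"), which is a property of the glibc build in those suites rather than of libcapsinetwork or monopd; recording in a NOTE line what the off-by-one in Listener::checkActivity actually overwrites and why the allocator absorbs it would let the next triager re-evaluate the no-dsa decision without redoing the analysis. The unstable entries could also carry a NOTE with the upstream fix reference, as other entries in this file do.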




[Secure-testing-commits] r32433 - data/CVE

2015-02-23 Thread Florian Weimer
Author: fw
Date: 2015-02-23 11:45:02 + (Mon, 23 Feb 2015)
New Revision: 32433

Modified:
   data/CVE/list
Log:
CVE-2014-8121 glibc


Modified: data/CVE/list
===
--- data/CVE/list   2015-02-23 11:25:14 UTC (rev 32432)
+++ data/CVE/list   2015-02-23 11:45:02 UTC (rev 32433)
@@ -9685,8 +9685,10 @@
NOTE: up to 2014.1.3 and 2014.2 version up to 2014.2.1
 CVE-2014-8122 (Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 
Alpha3 ...)
NOT-FOR-US: JBoss Weld
-CVE-2014-8121
+CVE-2014-8121 [glibc: nss_files file management issue causes Samba infinite 
loop]
RESERVED
+   - glibc unfixed (low)
+   - eglibc removed (low)
 CVE-2014-8120 (The agent in Thermostat before 1.0.6, when using unspecified 
...)
NOT-FOR-US: Thermostat Hotspot instrumentation
 CVE-2014-8119




[Secure-testing-commits] r32330 - data/CVE

2015-02-18 Thread Florian Weimer
Author: fw
Date: 2015-02-18 21:23:42 + (Wed, 18 Feb 2015)
New Revision: 32330

Modified:
   data/CVE/list
Log:
CVE-2015-1349: bind9


Modified: data/CVE/list
===
--- data/CVE/list   2015-02-18 21:13:10 UTC (rev 32329)
+++ data/CVE/list   2015-02-18 21:23:42 UTC (rev 32330)
@@ -1514,8 +1514,9 @@
NOT-FOR-US: sequelize
 CVE-2015-1354
RESERVED
-CVE-2015-1349
+CVE-2015-1349 [bind9 crash in trust anchor management]
RESERVED
+   - bind9 unfixed (low)
 CVE-2015-1348 (Heap-based buffer overflow in Aruba Instant (IAP) with firmware 
before ...)
NOT-FOR-US: Aruba Instant
 CVE-2015-1347 (Cross-site scripting (XSS) vulnerability in client.inc.php in 
osTicket ...)




[Secure-testing-commits] r32329 - data/DSA

2015-02-18 Thread Florian Weimer
Author: fw
Date: 2015-02-18 21:13:10 + (Wed, 18 Feb 2015)
New Revision: 32329

Modified:
   data/DSA/list
Log:
DSA-3162-1 bind9


Modified: data/DSA/list
===
--- data/DSA/list   2015-02-18 21:10:15 UTC (rev 32328)
+++ data/DSA/list   2015-02-18 21:13:10 UTC (rev 32329)
@@ -1,3 +1,6 @@
+[18 Feb 2015] DSA-3162-1 bind9 - security update
+   {CVE-2015-1349}
+   [wheezy] - bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u4
 [11 Feb 2015] DSA-3161-1 dbus - security update
{CVE-2015-0245}
[wheezy] - dbus 1.6.8-1+deb7u6




[Secure-testing-commits] r31738 - data/CVE

2015-01-27 Thread Florian Weimer
Author: fw
Date: 2015-01-27 15:19:29 + (Tue, 27 Jan 2015)
New Revision: 31738

Modified:
   data/CVE/list
Log:
CVE-2015-0235 glibc, eglibc


Modified: data/CVE/list
===
--- data/CVE/list   2015-01-27 12:58:43 UTC (rev 31737)
+++ data/CVE/list   2015-01-27 15:19:29 UTC (rev 31738)
@@ -4765,8 +4765,11 @@
NOTE: Upstream fix: 
http://libvirt.org/git/?p=libvirt.git;a=commit;h=b347c0c2a321ec5c20aae214927949832a288c5a
NOTE: Introduced by: 
http://libvirt.org/git/?p=libvirt.git;a=commit;h=e341435e5090677c67a0d3d4ca0393102054841f
 (v1.1.0-rc1)
NOTE: http://security.libvirt.org/2015/0001.html
-CVE-2015-0235
+CVE-2015-0235 [glibc: buffer overflow in gethostbyname]
RESERVED
+   - eglibc 2.18-1 (high)
+   - glibc 2.18-1 (high)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=15014
 CVE-2015-0234
RESERVED
- dogtag-pki unfixed (unimportant)




[Secure-testing-commits] r31739 - data/DSA

2015-01-27 Thread Florian Weimer
Author: fw
Date: 2015-01-27 15:21:30 + (Tue, 27 Jan 2015)
New Revision: 31739

Modified:
   data/DSA/list
Log:
DSA-3142-1 eglibc


Modified: data/DSA/list
===
--- data/DSA/list   2015-01-27 15:19:29 UTC (rev 31738)
+++ data/DSA/list   2015-01-27 15:21:30 UTC (rev 31739)
@@ -1,3 +1,6 @@
+[27 Jan 2015] DSA-3142-1 eglibc - security update
+   {CVE-2012-6656 CVE-2014-6040 CVE-2014-7817 CVE-2015-0235}
+   [wheezy] - eglibc 2.13-38+deb7u7
 [27 Jan 2015] DSA-3141-1 wireshark - security update
{CVE-2015-0562 CVE-2015-0564}
[wheezy] - wireshark 1.8.2-5wheezy14




[Secure-testing-commits] r31490 - lib/python

2015-01-18 Thread Florian Weimer
Author: fw
Date: 2015-01-18 11:00:10 + (Sun, 18 Jan 2015)
New Revision: 31490

Modified:
   lib/python/security_db.py
Log:
security_db.Db.getUnreportedVulnerabilities(): New method


Modified: lib/python/security_db.py
===
--- lib/python/security_db.py   2015-01-18 10:50:18 UTC (rev 31489)
+++ lib/python/security_db.py   2015-01-18 11:00:10 UTC (rev 31490)
@@ -1845,6 +1845,35 @@
 st.bug_name  'TEMP-' AND st.bug_name LIKE 'TEMP-%'
 ORDER BY st.bug_name,(vulnerability,)))
 
+def getUnreportedVulnerabilities(self, cursor=None):
+Returns a list of pairs (BUG_NAME, DESCRIPTION)
+of vulnerabilities which are unfixed in unstable and lack a filed bug.
+
+if cursor is None:
+cursor = self.cursor()
+last_bug = None
+result = []
+for bug, pkg in cursor.execute(
+SELECT DISTINCT source_package_status.bug_name, source_packages.name
+  FROM source_packages
+  JOIN source_package_status
+ON source_packages.rowid = source_package_status.package
+  JOIN package_notes
+ON source_packages.name = package_notes.package
+  AND package_notes.bug_name = source_package_status.bug_name
+  AND source_packages.release = 'sid'
+  AND package_notes.release = ''
+  WHERE source_package_status.bug_name LIKE 'CVE-%'
+  AND package_notes.urgency  'unimportant'
+  AND package_notes.rowid NOT IN (SELECT note FROM debian_bugs)
+  AND source_package_status.vulnerable
+  ORDER BY source_package_status.bug_name, source_packages.name):
+if last_bug is None or last_bug  bug:
+last_bug = bug
+result.append((bug, []))
+result[-1][1].append(pkg)
+return result
+
 def getITPs(self, cursor):
 Returns a generator for a list of unknown packages.
 Each entry has the form (PACKAGE, BUG-LIST, DEBIAN-BUG-LIST).
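Review bot: the docstring says the method returns pairs (BUG_NAME, DESCRIPTION), but the loop builds `result.append((bug, []))` and then appends package names, so each element is actually (BUG_NAME, [PACKAGE, ...]); fix the docstring, since the page_status_unreported caller added in r31491 already unpacks it as `(bug, packages)`. Two smaller points: `AND source_package_status.vulnerable` accepts any non-zero status, whereas tracker_service.py elsewhere tests `vulnerable == 1` explicitly, so if the column carries more than two values this should compare against 1 as well; and the `last_bug is None` half of the grouping test is redundant, because a None last_bug is already unequal to any bug name.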




[Secure-testing-commits] r31491 - bin

2015-01-18 Thread Florian Weimer
Author: fw
Date: 2015-01-18 11:00:40 + (Sun, 18 Jan 2015)
New Revision: 31491

Modified:
   bin/tracker_service.py
Log:
tracker_serve.py: New page status/unreported


Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2015-01-18 11:00:10 UTC (rev 31490)
+++ bin/tracker_service.py  2015-01-18 11:00:40 UTC (rev 31491)
@@ -129,6 +129,7 @@
 self.register('status/undetermined', self.page_status_undetermined)
 self.register('status/unimportant', self.page_status_unimportant)
 self.register('status/itp', self.page_status_itp)
+self.register('status/unreported', self.page_status_unreported)
 self.register('data/unknown-packages', self.page_data_unknown_packages)
 self.register('data/missing-epochs', self.page_data_missing_epochs)
 self.register('data/latently-vulnerable',
@@ -212,6 +213,7 @@
 ('status/undetermined', 'Packages that may be vulnerable but need 
to be checked (undetermined issues)'),
 ('status/unimportant', 'Packages that have open unimportant 
issues'),
 ('status/itp', 'ITPs with potential security issues'),
+('status/unreported', 'Open vulnerabilities without filed Debian 
bugs'),
 ('data/unknown-packages',
  'Packages names not found in the archive'),
 ('data/fake-names', 'Tracked issues without a CVE name'),
@@ -1015,6 +1017,18 @@
 [make_table(gen(), caption=(Package, Issue, Debian Bugs),
 replacement=No ITP bugs are currently known.)])
 
+def page_status_unreported(self, path, params, url):
+def gen():
+for (bug, packages) in self.db.getUnreportedVulnerabilities():
+pkgs = make_list([self.make_source_package_ref(url, pkg)
+  for pkg in packages], , )
+yield self.make_xref(url, bug), pkgs
+return self.create_page(
+url, Unfixed vulnerabilities in unstable without a filed bug,
+[P(The list below contains vulnerabilities for which no matching
+Debian bug has been filed, and there is still an unfixed package in sid.),
+ make_table(gen(), caption=(Bug, Packages))])
+
 def page_data_unknown_packages(self, path, params, url):
 def gen():
 for name, bugs in self.db.getUnknownPackages(self.db.cursor()):
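Review bot: the table in page_status_unreported has no `replacement=` text, unlike the ITP table directly above it (`replacement=No ITP bugs are currently known.`), so when getUnreportedVulnerabilities() returns nothing the page renders an empty table with no explanation; add a replacement string such as "No unreported vulnerabilities are currently known." Also, getUnreportedVulnerabilities() is called without a cursor and falls back to self.cursor() internally, which works but differs from the neighbouring call `self.db.getUnknownPackages(self.db.cursor())`; pick one convention.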




[Secure-testing-commits] r31416 - org

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 09:54:45 + (Sat, 17 Jan 2015)
New Revision: 31416

Modified:
   org/agenda-2015.txt
Log:
List docker.io as a problematic package


Modified: org/agenda-2015.txt
===
--- org/agenda-2015.txt 2015-01-17 09:54:10 UTC (rev 31415)
+++ org/agenda-2015.txt 2015-01-17 09:54:45 UTC (rev 31416)
@@ -105,6 +105,7 @@
 ==
 
 - Discuss list of open problematic packages (if not resolved by then)
+  * Docker
 
 - Start getting required in place for jessie-security:
   - buildds




[Secure-testing-commits] r31436 - doc

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 17:04:18 + (Sat, 17 Jan 2015)
New Revision: 31436

Modified:
   doc/soler.txt
Log:
Document the Subversion backup


Modified: doc/soler.txt
===
--- doc/soler.txt   2015-01-17 17:01:04 UTC (rev 31435)
+++ doc/soler.txt   2015-01-17 17:04:18 UTC (rev 31436)
@@ -87,3 +87,11 @@
 /org/security-tracker.debian.org/website/secure-testing/data.
 Code changes need to be applied manually, using svn update,
 and a service restart (see above).
+
+Subversion repository mirror
+
+
+The Subversion repository is mirrored (including history) using
+svnsync, to the /org/security-tracker.debian.org/subversion-backup
+directory.  The sectracker crontab contains an entry which runs
+svnsync periodically.
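Review bot: the new section says where the svnsync mirror lives and that a crontab entry refreshes it, but not how to tell whether the mirror is current or how to restore from it; add the command used to compare the mirror's last synced revision with the master (for example `svn info` on both repositories) and a sentence on the restore procedure, otherwise the backup is only useful to whoever set it up. Stating the cron interval ("periodically") would also let a reader judge how much history can be lost between runs.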




[Secure-testing-commits] r31463 - data/CVE

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 22:44:19 + (Sat, 17 Jan 2015)
New Revision: 31463

Modified:
   data/CVE/list
Log:
cronie is only in experimental


Modified: data/CVE/list
===
--- data/CVE/list   2015-01-17 22:41:20 UTC (rev 31462)
+++ data/CVE/list   2015-01-17 22:44:19 UTC (rev 31463)
@@ -47711,7 +47711,7 @@
[squeeze] - moodle no-dsa (Minor issue)
[wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2
 CVE-2012-6097 (File descriptor leak in cronie 1.4.8, when running in certain 
...)
-   - cronie unfixed (low; bug #697811)
+   [experimental] - cronie unfixed (low; bug #697811)
NOTE: Only present in experimental
NOTE: https://bugzilla.novell.com/show_bug.cgi?id=786096
 CVE-2012-6096 (Multiple stack-based buffer overflows in the get_history 
function in ...)




[Secure-testing-commits] r31441 - data/packages

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 18:38:00 + (Sat, 17 Jan 2015)
New Revision: 31441

Modified:
   data/packages/removed-packages
Log:
juju is no longer in the archive


Modified: data/packages/removed-packages
===
--- data/packages/removed-packages  2015-01-17 18:31:27 UTC (rev 31440)
+++ data/packages/removed-packages  2015-01-17 18:38:00 UTC (rev 31441)
@@ -250,3 +250,4 @@
 mysql-5.1
 libpam-rsa
 passenger
+juju




[Secure-testing-commits] r31462 - data/CVE

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 22:41:20 + (Sat, 17 Jan 2015)
New Revision: 31462

Modified:
   data/CVE/list
Log:
apport is only in experimental


Modified: data/CVE/list
===
--- data/CVE/list   2015-01-17 22:39:14 UTC (rev 31461)
+++ data/CVE/list   2015-01-17 22:41:20 UTC (rev 31462)
@@ -44092,7 +44092,7 @@
[wheezy] - cinder not-affected (Vulnerable code not present)
NOTE: Requires includedir to be defined in /etc/sudoers file
 CVE-2013-1067 (Apport 2.12.5 and earlier uses weak permissions for core dump 
files ...)
-   - apport 2.12.6-1 (bug #727661)
+   [experimental] - apport 2.12.6-1 (bug #727661)
NOTE: apport only in experimental, so we cannot track this in 
security-tracker
NOTE: add it, as we have a explicit bug reference for apport
 CVE-2013-1066 (language-selector 0.110.x before 0.110.1, 0.90.x before 0.90.1, 
and ...)
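Review bot: with the `[experimental]` qualifier now accepted (r31458 in this same series adds experimental as a pseudo-release), the NOTE "apport only in experimental, so we cannot track this in security-tracker" and its follow-up "add it, as we have a explicit bug reference" are stale and contradict the line they annotate; rewrite them to say the package is tracked under the experimental pseudo-release, and fix "a explicit" while there.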
@@ -102679,7 +102679,7 @@
NOTE: encrypted home directories with ecryptfs, so no passphrase is 
stored in the
NOTE: installer logs on disk
 CVE-2009-1295 (Apport before 0.108.4 on Ubuntu 8.04 LTS, before 0.119.2 on 
Ubuntu ...)
-   - apport not-affected (Fixed before initial upload into Debian)
+   [experimental] - apport not-affected (Fixed before initial upload 
into Debian)
 CVE-2009-1294 (Multiple cross-site scripting (XSS) vulnerabilities in 
web/guest/home ...)
NOT-FOR-US: Novell Teaming
 CVE-2009-1293 (The web login functionality (c/portal/login) in Novell Teaming 
1.0 ...)




[Secure-testing-commits] r31458 - lib/python

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 22:26:24 + (Sat, 17 Jan 2015)
New Revision: 31458

Modified:
   lib/python/debian_support.py
Log:
debian_support.Release: Add experimental as a pseudo-release

At the start, to avoid issues with code assuming sid being last.


Modified: lib/python/debian_support.py
===
--- lib/python/debian_support.py2015-01-17 22:04:01 UTC (rev 31457)
+++ lib/python/debian_support.py2015-01-17 22:26:24 UTC (rev 31458)
@@ -193,7 +193,8 @@
 
 def listReleases():
 releases = {}
-rels = (potato, woody, sarge, etch, lenny, squeeze, wheezy, 
jessie, sid)
+rels = (experimental, # For use in [brackets] in the list files.
+potato, woody, sarge, etch, lenny, squeeze, wheezy, 
jessie, sid)
 for r in range(len(rels)):
 releases[rels[r]] = Release(rels[r], r)
 Release.releases = releases
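Review bot: experimental is inserted at index 0 of `rels`, and `Release(rels[r], r)` uses that index as the release's rank, so experimental now compares as older than potato; any code that orders releases by rank (for example "fixed in this release and everything newer") will treat experimental as the oldest suite, which is the reverse of reality. The inline comment only says the name is for use in [brackets]; extend it to state that the rank is meaningless for experimental and must not be compared, or give Release an explicit pseudo-release flag instead of relying on the position in the tuple.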




[Secure-testing-commits] r31459 - data/packages

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 22:35:32 + (Sat, 17 Jan 2015)
New Revision: 31459

Modified:
   data/packages/removed-packages
Log:
Treat dtc as a removed package


Modified: data/packages/removed-packages
===
--- data/packages/removed-packages  2015-01-17 22:26:24 UTC (rev 31458)
+++ data/packages/removed-packages  2015-01-17 22:35:32 UTC (rev 31459)
@@ -455,3 +455,6 @@
 rt2500
 foomatic-gui
 mpfr
+
+# Packages in experimental which used to be in other suites.
+dtc




[Secure-testing-commits] r31472 - lib/python

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 23:38:45 + (Sat, 17 Jan 2015)
New Revision: 31472

Modified:
   lib/python/security_db.py
Log:
security_db.DB._parseFile(): Only treat Extra-Source-Only: yes as skip-worthy


Modified: lib/python/security_db.py
===
--- lib/python/security_db.py   2015-01-17 23:37:06 UTC (rev 31471)
+++ lib/python/security_db.py   2015-01-17 23:38:45 UTC (rev 31472)
@@ -524,7 +524,7 @@
 elif name == Architecture:
 pkg_arch = contents
 elif name == Extra-Source-Only:
-pkg_extra_source_only = True
+pkg_extra_source_only = contents.strip() == yes
 if pkg_name is None:
 raise SyntaxError\
   (package record does not contain package name)
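Review bot: the change from presence-as-true to `contents.strip() == yes` matches the documented value of the Extra-Source-Only field, but it is case-sensitive and any other value now silently keeps the package; a comment saying that only an exact "yes" marks a record as skip-worthy, plus a small parser test with one "yes" and one "no" record, would pin the intended behaviour down.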




[Secure-testing-commits] r31461 - lib/python

2015-01-17 Thread Florian Weimer
Author: fw
Date: 2015-01-17 22:39:14 + (Sat, 17 Jan 2015)
New Revision: 31461

Modified:
   lib/python/security_db.py
Log:
security_db.DB.getUnknownPackages(): Filter out [experimental]

We currently do not load package lists from the experimental source,
so we cannot perform the typo check there.


Modified: lib/python/security_db.py
===
--- lib/python/security_db.py   2015-01-17 22:37:47 UTC (rev 31460)
+++ lib/python/security_db.py   2015-01-17 22:39:14 UTC (rev 31461)
@@ -1809,6 +1809,7 @@
 for (package, bug_name) in cursor.execute(
 SELECT DISTINCT package, bug_name
 FROM package_notes WHERE package_kind = 'unknown'
+AND COALESCE (release, '')  'experimental'
 AND NOT EXISTS (SELECT * FROM removed_packages
 WHERE name = package)
 ORDER BY package, bug_name):




[Secure-testing-commits] r31400 - /

2015-01-16 Thread Florian Weimer
Author: fw
Date: 2015-01-16 20:46:55 + (Fri, 16 Jan 2015)
New Revision: 31400

Modified:
   Makefile
Log:
Use the official URL for the HTTP mirror redirector


Modified: Makefile
===
--- Makefile2015-01-16 19:43:16 UTC (rev 31399)
+++ Makefile2015-01-16 20:46:55 UTC (rev 31400)
@@ -5,7 +5,7 @@
 # Adjust these if necessary.  The architecture selection is rather
 # arbitrary at the moment.  More architectures can be added later.
 
-MIRROR = http://http.debian.net/debian/
+MIRROR = http://httpredir.debian.org/debian/
 squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc 
kfreebsd-i386 kfreebsd-amd64
 squeeze_LTS_ARCHS = amd64 i386
 wheezy_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390 s390x 
sparc kfreebsd-i386 kfreebsd-amd64




[Secure-testing-commits] r30864 - data/DSA

2014-12-20 Thread Florian Weimer
Author: fw
Date: 2014-12-20 18:17:58 + (Sat, 20 Dec 2014)
New Revision: 30864

Modified:
   data/DSA/list
Log:
DSA-3107-1 subversion


Modified: data/DSA/list
===
--- data/DSA/list   2014-12-20 16:40:17 UTC (rev 30863)
+++ data/DSA/list   2014-12-20 18:17:58 UTC (rev 30864)
@@ -1,3 +1,6 @@
+[20 Dec 2014] DSA-3107-1 subversion - security update
+   {CVE-2014-3580}
+   [wheezy] - subversion 1.6.17dfsg-4+deb7u7
 [20 Dec 2014] DSA-3106-1 jasper - security update
{CVE-2014-8137 CVE-2014-8138}
[wheezy] - jasper 1.900.1-13+deb7u2




[Secure-testing-commits] r30869 - data/DSA

2014-12-20 Thread Florian Weimer
Author: fw
Date: 2014-12-20 20:22:29 + (Sat, 20 Dec 2014)
New Revision: 30869

Modified:
   data/DSA/list
Log:
DSA-3108-1 ntp


Modified: data/DSA/list
===
--- data/DSA/list   2014-12-20 20:19:44 UTC (rev 30868)
+++ data/DSA/list   2014-12-20 20:22:29 UTC (rev 30869)
@@ -1,3 +1,6 @@
+[20 Dec 2014] DSA-3108-1 ntp - security update
+   {CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296}
+   [wheezy] - ntp 1:4.2.6.p5+dfsg-2+deb7u1
 [20 Dec 2014] DSA-3107-1 subversion - security update
{CVE-2014-3580}
[wheezy] - subversion 1.6.17dfsg-4+deb7u7




[Secure-testing-commits] r30871 - data/DSA

2014-12-20 Thread Florian Weimer
Author: fw
Date: 2014-12-20 20:48:53 + (Sat, 20 Dec 2014)
New Revision: 30871

Modified:
   data/DSA/list
Log:
DSA-3107-2 subversion


Modified: data/DSA/list
===
--- data/DSA/list   2014-12-20 20:46:32 UTC (rev 30870)
+++ data/DSA/list   2014-12-20 20:48:53 UTC (rev 30871)
@@ -1,3 +1,5 @@
+[20 Dec 2014] DSA-3107-2 subversion - regression update
+   [wheezy] - subversion 1.6.17dfsg-4+deb7u8
 [20 Dec 2014] DSA-3108-1 ntp - security update
{CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296}
[wheezy] - ntp 1:4.2.6.p5+dfsg-2+deb7u1




[Secure-testing-commits] r30775 - data/DSA

2014-12-16 Thread Florian Weimer
Author: fw
Date: 2014-12-16 17:37:24 + (Tue, 16 Dec 2014)
New Revision: 30775

Modified:
   data/DSA/list
Log:
DSA-3104-1 bsd-mailx


Modified: data/DSA/list
===
--- data/DSA/list   2014-12-16 16:02:40 UTC (rev 30774)
+++ data/DSA/list   2014-12-16 17:37:24 UTC (rev 30775)
@@ -1,3 +1,6 @@
+[16 Dec 2014] DSA-3104-1 bsd-mailx - security update
+   {CVE-2014-7844}
+   [wheezy] - bsd-mailx 8.1.2-0.2006cvs-1+deb7u1
 [13 Dec 2014] DSA-3103-1 libyaml-libyaml-perl - security update
{CVE-2014-9130}
[wheezy] - libyaml-libyaml-perl 0.38-3+deb7u3




[Secure-testing-commits] r30776 - data/DSA

2014-12-16 Thread Florian Weimer
Author: fw
Date: 2014-12-16 17:38:07 + (Tue, 16 Dec 2014)
New Revision: 30776

Modified:
   data/DSA/list
Log:
DSA-3105-1 heirloom-mailx


Modified: data/DSA/list
===
--- data/DSA/list   2014-12-16 17:37:24 UTC (rev 30775)
+++ data/DSA/list   2014-12-16 17:38:07 UTC (rev 30776)
@@ -1,3 +1,6 @@
+[16 Dec 2014] DSA-3105-1 heirloom-mailx - security update
+   {CVE-2004-2771 CVE-2014-7844}
+   [wheezy] - heirloom-mailx 12.5-2+deb7u1
 [16 Dec 2014] DSA-3104-1 bsd-mailx - security update
{CVE-2014-7844}
[wheezy] - bsd-mailx 8.1.2-0.2006cvs-1+deb7u1




[Secure-testing-commits] r30681 - data/DSA

2014-12-11 Thread Florian Weimer
Author: fw
Date: 2014-12-11 20:49:27 + (Thu, 11 Dec 2014)
New Revision: 30681

Modified:
   data/DSA/list
Log:
DSA-3099-1 dbus


Modified: data/DSA/list
===
--- data/DSA/list   2014-12-11 19:07:24 UTC (rev 30680)
+++ data/DSA/list   2014-12-11 20:49:27 UTC (rev 30681)
@@ -1,3 +1,6 @@
+[11 Dec 2014] DSA-3099-1 dbus - security update
+   {CVE-2014-7824}
+   [wheezy] - dbus 1.6.8-1+deb7u5
 [11 Dec 2014] DSA-3098-1 graphviz - security update
{CVE-2014-9157}
[wheezy] - graphviz 2.26.3-14+deb7u2




[Secure-testing-commits] r30480 - data/DSA

2014-12-01 Thread Florian Weimer
Author: fw
Date: 2014-12-01 20:10:50 + (Mon, 01 Dec 2014)
New Revision: 30480

Modified:
   data/DSA/list
Log:
DSA-3084-1 openvpn


Modified: data/DSA/list
===
--- data/DSA/list   2014-12-01 18:54:03 UTC (rev 30479)
+++ data/DSA/list   2014-12-01 20:10:50 UTC (rev 30480)
@@ -1,3 +1,6 @@
+[01 Dec 2014] DSA-3084-1 openvpn - security update
+   {CVE-2014-8104}
+   [wheezy] - openvpn 2.2.1-8+deb7u3
 [30 Nov 2014] DSA-3083-1 mutt - security update
{CVE-2014-9116}
[wheezy] - mutt 1.5.21-6.2+deb7u3




[Secure-testing-commits] r30431 - lib/python

2014-11-29 Thread Florian Weimer
Author: fw
Date: 2014-11-29 10:36:07 + (Sat, 29 Nov 2014)
New Revision: 30431

Modified:
   lib/python/web_support.py
Log:
lib/python/web_support.py (ThreadingHTTPServer): Actually enable threading

The order of inheritance matters.  With the previous order, the threading
mix-in was effectively ignored.


Modified: lib/python/web_support.py
===
--- lib/python/web_support.py   2014-11-29 09:51:01 UTC (rev 30430)
+++ lib/python/web_support.py   2014-11-29 10:36:07 UTC (rev 30431)
@@ -771,8 +771,8 @@
 assert isinstance(r, Result), `r`
 r.flatten(result.write)
 
-class ThreadingHTTPServer(BaseHTTPServer.HTTPServer,
-  SocketServer.ThreadingMixIn):
+class ThreadingHTTPServer(SocketServer.ThreadingMixIn,
+  BaseHTTPServer.HTTPServer):
 pass
 
 RE_BASE_URL = re.compile(r'^(https?)://([^/]+)(.*)')
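Review bot: the reordering is the right fix, but it deserves a comment in the class body: with `BaseHTTPServer.HTTPServer` listed first, its `process_request` (inherited from SocketServer.BaseServer) came first in the MRO and the mix-in's threaded `process_request` was never reached, which is the bug the log describes; a future "alphabetical" tidy-up of the base classes would silently reintroduce it. Since the server now really does spawn a thread per request, also consider setting `daemon_threads = True` on the class so shutdown does not wait on stuck handler threads, and check that anything the handlers share through the server object (the database connection in particular) is safe to use from several threads at once.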




[Secure-testing-commits] r29171 - data/CVE

2014-09-30 Thread Florian Weimer
Author: fw
Date: 2014-09-30 17:42:06 + (Tue, 30 Sep 2014)
New Revision: 29171

Modified:
   data/CVE/list
Log:
CVE-2014-6277 CVE-2014-6278 bash

The prefix/suffix patch is considered sufficient fix for that.


Modified: data/CVE/list
===
--- data/CVE/list   2014-09-30 13:40:31 UTC (rev 29170)
+++ data/CVE/list   2014-09-30 17:42:06 UTC (rev 29171)
@@ -2003,7 +2003,9 @@
RESERVED
 CVE-2014-6278 [code execution via specially crafted environment variables]
RESERVED
-   - bash unfixed
+   - bash 4.3-9.2 (high)
+   [wheezy] - bash 4.2+dfsg-0.1+deb7u3 (high)
+   [squeeze] - bash 4.1-3+deb6u2 (high)
NOTE: The underlying parser flaw has not yet been disclosed and might
NOTE: still exist in latest released bash packages. However Florian
NOTE: Weimer's variables-affix.patch patch applied in Debian prevents
@@ -2012,7 +2014,9 @@
NOTE: from its environment.
 CVE-2014-6277 [untrusted pointer use issue leading to code execution]
RESERVED
-   - bash unfixed
+   - bash 4.3-9.2
+   [wheezy] - bash 4.2+dfsg-0.1+deb7u3
+   [squeeze] - bash 4.1-3+deb6u2
NOTE: The underlying parser flaw has not yet been disclosed and might
NOTE: still exist in latest released bash packages. However Florian
NOTE: Weimer's variables-affix.patch patch applied in Debian prevents
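Review bot: the three CVE-2014-6277 version lines carry no severity, whereas the matching CVE-2014-6278 lines in the previous hunk are all marked "(high)"; both are remote code execution through the same vector, so either rate both "(high)" or neither, otherwise the per-release views of the two entries will disagree.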


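The prefix/suffix ("affix") mechanism the log message refers to can be checked on a running system without executing anything: a bash that lacks the patch imports a function from any environment variable whose value starts with `() {`, a patched one only honours its namespaced `BASH_FUNC_*` variables. The probe below is an added example, not code from the tracker or from the bash patch; it drives the bash found on PATH from Python (the tracker's own language) and uses only the builtins `type -t` and `export -f`. `probe_fn` is an arbitrary name chosen here, the probe's function body is an empty `:` and it is never called. The variable name reported for a real `export -f` differs between patch generations (Debian's first affix patch and upstream's later one spell the suffix differently), so the check records the name it sees instead of assuming one.

```python
import os
import shutil
import subprocess

PROBE = 'probe_fn'  # arbitrary function name used only for this check


def _bash_sees_function(bash, env):
    """Start a fresh bash with exactly `env` and ask what kind of name PROBE is.

    `type -t` prints "function" if PROBE was imported as a function and nothing
    otherwise; the probe body is never executed.
    """
    completed = subprocess.run(
        [bash, '-c', 'type -t %s' % PROBE],
        env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return completed.stdout.strip() == 'function'


def bash_function_import_status(bash='bash'):
    """Report how the bash on PATH imports shell functions from its environment.

    Returns a dict:
      bash               path of the probed bash, or None if none was found
      imports_unprefixed True if a plain variable named PROBE whose value looks
                         like "() { :; }" becomes a function (pre-affix behaviour)
      export_variable    name of the environment variable a child bash receives
                         for an `export -f` function; equal to PROBE on an
                         unpatched bash, a namespaced BASH_FUNC_... name otherwise
    """
    path = shutil.which(bash)
    result = {'bash': path, 'imports_unprefixed': False, 'export_variable': None}
    if path is None:
        return result

    base_env = {'PATH': os.environ.get('PATH', '/usr/bin:/bin')}

    # 1. Pre-affix import path: an ordinary variable whose value begins with "() {".
    #    Without the prefix/suffix patch bash turns it into a function at startup.
    result['imports_unprefixed'] = _bash_sees_function(
        path, dict(base_env, **{PROBE: '() { :; }'}))

    # 2. Legitimate export: define PROBE, `export -f` it, then list the child
    #    environment to see under which name the function actually travels.
    listing = subprocess.run(
        [path, '-c', '%s() { :; }; export -f %s; exec env' % (PROBE, PROBE)],
        env=base_env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    for line in listing.stdout.splitlines():
        name = line.split('=', 1)[0]
        if PROBE in name:
            result['export_variable'] = name
            break
    return result


if __name__ == '__main__':
    status = bash_function_import_status()
    if status['bash'] is None:
        print('no bash on PATH')
    else:
        print('bash:', status['bash'])
        print('imports functions from unprefixed variables:',
              status['imports_unprefixed'])
        print('export -f variable name:', status['export_variable'])
```

A result of `imports_unprefixed: False` together with an `export_variable` other than the bare function name is the affix-patched behaviour the log message describes; `imports_unprefixed: True` means the bash under test still parses arbitrary environment variables as function definitions.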


[Secure-testing-commits] r29000 - data/DSA

2014-09-24 Thread Florian Weimer
Author: fw
Date: 2014-09-24 14:00:56 + (Wed, 24 Sep 2014)
New Revision: 29000

Modified:
   data/DSA/list
Log:
DSA-3032-1 bash


Modified: data/DSA/list
===
--- data/DSA/list   2014-09-24 13:14:47 UTC (rev 28999)
+++ data/DSA/list   2014-09-24 14:00:56 UTC (rev 29000)
@@ -1,3 +1,6 @@
+[24 Sep 2014] DSA-3032-1 bash - security update
+   {CVE-2014-6271}
+   [wheezy] - bash 4.2+dfsg-0.1+deb7u1
 [23 Sep 2014] DSA-3031-1 apt - security update
{CVE-2014-6273}
[wheezy] - apt 0.9.7.9+deb7u5




[Secure-testing-commits] r29001 - data/DLA

2014-09-24 Thread Florian Weimer
Author: fw
Date: 2014-09-24 14:11:41 + (Wed, 24 Sep 2014)
New Revision: 29001

Modified:
   data/DLA/list
Log:
DLA-59-1 bash


Modified: data/DLA/list
===
--- data/DLA/list   2014-09-24 14:00:56 UTC (rev 29000)
+++ data/DLA/list   2014-09-24 14:11:41 UTC (rev 29001)
@@ -1,3 +1,6 @@
+[24 Sep 2014] DLA-59-1 bash - security update
+   {CVE-2014-6271}
+   [squeeze] - bash 4.1-3+deb6u1
 [23 Sep 2014] DLA-58-1 apt - security update
{CVE-2014-6273}
[squeeze] - apt 0.8.10.3+squeeze5




[Secure-testing-commits] r28833 - data/DSA

2014-09-16 Thread Florian Weimer
Author: fw
Date: 2014-09-16 18:06:11 + (Tue, 16 Sep 2014)
New Revision: 28833

Modified:
   data/DSA/list
Log:
DSA-3026-1 dbus


Modified: data/DSA/list
===
--- data/DSA/list   2014-09-16 17:34:12 UTC (rev 28832)
+++ data/DSA/list   2014-09-16 18:06:11 UTC (rev 28833)
@@ -1,3 +1,6 @@
+[16 Sep 2014] DSA-3026-1 dbus - security update
+   {CVE-2014-3635 CVE-2014-3636 CVE-2014-3637 CVE-2014-3638 CVE-2014-3639}
+   [wheezy] - dbus 1.6.8-1+deb7u4
 [16 Sep 2014] DSA-3025-1 apt - security update
{CVE-2014-0487 CVE-2014-0488 CVE-2014-0489 CVE-2014-0490}
[wheezy] - apt 0.9.7.9+deb7u3




[Secure-testing-commits] r28795 - org

2014-09-15 Thread Florian Weimer
Author: fw
Date: 2014-09-15 17:47:23 + (Mon, 15 Sep 2014)
New Revision: 28795

Modified:
   org/TODO
Log:
Git migration has no impact on debsecan


Modified: org/TODO
===
--- org/TODO2014-09-15 17:47:00 UTC (rev 28794)
+++ org/TODO2014-09-15 17:47:23 UTC (rev 28795)
@@ -47,7 +47,6 @@
the commit messages trigger updates of the tracker.
  - http://security-team.debian.org (on dillon.d.o) is updated from svn,
needs to be switched (simple)
- - debsecan?
  - https://contributors.debian.org/source/Debian%20Security%20Tracker
 
 Organisation




[Secure-testing-commits] r28555 - in data: . DSA

2014-09-01 Thread Florian Weimer
Author: fw
Date: 2014-09-01 18:44:26 + (Mon, 01 Sep 2014)
New Revision: 28555

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3016-1 lua5.2


Modified: data/DSA/list
===
--- data/DSA/list   2014-09-01 18:42:58 UTC (rev 28554)
+++ data/DSA/list   2014-09-01 18:44:26 UTC (rev 28555)
@@ -1,3 +1,6 @@
+[01 Sep 2014] DSA-3016-1 lua5.2 - security update
+   {CVE-2014-5461}
+   [wheezy] - lua5.2 5.2.1-3+deb7u1
 [01 Sep 2014] DSA-3015-1 lua5.1 - security update
{CVE-2014-5461}
[wheezy] - lua5.1 5.1.5-4+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2014-09-01 18:42:58 UTC (rev 28554)
+++ data/dsa-needed.txt 2014-09-01 18:44:26 UTC (rev 28555)
@@ -31,8 +31,6 @@
 --
 libxstream-java
 --
-lua5.2
---
 mantis
 --
 nss




[Secure-testing-commits] r28554 - in data: . DSA

2014-09-01 Thread Florian Weimer
Author: fw
Date: 2014-09-01 18:42:58 + (Mon, 01 Sep 2014)
New Revision: 28554

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3015-1 lua5.1


Modified: data/DSA/list
===
--- data/DSA/list   2014-09-01 18:31:16 UTC (rev 28553)
+++ data/DSA/list   2014-09-01 18:42:58 UTC (rev 28554)
@@ -1,3 +1,6 @@
+[01 Sep 2014] DSA-3015-1 lua5.1 - security update
+   {CVE-2014-5461}
+   [wheezy] - lua5.1 5.1.5-4+deb7u1
 [31 Aug 2014] DSA-2987-2 openjdk-7 - regression update
[wheezy] - openjdk-7 7u65-2.5.1-5~deb7u1
 [28 Aug 2014] DSA-3014-1 squid3 - security update

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2014-09-01 18:31:16 UTC (rev 28553)
+++ data/dsa-needed.txt 2014-09-01 18:42:58 UTC (rev 28554)
@@ -31,8 +31,6 @@
 --
 libxstream-java
 --
-lua5.1
---
 lua5.2
 --
 mantis




[Secure-testing-commits] r28526 - data/DSA

2014-08-31 Thread Florian Weimer
Author: fw
Date: 2014-08-31 20:49:46 + (Sun, 31 Aug 2014)
New Revision: 28526

Modified:
   data/DSA/list
Log:
DSA-2987-2 openjdk-7


Modified: data/DSA/list
===
--- data/DSA/list   2014-08-31 20:47:02 UTC (rev 28525)
+++ data/DSA/list   2014-08-31 20:49:46 UTC (rev 28526)
@@ -1,3 +1,5 @@
+[31 Aug 2014] DSA-2987-2 openjdk-7 - regression update
+   [wheezy] - openjdk-7 7u65-2.5.1-5~deb7u1
 [28 Aug 2014] DSA-3014-1 squid3 - security update
{CVE-2014-3609}
[wheezy] - squid3 3.1.20-2.2+deb7u2




[Secure-testing-commits] r28527 - data

2014-08-31 Thread Florian Weimer
Author: fw
Date: 2014-08-31 20:50:57 + (Sun, 31 Aug 2014)
New Revision: 28527

Modified:
   data/dsa-needed.txt
Log:
DSA-2987-2 openjdk-7


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2014-08-31 20:49:46 UTC (rev 28526)
+++ data/dsa-needed.txt 2014-08-31 20:50:57 UTC (rev 28527)
@@ -40,8 +40,6 @@
 --
 nss
 --
-openjdk-7
---
 openswan (corsac)
   NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466
   (#744717)




[Secure-testing-commits] r28528 - lib/python

2014-08-31 Thread Florian Weimer
Author: fw
Date: 2014-08-31 20:53:00 + (Sun, 31 Aug 2014)
New Revision: 28528

Modified:
   lib/python/security_db.py
Log:
lib/python/security_db.py (DB.getBugsForSourcePackage): Include TEMP- bugs


Modified: lib/python/security_db.py
===
--- lib/python/security_db.py   2014-08-31 20:50:57 UTC (rev 28527)
+++ lib/python/security_db.py   2014-08-31 20:53:00 UTC (rev 28528)
@@ -1679,7 +1679,7 @@
AND sp.subrelease  'security' AND sp.subrelease  'lts'
 AND st.package = sp.rowid
 AND bugs.name = st.bug_name
-AND bugs.name LIKE 'CVE-%'
+AND (bugs.name LIKE 'CVE-%' OR bugs.name LIKE 'TEMP-%')
 GROUP BY bugs.name, bugs.description, sp.name)
 WHERE vulnerable = ? AND unimportant = ?
 ORDER BY name, (pkg, vulnerable, unimportant))
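Review bot: the widened filter now returns TEMP- names alongside CVE- names from getBugsForSourcePackage, so check its callers (the debsecan export and the web pages) for code that assumes every name is a CVE identifier, such as building a link to the external CVE database or slicing the year out of the name. A one-line comment above the LIKE clause saying why TEMP- entries belong in this result would also save the next reader from "simplifying" it back.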




[Secure-testing-commits] r28478 - data/DSA

2014-08-26 Thread Florian Weimer
Author: fw
Date: 2014-08-27 05:27:51 + (Wed, 27 Aug 2014)
New Revision: 28478

Modified:
   data/DSA/list
Log:
DSA-3012-1 eglibc


Modified: data/DSA/list
===
--- data/DSA/list   2014-08-27 05:24:40 UTC (rev 28477)
+++ data/DSA/list   2014-08-27 05:27:51 UTC (rev 28478)
@@ -1,3 +1,6 @@
+[26 Aug 2014] DSA-3012-1 eglibc - security update
+   {CVE-2014-5119}
+   [wheezy] - eglibc 2.13-38+deb7u4
 [23 Aug 2014] DSA-3011-1 mediawiki - security update
{CVE-2014-5241 CVE-2014-5243}
[wheezy] - mediawiki 1:1.19.18+dfsg-0+deb7u1




[Secure-testing-commits] r28251 - data/CVE

2014-08-13 Thread Florian Weimer
Author: fw
Date: 2014-08-13 06:13:35 + (Wed, 13 Aug 2014)
New Revision: 28251

Modified:
   data/CVE/list
Log:
CVE-2014-5119 eglibc


Modified: data/CVE/list
===
--- data/CVE/list   2014-08-13 05:32:15 UTC (rev 28250)
+++ data/CVE/list   2014-08-13 06:13:35 UTC (rev 28251)
@@ -202,8 +202,6 @@
RESERVED
 CVE-2014-5120
RESERVED
-CVE-2014-5119
-   RESERVED
 CVE-2014-5115 (Absolute path traversal vulnerability in DirPHP 1.0 allows 
remote ...)
NOT-FOR-US: DirPHP
 CVE-2014-5114 (WeBid 1.1.1 allows remote attackers to conduct an LDAP 
injection ...)
@@ -1116,8 +1114,9 @@
- rawstudio unfixed (low; bug #754899)
[wheezy] - rawstudio no-dsa (Minor issue)
[squeeze] - rawstudio not-affected (Vulnerable code not present)
-CVE-2014- [glibc locale issues]
-   TODO: check
+CVE-2014-5119 [glibc locale issues]
+   RESERVED
+   - eglibc unfixed (medium)
NOTE: http://www.openwall.com/lists/oss-security/2014/07/14/2
 CVE-2014-4909 (Integer overflow in the tr_bitfieldEnsureNthBitAlloced function 
in ...)
{DSA-2988-1}




[Secure-testing-commits] r27684 - data/DSA

2014-07-10 Thread Florian Weimer
Author: fw
Date: 2014-07-10 18:24:13 + (Thu, 10 Jul 2014)
New Revision: 27684

Modified:
   data/DSA/list
Log:
DSA-2976-1 eglibc


Modified: data/DSA/list
===
--- data/DSA/list   2014-07-10 17:56:48 UTC (rev 27683)
+++ data/DSA/list   2014-07-10 18:24:13 UTC (rev 27684)
@@ -1,3 +1,6 @@
+[10 Jul 2014] DSA-2976-1 eglibc - security update
+   {CVE-2014-0475}
+   [wheezy] - eglibc 2.13-38+deb7u3
 [09 Jul 2014] DSA-2975-1 phpmyadmin - security update
{CVE-2013-4995 CVE-2013-4996 CVE-2013-5002 CVE-2013-5003 CVE-2014-1879}
[wheezy] - phpmyadmin 4:3.4.11.1-2+deb7u1




[Secure-testing-commits] r26721 - /

2014-04-28 Thread Florian Weimer
Author: fw
Date: 2014-04-28 06:24:48 + (Mon, 28 Apr 2014)
New Revision: 26721

Modified:
   Makefile
Log:
Makefile: sparc is no longer part of testing


Modified: Makefile
===
--- Makefile2014-04-28 06:05:44 UTC (rev 26720)
+++ Makefile2014-04-28 06:24:48 UTC (rev 26721)
@@ -8,7 +8,7 @@
 MIRROR = http://cdn.debian.net/debian/
 squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc 
kfreebsd-i386 kfreebsd-amd64
 wheezy_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390 s390x 
sparc kfreebsd-i386 kfreebsd-amd64
-jessie_ARCHS = amd64 armel armhf i386 mips mipsel powerpc s390x sparc 
kfreebsd-i386 kfreebsd-amd64
+jessie_ARCHS = amd64 armel armhf i386 mips mipsel powerpc s390x kfreebsd-i386 
kfreebsd-amd64
 sid_ARCHS = amd64 armel armhf hurd-i386 i386 kfreebsd-i386 kfreebsd-amd64 mips 
mipsel powerpc s390x sparc
 
 OLDSTABLE = squeeze
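Review bot: `sid_ARCHS` on the line right after the change still lists `sparc`; if the port was dropped from testing because it is being removed altogether, unstable will need the same edit, otherwise a short comment that sparc intentionally stays in the sid list would stop the next reader from "fixing" the apparent inconsistency.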




[Secure-testing-commits] r26732 - data/DSA

2014-04-28 Thread Florian Weimer
Author: fw
Date: 2014-04-28 17:45:25 + (Mon, 28 Apr 2014)
New Revision: 26732

Modified:
   data/DSA/list
Log:
DSA-2917-1 super


Modified: data/DSA/list
===
--- data/DSA/list   2014-04-28 17:02:56 UTC (rev 26731)
+++ data/DSA/list   2014-04-28 17:45:25 UTC (rev 26732)
@@ -1,3 +1,7 @@
+[28 Apr 2014] DSA-2917-1 super - security update
+   {CVE-2014-0470}
+   [squeeze] - super 3.30.0-3+squeeze2
+   [wheezy] - super 3.30.0-6+deb7u1
 [28 Apr 2014] DSA-2916-1 libmms - security update
{CVE-2014-2892}
[squeeze] - libmms 0.6-1+squeeze2




[Secure-testing-commits] r26270 - data/DSA

2014-03-26 Thread Florian Weimer
Author: fw
Date: 2014-03-26 19:52:17 + (Wed, 26 Mar 2014)
New Revision: 26270

Modified:
   data/DSA/list
Log:
DSA-2886-1 libxalan2-java


Modified: data/DSA/list
===
--- data/DSA/list   2014-03-26 19:17:37 UTC (rev 26269)
+++ data/DSA/list   2014-03-26 19:52:17 UTC (rev 26270)
@@ -1,3 +1,7 @@
+[26 Mar 2014] DSA-2886-1 libxalan2-java - security update
+   {CVE-2014-0107}
+   [squeeze] - libxalan2-java 2.7.1-5+deb6u1
+   [wheezy] - libxalan2-java 2.7.1-7+deb7u1
 [26 Mar 2014] DSA-2885-1 libyaml-libyaml-perl - security update
{CVE-2014-2525}
[squeeze] - libyaml-libyaml-perl 0.33-1+squeeze3




[Secure-testing-commits] r26143 - lib/python

2014-03-17 Thread Florian Weimer
Author: fw
Date: 2014-03-17 10:57:24 + (Mon, 17 Mar 2014)
New Revision: 26143

Modified:
   lib/python/web_support.py
Log:
web_support: Pass down https:// URLs to server redirects

This is required because security-tracker.debian.org sets STS and
redirects to HTTPS, and recent Firefox versions do not handle http://
redirects in this context.


Modified: lib/python/web_support.py
===
--- lib/python/web_support.py   2014-03-17 08:31:45 UTC (rev 26142)
+++ lib/python/web_support.py   2014-03-17 10:57:24 UTC (rev 26143)
@@ -148,7 +148,7 @@
 generate URLs which reference to itself (see scriptRelative).
 
 def __init__(self, server_name, script_name, path_info='',
- params={}):
+ params={}, secure=False):
 self.server_name = server_name or 'localhost'
 script_name = self._stripSlashes(script_name or '')
 if script_name[-1:] == '/' or script_name == '':
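Review bot: while the signature is being touched, `params={}` is a mutable default shared by every URLFactory created without params; `updateParamsDict` only reads it today, but `params=None` with `self.params = params or {}` removes the trap for any later caller that mutates it. The new `secure` argument should also be mentioned in the class docstring just above, which describes what kind of URLs the factory generates.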
@@ -157,6 +157,7 @@
 self.script_name = script_name + '/'
 self.path_info = self._stripSlashes(path_info)
 self.params = params
+self.secure = secure
 
 def _convertArgs(self, args):
 arglist = []
@@ -198,11 +199,15 @@
 def scriptRelativeFull(self, path, **args):
 Like scriptRelative, but returns an absolute URL, including
 the http:// prefix.
+if self.secure:
+schema = https
+else:
+schema = http
+return URL(%s://%s/%s%s%s % (schema,
+   self.server_name, self.script_name,
+   self._stripSlashes(path),
+   self._convertArgs(args)))
 
-return URL(http://%s/%s%s%s; % (self.server_name, self.script_name,
- self._stripSlashes(path),
- self._convertArgs(args)))
-
 def updateParamsDict(self, args):
 new_args = {}
 for (key, value) in self.params.items():
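Review bot: the docstring of scriptRelativeFull at the top of this hunk still promises "an absolute URL, including the http:// prefix", which is wrong once secure=True; update it. Naming: `schema` should be `scheme` (the RFC 3986 term), and computing `self.scheme = 'https' if secure else 'http'` once in `__init__` would remove the if/else from every call. Note for anyone reading this copy: the quotes around the string literals (`https`, `http`, the format string) were lost in the archive rendering, the stray `;` after `%s%s%s` in the removed line is what remains of one; check the repository rather than this listing before concluding the code raises NameError.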
@@ -745,7 +750,7 @@
   SocketServer.ThreadingMixIn):
 pass
 
-RE_BASE_URL = re.compile(r'^http://([^/]+)(.*)')
+RE_BASE_URL = re.compile(r'^(https?)://([^/]+)(.*)')
 
 class WebServiceHTTP(WebServiceBase):
 def __init__(self, socket_name):
@@ -764,7 +769,8 @@
 
 url = URLFactory(service_self.server_name,
  service_self.script_name,
- path, params)
+ path, params,
+ secure=service_self.secure)
 
 service_self.lock.acquire()
 try:
@@ -811,8 +817,9 @@
 m = RE_BASE_URL.match(url)
 if m is None:
 raise ValueError(invalid base URL:  + url)
-self.server_name = m.group(1)
-self.script_name = m.group(2)
+self.secure = m.group(1) == https
+self.server_name = m.group(2)
+self.script_name = m.group(3)
 
 
 def __test():
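Review bot: `secure` is derived from the configured base URL, not from the request, which is the right call (trusting a forwarded-proto header would let a client choose the scheme), but it means the two configurations have to be switched together: a deployment whose base URL is still `http://` keeps emitting absolute http:// self-links after the web server starts sending STS and redirecting, which is exactly the situation the commit message describes. Worth a comment here or in the deployment notes.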
@@ -829,6 +836,14 @@
 assert str(u.scriptRelativeFull(/a/b, t='123')) \
== http://localhost/a/b?t=123;
 
+u = URLFactory(server_name=None, script_name=None, secure=True)
+assert str(u.absolute(http://www.enyo.de/;)) == http://www.enyo.de/;
+assert str(u.absolute(http://www.enyo.de/;, t='123')) \
+   == http://www.enyo.de/?t=123;
+assert str(u.scriptRelative(/a/b, t='123')) == /a/b?t=123
+assert str(u.scriptRelativeFull(/a/b, t='123')) \
+   == https://localhost/a/b?t=123;
+
 u = URLFactory(server_name='localhost.localdomain',
script_name='/cgi-bin/test.cgi')
 assert str(u.scriptRelative(a/b, t='123')) \
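Review bot: good to see a regression test for the secure factory, and the assertions that `absolute()` leaves an explicit http:// URL alone make the scope of `secure` clear. Add one more case that feeds `RE_BASE_URL` an `https://host/path` and an `http://host/path` base URL and checks the three groups, because the regex change and the `m.group(1) == https` comparison are what actually switch a deployment over and nothing in `__test()` exercises them.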




[Secure-testing-commits] r26149 - /

2014-03-17 Thread Florian Weimer
Author: fw
Date: 2014-03-17 19:33:27 + (Mon, 17 Mar 2014)
New Revision: 26149

Modified:
   Makefile
Log:
ia64 is gone from sid


Modified: Makefile
===
--- Makefile2014-03-17 18:09:19 UTC (rev 26148)
+++ Makefile2014-03-17 19:33:27 UTC (rev 26149)
@@ -9,7 +9,7 @@
 squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc 
kfreebsd-i386 kfreebsd-amd64
 wheezy_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390 s390x 
sparc kfreebsd-i386 kfreebsd-amd64
 jessie_ARCHS = amd64 armel armhf i386 mips mipsel powerpc s390x sparc 
kfreebsd-i386 kfreebsd-amd64
-sid_ARCHS = amd64 armel armhf hurd-i386 i386 ia64 kfreebsd-i386 kfreebsd-amd64 
mips mipsel powerpc s390x sparc
+sid_ARCHS = amd64 armel armhf hurd-i386 i386 kfreebsd-i386 kfreebsd-amd64 mips 
mipsel powerpc s390x sparc
 
 OLDSTABLE = squeeze
 STABLE= wheezy




[Secure-testing-commits] r25624 - org

2014-02-09 Thread Florian Weimer
Author: fw
Date: 2014-02-09 10:33:38 + (Sun, 09 Feb 2014)
New Revision: 25624

Modified:
   org/TODO
Log:
private Subversion repository on chopin


Modified: org/TODO
===
--- org/TODO2014-02-09 09:35:12 UTC (rev 25623)
+++ org/TODO2014-02-09 10:33:38 UTC (rev 25624)
@@ -10,6 +10,8 @@
  - set up a private SVN repo for embargo issues
  - remove all reference to Security Audit 
https://www.debian.org/security/audit/
  - svnsync setup on soler to back up alioth in near-realtime (fw)
+ - sec-private Subversion repository on chopin (fw)
+   - notify DSA and verify it is part of the backup
 
 Security Tracker
  - ask Jon Wiltshire if new status to differentiate between no-dsa, if the 
maintainer wants to fix in a point update go ahead and no-dsa, was ignored 
because it's possible to backport is still needed. (fw)




[Secure-testing-commits] r25609 - org

2014-02-08 Thread Florian Weimer
Author: fw
Date: 2014-02-08 15:46:36 + (Sat, 08 Feb 2014)
New Revision: 25609

Modified:
   org/TODO
Log:
Web pages TODOs

Modified: org/TODO
===
--- org/TODO2014-02-08 15:43:32 UTC (rev 25608)
+++ org/TODO2014-02-08 15:46:36 UTC (rev 25609)
@@ -11,4 +11,8 @@
  - remove all reference to Security Audit 
https://www.debian.org/security/audit/
 
 Security Tracker
- - fw: ask Jon Wiltshire if new status to differentiate between no-dsa, if 
the maintainer wants to fix in a point update go ahead and no-dsa, was 
ignored because it's possible to backport is still needed.
+ - ask Jon Wiltshire if new status to differentiate between no-dsa, if the 
maintainer wants to fix in a point update go ahead and no-dsa, was ignored 
because it's possible to backport is still needed. (fw)
+
+Web pages
+ - rename Mitre CVE database to CVE IDs (fw)
+ - replace CVE cross-reference with links to approrate security tracker 
information
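Review bot: typo in the last added item: "approrate" should read "appropriate".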




[Secure-testing-commits] r25611 - org

2014-02-08 Thread Florian Weimer
Author: fw
Date: 2014-02-08 15:54:03 + (Sat, 08 Feb 2014)
New Revision: 25611

Modified:
   org/TODO
Log:
More webwml TODOs


Modified: org/TODO
===
--- org/TODO2014-02-08 15:49:57 UTC (rev 25610)
+++ org/TODO2014-02-08 15:54:03 UTC (rev 25611)
@@ -16,3 +16,5 @@
 Web pages
  - rename Mitre CVE database to CVE IDs (fw)
  - replace CVE cross-reference with links to approrate security tracker 
information
+ - adjust parse-advisory.pl script to DSA template changes
+ - adjust webwml templates to cope with missing data




[Secure-testing-commits] r25613 - bin

2014-02-08 Thread Florian Weimer
Author: fw
Date: 2014-02-08 16:15:53 + (Sat, 08 Feb 2014)
New Revision: 25613

Removed:
   bin/gen-DSA.py
Log:
Remove outdated and confusing gen-DSA script

Deleted: bin/gen-DSA.py
===
--- bin/gen-DSA.py  2014-02-08 15:56:43 UTC (rev 25612)
+++ bin/gen-DSA.py  2014-02-08 16:15:53 UTC (rev 25613)
@@ -1,280 +0,0 @@
-#!/usr/bin/python
-# gen-DSA -- create a DSA template
-# Copyright (C) 2011 Florian Weimer f...@deneb.enyo.de
-#
-# User interface based on a shell version written by
-# Raphael Geissert geiss...@debian.org.
-# 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-
-# This script is intended to be run on security-master to get an
-# unprocessed dump of the contents of the embargoed and unembargoed
-# queues.
-#
-# The script reads .deb and .changes files.  A caching database is
-# written to ~/.cache.
-
-
-import sys
-import os.path
-def setup_path():
-dirname = os.path.dirname
-base = dirname(dirname(os.path.realpath(sys.argv[0])))
-sys.path.insert(0, os.path.join(base, lib, python))
-setup_path()
-
-from pwd import getpwuid
-import re
-import time
-
-import bugs
-import debian_support
-import secmaster
-
-def parsecommand():
-args = sys.argv[1:]
-if not args:
-usage()
-
-global opt_save
-if args[0] == --save:
-opt_save = True
-del args[0]
-else:
-opt_save = False
-if len(args)  3:
-usage()
-
-global opt_dsaid
-opt_dsaid = args[0]
-if opt_dsaid.upper().startswith(DSA-):
-opt_dsaid = opt_dsaid[4:]
-if - not in opt_dsaid:
-opt_dsaid += -1
-
-global opt_package
-opt_package = args[1]
-if not opt_package:
-usage(package argument is empty)
-
-global opt_vulnerability
-opt_vulnerability = args[2]
-if not opt_vulnerability:
-usage(vulnerability argument is empty)
-
-global opt_cve
-if len(args) = 4:
-re_cve = re.compile((?i)CVE-\d{4}-\d{4,})
-opt_cve = set()
-for cve in args[3].split():
-if not cve:
-continue
-cve = cve.upper()
-if not re_cve.match(cve):
-usage(malformed CVE name:  + repr(cve))
-if cve in opt_cve:
-usage(duplicate CVE:  + repr(cve))
-opt_cve.add(cve)
-opt_cve = tuple(sorted(opt_cve))
-else:
-opt_cve = ()
-
-global opt_bugs
-if len(args) = 5:
-opt_bugs = set()
-for bug in args[3].split():
-if not bug:
-continue
-try:
-bug = int(bug)
-if bug = 0:
-raise ValueError
-except:
-usage(malformed bug number:  + repr(bug))
-if bug in opt_bugs:
-usage(duplicate bug number:  + repr(bug))
-opt_bugs.add(cve)
-opt_bugs = tuple(sorted(opt_bugs))
-else:
-opt_bugs = ()
-if len(args) = 5:
-usage()
-
-def usage(msg=None):
-if msg is not None:
-print sys.stderr, error:, msg
-print sys.stderr, usage:, sys.argv[0], \
-[--save] DSA package vulnerability [CVE [bug number]]
-print sys.stderr
-print sys.stderr, \
-Multiple CVE and bug numbers can be separated by spaces
-sys.exit(1)
-
-def gecos():
-gecos = os.getenv(DEBFULLNAME)
-if gecos is not None:
-return gecos
-gecos = getpwuid(os.getuid()).pw_gecos
-return gecos.split(,)[0]
-
-def debemail():
-for env in (DEBEMAIL, USER):
-email = os.getenv(env)
-if email is not None:
-return email
-return unknown
-
-def filledtemplate(values, re_var=re.compile(r\$\$?([A-Z_]+))):
-template = file(debian_support.findresource(doc, DSA.template)).read()
-def repl(match):
-return values[match.group(1)]
-return re_var.sub(repl, template)
-
-tm = time.gmtime(time.time())
-def getdate(months= January February March April May June July August 
September October November December.split( )):
-return {0} {1:02}, {2}.format(months[tm.tm_mon], tm.tm_mday, tm.tm_year)
-
-dsa_list_path = debian_support.findresource(*data DSA list.split())
-def checklist():
-name = DSA- + opt_dsaid
-for bug in bugs.DSAFile
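Review bot: the removal is reasonable, and the deleted parsecommand explains the "confusing" in the log message: the bug-number branch (the block guarded by the second `len(args)` check) iterates `args[3]`, which is the CVE list, instead of `args[4]`, and then does `opt_bugs.add(cve)` rather than `opt_bugs.add(bug)`, so the optional bug-number argument could never have worked as documented in usage(). No action needed since the file goes away, but if a replacement is written, those two lines are the ones to test first.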

[Secure-testing-commits] r25618 - org

2014-02-08 Thread Florian Weimer
Author: fw
Date: 2014-02-08 17:53:24 + (Sat, 08 Feb 2014)
New Revision: 25618

Modified:
   org/TODO
Log:
TODO: svnsync mirror


Modified: org/TODO
===
--- org/TODO2014-02-08 17:40:41 UTC (rev 25617)
+++ org/TODO2014-02-08 17:53:24 UTC (rev 25618)
@@ -9,6 +9,7 @@
 Infrastructure
  - set up a private SVN repo for embargo issues
  - remove all reference to Security Audit 
https://www.debian.org/security/audit/
+ - svnsync setup on soler to back up alioth in near-realtime (fw)
 
 Security Tracker
  - ask Jon Wiltshire if new status to differentiate between no-dsa, if the 
maintainer wants to fix in a point update go ahead and no-dsa, was ignored 
because it's possible to backport is still needed. (fw)




[Secure-testing-commits] r25568 - org

2014-02-07 Thread Florian Weimer
Author: fw
Date: 2014-02-07 17:07:53 + (Fri, 07 Feb 2014)
New Revision: 25568

Modified:
   org/agenda-2014.txt
Log:
debsecan item


Modified: org/agenda-2014.txt
===
--- org/agenda-2014.txt 2014-02-07 16:36:06 UTC (rev 25567)
+++ org/agenda-2014.txt 2014-02-07 17:07:53 UTC (rev 25568)
@@ -71,6 +71,9 @@
   + Automatically group/reorder unassigned CVE-$year- item to have
 them in one place and get a better overview?
 
+- debsecan should move to a shared development platform
+  (collab-maint on alioth?)
+
 Infrastructure
 ==
 




[Secure-testing-commits] r25570 - org

2014-02-07 Thread Florian Weimer
Author: fw
Date: 2014-02-07 17:23:27 + (Fri, 07 Feb 2014)
New Revision: 25570

Modified:
   org/security-frontdesk.2014.txt
Log:
Frontdesk rotation: add myself


Modified: org/security-frontdesk.2014.txt
===
--- org/security-frontdesk.2014.txt 2014-02-07 17:19:22 UTC (rev 25569)
+++ org/security-frontdesk.2014.txt 2014-02-07 17:23:27 UTC (rev 25570)
@@ -12,7 +12,7 @@
 Week 12: 24-03 to 30-03:thijs
 Week 13: 31-03 to 06-04:nion
 Week 14: 07-04 to 13-04:carnil
-Week 15: 14-04 to 20-04:
+Week 15: 14-04 to 20-04:fw
 Week 16: 21-04 to 27-04:geissert
 Week 17: 28-04 to 04-05:corsac
 Week 18: 05-05 to 11-05:




[Secure-testing-commits] r25578 - data/DSA

2014-02-07 Thread Florian Weimer
Author: fw
Date: 2014-02-07 20:26:14 + (Fri, 07 Feb 2014)
New Revision: 25578

Modified:
   data/DSA/list
Log:
DSA-2856-1 libcommons-fileupload-java


Modified: data/DSA/list
===
--- data/DSA/list   2014-02-07 20:14:08 UTC (rev 25577)
+++ data/DSA/list   2014-02-07 20:26:14 UTC (rev 25578)
@@ -1,3 +1,6 @@
+[07 Feb 2014] DSA-2856-1 libcommons-fileupload-java - CVE-2014-0050
+   [squeeze] - libcommons-fileupload-java 1.2.2-1+deb6u2
+   [wheezy] - libcommons-fileupload-java 1.2.2-1+deb7u2
 [05 Feb 2014] DSA-2855-1 libav - several
{CVE-2011-3944 CVE-2013-0845 CVE-2013-0846 CVE-2013-0849 CVE-2013-0865 
CVE-2013-7010 CVE-2013-7014 CVE-2013-7015}
[wheezy] - libav 6:0.8.10-1
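Review bot: the new entry puts the CVE identifier where the short description goes and has no `{CVE-2014-0050}` line, unlike every other entry in this file (compare DSA-2855-1 directly below it, which has "- several" followed by a braces line); the tracker links advisories to CVEs through that braces line, so this DSA will not be associated with the CVE. Move the identifier into a `{CVE-2014-0050}` line and put a short description after the dash.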




[Secure-testing-commits] r25556 - data/DSA

2014-02-06 Thread Florian Weimer
Author: fw
Date: 2014-02-06 22:04:50 + (Thu, 06 Feb 2014)
New Revision: 25556

Modified:
   data/DSA/list
Log:
DSA-2852-1 libgadu (squeeze)


Modified: data/DSA/list
===
--- data/DSA/list   2014-02-06 21:14:14 UTC (rev 2)
+++ data/DSA/list   2014-02-06 22:04:50 UTC (rev 25556)
@@ -10,6 +10,7 @@
 [03 Feb 2014] DSA-2852-1 libgadu - heap-based buffer overflow
{CVE-2013-6487}
[wheezy] - libgadu 1:1.11.2-1+deb7u1
+   [squeeze] - libgadu 1:1.9.0-2+squeeze2
 [02 Feb 2014] DSA-2851-1 drupal6 - impersonation
{CVE-2014-1475}
[squeeze] - drupal6 6.30-1




[Secure-testing-commits] r25500 - data/DSA

2014-02-03 Thread Florian Weimer
Author: fw
Date: 2014-02-03 21:18:28 + (Mon, 03 Feb 2014)
New Revision: 25500

Modified:
   data/DSA/list
Log:
DSA-2852-1 libgadu


Modified: data/DSA/list
===
--- data/DSA/list   2014-02-03 15:41:24 UTC (rev 25499)
+++ data/DSA/list   2014-02-03 21:18:28 UTC (rev 25500)
@@ -1,3 +1,6 @@
+[03 Feb 2014] DSA-2852-1 libgadu - heap-based buffer overflow
+   {CVE-2013-6487}
+   [wheezy] - libgadu 1:1.11.2-1+deb7u1
 [02 Feb 2014] DSA-2851-1 drupal6 - impersonation
{CVE-2014-1475}
[squeeze] - drupal6 6.30-1




[Secure-testing-commits] r25465 - data/CVE

2014-02-02 Thread Florian Weimer
Author: fw
Date: 2014-02-02 10:43:51 + (Sun, 02 Feb 2014)
New Revision: 25465

Modified:
   data/CVE/list
Log:
CVE-2014-1474: only record libemail-address-list-perl

request-tracker4 does not bundle its dependencies, so bugs in the
latter cannot be fixed in the former anyway.


Modified: data/CVE/list
===
--- data/CVE/list   2014-02-02 09:09:28 UTC (rev 25464)
+++ data/CVE/list   2014-02-02 10:43:51 UTC (rev 25465)
@@ -796,7 +796,6 @@
RESERVED
 CVE-2014-1474
RESERVED
-   - request-tracker4 not-affected (Only 4.0.x does not have the 
dependency on Email::Address::List, only 4.2.0 onwards))
- libemail-address-list-perl 0.03-1
NOTE: 
http://lists.bestpractical.com/pipermail/rt-announce/2014-January/000245.html
 CVE-2013-7305 (fpw.php in e107 through 1.0.4 does not check the user_ban 
field, which ...)




[Secure-testing-commits] r25480 - /

2014-02-02 Thread Florian Weimer
Author: fw
Date: 2014-02-02 18:16:38 + (Sun, 02 Feb 2014)
New Revision: 25480

Modified:
   Makefile
Log:
Makefile: Remove ia64 from jessie


Modified: Makefile
===
--- Makefile2014-02-02 17:54:51 UTC (rev 25479)
+++ Makefile2014-02-02 18:16:38 UTC (rev 25480)
@@ -8,7 +8,7 @@
 MIRROR = http://cdn.debian.net/debian/
 squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc 
kfreebsd-i386 kfreebsd-amd64
 wheezy_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390 s390x 
sparc kfreebsd-i386 kfreebsd-amd64
-jessie_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390x sparc 
kfreebsd-i386 kfreebsd-amd64
+jessie_ARCHS = amd64 armel armhf i386 mips mipsel powerpc s390x sparc 
kfreebsd-i386 kfreebsd-amd64
 sid_ARCHS = amd64 armel armhf hurd-i386 i386 ia64 kfreebsd-i386 kfreebsd-amd64 
mips mipsel powerpc s390x sparc
 
 OLDSTABLE = squeeze
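Review bot: ia64 is dropped from jessie_ARCHS but remains in sid_ARCHS on the following line, and the log ("Remove ia64 from jessie") does not say whether that is intentional. If ia64 is no longer a release architecture, the mirror walk for sid will keep fetching an index that may disappear as well; either update sid_ARCHS in the same commit or state in the log that sid is deliberately left unchanged.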




[Secure-testing-commits] r25437 - data/DSA

2014-01-30 Thread Florian Weimer
Author: fw
Date: 2014-01-31 07:20:38 + (Fri, 31 Jan 2014)
New Revision: 25437

Modified:
   data/DSA/list
Log:
DSA-2849-1 curl


Modified: data/DSA/list
===
--- data/DSA/list   2014-01-31 06:30:22 UTC (rev 25436)
+++ data/DSA/list   2014-01-31 07:20:38 UTC (rev 25437)
@@ -1,3 +1,7 @@
+[31 Jan 2014] DSA-2849-1 curl - information disclosure
+   {CVE-2014-0015}
+   [squeeze] - curl 7.21.0-2.1+squeeze7
+   [wheezy] - curl 7.26.0-1+wheezy8
 [23 Jan 2014] DSA-2848-1 mysql-5.5 - several
{CVE-2013-5891 CVE-2013-5908 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401 
CVE-2014-0402 CVE-2014-0412 CVE-2014-0420 CVE-2014-0437}
[wheezy] - mysql-5.5 5.5.35+dfsg-0+wheezy1




[Secure-testing-commits] r25130 - data/CVE

2014-01-09 Thread Florian Weimer
Author: fw
Date: 2014-01-09 20:27:41 + (Thu, 09 Jan 2014)
New Revision: 25130

Modified:
   data/CVE/list
Log:
CVE-2013-7284 libplrpc-perl


Modified: data/CVE/list
===
--- data/CVE/list   2014-01-09 18:39:42 UTC (rev 25129)
+++ data/CVE/list   2014-01-09 20:27:41 UTC (rev 25130)
@@ -380,6 +380,9 @@
RESERVED
 CVE-2014-0790
RESERVED
+CVE-2013-7284 [libplrpc-perl remote code execution due to Storable]
+   - libplrpc-perl unfixed (high; bug #734789)
+   NOTE: Upstream appears dead.
 CVE-2013-7273 [no prompt anymore after login cancel using disable_user_list]
- gdm3 unfixed (low; bug #683338)
[wheezy] - gdm3 no-dsa (Minor issue)
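Review bot: The new CVE-2013-7284 entry records the unstable status ("unfixed", severity high) but no per-suite line, whereas the neighbouring CVE-2013-7273 entry carries a `[wheezy] - gdm3 no-dsa (...)` line. For a high-severity issue with an apparently dead upstream, recording whether squeeze and wheezy ship libplrpc-perl and what the plan is for them (no-dsa, removal, or a pending update) would make the tracker state actionable rather than leaving stable readers to guess.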




[Secure-testing-commits] r24985 - data/CVE

2013-12-30 Thread Florian Weimer
Author: fw
Date: 2013-12-30 21:55:47 + (Mon, 30 Dec 2013)
New Revision: 24985

Modified:
   data/CVE/list
Log:
CVE-2013-4492 libi18n-ruby squeeze not-affected


Modified: data/CVE/list
===
--- data/CVE/list   2013-12-30 21:52:20 UTC (rev 24984)
+++ data/CVE/list   2013-12-30 21:55:47 UTC (rev 24985)
@@ -7905,6 +7905,7 @@
 CVE-2013-4492 (Cross-site scripting (XSS) vulnerability in exceptions.rb in 
the i18n ...)
- ruby-i18n 0.6.9-1
- libi18n-ruby removed
+   [squeeze] - libi18n-ruby not-affected (vulnerable code not present)
 CVE-2013-4491 (Cross-site scripting (XSS) vulnerability in ...)
- rails-4.0 4.0.2+dfsg-1 (bug #731290)
- ruby-actionpack-3.2 3.2.16-1 (bug #731288)




[Secure-testing-commits] r24986 - data/DSA

2013-12-30 Thread Florian Weimer
Author: fw
Date: 2013-12-30 21:56:39 + (Mon, 30 Dec 2013)
New Revision: 24986

Modified:
   data/DSA/list
Log:
DSA-2830-1 ruby-i18n


Modified: data/DSA/list
===
--- data/DSA/list   2013-12-30 21:55:47 UTC (rev 24985)
+++ data/DSA/list   2013-12-30 21:56:39 UTC (rev 24986)
@@ -1,3 +1,6 @@
+[30 Dec 2013] DSA-2830-1 ruby-i18n - cross-site scripting
+   {CVE-2013-4492}
+   [wheezy] - ruby-i18n 0.6.0-3+deb7u1
 [28 Dec 2013] DSA-2829-1 hplip - several
{CVE-2013-0200 CVE-2013-4325 CVE-2013-6402 CVE-2013-6427}
[squeeze] - hplip 3.10.6-2+squeeze2




[Secure-testing-commits] r24283 - data/DSA

2013-11-03 Thread Florian Weimer
Author: fw
Date: 2013-11-04 06:10:47 + (Mon, 04 Nov 2013)
New Revision: 24283

Modified:
   data/DSA/list
Log:
DSA-2791-1 tryton-client


Modified: data/DSA/list
===
--- data/DSA/list   2013-11-04 05:11:34 UTC (rev 24282)
+++ data/DSA/list   2013-11-04 06:10:47 UTC (rev 24283)
@@ -1,3 +1,6 @@
+[04 Nov 2013] DSA-2791-1 tryton-client - missing input sanitization
+   [squeeze] - tryton-client 1.6.1-1+deb6u1
+   [wheezy] - tryton-client 2.2.3-1+deb7u1
 [02 Nov 2013] DSA-2790-1 nss - uninitialized memory read
{CVE-2013-1739}
[wheezy] - nss 2:3.14.4-1
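Review bot: The DSA-2791-1 tryton-client entry has no `{CVE-...}` line, unlike the DSA-2790-1 nss entry directly below it and the other DSA entries in this file. If no CVE had been assigned at the time, that is fine, but it is worth adding the identifier in a follow-up commit once one exists, since cross-referencing DSAs to CVEs is what downstream consumers of data/DSA/list rely on.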




[Secure-testing-commits] r23533 - data/CVE

2013-09-03 Thread Florian Weimer
Author: fw
Date: 2013-09-03 19:50:25 + (Tue, 03 Sep 2013)
New Revision: 23533

Modified:
   data/CVE/list
Log:
CVE-2013-4298 imagemagick CVEified


Modified: data/CVE/list
===
--- data/CVE/list   2013-09-03 18:48:27 UTC (rev 23532)
+++ data/CVE/list   2013-09-03 19:50:25 UTC (rev 23533)
@@ -1,4 +1,5 @@
-CVE-2013- [Memory corruption while processing GIF comments]
+CVE-2013-4298 [Memory corruption while processing GIF comments]
+   RESERVED
- imagemagick 8:6.7.7.10-6 (bug #721273)
[squeeze] - imagemagick not-affected (Code not vulnerable)
 CVE-2013-5673 [SQL injection]
@@ -2939,8 +2940,6 @@
RESERVED
 CVE-2013-4299
RESERVED
-CVE-2013-4298
-   RESERVED
 CVE-2013-4297
RESERVED
 CVE-2013-4296




[Secure-testing-commits] r23534 - data/DSA

2013-09-03 Thread Florian Weimer
Author: fw
Date: 2013-09-03 19:55:43 + (Tue, 03 Sep 2013)
New Revision: 23534

Modified:
   data/DSA/list
Log:
DSA-2750-1 imagemagick


Modified: data/DSA/list
===
--- data/DSA/list   2013-09-03 19:50:25 UTC (rev 23533)
+++ data/DSA/list   2013-09-03 19:55:43 UTC (rev 23534)
@@ -1,3 +1,6 @@
+[03 Sep 2013] DSA-2750-1 imagemagick - buffer overflow
+   {CVE-2013-4298}
+   [wheezy] - imagemagick 8:6.7.7.10-5+deb7u2
 [02 Sep 2013] DSA-2749-1 asterisk - several
{CVE-2013-5641 CVE-2013-5642}
[squeeze] - asterisk 1:1.6.2.9-2+squeeze11




[Secure-testing-commits] r23542 - data

2013-09-03 Thread Florian Weimer
Author: fw
Date: 2013-09-04 05:50:39 + (Wed, 04 Sep 2013)
New Revision: 23542

Modified:
   data/dsa-needed.txt
Log:
imagemagick TCO


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-09-04 05:39:16 UTC (rev 23541)
+++ data/dsa-needed.txt 2013-09-04 05:50:39 UTC (rev 23542)
@@ -25,8 +25,6 @@
 --
 iceape (jmm)
 --
-imagemagick
---
 jquery/oldstable
   Maintainer prepared an update
 --




[Secure-testing-commits] r23513 - data

2013-09-02 Thread Florian Weimer
Author: fw
Date: 2013-09-02 05:58:59 + (Mon, 02 Sep 2013)
New Revision: 23513

Modified:
   data/dsa-needed.txt
Log:
imagemagick DSA in preparation


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-09-01 23:09:51 UTC (rev 23512)
+++ data/dsa-needed.txt 2013-09-02 05:58:59 UTC (rev 23513)
@@ -27,6 +27,8 @@
 --
 iceape (jmm)
 --
+imagemagick
+--
 jquery/oldstable
   Maintainer prepared an update
 --



