[Secure-testing-commits] r48907 - data/CVE
Author: carnil Date: 2017-02-14 07:59:18 + (Tue, 14 Feb 2017) New Revision: 48907 Modified: data/CVE/list Log: Remove CVE request annotation Modified: data/CVE/list === --- data/CVE/list 2017-02-14 07:52:24 UTC (rev 48906) +++ data/CVE/list 2017-02-14 07:59:18 UTC (rev 48907) @@ -1132,7 +1132,7 @@ NOTE: https://www.mail-archive.com/s-nail-users@lists.sourceforge.net/msg00551.html NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160 NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/27/7 + NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/7 CVE-2017-5628 (An issue was discovered in Artifex Software, Inc. MuJS before ...) NOT-FOR-US: MuJS CVE-2017-5627 (An issue was discovered in Artifex Software, Inc. MuJS before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48906 - data/CVE
Author: carnil Date: 2017-02-14 07:52:24 + (Tue, 14 Feb 2017) New Revision: 48906 Modified: data/CVE/list Log: Update entry for CVE-2012-5635 Modified: data/CVE/list === --- data/CVE/list 2017-02-14 07:33:40 UTC (rev 48905) +++ data/CVE/list 2017-02-14 07:52:24 UTC (rev 48906) @@ -119332,8 +119332,8 @@ CVE-2012-5636 RESERVED CVE-2012-5635 (The GlusterFS functionality in Red Hat Storage Management Console 2.0, ...) - - glusterfs (bug #704944) - [wheezy] - glusterfs (Minor issue) + - glusterfs (unimportant; bug #704944) + NOTE: Neutralised by kernel hardening CVE-2012-5634 (Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, ...) {DSA-2636-1} - xen 4.1.3-8 (low) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
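Review bot: the added "NOTE: Neutralised by kernel hardening" under CVE-2012-5635 does not say which hardening feature is meant, so the downgrade to "unimportant" cannot be checked from the entry itself. Name the mechanism in the NOTE. The hunk also drops the separate "[wheezy] - glusterfs (Minor issue)" line, which the log message ("Update entry for CVE-2012-5635") does not mention.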
[Secure-testing-commits] r48905 - data/CVE
Author: jmm Date: 2017-02-14 07:33:40 + (Tue, 14 Feb 2017) New Revision: 48905 Modified: data/CVE/list Log: new linux issue (concludes external check) Modified: data/CVE/list === --- data/CVE/list 2017-02-14 07:32:26 UTC (rev 48904) +++ data/CVE/list 2017-02-14 07:33:40 UTC (rev 48905) @@ -37,8 +37,9 @@ RESERVED CVE-2017-5971 RESERVED -CVE-2017-5970 +CVE-2017-5970 [kernel: ipv4: Invalid IP options could cause skb->dst drop] RESERVED + - linux CVE-2017-5969 [null pointer dereference when parsing a xml file using recover mode] RESERVED - libxml2 (bug #855001) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
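Review bot: the new CVE-2017-5970 entry adds "- linux" with no NOTE pointing at a report or upstream commit, unlike the CVE-2017-5973 entry added in r48904, which carries two reference URLs. Add a NOTE with the source the bracketed description was taken from, so the entry can be triaged later without redoing the external check.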
[Secure-testing-commits] r48904 - data/CVE
Author: jmm Date: 2017-02-14 07:32:26 + (Tue, 14 Feb 2017) New Revision: 48904 Modified: data/CVE/list Log: new qemu issue Modified: data/CVE/list === --- data/CVE/list 2017-02-14 07:04:59 UTC (rev 48903) +++ data/CVE/list 2017-02-14 07:32:26 UTC (rev 48904) @@ -23,8 +23,12 @@ RESERVED CVE-2017-5974 RESERVED -CVE-2017-5973 +CVE-2017-5973 [Qemu: usb: infinite loop while doing control transfer in xhci_kick_epctx] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01101.html + NOTE: http://www.openwall.com/lists/oss-security/2017/02/13/11 CVE-2017-5972 RESERVED CVE-2016-10224 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48903 - data/CVE
Author: carnil Date: 2017-02-14 07:04:59 + (Tue, 14 Feb 2017) New Revision: 48903 Modified: data/CVE/list Log: Reference CVE request for one libpodofo issue Modified: data/CVE/list === --- data/CVE/list 2017-02-14 07:04:49 UTC (rev 48902) +++ data/CVE/list 2017-02-14 07:04:59 UTC (rev 48903) @@ -864,7 +864,7 @@ - libpodofo (bug #854605) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/ NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 - NOTE: https://marc.info/?l=oss-security=148603648823037=2 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/02/21 CVE-2015-8981 [Heap overflow in the function ReadXRefSubsection] RESERVED - libpodofo 0.9.4-1 (bug #854599) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48902 - data/CVE
Author: carnil Date: 2017-02-14 07:04:49 + (Tue, 14 Feb 2017) New Revision: 48902 Modified: data/CVE/list Log: Reference patch for CVE-2017-5848 Modified: data/CVE/list === --- data/CVE/list 2017-02-14 06:27:01 UTC (rev 48901) +++ data/CVE/list 2017-02-14 07:04:49 UTC (rev 48902) @@ -739,6 +739,7 @@ - gst-plugins-bad0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777957 + NOTE: Patch: https://bugzilla.gnome.org/show_bug.cgi?id=777957#c3 CVE-2017-5847 (The gst_asf_demux_process_ext_content_desc function in ...) - gst-plugins-ugly1.0 (low) - gst-plugins-ugly0.10 (low) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48901 - data/CVE
Author: carnil Date: 2017-02-14 06:27:01 + (Tue, 14 Feb 2017) New Revision: 48901 Modified: data/CVE/list Log: Add fixing commit for CVE-2017-5847 Modified: data/CVE/list === --- data/CVE/list 2017-02-14 05:50:19 UTC (rev 48900) +++ data/CVE/list 2017-02-14 06:27:01 UTC (rev 48901) @@ -744,6 +744,7 @@ - gst-plugins-ugly0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777955 + NOTE: https://github.com/GStreamer/gst-plugins-ugly/commit/d21017b52a585f145e8d62781bcc1c5fefc7ee37 CVE-2017-5846 (The gst_asf_demux_process_ext_stream_props function in ...) - gst-plugins-ugly1.0 1.10.3-1 (low) - gst-plugins-ugly0.10 (low) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48900 - data/CVE
Author: carnil Date: 2017-02-14 05:50:19 + (Tue, 14 Feb 2017) New Revision: 48900 Modified: data/CVE/list Log: Fix typo in CVE id for mp3splt Modified: data/CVE/list === --- data/CVE/list 2017-02-14 05:46:59 UTC (rev 48899) +++ data/CVE/list 2017-02-14 05:50:19 UTC (rev 48900) @@ -406,8 +406,6 @@ RESERVED CVE-2017-5858 (An incorrect implementation of XEP-0280: Message Carbons in multiple ...) NOT-FOR-US: converse.js -CVE-2017-5851 - RESERVED CVE-2017-5836 [issue in plist_free_data plist.c:185] RESERVED - libplist (bug #854000) @@ -823,7 +821,7 @@ - libav NOTE: Patch: https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/12 -CVE-2017-5681 [mp3splt: NULL pointer dereference in free_options] +CVE-2017-5851 [mp3splt: NULL pointer dereference in free_options] RESERVED - mp3splt (unimportant) NOTE: https://github.com/asarubbo/poc/blob/master/00127-mp3splt-nullptr-free_options ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48899 - data/CVE
Author: carnil Date: 2017-02-14 05:46:59 + (Tue, 14 Feb 2017) New Revision: 48899 Modified: data/CVE/list Log: Mark CVE-2017-5857 as unimportant 1:2.8+dfsg-2 did revert "enable virtio gpu (virglrenderer) and opengl support". Modified: data/CVE/list === --- data/CVE/list 2017-02-14 05:46:49 UTC (rev 48898) +++ data/CVE/list 2017-02-14 05:46:59 UTC (rev 48899) @@ -840,12 +840,12 @@ RESERVED CVE-2017-5857 [Qemu: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref] RESERVED - - qemu (bug #853996) + - qemu (bug #853996; unimportant) [jessie] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg04615.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1418382 - NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/21c + NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/21 CVE-2017-5856 [Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd] RESERVED - qemu (bug #853996) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
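Review bot: the reason for tagging CVE-2017-5857 as unimportant (1:2.8+dfsg-2 reverted "enable virtio gpu (virglrenderer) and opengl support") is recorded only in the log message, not in the entry. Add it as a NOTE under the "- qemu (bug #853996; unimportant)" line so the justification stays with the data. The correction of the oss-security URL from ".../21c" to ".../21" in the same hunk is also not mentioned in the log.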
[Secure-testing-commits] r48898 - data/CVE
Author: carnil Date: 2017-02-14 05:46:49 + (Tue, 14 Feb 2017) New Revision: 48898 Modified: data/CVE/list Log: Replace new URL for 2017-02-01 jenkins advisory The previous one was obsoleted and replaced by the shorter one. A 'redirect'/'this page has moved' hint is still present on the former one. Modified: data/CVE/list === --- data/CVE/list 2017-02-14 05:33:35 UTC (rev 48897) +++ data/CVE/list 2017-02-14 05:46:49 UTC (rev 48898) 
@@ -9281,67 +9281,67 @@ CVE-2017-2613 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2612 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2611 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2610 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2609 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2608 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2607 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2606 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2605 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2604 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2603 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: 
https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2602 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2601 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2600 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2599 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2598 RESERVED - jenkins - NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01 + NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2597 RESERVED CVE-2017-2596 (The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48897 - data/CVE
Author: carnil Date: 2017-02-14 05:33:35 + (Tue, 14 Feb 2017) New Revision: 48897 Modified: data/CVE/list Log: Update some NFUs which are specific to IBM products Modified: data/CVE/list === --- data/CVE/list 2017-02-14 05:32:29 UTC (rev 48896) +++ data/CVE/list 2017-02-14 05:33:35 UTC (rev 48897) @@ -36077,15 +36077,15 @@ CVE-2016-3058 RESERVED CVE-2016-3057 (Cross-site scripting (XSS) vulnerability in IBM Sterling B2B ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3056 (Cross-site scripting (XSS) vulnerability in Business Space in IBM ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3055 (IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3054 (Cross-site scripting (XSS) vulnerability in IBM FileNet Workplace ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3053 (IBM AIX contains an unspecified vulnerability that would allow a ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3052 RESERVED CVE-2016-3051 @@ -36097,11 +36097,11 @@ CVE-2016-3048 RESERVED CVE-2016-3047 (Open redirect vulnerability in IBM FileNet Workplace 4.0.2 through ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3046 (IBM Security Access Manager for Web is vulnerable to SQL injection. A ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3045 (IBM Security Access Manager for Web stores sensitive information in ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3044 (The Linux kernel component in IBM PowerKVM 2.1 before 2.1.1.3-65.10 ...) - linux NOTE: https://www-01.ibm.com/support/docview.wss?uid=isg3T1023969 @@ -36124,11 +36124,11 @@ CVE-2016-3036 RESERVED CVE-2016-3035 (IBM AppScan Source could reveal some sensitive information through the ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3034 (IBM AppScan Source uses a one-way hash without salt to encrypt highly ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3033 (IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3032 RESERVED CVE-2016-3031 
@@ -36136,11 +36136,11 @@ CVE-2016-3030 RESERVED CVE-2016-3029 (IBM Security Access Manager for Web is vulnerable to cross-site ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3028 (IBM Security Access Manager for Web 7.0 before IF2 and 8.0 before ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3027 (IBM Security Access Manager for Web is vulnerable to a denial of ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3026 RESERVED CVE-2016-3025 (IBM Security Access Manager for Mobile 8.x before 8.0.1.4 IF3 and ...) @@ -36218,15 +36218,15 @@ CVE-2016-2989 (Open redirect vulnerability in the Connections Portlets component 5.x ...) TODO: check CVE-2016-2988 (IBM Tivoli Storage Manger for Virtual Environments: Data Protection ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-2987 (An undisclosed vulnerability in CLM applications may result in some ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-2986 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-2985 (IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-2984 (IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-2983 RESERVED CVE-2016-2982 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
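Review bot: in the last hunk (@@ -36218,15), CVE-2016-2989 (Connections Portlets) stays at "TODO: check" while the five entries directly below it are switched to "NOT-FOR-US: IBM". If that was deliberate, fine; otherwise it looks missed. The tag is also a bare vendor name, where other NOT-FOR-US lines in this file name the product (for example "NOT-FOR-US: Intel Security ePO"); naming the product makes later re-triage easier.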
[Secure-testing-commits] r48895 - data/CVE
Author: carnil Date: 2017-02-14 05:32:20 + (Tue, 14 Feb 2017) New Revision: 48895 Modified: data/CVE/list Log: Add note for introducing commit of CVE-2017-2615 Modified: data/CVE/list === --- data/CVE/list 2017-02-14 04:59:20 UTC (rev 48894) +++ data/CVE/list 2017-02-14 05:32:20 UTC (rev 48895) @@ -9274,7 +9274,7 @@ RESERVED - qemu (low; bug #854731) [jessie] - qemu (Minor issue) - NOTE: Introduced with http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which got backported to jessie) + NOTE: Introduced with http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which was the fix for CVE-2014-8106) NOTE: Patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg00015.html CVE-2017-2614 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
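Review bot: the rewritten "Introduced with" NOTE replaces "(which got backported to jessie)" with "(which was the fix for CVE-2014-8106)", so the entry no longer explains why the "[jessie] - qemu (Minor issue)" line applies. Keep both facts in the NOTE, for example "(the fix for CVE-2014-8106, which got backported to jessie)".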
[Secure-testing-commits] r48896 - data/CVE
Author: carnil Date: 2017-02-14 05:32:29 + (Tue, 14 Feb 2017) New Revision: 48896 Modified: data/CVE/list Log: Add fixing commit for CVE-2017-2615 Modified: data/CVE/list === --- data/CVE/list 2017-02-14 05:32:20 UTC (rev 48895) +++ data/CVE/list 2017-02-14 05:32:29 UTC (rev 48896) @@ -9274,8 +9274,8 @@ RESERVED - qemu (low; bug #854731) [jessie] - qemu (Minor issue) - NOTE: Introduced with http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which was the fix for CVE-2014-8106) - NOTE: Patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg00015.html + NOTE: Introduced with: http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which was the fix for CVE-2014-8106) + NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64 CVE-2017-2614 RESERVED CVE-2017-2613 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48894 - data/CVE
Author: carnil Date: 2017-02-14 04:59:20 + (Tue, 14 Feb 2017) New Revision: 48894 Modified: data/CVE/list Log: Add bug report for CVE-2016-2399/libquicktime Modified: data/CVE/list === --- data/CVE/list 2017-02-14 04:54:54 UTC (rev 48893) +++ data/CVE/list 2017-02-14 04:59:20 UTC (rev 48894) @@ -38145,7 +38145,7 @@ CVE-2016-2400 RESERVED CVE-2016-2399 (Integer overflow in the quicktime_read_pascal function in libquicktime ...) - - libquicktime + - libquicktime (bug #855099) NOTE: PoC: http://www.nemux.org/2016/02/23/libquicktime-1-2-4/ CVE-2016-2398 (Comcast XFINITY Home Security System does not properly maintain ...) NOT-FOR-US: XFINITY ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48893 - data/CVE
Author: carnil Date: 2017-02-14 04:54:54 + (Tue, 14 Feb 2017) New Revision: 48893 Modified: data/CVE/list Log: Update information for CVE-2016-2399/libquicktime Modified: data/CVE/list === --- data/CVE/list 2017-02-14 03:32:04 UTC (rev 48892) +++ data/CVE/list 2017-02-14 04:54:54 UTC (rev 48893) @@ -38145,7 +38145,8 @@ CVE-2016-2400 RESERVED CVE-2016-2399 (Integer overflow in the quicktime_read_pascal function in libquicktime ...) - TODO: check + - libquicktime + NOTE: PoC: http://www.nemux.org/2016/02/23/libquicktime-1-2-4/ CVE-2016-2398 (Comcast XFINITY Home Security System does not properly maintain ...) NOT-FOR-US: XFINITY CVE-2016-2397 (The cliserver implementation in Dell SonicWALL GMS, Analyzer, and UMA ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48891 - data/CVE
Author: carnil Date: 2017-02-14 03:19:49 + (Tue, 14 Feb 2017) New Revision: 48891 Modified: data/CVE/list Log: Mark mariadb sources as unfixed yet, affects 10.0.x still through 10.0.29, and 10.1.x still through 10.1.21 Modified: data/CVE/list === --- data/CVE/list 2017-02-14 03:17:16 UTC (rev 48890) +++ data/CVE/list 2017-02-14 03:19:49 UTC (rev 48891) @@ -7357,8 +7357,8 @@ CVE-2017-3303 (Vulnerability in the Oracle XML Gateway component of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-3302 (Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x ...) - - mariadb-10.1 - - mariadb-10.0 + - mariadb-10.1 + - mariadb-10.0 - mysql-5.7 (Fixed before initial release in Debian) - mysql-5.6 (Fixed before initial release in Debian) - mysql-5.5 (bug #854713) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48890 - data/CVE
Author: carnil Date: 2017-02-14 03:17:16 + (Tue, 14 Feb 2017) New Revision: 48890 Modified: data/CVE/list Log: Mark CVE-2017-5969/libxml2 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-02-14 03:12:00 UTC (rev 48889) +++ data/CVE/list 2017-02-14 03:17:16 UTC (rev 48890) @@ -36,6 +36,7 @@ CVE-2017-5969 [null pointer dereference when parsing a xml file using recover mode] RESERVED - libxml2 (bug #855001) + [jessie] - libxml2 (Minor issue, nonly a denial-of-service when using recover mode) NOTE: http://www.openwall.com/lists/oss-security/2016/11/05/3 NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778519 CVE-2017-5968 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
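Review bot: typo in the added "[jessie] - libxml2" line: "nonly a denial-of-service" should read "only a denial-of-service".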
[Secure-testing-commits] r48889 - data/DLA
Author: carnil Date: 2017-02-14 03:12:00 + (Tue, 14 Feb 2017) New Revision: 48889 Modified: data/DLA/list Log: Correct tracking of mysql-5.5 fix The fix was in the 5.5.54-0+deb7u2 upload. The DLA just mentioned a wrong number. Additionally add the assigned CVE. Modified: data/DLA/list === --- data/DLA/list 2017-02-13 21:57:12 UTC (rev 4) +++ data/DLA/list 2017-02-14 03:12:00 UTC (rev 48889) @@ -10,7 +10,8 @@ {CVE-2017-5938} [wheezy] - viewvc 1.1.5-1.4+deb7u1 [09 Feb 2017] DLA-819-1 mysql-5.5 - security update - [wheezy] - mysql-5.5 5.5.47-0+deb7u2 + {CVE-2017-3302} + [wheezy] - mysql-5.5 5.5.54-0+deb7u2 [07 Feb 2017] DLA-818-1 php5 - security update {CVE-2016-2554 CVE-2016-3141 CVE-2016-3142 CVE-2016-4342 CVE-2016-9934 CVE-2016-9935 CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161} [wheezy] - php5 5.4.45-0+deb7u7 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48888 - data/CVE
Author: jmm Date: 2017-02-13 21:57:12 + (Mon, 13 Feb 2017) New Revision: 4 Modified: data/CVE/list Log: libwebp unimportant Modified: data/CVE/list === --- data/CVE/list 2017-02-13 21:55:06 UTC (rev 48887) +++ data/CVE/list 2017-02-13 21:57:12 UTC (rev 4) @@ -5487,7 +5487,7 @@ CVE-2017-3903 RESERVED CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user interface ...) - TODO: check + NOT-FOR-US: Intel Security ePO CVE-2017-3901 RESERVED CVE-2017-3900 @@ -5499,7 +5499,7 @@ CVE-2017-3897 RESERVED CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing ...) - TODO: check + NOT-FOR-US: Intel McAfee CVE-2017-3895 RESERVED CVE-2016-10087 (The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before ...) @@ -16621,13 +16621,14 @@ CVE-2016-9031 (An exploitable integer overflow exists in the Joyent SmartOS ...) NOT-FOR-US: Joyent SmartOS CVE-2016-9085 (Multiple integer overflows in libwebp allows attackers to have ...) - - libwebp (bug #842714) + - libwebp (unimportant; bug #842714) [wheezy] - libwebp (vulnerable code not present) NOTE: https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 NOTE: Report: https://bugs.chromium.org/p/webp/issues/detail?id=314 (private) NOTE: For libwebp only in examples, but other projects seem to use the gifdec.c NOTE: Origin of the file seems to be from libav - TODO: check: 0.5.1-3 claims the upload fixed CVE-2016- and CVE-2016-9085 but the taken patch looks different, needs investigation + NOTE: 0.5.1-3 claims the upload fixed CVE-2016- and CVE-2016-9085 but the taken patches + NOTE: look different, needs further investigation before marking as fixed CVE-2016-9084 (drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 ...) - linux 4.8.11-1 [jessie] - linux 3.16.39-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
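Review bot: the log message says only "libwebp unimportant", but the first two hunks also reclassify CVE-2017-3902 and CVE-2017-3896 from "TODO: check" to NOT-FOR-US. Mention those in the log or commit them separately. In the CVE-2016-9085 hunk the "TODO: check:" line becomes two plain NOTE lines whose text still says further investigation is needed; keeping a TODO marker would preserve that reminder for anyone working from the TODO entries.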
[Secure-testing-commits] r48887 - data/CVE
Author: jmm Date: 2017-02-13 21:55:06 + (Mon, 13 Feb 2017) New Revision: 48887 Modified: data/CVE/list Log: new tomcat issue Modified: data/CVE/list === --- data/CVE/list 2017-02-13 21:46:04 UTC (rev 48886) +++ data/CVE/list 2017-02-13 21:55:06 UTC (rev 48887) @@ -1,3 +1,10 @@ +CVE-2017- [tomcat DoS via infinite loop in HTTPS request processing] + - tomcat8 (bug #851304) + [jessie] - tomcat8 8.0.14-1+deb8u7 + - tomcat7 7.0.72-3 + [jessie] - tomcat7 7.0.56-3+deb8u8 + NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API + NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=57544 CVE-2017-5981 RESERVED CVE-2017-5980 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48886 - data/DSA
Author: jmm Date: 2017-02-13 21:46:04 + (Mon, 13 Feb 2017) New Revision: 48886 Modified: data/DSA/list Log: tomcat DSAs Modified: data/DSA/list === --- data/DSA/list 2017-02-13 21:28:34 UTC (rev 48885) +++ data/DSA/list 2017-02-13 21:46:04 UTC (rev 48886) @@ -1,3 +1,7 @@ +[13 Feb 2017] DSA-3788-1 tomcat8 - security update + [jessie] - tomcat8 8.0.14-1+deb8u7 +[13 Feb 2017] DSA-3787-1 tomcat7 - security update + [jessie] - tomcat7 7.0.56-3+deb8u8 [13 Feb 2017] DSA-3786-1 vim - security update {CVE-2017-5953} [jessie] - vim 2:7.4.488-7+deb8u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
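Review bot: DSA-3788-1 and DSA-3787-1 are added without a {CVE-...} line, unlike DSA-3786-1 directly below them, so nothing in data/DSA/list ties these advisories to the tomcat entry added to data/CVE/list in r48887. Add the cross-reference once an identifier is available for that entry.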
[Secure-testing-commits] r48885 - in data: . DSA
Author: jmm Date: 2017-02-13 21:28:34 + (Mon, 13 Feb 2017) New Revision: 48885 Modified: data/DSA/list data/dsa-needed.txt Log: vim DSA Modified: data/DSA/list === --- data/DSA/list 2017-02-13 21:10:13 UTC (rev 48884) +++ data/DSA/list 2017-02-13 21:28:34 UTC (rev 48885) @@ -1,3 +1,6 @@ +[13 Feb 2017] DSA-3786-1 vim - security update + {CVE-2017-5953} + [jessie] - vim 2:7.4.488-7+deb8u2 [09 Feb 2017] DSA-3785-1 jasper - security update {CVE-2016-1867 CVE-2016-8654 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8882 CVE-2016-9560} [jessie] - jasper 1.900.1-debian1-2.4+deb8u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-13 21:10:13 UTC (rev 48884) +++ data/dsa-needed.txt 2017-02-13 21:28:34 UTC (rev 48885) @@ -37,8 +37,6 @@ -- spip -- -vim (jmm) --- xen -- zabbix (jmm) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48884 - data/CVE
Author: sectracker Date: 2017-02-13 21:10:13 + (Mon, 13 Feb 2017) New Revision: 48884 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-02-13 19:18:41 UTC (rev 48883) +++ data/CVE/list 2017-02-13 21:10:13 UTC (rev 48884) @@ -1,3 +1,21 @@ +CVE-2017-5981 + RESERVED +CVE-2017-5980 + RESERVED +CVE-2017-5979 + RESERVED +CVE-2017-5978 + RESERVED +CVE-2017-5977 + RESERVED +CVE-2017-5976 + RESERVED +CVE-2017-5975 + RESERVED +CVE-2017-5974 + RESERVED +CVE-2017-5973 + RESERVED CVE-2017-5972 RESERVED CVE-2016-10224 @@ -54,6 +72,7 @@ CVE-2017-5954 (An issue was discovered in the serialize-to-js package 0.5.0 for ...) NOT-FOR-US: serialize-to-js Node package CVE-2017-5953 (vim before patch 8.0.0322 does not properly validate values for tree ...) + {DLA-822-1} - vim 2:8.0.0197-2 (bug #854969) NOTE: Fixed by https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d CVE-2017-5952 @@ -5460,8 +5479,8 @@ RESERVED CVE-2017-3903 RESERVED -CVE-2017-3902 - RESERVED +CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user interface ...) + TODO: check CVE-2017-3901 RESERVED CVE-2017-3900 @@ -5472,8 +5491,8 @@ RESERVED CVE-2017-3897 RESERVED -CVE-2017-3896 - RESERVED +CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing ...) + TODO: check CVE-2017-3895 RESERVED CVE-2016-10087 (The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before ...) @@ -5794,8 +5813,7 @@ [jessie] - ikiwiki (Incomplete fix for CVE-2016-10026 not applied) [wheezy] - ikiwiki (Incomplete fix for CVE-2016-10026 not applied) NOTE: https://ikiwiki.info/security/#cve-2016-9645 -CVE-2016-10026 [authorization bypass when reverting changes] - RESERVED +CVE-2016-10026 (ikiwiki 3.20161219 does not properly check if a revision changes the ...) {DSA-3760-1 DLA-812-1} - ikiwiki 3.20161219 NOTE: http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed/ 
@@ -17443,8 +17461,7 @@ NOTE: https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/ NOTE: This is not a real problem in imagemagick but caused by the "observer" (the address sanitizer), cf. NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=30908#p140255 . -CVE-2016-8859 [Regex integer overflow in buffer size computations] - RESERVED +CVE-2016-8859 (Multiple integer overflows in the TRE library and musl libc allow ...) {DLA-687-1} - tre 0.8.0-5 (bug #842169) [jessie] - tre 0.8.0-4+deb8u1 @@ -17993,8 +18010,7 @@ - linux [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) -CVE-2016-8659 [privilege escalation via ptrace] - RESERVED +CVE-2016-8659 (Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might ...) - bubblewrap 0.1.2-2 (bug #840605) NOTE: https://github.com/projectatomic/bubblewrap/issues/107 CVE-2016-8658 (Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in ...) @@ -18217,8 +18233,8 @@ RESERVED CVE-2016-8496 RESERVED -CVE-2016-8495 - RESERVED +CVE-2016-8495 (FortiManager does not properly validate TLS certificates when probing ...) + TODO: check CVE-2016-8494 (Insufficient verification of uploaded files allows attackers with ...) NOT-FOR-US: Fortiguard CVE-2016-8493 @@ -21323,8 +21339,7 @@ NOTE: https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/ CVE-2016-7566 RESERVED -CVE-2016-7565 - RESERVED +CVE-2016-7565 (install/index.php in Exponent CMS 2.3.9 allows remote attackers to ...) NOT-FOR-US: Exponent CMS CVE-2016-7564 (Heap-based buffer overflow in the Fp_toString function in jsfunction.c ...) NOT-FOR-US: MuJS 
@@ -25948,8 +25963,7 @@ RESERVED CVE-2016-6212 (The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views ...) - drupal8 (bug #756305) -CVE-2016-6210 [User enumeration via covert timing channel] - RESERVED +CVE-2016-6210 (sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user ...) {DSA-3626-1 DLA-578-1} - openssh 1:7.2p2-6 (bug #831902) NOTE: http://seclists.org/fulldisclosure/2016/Jul/51 @@ -26334,8 +26348,7 @@ NOTE: http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3 NOTE: and possibly http://www.sqlite.org/cgi/src/info/614bb709d34e1148 NOTE: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt -CVE-2016-6129 - RESERVED
[Secure-testing-commits] r48883 - data
Author: jmm Date: 2017-02-13 19:18:41 + (Mon, 13 Feb 2017) New Revision: 48883 Modified: data/dsa-needed.txt Log: take vim Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-13 18:43:11 UTC (rev 48882) +++ data/dsa-needed.txt 2017-02-13 19:18:41 UTC (rev 48883) @@ -37,7 +37,7 @@ -- spip -- -vim +vim (jmm) -- xen -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48882 - data/CVE
Author: jmm Date: 2017-02-13 18:43:11 + (Mon, 13 Feb 2017) New Revision: 48882 Modified: data/CVE/list Log: libevent fixed Modified: data/CVE/list === --- data/CVE/list 2017-02-13 18:41:57 UTC (rev 48881) +++ data/CVE/list 2017-02-13 18:43:11 UTC (rev 48882) @@ -694,17 +694,17 @@ RESERVED CVE-2016-10197 RESERVED - - libevent (bug #854092) + - libevent 2.0.21-stable-3 (bug #854092) NOTE: https://github.com/libevent/libevent/issues/332 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17 CVE-2016-10196 RESERVED - - libevent (bug #854092) + - libevent 2.0.21-stable-3 (bug #854092) NOTE: https://github.com/libevent/libevent/issues/318 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17 CVE-2016-10195 RESERVED - - libevent (bug #854092) + - libevent 2.0.21-stable-3 (bug #854092) NOTE: https://github.com/libevent/libevent/issues/317 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17 CVE-2017-5848 (The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in ...)
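Review bot: The three changed lines in the @@ -694,17 +694,17 @@ hunk record libevent 2.0.21-stable-3 as the fix for CVE-2016-10195, CVE-2016-10196 and CVE-2016-10197, but the NOTE lines under each entry still point only at the upstream issues (#317, #318, #332) and the oss-security thread. Since all three share bug #854092, a `NOTE: Fixed by:` line with the upstream commit under each entry would let someone preparing a stable backport match each patch to its CVE.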
[Secure-testing-commits] r48881 - data/CVE
Author: jmm Date: 2017-02-13 18:41:57 + (Mon, 13 Feb 2017) New Revision: 48881 Modified: data/CVE/list Log: vim fixed Modified: data/CVE/list === --- data/CVE/list 2017-02-13 18:40:43 UTC (rev 48880) +++ data/CVE/list 2017-02-13 18:41:57 UTC (rev 48881) @@ -54,7 +54,7 @@ CVE-2017-5954 (An issue was discovered in the serialize-to-js package 0.5.0 for ...) NOT-FOR-US: serialize-to-js Node package CVE-2017-5953 (vim before patch 8.0.0322 does not properly validate values for tree ...) - - vim (bug #854969) + - vim 2:8.0.0197-2 (bug #854969) NOTE: Fixed by https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d CVE-2017-5952 RESERVED
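Review bot: The fixed version added for CVE-2017-5953, `2:8.0.0197-2`, has a lower upstream patch level than the `8.0.0322` named in the description on the line above, so the entry is only correct if the -2 Debian revision carries the commit from the existing `Fixed by` NOTE as a backport. A short NOTE saying the fix was cherry-picked into that revision would keep a later reader from treating the version as a typo.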
[Secure-testing-commits] r48880 - data/CVE
Author: jmm Date: 2017-02-13 18:40:43 + (Mon, 13 Feb 2017) New Revision: 48880 Modified: data/CVE/list Log: two puppet issues n/a NFus Modified: data/CVE/list === --- data/CVE/list 2017-02-13 16:14:30 UTC (rev 48879) +++ data/CVE/list 2017-02-13 18:40:43 UTC (rev 48880) @@ -17317,18 +17317,18 @@ CVE-2016-8714 RESERVED CVE-2016-8713 (A remote out of bound write / memory corruption vulnerability exists ...) - TODO: check + NOT-FOR-US: Nitro Pro CVE-2016-8712 RESERVED CVE-2016-8711 (A potential remote code execution vulnerability exists in the PDF ...) - TODO: check + NOT-FOR-US: Nitro Pro CVE-2016-8710 (An exploitable heap write out of bounds vulnerability exists in the ...) - ffmpeg NOTE: The libbpg library is not packaged in Debian but seem embedded in ffmpeg NOTE: http://blog.talosintel.com/2017/01/vulnerability-spotlight-libbpg-image.html NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0223/ CVE-2016-8709 (A remote out of bound write / memory corruption vulnerability exists ...) - TODO: check + NOT-FOR-US: Nitro Pro CVE-2016-8708 REJECTED CVE-2016-8707 (An exploitable out of bounds write exists in the handling of ...) @@ -17797,7 +17797,6 @@ RESERVED - linux NOTE: Fix https://github.com/torvalds/linux/commit/647bf3d8a8e5777319da92af672289b2a6c4dc66 - TODO: check CVE-2016-8635 [small-subgroups attack flaw] RESERVED - nss 2:3.25-1 @@ -26966,7 +26965,7 @@ CVE-2016-5845 (SAP SAPCAR does not check the return value of file operations when ...) NOT-FOR-US: SAP SAPCAR CVE-2016-5843 (Multiple SQL injection vulnerabilities in the FAQ package 2.x before ...) - TODO: check + NOT-FOR-US: OTRS addon CVE-2016-5840 (hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, ...) NOT-FOR-US: Trend Micro Deep Discovery Inspector CVE-2016-5831 
@@ -27267,12 +27266,10 @@ - libical [wheezy] - libical (Low prio according to upstream) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1281043 - TODO: check CVE-2016-5826 (The parser_get_next_char function in libical 0.47 and 1.0 allows ...) - libical [wheezy] - libical (Low prio according to upstream) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1281041 - TODO: check CVE-2016-5825 (The icalparser_parse_string function in libical 0.47 and 1.0 allows ...) - libical [wheezy] - libical (Low prio according to upstream) @@ -27478,7 +27475,7 @@ CVE-2016-5716 RESERVED CVE-2016-5715 (Open redirect vulnerability in the Console in Puppet Enterprise 2015.x ...) - TODO: check + - puppet (Limited to Puppet Enterprise) CVE-2016-5714 RESERVED CVE-2016-5713 @@ -52397,7 +52394,7 @@ CVE-2015-6502 RESERVED CVE-2015-6501 (Open redirect vulnerability in the Console in Puppet Enterprise before ...) - TODO: check + - puppet (Limited to Puppet Enterprise) CVE-2015-6500 (Directory traversal vulnerability in ownCloud Server before 8.0.6 and ...) {DSA-3373-1} - owncloud 7.0.10~dfsg-2 (bug #800126)
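Review bot: The log message accounts for the puppet and NOT-FOR-US changes only, yet the @@ -17797,7 +17797,6 @@ and @@ -27267,12 +27266,10 @@ hunks also drop `TODO: check` from a linux entry and from two libical entries without stating what was checked. Either mention those in the log or give each a one-line NOTE with the outcome, since removing the TODO takes the entries out of the triage queue while the remaining lines show no fixed version.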
[Secure-testing-commits] r48879 - data/CVE
Author: mattia Date: 2017-02-13 16:14:30 + (Mon, 13 Feb 2017) New Revision: 48879 Modified: data/CVE/list Log: CVE-2017-0359/diffoscope fixed in version 76 Modified: data/CVE/list === --- data/CVE/list 2017-02-13 13:39:03 UTC (rev 48878) +++ data/CVE/list 2017-02-13 16:14:30 UTC (rev 48879) @@ -14141,7 +14141,7 @@ RESERVED CVE-2017-0359 [diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive] RESERVED - - diffoscope (bug #854723) + - diffoscope 76 (bug #854723) CVE-2017-0358 RESERVED {DSA-3780-1 DLA-815-1}
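Review bot: The CVE-2017-0359 entry in the @@ -14141,7 +14141,7 @@ hunk now records `diffoscope 76` as fixed but still has no NOTE pointing at the fixing change, only bug #854723. Because the issue is a write to arbitrary locations driven by untrusted archive contents, a `NOTE:` with the upstream commit would help anyone checking whether an older diffoscope in a stable release needs the same patch.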
[Secure-testing-commits] r48878 - in data: . CVE
Author: jmm Date: 2017-02-13 13:39:03 + (Mon, 13 Feb 2017) New Revision: 48878 Modified: data/CVE/list data/dsa-needed.txt Log: libmysqlclient.so issue CVEfied NFUs add vim Modified: data/CVE/list === --- data/CVE/list 2017-02-13 12:08:00 UTC (rev 48877) +++ data/CVE/list 2017-02-13 13:39:03 UTC (rev 48878) @@ -22,15 +22,15 @@ CVE-2017-5965 RESERVED CVE-2017-5964 (An issue was discovered in Emoncms through 9.8.0. The vulnerability ...) - TODO: check + NOT-FOR-US: Emoncms CVE-2017-5963 (An issue was discovered in caddy (for TYPO3) before 7.2.10. The ...) - TODO: check + NOT-FOR-US: Typo3 extension CVE-2017-5962 (An issue was discovered in contexts_wurfl (for TYPO3) before 0.4.2. The ...) - TODO: check + NOT-FOR-US: Typo3 extension CVE-2017-5961 (An issue was discovered in ionize through 1.0.8. The vulnerability ...) - TODO: check + NOT-FOR-US: ionize CVE-2017-5960 (An issue was discovered in Phalcon Eye through 0.4.1. The vulnerability ...) - TODO: check + NOT-FOR-US: Phalcon Eye CVE-2017- [use-after-free in fz_subsample_pixmap (pixmap.c)] - mupdf NOTE: Fix http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 
@@ -1092,17 +1092,6 @@ NOTE: Upstream report: https://launchpad.net/bugs/1651728 NOTE: Upstream fix: https://github.com/kovidgoyal/calibre/commit/3a89718664cb8cce0449d1758eee585ed0d0433c NOTE: http://www.openwall.com/lists/oss-security/2017/01/29/8 -CVE-2017- [use after free in libmysqlclient.so] - - mariadb-10.1 - - mariadb-10.0 - - mysql-5.7 (Fixed before initial release in Debian) - - mysql-5.6 (Fixed before initial release in Debian) - - mysql-5.5 (bug #854713) - NOTE: Fixed by: https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93 - NOTE: Fixed in Oracle MySQL 5.6.21, 5.7.5 - NOTE: https://bugs.mysql.com/bug.php?id=70429 - NOTE: https://bugs.mysql.com/bug.php?id=63363 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/28/1 CVE-2017-5899 [s-nail local root privilege escalation] RESERVED - s-nail 14.8.16-1 (bug #852934) @@ -7342,7 +7331,16 @@ CVE-2017-3303 (Vulnerability in the Oracle XML Gateway component of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-3302 (Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x ...) - TODO: check + - mariadb-10.1 + - mariadb-10.0 + - mysql-5.7 (Fixed before initial release in Debian) + - mysql-5.6 (Fixed before initial release in Debian) + - mysql-5.5 (bug #854713) + NOTE: Fixed by: https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93 + NOTE: Fixed in Oracle MySQL 5.6.21, 5.7.5 + NOTE: https://bugs.mysql.com/bug.php?id=70429 + NOTE: https://bugs.mysql.com/bug.php?id=63363 + NOTE: http://www.openwall.com/lists/oss-security/2017/01/28/1 CVE-2017-3301 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3300 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of ...) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-13 12:08:00 UTC (rev 48877) +++ data/dsa-needed.txt 2017-02-13 13:39:03 UTC (rev 48878) 
@@ -37,6 +37,8 @@ -- spip -- +vim +-- xen -- zabbix (jmm)
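Review bot: In the @@ -22,15 +22,15 @@ hunk, the two `NOT-FOR-US: Typo3 extension` lines for CVE-2017-5963 and CVE-2017-5962 spell the product differently from the descriptions directly above them, which use `TYPO3`. Matching the description's spelling keeps a case-sensitive search for TYPO3 entries from missing these two.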
[Secure-testing-commits] r48877 - in data: . DLA
Author: jamessan Date: 2017-02-13 12:08:00 + (Mon, 13 Feb 2017) New Revision: 48877 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-822-1 for vim Modified: data/DLA/list === --- data/DLA/list 2017-02-13 09:10:13 UTC (rev 48876) +++ data/DLA/list 2017-02-13 12:08:00 UTC (rev 48877) @@ -1,3 +1,6 @@ +[13 Feb 2017] DLA-822-1 vim - security update + {CVE-2017-5953} + [wheezy] - vim 2:7.3.547-7+deb7u2 [11 Feb 2017] DLA-821-1 openjdk-7 - security update {CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3260 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289} [wheezy] - openjdk-7 7u121-2.6.8-2~deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-02-13 09:10:13 UTC (rev 48876) +++ data/dla-needed.txt 2017-02-13 12:08:00 UTC (rev 48877) @@ -122,10 +122,6 @@ NOTE: package is ready. Intend to NMU #854336 if maintainer doesn't respond NOTE: until Monday. Will release spice update for Wheezy afterwards. -- -vim (James McCoy) - NOTE: "Yes, I'll take care of it." (James McCoy) - NOTE: > --- xen -- xrdp
[Secure-testing-commits] r48876 - data/CVE
Author: sectracker Date: 2017-02-13 09:10:13 + (Mon, 13 Feb 2017) New Revision: 48876 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-02-13 07:43:42 UTC (rev 48875) +++ data/CVE/list 2017-02-13 09:10:13 UTC (rev 48876) @@ -1,3 +1,9 @@ +CVE-2017-5972 + RESERVED +CVE-2016-10224 + RESERVED +CVE-2016-10223 + RESERVED CVE-2017-5971 RESERVED CVE-2017-5970