[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take jackson-databind from dsa-needed
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 15b3d1b3 by Sébastien Delafond at 2018-02-10T09:43:50+01:00 Take jackson-databind from dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -27,7 +27,7 @@ graphicsmagick imagemagick Wait until more issues have piled up -- -jackson-databind +jackson-databind (seb) Markus Koschany prepared debdiffs and asked for advice/review in particular for the CVE-2017-17485 backport. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15b3d1b356bc89bb8838f1f73678ce5d8b848b40 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15b3d1b356bc89bb8838f1f73678ce5d8b848b40 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
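Review bot: The claim marker "(seb)" is added on the jackson-databind line, but the note beneath it still reads as an open request ("Markus Koschany prepared debdiffs and asked for advice/review in particular for the CVE-2017-17485 backport"); consider amending that note to say the review of the debdiffs is now being handled, so the claim and the note agree on the state of the item.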
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ac14faf by security tracker role at 2018-02-10T09:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,13 @@ +CVE-2018-6882 + RESERVED +CVE-2018-162 (WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File ...) + TODO: check +CVE-2018-161 (ARM mbedTLS version development branch, 2.7.0 and earlier contains a ...) + TODO: check +CVE-2018-160 (Sensu, Inc. Sensu Core version Before 1.2.0 & before commit ...) + TODO: check +CVE-2018-159 (ValidFormBuilder version 4.5.4 contains a PHP Object Injection ...) + TODO: check CVE-2018-6881 RESERVED CVE-2018-6880 
@@ -562,45 +572,42 @@ CVE-2018-6624 (OMRON NS devices 1.1 through 1.3 allow remote attackers to bypass NOT-FOR-US: OMRON NS devices CVE-2018-6623 RESERVED -CVE-2018-158 - RESERVED +CVE-2018-158 (Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an ...) NOT-FOR-US: jenkins-plugin-workflow-support -CVE-2018-157 - RESERVED +CVE-2018-157 (Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it ...) NOT-FOR-US: jenkins-plugin-credentials-binding -CVE-2018-156 - RESERVED +CVE-2018-156 (Jenkins JUnit Plugin 1.23 and earlier processes XML external entities ...) NOT-FOR-US: jenkins-plugin-junit -CVE-2018-155 - RESERVED -CVE-2018-154 - RESERVED -CVE-2018-153 - RESERVED -CVE-2018-152 - RESERVED -CVE-2018-151 - RESERVED -CVE-2018-150 - RESERVED -CVE-2018-149 - RESERVED -CVE-2018-148 - RESERVED -CVE-2018-147 - RESERVED -CVE-2018-146 - RESERVED -CVE-2018-145 - RESERVED -CVE-2018-144 - RESERVED -CVE-2018-143 - RESERVED -CVE-2018-142 - RESERVED -CVE-2018-141 - RESERVED +CVE-2018-155 (Jenkins Android Lint Plugin 2.5 and earlier processes XML external ...) + TODO: check +CVE-2018-154 (Jenkins CCM Plugin 3.1 and earlier processes XML external entities in ...) + TODO: check +CVE-2018-153 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request ...) + TODO: check +CVE-2018-152 (fmtlib version prior to version 4.1.0 (before commit ...) + TODO: check +CVE-2018-151 (Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability ...) + TODO: check +CVE-2018-150 (Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer ...) + TODO: check +CVE-2018-149 (nanopool Claymore Dual Miner version 7.3 and earlier contains a Remote ...) + TODO: check +CVE-2018-148 (NASA RtRetrievalFramework version v1.0 contains a CWE-502 ...) + TODO: check +CVE-2018-147 (NASA Kodiak version v1.0 contains a CWE-502 vulnerability in Kodiak ...) + TODO: check +CVE-2018-146 (NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerability in ...) 
+ TODO: check +CVE-2018-145 (NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA ...) + TODO: check +CVE-2018-144 (Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a ...) + TODO: check +CVE-2018-143 (Security Onion Solutions Squert version 1.0.1 through 1.6.7 contains a ...) + TODO: check +CVE-2018-142 (Security Onion Solutions Squert version 1.3.0 through 1.6.7 contains a ...) + TODO: check +CVE-2018-141 (GNOME librsvg version before commit ...) + TODO: check CVE-2017-18173 RESERVED CVE-2017-18172 @@ -800,27 +807,22 @@ CVE-2018-137 RESERVED CVE-2018-136 RESERVED -CVE-2018-135 [Heap-based buffer overflow in password protected ZIP archives] - RESERVED +CVE-2018-135 (A heap-based buffer overflow exists in InfoZip UnZip version <= 6.00 ...) - unzip (bug #889838) [stretch] - unzip (Harmless crash, builds with fortified source) [jessie] - unzip (Harmless crash, builds with fortified source) [wheezy] - unzip (Harmless crash, builds with fortified source) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html -CVE-2018-134 [Multiple vulnerabilities in the LZMA compression algorithm] - RESERVED +CVE-2018-134 (An out-of-bounds read exists in InfoZip UnZip version 6.10c22 that ...) - unzip (Only affects 6.1c22) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html -CVE-2018-133 [Heap out-of-bounds access in ef_scan_for_stream] - RESERVED +CVE-2018-133 (An out-of-bounds read exists in InfoZip UnZip version 6.10
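Review bot: The identifiers in these hunks (CVE-2018-162 down to CVE-2018-141, CVE-2018-135 to CVE-2018-133) are rendered with fewer digits than the same issues carry in the later commit subjects on this page (the subject "Add CVE-2018-1000061/mbedtls" corresponds to the "CVE-2018-161 (ARM mbedTLS ..." line here), so the rendering has dropped digits; verify the entries against the subject lines rather than against these hunk lines. The per-suite unzip annotations ("[stretch] - unzip (Harmless crash, builds with fortified source)" and so on) survive the automatic replacement of the bracketed placeholder summaries, which is the expected behaviour. The text is cut off at "version 6.10", so the rest of this hunk cannot be reviewed here.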
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000061/mbedtls
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb38047a by Salvatore Bonaccorso at 2018-02-10T10:19:14+01:00 Add CVE-2018-161/mbedtls - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3,7 +3,8 @@ CVE-2018-6882 CVE-2018-162 (WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File ...) TODO: check CVE-2018-161 (ARM mbedTLS version development branch, 2.7.0 and earlier contains a ...) - TODO: check + - mbedtls + NOTE: https://github.com/ARMmbed/mbedtls/issues/1356 CVE-2018-160 (Sensu, Inc. Sensu Core version Before 1.2.0 & before commit ...) TODO: check CVE-2018-159 (ValidFormBuilder version 4.5.4 contains a PHP Object Injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb38047afe0a2a71da00c06efff3423b9a7180bd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb38047afe0a2a71da00c06efff3423b9a7180bd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
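Review bot: The new "- mbedtls" line records no fixed version, severity or bug reference, so the issue will show as open in every suite with only the upstream issue link (#1356) to go on; the description says "development branch, 2.7.0 and earlier", so the affected Debian versions and a "(bug #...)" reference, as used on the unzip entry in the automatic update above, should be added once known.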
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000052/fmtlib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c66bd124 by Salvatore Bonaccorso at 2018-02-10T10:21:36+01:00 Add CVE-2018-152/fmtlib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -586,7 +586,9 @@ CVE-2018-154 (Jenkins CCM Plugin 3.1 and earlier processes XML external enti CVE-2018-153 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request ...) TODO: check CVE-2018-152 (fmtlib version prior to version 4.1.0 (before commit ...) - TODO: check + - fmtlib + NOTE: https://github.com/fmtlib/fmt/issues/642 + NOTE: https://github.com/fmtlib/fmt/commit/8cf30aa2be256eba07bb1cefb998c52326e846e7 CVE-2018-151 (Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability ...) TODO: check CVE-2018-150 (Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c66bd124da9d2f5fd8e00900ec06d0e1843a1c13 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c66bd124da9d2f5fd8e00900ec06d0e1843a1c13 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
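Review bot: "- fmtlib" is added without a fixed version or bug reference even though the two NOTE lines already identify the upstream fix (issue #642 and commit 8cf30aa2); the description says "prior to version 4.1.0", so the fixed Debian version can be recorded as soon as a 4.1.0-based upload exists. The missing bug reference is supplied by commit f0cc468b further down this page ("- fmtlib (bug #890033)"), so this is only a sequencing nit.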
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000051/mupdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 75bb470a by Salvatore Bonaccorso at 2018-02-10T10:27:57+01:00 Add CVE-2018-151/mupdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -590,7 +590,10 @@ CVE-2018-152 (fmtlib version prior to version 4.1.0 (before commit ...) NOTE: https://github.com/fmtlib/fmt/issues/642 NOTE: https://github.com/fmtlib/fmt/commit/8cf30aa2be256eba07bb1cefb998c52326e846e7 CVE-2018-151 (Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability ...) - TODO: check + - mupdf + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698825 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698873 + NOTE: Fixed by: http://www.ghostscript.com/cgi-bin/findgit.cgi?321ba1de287016b0036bf4a56ce774ad11763384 CVE-2018-150 (Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer ...) TODO: check CVE-2018-149 (nanopool Claymore Dual Miner version 7.3 and earlier contains a Remote ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/75bb470a7fc8446f9e30fbbc972bd7df7a9a06f6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/75bb470a7fc8446f9e30fbbc972bd7df7a9a06f6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
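Review bot: The mupdf entry gains two upstream bug links and a "Fixed by" commit (321ba1de) but neither a fixed Debian version nor a Debian bug number; the description names 1.12.0 as affected, so the entry should state whether the archive version is in that range and carry a "(bug #...)" reference in the same form as "- unzip (bug #889838)" in the automatic update above, otherwise the issue stays open in all suites with no way to see who is working on it.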
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000041/librsvg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f8938e5 by Salvatore Bonaccorso at 2018-02-10T10:40:03+01:00 Add CVE-2018-141/librsvg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -613,7 +613,8 @@ CVE-2018-143 (Security Onion Solutions Squert version 1.0.1 through 1.6.7 co CVE-2018-142 (Security Onion Solutions Squert version 1.3.0 through 1.6.7 contains a ...) TODO: check CVE-2018-141 (GNOME librsvg version before commit ...) - TODO: check + - librsvg 2.40.20-1 + NOTE: Fixed by: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea CVE-2017-18173 RESERVED CVE-2017-18172 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f8938e52771127503c7b492feadd761959f0ebe --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f8938e52771127503c7b492feadd761959f0ebe You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
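Review bot: The fixed version "- librsvg 2.40.20-1" is recorded together with the upstream commit c6ddf2ed, which is the right shape; since the description is truncated at "version before commit ...", the one thing to confirm is that 2.40.20 actually contains that commit rather than inferring it from the version number alone.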
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-1000509/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9cbb5408 by Salvatore Bonaccorso at 2018-02-10T10:44:40+01:00 Add CVE-2017-1000509/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1504,7 +1504,8 @@ CVE-2018-119 (OpenEMR version 5.0.0 contains a OS Command Injection vulnerab CVE-2017-1000510 (Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) ...) TODO: check CVE-2017-1000509 (Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) ...) - TODO: check + - dolibarr + NOTE: https://github.com/Dolibarr/dolibarr/issues/7727 CVE-2017-1000508 (Invoice Plane version 1.5.4 and earlier contains a Cross Site ...) TODO: check CVE-2017-1000507 (Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9cbb5408bd0823c8127be729294fc20df03e5690 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9cbb5408bd0823c8127be729294fc20df03e5690 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
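Review bot: "- dolibarr" is marked affected with only the upstream issue link (#7727) and no fix reference, fixed version or severity assessment, so unlike the neighbouring Croogo, Invoice Plane and Mautic entries (NFU) it will show as open in every suite; add a severity marker in the style used elsewhere in this file ("- git (unimportant; bug #889680)") or the fixing upstream commit once it is identified.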
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process some Trend Micro specific CVEs as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ccd9ea13 by Salvatore Bonaccorso at 2018-02-10T10:47:26+01:00 Process some Trend Micro specific CVEs as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -8337,21 +8337,21 @@ CVE-2018-3609 CVE-2018-3608 RESERVED CVE-2018-3607 (XXXTreeNode method SQL injection remote code execution (RCE) ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-3606 (XXXStatusXXX, XXXSummary, TemplateXXX and XXXCompliance method SQL ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-3605 (TopXXX, ViolationXXX, and IncidentXXX method SQL injection remote code ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-3604 (GetXXX method SQL injection remote code execution (RCE) ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-3603 (A CGGIServlet SQL injection remote code execution (RCE) vulnerability ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-3602 (An AdHocQuery_Processor SQL injection remote code execution (RCE) ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-3601 (A password hash usage authentication bypass vulnerability in Trend ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-3600 (A external entity processing information disclosure (XXE) ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2017-17935 (The File_read_line function in epan/wslua/wslua_file.c in Wireshark ...) - wireshark 2.4.4-1 (bug #885831) [stretch] - wireshark (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ccd9ea13eb33e487fcd07bbeb60180a43bd2 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ccd9ea13eb33e487fcd07bbeb60180a43bd2 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
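Review bot: The eight entries move from "TODO: check" to "NOT-FOR-US: Trend Micro", naming the vendor rather than the product as the other NFU lines on this page do (e.g. "NOT-FOR-US: WonderCMS"); the truncated descriptions here only show method names (XXXTreeNode, CGGIServlet, AdHocQuery_Processor), so the vendor is the most specific label available from what is visible, but if the full descriptions name the product it would make later lookups easier. The wireshark lines at the end are unchanged context.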
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000060/sensu, itp'ed: #838484
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a34ad27 by Salvatore Bonaccorso at 2018-02-10T10:58:19+01:00 Add CVE-2018-160/sensu, itp'ed: #838484 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6,7 +6,7 @@ CVE-2018-161 (ARM mbedTLS version development branch, 2.7.0 and earlier cont - mbedtls NOTE: https://github.com/ARMmbed/mbedtls/issues/1356 CVE-2018-160 (Sensu, Inc. Sensu Core version Before 1.2.0 & before commit ...) - TODO: check + - sensu (bug #838484) CVE-2018-159 (ValidFormBuilder version 4.5.4 contains a PHP Object Injection ...) NOT-FOR-US: ValidFormBuilder CVE-2018-6881 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a34ad2765a94a1e7d2ae8c5f6c97146fbc99ef9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a34ad2765a94a1e7d2ae8c5f6c97146fbc99ef9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
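Review bot: The commit message says sensu is "itp'ed" (#838484), but the entry "- sensu (bug #838484)" has the same shape as a bug reference on a package already in the archive (compare "- unzip (bug #889838)" in the automatic update above); since an ITP means no sensu package exists yet, the entry should carry the marker the tracker uses for not-yet-packaged software so it does not read as an open issue on an existing package.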
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d93a434d by Salvatore Bonaccorso at 2018-02-10T10:57:56+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,14 +1,14 @@ CVE-2018-6882 RESERVED CVE-2018-162 (WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2018-161 (ARM mbedTLS version development branch, 2.7.0 and earlier contains a ...) - mbedtls NOTE: https://github.com/ARMmbed/mbedtls/issues/1356 CVE-2018-160 (Sensu, Inc. Sensu Core version Before 1.2.0 & before commit ...) TODO: check CVE-2018-159 (ValidFormBuilder version 4.5.4 contains a PHP Object Injection ...) - TODO: check + NOT-FOR-US: ValidFormBuilder CVE-2018-6881 RESERVED CVE-2018-6880 @@ -580,9 +580,9 @@ CVE-2018-157 (Jenkins Credentials Binding Plugin 1.14 and earlier masks pass CVE-2018-156 (Jenkins JUnit Plugin 1.23 and earlier processes XML external entities ...) NOT-FOR-US: jenkins-plugin-junit CVE-2018-155 (Jenkins Android Lint Plugin 2.5 and earlier processes XML external ...) - TODO: check + NOT-FOR-US: Jenkins Android Lint Plugin CVE-2018-154 (Jenkins CCM Plugin 3.1 and earlier processes XML external entities in ...) - TODO: check + NOT-FOR-US: Jenkins CCM Plugin CVE-2018-153 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request ...) TODO: check CVE-2018-152 (fmtlib version prior to version 4.1.0 (before commit ...) 
@@ -607,11 +607,11 @@ CVE-2018-146 (NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerabil CVE-2018-145 (NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA ...) TODO: check CVE-2018-144 (Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a ...) - TODO: check + NOT-FOR-US: Security Onion Solutions Squert CVE-2018-143 (Security Onion Solutions Squert version 1.0.1 through 1.6.7 contains a ...) - TODO: check + NOT-FOR-US: Security Onion Solutions Squert CVE-2018-142 (Security Onion Solutions Squert version 1.3.0 through 1.6.7 contains a ...) - TODO: check + NOT-FOR-US: Security Onion Solutions Squert CVE-2018-141 (GNOME librsvg version before commit ...) - librsvg 2.40.20-1 NOTE: Fixed by: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea @@ -1481,7 +1481,7 @@ CVE-2018-130 (Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well NOTE: where the 6401e56 commit was mostly reverted again. NOTE: Needed: https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b CVE-2018-129 (mcholste Enterprise Log Search and Archive (ELSA) version revision ...) - TODO: check + NOT-FOR-US: mcholste Enterprise Log Search and Archive CVE-2018-126 (Linux Linux kernel version at least v4.8 onwards, probably well before ...) - linux NOTE: https://patchwork.ozlabs.org/patch/859410/ 
@@ -1498,20 +1498,20 @@ CVE-2018-121 (GIT version 2.15.1 and earlier contains a Input Validation Err NOTE: http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html NOTE: Terminal emulators need to perform proper escaping CVE-2018-120 (OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-119 (OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2017-1000510 (Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) ...) - TODO: check + NOT-FOR-US: Croogo CVE-2017-1000509 (Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/7727 CVE-2017-1000508 (Invoice Plane version 1.5.4 and earlier contains a Cross Site ...) - TODO: check + NOT-FOR-US: Invoice Plane CVE-2017-1000507 (Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) ...) TODO: check CVE-2017-1000506 (Mautic version 2.11.0 and earlier contains a Cross Site Scripting ...) - TODO: check + NOT-FOR-US: Mautic CVE-2016-10711 (Apsis Pound before 2.8a allows request smuggling via crafted headers, a ...) - pound (bug #888786) [wheezy] - pound (Minor issue) @@ -4246,9 +4246,9 @@ CVE-2018-5308 (PoDoFo 0.9.5 does not properly validate memcpy arguments in the . NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1876 CVE-2018-5307 (Multiple cross
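Review bot: The NFU labels in the first two hunks use product names ("NOT-FOR-US: Jenkins Android Lint Plugin", "NOT-FOR-US: Jenkins CCM Plugin") while the already-triaged Jenkins entries shown as context use package-style names ("NOT-FOR-US: jenkins-plugin-junit"); pick one form for the Jenkins plugins so that searches for them match. Minor: the text is cut off at "CVE-2018-5307 (Multiple cross", so the podofo hunk (@@ -4246,9 +4246,9 @@) cannot be reviewed here.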
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-1000053/limesurvey, itp'ed: #472802
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c644b392 by Salvatore Bonaccorso at 2018-02-10T10:59:15+01:00 Add CVE-2018-153/limesurvey, itp'ed: #472802 - - - - - 064fc571 by Salvatore Bonaccorso at 2018-02-10T10:59:38+01:00 Associate CVE-2012-4927 with limesurvey - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -584,7 +584,7 @@ CVE-2018-155 (Jenkins Android Lint Plugin 2.5 and earlier processes XML exte CVE-2018-154 (Jenkins CCM Plugin 3.1 and earlier processes XML external entities in ...) NOT-FOR-US: Jenkins CCM Plugin CVE-2018-153 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request ...) - TODO: check + - limesurvey (bug #472802) CVE-2018-152 (fmtlib version prior to version 4.1.0 (before commit ...) - fmtlib NOTE: https://github.com/fmtlib/fmt/issues/642 
@@ -174394,7 +174394,7 @@ CVE-2012-4929 (The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Goo CVE-2012-4928 (Cross-site scripting (XSS) vulnerability in ow_updates/index.php in ...) NOT-FOR-US: Oxwall 1.1.1 CVE-2012-4927 (SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before ...) - NOT-FOR-US: Limesurvey + - limesurvey (bug #472802) CVE-2012-4926 (approve.php in Img Pals Photo Host 1.0 does not authenticate requests, ...) NOT-FOR-US: Img Pals Photo Host 1.0 CVE-2012-4925 (Multiple SQL injection vulnerabilities in approve.php in Img Pals ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6a34ad2765a94a1e7d2ae8c5f6c97146fbc99ef9...064fc571bbd2b558217f56f23c302c0a0f443360 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6a34ad2765a94a1e7d2ae8c5f6c97146fbc99ef9...064fc571bbd2b558217f56f23c302c0a0f443360 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
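Review bot: Same ITP question as for sensu: both hunks record "- limesurvey (bug #472802)", and the second one reclassifies CVE-2012-4927 from "NOT-FOR-US: Limesurvey" to a package entry on the strength of an ITP bug, so if limesurvey is not in the archive both lines read as open issues on an existing package. The 2012 entry also inherits no fixed-version information even though its description says "before ...", so once the ITP'd version is known a fixed version or a NOTE would stop it from showing as open.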
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-1000052/fmtlib: #890033
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0cc468b by Salvatore Bonaccorso at 2018-02-10T11:24:51+01:00 Add bug reference for CVE-2018-152/fmtlib: #890033 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -586,7 +586,7 @@ CVE-2018-154 (Jenkins CCM Plugin 3.1 and earlier processes XML external enti CVE-2018-153 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request ...) - limesurvey (bug #472802) CVE-2018-152 (fmtlib version prior to version 4.1.0 (before commit ...) - - fmtlib + - fmtlib (bug #890033) NOTE: https://github.com/fmtlib/fmt/issues/642 NOTE: https://github.com/fmtlib/fmt/commit/8cf30aa2be256eba07bb1cefb998c52326e846e7 CVE-2018-151 (Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0cc468b2c69ea60c6ec70e54ee75107c345c59b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0cc468b2c69ea60c6ec70e54ee75107c345c59b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add missing epochs for DSA-4108-1 mailman
Adam Barratt pushed to branch master at Debian Security Tracker / security-tracker Commits: f24a0558 by Adam D. Barratt at 2018-02-10T11:13:27+00:00 Add missing epochs for DSA-4108-1 mailman - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -4,8 +4,8 @@ [stretch] - ruby-omniauth 1.3.1-1+deb9u1 [09 Feb 2018] DSA-4108-1 mailman - security update {CVE-2018-5950} - [jessie] - mailman 2.1.18-2+deb8u2 - [stretch] - mailman 2.1.23-1+deb9u2 + [jessie] - mailman 1:2.1.18-2+deb8u2 + [stretch] - mailman 1:2.1.23-1+deb9u2 [09 Feb 2018] DSA-4105-2 mpv - regression update [stretch] - mpv 0.23.0-2+deb9u2 [07 Feb 2018] DSA-4107-1 django-anymail - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f24a05581aa5fc09d377c72bd2606a3bd09e324b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f24a05581aa5fc09d377c72bd2606a3bd09e324b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
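Review bot: Good catch on the epoch: Debian version comparison is epoch-first, so "2.1.18-2+deb8u2" compares lower than any "1:" version and the tracker would not have recognised DSA-4108-1 as fixing CVE-2018-5950 in jessie or stretch; the versions in DSA/list have to be the full dpkg version strings. Worth a quick scan for other epoched packages entered the same way in this file.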
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] libreoffice n/a for wheezy
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f241b6bc by Moritz Muehlenhoff at 2018-02-10T14:27:58+01:00 libreoffice n/a for wheezy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -36,6 +36,7 @@ CVE-2018-6872 (The elf_parse_notes function in elf.c in the Binary File Descript NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6 CVE-2018-6871 (LibreOffice through 6.0.1 allows remote attackers to read arbitrary ...) - libreoffice 1:6.0.1-1 + [wheezy] - libreoffice (Vulnerable code not present) NOTE: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure CVE-2018-6870 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f241b6bc962cb57ae62ae764a35ae3067962b128 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f241b6bc962cb57ae62ae764a35ae3067962b128 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
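Review bot: The wheezy annotation is written "Vulnerable code not present" while the equivalent kde-runtime annotation later on this page reads "vulnerable code not present"; harmless, but one spelling makes the annotations greppable. The "- libreoffice 1:6.0.1-1" line correctly keeps its epoch, in line with the mailman epoch fix above.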
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c867cbc by Moritz Muehlenhoff at 2018-02-10T14:32:29+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20,7 +20,7 @@ CVE-2018-6878 (Cross Site Scripting (XSS) exists in the review section in PHP Sc CVE-2018-6877 RESERVED CVE-2018-6876 (THe OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as used in ...) - TODO: check + NOT-FOR-US: libfpx CVE-2018-6875 RESERVED CVE-2018-6874 @@ -596,17 +596,17 @@ CVE-2018-151 (Artifex Mupdf version 1.12.0 contains a Use After Free vulnera NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698873 NOTE: Fixed by: http://www.ghostscript.com/cgi-bin/findgit.cgi?321ba1de287016b0036bf4a56ce774ad11763384 CVE-2018-150 (Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer ...) - TODO: check + NOT-FOR-US: Sean Barrett stb_vorbis CVE-2018-149 (nanopool Claymore Dual Miner version 7.3 and earlier contains a Remote ...) - TODO: check + NOT-FOR-US: nanopool Claymore Dual Miner CVE-2018-148 (NASA RtRetrievalFramework version v1.0 contains a CWE-502 ...) - TODO: check + NOT-FOR-US: NASA RtRetrievalFramework CVE-2018-147 (NASA Kodiak version v1.0 contains a CWE-502 vulnerability in Kodiak ...) - TODO: check + NOT-FOR-US: NASA Kodiak CVE-2018-146 (NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerability in ...) - TODO: check + NOT-FOR-US: NASA Pyblock CVE-2018-145 (NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA ...) - TODO: check + NOT-FOR-US: NASA Singledop CVE-2018-144 (Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a ...) NOT-FOR-US: Security Onion Solutions Squert CVE-2018-143 (Security Onion Solutions Squert version 1.0.1 through 1.6.7 contains a ...) 
@@ -944,7 +944,6 @@ CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02- [wheezy] - chromium-browser (Not supported in wheezy LTS) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md - TODO: check CVE-2018-6547 RESERVED CVE-2018-6546 @@ -1381,7 +1380,6 @@ CVE-2018-6406 (The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in [wheezy] - chromium-browser (Not supported in wheezy LTS) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1492 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md - TODO: check CVE-2018-6405 (In the ReadDCMImage function in coders/dcm.c in ImageMagick before ...) [experimental] - imagemagick 8:6.9.9.34+dfsg-1 - imagemagick (unimportant) @@ -1491,9 +1489,9 @@ CVE-2018-126 (Linux Linux kernel version at least v4.8 onwards, probably wel NOTE: https://git.kernel.org/linus/8914a595110a6eca69a5e275b323f5d09e18f4f9 NOTE: https://git.kernel.org/linus/2b16f048729bf35e6c28a40cbfad07239f9dcd90 CVE-2018-125 (Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 ...) - TODO: check + NOT-FOR-US: Jerome Gamez Firebase Admin SDK for PHP CVE-2018-123 (Bitpay/insight-api Insight-api version 5.0.0 and earlier contains a ...) - TODO: check + NOT-FOR-US: Bitpay/insight-api Insight-api CVE-2018-121 (GIT version 2.15.1 and earlier contains a Input Validation Error ...) - git (unimportant; bug #889680) NOTE: http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html 
@@ -1510,7 +1508,7 @@ CVE-2017-1000509 (Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) . CVE-2017-1000508 (Invoice Plane version 1.5.4 and earlier contains a Cross Site ...) NOT-FOR-US: Invoice Plane CVE-2017-1000507 (Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) ...) - TODO: check + NOT-FOR-US: Canvs Canvas CVE-2017-1000506 (Mautic version 2.11.0 and earlier contains a Cross Site Scripting ...) NOT-FOR-US: Mautic CVE-2016-10711 (Apsis Pound before 2.8a allows request smuggling via crafted headers, a ...) @@ -22691,7 +22689,7 @@ CVE-2017-15587 (An integer overflow was discovered in pdf_read_new_xref_section CVE-2017-15538 (Stored XSS vulnerability in the Media Objects component of ILIAS before ...) NOT-FOR-US: ILIAS CVE-2017-15536 (An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x ...) - TODO: check + NOT-FOR-US: Cloudera Data Science Workbench CV
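Review bot: Removing the dangling "TODO: check" lines under the two libwebm/chromium entries (CVE-2018-6548, CVE-2018-6406) is right, since both already carry suite annotations and NOTE links. One entry to double-check: CVE-2018-6876 is marked "NOT-FOR-US: libfpx", but the description quotes "libfpx 1.3.1-10", which is a Debian-style version string, so confirm libfpx is really not packaged before closing it as NFU. Style: "NOT-FOR-US: Bitpay/insight-api Insight-api" repeats the product name; "Bitpay insight-api" would do. The text is cut off at "CV", so the remaining hunks cannot be reviewed here.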
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2015-9016/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1afb6776 by Salvatore Bonaccorso at 2018-02-10T15:24:11+01:00 Add CVE-2015-9016/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -48205,8 +48205,10 @@ CVE-2015-9018 RESERVED CVE-2015-9017 RESERVED -CVE-2015-9016 +CVE-2015-9016 [blk-mq: fix race between timeout and freeing request] RESERVED + - linux 4.2.3-1 + NOTE: Fixed by: https://git.kernel.org/linus/0048b4837affd153897ed183492070027aa9 (4.3-rc1) CVE-2015-9015 RESERVED CVE-2015-9014 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1afb67766da27a08eae1cbec1034f2a4fd4e08c9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
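Review bot: the fixing-commit hash in the added NOTE line, 0048b4837affd153897ed183492070027aa9, is 36 hex digits rather than the 40 of a full SHA-1, so it may have been truncated on paste; worth re-checking that the git.kernel.org link resolves. Since the fix is recorded as landing in 4.3-rc1 but the fixed Debian version is given as 4.2.3-1, a NOTE naming the stable release that carried the backport would document why that version is sufficient.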
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6791/plasma-workspace fixed in experimental with 4:5.12.0-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 260d3920 by Salvatore Bonaccorso at 2018-02-10T15:57:34+01:00 CVE-2018-6791/plasma-workspace fixed in experimental with 4:5.12.0-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -209,6 +209,7 @@ CVE-2018-6793 CVE-2018-6792 (Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 allow ...) NOT-FOR-US: Saifor CVMS HUB CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE ...) + [experimental] - plasma-workspace 4:5.12.0-1 - plasma-workspace - kde-runtime [wheezy] - kde-runtime (vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/260d3920fa55ddbd69eb928aecfea3e82068a9d0
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6791/plasma-workspace fixed in experimental
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 317e955c by Salvatore Bonaccorso at 2018-02-10T16:06:09+01:00 CVE-2018-6791/plasma-workspace fixed in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -217,6 +217,7 @@ CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp NOTE: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57 (Plasma/5.12) NOTE: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212 (Plasma/5.8) CVE-2018-6790 (An issue was discovered in KDE Plasma Workspace before 5.12.0. ...) + [experimental] - plasma-workspace 4:5.12.0-1 - plasma-workspace NOTE: https://phabricator.kde.org/D10188 NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/317e955cac0db75af5dc9b3f9c72c5048100133d
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take exim4 from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6eb5028 by Salvatore Bonaccorso at 2018-02-10T16:37:24+01:00 Take exim4 from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -14,8 +14,7 @@ If needed, specify the release by adding a slash after the name of the source pa -- 389-ds-base (fw) -- -exim4 - Note: details will be public on 2018-02-15 16:50 (UTC) +exim4 (carnil) -- ffmpeg Wait for next 3.2.x release View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6eb502814bb95077a1e00408eb897129c2d4bed
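Review bot: the hunk drops the "Note: details will be public on 2018-02-15 16:50 (UTC)" line together with the claim; if that disclosure date still governs when the DSA may be published, keep it as a note under "exim4 (carnil)" so the embargo is not lost from the list when the next person looks at the entry.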
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update note for exim4 in dla-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90b0ba4c by Salvatore Bonaccorso at 2018-02-10T19:08:58+01:00 Update note for exim4 in dla-needed list - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,8 +18,7 @@ dovecot (Thorsten Alteholz) NOTE: probably no-dsa -- exim4 - NOTE: 20180209: Currently not known if Wheezy is affected. Check again in six - NOTE: days when the patch will be made public. + NOTE: canril: send debdiff to apo -- graphicsmagick (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90b0ba4c4ea83fc8718868731110678250c5a7e9
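Review bot: the added note spells the claimant as "canril" where the dsa-needed entry uses "carnil"; the replacement also drops the dated "NOTE: 20180209:" form that the other entries in this file use, so "NOTE: 20180210: carnil: send debdiff to apo" would keep both the name and the convention consistent.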
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference commit for exim4 issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4628a5f6 by Salvatore Bonaccorso at 2018-02-10T19:10:44+01:00 Reference commit for exim4 issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -227,6 +227,7 @@ CVE-2018-6789 (An issue was discovered in the SMTP listener in Exim 4.90 and ear - exim4 (bug #89) NOTE: http://www.openwall.com/lists/oss-security/2018/02/07/2 NOTE: https://exim.org/static/doc/security/CVE-2018-6789.txt + NOTE: https://git.exim.org/exim.git/commit/062990cc1b2f9e5d82a413b53c8f0569075de700 CVE-2018-6788 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6787 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4628a5f68c3edd5130a89c3a8ce578fbbd95
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add upstream bug reference for CVE-2018-6789/exim4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb74c3e8 by Salvatore Bonaccorso at 2018-02-10T19:13:40+01:00 Add upstream bug reference for CVE-2018-6789/exim4 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -227,6 +227,7 @@ CVE-2018-6789 (An issue was discovered in the SMTP listener in Exim 4.90 and ear - exim4 (bug #89) NOTE: http://www.openwall.com/lists/oss-security/2018/02/07/2 NOTE: https://exim.org/static/doc/security/CVE-2018-6789.txt + NOTE: https://bugs.exim.org/show_bug.cgi?id=2235 NOTE: https://git.exim.org/exim.git/commit/062990cc1b2f9e5d82a413b53c8f0569075de700 CVE-2018-6788 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows ...) NOT-FOR-US: Jiangmin Antivirus View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fb74c3e8a89bd207d6e8d95e1e6ca1fc0572da20
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DSA for exim4 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 657f1d15 by Salvatore Bonaccorso at 2018-02-10T19:20:14+01:00 Reserve DSA for exim4 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[10 Feb 2018] DSA-4110-1 exim4 - security update + {CVE-2018-6789} + [jessie] - exim4 4.84.2-2+deb8u5 + [stretch] - exim4 4.89-2+deb9u3 [09 Feb 2018] DSA-4109-1 ruby-omniauth - security update {CVE-2017-18076} [jessie] - ruby-omniauth 1.2.1-1+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- 389-ds-base (fw) -- -exim4 (carnil) --- ffmpeg Wait for next 3.2.x release -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/657f1d156a00b9f33e24fba115c86b47b164afd3
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for exim4 in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b91989de by Salvatore Bonaccorso at 2018-02-10T19:21:20+01:00 Add fixed version for exim4 in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -224,7 +224,7 @@ CVE-2018-6790 (An issue was discovered in KDE Plasma Workspace before 5.12.0. .. NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=8164beac15ea34ec0d1564f0557fe3e742bdd938 TODO: check kde-workspace CVE-2018-6789 (An issue was discovered in the SMTP listener in Exim 4.90 and earlier. ...) - - exim4 (bug #89) + - exim4 4.90.1-1 (bug #89) NOTE: http://www.openwall.com/lists/oss-security/2018/02/07/2 NOTE: https://exim.org/static/doc/security/CVE-2018-6789.txt NOTE: https://bugs.exim.org/show_bug.cgi?id=2235 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b91989defe129974e278ab5d6eb2633b676577cd
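Review bot: the "(bug #89)" reference carried over on the changed line looks truncated; the other bug references on this page are six-digit numbers (for example "bug #889680" and "bug #889753"), so verify the exim4 bug number and complete it while the line is being edited anyway.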
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] exim4: Reference debdiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eab3855b by Salvatore Bonaccorso at 2018-02-10T19:33:32+01:00 exim4: Reference debdiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,7 +18,7 @@ dovecot (Thorsten Alteholz) NOTE: probably no-dsa -- exim4 - NOTE: canril: send debdiff to apo + NOTE: carnil: send debdiff to apo (https://people.debian.org/~carnil/tmp/exim4_4.80-7+deb7u6.debdiff) -- graphicsmagick (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eab3855bb3809392e3d1e41767158eb5e31a6873
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1274-1 for exim4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f3860be by Salvatore Bonaccorso at 2018-02-10T21:00:34+01:00 Reserve DLA-1274-1 for exim4 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[10 Feb 2018] DLA-1274-1 exim4 - security update + {CVE-2018-6789} + [wheezy] - exim4 4.80-7+deb7u6 [09 Feb 2018] DLA-1273-1 simplesamlphp - security update {CVE-2017-18121 CVE-2017-18122 CVE-2018-6521} [wheezy] - simplesamlphp 1.9.2-1+deb7u2 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -17,9 +17,6 @@ dovecot (Thorsten Alteholz) NOTE: maintainer and security team are looking into this NOTE: probably no-dsa -- -exim4 - NOTE: carnil: send debdiff to apo (https://people.debian.org/~carnil/tmp/exim4_4.80-7+deb7u6.debdiff) --- graphicsmagick (Roberto C. Sánchez) -- icu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f3860be1ecbf125cd520800e1624086a5aaca4e
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1275-1 for uwsgi
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 59d19d0c by Markus Koschany at 2018-02-10T21:20:46+01:00 Reserve DLA-1275-1 for uwsgi - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[10 Feb 2018] DLA-1275-1 uwsgi - security update + {CVE-2018-6758} + [wheezy] - uwsgi 1.2.3+dfsg-5+deb7u2 [10 Feb 2018] DLA-1274-1 exim4 - security update {CVE-2018-6789} [wheezy] - exim4 4.80-7+deb7u6 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -62,5 +62,3 @@ python-crypto (Brian May) -- tomcat-native (Markus Koschany) -- -uwsgi (Markus Koschany) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59d19d0c8d63ec1790fdb1dbcd6874ea71253f7e
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2016-10711, pound: Remove ignored tag for Wheezy
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f6fc29a8 by Markus Koschany at 2018-02-10T21:57:35+01:00 CVE-2016-10711,pound: Remove ignored tag for Wheezy - - - - - 496cd274 by Markus Koschany at 2018-02-10T21:58:27+01:00 Add pound to dla-needed.txt - - - - - 58201dd1 by Markus Koschany at 2018-02-10T21:59:43+01:00 Add more information for CVE-2016-10711 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1517,8 +1517,10 @@ CVE-2017-1000506 (Mautic version 2.11.0 and earlier contains a Cross Site Script NOT-FOR-US: Mautic CVE-2016-10711 (Apsis Pound before 2.8a allows request smuggling via crafted headers, a ...) - pound (bug #888786) - [wheezy] - pound (Minor issue) NOTE: http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000 + NOTE: https://www.suse.com/de-de/security/cve/CVE-2016-10711/ + NOTE: Fixed by https://build.opensuse.org/request/show/571084 + NOTE: Check for corresponding upstream commit CVE-2018-6375 RESERVED CVE-2018-6374 (The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients ...) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -58,6 +58,8 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- +pound (Markus Koschany) +-- python-crypto (Brian May) -- tomcat-native (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/59d19d0c8d63ec1790fdb1dbcd6874ea71253f7e...58201dd18568fe3bbdc3d4594d09b9855c00f48b
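Review bot: in the data/CVE/list hunk for CVE-2016-10711, the new "NOTE: Fixed by https://build.opensuse.org/request/show/571084" line points at a SUSE build request rather than at the upstream change, and the following "NOTE: Check for corresponding upstream commit" is an open action item; recording that as a "TODO:" line would keep it in the triage view until the upstream commit is identified and the NOTE can be replaced with the real fix reference.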
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30ae5551 by security tracker role at 2018-02-10T21:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -224,6 +224,7 @@ CVE-2018-6790 (An issue was discovered in KDE Plasma Workspace before 5.12.0. .. NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=8164beac15ea34ec0d1564f0557fe3e742bdd938 TODO: check kde-workspace CVE-2018-6789 (An issue was discovered in the SMTP listener in Exim 4.90 and earlier. ...) + {DSA-4110-1 DLA-1274-1} - exim4 4.90.1-1 (bug #89) NOTE: http://www.openwall.com/lists/oss-security/2018/02/07/2 NOTE: https://exim.org/static/doc/security/CVE-2018-6789.txt @@ -503,6 +504,7 @@ CVE-2018-6659 CVE-2018-6658 RESERVED CVE-2018-6758 (The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through ...) + {DLA-1275-1} - uwsgi 2.0.15-10.2 (bug #889753) [stretch] - uwsgi (Minor issue) [jessie] - uwsgi (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30ae5551e3be3d7423d43f2146fa36d1e2009347
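Review bot: the @@ -503 hunk adds the DLA-1275-1 cross-reference for CVE-2018-6758 while the retained context still defers stretch and jessie as "(Minor issue)"; that is consistent with an LTS update being independent of the stable suites, but it is worth confirming the Minor-issue assessment still holds now that wheezy received a dedicated update for the same bug.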
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1056, advancecomp: Add link to upstream bug ticket.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 45070c03 by Markus Koschany at 2018-02-10T22:18:16+01:00 CVE-2018-1056,advancecomp: Add link to upstream bug ticket. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15309,6 +15309,7 @@ CVE-2018-1057 CVE-2018-1056 [heap buffer overflow while running advzip] RESERVED - advancecomp (bug #889270) + NOTE: https://sourceforge.net/p/advancemame/bugs/259/ CVE-2018-1055 REJECTED CVE-2018-1054 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45070c03a838aa510e0aee109341015dd5b9a239
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add audacity to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: db14a2de by Markus Koschany at 2018-02-10T22:52:13+01:00 Add audacity to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,6 +10,8 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +audacity +-- clamav (Thorsten Alteholz) -- dovecot (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db14a2debb9b47d69c6ef7e418ee953e7cbcd68d
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2016-2541, audacity: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1091e88e by Markus Koschany at 2018-02-10T22:40:04+01:00 CVE-2016-2541,audacity: Wheezy is not affected This version builds against the system library of libmad. The embedded code copy was apparently removed. Not sure if Debian's system library is vulnerable or if this issue is already reported as one of the open CVEs against libmad. - - - - - 6dda1438 by Markus Koschany at 2018-02-10T22:51:17+01:00 Is CVE-2017-8373 and CVE-2017-8372 related to CVE-2016-2541? - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -44304,6 +44304,7 @@ CVE-2017-8373 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.1 NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_layer_iii-layer3-c/ NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it NOTE: "Duplicate with"/basically same as CVE-2017-8372 + NOTE: Is this related to CVE-2016-2541? CVE-2017-8372 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, ...) - libmad 0.15.1b-9 (bug #287519) NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/ 
@@ -91329,6 +91330,7 @@ CVE-2016-3171 (Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x b NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-2541 (Audacity before 2.1.2 allows remote attackers to cause a denial of ...) - audacity 2.1.2-1 + [wheezy] - audacity (vulnerable code not present) NOTE: http://wiki.audacityteam.org/wiki/Release_Notes_2.1.2 NOTE: https://github.com/audacity/audacity/commit/85026f98958a8dcc09188be24a8db0385988e23f CVE-2016-2540 (Audacity before 2.1.2 allows remote attackers to cause a denial of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/45070c03a838aa510e0aee109341015dd5b9a239...6dda1438a4e2a8bbea92cdea54f41e8b33064c79
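Review bot: the @@ -91329 hunk marks wheezy as "vulnerable code not present" for CVE-2016-2541, but the commit message itself says it is not known whether the system libmad that wheezy's audacity links against is vulnerable; that open question belongs in the tracker as a NOTE or TODO on the entry, not only in the commit message, so the next triager sees it.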
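Review bot: the @@ -44304 hunk records "Is this related to CVE-2016-2541?" as a NOTE on CVE-2017-8373; a question phrased as a NOTE drops out of the open-work view, so "TODO: check whether CVE-2016-2541 is the same libmad issue" would keep it visible until someone answers it.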
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add leptonlib to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 90ff0d6f by Markus Koschany at 2018-02-10T23:19:51+01:00 Add leptonlib to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -32,6 +32,8 @@ lame (Hugo Lefeuvre) NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie. NOTE: I'll test it, submit the update for Jessie and backport the result to Wheezy on time. -- +leptonlib +-- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: It is unlikely that he will start again in the next weeks. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90ff0d6f43db0af5f8b609452780e54145268e12
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] LTS: claim audacity in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 037dca18 by Roberto C. Sánchez at 2018-02-10T19:45:10-05:00 LTS: claim audacity in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,7 +10,7 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -audacity +audacity (Roberto C. Sánchez) -- clamav (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/037dca1869450b4baba5ffdd2c4eec93d8caf4a6
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] claim leptonlib in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 77d2b368 by Abhijith PA at 2018-02-11T07:53:36+05:30 claim leptonlib in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -32,7 +32,7 @@ lame (Hugo Lefeuvre) NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie. NOTE: I'll test it, submit the update for Jessie and backport the result to Wheezy on time. -- -leptonlib +leptonlib (Abhijith PA) -- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/77d2b368f5e45d74e25e31b23031152ca2600f1a
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] chromium not-affected by VP9 issues
Michael Gilbert pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c868a63 by Michael Gilbert at 2018-02-11T03:43:35+00:00 chromium not-affected by VP9 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -944,10 +944,7 @@ CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vuln CVE-2018-6549 RESERVED CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02-02. If ...) - - chromium-browser - [stretch] - chromium-browser (Wait until this lands in a Chromium release) - [jessie] - chromium-browser (End of life, see DSA 4020) - [wheezy] - chromium-browser (Not supported in wheezy LTS) + - chromium-browser (chromium is built with support for VP9 disabled in debian) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md CVE-2018-6547 
@@ -1380,10 +1377,7 @@ CVE-2018-6408 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 ...) NOT-FOR-US: CIPCAMPTIWL devices CVE-2018-6406 (The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in ...) - - chromium-browser - [stretch] - chromium-browser (Wait until this lands in a Chromium release) - [jessie] - chromium-browser (End of life, see DSA 4020) - [wheezy] - chromium-browser (Not supported in wheezy LTS) + - chromium-browser (chromium is built with support for VP9 disabled in debian) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1492 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md CVE-2018-6405 (In the ReadDCMImage function in coders/dcm.c in ImageMagick before ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c868a631dc8768eab552ca5010afe9bb5638dd5
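Review bot: both hunks replace the per-suite entries with a bare "- chromium-browser (chromium is built with support for VP9 disabled in debian)" line; with neither a fixed version nor a not-affected marker, the tracker still reads that line as an open issue in unstable, so if the VP9 parser is compiled out the entry should use the tracker's <not-affected> form with the same explanation. Dropping the "[jessie] - chromium-browser (End of life, see DSA 4020)" line also removes the DSA 4020 pointer, which is fine only if jessie is covered by the same not-affected reasoning.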