[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker

Commits:
0f490324 by Moritz Muehlenhoff at 2018-05-27T22:31:15+02:00
NFU

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -19,7 +19,7 @@ CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...) [stretch] - libsass (Vulnerability introduced in 3.4.7 upstream) NOTE: https://github.com/sass/libsass/issues/2643 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was ...) - TODO: check + NOT-FOR-US: Lizard CVE-2018-11497 RESERVED CVE-2018-11496 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in ...)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f490324bf1cabdb0bafa6b819b3dfc7c8233d8e

You're receiving this email because of your account on salsa.debian.org.

___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
faad15a1 by security tracker role at 2018-05-27T20:10:22+00:00
automatic update

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2750,7 +2750,7 @@ CVE-2018-10380 (kwallet-pam in KDE KWallet before 5.12.6 allows local users to o CVE-2018-10379 [Persistent XSS in 'Move Issue' using project namespace] RESERVED - gitlab 10.6.5+dfsg-1 -[stretch] - gitlab (Vulnerable code introduced in 9.5) + [stretch] - gitlab (Vulnerable code introduced in 9.5) NOTE: https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/ CVE-2018-10378 RESERVED
@@ -5293,7 +5293,7 @@ CVE-2018-9243 (GitLab Community and Enterprise Editions version 8.4 up to 10.4 a NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 are ...) - gitlab 10.6.3+dfsg-1 (bug #894868) -[stretch] - gitlab (Vulnerable code introduced in 9.2) + [stretch] - gitlab (Vulnerable code introduced in 9.2) NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook integrations] - gitlab 10.6.3+dfsg-1 (bug #894867)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/faad15a1a042261daece40795e1bd56faac6c747
[Git][security-tracker-team/security-tracker][master] Add note for sssd update for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
aa94f3f7 by Salvatore Bonaccorso at 2018-05-27T21:02:53+02:00
Add note for sssd update for stretch

The acked debdiff looks good, but the update needs further testing before the DSA release.

- - - - -

1 changed file:
- data/dsa-needed.txt

Changes:

= data/dsa-needed.txt =
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -81,6 +81,7 @@ ruby2.3/stable work-in-progress: https://salsa.debian.org/ruby-team/ruby/tree/stretch-security-wip -- sssd/stable + Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release. -- tomcat7/oldstable --

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa94f3f7a82fbc6db4274958f627ffea12a779e3
[Git][security-tracker-team/security-tracker][master] Add fixing version for CVE-2017-15105/unbound via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
14daec92 by Salvatore Bonaccorso at 2018-05-27T20:39:49+02:00
Add fixing version for CVE-2017-15105/unbound via unstable upload

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -37714,7 +37714,7 @@ CVE-2017-15106 RESERVED CVE-2017-15105 (A flaw was found in the way unbound before 1.6.8 validated ...) {DLA-1264-1} - - unbound (bug #887733) + - unbound 1.7.1-1 (bug #887733) [stretch] - unbound (Minor issue, can be fixed via point release) [jessie] - unbound (Minor issue, can be fixed via point release) NOTE: https://unbound.net/downloads/CVE-2017-15105.txt

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14daec9218f36e65874adf86698df368b9796584
[Git][security-tracker-team/security-tracker][master] Triage mupdf for Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker

Commits:
98f08c98 by Markus Koschany at 2018-05-27T20:00:11+02:00
Triage mupdf for Wheezy.

The vulnerable code is not present in this version.

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -12886,6 +12886,7 @@ CVE-2018-6586 (CA API Developer Portal 3.5 up to and including 3.5 CR6 has a sto NOT-FOR-US: CA API Developer Portal CVE-2018-140 (In MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs ...) - mupdf 1.13.0+ds1-1 + [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5596 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5600 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5603
@@ -12894,6 +12895,7 @@ CVE-2018-140 (In MuPDF 1.12.0 and earlier, multiple use of uninitialized val NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=83d4dae44c71816c084a635550acc1a51529b881;hp=f597300439e62f5e921f0d7b1e880b5c1a1f1607 CVE-2018-139 (In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the ...) - mupdf 1.13.0+ds1-1 + [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5492 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5513 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5521
@@ -12903,11 +12905,13 @@ CVE-2018-139 (In MuPDF 1.12.0 and earlier, multiple heap use after free bugs NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b CVE-2018-138 (In MuPDF 1.12.0 and earlier, a stack buffer overflow in function ...) - mupdf 1.13.0+ds1-1 + [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5494 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=71ceebcf56e682504da22c4035b39a2d451e8ffd;hp=7f82c01523505052615492f8e220f4348ba46995 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b CVE-2018-137 (In MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF ...) - mupdf 1.13.0+ds1-1 + [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5490 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5501 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5503

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98f08c98fc8485bf3b08b374fc68e0007c570267
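Review bot: style point on the four added `[wheezy] - mupdf (vulnerable code not present)` lines: the reason text starts lower-case, whereas the same justification appears elsewhere in data/CVE/list as `(Vulnerable code not present)` (for example under CVE-2017-18249 in this digest's automatic update); matching the established capitalisation keeps the file searchable for a single phrase.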
[Git][security-tracker-team/security-tracker][master] add intel-microcode to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker

Commits:
6d65f390 by Moritz Muehlenhoff at 2018-05-27T19:51:35+02:00
add intel-microcode to dsa-needed

- - - - -

1 changed file:
- data/dsa-needed.txt

Changes:

= data/dsa-needed.txt =
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -32,6 +32,9 @@ glusterfs -- graphicsmagick -- +intel-microcode + or possibly via spu, depends on timing of release and other factors +-- knot-resolver -- libav/oldstable
@@ -67,7 +70,7 @@ php-horde-image phpmyadmin/oldstable (abhijith) https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc -- -qemu/oldstable +qemu -- ruby2.1/oldstable Santiago will prepare an update

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d65f3904dd4f68693a1ef5d831b32f74d61191f
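Review bot: the second hunk changes `qemu/oldstable` to `qemu`, widening that dsa-needed entry beyond oldstable, but the commit message speaks only of adding intel-microcode; either state in the message why qemu now needs a DSA for stable as well, or split the qemu change into its own commit so the history explains the broader scope.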
[Git][security-tracker-team/security-tracker][master] remove amd64-microcode entries for two recent spectre updates,
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker

Commits:
8aec7b1b by Moritz Muehlenhoff at 2018-05-27T19:48:59+02:00
remove amd64-microcode entries for two recent spectre updates, no microcode coming/needed for amd64 per the current status

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -21093,14 +21093,12 @@ CVE-2018-3641 (Escalation of privilege in all versions of the Intel Remote Keybo NOT-FOR-US: Intel CVE-2018-3640 (Systems with microprocessors utilizing speculative execution and that ...) - intel-microcode - - amd64-microcode NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability NOTE: No software mitigations planned to be implemented in src:linux NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html CVE-2018-3639 (Systems with microprocessors utilizing speculative execution and ...) {DSA-4210-1} - intel-microcode - - amd64-microcode - linux 4.16.12-1 [wheezy] - linux (Too much work to backport) - xen

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8aec7b1bca56253b1e1c92b93ad6c50627f78371
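Review bot: the rationale for dropping the two `- amd64-microcode` lines lives only in the commit message (no microcode coming or needed for amd64 per the current status); add a `NOTE:` line under CVE-2018-3639 and CVE-2018-3640 recording that, next to the existing ARM and Intel references in the same entries, so a later triager who notices the package is missing from the speculative-execution entries does not re-add it.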
[Git][security-tracker-team/security-tracker][master] two imagemagick issues ignored
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker

Commits:
d87a3e32 by Moritz Muehlenhoff at 2018-05-27T19:48:05+02:00
two imagemagick issues ignored

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -697,7 +697,9 @@ CVE-2018-1000400 (Kubernetes CRI-O version prior to 1.9 contains a Privilege Con NOT-FOR-US: Kubernetes CRI-O CVE-2017-18273 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop ...) {DLA-1381-1} - - imagemagick 8:6.9.9.34+dfsg-3 + - imagemagick 8:6.9.9.34+dfsg-3 (low) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/910 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b8fcb59e9e1d1189caf2e0f5e39346944dcd6b9d CVE-2017-18272 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-25, there is a ...)
@@ -707,7 +709,9 @@ CVE-2017-18272 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-25, there is a ...) NOTE: https://github.com/ImageMagick/ImageMagick/commit/93d029b70ac766ce0b5d7261a2dd334535f48038 CVE-2017-18271 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop ...) {DLA-1381-1} - - imagemagick 8:6.9.9.34+dfsg-3 + - imagemagick 8:6.9.9.34+dfsg-3 (low) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/911 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7523250e2664028aa1d8f02d2d7ae49c769a851e CVE-2017-18269 (An SSE2-optimized memmove implementation for i386 in ...)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d87a3e326cf7c676ffa3a0e87742866001496a37
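Review bot: in both hunks the `{DLA-1381-1}` tag sits directly above the new `[jessie] - imagemagick (Minor issue)` line; a DLA tag records that an LTS update already shipped for these CVEs, so the jessie annotation is consistent only if that advisory targeted wheezy rather than jessie. Confirm which suite DLA-1381-1 covered before leaving jessie marked as a minor issue, or the entry will claim both "fixed by DLA" and "not worth fixing" for the same suite.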
[Git][security-tracker-team/security-tracker][master] Add fixing version for linux CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
ebdc116b by Salvatore Bonaccorso at 2018-05-27T16:09:50+02:00
Add fixing version for linux CVEs

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1395,7 +1395,7 @@ CVE-2018-10942 (modules/attributewizardpro/file_upload.php in the Attribute Wiza CVE-2018-10941 RESERVED CVE-2018-10940 (The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the ...) - - linux + - linux 4.16.12-1 NOTE: Fixed by: https://git.kernel.org/linus/9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 CVE-2018-10939 RESERVED
@@ -3191,7 +3191,7 @@ CVE-2018-10194 (The set_text_distance function in devices/vector/gdevpdts.c in t NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699255 (not yet public) CVE-2018-1000200 [mm, oom: fix concurrent munlock and oom reaper unmap] RESERVED - - linux + - linux 4.16.12-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later)
@@ -21097,7 +21097,7 @@ CVE-2018-3639 (Systems with microprocessors utilizing speculative execution and {DSA-4210-1} - intel-microcode - amd64-microcode - - linux + - linux 4.16.12-1 [wheezy] - linux (Too much work to backport) - xen NOTE: https://xenbits.xen.org/xsa/advisory-263.html
@@ -28436,7 +28436,7 @@ CVE-2018-1121 [Unprivileged process hiding] NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt CVE-2018-1120 [FUSE-backed /proc/PID/cmdline] RESERVED - - linux + - linux 4.16.12-1 NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Fixed by: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ebdc116b9a9bb80b8ced94b230b96142b56b2d7e
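Review bot: CVE-2018-10940 (first hunk) and CVE-2018-1120 (fourth hunk) receive the `linux 4.16.12-1` fixed version but, unlike CVE-2018-1000200 in the second hunk, carry no `[stretch]`/`[jessie]`/`[wheezy]` annotation, so the older kernels remain listed as open with no word on whether the affected code is present there or a backport is planned; add the per-suite status (or a NOTE that the older suites are still being checked) so these two entries are as complete as the third.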
[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-14992 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
4ae2be04 by Salvatore Bonaccorso at 2018-05-27T15:00:15+02:00
Mark CVE-2017-14992 as no-dsa

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -38203,6 +38203,7 @@ CVE-2017-14993 (OXID eShop Community Edition before 6.0.0 RC3 (development), 4.1 CVE-2017-14992 (Lack of content verification in Docker-CE (Also known as Moby) ...) - docker.io - golang-github-vbatts-tar-split 0.10.2-1 + [stretch] - golang-github-vbatts-tar-split (Minor issue) NOTE: Issue needs to be fixed in src:golang-github-vbatts-tar-split first NOTE: https://github.com/vbatts/tar-split/issues/41 NOTE: docker.io needs then a rebuild with a fixed golang-github-vbatts-tar-split

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ae2be045f7ea46d3c05854eb16680613b921dbc
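Review bot: only `golang-github-vbatts-tar-split` gets a `[stretch]` annotation here, while `- docker.io` just above it has neither a fixed version nor a suite note, so stretch's docker.io will still show as open; since the NOTE says docker.io merely needs a rebuild once tar-split is fixed, add a matching `[stretch] - docker.io (Minor issue)` line (or a NOTE pointing at the tar-split decision) so the two packages' stretch status stays in step.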
[Git][security-tracker-team/security-tracker][master] mark CVE-2018-9244 and CVE-2018-10379 as not-affected for stretch
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker

Commits:
910b98aa by Abhijith PA at 2018-05-27T14:45:28+05:30
mark CVE-2018-9244 and CVE-2018-10379 as not-affected for stretch

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2746,6 +2746,7 @@ CVE-2018-10380 (kwallet-pam in KDE KWallet before 5.12.6 allows local users to o CVE-2018-10379 [Persistent XSS in 'Move Issue' using project namespace] RESERVED - gitlab 10.6.5+dfsg-1 +[stretch] - gitlab (Vulnerable code introduced in 9.5) NOTE: https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/ CVE-2018-10378 RESERVED
@@ -5288,6 +5289,7 @@ CVE-2018-9243 (GitLab Community and Enterprise Editions version 8.4 up to 10.4 a NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 are ...) - gitlab 10.6.3+dfsg-1 (bug #894868) +[stretch] - gitlab (Vulnerable code introduced in 9.2) NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook integrations] - gitlab 10.6.3+dfsg-1 (bug #894867)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/910b98aa576ec14f7aa703b040d23b42c6189f7a
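Review bot: both added lines are written `+[stretch] - gitlab (...)` with `[stretch]` flush against the `+`, whereas the sibling `- gitlab 10.6.5+dfsg-1` and `NOTE:` lines in the same hunks are indented; per-suite annotations in data/CVE/list are indented like the other sub-entries of a CVE, so these two lines need the leading whitespace. The automatic update earlier in this digest (faad15a1) re-indents exactly these two lines, which is churn a quick look at the neighbouring lines before pushing would have avoided.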
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-11499 as not-affected for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
e9c56a6a by Salvatore Bonaccorso at 2018-05-27T11:00:08+02:00
Mark CVE-2018-11499 as not-affected for stretch

The issue was introduced only in 3.4.7 upstream.

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -16,6 +16,7 @@ CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a C NOT-FOR-US: PublicCMS CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...) - libsass (bug #900182) + [stretch] - libsass (Vulnerability introduced in 3.4.7 upstream) NOTE: https://github.com/sass/libsass/issues/2643 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was ...) TODO: check

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9c56a6a6393b399769282e9b787116d3cd3c30d
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-11499
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
e7669f5f by Salvatore Bonaccorso at 2018-05-27T10:58:06+02:00
Add bug reference for CVE-2018-11499

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -15,7 +15,7 @@ CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...) CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF ...) NOT-FOR-US: PublicCMS CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...) - - libsass + - libsass (bug #900182) NOTE: https://github.com/sass/libsass/issues/2643 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was ...) TODO: check

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7669f5f75ff441d10fea8954c1469c535cbb3eb
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-11499/libsass
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
934dbed7 by Salvatore Bonaccorso at 2018-05-27T10:44:57+02:00
Add CVE-2018-11499/libsass

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -15,7 +15,8 @@ CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...) CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF ...) NOT-FOR-US: PublicCMS CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...) - TODO: check + - libsass + NOTE: https://github.com/sass/libsass/issues/2643 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was ...) TODO: check CVE-2018-11497

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/934dbed7f5ef0139abe69be24144f9e01f277d9d
[Git][security-tracker-team/security-tracker][master] discount: reference directly the reproducing file to better identify the CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
1a0ebb55 by Salvatore Bonaccorso at 2018-05-27T10:34:35+02:00
discount: reference directly the reproducing file to better identify the CVEs

Since the reporter did file all the issues in one upstream issue, directly reference the PoCs as well to make it clear which CVE is for which issue.

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3,9 +3,11 @@ CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows attacke CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a ...) - discount NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798 + NOTE: POC: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue3_testcase CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in DISCOUNT ...) - discount NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798 + NOTE: POC: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue2_testcase CVE-2018-11502 RESERVED CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...)
@@ -80,6 +82,7 @@ CVE-2018-11469 (Incorrect caching of responses to requests including an Authoriz CVE-2018-11468 (The __mkd_trim_line function in mkdio.c in libmarkdown.a in DISCOUNT ...) - discount NOTE: https://github.com/Orc/discount/issues/189 + NOTE: POC: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue1_testcase CVE-2018-11467 RESERVED CVE-2018-11466

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1a0ebb5505b2a210b88a08d6f4c2634c17b0a1d5
[Git][security-tracker-team/security-tracker][master] Add two more issues in discount
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
f2469101 by Salvatore Bonaccorso at 2018-05-27T10:32:23+02:00
Add two more issues in discount

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,9 +1,11 @@ CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows attackers to ...) NOT-FOR-US: Werewolf Online application for Android CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a ...) - TODO: check + - discount + NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798 CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in DISCOUNT ...) - TODO: check + - discount + NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798 CVE-2018-11502 RESERVED CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f24691011de6343a4381792be5d8022fff263aa8
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker

Commits:
d5dd3128 by Salvatore Bonaccorso at 2018-05-27T10:23:34+02:00
Process more NFUs

- - - - -

1 changed file:
- data/CVE/list

Changes:

= data/CVE/list =
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,5 @@ CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows attackers to ...) - TODO: check + NOT-FOR-US: Werewolf Online application for Android CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a ...) TODO: check CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in DISCOUNT ...)
@@ -7,9 +7,9 @@ CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in DISCOU CVE-2018-11502 RESERVED CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF ...) - TODO: check + NOT-FOR-US: PublicCMS CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...) TODO: check CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was ...)
@@ -19,9 +19,9 @@ CVE-2018-11497 CVE-2018-11496 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in ...) TODO: check CVE-2018-11495 (OpenCart through 3.0.2.0 allows directory traversal in the editDownload ...) - TODO: check + NOT-FOR-US: OpenCart CVE-2018-11494 (The "program extension upload" feature in OpenCart through 3.0.2.0 has ...) - TODO: check + NOT-FOR-US: OpenCart CVE-2018-11493 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) NOT-FOR-US: WUZHI CMS CVE-2018-11492
@@ -13488,11 +13488,11 @@ CVE-2018-6412 (In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbus NOTE: https://marc.info/?l=linux-fbdev&m=151734425901499&w=2 NOTE: The issue only affects SPARC systems. CVE-2018-6411 (An issue was discovered in Appnitro MachForm before 4.2.3. When the ...) - TODO: check + NOT-FOR-US: Appnitro MachForm CVE-2018-6410 (An issue was discovered in Appnitro MachForm before 4.2.3. There is a ...) - TODO: check + NOT-FOR-US: Appnitro MachForm CVE-2018-6409 (An issue was discovered in Appnitro MachForm before 4.2.3. The module ...) - TODO: check + NOT-FOR-US: Appnitro MachForm CVE-2018-6408 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 ...) NOT-FOR-US: CIPCAMPTIWL devices CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 ...)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5dd3128619053c8af6da73fe0ab9a8d1862
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ecb3eada by security tracker role at 2018-05-27T08:10:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,9 +1,27 @@ -CVE-2018-11496 - RESERVED -CVE-2018-11495 +CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows attackers to ...) + TODO: check +CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a ...) + TODO: check +CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in DISCOUNT ...) + TODO: check +CVE-2018-11502 RESERVED -CVE-2018-11494 +CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...) + TODO: check +CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF ...) + TODO: check +CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...) + TODO: check +CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was ...) + TODO: check +CVE-2018-11497 RESERVED +CVE-2018-11496 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in ...) + TODO: check +CVE-2018-11495 (OpenCart through 3.0.2.0 allows directory traversal in the editDownload ...) + TODO: check +CVE-2018-11494 (The "program extension upload" feature in OpenCart through 3.0.2.0 has ...) + TODO: check CVE-2018-11493 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) NOT-FOR-US: WUZHI CMS CVE-2018-11492 
@@ -6027,6 +6045,7 @@ CVE-2017-18249 (The add_free_nid function in fs/f2fs/node.c in the Linux kernel [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/30a61ddf8117c26ac5b295e1233eaa9629a94ca3 CVE-2017-18248 (The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when ...) + {DLA-1387-1} - cups 2.2.6-1 NOTE: https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3 NOTE: https://github.com/apple/cups/issues/5143 @@ -13468,12 +13487,12 @@ CVE-2018-6412 (In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbus - linux (unimportant) NOTE: https://marc.info/?l=linux-fbdev&m=151734425901499&w=2 NOTE: The issue only affects SPARC systems. -CVE-2018-6411 - RESERVED -CVE-2018-6410 - RESERVED -CVE-2018-6409 - RESERVED +CVE-2018-6411 (An issue was discovered in Appnitro MachForm before 4.2.3. When the ...) + TODO: check +CVE-2018-6410 (An issue was discovered in Appnitro MachForm before 4.2.3. There is a ...) + TODO: check +CVE-2018-6409 (An issue was discovered in Appnitro MachForm before 4.2.3. The module ...) + TODO: check CVE-2018-6408 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 ...) NOT-FOR-US: CIPCAMPTIWL devices CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecb3eada3209efdaff1f5a9af4b17313b9a042ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecb3eada3209efdaff1f5a9af4b17313b9a042ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
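Review bot: in the first hunk (`@@ -1,9 +1,27 @@`) the only removed lines are bare `RESERVED` placeholders for CVE-2018-11496, CVE-2018-11495 and CVE-2018-11494, so no package annotations are lost by the regeneration, and the two ids that remain `RESERVED` (CVE-2018-11497, CVE-2018-11502) correctly carry no `TODO`. The remaining new entries are left as `TODO: check`, which is appropriate for an automatic import, but several of them describe memory-safety bugs in libraries rather than web applications (the use-after-free in Long Range Zip 0.631, the use-after-free in handle_error(), the islist/isfootnote issues in DISCOUNT's libmarkdown.a), so they deserve per-package triage rather than a bulk `NOT-FOR-US` pass.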
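Review bot: the `{DLA-1387-1}` line added under CVE-2017-18248 sits in the file's usual position, between the description and the `- cups 2.2.6-1` package line, so the format is right, and the absence of a `[wheezy]` line for this entry is consistent with the advisory marker recording the wheezy fix; since the commit touches only `data/CVE/list` (one changed file), the advisory record itself is not part of this change, and the id should be checked for an exact match against that record, as a mistyped advisory id would leave the CVE unlinked from its DLA.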
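Review bot: the header arithmetic of the third hunk (`@@ -13468,12 +13487,12 @@`) is consistent with the earlier hunks, as the first hunk grows the file by 18 lines (9 to 27) and the cups hunk by one more (6 to 7), giving the 19-line offset seen here. The three MachForm ids move from `RESERVED` to described entries with `TODO: check`, matching the placeholder form used in the first hunk; they are the same product and version range and can be triaged as one group.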
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15995823 by Salvatore Bonaccorso at 2018-05-27T10:06:05+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5,7 +5,7 @@ CVE-2018-11495 CVE-2018-11494 RESERVED CVE-2018-11493 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) - TODO: check + NOT-FOR-US: WUZHI CMS CVE-2018-11492 RESERVED CVE-2018-11491 @@ -17,7 +17,7 @@ CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibl CVE-2018-11488 RESERVED CVE-2018-11487 (PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the ...) - TODO: check + NOT-FOR-US: PHPMyWind CVE-2018-11486 RESERVED CVE-2018-11485 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/159958238365dd88580e8007190d5fa696f85719 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/159958238365dd88580e8007190d5fa696f85719 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
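Review bot: in the first hunk (`@@ -5,7 +5,7 @@`) `NOT-FOR-US: WUZHI CMS` replaces the `TODO: check` for CVE-2018-11493 and names the product in the tag as the file's convention expects; the surrounding context shows CVE-2018-11495 and CVE-2018-11494 still as bare `RESERVED`, so those cannot be triaged in this commit and are correctly left alone.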
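Review bot: in the second hunk (`@@ -17,7 +17,7 @@`) `NOT-FOR-US: PHPMyWind` for CVE-2018-11487 follows the same tag form as the WUZHI CMS entry, with the description line (XSS via the cid parameter to newsshow.php) kept unchanged as context; the two neighbouring `RESERVED` ids (CVE-2018-11488, CVE-2018-11486) are untouched, so no edit is needed beyond what the commit message states.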
