[Git][security-tracker-team/security-tracker][master] NFU

2018-05-27 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0f490324 by Moritz Muehlenhoff at 2018-05-27T22:31:15+02:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -19,7 +19,7 @@ CVE-2018-11499 (A use-after-free vulnerability exists in 
handle_error() in ...)
[stretch] - libsass  (Vulnerability introduced in 3.4.7 
upstream)
NOTE: https://github.com/sass/libsass/issues/2643
 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the 
product was ...)
-   TODO: check
+   NOT-FOR-US: Lizard
 CVE-2018-11497
RESERVED
 CVE-2018-11496 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free 
in ...)
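Review bot: the NOT-FOR-US line names only Lizard, while the CVE header line for CVE-2018-11498 also names LZ5 v2.0 as the prior release of the same product; writing it as `NOT-FOR-US: Lizard (formerly LZ5)` would let a later search for LZ5 find this triage decision instead of re-opening it.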



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f490324bf1cabdb0bafa6b819b3dfc7c8233d8e

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f490324bf1cabdb0bafa6b819b3dfc7c8233d8e
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] automatic update

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
faad15a1 by security tracker role at 2018-05-27T20:10:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2750,7 +2750,7 @@ CVE-2018-10380 (kwallet-pam in KDE KWallet before 5.12.6 
allows local users to o
 CVE-2018-10379 [Persistent XSS in 'Move Issue' using project namespace]
RESERVED
- gitlab 10.6.5+dfsg-1
-[stretch] - gitlab  (Vulnerable code introduced in 9.5)
+   [stretch] - gitlab  (Vulnerable code introduced in 9.5)
NOTE: 
https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/
 CVE-2018-10378
RESERVED
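Review bot: whitespace-only change: the `[stretch] - gitlab` line is re-indented to match the sibling `- gitlab 10.6.5+dfsg-1` entry and nothing else in the hunk moves; the CVE-2018-9244 hunk that follows is the same fix, so both can be read as the automatic cleanup of the earlier flush-left edit rather than a triage change.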
@@ -5293,7 +5293,7 @@ CVE-2018-9243 (GitLab Community and Enterprise Editions 
version 8.4 up to 10.4 a
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 
are ...)
- gitlab 10.6.3+dfsg-1 (bug #894868)
-[stretch] - gitlab  (Vulnerable code introduced in 9.2)
+   [stretch] - gitlab  (Vulnerable code introduced in 9.2)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook 
integrations]
- gitlab 10.6.3+dfsg-1 (bug #894867)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/faad15a1a042261daece40795e1bd56faac6c747



[Git][security-tracker-team/security-tracker][master] Add note for sssd update for stretch

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa94f3f7 by Salvatore Bonaccorso at 2018-05-27T21:02:53+02:00
Add note for sssd update for stretch

The acked debdiff looks good, but the update needs further testing
before the DSA release.

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -81,6 +81,7 @@ ruby2.3/stable
   work-in-progress: 
https://salsa.debian.org/ruby-team/ruby/tree/stretch-security-wip
 --
 sssd/stable
+  Maintainer prepared an update and proposed debdiff, acked for upload, but 
update needs further testing before release.
 --
 tomcat7/oldstable
 --
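Review bot: the new sssd note records the state in prose only; the neighbouring ruby2.3/stable entry shows the file's convention of linking the work in progress (`work-in-progress: https://salsa.debian.org/...`), so adding the bug number or a link to the acked debdiff here would let another team member pick up the remaining testing without first asking who holds the update.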



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa94f3f7a82fbc6db4274958f627ffea12a779e3


[Git][security-tracker-team/security-tracker][master] Add fixing version for CVE-2017-15105/unbound via unstable upload

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
14daec92 by Salvatore Bonaccorso at 2018-05-27T20:39:49+02:00
Add fixing version for CVE-2017-15105/unbound via unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -37714,7 +37714,7 @@ CVE-2017-15106
RESERVED
 CVE-2017-15105 (A flaw was found in the way unbound before 1.6.8 validated ...)
{DLA-1264-1}
-   - unbound  (bug #887733)
+   - unbound 1.7.1-1 (bug #887733)
[stretch] - unbound  (Minor issue, can be fixed via point 
release)
[jessie] - unbound  (Minor issue, can be fixed via point 
release)
NOTE: https://unbound.net/downloads/CVE-2017-15105.txt
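Review bot: 1.7.1-1 as the fixed version is consistent with the description's "unbound before 1.6.8". The `[stretch]` and `[jessie]` lines still read "can be fixed via point release" with no fixed version, so the point-release follow-up is only tracked implicitly; noting the planned upload in bug #887733 or in a NOTE keeps those two tags from going stale now that the unstable fix is recorded.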



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/14daec9218f36e65874adf86698df368b9796584


[Git][security-tracker-team/security-tracker][master] Triage mupdf for Wheezy.

2018-05-27 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98f08c98 by Markus Koschany at 2018-05-27T20:00:11+02:00
Triage mupdf for Wheezy.

The vulnerable code is not present in this version.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -12886,6 +12886,7 @@ CVE-2018-6586 (CA API Developer Portal 3.5 up to and 
including 3.5 CR6 has a sto
NOT-FOR-US: CA API Developer Portal
 CVE-2018-140 (In MuPDF 1.12.0 and earlier, multiple use of uninitialized 
value bugs ...)
- mupdf 1.13.0+ds1-1
+   [wheezy] - mupdf  (vulnerable code not present)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5596
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5600
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5603
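Review bot: the description says "MuPDF 1.12.0 and earlier", so "vulnerable code not present" for wheezy is a claim against that wording and rests on the code paths named in the oss-fuzz issues being absent from wheezy's mupdf; a NOTE recording the wheezy version that was checked, or the upstream commit that introduced the affected code, would make the triage reproducible. The same applies to the three hunks below, which each add the identical wheezy line.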
@@ -12894,6 +12895,7 @@ CVE-2018-140 (In MuPDF 1.12.0 and earlier, multiple 
use of uninitialized val
NOTE: 
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=83d4dae44c71816c084a635550acc1a51529b881;hp=f597300439e62f5e921f0d7b1e880b5c1a1f1607
 CVE-2018-139 (In MuPDF 1.12.0 and earlier, multiple heap use after free 
bugs in the ...)
- mupdf 1.13.0+ds1-1
+   [wheezy] - mupdf  (vulnerable code not present)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5492
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5513
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5521
@@ -12903,11 +12905,13 @@ CVE-2018-139 (In MuPDF 1.12.0 and earlier, 
multiple heap use after free bugs
NOTE: 
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b
 CVE-2018-138 (In MuPDF 1.12.0 and earlier, a stack buffer overflow in 
function ...)
- mupdf 1.13.0+ds1-1
+   [wheezy] - mupdf  (vulnerable code not present)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5494
NOTE: 
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=71ceebcf56e682504da22c4035b39a2d451e8ffd;hp=7f82c01523505052615492f8e220f4348ba46995
NOTE: 
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b
 CVE-2018-137 (In MuPDF 1.12.0 and earlier, multiple reachable assertions 
in the PDF ...)
- mupdf 1.13.0+ds1-1
+   [wheezy] - mupdf  (vulnerable code not present)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5490
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5501
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5503



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/98f08c98fc8485bf3b08b374fc68e0007c570267


[Git][security-tracker-team/security-tracker][master] add intel-microcode to dsa-needed

2018-05-27 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d65f390 by Moritz Muehlenhoff at 2018-05-27T19:51:35+02:00
add intel-microcode to dsa-needed

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -32,6 +32,9 @@ glusterfs
 --
 graphicsmagick
 --
+intel-microcode
+  or possibly via spu, depends on timing of release and other factors
+--
 knot-resolver
 --
 libav/oldstable
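Review bot: style: "spu" is in-team shorthand for a stable point update; the other annotated entries in this file use full sentences ("Santiago will prepare an update"), so spelling it out here costs nothing and keeps dsa-needed.txt readable for newer team members.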
@@ -67,7 +70,7 @@ php-horde-image
 phpmyadmin/oldstable (abhijith)
   
https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc
 --
-qemu/oldstable
+qemu
 --
 ruby2.1/oldstable
   Santiago will prepare an update
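Review bot: `qemu/oldstable` becomes `qemu`, which drops the suite qualifier and changes what the entry asks for (a stable update rather than an oldstable one), but the commit message only mentions intel-microcode; confirm this was intended and, if so, state it in the commit message rather than leaving it as an unexplained side change.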



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d65f3904dd4f68693a1ef5d831b32f74d61191f


[Git][security-tracker-team/security-tracker][master] remove amd64-microcode entries for two recent spectre updates,

2018-05-27 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8aec7b1b by Moritz Muehlenhoff at 2018-05-27T19:48:59+02:00
remove amd64-microcode entries for two recent spectre updates,
no microcode coming/needed for amd64 per the current status

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -21093,14 +21093,12 @@ CVE-2018-3641 (Escalation of privilege in all 
versions of the Intel Remote Keybo
NOT-FOR-US: Intel
 CVE-2018-3640 (Systems with microprocessors utilizing speculative execution 
and that ...)
- intel-microcode 
-   - amd64-microcode 
NOTE: 
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
NOTE: No software mitigations planned to be implemented in src:linux
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
 CVE-2018-3639 (Systems with microprocessors utilizing speculative execution 
and ...)
{DSA-4210-1}
- intel-microcode 
-   - amd64-microcode 
- linux 4.16.12-1
[wheezy] - linux  (Too much work to backport)
- xen 
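Review bot: deleting the `- amd64-microcode` lines from CVE-2018-3640 and CVE-2018-3639 removes the record that the package was considered at all; since the commit message bases this on "the current status", a `- amd64-microcode <not-affected> (reason)` line, or a NOTE citing the source of that status, preserves the decision and is easier to revise if AMD does ship microcode for these issues later.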



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8aec7b1bca56253b1e1c92b93ad6c50627f78371


[Git][security-tracker-team/security-tracker][master] two imagemagick issues ignored

2018-05-27 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d87a3e32 by Moritz Muehlenhoff at 2018-05-27T19:48:05+02:00
two imagemagick issues ignored

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -697,7 +697,9 @@ CVE-2018-1000400 (Kubernetes CRI-O version prior to 1.9 
contains a Privilege Con
NOT-FOR-US: Kubernetes CRI-O
 CVE-2017-18273 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite 
loop ...)
{DLA-1381-1}
-   - imagemagick 8:6.9.9.34+dfsg-3
+   - imagemagick 8:6.9.9.34+dfsg-3 (low)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/910
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/b8fcb59e9e1d1189caf2e0f5e39346944dcd6b9d
 CVE-2017-18272 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-25, there is a ...)
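Review bot: the commit title says the two issues are "ignored", but the reason text "(Minor issue)" on the new `[stretch]` and `[jessie]` lines is the wording normally paired with a no-dsa tag; the two states are handled differently (no-dsa issues can still be picked up in a point release, ignored ones are not tracked for a fix), so check that the tag on these lines and the title agree. The `(low)` severity added to the unstable line is consistent with either.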
@@ -707,7 +709,9 @@ CVE-2017-18272 (In ImageMagick 7.0.7-16 Q16 x86_64 
2017-12-25, there is a ...)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/93d029b70ac766ce0b5d7261a2dd334535f48038
 CVE-2017-18271 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite 
loop ...)
{DLA-1381-1}
-   - imagemagick 8:6.9.9.34+dfsg-3
+   - imagemagick 8:6.9.9.34+dfsg-3 (low)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/911
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/7523250e2664028aa1d8f02d2d7ae49c769a851e
 CVE-2017-18269 (An SSE2-optimized memmove implementation for i386 in ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d87a3e326cf7c676ffa3a0e87742866001496a37


[Git][security-tracker-team/security-tracker][master] Add fixing version for linux CVEs

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ebdc116b by Salvatore Bonaccorso at 2018-05-27T16:09:50+02:00
Add fixing version for linux CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1395,7 +1395,7 @@ CVE-2018-10942 
(modules/attributewizardpro/file_upload.php in the Attribute Wiza
 CVE-2018-10941
RESERVED
 CVE-2018-10940 (The cdrom_ioctl_media_changed function in 
drivers/cdrom/cdrom.c in the ...)
-   - linux 
+   - linux 4.16.12-1
NOTE: Fixed by: 
https://git.kernel.org/linus/9de4ee40547fd315d4a0ed1dd15a2fa3559ad707
 CVE-2018-10939
RESERVED
@@ -3191,7 +3191,7 @@ CVE-2018-10194 (The set_text_distance function in 
devices/vector/gdevpdts.c in t
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699255 (not yet 
public)
 CVE-2018-1000200 [mm, oom: fix concurrent munlock and oom reaper unmap]
RESERVED
-   - linux 
+   - linux 4.16.12-1
[stretch] - linux  (Vulnerable code introduced later)
[jessie] - linux  (Vulnerable code introduced later)
[wheezy] - linux  (Vulnerable code introduced later)
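Review bot: unlike the CVE-2018-10940 and CVE-2018-1120 hunks in this patch, this entry records no upstream `Fixed by:` commit, while it carries not-affected tags for stretch, jessie and wheezy ("Vulnerable code introduced later"); adding the upstream fix, and ideally the commit that introduced the bug, lets the 4.16.12-1 claim and those three tags be re-verified without re-triaging.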
@@ -21097,7 +21097,7 @@ CVE-2018-3639 (Systems with microprocessors utilizing 
speculative execution and 
{DSA-4210-1}
- intel-microcode 
- amd64-microcode 
-   - linux 
+   - linux 4.16.12-1
[wheezy] - linux  (Too much work to backport)
- xen 
NOTE: https://xenbits.xen.org/xsa/advisory-263.html
@@ -28436,7 +28436,7 @@ CVE-2018-1121 [Unprivileged process hiding]
NOTE: 
https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
 CVE-2018-1120 [FUSE-backed /proc/PID/cmdline]
RESERVED
-   - linux 
+   - linux 4.16.12-1
NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1
NOTE: 
https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
NOTE: Fixed by: 
https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ebdc116b9a9bb80b8ced94b230b96142b56b2d7e


[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-14992 as no-dsa

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ae2be04 by Salvatore Bonaccorso at 2018-05-27T15:00:15+02:00
Mark CVE-2017-14992 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -38203,6 +38203,7 @@ CVE-2017-14993 (OXID eShop Community Edition before 
6.0.0 RC3 (development), 4.1
 CVE-2017-14992 (Lack of content verification in Docker-CE (Also known as Moby) 
...)
- docker.io 
- golang-github-vbatts-tar-split 0.10.2-1
+   [stretch] - golang-github-vbatts-tar-split  (Minor issue)
NOTE: Issue needs to be fixed in src:golang-github-vbatts-tar-split 
first
NOTE: https://github.com/vbatts/tar-split/issues/41
NOTE: docker.io needs then a rebuild with a fixed 
golang-github-vbatts-tar-split
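Review bot: the no-dsa tag is added only for golang-github-vbatts-tar-split, but the NOTE lines say docker.io then needs a rebuild against the fixed library, and the `- docker.io` line has no `[stretch]` entry; without a matching `[stretch] - docker.io` line carrying the same reason, docker.io stays listed as an open stretch issue even though the decision here is to treat the problem as minor.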



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ae2be045f7ea46d3c05854eb16680613b921dbc


[Git][security-tracker-team/security-tracker][master] mark CVE-2018-9244 and CVE-2018-10379 as not-affected for stretch

2018-05-27 Thread Abhijith PA
Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
910b98aa by Abhijith PA at 2018-05-27T14:45:28+05:30
mark CVE-2018-9244 and CVE-2018-10379 as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2746,6 +2746,7 @@ CVE-2018-10380 (kwallet-pam in KDE KWallet before 5.12.6 
allows local users to o
 CVE-2018-10379 [Persistent XSS in 'Move Issue' using project namespace]
RESERVED
- gitlab 10.6.5+dfsg-1
+[stretch] - gitlab  (Vulnerable code introduced in 9.5)
NOTE: 
https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/
 CVE-2018-10378
RESERVED
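Review bot: the added `[stretch] - gitlab` line is flush-left, while sub-entries in data/CVE/list are indented under the CVE header (compare the `+   - unbound 1.7.1-1` style in the other patches in this digest); the tracker's parser keys on that leading whitespace, so the line should carry it. Also make sure the `<not-affected>` marker sits between `gitlab` and the parenthesised reason, as the commit title states the intent; in this rendering only a double space is visible there. The CVE-2018-9244 hunk below has the same indentation problem.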
@@ -5288,6 +5289,7 @@ CVE-2018-9243 (GitLab Community and Enterprise Editions 
version 8.4 up to 10.4 a
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 
are ...)
- gitlab 10.6.3+dfsg-1 (bug #894868)
+[stretch] - gitlab  (Vulnerable code introduced in 9.2)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook 
integrations]
- gitlab 10.6.3+dfsg-1 (bug #894867)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/910b98aa576ec14f7aa703b040d23b42c6189f7a


[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-11499 as not-affected for stretch

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e9c56a6a by Salvatore Bonaccorso at 2018-05-27T11:00:08+02:00
Mark CVE-2018-11499 as not-affected for stretch

The issue was introduced only in 3.4.7 upstream.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -16,6 +16,7 @@ CVE-2018-11500 (An issue was discovered in PublicCMS 
V4.0.20180210. There is a C
NOT-FOR-US: PublicCMS
 CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...)
- libsass  (bug #900182)
+   [stretch] - libsass  (Vulnerability introduced in 3.4.7 
upstream)
NOTE: https://github.com/sass/libsass/issues/2643
 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the 
product was ...)
TODO: check
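Review bot: the reason "(Vulnerability introduced in 3.4.7 upstream)" is the whole basis for the stretch not-affected tag, but the only NOTE is the upstream issue; adding the upstream commit that introduced the handle_error() bug, or the stretch libsass version that was compared, lets the claim be re-checked if the issue is later reassessed.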



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9c56a6a6393b399769282e9b787116d3cd3c30d


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-11499

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7669f5f by Salvatore Bonaccorso at 2018-05-27T10:58:06+02:00
Add bug reference for CVE-2018-11499

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -15,7 +15,7 @@ CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 
has CSRF via ...)
 CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a 
CSRF ...)
NOT-FOR-US: PublicCMS
 CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...)
-   - libsass 
+   - libsass  (bug #900182)
NOTE: https://github.com/sass/libsass/issues/2643
 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the 
product was ...)
TODO: check



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7669f5f75ff441d10fea8954c1469c535cbb3eb


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-11499/libsass

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
934dbed7 by Salvatore Bonaccorso at 2018-05-27T10:44:57+02:00
Add CVE-2018-11499/libsass

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -15,7 +15,8 @@ CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 
has CSRF via ...)
 CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a 
CSRF ...)
NOT-FOR-US: PublicCMS
 CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...)
-   TODO: check
+   - libsass 
+   NOTE: https://github.com/sass/libsass/issues/2643
 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the 
product was ...)
TODO: check
 CVE-2018-11497



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/934dbed7f5ef0139abe69be24144f9e01f277d9d


[Git][security-tracker-team/security-tracker][master] discount: reference directly the reproducing file to better identify the CVEs

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1a0ebb55 by Salvatore Bonaccorso at 2018-05-27T10:34:35+02:00
discount: reference directly the reproducing file to better identify the CVEs

Since the reporter filed all the issues in one upstream issue,
directly reference the PoCs as well to make it clear which CVE is for
which issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3,9 +3,11 @@ CVE-2018-11505 (The Werewolf Online application 0.8.8 for 
Android allows attacke
 CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 
2.2.3a ...)
- discount 
NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798
+   NOTE: POC: 
https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue3_testcase
 CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in 
DISCOUNT ...)
- discount 
NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798
+   NOTE: POC: 
https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue2_testcase
 CVE-2018-11502
RESERVED
 CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...)
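Review bot: the `NOTE: POC:` links point into the `master` branch of a third-party repository (`github.com/fCorleone/fuzz_programs/blob/master/...`), so the file at that path can change or disappear; pinning each link to a commit hash, or attaching the test cases to the Debian bug, keeps the CVE-to-crash mapping this commit establishes stable. The same applies to the CVE-2018-11468 hunk below.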
@@ -80,6 +82,7 @@ CVE-2018-11469 (Incorrect caching of responses to requests 
including an Authoriz
 CVE-2018-11468 (The __mkd_trim_line function in mkdio.c in libmarkdown.a in 
DISCOUNT ...)
- discount 
NOTE: https://github.com/Orc/discount/issues/189
+   NOTE: POC: 
https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue1_testcase
 CVE-2018-11467
RESERVED
 CVE-2018-11466



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1a0ebb5505b2a210b88a08d6f4c2634c17b0a1d5


[Git][security-tracker-team/security-tracker][master] Add two more issues in discount

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f2469101 by Salvatore Bonaccorso at 2018-05-27T10:32:23+02:00
Add two more issues in discount

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,9 +1,11 @@
 CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows 
attackers to ...)
NOT-FOR-US: Werewolf Online application for Android
 CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 
2.2.3a ...)
-   TODO: check
+   - discount 
+   NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798
 CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in 
DISCOUNT ...)
-   TODO: check
+   - discount 
+   NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798
 CVE-2018-11502
RESERVED
 CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...)
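Review bot: both new entries (CVE-2018-11504, islist, and CVE-2018-11503, isfootnote) point at the same issue comment, so nothing in the file says which reported crash belongs to which CVE; a NOTE naming the specific test case or function per CVE would disambiguate them.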



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f24691011de6343a4381792be5d8022fff263aa8


[Git][security-tracker-team/security-tracker][master] Process more NFUs

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5dd3128 by Salvatore Bonaccorso at 2018-05-27T10:23:34+02:00
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,5 @@
 CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: Werewolf Online application for Android
 CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 
2.2.3a ...)
TODO: check
 CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in 
DISCOUNT ...)
@@ -7,9 +7,9 @@ CVE-2018-11503 (The isfootnote function in markdown.c in 
libmarkdown.a in DISCOU
 CVE-2018-11502
RESERVED
 CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall Website Seller Script
 CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a 
CSRF ...)
-   TODO: check
+   NOT-FOR-US: PublicCMS
 CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...)
TODO: check
 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the 
product was ...)
@@ -19,9 +19,9 @@ CVE-2018-11497
 CVE-2018-11496 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free 
in ...)
TODO: check
 CVE-2018-11495 (OpenCart through 3.0.2.0 allows directory traversal in the 
editDownload ...)
-   TODO: check
+   NOT-FOR-US: OpenCart
 CVE-2018-11494 (The "program extension upload" feature in OpenCart 
through 3.0.2.0 has ...)
-   TODO: check
+   NOT-FOR-US: OpenCart
 CVE-2018-11493 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF 
...)
NOT-FOR-US: WUZHI CMS
 CVE-2018-11492
@@ -13488,11 +13488,11 @@ CVE-2018-6412 (In the function sbusfb_ioctl_helper() 
in drivers/video/fbdev/sbus
NOTE: https://marc.info/?l=linux-fbdev&m=151734425901499&w=2
NOTE: The issue only affects SPARC systems.
 CVE-2018-6411 (An issue was discovered in Appnitro MachForm before 4.2.3. When 
the ...)
-   TODO: check
+   NOT-FOR-US: Appnitro MachForm
 CVE-2018-6410 (An issue was discovered in Appnitro MachForm before 4.2.3. 
There is a ...)
-   TODO: check
+   NOT-FOR-US: Appnitro MachForm
 CVE-2018-6409 (An issue was discovered in Appnitro MachForm before 4.2.3. The 
module ...)
-   TODO: check
+   NOT-FOR-US: Appnitro MachForm
 CVE-2018-6408 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 
0.61.30.21 ...)
NOT-FOR-US: CIPCAMPTIWL devices
 CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 
0.61.30.21 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5dd3128619053c8af6da73fe0ab9a8d1862


[Git][security-tracker-team/security-tracker][master] automatic update

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ecb3eada by security tracker role at 2018-05-27T08:10:29+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,9 +1,27 @@
-CVE-2018-11496
-   RESERVED
-CVE-2018-11495
+CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows 
attackers to ...)
+   TODO: check
+CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 
2.2.3a ...)
+   TODO: check
+CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in 
DISCOUNT ...)
+   TODO: check
+CVE-2018-11502
RESERVED
-CVE-2018-11494
+CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via ...)
+   TODO: check
+CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a 
CSRF ...)
+   TODO: check
+CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in ...)
+   TODO: check
+CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the 
product was ...)
+   TODO: check
+CVE-2018-11497
RESERVED
+CVE-2018-11496 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free 
in ...)
+   TODO: check
+CVE-2018-11495 (OpenCart through 3.0.2.0 allows directory traversal in the 
editDownload ...)
+   TODO: check
+CVE-2018-11494 (The "program extension upload" feature in OpenCart 
through 3.0.2.0 has ...)
+   TODO: check
 CVE-2018-11493 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF 
...)
NOT-FOR-US: WUZHI CMS
 CVE-2018-11492
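Review bot: this hunk replaces the RESERVED placeholders for CVE-2018-11494 to CVE-2018-11496 with ten new TODO: check entries in one automatic update; for triage order, the native-code items (CVE-2018-11504 and CVE-2018-11503 in libmarkdown.a, the CVE-2018-11499 handle_error() use-after-free, the CVE-2018-11496 lrzip use-after-free) are the ones that can affect shipped packages and should be looked at first, while the web-app and Android entries (Werewolf Online, PHP Scripts Mall, PublicCMS, OpenCart) are the likely NOT-FOR-US candidates.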
@@ -6027,6 +6045,7 @@ CVE-2017-18249 (The add_free_nid function in 
fs/f2fs/node.c in the Linux kernel 
[wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/30a61ddf8117c26ac5b295e1233eaa9629a94ca3
 CVE-2017-18248 (The add_job function in scheduler/ipp.c in CUPS before 2.2.6, 
when ...)
+   {DLA-1387-1}
- cups 2.2.6-1
NOTE: 
https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3
NOTE: https://github.com/apple/cups/issues/5143
@@ -13468,12 +13487,12 @@ CVE-2018-6412 (In the function sbusfb_ioctl_helper() 
in drivers/video/fbdev/sbus
- linux  (unimportant)
NOTE: https://marc.info/?l=linux-fbdev&m=151734425901499&w=2
NOTE: The issue only affects SPARC systems.
-CVE-2018-6411
-   RESERVED
-CVE-2018-6410
-   RESERVED
-CVE-2018-6409
-   RESERVED
+CVE-2018-6411 (An issue was discovered in Appnitro MachForm before 4.2.3. When 
the ...)
+   TODO: check
+CVE-2018-6410 (An issue was discovered in Appnitro MachForm before 4.2.3. 
There is a ...)
+   TODO: check
+CVE-2018-6409 (An issue was discovered in Appnitro MachForm before 4.2.3. The 
module ...)
+   TODO: check
 CVE-2018-6408 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 
0.61.30.21 ...)
NOT-FOR-US: CIPCAMPTIWL devices
 CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 
0.61.30.21 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecb3eada3209efdaff1f5a9af4b17313b9a042ea


[Git][security-tracker-team/security-tracker][master] Process two NFUs

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
15995823 by Salvatore Bonaccorso at 2018-05-27T10:06:05+02:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5,7 +5,7 @@ CVE-2018-11495
 CVE-2018-11494
RESERVED
 CVE-2018-11493 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF 
...)
-   TODO: check
+   NOT-FOR-US: WUZHI CMS
 CVE-2018-11492
RESERVED
 CVE-2018-11491
@@ -17,7 +17,7 @@ CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c 
in GIFLIB (possibl
 CVE-2018-11488
RESERVED
 CVE-2018-11487 (PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, 
or the ...)
-   TODO: check
+   NOT-FOR-US: PHPMyWind
 CVE-2018-11486
RESERVED
 CVE-2018-11485



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/159958238365dd88580e8007190d5fa696f85719
