[Git][security-tracker-team/security-tracker][master] LTS/Add and claim imagemagick

2018-09-15 Thread Roberto C. Sánchez
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c83fc61 by Roberto C. Sánchez at 2018-09-15T23:24:26Z
LTS/Add and claim imagemagick

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,6 +31,8 @@ glusterfs
 gnutls28 (Ola Lundqvist)
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. 
(lamby)
 --
+imagemagick (Roberto C. Sánchez)
+--
 intel-microcode (Henrique de Moraes Holschuh)
   NOTE: 20180915: intel-microcode 3.20180807a.1 also going through 
stretch-security (hmh)
   NOTE: 20180915: DLA likely should wait for (or be done in sync with) the DSA 
(hmh)
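
Review bot: the new imagemagick entry carries no dated NOTE line, unlike the neighbouring gnutls28 and intel-microcode entries; a NOTE of the form "NOTE: 20180915: ..." stating which open CVEs the claim covers would let the next triager see the scope of the work without re-deriving it from the tracker.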



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4c83fc61b976eacc221730c4afbcb00f020b2613

You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Claim intel-microcode in dla-needed.txt

2018-09-15 Thread Henrique de Moraes Holschuh
Henrique de Moraes Holschuh pushed to branch master at Debian Security Tracker 
/ security-tracker


Commits:
1eb4f792 by Henrique de Moraes Holschuh at 2018-09-15T20:26:14Z
Claim intel-microcode in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,6 +31,10 @@ glusterfs
 gnutls28 (Ola Lundqvist)
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. 
(lamby)
 --
+intel-microcode (Henrique de Moraes Holschuh)
+  NOTE: 20180915: intel-microcode 3.20180807a.1 also going through 
stretch-security (hmh)
+  NOTE: 20180915: DLA likely should wait for (or be done in sync with) the DSA 
(hmh)
+--
 kdepim
 --
 libav (Hugo Lefeuvre)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1eb4f7929109d9f57b262cd9120b7eb6935a26bf


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1505-1 for zutils

2018-09-15 Thread Daniel Baumann
Daniel Baumann pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3e6f726 by Daniel Baumann at 2018-09-15T20:15:10Z
Reserve DLA-1505-1 for zutils

Signed-off-by: Daniel Baumann 

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[15 Sep 2018] DLA-1505-1 zutils - security update
+   {CVE-2018-1000637}
+   [jessie] - zutils 1.3-4+deb8u1
 [13 Sep 2018] DLA-1504-1 ghostscript - security update
{CVE-2018-11645 CVE-2018-15908 CVE-2018-15909 CVE-2018-15910 
CVE-2018-15911 CVE-2018-16509 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 
CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16585 CVE-2018-16802}
[jessie] - ghostscript 9.06~dfsg-2+deb8u8
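
Review bot: this hunk reserves DLA-1505-1 for CVE-2018-1000637 with jessie fixed version zutils 1.3-4+deb8u1, but the commit touches only data/DLA/list and data/dla-needed.txt; check that the {DLA-1505-1} cross-reference and the jessie fixed version appear on the CVE-2018-1000637 entry in data/CVE/list afterwards (the "automatic update" commits on this page show DSA ids being merged into data/CVE/list that way), otherwise the CVE entry will keep showing jessie as open.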


=
data/dla-needed.txt
=
@@ -82,5 +82,3 @@ thunderbird
 --
 xen
 --
-zutils (Daniel Baumann)
---



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3e6f726e392f4c706410e0bad6ed617a1dec9d4


[Git][security-tracker-team/security-tracker][master] automatic update

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51383ab6 by security tracker role at 2018-09-15T20:10:37Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2018-17062
+   RESERVED
+CVE-2018-17061 (BullGuard Safe Browsing 18.1.355 allows XSS on Google, Bing, 
and Yahoo! ...)
+   TODO: check
+CVE-2018-17060
+   RESERVED
 CVE-2018-17059
RESERVED
 CVE-2018-17058



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/51383ab6ab36cada1c0370f0e49953d055b5df71


[Git][security-tracker-team/security-tracker][master] Claim zutils in dla-needed.txt

2018-09-15 Thread Daniel Baumann
Daniel Baumann pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4cff5394 by Daniel Baumann at 2018-09-15T20:01:08Z
Claim zutils in dla-needed.txt

Signed-off-by: Daniel Baumann 

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,3 +82,5 @@ thunderbird
 --
 xen
 --
+zutils (Daniel Baumann)
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4cff5394c3751ffc55052873f6369325c82f32d6


[Git][security-tracker-team/security-tracker][master] Claim nss in dla-needed.txt

2018-09-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c760b912 by Markus Koschany at 2018-09-15T16:56:07Z
Claim nss in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -53,6 +53,8 @@ linux-4.9 (Ben Hutchings)
 mosquitto
   NOTE: 20180629: there are still two CVEs open, their upstream bugs show no 
progress
 --
+nss (Markus Koschany)
+--
 mupdf (Abhijith PA)
  NOTE: 20180912: convert command not available in jessie mupdf. Couldn't 
reproduce, but codebase almost similar.
  NOTE: 20180912: Waiting for bug reporter's reply (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c760b9125d1ffa05b7c7fe7ee9daedbaca145703


[Git][security-tracker-team/security-tracker][master] ghostscript/9.25~dfsg-1 uploaded to unstable

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72f03af3 by Salvatore Bonaccorso at 2018-09-15T15:38:31Z
ghostscript/9.25~dfsg-1 uploaded to unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -582,7 +582,7 @@ CVE-2018-16793
 CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. 
Incorrect ...)
{DLA-1504-1}
[experimental] - ghostscript 9.25~dfsg-1~exp1
-   - ghostscript 
+   - ghostscript 9.25~dfsg-1
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24dbd002fb9c131313253c307cf3951b3d47
NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590
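
Review bot: the CVE-2018-16802 entry in this hunk carries only {DLA-1504-1} and no [stretch] line, whereas CVE-2018-16543 and CVE-2018-16585 further down are tagged {DSA-4288-1 ...}; recording 9.25~dfsg-1 as the unstable fix leaves the stretch status for CVE-2018-16802 undocumented in this entry, so confirm whether it is covered by a DSA or needs a [stretch] line.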
@@ -2781,7 +2781,7 @@ CVE-2017-18345 (The Joomanager component through 2.0.0 
for Joomla! has an arbitr
 CVE-2018-16543 (In Artifex Ghostscript before 9.24, gssetresolution and 
gsgetresolution ...)
{DSA-4288-1}
[experimental] - ghostscript 9.25~dfsg-1~exp1
-   - ghostscript  (bug #908303)
+   - ghostscript 9.25~dfsg-1 (bug #908303)
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699670
 CVE-2018-16542 (In Artifex Ghostscript before 9.24, attackers able to supply 
crafted ...)
@@ -2820,7 +2820,7 @@ CVE-2018-16511 (An issue was discovered in Artifex 
Ghostscript before 9.24. A ty
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699659
 CVE-2018-16510 (An issue was discovered in Artifex Ghostscript before 9.24. 
Incorrect ...)
[experimental] - ghostscript 9.25~dfsg-1~exp1
-   - ghostscript  (bug #908304)
+   - ghostscript 9.25~dfsg-1 (bug #908304)
[stretch] - ghostscript  (Introduced in 9.22)
[jessie] - ghostscript  (vulnerable code is not present)
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
@@ -2828,7 +2828,7 @@ CVE-2018-16510 (An issue was discovered in Artifex 
Ghostscript before 9.24. Inco
 CVE-2018-16509 (An issue was discovered in Artifex Ghostscript before 9.24. 
Incorrect ...)
{DLA-1504-1}
[experimental] - ghostscript 9.25~dfsg-1~exp1
-   - ghostscript  (bug #907332; bug #907703)
+   - ghostscript 9.25~dfsg-1 (bug #907332; bug #907703)
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=78911a01b67d590b4a91afac2e8417360b934156
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5516c614dc33662a2afdc377159f70218e67bde5
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=79cccf641486a6595c43f1de1cd7ade696020a31
@@ -2838,7 +2838,7 @@ CVE-2018-16509 (An issue was discovered in Artifex 
Ghostscript before 9.24. Inco
 CVE-2018-16585 (An issue was discovered in Artifex Ghostscript before 9.24. 
The ...)
{DSA-4288-1 DLA-1504-1}
[experimental] - ghostscript 9.25~dfsg-1~exp1
-   - ghostscript  (bug #908305)
+   - ghostscript 9.25~dfsg-1 (bug #908305)
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1497d65039885a52b598b137dd8622bd4672f9be
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699663



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/72f03af3b9e9e4e260c11bf6b4bce180ac3819ad


[Git][security-tracker-team/security-tracker][master] 389-ds-base: mark CVE-2018-14638 not affected

2018-09-15 Thread Hugo Lefeuvre
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
84eb3bca by Hugo Lefeuvre at 2018-09-15T14:57:18Z
389-ds-base: mark CVE-2018-14638 not affected

CVE-2018-14638: two cloned pblocks share the same password policy,
and under certain circumstances the clone might be freed, consequently
freeing the shared password policy. Later, when the original password
policy is freed, it tries to free the password policy a second time
thus resulting in double free, crash and other undefined behavior.

It seems that this vulnerability first appeared in

74c666b83e3e1789c2ef3f7935c327bd7555193e (after 1.3.6.3), which
introduced the concept of cloning blocks

and

407d7d9de7e9c4db1e4c1f5a1a98890f2474c477 (after 1.3.7.0), which
refactored the pblock to a tree-like structure.

It is not completely clear to me when exactly the vulnerability first
appeared, but it is almost certain that the Jessie version (1.3.3.5)
is not affected since affected concepts are not present at all.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5721,6 +5721,7 @@ CVE-2018-14639
RESERVED
 CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The 
process ...)
- 389-ds-base  (bug #908859)
+   [jessie] - 389-ds-base  (Vulnerable code not present)
NOTE: 
https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73
 CVE-2018-14637
RESERVED
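
Review bot: the added "[jessie] - 389-ds-base  (Vulnerable code not present)" line records the verdict but not the reasoning; the commit message's rationale (pblock cloning introduced in 74c666b83e3e1789c2ef3f7935c327bd7555193e after 1.3.6.3, jessie ships 1.3.3.5) belongs in a NOTE line next to the pagure URL so the tracker entry is self-explanatory, and since the commit message says the exact introduction point is not completely clear, that NOTE should also flag the entry for rechecking if an earlier introduction commit turns up.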



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/84eb3bcae498c6e618dea2cc018513e4954d9e69


[Git][security-tracker-team/security-tracker][master] Claim openjpeg2 and 389-ds-base in data/dla-needed

2018-09-15 Thread Hugo Lefeuvre
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
42841b83 by Hugo Lefeuvre at 2018-09-15T13:27:31Z
Claim openjpeg2 and 389-ds-base in data/dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -10,7 +10,7 @@ this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
-389-ds-base
+389-ds-base (Hugo Lefeuvre)
   NOTE: 20180901: No detailed information or a reproducer available at the
   NOTE: moment. Check. (apo)
 --
@@ -61,7 +61,7 @@ mysql-5.5 (Emilio Pozuelo)
 --
 openjdk-7 (Emilio Pozuelo)
 --
-openjpeg2
+openjpeg2 (Hugo Lefeuvre)
   NOTE: 20180719: there is no patch available for the remaining CVEs
 --
 phpldapadmin (Mike Gabriel)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/42841b83d8780d392c5ff4b176b55a96a0f619d7


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2016-3956/npm

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8f24fcf by Salvatore Bonaccorso at 2018-09-15T13:21:10Z
Add fixed version for CVE-2016-3956/npm

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -115823,7 +115823,7 @@ CVE-2016-3957 (The secure_load function in 
gluon/utils.py in web2py before 2.14.
[jessie] - web2py  (Vulnerable code not present)
[wheezy] - web2py  (Vulnerable code not present)
 CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in 
Node.js ...)
-   - npm  (bug #850322)
+   - npm 5.8.0+ds-2 (bug #850322)
[jessie] - npm  (Minor issue)
NOTE: https://github.com/npm/npm/issues/8380
NOTE: 
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 
(2.15.1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8f24fcf9f5b1b6f172440523385f6d8909f1f3d


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-17057

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
747bd6a4 by Salvatore Bonaccorso at 2018-09-15T09:50:46Z
Add bug reference for CVE-2018-17057

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,7 @@ CVE-2018-17059
 CVE-2018-17058
RESERVED
 CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can 
trigger ...)
-   - tcpdf 
+   - tcpdf  (bug #908866)
NOTE: 
https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e
 CVE-2018-17056
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/747bd6a458dd8cfb89873663d1b998939f988035


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17057/tcpdf

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5a240c5 by Salvatore Bonaccorso at 2018-09-15T09:38:39Z
Add CVE-2018-17057/tcpdf

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,8 @@ CVE-2018-17059
 CVE-2018-17058
RESERVED
 CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can 
trigger ...)
-   TODO: check
+   - tcpdf 
+   NOTE: 
https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e
 CVE-2018-17056
RESERVED
 CVE-2018-17055
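
Review bot: the commit hash in the added NOTE URL (1861e33fe05f653b67d070f7c106463e7a5c26e) is 39 hex characters, one short of a full SHA-1, which suggests a truncated copy; GitHub resolves unambiguous prefixes, but the full 40-character id should be recorded so the reference stays unambiguous as the TCPDF history grows.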



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5a240c58a97bc383a58d55bd96f5b84636f6701


[Git][security-tracker-team/security-tracker][master] Process NFUs

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5fa39ec by Salvatore Bonaccorso at 2018-09-15T09:13:17Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -782,7 +782,7 @@ CVE-2018-16708
 CVE-2018-16707
RESERVED
 CVE-2018-16706 (LG SuperSign CMS allows TVs to be rebooted remotely without 
...)
-   TODO: check
+   NOT-FOR-US: LG SuperSign CMS
 CVE-2018-16705 (FURUNO FELCOM 250 and 500 devices allow unauthenticated access 
to the ...)
NOT-FOR-US: FURUNO FELCOM 250 and 500 devices
 CVE-2018-16704 (An issue was discovered in Gleez CMS v1.2.0. Because of an 
Insecure ...)
@@ -1803,11 +1803,11 @@ CVE-2018-16290
 CVE-2018-16289
RESERVED
 CVE-2018-16288 (LG SuperSign CMS allows reading of arbitrary files via ...)
-   TODO: check
+   NOT-FOR-US: LG SuperSign CMS
 CVE-2018-16287 (LG SuperSign CMS allows file upload via ...)
-   TODO: check
+   NOT-FOR-US: LG SuperSign CMS
 CVE-2018-16286 (LG SuperSign CMS allows authentication bypass because the 
CAPTCHA ...)
-   TODO: check
+   NOT-FOR-US: LG SuperSign CMS
 CVE-2018-16285 (The UserPro plugin through 4.9.23 for WordPress allows XSS via 
the ...)
NOT-FOR-US: Wordpress plugin
 CVE-2018-16284
@@ -15036,7 +15036,7 @@ CVE-2018-11060 (RSA Archer, versions prior to 6.4.0.1, 
contain an authorization
 CVE-2018-11059 (RSA Archer, versions prior to 6.4.0.1, contain a stored 
cross-site ...)
NOT-FOR-US: RSA Archer
 CVE-2018-11058 (RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 
4.0.x) and ...)
-   TODO: check
+   NOT-FOR-US: RSA BSAFE Micro Edition Suite
 CVE-2018-11057 (RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 
4.0.x) and ...)
NOT-FOR-US: RSA BSAFE Micro Edition Suite
 CVE-2018-11056 (RSA BSAFE Micro Edition Suite, prior to 4.1.6.1 (in 4.1.x), 
and RSA ...)
@@ -15819,7 +15819,7 @@ CVE-2018-10816
 CVE-2018-10815
RESERVED
 CVE-2018-10814 (Synametrics SynaMan 4.0 build 1488 uses cleartext password 
storage for ...)
-   TODO: check
+   NOT-FOR-US: Synametrics SynaMan
 CVE-2018-10813 (In Dedos-web 1.0, the cookie and session secrets used in the 
...)
NOT-FOR-US: Dedos-web
 CVE-2018-10812 (The Bitpie application through 3.2.4 for Android and iOS uses 
cleartext ...)
@@ -15988,7 +15988,7 @@ CVE-2018-10765
 CVE-2018-10764
RESERVED
 CVE-2018-10763 (Multiple cross-site scripting (XSS) vulnerabilities in 
Synametrics ...)
-   TODO: check
+   NOT-FOR-US: Synametrics SynaMan
 CVE-2018-10762
REJECTED
 CVE-2018-10761



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5fa39ec0f077564a1a47bab5f8a15d8bc2bc240


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-14638/389-ds-base

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d71770d by Salvatore Bonaccorso at 2018-09-15T08:48:54Z
Add bug reference for CVE-2018-14638/389-ds-base

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5719,7 +5719,7 @@ CVE-2018-14640
 CVE-2018-14639
RESERVED
 CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The 
process ...)
-   - 389-ds-base 
+   - 389-ds-base  (bug #908859)
NOTE: 
https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73
 CVE-2018-14637
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d71770d1b724885d36158675add8ea72af79546


[Git][security-tracker-team/security-tracker][master] automatic update

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee4723f8 by security tracker role at 2018-09-15T08:10:18Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,19 @@
+CVE-2018-17059
+   RESERVED
+CVE-2018-17058
+   RESERVED
+CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can 
trigger ...)
+   TODO: check
+CVE-2018-17056
+   RESERVED
+CVE-2018-17055
+   RESERVED
+CVE-2018-17054
+   RESERVED
+CVE-2018-17053
+   RESERVED
+CVE-2018-17052
+   RESERVED
 CVE-2018-17051 (K-Net Cisco Configuration Manager through 2014-11-19 has XSS 
via ...)
NOT-FOR-US: K-Net Cisco Configuration Manager
 CVE-2018-17050
@@ -765,8 +781,8 @@ CVE-2018-16708
RESERVED
 CVE-2018-16707
RESERVED
-CVE-2018-16706
-   RESERVED
+CVE-2018-16706 (LG SuperSign CMS allows TVs to be rebooted remotely without 
...)
+   TODO: check
 CVE-2018-16705 (FURUNO FELCOM 250 and 500 devices allow unauthenticated access 
to the ...)
NOT-FOR-US: FURUNO FELCOM 250 and 500 devices
 CVE-2018-16704 (An issue was discovered in Gleez CMS v1.2.0. Because of an 
Insecure ...)
@@ -1786,12 +1802,12 @@ CVE-2018-16290
RESERVED
 CVE-2018-16289
RESERVED
-CVE-2018-16288
-   RESERVED
-CVE-2018-16287
-   RESERVED
-CVE-2018-16286
-   RESERVED
+CVE-2018-16288 (LG SuperSign CMS allows reading of arbitrary files via ...)
+   TODO: check
+CVE-2018-16287 (LG SuperSign CMS allows file upload via ...)
+   TODO: check
+CVE-2018-16286 (LG SuperSign CMS allows authentication bypass because the 
CAPTCHA ...)
+   TODO: check
 CVE-2018-16285 (The UserPro plugin through 4.9.23 for WordPress allows XSS via 
the ...)
NOT-FOR-US: Wordpress plugin
 CVE-2018-16284
@@ -1879,8 +1895,8 @@ CVE-2018-16244
RESERVED
 CVE-2018-16243
RESERVED
-CVE-2018-16242
-   RESERVED
+CVE-2018-16242 (oBike relies on Hangzhou Luoping Smart Locker to lock 
bicycles, which ...)
+   TODO: check
 CVE-2018-16241
RESERVED
 CVE-2018-16240
@@ -5702,8 +5718,7 @@ CVE-2018-14640
RESERVED
 CVE-2018-14639
RESERVED
-CVE-2018-14638 [Crash in delete_passwdPolicy when persistent search 
connections are terminated unexpectedly]
-   RESERVED
+CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The 
process ...)
- 389-ds-base 
NOTE: 
https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73
 CVE-2018-14637
@@ -10843,8 +10858,8 @@ CVE-2018-12587 (A cross-site scripting (XSS) 
vulnerability was found in valeurad
NOT-FOR-US: valeuraddons German Spelling Dictionary
 CVE-2018-12586
RESERVED
-CVE-2018-12585
-   RESERVED
+CVE-2018-12585 (An XXE vulnerability in the OPC UA Java and .NET Legacy Stack 
can ...)
+   TODO: check
 CVE-2018-12584 (The ConnectionBase::preparseNewBytes function in ...)
{DLA-1439-1}
- resiprocate  (bug #905495)
@@ -11084,7 +11099,7 @@ CVE-2018-12497
 CVE-2018-12496
RESERVED
 CVE-2018-12495 (The quoteblock function in markdown.c in libmarkdown.a in 
DISCOUNT ...)
-   {DLA-1499-1}
+   {DSA-4293-1 DLA-1499-1}
- discount 2.2.4-1 (bug #901912)
NOTE: https://github.com/Orc/discount/issues/189#issuecomment-397541501
NOTE: Fixed by 
https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974
@@ -12273,8 +12288,8 @@ CVE-2018-12088 (S3QL before 2.27 mishandles 
checksumming, and consequently allow
NOTE: 
https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020
 CVE-2018-12087
RESERVED
-CVE-2018-12086
-   RESERVED
+CVE-2018-12086 (Buffer overflow in OPC UA applications allows remote attackers 
to ...)
+   TODO: check
 CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the 
function ...)
- liblouis 3.5.0-4 (bug #901202)
[stretch] - liblouis 3.0.0-3+deb9u4
@@ -13793,13 +13808,13 @@ CVE-2018-11506 (The sr_do_ioctl function in 
drivers/scsi/sr_ioctl.c in the Linux
 CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows 
attackers to ...)
NOT-FOR-US: Werewolf Online application for Android
 CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 
2.2.3a ...)
-   {DLA-1499-1}
+   {DSA-4293-1 DLA-1499-1}
- discount 2.2.4-1 (bug #901912)
NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798
NOTE: POC: 
https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue3_testcase
NOTE: Fixed by 
https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974
 CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in 
DISCOUNT ...)
-   {DLA-1499-1}
+   {DSA-4293-1 DLA-1499-1}
- discount 

[Git][security-tracker-team/security-tracker][master] Add CVE-2018-14638/389-ds-base

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8271dcc by Salvatore Bonaccorso at 2018-09-15T07:20:43Z
Add CVE-2018-14638/389-ds-base

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5702,8 +5702,10 @@ CVE-2018-14640
RESERVED
 CVE-2018-14639
RESERVED
-CVE-2018-14638
+CVE-2018-14638 [Crash in delete_passwdPolicy when persistent search 
connections are terminated unexpectedly]
RESERVED
+   - 389-ds-base 
+   NOTE: 
https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73
 CVE-2018-14637
RESERVED
 CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic 
for other ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8271dcc832fb6dec8ebabf3b5e17f6a40c4ed4c


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-7561

2018-09-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
250047e9 by Salvatore Bonaccorso at 2018-09-15T06:43:17Z
Add bug reference for CVE-2017-7561

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -75832,7 +75832,7 @@ CVE-2017-7562 (An authentication bypass flaw was found 
in the way krb5's certaut
 CVE-2017-7561 (Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is 
...)
- resteasy  (bug #873392)
[jessie] - resteasy  (CORS Filter added in 3.0.7.Final)
-   - resteasy3.0 
+   - resteasy3.0  (bug #908836)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1483823
NOTE: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704
NOTE: Fixed by: 
https://github.com/resteasy/Resteasy/commit/517db971d8f7094124416bf72091fd0b45a13028



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/250047e9878291446d63932656ca7527973c7db4
