[Git][security-tracker-team/security-tracker][master] LTS/Add and claim imagemagick
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c83fc61 by Roberto C. Sánchez at 2018-09-15T23:24:26Z LTS/Add and claim imagemagick - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,6 +31,8 @@ glusterfs gnutls28 (Ola Lundqvist) NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (lamby) -- +imagemagick (Roberto C. Sánchez) +-- intel-microcode (Henrique de Moraes Holschuh) NOTE: 20180915: intel-microcode 3.20180807a.1 also going through stretch-security (hmh) NOTE: 20180915: DLA likely should wait for (or be done in sync with) the DSA (hmh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4c83fc61b976eacc221730c4afbcb00f020b2613 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4c83fc61b976eacc221730c4afbcb00f020b2613 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
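Review bot: the new imagemagick entry carries no NOTE line, unlike the neighbouring gnutls28 and intel-microcode entries, which each record a dated NOTE about the state of the fix; a dated NOTE naming which open CVEs this claim covers would let the next triager tell an active claim from a stale one.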
[Git][security-tracker-team/security-tracker][master] Claim intel-microcode in dla-needed.txt
Henrique de Moraes Holschuh pushed to branch master at Debian Security Tracker / security-tracker Commits: 1eb4f792 by Henrique de Moraes Holschuh at 2018-09-15T20:26:14Z Claim intel-microcode in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,6 +31,10 @@ glusterfs gnutls28 (Ola Lundqvist) NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (lamby) -- +intel-microcode (Henrique de Moraes Holschuh) + NOTE: 20180915: intel-microcode 3.20180807a.1 also going through stretch-security (hmh) + NOTE: 20180915: DLA likely should wait for (or be done in sync with) the DSA (hmh) +-- kdepim -- libav (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1eb4f7929109d9f57b262cd9120b7eb6935a26bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1eb4f7929109d9f57b262cd9120b7eb6935a26bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1505-1 for zutils
Daniel Baumann pushed to branch master at Debian Security Tracker / security-tracker Commits: a3e6f726 by Daniel Baumann at 2018-09-15T20:15:10Z Reserve DLA-1505-1 for zutils Signed-off-by: Daniel Baumann- - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Sep 2018] DLA-1505-1 zutils - security update + {CVE-2018-1000637} + [jessie] - zutils 1.3-4+deb8u1 [13 Sep 2018] DLA-1504-1 ghostscript - security update {CVE-2018-11645 CVE-2018-15908 CVE-2018-15909 CVE-2018-15910 CVE-2018-15911 CVE-2018-16509 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16585 CVE-2018-16802} [jessie] - ghostscript 9.06~dfsg-2+deb8u8 = data/dla-needed.txt = @@ -82,5 +82,3 @@ thunderbird -- xen -- -zutils (Daniel Baumann) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3e6f726e392f4c706410e0bad6ed617a1dec9d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3e6f726e392f4c706410e0bad6ed617a1dec9d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 51383ab6 by security tracker role at 2018-09-15T20:10:37Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2018-17062 + RESERVED +CVE-2018-17061 (BullGuard Safe Browsing 18.1.355 allows XSS on Google, Bing, and Yahoo! ...) + TODO: check +CVE-2018-17060 + RESERVED CVE-2018-17059 RESERVED CVE-2018-17058 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51383ab6ab36cada1c0370f0e49953d055b5df71 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51383ab6ab36cada1c0370f0e49953d055b5df71 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
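Review bot: CVE-2018-17061 is left at TODO: check although its description names BullGuard Safe Browsing, a proprietary product that is not packaged in Debian; it can be triaged straight to NOT-FOR-US: BullGuard Safe Browsing, the same way the LG SuperSign CMS entries are handled in the Process NFUs commit on this page.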
[Git][security-tracker-team/security-tracker][master] Claim zutils in dla-needed.txt
Daniel Baumann pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cff5394 by Daniel Baumann at 2018-09-15T20:01:08Z Claim zutils in dla-needed.txt Signed-off-by: Daniel Baumann- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,3 +82,5 @@ thunderbird -- xen -- +zutils (Daniel Baumann) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4cff5394c3751ffc55052873f6369325c82f32d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4cff5394c3751ffc55052873f6369325c82f32d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim nss in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c760b912 by Markus Koschany at 2018-09-15T16:56:07Z Claim nss in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,6 +53,8 @@ linux-4.9 (Ben Hutchings) mosquitto NOTE: 20180629: there are still two CVEs open, their upstream bugs show no progress -- +nss (Markus Koschany) +-- mupdf (Abhijith PA) NOTE: 20180912: convert command not available in jessie mupdf. Couldn't reproduce, but codebase almost similar. NOTE: 20180912: Waiting for bug reporter's reply (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c760b9125d1ffa05b7c7fe7ee9daedbaca145703 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c760b9125d1ffa05b7c7fe7ee9daedbaca145703 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
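Review bot: the new nss entry is inserted between mosquitto and mupdf, which breaks the alphabetical order dla-needed.txt keeps (the openjpeg2 claim commit on this page shows the sequence mysql-5.5, openjdk-7, openjpeg2); nss belongs after mysql-5.5 and before openjdk-7.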
[Git][security-tracker-team/security-tracker][master] ghostscript/9.25~dfsg-1 uploaded to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72f03af3 by Salvatore Bonaccorso at 2018-09-15T15:38:31Z ghostscript/9.25~dfsg-1 uploaded to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -582,7 +582,7 @@ CVE-2018-16793 CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. Incorrect ...) {DLA-1504-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - - ghostscript + - ghostscript 9.25~dfsg-1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24dbd002fb9c131313253c307cf3951b3d47 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590 @@ -2781,7 +2781,7 @@ CVE-2017-18345 (The Joomanager component through 2.0.0 for Joomla! has an arbitr CVE-2018-16543 (In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution ...) {DSA-4288-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - - ghostscript (bug #908303) + - ghostscript 9.25~dfsg-1 (bug #908303) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699670 CVE-2018-16542 (In Artifex Ghostscript before 9.24, attackers able to supply crafted ...) @@ -2820,7 +2820,7 @@ CVE-2018-16511 (An issue was discovered in Artifex Ghostscript before 9.24. A ty NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699659 CVE-2018-16510 (An issue was discovered in Artifex Ghostscript before 9.24. Incorrect ...) [experimental] - ghostscript 9.25~dfsg-1~exp1 - - ghostscript (bug #908304) + - ghostscript 9.25~dfsg-1 (bug #908304) [stretch] - ghostscript (Introduced in 9.22) [jessie] - ghostscript (vulnerable code is not present) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9 
@@ -2828,7 +2828,7 @@ CVE-2018-16510 (An issue was discovered in Artifex Ghostscript before 9.24. Inco CVE-2018-16509 (An issue was discovered in Artifex Ghostscript before 9.24. Incorrect ...) {DLA-1504-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - - ghostscript (bug #907332; bug #907703) + - ghostscript 9.25~dfsg-1 (bug #907332; bug #907703) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=78911a01b67d590b4a91afac2e8417360b934156 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5516c614dc33662a2afdc377159f70218e67bde5 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=79cccf641486a6595c43f1de1cd7ade696020a31 @@ -2838,7 +2838,7 @@ CVE-2018-16509 (An issue was discovered in Artifex Ghostscript before 9.24. Inco CVE-2018-16585 (An issue was discovered in Artifex Ghostscript before 9.24. The ...) {DSA-4288-1 DLA-1504-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - - ghostscript (bug #908305) + - ghostscript 9.25~dfsg-1 (bug #908305) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1497d65039885a52b598b137dd8622bd4672f9be NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699663 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/72f03af3b9e9e4e260c11bf6b4bce180ac3819ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/72f03af3b9e9e4e260c11bf6b4bce180ac3819ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
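Review bot: CVE-2018-16802 and CVE-2018-16509 now record 9.25~dfsg-1 as the fixed version in unstable but carry only {DLA-1504-1} and no [stretch] line, so stretch stays shown as affected; if a DSA for stretch is pending that is correct, otherwise a [stretch] annotation with the status is missing. The remaining hunks are consistent with each other, each replacing the bare '- ghostscript' line with '- ghostscript 9.25~dfsg-1' while keeping its bug reference.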
[Git][security-tracker-team/security-tracker][master] 389-ds-base: mark CVE-2018-14638 not affected
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 84eb3bca by Hugo Lefeuvre at 2018-09-15T14:57:18Z 389-ds-base: mark CVE-2018-14638 not affected CVE-2018-14638: two cloned pblocks share the same password policy, and under certain circumstances the clone might be freed, consequently freeing the shared password policy. Later, when the original password policy is freed, it tries to free the password policy a second time thus resulting in double free, crash and other undefined behavior. It seems that this vulnerability first appeared in 74c666b83e3e1789c2ef3f7935c327bd7555193e (after 1.3.6.3), which introduced the concept of cloning blocks and 407d7d9de7e9c4db1e4c1f5a1a98890f2474c477 (after 1.3.7.0), which refactored the pblock to a tree-like structure. It is not completely clear to me when exactly the vulnerability first appeared, but it is almost certain that the Jessie version (1.3.3.5) is not affected since affected concepts are not present at all. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5721,6 +5721,7 @@ CVE-2018-14639 RESERVED CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ...) - 389-ds-base (bug #908859) + [jessie] - 389-ds-base (Vulnerable code not present) NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73 CVE-2018-14637 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/84eb3bcae498c6e618dea2cc018513e4954d9e69 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/84eb3bcae498c6e618dea2cc018513e4954d9e69 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
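Review bot: the [jessie] not-affected line is added without a NOTE, so the reasoning from the commit message (the pblock cloning introduced in 74c666b83e3e1789c2ef3f7935c327bd7555193e after 1.3.6.3 and the pblock refactoring in 407d7d9de7e9c4db1e4c1f5a1a98890f2474c477 after 1.3.7.0, neither of which is in jessie's 1.3.3.5) is not recorded in data/CVE/list; add a NOTE naming those two upstream commits so a later triager can verify the "Vulnerable code not present" claim without reconstructing the git history.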
[Git][security-tracker-team/security-tracker][master] Claim openjpeg2 and 389-ds-base in data/dla-needed
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 42841b83 by Hugo Lefeuvre at 2018-09-15T13:27:31Z Claim openjpeg2 and 389-ds-base in data/dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -10,7 +10,7 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -389-ds-base +389-ds-base (Hugo Lefeuvre) NOTE: 20180901: No detailed information or a reproducer available at the NOTE: moment. Check. (apo) -- @@ -61,7 +61,7 @@ mysql-5.5 (Emilio Pozuelo) -- openjdk-7 (Emilio Pozuelo) -- -openjpeg2 +openjpeg2 (Hugo Lefeuvre) NOTE: 20180719: there is no patch available for the remaining CVEs -- phpldapadmin (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42841b83d8780d392c5ff4b176b55a96a0f619d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42841b83d8780d392c5ff4b176b55a96a0f619d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2016-3956/npm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8f24fcf by Salvatore Bonaccorso at 2018-09-15T13:21:10Z Add fixed version for CVE-2016-3956/npm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115823,7 +115823,7 @@ CVE-2016-3957 (The secure_load function in gluon/utils.py in web2py before 2.14. [jessie] - web2py (Vulnerable code not present) [wheezy] - web2py (Vulnerable code not present) CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js ...) - - npm (bug #850322) + - npm 5.8.0+ds-2 (bug #850322) [jessie] - npm (Minor issue) NOTE: https://github.com/npm/npm/issues/8380 NOTE: https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8f24fcf9f5b1b6f172440523385f6d8909f1f3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8f24fcf9f5b1b6f172440523385f6d8909f1f3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
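Review bot: the NOTE lines cite only the upstream fix for 2.15.1, while the Debian fixed version recorded here is 5.8.0+ds-2; a short NOTE stating that the fix reached Debian with that upstream release rather than through a backport would make the entry self-explanatory.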
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-17057
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 747bd6a4 by Salvatore Bonaccorso at 2018-09-15T09:50:46Z Add bug reference for CVE-2018-17057 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2018-17059 CVE-2018-17058 RESERVED CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can trigger ...) - - tcpdf + - tcpdf (bug #908866) NOTE: https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e CVE-2018-17056 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/747bd6a458dd8cfb89873663d1b998939f988035 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/747bd6a458dd8cfb89873663d1b998939f988035 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17057/tcpdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5a240c5 by Salvatore Bonaccorso at 2018-09-15T09:38:39Z Add CVE-2018-17057/tcpdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,8 @@ CVE-2018-17059 CVE-2018-17058 RESERVED CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can trigger ...) - TODO: check + - tcpdf + NOTE: https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e CVE-2018-17056 RESERVED CVE-2018-17055 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5a240c58a97bc383a58d55bd96f5b84636f6701 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5a240c58a97bc383a58d55bd96f5b84636f6701 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
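Review bot: the commit hash in the NOTE URL, 1861e33fe05f653b67d070f7c106463e7a5c26e, is 39 hex characters, one short of a full SHA-1, so it looks truncated; GitHub resolves unique prefixes, but the full hash should be recorded. The new '- tcpdf' line also has no (bug #...) reference; a bug should be filed so the maintainer is notified, as the follow-up commit on this page does.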
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5fa39ec by Salvatore Bonaccorso at 2018-09-15T09:13:17Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -782,7 +782,7 @@ CVE-2018-16708 CVE-2018-16707 RESERVED CVE-2018-16706 (LG SuperSign CMS allows TVs to be rebooted remotely without ...) - TODO: check + NOT-FOR-US: LG SuperSign CMS CVE-2018-16705 (FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the ...) NOT-FOR-US: FURUNO FELCOM 250 and 500 devices CVE-2018-16704 (An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure ...) @@ -1803,11 +1803,11 @@ CVE-2018-16290 CVE-2018-16289 RESERVED CVE-2018-16288 (LG SuperSign CMS allows reading of arbitrary files via ...) - TODO: check + NOT-FOR-US: LG SuperSign CMS CVE-2018-16287 (LG SuperSign CMS allows file upload via ...) - TODO: check + NOT-FOR-US: LG SuperSign CMS CVE-2018-16286 (LG SuperSign CMS allows authentication bypass because the CAPTCHA ...) - TODO: check + NOT-FOR-US: LG SuperSign CMS CVE-2018-16285 (The UserPro plugin through 4.9.23 for WordPress allows XSS via the ...) NOT-FOR-US: Wordpress plugin CVE-2018-16284 @@ -15036,7 +15036,7 @@ CVE-2018-11060 (RSA Archer, versions prior to 6.4.0.1, contain an authorization CVE-2018-11059 (RSA Archer, versions prior to 6.4.0.1, contain a stored cross-site ...) NOT-FOR-US: RSA Archer CVE-2018-11058 (RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and ...) - TODO: check + NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-11057 (RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-11056 (RSA BSAFE Micro Edition Suite, prior to 4.1.6.1 (in 4.1.x), and RSA ...) 
@@ -15819,7 +15819,7 @@ CVE-2018-10816 CVE-2018-10815 RESERVED CVE-2018-10814 (Synametrics SynaMan 4.0 build 1488 uses cleartext password storage for ...) - TODO: check + NOT-FOR-US: Synametrics SynaMan CVE-2018-10813 (In Dedos-web 1.0, the cookie and session secrets used in the ...) NOT-FOR-US: Dedos-web CVE-2018-10812 (The Bitpie application through 3.2.4 for Android and iOS uses cleartext ...) @@ -15988,7 +15988,7 @@ CVE-2018-10765 CVE-2018-10764 RESERVED CVE-2018-10763 (Multiple cross-site scripting (XSS) vulnerabilities in Synametrics ...) - TODO: check + NOT-FOR-US: Synametrics SynaMan CVE-2018-10762 REJECTED CVE-2018-10761 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5fa39ec0f077564a1a47bab5f8a15d8bc2bc240 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5fa39ec0f077564a1a47bab5f8a15d8bc2bc240 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-14638/389-ds-base
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d71770d by Salvatore Bonaccorso at 2018-09-15T08:48:54Z Add bug reference for CVE-2018-14638/389-ds-base - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5719,7 +5719,7 @@ CVE-2018-14640 CVE-2018-14639 RESERVED CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ...) - - 389-ds-base + - 389-ds-base (bug #908859) NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73 CVE-2018-14637 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0d71770d1b724885d36158675add8ea72af79546
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee4723f8 by security tracker role at 2018-09-15T08:10:18Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2018-17059 + RESERVED +CVE-2018-17058 + RESERVED +CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can trigger ...) + TODO: check +CVE-2018-17056 + RESERVED +CVE-2018-17055 + RESERVED +CVE-2018-17054 + RESERVED +CVE-2018-17053 + RESERVED +CVE-2018-17052 + RESERVED CVE-2018-17051 (K-Net Cisco Configuration Manager through 2014-11-19 has XSS via ...) NOT-FOR-US: K-Net Cisco Configuration Manager CVE-2018-17050 @@ -765,8 +781,8 @@ CVE-2018-16708 RESERVED CVE-2018-16707 RESERVED -CVE-2018-16706 - RESERVED +CVE-2018-16706 (LG SuperSign CMS allows TVs to be rebooted remotely without ...) + TODO: check CVE-2018-16705 (FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the ...) NOT-FOR-US: FURUNO FELCOM 250 and 500 devices CVE-2018-16704 (An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure ...) @@ -1786,12 +1802,12 @@ CVE-2018-16290 RESERVED CVE-2018-16289 RESERVED -CVE-2018-16288 - RESERVED -CVE-2018-16287 - RESERVED -CVE-2018-16286 - RESERVED +CVE-2018-16288 (LG SuperSign CMS allows reading of arbitrary files via ...) + TODO: check +CVE-2018-16287 (LG SuperSign CMS allows file upload via ...) + TODO: check +CVE-2018-16286 (LG SuperSign CMS allows authentication bypass because the CAPTCHA ...) + TODO: check CVE-2018-16285 (The UserPro plugin through 4.9.23 for WordPress allows XSS via the ...) NOT-FOR-US: Wordpress plugin CVE-2018-16284 @@ -1879,8 +1895,8 @@ CVE-2018-16244 RESERVED CVE-2018-16243 RESERVED -CVE-2018-16242 - RESERVED +CVE-2018-16242 (oBike relies on Hangzhou Luoping Smart Locker to lock bicycles, which ...) + TODO: check CVE-2018-16241 RESERVED CVE-2018-16240 
@@ -5702,8 +5718,7 @@ CVE-2018-14640 RESERVED CVE-2018-14639 RESERVED -CVE-2018-14638 [Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly] - RESERVED +CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ...) - 389-ds-base NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73 CVE-2018-14637 @@ -10843,8 +10858,8 @@ CVE-2018-12587 (A cross-site scripting (XSS) vulnerability was found in valeurad NOT-FOR-US: valeuraddons German Spelling Dictionary CVE-2018-12586 RESERVED -CVE-2018-12585 - RESERVED +CVE-2018-12585 (An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can ...) + TODO: check CVE-2018-12584 (The ConnectionBase::preparseNewBytes function in ...) {DLA-1439-1} - resiprocate (bug #905495) @@ -11084,7 +11099,7 @@ CVE-2018-12497 CVE-2018-12496 RESERVED CVE-2018-12495 (The quoteblock function in markdown.c in libmarkdown.a in DISCOUNT ...) - {DLA-1499-1} + {DSA-4293-1 DLA-1499-1} - discount 2.2.4-1 (bug #901912) NOTE: https://github.com/Orc/discount/issues/189#issuecomment-397541501 NOTE: Fixed by https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974 @@ -12273,8 +12288,8 @@ CVE-2018-12088 (S3QL before 2.27 mishandles checksumming, and consequently allow NOTE: https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020 CVE-2018-12087 RESERVED -CVE-2018-12086 - RESERVED +CVE-2018-12086 (Buffer overflow in OPC UA applications allows remote attackers to ...) + TODO: check CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the function ...) - liblouis 3.5.0-4 (bug #901202) [stretch] - liblouis 3.0.0-3+deb9u4 
@@ -13793,13 +13808,13 @@ CVE-2018-11506 (The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows attackers to ...) NOT-FOR-US: Werewolf Online application for Android CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a ...) - {DLA-1499-1} + {DSA-4293-1 DLA-1499-1} - discount 2.2.4-1 (bug #901912) NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798 NOTE: POC: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue3_testcase NOTE: Fixed by https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974 CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in DISCOUNT ...) - {DLA-1499-1} + {DSA-4293-1 DLA-1499-1} - discount
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-14638/389-ds-base
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8271dcc by Salvatore Bonaccorso at 2018-09-15T07:20:43Z Add CVE-2018-14638/389-ds-base - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5702,8 +5702,10 @@ CVE-2018-14640 RESERVED CVE-2018-14639 RESERVED -CVE-2018-14638 +CVE-2018-14638 [Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly] RESERVED + - 389-ds-base + NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73 CVE-2018-14637 RESERVED CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic for other ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8271dcc832fb6dec8ebabf3b5e17f6a40c4ed4c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8271dcc832fb6dec8ebabf3b5e17f6a40c4ed4c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
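Review bot: the package line '- 389-ds-base' is added with no (bug #...) reference; filing a bug and recording it next to the package line, as the other unfixed entries on this page do (tcpdf, npm, resteasy3.0), makes sure the maintainer is notified. The follow-up commit at 08:48 on this page adds bug #908859.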
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-7561
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 250047e9 by Salvatore Bonaccorso at 2018-09-15T06:43:17Z Add bug reference for CVE-2017-7561 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75832,7 +75832,7 @@ CVE-2017-7562 (An authentication bypass flaw was found in the way krb5's certaut CVE-2017-7561 (Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is ...) - resteasy (bug #873392) [jessie] - resteasy (CORS Filter added in 3.0.7.Final) - - resteasy3.0 + - resteasy3.0 (bug #908836) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1483823 NOTE: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704 NOTE: Fixed by: https://github.com/resteasy/Resteasy/commit/517db971d8f7094124416bf72091fd0b45a13028 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/250047e9878291446d63932656ca7527973c7db4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/250047e9878291446d63932656ca7527973c7db4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits