[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17075/golang-golang-x-net-dev

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eaa73ae8 by Salvatore Bonaccorso at 2018-09-29T06:45:27Z
Add CVE-2018-17075/golang-golang-x-net-dev

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1487,7 +1487,11 @@ CVE-2018-17076 (GPP through 2.25 will try to use more 
memory space than is avail
[jessie] - gpp  (Minor issue)
NOTE: https://github.com/logological/gpp/issues/26
 CVE-2018-17075 (The html package (aka x/net/html) before 2018-07-13 in Go 
mishandles ...)
-   TODO: check
+   - golang-golang-x-net-dev  (Vulnerable code introduced 
later)
+   - golang-go.net-dev  (Vulnerable code introduced later)
+   NOTE: https://github.com/golang/go/issues/27016
+   NOTE: Fixed by: 
https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50
+   NOTE: Introduced in: 
https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622
 CVE-2018-17074 (The Feed Statistics plugin before 4.0 for WordPress has an 
Open ...)
NOT-FOR-US: Feed Statistics plugin for WordPress
 CVE-2018-17073 (wernsey/bitmap before 2018-08-18 allows a NULL pointer 
dereference via ...)
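Review bot: the two new package lines (`- golang-golang-x-net-dev  (Vulnerable code introduced later)` and `- golang-go.net-dev  (Vulnerable code introduced later)`) show a double space where the tracker's status token sits, so a `<not-affected>` marker was most likely stripped when this mail was rendered; check the committed file carries it, since a package name followed only by a parenthesised reason is not a valid status line. Keeping both the `NOTE: Introduced in:` and `NOTE: Fixed by:` commit references is what makes the not-affected claim checkable against the x/net snapshot each source package actually ships, so they should stay together.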



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/eaa73ae89deaab6d46a8280a92038205c60cdc2c

You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-14650 as NFU

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a4a9e35 by Salvatore Bonaccorso at 2018-09-29T06:31:45Z
Mark CVE-2018-14650 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7262,7 +7262,7 @@ CVE-2018-14652
 CVE-2018-14651
RESERVED
 CVE-2018-14650 (It was discovered that sos-collector does not properly set the 
default ...)
-   TODO: check
+   NOT-FOR-US: sos-collector (not same as sosreport itself, additional 
tool to sosreport)
 CVE-2018-14649
RESERVED
NOT-FOR-US: ceph-iscsi-cli



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a4a9e35c829ad8e02fb073d3004c8ab8efacd96


[Git][security-tracker-team/security-tracker][master] Add proposed stretch-pu fixes for CVE-2018-80{19,20}

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2304445 by Salvatore Bonaccorso at 2018-09-28T22:11:14Z
Add proposed stretch-pu fixes for CVE-2018-80{19,20}

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -54,3 +54,7 @@ CVE-2018-1000637
[stretch] - zutils 1.5-5+deb9u1
 CVE-2018-1000632
[stretch] - dom4j 1.6.1+dfsg.3-2+deb9u1
+CVE-2018-8019
+   [stretch] - tomcat-native 1.2.12-2+deb9u2
+CVE-2018-8020
+   [stretch] - tomcat-native 1.2.12-2+deb9u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2304445d0652d7539011b391363965d3d1a83da


[Git][security-tracker-team/security-tracker][master] Process NFUs

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3955652e by Salvatore Bonaccorso at 2018-09-28T22:08:43Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -305,15 +305,15 @@ CVE-2018-17613 (Telegram Desktop (aka tdesktop) 1.3.16 
alpha, when "Use pro
 CVE-2018-17612
RESERVED
 CVE-2018-17611 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Foxit
 CVE-2018-17610 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Foxit
 CVE-2018-17609 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Foxit
 CVE-2018-17608 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Foxit
 CVE-2018-17607 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Foxit
 CVE-2018-17606
RESERVED
 CVE-2018-17605 (An issue was discovered in the Asset Pipeline plugin before 
3.0.4 for ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3955652e8cf6114eecc965181ae486da76467c39


[Git][security-tracker-team/security-tracker][master] 2 commits: Clarify status for CVE-2014-470{1,3}

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e2beca2f by Salvatore Bonaccorso at 2018-09-28T21:20:22Z
Clarify status for CVE-2014-470{1,3}

- - - - -
dfd15f50 by Salvatore Bonaccorso at 2018-09-28T21:33:10Z
Update status for CVE-2014-470{1,2,3}/monitoring-plugins

The issues were fixed differently in the monitoring-plugins codebase.
Upstream of monitoring-plugins decided in the fix to drop privileges
before reading the file. This was addressed in

https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c

which is included in the initial upload of monitoring-plugins for
Debian. As such CVE-2014-4703 as well (being a CVE for an incomplete
fix specifically for nagios-plugins) does not affect monitoring-plugins.

As a note for people wanting to backport the fixes for nagios-plugins
itself to older versions: for nagios-plugins specifically the fix can
be extracted from the diff of the tarballs for 2.0.1 to 2.0.2 for
CVE-2014-470{1,2}, limited to lib/parse_ini.c, and for CVE-2014-4703 from
the changes in lib/parse_ini.c between 2.0.2 and 2.0.3.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -171326,23 +171326,26 @@ CVE-2014-3771 (TeamPass before 2.1.20 allows remote 
attackers to bypass access .
- teampass  (bug #730180)
NOTE: 
https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f
 CVE-2014-4703 (lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to 
obtain ...)
-   - nagios-plugins  (unimportant)
+   - nagios-plugins  (incomplete fix for CVE-2014-4701 not 
applied)
NOTE: check_dhcp is not installed with root suid permissions in Debian
NOTE: http://seclists.org/fulldisclosure/2014/Jun/141
-   - monitoring-plugins  (unimportant)
-   [jessie] - monitoring-plugins  (Minor issue, setuid bit not set 
by default.)
+   NOTE: Introduced due to incomplete fix for CVE-2014-4701 in 2.0.2.
+   - monitoring-plugins  (Vulnerable code not present, fix 
for CVE-2014-4701 adressed differently directly by dropping privileges)
 CVE-2014-4702 (The check_icmp plugin in Nagios Plugins before 2.0.2 allows 
local ...)
- nagios-plugins  (unimportant)
NOTE: http://seclists.org/fulldisclosure/2014/May/74
+   NOTE: Fixed in nagios-plugins 2.0.2
NOTE: check_imcp is not installed with root suid permissions in Debian
-   - monitoring-plugins  (unimportant)
-   [jessie] - monitoring-plugins  (Minor issue, setuid bit not set 
by default.)
+   - monitoring-plugins  (Fixed with initial upload to 
Debian)
+   NOTE: 
https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c
 CVE-2014-4701 (The check_dhcp plugin in Nagios Plugins before 2.0.2 allows 
local ...)
- nagios-plugins  (unimportant)
NOTE: check_dhcp is not installed with root suid permissions in Debian
NOTE: http://seclists.org/fulldisclosure/2014/May/74
-   - monitoring-plugins  (unimportant)
-   [jessie] - monitoring-plugins  (Minor issue, setuid bit not set 
by default.)
+   NOTE: fixed in nagios-plugins 2.0.2 (but needs to be made complete to 
not open
+   NOTE: CVE-2014-4703) and thus include the fix from 2.0.3 upstream.
+   - monitoring-plugins  (Fixed with initial upload to 
Debian)
+   NOTE: 
https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c
 CVE-2014-3776 (Buffer overflow in the "read-u8vector!" procedure in 
the srfi-4 unit ...)
- chicken 4.9.0-1 (bug #748904)
[squeeze] - chicken  (Minor issue)
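Review bot: `adressed` in the new monitoring-plugins line for CVE-2014-4703 (`fix for CVE-2014-4701 adressed differently directly by dropping privileges`) should read `addressed`, and the new CVE-2014-4701 note is split mid-sentence across two `NOTE:` lines (`... to not open` / `NOTE: CVE-2014-4703) and thus include the fix from 2.0.3 upstream.`), which reads badly once rendered; rewrap so each NOTE line ends at a clause boundary. The replaced nagios-plugins line for CVE-2014-4703 also shows a double space before `(incomplete fix for CVE-2014-4701 not applied)`, i.e. its status token was stripped in rendering; since a free-form string is not a valid severity, confirm in the committed file that this parenthetical hangs off a `<not-affected>` marker rather than standing in for the previous `(unimportant)` severity.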



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/98d59a660ba6d503e25159cc7765c9547a7a7f4d...dfd15f500c45dcb9546b32e6f62bfd73fd9bc27f


[Git][security-tracker-team/security-tracker][master] udisks2 fixed

2018-09-28 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98d59a66 by Moritz Muehlenhoff at 2018-09-28T21:05:30Z
udisks2 fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -869,7 +869,7 @@ CVE-2018-17338 (An issue has been found in pdfalto through 
0.2. It is a heap-bas
 CVE-2018-17337
RESERVED
 CVE-2018-17336 (UDisks 2.8.0 has a format string vulnerability in udisks_log 
in ...)
-   - udisks2  (bug #909607)
+   - udisks2 2.8.1-1 (bug #909607)
[stretch] - udisks2  (Vulnerable code introduced later)
[jessie] - udisks2  (Vulnerable code introduced later)
NOTE: https://github.com/storaged-project/udisks/issues/578



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/98d59a660ba6d503e25159cc7765c9547a7a7f4d


[Git][security-tracker-team/security-tracker][master] 3 commits: Update status for CVE-2013-4215/monitoring-plugins

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9376c9ac by Salvatore Bonaccorso at 2018-09-28T20:58:16Z
Update status for CVE-2013-4215/monitoring-plugins

The contrib/check_ipxping source was removed in upstream release 1.5
(that is, before the src:nagios-plugins -> src:monitoring-plugins move),
and in consequence src:monitoring-plugins never contained an affected
version before the initial upload to Debian.

Thus merge the jessie status into the entry as well, as it is the same
for all suites now.

- - - - -
f609be7e by Salvatore Bonaccorso at 2018-09-28T20:58:16Z
Track fixed version for CVE-2013-4215/nagios-plugins

The 1.4.16+git20130902-1 upload to unstable removed contrib/check_ipxping.c,
thus fixing the issue for the source package in Debian.

- - - - -
119e5b06 by Salvatore Bonaccorso at 2018-09-28T20:58:59Z
Remove no-dsa tag for CVE-2017-9868 as fix included in DLA

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -68433,7 +68433,6 @@ CVE-2017-9868 (In Mosquitto through 1.4.12, 
mosquitto.db (aka the persistence fi
{DLA-1146-1}
- mosquitto 1.4.14-1 (bug #865959)
[stretch] - mosquitto 1.4.10-3+deb9u1
-   [jessie] - mosquitto  (Minor issue)
NOTE: https://github.com/eclipse/mosquitto/issues/468
NOTE: 
https://github.com/eclipse/mosquitto/commit/09cb1b61c8f48284d9c42bd911faa7525cc689c7
 CVE-2017-9867
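Review bot: dropping `[jessie] - mosquitto  (Minor issue)` leaves the entry with only the older `{DLA-1146-1}` cross-reference, while the advisory reserved for mosquitto earlier in this thread that lists CVE-2017-9868 is DLA-1525-1 (`{CVE-2017-7653 CVE-2017-7654 CVE-2017-9868}`, `[jessie] - mosquitto 1.3.4-2+deb8u3`); add `DLA-1525-1` to the cross-reference line so the jessie status of this CVE is tied to the advisory that actually ships the fix.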
@@ -188797,10 +188796,11 @@ CVE-2013-4217 (The OSAL_Crypt_SetEncryptedPassword 
function in ...)
 CVE-2013-4216 (The Trace_OpenLogFile function in ...)
- wimax-tools  (bug #627975)
 CVE-2013-4215 (The IPXPING_COMMAND in contrib/check_ipxping.c in Nagios 
Plugins ...)
-   - nagios-plugins  (unimportant)
+   - nagios-plugins 1.4.16+git20130902-1 (unimportant)
NOTE: vulnerable code present, but check_ipxping is neither built nor 
installed
-   - monitoring-plugins  (unimportant)
-   [jessie] - monitoring-plugins  (vulnerable code not 
present)
+   - monitoring-plugins  (Fixed before initial upload to 
Debian)
+   NOTE: contrib/check_ipxping removed from src:monitoring-pluging before 
the
+   NOTE: initial upload to Debian after the source package rename.
 CVE-2013-4214 (rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when 
...)
- nagios3 3.5.1-1 (low; bug #719056)
[wheezy] - nagios3  (Minor issue)
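Review bot: `src:monitoring-pluging` in the new NOTE line (`contrib/check_ipxping removed from src:monitoring-pluging before the`) is a typo for `src:monitoring-plugins`, and that note's sentence is broken over two `NOTE:` lines (`... before the` / `NOTE: initial upload to Debian after the source package rename.`); rewrap at a clause boundary. The nagios-plugins change is consistent as written: the fixed version `1.4.16+git20130902-1` records when the source file disappeared, while the retained `(unimportant)` severity and the `vulnerable code present, but check_ipxping is neither built nor installed` note explain why no earlier fix was needed.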



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/854124a607ab4c09c8bb576f7f0adc72cfbd53bd...119e5b068476ac0dd1850e2c0938fde14464f414


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1525-1 for mosquitto

2018-09-28 Thread Thorsten Alteholz
Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
854124a6 by Thorsten Alteholz at 2018-09-28T20:50:53Z
Reserve DLA-1525-1 for mosquitto

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Sep 2018] DLA-1525-1 mosquitto - security update
+   {CVE-2017-7653 CVE-2017-7654 CVE-2017-9868}
+   [jessie] - mosquitto 1.3.4-2+deb8u3
 [27 Sep 2018] DLA-1524-1 libxml2 - security update
{CVE-2017-18258 CVE-2018-14404 CVE-2018-14567}
[jessie] - libxml2 2.9.1+dfsg1-5+deb8u7
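Review bot: the new DLA-1525-1 entry lists CVE-2017-9868, whose data/CVE/list entry at this point still carries `[jessie] - mosquitto  (Minor issue)` (that line is only removed in commit 119e5b06 later in this thread); cross-check that the CVE entry also gains a `{DLA-1525-1}` cross-reference so the advisory list and the per-CVE status agree rather than the jessie line being dropped without a pointer to the fixing advisory.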


=
data/dla-needed.txt
=
@@ -49,8 +49,6 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-mosquitto (Thorsten Alteholz)
---
 mysql-5.5 (Emilio Pozuelo)
 --
 openjdk-7 (Emilio Pozuelo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/854124a607ab4c09c8bb576f7f0adc72cfbd53bd


[Git][security-tracker-team/security-tracker][master] Small round of NFU processing

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1894e665 by Salvatore Bonaccorso at 2018-09-28T20:23:27Z
Small round of NFU processing

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -42510,7 +42510,7 @@ CVE-2018-1822
 CVE-2018-1821
RESERVED
 CVE-2018-1820 (IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to 
cross-site ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2018-1819
RESERVED
 CVE-2018-1818
@@ -42678,7 +42678,7 @@ CVE-2018-1738
 CVE-2018-1737
RESERVED
 CVE-2018-1736 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could allow a 
remote ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2018-1735
RESERVED
 CVE-2018-1734
@@ -42718,7 +42718,7 @@ CVE-2018-1718 (IBM Sterling B2B Integrator Standard 
Edition 5.2.0.1 - 5.2.6.3 is
 CVE-2018-1717
RESERVED
 CVE-2018-1716 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to 
...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2018-1715 (IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to 
...)
NOT-FOR-US: IBM
 CVE-2018-1714
@@ -42830,7 +42830,7 @@ CVE-2018-1662
 CVE-2018-1661
RESERVED
 CVE-2018-1660 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to 
...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2018-1659 (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 
6.0 ...)
NOT-FOR-US: IBM
 CVE-2018-1658



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1894e665d1fa8b488a0d54a8e4fe80b6be99a582


[Git][security-tracker-team/security-tracker][master] automatic update

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64953563 by security tracker role at 2018-09-28T20:10:38Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,359 @@
+CVE-2018-17764
+   RESERVED
+CVE-2018-17763
+   RESERVED
+CVE-2018-17762
+   RESERVED
+CVE-2018-17761
+   RESERVED
+CVE-2018-17760
+   RESERVED
+CVE-2018-17759
+   RESERVED
+CVE-2018-17758
+   RESERVED
+CVE-2018-17757
+   RESERVED
+CVE-2018-17756
+   RESERVED
+CVE-2018-17755
+   RESERVED
+CVE-2018-17754
+   RESERVED
+CVE-2018-17753
+   RESERVED
+CVE-2018-17752
+   RESERVED
+CVE-2018-17751
+   RESERVED
+CVE-2018-17750
+   RESERVED
+CVE-2018-17749
+   RESERVED
+CVE-2018-17748
+   RESERVED
+CVE-2018-17747
+   RESERVED
+CVE-2018-17746
+   RESERVED
+CVE-2018-17745
+   RESERVED
+CVE-2018-17744
+   RESERVED
+CVE-2018-17743
+   RESERVED
+CVE-2018-17742
+   RESERVED
+CVE-2018-17741
+   RESERVED
+CVE-2018-17740
+   RESERVED
+CVE-2018-17739
+   RESERVED
+CVE-2018-17738
+   RESERVED
+CVE-2018-17737
+   RESERVED
+CVE-2018-17736
+   RESERVED
+CVE-2018-17735
+   RESERVED
+CVE-2018-17734
+   RESERVED
+CVE-2018-17733
+   RESERVED
+CVE-2018-17732
+   RESERVED
+CVE-2018-17731
+   RESERVED
+CVE-2018-17730
+   RESERVED
+CVE-2018-17729
+   RESERVED
+CVE-2018-17728
+   RESERVED
+CVE-2018-17727
+   RESERVED
+CVE-2018-17726
+   RESERVED
+CVE-2018-17725
+   RESERVED
+CVE-2018-17724
+   RESERVED
+CVE-2018-17723
+   RESERVED
+CVE-2018-17722
+   RESERVED
+CVE-2018-17721
+   RESERVED
+CVE-2018-17720
+   RESERVED
+CVE-2018-17719
+   RESERVED
+CVE-2018-17718
+   RESERVED
+CVE-2018-17717
+   RESERVED
+CVE-2018-17716
+   RESERVED
+CVE-2018-17715
+   RESERVED
+CVE-2018-17714
+   RESERVED
+CVE-2018-17713
+   RESERVED
+CVE-2018-17712
+   RESERVED
+CVE-2018-17711
+   RESERVED
+CVE-2018-17710
+   RESERVED
+CVE-2018-17709
+   RESERVED
+CVE-2018-17708
+   RESERVED
+CVE-2018-17707
+   RESERVED
+CVE-2018-17706
+   RESERVED
+CVE-2018-17705
+   RESERVED
+CVE-2018-17704
+   RESERVED
+CVE-2018-17703
+   RESERVED
+CVE-2018-17702
+   RESERVED
+CVE-2018-17701
+   RESERVED
+CVE-2018-17700
+   RESERVED
+CVE-2018-17699
+   RESERVED
+CVE-2018-17698
+   RESERVED
+CVE-2018-17697
+   RESERVED
+CVE-2018-17696
+   RESERVED
+CVE-2018-17695
+   RESERVED
+CVE-2018-17694
+   RESERVED
+CVE-2018-17693
+   RESERVED
+CVE-2018-17692
+   RESERVED
+CVE-2018-17691
+   RESERVED
+CVE-2018-17690
+   RESERVED
+CVE-2018-17689
+   RESERVED
+CVE-2018-17688
+   RESERVED
+CVE-2018-17687
+   RESERVED
+CVE-2018-17686
+   RESERVED
+CVE-2018-17685
+   RESERVED
+CVE-2018-17684
+   RESERVED
+CVE-2018-17683
+   RESERVED
+CVE-2018-17682
+   RESERVED
+CVE-2018-17681
+   RESERVED
+CVE-2018-17680
+   RESERVED
+CVE-2018-17679
+   RESERVED
+CVE-2018-17678
+   RESERVED
+CVE-2018-17677
+   RESERVED
+CVE-2018-17676
+   RESERVED
+CVE-2018-17675
+   RESERVED
+CVE-2018-17674
+   RESERVED
+CVE-2018-17673
+   RESERVED
+CVE-2018-17672
+   RESERVED
+CVE-2018-17671
+   RESERVED
+CVE-2018-17670
+   RESERVED
+CVE-2018-17669
+   RESERVED
+CVE-2018-17668
+   RESERVED
+CVE-2018-17667
+   RESERVED
+CVE-2018-17666
+   RESERVED
+CVE-2018-17665
+   RESERVED
+CVE-2018-17664
+   RESERVED
+CVE-2018-17663
+   RESERVED
+CVE-2018-17662
+   RESERVED
+CVE-2018-17661
+   RESERVED
+CVE-2018-17660
+   RESERVED
+CVE-2018-17659
+   RESERVED
+CVE-2018-17658
+   RESERVED
+CVE-2018-17657
+   RESERVED
+CVE-2018-17656
+   RESERVED
+CVE-2018-17655
+   RESERVED
+CVE-2018-17654
+   RESERVED
+CVE-2018-17653
+   RESERVED
+CVE-2018-17652
+   RESERVED
+CVE-2018-17651
+   RESERVED
+CVE-2018-17650
+   RESERVED
+CVE-2018-17649
+   RESERVED
+CVE-2018-17648
+   RESERVED
+CVE-2018-17647
+   RESERVED
+CVE-2018-17646
+   RESERVED
+CVE-2018-17645
+   RESERVED
+CVE-2018-17644
+   RESERVED
+CVE-2018-17643
+   RESERVED
+CVE-2018-17642
+   RESERVED
+CVE-2018-17641
+   RESERVED
+CVE-2018-17640
+   RESERVED
+CVE-2018-17639
+   RESERVED
+CVE-2018-17638
+   RESERVED
+CVE-2018-17637
+   RESERVED
+CVE-2018-17636
+   RESERVED
+CVE-2018-17635
+   RESERVED
+CVE-2018-17634
+   RESERVED
+CVE-2018-17633
+   RESERVED
+CVE-2018-17632
+   RESERVED
+CVE-2018-17631
+   RESERVED
+CVE-2018-17630
+   RESERVED
+CVE-2018-17629
+   RESERVED
+CVE-2018-17628
+   RESERVED
+CVE-2018-17627
+   RESERVED
+CVE-2018-17626
+   RESERVED
+CVE-2018-17625
+   RESERVED
+CVE-2018-17624
+   RESERVED
+C

[Git][security-tracker-team/security-tracker][master] CVE-2014-7850/freeipa addressed back in 4.3.1-1 upload to unstable

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63993ab0 by Salvatore Bonaccorso at 2018-09-28T19:59:05Z
CVE-2014-7850/freeipa addressed back in 4.3.1-1 upload to unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -160151,7 +160151,7 @@ CVE-2014-7852 (Cross-site scripting (XSS) 
vulnerability in JBoss RichFaces, as u
 CVE-2014-7851 (oVirt 3.2.2 through 3.5.0 does not invalidate the restapi 
session ...)
NOT-FOR-US: ovirt-engine-webadmin
 CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in 
FreeIPA 4.x ...)
-   - freeipa  (unimportant)
+   - freeipa 4.3.1-1 (unimportant)
NOTE: https://fedorahosted.org/freeipa/ticket/4742
NOTE: Upstream commit: 
https://pagure.io/freeipa/c/af9fd4dfe2c18e52127480c959c35ad37b566095
 CVE-2014-7849 (The Role Based Access Control (RBAC) implementation in JBoss 
...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/63993ab0f7c111d8ac54014aa3efdd541719a0ee


[Git][security-tracker-team/security-tracker][master] Update commit reference for CVE-2014-7850/freeipa

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d69e1e00 by Salvatore Bonaccorso at 2018-09-28T19:52:49Z
Update commit reference for CVE-2014-7850/freeipa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -160153,7 +160153,7 @@ CVE-2014-7851 (oVirt 3.2.2 through 3.5.0 does not 
invalidate the restapi session
 CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in 
FreeIPA 4.x ...)
- freeipa  (unimportant)
NOTE: https://fedorahosted.org/freeipa/ticket/4742
-   NOTE: Upstream commit: 
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=af9fd4dfe2c18e52127480c959c35ad37b566095
+   NOTE: Upstream commit: 
https://pagure.io/freeipa/c/af9fd4dfe2c18e52127480c959c35ad37b566095
 CVE-2014-7849 (The Role Based Access Control (RBAC) implementation in JBoss 
...)
NOT-FOR-US: JBoss AS/WildFly Domain Management
 CVE-2014-7848 (lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 
2.7.x ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d69e1e003b4718b63828c17b01a3c52e875a47c0


[Git][security-tracker-team/security-tracker][master] python3.5 DSA

2018-09-28 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72ed4d61 by Moritz Muehlenhoff at 2018-09-28T19:13:36Z
python3.5 DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[28 Sep 2018] DSA-4307-1 python3.5 - security update
+   {CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647}
+   [stretch] - python3.5 3.5.3-1+deb9u1
 [27 Sep 2018] DSA-4306-1 python2.7 - security update
{CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802}
[stretch] - python2.7 2.7.13-2+deb9u3


=
data/dsa-needed.txt
=
@@ -66,8 +66,6 @@ passenger
 php7.0
   wait until more severe issues have come up
 --
-python3.5 (jmm)
---
 smarty3
 --
 spamassassin



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/72ed4d617a3f2ac453016f4de39d1078fc9af762


[Git][security-tracker-team/security-tracker][master] Remove todo item for one issue which was reported upstream

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
049837c1 by Salvatore Bonaccorso at 2018-09-28T19:06:23Z
Remove todo item for one issue which was reported upstream

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2096,7 +2096,6 @@ CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() 
function in Parser.cc ma
[stretch] - poppler  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951
NOTE: Proposed fix: 
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67
-   TODO: check, reporter did only report to Red Hat so far, few details
 CVE-2018-16645 (There is an excessive memory allocation issue in the functions 
...)
- imagemagick 
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/ecb31dbad39ccdc65868d5d2a37f0f0521250832



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/049837c125e933683673566f611652249d907faa


[Git][security-tracker-team/security-tracker][master] Rearrange notes for CVE-2017-16907 below source package listings

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b28bb64c by Salvatore Bonaccorso at 2018-09-28T19:02:20Z
Rearrange notes for CVE-2017-16907 below source package listings

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48277,11 +48277,11 @@ CVE-2017-16908 (In Horde Groupware 5.2.19, there is 
XSS via the Name field durin
NOTE: 
https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716
 CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the 
Color field ...)
- php-horde  (bug #909739)
+   - php-horde-core  (bug #909800)
NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
NOTE: https://bugs.horde.org/ticket/14857
NOTE: php-horde: 
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230
NOTE: php-horde-core: 
https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a
-   - php-horde-core  (bug #909800)
 CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL 
field in a ...)
- php-horde-kronolith  (bug #909737)
NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b28bb64c261d3bce09859cd33838df8e4de04d0d


[Git][security-tracker-team/security-tracker][master] poppler no-dsa

2018-09-28 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5a3b9fd by Moritz Muehlenhoff at 2018-09-28T18:47:33Z
poppler no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2092,7 +2092,8 @@ CVE-2018-16647 (In Artifex MuPDF 1.13.0, the 
pdf_get_xref_entry function in ...)
[jessie] - mupdf  (Minor issue)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686
 CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc 
may cause ...)
-   - poppler  (bug #909802)
+   - poppler  (low; bug #909802)
+   [stretch] - poppler  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951
NOTE: Proposed fix: 
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67
TODO: check, reporter did only report to Red Hat so far, few details



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5a3b9fdc579aba7d95b11f77909e16c2209f46a


[Git][security-tracker-team/security-tracker][master] Add poppler to dla-needed.txt

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c1c887c by Markus Koschany at 2018-09-28T18:36:08Z
Add poppler to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -61,6 +61,10 @@ openjpeg2 (Hugo Lefeuvre)
 phpldapadmin (Mike Gabriel)
   NOTE: 20180731: See 
https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already 
done
 --
+poppler
+  NOTE: 20180928: Consider fixing no-dsa/ignored bugs as well since this is
+  NOTE: frequently used package.
+--
 salt
   NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be
   NOTE: 20180921: compromised first. But the security escalation effect can 
cause
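Review bot: the second NOTE line of the new poppler entry ("NOTE: frequently used package.") drops the "20180928:" date prefix that the neighbouring entries repeat on every continuation line (see the salt entry's "NOTE: 20180921: compromised first."); use "NOTE: 20180928: frequently used package." for consistency, and "a frequently used package" reads better.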



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c1c887cae95f34842f3d057da0991d7644fad17


[Git][security-tracker-team/security-tracker][master] CVE-2018-16646,poppler: Reference bug number

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa5ec653 by Markus Koschany at 2018-09-28T18:33:37Z
CVE-2018-16646,poppler: Reference bug number

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2092,7 +2092,7 @@ CVE-2018-16647 (In Artifex MuPDF 1.13.0, the 
pdf_get_xref_entry function in ...)
[jessie] - mupdf  (Minor issue)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686
 CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc 
may cause ...)
-   - poppler 
+   - poppler  (bug #909802)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951
NOTE: Proposed fix: 
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67
TODO: check, reporter did only report to Red Hat so far, few details



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa5ec653cc1edf05b862de9f4aa1ff1d52e8a2fc


[Git][security-tracker-team/security-tracker][master] CVE-2018-16646,poppler: Link to proposed patch

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c2eb604 by Markus Koschany at 2018-09-28T18:30:20Z
CVE-2018-16646,poppler: Link to proposed patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2092,8 +2092,9 @@ CVE-2018-16647 (In Artifex MuPDF 1.13.0, the 
pdf_get_xref_entry function in ...)
[jessie] - mupdf  (Minor issue)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686
 CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc 
may cause ...)
-   - poppler 
+   - poppler 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951
+   NOTE: Proposed fix: 
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67
TODO: check, reporter did only report to Red Hat so far, few details
 CVE-2018-16645 (There is an excessive memory allocation issue in the functions 
...)
- imagemagick 
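Review bot: the "-   - poppler" / "+   - poppler" pair shows no visible difference, which suggests a whitespace-only change (trailing whitespace, for instance) unrelated to the stated purpose of linking the proposed patch; confirm it is intentional or drop it so the hunk only adds the "NOTE: Proposed fix:" line.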



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2eb60475718d2d6c3b6b0438a204148beecd1e


[Git][security-tracker-team/security-tracker][master] Update CVE-2017-16907 and rearrange the NOTES.

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
30772934 by Markus Koschany at 2018-09-28T18:10:22Z
Update CVE-2017-16907 and rearrange the NOTES.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48277,11 +48277,9 @@ CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, 
there is XSS via the Color
- php-horde  (bug #909739)
NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
NOTE: https://bugs.horde.org/ticket/14857
-   NOTE: 
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230
+   NOTE: php-horde: 
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230
+   NOTE: php-horde-core: 
https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a
- php-horde-core  (bug #909800)
-   NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
-   NOTE: https://bugs.horde.org/ticket/14857
-   NOTE: 
https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a
 CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL 
field in a ...)
- php-horde-kronolith  (bug #909737)
NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/30772934ec44822e39a4839ae2473be356745450


[Git][security-tracker-team/security-tracker][master] CVE-2017-16907 is also in php-horde-core.

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92ee75ea by Markus Koschany at 2018-09-28T17:55:55Z
CVE-2017-16907 is also in php-horde-core.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48278,6 +48278,10 @@ CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, 
there is XSS via the Color
NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
NOTE: https://bugs.horde.org/ticket/14857
NOTE: 
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230
+   - php-horde-core  (bug #909800)
+   NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
+   NOTE: https://bugs.horde.org/ticket/14857
+   NOTE: 
https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a
 CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL 
field in a ...)
- php-horde-kronolith  (bug #909737)
NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
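Review bot: the three NOTE lines added under the new "- php-horde-core  (bug #909800)" entry repeat the blog post and Horde ticket URLs already listed directly above for php-horde; only the Core commit is new, so prefixing the two fix commits with their package name ("NOTE: php-horde: ...", "NOTE: php-horde-core: ...") and keeping a single copy of the shared references would avoid the duplication.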



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/92ee75ea91f3ab1a3c3ed461a418dc1f12d0c9ed


[Git][security-tracker-team/security-tracker][master] look into gnutls again

2018-09-28 Thread Antoine Beaupré
Antoine Beaupré pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
300de2aa by Antoine Beaupré at 2018-09-28T15:53:38Z
look into gnutls again

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,7 +31,7 @@ ghostscript (Markus Koschany)
   NOTE: 20180913: CVE-2018-16543 is still unfixed. Preliminary work is 
available at
   NOTE: 20180913: https://people.debian.org/~apo/lts/. See also the README. 
(apo)
 --
-gnutls28
+gnutls28 (Antoine Beaupre)
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. 
(lamby)
 --
 imagemagick (Roberto C. Sánchez)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/300de2aa37201f87383514792ca497267448112e


[Git][security-tracker-team/security-tracker][master] unclaim xen, credativ will followup

2018-09-28 Thread Antoine Beaupré
Antoine Beaupré pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
15076a25 by Antoine Beaupré at 2018-09-28T15:53:14Z
unclaim xen, credativ will followup

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -79,5 +79,6 @@ symfony (Thorsten Alteholz)
 --
 thunderbird
 --
-xen (Antoine Beaupre)
+xen
+  NOTE: 20180928: credativ will look into this next week (anarcat)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/15076a2549f8bf4965482ede608603f5f2a39c1b


[Git][security-tracker-team/security-tracker][master] CVE-2017-15365,percona-xtrabackup: Jessie is not affected.

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0c74a7b by Markus Koschany at 2018-09-28T13:59:50Z
CVE-2017-15365,percona-xtrabackup: Jessie is not affected.

The vulnerable WSREP code was never introduced to this backup tool.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53201,6 +53201,7 @@ CVE-2017-15365 (sql/event_data_objects.cc in MariaDB 
before 10.1.30 and 10.2.x b
[stretch] - mariadb-10.1  (Minor issue)
- mariadb-10.0 
- percona-xtrabackup 
+   [jessie] - percona-xtrabackup  (vulnerable code not 
present)
- mysql-5.7 
- mysql-5.5  (Vulnerable code not present)
NOTE: MariaDB: Fixed in 10.2.10, 10.1.30
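Review bot: the annotation on the new jessie line is lower-cased ("vulnerable code not present") while the mysql-5.5 line three lines below uses "Vulnerable code not present"; pick one spelling. Also, the commit message says the WSREP code "was never introduced to this backup tool", which would apply to every percona-xtrabackup version rather than only jessie, so the unannotated "- percona-xtrabackup" line above may deserve the same treatment.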



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c0c74a7bf4a9e120ebd4adc2ee7e63c9687071c9


[Git][security-tracker-team/security-tracker][master] Triage monitoring-plugins for Jessie.

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee77dd8b by Markus Koschany at 2018-09-28T13:33:47Z
Triage monitoring-plugins for Jessie.

Mark the remaining issues as no-dsa because the setuid bit is not set by
default.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -170972,16 +170972,19 @@ CVE-2014-4703 (lib/parse_ini.c in Nagios Plugins 
2.0.2 allows local users to obt
NOTE: check_dhcp is not installed with root suid permissions in Debian
NOTE: http://seclists.org/fulldisclosure/2014/Jun/141
- monitoring-plugins  (unimportant)
+   [jessie] - monitoring-plugins  (Minor issue, setuid bit not set 
by default.)
 CVE-2014-4702 (The check_icmp plugin in Nagios Plugins before 2.0.2 allows 
local ...)
- nagios-plugins  (unimportant)
NOTE: http://seclists.org/fulldisclosure/2014/May/74
NOTE: check_imcp is not installed with root suid permissions in Debian
- monitoring-plugins  (unimportant)
+   [jessie] - monitoring-plugins  (Minor issue, setuid bit not set 
by default.)
 CVE-2014-4701 (The check_dhcp plugin in Nagios Plugins before 2.0.2 allows 
local ...)
- nagios-plugins  (unimportant)
NOTE: check_dhcp is not installed with root suid permissions in Debian
NOTE: http://seclists.org/fulldisclosure/2014/May/74
- monitoring-plugins  (unimportant)
+   [jessie] - monitoring-plugins  (Minor issue, setuid bit not set 
by default.)
 CVE-2014-3776 (Buffer overflow in the "read-u8vector!" procedure in 
the srfi-4 unit ...)
- chicken 4.9.0-1 (bug #748904)
[squeeze] - chicken  (Minor issue)
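Review bot: the three new jessie annotations end with a period inside the parentheses ("(Minor issue, setuid bit not set by default.)") unlike every other annotation in the context ("(unimportant)", "(Minor issue)"); drop the trailing period. The unchanged context line for CVE-2014-4702 reads "check_imcp is not installed with root suid permissions", which looks like a typo for check_icmp, the plugin named in the CVE description, and could be fixed while touching this block.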



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee77dd8b9317feb7259c960936e311fb2d441bed


[Git][security-tracker-team/security-tracker][master] CVE-2013-4215,monitoring-plugins: Jessie is not affected.

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ed6e9cf6 by Markus Koschany at 2018-09-28T12:30:10Z
CVE-2013-4215,monitoring-plugins: Jessie is not affected.

There is no define statement that would allow a symlinking attack on /tmp. The
ipxping command does not exist. The contrib plugins were removed in 2013.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -188438,6 +188438,7 @@ CVE-2013-4215 (The IPXPING_COMMAND in 
contrib/check_ipxping.c in Nagios Plugins
- nagios-plugins  (unimportant)
NOTE: vulnerable code present, but check_ipxping is neither built nor 
installed
- monitoring-plugins  (unimportant)
+   [jessie] - monitoring-plugins  (vulnerable code not 
present)
 CVE-2013-4214 (rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when 
...)
- nagios3 3.5.1-1 (low; bug #719056)
[wheezy] - nagios3  (Minor issue)
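Review bot: the rationale in the commit message (no define statement for the /tmp symlink attack, no ipxping command, contrib plugins removed in 2013) is what justifies "(vulnerable code not present)" for monitoring-plugins, but none of it lands in the file; the only NOTE in the block is the nagios-plugins one saying "vulnerable code present, but check_ipxping is neither built nor installed", which states the opposite for the sibling package. Add a NOTE line recording that the contrib plugins were removed from monitoring-plugins in 2013 so the distinction is visible to the next triager.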



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed6e9cf604d922141efcd9d587cf56574b78433d


[Git][security-tracker-team/security-tracker][master] Triage jasperreports for Jessie.

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
593135ab by Markus Koschany at 2018-09-28T11:49:55Z
Triage jasperreports for Jessie.

Ignore open issues. No detailed information was publicly disclosed.
Jasperreports is mainly used as a build-dependency for Spring.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54682,6 +54682,7 @@ CVE-2017-14942 (Intelbras WRN 150 devices allow remote 
attackers to read the ...
NOT-FOR-US: Intelbras WRN 150 devices
 CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential 
disclosure ...)
- jasperreports  (bug #880467; bug #884131)
+   [jessie] - jasperreports  (no detailed information available, 
only needed as build-dependency for Spring)
[wheezy] - jasperreports  (cannot be supported due to lack 
of information)
NOTE: 
https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941
 CVE-2017-14940 (scan_unit_for_symbols in dwarf2.c in the Binary File 
Descriptor (BFD) ...)
@@ -83827,10 +83828,12 @@ CVE-2017-5534 (The tibbr user profiles components of 
tibbr Community, and tibbr
NOT-FOR-US: tibbr
 CVE-2017-5533 (A vulnerability in the server content cache of TIBCO 
JasperReports ...)
- jasperreports  (bug #884131)
+   [jessie] - jasperreports  (no detailed information available, 
only needed as build-dependency for Spring)
[wheezy] - jasperreports  (cannot be supported due to lack 
of information)
NOTE: 
http://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-server-2017
 CVE-2017-5532 (A vulnerability in the report renderer component of TIBCO ...)
- jasperreports  (bug #884131)
+   [jessie] - jasperreports  (no detailed information available, 
only needed as build-dependency for Spring)
[wheezy] - jasperreports  (cannot be supported due to lack 
of information)
NOTE: 
https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532
 CVE-2017-5531 (Deployments of TIBCO Managed File Transfer Command Center 
versions ...)
@@ -83839,10 +83842,12 @@ CVE-2017-5530 (The tibbr web server components of 
tibbr Community, and tibbr ...
NOT-FOR-US: tibbr
 CVE-2017-5529 (JasperReports library components contain an information 
disclosure ...)
- jasperreports  (bug #880467)
+   [jessie] - jasperreports  (no detailed information available, 
only needed as build-dependency for Spring)
[wheezy] - jasperreports  (cannot be supported due to lack 
of information)
NOTE: 
https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0
 CVE-2017-5528 (Multiple JasperReports Server components contain 
vulnerabilities ...)
- jasperreports  (bug #880467)
+   [jessie] - jasperreports  (no detailed information available, 
only needed as build-dependency for Spring)
[wheezy] - jasperreports  (cannot be supported due to lack 
of information)
NOTE: 
https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017
 CVE-2017-5527 (TIBCO Spotfire Server 7.0.X before 7.0.2, 7.5.x before 7.5.1, 
7.6.x ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/593135ab051af44ec4652acf806ddbc4e44b8893


[Git][security-tracker-team/security-tracker][master] Triage binutils for Jessie.

2018-09-28 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac6657cb by Markus Koschany at 2018-09-28T11:36:58Z
Triage binutils for Jessie.

Follow Stretch. Mark CVE-2018-17358, CVE-2018-17359 and CVE-2018-17360
as ignored.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -455,16 +455,19 @@ CVE-2018-17361 (Multiple XSS vulnerabilities in WeaselCMS 
v0.3.6 allow remote at
 CVE-2018-17360 (An issue was discovered in the Binary File Descriptor (BFD) 
library ...)
- binutils 
[stretch] - binutils  (Minor issue)
+   [jessie] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23685
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d
 CVE-2018-17359 (An issue was discovered in the Binary File Descriptor (BFD) 
library ...)
- binutils 
[stretch] - binutils  (Minor issue)
+   [jessie] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102
 CVE-2018-17358 (An issue was discovered in the Binary File Descriptor (BFD) 
library ...)
- binutils 
[stretch] - binutils  (Minor issue)
+   [jessie] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102
 CVE-2018-17357
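Review bot: the context lines for CVE-2018-17359 and CVE-2018-17358 cite the same bugzilla entry (23686) and the same fix commit (30838132997e6a3cfe3ec11c58b32b22f6f6b102), whereas CVE-2018-17360 has its own (23685, cf93e9c2cf8f8b2566f8fc86e961592b51b5980d); before marking both as Minor issue for jessie it is worth confirming that the shared reference is correct and not a copy-paste leftover, since a wrong bug reference undermines the "follow stretch" reasoning.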



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac6657cb57a7ffae4bb5e09ae4aad5f4a03938cf


[Git][security-tracker-team/security-tracker][master] automatic update

2018-09-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c94f6429 by security tracker role at 2018-09-28T08:10:16Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,43 @@
+CVE-2018-17586
+   RESERVED
+CVE-2018-17585
+   RESERVED
+CVE-2018-17584
+   RESERVED
+CVE-2018-17583
+   RESERVED
+CVE-2018-17582
+   RESERVED
+CVE-2018-17581
+   RESERVED
+CVE-2018-17580
+   RESERVED
+CVE-2018-17579
+   RESERVED
+CVE-2018-17578
+   RESERVED
+CVE-2018-17577
+   RESERVED
+CVE-2018-17576
+   RESERVED
+CVE-2018-17575
+   RESERVED
+CVE-2018-17574
+   RESERVED
+CVE-2018-17573 (The Wp-Insert plugin through 2.4.2 for WordPress allows upload 
of ...)
+   TODO: check
+CVE-2018-17572
+   RESERVED
+CVE-2018-17571 (Vanilla before 2.6.3 allows XSS via the email field of a 
profile. ...)
+   TODO: check
 CVE-2018-17570 (utils/ut_ws_svr.c in ViaBTC Exchange Server before 2018-08-21 
has an ...)
NOT-FOR-US: ViaBTC Exchange Server
 CVE-2018-17569 (network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 
has an ...)
NOT-FOR-US: ViaBTC Exchange Server
 CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has 
an ...)
NOT-FOR-US: ViaBTC Exchange Server
-CVE-2018-17567
-   RESERVED
+CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 
3.8.3 ...)
+   TODO: check
 CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for 
SQL ...)
TODO: check
 CVE-2018-17565
@@ -346,20 +378,20 @@ CVE-2018-17399
RESERVED
 CVE-2018-17398
RESERVED
-CVE-2018-17397
-   RESERVED
+CVE-2018-17397 (SQL Injection exists in the AlphaIndex Dictionaries 1.0 
component for ...)
+   TODO: check
 CVE-2018-17396
RESERVED
 CVE-2018-17395
RESERVED
-CVE-2018-17394
-   RESERVED
+CVE-2018-17394 (SQL Injection exists in the Timetable Schedule 3.6.8 component 
for ...)
+   TODO: check
 CVE-2018-17393
RESERVED
 CVE-2018-17392
RESERVED
-CVE-2018-17391
-   RESERVED
+CVE-2018-17391 (SQL Injection exists in authors_post.php in Super Cms Blog Pro 
1.0 via ...)
+   TODO: check
 CVE-2018-17390
RESERVED
 CVE-2018-17389
@@ -370,28 +402,28 @@ CVE-2018-17387
RESERVED
 CVE-2018-17386
RESERVED
-CVE-2018-17385
-   RESERVED
-CVE-2018-17384
-   RESERVED
-CVE-2018-17383
-   RESERVED
-CVE-2018-17382
-   RESERVED
+CVE-2018-17385 (SQL Injection exists in the Social Factory 3.8.3 component for 
Joomla! ...)
+   TODO: check
+CVE-2018-17384 (SQL Injection exists in the Swap Factory 2.2.1 component for 
Joomla! ...)
+   TODO: check
+CVE-2018-17383 (SQL Injection exists in the Collection Factory 4.1.9 component 
for ...)
+   TODO: check
+CVE-2018-17382 (SQL Injection exists in the Jobs Factory 2.0.4 component for 
Joomla! ...)
+   TODO: check
 CVE-2018-17381
RESERVED
-CVE-2018-17380
-   RESERVED
-CVE-2018-17379
-   RESERVED
-CVE-2018-17378
-   RESERVED
-CVE-2018-17377
-   RESERVED
-CVE-2018-17376
-   RESERVED
-CVE-2018-17375
-   RESERVED
+CVE-2018-17380 (SQL Injection exists in the Article Factory Manager 4.3.9 
component ...)
+   TODO: check
+CVE-2018-17379 (SQL Injection exists in the Raffle Factory 3.5.2 component for 
Joomla! ...)
+   TODO: check
+CVE-2018-17378 (SQL Injection exists in the Penny Auction Factory 2.0.4 
component for ...)
+   TODO: check
+CVE-2018-17377 (SQL Injection exists in the Questions 1.4.3 component for 
Joomla! via ...)
+   TODO: check
+CVE-2018-17376 (SQL Injection exists in the Reverse Auction Factory 4.3.8 
component ...)
+   TODO: check
+CVE-2018-17375 (SQL Injection exists in the Music Collection 3.0.3 component 
for ...)
+   TODO: check
 CVE-2018-17374
RESERVED
 CVE-2018-17373
@@ -888,7 +920,7 @@ CVE-2018-17155
 CVE-2018-17154
RESERVED
 CVE-2018-1000802 (Python Software Foundation Python (CPython) version 2.7 
contains a ...)
-   {DLA-1520-1 DLA-1519-1}
+   {DSA-4306-1 DLA-1520-1 DLA-1519-1}
- python3.7  (Fixed before initial upload)
- python3.6  (Fixed before initial upload)
- python3.5  (Fixed before initial upload)
@@ -1138,10 +1170,10 @@ CVE-2018-17057 (An issue was discovered in TCPDF before 
6.2.22. Attackers can tr
NOTE: 
https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e
NOTE: Was considered minor for jessie since arbitrary deserialization
NOTE: is still possible using http and https.
-CVE-2018-17056
-   RESERVED
-CVE-2018-17055
-   RESERVED
+CVE-2018-17056 (Cross-site scripting (XSS) vulnerability in ServiceStack in 
Progress ...)
+   TODO: check
+CVE-2018-17055 (An arbitrary file upload vulnerability in Progress Sitefinity 
CMS