[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17075/golang-golang-x-net-dev
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eaa73ae8 by Salvatore Bonaccorso at 2018-09-29T06:45:27Z Add CVE-2018-17075/golang-golang-x-net-dev - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1487,7 +1487,11 @@ CVE-2018-17076 (GPP through 2.25 will try to use more memory space than is avail [jessie] - gpp (Minor issue) NOTE: https://github.com/logological/gpp/issues/26 CVE-2018-17075 (The html package (aka x/net/html) before 2018-07-13 in Go mishandles ...) - TODO: check + - golang-golang-x-net-dev (Vulnerable code introduced later) + - golang-go.net-dev (Vulnerable code introduced later) + NOTE: https://github.com/golang/go/issues/27016 + NOTE: Fixed by: https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50 + NOTE: Introduced in: https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622 CVE-2018-17074 (The Feed Statistics plugin before 4.0 for WordPress has an Open ...) NOT-FOR-US: Feed Statistics plugin for WordPress CVE-2018-17073 (wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eaa73ae89deaab6d46a8280a92038205c60cdc2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eaa73ae89deaab6d46a8280a92038205c60cdc2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-14650 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a4a9e35 by Salvatore Bonaccorso at 2018-09-29T06:31:45Z Mark CVE-2018-14650 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7262,7 +7262,7 @@ CVE-2018-14652 CVE-2018-14651 RESERVED CVE-2018-14650 (It was discovered that sos-collector does not properly set the default ...) - TODO: check + NOT-FOR-US: sos-collector (not same as sosreport itself, additional tool to sosreport) CVE-2018-14649 RESERVED NOT-FOR-US: ceph-iscsi-cli View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a4a9e35c829ad8e02fb073d3004c8ab8efacd96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a4a9e35c829ad8e02fb073d3004c8ab8efacd96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add proposed stretch-pu fixes for CVE-2018-80{19,20}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2304445 by Salvatore Bonaccorso at 2018-09-28T22:11:14Z Add proposed stretch-pu fixes for CVE-2018-80{19,20} - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -54,3 +54,7 @@ CVE-2018-1000637 [stretch] - zutils 1.5-5+deb9u1 CVE-2018-1000632 [stretch] - dom4j 1.6.1+dfsg.3-2+deb9u1 +CVE-2018-8019 + [stretch] - tomcat-native 1.2.12-2+deb9u2 +CVE-2018-8020 + [stretch] - tomcat-native 1.2.12-2+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2304445d0652d7539011b391363965d3d1a83da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2304445d0652d7539011b391363965d3d1a83da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3955652e by Salvatore Bonaccorso at 2018-09-28T22:08:43Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -305,15 +305,15 @@ CVE-2018-17613 (Telegram Desktop (aka tdesktop) 1.3.16 alpha, when "Use pro CVE-2018-17612 RESERVED CVE-2018-17611 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) - TODO: check + NOT-FOR-US: Foxit CVE-2018-17610 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) - TODO: check + NOT-FOR-US: Foxit CVE-2018-17609 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) - TODO: check + NOT-FOR-US: Foxit CVE-2018-17608 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) - TODO: check + NOT-FOR-US: Foxit CVE-2018-17607 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) - TODO: check + NOT-FOR-US: Foxit CVE-2018-17606 RESERVED CVE-2018-17605 (An issue was discovered in the Asset Pipeline plugin before 3.0.4 for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3955652e8cf6114eecc965181ae486da76467c39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3955652e8cf6114eecc965181ae486da76467c39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Clarify status for CVE-2014-470{1,3}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2beca2f by Salvatore Bonaccorso at 2018-09-28T21:20:22Z Clarify status for CVE-2014-470{1,3} - - - - - dfd15f50 by Salvatore Bonaccorso at 2018-09-28T21:33:10Z Update status for CVE-2014-470{1,2,3}/monitoring-plugins The issues were fixed differently in the monitoring-plugins codebase. Upstream of monitoring-plugins did in the fix decide to drop privileges before reading the file. This was addressed in https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c which is included in the initial upload of monitoring-plugins for Debian. As such CVE-2014-4703 as well (as being a CVE for an incomplete fix specifically for nagios-plugins) does not affect monitoring-plugins. As a note for people wanting to backport the fixes for nagios-plugins itself for older versions: For nagios-plugins specifically the fix could be extracted by the diff of the tarballs for 2.0.1 to 2.0.2 for CVE-2014-470{1,2} limiting to lib/parse_ini.c and for CVE-2014-4703 for the changes in lib/parse_ini.c between 2.0.2 and 2.0.3. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -171326,23 +171326,26 @@ CVE-2014-3771 (TeamPass before 2.1.20 allows remote attackers to bypass access . - teampass (bug #730180) NOTE: https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f CVE-2014-4703 (lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain ...) - - nagios-plugins (unimportant) + - nagios-plugins (incomplete fix for CVE-2014-4701 not applied) NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/Jun/141 - - monitoring-plugins (unimportant) - [jessie] - monitoring-plugins (Minor issue, setuid bit not set by default.) + NOTE: Introduced due to incomplete fix for CVE-2014-4701 in 2.0.2. + - monitoring-plugins (Vulnerable code not present, fix for CVE-2014-4701 adressed differently directly by dropping privileges) CVE-2014-4702 (The check_icmp plugin in Nagios Plugins before 2.0.2 allows local ...) - nagios-plugins (unimportant) NOTE: http://seclists.org/fulldisclosure/2014/May/74 + NOTE: Fixed in nagios-plugins 2.0.2 NOTE: check_imcp is not installed with root suid permissions in Debian - - monitoring-plugins (unimportant) - [jessie] - monitoring-plugins (Minor issue, setuid bit not set by default.) + - monitoring-plugins (Fixed with initial upload to Debian) + NOTE: https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c CVE-2014-4701 (The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local ...) - nagios-plugins (unimportant) NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/May/74 - - monitoring-plugins (unimportant) - [jessie] - monitoring-plugins (Minor issue, setuid bit not set by default.) + NOTE: fixed in nagios-plugins 2.0.2 (but needs to be made complete to not open + NOTE: CVE-2014-4703) and thus include the fix from 2.0.3 upstream. 
+ - monitoring-plugins (Fixed with initial upload to Debian) + NOTE: https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c CVE-2014-3776 (Buffer overflow in the "read-u8vector!" procedure in the srfi-4 unit ...) - chicken 4.9.0-1 (bug #748904) [squeeze] - chicken (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/98d59a660ba6d503e25159cc7765c9547a7a7f4d...dfd15f500c45dcb9546b32e6f62bfd73fd9bc27f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/98d59a660ba6d503e25159cc7765c9547a7a7f4d...dfd15f500c45dcb9546b32e6f62bfd73fd9bc27f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
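Review bot: the rewritten nagios-plugins line under CVE-2014-4703 drops the `unimportant` severity the old line carried, while the kept NOTE ("check_dhcp is not installed with root suid permissions in Debian") and the sibling CVE-2014-4701 entry for the same package still justify it; consider `- nagios-plugins (unimportant; incomplete fix for CVE-2014-4701 not applied)`, using the same `severity; comment` form the file uses elsewhere, so the severity survives the clarification. Two spellings in this hunk also need fixing: "adressed" in the added monitoring-plugins line under CVE-2014-4703 should be "addressed", and the unchanged context NOTE "check_imcp" under CVE-2014-4702 should read "check_icmp" while the entry is being touched.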
[Git][security-tracker-team/security-tracker][master] udisks2 fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 98d59a66 by Moritz Muehlenhoff at 2018-09-28T21:05:30Z udisks2 fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -869,7 +869,7 @@ CVE-2018-17338 (An issue has been found in pdfalto through 0.2. It is a heap-bas CVE-2018-17337 RESERVED CVE-2018-17336 (UDisks 2.8.0 has a format string vulnerability in udisks_log in ...) - - udisks2 (bug #909607) + - udisks2 2.8.1-1 (bug #909607) [stretch] - udisks2 (Vulnerable code introduced later) [jessie] - udisks2 (Vulnerable code introduced later) NOTE: https://github.com/storaged-project/udisks/issues/578 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98d59a660ba6d503e25159cc7765c9547a7a7f4d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98d59a660ba6d503e25159cc7765c9547a7a7f4d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Update status for CVE-2013-4215/monitoring-plugins
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9376c9ac by Salvatore Bonaccorso at 2018-09-28T20:58:16Z Update status for CVE-2013-4215/monitoring-plugins The contrib/check_ipxping source was removed in upstream release 1.5 (that is before the src:nagios-plugins -> src:monitoring-plugins move) and the src:monitoring-plugins move never contained an affected version in consequence before the initial upload to Debian. Merge thus as well the jessie status in the entry as it is the same for all suites now. - - - - - f609be7e by Salvatore Bonaccorso at 2018-09-28T20:58:16Z Track fixed version for CVE-2013-4215/nagios-plugins 1.4.16+git20130902-1 upload to unstable removed contrib/check_ipxping.c, thus fixing the issue for the source package in Debian. - - - - - 119e5b06 by Salvatore Bonaccorso at 2018-09-28T20:58:59Z Remove no-dsa tag for CVE-2017-9868 as fix included in DLA - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -68433,7 +68433,6 @@ CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence fi {DLA-1146-1} - mosquitto 1.4.14-1 (bug #865959) [stretch] - mosquitto 1.4.10-3+deb9u1 - [jessie] - mosquitto (Minor issue) NOTE: https://github.com/eclipse/mosquitto/issues/468 NOTE: https://github.com/eclipse/mosquitto/commit/09cb1b61c8f48284d9c42bd911faa7525cc689c7 CVE-2017-9867 
@@ -188797,10 +188796,11 @@ CVE-2013-4217 (The OSAL_Crypt_SetEncryptedPassword function in ...) CVE-2013-4216 (The Trace_OpenLogFile function in ...) - wimax-tools (bug #627975) CVE-2013-4215 (The IPXPING_COMMAND in contrib/check_ipxping.c in Nagios Plugins ...) - - nagios-plugins (unimportant) + - nagios-plugins 1.4.16+git20130902-1 (unimportant) NOTE: vulnerable code present, but check_ipxping is neither built nor installed - - monitoring-plugins (unimportant) - [jessie] - monitoring-plugins (vulnerable code not present) + - monitoring-plugins (Fixed before initial upload to Debian) + NOTE: contrib/check_ipxping removed from src:monitoring-pluging before the + NOTE: initial upload to Debian after the source package rename. CVE-2013-4214 (rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when ...) - nagios3 3.5.1-1 (low; bug #719056) [wheezy] - nagios3 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/854124a607ab4c09c8bb576f7f0adc72cfbd53bd...119e5b068476ac0dd1850e2c0938fde14464f414 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/854124a607ab4c09c8bb576f7f0adc72cfbd53bd...119e5b068476ac0dd1850e2c0938fde14464f414 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
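Review bot: the new wrapped NOTE under CVE-2013-4215 misspells the source package as `src:monitoring-pluging`; it should read `src:monitoring-plugins`, matching the package line directly above it and the commit message.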
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1525-1 for mosquitto
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 854124a6 by Thorsten Alteholz at 2018-09-28T20:50:53Z Reserve DLA-1525-1 for mosquitto - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Sep 2018] DLA-1525-1 mosquitto - security update + {CVE-2017-7653 CVE-2017-7654 CVE-2017-9868} + [jessie] - mosquitto 1.3.4-2+deb8u3 [27 Sep 2018] DLA-1524-1 libxml2 - security update {CVE-2017-18258 CVE-2018-14404 CVE-2018-14567} [jessie] - libxml2 2.9.1+dfsg1-5+deb8u7 = data/dla-needed.txt = @@ -49,8 +49,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -mosquitto (Thorsten Alteholz) --- mysql-5.5 (Emilio Pozuelo) -- openjdk-7 (Emilio Pozuelo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/854124a607ab4c09c8bb576f7f0adc72cfbd53bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/854124a607ab4c09c8bb576f7f0adc72cfbd53bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Small round of NFU processing
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1894e665 by Salvatore Bonaccorso at 2018-09-28T20:23:27Z Small round of NFU processing - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42510,7 +42510,7 @@ CVE-2018-1822 CVE-2018-1821 RESERVED CVE-2018-1820 (IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-1819 RESERVED CVE-2018-1818 @@ -42678,7 +42678,7 @@ CVE-2018-1738 CVE-2018-1737 RESERVED CVE-2018-1736 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could allow a remote ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-1735 RESERVED CVE-2018-1734 @@ -42718,7 +42718,7 @@ CVE-2018-1718 (IBM Sterling B2B Integrator Standard Edition 5.2.0.1 - 5.2.6.3 is CVE-2018-1717 RESERVED CVE-2018-1716 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-1715 (IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to ...) NOT-FOR-US: IBM CVE-2018-1714 @@ -42830,7 +42830,7 @@ CVE-2018-1662 CVE-2018-1661 RESERVED CVE-2018-1660 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-1659 (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 ...) NOT-FOR-US: IBM CVE-2018-1658 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1894e665d1fa8b488a0d54a8e4fe80b6be99a582 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1894e665d1fa8b488a0d54a8e4fe80b6be99a582 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64953563 by security tracker role at 2018-09-28T20:10:38Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
[Git][security-tracker-team/security-tracker][master] CVE-2014-7850/freeipa addressed back in 4.3.1-1 upload to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63993ab0 by Salvatore Bonaccorso at 2018-09-28T19:59:05Z CVE-2014-7850/freeipa addressed back in 4.3.1-1 upload to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -160151,7 +160151,7 @@ CVE-2014-7852 (Cross-site scripting (XSS) vulnerability in JBoss RichFaces, as u CVE-2014-7851 (oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session ...) NOT-FOR-US: ovirt-engine-webadmin CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x ...) - - freeipa (unimportant) + - freeipa 4.3.1-1 (unimportant) NOTE: https://fedorahosted.org/freeipa/ticket/4742 NOTE: Upstream commit: https://pagure.io/freeipa/c/af9fd4dfe2c18e52127480c959c35ad37b566095 CVE-2014-7849 (The Role Based Access Control (RBAC) implementation in JBoss ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/63993ab0f7c111d8ac54014aa3efdd541719a0ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/63993ab0f7c111d8ac54014aa3efdd541719a0ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update commit reference for CVE-2014-7850/freeipa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d69e1e00 by Salvatore Bonaccorso at 2018-09-28T19:52:49Z Update commit reference for CVE-2014-7850/freeipa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -160153,7 +160153,7 @@ CVE-2014-7851 (oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x ...) - freeipa (unimportant) NOTE: https://fedorahosted.org/freeipa/ticket/4742 - NOTE: Upstream commit: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=af9fd4dfe2c18e52127480c959c35ad37b566095 + NOTE: Upstream commit: https://pagure.io/freeipa/c/af9fd4dfe2c18e52127480c959c35ad37b566095 CVE-2014-7849 (The Role Based Access Control (RBAC) implementation in JBoss ...) NOT-FOR-US: JBoss AS/WildFly Domain Management CVE-2014-7848 (lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d69e1e003b4718b63828c17b01a3c52e875a47c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d69e1e003b4718b63828c17b01a3c52e875a47c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] python3.5 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 72ed4d61 by Moritz Muehlenhoff at 2018-09-28T19:13:36Z python3.5 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[28 Sep 2018] DSA-4307-1 python3.5 - security update + {CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647} + [stretch] - python3.5 3.5.3-1+deb9u1 [27 Sep 2018] DSA-4306-1 python2.7 - security update {CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802} [stretch] - python2.7 2.7.13-2+deb9u3 = data/dsa-needed.txt = @@ -66,8 +66,6 @@ passenger php7.0 wait until more severe issues have come up -- -python3.5 (jmm) --- smarty3 -- spamassassin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/72ed4d617a3f2ac453016f4de39d1078fc9af762 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/72ed4d617a3f2ac453016f4de39d1078fc9af762 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove todo item for one issue which was reported upstream
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 049837c1 by Salvatore Bonaccorso at 2018-09-28T19:06:23Z Remove todo item for one issue which was reported upstream - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2096,7 +2096,6 @@ CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc ma [stretch] - poppler (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951 NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67 - TODO: check, reporter did only report to Red Hat so far, few details CVE-2018-16645 (There is an excessive memory allocation issue in the functions ...) - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/commit/ecb31dbad39ccdc65868d5d2a37f0f0521250832 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/049837c125e933683673566f611652249d907faa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/049837c125e933683673566f611652249d907faa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Rearrange notes for CVE-2017-16907 below source package listings
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b28bb64c by Salvatore Bonaccorso at 2018-09-28T19:02:20Z Rearrange notes for CVE-2017-16907 below source package listings - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48277,11 +48277,11 @@ CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field durin NOTE: https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field ...) - php-horde (bug #909739) + - php-horde-core (bug #909800) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: php-horde: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 NOTE: php-horde-core: https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a - - php-horde-core (bug #909800) CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a ...) - php-horde-kronolith (bug #909737) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b28bb64c261d3bce09859cd33838df8e4de04d0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b28bb64c261d3bce09859cd33838df8e4de04d0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] poppler no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d5a3b9fd by Moritz Muehlenhoff at 2018-09-28T18:47:33Z poppler no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2092,7 +2092,8 @@ CVE-2018-16647 (In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in ...) [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686 CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause ...) - - poppler (bug #909802) + - poppler (low; bug #909802) + [stretch] - poppler (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951 NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67 TODO: check, reporter did only report to Red Hat so far, few details View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5a3b9fdc579aba7d95b11f77909e16c2209f46a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5a3b9fdc579aba7d95b11f77909e16c2209f46a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add poppler to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c1c887c by Markus Koschany at 2018-09-28T18:36:08Z Add poppler to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,6 +61,10 @@ openjpeg2 (Hugo Lefeuvre) phpldapadmin (Mike Gabriel) NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done -- +poppler + NOTE: 20180928: Consider fixing no-dsa/ignored bugs as well since this is + NOTE: frequently used package. +-- salt NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be NOTE: 20180921: compromised first. But the security escalation effect can cause View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c1c887cae95f34842f3d057da0991d7644fad17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c1c887cae95f34842f3d057da0991d7644fad17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-16646,poppler: Reference bug number
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: aa5ec653 by Markus Koschany at 2018-09-28T18:33:37Z CVE-2018-16646,poppler: Reference bug number - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2092,7 +2092,7 @@ CVE-2018-16647 (In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in ...) [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686 CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause ...) - - poppler + - poppler (bug #909802) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951 NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67 TODO: check, reporter did only report to Red Hat so far, few details View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa5ec653cc1edf05b862de9f4aa1ff1d52e8a2fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa5ec653cc1edf05b862de9f4aa1ff1d52e8a2fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-16646,poppler: Link to proposed patch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c2eb604 by Markus Koschany at 2018-09-28T18:30:20Z CVE-2018-16646,poppler: Link to proposed patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2092,8 +2092,9 @@ CVE-2018-16647 (In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in ...) [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686 CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause ...) - - poppler + - poppler NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951 + NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67 TODO: check, reporter did only report to Red Hat so far, few details CVE-2018-16645 (There is an excessive memory allocation issue in the functions ...) - imagemagick View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2eb60475718d2d6c3b6b0438a204148beecd1e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2eb60475718d2d6c3b6b0438a204148beecd1e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
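Review bot: the `- - poppler` / `+ - poppler` pair in the middle of the hunk removes and re-adds a line with identical visible text, which means a whitespace-only change (tab versus spaces or trailing whitespace); confirm it is intended, and if not, drop it so the hunk only adds the `NOTE: Proposed fix:` line.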
[Git][security-tracker-team/security-tracker][master] Update CVE-2017-16907 and rearrange the NOTES.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 30772934 by Markus Koschany at 2018-09-28T18:10:22Z Update CVE-2017-16907 and rearrange the NOTES. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48277,11 +48277,9 @@ CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color - php-horde (bug #909739) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 - NOTE: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 + NOTE: php-horde: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 + NOTE: php-horde-core: https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a - php-horde-core (bug #909800) - NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html - NOTE: https://bugs.horde.org/ticket/14857 - NOTE: https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a ...) - php-horde-kronolith (bug #909737) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30772934ec44822e39a4839ae2473be356745450 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30772934ec44822e39a4839ae2473be356745450 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
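Review bot: after this rearrangement the kept `- php-horde-core (bug #909800)` package line ends up below the NOTE block, whereas the surrounding entries list package lines first and NOTEs after; move it up next to `- php-horde (bug #909739)` so both affected packages appear together before the commit links. Prefixing the commit NOTEs with the package name (`NOTE: php-horde:`, `NOTE: php-horde-core:`) is the right way to disambiguate, since NOTE lines belong to the whole CVE entry rather than to one package line.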
[Git][security-tracker-team/security-tracker][master] CVE-2017-16907 is also in php-horde-core.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 92ee75ea by Markus Koschany at 2018-09-28T17:55:55Z CVE-2017-16907 is also in php-horde-core. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48278,6 +48278,10 @@ CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 + - php-horde-core (bug #909800) + NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html + NOTE: https://bugs.horde.org/ticket/14857 + NOTE: https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a ...) - php-horde-kronolith (bug #909737) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92ee75ea91f3ab1a3c3ed461a418dc1f12d0c9ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92ee75ea91f3ab1a3c3ed461a418dc1f12d0c9ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
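Review bot: the three NOTE lines added under `- php-horde-core (bug #909800)` repeat the code610 blog post and Horde ticket links that already sit under `- php-horde (bug #909739)` in the same CVE entry; NOTE lines apply to the CVE, not to the package line above them, so only the horde/Core commit link is new information and the duplicates can go, with the two commit NOTEs prefixed by package name to tell them apart.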
[Git][security-tracker-team/security-tracker][master] look into gnutls again
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 300de2aa by Antoine Beaupré at 2018-09-28T15:53:38Z look into gnutls again - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,7 +31,7 @@ ghostscript (Markus Koschany) NOTE: 20180913: CVE-2018-16543 is still unfixed. Preliminary work is available at NOTE: 20180913: https://people.debian.org/~apo/lts/. See also the README. (apo) -- -gnutls28 +gnutls28 (Antoine Beaupre) NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (lamby) -- imagemagick (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/300de2aa37201f87383514792ca497267448112e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/300de2aa37201f87383514792ca497267448112e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] unclaim xen, credativ will followup
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 15076a25 by Antoine Beaupré at 2018-09-28T15:53:14Z unclaim xen, credativ will followup - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,5 +79,6 @@ symfony (Thorsten Alteholz) -- thunderbird -- -xen (Antoine Beaupre) +xen + NOTE: 20180928: credativ will look into this next week (anarcat) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15076a2549f8bf4965482ede608603f5f2a39c1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15076a2549f8bf4965482ede608603f5f2a39c1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2017-15365,percona-xtrabackup: Jessie is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c0c74a7b by Markus Koschany at 2018-09-28T13:59:50Z CVE-2017-15365,percona-xtrabackup: Jessie is not affected. The vulnerable WSREP code was never introduced to this backup tool. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53201,6 +53201,7 @@ CVE-2017-15365 (sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x b [stretch] - mariadb-10.1 (Minor issue) - mariadb-10.0 - percona-xtrabackup + [jessie] - percona-xtrabackup (vulnerable code not present) - mysql-5.7 - mysql-5.5 (Vulnerable code not present) NOTE: MariaDB: Fixed in 10.2.10, 10.1.30 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c0c74a7bf4a9e120ebd4adc2ee7e63c9687071c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c0c74a7bf4a9e120ebd4adc2ee7e63c9687071c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
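Review bot: the commit message says the vulnerable WSREP code was never introduced into this backup tool, but the hunk only adds `[jessie] - percona-xtrabackup (vulnerable code not present)` and leaves the unqualified `- percona-xtrabackup` line, so stretch and unstable remain marked as affected; if the code is absent in every version, `- percona-xtrabackup <not-affected> (Vulnerable code not present)` is the accurate state, and if the claim is deliberately limited to jessie, a NOTE explaining why stretch differs would save the next triager a look. Also `- mysql-5.5 (Vulnerable code not present)` two lines down capitalises the reason; pick one spelling.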
[Git][security-tracker-team/security-tracker][master] Triage monitoring-plugins for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ee77dd8b by Markus Koschany at 2018-09-28T13:33:47Z Triage monitoring-plugins for Jessie. Mark the remaining issues as no-dsa because the setuid bit is not set by default. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -170972,16 +170972,19 @@ CVE-2014-4703 (lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obt NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/Jun/141 - monitoring-plugins (unimportant) + [jessie] - monitoring-plugins (Minor issue, setuid bit not set by default.) CVE-2014-4702 (The check_icmp plugin in Nagios Plugins before 2.0.2 allows local ...) - nagios-plugins (unimportant) NOTE: http://seclists.org/fulldisclosure/2014/May/74 NOTE: check_imcp is not installed with root suid permissions in Debian - monitoring-plugins (unimportant) + [jessie] - monitoring-plugins (Minor issue, setuid bit not set by default.) CVE-2014-4701 (The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local ...) - nagios-plugins (unimportant) NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/May/74 - monitoring-plugins (unimportant) + [jessie] - monitoring-plugins (Minor issue, setuid bit not set by default.) CVE-2014-3776 (Buffer overflow in the "read-u8vector!" procedure in the srfi-4 unit ...) - chicken 4.9.0-1 (bug #748904) [squeeze] - chicken (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee77dd8b9317feb7259c960936e311fb2d441bed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee77dd8b9317feb7259c960936e311fb2d441bed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
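Review bot: the three added `[jessie] - monitoring-plugins (Minor issue, setuid bit not set by default.)` lines end the parenthetical with a period, which no other tag in the hunk does (`[squeeze] - chicken (Minor issue)`), and the rationale is already recorded in the existing NOTE lines (`check_dhcp is not installed with root suid permissions in Debian`), so `(Minor issue)` alone would match the rest of the file. Unrelated but visible in the context: `check_imcp` in the NOTE under CVE-2014-4702 is a typo for check_icmp.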
[Git][security-tracker-team/security-tracker][master] CVE-2013-4215,monitoring-plugins: Jessie is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ed6e9cf6 by Markus Koschany at 2018-09-28T12:30:10Z CVE-2013-4215,monitoring-plugins: Jessie is not affected. There is no define statement that would allow a symlinking attack on /tmp. The ipxping command does not exist. The contrib plugins were removed in 2013. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -188438,6 +188438,7 @@ CVE-2013-4215 (The IPXPING_COMMAND in contrib/check_ipxping.c in Nagios Plugins - nagios-plugins (unimportant) NOTE: vulnerable code present, but check_ipxping is neither built nor installed - monitoring-plugins (unimportant) + [jessie] - monitoring-plugins (vulnerable code not present) CVE-2013-4214 (rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when ...) - nagios3 3.5.1-1 (low; bug #719056) [wheezy] - nagios3 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed6e9cf604d922141efcd9d587cf56574b78433d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed6e9cf604d922141efcd9d587cf56574b78433d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
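Review bot: the reasoning in the commit message (no IPXPING_COMMAND define, the ipxping command does not exist, contrib plugins removed in 2013) is not recorded in the data file; the only NOTE in the hunk, `vulnerable code present, but check_ipxping is neither built nor installed`, is about nagios-plugins and says the opposite about code presence. Add a NOTE under `- monitoring-plugins (unimportant)` stating that the contrib plugins were dropped in 2013, so the `(vulnerable code not present)` tag can be verified without digging through git history.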
[Git][security-tracker-team/security-tracker][master] Triage jasperreports for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 593135ab by Markus Koschany at 2018-09-28T11:49:55Z Triage jasperreports for Jessie. Ignore open issues. No detailed information were publicly disclosed. Jasperreports is mainly used as a build-dependency for Spring. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54682,6 +54682,7 @@ CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the ... NOT-FOR-US: Intelbras WRN 150 devices CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure ...) - jasperreports (bug #880467; bug #884131) + [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941 CVE-2017-14940 (scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) ...) 
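Review bot: the commit message says the open issues are ignored, but the added `[jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring)` line carries no `<ignored>` tag, so the tracker will treat it as no-dsa rather than ignored; the same applies to the matching lines in the two hunks below. If ignored is the intended state, write `[jessie] - jasperreports <ignored> (reason)`.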
@@ -83827,10 +83828,12 @@ CVE-2017-5534 (The tibbr user profiles components of tibbr Community, and tibbr NOT-FOR-US: tibbr CVE-2017-5533 (A vulnerability in the server content cache of TIBCO JasperReports ...) - jasperreports (bug #884131) + [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: http://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-server-2017 CVE-2017-5532 (A vulnerability in the report renderer component of TIBCO ...) - jasperreports (bug #884131) + [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532 CVE-2017-5531 (Deployments of TIBCO Managed File Transfer Command Center versions ...) 
@@ -83839,10 +83842,12 @@ CVE-2017-5530 (The tibbr web server components of tibbr Community, and tibbr ... NOT-FOR-US: tibbr CVE-2017-5529 (JasperReports library components contain an information disclosure ...) - jasperreports (bug #880467) + [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0 CVE-2017-5528 (Multiple JasperReports Server components contain vulnerabilities ...) - jasperreports (bug #880467) + [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017 CVE-2017-5527 (TIBCO Spotfire Server 7.0.X before 7.0.2, 7.5.x before 7.5.1, 7.6.x ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/593135ab051af44ec4652acf806ddbc4e44b8893 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/593135ab051af44ec4652acf806ddbc4e44b8893 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
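Review bot: the reason text `(no detailed information available, only needed as build-dependency for Spring)` is repeated verbatim on every added line in this hunk and the two above, while the existing wheezy lines keep the parenthetical short (`cannot be supported due to lack of information`); a short per-line reason with the build-dependency rationale stated once in a NOTE would match the file's conventions and be easier to update when the situation changes.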
[Git][security-tracker-team/security-tracker][master] Triage binutils for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ac6657cb by Markus Koschany at 2018-09-28T11:36:58Z Triage binutils for Jessie. Follow Stretch. Mark CVE-2018-17358, CVE-2018-17359 and CVE-2018-17360 as ignored. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -455,16 +455,19 @@ CVE-2018-17361 (Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote at CVE-2018-17360 (An issue was discovered in the Binary File Descriptor (BFD) library ...) - binutils [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23685 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d CVE-2018-17359 (An issue was discovered in the Binary File Descriptor (BFD) library ...) - binutils [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 CVE-2018-17358 (An issue was discovered in the Binary File Descriptor (BFD) library ...) - binutils [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 CVE-2018-17357 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac6657cb57a7ffae4bb5e09ae4aad5f4a03938cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac6657cb57a7ffae4bb5e09ae4aad5f4a03938cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
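Review bot: the commit message says CVE-2018-17358, CVE-2018-17359 and CVE-2018-17360 are marked as ignored, but the added `[jessie] - binutils (Minor issue)` lines carry no `<ignored>` tag, so they are no-dsa exactly like the `[stretch] - binutils (Minor issue)` lines they copy ("Follow Stretch"); either the message or the tags should change, and if ignored is meant the lines should read `[jessie] - binutils <ignored> (Minor issue)`.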
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c94f6429 by security tracker role at 2018-09-28T08:10:16Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,43 @@ +CVE-2018-17586 + RESERVED +CVE-2018-17585 + RESERVED +CVE-2018-17584 + RESERVED +CVE-2018-17583 + RESERVED +CVE-2018-17582 + RESERVED +CVE-2018-17581 + RESERVED +CVE-2018-17580 + RESERVED +CVE-2018-17579 + RESERVED +CVE-2018-17578 + RESERVED +CVE-2018-17577 + RESERVED +CVE-2018-17576 + RESERVED +CVE-2018-17575 + RESERVED +CVE-2018-17574 + RESERVED +CVE-2018-17573 (The Wp-Insert plugin through 2.4.2 for WordPress allows upload of ...) + TODO: check +CVE-2018-17572 + RESERVED +CVE-2018-17571 (Vanilla before 2.6.3 allows XSS via the email field of a profile. ...) + TODO: check CVE-2018-17570 (utils/ut_ws_svr.c in ViaBTC Exchange Server before 2018-08-21 has an ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17569 (network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has an ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has an ...) NOT-FOR-US: ViaBTC Exchange Server -CVE-2018-17567 - RESERVED +CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 ...) + TODO: check CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for SQL ...) TODO: check CVE-2018-17565 
@@ -346,20 +378,20 @@ CVE-2018-17399 RESERVED CVE-2018-17398 RESERVED -CVE-2018-17397 - RESERVED +CVE-2018-17397 (SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for ...) + TODO: check CVE-2018-17396 RESERVED CVE-2018-17395 RESERVED -CVE-2018-17394 - RESERVED +CVE-2018-17394 (SQL Injection exists in the Timetable Schedule 3.6.8 component for ...) + TODO: check CVE-2018-17393 RESERVED CVE-2018-17392 RESERVED -CVE-2018-17391 - RESERVED +CVE-2018-17391 (SQL Injection exists in authors_post.php in Super Cms Blog Pro 1.0 via ...) + TODO: check CVE-2018-17390 RESERVED CVE-2018-17389 
@@ -370,28 +402,28 @@ CVE-2018-17387 RESERVED CVE-2018-17386 RESERVED -CVE-2018-17385 - RESERVED -CVE-2018-17384 - RESERVED -CVE-2018-17383 - RESERVED -CVE-2018-17382 - RESERVED +CVE-2018-17385 (SQL Injection exists in the Social Factory 3.8.3 component for Joomla! ...) + TODO: check +CVE-2018-17384 (SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! ...) + TODO: check +CVE-2018-17383 (SQL Injection exists in the Collection Factory 4.1.9 component for ...) + TODO: check +CVE-2018-17382 (SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! ...) + TODO: check CVE-2018-17381 RESERVED -CVE-2018-17380 - RESERVED -CVE-2018-17379 - RESERVED -CVE-2018-17378 - RESERVED -CVE-2018-17377 - RESERVED -CVE-2018-17376 - RESERVED -CVE-2018-17375 - RESERVED +CVE-2018-17380 (SQL Injection exists in the Article Factory Manager 4.3.9 component ...) + TODO: check +CVE-2018-17379 (SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! ...) + TODO: check +CVE-2018-17378 (SQL Injection exists in the Penny Auction Factory 2.0.4 component for ...) + TODO: check +CVE-2018-17377 (SQL Injection exists in the Questions 1.4.3 component for Joomla! via ...) + TODO: check +CVE-2018-17376 (SQL Injection exists in the Reverse Auction Factory 4.3.8 component ...) + TODO: check +CVE-2018-17375 (SQL Injection exists in the Music Collection 3.0.3 component for ...) + TODO: check CVE-2018-17374 RESERVED CVE-2018-17373 @@ -888,7 +920,7 @@ CVE-2018-17155 CVE-2018-17154 RESERVED CVE-2018-1000802 (Python Software Foundation Python (CPython) version 2.7 contains a ...) - {DLA-1520-1 DLA-1519-1} + {DSA-4306-1 DLA-1520-1 DLA-1519-1} - python3.7 (Fixed before initial upload) - python3.6 (Fixed before initial upload) - python3.5 (Fixed before initial upload) 
@@ -1138,10 +1170,10 @@ CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can tr NOTE: https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e NOTE: Was considered minor for jessie since arbitrary deserialization NOTE: is still possible using http and https. -CVE-2018-17056 - RESERVED -CVE-2018-17055 - RESERVED +CVE-2018-17056 (Cross-site scripting (XSS) vulnerability in ServiceStack in Progress ...) + TODO: check +CVE-2018-17055 (An arbitrary file upload vulnerability in Progress Sitefinity CMS