[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cb868194 by Moritz Muehlenhoff at 2018-10-11T06:17:40Z NFU qpdf no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -460,6 +460,7 @@ CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 allows remote attackers - extplorer CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and ...) - qpdf + [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/243 CVE-2018-1000806 @@ -8396,6 +8397,7 @@ CVE-2018-14665 RESERVED CVE-2018-14664 RESERVED + - foreman (bug #663101) CVE-2018-14663 RESERVED CVE-2018-14662 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb868194f9353f3ee5e36d46d8bcb84c3bad5b49 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb868194f9353f3ee5e36d46d8bcb84c3bad5b49 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
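Review bot: in the second hunk, the bug number in `+ - foreman (bug #663101)` is worth double-checking before it lands: every other Debian bug referenced in this batch of commits is in the #9107xx range (#910757, #910758, #910760, #910763, #910766, #910776), and a number far below that for a CVE reserved in 2018 looks like a mistyped reference. The commit message "NFU qpdf no-dsa" also does not mention foreman, so the entry is easy to overlook in review; a short mention in the log would help.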
[Git][security-tracker-team/security-tracker][master] pyopenssl no-dsa, NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d8f082f by Moritz Muehlenhoff at 2018-10-11T06:00:29Z pyopenssl no-dsa, NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -361,7 +361,8 @@ CVE-2018-1000810 (The Rust Programming Language Standard Library version 1.29.0, CVE-2018-1000809 (privacyIDEA version 2.23.1 and earlier contains a Improper Input ...) NOT-FOR-US: privacyIDEA CVE-2018-1000808 (Python Cryptographic Authority pyopenssl version Before 17.5.0 ...) - - pyopenssl 17.5.0-1 + - pyopenssl 17.5.0-1 (low) + [stretch] - pyopenssl (Minor issue) NOTE: https://github.com/pyca/pyopenssl/pull/723 NOTE: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509 CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to version ...) 
@@ -50360,47 +50361,47 @@ CVE-2018-0065 CVE-2018-0064 RESERVED CVE-2018-0063 (A vulnerability in the IP next-hop index database in Junos OS 17.3R3 ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0062 (A Denial of Service vulnerability in J-Web service may allow a remote ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0061 (A denial of service vulnerability in the telnetd service on Junos OS ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0060 (An improper input validation weakness in the device control daemon ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0059 (A persistent cross-site scripting vulnerability in the graphical user ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0058 (Receipt of a specially crafted IPv6 exception packet may be able to ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0057 (On MX Series and M120/M320 platforms configured in a Broadband Edge ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0056 (If a duplicate MAC address is learned by two different interfaces on ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0055 (Receipt of a specially crafted DHCPv6 message destined to a Junos OS ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0054 (On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0053 (An authentication bypass vulnerability in the initial boot sequence of ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0052 (If RSH service is enabled on Junos OS and if the PAM authentication is ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0051 (A Denial of Service vulnerability in the SIP application layer gateway ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0050 (An error handling vulnerability in Routing Protocols Daemon (RPD) of ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0049 (A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS ...) 
- TODO: check + NOT-FOR-US: Juniper CVE-2018-0048 (A vulnerability in the Routing Protocols Daemon (RPD) with Juniper ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0047 (A persistent cross-site scripting vulnerability in the UI framework ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0046 (A reflected cross-site scripting vulnerability in OpenNMS included ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0045 (Receipt of a specific Draft-Rosen MVPN control packet may cause the ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0044 (An insecure SSHD configuration in Juniper Device Manager (JDM) and ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0043 (Receipt of a specific MPLS packet may cause the routing protocol ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0042 (Juniper Networks CSO versions prior to 4.0.0 may log passwords in log ...) NOT-FOR-US: Juniper Networks CSO CVE-2018-0041 (Juniper Networks Contrail Service Orchestration releases prior to ...) @@ -50906,7 +50907,7 @@ CVE-2017-16716 (A SQL Injection issue was discovered in WebAccess versions prior CVE-2017-16715 (An Information Exposure issue was discovered in Moxa NPort 5110 Version ...) NOT-FOR-US: Moxa CVE-2017-16714 (In Ice Qube Thermal Management Center versions prior to version 4.13, ...) - TODO: check + NOT-FOR-US: Ice Qube Thermal Management Center CVE-2017-16713 RESERVED CVE-2017-16712 @@ -53556,7 +53557,7 @@ CVE-2017-15846 (In the video_ioctl2() function in the camera driver in Android f CVE-2017-15845 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15844 (In all android releases (Android for MSM, Firefox OS for MSM, QRD ...) - TODO: chec
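Review bot: in the Juniper hunk, the description of CVE-2018-0046 starts "A reflected cross-site scripting vulnerability in OpenNMS included ...", so the `NOT-FOR-US: Juniper` label deserves a second look: unlike the surrounding entries, which name Junos OS or Juniper platforms, this one concerns a third-party component bundled by Juniper, and it is worth confirming that the affected OpenNMS code is not shipped in any Debian source package before closing it as not-for-us. The other entries in the block (CVE-2018-0063 through CVE-2018-0043) are plain Junos/JDM issues and the label fits them.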
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-5934/moin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c91aea52 by Salvatore Bonaccorso at 2018-10-11T05:24:45Z Add bug reference for CVE-2017-5934/moin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84015,7 +84015,7 @@ CVE-2017-5935 RESERVED CVE-2017-5934 [XSS in GUI editor related code] RESERVED - - moin + - moin (bug #910776) NOTE: https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024 CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, ...) NOT-FOR-US: Citrix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c91aea52e7409f031e7ddeec4ca13620fe753c8c
[Git][security-tracker-team/security-tracker][master] Add CVE-2017-5934/moin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fb4e6d2 by Salvatore Bonaccorso at 2018-10-11T04:49:15Z Add CVE-2017-5934/moin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84013,8 +84013,10 @@ CVE-2016-10214 (Memory leak in the virgl_resource_attach_backing function in ... NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420266 CVE-2017-5935 RESERVED -CVE-2017-5934 +CVE-2017-5934 [XSS in GUI editor related code] RESERVED + - moin + NOTE: https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024 CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, ...) NOT-FOR-US: Citrix CVE-2016-10213 (A10 AX1030 and possibly other devices with software before 2.7.2-P8 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9fb4e6d273d58d52e6c3ff895050a91ff514448c
[Git][security-tracker-team/security-tracker][master] Two libgd2 issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ffa02825 by Salvatore Bonaccorso at 2018-10-11T04:24:46Z Two libgd2 issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6218,7 +6218,7 @@ CVE-2018-1000225 (Cobbler version Verified as present in Cobbler versions 2.6.11 CVE-2018-1000224 (Godot Engine version All versions prior to 2.1.5, all 3.0 versions ...) NOT-FOR-US: Godot CVE-2018-1000222 (Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability ...) - - libgd2 (low; bug #906886) + - libgd2 2.2.5-4.1 (low; bug #906886) [stretch] - libgd2 (Minor issue, will be fixed via point release) [jessie] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/issues/447 @@ -33348,7 +33348,7 @@ CVE-2018-5711 (gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PH NOTE: Fixed in 5.6.33, 7.0.27, 7.1.13, 7.2.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75571 NOTE: https://hhvm.com/blog/2018/05/04/hhvm-3.25.3.html - - libgd2 (bug #887485) + - libgd2 2.2.5-4.1 (bug #887485) [stretch] - libgd2 (Minor issue, will be fixed via point release) [jessie] - libgd2 (Minor issue, can be fixed along in a future update) NOTE: https://github.com/libgd/libgd/issues/420 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ffa028252414b33e478dbdc760b5d73e6eb82fff
[Git][security-tracker-team/security-tracker][master] 2 commits: Don't need to add specific reproducibility mentioning as triaged for all suites
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 730ae578 by Salvatore Bonaccorso at 2018-10-11T04:18:57Z Don't need to add specific reproducibility mentioning as triaged for all suites - - - - - e6b2ea16 by Salvatore Bonaccorso at 2018-10-11T04:23:32Z CVE-2018-14638 and CVE-2018-14624 for 389-ds-base addressed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4401,7 +4401,6 @@ CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows r - exiv2 NOTE: https://github.com/Exiv2/exiv2/issues/400 NOTE: https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d - NOTE: reproduced with ASAN build (on jessie) and POC file provided in GitHub issue CVE-2018-16335 (newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c ...) - tiff (bug #907795) [stretch] - tiff (Can be fixed along in future DSA) @@ -8472,7 +8471,7 @@ CVE-2018-14640 CVE-2018-14639 RESERVED CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ...) - - 389-ds-base (bug #908859) + - 389-ds-base 1.4.0.18-1 (bug #908859) [jessie] - 389-ds-base (Vulnerable code not present) NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73 CVE-2018-14637 
@@ -8517,7 +8516,7 @@ CVE-2018-14625 (A flaw was found in the Linux Kernel where an attacker may be ab NOTE: https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039 CVE-2018-14624 (A vulnerability was discovered in 389-ds-base through versions ...) {DLA-1526-1} - - 389-ds-base (bug #907778) + - 389-ds-base 1.4.0.18-1 (bug #907778) NOTE: https://pagure.io/389-ds-base/issue/49937 NOTE: https://pagure.io/389-ds-base/c/8ff8cb850 (master) NOTE: https://pagure.io/389-ds-base/c/c5e78249d (389-ds-base-1.3.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/16e32bce9234c363f773bdc13567c8e3a96a5a3b...e6b2ea1620617764082598ba13949d59a08c8adf
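Review bot: in the first hunk (commit 730ae578), dropping `- NOTE: reproduced with ASAN build (on jessie) and POC file provided in GitHub issue` removes the only recorded evidence for why exiv2/CVE-2018-16336 went from undetermined to unfixed; commit 16e32bce earlier in this thread cites exactly that reproduction as its justification. If the note is considered noise once every suite is triaged, consider keeping the reasoning in the commit message itself so the audit trail survives in `git log`, rather than only the bare "Don't need to add". The two 389-ds-base hunks (1.4.0.18-1 for #908859 and #907778) look consistent with each other.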
[Git][security-tracker-team/security-tracker][master] exiv2/CVE-2018-16336 change undetermined -> unfixed; reproduced on jessie and…
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 16e32bce by Roberto C. Sánchez at 2018-10-11T04:10:18Z exiv2/CVE-2018-16336 change undetermined -> unfixed; reproduced on jessie and affected code in stretch is identical - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4398,9 +4398,10 @@ CVE-2018-16338 (An issue was discovered in AuraCMS 2.3. There is a CSRF vulnerab CVE-2018-16337 (An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability ...) NOT-FOR-US: Cscms CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote ...) - - exiv2 + - exiv2 NOTE: https://github.com/Exiv2/exiv2/issues/400 NOTE: https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d + NOTE: reproduced with ASAN build (on jessie) and POC file provided in GitHub issue CVE-2018-16335 (newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c ...) - tiff (bug #907795) [stretch] - tiff (Can be fixed along in future DSA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/16e32bce9234c363f773bdc13567c8e3a96a5a3b
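Review bot: the removed and added lines `- - exiv2` / `+ - exiv2` read as identical in this notification; the `<undetermined>` status marker that the commit message says was dropped is not visible, most likely because the angle-bracket token was stripped when the mail was rendered. Anyone reviewing from the mail alone should confirm the actual diff on GitLab. The added NOTE line ("reproduced with ASAN build (on jessie) and POC file provided in GitHub issue") is the justification for the status change and is useful to keep next to the entry.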
[Git][security-tracker-team/security-tracker][master] CVE-2018-18074,requests: Mark issue as postponed for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 74a411cf by Markus Koschany at 2018-10-10T22:20:06Z CVE-2018-18074,requests: Mark issue as postponed for Jessie This can be fixed later when a more important issue arises. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -299,6 +299,7 @@ CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for Python sends ...) - requests (low; bug #910766) [stretch] - requests (Minor issue) + [jessie] - requests (Minor issue) NOTE: https://github.com/requests/requests/issues/4716 NOTE: https://github.com/requests/requests/pull/4718 NOTE: https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74a411cf2333d4b4a2b6ed944c32706551d3032c
[Git][security-tracker-team/security-tracker][master] CVE-2018-18020,qpdf: Mark as no-dsa for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 10120ec1 by Markus Koschany at 2018-10-10T21:40:57Z CVE-2018-18020,qpdf: Mark as no-dsa for Jessie. Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -458,6 +458,7 @@ CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 allows remote attackers - extplorer CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and ...) - qpdf + [jessie] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/243 CVE-2018-1000806 REJECTED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10120ec1bfbebe46ebae562e1ca0a11776296a7f
[Git][security-tracker-team/security-tracker][master] Add paramiko to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 39890f94 by Markus Koschany at 2018-10-10T21:34:06Z Add paramiko to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,9 @@ openjdk-7 (Emilio Pozuelo) openjpeg2 (Hugo Lefeuvre) NOTE: 20180719: there is no patch available for the remaining CVEs -- +paramiko + NOTE: 20181010: Consider fixing no-dsa issue too. (apo) +-- phpldapadmin (Mike Gabriel) NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/39890f94be5890a2e0d89519201e71b60efdf9d3
[Git][security-tracker-team/security-tracker][master] requests no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 719d3da6 by Moritz Muehlenhoff at 2018-10-10T21:27:43Z requests no-dsa NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -297,7 +297,8 @@ CVE-2018-18076 CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id or ...) NOT-FOR-US: WikidForum CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for Python sends ...) - - requests (bug #910766) + - requests (low; bug #910766) + [stretch] - requests (Minor issue) NOTE: https://github.com/requests/requests/issues/4716 NOTE: https://github.com/requests/requests/pull/4718 NOTE: https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff @@ -700,15 +701,15 @@ CVE-2018-17921 CVE-2018-17920 RESERVED CVE-2018-17919 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud ...) - TODO: check + NOT-FOR-US: P2P Cloud Server CVE-2018-17918 RESERVED CVE-2018-17917 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud ...) - TODO: check + NOT-FOR-US: P2P Cloud Server CVE-2018-17916 RESERVED CVE-2018-17915 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud ...) - TODO: check + NOT-FOR-US: P2P Cloud Server CVE-2018-17914 RESERVED CVE-2018-17913 @@ -6429,9 +6430,9 @@ CVE-2018-15545 CVE-2018-15544 RESERVED CVE-2018-15543 (** DISPUTED ** An issue was discovered in the org.telegram.messenger ...) - TODO: check + NOT-FOR-US: org.telegram.messenger for Android CVE-2018-15542 (** DISPUTED ** An issue was discovered in the org.telegram.messenger ...) - TODO: check + NOT-FOR-US: org.telegram.messenger for Android CVE-2018-15541 RESERVED CVE-2018-15540 
@@ -14899,9 +14900,9 @@ CVE-2018-12175 (Default install directory permissions in Intel Distribution for CVE-2018-12174 RESERVED CVE-2018-12173 (Insufficient access protection in firmware in Intel Server Board, ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-12172 (Improper password hashing in firmware in Intel Server Board ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-12171 (Privilege escalation in Intel Baseboard Management Controller (BMC) ...) NOT-FOR-US: Intel Baseboard Management Controller firmware CVE-2018-12170 @@ -14929,7 +14930,7 @@ CVE-2018-12160 (DLL injection vulnerability in software installer for Intel Data CVE-2018-12159 RESERVED CVE-2018-12158 (Insufficient input validation in BIOS update utility in Intel NUC FW ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-12157 RESERVED CVE-2018-12156 @@ -14949,7 +14950,7 @@ CVE-2018-12150 (Escalation of privilege in Installer for Intel Extreme Tuning Ut CVE-2018-12149 (Buffer overflow in input handling in Intel Extreme Tuning Utility ...) NOT-FOR-US: Intel CVE-2018-12148 (Privilege escalation in file permissions in Intel Driver and Support ...) - NOT-FOR-US: INtel + NOT-FOR-US: Intel CVE-2018-12147 RESERVED CVE-2018-12146 @@ -14983,7 +14984,7 @@ CVE-2018-12133 CVE-2018-12132 RESERVED CVE-2018-12131 (Permissions in the driver pack installers for Intel NVMe before ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-12130 RESERVED CVE-2018-12129 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/719d3da6f79565ca4d5a33901c6812f98bf5b732
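Review bot: in the XMeye hunk, the new `NOT-FOR-US: P2P Cloud Server` label drops the vendor and product name that the CVE descriptions carry ("Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud ..."), which makes the entries hard to find again by grepping the file; the other NOT-FOR-US tags in this same commit name the vendor or product ("Intel", "org.telegram.messenger for Android"), so something like `NOT-FOR-US: Hangzhou Xiongmai XMeye P2P Cloud` would be more consistent. The `INtel` to `Intel` fix in the CVE-2018-12148 hunk is a welcome tidy-up of the same kind.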
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-18074/requests
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5a62474 by Salvatore Bonaccorso at 2018-10-10T20:54:32Z Add bug reference for CVE-2018-18074/requests - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -296,7 +296,7 @@ CVE-2018-18076 CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id or ...) NOT-FOR-US: WikidForum CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for Python sends ...) - - requests + - requests (bug #910766) NOTE: https://github.com/requests/requests/issues/4716 NOTE: https://github.com/requests/requests/pull/4718 NOTE: https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a5a6247489b88abc6489487076ab817ef8c565f8
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-18088/openjpeg2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8756000c by Salvatore Bonaccorso at 2018-10-10T20:29:41Z Add bug reference for CVE-2018-18088/openjpeg2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -267,7 +267,7 @@ CVE-2018-18090 CVE-2018-18089 RESERVED CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer dereference for "red" in the ...) - - openjpeg2 + - openjpeg2 (bug #910763) NOTE: https://github.com/uclouvain/openjpeg/issues/1152 CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user ...) NOT-FOR-US: Bixie Portfolio plugin for Pagekit View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8756000c45d87261f2c68ff36055a38c6408a149
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1543-1 for gnulib
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 04544cbd by Markus Koschany at 2018-10-10T20:11:26Z Reserve DLA-1543-1 for gnulib - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Oct 2018] DLA-1543-1 gnulib - security update + {CVE-2018-17942} + [jessie] - gnulib 20140202+stable-2+deb8u1 [10 Oct 2018] DLA-1542-1 dnsruby - update [jessie] - dnsruby 1.54-2+deb8u1 [10 Oct 2018] DLA-1541-1 jekyll - security update = data/dla-needed.txt = @@ -24,8 +24,6 @@ firefox-esr (Emilio Pozuelo) NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL. NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work. -- -gnulib (Markus Koschany) --- gnutls28 (Antoine Beaupre) NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (Chris Lamb) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/04544cbd7f4b0ebef31f38801929a622a817bc8b
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-1000805/paramiko
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 914e180d by Salvatore Bonaccorso at 2018-10-10T19:57:00Z Add bug reference for CVE-2018-1000805/paramiko - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -324,7 +324,7 @@ CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to vers NOTE: https://github.com/pyca/pyopenssl/pull/723 NOTE: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509 CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 ...) - - paramiko + - paramiko (bug #910760) NOTE: https://github.com/paramiko/paramiko/issues/1283 NOTE: https://github.com/paramiko/paramiko/commit/56c96a659658acdbb873aef8809a7b508434dcce CVE-2018-1000804 (contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/914e180d7d9a788ddadfde5195ee30cb4cebc936
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-18073/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cd9e47f by Salvatore Bonaccorso at 2018-10-10T19:30:13Z Add bug reference for CVE-2018-18073/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -260,7 +260,7 @@ CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for Python TODO: check CVE-2018-18073 [saved execution stacks can leak operator arrays] RESERVED - - ghostscript + - ghostscript (bug #910758) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1690 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699927 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0cd9e47fe3f8068e16255b94580c3f3a642c1ebe
[Git][security-tracker-team/security-tracker][master] Update glassfish entry, removed from the archive
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 83cc4e7f by Salvatore Bonaccorso at 2018-10-10T19:28:01Z Update glassfish entry, removed from the archive - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -210700,7 +210700,7 @@ CVE-2012-3157 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking . CVE-2012-3156 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3155 (Unspecified vulnerability in the CORBA ORB component in Sun GlassFish ...) - - glassfish (bug #692035) + - glassfish (bug #692035) [wheezy] - glassfish NOTE: Oracle doesn't provide any useful public information to fix the package without importing a new upstream version. CVE-2012-3154 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/83cc4e7f97a037149463576d1e6bb8c75baa4e25
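Review bot: the hunk shows `- - glassfish (bug #692035)` replaced by an identical-looking `+ - glassfish (bug #692035)`; the status tag implied by the commit message (the package was removed from the archive) is not visible in this mail, so angle-bracket tokens are apparently being stripped in the rendering and the real diff should be checked on GitLab. The retained NOTE line ("Oracle doesn't provide any useful public information to fix the package without importing a new upstream version.") still describes the package as fixable only by a new upstream import; now that it is gone from the archive, consider amending or dating that note so it does not read as an open work item.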
[Git][security-tracker-team/security-tracker][master] Add upstream bug reference for CVE-2018-18073
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a240bd25 by Salvatore Bonaccorso at 2018-10-10T19:18:44Z Add upstream bug reference for CVE-2018-18073 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -262,6 +262,7 @@ CVE-2018-18073 [saved execution stacks can leak operator arrays] RESERVED - ghostscript NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1690 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699927 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c NOTE: https://www.openwall.com/lists/oss-security/2018/10/10/12 CVE-2018-18072 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a240bd25472dc79354e2dce38c14922994ac6216
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-17942,gnulib: Reference bug number
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: afa15090 by Markus Koschany at 2018-10-10T19:12:25Z CVE-2018-17942,gnulib: Reference bug number - - - - - 0ff22550 by Markus Koschany at 2018-10-10T19:12:47Z Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -606,7 +606,7 @@ CVE-2018-17944 CVE-2018-17943 RESERVED CVE-2018-17942 (The convert_to_decimal function in vasnprintf.c in Gnulib before ...) - - gnulib + - gnulib (bug #910757) NOTE: pspp affecting bug: https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686 NOTE: https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html NOTE: https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/36842dfaca1f41a78bc48bf2aa53bb36f50b640c...0ff22550a46beda9fa71f89a582dd3b6fdd75d85
[Git][security-tracker-team/security-tracker][master] Tentatively add for coordination one item to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a4349db6 by Salvatore Bonaccorso at 2018-10-10T19:05:27Z Tentatively add for coordination one item to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -20,7 +20,7 @@ asterisk -- ceph -- -ghostscript +ghostscript (carnil) Regression update: #909076, possibly #909929 (but see upstream issue), and #909957 Regression #90 seems to not affect stretch, but needs double-check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4349db63608a7323654a0dc8f21199241a65f7b
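Review bot: the context line `Regression #90 seems to not affect stretch, but needs double-check` carries an incomplete bug reference next to the three six-digit numbers on the preceding line (#909076, #909929, #909957); since this entry is being claimed for coordination, the note should name which of those bugs is meant before anyone acts on the "does not affect stretch" assessment.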
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-18073/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fb74e81 by Salvatore Bonaccorso at 2018-10-10T19:04:31Z Add CVE-2018-18073/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -258,8 +258,12 @@ CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id NOT-FOR-US: WikidForum CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for Python sends ...) TODO: check -CVE-2018-18073 +CVE-2018-18073 [saved execution stacks can leak operator arrays] RESERVED + - ghostscript + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1690 + NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c + NOTE: https://www.openwall.com/lists/oss-security/2018/10/10/12 CVE-2018-18072 RESERVED CVE-2018-18071 (An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8fb74e815c4ddc42cf94411df8f612568189f075
[Git][security-tracker-team/security-tracker][master] Track fix for CVE-2017-18208 in jessie
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0cbcb85 by Salvatore Bonaccorso at 2018-10-10T14:46:01Z Track fix for CVE-2017-18208 in jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26979,7 +26979,7 @@ CVE-2018-7568 (The parse_die function in dwarf1.c in the Binary File Descriptor CVE-2017-18208 (The madvise_willneed function in mm/madvise.c in the Linux kernel ...) - linux 4.14.7-1 [stretch] - linux 4.9.80-1 - [jessie] - linux (Only affects ARM with XIP enabled) + [jessie] - linux 3.16.57-1 [wheezy] - linux (Only affects ARM with XIP enabled) NOTE: Fixed by: https://git.kernel.org/linus/6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91 CVE-2017-18207 (** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0cbcb8566e07494a80e9eb94b9c4925559d377f
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1541-1 for jekyll
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: ff8fc05c by Abhijith PA at 2018-10-10T14:09:00Z Reserve DLA-1541-1 for jekyll - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Oct 2018] DLA-1541-1 jekyll - security update + {CVE-2018-17567} + [jessie] - jekyll 2.2.0+dfsg-2+deb8u1 [09 Oct 2018] DLA-1540-1 net-snmp - security update {CVE-2018-18065} [jessie] - net-snmp 5.7.2.1+dfsg-1+deb8u2 = data/dla-needed.txt = @@ -29,8 +29,6 @@ gnulib (Markus Koschany) gnutls28 (Antoine Beaupre) NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (Chris Lamb) -- -jekyll (Abhijith PA) --- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: 20180118: It is unlikely that he will start again in the next weeks. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff8fc05c6c6b371c2b336ca278b69963850b1e33
[Git][security-tracker-team/security-tracker][master] Record one CVE which will be fixed in stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8649fb0b by Salvatore Bonaccorso at 2018-10-10T13:25:31Z Record one CVE which will be fixed in stretch-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -98,3 +98,5 @@ CVE-2018-14599 [stretch] - libx11 2:1.6.4-3+deb9u1 CVE-2018-14600 [stretch] - libx11 2:1.6.4-3+deb9u1 +CVE-2018-13406 + [stretch] - linux 4.9.130-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8649fb0baa25e8c33b6a951560dbb138b2fe1905
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf78bf81 by Salvatore Bonaccorso at 2018-10-10T08:24:25Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2018-18203 RESERVED CVE-2018-18202 (The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-18201 (qibosoft V7.0 allows CSRF via ...) TODO: check CVE-2018-18200 (There is a SQL injection in Benutzerverwaltung in REDAXO before 5.6.4. ...) - TODO: check + NOT-FOR-US: REDAXO CVE-2018-18199 (Mediamanager in REDAXO before 5.6.4 has XSS. ...) - TODO: check + NOT-FOR-US: REDAXO CVE-2018-18198 (The $opener_input_field variable in addons/mediapool/pages/index.php in ...) - TODO: check + NOT-FOR-US: REDAXO CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator new[] ...) TODO: check CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) @@ -23,7 +23,7 @@ CVE-2018-18193 (An issue was discovered in libgig 4.1.0. There is operator new[] CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL pointer ...) TODO: check CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in ...) - TODO: check + NOT-FOR-US: FineCms CVE-2018-18190 (An issue was discovered in GoPro gpmf-parser before 1.2.1. There is a ...) TODO: check CVE-2018-18189 @@ -233,7 +233,7 @@ CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer dereference for "red" CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user ...) TODO: check CVE-2018-18086 (EmpireCMS v7.5 has an arbitrary file upload vulnerability in the ...) - TODO: check + NOT-FOR-US: EmpireCMS CVE-2018-18085 RESERVED CVE-2018-18084 (An issue was discovered in DuomiCMS 3.0. SQL injection exists in the ...) 
@@ -767,7 +767,7 @@ CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the Port Forwarding ...) CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices allows remote ...) NOT-FOR-US: DASAN H660GW device CVE-2018-17866 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - TODO: check + NOT-FOR-US: "Ultimate Member - User Profile & Membership" plugin for WordPress CVE-2018-17865 RESERVED CVE-2018-17864 @@ -781,15 +781,15 @@ CVE-2018-17861 CVE-2018-17860 RESERVED CVE-2018-17859 (An issue was discovered in Joomla! before 3.8.13. Inadequate checks in ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-17858 (An issue was discovered in Joomla! before 3.8.13. com_installer actions ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-17857 (An issue was discovered in Joomla! before 3.8.13. Inadequate checks on ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-17856 (An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-17855 (An issue was discovered in Joomla! before 3.8.13. If an attacker gets ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2015-9271 (The VideoWhisper videowhisper-video-conference-integration plugin ...) NOT-FOR-US: WordPress plugin videowhisper-video-conference-integration CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf78bf81c61a933ba1787635b0713ccc65615338
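Review bot: in the first hunk, the new `NOT-FOR-US: IBM` marker for CVE-2018-18202 names a vendor that does not appear in the visible description (`The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 ...`), whereas every other marker in this patch repeats the product named in its description (REDAXO, FineCms, EmpireCMS, Joomla!, the WordPress plugin); naming the QLogic product alongside IBM would keep the entry greppable by the name the CVE text uses.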
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56f1cc3f by security tracker role at 2018-10-10T08:10:55Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,33 @@ +CVE-2018-18203 + RESERVED +CVE-2018-18202 (The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 ...) + TODO: check +CVE-2018-18201 (qibosoft V7.0 allows CSRF via ...) + TODO: check +CVE-2018-18200 (There is a SQL injection in Benutzerverwaltung in REDAXO before 5.6.4. ...) + TODO: check +CVE-2018-18199 (Mediamanager in REDAXO before 5.6.4 has XSS. ...) + TODO: check +CVE-2018-18198 (The $opener_input_field variable in addons/mediapool/pages/index.php in ...) + TODO: check +CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator new[] ...) + TODO: check +CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) + TODO: check +CVE-2018-18195 (An issue discovered in libgig 4.1.0. There is an FPE (divide-by-zero ...) + TODO: check +CVE-2018-18194 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) + TODO: check +CVE-2018-18193 (An issue was discovered in libgig 4.1.0. There is operator new[] ...) + TODO: check +CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL pointer ...) + TODO: check +CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in ...) + TODO: check +CVE-2018-18190 (An issue was discovered in GoPro gpmf-parser before 1.2.1. There is a ...) + TODO: check +CVE-2018-18189 + RESERVED CVE-2018-18188 RESERVED CVE-2018-18187 
@@ -198,12 +228,12 @@ CVE-2018-18090 RESERVED CVE-2018-18089 RESERVED -CVE-2018-18088 - RESERVED -CVE-2018-18087 - RESERVED -CVE-2018-18086 - RESERVED +CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer dereference for "red" in the ...) + TODO: check +CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user ...) + TODO: check +CVE-2018-18086 (EmpireCMS v7.5 has an arbitrary file upload vulnerability in the ...) + TODO: check CVE-2018-18085 RESERVED CVE-2018-18084 (An issue was discovered in DuomiCMS 3.0. SQL injection exists in the ...) @@ -250,6 +280,7 @@ CVE-2018-18066 (snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 ha NOTE: issue, but might still not be just a duplicate but an independent issue fixed with NOTE: same commit. CVE-2018-18065 (_set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has ...) + {DLA-1540-1} - net-snmp (bug #910638) NOTE: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos NOTE: https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/ @@ -516,13 +547,11 @@ CVE-2018-17965 (ImageMagick 7.0.7-28 has a memory leak vulnerability in WriteSGI NOTE: https://github.com/ImageMagick/ImageMagick/issues/1052 CVE-2018-17964 RESERVED -CVE-2018-17963 [net: ignore packets with large size] - RESERVED +CVE-2018-17963 (qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes ...) - qemu - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03267.html -CVE-2018-17962 [pcnet: integer overflow leads to buffer overflow] - RESERVED +CVE-2018-17962 (Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because ...) - qemu - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03268.html 
@@ -537,8 +566,7 @@ CVE-2018-17960 RESERVED CVE-2018-17959 RESERVED -CVE-2018-17958 [rtl8139: integer overflow leads to buffer overflow] - RESERVED +CVE-2018-17958 (Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c ...) - qemu - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html @@ -738,8 +766,8 @@ CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the Port Forwarding ...) NOT-FOR-US: DASAN H660GW devices CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices allows remote ...) NOT-FOR-US: DASAN H660GW device -CVE-2018-17866 - RESERVED +CVE-2018-17866 (Multiple cross-site scripting (XSS) vulnerabilities in ...) + TODO: check CVE-2018-17865 RESERVED CVE-2018-17864 @@ -752,16 +780,16 @@ CVE-2018-17861 RESERVED CVE-2018-17860 RESERVED -CVE-2018-17859 - RESERVED -CVE-2018-17858 - RESERVED -CVE-2018-17857 - RESERVED -CVE-2018-17856 - RESERVED -CVE-2018-17855 - RESERVED +CVE-2018-17859 (An issue was discovered in Joomla! before 3.8.13. Inadequate checks in ...) + TODO: check +CVE-2018-
[Git][security-tracker-team/security-tracker][master] - imagemagick triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f31208ad by Moritz Muehlenhoff at 2018-10-10T07:02:13Z - imagemagick triage - remove exiv commit reference, https://github.com/Exiv2/exiv2/commit/74cb5bab132ed76adf15df172c5e8b58cddaa96c refers to https://github.com/Exiv2/exiv2/issues/76 which itself refers to https://bugzilla.redhat.com/show_bug.cgi?id=1495043, not 1577319 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -361,7 +361,8 @@ CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-r - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335 CVE-2018-18024 (In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the ...) - - imagemagick + - imagemagick (low) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1337 NOTE: https://github.com/ImageMagick/ImageMagick/commit/948f1c86d649a29df08a38d2ff8b91cdf3e92b82 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/b268ce7a59440972f4476b9fd98104b6a836d971 @@ -3253,7 +3254,8 @@ CVE-2018-16750 (In ImageMagick 7.0.7-29 and earlier, a memory leak in the ...) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/359331c61193138ce2b85331df25235b81499cfc CVE-2018-16749 (In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ...) {DLA-1530-1} - - imagemagick 8:6.9.10.2+dfsg-2 + - imagemagick 8:6.9.10.2+dfsg-2 (low) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1119 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1007b98f8795ad4bea6bc5f68a32d83e982fdae4 CVE-2018-16748 
@@ -3518,7 +3520,8 @@ CVE-2018-16644 (There is a missing check for length in the functions ReadDCMImag NOTE: https://github.com/ImageMagick/ImageMagick/issues/1269 CVE-2018-16643 (The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in ...) {DLA-1530-1} - - imagemagick 8:6.9.10.8+dfsg-1 + - imagemagick 8:6.9.10.8+dfsg-1 (low) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/6b6bff054d569a77973f2140c0e86366e6168a6c NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/11d9dac3d991c62289d1ef7a097670166480e76c NOTE: https://github.com/ImageMagick/ImageMagick/issues/1199 @@ -18690,7 +18693,6 @@ CVE-2018-10780 (Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-ba - exiv2 [jessie] - exiv2 (Vulnerable code not present; image format not supported) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575201 - NOTE: Fixed by upstream commit https://github.com/Exiv2/exiv2/commit/74cb5bab132ed76adf15df172c5e8b58cddaa96c TODO: check, there is same function in byteSwap2 in earlier versions than 0.26 CVE-2018-10779 (TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based ...) - tiff 4.0.6-3 (bug #898359) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f31208ad76f289526e4fb2129818e449b4d1c913
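Review bot: the last hunk removes the only fix pointer for CVE-2018-10780 (`NOTE: Fixed by upstream commit ...74cb5bab...`, which the commit message explains belongs to a different Red Hat bug) but leaves the existing `TODO: check, there is same function in byteSwap2 in earlier versions than 0.26` untouched; the TODO should also record that the fixing commit is now unidentified, otherwise the entry's `- exiv2` line with no version reads as tracked-but-unfixed with no hint of what is still missing.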