[Git][security-tracker-team/security-tracker][master] NFU

2018-10-10 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb868194 by Moritz Muehlenhoff at 2018-10-11T06:17:40Z
NFU
qpdf no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -460,6 +460,7 @@ CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 
allows remote attackers
- extplorer 
 CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, 
QPDFWriter::unparseObject and ...)
- qpdf 
+   [stretch] - qpdf  (Minor issue)
[jessie] - qpdf  (Minor issue)
NOTE: https://github.com/qpdf/qpdf/issues/243
 CVE-2018-1000806
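Review bot: the subject says "qpdf no-dsa", but the added `[stretch] - qpdf  (Minor issue)` line shows no status tag between the package name and the reason (only a double space), and the existing `[jessie]` line looks the same; confirm the committed lines actually carry the `<no-dsa>` tag, since a suite line with nothing but a free-text reason does not record the no-dsa decision the commit is meant to make.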
@@ -8396,6 +8397,7 @@ CVE-2018-14665
RESERVED
 CVE-2018-14664
RESERVED
+   - foreman  (bug #663101)
 CVE-2018-14663
RESERVED
 CVE-2018-14662
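Review bot: the `- foreman  (bug #663101)` line added to CVE-2018-14664 is not covered by the commit message ("NFU", "qpdf no-dsa"), and again no status tag is visible between the package name and the bug reference. #663101 is far older than the #9107xx bugs filed for other 2018 CVEs in this batch, which would fit an ITP reference rather than a bug for this CVE; whichever it is, make sure the committed line carries the intended tag (`<itp>` for an ITP bug), and since the entry is still RESERVED, add a short bracketed description as done for CVE-2017-5934 [XSS in GUI editor related code].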



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb868194f9353f3ee5e36d46d8bcb84c3bad5b49

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb868194f9353f3ee5e36d46d8bcb84c3bad5b49
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] pyopenssl no-dsa, NFUs

2018-10-10 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d8f082f by Moritz Muehlenhoff at 2018-10-11T06:00:29Z
pyopenssl no-dsa, NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -361,7 +361,8 @@ CVE-2018-1000810 (The Rust Programming Language Standard 
Library version 1.29.0,
 CVE-2018-1000809 (privacyIDEA version 2.23.1 and earlier contains a Improper 
Input ...)
NOT-FOR-US: privacyIDEA
 CVE-2018-1000808 (Python Cryptographic Authority pyopenssl version Before 
17.5.0 ...)
-   - pyopenssl 17.5.0-1
+   - pyopenssl 17.5.0-1 (low)
+   [stretch] - pyopenssl  (Minor issue)
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to 
version ...)
@@ -50360,47 +50361,47 @@ CVE-2018-0065
 CVE-2018-0064
RESERVED
 CVE-2018-0063 (A vulnerability in the IP next-hop index database in Junos OS 
17.3R3 ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0062 (A Denial of Service vulnerability in J-Web service may allow a 
remote ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0061 (A denial of service vulnerability in the telnetd service on 
Junos OS ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0060 (An improper input validation weakness in the device control 
daemon ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0059 (A persistent cross-site scripting vulnerability in the 
graphical user ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0058 (Receipt of a specially crafted IPv6 exception packet may be 
able to ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0057 (On MX Series and M120/M320 platforms configured in a Broadband 
Edge ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0056 (If a duplicate MAC address is learned by two different 
interfaces on ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0055 (Receipt of a specially crafted DHCPv6 message destined to a 
Junos OS ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0054 (On QFX5000 Series and EX4600 switches, a high rate of Ethernet 
pause ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0053 (An authentication bypass vulnerability in the initial boot 
sequence of ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0052 (If RSH service is enabled on Junos OS and if the PAM 
authentication is ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0051 (A Denial of Service vulnerability in the SIP application layer 
gateway ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0050 (An error handling vulnerability in Routing Protocols Daemon 
(RPD) of ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0049 (A NULL Pointer Dereference vulnerability in Juniper Networks 
Junos OS ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0048 (A vulnerability in the Routing Protocols Daemon (RPD) with 
Juniper ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0047 (A persistent cross-site scripting vulnerability in the UI 
framework ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0046 (A reflected cross-site scripting vulnerability in OpenNMS 
included ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0045 (Receipt of a specific Draft-Rosen MVPN control packet may cause 
the ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0044 (An insecure SSHD configuration in Juniper Device Manager (JDM) 
and ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0043 (Receipt of a specific MPLS packet may cause the routing 
protocol ...)
-   TODO: check
+   NOT-FOR-US: Juniper
 CVE-2018-0042 (Juniper Networks CSO versions prior to 4.0.0 may log passwords 
in log ...)
NOT-FOR-US: Juniper Networks CSO
 CVE-2018-0041 (Juniper Networks Contrail Service Orchestration releases prior 
to ...)
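Review bot: CVE-2018-0046 is marked `NOT-FOR-US: Juniper` although its description names OpenNMS ("reflected cross-site scripting vulnerability in OpenNMS included ..."); the triage is presumably right because it concerns the OpenNMS bundled in a Juniper product, but the other NOT-FOR-US reasons on this page name the product concerned (e.g. `NOT-FOR-US: Juniper Networks CSO` for CVE-2018-0042), so say so here too, so that nobody re-checks it against a future OpenNMS packaging request.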
@@ -50906,7 +50907,7 @@ CVE-2017-16716 (A SQL Injection issue was discovered in 
WebAccess versions prior
 CVE-2017-16715 (An Information Exposure issue was discovered in Moxa NPort 
5110 Version ...)
NOT-FOR-US: Moxa
 CVE-2017-16714 (In Ice Qube Thermal Management Center versions prior to 
version 4.13, ...)
-   TODO: check
+   NOT-FOR-US: Ice Qube Thermal Management Center
 CVE-2017-16713
RESERVED
 CVE-2017-16712
@@ -53556,7 +53557,7 @@ CVE-2017-15846 (In the video_ioctl2() function in the 
camera driver in Android f
 CVE-2017-15845 (In Android for MSM, Firefox OS for MSM, QRD Android, with all 
Android ...)
NOT-FOR-US: Qualcomm components for Android
 CVE-2017-15844 (In all android releases (Android for MSM, Firefox OS for MSM, 
QRD ...)
-   TODO: chec

[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-5934/moin

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c91aea52 by Salvatore Bonaccorso at 2018-10-11T05:24:45Z
Add bug reference for CVE-2017-5934/moin

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -84015,7 +84015,7 @@ CVE-2017-5935
RESERVED
 CVE-2017-5934 [XSS in GUI editor related code]
RESERVED
-   - moin 
+   - moin  (bug #910776)
NOTE: 
https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024
 CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 
65.11, ...)
NOT-FOR-US: Citrix



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c91aea52e7409f031e7ddeec4ca13620fe753c8c


[Git][security-tracker-team/security-tracker][master] Add CVE-2017-5934/moin

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9fb4e6d2 by Salvatore Bonaccorso at 2018-10-11T04:49:15Z
Add CVE-2017-5934/moin

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -84013,8 +84013,10 @@ CVE-2016-10214 (Memory leak in the 
virgl_resource_attach_backing function in ...
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420266
 CVE-2017-5935
RESERVED
-CVE-2017-5934
+CVE-2017-5934 [XSS in GUI editor related code]
RESERVED
+   - moin 
+   NOTE: 
https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024
 CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 
65.11, ...)
NOT-FOR-US: Citrix
 CVE-2016-10213 (A10 AX1030 and possibly other devices with software before 
2.7.2-P8 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9fb4e6d273d58d52e6c3ff895050a91ff514448c


[Git][security-tracker-team/security-tracker][master] Two libgd2 issues fixed in unstable

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ffa02825 by Salvatore Bonaccorso at 2018-10-11T04:24:46Z
Two libgd2 issues fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6218,7 +6218,7 @@ CVE-2018-1000225 (Cobbler version Verified as present in 
Cobbler versions 2.6.11
 CVE-2018-1000224 (Godot Engine version All versions prior to 2.1.5, all 3.0 
versions ...)
NOT-FOR-US: Godot
 CVE-2018-1000222 (Libgd version 2.2.5 contains a Double Free Vulnerability 
vulnerability ...)
-   - libgd2  (low; bug #906886)
+   - libgd2 2.2.5-4.1 (low; bug #906886)
[stretch] - libgd2  (Minor issue, will be fixed via point 
release)
[jessie] - libgd2  (Minor issue)
NOTE: https://github.com/libgd/libgd/issues/447
@@ -33348,7 +33348,7 @@ CVE-2018-5711 (gd_gif_in.c in the GD Graphics Library 
(aka libgd), as used in PH
NOTE: Fixed in 5.6.33, 7.0.27, 7.1.13, 7.2.1
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75571
NOTE: https://hhvm.com/blog/2018/05/04/hhvm-3.25.3.html
-   - libgd2  (bug #887485)
+   - libgd2 2.2.5-4.1 (bug #887485)
[stretch] - libgd2  (Minor issue, will be fixed via point 
release)
[jessie] - libgd2  (Minor issue, can be fixed along in a 
future update)
NOTE: https://github.com/libgd/libgd/issues/420



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ffa028252414b33e478dbdc760b5d73e6eb82fff


[Git][security-tracker-team/security-tracker][master] 2 commits: Don't need to add specific reproducibility mentioning as triaged for all suites

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
730ae578 by Salvatore Bonaccorso at 2018-10-11T04:18:57Z
Don't need to add specific reproducibility mentioning as triaged for all 
suites

- - - - -
e6b2ea16 by Salvatore Bonaccorso at 2018-10-11T04:23:32Z
CVE-2018-14638 and CVE-2018-14624 for 389-ds-base addressed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4401,7 +4401,6 @@ CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk 
in Exiv2 v0.26 allows r
- exiv2 
NOTE: https://github.com/Exiv2/exiv2/issues/400
NOTE: 
https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d
-   NOTE: reproduced with ASAN build (on jessie) and POC file provided in 
GitHub issue
 CVE-2018-16335 (newoffsets handling in ChopUpSingleUncompressedStrip in 
tif_dirread.c ...)
- tiff  (bug #907795)
[stretch] - tiff  (Can be fixed along in future DSA)
@@ -8472,7 +8471,7 @@ CVE-2018-14640
 CVE-2018-14639
RESERVED
 CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The 
process ...)
-   - 389-ds-base  (bug #908859)
+   - 389-ds-base 1.4.0.18-1 (bug #908859)
[jessie] - 389-ds-base  (Vulnerable code not present)
NOTE: 
https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73
 CVE-2018-14637
@@ -8517,7 +8516,7 @@ CVE-2018-14625 (A flaw was found in the Linux Kernel 
where an attacker may be ab
NOTE: https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039
 CVE-2018-14624 (A vulnerability was discovered in 389-ds-base through versions 
...)
{DLA-1526-1}
-   - 389-ds-base  (bug #907778)
+   - 389-ds-base 1.4.0.18-1 (bug #907778)
NOTE: https://pagure.io/389-ds-base/issue/49937
NOTE: https://pagure.io/389-ds-base/c/8ff8cb850 (master)
NOTE: https://pagure.io/389-ds-base/c/c5e78249d (389-ds-base-1.3.8)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/16e32bce9234c363f773bdc13567c8e3a96a5a3b...e6b2ea1620617764082598ba13949d59a08c8adf


[Git][security-tracker-team/security-tracker][master] exiv2/CVE-2018-16336 change undetermined -> unfixed; reproduced on jessie and…

2018-10-10 Thread Roberto C. Sánchez
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16e32bce by Roberto C. Sánchez at 2018-10-11T04:10:18Z
exiv2/CVE-2018-16336 change undetermined -> unfixed; reproduced on jessie 
and affected code in stretch is identical

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4398,9 +4398,10 @@ CVE-2018-16338 (An issue was discovered in AuraCMS 2.3. 
There is a CSRF vulnerab
 CVE-2018-16337 (An issue was discovered in Cscms V4.1.8. There is a CSRF 
vulnerability ...)
NOT-FOR-US: Cscms
 CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows 
remote ...)
-   - exiv2 
+   - exiv2 
NOTE: https://github.com/Exiv2/exiv2/issues/400
NOTE: 
https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d
+   NOTE: reproduced with ASAN build (on jessie) and POC file provided in 
GitHub issue
 CVE-2018-16335 (newoffsets handling in ChopUpSingleUncompressedStrip in 
tif_dirread.c ...)
- tiff  (bug #907795)
[stretch] - tiff  (Can be fixed along in future DSA)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/16e32bce9234c363f773bdc13567c8e3a96a5a3b


[Git][security-tracker-team/security-tracker][master] CVE-2018-18074,requests: Mark issue as postponed for Jessie

2018-10-10 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74a411cf by Markus Koschany at 2018-10-10T22:20:06Z
CVE-2018-18074,requests: Mark issue as postponed for Jessie

This can be fixed later when a more important issue arises.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -299,6 +299,7 @@ CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the 
rpc.php parent_post_id
 CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for 
Python sends ...)
- requests  (low; bug #910766)
[stretch] - requests  (Minor issue)
+   [jessie] - requests  (Minor issue)
NOTE: https://github.com/requests/requests/issues/4716
NOTE: https://github.com/requests/requests/pull/4718
NOTE: 
https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/74a411cf2333d4b4a2b6ed944c32706551d3032c


[Git][security-tracker-team/security-tracker][master] CVE-2018-18020,qpdf: Mark as no-dsa for Jessie.

2018-10-10 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
10120ec1 by Markus Koschany at 2018-10-10T21:40:57Z
CVE-2018-18020,qpdf: Mark as no-dsa for Jessie.

Minor issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -458,6 +458,7 @@ CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 
allows remote attackers
- extplorer 
 CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, 
QPDFWriter::unparseObject and ...)
- qpdf 
+   [jessie] - qpdf  (Minor issue)
NOTE: https://github.com/qpdf/qpdf/issues/243
 CVE-2018-1000806
REJECTED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/10120ec1bfbebe46ebae562e1ca0a11776296a7f


[Git][security-tracker-team/security-tracker][master] Add paramiko to dla-needed.txt

2018-10-10 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
39890f94 by Markus Koschany at 2018-10-10T21:34:06Z
Add paramiko to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -56,6 +56,9 @@ openjdk-7 (Emilio Pozuelo)
 openjpeg2 (Hugo Lefeuvre)
   NOTE: 20180719: there is no patch available for the remaining CVEs
 --
+paramiko
+  NOTE: 20181010: Consider fixing no-dsa issue too. (apo)
+--
 phpldapadmin (Mike Gabriel)
   NOTE: 20180731: See 
https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already 
done
 --
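Review bot: the NOTE "Consider fixing no-dsa issue too" does not say which issue it means; name the CVE so the person who eventually prepares the DLA does not have to search the tracker for the paramiko entry that was marked no-dsa. The other entries in this file carry a claimer name in parentheses; if paramiko is deliberately left unclaimed, that is fine, but it is worth saying so in the NOTE.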



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/39890f94be5890a2e0d89519201e71b60efdf9d3


[Git][security-tracker-team/security-tracker][master] requests no-dsa

2018-10-10 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
719d3da6 by Moritz Muehlenhoff at 2018-10-10T21:27:43Z
requests no-dsa
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -297,7 +297,8 @@ CVE-2018-18076
 CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the rpc.php 
parent_post_id or ...)
NOT-FOR-US: WikidForum
 CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for 
Python sends ...)
-   - requests  (bug #910766)
+   - requests  (low; bug #910766)
+   [stretch] - requests  (Minor issue)
NOTE: https://github.com/requests/requests/issues/4716
NOTE: https://github.com/requests/requests/pull/4718
NOTE: 
https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
@@ -700,15 +701,15 @@ CVE-2018-17921
 CVE-2018-17920
RESERVED
 CVE-2018-17919 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye 
P2P Cloud ...)
-   TODO: check
+   NOT-FOR-US: P2P Cloud Server
 CVE-2018-17918
RESERVED
 CVE-2018-17917 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye 
P2P Cloud ...)
-   TODO: check
+   NOT-FOR-US: P2P Cloud Server
 CVE-2018-17916
RESERVED
 CVE-2018-17915 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye 
P2P Cloud ...)
-   TODO: check
+   NOT-FOR-US: P2P Cloud Server
 CVE-2018-17914
RESERVED
 CVE-2018-17913
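Review bot: `NOT-FOR-US: P2P Cloud Server` is too generic to tell later readers what was triaged; the three descriptions name "Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud", so use that (e.g. `NOT-FOR-US: Xiongmai XMeye P2P Cloud`), in line with the product-specific reasons used elsewhere in this commit (`NOT-FOR-US: Intel Baseboard Management Controller firmware`).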
@@ -6429,9 +6430,9 @@ CVE-2018-15545
 CVE-2018-15544
RESERVED
 CVE-2018-15543 (** DISPUTED ** An issue was discovered in the 
org.telegram.messenger ...)
-   TODO: check
+   NOT-FOR-US:  org.telegram.messenger for Android
 CVE-2018-15542 (** DISPUTED ** An issue was discovered in the 
org.telegram.messenger ...)
-   TODO: check
+   NOT-FOR-US:  org.telegram.messenger for Android
 CVE-2018-15541
RESERVED
 CVE-2018-15540
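Review bot: both added lines have a double space after the colon (`NOT-FOR-US:  org.telegram.messenger for Android`), while every other NOT-FOR-US line in this commit uses a single space; trim it for consistency.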
@@ -14899,9 +14900,9 @@ CVE-2018-12175 (Default install directory permissions 
in Intel Distribution for
 CVE-2018-12174
RESERVED
 CVE-2018-12173 (Insufficient access protection in firmware in Intel Server 
Board, ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2018-12172 (Improper password hashing in firmware in Intel Server Board 
...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2018-12171 (Privilege escalation in Intel Baseboard Management Controller 
(BMC) ...)
NOT-FOR-US: Intel Baseboard Management Controller firmware
 CVE-2018-12170
@@ -14929,7 +14930,7 @@ CVE-2018-12160 (DLL injection vulnerability in software 
installer for Intel Data
 CVE-2018-12159
RESERVED
 CVE-2018-12158 (Insufficient input validation in BIOS update utility in Intel 
NUC FW ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2018-12157
RESERVED
 CVE-2018-12156
@@ -14949,7 +14950,7 @@ CVE-2018-12150 (Escalation of privilege in Installer 
for Intel Extreme Tuning Ut
 CVE-2018-12149 (Buffer overflow in input handling in Intel Extreme Tuning 
Utility ...)
NOT-FOR-US: Intel
 CVE-2018-12148 (Privilege escalation in file permissions in Intel Driver and 
Support ...)
-   NOT-FOR-US: INtel
+   NOT-FOR-US: Intel
 CVE-2018-12147
RESERVED
 CVE-2018-12146
@@ -14983,7 +14984,7 @@ CVE-2018-12133
 CVE-2018-12132
RESERVED
 CVE-2018-12131 (Permissions in the driver pack installers for Intel NVMe 
before ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2018-12130
RESERVED
 CVE-2018-12129



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/719d3da6f79565ca4d5a33901c6812f98bf5b732


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-18074/requests

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5a62474 by Salvatore Bonaccorso at 2018-10-10T20:54:32Z
Add bug reference for CVE-2018-18074/requests

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -296,7 +296,7 @@ CVE-2018-18076
 CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the rpc.php 
parent_post_id or ...)
NOT-FOR-US: WikidForum
 CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for 
Python sends ...)
-   - requests 
+   - requests  (bug #910766)
NOTE: https://github.com/requests/requests/issues/4716
NOTE: https://github.com/requests/requests/pull/4718
NOTE: 
https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a5a6247489b88abc6489487076ab817ef8c565f8


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-18088/openjpeg2

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8756000c by Salvatore Bonaccorso at 2018-10-10T20:29:41Z
Add bug reference for CVE-2018-18088/openjpeg2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -267,7 +267,7 @@ CVE-2018-18090
 CVE-2018-18089
RESERVED
 CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer dereference for 
"red" in the ...)
-   - openjpeg2 
+   - openjpeg2  (bug #910763)
NOTE: https://github.com/uclouvain/openjpeg/issues/1152
 CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a 
logged-in user ...)
NOT-FOR-US: Bixie Portfolio plugin for Pagekit



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8756000c45d87261f2c68ff36055a38c6408a149


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1543-1 for gnulib

2018-10-10 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
04544cbd by Markus Koschany at 2018-10-10T20:11:26Z
Reserve DLA-1543-1 for gnulib

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[10 Oct 2018] DLA-1543-1 gnulib - security update
+   {CVE-2018-17942}
+   [jessie] - gnulib 20140202+stable-2+deb8u1
 [10 Oct 2018] DLA-1542-1 dnsruby - update
[jessie] - dnsruby 1.54-2+deb8u1
 [10 Oct 2018] DLA-1541-1 jekyll - security update


=
data/dla-needed.txt
=
@@ -24,8 +24,6 @@ firefox-esr (Emilio Pozuelo)
   NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 
goes EOL.
   NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need 
some work.
 --
-gnulib (Markus Koschany)
---
 gnutls28 (Antoine Beaupre)
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. 
(Chris Lamb)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/04544cbd7f4b0ebef31f38801929a622a817bc8b


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-1000805/paramiko

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
914e180d by Salvatore Bonaccorso at 2018-10-10T19:57:00Z
Add bug reference for CVE-2018-1000805/paramiko

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -324,7 +324,7 @@ CVE-2018-1000807 (Python Cryptographic Authority pyopenssl 
version prior to vers
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 
1.17.6 ...)
-   - paramiko 
+   - paramiko  (bug #910760)
NOTE: https://github.com/paramiko/paramiko/issues/1283
NOTE: 
https://github.com/paramiko/paramiko/commit/56c96a659658acdbb873aef8809a7b508434dcce
 CVE-2018-1000804 (contiki-ng version 4 contains a Buffer Overflow 
vulnerability in AQL ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/914e180d7d9a788ddadfde5195ee30cb4cebc936


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-18073/ghostscript

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cd9e47f by Salvatore Bonaccorso at 2018-10-10T19:30:13Z
Add bug reference for CVE-2018-18073/ghostscript

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -260,7 +260,7 @@ CVE-2018-18074 (The Requests package through 2.19.1 before 
2018-09-14 for Python
TODO: check
 CVE-2018-18073 [saved execution stacks can leak operator arrays]
RESERVED
-   - ghostscript 
+   - ghostscript  (bug #910758)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1690
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699927
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0cd9e47fe3f8068e16255b94580c3f3a642c1ebe


[Git][security-tracker-team/security-tracker][master] Update glassfish entry, removed from the archive

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83cc4e7f by Salvatore Bonaccorso at 2018-10-10T19:28:01Z
Update glassfish entry, removed from the archive

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -210700,7 +210700,7 @@ CVE-2012-3157 (Unspecified vulnerability in the 
Oracle FLEXCUBE Direct Banking .
 CVE-2012-3156 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
- mysql-5.5 5.5.28+dfsg-1 (bug #690778)
 CVE-2012-3155 (Unspecified vulnerability in the CORBA ORB component in Sun 
GlassFish ...)
-   - glassfish  (bug #692035)
+   - glassfish  (bug #692035)
[wheezy] - glassfish 
NOTE: Oracle doesn't provide any useful public information to fix the 
package without importing a new upstream version.
 CVE-2012-3154 (Unspecified vulnerability in the Oracle Agile PLM Framework 
component ...)
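Review bot: the removed and added lines render identically here (`- glassfish  (bug #692035)`), so the status change the commit message announces ("removed from the archive") is not visible in the diff; confirm the committed line carries the `<removed>` tag in place of the previous one, and consider extending the existing NOTE with the date of removal so the reason for the new status is recorded alongside it.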



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/83cc4e7f97a037149463576d1e6bb8c75baa4e25


[Git][security-tracker-team/security-tracker][master] Add upstream bug reference for CVE-2018-18073

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a240bd25 by Salvatore Bonaccorso at 2018-10-10T19:18:44Z
Add upstream bug reference for CVE-2018-18073

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -262,6 +262,7 @@ CVE-2018-18073 [saved execution stacks can leak operator 
arrays]
RESERVED
- ghostscript 
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1690
+   NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699927
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c
NOTE: https://www.openwall.com/lists/oss-security/2018/10/10/12
 CVE-2018-18072



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a240bd25472dc79354e2dce38c14922994ac6216


[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-17942,gnulib: Reference bug number

2018-10-10 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afa15090 by Markus Koschany at 2018-10-10T19:12:25Z
CVE-2018-17942,gnulib: Reference bug number

- - - - -
0ff22550 by Markus Koschany at 2018-10-10T19:12:47Z
Merge branch 'master' of 
salsa.debian.org:security-tracker-team/security-tracker

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -606,7 +606,7 @@ CVE-2018-17944
 CVE-2018-17943
RESERVED
 CVE-2018-17942 (The convert_to_decimal function in vasnprintf.c in Gnulib 
before ...)
-   - gnulib 
+   - gnulib  (bug #910757)
NOTE: pspp affecting bug: 
https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686
NOTE: 
https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html
NOTE: 
https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/36842dfaca1f41a78bc48bf2aa53bb36f50b640c...0ff22550a46beda9fa71f89a582dd3b6fdd75d85


[Git][security-tracker-team/security-tracker][master] Tentatively add for coordination one item to dsa-needed list

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4349db6 by Salvatore Bonaccorso at 2018-10-10T19:05:27Z
Tentatively add for coordination one item to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -20,7 +20,7 @@ asterisk
 --
 ceph
 --
-ghostscript
+ghostscript (carnil)
   Regression update: #909076, possibly #909929 (but see upstream issue),
   and #909957
   Regression #90 seems to not affect stretch, but needs double-check
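
Review bot: the third NOTE line reads "Regression #90 seems to not affect stretch, but needs double-check", and "#90" looks like a truncated bug number next to the six-digit references #909076, #909929 and #909957 on the lines above; complete it (or drop the line) before anyone acts on this entry, because the requested double-check cannot be carried out without the full number.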



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4349db63608a7323654a0dc8f21199241a65f7b


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-18073/ghostscript

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8fb74e81 by Salvatore Bonaccorso at 2018-10-10T19:04:31Z
Add CVE-2018-18073/ghostscript

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -258,8 +258,12 @@ CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the 
rpc.php parent_post_id
NOT-FOR-US: WikidForum
 CVE-2018-18074 (The Requests package through 2.19.1 before 2018-09-14 for 
Python sends ...)
TODO: check
-CVE-2018-18073
+CVE-2018-18073 [saved execution stacks can leak operator arrays]
RESERVED
+   - ghostscript 
+   NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1690
+   NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c
+   NOTE: https://www.openwall.com/lists/oss-security/2018/10/10/12
 CVE-2018-18072
RESERVED
 CVE-2018-18071 (An issue was discovered in the Daimler Mercedes-Benz Me app 
2.11.0-846 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8fb74e815c4ddc42cf94411df8f612568189f075


[Git][security-tracker-team/security-tracker][master] Track fix for CVE-2017-18208 in jessie

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0cbcb85 by Salvatore Bonaccorso at 2018-10-10T14:46:01Z
Track fix for CVE-2017-18208 in jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26979,7 +26979,7 @@ CVE-2018-7568 (The parse_die function in dwarf1.c in 
the Binary File Descriptor
 CVE-2017-18208 (The madvise_willneed function in mm/madvise.c in the Linux 
kernel ...)
- linux 4.14.7-1
[stretch] - linux 4.9.80-1
-   [jessie] - linux  (Only affects ARM with XIP enabled)
+   [jessie] - linux 3.16.57-1
[wheezy] - linux  (Only affects ARM with XIP enabled)
NOTE: Fixed by: 
https://git.kernel.org/linus/6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91
 CVE-2017-18207 (** DISPUTED ** The Wave_read._read_fmt_chunk function in 
Lib/wave.py ...)
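
Review bot: the jessie line now carries a fixed version (3.16.57-1) in place of the "(Only affects ARM with XIP enabled)" annotation that the wheezy line still has; that is correct if 3.16.57-1 contains the upstream commit in the "Fixed by" NOTE line, but the reason jessie was previously treated as low impact is no longer recorded on the jessie line itself, so a reader comparing the two suites has to infer it from the wheezy entry.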



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0cbcb8566e07494a80e9eb94b9c4925559d377f


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1541-1 for jekyll

2018-10-10 Thread Abhijith PA
Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff8fc05c by Abhijith PA at 2018-10-10T14:09:00Z
Reserve DLA-1541-1 for jekyll

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[10 Oct 2018] DLA-1541-1 jekyll - security update
+   {CVE-2018-17567}
+   [jessie] - jekyll 2.2.0+dfsg-2+deb8u1
 [09 Oct 2018] DLA-1540-1 net-snmp - security update
{CVE-2018-18065}
[jessie] - net-snmp 5.7.2.1+dfsg-1+deb8u2


=
data/dla-needed.txt
=
@@ -29,8 +29,6 @@ gnulib (Markus Koschany)
 gnutls28 (Antoine Beaupre)
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. 
(Chris Lamb)
 --
-jekyll (Abhijith PA)
---
 libav (Hugo Lefeuvre)
   NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, 
but encountered personal issues and had to stop.
   NOTE: 20180118: It is unlikely that he will start again in the next weeks.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff8fc05c6c6b371c2b336ca278b69963850b1e33


[Git][security-tracker-team/security-tracker][master] Record one CVE which will be fixed in stretch-pu

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8649fb0b by Salvatore Bonaccorso at 2018-10-10T13:25:31Z
Record one CVE which will be fixed in stretch-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -98,3 +98,5 @@ CVE-2018-14599
[stretch] - libx11 2:1.6.4-3+deb9u1
 CVE-2018-14600
[stretch] - libx11 2:1.6.4-3+deb9u1
+CVE-2018-13406
+   [stretch] - linux 4.9.130-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8649fb0baa25e8c33b6a951560dbb138b2fe1905


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cf78bf81 by Salvatore Bonaccorso at 2018-10-10T08:24:25Z
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,15 +1,15 @@
 CVE-2018-18203
RESERVED
 CVE-2018-18202 (The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 
7.10.1.20.0 ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2018-18201 (qibosoft V7.0 allows CSRF via ...)
TODO: check
 CVE-2018-18200 (There is a SQL injection in Benutzerverwaltung in REDAXO 
before 5.6.4. ...)
-   TODO: check
+   NOT-FOR-US: REDAXO
 CVE-2018-18199 (Mediamanager in REDAXO before 5.6.4 has XSS. ...)
-   TODO: check
+   NOT-FOR-US: REDAXO
 CVE-2018-18198 (The $opener_input_field variable in 
addons/mediapool/pages/index.php in ...)
-   TODO: check
+   NOT-FOR-US: REDAXO
 CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator 
new[] ...)
TODO: check
 CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based 
buffer ...)
@@ -23,7 +23,7 @@ CVE-2018-18193 (An issue was discovered in libgig 4.1.0. 
There is operator new[]
 CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL 
pointer ...)
TODO: check
 CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: FineCms
 CVE-2018-18190 (An issue was discovered in GoPro gpmf-parser before 1.2.1. 
There is a ...)
TODO: check
 CVE-2018-18189
@@ -233,7 +233,7 @@ CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer 
dereference for "red"
 CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a 
logged-in user ...)
TODO: check
 CVE-2018-18086 (EmpireCMS v7.5 has an arbitrary file upload vulnerability in 
the ...)
-   TODO: check
+   NOT-FOR-US: EmpireCMS
 CVE-2018-18085
RESERVED
 CVE-2018-18084 (An issue was discovered in DuomiCMS 3.0. SQL injection exists 
in the ...)
@@ -767,7 +767,7 @@ CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the 
Port Forwarding ...)
 CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices 
allows remote ...)
NOT-FOR-US: DASAN H660GW device
 CVE-2018-17866 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
-   TODO: check
+   NOT-FOR-US: "Ultimate Member - User Profile & Membership" plugin for 
WordPress
 CVE-2018-17865
RESERVED
 CVE-2018-17864
@@ -781,15 +781,15 @@ CVE-2018-17861
 CVE-2018-17860
RESERVED
 CVE-2018-17859 (An issue was discovered in Joomla! before 3.8.13. Inadequate 
checks in ...)
-   TODO: check
+   NOT-FOR-US: Joomla!
 CVE-2018-17858 (An issue was discovered in Joomla! before 3.8.13. 
com_installer actions ...)
-   TODO: check
+   NOT-FOR-US: Joomla!
 CVE-2018-17857 (An issue was discovered in Joomla! before 3.8.13. Inadequate 
checks on ...)
-   TODO: check
+   NOT-FOR-US: Joomla!
 CVE-2018-17856 (An issue was discovered in Joomla! before 3.8.13. 
com_joomlaupdate ...)
-   TODO: check
+   NOT-FOR-US: Joomla!
 CVE-2018-17855 (An issue was discovered in Joomla! before 3.8.13. If an 
attacker gets ...)
-   TODO: check
+   NOT-FOR-US: Joomla!
 CVE-2015-9271 (The VideoWhisper videowhisper-video-conference-integration 
plugin ...)
NOT-FOR-US: WordPress plugin videowhisper-video-conference-integration
 CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for 
...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf78bf81c61a933ba1787635b0713ccc65615338


[Git][security-tracker-team/security-tracker][master] automatic update

2018-10-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
56f1cc3f by security tracker role at 2018-10-10T08:10:55Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,33 @@
+CVE-2018-18203
+   RESERVED
+CVE-2018-18202 (The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 
7.10.1.20.0 ...)
+   TODO: check
+CVE-2018-18201 (qibosoft V7.0 allows CSRF via ...)
+   TODO: check
+CVE-2018-18200 (There is a SQL injection in Benutzerverwaltung in REDAXO 
before 5.6.4. ...)
+   TODO: check
+CVE-2018-18199 (Mediamanager in REDAXO before 5.6.4 has XSS. ...)
+   TODO: check
+CVE-2018-18198 (The $opener_input_field variable in 
addons/mediapool/pages/index.php in ...)
+   TODO: check
+CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator 
new[] ...)
+   TODO: check
+CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based 
buffer ...)
+   TODO: check
+CVE-2018-18195 (An issue discovered in libgig 4.1.0. There is an FPE 
(divide-by-zero ...)
+   TODO: check
+CVE-2018-18194 (An issue was discovered in libgig 4.1.0. There is a heap-based 
buffer ...)
+   TODO: check
+CVE-2018-18193 (An issue was discovered in libgig 4.1.0. There is operator 
new[] ...)
+   TODO: check
+CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL 
pointer ...)
+   TODO: check
+CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in ...)
+   TODO: check
+CVE-2018-18190 (An issue was discovered in GoPro gpmf-parser before 1.2.1. 
There is a ...)
+   TODO: check
+CVE-2018-18189
+   RESERVED
 CVE-2018-18188
RESERVED
 CVE-2018-18187
@@ -198,12 +228,12 @@ CVE-2018-18090
RESERVED
 CVE-2018-18089
RESERVED
-CVE-2018-18088
-   RESERVED
-CVE-2018-18087
-   RESERVED
-CVE-2018-18086
-   RESERVED
+CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer dereference for 
"red" in the ...)
+   TODO: check
+CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a 
logged-in user ...)
+   TODO: check
+CVE-2018-18086 (EmpireCMS v7.5 has an arbitrary file upload vulnerability in 
the ...)
+   TODO: check
 CVE-2018-18085
RESERVED
 CVE-2018-18084 (An issue was discovered in DuomiCMS 3.0. SQL injection exists 
in the ...)
@@ -250,6 +280,7 @@ CVE-2018-18066 (snmp_oid_compare in snmplib/snmp_api.c in 
Net-SNMP before 5.8 ha
NOTE: issue, but might still not be just a duplicate but an independent 
issue fixed with
NOTE: same commit.
 CVE-2018-18065 (_set_key in agent/helpers/table_container.c in Net-SNMP before 
5.8 has ...)
+   {DLA-1540-1}
- net-snmp  (bug #910638)
NOTE: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos
NOTE: 
https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/
@@ -516,13 +547,11 @@ CVE-2018-17965 (ImageMagick 7.0.7-28 has a memory leak 
vulnerability in WriteSGI
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1052
 CVE-2018-17964
RESERVED
-CVE-2018-17963 [net: ignore packets with large size]
-   RESERVED
+CVE-2018-17963 (qemu_deliver_packet_iov in net/net.c in Qemu accepts packet 
sizes ...)
- qemu 
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03267.html
-CVE-2018-17962 [pcnet: integer overflow leads to buffer overflow]
-   RESERVED
+CVE-2018-17962 (Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c 
because ...)
- qemu 
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03268.html
@@ -537,8 +566,7 @@ CVE-2018-17960
RESERVED
 CVE-2018-17959
RESERVED
-CVE-2018-17958 [rtl8139: integer overflow leads to buffer overflow]
-   RESERVED
+CVE-2018-17958 (Qemu has a Buffer Overflow in rtl8139_do_receive in 
hw/net/rtl8139.c ...)
- qemu 
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html
@@ -738,8 +766,8 @@ CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the 
Port Forwarding ...)
NOT-FOR-US: DASAN H660GW devices
 CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices 
allows remote ...)
NOT-FOR-US: DASAN H660GW device
-CVE-2018-17866
-   RESERVED
+CVE-2018-17866 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
+   TODO: check
 CVE-2018-17865
RESERVED
 CVE-2018-17864
@@ -752,16 +780,16 @@ CVE-2018-17861
RESERVED
 CVE-2018-17860
RESERVED
-CVE-2018-17859
-   RESERVED
-CVE-2018-17858
-   RESERVED
-CVE-2018-17857
-   RESERVED
-CVE-2018-17856
-   RESERVED
-CVE-2018-17855
-   RESERVED
+CVE-2018-17859 (An issue was discovered in Joomla! before 3.8.13. Inadequate 
checks in ...)
+   TODO: check
+CVE-2018-

[Git][security-tracker-team/security-tracker][master] - imagemagick triage

2018-10-10 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f31208ad by Moritz Muehlenhoff at 2018-10-10T07:02:13Z
- imagemagick triage
- remove exiv commit reference,
  https://github.com/Exiv2/exiv2/commit/74cb5bab132ed76adf15df172c5e8b58cddaa96c
  refers to https://github.com/Exiv2/exiv2/issues/76 which itself refers to
  https://bugzilla.redhat.com/show_bug.cgi?id=1495043, not 1577319

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -361,7 +361,8 @@ CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a 
heap-based buffer over-r
- imagemagick 
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335
 CVE-2018-18024 (In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the 
...)
-   - imagemagick 
+   - imagemagick  (low)
+   [stretch] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1337
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/948f1c86d649a29df08a38d2ff8b91cdf3e92b82
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/b268ce7a59440972f4476b9fd98104b6a836d971
@@ -3253,7 +3254,8 @@ CVE-2018-16750 (In ImageMagick 7.0.7-29 and earlier, a 
memory leak in the ...)
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/359331c61193138ce2b85331df25235b81499cfc
 CVE-2018-16749 (In ImageMagick 7.0.7-29 and earlier, a missing NULL check in 
...)
{DLA-1530-1}
-   - imagemagick 8:6.9.10.2+dfsg-2
+   - imagemagick 8:6.9.10.2+dfsg-2 (low)
+   [stretch] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1119
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/1007b98f8795ad4bea6bc5f68a32d83e982fdae4
 CVE-2018-16748
@@ -3518,7 +3520,8 @@ CVE-2018-16644 (There is a missing check for length in 
the functions ReadDCMImag
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1269
 CVE-2018-16643 (The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in 
...)
{DLA-1530-1}
-   - imagemagick 8:6.9.10.8+dfsg-1
+   - imagemagick 8:6.9.10.8+dfsg-1 (low)
+   [stretch] - imagemagick  (Minor issue)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/6b6bff054d569a77973f2140c0e86366e6168a6c
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/11d9dac3d991c62289d1ef7a097670166480e76c
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1199
@@ -18690,7 +18693,6 @@ CVE-2018-10780 (Exiv2::Image::byteSwap2 in image.cpp in 
Exiv2 0.26 has a heap-ba
- exiv2 
[jessie] - exiv2  (Vulnerable code not present; image 
format not supported)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575201
-   NOTE: Fixed by upstream commit 
https://github.com/Exiv2/exiv2/commit/74cb5bab132ed76adf15df172c5e8b58cddaa96c
TODO: check, there is same function in byteSwap2 in earlier versions 
than 0.26
 CVE-2018-10779 (TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a 
heap-based ...)
- tiff 4.0.6-3 (bug #898359)
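
Review bot: the commit message justifies dropping the "Fixed by upstream commit" line by saying the exiv2 commit refers to issue 76 and thus to https://bugzilla.redhat.com/show_bug.cgi?id=1495043 "not 1577319", but the CVE-2018-10780 entry's own NOTE line cites bug 1575201, not 1577319; either the commit message names the wrong bug id or the comparison was made against a different entry, so it is worth confirming that the removed commit reference really does not belong to CVE-2018-10780 before the remaining "TODO: check" on byteSwap2 in versions before 0.26 is resolved.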



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f31208ad76f289526e4fb2129818e449b4d1c913
