[Git][security-tracker-team/security-tracker][master] Add information for CVE-2018-11796/tika
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b7b3f20b by Salvatore Bonaccorso at 2018-10-15T06:13:49Z Add information for CVE-2018-11796/tika - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16177,7 +16177,10 @@ CVE-2018-11797 (In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a caref NOTE: https://svn.apache.org/r1842131 (branch 2.0) NOTE: https://svn.apache.org/r1842278 (branch 1.8) CVE-2018-11796 (In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion ...) - TODO: check + - tika (Incomplete fix for CVE-2018-11761 not applied) + NOTE: https://lists.apache.org/thread.html/88de8350cda9b184888ec294c813c5bd8a2081de8fd3666f8904bc05@%3Cdev.tika.apache.org%3E + NOTE: https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2727 + NOTE: https://github.com/apache/tika/commit/86d4ba1e CVE-2018-11795 RESERVED CVE-2018-11794 @@ -16278,6 +16281,8 @@ CVE-2018-11761 (In Apache Tika 0.1 to 1.18, the XML parsers were not configured - tika [jessie] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/4 + NOTE: When fixing this issue the fix needs to be made complete to not open + NOTE: CVE-2018-11796. CVE-2018-11760 RESERVED CVE-2018-11759 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b7b3f20b2060562916837a24c30678aea5dbdf60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b7b3f20b2060562916837a24c30678aea5dbdf60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
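Review bot: the new CVE-2018-11796 entry in the first hunk has no [jessie] line, while the related CVE-2018-11761 entry in the second hunk carries "[jessie] - tika (Minor issue)"; since 11796 is the incomplete-fix follow-up to 11761, the jessie status of the two entries should be triaged together (either add a matching [jessie] line for 11796 or say in a NOTE why it differs), otherwise the tracker will show one issue postponed and the other open for the same code.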
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: cc5c3a11 by Henri Salo at 2018-10-15T06:08:03Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2018-18289 +NOT-FOR-US: Zabbix Plugin for Confluence CVE-2018-18288 RESERVED CVE-2018-18287 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc5c3a1145a90384984fcfcab9ec610ccd87c8c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc5c3a1145a90384984fcfcab9ec610ccd87c8c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb603244 by security tracker role at 2018-10-14T20:11:24Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2018-18288 + RESERVED +CVE-2018-18287 + RESERVED CVE-2018-18286 RESERVED CVE-2018-18285 @@ -4078,14 +4082,14 @@ CVE-2018-16588 (Privilege escalation can occur in the SUSE useradd.c code in use NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1106914 NOTE: The SUSE specific patch was a first iteration of https://github.com/shadow-maint/shadow/pull/2 CVE-2018-16587 (In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before ...) - {DLA-1521-1} + {DSA-4317-1 DLA-1521-1} - otrs2 6.0.11-1 NOTE: https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711 NOTE: OTRS 4: https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843 CVE-2018-16586 (In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before ...) - {DLA-1521-1} + {DSA-4317-1 DLA-1521-1} - otrs2 6.0.11-1 NOTE: https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963 @@ -9006,7 +9010,7 @@ CVE-2018-14595 CVE-2018-14594 RESERVED CVE-2018-14593 (An issue was discovered in Open Ticket Request System (OTRS) 6.0.x ...) - {DLA-1473-1} + {DSA-4317-1 DLA-1473-1} - otrs2 6.0.10-1 NOTE: https://community.otrs.com/security-advisory-2018-03-security-update-for-otrs-framework/ NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/57cda14db8fdbcbfb8cabb32d85fbc89fde48c62 
@@ -16195,6 +16199,7 @@ CVE-2018-11786 (In Apache Karaf prior to 4.2.0 release, if the sshd service in K CVE-2018-11785 RESERVED CVE-2018-11784 (When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, ...) + {DLA-1544-1} - tomcat9 (bug #802312) - tomcat8 8.5.34-1 - tomcat8.0 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb603244134262dba523860cd5967e42d1a3f1fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb603244134262dba523860cd5967e42d1a3f1fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
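Review bot: in the last hunk, {DLA-1544-1} is added to CVE-2018-11784, but the visible context lists only tomcat9, tomcat8 and tomcat8.0; DLA-1544-1 is reserved for tomcat7 (see the DLA/list entry in this batch), so confirm that a "- tomcat7 ..." line with the fixed jessie version follows below the shown context, otherwise the advisory reference has no package line to resolve against.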
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage imagemagick for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b48aa5dc by Markus Koschany at 2018-10-14T19:55:05Z Triage imagemagick for Jessie. - - - - - 2a1a767f by Markus Koschany at 2018-10-14T19:55:29Z Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -764,12 +764,14 @@ CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-r CVE-2018-18024 (In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the ...) - imagemagick (low) [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1337 NOTE: https://github.com/ImageMagick/ImageMagick/commit/948f1c86d649a29df08a38d2ff8b91cdf3e92b82 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/b268ce7a59440972f4476b9fd98104b6a836d971 CVE-2018-18023 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in ...) - imagemagick [stretch] - imagemagick (Vulnerable code not present) + [jessie] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1336 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5d71e23b853461dd3628cd1218834fcf13938365 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a5db4873626f702d2ddd8bc293573493e0a412c0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6526309ed859686fa19469392830f0221460c96b...2a1a767fc6ea89ff867fff49d5dca3f676258c11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6526309ed859686fa19469392830f0221460c96b...2a1a767fc6ea89ff867fff49d5dca3f676258c11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6526309e by Moritz Muehlenhoff at 2018-10-14T19:12:47Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,7 @@ CVE-2018-18284 CVE-2018-18283 RESERVED CVE-2018-18282 (Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. ...) - TODO: check + NOT-FOR-US: Next.js CVE-2018-18281 RESERVED CVE-2018-18280 @@ -23,7 +23,7 @@ CVE-2018-18276 CVE-2018-18275 RESERVED CVE-2018-18274 (A issue was found in pdfalto 0.2. There is a heap-based buffer overflow ...) - TODO: check + NOT-FOR-US: pdfalto CVE-2018-18273 RESERVED CVE-2018-18272 @@ -5012,7 +5012,7 @@ CVE-2018-16212 CVE-2018-16211 RESERVED CVE-2018-16210 (WAGO 750-881 Ethernet Controller devices, versions 01.09.18(13) and ...) - TODO: check + NOT-FOR-US: WAGO CVE-2018-16209 RESERVED CVE-2018-16208 @@ -6199,7 +6199,7 @@ CVE-2018-15757 CVE-2018-15756 RESERVED CVE-2018-15755 (Cloud Foundry CF Networking Release, versions 2.11.0 prior to 2.16.0, ...) - TODO: check + NOT-FOR-US: Cloud Foundry CVE-2018-15754 RESERVED CVE-2018-15753 (An issue was discovered in the MensaMax (aka com.breustedt.mensamax) ...) @@ -16026,9 +16026,9 @@ CVE-2018-11829 CVE-2018-11828 RESERVED CVE-2018-11827 (In all android releases (Android for MSM, Firefox OS for MSM, QRD ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-11826 (In all android releases (Android for MSM, Firefox OS for MSM, QRD ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-11825 RESERVED CVE-2018-11824 
@@ -20742,7 +20742,7 @@ CVE-2018-10143 CVE-2018-10142 RESERVED CVE-2018-10141 (GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before ...) - TODO: check + NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2018-10140 (The PAN-OS Management Web Interface in Palo Alto Networks PAN-OS 8.1.2 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2018-10139 (The PAN-OS response for GlobalProtect Gateway in Palo Alto Networks ...) @@ -23903,7 +23903,7 @@ CVE-2018-8892 CVE-2018-8891 RESERVED CVE-2018-8890 (An information disclosure vulnerability in the Management Console of ...) - TODO: check + NOT-FOR-US: BlackBerry CVE-2018-8889 (A directory traversal vulnerability in the Connect Service of the ...) NOT-FOR-US: BlackBerry CVE-2018- @@ -30122,7 +30122,7 @@ CVE-2018-6684 CVE-2018-6683 (Exploiting Incorrectly Configured Access Control Security Levels ...) NOT-FOR-US: McAfee CVE-2018-6682 (Cross Site Scripting Exposure in McAfee True Key (TK) 4.0.0.0 and ...) - TODO: check + NOT-FOR-US: McAfee CVE-2018-6681 (Abuse of Functionality vulnerability in the web interface in McAfee ...) NOT-FOR-US: McAfee CVE-2018-6680 
@@ -30861,17 +30861,17 @@ CVE-2018-6507 CVE-2018-6506 (Cross-Site Scripting (XSS) exists in the Add Forum feature in the ...) NOT-FOR-US: miniBB CVE-2018-6505 (A potential Unauthenticated File Download vulnerability has been ...) - TODO: check + NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6504 (A potential Cross-Site Request Forgery (CSRF) vulnerability has been ...) - TODO: check + NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6503 (A potential Access Control vulnerability has been identified in ...) - TODO: check + NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6502 (A potential Reflected Cross-Site Scripting (XSS) Security ...) - TODO: check + NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6501 (Potential security vulnerability of Insufficient Access Controls has ...) - TODO: check + NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6500 (A potential Directory Traversal Security vulnerability has been ...) - TODO: check + NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6499 (Remote Code Execution in the following products Hybrid Cloud ...) NOT-FOR-US: Hybrid Cloud Management Containerized Suite CVE-2018-6498 (Remote Code Execution in the following products Hybrid Cloud ...) @@ -31604,9 +31604,9 @@ CVE-2018-6264 CVE-2018-6263 RESERVED CVE-2018-6262 (NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when ...) - TODO: check + NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6261 (NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when ...) - TODO: check + NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6260 RESERVED CVE-2018-6259 (NVIDIA GeForce Experience all versions prior to 3.14.1 contains a ...) @@ -32998,7 +32998,7 @@ CVE-2018-5923 CVE-2018-5922
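Review bot: the final hunk header "@@ -32998,7 +32998,7 @@ CVE-2018-5923 CVE-2018-5922" is not followed by its body in this notification, so the change it carries cannot be reviewed here; the commit on GitLab should be checked for that last hunk.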
[Git][security-tracker-team/security-tracker][master] CVE-2018-17795,tiff: Mark issue as postponed for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 96e1ee8a by Markus Koschany at 2018-10-14T19:02:42Z CVE-2018-17795,tiff: Mark issue as postponed for Jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1297,6 +1297,7 @@ CVE-2018-17796 (An issue was discovered in MRCMS (aka mushroom) through 3.1.2. T NOT-FOR-US: MRCMS CVE-2018-17795 (The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote ...) - tiff + [jessie] - tiff (possibly a duplicate, can be revisited later) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2816 NOTE: Seems like duplicate. Waiting info from reporter View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/96e1ee8aabf7c34ba2ce9d32f4cb6e69e9ce64eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/96e1ee8aabf7c34ba2ce9d32f4cb6e69e9ce64eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
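Review bot: the added "[jessie] - tiff (possibly a duplicate, can be revisited later)" line postpones the issue for jessie only, while the NOTE "Seems like duplicate. Waiting info from reporter" suggests the duplicate question applies to every suite; if the reporter confirms a duplicate, the whole entry should be re-marked (and the NOTE should name the CVE it duplicates) rather than leaving jessie postponed and the other suites open.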
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim moin and mono in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b9cbbccb by Markus Koschany at 2018-10-14T18:58:43Z Claim moin and mono in dla-needed.txt - - - - - 69883723 by Markus Koschany at 2018-10-14T18:59:31Z Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,6 +51,10 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- +moin (Markus Koschany) +-- +mono (Markus Koschany) +-- mysql-5.5 (Emilio Pozuelo) -- nsis View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/699c06133e602d603b916bdd138ada05f74db61e...698837232507bd8e624a54ee220fa6571a97c499 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/699c06133e602d603b916bdd138ada05f74db61e...698837232507bd8e624a54ee220fa6571a97c499 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] otrs DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 699c0613 by Moritz Muehlenhoff at 2018-10-14T18:58:33Z otrs DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[14 Oct 2018] DSA-4317-1 otrs2 - security update + {CVE-2018-14593 CVE-2018-16586 CVE-2018-16587} + [stretch] - otrs2 5.0.16-1+deb9u6 [12 Oct 2018] DSA-4316-1 imagemagick - security update {CVE-2018-16412 CVE-2018-16413 CVE-2018-16642 CVE-2018-16644 CVE-2018-16645} [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u6 = data/dsa-needed.txt = @@ -61,9 +61,6 @@ mupdf -- openjpeg2 (luciano) -- -otrs2 (jmm) - Maintainer submitted debdiff for reviewe --- passenger -- php7.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/699c06133e602d603b916bdd138ada05f74db61e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/699c06133e602d603b916bdd138ada05f74db61e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Revert "Triage firmware-nonfree for Jessie."
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 01d79dd0 by Markus Koschany at 2018-10-14T18:48:36Z Revert "Triage firmware-nonfree for Jessie." This reverts commit 744ef2d45a425bb5819b28196a349aaa599c6784. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61779,14 +61779,12 @@ CVE-2017-13081 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) - [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13080 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1200-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) - [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 - linux 4.13.13-1 [stretch] - linux 4.9.65-1 
@@ -61797,21 +61795,18 @@ CVE-2017-13079 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) - [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13078 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) - [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13077 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) - [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13076 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01d79dd0a6c3bc1420f9425cb3ee6133442d9e68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01d79dd0a6c3bc1420f9425cb3ee6133442d9e68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage firmware-nonfree for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 744ef2d4 by Markus Koschany at 2018-10-14T18:43:27Z Triage firmware-nonfree for Jessie. Non-free is not supported. - - - - - 70aa5a6c by Markus Koschany at 2018-10-14T18:47:28Z Add firmware-nonfree to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -61779,12 +61779,14 @@ CVE-2017-13081 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) + [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13080 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1200-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) + [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 - linux 4.13.13-1 [stretch] - linux 4.9.65-1 
@@ -61795,18 +61797,21 @@ CVE-2017-13079 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) + [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13078 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) + [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13077 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree (non-free not supported) + [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13076 = data/dla-needed.txt = 
@@ -24,6 +24,10 @@ firefox-esr (Emilio Pozuelo) NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL. NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work. -- +firmware-nonfree + NOTE: Perhaps this should be handled by or at least coordinated with Ben + NOTE: Hutchings. The stretch-pu might be a good place to start the update. +-- ghostscript (Markus Koschany) -- gnutls28 (Antoine Beaupre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/921cb236033478690730f9f08452c62ebba63a38...70aa5a6cdc04b5a427261f654dbd68d7ff4fcc40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/921cb236033478690730f9f08452c62ebba63a38...70aa5a6cdc04b5a427261f654dbd68d7ff4fcc40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
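Review bot: in the dla-needed.txt hunk the new firmware-nonfree entry has no claimant and its NOTE lines lack the "YYYYMMDD:" date prefix used by the neighbouring firefox-esr notes ("NOTE: 20180525: ..."); add the date so it is clear when the suggestion to coordinate with Ben Hutchings was made. In the CVE/list hunks, the "[jessie] - firmware-nonfree (non-free not supported)" lines mirror the existing stretch lines, which sits oddly with adding the package to dla-needed.txt in the same push: either jessie is unsupported for non-free (then the dla-needed entry is unnecessary) or an update is planned (then the not-supported tag is wrong).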
[Git][security-tracker-team/security-tracker][master] Claim tomcat in dla-needed.txt as discussed with Roberto via private email.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 921cb236 by Markus Koschany at 2018-10-14T18:17:08Z Claim tomcat in dla-needed.txt as discussed with Roberto via private email. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ symfony (Thorsten Alteholz) -- thunderbird (Emilio Pozuelo) -- -tomcat8 (Roberto C. Sánchez) +tomcat8 (Markus Koschany) -- wireshark (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/921cb236033478690730f9f08452c62ebba63a38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/921cb236033478690730f9f08452c62ebba63a38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1544-1 for tomcat7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c717e67 by Markus Koschany at 2018-10-14T18:16:49Z Reserve DLA-1544-1 for tomcat7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Oct 2018] DLA-1544-1 tomcat7 - security update + {CVE-2018-11784} + [jessie] - tomcat7 7.0.56-3+really7.0.91-1 [10 Oct 2018] DLA-1543-1 gnulib - security update {CVE-2018-17942} [jessie] - gnulib 20140202+stable-2+deb8u1 = data/dla-needed.txt = @@ -84,8 +84,6 @@ symfony (Thorsten Alteholz) -- thunderbird (Emilio Pozuelo) -- -tomcat7 (Roberto C. Sánchez) --- tomcat8 (Roberto C. Sánchez) -- wireshark (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c717e6700963c5b81c8e98ad9946fcb4c3e610e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c717e6700963c5b81c8e98ad9946fcb4c3e610e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-10780/exiv2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6993ba17 by Salvatore Bonaccorso at 2018-10-14T17:17:54Z Update information on CVE-2018-10780/exiv2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19116,12 +19116,14 @@ CVE-2018-10782 CVE-2018-10781 RESERVED CVE-2018-10780 (Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based ...) - - exiv2 - [jessie] - exiv2 (Vulnerable code not present; image format not supported) + [experimental] - exiv2 + - exiv2 (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575201 - NOTE: Fixed by upstream commit https://github.com/Exiv2/exiv2/commit/74cb5bab132ed76adf15df172c5e8b58cddaa96c - NOTE: The upstream commit was identified by starting at tag v0.26 and bisecting - TODO: check, there is same function in byteSwap2 in earlier versions than 0.26 + NOTE: Commit https://github.com/Exiv2/exiv2/commit/74cb5bab132ed76adf15df172c5e8b58cddaa96c + NOTE: adresses an overflow, but not solving the invalid write of size 1 via + NOTE: Exiv2::Image::printIFDStructure. + NOTE: Commit https://github.com/Exiv2/exiv2/commit/8ff26931e31bb25d66c69846f47f3f5b6d9a32f1 + NOTE: avoids using Image::printStructure() when reading images. CVE-2018-10779 (TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based ...) - tiff 4.0.6-3 (bug #898359) [jessie] - tiff 4.0.3-12.3+deb8u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6993ba175e156cb706b8c9e20fd434d2517e6ea7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6993ba175e156cb706b8c9e20fd434d2517e6ea7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
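Review bot: the added NOTE lines carry a typo ("adresses" should be "addresses") and "but not solving the invalid write" reads better as "but does not fix the invalid write". Also, marking unstable as "Vulnerable code introduced later" while keeping "[experimental] - exiv2" open would be easier to verify if the NOTE named the upstream change or version that introduced Exiv2::Image::printIFDStructure, as is done with "Introduced in:" for the other exiv2 entries in this batch.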
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-17229/CVE-2018-17230 in exiv2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fb0cae0 by Salvatore Bonaccorso at 2018-10-14T12:47:00Z Update information on CVE-2018-17229/CVE-2018-17230 in exiv2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2536,11 +2536,23 @@ CVE-2018-17231 (** DISPUTED ** Telegram Desktop (aka tdesktop) 1.3.14 might allo - telegram-desktop (unimportant) NOTE: Disputed as attack scenario does not cross a privilege boundary. CVE-2018-17230 (Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to ...) - - exiv2 + [experimental] - exiv2 + - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/455 + NOTE: Introduced in: https://github.com/Exiv2/exiv2/commit/3d57bbc6e6036723df3c7da352e40267c90d1640 + NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55 + NOTE: Some extra care needs to be applied when fixing isolately the issue in + NOTE: experimental, as the commit afb98cbc6e288dc8ea75f3394a347fb9b37abc55 + NOTE: would introduce/uncover CVE-2018-17282. CVE-2018-17229 (Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to ...) - - exiv2 + [experimental] - exiv2 + - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/453 + NOTE: Introduced in: https://github.com/Exiv2/exiv2/commit/3d57bbc6e6036723df3c7da352e40267c90d1640 + NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55 + NOTE: Some extra care needs to be applied when fixing isolately the issue in + NOTE: experimental, as the commit afb98cbc6e288dc8ea75f3394a347fb9b37abc55 + NOTE: would introduce/uncover CVE-2018-17282. CVE-2018-17228 (nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell ...) NOT-FOR-US: nmap4j CVE-2018-17227 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fb0cae02fea5fc65205cc7e4e731877ad26eef7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fb0cae02fea5fc65205cc7e4e731877ad26eef7 You're receiving this email because of your account on salsa.debian.org. 
___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
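Review bot: "fixing isolately the issue" in the added NOTE blocks of both the CVE-2018-17230 and the CVE-2018-17229 hunk is not English; "fixing the issue in isolation in experimental" says the same thing clearly. The warning about afb98cbc6e288dc8ea75f3394a347fb9b37abc55 introducing or uncovering CVE-2018-17282 is the part a backporter needs, so keep it as the first NOTE sentence.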
[Git][security-tracker-team/security-tracker][master] CVE-2018-17581/exiv2
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: df064485 by Henri Salo at 2018-10-14T10:38:25Z CVE-2018-17581/exiv2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1747,6 +1747,7 @@ CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 - exiv2 (low; bug #910060) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/460 + NOTE: Fixed in: https://github.com/Exiv2/exiv2/commit/b3d077dcaefb6747fff8204490f33eba5a144edb CVE-2018-17580 (A heap-based buffer over-read exists in the function fast_edit_packet() ...) - tcpreplay (bug #910596) [stretch] - tcpreplay (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df0644853f9bf1793f4229cc1ef51e6257c03260 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df0644853f9bf1793f4229cc1ef51e6257c03260 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add proposed firmware-nonfree update via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fcc03704 by Salvatore Bonaccorso at 2018-10-14T08:51:21Z Add proposed firmware-nonfree update via stretch-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -100,3 +100,19 @@ CVE-2018-14600 [stretch] - libx11 2:1.6.4-3+deb9u1 CVE-2018-13406 [stretch] - linux 4.9.130-1 +CVE-2016-0801 + [stretch] - firmware-nonfree 20161130-4 +CVE-2017-0561 + [stretch] - firmware-nonfree 20161130-4 +CVE-2017-9417 + [stretch] - firmware-nonfree 20161130-4 +CVE-2017-13077 + [stretch] - firmware-nonfree 20161130-4 +CVE-2017-13078 + [stretch] - firmware-nonfree 20161130-4 +CVE-2017-13079 + [stretch] - firmware-nonfree 20161130-4 +CVE-2017-13080 + [stretch] - firmware-nonfree 20161130-4 +CVE-2017-13081 + [stretch] - firmware-nonfree 20161130-4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fcc037044861911f50c0558e10420763d2d4020e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fcc037044861911f50c0558e10420763d2d4020e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add firmware-nonfree source package tracking for "KRACK" issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 080afc86 by Salvatore Bonaccorso at 2018-10-14T08:49:29Z Add firmware-nonfree source package tracking for "KRACK" issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61762,10 +61762,14 @@ CVE-2017-13082 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r NOTE: https://w1.fi/security/2017-1/ CVE-2017-13081 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w ...) {DSA-3999-1 DLA-1150-1} + - firmware-nonfree 20180825-1 + [stretch] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13080 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1200-1 DLA-1150-1} + - firmware-nonfree 20180825-1 + [stretch] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 - linux 4.13.13-1 [stretch] - linux 4.9.65-1 
@@ -61774,14 +61778,20 @@ CVE-2017-13080 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of t NOTE: https://git.kernel.org/linus/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e (v4.14-rc6) CVE-2017-13079 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w ...) {DSA-3999-1 DLA-1150-1} + - firmware-nonfree 20180825-1 + [stretch] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13078 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1150-1} + - firmware-nonfree 20180825-1 + [stretch] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13077 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1150-1} + - firmware-nonfree 20180825-1 + [stretch] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13076 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/080afc8643de15bb9d85e70e7c142dd657e0211f
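Review bot: in the first hunk (CVE-2017-13081 and CVE-2017-13080), "[stretch] - firmware-nonfree (non-free not supported)" is the no-dsa shorthand, which is consistent with routing the fix through stretch-pu as commit fcc03704 does, but it leaves the tracker showing stretch as unfixed until someone remembers to swap in 20161130-4; consider adding the version as soon as the point update is accepted. The hunk's context also shows CVE-2017-13082 (the 802.11r case) receiving no firmware-nonfree entry at all; if the firmware is not affected by that one, an explicit "- firmware-nonfree <not-affected> (reason)" line would record the decision rather than leaving the package silently absent.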
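Review bot: in the second hunk (CVE-2017-13079, CVE-2017-13078, CVE-2017-13077) nothing documents what in firmware-nonfree 20180825-1 actually addresses these issues; the adjacent wpa lines each carry "NOTE: https://w1.fi/security/2017-1/", while the new firmware lines have no reference. A NOTE: pointing at the firmware-nonfree changelog entry or the upstream firmware change that closed the reinstallation issue would make the fixed-version claim checkable by whoever prepares the stretch update.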
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE for wireshark addressed with 2.6.4 upstream
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1df4faab by Salvatore Bonaccorso at 2018-10-14T07:22:41Z Track fixed version for CVE for wireshark addressed with 2.6.4 upstream - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -287,19 +287,19 @@ CVE-2018-18229 CVE-2018-18228 RESERVED CVE-2018-18227 (In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP protocol ...) - - wireshark + - wireshark 2.6.4-1 [stretch] - wireshark (Fix along in next DSA) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15119 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d443be449a52f95df5754adc39e1f3472fec2f03 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-47.html CVE-2018-18226 (In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector could ...) - - wireshark + - wireshark 2.6.4-1 [stretch] - wireshark (Fix along in next DSA) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15171 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e920ddc3cad2886ef07ca1a8e50e2a5c50986f7 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-48.html CVE-2018-18225 (In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was ...) - - wireshark + - wireshark 2.6.4-1 [stretch] - wireshark (Fix along in next DSA) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=09a02cc1ea6de9f6c6cae75b3510a5477ef5f555
@@ -15430,7 +15430,7 @@ CVE-2018-12088 (S3QL before 2.27 mishandles checksumming, and consequently allow CVE-2018-12087 (Failure to validate certificates in OPC Foundation UA Client ...) NOT-FOR-US: OPC UA CVE-2018-12086 (Buffer overflow in OPC UA applications allows remote attackers to ...) - - wireshark + - wireshark 2.6.4-1 [stretch] - wireshark (Fix along in next DSA) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-50.html CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the function ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1df4faabc164a32410818677cdca44a16bcf2652
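Review bot: in the first hunk the affected ranges differ between the three entries (CVE-2018-18227 covers 2.4.0 to 2.4.9 as well as 2.6.0 to 2.6.3; CVE-2018-18226 and CVE-2018-18225 list only 2.6.0 to 2.6.3), yet all three keep the identical "[stretch] - wireshark (Fix along in next DSA)" line. Before that DSA is prepared it is worth confirming that the wireshark version actually shipped in stretch falls inside the 2.6-only range for the latter two; if it does not, those two should become <not-affected> for stretch rather than being folded into the DSA.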
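Review bot: in the second hunk the CVE-2018-12086 description ("Buffer overflow in OPC UA applications ...") never names Wireshark, and the only link to the package is the wnpa-sec-2018-50 NOTE; the three entries in the previous hunk each carry the bugs.wireshark.org ticket and code.wireshark.org commit NOTE lines. Adding the equivalent references here would document which dissector change 2.6.4-1 actually ships for this CVE and why the entry belongs to wireshark at all.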
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable upload for CVE-2018-10733/libgxps
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d7fbca7 by Salvatore Bonaccorso at 2018-10-14T07:17:51Z Add fixed version via unstable upload for CVE-2018-10733/libgxps - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19240,7 +19240,7 @@ CVE-2018-10735 (A SQL injection issue was discovered in Nagios XI before 5.4.13 CVE-2018-10734 (KONGTOP DVR devices A303, A403, D303, D305, and D403 contain a ...) NOT-FOR-US: KONGTOP DVR devices CVE-2018-10733 (There is a heap-based buffer over-read in the function ...) - - libgxps (low; bug #897954) + - libgxps 0.3.0-3 (low; bug #897954) [stretch] - libgxps (Minor issue) [jessie] - libgxps (Minor issue) [wheezy] - libgxps (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1d7fbca7f145622f28c0782b95212bbc49fcb633
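Review bot: the CVE-2018-10733 entry carries no NOTE: line at all, so nothing in the tracker says which upstream libgxps change 0.3.0-3 incorporates for the heap over-read; with stretch, jessie and wheezy all left at "(Minor issue)" and therefore candidates for a later point update, a NOTE pointing at the upstream fix commit (or at least the Debian bug #897954 discussion of it) would save the backporter from having to rediscover it. The severity and bug annotation "(low; bug #897954)" are fine as kept.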