[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-1338/tika as unfixed for unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b0422e6d by Salvatore Bonaccorso at 2019-01-07T07:15:30Z Mark CVE-2018-1338/tika as unfixed for unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63775,7 +63775,8 @@ CVE-2018-1339 (A carefully crafted (or fuzzed) file can trigger an infinite loop [jessie] - tika (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/7 CVE-2018-1338 (A carefully crafted (or fuzzed) file can trigger an infinite loop in ...) - - tika (BGP parser introduced in 1.7) + - tika + [jessie] - tika (BGP parser introduced in 1.7) NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/6 CVE-2018-1337 (In Apache LDAP API before 1.0.2, a bug in the way the SSL Filter was ...) NOT-FOR-US: Apache LDAP API View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b0422e6d75834ee5283366ee9dd9bed7d5357a84 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
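Review bot: in the CVE-2018-1338 hunk the new unstable line "- tika" has neither a bug number nor a NOTE, and the reason "BGP parser introduced in 1.7" now appears only on the "[jessie]" line. Suggest adding a bug reference, or a NOTE naming the upload that brought the affected parser into unstable, so the status change can be followed from data/CVE/list without the commit log.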
[Git][security-tracker-team/security-tracker][master] Update some older entries for tika which now is affected by some CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a944d6ba by Salvatore Bonaccorso at 2019-01-07T07:10:00Z Update some older entries for tika which now is affected by some CVEs Unfortunately tika/1.8 was uploaded which opens at least three further CVEs. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19959,7 +19959,8 @@ CVE-2018-17199 CVE-2018-17198 RESERVED CVE-2018-17197 (A carefully crafted or corrupt sqlite file can cause an infinite loop ...) - - tika (Only affects 1.8 to 1.19.1) + - tika + [jessie] - tika (Only affects 1.8 to 1.19.1) NOTE: https://www.openwall.com/lists/oss-security/2018/12/22/2 CVE-2018-17196 RESERVED @@ -63792,7 +63793,8 @@ CVE-2018-1336 (An improper handing of overflow in the UTF-8 decoder with ...) NOTE: https://svn.apache.org/r1830375 (8.0.x) NOTE: https://svn.apache.org/r1830376 (7.0.x) CVE-2018-1335 (From Apache Tika versions 1.7 to 1.17, clients could send carefully ...) - - tika (Server functionality not present) + - tika + [jessie] - tika (Server functionality not present) NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/8 CVE-2018-1334 (In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using ...) NOT-FOR-US: Apache Spark 
@@ -127193,7 +127195,8 @@ CVE-2016-6810 (In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site NOTE: http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000245.html NOTE: https://jvn.jp/en/jp/JVN78980598/index.html CVE-2016-6809 (Apache Tika before 1.14 allows Java code execution for serialized ...) - - tika (Matlab file parser introduced in 1.6) + - tika + [jessie] - tika (Matlab file parser introduced in 1.6) NOTE: http://seclists.org/bugtraq/2016/Nov/40 CVE-2016-6808 (Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. ...) - libapache-mod-jk (Windows/IIS vhost handling specific issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a944d6ba1df53b08df4c692d4623824784f91db8
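Review bot: all three hunks (CVE-2018-17197, CVE-2018-1335, CVE-2016-6809) move the reason text to the "[jessie]" line and leave the unstable "- tika" line without a bug number or NOTE; the cause, the tika/1.8 upload, is stated only in the commit message. Suggest recording it as a NOTE on each entry. For CVE-2018-1335 the jessie reason is "Server functionality not present", so the entry should also say whether that functionality is shipped by the version now in unstable.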
[Git][security-tracker-team/security-tracker][master] 2 commits: Add fixed version for CVE-2018-16476/rails
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ea1dd03e by Salvatore Bonaccorso at 2019-01-07T06:58:06Z Add fixed version for CVE-2018-16476/rails - - - - - 25a10cc7 by Salvatore Bonaccorso at 2019-01-07T07:00:23Z Update status for CVE-2018-16477/rails - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21827,10 +21827,13 @@ CVE-2018-16479 CVE-2018-16478 (A Path Traversal in simplehttpserver versions <=0.2.1 allows to list ...) NOT-FOR-US: simplehttpserver CVE-2018-16477 (A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud ...) - - rails (Only affects >= 5.2.0; vulnerable code not present) + - rails 2:5.2.2+dfsg-1 (bug #914848) + [stretch] - rails (Only affects >= 5.2.0; vulnerable code not present) + [jessie] - rails (Only affects >= 5.2.0; vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2018/11/27/5 + NOTE: Originally no version was affected until 2:5.2.0+dfsg-2 was uploaded to unstable. CVE-2018-16476 (A Broken Access Control vulnerability in Active Job versions >= 4.2.0 ...) - - rails (bug #914847) + - rails 2:5.2.2+dfsg-1 (bug #914847) [jessie] - rails (only affects >= 4.2.0) NOTE: https://www.openwall.com/lists/oss-security/2018/11/27/4 CVE-2018-16475 (A Path Traversal in Knightjs versions <= 0.0.1 allows an attacker to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5386d8d19678b3d59f3e1d540139bc9cddbb5df3...25a10cc79368f466fee86bc3add00d98e2115fa6
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-3804/cockpit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5386d8d1 by Salvatore Bonaccorso at 2019-01-07T06:53:16Z Add CVE-2019-3804/cockpit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3387,8 +3387,11 @@ CVE-2019-3806 RESERVED CVE-2019-3805 RESERVED -CVE-2019-3804 +CVE-2019-3804 [Crash when parsing invalid base64 headers] RESERVED + - cockpit 184-1 + NOTE: https://github.com/cockpit-project/cockpit/pull/10819 + NOTE: https://github.com/cockpit-project/cockpit/commit/c51f6177576d7e12 CVE-2019-3803 RESERVED CVE-2019-3802 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5386d8d19678b3d59f3e1d540139bc9cddbb5df3
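Review bot: the second NOTE added to the CVE-2019-3804 entry cites the fix by an abbreviated hash ("commit/c51f6177576d7e12"). Use the full commit id so the reference stays unambiguous as the upstream repository grows and so it can be matched mechanically against a checkout.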
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-20467/imagemagick in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f7057ff by Salvatore Bonaccorso at 2019-01-07T05:53:18Z Add fixed version for CVE-2018-20467/imagemagick in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4758,7 +4758,7 @@ CVE-2018-20469 CVE-2018-20468 RESERVED CVE-2018-20467 (In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can ...) - - imagemagick (low; bug #917326) + - imagemagick 8:6.9.10.23+dfsg-1 (low; bug #917326) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1408 NOTE: https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f7057ff65abdeed2765815e3a14b5b464c49a6b
[Git][security-tracker-team/security-tracker][master] Fix CVE/list entries about yaml-cpp0.3
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3de60132 by Markus Koschany at 2019-01-06T21:58:13Z Fix CVE/list entries about yaml-cpp0.3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4416,7 +4416,7 @@ CVE-2018-20574 (The SingleDocParser::HandleFlowMap function in yaml-cpp (aka ... [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #918146) [stretch] - yaml-cpp0.3 (Minor issue) - [jessie] - yaml-cpp (Minor issue) + [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/654 CVE-2018-20573 (The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) ...) - yaml-cpp (low; bug #918147) @@ -4424,7 +4424,7 @@ CVE-2018-20573 (The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYa [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #918148) [stretch] - yaml-cpp0.3 (Minor issue) - [jessie] - yaml-cpp (Minor issue) + [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/655 CVE-2018-20572 (WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL ...) NOT-FOR-US: WUZHI CMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3de6013248df2099b11e7bb1cc0cd7fa14dfe469
Processing b98d58683af55cda604142cf0df785fb3834065a failed
The error message was: Traceback (most recent call last): File "bin/update-db", line 41, in warnings = db.readBugs(cursor, 'data') File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/security_db.py", line 967, in readBugs read_one(cls(path + srcpath)) File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/security_db.py", line 958, in read_one do_parse(source) File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/security_db.py", line 914, in do_parse for bug in source: File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/bugs.py", line 740, in __iter__ is_extend=self.is_extend)) File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/bugs.py", line 780, in finishBug bug.mergeNotes() File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/bugs.py", line 286, in mergeNotes notes[key].merge(n) AttributeError: PackageNoteNoDSA instance has no attribute 'merge' Makefile:34: recipe for target 'all' failed make: *** [all] Error 1
[Git][security-tracker-team/security-tracker][master] CVE-2018-20573,CVE-2018-20574,yaml-cpp,yaml-cpp0.3: postponed for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b98d5868 by Markus Koschany at 2019-01-06T21:54:02Z CVE-2018-20573,CVE-2018-20574,yaml-cpp,yaml-cpp0.3: postponed for Jessie Not urgent and postponed for now, hardly used but could be fixed later. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4413,14 +4413,18 @@ CVE-2018-20575 (Orange Livebox 00.96.320S devices have an undocumented ...) CVE-2018-20574 (The SingleDocParser::HandleFlowMap function in yaml-cpp (aka ...) - yaml-cpp (low; bug #918145) [stretch] - yaml-cpp (Minor issue) + [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #918146) [stretch] - yaml-cpp0.3 (Minor issue) + [jessie] - yaml-cpp (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/654 CVE-2018-20573 (The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) ...) - yaml-cpp (low; bug #918147) [stretch] - yaml-cpp (Minor issue) + [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #918148) [stretch] - yaml-cpp0.3 (Minor issue) + [jessie] - yaml-cpp (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/655 CVE-2018-20572 (WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL ...) NOT-FOR-US: WUZHI CMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b98d58683af55cda604142cf0df785fb3834065a
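Review bot: the "[jessie] - yaml-cpp (Minor issue)" lines added directly under "- yaml-cpp0.3", in both the CVE-2018-20574 and CVE-2018-20573 entries, name the wrong source package. Each CVE ends up with two jessie notes for yaml-cpp and none for yaml-cpp0.3; they should read "[jessie] - yaml-cpp0.3 (Minor issue)", matching the "[stretch] - yaml-cpp0.3" line just above. Two notes for the same package and release is consistent with the processing failure reported for b98d5868, which is raised from mergeNotes in bugs.py.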
[Git][security-tracker-team/security-tracker][master] claim sssd
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 191a856b by Mike Gabriel at 2019-01-06T21:14:08Z claim sssd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -131,7 +131,7 @@ sqlite3 NOTE: 20181221: re-added sqlite3, so that no-dsa issues stay on our radar NOTE: 20181221: low-prio, pick it if all other packages are taken... -- -sssd +sssd (Mike Gabriel) NOTE: 20181220: Specific fixes for older branches will be provided in January 2019. (apo) -- symfony (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/191a856bb6af49df449a5093770b62c1d1700727
[Git][security-tracker-team/security-tracker][master] CVE-2017-11684,libav: Link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 68c6a716 by Markus Koschany at 2019-01-06T20:44:51Z CVE-2017-11684,libav: Link to fixing commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84412,6 +84412,8 @@ CVE-2017-11685 (Multiple Reflective cross-site scripting (XSS) vulnerabilities i CVE-2017-11684 (There is an illegal address access in the build_table function in ...) - libav - ffmpeg 7:2.3.1-1 + NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1073 + NOTE: Fixed by https://github.com/libav/libav/commit/ec683ed527cef9aad208d1daeb10d0e7fb63e75e.patch CVE-2017-11683 (There is a reachable assertion in the ...) {DLA-1147-1} - exiv2 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/68c6a716a06dee48c53dc7f70aa73edb0301
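Review bot: the second NOTE added for CVE-2017-11684 links the raw ".patch" rendering of the commit ("commit/ec683ed5...75e.patch") rather than the commit page. Drop the ".patch" suffix so the reference has the same form as the other commit NOTEs in data/CVE/list and can be matched by commit id.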
[Git][security-tracker-team/security-tracker][master] Add fixed version for arc directory traversal issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eaf0cb35 by Salvatore Bonaccorso at 2019-01-06T20:11:10Z Add fixed version for arc directory traversal issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -173892,7 +173892,7 @@ CVE-2015-4467 (The chmd_init_decomp function in chmd.c in libmspack before 0.5 d - libmspack 0.4-3 (bug #774725) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015- [directory traversal] - - arc (low; bug #774527) + - arc 5.21q-6 (low; bug #774527) [stretch] - arc (Minor issue) [jessie] - arc (Minor issue) [wheezy] - arc (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eaf0cb35339fa93b4f8f12956203ccab2d63a3dc
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3ac93c5 by security tracker role at 2019-01-06T20:10:31Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4042,6 +4042,7 @@ CVE-2019-3499 RESERVED CVE-2019-3498 [Content spoofing possibility in the default 404 page] RESERVED + {DLA-1629-1} - python-django 1:1.11.18-1 (bug #918230) NOTE: https://www.djangoproject.com/weblog/2019/jan/04/security-releases/ NOTE: https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a (1.11.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3ac93c5892434cf9faeb6a9299f13a35564b49c
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1629-1 for python-django
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5493b1a5 by Chris Lamb at 2019-01-06T19:02:20Z Reserve DLA-1629-1 for python-django - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Jan 2019] DLA-1629-1 python-django - security update + {CVE-2019-3498} + [jessie] - python-django 1.7.11-1+deb8u4 [02 Jan 2019] DLA-1628-1 jasper - security update {CVE-2018-18873 CVE-2018-19539 CVE-2018-19540 CVE-2018-19541 CVE-2018-19542 CVE-2018-20570 CVE-2018-20584 CVE-2018-20622} [jessie] - jasper 1.900.1-debian1-2.4+deb8u5 = data/dla-needed.txt = @@ -118,8 +118,6 @@ policykit-1 (Emilio) -- poppler (Emilio) -- -python-django (Chris Lamb) --- python3.4 NOTE: 20181225: The update should include also the postponed and no-dsa NOTE: issues which were already fixed by us in Wheezy. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5493b1a58c0f626f055feb8034bdb50a7dfcfcd0
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-11788/apache-karafa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 029c4cd2 by Salvatore Bonaccorso at 2019-01-06T16:22:00Z Add CVE-2018-11788/apache-karafa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33933,6 +33933,7 @@ CVE-2018-11789 RESERVED CVE-2018-11788 RESERVED + - apache-karaf (bug #881297) CVE-2018-11787 (In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the ...) - apache-karaf (bug #881297) CVE-2018-11786 (In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/029c4cd2ffac5d32624e4a8d9153646d3cc4691d
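Review bot: the line added for CVE-2018-11788, "- apache-karaf (bug #881297)", reuses the bug number already attached to CVE-2018-11787 two lines below, and the entry is still RESERVED with no description or NOTE. Add a NOTE pointing at the advisory or upstream issue so a reader can tell what this CVE covers and why the same bug tracks both.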
[Git][security-tracker-team/security-tracker][master] Remove libssh from dsa-needed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1404b7d1 by Salvatore Bonaccorso at 2019-01-06T13:44:22Z Remove libssh from dsa-needed Regression is addressed via stretch-pu - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -31,9 +31,6 @@ libidn -- libspring-java -- -libssh - Regression update for #913870 --- libvncserver (jmm) -- linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1404b7d1defd92006bdf13842962d0bc0532211a
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2015-8985/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c091b6e0 by Salvatore Bonaccorso at 2019-01-06T13:12:25Z Add fixed version for CVE-2015-8985/glibc First version in Debian including the fix was the 2.28-0experimental0 to experimental, which landed with 2.28-1 in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -168688,7 +168688,7 @@ CVE-2015-2081 (Datto ALTO and SIRIS devices allow Remote Code Execution via ...) CVE-2014-9685 (Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums ...) NOT-FOR-US: Vanilla Forums CVE-2015-8985 (The pop_fail_stack function in the GNU C Library (aka glibc or libc6) ...) - - glibc (unimportant; bug #779392) + - glibc 2.28-1 (unimportant; bug #779392) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21163 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672 (2.28) NOTE: DoS via crafted regexps are not considered security issues by glibc upstream View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c091b6e06c798063601c82f35b1be797858ab5d4
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2017-9472/libytnef
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a732eb6 by Salvatore Bonaccorso at 2019-01-06T12:52:00Z Add fixed version for CVE-2017-9472/libytnef Upstream issue https://github.com/Yeraze/ytnef/issues/41 got addressed as part of https://github.com/Yeraze/ytnef/pull/64 which got merged in 1.9.3 upstream and thus present in Debian in unstable since the 1.9.3-1 upload. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -90970,7 +90970,7 @@ CVE-2017-9473 (In ytnef 1.9.2, the TNEFFillMapi function in lib/ytnef.c allows r NOTE: https?//github.com/Yeraze/ytnef/commit/a341b7f1bf8a2c59ece89f2d6cdc09856d501cc0 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-memory-allocation-failure-in-tneffillmapi-ytnef-c/ CVE-2017-9472 (In ytnef 1.9.2, the SwapDWord function in lib/ytnef.c allows remote ...) - - libytnef (low; bug #870193) + - libytnef 1.9.3-1 (low; bug #870193) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2a732eb6893dd79773841434880771ceb086e70e
[Git][security-tracker-team/security-tracker][master] 2 commits: Add commit reference for CVE-2017-9473/libytnef
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c963827 by Salvatore Bonaccorso at 2019-01-06T12:49:00Z Add commit reference for CVE-2017-9473/libytnef - - - - - 0a2e6fe6 by Salvatore Bonaccorso at 2019-01-06T12:49:50Z Add fixed version for CVE-2017-9473/libytnef - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -90962,11 +90962,12 @@ CVE-2017-9474 (In ytnef 1.9.2, the DecompressRTF function in lib/ytnef.c allows NOTE: https://github.com/Yeraze/ytnef/issues/40 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-heap-based-buffer-overflow-in-decompressrtf-ytnef-c/ CVE-2017-9473 (In ytnef 1.9.2, the TNEFFillMapi function in lib/ytnef.c allows remote ...) - - libytnef (low; bug #870197) + - libytnef 1.9.3-1 (low; bug #870197) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/42 + NOTE: https?//github.com/Yeraze/ytnef/commit/a341b7f1bf8a2c59ece89f2d6cdc09856d501cc0 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-memory-allocation-failure-in-tneffillmapi-ytnef-c/ CVE-2017-9472 (In ytnef 1.9.2, the SwapDWord function in lib/ytnef.c allows remote ...) - libytnef (low; bug #870193) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bb99e75cce2801776f197336599f558edc05ccab...0a2e6fe68ff3769454d7397b32907be2ba6a724b
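Review bot: the NOTE added to the CVE-2017-9473 entry has a malformed URL scheme, "https?//github.com/Yeraze/ytnef/commit/a341b7f1...", with "?" where ":" belongs. As written it is not a valid link and will not be picked up by anything that extracts commit references from NOTE lines; it should start with "https://".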
[Git][security-tracker-team/security-tracker][master] 2 commits: Add fixing commit for CVE-2017-9146/libytnef
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 120019f8 by Salvatore Bonaccorso at 2019-01-06T12:45:12Z Add fixing commit for CVE-2017-9146/libytnef - - - - - bb99e75c by Salvatore Bonaccorso at 2019-01-06T12:45:41Z Add fixed version for CVE-2017-9146/libytnef - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -92242,11 +92242,12 @@ CVE-2017-9147 (LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2693 CVE-2017-9146 (The TNEFFillMapi function in lib/ytnef.c in libytnef in ytnef through ...) - - libytnef (bug #862707) + - libytnef 1.9.3-1 (bug #862707) [stretch] - libytnef (Minor issue, can be fixed via a point update) [jessie] - libytnef (Minor issue, can be fixed via a point update) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/47 + NOTE: https://github.com/Yeraze/ytnef/commit/c576639e7e6bd9c7de0a288b9f94590d34ac9215 CVE-2017-9145 (TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not ...) - tikiwiki CVE-2017-11352 (In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a crash ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/24ca91b656d424f890215e1083f4137cd5bdb984...bb99e75cce2801776f197336599f558edc05ccab
[Git][security-tracker-team/security-tracker][master] Add fixed version CVE-2017-14107 for libzip embedded copy
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 24ca91b6 by Salvatore Bonaccorso at 2019-01-06T12:28:49Z Add fixed version CVE-2017-14107 for libzip embedded copy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -77285,6 +77285,7 @@ CVE-2017-14107 (The _zip_read_eocd64 function in zip_open.c in libzip before 1.3 [jessie] - libzip (Minor issue) [wheezy] - libzip (Minor issue) - php5 (unimportant) + [jessie] - php5 5.6.33+dfsg-0+deb8u1 NOTE: https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/ NOTE: https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5 NOTE: PHP commit: https://github.com/php/php-src/commit/f6e8ce812174343b5c9fd1860f9e2e2864428567 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/24ca91b656d424f890215e1083f4137cd5bdb984