[Secure-testing-commits] r29369 - data/CVE

2014-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2014-10-12 15:54:37 +0000 (Sun, 12 Oct 2014)
New Revision: 29369

Modified:
   data/CVE/list
Log:
memcached fixed


Modified: data/CVE/list
===
--- data/CVE/list   2014-10-12 06:52:36 UTC (rev 29368)
+++ data/CVE/list   2014-10-12 15:54:37 UTC (rev 29369)
@@ -17143,7 +17143,7 @@
 CVE-2013-7292 (VASCO IDENTIKEY Authentication Server (IAS) 3.4.x allows remote 
...)
NOT-FOR-US: VASCO IAS
 CVE-2013-7291 (memcached before 1.4.17, when running in verbose mode, allows 
remote ...)
-   - memcached  (low; bug #735314)
+   - memcached 1.4.20-1 (low; bug #735314)
[squeeze] - memcached  (Minor issue)
[wheezy] - memcached  (Minor issue)
NOTE: 
https://github.com/memcached/memcached/commit/fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760
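Review bot: the fixed version `1.4.20-1` on the `+` line should be checked against the upstream commit cited in the NOTE line (fbe823d9...), because the CVE text only says "before 1.4.17" and the tracker needs the first Debian upload that actually contains that fix; if 1.4.20-1 is simply the first upload of a newer upstream release, the version is right but a short NOTE saying so would save the next reader the same check.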


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r29370 - data/CVE

2014-10-12 Thread Michael Gilbert
Author: mgilbert
Date: 2014-10-12 18:32:32 +0000 (Sun, 12 Oct 2014)
New Revision: 29370

Modified:
   data/CVE/list
Log:
nfu

Modified: data/CVE/list
===
--- data/CVE/list   2014-10-12 15:54:37 UTC (rev 29369)
+++ data/CVE/list   2014-10-12 18:32:32 UTC (rev 29370)
@@ -31941,7 +31941,7 @@
 CVE-2013-2587
RESERVED
 CVE-2013-2586 (XAMPP 1.8.1 does not properly restrict access to 
xampp/lang.php, which ...)
-   TODO: check
+   NOT-FOR-US: XAMPPP
 CVE-2013-2585 (Cross-site scripting (XSS) vulnerability in Atmail Webmail 
Server ...)
NOT-FOR-US: AtMail
 CVE-2013-2584
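Review bot: the product name on the added line `+   NOT-FOR-US: XAMPPP` is misspelled; the description in the context line above reads `XAMPP 1.8.1`, so it should be `NOT-FOR-US: XAMPP`, in the same style as the `NOT-FOR-US: AtMail` line below it.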



[Secure-testing-commits] r29371 - data/CVE

2014-10-12 Thread Michael Gilbert
Author: mgilbert
Date: 2014-10-12 18:50:41 +0000 (Sun, 12 Oct 2014)
New Revision: 29371

Modified:
   data/CVE/list
Log:
fix chromium entries

Modified: data/CVE/list
===
--- data/CVE/list   2014-10-12 18:32:32 UTC (rev 29370)
+++ data/CVE/list   2014-10-12 18:50:41 UTC (rev 29371)
@@ -454,8 +454,9 @@
[wheezy] - libv8  (Minor issue, Chromium in Wheezy uses its own 
fixed copy)
[squeeze] - libv8  (Unsupported in squeeze-lts)
- libv8-3.14 
-   - chromium-browser 
+   - chromium-browser 
[squeeze] - chromium-browser 
+   TODO: CVE description indicates upsteam 38.0.2125.101 fixed this, but 
there isn't enough information available to check yet
 CVE-2014-7960 [Swift metadata constraints are not correctly enforced]
RESERVED
- swift 
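Review bot: `upsteam` on the added TODO line is a typo for `upstream`. The TODO also names 38.0.2125.101 as the upstream fix while the `chromium-browser` line just above it is left without a version; once the check is done, the version belongs on that package line and the TODO should be dropped, as the later hunks already do for the other 38.0.2125.101-1 entries.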
@@ -11393,18 +11394,20 @@
 CVE-2014-3201
RESERVED
 CVE-2014-3200 (Multiple unspecified vulnerabilities in Google Chrome before 
...)
-   - chromium-browser 
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3199 (The wrap function in bindings/core/v8/custom/V8EventCustom.cpp 
in the ...)
- libv8 
[wheezy] - libv8  (Minor issue, Chromium in Wheezy uses its own 
fixed copy)
[squeeze] - libv8  (Unsupported in squeeze-lts)
- libv8-3.14 
+   - chromium-browser 38.0.2125.101-1
+   [squeeze] - chromium-browser 
 CVE-2014-3198 (The Instance::HandleInputEvent function in pdf/instance.cc in 
the ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3197 (The NavigationScheduler::schedulePageBlock function in ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3196 (base/memory/shared_memory_win.cc in Google Chrome before 
38.0.2125.101 ...)
- chromium-browser  (Only affects Windows)
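Review bot: the replaced `37.0.2062-1` values were not valid chromium-browser versions (three upstream components instead of four), so swapping them for `38.0.2125.101-1` is the right fix. Adding a `chromium-browser 38.0.2125.101-1` line to the CVE-2014-3199 entry beside its libv8 lines is also consistent with the wheezy comment that Chromium ships its own fixed copy of V8; the remaining V8-related CVEs in the next hunk should get the same libv8-plus-chromium pairing.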
@@ -11413,33 +11416,35 @@
[wheezy] - libv8  (Minor issue, Chromium in Wheezy uses its own 
fixed copy)
[squeeze] - libv8  (Unsupported in squeeze-lts)
- libv8-3.14 
+   - chromium-browser 38.0.2125.101-1
+   [squeeze] - chromium-browser 
 CVE-2014-3194 (Use-after-free vulnerability in the Web Workers implementation 
in ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3193 (The SessionService::GetLastSession function in ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3192 (Use-after-free vulnerability in the ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3191 (Use-after-free vulnerability in Blink, as used in Google Chrome 
before ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3190 (Use-after-free vulnerability in the Event::currentTarget 
function in ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3189 (The chrome_pdf::CopyImage function in pdf/draw_utils.cc in the 
PDFium ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
 CVE-2014-3188 (Google Chrome before 38.0.2125.101 and Chrome OS before 
38.0.2125.101 ...)
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 38.0.2125.101-1
[squeeze] - chromium-browser 
- libv8 
[wheezy] - libv8  (Minor issue, Chromium in Wheezy uses its own 
fixed copy)
[squeeze] - libv8  (Unsupported in squeeze-lts)
- libv8-3.14 
-CVE-2014-3187 (Google Chrome before 37.0.2062.60 and 38.x before 38.0.2125.59 
on iOS ...)
-   TODO: check
+CVE-2014-3187 (Google Chrome before 37.0.2062.120.60 and 38.x before 
38.0.2125.59 on iOS ...)
+   - chromium-browser  (only affects versions supporting 
Apple's facetime)
 CVE-2014-3186 (Buffer overflow in the picolcd_raw_event function in ...)
- linux 
[wheezy] - linux  (Will be fixed in next point release)
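Review bot: the CVE-2014-3187 description line should not have been touched: `37.0.2062.60` became `37.0.2062.120.60`, a five-component version that does not exist, apparently from a search-and-replace of `37.0.2062` that was aimed at the `- chromium-browser 37.0.2062-1` package lines. Description text is written by the automatic CVE import, so a manual edit there will be overwritten; confine the replacement to lines beginning with `- chromium-browser`. The new `(only affects versions supporting Apple's facetime)` annotation does match the iOS wording of the description.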
@@ -11480,63 +11485,63 @@
RESERVED
 CVE-2014-3179 (Multiple unspecified vulnerabilities in Google Chrome before 
...)
{DSA-3039-1}
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
 CVE-2014-3178 (Use-after-free vulnerability in core/dom/Node.cpp in Blink, as 
used in ...)
{DSA-3039-1}
-   - chromium-browser 37.0.2062-1
+   - chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
-CVE-2014-3177 (Google Chrome before 37.0.2062.94 does not properly handle the 
...)
+CVE-2014-3177 (Google Chrome before 37.0.2062.120.94 does not properly handl
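Review bot: same defect as in the CVE-2014-3187 hunk: the CVE-2014-3177 description line is rewritten from `37.0.2062.94` to `37.0.2062.120.94`, which is not a real Chrome version, while the intended change in this hunk is the `37.0.2062-1` to `37.0.2062.120-1` package-version update on the CVE-2014-3179 and CVE-2014-3178 lines. Restrict the replacement to the `- chromium-browser` lines and leave description text to the importer.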

[Secure-testing-commits] r29372 - data/CVE

2014-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2014-10-12 19:12:26 +0000 (Sun, 12 Oct 2014)
New Revision: 29372

Modified:
   data/CVE/list
Log:
enigmail n/a


Modified: data/CVE/list
===
--- data/CVE/list   2014-10-12 18:50:41 UTC (rev 29371)
+++ data/CVE/list   2014-10-12 19:12:26 UTC (rev 29372)
@@ -5817,8 +5817,8 @@
RESERVED
 CVE-2014-5369 (Enigmail 1.7.x before 1.7.2 sends emails in plaintext when 
encryption ...)
- enigmail 2:1.7.2-1
-   [wheezy] - enigmail  (Minor issue)
-   [squeeze] - enigmail  (Icedove EOLed in squeeze)
+   [wheezy] - enigmail  (Introduced in 1.7)
+   [squeeze] - enigmail  (Introduced in 1.7)
NOTE: 
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315
NOTE: and http://sourceforge.net/p/enigmail/bugs/294/
NOTE: fixed in 1.7.1 and 1.8.0 upstream (not yet released)
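Review bot: the unchanged `NOTE: fixed in 1.7.1 and 1.8.0 upstream (not yet released)` line now contradicts the rest of the entry: the description says 1.7.x before 1.7.2 and the fixed version is recorded as `2:1.7.2-1`, so the note should be updated to 1.7.2 or removed. The new `(Introduced in 1.7)` annotations for wheezy and squeeze are consistent with the 1.7.x range in the description.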



[Secure-testing-commits] r29373 - hardening

2014-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2014-10-12 19:45:09 +0000 (Sun, 12 Oct 2014)
New Revision: 29373

Modified:
   hardening/subgoal-dsa.txt
Log:
two packages moved to standard dpkg-buildflags


Modified: hardening/subgoal-dsa.txt
===
--- hardening/subgoal-dsa.txt   2014-10-12 19:12:26 UTC (rev 29372)
+++ hardening/subgoal-dsa.txt   2014-10-12 19:45:09 UTC (rev 29373)
@@ -436,10 +436,11 @@
 globus-gridftp-server (734920) (7.11-1)
 pcre3 (656008) (1:8.35-3.1)
 netpbm-free (655737) (2:10.0-15.1)
+sendmail (8.14.4-4.1)
+strongswan (5.0.4-1)
 
 
 Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
-sendmail
 eglibc (657528)
 pcp
 
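Review bot: the two entries added to the dpkg-buildflags list, `+sendmail (8.14.4-4.1)` and `+strongswan (5.0.4-1)`, carry a version but no bug number, unlike the neighbouring `pcre3 (656008) (1:8.35-3.1)` and `netpbm-free (655737) (2:10.0-15.1)` entries; if the switch happened without a bug report that is fine, but the single-parenthesis form is easy to misread as a bug number, so a consistent layout would help.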
@@ -447,7 +448,6 @@
 
 Packages using hardening-wrapper/-includes (these are considered fixed, 
although
switching them over to dpkg-buildflags might be worthwhile later on):
-strongswan (already uses dh)
 evolution
 tor
 mysql-5.5
@@ -462,3 +462,4 @@
 ldns (needed)
 nsd3
 virtualbox (736459) (4.3.6-dfsg-1)
+
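Review bot: the final `+` line only appends a blank line at the end of the file; drop it to keep the change free of whitespace-only edits.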



[Secure-testing-commits] r29374 - hardening

2014-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2014-10-12 19:58:20 +0000 (Sun, 12 Oct 2014)
New Revision: 29374

Modified:
   hardening/subgoal-dsa.txt
Log:
evolution,cyrus-sasl2,nsd3 use dpkg-buildflags
nagios-plugins has been renamed to monitoring-plugins


Modified: hardening/subgoal-dsa.txt
===
--- hardening/subgoal-dsa.txt   2014-10-12 19:45:09 UTC (rev 29373)
+++ hardening/subgoal-dsa.txt   2014-10-12 19:58:20 UTC (rev 29374)
@@ -28,6 +28,7 @@
 pygresql (needed)
 python-pam (needed)
 zodb (needed)
+pcp
 
 
 
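Review bot: `+pcp` is added to a section whose visible entries (`pygresql (needed)`, `python-pam (needed)`, `zodb (needed)`) all carry a `(needed)` marker, and the commit message does not mention pcp at all; say whether pcp belongs here without the marker or whether it should carry `(needed)` like its neighbours, since the next hunk removes it from the manual-flags list.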
@@ -438,17 +439,18 @@
 netpbm-free (655737) (2:10.0-15.1)
 sendmail (8.14.4-4.1)
 strongswan (5.0.4-1)
+evolution (3.4.2-1)
+cyrus-sasl2 (2.1.24~rc1.dfsg1+cvs2011-05-23-5)
+nsd3 (3.2.9-3)
 
 
 Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
 eglibc (657528)
-pcp
 
 
 
 Packages using hardening-wrapper/-includes (these are considered fixed, 
although
switching them over to dpkg-buildflags might be worthwhile later on):
-evolution
 tor
 mysql-5.5
 ipsec-tools
@@ -456,10 +458,8 @@
 bind9
 postfix
 pidgin (needed)
-nagios-plugins
+monitoring-plugins
 znc
-cyrus-sasl2
 ldns (needed)
-nsd3
 virtualbox (736459) (4.3.6-dfsg-1)
 



[Secure-testing-commits] r29375 - data/CVE

2014-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2014-10-12 19:58:55 +0000 (Sun, 12 Oct 2014)
New Revision: 29375

Modified:
   data/CVE/list
Log:
node-qs fixed


Modified: data/CVE/list
===
--- data/CVE/list   2014-10-12 19:58:20 UTC (rev 29374)
+++ data/CVE/list   2014-10-12 19:58:55 UTC (rev 29375)
@@ -1877,7 +1877,7 @@
RESERVED
 CVE-2014-7191 [qs Denial-of-Service Memory Exhaustion]
RESERVED
-   - node-qs 
+   - node-qs 2.2.4-1
NOTE: 
https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8
NOTE: https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
 CVE-2014-7188 (The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in 
Xen 4.1 ...)



[Secure-testing-commits] r29376 - data/CVE

2014-10-12 Thread Joey Hess
Author: joeyh
Date: 2014-10-12 21:14:12 +0000 (Sun, 12 Oct 2014)
New Revision: 29376

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2014-10-12 19:58:55 UTC (rev 29375)
+++ data/CVE/list   2014-10-12 21:14:12 UTC (rev 29376)
@@ -11443,7 +11443,7 @@
[wheezy] - libv8  (Minor issue, Chromium in Wheezy uses its own 
fixed copy)
[squeeze] - libv8  (Unsupported in squeeze-lts)
- libv8-3.14 
-CVE-2014-3187 (Google Chrome before 37.0.2062.120.60 and 38.x before 
38.0.2125.59 on iOS ...)
+CVE-2014-3187 (Google Chrome before 37.0.2062.60 and 38.x before 38.0.2125.59 
on iOS ...)
- chromium-browser  (only affects versions supporting 
Apple's facetime)
 CVE-2014-3186 (Buffer overflow in the picolcd_raw_event function in ...)
- linux 
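Review bot: this automatic update restores the CVE-2014-3187 description to its original `37.0.2062.60` wording, undoing the `37.0.2062.120.60` edit from r29371; the following hunks do the same for CVE-2014-3177, -3176, -3173 and -3170. This confirms that description lines are owned by the import and that manual version fixes must be confined to the `- chromium-browser` package lines, which are correctly left at `37.0.2062.120-1` here.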
@@ -11491,11 +11491,11 @@
{DSA-3039-1}
- chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
-CVE-2014-3177 (Google Chrome before 37.0.2062.120.94 does not properly handle 
the ...)
+CVE-2014-3177 (Google Chrome before 37.0.2062.94 does not properly handle the 
...)
{DSA-3039-1}
- chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
-CVE-2014-3176 (Google Chrome before 37.0.2062.120.94 does not properly handle 
the ...)
+CVE-2014-3176 (Google Chrome before 37.0.2062.94 does not properly handle the 
...)
{DSA-3039-1}
- chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
@@ -11507,7 +11507,7 @@
{DSA-3039-1}
- chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
-CVE-2014-3173 (The WebGL implementation in Google Chrome before 
37.0.2062.120.94 does not ...)
+CVE-2014-3173 (The WebGL implementation in Google Chrome before 37.0.2062.94 
does not ...)
{DSA-3039-1}
- chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
@@ -11519,7 +11519,7 @@
{DSA-3039-1}
- chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 
-CVE-2014-3170 (extensions/common/url_pattern.cc in Google Chrome before 
37.0.2062.120.94 ...)
+CVE-2014-3170 (extensions/common/url_pattern.cc in Google Chrome before 
37.0.2062.94 ...)
{DSA-3039-1}
- chromium-browser 37.0.2062.120-1
[squeeze] - chromium-browser 



[Secure-testing-commits] r29377 - data

2014-10-12 Thread Andrew Bartlett
Author: abartlet-guest
Date: 2014-10-13 04:37:01 +0000 (Mon, 13 Oct 2014)
New Revision: 29377

Modified:
   data/dla-needed.txt
Log:
I'll take ppp


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2014-10-12 21:14:12 UTC (rev 29376)
+++ data/dla-needed.txt 2014-10-13 04:37:01 UTC (rev 29377)
@@ -52,7 +52,7 @@
 --
 openjdk-6
 --
-ppp
+ppp (Andrew Bartlett)
 --
 qt4-x11
 --
