[Secure-testing-commits] r31592 - data/CVE
Author: carnil Date: 2015-01-22 06:09:43 + (Thu, 22 Jan 2015) New Revision: 31592 Modified: data/CVE/list Log: Add CVE-2015-1201 from external check, unclear CVE assignment according to Red Hat bug Modified: data/CVE/list === --- data/CVE/list 2015-01-22 05:30:28 UTC (rev 31591) +++ data/CVE/list 2015-01-22 06:09:43 UTC (rev 31592) @@ -297,6 +297,9 @@ CVE-2015-1202 [stack allocation with an attacker-controlled size -- modules/services_discovery/sap.c] - vlc (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) +CVE-2015-1201 + - privoxy + NOTE: CVE assignment unclear, see also comment in https://bugzilla.redhat.com/show_bug.cgi?id=1169213#c4 CVE-2014-9630 [Invalid memory access in rtp code] - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
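Review bot: the new CVE-2015-1201 entry carries a bare "- privoxy" line with no version, no bug reference and no bracketed description, so the tracker will list it as an open privoxy issue even though the NOTE says the CVE assignment itself is unclear. Turn that doubt into a "TODO: check" line (the convention this file uses elsewhere) and add a short bracketed description so a later triager can tell what is being tracked, or hold the entry until the assignment is confirmed.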
[Secure-testing-commits] r31591 - data/CVE
Author: carnil Date: 2015-01-22 05:30:28 + (Thu, 22 Jan 2015) New Revision: 31591 Modified: data/CVE/list Log: Add fixed version for icu, #775884 Modified: data/CVE/list === --- data/CVE/list 2015-01-22 05:29:22 UTC (rev 31590) +++ data/CVE/list 2015-01-22 05:30:28 UTC (rev 31591) @@ -10514,7 +10514,7 @@ - openjdk-6 - openjdk-7 - openjdk-8 - - icu (bug #775884) + - icu 52.1-7 (bug #775884) CVE-2014-6590 RESERVED - virtualbox (bug #775888) @@ -10542,7 +10542,7 @@ - openjdk-6 - openjdk-7 - openjdk-8 - - icu (bug #775884) + - icu 52.1-7 (bug #775884) CVE-2014-6584 RESERVED CVE-2014-6583 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
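Review bot: both hunks set "- icu 52.1-7 (bug #775884)" in two entries whose CVE ids lie outside the shown context, and the log names only the package and the bug number. Name the CVE ids in the log or in a NOTE so the two fixes can be matched to their entries; the openjdk-6/7/8 lines of the same entries are still unversioned and so remain open.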
[Secure-testing-commits] r31590 - data/CVE
Author: carnil Date: 2015-01-22 05:29:22 + (Thu, 22 Jan 2015) New Revision: 31590 Modified: data/CVE/list Log: Add fixed version for vlc upload TODO/NOTE: only a part of the CVE assigned corrected? Needs to be double-checked if other are maybe not-affected. Modified: data/CVE/list === --- data/CVE/list 2015-01-22 04:19:13 UTC (rev 31589) +++ data/CVE/list 2015-01-22 05:29:22 UTC (rev 31590) @@ -298,23 +298,23 @@ - vlc (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2014-9630 [Invalid memory access in rtp code] - - vlc (bug #775866) + - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97 CVE-2014-9629 [integer overflow with resultant buffer overflow] - - vlc (bug #775866) + - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5 CVE-2014-9628 [attacker-triggered zero-size malloc with resultant buffer overflow] - - vlc (bug #775866) + - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9627 [integer truncation on 32-bit platforms] - - vlc (bug #775866) + - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9626 [integer underflow] - - vlc (bug #775866) + - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9625 [Buffer overflow in updater] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
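Review bot: the log records a doubt ("only a part of the CVE assigned corrected?") that the hunk does not: CVE-2014-9626 through CVE-2014-9630 get "- vlc 2.2.0~rc2-2", while CVE-2015-1202 (the unversioned "- vlc (bug #775866)" in the leading context) and CVE-2015-1203 keep no fixed version. Add a "TODO: check whether 2.2.0~rc2-2 also fixes CVE-2015-1202/CVE-2015-1203" line to those entries so the open question lives in the data and not only in the commit message.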
[Secure-testing-commits] r31589 - in data: . CVE
Author: carnil Date: 2015-01-22 04:19:13 + (Thu, 22 Jan 2015) New Revision: 31589 Modified: data/CVE/list data/dsa-needed.txt Log: Add new jasper issues Modified: data/CVE/list === --- data/CVE/list 2015-01-21 20:01:14 UTC (rev 31588) +++ data/CVE/list 2015-01-22 04:19:13 UTC (rev 31589) @@ -6927,10 +6927,14 @@ NOTE: http://www.spinics.net/lists/netfilter-devel/msg33430.html CVE-2014-8159 RESERVED -CVE-2014-8158 +CVE-2014-8158 [stack overflow] RESERVED -CVE-2014-8157 + - jasper (bug #775970) + NOTE: http://www.ocert.org/advisories/ocert-2015-001.html +CVE-2014-8157 [off-by-one heap buffer overflow] RESERVED + - jasper (bug #775970) + NOTE: http://www.ocert.org/advisories/ocert-2015-001.html CVE-2014-8156 RESERVED CVE-2014-8155 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-01-21 20:01:14 UTC (rev 31588) +++ data/dsa-needed.txt 2015-01-22 04:19:13 UTC (rev 31589) @@ -22,6 +22,8 @@ no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 should be fixed along -- +jasper +-- libav -- liblivemedia ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
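Review bot: both jasper entries cite only the oCERT advisory; neither names an upstream fix commit or an affected-version bound, and neither has a [wheezy] or [squeeze] line, so the entries say nothing about whether the stable packages need the DSA that the dsa-needed.txt hunk requests. Add a NOTE with the fix reference once it is available and annotate the stable suites, as the vlc entries elsewhere in this file do.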
[Secure-testing-commits] r31588 - data
Author: carnil Date: 2015-01-21 20:01:14 + (Wed, 21 Jan 2015) New Revision: 31588 Modified: data/dsa-needed.txt Log: polarssl: prepared package which need to be tested Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-01-21 19:44:03 UTC (rev 31587) +++ data/dsa-needed.txt 2015-01-21 20:01:14 UTC (rev 31588) @@ -54,7 +54,7 @@ -- phpmyadmin (thijs) -- -polarssl +polarssl (carnil) -- python-django -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
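Review bot: the hunk records only the claimant "(carnil)" while the log says a package is already prepared and waiting for testing; since this file carries free text next to entries (see the "no-dsa bugs ... should be fixed along" line), put that state next to the name so nobody starts a second build of polarssl.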
[Secure-testing-commits] r31587 - data/CVE
Author: carnil Date: 2015-01-21 19:44:03 + (Wed, 21 Jan 2015) New Revision: 31587 Modified: data/CVE/list Log: Add two rabbitmq-server issues Modified: data/CVE/list === --- data/CVE/list 2015-01-21 19:02:43 UTC (rev 31586) +++ data/CVE/list 2015-01-21 19:44:03 UTC (rev 31587) @@ -11,6 +11,15 @@ NOTE: https://trac.xiph.org/ticket/2009 NOTE: Upstream fix: https://trac.xiph.org/changeset/19117 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/6 +CVE-2014- [Bug 26437 - prevent /api/* from returning text/html error messages which could act as an XSS vector] + - rabbitmq-server 3.4.1-1 + NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/13 +CVE-2014- [Bug 26433 - fix response-splitting vulnerability in /api/downloads] + - rabbitmq-server 3.4.1-1 + NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/13 CVE-2015- [(another) directory traversal via symlinks -- incomplete fix for CVE-2015-1196] - patch (bug #775901) [wheezy] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
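Review bot: the two rabbitmq-server placeholders are marked fixed in 3.4.1-1 but carry no [wheezy] or [squeeze] line, so the stable status is undecided while the unstable fix is already recorded; the first entry (Bug 26437, the text/html error pages usable as an XSS vector) also lacks the "Fixed by:" commit NOTE that the second entry has. Add the wheezy/squeeze annotation (fixed version, not-affected or no-dsa) and the fixing commit for the first entry.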
[Secure-testing-commits] r31586 - data/CVE
Author: carnil Date: 2015-01-21 19:02:43 + (Wed, 21 Jan 2015) New Revision: 31586 Modified: data/CVE/list Log: Remove todo, there is no more information available so we need to trust information given via version numbers Modified: data/CVE/list === --- data/CVE/list 2015-01-21 19:00:36 UTC (rev 31585) +++ data/CVE/list 2015-01-21 19:02:43 UTC (rev 31586) @@ -2720,7 +2720,6 @@ - mariadb-10.0 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL - TODO: possibly already fixed in 5.5.39, to be checked CVE-2015-0390 RESERVED CVE-2015-0389 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
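Review bot: the hunk drops the "TODO: possibly already fixed in 5.5.39, to be checked" line but leaves the mariadb-5.5, mariadb-10.0 and percona-xtradb-cluster-5.5 lines of the same entry without a version or status, so the entry is only half resolved. Replace the TODO with a NOTE that states the version evidence the log relies on (which upstream release the CPU appendix lists as fixed), and either annotate the MariaDB/Percona lines or keep a TODO for them.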
[Secure-testing-commits] r31585 - data/CVE
Author: carnil Date: 2015-01-21 19:00:36 + (Wed, 21 Jan 2015) New Revision: 31585 Modified: data/CVE/list Log: One mysql issue already fixed in upstream 5.5.39 Modified: data/CVE/list === --- data/CVE/list 2015-01-21 18:56:36 UTC (rev 31584) +++ data/CVE/list 2015-01-21 19:00:36 UTC (rev 31585) @@ -2714,7 +2714,8 @@ RESERVED CVE-2015-0391 RESERVED - - mysql-5.5 (bug #775881) + - mysql-5.5 5.5.39-1 + [wheezy] - mysql-5.5 5.5.40-0+wheezy1 - mariadb-5.5 - mariadb-10.0 - percona-xtradb-cluster-5.5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
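Review bot: the mysql-5.5 line loses its "(bug #775881)" reference when the fixed version 5.5.39-1 is added, although the rest of this file keeps the bug next to the version (for instance "- vlc 2.2.0~rc2-2 (bug #775866)"). Keep "(bug #775881)" on the line so the Debian bug stays linked; the new "[wheezy] - mysql-5.5 5.5.40-0+wheezy1" line is fine as written.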
[Secure-testing-commits] r31584 - data/CVE
Author: carnil Date: 2015-01-21 18:56:36 + (Wed, 21 Jan 2015) New Revision: 31584 Modified: data/CVE/list Log: Correct one mysql entry: CVE-2015-0375 -> CVE-2015-0374 Modified: data/CVE/list === --- data/CVE/list 2015-01-21 16:47:09 UTC (rev 31583) +++ data/CVE/list 2015-01-21 18:56:36 UTC (rev 31584) @@ -2774,13 +2774,13 @@ RESERVED CVE-2015-0375 RESERVED +CVE-2015-0374 + RESERVED - mysql-5.5 (bug #775881) - mariadb-5.5 - mariadb-10.0 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL -CVE-2015-0374 - RESERVED CVE-2015-0373 RESERVED CVE-2015-0372 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31583 - data/CVE
Author: carnil Date: 2015-01-21 16:47:09 + (Wed, 21 Jan 2015) New Revision: 31583 Modified: data/CVE/list Log: Add fixed version for CVE-2015-1195/glance, #775926 Modified: data/CVE/list === --- data/CVE/list 2015-01-21 16:37:39 UTC (rev 31582) +++ data/CVE/list 2015-01-21 16:47:09 UTC (rev 31583) @@ -421,7 +421,7 @@ [wheezy] - ppmd (Minor issue) [jessie] - ppmd (Minor issue) CVE-2015-1195 [Glance v2 API unrestricted path traversal through filesystem:// scheme] - - glance (bug #775926) + - glance 2014.1.3-11 (bug #775926) [wheezy] - glance (Vulnerable code not present) NOTE: up to 2014.1.3 and 2014.2 versions up to 2014.2.1 CVE-2012- [Insufficient validation of USB device descriptors] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
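Review bot: the fixed version 2014.1.3-11 is a Debian revision of an upstream release that the entry's own NOTE ("up to 2014.1.3 ... up to 2014.2.1") lists as affected, so the fix must be a backported patch; add a NOTE naming the upstream commit or the Debian patch, and reword that NOTE as an explicit affected-range statement, since as written it can be read as either affected or fixed versions.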
[Secure-testing-commits] r31582 - data/CVE
Author: carnil Date: 2015-01-21 16:37:39 + (Wed, 21 Jan 2015) New Revision: 31582 Modified: data/CVE/list Log: Update entry for sympa issue Modified: data/CVE/list === --- data/CVE/list 2015-01-21 16:22:48 UTC (rev 31581) +++ data/CVE/list 2015-01-21 16:37:39 UTC (rev 31582) @@ -398,7 +398,10 @@ NOT-FOR-US: Apache CloudStack CVE-2015- [vulnerability in the web interface] - sympa 6.1.23~dfsg-2 + [wheezy] - sympa 6.1.11~dfsg-5+deb7u2 NOTE: https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting + NOTE: add proper cross reference from DSA/list once CVE is assigned + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/20/4 CVE-2014-9624 [CAPTCHA bypass] - mantis [wheezy] - mantis (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
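Review bot: the added "NOTE: add proper cross reference from DSA/list once CVE is assigned" is an action item, and this file uses "TODO:" lines for those (see "TODO: check" on the php5 entries); make it a TODO so it is not lost among reference NOTEs. Recording the wheezy fix 6.1.11~dfsg-5+deb7u2 against a "CVE-2015-" placeholder is otherwise consistent with the unstable line above it.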
[Secure-testing-commits] r31580 - data/CVE
Author: carnil Date: 2015-01-21 16:22:17 + (Wed, 21 Jan 2015) New Revision: 31580 Modified: data/CVE/list Log: Add bugreference (#775926) for CVE-2015-1195/glance Modified: data/CVE/list === --- data/CVE/list 2015-01-21 16:14:59 UTC (rev 31579) +++ data/CVE/list 2015-01-21 16:22:17 UTC (rev 31580) @@ -418,7 +418,7 @@ [wheezy] - ppmd (Minor issue) [jessie] - ppmd (Minor issue) CVE-2015-1195 [Glance v2 API unrestricted path traversal through filesystem:// scheme] - - glance + - glance (bug #775926) [wheezy] - glance (Vulnerable code not present) NOTE: up to 2014.1.3 and 2014.2 versions up to 2014.2.1 CVE-2012- [Insufficient validation of USB device descriptors] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31581 - data/CVE
Author: carnil Date: 2015-01-21 16:22:48 + (Wed, 21 Jan 2015) New Revision: 31581 Modified: data/CVE/list Log: Add reference for the itp bug Modified: data/CVE/list === --- data/CVE/list 2015-01-21 16:22:17 UTC (rev 31580) +++ data/CVE/list 2015-01-21 16:22:48 UTC (rev 31581) @@ -477,6 +477,7 @@ RESERVED - kiwix NOTE: actually RFP again, but was removed from the archive on 2014-09-25 + NOTE: See https://bugs.debian.org/763321 CVE-2015-1029 (The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x ...) - puppet-module-puppetlabs-stdlib (bug #775535) NOTE: http://puppetlabs.com/security/cve/cve-2015-1029 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
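Review bot: the kiwix entry now has a bare "- kiwix" line plus two NOTEs (removed from the archive on 2014-09-25, bug 763321 as RFP); without a version or status the tracker treats this as an open issue in a package that, per the NOTE, is no longer in the archive. Moving the bug number into a NOTE works around the checker failures for r31577 and r31578 ("ITPed package kiwix is in the archive"), and the removal date and RFP bug are the facts a later triager needs, so keep both; the entry still wants an explicit status once the package's archive state is settled.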
[Secure-testing-commits] r31579 - data/CVE
Author: carnil Date: 2015-01-21 16:14:59 + (Wed, 21 Jan 2015) New Revision: 31579 Modified: data/CVE/list Log: Update entry for kiwix Modified: data/CVE/list === --- data/CVE/list 2015-01-21 16:10:30 UTC (rev 31578) +++ data/CVE/list 2015-01-21 16:14:59 UTC (rev 31579) @@ -475,7 +475,8 @@ RESERVED CVE-2015-1032 [Cross-Site Scripting Vulnerability] RESERVED - - kiwix (bug #763321) + - kiwix + NOTE: actually RFP again, but was removed from the archive on 2014-09-25 CVE-2015-1029 (The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x ...) - puppet-module-puppetlabs-stdlib (bug #775535) NOTE: http://puppetlabs.com/security/cve/cve-2015-1029 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] Processing r31578 failed
The error message was: data/CVE/list:476: ITPed package kiwix is in the archive make: *** [all] Error 1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
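The checker output above ("ITPed package kiwix is in the archive") is the list's own consistency pass rejecting an entry. As an added example, not the tracker's checker and not code from this list, here is a small parser for the data/CVE/list entry shapes visible in these diffs (header with bracketed or parenthesised description, package lines with optional release, version and bug reference, RESERVED, NOT-FOR-US, NOTE, TODO) with two lints run over a constructed excerpt: a placeholder "CVE-YYYY-" id without a "NOTE: CVE Request:" line, and the ITP-versus-archive clash. The exact rule the real checker applies is an assumption, as are the archive index and the ITP bug set, which are constructed stand-ins.

```python
# Added example (not the tracker's own code): parse an excerpt of the
# secure-testing data/CVE/list format, inferred from the diffs above, and run
# two consistency checks over it.  Archive and ITP-bug sets are constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# "CVE-2015-1195 [desc]", "CVE-2015-0222 (desc ...)" or placeholder "CVE-2015- [desc]"
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d*)\s*(?:\[(.*)\]|\((.*)\))?\s*$")
# optional "[release]", "- package", optional version, optional "(reason ... bug #NNN)"
PKG_RE = re.compile(
    r"^(?:\[(?P<release>[a-z0-9-]+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"(?:\s+(?P<version>[0-9][^\s(]*))?(?:\s+\((?P<reason>.*)\))?$"
)
BUG_RE = re.compile(r"bug #(\d+)")


@dataclass
class PkgLine:
    release: Optional[str]  # None = unstable
    package: str
    version: Optional[str]  # None = no fixed version recorded
    reason: Optional[str]
    lineno: int

    @property
    def bug(self) -> Optional[int]:
        m = BUG_RE.search(self.reason or "")
        return int(m.group(1)) if m else None


@dataclass
class Entry:
    cve: str
    description: Optional[str]
    lineno: int
    reserved: bool = False
    not_for_us: Optional[str] = None
    packages: List[PkgLine] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)
    todos: List[str] = field(default_factory=list)


def parse(text: str) -> List[Entry]:
    """Header lines start in column 0; everything else belongs to the current entry."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("CVE-"):
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError(f"line {n}: bad header {raw!r}")
            cur = Entry(m.group(1), m.group(2) or m.group(3), n)
            entries.append(cur)
            continue
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            raise ValueError(f"line {n}: data before first entry")
        if line == "RESERVED":
            cur.reserved = True
        elif line.startswith("NOT-FOR-US:"):
            cur.not_for_us = line[11:].strip()
        elif line.startswith("NOTE:"):
            cur.notes.append(line[5:].strip())
        elif line.startswith("TODO:"):
            cur.todos.append(line[5:].strip())
        else:
            m = PKG_RE.match(line)
            if not m:
                raise ValueError(f"line {n}: unparsed {line!r}")
            cur.packages.append(PkgLine(m["release"], m["pkg"], m["version"], m["reason"], n))
    return entries


def lint(entries: List[Entry], archive: Set[str], itp_bugs: Set[int]) -> List[Tuple[int, str]]:
    """Assumed checks: a placeholder id needs a 'CVE Request:' NOTE, and a bug
    reference on an unversioned unstable line is read as an ITP, which clashes
    with the package being in the archive (the checker error quoted above)."""
    out: List[Tuple[int, str]] = []
    for e in entries:
        if e.cve.endswith("-") and not any(x.startswith("CVE Request:") for x in e.notes):
            out.append((e.lineno, f"{e.cve} placeholder without a 'NOTE: CVE Request:' line"))
        for p in e.packages:
            if p.release is None and p.version is None and p.bug in itp_bugs and p.package in archive:
                out.append((p.lineno, f"ITPed package {p.package} is in the archive"))
    return out


# Constructed excerpt built from entries that appear in the diffs on this page.
SAMPLE = """\
CVE-2015- [(another) directory traversal via symlinks -- incomplete fix for CVE-2015-1196]
\t- patch (bug #775901)
\t[wheezy] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied)
CVE-2015-1195 [Glance v2 API unrestricted path traversal through filesystem:// scheme]
\t- glance 2014.1.3-11 (bug #775926)
\t[wheezy] - glance (Vulnerable code not present)
CVE-2015-1032 [Cross-Site Scripting Vulnerability]
\tRESERVED
\t- kiwix (bug #763321)
CVE-2015- [Oggenc division by zero issue]
\t- vorbis-tools
\tNOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/5
CVE-2015-1175
\tNOT-FOR-US: PrestaShop
"""
ARCHIVE = {"patch", "glance", "kiwix", "vorbis-tools"}  # constructed stand-in for the archive index
ITP_BUGS = {763321}                                     # constructed stand-in for the ITP bug list


def run_sample() -> List[Tuple[int, str]]:
    return lint(parse(SAMPLE), ARCHIVE, ITP_BUGS)
```

Calling `run_sample()` reports two problems: the placeholder patch entry from r31571, which has no CVE request NOTE, and the kiwix line from r31577, whose message matches the checker error quoted above. Removing kiwix from the archive set silences the second finding, which is the dependency on archive state that r31579 sidestepped by moving the bug number into a NOTE.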
[Secure-testing-commits] r31578 - data/CVE
Author: fgeek-guest Date: 2015-01-21 16:10:30 + (Wed, 21 Jan 2015) New Revision: 31578 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2015-01-21 16:07:19 UTC (rev 31577) +++ data/CVE/list 2015-01-21 16:10:30 UTC (rev 31578) @@ -58,6 +58,8 @@ CVE-2015-1182 [Remote attack using crafted certificates] - polarssl (bug #775776) NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04 +CVE-2015-1175 + NOT-FOR-US: PrestaShop CVE-2015-1160 RESERVED CVE-2015-1159 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] Processing r31577 failed
The error message was: data/CVE/list:474: ITPed package kiwix is in the archive make: *** [all] Error 1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31577 - data/CVE
Author: carnil Date: 2015-01-21 16:07:19 + (Wed, 21 Jan 2015) New Revision: 31577 Modified: data/CVE/list Log: Add CVE-2015-1032, kiwix, itp'ed as #763321 Modified: data/CVE/list === --- data/CVE/list 2015-01-21 15:21:48 UTC (rev 31576) +++ data/CVE/list 2015-01-21 16:07:19 UTC (rev 31577) @@ -471,8 +471,9 @@ RESERVED CVE-2015-1033 RESERVED -CVE-2015-1032 +CVE-2015-1032 [Cross-Site Scripting Vulnerability] RESERVED + - kiwix (bug #763321) CVE-2015-1029 (The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x ...) - puppet-module-puppetlabs-stdlib (bug #775535) NOTE: http://puppetlabs.com/security/cve/cve-2015-1029 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
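Review bot: this is the change the list checker rejected ("data/CVE/list:474: ITPed package kiwix is in the archive"): "(bug #763321)" on an unversioned package line is read as an ITP reference, and the checker found kiwix still in the archive. Either the bug is not an ITP (then the reference belongs in a NOTE, which r31581 later did) or the archive state the checker sees is stale; establish which before re-adding the reference to the package line.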
[Secure-testing-commits] r31576 - data/CVE
Author: carnil Date: 2015-01-21 15:21:48 + (Wed, 21 Jan 2015) New Revision: 31576 Modified: data/CVE/list Log: Add three new vorbis-tools issues Modified: data/CVE/list === --- data/CVE/list 2015-01-21 15:17:17 UTC (rev 31575) +++ data/CVE/list 2015-01-21 15:21:48 UTC (rev 31576) @@ -1,3 +1,16 @@ +CVE-2015- [Oggenc division by zero issue] + - vorbis-tools + NOTE: https://trac.xiph.org/ticket/2137 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/5 +CVE-2015- [Oggenc channel integer overflow] + - vorbis-tools + NOTE: https://trac.xiph.org/ticket/2136 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/5 +CVE-2014- [segfault when trying to encode trivial raw input] + - vorbis-tools + NOTE: https://trac.xiph.org/ticket/2009 + NOTE: Upstream fix: https://trac.xiph.org/changeset/19117 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/6 CVE-2015- [(another) directory traversal via symlinks -- incomplete fix for CVE-2015-1196] - patch (bug #775901) [wheezy] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
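Review bot: none of the three vorbis-tools entries has a Debian bug reference or a fixed version, and only the third (ticket 2009) carries an upstream fix NOTE; the two oggenc issues (tickets 2136 and 2137) reference only the tracker ticket and the CVE request. File or link a Debian bug and add the upstream fix references once they exist, otherwise the entries cannot be moved to a fixed state later without re-research.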
[Secure-testing-commits] r31575 - data/CVE
Author: carnil Date: 2015-01-21 15:17:17 + (Wed, 21 Jan 2015) New Revision: 31575 Modified: data/CVE/list Log: Add another procmail/formail issue Modified: data/CVE/list === --- data/CVE/list 2015-01-21 13:56:15 UTC (rev 31574) +++ data/CVE/list 2015-01-21 15:17:17 UTC (rev 31575) @@ -35,6 +35,9 @@ NOTE: http://bugs.gnu.org/19563 NOTE: Upstream fix: http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/18/12 +CVE-2014- [formail: memory corruption] + - procmail (bug #769937) + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/9 CVE-2014- [GTK+ improperly handled the menu key, possibly allowing lock screen bypass] - gtk+3.0 (bug #759145) [wheezy] - gtk+3.0 (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
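Review bot: the procmail entry describes the issue only as "formail: memory corruption" with the Debian bug and the CVE request; there is no upstream or distribution fix reference, unlike the grep entry directly above it ("Upstream fix: ..."). Add the fix reference, or a TODO if none exists yet, so the entry can be closed with a version.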
[Secure-testing-commits] r31574 - data/CVE
Author: carnil Date: 2015-01-21 13:56:15 + (Wed, 21 Jan 2015) New Revision: 31574 Modified: data/CVE/list Log: Add bug reference for CVE-2014-8154/vala-0.26 Modified: data/CVE/list === --- data/CVE/list 2015-01-21 13:13:34 UTC (rev 31573) +++ data/CVE/list 2015-01-21 13:56:15 UTC (rev 31574) @@ -6904,7 +6904,7 @@ RESERVED CVE-2014-8154 [Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()] RESERVED - - vala-0.26 + - vala-0.26 (bug #775913) - vala-0.16 (MapInfo not yet present) - vala-0.14 (MapInfo not yet present) - vala (MapInfo not yet present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31573 - data/CVE
Author: carnil Date: 2015-01-21 13:13:34 + (Wed, 21 Jan 2015) New Revision: 31573 Modified: data/CVE/list Log: python-django fixed in unstable, #775375 Modified: data/CVE/list === --- data/CVE/list 2015-01-21 12:32:47 UTC (rev 31572) +++ data/CVE/list 2015-01-21 13:13:34 UTC (rev 31573) @@ -4308,17 +4308,17 @@ CVE-2015-0223 RESERVED CVE-2015-0222 (ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x ...) - - python-django (bug #775375) + - python-django 1.7.1-1.1 (bug #775375) [wheezy] - python-django (1.4.x not affected) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0221 (The django.views.static.serve view in Django before 1.4.18, 1.6.x ...) - - python-django (bug #775375) + - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0220 (The django.util.http.is_safe_url function in Django before 1.4.18, ...) - - python-django (bug #775375) + - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0219 (Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 ...) - - python-django (bug #775375) + - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0218 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
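Review bot: the four entries get "- python-django 1.7.1-1.1 (bug #775375)", but only CVE-2015-0222 has a "[wheezy]" annotation ("1.4.x not affected"); CVE-2015-0219, -0220 and -0221 are described as affecting "Django before 1.4.18" and get no wheezy line, so they stay open for wheezy with no decision recorded. That matches python-django still being listed in dsa-needed.txt (visible in the r31588 context), but the entries should state the wheezy status explicitly once the update is decided.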
[Secure-testing-commits] r31572 - data/CVE
Author: alteholz Date: 2015-01-21 12:32:47 + (Wed, 21 Jan 2015) New Revision: 31572 Modified: data/CVE/list Log: temporary php CVE not for squeeze Modified: data/CVE/list === --- data/CVE/list 2015-01-21 11:33:51 UTC (rev 31571) +++ data/CVE/list 2015-01-21 12:32:47 UTC (rev 31572) @@ -1799,6 +1799,7 @@ TODO: check CVE-2015- [Null Pointer Deference in pgsql] - php5 + [squeeze] - php5 (vulnerable code (build_tablename()) introduced later) NOTE: https://bugs.php.net/bug.php?id=68741 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e TODO: check ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
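Review bot: the added "[squeeze] - php5 (vulnerable code (build_tablename()) introduced later)" nests parentheses inside the reason text, which is harder to read and to parse; prefer "[squeeze] - php5 (Vulnerable code not present, build_tablename() introduced later)", the wording the glance and gtk+3.0 entries use ("Vulnerable code not present"). The surrounding "TODO: check" lines remain, so the entry is still unresolved for wheezy and unstable.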
[Secure-testing-commits] r31571 - data/CVE
Author: carnil Date: 2015-01-21 11:33:51 + (Wed, 21 Jan 2015) New Revision: 31571 Modified: data/CVE/list Log: Add new patch issue, #775901 Modified: data/CVE/list === --- data/CVE/list 2015-01-21 08:28:49 UTC (rev 31570) +++ data/CVE/list 2015-01-21 11:33:51 UTC (rev 31571) @@ -1,3 +1,7 @@ +CVE-2015- [(another) directory traversal via symlinks -- incomplete fix for CVE-2015-1196] + - patch (bug #775901) + [wheezy] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) + [squeeze] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) CVE-2015- [PHP int overflow] - php5 NOTE: https://github.com/MegaManSec/php-src/commit/a538d2f5605798422f2746636ecdc300f8ebcaa1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
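Review bot: the new patch entry says it is an incomplete fix for CVE-2015-1196 and annotates wheezy and squeeze as not affected, but unlike its neighbours it carries no NOTE with the upstream report, fix commit or CVE request; add those references, since the not-affected claim for the stable suites rests on which upstream change introduced the incomplete fix.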
[Secure-testing-commits] r31570 - data/CVE
Author: jmm Date: 2015-01-21 08:28:49 + (Wed, 21 Jan 2015) New Revision: 31570 Modified: data/CVE/list Log: one vlc issue n/a vlc eol in squeeze Modified: data/CVE/list === --- data/CVE/list 2015-01-21 08:00:06 UTC (rev 31569) +++ data/CVE/list 2015-01-21 08:28:49 UTC (rev 31570) 
@@ -262,25 +262,33 @@ RESERVED CVE-2015-1203 [stack allocation with an attacker-controlled size -- modules/access/ftp.c] - vlc (bug #775866) + [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2015-1202 [stack allocation with an attacker-controlled size -- modules/services_discovery/sap.c] - vlc (bug #775866) + [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2014-9630 [Invalid memory access in rtp code] - vlc (bug #775866) + [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97 CVE-2014-9629 [integer overflow with resultant buffer overflow] - vlc (bug #775866) + [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5 CVE-2014-9628 [attacker-triggered zero-size malloc with resultant buffer overflow] - vlc (bug #775866) + [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9627 [integer truncation on 32-bit platforms] - vlc (bug #775866) + [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9626 [integer underflow] - vlc (bug #775866) + [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9625 [Buffer overflow in updater] - - vlc (bug #775866) + - vlc (Update mechanism not enabled in the Debian package) + [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14 CVE-2014-9623 [Glance user storage quota bypass] - glance ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
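Review bot: the CVE-2014-9625 line replaces "- vlc (bug #775866)" with "- vlc (Update mechanism not enabled in the Debian package)", which marks the issue not-affected but silently drops the bug reference that the other seven entries keep. If the Debian package really does not build the updater, keep the bug number in the reason text so the bug stays linked, and consider a NOTE naming the build option that disables it. The added "[squeeze] - vlc (Unsupported in squeeze-lts)" lines on all eight entries are consistent with each other.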
[Secure-testing-commits] r31569 - data/CVE
Author: jmm Date: 2015-01-21 08:00:06 + (Wed, 21 Jan 2015) New Revision: 31569 Modified: data/CVE/list Log: vbox bugnums Modified: data/CVE/list === --- data/CVE/list 2015-01-21 06:48:59 UTC (rev 31568) +++ data/CVE/list 2015-01-21 08:00:06 UTC (rev 31569) @@ -2562,6 +2562,9 @@ RESERVED CVE-2015-0427 RESERVED + - virtualbox (bug #775888) + [wheezy] - virtualbox (Introduced in 4.3) + - virtualbox-ose (Introduced in 4.3) CVE-2015-0426 RESERVED CVE-2015-0425 @@ -2581,6 +2584,8 @@ RESERVED CVE-2015-0418 RESERVED + - virtualbox (low; bug #775888) + - virtualbox-ose (low) CVE-2015-0417 RESERVED CVE-2015-0416 @@ -2724,6 +2729,10 @@ RESERVED CVE-2015-0377 RESERVED + - virtualbox 4.3.2-dfsg-1 + - virtualbox-ose + NOTE: According to http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html the 4.3 + NOTE: series is not affected, so marking the first 4.3 upload as fixed CVE-2015-0376 RESERVED CVE-2015-0375 @@ -10438,6 +10447,9 @@ RESERVED CVE-2014-6595 RESERVED + - virtualbox (bug #775888) + [wheezy] - virtualbox (Introduced in 4.3) + - virtualbox-ose (Introduced in 4.3) CVE-2014-6594 RESERVED CVE-2014-6593 @@ -10455,10 +10467,19 @@ - icu (bug #775884) CVE-2014-6590 RESERVED + - virtualbox (bug #775888) + [wheezy] - virtualbox (Introduced in 4.3) + - virtualbox-ose (Introduced in 4.3) CVE-2014-6589 RESERVED + - virtualbox (bug #775888) + [wheezy] - virtualbox (Introduced in 4.3) + - virtualbox-ose (Introduced in 4.3) CVE-2014-6588 RESERVED + - virtualbox (bug #775888) + [wheezy] - virtualbox (Introduced in 4.3) + - virtualbox-ose (Introduced in 4.3) CVE-2014-6587 RESERVED - openjdk-6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
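Review bot: in the CVE-2015-0377 hunk, "- virtualbox 4.3.2-dfsg-1" is marked fixed on the strength of the NOTE that the 4.3 series is not affected, but the "- virtualbox-ose" line directly under it is left with no version or status, whereas every other hunk in this commit annotates virtualbox-ose ("Introduced in 4.3" or "low"). Give virtualbox-ose an explicit status there as well; and in the CVE-2015-0418 hunk, "(low; bug #775888)" is the only entry with a severity tag and no [wheezy] line, which should be stated as deliberate if it is.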