[Secure-testing-commits] r32254 - data/CVE
Author: carnil Date: 2015-02-16 10:02:41 + (Mon, 16 Feb 2015) New Revision: 32254 Modified: data/CVE/list Log: CVE-2014-8986/mantis: Reference 1.2.x branch fix as well Modified: data/CVE/list === --- data/CVE/list 2015-02-16 02:57:06 UTC (rev 32253) +++ data/CVE/list 2015-02-16 10:02:41 UTC (rev 32254) @@ -6345,6 +6345,7 @@ - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40 + NOTE: https://github.com/mantisbt/mantisbt/commit/e326b73a (1.2.x) CVE-2014-8985 RESERVED CVE-2014-8984 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32255 - in data: . DLA
Author: hertzog
Date: 2015-02-16 10:49:45 + (Mon, 16 Feb 2015)
New Revision: 32255
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Take DLA-153-1 for e2fsprogs
Modified: data/DLA/list
===
--- data/DLA/list 2015-02-16 10:02:41 UTC (rev 32254)
+++ data/DLA/list 2015-02-16 10:49:45 UTC (rev 32255)
@@ -1,3 +1,6 @@
+[16 Feb 2015] DLA-153-1 e2fsprogs - security update
+ {CVE-2015-0247}
+ [squeeze] - e2fsprogs 1.41.12-4+deb6u1
[12 Feb 2015] DLA-152-1 postgresql-8.4 - new minor release
{CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244}
[squeeze] - postgresql-8.4 8.4.22lts1-0+deb6u1
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2015-02-16 10:02:41 UTC (rev 32254)
+++ data/dla-needed.txt 2015-02-16 10:49:45 UTC (rev 32255)
@@ -19,8 +19,6 @@
--
ejabberd
--
-e2fsprogs (Nguyen Cong)
---
file (Nguyen Cong)
--
httpcomponents-client
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32256 - data/CVE
Author: jmm Date: 2015-02-16 11:24:12 + (Mon, 16 Feb 2015) New Revision: 32256 Modified: data/CVE/list Log: librcsb-core-wrapper fixed Modified: data/CVE/list === --- data/CVE/list 2015-02-16 10:49:45 UTC (rev 32255) +++ data/CVE/list 2015-02-16 11:24:12 UTC (rev 32256) @@ -1,3 +1,5 @@ +CVE-2014-9682 + NOT-FOR-US: node-dns-sync CVE-2014- [more to CVE-2014-6585] - icu (low; bug #778511) CVE-2015-1607 [memcpy with overlapping ranges, resulting from incorrect bitwise left shifts] @@ -82,7 +84,7 @@ - llvm-toolchain-snapshot (bug #778394) - haskell-regex-posix (only when building on Windows, see bug #778395) - cups (Local regex copy only used when building on Windows, see #778396) - - librcsb-core-wrapper (bug #778397) + - librcsb-core-wrapper 1.005-3 (bug #778397) - openrpt (bug #778398) - z88dk (bug #778399) - newlib (bug #778408) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32257 - data/CVE
Author: carnil Date: 2015-02-16 11:44:56 + (Mon, 16 Feb 2015) New Revision: 32257 Modified: data/CVE/list Log: Add note for CVE-2014-8986/mantis, disagreement between reporter and developer Modified: data/CVE/list === --- data/CVE/list 2015-02-16 11:24:12 UTC (rev 32256) +++ data/CVE/list 2015-02-16 11:44:56 UTC (rev 32257) @@ -6348,6 +6348,7 @@ [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40 NOTE: https://github.com/mantisbt/mantisbt/commit/e326b73a (1.2.x) + NOTE: Reporter and Mantis Developer disagree on this CVE, so needs double check CVE-2014-8985 RESERVED CVE-2014-8984 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32258 - data
Author: hertzog Date: 2015-02-16 13:59:15 + (Mon, 16 Feb 2015) New Revision: 32258 Modified: data/dla-needed.txt Log: Take nss in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2015-02-16 11:44:56 UTC (rev 32257) +++ data/dla-needed.txt 2015-02-16 13:59:15 UTC (rev 32258) @@ -48,7 +48,7 @@ -- linux-2.6 (Ben Hutchings) -- -nss +nss (Raphael Hertzog) -- openjdk-6 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32259 - data/CVE
Author: fgeek-guest Date: 2015-02-16 15:01:51 + (Mon, 16 Feb 2015) New Revision: 32259 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2015-02-16 13:59:15 UTC (rev 32258) +++ data/CVE/list 2015-02-16 15:01:51 UTC (rev 32259) @@ -18,6 +18,8 @@ NOT-FOR-US: Landsknecht Adminsystems CVE-2015-1603 NOT-FOR-US: Landsknecht Adminsystems +CVE-2015-1600 + NOT-FOR-US: Netatmo Weather Station CVE-2015-1588 RESERVED CVE-2015-1587 @@ -356,7 +358,7 @@ CVE-2014-9679 [cupsRasterReadPixels buffer overflow] RESERVED [experimental] - cups 2.0.2-1 - - cups (bug #778387) + - cups (bug #778387) NOTE: Marked with [experimental] tag as the fix is only in experimental so far NOTE: Switch this to regular fixed version once the fix is in unstable NOTE: https://www.cups.org/strfiles.php/3438/str4551.patch ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32260 - data/CVE
Author: fgeek-guest Date: 2015-02-16 15:02:38 + (Mon, 16 Feb 2015) New Revision: 32260 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2015-02-16 15:01:51 UTC (rev 32259) +++ data/CVE/list 2015-02-16 15:02:38 UTC (rev 32260) @@ -28,6 +28,7 @@ RESERVED CVE-2015-1585 RESERVED + NOT-FOR-US: Fat Free CRM CVE-2015-1584 RESERVED CVE-2015-1583 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32261 - in data: . DLA
Author: hertzog
Date: 2015-02-16 15:19:12 + (Mon, 16 Feb 2015)
New Revision: 32261
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Take DLA-154-1 for nss
Modified: data/DLA/list
===
--- data/DLA/list 2015-02-16 15:02:38 UTC (rev 32260)
+++ data/DLA/list 2015-02-16 15:19:12 UTC (rev 32261)
@@ -1,3 +1,6 @@
+[16 Feb 2015] DLA-154-1 nss - security update
+ {CVE-2011-3389 CVE-2014-1569}
+ [squeeze] - nss 3.12.8-1+squeeze11
[16 Feb 2015] DLA-153-1 e2fsprogs - security update
{CVE-2015-0247}
[squeeze] - e2fsprogs 1.41.12-4+deb6u1
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2015-02-16 15:02:38 UTC (rev 32260)
+++ data/dla-needed.txt 2015-02-16 15:19:12 UTC (rev 32261)
@@ -48,8 +48,6 @@
--
linux-2.6 (Ben Hutchings)
--
-nss (Raphael Hertzog)
---
openjdk-6
--
php5
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32262 - data/CVE
Author: carnil Date: 2015-02-16 15:30:25 + (Mon, 16 Feb 2015) New Revision: 32262 Modified: data/CVE/list Log: Add CVE-2015-1572/e2fsprogs Modified: data/CVE/list === --- data/CVE/list 2015-02-16 15:19:12 UTC (rev 32261) +++ data/CVE/list 2015-02-16 15:30:25 UTC (rev 32262) @@ -70,8 +70,10 @@ - movabletype-opensource NOTE: https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/2 -CVE-2015-1572 +CVE-2015-1572 [potential buffer overflow in closefs()] RESERVED + - e2fsprogs + NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73 CVE-2015-1571 (The CAPWAP DTLS protocol implementation in Fortinet FortiOS 5.0 Patch ...) TODO: check CVE-2015-1570 (The Endpoint Control protocol implementation in Fortinet FortiClient ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32263 - data/CVE
Author: carnil Date: 2015-02-16 15:31:49 + (Mon, 16 Feb 2015) New Revision: 32263 Modified: data/CVE/list Log: Add marker for no-dsa for CVE-2015-1572 Modified: data/CVE/list === --- data/CVE/list 2015-02-16 15:30:25 UTC (rev 32262) +++ data/CVE/list 2015-02-16 15:31:49 UTC (rev 32263) @@ -73,6 +73,7 @@ CVE-2015-1572 [potential buffer overflow in closefs()] RESERVED - e2fsprogs + [wheezy] - e2fsprogs (Minor issue) NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73 CVE-2015-1571 (The CAPWAP DTLS protocol implementation in Fortinet FortiOS 5.0 Patch ...) TODO: check ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32264 - data/CVE
Author: carnil Date: 2015-02-16 15:31:57 + (Mon, 16 Feb 2015) New Revision: 32264 Modified: data/CVE/list Log: Cleanup trailing whitespaces Modified: data/CVE/list === --- data/CVE/list 2015-02-16 15:31:49 UTC (rev 32263) +++ data/CVE/list 2015-02-16 15:31:57 UTC (rev 32264) @@ -95,7 +95,7 @@ - z88dk (bug #778399) - newlib (bug #778408) - yap (bug #778410) - - vnc4 (bug #778403) + - vnc4 (bug #778403) - sma (Local regex copy only used when building on Windows, see #778411) - clamav (bug #778406) [wheezy] - clamav (Updated through stable-updates) @@ -362,7 +362,7 @@ CVE-2014-9679 [cupsRasterReadPixels buffer overflow] RESERVED [experimental] - cups 2.0.2-1 - - cups (bug #778387) + - cups (bug #778387) NOTE: Marked with [experimental] tag as the fix is only in experimental so far NOTE: Switch this to regular fixed version once the fix is in unstable NOTE: https://www.cups.org/strfiles.php/3438/str4551.patch ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32265 - data/CVE
Author: carnil Date: 2015-02-16 15:42:13 + (Mon, 16 Feb 2015) New Revision: 32265 Modified: data/CVE/list Log: Add fixed version for #778387, cups Modified: data/CVE/list === --- data/CVE/list 2015-02-16 15:31:57 UTC (rev 32264) +++ data/CVE/list 2015-02-16 15:42:13 UTC (rev 32265) @@ -362,7 +362,7 @@ CVE-2014-9679 [cupsRasterReadPixels buffer overflow] RESERVED [experimental] - cups 2.0.2-1 - - cups (bug #778387) + - cups 1.7.5-11 (bug #778387) NOTE: Marked with [experimental] tag as the fix is only in experimental so far NOTE: Switch this to regular fixed version once the fix is in unstable NOTE: https://www.cups.org/strfiles.php/3438/str4551.patch ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32266 - data/CVE
Author: jmm
Date: 2015-02-16 16:22:54 + (Mon, 16 Feb 2015)
New Revision: 32266
Modified:
data/CVE/list
Log:
spencer regex updates:
- php confirmed
- olsrd, ptlib, clamav, alpine, vigor n/a or unimportant
nagios no-dsa for jessie
one freetype issue n/a in squeeze/wheezy
take freetype
Modified: data/CVE/list
===
--- data/CVE/list 2015-02-16 15:42:13 UTC (rev 32265)
+++ data/CVE/list 2015-02-16 16:22:54 UTC (rev 32266)
@@ -7,12 +7,14 @@
- gnupg2
- gnupg
NOTE:
https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html
+ NOTE:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392
TODO: check
CVE-2015-1606 [use after free resulting from failure to skip invalid packets]
[experimental] - gnupg2 2.1.2-1
- gnupg2
- gnupg
NOTE:
https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html
+ NOTE:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648
TODO: check
CVE-2015-1604
NOT-FOR-US: Landsknecht Adminsystems
@@ -64,7 +66,6 @@
- linux-2.6
NOTE: http://hmarco.org/bugs/linux-ASLR-integer-overflow.html
NOTE: https://lkml.org/lkml/2015/2/14/61
- TODO: check
CVE-2015-1592 [local file inclusion or inauthenticated arbitrary remote code
execution]
RESERVED
- movabletype-opensource
@@ -82,10 +83,12 @@
CVE-2015-1569 (Fortinet FortiClient 5.2.028 for iOS does not validate
certificates, ...)
TODO: check
CVE-2015- [Henry Spencer regular expressions (regex) library contains a
heap overflow vulnerability]
- - php5 (bug #778389)
- - olsrd (bug #778390)
- - llvm-toolchain-3.4 (bug #778391)
- - llvm-toolchain-3.5 (bug #778392)
+ - php5 (low; bug #778389)
+ - olsrd (only when building on Android, see bug #778390)
+ - llvm-toolchain-3.4 (low; bug #778391)
+ [jessie] - llvm-toolchain-3.4 (Minor issue)
+ - llvm-toolchain-3.5 (low; bug #778392)
+ [jessie] - llvm-toolchain-3.5 (Minor issue)
- llvm-toolchain-3.6 (bug #778393)
- llvm-toolchain-snapshot (bug #778394)
- haskell-regex-posix (only when building on Windows,
see bug #778395)
@@ -97,15 +100,18 @@
- yap (bug #778410)
- vnc4 (bug #778403)
- sma (Local regex copy only used when building on
Windows, see #778411)
- - clamav (bug #778406)
- [wheezy] - clamav (Updated through stable-updates)
+ - clamav (unimportant; bug #778406)
+ NOTE: Only exploitable through virusdb updates, which need to be
trusted anywaya
- knews (bug #778401)
- radare2 (bug #778402)
- efl (bug #778414)
- - ptlib (bug #778404)
- - alpine (bug #778413)
- - vigor 0.016-24 (bug #778409)
+ - ptlib (unimportant; bug #778404)
+ NOTE: ptlib uses the regex code from glibc, local fallback code not used
+ - alpine (unimportant; bug #778413)
+ NOTE: alpine uses the regex code from glibc, local fallback code not
used
+ - vigor 0.016-24 (unimportant; bug #778409)
- nvi (unimportant; bug #778412)
+ NOTE: No security impact in nvi/vigor
NOTE: http://www.kb.cert.org/vuls/id/695940
NOTE:
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
CVE-2015- [insecure storage of password]
@@ -329,6 +335,8 @@
NOTE:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=9bd20b7304aae61de5d50ac359cf27132bafd4c1
CVE-2014-9662 (cff/cf2ft.c in FreeType before 2.5.4 does not validate the
return ...)
- freetype (bug #777656)
+ [wheezy] - freetype (Vulnerable code not present)
+ [squeeze] - freetype (Vulnerable code not present)
NOTE:
http://code.google.com/p/google-security-research/issues/detail?id=185
NOTE:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5f201ab5c24cb69bc96b724fd66e739928d6c5e2
CVE-2014-9661 (type42/t42parse.c in FreeType before 2.5.4 does not consider
that ...)
@@ -28697,6 +28705,7 @@
{DSA-2956-1 DLA-60-1}
- icinga 1.10.2-1 (low)
- nagios3 (low; bug #771466)
+ [jessie] - nagios3 (Minor issue)
[squeeze] - nagios3 (Minor issue)
[wheezy] - nagios3 (Minor issue)
NOTE: https://dev.icinga.org/issues/5251
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32267 - data/CVE
Author: carnil Date: 2015-02-16 19:05:13 + (Mon, 16 Feb 2015) New Revision: 32267 Modified: data/CVE/list Log: Reference CVE request for Henry Spencer regular expressions library issue Modified: data/CVE/list === --- data/CVE/list 2015-02-16 16:22:54 UTC (rev 32266) +++ data/CVE/list 2015-02-16 19:05:13 UTC (rev 32267) @@ -114,6 +114,7 @@ NOTE: No security impact in nvi/vigor NOTE: http://www.kb.cert.org/vuls/id/695940 NOTE: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/ + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/16/8 CVE-2015- [insecure storage of password] - nut (bug #06) CVE-2015- [command injection vulnerability] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32268 - data/CVE
Author: sectracker
Date: 2015-02-16 21:10:23 + (Mon, 16 Feb 2015)
New Revision: 32268
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2015-02-16 19:05:13 UTC (rev 32267)
+++ data/CVE/list 2015-02-16 21:10:23 UTC (rev 32268)
@@ -5756,6 +5756,7 @@
RESERVED
CVE-2015-0247 [heap based buffer overflow]
RESERVED
+ {DLA-153-1}
- e2fsprogs 1.42.12-1
[wheezy] - e2fsprogs (Minor issue)
NOTE:
https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
@@ -25497,6 +25498,7 @@
CVE-2014-1570
RESERVED
CVE-2014-1569 (The definite_length_decoder function in lib/util/quickder.c in
Mozilla ...)
+ {DLA-154-1}
- nss 2:3.17.2-1.1 (bug #773625)
CVE-2014-1568 (Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x
before ...)
{DSA-3037-1 DSA-3034-1 DSA-3033-1 DLA-62-1}
@@ -71187,7 +71189,7 @@
[lenny] - masqmail (no security issue by itself)
[squeeze] - masqmail 0.2.27-1.1+squeeze1
CVE-2011-3389 (The SSL protocol, as used in certain configurations in
Microsoft ...)
- {DSA-2398-1 DSA-2368-1 DSA-2358-1 DSA-2356-1}
+ {DSA-2398-1 DSA-2368-1 DSA-2358-1 DSA-2356-1 DLA-154-1}
- sun-java6 (bug #645881)
[lenny] - sun-java6 (Non-free not supported)
[squeeze] - sun-java6 (Non-free not supported)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32269 - data/CVE
Author: carnil Date: 2015-02-17 05:24:22 + (Tue, 17 Feb 2015) New Revision: 32269 Modified: data/CVE/list Log: Add bug reference for gnupg2, #778577 Modified: data/CVE/list === --- data/CVE/list 2015-02-16 21:10:23 UTC (rev 32268) +++ data/CVE/list 2015-02-17 05:24:22 UTC (rev 32269) @@ -4,18 +4,16 @@ - icu (low; bug #778511) CVE-2015-1607 [memcpy with overlapping ranges, resulting from incorrect bitwise left shifts] [experimental] - gnupg2 2.1.2-1 - - gnupg2 + - gnupg2 (bug #778577) - gnupg NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392 - TODO: check CVE-2015-1606 [use after free resulting from failure to skip invalid packets] [experimental] - gnupg2 2.1.2-1 - - gnupg2 + - gnupg2 (bug #778577) - gnupg NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648 - TODO: check CVE-2015-1604 NOT-FOR-US: Landsknecht Adminsystems CVE-2015-1603 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32270 - data/CVE
Author: carnil Date: 2015-02-17 05:49:39 + (Tue, 17 Feb 2015) New Revision: 32270 Modified: data/CVE/list Log: Update entry for wordpress, affecting only Wordpress on Windows systems Modified: data/CVE/list === --- data/CVE/list 2015-02-17 05:24:22 UTC (rev 32269) +++ data/CVE/list 2015-02-17 05:49:39 UTC (rev 32270) @@ -12697,7 +12697,7 @@ RESERVED CVE-2014-6412 RESERVED - - wordpress + - wordpress (Affects only Wordpress on Windows systems) CVE-2014-6411 RESERVED CVE-2014-6409 (Cross-site request forgery (CSRF) vulnerability in M/Monit 3.3.2 and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32271 - data/CVE
Author: carnil Date: 2015-02-17 05:52:18 + (Tue, 17 Feb 2015) New Revision: 32271 Modified: data/CVE/list Log: Add CVE-2014-7851, NFU, concludes external check Modified: data/CVE/list === --- data/CVE/list 2015-02-17 05:49:39 UTC (rev 32270) +++ data/CVE/list 2015-02-17 05:52:18 UTC (rev 32271) @@ -9428,6 +9428,7 @@ NOT-FOR-US: RichFaces CVE-2014-7851 RESERVED + NOT-FOR-US: ovirt-engine-webadmin CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x ...) - freeipa NOTE: https://fedorahosted.org/freeipa/ticket/4742 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32272 - data
Author: carnil Date: 2015-02-17 06:05:35 + (Tue, 17 Feb 2015) New Revision: 32272 Modified: data/dsa-needed.txt Log: Add ruby-redcloth to dsa-needed, maintainer submitted debdiff Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-02-17 05:52:18 UTC (rev 32271) +++ data/dsa-needed.txt 2015-02-17 06:05:35 UTC (rev 32272) @@ -60,6 +60,9 @@ -- pound (thijs) -- +ruby-redcloth + NOTE: debdiff already prepared by maintainer +-- smarty3 -- sudo (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32273 - data/CVE
Author: carnil Date: 2015-02-17 06:13:21 + (Tue, 17 Feb 2015) New Revision: 32273 Modified: data/CVE/list Log: Update information for CVE-2015-1573/linux Modified: data/CVE/list === --- data/CVE/list 2015-02-17 06:05:35 UTC (rev 32272) +++ data/CVE/list 2015-02-17 06:13:21 UTC (rev 32273) @@ -377,9 +377,10 @@ CVE-2015-1573 [nft flush ruleset crashes kernel] RESERVED - linux - [wheezy] - linux (nftables introduced in 3.13) - - linux-2.6 (nftables introduced in 3.13) + [wheezy] - linux (nftables introduced in 3.13 and corresponding vulnerable code in v3.18-rc1) + - linux-2.6 (nftables introduced in 3.13 and corresponding vulnerable code in v3.18-rc1) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac (v3.19-rc5) + NOTE: Introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9ac12ef099707f405d7478009564302d7ed8393 (v3.18-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=91441 CVE-2015- [XSS] - mantis ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32274 - data/CVE
Author: carnil Date: 2015-02-17 06:26:35 + (Tue, 17 Feb 2015) New Revision: 32274 Modified: data/CVE/list Log: Asked for status for gnupg in #778577 Modified: data/CVE/list === --- data/CVE/list 2015-02-17 06:13:21 UTC (rev 32273) +++ data/CVE/list 2015-02-17 06:26:35 UTC (rev 32274) @@ -8,12 +8,14 @@ - gnupg NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392 + NOTE: Asked maintainers for gnupg CVE-2015-1606 [use after free resulting from failure to skip invalid packets] [experimental] - gnupg2 2.1.2-1 - gnupg2 (bug #778577) - gnupg NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648 + NOTE: Asked maintainers for gnupg CVE-2015-1604 NOT-FOR-US: Landsknecht Adminsystems CVE-2015-1603 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32275 - in data: . CVE
Author: jmm Date: 2015-02-17 06:46:31 + (Tue, 17 Feb 2015) New Revision: 32275 Modified: data/CVE/list data/dsa-needed.txt Log: really take freetype (previoulsy only mentioned in the commit msg) Modified: data/CVE/list === --- data/CVE/list 2015-02-17 06:26:35 UTC (rev 32274) +++ data/CVE/list 2015-02-17 06:46:31 UTC (rev 32275) @@ -378,9 +378,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/02/10/15 CVE-2015-1573 [nft flush ruleset crashes kernel] RESERVED - - linux - [wheezy] - linux (nftables introduced in 3.13 and corresponding vulnerable code in v3.18-rc1) - - linux-2.6 (nftables introduced in 3.13 and corresponding vulnerable code in v3.18-rc1) + - linux (Vulnerable code introduced in v3.18-rc1, never in the archive outside of experimental) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac (v3.19-rc5) NOTE: Introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9ac12ef099707f405d7478009564302d7ed8393 (v3.18-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=91441 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-02-17 06:26:35 UTC (rev 32274) +++ data/dsa-needed.txt 2015-02-17 06:46:31 UTC (rev 32275) @@ -19,7 +19,7 @@ eglibc we should fix at least CVE-2013-7423/CVE-2015-1472, some of the other no-dsa bugs could be fixed along -- -freetype +freetype (jmm) -- icu (mgilbert) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
