[Secure-testing-commits] r33259 - data/CVE
Author: carnil Date: 2015-03-30 17:39:09 + (Mon, 30 Mar 2015) New Revision: 33259 Modified: data/CVE/list Log: CVE assigned for libdbd-firebird-perl issue, #780925 Modified: data/CVE/list === --- data/CVE/list 2015-03-30 17:16:00 UTC (rev 33258) +++ data/CVE/list 2015-03-30 17:39:09 UTC (rev 33259) @@ -886,7 +886,7 @@ - inspircd 2.0.16-1 (bug #780880) NOTE: https://github.com/inspircd/inspircd/commit/58c893e834ff20495d007709220881a3ff13f423 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/29/5 -CVE-2015- [Buffer Overflow in dbdimp.c] +CVE-2015-2788 [Buffer Overflow in dbdimp.c] - libdbd-firebird-perl unfixed (bug #780925) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/30/4 CVE-2015- [SoapClient's __call() type confusion through unserialize()] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
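Review bot: the `- libdbd-firebird-perl unfixed (bug #780925)` line under the newly assigned CVE-2015-2788 carries no severity tag and no `[wheezy]`/`[squeeze]` lines, so the tracker will show the buffer overflow in dbdimp.c as open for every suite until someone triages it; a severity plus a NOTE pointing at the upstream fix (once one exists) would let the LTS and stable teams decide quickly whether a DSA/DLA is warranted.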
[Secure-testing-commits] r33256 - data
Author: apo-guest Date: 2015-03-30 17:08:18 + (Mon, 30 Mar 2015) New Revision: 33256 Modified: data/dla-needed.txt Log: Claim checkpw in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2015-03-30 17:06:06 UTC (rev 33255) +++ data/dla-needed.txt 2015-03-30 17:08:18 UTC (rev 33256) @@ -7,7 +7,9 @@ To pick an issue, simply add your name behind it. -- -checkpw +checkpw (Markus Koschany) +https://lists.debian.org/debian-lts/2015/03/msg00093.html +Debdiff and fix available. Needs review and sponsor. -- commons-httpclient -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
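Review bot: the three added lines for the checkpw claim (`+checkpw (Markus Koschany)`, the debian-lts list URL, and `Debdiff and fix available. Needs review and sponsor.`) do not say which suite the debdiff targets or where the debdiff itself lives beyond the mailing list thread; since the file header says CVE ids are taken from the tracker, at least naming the squeeze-lts target version in the note would help a sponsor find and check the right upload.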
[Secure-testing-commits] r33258 - data
Author: apo-guest Date: 2015-03-30 17:16:00 + (Mon, 30 Mar 2015) New Revision: 33258 Modified: data/dla-needed.txt Log: Grooming. Remove trailing whitespace in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2015-03-30 17:11:47 UTC (rev 33257) +++ data/dla-needed.txt 2015-03-30 17:16:00 UTC (rev 33258) @@ -1,4 +1,4 @@ -A squeeze-lts security update is needed for the following source packages. +A squeeze-lts security update is needed for the following source packages. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE @@ -122,7 +122,7 @@ It might also be the case that a package is heavily used in stable, but has no reverse deps in oldstable and was introduced on a rather experimental basis. -no-dsa doesn't mean that a security issue will remain unfixed. For standard stable +no-dsa doesn't mean that a security issue will remain unfixed. For standard stable and oldstable in Debian there are regular point updates which incorporate such minor fixes. There are no such point updates for Debian LTS, though. But if e.g. there's a minor issue in a package, it can be postponed using no-dsa and if there's @@ -132,7 +132,7 @@ every update involves work on the admin rolling out the updated package! -So, if there's a security issue in a package listed at +So, if there's a security issue in a package listed at https://security-tracker.debian.org/tracker/status/release/oldstable which is not yet present in this file, so should do the following: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
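Review bot: in the third hunk (`@@ -132,7 +132,7 @@`) the unchanged context line `which is not yet present in this file, so should do the following:` reads as a typo for `you should do the following:`; since this commit is already a grooming pass over dla-needed.txt, that wording could be fixed in the same or the next grooming commit. The whitespace-only changes in all three hunks look correct.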
[Secure-testing-commits] r33257 - data
Author: apo-guest Date: 2015-03-30 17:11:47 + (Mon, 30 Mar 2015) New Revision: 33257 Modified: data/dla-needed.txt Log: Claim commons-httpclient in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2015-03-30 17:08:18 UTC (rev 33256) +++ data/dla-needed.txt 2015-03-30 17:11:47 UTC (rev 33257) @@ -11,7 +11,11 @@ https://lists.debian.org/debian-lts/2015/03/msg00093.html Debdiff and fix available. Needs review and sponsor. -- -commons-httpclient +commons-httpclient (Markus Koschany) +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086#50 +Debdiff and patch for Jessie and Sid available. Debian Java team members +prefer testcase before uploading. When approved the fix could be easily +backported to Wheezy and Squeeze. -- clamav http://lists.debian.org/20150218123232.ga25...@breakpoint.cc ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
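Review bot: the added note `Debian Java team members prefer testcase before uploading` states a blocker for the jessie/sid upload but leaves open whether the squeeze-lts upload is waiting on the same test case; since the following sentence says the fix `could be easily backported to Wheezy and Squeeze`, the entry should say explicitly whether LTS is blocked or whether the squeeze upload can proceed independently, so that nobody else waits on it unnecessarily.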
[Secure-testing-commits] r33255 - data
Author: apo-guest Date: 2015-03-30 17:06:06 + (Mon, 30 Mar 2015) New Revision: 33255 Modified: data/dla-needed.txt Log: Remove libspring-2.5-java entry because the last CVE was misassigned to that package Modified: data/dla-needed.txt === --- data/dla-needed.txt 2015-03-30 04:58:57 UTC (rev 33254) +++ data/dla-needed.txt 2015-03-30 17:06:06 UTC (rev 33255) @@ -48,8 +48,6 @@ libphp-snoopy NOTE: maintainer might take care of it, cf http://lists.debian.org/1424805686.2351.19.ca...@debian.org -- -libspring-2.5-java --- libvncserver (Nguyen Cong) -- linux-2.6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
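Review bot: the removal of `-libspring-2.5-java` is justified by the log (`the last CVE was misassigned to that package`), but the log names neither the CVE id nor the package it was reassigned to, and this commit touches only dla-needed.txt; unless the matching correction in data/CVE/list has already been made, the tracker will keep listing libspring-2.5-java as needing an LTS update and the entry will reappear, so the CVE id should be named in the log and the CVE list change referenced.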
[Secure-testing-commits] r33260 - data/CVE
Author: carnil Date: 2015-03-30 19:26:05 + (Mon, 30 Mar 2015) New Revision: 33260 Modified: data/CVE/list Log: Add hp2xx issue to CVE list Modified: data/CVE/list === --- data/CVE/list 2015-03-30 17:39:09 UTC (rev 33259) +++ data/CVE/list 2015-03-30 19:26:05 UTC (rev 33260) @@ -1,3 +1,5 @@ +CVE-2015- [crashes found with afl] + - hp2xx 3.4.4-10 CVE-2015- [cross-site scripting via openid_identifier] - ikiwiki 3.20141016.2 (bug #781483) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/30/5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
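Review bot: the new `CVE-2015- [crashes found with afl]` entry for hp2xx gives only `- hp2xx 3.4.4-10` with no NOTE line, no bug number and no severity, whereas the neighbouring ikiwiki entry in the same hunk carries a `(bug #781483)` reference and a `NOTE: CVE Request:` URL; without a reference to the report (the fuzzing results or the bug where they were filed) nobody can later verify which crashes the placeholder covers when the CVE id is assigned.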
[Secure-testing-commits] r33262 - data/DSA
Author: corsac Date: 2015-03-30 20:34:08 + (Mon, 30 Mar 2015) New Revision: 33262 Modified: data/DSA/list Log: allocate DSA for openldap Modified: data/DSA/list === --- data/DSA/list 2015-03-30 20:25:46 UTC (rev 33261) +++ data/DSA/list 2015-03-30 20:34:08 UTC (rev 33262) @@ -1,3 +1,6 @@ +[30 Mar 2015] DSA-3209-1 openldap - security update + {CVE-2013-4449 CVE-2014-9713 CVE-2015-1545} + [wheezy] - openldap 2.4.31-2 [29 Mar 2015] DSA-3208-1 freexl - security update {CVE-2015-2753 CVE-2015-2754 CVE-2015-2776} [wheezy] - freexl 1.0.0b-1+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
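Review bot: the new `DSA-3209-1 openldap` line bundles `{CVE-2013-4449 CVE-2014-9713 CVE-2015-1545}` for `[wheezy] - openldap 2.4.31-2`; two of those ids (CVE-2013-4449 and CVE-2015-1545) are still marked `[wheezy] - openldap no-dsa (Minor issue)` in data/CVE/list, so those no-dsa lines should be dropped for wheezy in the same change set, otherwise the CVE list contradicts the DSA list until the automatic update runs and even then only adds the DSA reference.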
[Secure-testing-commits] r33261 - data/CVE
Author: carnil Date: 2015-03-30 20:25:46 + (Mon, 30 Mar 2015) New Revision: 33261 Modified: data/CVE/list Log: CVE-2015-0249, NFU, Apache Roller Modified: data/CVE/list === --- data/CVE/list 2015-03-30 19:26:05 UTC (rev 33260) +++ data/CVE/list 2015-03-30 20:25:46 UTC (rev 33261) @@ -8964,6 +8964,7 @@ NOTE: PoC: https://www.ernw.de/download/xxe_batik.tar.xz CVE-2015-0249 RESERVED + NOT-FOR-US: Apache Roller CVE-2015-0248 RESERVED CVE-2015-0247 (Heap-based buffer overflow in openfs.c in the libext2fs library in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
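Review bot: the added `NOT-FOR-US: Apache Roller` line under `CVE-2015-0249 RESERVED` records the conclusion but not the source; since the id is still RESERVED and the description is not public in the entry, a short NOTE with the URL from which the Apache Roller attribution was taken would let a later reader confirm the NOT-FOR-US decision without re-researching it.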
[Secure-testing-commits] r33264 - data/CVE
Author: carnil Date: 2015-03-30 20:53:30 + (Mon, 30 Mar 2015) New Revision: 33264 Modified: data/CVE/list Log: Add nbd issue, #781547 Modified: data/CVE/list === --- data/CVE/list 2015-03-30 20:48:40 UTC (rev 33263) +++ data/CVE/list 2015-03-30 20:53:30 UTC (rev 33264) @@ -9,6 +9,9 @@ - libtasn1-3 removed NOTE: http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=4d4f992826a4962790ecd0cce6fbba4a415ce149 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/29/4 +CVE-2013- [nbd-server: server dies if client asks for a non-existing export] + - nbd 1:3.4-1 (bug #781547) + TODO: check details CVE-2015-2782 [buffer overflow] - arj 3.10.22-13 (bug #774015) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/28/5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
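Review bot: the new entry `CVE-2013- [nbd-server: server dies if client asks for a non-existing export]` states a fixed version `- nbd 1:3.4-1 (bug #781547)` while the following line says `TODO: check details`; if the fixed version has not been confirmed against the upstream change, the safer interim state is `unfixed` with the bug reference, because a wrong fixed version silently hides the issue from the tracker for every suite at or above 1:3.4-1. A NOTE with the upstream commit, once identified, would close the TODO.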
[Secure-testing-commits] r33263 - data/CVE
Author: carnil Date: 2015-03-30 20:48:40 + (Mon, 30 Mar 2015) New Revision: 33263 Modified: data/CVE/list Log: Add CVE-2014-8119/netcf Modified: data/CVE/list === --- data/CVE/list 2015-03-30 20:34:08 UTC (rev 33262) +++ data/CVE/list 2015-03-30 20:48:40 UTC (rev 33263) @@ -11934,8 +11934,13 @@ - eglibc removed (low) CVE-2014-8120 (The agent in Thermostat before 1.0.6, when using unspecified ...) NOT-FOR-US: Thermostat Hotspot instrumentation -CVE-2014-8119 +CVE-2014-8119 [augeas path expression injection via interface name] RESERVED + - netcf unfixed + NOTE: Issue is in the way the netcf's find_ifcfg_path() function processed + NOTE: certain XPath expressions according to Red Hat bugzilla. But augeas has + NOTE: as well recieved a fix to completely fix the issue. + TODO: check CVE-2014-8118 (Integer overflow in RPM 4.12 and earlier allows remote attackers to ...) {DSA-3129-1 DLA-140-1} - rpm 4.11.3-1.1 (bug #773101) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
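Review bot: the NOTE lines added for CVE-2014-8119 say the problem is in netcf's `find_ifcfg_path()` handling of XPath expressions but that `augeas has as well recieved a fix`; only `- netcf unfixed` is listed, so the entry should either add an augeas line or state why Debian's augeas is not affected, otherwise the `TODO: check` is the only thing recording that the fix may span two source packages. Also `recieved` should be `received`.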
[Secure-testing-commits] r33265 - data
Author: corsac Date: 2015-03-30 21:04:41 + (Mon, 30 Mar 2015) New Revision: 33265 Modified: data/dsa-needed.txt Log: openldap DSA released Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-03-30 20:53:30 UTC (rev 33264) +++ data/dsa-needed.txt 2015-03-30 21:04:41 UTC (rev 33265) @@ -42,8 +42,6 @@ nss Red Hat has moved to 3.16 even in EL5, Ubuntu uses 3.17 across the LTSes, maybe we should follow that approach -- -openldap (corsac) --- openssl SSLv3 deprecation -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33266 - data/CVE
Author: sectracker Date: 2015-03-30 21:10:17 + (Mon, 30 Mar 2015) New Revision: 33266 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2015-03-30 21:04:41 UTC (rev 33265) +++ data/CVE/list 2015-03-30 21:10:17 UTC (rev 33266) @@ -125,6 +125,7 @@ CVE-2015-2701 (Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 ...) NOT-FOR-US: CS-Cart CVE-2014-9713 [slapd: dangerous access rule in default config] + {DSA-3209-1} - openldap 2.4.40-2 (bug #761406) CVE-2014-9711 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) NOT-FOR-US: Websense @@ -3437,6 +3438,7 @@ - libidn unfixed (unimportant) NOTE: Mis-use of an API (even if poorly documented) is hardly a security issue CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c in ...) + {DSA-3209-1} - openldap 2.4.40-4 (bug #776988) [wheezy] - openldap no-dsa (Minor issue) [squeeze] - openldap no-dsa (Minor issue) @@ -40096,6 +40098,7 @@ NOTE: https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692 NOTE: http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/ CVE-2013-4449 (The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not ...) + {DSA-3209-1} - openldap 2.4.39-1.1 (low; bug #729367) [wheezy] - openldap no-dsa (Minor issue) [squeeze] - openldap no-dsa (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
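Review bot: in the second and third hunks (CVE-2015-1545 and CVE-2013-4449) the automatic update inserts `{DSA-3209-1}` directly above unchanged `[wheezy] - openldap no-dsa (Minor issue)` lines; a DSA reference and a wheezy no-dsa tag on the same CVE are contradictory, so the wheezy no-dsa lines need to be removed manually (the `[squeeze]` no-dsa lines can stay, since DSA-3209-1 only covers wheezy). The first hunk for CVE-2014-9713 shows no such conflict in its context.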
[Secure-testing-commits] r33268 - data/CVE
Author: jmm Date: 2015-03-30 23:17:48 + (Mon, 30 Mar 2015) New Revision: 33268 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2015-03-30 21:40:55 UTC (rev 33267) +++ data/CVE/list 2015-03-30 23:17:48 UTC (rev 33268) @@ -13619,6 +13619,7 @@ NOT-FOR-US: bene+ odmeny a slevy (aka cz.gemoney.bene.android) application for Android CVE-2014-7438 RESERVED + NOT-FOR-US: pbm2l2030 printer driver CVE-2014-7437 (The Love Horoscope Guide (aka com.charl.charlylovehoroscopes) ...) NOT-FOR-US: Love Horoscope Guide (aka com.charl.charlylovehoroscopes) application for Android CVE-2014-7436 (The SOS recette (aka com.sos.recette) application 1.0 for Android does ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
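Review bot: the added `NOT-FOR-US: pbm2l2030 printer driver` under `CVE-2014-7438 RESERVED` gives no reference for the attribution; because the id is still RESERVED, a NOTE with the source of the pbm2l2030 information would let the decision be re-checked once the CVE description is published, in case the affected code turns out to be shipped in a Debian source package under a different name.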
[Secure-testing-commits] r33267 - data/CVE
Author: jmm Date: 2015-03-30 21:40:55 + (Mon, 30 Mar 2015) New Revision: 33267 Modified: data/CVE/list Log: hp2xx no-dsa Modified: data/CVE/list === --- data/CVE/list 2015-03-30 21:10:17 UTC (rev 33266) +++ data/CVE/list 2015-03-30 21:40:55 UTC (rev 33267) @@ -1,5 +1,7 @@ CVE-2015- [crashes found with afl] - - hp2xx 3.4.4-10 + - hp2xx 3.4.4-10 (low) + [wheezy] - hp2xx no-dsa (Minor issue) + [squeeze] - hp2xx no-dsa (Minor issue) CVE-2015- [cross-site scripting via openid_identifier] - ikiwiki 3.20141016.2 (bug #781483) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/30/5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
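Review bot: this hunk downgrades the hp2xx afl crashes to `(low)` and marks both `[wheezy]` and `[squeeze]` as `no-dsa (Minor issue)`, but the entry still has no NOTE pointing at the crash report and the CVE id is still the `CVE-2015-` placeholder; a no-dsa decision without a cited report is hard to revisit later if the assigned CVE turns out to describe more than a crash, so the reference should be added alongside the triage.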
[Secure-testing-commits] r33269 - in data: . DLA
Author: benh Date: 2015-03-31 02:17:57 + (Tue, 31 Mar 2015) New Revision: 33269 Modified: data/DLA/list data/dla-needed.txt Log: Assign DLA-185-1 to freetype Modified: data/DLA/list === --- data/DLA/list 2015-03-30 23:17:48 UTC (rev 33268) +++ data/DLA/list 2015-03-31 02:17:57 UTC (rev 33269) @@ -1,3 +1,6 @@ +[31 Mar 2015] DLA-185-1 freetype - security update + {CVE-2014-9656 CVE-2014-9657 CVE-2014-9658 CVE-2014-9660 CVE-2014-9661 CVE-2014-9663 CVE-2014-9664 CVE-2014-9665 CVE-2014-9666 CVE-2014-9667 CVE-2014-9669 CVE-2014-9670 CVE-2014-9671 CVE-2014-9672 CVE-2014-9673 CVE-2014-9674 CVE-2014-9675} + [squeeze] - freetype 2.4.2-2.1+squeeze5 [28 Mar 2015] DLA-184-1 binutils - security update {CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738} [squeeze] - binutils 2.20.1-16+deb6u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2015-03-30 23:17:48 UTC (rev 33268) +++ data/dla-needed.txt 2015-03-31 02:17:57 UTC (rev 33269) @@ -27,9 +27,6 @@ -- flightgear -- -freetype (Ben Hutchings) - http://lists.debian.org/86sidwsd5t@hiro.keithp.com --- icu -- imagemagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
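Review bot: the new `DLA-185-1 freetype` line lists seventeen ids from the CVE-2014-9656..CVE-2014-9675 range but skips CVE-2014-9659, CVE-2014-9662 and CVE-2014-9668; if those three are deliberately excluded (not affecting the squeeze version, or fixed separately) a short NOTE saying so would prevent the gaps being read as an oversight. The dla-needed.txt hunk correctly removes the `freetype (Ben Hutchings)` claim and its keithp.com list reference now that the DLA is assigned.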
[Secure-testing-commits] r33270 - data/CVE
Author: carnil Date: 2015-03-31 04:29:22 + (Tue, 31 Mar 2015) New Revision: 33270 Modified: data/CVE/list Log: CVE assigned for ikiwiki, #781483 Modified: data/CVE/list === --- data/CVE/list 2015-03-31 02:17:57 UTC (rev 33269) +++ data/CVE/list 2015-03-31 04:29:22 UTC (rev 33270) @@ -2,7 +2,7 @@ - hp2xx 3.4.4-10 (low) [wheezy] - hp2xx no-dsa (Minor issue) [squeeze] - hp2xx no-dsa (Minor issue) -CVE-2015- [cross-site scripting via openid_identifier] +CVE-2015-2793 [cross-site scripting via openid_identifier] - ikiwiki 3.20141016.2 (bug #781483) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/30/5 CVE-2015- [two-byte stack overflow in asn1_der_decoding] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
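Review bot: after replacing `CVE-2015-` with `CVE-2015-2793` the unchanged context line still reads `NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/30/5`; the `CVE Request:` prefix is misleading once the id is assigned, and the libtasn1 entry in r33272 drops exactly that prefix on assignment, so the same cleanup should be applied here for consistency.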
[Secure-testing-commits] r33272 - data/CVE
Author: carnil Date: 2015-03-31 04:41:31 + (Tue, 31 Mar 2015) New Revision: 33272 Modified: data/CVE/list Log: CVE assigned for libtasn1, CVE-2015-2806 Modified: data/CVE/list === --- data/CVE/list 2015-03-31 04:40:40 UTC (rev 33271) +++ data/CVE/list 2015-03-31 04:41:31 UTC (rev 33272) @@ -5,12 +5,12 @@ CVE-2015-2793 [cross-site scripting via openid_identifier] - ikiwiki 3.20141016.2 (bug #781483) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/30/5 -CVE-2015- [two-byte stack overflow in asn1_der_decoding] +CVE-2015-2806 [two-byte stack overflow in asn1_der_decoding] [experimental] - libtasn1-6 4.4-1 - libtasn1-6 unfixed - libtasn1-3 removed NOTE: http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=4d4f992826a4962790ecd0cce6fbba4a415ce149 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/29/4 + NOTE: http://www.openwall.com/lists/oss-security/2015/03/29/4 CVE-2013- [nbd-server: server dies if client asks for a non-existing export] - nbd 1:3.4-1 (bug #781547) TODO: check details ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
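Review bot: the hunk assigns CVE-2015-2806 and drops the `CVE Request:` prefix from the NOTE, which is the right cleanup, but the unchanged context line `- libtasn1-6 unfixed` carries no `(bug #...)` reference, unlike the nbd and ikiwiki entries around it; a Debian bug against libtasn1-6 for the two-byte stack overflow in asn1_der_decoding would give the maintainer a tracked item and let the tracker close the entry automatically on upload.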
[Secure-testing-commits] r33271 - in data: CVE DSA
Author: carnil Date: 2015-03-31 04:40:40 + (Tue, 31 Mar 2015) New Revision: 33271 Modified: data/CVE/list data/DSA/list Log: Add CVE-2015-2787/php5 Modified: data/CVE/list === --- data/CVE/list 2015-03-31 04:29:22 UTC (rev 33270) +++ data/CVE/list 2015-03-31 04:40:40 UTC (rev 33271) @@ -14,6 +14,10 @@ CVE-2013- [nbd-server: server dies if client asks for a non-existing export] - nbd 1:3.4-1 (bug #781547) TODO: check details +CVE-2015-2787 [Use After Free Vulnerability in unserialize()] + {DSA-3198-1} + - php5 5.6.7+dfsg-1 + NOTE: https://bugs.php.net/68976 CVE-2015-2782 [buffer overflow] - arj 3.10.22-13 (bug #774015) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/28/5 Modified: data/DSA/list === --- data/DSA/list 2015-03-31 04:29:22 UTC (rev 33270) +++ data/DSA/list 2015-03-31 04:40:40 UTC (rev 33271) @@ -36,7 +36,7 @@ {CVE-2015-0252} [wheezy] - xerces-c 3.1.1-3+deb7u1 [20 Mar 2015] DSA-3198-1 php5 - security update - {CVE-2015-2301 CVE-2015-2331} + {CVE-2015-2301 CVE-2015-2331 CVE-2015-2787} [wheezy] - php5 5.4.39-0+deb7u1 [19 Mar 2015] DSA-3197-1 openssl - security update {CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
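Review bot: the data/DSA/list hunk adds CVE-2015-2787 to `DSA-3198-1 php5`, which the context shows was released on 20 Mar 2015, so the published advisory text does not mention this id; adding it retroactively is fine for tracker purposes (the `{DSA-3198-1}` reference in the CVE list hunk then marks wheezy 5.4.39-0+deb7u1 as fixed), but a NOTE in the CVE list entry saying the fix was contained in the earlier upload, next to the existing `NOTE: https://bugs.php.net/68976`, would explain why a CVE published after the DSA is covered by it.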