[Secure-testing-commits] r38997 - data/CVE
Author: carnil Date: 2016-01-18 07:57:08 + (Mon, 18 Jan 2016) New Revision: 38997 Modified: data/CVE/list Log: Mark librsvg as no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-01-18 06:22:02 UTC (rev 38996) +++ data/CVE/list 2016-01-18 07:57:08 UTC (rev 38997) @@ -7893,6 +7893,8 @@ CVE-2015-7558 [Stack exhaustion] RESERVED - librsvg 2.40.12-1 + [jessie] - librsvg (Too intrusive to backport) + [wheezy] - librsvg (Too intrusive to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1268243 NOTE: https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61 (2.40.12) CVE-2015-7557 [Out-of-bounds heap read in librsvg2 was found when parsing SVG file] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
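Review bot: the hunk adds no-dsa markers for jessie and wheezy on CVE-2015-7558 (Too intrusive to backport) but records nothing for squeeze, even though librsvg is currently listed in data/dla-needed.txt (taken by Santiago R.R. in the r38979 hunk below). Add a [squeeze] line with the LTS decision, or a NOTE that the squeeze backport of the 2.40.12 commit a51919f7e1ca9c535390a746fbf6e28c8402dc61 is still being evaluated, so the stable and LTS decisions on the same fix don't silently diverge.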
[Secure-testing-commits] r38996 - data/CVE
Author: carnil Date: 2016-01-18 06:22:02 + (Mon, 18 Jan 2016) New Revision: 38996 Modified: data/CVE/list Log: Updates for imagemagick issues Modified: data/CVE/list === --- data/CVE/list 2016-01-18 06:18:26 UTC (rev 38995) +++ data/CVE/list 2016-01-18 06:22:02 UTC (rev 38996) @@ -1,3 +1,6 @@ +CVE-2016- [Multiple minor security issues] + - imagemagick 8:6.8.9.9-7 (bug #811308) + TODO: check, needs possibly CVEs CVE-2016-1920 [VPN Man-in-the-Middle due to shared certificate store on KNOX 1.0 / Android 4.3] NOT-FOR-US: KNOX 1.0 / Android 4.3 CVE-2016-1919 [Weak eCryptFS Key generation from user password on KNOX 1.0 / Android 4.3] @@ -7403,7 +7406,7 @@ CVE-2014-9752 (Unrestricted file upload vulnerability in ...) TODO: check CVE-2015- [Double free in coders/pict.c:2000] - - imagemagick (bug #806441) + - imagemagick 8:6.8.9.9-7 (bug #806441) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) [squeeze] - imagemagick 8:6.6.0.4-3+squeeze7 @@ -7421,7 +7424,7 @@ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/10/07/2 NOTE: The problem can only be triggered with recent versions of ImageMagick (8:6.9.1.2-1 in experimental is vulnerable, 8:6.8.9.9-6 in sid is not vulnerable, older versions are not vulnerable) CVE-2015- [Integer and Buffer overflow in coders/icon.c] - - imagemagick (bug #806441) + - imagemagick 8:6.8.9.9-7 (bug #806441) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) [squeeze] - imagemagick 8:6.6.0.4-3+squeeze7 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
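Review bot: the new top-of-file entry `CVE-2016- [Multiple minor security issues]` records the fixed version 8:6.8.9.9-7 and bug #811308 but no NOTE pointing at the upstream commits or an oss-security thread, unlike the neighbouring imagemagick entries, which carry a `NOTE: CVE Request: http://www.openwall.com/...` link. Since the TODO says CVEs may still be needed, add the upstream references now so whoever requests identifiers can split the "multiple" issues; otherwise the single placeholder has to be taken apart later. The bump of the two existing placeholder entries (coders/pict.c double free, coders/icon.c overflow) to 8:6.8.9.9-7 is consistent with that same upload.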
[Secure-testing-commits] r38995 - data/CVE
Author: carnil Date: 2016-01-18 06:18:26 + (Mon, 18 Jan 2016) New Revision: 38995 Modified: data/CVE/list Log: Add bug reference for CVE-2016-0724/moodle Modified: data/CVE/list === --- data/CVE/list 2016-01-18 05:57:20 UTC (rev 38994) +++ data/CVE/list 2016-01-18 06:18:26 UTC (rev 38995) @@ -3301,7 +3301,7 @@ NOTE: http://git.moodle.org/gw?p=moodle.git=search=HEAD=commit=MDL-52552 CVE-2016-0724 [Two enrolment-related web services don't check course visibility] RESERVED - - moodle + - moodle (bug #811344) NOTE: http://git.moodle.org/gw?p=moodle.git=search=HEAD=commit=MDL-52072 CVE-2016-0723 [use-after-free in TIOCGETD ioctl] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38994 - data/CVE
Author: carnil Date: 2016-01-18 05:57:20 + (Mon, 18 Jan 2016) New Revision: 38994 Modified: data/CVE/list Log: Add two CVEs for moodle Modified: data/CVE/list === --- data/CVE/list 2016-01-17 22:02:59 UTC (rev 38993) +++ data/CVE/list 2016-01-18 05:57:20 UTC (rev 38994) @@ -3295,10 +3295,14 @@ RESERVED CVE-2016-0726 RESERVED -CVE-2016-0725 +CVE-2016-0725 [XSS Vulnerability in course management search] RESERVED -CVE-2016-0724 + - moodle (Only affects 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9) + NOTE: http://git.moodle.org/gw?p=moodle.git=search=HEAD=commit=MDL-52552 +CVE-2016-0724 [Two enrolment-related web services don't check course visibility] RESERVED + - moodle + NOTE: http://git.moodle.org/gw?p=moodle.git=search=HEAD=commit=MDL-52072 CVE-2016-0723 [use-after-free in TIOCGETD ioctl] RESERVED - linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
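Review bot: the line `- moodle (Only affects 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9)` for CVE-2016-0725 puts an upstream version range where the tracker expects a Debian fixed version or bug reference, and says nothing about which Debian suites ship an affected release; add the Debian fixed version, or explicit [jessie]/[wheezy] tags (not-affected with the version reasoning, or a fixed version), so the entry isn't read as unfixed everywhere. CVE-2016-0724 has the same gap: `- moodle` with neither version, bug nor TODO (the r38995 hunk above only adds bug #811344).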
[Secure-testing-commits] r38993 - in data: . DLA
Author: alteholz Date: 2016-01-17 22:02:59 + (Sun, 17 Jan 2016) New Revision: 38993 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-393-1 for srtp Modified: data/DLA/list === --- data/DLA/list 2016-01-17 21:10:13 UTC (rev 38992) +++ data/DLA/list 2016-01-17 22:02:59 UTC (rev 38993) @@ -1,3 +1,6 @@ +[17 Jan 2016] DLA-393-1 srtp - security update + {CVE-2015-6360} + [squeeze] - srtp 1.4.4~dfsg-6+deb6u2 [17 Jan 2016] DLA-392-1 roundcube - security update {CVE-2015-8770} [squeeze] - roundcube 0.3.1-6+deb6u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-17 21:10:13 UTC (rev 38992) +++ data/dla-needed.txt 2016-01-17 22:02:59 UTC (rev 38993) @@ -46,7 +46,5 @@ -- radicale -- -srtp (Thorsten Alteholz) --- tiff -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38991 - data/CVE
Author: carnil Date: 2016-01-17 19:12:42 + (Sun, 17 Jan 2016) New Revision: 38991 Modified: data/CVE/list Log: Remove TODO items for two linux CVEs Modified: data/CVE/list === --- data/CVE/list 2016-01-17 18:23:00 UTC (rev 38990) +++ data/CVE/list 2016-01-17 19:12:42 UTC (rev 38991) @@ -799,7 +799,6 @@ - linux-2.6 NOTE: https://git.kernel.org/linus/635682a14427d241bab7bbdeebb48a7d7b91638e (v4.3-rc4) NOTE: http://www.openwall.com/lists/oss-security/2016/01/11/4 - TODO: check versions CVE-2016-1569 (FireBird 2.5.5 allows remote authenticated users to cause a denial of ...) - firebird2.5 2.5.5.26952.ds4-3 (bug #810599) [jessie] - firebird2.5 (Issue introduced in 2.5.5) @@ -7869,7 +7868,6 @@ - linux-2.6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283371 (not (yet) public) NOTE: Proposed upstream patch: http://marc.info/?l=linux-usb=145260786729359=2 - TODO: check CVE-2015-7565 RESERVED CVE-2015-7564 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
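Review bot: in the second hunk the `TODO: check` line is dropped while the only fix reference left is `NOTE: Proposed upstream patch: http://marc.info/?l=linux-usb...` and the Red Hat bug is still marked `(not (yet) public)`; nothing in the entry now records whether the patch was merged or in which version. Keep the TODO, or replace it with a NOTE carrying the merged commit id and release, so the unfixed state is not lost. The first hunk is fine: the v4.3-rc4 commit reference plus the oss-security link cover the removed `TODO: check versions`.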
[Secure-testing-commits] r38990 - data/CVE
Author: carnil Date: 2016-01-17 18:23:00 + (Sun, 17 Jan 2016) New Revision: 38990 Modified: data/CVE/list Log: Two CVEs fixed in unstable for ffmpeg Modified: data/CVE/list === --- data/CVE/list 2016-01-17 16:35:19 UTC (rev 38989) +++ data/CVE/list 2016-01-17 18:23:00 UTC (rev 38990) @@ -429,13 +429,13 @@ NOTE: Fixed by: https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0 NOTE: Introduced by: https://anongit.mindrot.org/openssh.git/commit/packet.c?id=091c302829210c41e7f57c3f094c7b9c054306f0 (V_6_8_P1) CVE-2016-1898 (FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and ...) - - ffmpeg + - ffmpeg 7:2.8.5-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://habrahabr.ru/company/mailru/blog/274855 NOTE: Fixed in 2.8.5 upstream CVE-2016-1897 (FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and ...) - - ffmpeg + - ffmpeg 7:2.8.5-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://habrahabr.ru/company/mailru/blog/274855 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
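Review bot: both hunks set the ffmpeg fixed version to 7:2.8.5-1 but leave `- libav` with no fixed version, no-dsa tag or TODO, and the only fix note (`Fixed in 2.8.5 upstream`) refers to an ffmpeg release. The jessie and wheezy status hangs on the libav line, so for CVE-2016-1897 and CVE-2016-1898 record whether libav shares the affected code (not-affected with a reason, a fixed version, or at least `TODO: check`).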
[Secure-testing-commits] r38992 - data/CVE
Author: sectracker Date: 2016-01-17 21:10:13 + (Sun, 17 Jan 2016) New Revision: 38992 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-01-17 19:12:42 UTC (rev 38991) +++ data/CVE/list 2016-01-17 21:10:13 UTC (rev 38992) @@ -457,6 +457,7 @@ NOTE: https://github.com/gosa-project/gosa-core/commit/a67a047cba2cdae8bccb0f0e2bc6d3eb45cfcbc8 CVE-2015-8770 [remote code execution / path traversal] RESERVED + {DLA-392-1} - roundcube 1.1.4+dfsg.1-1 NOTE: https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/ NOTE: https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d @@ -35405,7 +35406,7 @@ CVE-2014-7811 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk and ...) NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2014-7810 (The Expression Language (EL) implementation in Apache Tomcat 6.x ...) - {DSA-3428-1 DLA-232-1} + {DSA-3447-1 DSA-3428-1 DLA-232-1} - tomcat6 6.0.41-3 (bug #787010) NOTE: Marked as fixed in 6.0.41-3 which only builds the libservlet2.5-java and libservlet2.5-java-doc packages - tomcat7 7.0.61-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38976 - data/CVE
Author: carnil Date: 2016-01-17 10:02:43 + (Sun, 17 Jan 2016) New Revision: 38976 Modified: data/CVE/list Log: Mark both CVE-2016-1919/CVE-2016-1920 as NFU (KNOX 1.0 specific) Modified: data/CVE/list === --- data/CVE/list 2016-01-17 06:53:38 UTC (rev 38975) +++ data/CVE/list 2016-01-17 10:02:43 UTC (rev 38976) @@ -1,3 +1,7 @@ +CVE-2016-1920 [VPN Man-in-the-Middle due to shared certificate store on KNOX 1.0 / Android 4.3] + NOT-FOR-US: KNOX 1.0 / Android 4.3 +CVE-2016-1919 [Weak eCryptFS Key generation from user password on KNOX 1.0 / Android 4.3] + NOT-FOR-US: KNOX 1.0 / Android 4.3 CVE-2016-1902 RESERVED CVE-2016-1906 [Kubernetes api server: build config to a strategy that isn't allowed by policy] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38977 - in data: . CVE
Author: sunweaver Date: 2016-01-17 13:06:54 + (Sun, 17 Jan 2016) New Revision: 38977 Modified: data/CVE/list data/dla-needed.txt Log: data/dla-needed.txt: Adding gosa. Taking gosa myself (as I am the current maintainer and member of upstream). Modified: data/CVE/list === --- data/CVE/list 2016-01-17 10:02:43 UTC (rev 38976) +++ data/CVE/list 2016-01-17 13:06:54 UTC (rev 38977) @@ -950,7 +950,6 @@ RESERVED - dhcpcd5 (bug #810621) - dhcpcd - [squeeze] - dhcpcd (Vulnerable code not present) NOTE: http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. @@ -959,7 +958,6 @@ RESERVED - dhcpcd5 (bug #810620) - dhcpcd - [squeeze] - dhcpcd (Vulnerable code not present) NOTE: http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-17 10:02:43 UTC (rev 38976) +++ data/dla-needed.txt 2016-01-17 13:06:54 UTC (rev 38977) @@ -14,6 +14,8 @@ gajim NOTE: _rosterSetCB in src/common/connection_handlers.py ? -- +gosa (Mike Gabriel) +-- jasper (Ben Hutchings) -- libraw ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
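Review bot: the data/CVE/list hunks drop the `[squeeze] - dhcpcd (Vulnerable code not present)` line from both dhcpcd entries, which the log message ("Adding gosa. Taking gosa myself") does not mention; a status change that widens squeeze's recorded exposure needs its own commit and rationale (r38978 below reverts this and r38980 redoes it with the reasoning). The data/dla-needed.txt part is fine and lands in alphabetical position between gajim and jasper.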
[Secure-testing-commits] r38979 - data
Author: sunweaver Date: 2016-01-17 13:11:24 + (Sun, 17 Jan 2016) New Revision: 38979 Modified: data/dla-needed.txt Log: data/dla-needed.txt: Adding gosa. Taking gosa myself (as I am the current maintainer and member of upstream). Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-17 13:10:52 UTC (rev 38978) +++ data/dla-needed.txt 2016-01-17 13:11:24 UTC (rev 38979) @@ -16,6 +16,8 @@ -- jasper (Ben Hutchings) -- +gosa (Mike Gabriel) +-- libraw -- librsvg (Santiago R.R.) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
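Review bot: the gosa entry is inserted after `jasper (Ben Hutchings)` and before `libraw`, which breaks the alphabetical ordering of data/dla-needed.txt; the reverted r38977 had it in the right slot, between gajim and jasper. Move it back so the file stays sorted.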
[Secure-testing-commits] r38978 - in data: . CVE
Author: sunweaver Date: 2016-01-17 13:10:52 + (Sun, 17 Jan 2016) New Revision: 38978 Modified: data/CVE/list data/dla-needed.txt Log: revert r38977: Log messages does not match committed data. Modified: data/CVE/list === --- data/CVE/list 2016-01-17 13:06:54 UTC (rev 38977) +++ data/CVE/list 2016-01-17 13:10:52 UTC (rev 38978) @@ -950,6 +950,7 @@ RESERVED - dhcpcd5 (bug #810621) - dhcpcd + [squeeze] - dhcpcd (Vulnerable code not present) NOTE: http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. @@ -958,6 +959,7 @@ RESERVED - dhcpcd5 (bug #810620) - dhcpcd + [squeeze] - dhcpcd (Vulnerable code not present) NOTE: http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-17 13:06:54 UTC (rev 38977) +++ data/dla-needed.txt 2016-01-17 13:10:52 UTC (rev 38978) @@ -14,8 +14,6 @@ gajim NOTE: _rosterSetCB in src/common/connection_handlers.py ? -- -gosa (Mike Gabriel) --- jasper (Ben Hutchings) -- libraw ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38980 - data/CVE
Author: sunweaver Date: 2016-01-17 13:19:35 + (Sun, 17 Jan 2016) New Revision: 38980 Modified: data/CVE/list Log: CVE-2016-1503+1504/dhcpcd: Remove not-affected tags for squeeze. By simple code inspection we cannot say that the issue is not present in squeeze's / wheezy's version of dhcpcd. Further actions: try exploit, ask upstream, second opinion. Modified: data/CVE/list === --- data/CVE/list 2016-01-17 13:11:24 UTC (rev 38979) +++ data/CVE/list 2016-01-17 13:19:35 UTC (rev 38980) @@ -950,7 +950,6 @@ RESERVED - dhcpcd5 (bug #810621) - dhcpcd - [squeeze] - dhcpcd (Vulnerable code not present) NOTE: http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. @@ -959,7 +958,6 @@ RESERVED - dhcpcd5 (bug #810620) - dhcpcd - [squeeze] - dhcpcd (Vulnerable code not present) NOTE: http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
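Review bot: after removing the `[squeeze] - dhcpcd (Vulnerable code not present)` lines, the squeeze/wheezy status of the old dhcpcd 3.2.3 code for CVE-2016-1503 and CVE-2016-1504 is recorded nowhere in the data; the follow-ups named in the log (try exploit, ask upstream, second opinion) exist only in the commit message. Add a `TODO: check` line to each entry, next to the existing `NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 ...`, so the open question is tracked in data/CVE/list rather than in SVN history.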
[Secure-testing-commits] r38981 - data/CVE
Author: sunweaver Date: 2016-01-17 13:39:32 + (Sun, 17 Jan 2016) New Revision: 38981 Modified: data/CVE/list Log: CVE-2015-8770/roundcube: Add note with upstream commit that fixes this issue. Modified: data/CVE/list === --- data/CVE/list 2016-01-17 13:19:35 UTC (rev 38980) +++ data/CVE/list 2016-01-17 13:39:32 UTC (rev 38981) @@ -448,6 +448,7 @@ RESERVED - roundcube 1.1.4+dfsg.1-1 NOTE: https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/ + NOTE: https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d TODO: check older versions CVE-2015-8769 (SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows ...) - joomla (bug #571794) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38982 - data/CVE
Author: carnil Date: 2016-01-17 13:48:57 + (Sun, 17 Jan 2016) New Revision: 38982 Modified: data/CVE/list Log: Update information for gosa issues according to maintainer info Modified: data/CVE/list === --- data/CVE/list 2016-01-17 13:39:32 UTC (rev 38981) +++ data/CVE/list 2016-01-17 13:48:57 UTC (rev 38982) @@ -441,9 +441,8 @@ CVE-2016-1712 RESERVED CVE-2015-8771 [Possibility of code injection when setting passwords for Samba] - - gosa + - gosa 2.7.4+reloaded2-6 NOTE: https://github.com/gosa-project/gosa-core/commit/a67a047cba2cdae8bccb0f0e2bc6d3eb45cfcbc8 - TODO: check CVE-2015-8770 [remote code execution / path traversal] RESERVED - roundcube 1.1.4+dfsg.1-1 @@ -1734,9 +1733,9 @@ NOTE: https://github.com/htacg/tidy-html5/issues/341 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/03/4 CVE-2014-9760 [XSS vulnerability during session log on] - - gosa + - gosa 2.7.4+reloaded1-5 + NOTE: Fixed in 2.7.4+reloaded1-3 with follow-up fix in 2.7.4+reloaded1-5 NOTE: https://github.com/gosa-project/gosa-core/commit/e35b990464a2c2cf64d6833a217ed944876e7732 - TODO: check CVE-2014-9759 [MantisBT SOAP API can be used to disclose confidential settings] RESERVED - mantis (Affects >= 1.3.0-beta.1) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
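Review bot: both gosa entries now carry a sid fixed version (2.7.4+reloaded2-6 for CVE-2015-8771, 2.7.4+reloaded1-5 for CVE-2014-9760) and lose their `TODO: check`, but get no [jessie]/[wheezy] tags, so the tracker will list stable and oldstable as unfixed with no decision recorded. With the package being handled for squeeze LTS (gosa in data/dla-needed.txt via r38979), add the jessie/wheezy status too (fixed version, no-dsa or not-affected). The `NOTE: Fixed in 2.7.4+reloaded1-3 with follow-up fix in 2.7.4+reloaded1-5` is exactly the kind of detail a backporter needs and should stay.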
[Secure-testing-commits] r38983 - data
Author: sunweaver Date: 2016-01-17 14:35:02 + (Sun, 17 Jan 2016) New Revision: 38983 Modified: data/dla-needed.txt Log: data/dla-needed.txt: Add roundcube (CVE-2015-8770). Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-17 13:48:57 UTC (rev 38982) +++ data/dla-needed.txt 2016-01-17 14:35:02 UTC (rev 38983) @@ -46,6 +46,9 @@ -- radicale -- +roundcube + NOTE: Skin name sanitizing needs to be done in roundcube-0.3.1-6/program/include/rcube_template.php (method: set_skin()) +-- srtp (Thorsten Alteholz) -- tiff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
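Review bot: the NOTE pinning the fix location for the squeeze backport (`rcube_template.php`, method `set_skin()`) is helpful; pair it with the upstream commit already recorded for CVE-2015-8770 in r38981 (roundcubemail commit 10e5192a2b1bc90ec137f5e69d0aa072c1210d6d) so whoever takes the entry can diff the 0.3.1-6 code against the upstream sanitising change directly.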
[Secure-testing-commits] r38984 - data
Author: alteholz Date: 2016-01-17 14:54:12 + (Sun, 17 Jan 2016) New Revision: 38984 Modified: data/dla-needed.txt Log: take roundcube Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-17 14:35:02 UTC (rev 38983) +++ data/dla-needed.txt 2016-01-17 14:54:12 UTC (rev 38984) @@ -46,7 +46,7 @@ -- radicale -- -roundcube +roundcube (Thorsten Alteholz) NOTE: Skin name sanitizing needs to be done in roundcube-0.3.1-6/program/include/rcube_template.php (method: set_skin()) -- srtp (Thorsten Alteholz) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38988 - in data: . DLA
Author: alteholz Date: 2016-01-17 16:16:09 + (Sun, 17 Jan 2016) New Revision: 38988 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-392-1 for roundcube Modified: data/DLA/list === --- data/DLA/list 2016-01-17 16:00:35 UTC (rev 38987) +++ data/DLA/list 2016-01-17 16:16:09 UTC (rev 38988) @@ -1,3 +1,6 @@ +[17 Jan 2016] DLA-392-1 roundcube - security update + {CVE-2015-8770} + [squeeze] - roundcube 0.3.1-6+deb6u1 [16 Jan 2016] DLA-391-1 prosody - security update {CVE-2016-1232} [squeeze] - prosody 0.7.0-1squeeze1+deb6u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-17 16:00:35 UTC (rev 38987) +++ data/dla-needed.txt 2016-01-17 16:16:09 UTC (rev 38988) @@ -46,9 +46,6 @@ -- radicale -- -roundcube (Thorsten Alteholz) - NOTE: Skin name sanitizing needs to be done in roundcube-0.3.1-6/program/include/rcube_template.php (method: set_skin()) --- srtp (Thorsten Alteholz) -- tiff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38985 - in data: . CVE DSA
Author: carnil Date: 2016-01-17 15:29:36 + (Sun, 17 Jan 2016) New Revision: 38985 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for tomcat7 Modified: data/CVE/list === --- data/CVE/list 2016-01-17 14:54:12 UTC (rev 38984) +++ data/CVE/list 2016-01-17 15:29:36 UTC (rev 38985) @@ -55409,7 +55409,7 @@ {DLA-232-1} - tomcat6 6.0.41-3 (bug #785316) - tomcat7 7.0.55-1 - [jessie] - tomcat7 (Minor issue) + [wheezy] - tomcat7 7.0.28-4+deb7u3 - tomcat8 8.0.9-1 NOTE: tomcat6 in jessie only builds the servlet API classes NOTE: https://svn.apache.org/viewvc?view=revision=1603781 (7.x) @@ -55424,6 +55424,7 @@ NOTE: Fixed in https://svn.apache.org/viewvc?view=revision=1603628 (6.x) NOTE: Marked as fixed in 6.0.41-3 which only builds the libservlet2.5-java and libservlet2.5-java-doc packages - tomcat7 7.0.55-1 + [wheezy] - tomcat7 7.0.28-4+deb7u3 NOTE: Fixed in https://svn.apache.org/viewvc?view=revision=1601333 (7.x) - tomcat8 8.0.9-1 NOTE: Fixed in https://svn.apache.org/viewvc?view=revision=1600984 (8.x) @@ -55921,6 +55922,7 @@ CVE-2014-0099 (Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in ...) - tomcat8 8.0.5-1 - tomcat7 7.0.53-1 + [wheezy] - tomcat7 7.0.28-4+deb7u3 - tomcat6 6.0.41-1 NOTE: http://svn.apache.org/r1578814 CVE-2014-0098 (The log_cookie function in mod_log_config.c in the mod_log_config ...) @@ -56016,6 +56018,7 @@ CVE-2014-0075 (Integer overflow in the parseChunkHeader function in ...) - tomcat8 8.0.5-1 - tomcat7 7.0.53-1 + [wheezy] - tomcat7 7.0.28-4+deb7u3 - tomcat6 6.0.41-1 CVE-2014-0074 (Apache Shiro 1.x before 1.2.3, when using an LDAP server with ...) NOT-FOR-US: Apache Shiro 
@@ -62686,6 +62689,7 @@ NOT-FOR-US: Context Drupal contributed module CVE-2013- (Unrestricted file upload vulnerability in Apache Tomcat 7.x before ...) - tomcat7 7.0.40-1 + [wheezy] - tomcat7 7.0.28-4+deb7u3 NOTE: https://svn.apache.org/viewvc?view=revision=1470435 CVE-2013-4443 REJECTED Modified: data/DSA/list === --- data/DSA/list 2016-01-17 14:54:12 UTC (rev 38984) +++ data/DSA/list 2016-01-17 15:29:36 UTC (rev 38985) @@ -1,3 +1,7 @@ +[17 Jan 2016] DSA-3447-1 tomcat7 - security update + {CVE-2014-7810} + [wheezy] - tomcat7 7.0.28-4+deb7u3 + [jessie] - tomcat7 7.0.56-3+deb8u1 [14 Jan 2016] DSA-3431-2 ganeti - regression update [wheezy] - ganeti 2.5.2-1+deb7u2 [jessie] - ganeti 2.12.4-1+deb8u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-01-17 14:54:12 UTC (rev 38984) +++ data/dsa-needed.txt 2016-01-17 15:29:36 UTC (rev 38985) @@ -76,8 +76,5 @@ -- tomcat6 -- -tomcat7 - Maintainer prepared update for jessie-security. wheezy-security pending/wip --- wireshark -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
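Review bot: the new DSA-3447-1 entry in data/DSA/list carries only {CVE-2014-7810}, yet the data/CVE/list hunks record the same wheezy version 7.0.28-4+deb7u3 as the fix for five further entries (the two entries fixed in tomcat7 7.0.55-1, CVE-2014-0099, CVE-2014-0075 and the CVE-2013- unrestricted file upload). If the wheezy upload fixes those too, add them to the braces so the automatic {DSA-3447-1} cross-references and the advisory text cover them; if not, the wheezy lines on those entries are wrong. Replacing `[jessie] - tomcat7 (Minor issue)` with the wheezy line in the first hunk is correct, since jessie's base version 7.0.56-3 (per the DSA entry) already exceeds the 7.0.55-1 fix, but a short NOTE saying so would save the next reader the comparison.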
[Secure-testing-commits] r38986 - data/CVE
Author: carnil Date: 2016-01-17 15:57:45 + (Sun, 17 Jan 2016) New Revision: 38986 Modified: data/CVE/list Log: Add two CVEs for kfreebsd Modified: data/CVE/list === --- data/CVE/list 2016-01-17 15:29:36 UTC (rev 38985) +++ data/CVE/list 2016-01-17 15:57:45 UTC (rev 38986) @@ -73,10 +73,16 @@ RESERVED CVE-2016-1881 RESERVED -CVE-2016-1880 +CVE-2016-1880 [Linux compatibility layer incorrect futex handling [SA-16:02]] RESERVED -CVE-2016-1879 + - kfreebsd-10 (unimportant; bug #811278) + NOTE: kfreebsd not covered by security support in Jessie + - kfreebsd-9 +CVE-2016-1879 [SCTP ICMPv6 error message vulnerability [SA-16:01]] RESERVED + - kfreebsd-10 (unimportant; bug #811277) + NOTE: kfreebsd not covered by security support in Jessie + - kfreebsd-9 CVE-2016-1878 RESERVED CVE-2016-1877 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
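Review bot: the new `- kfreebsd-9` lines for CVE-2016-1879 and CVE-2016-1880 carry no fixed version, severity or no-dsa tag, while kfreebsd-10 gets `(unimportant; bug #811278)` and `(unimportant; bug #811277)`; record the same decision on the kfreebsd-9 lines (or a NOTE on why kfreebsd-9 needs none) so the entries are complete. Also, "unimportant" is conventionally a statement about the issue's impact, whereas the NOTE gives a support-status reason (`kfreebsd not covered by security support in Jessie`); if the intent is only the latter, a per-suite no-dsa tag with that reason expresses it more precisely than the severity field. The SA reference on the futex entry reads [SA-16:02] here; r38989 below corrects it to SA-16:03.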
[Secure-testing-commits] r38987 - data/CVE
Author: carnil Date: 2016-01-17 16:00:35 + (Sun, 17 Jan 2016) New Revision: 38987 Modified: data/CVE/list Log: Add two more CVEs for kreebsd Modified: data/CVE/list === --- data/CVE/list 2016-01-17 15:57:45 UTC (rev 38986) +++ data/CVE/list 2016-01-17 16:00:35 UTC (rev 38987) @@ -69,10 +69,16 @@ RESERVED CVE-2016-1883 RESERVED -CVE-2016-1882 +CVE-2016-1882 [TCP MD5 signature denial of service [SA-16:05]] RESERVED -CVE-2016-1881 + - kfreebsd-10 (unimportant; bug #811280) + NOTE: kfreebsd not covered by security support in Jessie + - kfreebsd-9 +CVE-2016-1881 [Linux compatibility layer setgroups(2) system call vulnerability [SA-16:04]] RESERVED + - kfreebsd-10 (unimportant; bug #811279) + NOTE: kfreebsd not covered by security support in Jessie + - kfreebsd-9 CVE-2016-1880 [Linux compatibility layer incorrect futex handling [SA-16:02]] RESERVED - kfreebsd-10 (unimportant; bug #811278) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
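Review bot: same gap as r38986: the `- kfreebsd-9` lines added for CVE-2016-1881 (Linux compatibility layer setgroups(2)) and CVE-2016-1882 (TCP MD5 signature denial of service) have no status, and the `(unimportant; bug #811279)` / `(unimportant; bug #811280)` tags on kfreebsd-10 again encode a lack of security support as a severity. For a denial of service in the TCP stack the distinction matters to anyone still running kfreebsd, so spell the reason out in the tag or NOTE rather than relying on "unimportant".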
[Secure-testing-commits] r38989 - data/CVE
Author: carnil Date: 2016-01-17 16:35:19 + (Sun, 17 Jan 2016) New Revision: 38989 Modified: data/CVE/list Log: Correct description for CVE-2016-1880 Modified: data/CVE/list === --- data/CVE/list 2016-01-17 16:16:09 UTC (rev 38988) +++ data/CVE/list 2016-01-17 16:35:19 UTC (rev 38989) @@ -79,7 +79,7 @@ - kfreebsd-10 (unimportant; bug #811279) NOTE: kfreebsd not covered by security support in Jessie - kfreebsd-9 -CVE-2016-1880 [Linux compatibility layer incorrect futex handling [SA-16:02]] +CVE-2016-1880 [Linux compatibility layer incorrect futex handling [SA-16:03]] RESERVED - kfreebsd-10 (unimportant; bug #811278) NOTE: kfreebsd not covered by security support in Jessie ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits