[Secure-testing-commits] r39401 - data/CVE
Author: carnil Date: 2016-02-01 20:42:06 + (Mon, 01 Feb 2016) New Revision: 39401 Modified: data/CVE/list Log: Add CVE-2016-2048/python-django Modified: data/CVE/list === --- data/CVE/list 2016-02-01 18:47:44 UTC (rev 39400) +++ data/CVE/list 2016-02-01 20:42:06 UTC (rev 39401) @@ -181,6 +181,11 @@ TODO: check CVE-2016-2048 RESERVED + - python-django + [jessie] - python-django (Only affects 1.9) + [wheezy] - python-django (Only affects 1.9) + [squeeze] - python-django (Only affects 1.9) + NOTE: https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/ CVE-2016-2046 RESERVED CVE-2016-2045 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
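Review bot: as rendered, the three added release lines `[jessie] - python-django (Only affects 1.9)`, `[wheezy] - ...` and `[squeeze] - ...` carry only a parenthetical comment and no status marker, so they read as open issues in those suites rather than as not-affected; if the intent is that jessie, wheezy and squeeze ship a Django older than 1.9, the tracker's `<not-affected>` marker belongs before the comment on each line. The unstable line `- python-django` also has no fixed version or bug reference yet, even though the linked release post already names 1.9.2 as the fixed upstream release; a bug number or the expected fixed Debian version would make the entry actionable.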
[Secure-testing-commits] r39402 - bin
Author: carnil Date: 2016-02-01 21:30:59 + (Mon, 01 Feb 2016) New Revision: 39402 Modified: bin/tracker_service.py Log: Revert "temporarly disable data/json" This reverts commit 8610b300608199e8be73ccda726f539fa217471b. We tentatively reenable the json export after Seb's changes. Let's see how it goes. Modified: bin/tracker_service.py === --- bin/tracker_service.py 2016-02-01 20:42:06 UTC (rev 39401) +++ bin/tracker_service.py 2016-02-01 21:30:59 UTC (rev 39402) @@ -160,9 +160,7 @@ self.register('data/funny-versions', self.page_data_funny_versions) self.register('data/fake-names', self.page_data_fake_names) self.register('data/pts/1', self.page_data_pts) -# temorarly disabled on 2016-01-30 due to load on security-tracker -# self.register('data/json', self.page_json) -# --carnil +self.register('data/json', self.page_json) self.register('debsecan/**', self.page_debsecan) self.register('data/report', self.page_report) self.register('style.css', self.page_style_css) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39403 - bin
Author: carnil Date: 2016-02-01 21:47:10 + (Mon, 01 Feb 2016) New Revision: 39403 Modified: bin/tracker_service.py Log: ... and disable again Modified: bin/tracker_service.py === --- bin/tracker_service.py 2016-02-01 21:30:59 UTC (rev 39402) +++ bin/tracker_service.py 2016-02-01 21:47:10 UTC (rev 39403) @@ -160,7 +160,8 @@ self.register('data/funny-versions', self.page_data_funny_versions) self.register('data/fake-names', self.page_data_fake_names) self.register('data/pts/1', self.page_data_pts) -self.register('data/json', self.page_json) +# temorarly disabled on 2016-02-01 due to load on security-tracker +#self.register('data/json', self.page_json) self.register('debsecan/**', self.page_debsecan) self.register('data/report', self.page_report) self.register('style.css', self.page_style_css) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
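Review bot: the re-added comment `# temorarly disabled on 2016-02-01 due to load on security-tracker` has a typo (temporarily) and, as the second flip of this line within the hour, should point to where the load problem is being tracked so the next person knows when it is safe to re-enable; the revision history alone only shows that the endpoint was switched on and off again.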
[Secure-testing-commits] r39405 - data/CVE
Author: anarcat Date: 2016-02-01 22:20:54 + (Mon, 01 Feb 2016) New Revision: 39405 Modified: data/CVE/list Log: fixup: add link to openssh thread to explain better Modified: data/CVE/list === --- data/CVE/list 2016-02-01 22:19:32 UTC (rev 39404) +++ data/CVE/list 2016-02-01 22:20:54 UTC (rev 39405) @@ -1106,6 +1106,7 @@ NOTE: https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html NOTE: Red Hat Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=1298741 NOTE: vulnerability is partly due to /etc/X11/Xsession.d/35x11-common_xhost-local introduced in x11-common in 1:7.6+9 (wheezy and up) + NOTE: https://lists.debian.org/debian-lts/2016/01/msg00029.html CVE-2016-1907 (The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 ...) - openssh 1:7.1p2-1 [jessie] - openssh (Vulnerable code not present; Introduced in OpenSSH 6.8) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39406 - bin
Author: seb Date: 2016-02-01 22:33:23 + (Mon, 01 Feb 2016) New Revision: 39406 Modified: bin/tracker_service.py Log: [tracker_service] Crude caching mechanism for JSON API * once computed, keep the JSON data cached in memory for 5 minutes (default value) before regenerating it * at the very minimum we'll need to send along a Last-Modified header exposing when the data was last generated Modified: bin/tracker_service.py === --- bin/tracker_service.py 2016-02-01 22:20:54 UTC (rev 39405) +++ bin/tracker_service.py 2016-02-01 22:33:23 UTC (rev 39406) @@ -7,6 +7,7 @@ import security_db from web_support import * import json +from datetime import datetime if __name__ == "__main__": if len(sys.argv) not in (3, 5): @@ -123,9 +124,13 @@ determining the values of these factors, but the rating itself comes from a fully automated formula.''') +json_generation_interval = 5 * 60 # in seconds + def __init__(self, socket_name, db_name): webservice_base_class.__init__(self, socket_name) self.db = security_db.DB(db_name) +self.json_data = None # the JSON dump itself +self.json_timestamp = None # timestamp of JSON generation self.register('', self.page_home) self.register('*', self.page_object) self.register('redirect/*', self.page_redirect) @@ -161,7 +166,7 @@ self.register('data/fake-names', self.page_data_fake_names) self.register('data/pts/1', self.page_data_pts) # temorarly disabled on 2016-02-01 due to load on security-tracker -#self.register('data/json', self.page_json) +self.register('data/json', self.page_json) self.register('debsecan/**', self.page_debsecan) self.register('data/report', self.page_report) self.register('style.css', self.page_style_css) 
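Review bot: in the `__init__` hunk, `self.json_timestamp` is later filled from `datetime.now()`, a naive local-time value; that is adequate for the expiry arithmetic, but the Last-Modified header the commit message plans to add must be expressed in GMT, so storing the generation time as UTC (`datetime.utcnow()`) or as a POSIX timestamp from `time.time()` avoids a timezone conversion later. The new class attribute `json_generation_interval = 5 * 60 # in seconds` sits beside two instance attributes; a short comment saying it is a tunable shared by all instances, and naming the unit in the identifier or docstring rather than only in a trailing comment, would make the intent clearer.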
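Review bot: in the register hunk, the unchanged context line `# temorarly disabled on 2016-02-01 due to load on security-tracker` now sits directly above the re-enabled `self.register('data/json', self.page_json)` and contradicts it; remove the stale comment or replace it with one stating that the endpoint is now served from the in-memory cache introduced in this commit.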
@@ -1256,8 +1261,19 @@ data.append('\n') return BinaryResult(''.join(data),'application/octet-stream') -def page_json(self, path, params, url): +def _get_json(self): +"""Helper method handling basic caching of the JSON data, to avoid + overloading security-tracker.d.o. It'll return the cached + version of this data unless it's been generated more than + self.json_generation_interval seconds ago """ +if self.json_timestamp: # we've generated the JSON at least once +delta = datetime.now() - self.json_timestamp +if delta.total_seconds() <= self.json_generation_interval: +# not expired yet, serve the cached data +return self.json_data + +# if we reached here, the data has expired; let's regenerate it from collections import defaultdict packages = [] issues = defaultdict(list) @@ -1392,9 +1408,18 @@ data[pkg][issue]=pkg_issue -json_data = json.dumps(data, separators=(',', ':')) -return BinaryResult(json_data,'application/octet-stream') +# store the JSON dump in memory, and update the generation +# timestamp before returning +self.json_data = json.dumps(data, separators=(',', ':')) +self.json_timestamp = datetime.now() +return self.json_data +def page_json(self, path, params, url): +# FIXME: we want to send along a Last-Modified header, whose +# value will be: +# self.json_timestamp.strftime("%a, %d %b %Y %H:%M:%S ") + TZ +return BinaryResult(self._get_json(),'application/octet-stream') + def page_debsecan(self, path, params, url): obj = '/'.join(path) data = self.db.getDebsecan(obj) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
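Review bot: the expiry check in `_get_json` has no locking, so if the service handles requests concurrently, every request arriving after the interval has elapsed and before the first regeneration finishes will rebuild the full dump in parallel, reproducing the load spike this change is meant to prevent; guarding the regenerate path with a `threading.Lock`, or serving the stale copy while one regeneration is in flight, closes that window. The docstring should also state that the served data can be up to `json_generation_interval` seconds behind the database, since nothing invalidates the cache when the database is reloaded.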
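Review bot: in the `page_json` hunk, the FIXME's plan of `self.json_timestamp.strftime("%a, %d %b %Y %H:%M:%S ") + TZ` is fragile: `%a` and `%b` are locale-dependent and the timestamp is local time, whereas `email.utils.formatdate(timestamp, usegmt=True)` produces the RFC 1123 GMT date HTTP expects from a POSIX timestamp. Once a Last-Modified header is sent, the handler should also honour `If-Modified-Since` and answer 304, otherwise the header saves the client nothing. Separately, the dump is still returned as `application/octet-stream`; `application/json` would let clients and caching proxies treat it correctly.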
[Secure-testing-commits] r39404 - in data: . CVE
Author: anarcat Date: 2016-02-01 22:19:32 + (Mon, 01 Feb 2016) New Revision: 39404 Modified: data/CVE/list data/dla-needed.txt Log: mark the openssh issue as solved, as with wheezy and jessie it is not worth trying to reproduce it in squeeze if we disable untrusted connexions by default anyways Modified: data/CVE/list === --- data/CVE/list 2016-02-01 21:47:10 UTC (rev 39403) +++ data/CVE/list 2016-02-01 22:19:32 UTC (rev 39404) @@ -1099,13 +1099,13 @@ - openssh [jessie] - openssh (Minor issue) [wheezy] - openssh (Minor issue) + [squeeze] - openssh (Minor issue) NOTE: Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c NOTE: which needs to be applied after: https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f NOTE: Background information on X11 SECURITY extension and SSH: https://thejh.net/written-stuff/openssh-6.8-xsecurity NOTE: https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html NOTE: Red Hat Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=1298741 NOTE: vulnerability is partly due to /etc/X11/Xsession.d/35x11-common_xhost-local introduced in x11-common in 1:7.6+9 (wheezy and up) - TODO: check if squeeze is vulnerable CVE-2016-1907 (The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 ...) - openssh 1:7.1p2-1 [jessie] - openssh (Vulnerable code not present; Introduced in OpenSSH 6.8) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-01 21:47:10 UTC (rev 39403) +++ data/dla-needed.txt 2016-02-01 22:19:32 UTC (rev 39404) @@ -65,8 +65,6 @@ -- openjdk-6 (Markus Koschany) -- -openssh (Guido Günther) --- php5 (Thorsten Alteholz) NOTE: next upload end of December -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
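Review bot: the added line `[squeeze] - openssh (Minor issue)` mirrors the jessie and wheezy lines, but as rendered none of the three carry a status marker; in the tracker's syntax a "minor issue, no advisory" decision is recorded with the `<no-dsa>` marker before the comment, and without it the line is an open, unfixed entry for that suite. Since the `TODO: check if squeeze is vulnerable` line is removed in the same hunk, the reasoning from the log message (untrusted connections are disabled by default, so reproducing on squeeze is not worth the effort) would be worth keeping as a NOTE: line in the entry itself rather than only in the commit log.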
[Secure-testing-commits] r39389 - data/CVE
Author: sectracker Date: 2016-02-01 09:10:15 + (Mon, 01 Feb 2016) New Revision: 39389 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-01-31 21:30:33 UTC (rev 39388) +++ data/CVE/list 2016-02-01 09:10:15 UTC (rev 39389) @@ -4569,7 +4569,7 @@ CVE-2016-0617 RESERVED CVE-2016-0616 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 (Only affects MySQL 5.5) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 @@ -4593,13 +4593,13 @@ [jessie] - mariadb-10.0 10.0.22-0+deb8u1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0609 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0608 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 @@ -4609,7 +4609,7 @@ - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0606 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 
@@ -4630,7 +4630,7 @@ - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0600 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 @@ -4640,19 +4640,19 @@ - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0598 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0597 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0596 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 @@ -4763,7 +4763,7 @@ CVE-2016-0547 (Unspecified vulnerability in the Oracle E-Business Intelligence ...) TODO: check CVE-2016-0546 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 
@@ -4849,7 +4849,7 @@ CVE-2016-0506 (Unspecified vulnerability in the Oracle Retail Order Management System ...) TODO: check CVE-2016-0505 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 ...) - {DSA-3459-1 DSA-3453-1} + {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39408 - data/CVE
Author: carnil Date: 2016-02-02 07:59:13 + (Tue, 02 Feb 2016) New Revision: 39408 Modified: data/CVE/list Log: Add bug reference for CVE-2016-2048/python-django Modified: data/CVE/list === --- data/CVE/list 2016-02-02 06:01:32 UTC (rev 39407) +++ data/CVE/list 2016-02-02 07:59:13 UTC (rev 39408) @@ -181,7 +181,7 @@ TODO: check CVE-2016-2048 RESERVED - - python-django + - python-django (bug #813448) [jessie] - python-django (Only affects 1.9) [wheezy] - python-django (Only affects 1.9) [squeeze] - python-django (Only affects 1.9) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39397 - data/CVE
Author: carnil Date: 2016-02-01 18:45:44 + (Mon, 01 Feb 2016) New Revision: 39397 Modified: data/CVE/list Log: Add another php5 issue Modified: data/CVE/list === --- data/CVE/list 2016-02-01 18:11:07 UTC (rev 39396) +++ data/CVE/list 2016-02-01 18:45:44 UTC (rev 39397) @@ -4,6 +4,11 @@ CVE-2016- [Socat security advisory 7 - Created new 2048bit DH modulus] - socat NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/01/4 +CVE-2015- [Type Confusion Vulnerability in PHP_to_XMLRPC_worker()] + - php5 5.6.17+dfsg-1 + [jessie] - 5.6.17+dfsg-0+deb8u1 + NOTE: http://git.php.net/?p=php-src.git;a=commit;h=f3c1863aa2721343245b63ac7bd68cfdc3dd41f3 + NOTE: https://bugs.php.net/bug.php?id=70728 CVE-2015- [Session WDDX Packet Deserialization Type Confusion Vulnerability] - php5 5.6.17+dfsg-1 [jessie] - 5.6.17+dfsg-0+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
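Review bot: the added release line `[jessie] - 5.6.17+dfsg-0+deb8u1` omits the source package; the other release lines in this file name it first (for example `[jessie] - python-django (Only affects 1.9)`), so this should read `[jessie] - php5 5.6.17+dfsg-0+deb8u1`, otherwise the version string is taken as the package name and the entry has no version.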
[Secure-testing-commits] r39398 - data/CVE
Author: carnil Date: 2016-02-01 18:46:43 + (Mon, 01 Feb 2016) New Revision: 39398 Modified: data/CVE/list Log: Remove TODO item from one CVE entry Modified: data/CVE/list === --- data/CVE/list 2016-02-01 18:45:44 UTC (rev 39397) +++ data/CVE/list 2016-02-01 18:46:43 UTC (rev 39398) @@ -707,7 +707,6 @@ - php5.6 5.6.17+dfsg-1 - php7.0 7.0.2-1 NOTE: https://bugs.php.net/bug.php?id=70976 - TODO: check CVE-2016-1901 (Integer overflow in the authenticate_post function in CGit before 0.12 ...) - cgit (bug #812411) NOTE: http://git.zx2c4.com/cgit/commit/?id=4458abf64172a62b92810c2293450106e6dfc763 (v0.12) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39399 - data
Author: seb Date: 2016-02-01 18:47:19 + (Mon, 01 Feb 2016) New Revision: 39399 Modified: data/dsa-needed.txt Log: [dsa-needed] Update on CVE-2015-5291 (polarssl) status Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-02-01 18:46:43 UTC (rev 39398) +++ data/dsa-needed.txt 2016-02-01 18:47:19 UTC (rev 39399) @@ -62,7 +62,9 @@ pdns/oldstable -- polarssl (seb) - Guido Günther prepared an update for CVE-2015-5291 + Guido Günther prepared an update for CVE-2015-5291 for wheezy. He + and I will look into also fixing jessie by the end of this week + (2016-02-05) -- qemu (seb) mjt prepared updates for wheezy- and jessie-security ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39400 - data/CVE
Author: carnil Date: 2016-02-01 18:47:44 + (Mon, 01 Feb 2016) New Revision: 39400 Modified: data/CVE/list Log: Add commit reference for one php5 issue Modified: data/CVE/list === --- data/CVE/list 2016-02-01 18:47:19 UTC (rev 39399) +++ data/CVE/list 2016-02-01 18:47:44 UTC (rev 39400) @@ -707,6 +707,7 @@ - php5.6 5.6.17+dfsg-1 - php7.0 7.0.2-1 NOTE: https://bugs.php.net/bug.php?id=70976 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8 CVE-2016-1901 (Integer overflow in the authenticate_post function in CGit before 0.12 ...) - cgit (bug #812411) NOTE: http://git.zx2c4.com/cgit/commit/?id=4458abf64172a62b92810c2293450106e6dfc763 (v0.12) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39391 - data/CVE
Author: carnil Date: 2016-02-01 15:51:26 + (Mon, 01 Feb 2016) New Revision: 39391 Modified: data/CVE/list Log: Add CVE-2015-8789/libebml Modified: data/CVE/list === --- data/CVE/list 2016-02-01 15:48:44 UTC (rev 39390) +++ data/CVE/list 2016-02-01 15:51:26 UTC (rev 39391) @@ -37,6 +37,10 @@ RESERVED CVE-2016-2086 RESERVED +CVE-2015-8789 [Use-after-free vulnerability in the EbmlMaster::Read function] + - libebml 1.3.3-1 + NOTE: http://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html + NOTE: https://github.com/Matroska-Org/libebml/commit/88409e2a94dd3b40ff81d08bf6d92f486d036b24 CVE-2015-8788 RESERVED CVE-2016-2091 [an out of bound read is found in libdwarf] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39392 - data/CVE
Author: carnil Date: 2016-02-01 15:53:30 + (Mon, 01 Feb 2016) New Revision: 39392 Modified: data/CVE/list Log: Add CVE-2015-8792/libmatroska Modified: data/CVE/list === --- data/CVE/list 2016-02-01 15:51:26 UTC (rev 39391) +++ data/CVE/list 2016-02-01 15:53:30 UTC (rev 39392) @@ -37,6 +37,10 @@ RESERVED CVE-2016-2086 RESERVED +CVE-2015-8792 [Out-of-bounds heap read in KaxInternalBlock::ReadData()] + - libmatroska 1.4.4-1 + NOTE: http://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html + NOTE: https://github.com/Matroska-Org/libmatroska/commit/0a2d3e3644a7453b6513db2f9bc270f77943573f CVE-2015-8789 [Use-after-free vulnerability in the EbmlMaster::Read function] - libebml 1.3.3-1 NOTE: http://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39390 - data/CVE
Author: carnil Date: 2016-02-01 15:48:44 + (Mon, 01 Feb 2016) New Revision: 39390 Modified: data/CVE/list Log: Add two socat issues Modified: data/CVE/list === --- data/CVE/list 2016-02-01 09:10:15 UTC (rev 39389) +++ data/CVE/list 2016-02-01 15:48:44 UTC (rev 39390) @@ -1,3 +1,9 @@ +CVE-2016- [Socat security advisory 8 - Stack overflow in parser] + - socat + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/01/5 +CVE-2016- [Socat security advisory 7 - Created new 2048bit DH modulus] + - socat + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/01/4 CVE-2015- [php5: fpm_log.c memory leak and buffer overflow] - php5 5.6.17+dfsg-1 [jessie] - 5.6.17+dfsg-0+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
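Review bot: the bracketed text `Socat security advisory 7 - Created new 2048bit DH modulus` describes the upstream fix rather than the flaw; the bracket text is what the tracker shows as the issue summary while the CVE is pending, so wording it as the problem the advisory reports (what was wrong with the previous modulus) would be more useful to readers of the tracker page.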
[Secure-testing-commits] r39393 - data/CVE
Author: carnil Date: 2016-02-01 15:56:54 + (Mon, 01 Feb 2016) New Revision: 39393 Modified: data/CVE/list Log: Add use-after-free issue in php5 Modified: data/CVE/list === --- data/CVE/list 2016-02-01 15:53:30 UTC (rev 39392) +++ data/CVE/list 2016-02-01 15:56:54 UTC (rev 39393) @@ -4,6 +4,11 @@ CVE-2016- [Socat security advisory 7 - Created new 2048bit DH modulus] - socat NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/01/4 +CVE-2015- [Use-after-free in WDDX Packet Deserialization] + - php5 5.6.17+dfsg-1 + [jessie] - 5.6.17+dfsg-0+deb8u1 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746 + NOTE: https://bugs.php.net/bug.php?id=70661 CVE-2015- [php5: fpm_log.c memory leak and buffer overflow] - php5 5.6.17+dfsg-1 [jessie] - 5.6.17+dfsg-0+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
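Review bot: the added release line `[jessie] - 5.6.17+dfsg-0+deb8u1` omits the source package; release lines elsewhere in this file name it before the version (for example `[jessie] - python-django (Only affects 1.9)`), so this should read `[jessie] - php5 5.6.17+dfsg-0+deb8u1`, otherwise the version string is parsed as a package name.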
[Secure-testing-commits] r39394 - data/CVE
Author: carnil Date: 2016-02-01 15:58:26 + (Mon, 01 Feb 2016) New Revision: 39394 Modified: data/CVE/list Log: Add another issue in php5, fixed in 5.6.17 already Modified: data/CVE/list === --- data/CVE/list 2016-02-01 15:56:54 UTC (rev 39393) +++ data/CVE/list 2016-02-01 15:58:26 UTC (rev 39394) @@ -4,6 +4,11 @@ CVE-2016- [Socat security advisory 7 - Created new 2048bit DH modulus] - socat NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/01/4 +CVE-2015- [Session WDDX Packet Deserialization Type Confusion Vulnerability] + - php5 5.6.17+dfsg-1 + [jessie] - 5.6.17+dfsg-0+deb8u1 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1 + NOTE: https://bugs.php.net/bug.php?id=70741 CVE-2015- [Use-after-free in WDDX Packet Deserialization] - php5 5.6.17+dfsg-1 [jessie] - 5.6.17+dfsg-0+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
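Review bot: the added release line `[jessie] - 5.6.17+dfsg-0+deb8u1` omits the source package name, which the tracker's release lines put before the version (compare `[jessie] - python-django (Only affects 1.9)` elsewhere in this file); it should read `[jessie] - php5 5.6.17+dfsg-0+deb8u1`.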
[Secure-testing-commits] r39395 - org
Author: apo-guest Date: 2016-02-01 18:05:20 + (Mon, 01 Feb 2016) New Revision: 39395 Modified: org/lts-frontdesk.2016.txt Log: Add myself to lts frontdesk in April 2016. Modified: org/lts-frontdesk.2016.txt === --- org/lts-frontdesk.2016.txt 2016-02-01 15:58:26 UTC (rev 39394) +++ org/lts-frontdesk.2016.txt 2016-02-01 18:05:20 UTC (rev 39395) @@ -25,7 +25,7 @@ From 21-03 to 27-03:Antoine BeaupréFrom 28-03 to 03-04:Santiago Ruano Rincón From 04-04 to 10-04: -From 11-04 to 17-04: +From 11-04 to 17-04:Markus Koschany From 18-04 to 24-04: From 25-04 to 01-05: From 02-05 to 08-05: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39396 - data
Author: apo-guest Date: 2016-02-01 18:11:07 + (Mon, 01 Feb 2016) New Revision: 39396 Modified: data/dla-needed.txt Log: Claim openjdk-6 in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-01 18:05:20 UTC (rev 39395) +++ data/dla-needed.txt 2016-02-01 18:11:07 UTC (rev 39396) @@ -63,7 +63,7 @@ ntp NOTE: maybe maintainer wants to upload package (as done before) -- -openjdk-6 +openjdk-6 (Markus Koschany) -- openssh (Guido Günther) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits