[Secure-testing-commits] r39665 - data
Author: carnil Date: 2016-02-14 07:49:49 + (Sun, 14 Feb 2016) New Revision: 39665 Modified: data/dsa-needed.txt Log: Add comment for libgcrypt11 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-02-14 07:42:25 UTC (rev 39664) +++ data/dsa-needed.txt 2016-02-14 07:49:49 UTC (rev 39665) @@ -33,6 +33,7 @@ libav/oldstable -- libgcrypt11 (carnil) + waiting for feedback from upstream -- libidn Working debdiff for wheezy-security at ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
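Review bot: the new comment "waiting for feedback from upstream" under libgcrypt11 gives no pointer to where that feedback was requested; add a NOTE with the upstream bug or mailing-list reference (and when it was asked) so another team member can chase it if the claimant is unavailable.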
[Secure-testing-commits] r39664 - data/CVE
Author: carnil Date: 2016-02-14 07:42:25 + (Sun, 14 Feb 2016) New Revision: 39664 Modified: data/CVE/list Log: Add reference for one more php issue Modified: data/CVE/list === --- data/CVE/list 2016-02-14 07:41:03 UTC (rev 39663) +++ data/CVE/list 2016-02-14 07:42:25 UTC (rev 39664) @@ -58,6 +58,8 @@ - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71488 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305543 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=07c7df68bd68bbe706371fccc77c814ebb335d9e NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016- [Crash in SessionHandler::read()] - php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39663 - data/CVE
Author: carnil Date: 2016-02-14 07:41:03 + (Sun, 14 Feb 2016) New Revision: 39663 Modified: data/CVE/list Log: More references for php issues Modified: data/CVE/list === --- data/CVE/list 2016-02-14 07:38:45 UTC (rev 39662) +++ data/CVE/list 2016-02-14 07:41:03 UTC (rev 39663) @@ -17,6 +17,8 @@ - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71201 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305504 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=0d822f6df946764f3f0348b82efae2e1eaa83aa0 NOTE: Fixed in 5.6.18, 7.0.3 NOTE: can be possibly considered a plain bug not a security issue CVE-2016- [Output of stream_get_meta_data can be falsified by its input] @@ -62,8 +64,10 @@ - php5.6 5.6.18+dfsg-1 - php7.0 NOTE: https://bugs.php.net/bug.php?id=69111 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305548 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=a793b709086eed655bc98f933d838b8679b28920 NOTE: Fixed in 5.6.18 - TODO: check + TODO: check, can possibly be considered not security CVE-2016- [Type confusion vulnerability in WDDX packet deserialization] - php5 - php5.6 5.6.18+dfsg-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
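Review bot: in the second hunk the SessionHandler::read() entry keeps "- php7.0" with no fixed version while the NOTE only says "Fixed in 5.6.18", and the widened TODO ("check, can possibly be considered not security") still does not say whether php7.0 is affected at all. Either record the 7.0 fix version, mark php7.0 not-affected, or make the TODO say explicitly that the 7.0 status is the open question.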
[Secure-testing-commits] r39662 - data/CVE
Author: carnil Date: 2016-02-14 07:38:45 + (Sun, 14 Feb 2016) New Revision: 39662 Modified: data/CVE/list Log: Add more reference for php bugs Modified: data/CVE/list === --- data/CVE/list 2016-02-14 07:36:19 UTC (rev 39661) +++ data/CVE/list 2016-02-14 07:38:45 UTC (rev 39662) @@ -3,6 +3,8 @@ - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71039 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305494 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=c527549e899bf211aac7d8ab5ceb1bdfedf07f14 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016- [No check to duplicate zend_extension] - php5 
@@ -22,24 +24,32 @@ - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71323 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305523 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016- [Integer overflow in iptcembed()] - php5 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71459 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305518 + NOTE: http://git.php.net/?p=php-src.git;a=commit;h=54c210d2ea9b8539edcde1888b1104b96b38e886 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016- [Heap corruption in tar/zip/phar parser] - php5 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71354 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305536 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=13ad4d3e971807f9a58ab5933182907dc2958539 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016- [NULL Pointer Dereference in phar_tar_setupmetadata()] - php5 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71391 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305540 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=1c1b8b69982375700d4b011eb89ea48b66dbd5aa NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016- [Stack overflow when decompressing tar archives] - php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
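Review bot: the commit reference added for the iptcembed() entry uses plain http:// (http://git.php.net/?p=php-src.git;a=commit;h=54c210d2ea9b8539edcde1888b1104b96b38e886) while every other git.php.net reference in this and the neighbouring hunks uses https://; use https:// consistently so the reference is fetched over TLS like the others.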
[Secure-testing-commits] r39661 - data/CVE
Author: carnil Date: 2016-02-14 07:36:19 + (Sun, 14 Feb 2016) New Revision: 39661 Modified: data/CVE/list Log: Add some new php issues Note: the list is not complete and some might be removed again due to no security impact (e.g. round() segfault on 64-bit builds). Modified: data/CVE/list === --- data/CVE/list 2016-02-14 07:17:58 UTC (rev 39660) +++ data/CVE/list 2016-02-14 07:36:19 UTC (rev 39661) 
@@ -1,3 +1,59 @@ +CVE-2016- [exec functions ignore length but look for NULL termination] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71039 + NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 +CVE-2016- [No check to duplicate zend_extension] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71089 + NOTE: Fixed in 5.6.18, 7.0.3 +CVE-2016- [round() segfault on 64-bit builds] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71201 + NOTE: Fixed in 5.6.18, 7.0.3 + NOTE: can be possibly considered a plain bug not a security issue +CVE-2016- [Output of stream_get_meta_data can be falsified by its input] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71323 + NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 +CVE-2016- [Integer overflow in iptcembed()] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71459 + NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 +CVE-2016- [Heap corruption in tar/zip/phar parser] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71354 + NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 +CVE-2016- [NULL Pointer Dereference in phar_tar_setupmetadata()] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71391 + NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 +CVE-2016- [Stack overflow when decompressing tar archives] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71488 + NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 +CVE-2016- [Crash in SessionHandler::read()] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 + NOTE: https://bugs.php.net/bug.php?id=69111 + NOTE: Fixed in 5.6.18 + TODO: check CVE-2016- [Type confusion vulnerability in WDDX packet deserialization] - php5 - php5.6 5.6.18+dfsg-1 ___ Secure-testing-commits mailing list 
Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
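Review bot: every entry added in this patch records only the bugs.php.net ticket as reference and none of the fixing upstream commits, even though "NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3" implies the fix is already identified; add the git.php.net commit reference per entry so the wheezy/jessie backports can be located without re-searching the bug tracker. The "round() segfault on 64-bit builds" entry, which the log itself says may be dropped for lack of security impact, should also carry a TODO rather than only a NOTE so it shows up in the triage lists.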
[Secure-testing-commits] r39660 - data/CVE
Author: carnil Date: 2016-02-14 07:17:58 + (Sun, 14 Feb 2016) New Revision: 39660 Modified: data/CVE/list Log: Add three php issues without CVE Modified: data/CVE/list === --- data/CVE/list 2016-02-14 07:02:12 UTC (rev 39659) +++ data/CVE/list 2016-02-14 07:17:58 UTC (rev 39660) @@ -1,3 +1,26 @@ +CVE-2016- [Type confusion vulnerability in WDDX packet deserialization] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71335 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305559 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=285cd3417fb61597345b829f5f573707bbdcd484 + NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 +CVE-2016- [Crash on bad SOAP request] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=70979 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305551 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=4308c868f94df1f2b99e80038ba5ea1076d919a7 + NOTE: Fixed in 5.6.18, 7.0.3 +CVE-2016- [Segmentation fault in clean spl_autoload functions while autoloading] + - php5 + - php5.6 5.6.18+dfsg-1 + - php7.0 7.0.3-1 + NOTE: https://bugs.php.net/bug.php?id=71204 + NOTE: https://git.php.net/?p=php-src.git;a=commit;h=620ccc9b1a0a593786a364af15d45fd797a6cf1f + NOTE: Fixed in 5.6.18, 7.0.3 CVE-2016-2330 (libavcodec/gif.c in FFmpeg before 2.8.6 does not properly calculate a ...) - ffmpeg - libav ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
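Review bot: the spl_autoload entry lacks the bugzilla.redhat.com reference that the other two entries carry, and none of the three "- php5" lines has a fixed version, a suite annotation or a TODO, so php5 will be listed as open for all three until someone looks at it; add "TODO: check" to those lines (or the [wheezy]/[jessie] annotation once known) so the pending work is visible.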
[Secure-testing-commits] r39659 - data/CVE
Author: carnil Date: 2016-02-14 07:02:12 + (Sun, 14 Feb 2016) New Revision: 39659 Modified: data/CVE/list Log: Add source package names for issues to check Modified: data/CVE/list === --- data/CVE/list 2016-02-14 06:53:58 UTC (rev 39658) +++ data/CVE/list 2016-02-14 07:02:12 UTC (rev 39659) @@ -1,12 +1,22 @@ CVE-2016-2330 (libavcodec/gif.c in FFmpeg before 2.8.6 does not properly calculate a ...) + - ffmpeg + - libav TODO: check CVE-2016-2329 (libavcodec/tiff.c in FFmpeg before 2.8.6 does not properly validate ...) + - ffmpeg + - libav TODO: check CVE-2016-2328 (libswscale/swscale_unscaled.c in FFmpeg before 2.8.6 does not validate ...) + - ffmpeg + - libav TODO: check CVE-2016-2327 (libavcodec/pngenc.c in FFmpeg before 2.8.5 uses incorrect line sizes ...) + - ffmpeg + - libav TODO: check CVE-2016-2326 (Integer overflow in the asf_write_packet function in ...) + - ffmpeg + - libav TODO: check CVE-2016-2325 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
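Review bot: all five entries keep "TODO: check" after gaining ffmpeg and libav; since the CVE descriptions name FFmpeg releases ("before 2.8.6", "before 2.8.5"), the open question for libav is whether the affected code exists in the libav source at all, and a NOTE stating that would stop the next triager repeating the same lookup for each of the five entries.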
[Secure-testing-commits] r39658 - data/CVE
Author: carnil Date: 2016-02-14 06:53:58 + (Sun, 14 Feb 2016) New Revision: 39658 Modified: data/CVE/list Log: Sync CVE-2016-2085 with kernel-sec repo Modified: data/CVE/list === --- data/CVE/list 2016-02-14 06:36:58 UTC (rev 39657) +++ data/CVE/list 2016-02-14 06:53:58 UTC (rev 39658) @@ -785,8 +785,12 @@ [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) [squeeze] - jasper (Minor issue) -CVE-2016-2085 +CVE-2016-2085 [Timing side-channel in EVM] RESERVED + - linux (unimportant) + - linux-2.6 (unimportant) + NOTE: EVM is not enabled + NOTE: https://git.kernel.org/linus/613317bd212c585c20796c10afe5daaa95d4b0a1 (v4.5-rc4) CVE-2016-2084 RESERVED CVE-2016-2083 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
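Review bot: the justification "NOTE: EVM is not enabled" should say where it is not enabled (the Debian kernel configuration) and which config option was checked, because the "unimportant" rating for linux and linux-2.6 rests entirely on that claim and it has to be re-verified whenever the kernel config changes; the upstream commit reference with its "(v4.5-rc4)" tag is good.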
[Secure-testing-commits] r39657 - data/CVE
Author: carnil Date: 2016-02-14 06:36:58 + (Sun, 14 Feb 2016) New Revision: 39657 Modified: data/CVE/list Log: Record fix in experimental for kodi issue, CVE-2015-3885, #792299 Modified: data/CVE/list === --- data/CVE/list 2016-02-13 21:30:54 UTC (rev 39656) +++ data/CVE/list 2016-02-14 06:36:58 UTC (rev 39657) @@ -20497,6 +20497,7 @@ - xbmc 2:13.2+dfsg1-5 (bug #786688) [jessie] - xbmc (Minor issue) [wheezy] - xbmc (Minor issue) + [experimental] - kodi 16.0~rc3+dfsg2-1 - kodi (bug #792299) - exactimage 0.9.1-5 (bug #786785) [jessie] - exactimage 0.8.9-7+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39656 - data
Author: dmn Date: 2016-02-13 21:30:54 + (Sat, 13 Feb 2016) New Revision: 39656 Modified: data/dla-needed.txt Log: unclaim ntp, will be handled by the maintainer Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-13 21:10:12 UTC (rev 39655) +++ data/dla-needed.txt 2016-02-13 21:30:54 UTC (rev 39656) @@ -41,8 +41,9 @@ NOTE: Trying to sync the solution for CVE-2015-4000 with security team first NOTE: see https://lists.debian.org/debian-lts/2015/12/msg00025.html -- -ntp (Damyan Ivanov) - NOTE: maybe maintainer wants to upload package (as done before) +ntp + NOTE: maintainer wants to upload package (as done before) + NOTE: <20160213161710.ga9...@roeckx.be> -- php5 (Thorsten Alteholz) NOTE: next upload end of December ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
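Review bot: the added reference "<20160213161710.ga9...@roeckx.be>" is a truncated Message-ID (the local part is cut to "ga9..."), so it cannot be resolved in the list archive; record the full Message-ID or the lists.debian.org archive URL instead, as the preceding NOTE for CVE-2015-4000 does.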
[Secure-testing-commits] r39655 - data/CVE
Author: sectracker Date: 2016-02-13 21:10:12 + (Sat, 13 Feb 2016) New Revision: 39655 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-02-13 19:48:12 UTC (rev 39654) +++ data/CVE/list 2016-02-13 21:10:12 UTC (rev 39655) @@ -4743,6 +4743,7 @@ NOTE: The upstream fix for 3.16 was correct, but wheezy had a incomplete backport CVE-2016-0773 RESERVED + {DSA-3476-1 DSA-3475-1} - postgresql-9.5 9.5.1-1 - postgresql-9.4 - postgresql-9.1 @@ -4762,6 +4763,7 @@ RESERVED CVE-2016-0766 RESERVED + {DSA-3476-1 DSA-3475-1} - postgresql-9.5 9.5.1 - postgresql-9.4 - postgresql-9.1 @@ -15890,7 +15892,7 @@ - postgresql-9.1 (no json datatype) - postgresql-8.4 (no json datatype) CVE-2015-5288 (The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, ...) - {DSA-3374-1 DLA-329-1} + {DSA-3475-1 DSA-3374-1 DLA-329-1} - postgresql-9.4 9.4.5-1 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39654 - data/CVE
Author: carnil Date: 2016-02-13 19:48:12 + (Sat, 13 Feb 2016) New Revision: 39654 Modified: data/CVE/list Log: Revert "This was fixed after 0.8.9" This reverts commit 45fc2d5b56eb3256b4f6fa8fdb7febc6f5797960. Reasoning: https://github.com/LibRaw/LibRaw/commit/9ae25d8c3a6bfb40c582538193264f74c9b93bc0 fix still seems to affect dcraw itself. This needs double checking, since version 0.8.9 as well does not seem related to dcraw. Modified: data/CVE/list === --- data/CVE/list 2016-02-13 19:33:07 UTC (rev 39653) +++ data/CVE/list 2016-02-13 19:48:12 UTC (rev 39654) @@ -73363,7 +73363,7 @@ [wheezy] - libkdcraw (Minor issue) - darktable 1.2.2-2 (bug #721233) [wheezy] - darktable 1.0.4-1+deb7u2 - - dcraw 0.8.10 (unimportant; bug #721232) + - dcraw (unimportant; bug #721232) - ufraw 0.19.2-2 (bug #721234) [wheezy] - ufraw (end-user app) [squeeze] - ufraw (end-user app) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
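Review bot: the revert drops the dcraw fixed version but leaves no NOTE on the entry itself recording why (the LibRaw fix appearing to affect dcraw, and 0.8.9 not being a dcraw version); the reasoning lives only in this log message, so add a NOTE with the LibRaw commit URL and the "needs double checking" TODO on the dcraw line, or the next person will re-add the version for the same reason it was added before.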
[Secure-testing-commits] r39653 - data/CVE
Author: carnil Date: 2016-02-13 19:33:07 + (Sat, 13 Feb 2016) New Revision: 39653 Modified: data/CVE/list Log: Add CVE-2016-1544/nghttp2 Modified: data/CVE/list === --- data/CVE/list 2016-02-13 19:28:37 UTC (rev 39652) +++ data/CVE/list 2016-02-13 19:33:07 UTC (rev 39653) @@ -2331,6 +2331,7 @@ RESERVED CVE-2016-1544 RESERVED + - nghttp2 1.7.1-1 CVE-2016-1543 RESERVED CVE-2016-1542 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39652 - data/CVE
Author: carnil Date: 2016-02-13 19:28:37 + (Sat, 13 Feb 2016) New Revision: 39652 Modified: data/CVE/list Log: Try to mark CVE-2016-0774 to reflect current status for the issue Bit complicated to track this correctly. Wheezy needs an additional fix since the fix for CVE-2015-1805 was incomplete. But for the other versions the upstream fix was correct. Modified: data/CVE/list === --- data/CVE/list 2016-02-13 18:12:33 UTC (rev 39651) +++ data/CVE/list 2016-02-13 19:28:37 UTC (rev 39652) @@ -4734,11 +4734,12 @@ - pillow 3.1.1-1 (bug #813909) - python-imaging NOTE: https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec (3.1.1) -CVE-2016-0774 [Incomplete fix for CVE-2015-1805 in Red Hat Enterprise Linux only] +CVE-2016-0774 [Incomplete fix for CVE-2015-1805 for kernel versions < 3.16] RESERVED - - linux (Only affects Red Hat Enterprise Linux) - - linux-2.6 (Only affects Red Hat Enterprise Linux) + - linux 3.16.2-2 + - linux-2.6 NOTE: https://rhn.redhat.com/errata/RHSA-2016-0103.html + NOTE: The upstream fix for 3.16 was correct, but wheezy had a incomplete backport CVE-2016-0773 RESERVED - postgresql-9.5 9.5.1-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
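Review bot: the hunk sets "linux 3.16.2-2" as fixed but adds no [wheezy] line, even though the log and the new NOTE say wheezy's backport of the CVE-2015-1805 fix is the incomplete one; add a "[wheezy] - linux <unfixed>" style annotation (or a NOTE naming the wheezy version that needs the additional fix) so the tracker actually shows the oldstable status the commit message describes as the real problem. The NOTE text "had a incomplete backport" should also read "an incomplete backport".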
[Secure-testing-commits] r39651 - data/CVE
Author: santiago Date: 2016-02-13 18:12:33 + (Sat, 13 Feb 2016) New Revision: 39651 Modified: data/CVE/list Log: CVE-2015-7511/libgcrypt11 squeeze not-affected Modified: data/CVE/list === --- data/CVE/list 2016-02-13 14:36:36 UTC (rev 39650) +++ data/CVE/list 2016-02-13 18:12:33 UTC (rev 39651) @@ -9932,6 +9932,7 @@ {DSA-3474-1} - libgcrypt20 1.6.5-2 - libgcrypt11 + [squeeze] - libgcrypt11 (Vulnerable code not present) NOTE: http://www.cs.tau.ac.IL/~tromer/ecdh/ NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fcbb9fcc2e6983ea61bf565b6ee2e29816b8cd57 (LIBGCRYPT-1-5-BRANCH) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=de7db12fa04016e12dffb2b678632f45eba15ec4 (libgcrypt-1.6.5) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
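Review bot: "[squeeze] - libgcrypt11 (Vulnerable code not present)" is added without saying which code is absent; a short NOTE naming the ECDH code path that the two referenced libgcrypt commits patch and the squeeze version checked would let the claim be re-verified instead of taken on trust.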
[Secure-testing-commits] r39649 - in data: . DSA
Author: carnil Date: 2016-02-13 14:36:33 + (Sat, 13 Feb 2016) New Revision: 39649 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for postgresql-9.1 Modified: data/DSA/list === --- data/DSA/list 2016-02-13 14:08:08 UTC (rev 39648) +++ data/DSA/list 2016-02-13 14:36:33 UTC (rev 39649) @@ -1,3 +1,6 @@ +[13 Feb 2016] DSA-3475-1 postgresql-9.1 - security update + {CVE-2015-5288 CVE-2016-0766 CVE-2016-0773} + [wheezy] - postgresql-9.1 9.1.20-0+deb7u1 [12 Feb 2016] DSA-3474-1 libgcrypt20 - security update {CVE-2015-7511} [jessie] - libgcrypt20 1.6.3-2+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-02-13 14:08:08 UTC (rev 39648) +++ data/dsa-needed.txt 2016-02-13 14:36:33 UTC (rev 39649) @@ -58,8 +58,6 @@ -- pillow (jmm) -- -postgresql-9.1 (carnil) --- postgresql-9.4 (carnil) -- smarty3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39650 - in data: . DSA
Author: carnil Date: 2016-02-13 14:36:36 + (Sat, 13 Feb 2016) New Revision: 39650 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for postgresql-9.4 Modified: data/DSA/list === --- data/DSA/list 2016-02-13 14:36:33 UTC (rev 39649) +++ data/DSA/list 2016-02-13 14:36:36 UTC (rev 39650) @@ -1,3 +1,6 @@ +[13 Feb 2016] DSA-3476-1 postgresql-9.4 - security update + {CVE-2016-0766 CVE-2016-0773} + [jessie] - postgresql-9.4 9.4.6-0+deb8u1 [13 Feb 2016] DSA-3475-1 postgresql-9.1 - security update {CVE-2015-5288 CVE-2016-0766 CVE-2016-0773} [wheezy] - postgresql-9.1 9.1.20-0+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-02-13 14:36:33 UTC (rev 39649) +++ data/dsa-needed.txt 2016-02-13 14:36:36 UTC (rev 39650) @@ -58,8 +58,6 @@ -- pillow (jmm) -- -postgresql-9.4 (carnil) --- smarty3 -- squid/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39648 - data/CVE
Author: jmm Date: 2016-02-13 14:08:08 + (Sat, 13 Feb 2016) New Revision: 39648 Modified: data/CVE/list Log: reset to (unimportant), which is what we use for issues found in the source package, but not shipped in the binary package. Once the sample code is fixed, it can be set as the fixed version Modified: data/CVE/list === --- data/CVE/list 2016-02-13 13:35:34 UTC (rev 39647) +++ data/CVE/list 2016-02-13 14:08:08 UTC (rev 39648) @@ -993,8 +993,8 @@ - node-cli (bug #809252) [jessie] - node-cli (Minor issue) CVE-2016-2049 (examples/consumer/common.php in JanRain PHP OpenID library (aka ...) - - php-openid (vulnerable code not present) - NOTE: sample code only, actual vulnerable code not found anywhere in Debian + - php-openid (unimportant) + NOTE: sample code only, actual vulnerable code not shipped in package NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/2 NOTE: https://github.com/openid/php-openid/issues/128 CVE-2016-2047 (The ssl_verify_server_cert function in sql-common/client.c in MariaDB ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39647 - data/CVE
Author: carnil Date: 2016-02-13 13:35:34 + (Sat, 13 Feb 2016) New Revision: 39647 Modified: data/CVE/list Log: Fix CVE entry for postgresql, it is CVE-2016-0766 Modified: data/CVE/list === --- data/CVE/list 2016-02-13 13:07:41 UTC (rev 39646) +++ data/CVE/list 2016-02-13 13:35:34 UTC (rev 39647) @@ -4729,10 +4729,6 @@ NOTE: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt CVE-2016-0776 RESERVED - - postgresql-9.5 9.5.1-1 - - postgresql-9.4 - - postgresql-9.1 - [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) CVE-2016-0775 [Buffer overflow in FliDecode.c] RESERVED - pillow 3.1.1-1 (bug #813909) @@ -4764,9 +4760,10 @@ RESERVED CVE-2016-0766 RESERVED - - postgresql-9.5 + - postgresql-9.5 9.5.1 - postgresql-9.4 - postgresql-9.1 + [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) CVE-2016-0765 RESERVED CVE-2016-0764 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39646 - in data: . CVE
Author: carnil Date: 2016-02-13 13:07:41 + (Sat, 13 Feb 2016) New Revision: 39646 Modified: data/CVE/list data/next-oldstable-point-update.txt Log: Remove CVE-2015-5288 from oldstable-point-update, will be included in DSA Modified: data/CVE/list === --- data/CVE/list 2016-02-13 12:52:28 UTC (rev 39645) +++ data/CVE/list 2016-02-13 13:07:41 UTC (rev 39646) @@ -15894,7 +15894,6 @@ - postgresql-9.4 9.4.5-1 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - [wheezy] - postgresql-9.1 (minor issue) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) [squeeze] - postgresql-8.4 (minor issue) Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2016-02-13 12:52:28 UTC (rev 39645) +++ data/next-oldstable-point-update.txt2016-02-13 13:07:41 UTC (rev 39646) @@ -23,8 +23,6 @@ [wheezy] - sendmail 8.14.4-4+deb7u1 CVE-2015-6526 [wheezy] - linux 3.2.71-1 -CVE-2015-5288 - [wheezy] - postgresql-9.1 9.1.19-0+deb7u1 CVE-2015- [multiple overflows in strxfrm()] [wheezy] - eglibc 2.13-38+deb7u9 CVE-2015-8777 [Glibc Pointer guarding weakness] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39645 - data
Author: carnil Date: 2016-02-13 12:52:28 + (Sat, 13 Feb 2016) New Revision: 39645 Modified: data/dsa-needed.txt Log: Take care of releasing Myon's packages for postgresql Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-02-13 12:08:44 UTC (rev 39644) +++ data/dsa-needed.txt 2016-02-13 12:52:28 UTC (rev 39645) @@ -58,9 +58,9 @@ -- pillow (jmm) -- -postgresql-9.1 +postgresql-9.1 (carnil) -- -postgresql-9.4 +postgresql-9.4 (carnil) -- smarty3 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39644 - data/CVE
Author: fgeek-guest Date: 2016-02-13 12:08:44 + (Sat, 13 Feb 2016) New Revision: 39644 Modified: data/CVE/list Log: NFU ESA-2016-010 Modified: data/CVE/list === --- data/CVE/list 2016-02-13 09:49:57 UTC (rev 39643) +++ data/CVE/list 2016-02-13 12:08:44 UTC (rev 39644) @@ -4450,9 +4450,9 @@ CVE-2016-0883 RESERVED CVE-2016-0882 (EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows ...) - TODO: check + NOT-FOR-US: EMC Documentum CVE-2016-0881 (EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows ...) - TODO: check + NOT-FOR-US: EMC Documentum CVE-2015-8610 RESERVED CVE-2015-8609 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39643 - data
Author: dmn Date: 2016-02-13 09:49:57 + (Sat, 13 Feb 2016) New Revision: 39643 Modified: data/dla-needed.txt Log: claim ntp in dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-13 06:12:01 UTC (rev 39642) +++ data/dla-needed.txt 2016-02-13 09:49:57 UTC (rev 39643) @@ -41,7 +41,7 @@ NOTE: Trying to sync the solution for CVE-2015-4000 with security team first NOTE: see https://lists.debian.org/debian-lts/2015/12/msg00025.html -- -ntp +ntp (Damyan Ivanov) NOTE: maybe maintainer wants to upload package (as done before) -- php5 (Thorsten Alteholz) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits