[Secure-testing-commits] r39707 - data
Author: lamby Date: 2016-02-16 07:48:44 + (Tue, 16 Feb 2016) New Revision: 39707 Modified: data/dla-needed.txt Log: Claim libmatroska in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-16 07:25:40 UTC (rev 39706) +++ data/dla-needed.txt 2016-02-16 07:48:44 UTC (rev 39707) @@ -37,7 +37,7 @@ -- krb5 (Thorsten Alteholz) -- -libmatroska +libmatroska (Chris Lamb) -- lxc (Mike Gabriel) NOTE: waiting for upstream feedback: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/comments/77 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39708 - data
Author: lamby Date: 2016-02-16 07:48:46 + (Tue, 16 Feb 2016) New Revision: 39708 Modified: data/dla-needed.txt Log: Claim xdelta3 in data/dla-needed.txt. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-16 07:48:44 UTC (rev 39707) +++ data/dla-needed.txt 2016-02-16 07:48:46 UTC (rev 39708) @@ -57,7 +57,7 @@ -- tiff -- -xdelta3 +xdelta3 (Chris Lamb) -- xymon (Chris Lamb) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39706 - data/CVE
Author: carnil Date: 2016-02-16 07:25:40 + (Tue, 16 Feb 2016) New Revision: 39706 Modified: data/CVE/list Log: Add CVE-2015-1776/hadoop Modified: data/CVE/list === --- data/CVE/list 2016-02-16 05:39:10 UTC (rev 39705) +++ data/CVE/list 2016-02-16 07:25:40 UTC (rev 39706) @@ -26658,6 +26658,7 @@ [wheezy] - rhn-client-tools (Minor issue) CVE-2015-1776 RESERVED + - hadoop (bug #793644) CVE-2015-1775 (Server-side request forgery (SSRF) vulnerability in the proxy endpoint ...) NOT-FOR-US: Apache Ambari CVE-2015-1774 (The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
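Review bot: the new `+ - hadoop (bug #793644)` line leaves CVE-2015-1776 with a bare RESERVED and no local description, unlike the other reserved-but-known entries in this batch (CVE-2016-2037 [out-of-bounds write with cpio 2.11], CVE-2016-2384 [Double-free in snd-usbmidi-lib ...]); a bracketed summary taken from the bug report would make the entry readable until MITRE publishes the text.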
[Secure-testing-commits] r39705 - data/CVE
Author: carnil Date: 2016-02-16 05:39:10 + (Tue, 16 Feb 2016) New Revision: 39705 Modified: data/CVE/list Log: Mark CVE-2016-1896 as NFU Modified: data/CVE/list === --- data/CVE/list 2016-02-15 22:42:13 UTC (rev 39704) +++ data/CVE/list 2016-02-16 05:39:10 UTC (rev 39705) @@ -1660,7 +1660,7 @@ - cgit 0.11.2.git2.3.2-1.1 (bug #812411) NOTE: http://git.zx2c4.com/cgit/commit/?id=1c581a072651524f3b0d91f33e22a42c4166dd96 (v0.12) CVE-2016-1896 (Race condition in the initialization process on Lexmark printers with ...) - TODO: check + NOT-FOR-US: Firmware in Lexmark printers CVE-2016-1895 RESERVED CVE-2016-1894 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39704 - data/DSA
Author: jmm Date: 2016-02-15 22:42:13 + (Mon, 15 Feb 2016) New Revision: 39704 Modified: data/DSA/list Log: graphite DSA Modified: data/DSA/list === --- data/DSA/list 2016-02-15 21:10:13 UTC (rev 39703) +++ data/DSA/list 2016-02-15 22:42:13 UTC (rev 39704) @@ -1,3 +1,7 @@ +[15 Feb 2016] DSA-3479-1 graphite2 - security update + {CVE-2016-1521 CVE-2016-1522 CVE-2016-1523} + [wheezy] - graphite2 1.3.5-1~deb7u1 + [jessie] - graphite2 1.3.5-1~deb8u1 [15 Feb 2016] DSA-3478-1 libgcrypt11 - security update {CVE-2015-7511} [wheezy] - libgcrypt11 1.5.0-5+deb7u4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39703 - data/CVE
Author: sectracker Date: 2016-02-15 21:10:13 + (Mon, 15 Feb 2016) New Revision: 39703 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-02-15 20:59:29 UTC (rev 39702) +++ data/CVE/list 2016-02-15 21:10:13 UTC (rev 39703) @@ -1,3 +1,107 @@ +CVE-2016-2382 + RESERVED +CVE-2016-2381 + RESERVED +CVE-2016-2380 + RESERVED +CVE-2016-2379 + RESERVED +CVE-2016-2378 + RESERVED +CVE-2016-2377 + RESERVED +CVE-2016-2376 + RESERVED +CVE-2016-2375 + RESERVED +CVE-2016-2374 + RESERVED +CVE-2016-2373 + RESERVED +CVE-2016-2372 + RESERVED +CVE-2016-2371 + RESERVED +CVE-2016-2370 + RESERVED +CVE-2016-2369 + RESERVED +CVE-2016-2368 + RESERVED +CVE-2016-2367 + RESERVED +CVE-2016-2366 + RESERVED +CVE-2016-2365 + RESERVED +CVE-2016-2364 + RESERVED +CVE-2016-2363 + RESERVED +CVE-2016-2362 + RESERVED +CVE-2016-2361 + RESERVED +CVE-2016-2360 + RESERVED +CVE-2016-2359 + RESERVED +CVE-2016-2358 + RESERVED +CVE-2016-2357 + RESERVED +CVE-2016-2356 + RESERVED +CVE-2016-2355 + RESERVED +CVE-2016-2354 + RESERVED +CVE-2016-2353 + RESERVED +CVE-2016-2352 + RESERVED +CVE-2016-2351 + RESERVED +CVE-2016-2350 + RESERVED +CVE-2016-2349 + RESERVED +CVE-2016-2348 + RESERVED +CVE-2016-2347 + RESERVED +CVE-2016-2346 + RESERVED +CVE-2016-2345 + RESERVED +CVE-2016-2344 + RESERVED +CVE-2016-2343 + RESERVED +CVE-2016-2342 + RESERVED +CVE-2016-2341 + RESERVED +CVE-2016-2340 + RESERVED +CVE-2016-2339 + RESERVED +CVE-2016-2338 + RESERVED +CVE-2016-2337 + RESERVED +CVE-2016-2336 + RESERVED +CVE-2016-2335 + RESERVED +CVE-2016-2334 + RESERVED +CVE-2016-2333 + RESERVED +CVE-2016-2332 + RESERVED +CVE-2016-2331 + RESERVED CVE-2016-2385 [SEAS Module Heap overflow] - kamailio NOTE: https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643 
@@ -3,9 +107,11 @@ TODO: check CVE-2016-2384 [Double-free in snd-usbmidi-lib triggered by invalid USB descriptor] + RESERVED - linux - linux-2.6 NOTE: Fixed by: https://git.kernel.org/linus/07d86ca93db7e5cdf4743564d98292042ec21af7 (v4.5-rc4) NOTE: http://www.openwall.com/lists/oss-security/2016/02/14/2 CVE-2016-2383 [Incorrect branch fixups for eBPF allow arbitrary read] + RESERVED - linux [jessie] - linux (Vulnerable code not present) @@ -150,8 +256,8 @@ RESERVED CVE-2016-2315 RESERVED -CVE-2016-2314 - RESERVED +CVE-2016-2314 (GlobespanVirata ftpd 1.0, as used on Huawei SmartAX MT882 devices ...) + TODO: check CVE-2016-2318 RESERVED - graphicsmagick (bug #814732) @@ -360,8 +466,8 @@ RESERVED CVE-2016-2232 RESERVED -CVE-2016-2231 - RESERVED +CVE-2016-2231 (The Windows-based Host Interface Program (WHIP) service on Huawei ...) + TODO: check CVE-2016-2230 (OpenELEC and RasPlex devices have a hardcoded password for the root ...) TODO: check CVE-2016-2229 @@ -754,12 +860,12 @@ [squeeze] - nettle (Vulnerable code not present) NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html NOTE: https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d -CVE-2015-8797 - RESERVED -CVE-2015-8796 - RESERVED -CVE-2015-8795 - RESERVED +CVE-2015-8797 (Cross-site scripting (XSS) vulnerability in ...) + TODO: check +CVE-2015-8796 (Cross-site scripting (XSS) vulnerability in ...) + TODO: check +CVE-2015-8795 (Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in ...) + TODO: check CVE-2015-8794 (Absolute path traversal vulnerability in ...) - roundcube 1.1.2+dfsg.1-1 [wheezy] - roundcube (Vulnerable code not present) 
@@ -961,8 +1067,7 @@ NOTE: http://sourceforge.net/p/giflib/bugs/82/ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/26/5 NOTE: http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/ -CVE-2016-2073 [Out-of-bounds Read in the libxml2's htmlParseNameComplex() function] - RESERVED +CVE-2016-2073 (The htmlParseNameComplex function in HTMLparser.c in libxml2 allows ...) - libxml2 (bug #812807) NOTE: http://www.openwall.com/lists/oss-security/2016/01/25/6 NOTE: http://www.openwall.com/lists/oss-security/2016/01/26/8 has details @@ -1301,8 +1406,7 @@ RESERVED CVE-2016-1950 RESERVED -CVE-2016-1949 - RESERVED +CVE-2016-1949 (Mozilla Firefox before 44.0.2 does not properly restrict the ...) - iceweasel [jessie] - icewe
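Review bot: the first hunk (@@ -1,3 +1,107 @@) prepends the newly reserved CVE-2016-2331 through CVE-2016-2382 above the hand-added CVE-2016-2385, CVE-2016-2384 and CVE-2016-2383 entries, so those three now sit below lower-numbered ids; if the automatic update keeps prepending, a follow-up commit should move them back to the top. The last hunk (@@ -1301,8 +1406,7 @@) is cut off in this archive copy after `- icewe`, so the remainder of the CVE-2016-1949 change cannot be reviewed here.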
[Secure-testing-commits] r39702 - data/CVE
Author: carnil Date: 2016-02-15 20:59:29 + (Mon, 15 Feb 2016) New Revision: 39702 Modified: data/CVE/list Log: Add notes for CVE-2016-1544/nghttp2 Modified: data/CVE/list === --- data/CVE/list 2016-02-15 20:52:24 UTC (rev 39701) +++ data/CVE/list 2016-02-15 20:59:29 UTC (rev 39702) @@ -2458,9 +2458,12 @@ RESERVED CVE-2016-1545 RESERVED -CVE-2016-1544 +CVE-2016-1544 [out of memory error due to unlimited incoming HTTP header fields] RESERVED - nghttp2 1.7.1-1 + NOTE: Fix spread across multiple commits: https://github.com/tatsuhiro-t/nghttp2/compare/v1.7.0...v1.7.1 + NOTE: Commits between 1.7.0 and 1.7.1 seem almost limited to this issue, cf. + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1308461#c3 CVE-2016-1543 RESERVED CVE-2016-1542 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39701 - data
Author: agx Date: 2016-02-15 20:52:24 + (Mon, 15 Feb 2016) New Revision: 39701 Modified: data/dla-needed.txt Log: Libmatroska in squeeze-lts affected by CVE-2015-8792 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-15 20:52:23 UTC (rev 39700) +++ data/dla-needed.txt 2016-02-15 20:52:24 UTC (rev 39701) @@ -37,6 +37,8 @@ -- krb5 (Thorsten Alteholz) -- +libmatroska +-- lxc (Mike Gabriel) NOTE: waiting for upstream feedback: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/comments/77 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
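Review bot: the new `+libmatroska` entry carries no NOTE, so the CVE it is added for (CVE-2015-8792, named only in the log message) is not visible to whoever claims the package; the neighbouring lxc entry shows the `NOTE:` form to use, e.g. `NOTE: CVE-2015-8792`.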
[Secure-testing-commits] r39699 - data
Author: agx Date: 2016-02-15 20:52:21 + (Mon, 15 Feb 2016) New Revision: 39699 Modified: data/dla-needed.txt Log: gtk+2.0 in squeeze-lts affected by CVE-2013-7447 gnome-photos also contains the overflow in view_helper_draw in src/gegl-gtk-view-helper.c but I've not been able to crash it since it doesn't load images directly. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-15 19:49:41 UTC (rev 39698) +++ data/dla-needed.txt 2016-02-15 20:52:21 UTC (rev 39699) @@ -24,6 +24,8 @@ -- eglibc (Aurelien Jarno) -- +gtk+2.0 +-- icu NOTE: check comments on CVE-2016-0494 as well NOTE: tentative package for icu https://lists.debian.org/debian-lts/2016/01/msg00133.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
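Review bot: the `+gtk+2.0` entry is added without a NOTE, so neither CVE-2013-7447 nor the triage result in the log (gnome-photos also contains the overflow in view_helper_draw in src/gegl-gtk-view-helper.c but could not be crashed because it does not load images directly) is recorded in the tracker itself; a `NOTE:` line under gtk+2.0 with the CVE id, and a NOTE on the CVE-2013-7447 entry in data/CVE/list for the gnome-photos finding, would keep that result from living only in the commit log.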
[Secure-testing-commits] r39700 - data
Author: agx Date: 2016-02-15 20:52:23 + (Mon, 15 Feb 2016) New Revision: 39700 Modified: data/dla-needed.txt Log: xdelta3 in squeeze-lts affected by CVE-2014-9765 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-15 20:52:21 UTC (rev 39699) +++ data/dla-needed.txt 2016-02-15 20:52:23 UTC (rev 39700) @@ -55,6 +55,8 @@ -- tiff -- +xdelta3 +-- xymon (Chris Lamb) -- wordpress (Markus Koschany) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
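Review bot: as with libmatroska in r39701, `+xdelta3` is added with no NOTE naming CVE-2014-9765, which appears only in the log message; `NOTE: CVE-2014-9765` under the entry would spare the claimant a search of the history.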
[Secure-testing-commits] r39698 - org
Author: carnil Date: 2016-02-15 19:49:41 + (Mon, 15 Feb 2016) New Revision: 39698 Modified: org/security-frontdesk.2016.txt Log: Fill another round for frontdesk shifts Modified: org/security-frontdesk.2016.txt === --- org/security-frontdesk.2016.txt 2016-02-15 19:42:52 UTC (rev 39697) +++ org/security-frontdesk.2016.txt 2016-02-15 19:49:41 UTC (rev 39698) @@ -13,18 +13,18 @@ From 28-03 to 03-04:corsac From 04-04 to 10-04:thijs From 11-04 to 17-04:fw -From 18-04 to 24-04: -From 25-04 to 01-05: -From 02-05 to 08-05: -From 09-05 to 15-05: -From 16-05 to 22-05: -From 23-05 to 29-05: -From 30-05 to 05-06: -From 06-06 to 12-06: -From 13-06 to 19-06: -From 20-06 to 26-06: -From 27-06 to 03-07: -From 04-07 to 10-07: +From 18-04 to 24-04:ghedo +From 25-04 to 01-05:iuculano +From 02-05 to 08-05:seb +From 09-05 to 15-05:jmm +From 16-05 to 22-05:carnil +From 23-05 to 29-05:luciano +From 30-05 to 05-06:mgilbert +From 06-06 to 12-06:nion +From 13-06 to 19-06:geissert +From 20-06 to 26-06:corsac +From 27-06 to 03-07:thijs +From 04-07 to 10-07:fw From 11-07 to 17-07: From 18-07 to 24-07: From 25-07 to 31-07: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39697 - data
Author: agx Date: 2016-02-15 19:42:52 + (Mon, 15 Feb 2016) New Revision: 39697 Modified: data/dla-needed.txt Log: Add cacti to dla-needed. Note that there's an ongoing discussion if this is a vulnerability after all. Check the links at the CVE Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-15 19:38:52 UTC (rev 39696) +++ data/dla-needed.txt 2016-02-15 19:42:52 UTC (rev 39697) @@ -9,6 +9,9 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +cacti + NOTE: Issue being disputed, check https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814353#10 +-- cakephp NOTE: 20160123, No official solution is currently available. -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
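Review bot: the NOTE under `+cacti` points at bug #814353 but does not name the CVE whose links the log message says to check; adding the CVE id to the NOTE would let the claimant reach the dispute without first opening the bug.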
[Secure-testing-commits] r39696 - data/CVE
Author: carnil Date: 2016-02-15 19:38:52 + (Mon, 15 Feb 2016) New Revision: 39696 Modified: data/CVE/list Log: CVE-2010-5325: version 4.0.5-6 included the fix already Modified: data/CVE/list === --- data/CVE/list 2016-02-15 19:30:59 UTC (rev 39695) +++ data/CVE/list 2016-02-15 19:38:52 UTC (rev 39696) @@ -19093,15 +19093,13 @@ CVE-2015-4173 (Unquoted Windows search path vulnerability in the autorun value in ...) NOT-FOR-US: Dell SonicWall NetExtender CVE-2010-5325 [foomatic-rip unhtmlify() buffer overflow vulnerability] - - foomatic-filters 4.0.6-1 - [squeeze] - foomatic-filters 4.0.5-6+squeeze2 + - foomatic-filters 4.0.5-6 - cups-filters (Vulnerable code not present) NOTE: cups-filters 1.0.42 introduced foomatic-rip filter which already was fixed. NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=515 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1218297 NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/239 (HEAD) NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic-4.0/foomatic-filters/revision/225 (4.0.x branch) - TODO: check fixing version CVE-2010-5324 (Directory traversal vulnerability in UploadServlet in the Remote ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-4692 (The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
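Review bot: collapsing `- foomatic-filters 4.0.6-1` and `[squeeze] - foomatic-filters 4.0.5-6+squeeze2` into a single `- foomatic-filters 4.0.5-6` matches the log, but the evidence for that version (r39695's log says squeeze was fixed by debian/patches/unhtmlify-segfault.patch) now exists only in the history; a NOTE naming the patch would keep it beside the bzr revision links already recorded. Dropping `TODO: check fixing version` is right once the version is settled.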
[Secure-testing-commits] r39695 - data/CVE
Author: agx Date: 2016-02-15 19:30:59 + (Mon, 15 Feb 2016) New Revision: 39695 Modified: data/CVE/list Log: CVE-2010-5325 already fixed in squeeze by debian/patches/unhtmlify-segfault.patch Modified: data/CVE/list === --- data/CVE/list 2016-02-15 19:23:48 UTC (rev 39694) +++ data/CVE/list 2016-02-15 19:30:59 UTC (rev 39695) @@ -19094,6 +19094,7 @@ NOT-FOR-US: Dell SonicWall NetExtender CVE-2010-5325 [foomatic-rip unhtmlify() buffer overflow vulnerability] - foomatic-filters 4.0.6-1 + [squeeze] - foomatic-filters 4.0.5-6+squeeze2 - cups-filters (Vulnerable code not present) NOTE: cups-filters 1.0.42 introduced foomatic-rip filter which already was fixed. NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=515 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39694 - data/CVE
Author: carnil Date: 2016-02-15 19:23:48 + (Mon, 15 Feb 2016) New Revision: 39694 Modified: data/CVE/list Log: Add CVE-2016-2385/kamailio Modified: data/CVE/list === --- data/CVE/list 2016-02-15 18:51:41 UTC (rev 39693) +++ data/CVE/list 2016-02-15 19:23:48 UTC (rev 39694) @@ -1,3 +1,7 @@ +CVE-2016-2385 [SEAS Module Heap overflow] + - kamailio + NOTE: https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643 + TODO: check CVE-2016-2384 [Double-free in snd-usbmidi-lib triggered by invalid USB descriptor] - linux - linux-2.6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39693 - in data: . DSA
Author: carnil Date: 2016-02-15 18:51:41 + (Mon, 15 Feb 2016) New Revision: 39693 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for libgcrypt11 Modified: data/DSA/list === --- data/DSA/list 2016-02-15 18:16:42 UTC (rev 39692) +++ data/DSA/list 2016-02-15 18:51:41 UTC (rev 39693) @@ -1,3 +1,6 @@ +[15 Feb 2016] DSA-3478-1 libgcrypt11 - security update + {CVE-2015-7511} + [wheezy] - libgcrypt11 1.5.0-5+deb7u4 [14 Feb 2016] DSA-3477-1 iceweasel - security update {CVE-2016-1523} [wheezy] - iceweasel 38.6.1esr-1~deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-02-15 18:16:42 UTC (rev 39692) +++ data/dsa-needed.txt 2016-02-15 18:51:41 UTC (rev 39693) @@ -32,9 +32,6 @@ -- libav/oldstable -- -libgcrypt11 (carnil) - waiting for feedback from upstream --- libidn Working debdiff for wheezy-security at https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39692 - data/CVE
Author: carnil Date: 2016-02-15 18:16:42 + (Mon, 15 Feb 2016) New Revision: 39692 Modified: data/CVE/list Log: Update status for cups-filters as well (no version affected) Modified: data/CVE/list === --- data/CVE/list 2016-02-15 18:04:21 UTC (rev 39691) +++ data/CVE/list 2016-02-15 18:16:42 UTC (rev 39692) @@ -19090,7 +19090,8 @@ NOT-FOR-US: Dell SonicWall NetExtender CVE-2010-5325 [foomatic-rip unhtmlify() buffer overflow vulnerability] - foomatic-filters 4.0.6-1 - - cups-filters + - cups-filters (Vulnerable code not present) + NOTE: cups-filters 1.0.42 introduced foomatic-rip filter which already was fixed. NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=515 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1218297 NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/239 (HEAD) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39691 - data/CVE
Author: carnil Date: 2016-02-15 18:04:21 + (Mon, 15 Feb 2016) New Revision: 39691 Modified: data/CVE/list Log: CVE-2016-5325/foomatic-filters fixed in 4.0.6-1 Modified: data/CVE/list === --- data/CVE/list 2016-02-15 17:54:08 UTC (rev 39690) +++ data/CVE/list 2016-02-15 18:04:21 UTC (rev 39691) @@ -19089,7 +19089,7 @@ CVE-2015-4173 (Unquoted Windows search path vulnerability in the autorun value in ...) NOT-FOR-US: Dell SonicWall NetExtender CVE-2010-5325 [foomatic-rip unhtmlify() buffer overflow vulnerability] - - foomatic-filters + - foomatic-filters 4.0.6-1 - cups-filters NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=515 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1218297 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
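Review bot: the log message says CVE-2016-5325 while the hunk edits the CVE-2010-5325 entry; the hunk is correct and the year in the log is a typo, worth flagging since svn log messages are not normally amended.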
[Secure-testing-commits] r39690 - data/CVE
Author: carnil Date: 2016-02-15 17:54:08 + (Mon, 15 Feb 2016) New Revision: 39690 Modified: data/CVE/list Log: Add references to commits for foomatic-filters issue Modified: data/CVE/list === --- data/CVE/list 2016-02-15 17:23:01 UTC (rev 39689) +++ data/CVE/list 2016-02-15 17:54:08 UTC (rev 39690) @@ -19093,6 +19093,8 @@ - cups-filters NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=515 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1218297 + NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/239 (HEAD) + NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic-4.0/foomatic-filters/revision/225 (4.0.x branch) TODO: check fixing version CVE-2010-5324 (Directory traversal vulnerability in UploadServlet in the Remote ...) NOT-FOR-US: Novell ZENworks Configuration Management ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39689 - data/CVE
Author: carnil Date: 2016-02-15 17:23:01 + (Mon, 15 Feb 2016) New Revision: 39689 Modified: data/CVE/list Log: Add CVE-2010-5325/foomatic-filters, possibly cups-filters Note: this is fixed long time ago, but fixing version needs to be specified, thus left as undetermined until fixing version in Debian found. Modified: data/CVE/list === --- data/CVE/list 2016-02-15 14:23:25 UTC (rev 39688) +++ data/CVE/list 2016-02-15 17:23:01 UTC (rev 39689) @@ -19088,6 +19088,12 @@ NOT-FOR-US: Siemens Climatix BACnet/IP communication module CVE-2015-4173 (Unquoted Windows search path vulnerability in the autorun value in ...) NOT-FOR-US: Dell SonicWall NetExtender +CVE-2010-5325 [foomatic-rip unhtmlify() buffer overflow vulnerability] + - foomatic-filters + - cups-filters + NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=515 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1218297 + TODO: check fixing version CVE-2010-5324 (Directory traversal vulnerability in UploadServlet in the Remote ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-4692 (The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
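Review bot: `+ - cups-filters` is listed with no version or status although the log says only "possibly cups-filters", so it reads like a confirmed affected package; a NOTE stating that cups-filters is unconfirmed would distinguish it from the foomatic-filters line until the code is checked.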
[Secure-testing-commits] r39688 - in data: . DLA
Author: aurel32 Date: 2016-02-15 14:23:25 + (Mon, 15 Feb 2016) New Revision: 39688 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-416-1 for eglibc Modified: data/DLA/list === --- data/DLA/list 2016-02-15 09:10:15 UTC (rev 39687) +++ data/DLA/list 2016-02-15 14:23:25 UTC (rev 39688) @@ -1,3 +1,6 @@ +[15 Feb 2016] DLA-416-1 eglibc - security update + {CVE-2015-7547} + [squeeze] - eglibc 2.11.3-4+deb6u11 [15 Feb 2016] DLA-415-1 cpio - security update {CVE-2016-2037} [squeeze] - cpio 2.11-4+deb6u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-15 09:10:15 UTC (rev 39687) +++ data/dla-needed.txt 2016-02-15 14:23:25 UTC (rev 39688) @@ -19,6 +19,8 @@ dwarfutils NOTE: 20160123, no CVE assigned yet, no fix availabe yet -- +eglibc (Aurelien Jarno) +-- icu NOTE: check comments on CVE-2016-0494 as well NOTE: tentative package for icu https://lists.debian.org/debian-lts/2016/01/msg00133.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
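Review bot: the second hunk adds `+eglibc (Aurelien Jarno)` to data/dla-needed.txt in the same commit that reserves DLA-416-1, whereas r39686 removed cpio from dla-needed.txt when DLA-415-1 was reserved; if the entry is meant to track work remaining after the advisory, a NOTE saying so would help, otherwise it should be dropped once DLA-416-1 is published.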
[Secure-testing-commits] r39687 - data/CVE
Author: sectracker Date: 2016-02-15 09:10:15 + (Mon, 15 Feb 2016) New Revision: 39687 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-02-15 09:01:02 UTC (rev 39686) +++ data/CVE/list 2016-02-15 09:10:15 UTC (rev 39687) @@ -1480,6 +1480,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/10 CVE-2016-2037 [out-of-bounds write with cpio 2.11] RESERVED + {DLA-415-1} - cpio 2.11+dfsg-5 (bug #812401) NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/4 NOTE: To reproduce and uncover the issue with unstable version compile with ASAN ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39686 - in data: . DLA
Author: santiago Date: 2016-02-15 09:01:02 + (Mon, 15 Feb 2016) New Revision: 39686 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-415-1 for cpio Modified: data/DLA/list === --- data/DLA/list 2016-02-14 21:10:12 UTC (rev 39685) +++ data/DLA/list 2016-02-15 09:01:02 UTC (rev 39686) @@ -1,3 +1,6 @@ +[15 Feb 2016] DLA-415-1 cpio - security update + {CVE-2016-2037} + [squeeze] - cpio 2.11-4+deb6u2 [12 Feb 2016] DLA-414-1 chrony - security update {CVE-2016-1567} [squeeze] - chrony 1.24-3+squeeze3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-14 21:10:12 UTC (rev 39685) +++ data/dla-needed.txt 2016-02-15 09:01:02 UTC (rev 39686) @@ -12,8 +12,6 @@ cakephp NOTE: 20160123, No official solution is currently available. -- -cpio (Santiago R.R.) --- curl NOTE: marked as no-dsa in wheezy as too intrusive to backport NOTE: should we have the resources to handle it we should fix wheezy too. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits