[Secure-testing-commits] r39803 - data/CVE
Author: carnil
Date: 2016-02-22 05:17:15 + (Mon, 22 Feb 2016)
New Revision: 39803
Modified: data/CVE/list
Log: Add note about workaround

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 22:17:12 UTC (rev 39802) +++ data/CVE/list 2016-02-22 05:17:15 UTC (rev 39803) @@ -1199,6 +1199,7 @@ - pillow 3.1.1-1 - python-imaging [squeeze] - python-imaging 1.1.7-2+deb6u2 + NOTE: workaround entry for DLA-422-1 until/if CVE assigned NOTE: https://github.com/python-pillow/Pillow/pull/1706 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/02/5 NOTE: https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
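Review bot: the added NOTE at -1199 says the entry is a workaround "until/if CVE assigned" but does not say what has to change at that point. A TODO next to it naming the line to revisit ("[squeeze] - python-imaging 1.1.7-2+deb6u2") would keep the workaround from being left in place after an id is assigned.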
[Secure-testing-commits] r39802 - in data: . CVE
Author: benh
Date: 2016-02-21 22:17:12 + (Sun, 21 Feb 2016)
New Revision: 39802
Modified: data/CVE/list data/dla-needed.txt
Log: Triage new issues for squeeze

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 21:45:04 UTC (rev 39801) +++ data/CVE/list 2016-02-21 22:17:12 UTC (rev 39802) @@ -1198,6 +1198,7 @@ CVE-2016- [Buffer overflow in Python-Pillow and PIL] - pillow 3.1.1-1 - python-imaging + [squeeze] - python-imaging 1.1.7-2+deb6u2 NOTE: https://github.com/python-pillow/Pillow/pull/1706 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/02/5 NOTE: https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-21 21:45:04 UTC (rev 39801) +++ data/dla-needed.txt 2016-02-21 22:17:12 UTC (rev 39802) @@ -9,6 +9,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +bsh +-- cacti NOTE: Issue being disputed, check https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814353#10 -- @@ -19,6 +21,8 @@ NOTE: marked as no-dsa in wheezy as too intrusive to backport NOTE: should we have the resources to handle it we should fix wheezy too. -- +didiwiki +-- dwarfutils NOTE: 20160123, no CVE assigned yet, no fix availabe yet --
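Review bot: in the data/CVE/list hunk, the added "[squeeze] - python-imaging 1.1.7-2+deb6u2" line records a fixed version against the still-unnumbered "CVE-2016-" entry with no NOTE saying which advisory shipped it. Add a NOTE under it naming the advisory so the version is not misread once an id is assigned. In data/dla-needed.txt the new "bsh" and "didiwiki" entries likewise carry no NOTE, unlike the neighbouring "cacti" and "dwarfutils" entries; a one-line pointer to the issue being triaged would help whoever claims them.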
[Secure-testing-commits] r39801 - data/DSA
Author: mgilbert
Date: 2016-02-21 21:45:04 + (Sun, 21 Feb 2016)
New Revision: 39801
Modified: data/DSA/list
Log: chromium dsa

Modified: data/DSA/list === --- data/DSA/list 2016-02-21 21:10:12 UTC (rev 39800) +++ data/DSA/list 2016-02-21 21:45:04 UTC (rev 39801) @@ -1,3 +1,6 @@ +[21 Feb 2016] DSA-3486-1 chromium-browser - security update + {CVE-2016-1622 CVE-2016-1623 CVE-2016-1624 CVE-2016-1625 CVE-2016-1626 CVE-2016-1627 CVE-2016-1628 CVE-2016-1629} + [jessie] - chromium-browser 48.0.2564.116-1~deb8u1 [20 Feb 2016] DSA-3485-1 didiwiki - security update {CVE-2013-7448} [wheezy] - didiwiki 0.5-11+deb7u1
[Secure-testing-commits] r39800 - data/CVE
Author: sectracker
Date: 2016-02-21 21:10:12 + (Sun, 21 Feb 2016)
New Revision: 39800
Modified: data/CVE/list
Log: automatic update

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 15:16:55 UTC (rev 39799) +++ data/CVE/list 2016-02-21 21:10:12 UTC (rev 39800) @@ -5282,6 +5282,7 @@ RESERVED CVE-2016-0775 [Buffer overflow in FliDecode.c] RESERVED + {DLA-422-1} - pillow 3.1.1-1 (bug #813909) - python-imaging NOTE: https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec (3.1.1)
[Secure-testing-commits] r39798 - data
Author: carnil
Date: 2016-02-21 14:48:31 + (Sun, 21 Feb 2016)
New Revision: 39798
Modified: data/next-oldstable-point-update.txt
Log: Remove one entry for CVE-2015-0254, the upload for wheezy-pu never happened so far

Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2016-02-21 14:43:55 UTC (rev 39797) +++ data/next-oldstable-point-update.txt2016-02-21 14:48:31 UTC (rev 39798) @@ -13,8 +13,6 @@ [wheezy] - fso-gsmd 0.11.3-2+deb7u1 [wheezy] - fso-usaged 0.11.0-1+deb7u1 [wheezy] - phonefsod 0.1+git20110827-3+deb7u1 -CVE-2015-0254 - [wheezy] - jakarta-taglibs-standard 1.1.2-2+deb7u1 CVE-2015-3253 [wheezy] - groovy 1.8.6-1+deb7u1 CVE-2015-3206
[Secure-testing-commits] r39797 - data/CVE
Author: carnil
Date: 2016-02-21 14:43:55 + (Sun, 21 Feb 2016)
New Revision: 39797
Modified: data/CVE/list
Log: Reorganize one pillow entry

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 13:53:06 UTC (rev 39796) +++ data/CVE/list 2016-02-21 14:43:55 UTC (rev 39797) @@ -871,8 +871,8 @@ RESERVED CVE-2016- [Integer overflow in Resample.c] - pillow 3.1.1-1 + [jessie] - pillow - python-imaging - [jessie] - pillow [wheezy] - python-imaging [squeeze] - python-imaging NOTE: https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798
[Secure-testing-commits] r39796 - data/CVE
Author: apo-guest
Date: 2016-02-21 13:53:06 + (Sun, 21 Feb 2016)
New Revision: 39796
Modified: data/CVE/list
Log: Mark pillow, python-imaging prior version 2.7 as not-affected

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 13:27:52 UTC (rev 39795) +++ data/CVE/list 2016-02-21 13:53:06 UTC (rev 39796) @@ -872,10 +872,12 @@ CVE-2016- [Integer overflow in Resample.c] - pillow 3.1.1-1 - python-imaging + [jessie] - pillow + [wheezy] - python-imaging + [squeeze] - python-imaging NOTE: https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798 - NOTE: For jessie the vulnerable code seems to be in libImaging/Antialias.c instead, - NOTE: due to upstream commit bc0f896a47d7b2dcd6f9fc1fff88f6a25b248f8a renaming - NOTE: Antialias and stretch to resample. + NOTE: Upstream confirmed that versions prior 2.7 are not vulnerable. + NOTE: https://github.com/python-pillow/Pillow/issues/1737 CVE-2016- [AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data] - asterisk [jessie] - asterisk (Minor issue)
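Review bot: the three removed NOTE lines at -872 (jessie code living in libImaging/Antialias.c after rename commit bc0f896a47d7b2dcd6f9fc1fff88f6a25b248f8a) are dropped outright, although they tell a later triager where the equivalent code sits in the older trees. Keep a shortened form beside the new "versions prior 2.7 are not vulnerable" NOTE, or say in that NOTE whether the upstream confirmation covers the Antialias.c code, so the earlier analysis is not repeated.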
[Secure-testing-commits] r39795 - in data: . DLA
Author: apo-guest
Date: 2016-02-21 13:27:52 + (Sun, 21 Feb 2016)
New Revision: 39795
Modified: data/DLA/list data/dla-needed.txt
Log: Reserve DLA-422-1 for python-imaging

Modified: data/DLA/list === --- data/DLA/list 2016-02-21 11:18:02 UTC (rev 39794) +++ data/DLA/list 2016-02-21 13:27:52 UTC (rev 39795) @@ -1,3 +1,6 @@ +[21 Feb 2016] DLA-422-1 python-imaging - security update + {CVE-2016-0775} + [squeeze] - python-imaging 1.1.7-2+deb6u2 [20 Feb 2016] DLA-421-1 openssl - security update {CVE-2015-3197} [squeeze] - openssl 0.9.8o-4squeeze23 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-21 11:18:02 UTC (rev 39794) +++ data/dla-needed.txt 2016-02-21 13:27:52 UTC (rev 39795) @@ -58,8 +58,6 @@ php5 (Thorsten Alteholz) NOTE: next upload end of December -- -python-imaging (Markus Koschany) --- tiff -- xymon (Chris Lamb)
[Secure-testing-commits] r39794 - data/CVE
Author: jmm
Date: 2016-02-21 11:18:02 + (Sun, 21 Feb 2016)
New Revision: 39794
Modified: data/CVE/list
Log: fix up entries, see narrative introduction docs for details

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 09:29:16 UTC (rev 39793) +++ data/CVE/list 2016-02-21 11:18:02 UTC (rev 39794) @@ -7725,19 +7725,13 @@ [wheezy] - libraw (Vulnerable code not present) [squeeze] - libraw (Vulerable code not present) - dcraw (Vulerable code not present) - - kodi (Vulerable code not present) + - kodi (Vulnerable code not present) - darktable 2.0.0-1 [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present) [squeeze] - darktable (Vulnerable code not present) - - ufraw - [jessie] - ufraw (Vulnerable code not present) - [wheezy] - ufraw (Vulnerable code not present) - [squeeze] - ufraw (Vulnerable code not present) + - ufraw (Vulnerable code not present) - rawtherapee (Vulnerable code not present) - [jessie] - rawtherapee (Vulnerable code not present) - [wheezy] - rawtherapee (Vulnerable code not present) - [squeeze] - rawtherapee (Vulnerable code not present) - exactimage (Vulnerable code not present) - xbmc [jessie] - xbmc (Transitional dummy package)
@@ -7754,17 +7748,15 @@ - dcraw [wheezy] - dcraw (Vulnerable code not present) [squeeze] - dcraw (Vulnerable code not present) - - kodi (Vulerable code not present) + - kodi (Vulnerable code not present) - darktable 2.0.0-1 [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present) [squeeze] - darktable (Vulnerable code not present) - ufraw - [jessie] - ufraw [wheezy] - ufraw (Vulnerable code not present) [squeeze] - ufraw (Vulnerable code not present) - rawtherapee - [jessie] - rawtherapee [wheezy] - rawtherapee (Vulnerable code not present) [squeeze] - rawtherapee (Vulnerable code not present) - exactimage
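Review bot: the first hunk corrects "Vulerable" on the kodi line, but the two context lines just above it, "[squeeze] - libraw (Vulerable code not present)" and "- dcraw (Vulerable code not present)", keep the same misspelling. Fix those in the same commit so a search for "Vulnerable code not present" matches every line of the entry.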
[Secure-testing-commits] r39793 - data/CVE
Author: bam
Date: 2016-02-21 09:29:16 + (Sun, 21 Feb 2016)
New Revision: 39793
Modified: data/CVE/list
Log: kodi has same dcraw.c as xbmc so not affected

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 09:15:29 UTC (rev 39792) +++ data/CVE/list 2016-02-21 09:29:16 UTC (rev 39793) @@ -7725,7 +7725,7 @@ [wheezy] - libraw (Vulnerable code not present) [squeeze] - libraw (Vulerable code not present) - dcraw (Vulerable code not present) - - kodi + - kodi (Vulerable code not present) - darktable 2.0.0-1 [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present) @@ -7754,7 +7754,7 @@ - dcraw [wheezy] - dcraw (Vulnerable code not present) [squeeze] - dcraw (Vulnerable code not present) - - kodi + - kodi (Vulerable code not present) - darktable 2.0.0-1 [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present)
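Review bot: both added kodi lines spell the reason "Vulerable code not present"; it should read "Vulnerable code not present", as on the darktable lines in the same hunks. Since the reason is copied from the xbmc finding named in the log, a NOTE saying that kodi ships the same dcraw.c would also keep the justification in the file rather than only in the commit log.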
[Secure-testing-commits] r39792 - data/CVE
Author: bam
Date: 2016-02-21 09:15:29 + (Sun, 21 Feb 2016)
New Revision: 39792
Modified: data/CVE/list
Log: check xbmc; too old to be affected

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 08:52:27 UTC (rev 39791) +++ data/CVE/list 2016-02-21 09:15:29 UTC (rev 39792) @@ -7739,7 +7739,9 @@ [wheezy] - rawtherapee (Vulnerable code not present) [squeeze] - rawtherapee (Vulnerable code not present) - exactimage (Vulnerable code not present) - - xbmc + - xbmc + [jessie] - xbmc (Transitional dummy package) + [wheezy] - xbmc (Vulnerable code not present) NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/7b1430c76a19c93f3cc755bb2ff9bda0ba9b4082 (0.15.0) TODO: double check introducing commit and related packages @@ -7769,7 +7771,9 @@ [wheezy] - exactimage (Vulnerable code not present) [squeeze] - exactimage (Vulnerable code not present) NOTE: exactimage: smal_decode_segment inside dcraw.h not dcraw.c - - xbmc + - xbmc + [jessie] - xbmc (Transitional dummy package) + [wheezy] - xbmc (Vulnerable code not present) NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/cfe3ab8da7276fb339de770a3d1b7bfb212620b7 TODO: double check introducing commit and related packages
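Review bot: the new xbmc block in both hunks lists only "[jessie]" and "[wheezy]", while rawtherapee and exactimage in the same context also carry a "[squeeze]" line. If xbmc is not shipped in squeeze nothing is needed; otherwise add the squeeze line with its reason. The "TODO: double check introducing commit and related packages" line stays in both entries, so it would help to note under it that xbmc has now been checked.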
[Secure-testing-commits] r39791 - data/CVE
Author: bam
Date: 2016-02-21 08:52:27 + (Sun, 21 Feb 2016)
New Revision: 39791
Modified: data/CVE/list
Log: Add comment

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 08:51:41 UTC (rev 39790) +++ data/CVE/list 2016-02-21 08:52:27 UTC (rev 39791) @@ -7731,9 +7731,9 @@ [wheezy] - darktable (Vulnerable code not present) [squeeze] - darktable (Vulnerable code not present) - ufraw - [jessie] - ufraw - [wheezy] - ufraw - [squeeze] - ufraw + [jessie] - ufraw (Vulnerable code not present) + [wheezy] - ufraw (Vulnerable code not present) + [squeeze] - ufraw (Vulnerable code not present) - rawtherapee (Vulnerable code not present) [jessie] - rawtherapee (Vulnerable code not present) [wheezy] - rawtherapee (Vulnerable code not present) @@ -7759,8 +7759,8 @@ [squeeze] - darktable (Vulnerable code not present) - ufraw [jessie] - ufraw - [wheezy] - ufraw - [squeeze] - ufraw + [wheezy] - ufraw (Vulnerable code not present) + [squeeze] - ufraw (Vulnerable code not present) - rawtherapee [jessie] - rawtherapee [wheezy] - rawtherapee (Vulnerable code not present)
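Review bot: in the second hunk "[jessie] - ufraw" is left without a reason while the wheezy and squeeze lines below it gain "(Vulnerable code not present)". If jessie differs for this entry, record why in a NOTE; if it does not, add the same reason there. The log message "Add comment" would also be easier to find later if it named ufraw.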
[Secure-testing-commits] r39790 - data/CVE
Author: bam
Date: 2016-02-21 08:51:41 + (Sun, 21 Feb 2016)
New Revision: 39790
Modified: data/CVE/list
Log: Check rawtherapee

Modified: data/CVE/list === --- data/CVE/list 2016-02-21 08:12:04 UTC (rev 39789) +++ data/CVE/list 2016-02-21 08:51:41 UTC (rev 39790) @@ -7734,7 +7734,10 @@ [jessie] - ufraw [wheezy] - ufraw [squeeze] - ufraw - - rawtherapee + - rawtherapee (Vulnerable code not present) + [jessie] - rawtherapee (Vulnerable code not present) + [wheezy] - rawtherapee (Vulnerable code not present) + [squeeze] - rawtherapee (Vulnerable code not present) - exactimage (Vulnerable code not present) - xbmc NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 @@ -7758,7 +7761,10 @@ [jessie] - ufraw [wheezy] - ufraw [squeeze] - ufraw - - rawtherapee + - rawtherapee + [jessie] - rawtherapee + [wheezy] - rawtherapee (Vulnerable code not present) + [squeeze] - rawtherapee (Vulnerable code not present) - exactimage [wheezy] - exactimage (Vulnerable code not present) [squeeze] - exactimage (Vulnerable code not present)
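Review bot: in the first hunk the three added release lines repeat the reason already given on the "- rawtherapee (Vulnerable code not present)" line directly above them. If the status is the same for every release, the package line alone carries it and the "[jessie]", "[wheezy]" and "[squeeze]" lines can be dropped, as the exactimage line in the same hunk already does.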
[Secure-testing-commits] r39789 - data/CVE
Author: bam
Date: 2016-02-21 08:12:04 + (Sun, 21 Feb 2016)
New Revision: 39789
Modified: data/CVE/list
Log: Check ufraw

Modified: data/CVE/list === --- data/CVE/list 2016-02-20 21:10:14 UTC (rev 39788) +++ data/CVE/list 2016-02-21 08:12:04 UTC (rev 39789) @@ -7730,7 +7730,10 @@ [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present) [squeeze] - darktable (Vulnerable code not present) - - ufraw + - ufraw + [jessie] - ufraw + [wheezy] - ufraw + [squeeze] - ufraw - rawtherapee - exactimage (Vulnerable code not present) - xbmc @@ -7751,7 +7754,10 @@ [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present) [squeeze] - darktable (Vulnerable code not present) - - ufraw + - ufraw + [jessie] - ufraw + [wheezy] - ufraw + [squeeze] - ufraw - rawtherapee - exactimage [wheezy] - exactimage (Vulnerable code not present)