[Secure-testing-commits] r39827 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-23 06:10:58 + (Tue, 23 Feb 2016)
New Revision: 39827

Modified:
   data/CVE/list
Log:
Add first round of new tomcat issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-23 05:35:28 UTC (rev 39826)
+++ data/CVE/list   2016-02-23 06:10:58 UTC (rev 39827)
@@ -5557,6 +5557,11 @@
RESERVED
 CVE-2016-0714
RESERVED
+   - tomcat9  (bug #802312)
+   - tomcat8 8.0.32-1
+   - tomcat7 7.0.68-1
+   - tomcat6 
+   NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3
 CVE-2016-0713
RESERVED
 CVE-2016-0712
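Review bot: tomcat6 is added to the CVE-2016-0714 block without a fixed version, although the NOTE in the same hunk records 6.0.45 as the upstream fix; if 6.0.45 has not been uploaded yet, say so (a TODO or a pointer to the tomcat6 entry in dsa-needed), because an empty version otherwise reads as "no fix known".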
@@ -5573,6 +5578,11 @@
RESERVED
 CVE-2016-0706
RESERVED
+   - tomcat9  (bug #802312)
+   - tomcat8 8.0.32-1
+   - tomcat7 7.0.68-1
+   - tomcat6 
+   NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3
 CVE-2016-0705
RESERVED
- openssl 
@@ -16246,6 +16256,11 @@
NOT-FOR-US: Novius OS
 CVE-2015-5351
RESERVED
+   - tomcat9  (bug #802312)
+   - tomcat8 8.0.32-1
+   - tomcat7 7.0.68-1
+   - tomcat6 
+   NOTE: Fixed in 7.0.68, 8.0.32, 9.0.0.M3
 CVE-2015-5350
RESERVED
 CVE-2015-5349
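Review bot: for CVE-2015-5351 the NOTE lists fixes only in 7.0.68, 8.0.32 and 9.0.0.M3, yet a tomcat6 line is added with no version; either tomcat6 is not affected (then mark it so, with the reason) or the 6.x fix version is missing from the NOTE, and the two statements should agree before this lands.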
@@ -16960,6 +16975,10 @@
NOT-FOR-US: Apache CXF Fediz
 CVE-2015-5174
RESERVED
+   - tomcat8 8.0.28-1
+   - tomcat7 7.0.68-1
+   - tomcat6 
+   NOTE: Fixed in 6.0.45, 7.0.65, 8.0.27
 CVE-2015-5173
RESERVED
 CVE-2015-5172
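Review bot: for CVE-2015-5174 the Debian versions given (tomcat8 8.0.28-1, tomcat7 7.0.68-1) are later than the upstream fix releases in the NOTE (8.0.27, 7.0.65); that is fine if they are the first uploads containing the fix, but a short NOTE saying so prevents someone later "correcting" the version downwards. Unlike the three hunks above, no tomcat9 line is present; confirm the omission is intentional.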


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r39826 - data

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-23 05:35:28 + (Tue, 23 Feb 2016)
New Revision: 39826

Modified:
   data/dsa-needed.txt
Log:
Add and take samba

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-02-23 05:17:59 UTC (rev 39825)
+++ data/dsa-needed.txt 2016-02-23 05:35:28 UTC (rev 39826)
@@ -59,6 +59,8 @@
 --
 pillow (jmm)
 --
+samba (carnil)
+--
 smarty3
 --
 squid/oldstable




[Secure-testing-commits] r39825 - data

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-23 05:17:59 + (Tue, 23 Feb 2016)
New Revision: 39825

Modified:
   data/dsa-needed.txt
Log:
Add lighttpd/oldstable to DSA needed list, Markus Koschany prepared an update

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-02-23 05:12:29 UTC (rev 39824)
+++ data/dsa-needed.txt 2016-02-23 05:17:59 UTC (rev 39825)
@@ -39,6 +39,9 @@
   https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
   Help is needed to fix it so that it doesn't FTBFS
 --
+lighttpd/oldstable
+  Markus Koschany prepared a debdiff
+--
 linux
   Wait until more severe issues have accumulated
 --
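Review bot: the lighttpd/oldstable entry says a debdiff exists but gives no location, while the libidn entry directly above links its diff (https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff); add the URL or a bug reference so the next person can pick it up without asking.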




[Secure-testing-commits] r39824 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-23 05:12:29 + (Tue, 23 Feb 2016)
New Revision: 39824

Modified:
   data/CVE/list
Log:
Add CVE request reference for one php issue

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 23:29:33 UTC (rev 39823)
+++ data/CVE/list   2016-02-23 05:12:29 UTC (rev 39824)
@@ -529,6 +529,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305543
NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=07c7df68bd68bbe706371fccc77c814ebb335d9e
NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/22/5
 CVE-2016- [Crash in SessionHandler::read()]
- php5 
- php5.6 5.6.18+dfsg-1




[Secure-testing-commits] r39823 - data/CVE

2016-02-22 Thread Brian May
Author: bam
Date: 2016-02-22 23:29:33 + (Mon, 22 Feb 2016)
New Revision: 39823

Modified:
   data/CVE/list
Log:
Add link to latest CVE request; imagemagick issues


Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 22:42:40 UTC (rev 39822)
+++ data/CVE/list   2016-02-22 23:29:33 UTC (rev 39823)
@@ -1958,7 +1958,7 @@
NOTE: fawour of the C version.
 CVE-2016- [Multiple minor security issues]
- imagemagick 8:6.8.9.9-7 (bug #811308)
-   TODO: check, needs possibly CVEs
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/22/4
 CVE-2016-1925 [Improper handling of length parameter inconsitency]
RESERVED
- lha  (unimportant)
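Review bot: replacing "TODO: check, needs possibly CVEs" with the CVE Request note leaves the "CVE-2016-" placeholder entry with no open TODO, which is consistent with the other imagemagick entries in this patch; the context line "NOTE: fawour of the C version." just above carries a typo ("favour") that could be fixed in the same pass.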
@@ -9858,6 +9858,7 @@
NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/10/07/2
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/22/4
 CVE-2015- [Double free in coders/tga.c:221]
- imagemagick 8:6.8.9.9-6 (bug #806442; bug #799524)
[jessie] - imagemagick  (Can't reproduce crash with file)
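Review bot: this entry now carries two "CVE Request:" notes (2015/10/07/2 and 2016/02/22/4) with nothing to say that the second supersedes the first; label the new one as a re-request or put both on one line so the history reads clearly, and do the same for the two entries below that receive the identical addition.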
@@ -9866,6 +9867,7 @@
NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4f68e9661518463fca523c9726bb5d940a2aa6d8
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/10/07/2
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/22/4
NOTE: The problem can only be triggered with recent versions of 
ImageMagick (8:6.9.1.2-1 in experimental is vulnerable, 8:6.8.9.9-6 in sid is 
not vulnerable, older versions are not vulnerable)
 CVE-2015- [Integer and Buffer overflow in coders/icon.c]
- imagemagick 8:6.8.9.9-7 (bug #806441)
@@ -9876,6 +9878,7 @@
NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/10/07/2
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/22/4
NOTE: The issue is only exploitable on 32 bit architectures.
 CVE-2015- [EncryptedType uses static IV per key]
- python-sqlalchemy-utils 




[Secure-testing-commits] r39822 - data

2016-02-22 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-02-22 22:42:40 + (Mon, 22 Feb 2016)
New Revision: 39822

Modified:
   data/next-oldstable-point-update.txt
Log:
drop ospu fixes, no activity and unblock bug got closed by jcristau


Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2016-02-22 21:25:34 UTC (rev 
39821)
+++ data/next-oldstable-point-update.txt2016-02-22 22:42:40 UTC (rev 
39822)
@@ -6,13 +6,6 @@
[wheezy] - boinc 7.0.27+dfsg-5+deb7u1
 CVE-2013-7386
[wheezy] - boinc 7.0.27+dfsg-5+deb7u1
-CVE-2014-8156
-   [wheezy] - fso-datad 0.11.0-1+deb7u1
-   [wheezy] - fso-deviced 0.11.4-1+deb7u1
-   [wheezy] - fso-frameworkd 0.9.5.9+git20110512-4+deb7u1
-   [wheezy] - fso-gsmd 0.11.3-2+deb7u1
-   [wheezy] - fso-usaged 0.11.0-1+deb7u1
-   [wheezy] - phonefsod 0.1+git20110827-3+deb7u1
 CVE-2015-3253
[wheezy] - groovy 1.8.6-1+deb7u1
 CVE-2015-3206
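Review bot: the seven CVE-2014-8156 fso-*/phonefsod wheezy lines are dropped from the point-update list with only the commit message explaining why; the CVE list entry for CVE-2014-8156 should gain a matching wheezy annotation with the reason, otherwise the issue resurfaces as unfixed in wheezy once these pending versions are gone from this file.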




[Secure-testing-commits] r39821 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 21:25:34 + (Mon, 22 Feb 2016)
New Revision: 39821

Modified:
   data/CVE/list
Log:
overlayfs only in unstable, marking as not-affected for jessie and below

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 21:17:46 UTC (rev 39820)
+++ data/CVE/list   2016-02-22 21:25:34 UTC (rev 39821)
@@ -2787,17 +2787,19 @@
 CVE-2016-1576
RESERVED
- linux 
-   - linux-2.6 
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
+   - linux-2.6  (Vulnerable code not present)
NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150
NOTE: 
http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
-   TODO: check
 CVE-2016-1575
RESERVED
- linux 
-   - linux-2.6 
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
+   - linux-2.6  (Vulnerable code not present)
NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961
NOTE: 
http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/
-   TODO: check
 CVE-2016-1574
RESERVED
 CVE-2016-1573
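Review bot: the rendered lines "- linux-2.6  (Vulnerable code not present)" show a double space before the parenthesis where the tracker's status keyword would sit; confirm the committed lines carry it, since the comment alone does not mark the package as not affected. Leaving "- linux" without a version is correct per the log (overlayfs only in unstable), but a NOTE naming the kernel version that first shipped overlayfs would make the jessie/wheezy verdict verifiable.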




[Secure-testing-commits] r39820 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 21:17:46 + (Mon, 22 Feb 2016)
New Revision: 39820

Modified:
   data/CVE/list
Log:
Add initial templates for CVE-2016-157{5,6}/linux

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 21:10:12 UTC (rev 39819)
+++ data/CVE/list   2016-02-22 21:17:46 UTC (rev 39820)
@@ -2786,8 +2786,18 @@
RESERVED
 CVE-2016-1576
RESERVED
+   - linux 
+   - linux-2.6 
+   NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150
+   NOTE: 
http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
+   TODO: check
 CVE-2016-1575
RESERVED
+   - linux 
+   - linux-2.6 
+   NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961
+   NOTE: 
http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/
+   TODO: check
 CVE-2016-1574
RESERVED
 CVE-2016-1573




[Secure-testing-commits] r39819 - data/CVE

2016-02-22 Thread security tracker role
Author: sectracker
Date: 2016-02-22 21:10:12 + (Mon, 22 Feb 2016)
New Revision: 39819

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 19:54:00 UTC (rev 39818)
+++ data/CVE/list   2016-02-22 21:10:12 UTC (rev 39819)
@@ -1,3 +1,43 @@
+CVE-2016-2532
+   RESERVED
+CVE-2016-2531
+   RESERVED
+CVE-2016-2530
+   RESERVED
+CVE-2016-2529
+   RESERVED
+CVE-2016-2528
+   RESERVED
+CVE-2016-2527
+   RESERVED
+CVE-2016-2526
+   RESERVED
+CVE-2016-2525
+   RESERVED
+CVE-2016-2524
+   RESERVED
+CVE-2016-2523
+   RESERVED
+CVE-2016-2522
+   RESERVED
+CVE-2016-2521
+   RESERVED
+CVE-2016-2520
+   RESERVED
+CVE-2016-2519
+   RESERVED
+CVE-2016-2518
+   RESERVED
+CVE-2016-2517
+   RESERVED
+CVE-2016-2516
+   RESERVED
+CVE-2016-2514
+   RESERVED
+CVE-2016-2513
+   RESERVED
+CVE-2016-2512
+   RESERVED
 CVE-2016- [usb: integer overflow in remote NDIS control message handling]
- qemu 
- qemu-kvm 
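Review bot: the inserted RESERVED run goes from CVE-2016-2532 down to CVE-2016-2512 but skips 2515 and 2511 (handled in the next hunk) and also 2510, which appears nowhere in this diff; check whether CVE-2016-2510 already exists elsewhere in the file or was missed by the automatic import.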
@@ -6,8 +46,10 @@
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/22/3
TODO: check versions
 CVE-2016-2515
+   RESERVED
NOT-FOR-US: NodeJS Hawk
 CVE-2016-2511 [Reflected Cross-Site Scripting]
+   RESERVED
- websvn 
 CVE-2016-2509 (The password-sync feature on Belden Hirschmann Classic Platform 
...)
NOT-FOR-US: Belden Hirschmann Classic Platform switches
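Review bot: RESERVED is inserted above entries that already have a disposition (NOT-FOR-US for CVE-2016-2515, a websvn package line for CVE-2016-2511); harmless for the tracker, but these lines go stale the moment MITRE publishes the description, so the automatic update should drop them when it writes the description, as the hunk further down does for CVE-2016-2275.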
@@ -224,7 +266,8 @@
 CVE-2016-2403
RESERVED
 CVE-2013-7448 [path traversal vulnerability]
-   {DSA-3485-1}
+   RESERVED
+   {DSA-3485-1 DLA-424-1}
- didiwiki 0.5-12 (bug #815111)
NOTE: https://github.com/OpenedHand/didiwiki/pull/1/files
NOTE: http://www.openwall.com/lists/oss-security/2016/02/19/4
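Review bot: a RESERVED line is added to CVE-2013-7448, an entry that already references DSA-3485-1 and now DLA-424-1; a 2013 identifier that has been fixed and announced is not "reserved" in any useful sense, so this looks like the importer mirroring MITRE state without looking at the entry. Consider suppressing RESERVED when an entry already carries advisory references.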
@@ -640,22 +683,20 @@
RESERVED
 CVE-2016-2276
RESERVED
-CVE-2016-2275
-   RESERVED
+CVE-2016-2275 (The web interface on Advantech/B+B SmartWorx VESP211-EU devices 
with ...)
+   TODO: check
 CVE-2016-2274
RESERVED
 CVE-2016-2273
RESERVED
 CVE-2016-2272
RESERVED
-CVE-2016-2271 [XSA-170: VMX: guest user mode may crash guest with 
non-canonical RIP]
-   RESERVED
+CVE-2016-2271 (VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, 
allows ...)
- xen 
[squeeze] - xen  (Unsupported in Squeeze LTS)
NOTE: http://xenbits.xen.org/xsa/advisory-170.html
TODO: check
-CVE-2016-2270 [XSA-154: x86: inconsistent cachability flags on guest mappings]
-   RESERVED
+CVE-2016-2270 (Xen 4.6.x and earlier allows local guest administrators to 
cause a ...)
- xen 
[squeeze] - xen  (Unsupported in Squeeze LTS)
NOTE: http://xenbits.xen.org/xsa/advisory-154.html
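Review bot: the hand-written titles "[XSA-170: VMX: guest user mode may crash guest with non-canonical RIP]" and "[XSA-154: x86: inconsistent cachability flags on guest mappings]" are overwritten by the truncated MITRE descriptions, so the XSA number now survives only inside the NOTE URL; keeping the "TODO: check" lines on both xen entries is right, since the affected Debian versions still need confirming.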
@@ -1206,6 +1247,7 @@
NOTE: 
https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html
NOTE: 
https://github.com/Matroska-Org/libebml/commit/ababb64e0c792ad2a314245233db0833ba12036b
 CVE-2016-2533 [Buffer overflow in Python-Pillow and PIL]
+   {DLA-422-1}
- pillow 3.1.1-1
- python-imaging 
NOTE: https://github.com/python-pillow/Pillow/pull/1706
@@ -1449,45 +1491,37 @@
NOTE: 
https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/
 CVE-2016-2046 (Cross-site scripting (XSS) vulnerability in the Nessus Web UI 
in ...)
TODO: check
-CVE-2016-2045
-   RESERVED
+CVE-2016-2045 (Cross-site scripting (XSS) vulnerability in the SQL editor in 
...)
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin  (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-9/
-CVE-2016-2044
-   RESERVED
+CVE-2016-2044 (libraries/sql-parser/autoload.php in the SQL parser in 
phpMyAdmin ...)
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin  (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-8/
-CVE-2016-2043
-   RESERVED
+CVE-2016-2043 (Cross-site scripting (XSS) vulnerability in the goToFinish1NF 
function ...)
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin  (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-7/
-CVE-2016-2042
-   RESERVED
+CVE-2016-2042 (phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows 
remote ...)
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin  (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-6/
-CVE-2016-2041
-   RESERVED
+CVE-2016-2041 (libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 
4.4.x ...)
{DLA-406-1}
- phpmyadmin 4:4.5.4-1
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-5/
NOTE: 
https://github.com/phpmyadmin/phpmyadmin/commit/fe62b69a5b032de8e1d9d0a04456c1cecf46428c
-CVE-2016-2040
-   RESERVED
+CVE-2016-2040 

[Secure-testing-commits] r39818 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 19:54:00 + (Mon, 22 Feb 2016)
New Revision: 39818

Modified:
   data/CVE/list
Log:
Mark CVE-2016-2509 as NFU

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 19:48:46 UTC (rev 39817)
+++ data/CVE/list   2016-02-22 19:54:00 UTC (rev 39818)
@@ -10,7 +10,7 @@
 CVE-2016-2511 [Reflected Cross-Site Scripting]
- websvn 
 CVE-2016-2509 (The password-sync feature on Belden Hirschmann Classic Platform 
...)
-   TODO: check
+   NOT-FOR-US: Belden Hirschmann Classic Platform switches
 CVE-2016-2508
RESERVED
 CVE-2016-2507




[Secure-testing-commits] r39817 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 19:48:46 + (Mon, 22 Feb 2016)
New Revision: 39817

Modified:
   data/CVE/list
Log:
CVE-2016-2312/plasma-workspace fixed in unstable, #814355

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 19:03:10 UTC (rev 39816)
+++ data/CVE/list   2016-02-22 19:48:46 UTC (rev 39817)
@@ -737,7 +737,7 @@
NOTE: Issue might be disputed, see maintainers comment in 
https://bugs.debian.org/814353#10
 CVE-2016-2312 [KDE lockscreen bypass by switching display off and on]
RESERVED
-   - plasma-workspace  (bug #814355)
+   - plasma-workspace 4:5.4.3-2 (bug #814355)
NOTE: Affects plasma-workspace < 5.5.0, kscreenlocker < 5.5.5
NOTE: kscreenlocker is only in experimental
NOTE: https://www.kde.org/info/security/advisory-20160209-1.txt
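Review bot: the fixed version 4:5.4.3-2 is below the affected range stated in the NOTE ("Affects plasma-workspace < 5.5.0"), so the fix must be a backported patch; record the upstream commit or the debian/patches name in a NOTE so the version claim can be checked later.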




[Secure-testing-commits] r39816 - in data: . DLA

2016-02-22 Thread Thorsten Alteholz
Author: alteholz
Date: 2016-02-22 19:03:10 + (Mon, 22 Feb 2016)
New Revision: 39816

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-424-1 for didiwiki

Modified: data/DLA/list
===
--- data/DLA/list   2016-02-22 19:02:07 UTC (rev 39815)
+++ data/DLA/list   2016-02-22 19:03:10 UTC (rev 39816)
@@ -1,3 +1,6 @@
+[22 Feb 2016] DLA-424-1 didiwiki - security update
+   {CVE-2013-7448}
+   [squeeze] - didiwiki 0.5-9+deb6u1
 [22 Feb 2016] DLA-423-1 krb5 - security update
{CVE-2015-8629 CVE-2015-8631}
[squeeze] - krb5 1.8.3+dfsg-4squeeze11

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-02-22 19:02:07 UTC (rev 39815)
+++ data/dla-needed.txt 2016-02-22 19:03:10 UTC (rev 39816)
@@ -21,8 +21,6 @@
   NOTE: marked as no-dsa in wheezy as too intrusive to backport
   NOTE: should we have the resources to handle it we should fix wheezy too.
 --
-didiwiki
---
 dwarfutils
   NOTE: 20160123, no CVE assigned yet, no fix availabe yet
 --




[Secure-testing-commits] r39815 - in data: . DLA

2016-02-22 Thread Thorsten Alteholz
Author: alteholz
Date: 2016-02-22 19:02:07 + (Mon, 22 Feb 2016)
New Revision: 39815

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-423-1 for krb5

Modified: data/DLA/list
===
--- data/DLA/list   2016-02-22 17:19:53 UTC (rev 39814)
+++ data/DLA/list   2016-02-22 19:02:07 UTC (rev 39815)
@@ -1,3 +1,6 @@
+[22 Feb 2016] DLA-423-1 krb5 - security update
+   {CVE-2015-8629 CVE-2015-8631}
+   [squeeze] - krb5 1.8.3+dfsg-4squeeze11
 [21 Feb 2016] DLA-422-1 python-imaging - security update
{CVE-2016-0775 CVE-2016-2533}
[squeeze] - python-imaging 1.1.7-2+deb6u2

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-02-22 17:19:53 UTC (rev 39814)
+++ data/dla-needed.txt 2016-02-22 19:02:07 UTC (rev 39815)
@@ -40,8 +40,6 @@
 --
 jasper (Ben Hutchings)
 --
-krb5 (Thorsten Alteholz)
---
 libebml (Damyan Ivanov)
 --
 libxml2




[Secure-testing-commits] r39814 - data

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 17:19:53 + (Mon, 22 Feb 2016)
New Revision: 39814

Modified:
   data/dsa-needed.txt
Log:
Add name for websvn

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-02-22 17:19:22 UTC (rev 39813)
+++ data/dsa-needed.txt 2016-02-22 17:19:53 UTC (rev 39814)
@@ -71,7 +71,7 @@
 --
 tomcat6
 --
-websvn
+websvn (seb)
 --
 wireshark
 --




[Secure-testing-commits] r39813 - data

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 17:19:22 + (Mon, 22 Feb 2016)
New Revision: 39813

Modified:
   data/dsa-needed.txt
Log:
Add websvn to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-02-22 17:19:20 UTC (rev 39812)
+++ data/dsa-needed.txt 2016-02-22 17:19:22 UTC (rev 39813)
@@ -71,6 +71,8 @@
 --
 tomcat6
 --
+websvn
+--
 wireshark
 --
 xymon (seb)




[Secure-testing-commits] r39812 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 17:19:20 + (Mon, 22 Feb 2016)
New Revision: 39812

Modified:
   data/CVE/list
Log:
Add websvn issue

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 17:16:53 UTC (rev 39811)
+++ data/CVE/list   2016-02-22 17:19:20 UTC (rev 39812)
@@ -7,6 +7,8 @@
TODO: check versions
 CVE-2016-2515
NOT-FOR-US: NodeJS Hawk
+CVE-2016-2511 [Reflected Cross-Site Scripting]
+   - websvn 
 CVE-2016-2509 (The password-sync feature on Belden Hirschmann Classic Platform 
...)
TODO: check
 CVE-2016-2508
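Review bot: the new CVE-2016-2511 websvn entry carries no NOTE pointing at the report or fix, unlike the qemu entry above it which links the patch, the bugzilla and the CVE request; add the reference (advisory, bug or upstream commit) so the "Reflected Cross-Site Scripting" title can be verified and a fixed version established.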




[Secure-testing-commits] r39811 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 17:16:53 + (Mon, 22 Feb 2016)
New Revision: 39811

Modified:
   data/CVE/list
Log:
Add new qemu issue

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 14:47:08 UTC (rev 39810)
+++ data/CVE/list   2016-02-22 17:16:53 UTC (rev 39811)
@@ -1,3 +1,10 @@
+CVE-2016- [usb: integer overflow in remote NDIS control message handling]
+   - qemu 
+   - qemu-kvm 
+   NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03658.html
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303120
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/22/3
+   TODO: check versions
 CVE-2016-2515
NOT-FOR-US: NodeJS Hawk
 CVE-2016-2509 (The password-sync feature on Belden Hirschmann Classic Platform 
...)




[Secure-testing-commits] r39810 - data/CVE

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 14:47:08 + (Mon, 22 Feb 2016)
New Revision: 39810

Modified:
   data/CVE/list
Log:
Adjust entries added for gtk+2.0 and add note

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 14:06:38 UTC (rev 39809)
+++ data/CVE/list   2016-02-22 14:47:08 UTC (rev 39810)
@@ -10148,17 +10148,19 @@
 CVE-2015-7673 (io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its 
...)
{DSA-3378-1}
- gdk-pixbuf 2.32.0-1
-   [squeeze] - gtk+2.0 
+   - gtk+2.0 2.21.5-1
NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/3
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e
+   NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and 
build-depends on external gdk-pixbuf
 CVE-2015-7674 (Integer overflow in the pixops_scale_nearest function in ...)
{DSA-3378-1}
- gdk-pixbuf 2.32.1-1
-   [squeeze] - gtk+2.0 
+   - gtk+2.0 2.21.5-1
NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/4
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa
+   NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and 
build-depends on external gdk-pixbuf
 CVE-2015- [trivial hash complexity DoS attack]
- php5  (bug #800564)
[jessie] - php5  (Too intrusive to backport)
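Review bot: "- gtk+2.0 2.21.5-1" records where the embedded gdk-pixbuf copy was removed, not a security fix, and the NOTE says as much; the consequence is that squeeze's gtk+2.0 still carries the vulnerable code and is now shown as unfixed, which matches gtk+2.0 being claimed in dla-needed in r39809. A short "needs a separate DLA for squeeze" in the NOTE would spare the next reader deriving this.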
@@ -18795,12 +18797,13 @@
 CVE-2015-4491 (Integer overflow in the make_filter_table function in 
pixops/pixops.c ...)
{DSA-3337-2 DSA-3337-1}
- gdk-pixbuf 2.31.7-1
-   [squeeze] - gtk+2.0 
+   - gtk+2.0 2.21.5-1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=752297
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=ffec86ed5010c5a2be14f47b33bcf4ed3169a199
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=8dba67cb4f38d62a47757741ad41e3f245b4a32a
NOTE: http://www.openwall.com/lists/oss-security/2015/07/17/17
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
+   NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and 
build-depends on external gdk-pixbuf
 CVE-2015-4490 (The nsCSPHostSrc::permits function in 
dom/security/nsCSPUtils.cpp in ...)
- iceweasel  (Only affects Firefox 39)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-91




[Secure-testing-commits] r39809 - data

2016-02-22 Thread Santiago Ruano Rincón
Author: santiago
Date: 2016-02-22 14:06:38 + (Mon, 22 Feb 2016)
New Revision: 39809

Modified:
   data/dla-needed.txt
Log:
Add gtk+2.0 to dla-needed and claim it

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-02-22 14:03:33 UTC (rev 39808)
+++ data/dla-needed.txt 2016-02-22 14:06:38 UTC (rev 39809)
@@ -29,6 +29,8 @@
 graphicsmagick
   NOTE: CVE-2016-231{8,9} don't have upstream fixes but we crash on the 
exploits
 --
+gtk+2.0 (Santiago R.R.)
+--
 icu
   NOTE: check comments on CVE-2016-0494 as well
   NOTE: tentative package for icu 
https://lists.debian.org/debian-lts/2016/01/msg00133.html




[Secure-testing-commits] r39808 - data/CVE

2016-02-22 Thread Santiago Ruano Rincón
Author: santiago
Date: 2016-02-22 14:03:33 + (Mon, 22 Feb 2016)
New Revision: 39808

Modified:
   data/CVE/list
Log:
CVE-2015-4491, CVE-2015-7673, CVE-2015-7674: gdk-pixbuf code was part of 
gtk+2.0 in squeeze

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 13:50:15 UTC (rev 39807)
+++ data/CVE/list   2016-02-22 14:03:33 UTC (rev 39808)
@@ -10148,6 +10148,7 @@
 CVE-2015-7673 (io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its 
...)
{DSA-3378-1}
- gdk-pixbuf 2.32.0-1
+   [squeeze] - gtk+2.0 
NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/3
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
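Review bot: "[squeeze] - gtk+2.0" is added as a release-specific line without a base "- gtk+2.0" line for the source package; the tracker expects the unversioned package line first, and r39810 on this page indeed restructures all three entries that way.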
@@ -10155,6 +10156,7 @@
 CVE-2015-7674 (Integer overflow in the pixops_scale_nearest function in ...)
{DSA-3378-1}
- gdk-pixbuf 2.32.1-1
+   [squeeze] - gtk+2.0 
NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/4
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa
 CVE-2015- [trivial hash complexity DoS attack]
@@ -18793,6 +18795,7 @@
 CVE-2015-4491 (Integer overflow in the make_filter_table function in 
pixops/pixops.c ...)
{DSA-3337-2 DSA-3337-1}
- gdk-pixbuf 2.31.7-1
+   [squeeze] - gtk+2.0 
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=752297
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=ffec86ed5010c5a2be14f47b33bcf4ed3169a199
NOTE: 
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=8dba67cb4f38d62a47757741ad41e3f245b4a32a




[Secure-testing-commits] r39807 - in data: CVE DLA

2016-02-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-02-22 13:50:15 + (Mon, 22 Feb 2016)
New Revision: 39807

Modified:
   data/CVE/list
   data/DLA/list
Log:
CVE-2016-2533 assigned for one pillow issue

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 12:54:25 UTC (rev 39806)
+++ data/CVE/list   2016-02-22 13:50:15 UTC (rev 39807)
@@ -1196,13 +1196,11 @@
- libebml 1.3.3-1
NOTE: 
https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html
NOTE: 
https://github.com/Matroska-Org/libebml/commit/ababb64e0c792ad2a314245233db0833ba12036b
-CVE-2016- [Buffer overflow in Python-Pillow and PIL]
+CVE-2016-2533 [Buffer overflow in Python-Pillow and PIL]
- pillow 3.1.1-1
- python-imaging 
-   [squeeze] - python-imaging 1.1.7-2+deb6u2
-   NOTE: workaround entry for DLA-422-1 until/if CVE assigned
NOTE: https://github.com/python-pillow/Pillow/pull/1706
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/02/02/5
+   NOTE: http://www.openwall.com/lists/oss-security/2016/02/02/5
NOTE: 
https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
 CVE-2016-2221 [open redirect vulnerability]
RESERVED
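Review bot: dropping "[squeeze] - python-imaging 1.1.7-2+deb6u2" from the CVE entry is only safe together with the DLA/list change below that adds CVE-2016-2533 to DLA-422-1, since the squeeze fixed version is then derived from the DLA; both hunks belong in the same commit, as they are here. Turning "CVE Request:" into a plain URL once the id is assigned is the right cleanup.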

Modified: data/DLA/list
===
--- data/DLA/list   2016-02-22 12:54:25 UTC (rev 39806)
+++ data/DLA/list   2016-02-22 13:50:15 UTC (rev 39807)
@@ -1,5 +1,5 @@
 [21 Feb 2016] DLA-422-1 python-imaging - security update
-   {CVE-2016-0775}
+   {CVE-2016-0775 CVE-2016-2533}
[squeeze] - python-imaging 1.1.7-2+deb6u2
 [20 Feb 2016] DLA-421-1 openssl - security update
{CVE-2015-3197}




[Secure-testing-commits] r39806 - data

2016-02-22 Thread Markus Koschany
Author: apo-guest
Date: 2016-02-22 12:54:25 + (Mon, 22 Feb 2016)
New Revision: 39806

Modified:
   data/dla-needed.txt
Log:
Claim bsh in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-02-22 12:16:22 UTC (rev 39805)
+++ data/dla-needed.txt 2016-02-22 12:54:25 UTC (rev 39806)
@@ -9,7 +9,7 @@
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
-bsh
+bsh (Markus Koschany)
 --
 cacti
   NOTE: Issue being disputed, check 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814353#10




[Secure-testing-commits] r39805 - data/CVE

2016-02-22 Thread Paul Wise
Author: pabs
Date: 2016-02-22 12:16:22 + (Mon, 22 Feb 2016)
New Revision: 39805

Modified:
   data/CVE/list
Log:
Add a blog post about CVE-2016-2384 - Linux usb-midi issue

Suggested-by: ewew on #debian-security

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 09:10:17 UTC (rev 39804)
+++ data/CVE/list   2016-02-22 12:16:22 UTC (rev 39805)
@@ -404,6 +404,7 @@
- linux-2.6 
NOTE: Fixed by: 
https://git.kernel.org/linus/07d86ca93db7e5cdf4743564d98292042ec21af7 (v4.5-rc4)
NOTE: http://www.openwall.com/lists/oss-security/2016/02/14/2
+   NOTE: https://xairy.github.io/blog/2016/cve-2016-2384
 CVE-2016-2383 [Incorrect branch fixups for eBPF allow arbitrary read]
RESERVED
- linux 4.4.2-1




[Secure-testing-commits] r39804 - data/CVE

2016-02-22 Thread security tracker role
Author: sectracker
Date: 2016-02-22 09:10:17 + (Mon, 22 Feb 2016)
New Revision: 39804

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-02-22 05:17:15 UTC (rev 39803)
+++ data/CVE/list   2016-02-22 09:10:17 UTC (rev 39804)
@@ -2587,36 +2587,44 @@
RESERVED
 CVE-2016-1629
RESERVED
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2016-1628
RESERVED
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2016-1627 (The Developer Tools (aka DevTools) subsystem in Google Chrome 
before ...)
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2016-1626 (The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as 
used in ...)
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2016-1625 (The Chrome Instant feature in Google Chrome before 
48.0.2564.109 does ...)
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2016-1624 (Integer underflow in the ProcessCommandsInternal function in 
...)
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
- brotli 
 CVE-2016-1623 (The DOM implementation in Google Chrome before 48.0.2564.109 
does not ...)
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2016-1622 (The Extensions subsystem in Google Chrome before 48.0.2564.109 
does ...)
+   {DSA-3486-1}
- chromium-browser 48.0.2564.116-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
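Review bot: {DSA-3486-1} is added to CVE-2016-1624, which also lists "- brotli" without a version; the DSA reference sits on the CVE entry rather than on the chromium line, so make sure nothing reads it as covering brotli, which stays open here.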

