[Secure-testing-commits] r40655 - data
Author: pabs Date: 2016-03-30 06:10:48 + (Wed, 30 Mar 2016) New Revision: 40655 Modified: data/embedded-code-copies Log: Document gzstream embedded code copies Reported-in: <20160329200151.ga7...@jwilk.net> Modified: data/embedded-code-copies === --- data/embedded-code-copies 2016-03-30 05:42:20 UTC (rev 40654) +++ data/embedded-code-copies 2016-03-30 06:10:48 UTC (rev 40655) @@ -2994,3 +2994,22 @@ - wolfssl (modified-embed) - sks-ecc (embed) NOTE: there are probably more + +gzstream (not packaged in Debian: http://www.cs.unc.edu/Research/compgeom/gzstream/) + - k3d (embed) + - freecad (embed) + - lyx (embed) + - texlive-bin (embed) + - iqtree (embed) + - paraview (embed) + - sga (embed) + - vtk6 (embed) + - filo (embed) + - bedtools (embed) + - freefoam (embed) + - tulip (embed) + - xdmf (embed) + - ticcutils (embed) + - spades (embed) + - ossim (embed) + - gnudatalanguage (embed) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40653 - data/CVE
Author: carnil Date: 2016-03-30 05:03:44 + (Wed, 30 Mar 2016) New Revision: 40653 Modified: data/CVE/list Log: CVE-2016-0636/openjdk-8 fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2016-03-30 05:01:38 UTC (rev 40652) +++ data/CVE/list 2016-03-30 05:03:44 UTC (rev 40653) @@ -9511,7 +9511,7 @@ CVE-2016-0637 RESERVED CVE-2016-0636 (Unspecified vulnerability in Oracle Java SE 7u97, 8u73, and 8u74 ...) - - openjdk-8 + - openjdk-8 8u77-b03-1 [experimental] - openjdk-7 7u95-2.6.4-3 - openjdk-7 - openjdk-6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
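Review bot: the log says CVE-2016-0636 is "fixed in unstable", but the replaced line records the fix as "- openjdk-8 8u77-b03-1 [experimental]", which marks an upload to experimental rather than to sid; either the unstable entry still needs its own fixed version, or the log message should say experimental so the two agree.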
[Secure-testing-commits] r40652 - data/CVE
Author: carnil Date: 2016-03-30 05:01:38 + (Wed, 30 Mar 2016) New Revision: 40652 Modified: data/CVE/list Log: CVE-2015-5621/net-snmp, #788964, fixed in unstable with NMU upload Modified: data/CVE/list === --- data/CVE/list 2016-03-30 04:59:13 UTC (rev 40651) +++ data/CVE/list 2016-03-30 05:01:38 UTC (rev 40652) @@ -26920,7 +26920,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/4 NOTE: Patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=ppp_2.4.6-3.1-nmu.diff;att=1;bug=782450 CVE-2015-5621 (The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and ...) - - net-snmp (bug #788964) + - net-snmp 5.7.3+dfsg-1.1 (bug #788964) [jessie] - net-snmp (Minor issue) [wheezy] - net-snmp (Minor issue) [squeeze] - net-snmp (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40651 - data/CVE
Author: carnil Date: 2016-03-30 04:59:13 + (Wed, 30 Mar 2016) New Revision: 40651 Modified: data/CVE/list Log: Some asterisk issues fixed in unstable with recent update Modified: data/CVE/list === --- data/CVE/list 2016-03-30 04:51:07 UTC (rev 40650) +++ data/CVE/list 2016-03-30 04:59:13 UTC (rev 40651) @@ -4036,7 +4036,7 @@ NOTE: Upstream confirmed that versions prior 2.7 are not vulnerable. NOTE: https://github.com/python-pillow/Pillow/issues/1737 CVE-2016-2232 (Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before ...) - - asterisk + - asterisk 1:13.7.2~dfsg-1 [jessie] - asterisk (Minor issue) [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) @@ -4046,7 +4046,7 @@ NOTE: patch for 11 / jessie: https://code.asterisk.org/code/changelog/asterisk?cs=da2573a3779425654543d6ac4c4dd6871ce16720 NOTE: all versions vulnerable, backport required for wheezy CVE-2016-2316 (chan_sip in Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and ...) - - asterisk + - asterisk 1:13.7.2~dfsg-1 [jessie] - asterisk (Minor issue) [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) @@ -26945,7 +26945,7 @@ NOTE: Patch: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/5 CVE-2015-3008 (Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x ...) - - asterisk (bug #782411) + - asterisk 1:13.7.2~dfsg-1 (bug #782411) [squeeze] - asterisk (Not supported in Squeeze LTS) NOTE: http://downloads.asterisk.org/pub/security/AST-2015-003.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24847 
@@ -103504,7 +103504,7 @@ NOTE: Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks. - erlang 1:15.b-dfsg-1 [squeeze] - erlang (Minor issue) - - asterisk + - asterisk 1:13.7.2~dfsg-1 [jessie] - asterisk (Minor issue) [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
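Review bot: in the second hunk the context lines kept above CVE-2016-2316 say "NOTE: all versions vulnerable, backport required for wheezy", yet both CVE-2016-2232 and CVE-2016-2316 retain "[wheezy] - asterisk (Minor issue)" unchanged; since this change only fills in the unstable version 1:13.7.2~dfsg-1, the wheezy status and that NOTE should be reconciled in the same edit, either by dropping the minor-issue marking or by recording why the wheezy backport is no longer needed.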
[Secure-testing-commits] r40650 - data/CVE
Author: carnil Date: 2016-03-30 04:51:07 + (Wed, 30 Mar 2016) New Revision: 40650 Modified: data/CVE/list Log: Two more NFUs Modified: data/CVE/list === --- data/CVE/list 2016-03-30 04:50:55 UTC (rev 40649) +++ data/CVE/list 2016-03-30 04:51:07 UTC (rev 40650) @@ -3507,9 +3507,9 @@ CVE-2016-2346 RESERVED CVE-2016-2345 (Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in ...) - TODO: check + NOT-FOR-US: SolarWinds DameWare Mini Remote Control CVE-2016-2344 (Stack-based buffer overflow in manager.exe in Backburner Manager in ...) - TODO: check + NOT-FOR-US: Autodesk Backburner CVE-2016-2343 RESERVED CVE-2016-2342 (The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40649 - data/CVE
Author: carnil Date: 2016-03-30 04:50:55 + (Wed, 30 Mar 2016) New Revision: 40649 Modified: data/CVE/list Log: Mark CVE-2016-1314 as NFU Modified: data/CVE/list === --- data/CVE/list 2016-03-29 21:10:14 UTC (rev 40648) +++ data/CVE/list 2016-03-30 04:50:55 UTC (rev 40649) @@ -6871,7 +6871,7 @@ CVE-2016-1315 (The proxy engine in Cisco Advanced Malware Protection (AMP), when used ...) NOT-FOR-US: Cisco CVE-2016-1314 (Cross-site scripting (XSS) vulnerability in Cisco Unified ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-1313 RESERVED CVE-2016-1312 (The HTTPS inspection engine in the Content Security and Control ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40648 - data/CVE
Author: sectracker Date: 2016-03-29 21:10:14 + (Tue, 29 Mar 2016) New Revision: 40648 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-03-29 19:46:31 UTC (rev 40647) +++ data/CVE/list 2016-03-29 21:10:14 UTC (rev 40648) @@ -1,6 +1,24 @@ +CVE-2016-3682 + RESERVED +CVE-2016-3681 + RESERVED +CVE-2016-3680 + RESERVED +CVE-2016-3679 (Multiple unspecified vulnerabilities in Google V8 before 4.9.385.33, ...) + TODO: check +CVE-2016-3678 + RESERVED +CVE-2016-3677 + RESERVED +CVE-2016-3676 + RESERVED +CVE-2016-3675 + RESERVED +CVE-2016-3673 + RESERVED CVE-2016-3672 RESERVED -CVE-2014-9769 [Segmentation fault on certain input to regular expressions with nested alternatives when JIT is used] +CVE-2014-9769 (pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to ...) - pcre3 2:8.38-1 (bug #819050) [jessie] - pcre3 (Minor issue, can be fixed via point release) [wheezy] - pcre3 (Vulnerable code not present) @@ -8,6 +26,7 @@ NOTE: Introduced in: http://vcs.pcre.org/pcre?view=revision&revision=1434 (8.35) NOTE: http://www.openwall.com/lists/oss-security/2016/03/26/1 CVE-2016-3674 [XXE vulnerability] + RESERVED - libxstream-java 1.4.9-1 (bug #819455) NOTE: http://x-stream.github.io/changes.html#1.4.9 CVE-2016-3671 @@ -3489,8 +3508,8 @@ RESERVED CVE-2016-2345 (Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in ...) TODO: check -CVE-2016-2344 - RESERVED +CVE-2016-2344 (Stack-based buffer overflow in manager.exe in Backburner Manager in ...) + TODO: check CVE-2016-2343 RESERVED CVE-2016-2342 (The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI ...) @@ -3522,6 +3541,7 @@ RESERVED CVE-2016-2385 [SEAS Module Heap overflow] RESERVED + {DSA-3535-1} - kamailio 4.3.4-2 (bug #815178) NOTE: https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643 CVE-2016-2384 [Double-free in snd-usbmidi-lib triggered by invalid USB descriptor] 
@@ -5897,28 +5917,23 @@ RESERVED CVE-2016-1651 RESERVED -CVE-2016-1650 - RESERVED +CVE-2016-1650 (The PageCaptureSaveAsMHTMLFunction::ReturnFailure function in ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) -CVE-2016-1649 - RESERVED +CVE-2016-1649 (The Program::getUniformInternal function in Program.cpp in libANGLE, ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) -CVE-2016-1648 - RESERVED +CVE-2016-1648 (Use-after-free vulnerability in the GetLoadTimes function in ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) -CVE-2016-1647 - RESERVED +CVE-2016-1647 (Use-after-free vulnerability in the RenderWidgetHostImpl::Destroy ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) -CVE-2016-1646 - RESERVED +CVE-2016-1646 (The Array.prototype.concat implementation in builtins.cc in Google V8, ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) @@ -6855,8 +6870,8 @@ NOT-FOR-US: Cisco CVE-2016-1315 (The proxy engine in Cisco Advanced Malware Protection (AMP), when used ...) NOT-FOR-US: Cisco -CVE-2016-1314 - RESERVED +CVE-2016-1314 (Cross-site scripting (XSS) vulnerability in Cisco Unified ...) + TODO: check CVE-2016-1313 RESERVED CVE-2016-1312 (The HTTPS inspection engine in the Content Security and Control ...) @@ -10455,8 +10470,8 @@ RESERVED CVE-2016-0227 (Cross-site scripting (XSS) vulnerability in the document-list control ...) NOT-FOR-US: IBM -CVE-2016-0226 - RESERVED +CVE-2016-0226 (The client implementation in IBM Informix Dynamic Server 11.70.xCn on ...) + TODO: check CVE-2016-0225 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.9 ...) NOT-FOR-US: IBM CVE-2016-0224 
@@ -11273,18 +11288,19 @@ NOTE: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=07343eab681bf8c22a2b31d978569a5f65253171 (v3.2.19) CVE-2012-6700 RESERVED - {DLA-362-1} + {DSA-3534-1 DLA-362-1} - dhcpcd NOTE: https://launchpadlibrarian.net/228152582/dhcp.c.patch NOTE: original ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/dhcpcd/+bug/1517226 CVE-2012-6699 RESERVED + {DSA-3534-1} - dhcpcd NOTE: https://launchpadlibrarian.net/228152582/dhcp.c.patch NOTE:
[Secure-testing-commits] r40647 - data
Author: carnil Date: 2016-03-29 19:46:31 + (Tue, 29 Mar 2016) New Revision: 40647 Modified: data/dsa-needed.txt Log: Add mercurial to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-03-29 19:43:50 UTC (rev 40646) +++ data/dsa-needed.txt 2016-03-29 19:46:31 UTC (rev 40647) @@ -52,6 +52,8 @@ -- mediawiki/oldstable -- +mercurial +-- minissdpd NOTE: debdiff sent by Thorsten Alteholz to the Security Team on 2016-03-28 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40645 - data/CVE
Author: carnil Date: 2016-03-29 19:43:40 + (Tue, 29 Mar 2016) New Revision: 40645 Modified: data/CVE/list Log: Add commit required for CVE-2016-3068 Modified: data/CVE/list === --- data/CVE/list 2016-03-29 19:42:00 UTC (rev 40644) +++ data/CVE/list 2016-03-29 19:43:40 UTC (rev 40645) @@ -1232,6 +1232,7 @@ RESERVED - mercurial (bug #819504) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 + NOTE: https://selenic.com/repo/hg-stable/rev/34d43cb85de8 CVE-2016-3067 RESERVED CVE-2016-3066 [hijacks clipboard and sends contents to remote servers] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40644 - data/CVE
Author: carnil Date: 2016-03-29 19:42:00 + (Tue, 29 Mar 2016) New Revision: 40644 Modified: data/CVE/list Log: Add commits for CVE-2016-3069 Modified: data/CVE/list === --- data/CVE/list 2016-03-29 19:39:15 UTC (rev 40643) +++ data/CVE/list 2016-03-29 19:42:00 UTC (rev 40644) @@ -1223,6 +1223,11 @@ RESERVED - mercurial (bug #819504) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 + NOTE: https://selenic.com/repo/hg-stable/rev/197eed39e3d5 (1/5) + NOTE: https://selenic.com/repo/hg-stable/rev/cdda7b96afff (2/5) + NOTE: https://selenic.com/repo/hg-stable/rev/b732e7f2aba4 (3/5) + NOTE: https://selenic.com/repo/hg-stable/rev/80cac1de6aea (4/5) + NOTE: https://selenic.com/repo/hg-stable/rev/ae279d4a19e9 (5/5) CVE-2016-3068 [arbitrary code execution with Git subrepos] RESERVED - mercurial (bug #819504) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40642 - data/CVE
Author: carnil Date: 2016-03-29 19:30:20 + (Tue, 29 Mar 2016) New Revision: 40642 Modified: data/CVE/list Log: Add three mercurial issues Modified: data/CVE/list === --- data/CVE/list 2016-03-29 18:55:57 UTC (rev 40641) +++ data/CVE/list 2016-03-29 19:30:20 UTC (rev 40642) @@ -94,8 +94,10 @@ RESERVED CVE-2016-3631 RESERVED -CVE-2016-3630 +CVE-2016-3630 [remote code execution in binary delta decoding] RESERVED + - mercurial + NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 CVE-2016-3629 RESERVED CVE-2016-3628 @@ -1217,10 +1219,14 @@ RESERVED CVE-2016-3070 RESERVED -CVE-2016-3069 +CVE-2016-3069 [arbitrary code execution when converting Git repos] RESERVED -CVE-2016-3068 + - mercurial + NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 +CVE-2016-3068 [arbitrary code execution with Git subrepos] RESERVED + - mercurial + NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 CVE-2016-3067 RESERVED CVE-2016-3066 [hijacks clipboard and sends contents to remote servers] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40641 - data/CVE
Author: jmm Date: 2016-03-29 18:55:57 + (Tue, 29 Mar 2016) New Revision: 40641 Modified: data/CVE/list Log: xen no-dsa (can be folded into a later update) Modified: data/CVE/list === --- data/CVE/list 2016-03-29 18:51:15 UTC (rev 40640) +++ data/CVE/list 2016-03-29 18:55:57 UTC (rev 40641) @@ -1033,13 +1033,13 @@ CVE-2016-3159 RESERVED - xen + [jessie] - xen (Minor issue, can be fixed along in a future DSA) NOTE: http://xenbits.xen.org/xsa/advisory-172.html - TODO: check CVE-2016-3158 RESERVED - xen + [jessie] - xen (Minor issue, can be fixed along in a future DSA) NOTE: http://xenbits.xen.org/xsa/advisory-172.html - TODO: check CVE-2016-3157 [I/O port access privilege escalation in x86-64 Linux] RESERVED - linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40639 - data/CVE
Author: carnil Date: 2016-03-29 18:50:30 + (Tue, 29 Mar 2016) New Revision: 40639 Modified: data/CVE/list Log: Update comment for CVE-2015-3220 Modified: data/CVE/list === --- data/CVE/list 2016-03-29 18:37:51 UTC (rev 40638) +++ data/CVE/list 2016-03-29 18:50:30 UTC (rev 40639) @@ -26194,7 +26194,7 @@ CVE-2015-3220 RESERVED - tlslite - [wheezy] - tlslite (Minor issue; can be fixed in point release) + [wheezy] - tlslite (Minor issue; will be removed from Wheezy) CVE-2015-3219 (Cross-site scripting (XSS) vulnerability in the Orchestration/Stack ...) - horizon 2015.1.0+2015.06.09.git15.e63af6c598-1 (bug #788306) [jessie] - horizon (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40638 - data
Author: carnil Date: 2016-03-29 18:37:51 + (Tue, 29 Mar 2016) New Revision: 40638 Modified: data/next-point-update.txt Log: Add CVE-2016-3180/torbrowser-launcher for next jessie point release list Modified: data/next-point-update.txt === --- data/next-point-update.txt 2016-03-29 18:27:36 UTC (rev 40637) +++ data/next-point-update.txt 2016-03-29 18:37:51 UTC (rev 40638) @@ -85,3 +85,5 @@ [jessie] - pcre3 2:8.35-3.3+deb8u4 CVE-2015-7557 [jessie] - librsvg 2.40.5-1+deb8u1 +CVE-2016-3180 + [jessie] - torbrowser-launcher 0.1.9-1+deb8u3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40637 - data/CVE
Author: jmm Date: 2016-03-29 18:27:36 + (Tue, 29 Mar 2016) New Revision: 40637 Modified: data/CVE/list Log: torbrowser-launcher no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-03-29 18:26:43 UTC (rev 40636) +++ data/CVE/list 2016-03-29 18:27:36 UTC (rev 40637) @@ -1007,6 +1007,7 @@ CVE-2016-3180 [Signature verification bypass attack] RESERVED - torbrowser-launcher 0.2.4-1 + [jessie] - torbrowser-launcher (contrib not supported) NOTE: https://github.com/micahflee/torbrowser-launcher/issues/229 CVE-2016-3177 [gifcolor: use-after-free in EGifCloseFile] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40636 - data
Author: jmm Date: 2016-03-29 18:26:43 + (Tue, 29 Mar 2016) New Revision: 40636 Modified: data/next-oldstable-point-update.txt Log: optipng ospu Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2016-03-29 18:13:04 UTC (rev 40635) +++ data/next-oldstable-point-update.txt2016-03-29 18:26:43 UTC (rev 40636) @@ -51,3 +51,5 @@ [wheezy] - librsvg 2.36.1-2+deb7u1 CVE-2013-7447 [wheezy] - gtk+3.0 3.4.2-7+deb7u1 +CVE-2015-7801 + [wheezy] - optipng 0.6.4-1+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40634 - data
Author: apo-guest Date: 2016-03-29 18:03:48 + (Tue, 29 Mar 2016) New Revision: 40634 Modified: data/dsa-needed.txt Log: Claim srtp in dsa-needed.txt Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-03-29 16:28:13 UTC (rev 40633) +++ data/dsa-needed.txt 2016-03-29 18:03:48 UTC (rev 40634) @@ -87,6 +87,8 @@ -- squid/oldstable -- +srtp (Markus Koschany) +-- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40633 - data/CVE
Author: anarcat Date: 2016-03-29 16:28:13 + (Tue, 29 Mar 2016) New Revision: 40633 Modified: data/CVE/list Log: Summary: CVE-2015-7575 not on wheezy / nss Modified: data/CVE/list === --- data/CVE/list 2016-03-29 15:45:39 UTC (rev 40632) +++ data/CVE/list 2016-03-29 16:28:13 UTC (rev 40633) @@ -13912,6 +13912,7 @@ [squeeze] - icedove - nss 2:3.21-1 [squeeze] - nss (only affects nss post 2012-07-26) + [wheezy] - nss (TLS 1.2 not supported in 3.14, only 3.15.1 and above) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/ NOTE: Patch in SuSE Bugzilla: https://bugzilla.novell.com/attachment.cgi?id=660286 NOTE: NSS upstream fix is actually in 3.20.2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40632 - data/CVE
Author: carnil Date: 2016-03-29 15:45:39 + (Tue, 29 Mar 2016) New Revision: 40632 Modified: data/CVE/list Log: Slightly reorder notes for CVE-2015-7575 Modified: data/CVE/list === --- data/CVE/list 2016-03-29 15:38:02 UTC (rev 40631) +++ data/CVE/list 2016-03-29 15:45:39 UTC (rev 40632) @@ -13914,12 +13914,15 @@ [squeeze] - nss (only affects nss post 2012-07-26) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/ NOTE: Patch in SuSE Bugzilla: https://bugzilla.novell.com/attachment.cgi?id=660286 + NOTE: NSS upstream fix is actually in 3.20.2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes + NOTE: NSS patch: https://hg.mozilla.org/projects/nss/raw-rev/891676aa0d85 - openssl 1.0.1f-1 [squeeze] - openssl (Vulnerable code not present) NOTE: OpenSSL fix: https://git.openssl.org/?p=openssl.git;a=commit;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a - openjdk-8 7u95-2.6.4-1 - openjdk-7 7u95-2.6.4-1 - openjdk-6 + NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1ad1d1b46fef - gnutls28 3.3.15-1 [jessie] - gnutls28 3.3.8-6+deb8u3 - gnutls26 @@ -13931,9 +13934,6 @@ NOTE: https://gitlab.com/gnutls/gnutls/commit/6822a37947d4e38c45b1afc0121cda35ba897182 NOTE: http://www.openwall.com/lists/oss-security/2015/05/05/8 NOTE: http://www.mitls.org/pages/attacks/SLOTH - NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1ad1d1b46fef - NOTE: NSS upstream fix is actually in 3.20.2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes - NOTE: NSS patch: https://hg.mozilla.org/projects/nss/raw-rev/891676aa0d85 TODO: check other possible affected libraries (PolarSSL/mbedTLS, ...) CVE-2015-7574 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40631 - data/CVE
Author: anarcat Date: 2016-03-29 15:38:02 + (Tue, 29 Mar 2016) New Revision: 40631 Modified: data/CVE/list Log: Summary: clarify NSS patches for CVE-2015-7575 Modified: data/CVE/list === --- data/CVE/list 2016-03-29 15:11:18 UTC (rev 40630) +++ data/CVE/list 2016-03-29 15:38:02 UTC (rev 40631) @@ -13932,6 +13932,8 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/05/05/8 NOTE: http://www.mitls.org/pages/attacks/SLOTH NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1ad1d1b46fef + NOTE: NSS upstream fix is actually in 3.20.2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes + NOTE: NSS patch: https://hg.mozilla.org/projects/nss/raw-rev/891676aa0d85 TODO: check other possible affected libraries (PolarSSL/mbedTLS, ...) CVE-2015-7574 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40630 - in data: . CVE
Author: carnil Date: 2016-03-29 15:11:18 + (Tue, 29 Mar 2016) New Revision: 40630 Modified: data/CVE/list data/dsa-needed.txt Log: Marked tlslite as no-dsa, remove from dsa-needed list Modified: data/CVE/list === --- data/CVE/list 2016-03-29 15:08:06 UTC (rev 40629) +++ data/CVE/list 2016-03-29 15:11:18 UTC (rev 40630) @@ -26190,6 +26190,7 @@ CVE-2015-3220 RESERVED - tlslite + [wheezy] - tlslite (Minor issue; can be fixed in point release) CVE-2015-3219 (Cross-site scripting (XSS) vulnerability in the Orchestration/Stack ...) - horizon 2015.1.0+2015.06.09.git15.e63af6c598-1 (bug #788306) [jessie] - horizon (Minor issue) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-03-29 15:08:06 UTC (rev 40629) +++ data/dsa-needed.txt 2016-03-29 15:11:18 UTC (rev 40630) @@ -90,9 +90,6 @@ tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security -- -tlslite/oldstable - NOTE: debdiff sent by Thorsten Alteholz to the Security Team on 2016-03-29 --- tiff3 -- tomcat7 (Markus Koschany) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40628 - data/CVE
Author: carnil Date: 2016-03-29 14:56:01 + (Tue, 29 Mar 2016) New Revision: 40628 Modified: data/CVE/list Log: Record fixed versions for CVE-2016-0823 Modified: data/CVE/list === --- data/CVE/list 2016-03-29 13:02:27 UTC (rev 40627) +++ data/CVE/list 2016-03-29 14:56:01 UTC (rev 40628) @@ -8673,6 +8673,8 @@ TODO: check CVE-2016-0823 (The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel ...) - linux 4.0.2-1 + [jessie] - 3.16.7-ckt11-1 + [wheezy] - linux 3.2.71-1 NOTE: Upstream patch: https://git.kernel.org/linus/ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce (v4.0-rc5) NOTE: https://googleprojectzero.blogspot.cz/2015/03/exploiting-dram-rowhammer-bug-to-gain.html CVE-2016-0822 (The MediaTek connectivity kernel driver in Android 6.0.1 before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
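Review bot: the added line "[jessie] - 3.16.7-ckt11-1" is missing the source package name; compare the wheezy line added right below it, "[wheezy] - linux 3.2.71-1". It should read "[jessie] - linux 3.16.7-ckt11-1", otherwise the tracker has a version with no package to attach it to.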
[Secure-testing-commits] r40627 - data/CVE
Author: carnil Date: 2016-03-29 13:02:27 + (Tue, 29 Mar 2016) New Revision: 40627 Modified: data/CVE/list Log: Add CVE-2016-315{8,9}/xen Modified: data/CVE/list === --- data/CVE/list 2016-03-29 12:30:38 UTC (rev 40626) +++ data/CVE/list 2016-03-29 13:02:27 UTC (rev 40627) @@ -1031,8 +1031,14 @@ RESERVED CVE-2016-3159 RESERVED + - xen + NOTE: http://xenbits.xen.org/xsa/advisory-172.html + TODO: check CVE-2016-3158 RESERVED + - xen + NOTE: http://xenbits.xen.org/xsa/advisory-172.html + TODO: check CVE-2016-3157 [I/O port access privilege escalation in x86-64 Linux] RESERVED - linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40625 - data
Author: alteholz Date: 2016-03-29 10:31:00 + (Tue, 29 Mar 2016) New Revision: 40625 Modified: data/dsa-needed.txt Log: add tlslite/oldstable Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-03-29 09:10:22 UTC (rev 40624) +++ data/dsa-needed.txt 2016-03-29 10:31:00 UTC (rev 40625) @@ -92,6 +92,9 @@ tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security -- +tlslite/oldstable + NOTE: debdiff sent by Thorsten Alteholz to the Security Team on 2016-03-29 +-- tiff3 -- tomcat7 (Markus Koschany) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
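Review bot: the new "tlslite/oldstable" block is inserted between the tardiff and tiff3 blocks, which breaks the alphabetical order the surrounding entries follow (tardiff, tiff3, tomcat7); it belongs after the "tiff3" separator, just before tomcat7.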
[Secure-testing-commits] r40624 - data/CVE
Author: sectracker Date: 2016-03-29 09:10:22 + (Tue, 29 Mar 2016) New Revision: 40624 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-03-29 05:19:12 UTC (rev 40623) +++ data/CVE/list 2016-03-29 09:10:22 UTC (rev 40624) @@ -4557,6 +4557,7 @@ NOT-FOR-US: VMware vRealize Business Advanced and Enterprise CVE-2016-2074 [MPLS buffer overflow] RESERVED + {DSA-3533-1} - openvswitch 2.3.0+git20140819-4 [wheezy] - openvswitch (Affects only 2.2.x and later) NOTE: http://openvswitch.org/pipermail/announce/2016-March/82.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits