[Secure-testing-commits] r40790 - data/CVE
Author: carnil Date: 2016-04-07 05:51:12 + (Thu, 07 Apr 2016) New Revision: 40790 Modified: data/CVE/list Log: Add (hopefully) clarifying note for CVE-2014-1949, thanks pabs and sarnold Modified: data/CVE/list === --- data/CVE/list 2016-04-07 05:45:28 UTC (rev 40789) +++ data/CVE/list 2016-04-07 05:51:12 UTC (rev 40790) @@ -57155,6 +57155,8 @@ - cinnamon 2.2.14-1 (bug #738828) NOTE: http://www.openwall.com/lists/oss-security/2014/02/12/7 NOTE: https://git.gnome.org/browse/gtk+/commit/?id=1691bb741d50c90ee938f0b73fe81b0ca9bfd6d4 + NOTE: The CVE was originally assigned specifically for cinnamon-screensaver, but the underlying fix lies in gtk+3.0 + NOTE: and later MITRE assigned the CVE to GTK+ 3.10.9 and later, see official MITRE CVE description. CVE-2014-1948 (OpenStack Image Registry and Delivery Service (Glance) 2013.2 through ...) - glance 2013.2.2-1 (bug #738924) [wheezy] - glance (Only affects Havana) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
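Review bot: the two added NOTE lines are ambiguous about what "3.10.9 and later" denotes. Because the first NOTE ends in "gtk+3.0" and the second opens with "and later MITRE assigned the CVE to GTK+ 3.10.9 and later", a reader cannot tell whether the first "and later" belongs to gtk+3.0 or to "later MITRE", nor whether 3.10.9 is the first affected or the first fixed GTK+ release. Suggest splitting the thought, e.g. "NOTE: The CVE was originally assigned for cinnamon-screensaver, but the underlying fix is in gtk+3.0." followed by a second NOTE that quotes the GTK+ version range exactly as the MITRE description states it, so the entry does not have to be re-read against MITRE later.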
[Secure-testing-commits] r40788 - data/CVE
Author: carnil Date: 2016-04-07 05:37:05 + (Thu, 07 Apr 2016) New Revision: 40788 Modified: data/CVE/list Log: Add CVE-2016-3951/linux Modified: data/CVE/list === --- data/CVE/list 2016-04-07 05:24:28 UTC (rev 40787) +++ data/CVE/list 2016-04-07 05:37:05 UTC (rev 40788) @@ -16,8 +16,12 @@ RESERVED CVE-2016-3952 RESERVED -CVE-2016-3951 +CVE-2016-3951 [usbnet: memory corruption triggered by invalid USB descriptor] RESERVED + - linux + NOTE: https://git.kernel.org/linus/4d06dd537f95683aba3651098ae288b7cbff8274 (v4.5) + NOTE: https://git.kernel.org/linus/1666984c8625b3db19a9abc298931d35ab7bc64b (v4.5) + NOTE: https://www.spinics.net/lists/netdev/msg367669.html CVE-2016-3950 RESERVED CVE-2016-3949 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
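Review bot: the new CVE-2016-3951 entry records "- linux" with no fixed Debian version while both upstream commits are tagged (v4.5); if no Debian upload carries them yet, the stable suites will be shown as vulnerable, and a [jessie]/[wheezy] annotation (or a "TODO: check" on whether the affected usbnet descriptor handling is present there) would tell the reader that this is intended rather than an oversight. Keeping the RESERVED line under the bracketed working title matches the convention used for other reserved-but-known entries in the file, so nothing to change there.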
[Secure-testing-commits] r40785 - data/CVE
Author: sectracker Date: 2016-04-06 21:10:13 + (Wed, 06 Apr 2016) New Revision: 40785 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-04-06 20:34:06 UTC (rev 40784) +++ data/CVE/list 2016-04-06 21:10:13 UTC (rev 40785) @@ -1,7 +1,33 @@ +CVE-2016-3962 + RESERVED +CVE-2016-3961 + RESERVED +CVE-2016-3960 + RESERVED +CVE-2016-3957 + RESERVED +CVE-2016-3956 + RESERVED +CVE-2016-3955 + RESERVED +CVE-2016-3954 + RESERVED +CVE-2016-3953 + RESERVED +CVE-2016-3952 + RESERVED +CVE-2016-3951 + RESERVED +CVE-2016-3950 + RESERVED +CVE-2016-3949 + RESERVED CVE-2016-3959 + RESERVED - golang NOTE: https://golang.org/cl/21533 CVE-2016-3958 + RESERVED - golang (Only affects Go on Windows) NOTE: https://golang.org/cl/21428 CVE-2016-3946 @@ -1760,8 +1786,8 @@ [jessie] - krb5 (Minor issue; can be fixed along with a future DSA) [wheezy] - krb5 (Minor issue; can be fixed along with a future DSA) NOTE: https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99 -CVE-2016-3118 - RESERVED +CVE-2016-3118 (CRLF injection vulnerability in CA API Gateway (formerly Layer7 API ...) + TODO: check CVE-2016-3117 RESERVED CVE-2016-3114 @@ -1969,8 +1995,7 @@ [wheezy] - linux (Minor issue) NOTE: http://seclists.org/bugtraq/2016/Mar/57 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283370 -CVE-2016-3125 [TLSDHParamFile directive ignored] - RESERVED +CVE-2016-3125 (The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 ...) - proftpd-dfsg (bug #818492) [jessie] - proftpd-dfsg (Minor issue; can be fixed in point release) [wheezy] - proftpd-dfsg (Minor issue; can be fixed in point release) 
@@ -6210,8 +6235,8 @@ RESERVED CVE-2016-1790 RESERVED -CVE-2016-1789 - RESERVED +CVE-2016-1789 (Apple iBooks Author before 2.4.1 allows remote attackers to read ...) + TODO: check CVE-2016-1788 (Messages in Apple iOS before 9.3, OS X before 10.11.4, and watchOS ...) TODO: check CVE-2016-1787 (Wiki Server in Apple OS X Server before 5.1 allows remote attackers to ...) @@ -8235,10 +8260,10 @@ RESERVED CVE-2016-1177 (The management screen in Falcon WisePoint 4.3.1 and earlier and ...) TODO: check -CVE-2016-1176 - RESERVED -CVE-2016-1175 - RESERVED +CVE-2016-1176 (Buffer overflow in the ActiveX control in Sharp EVA Animeter allows ...) + TODO: check +CVE-2016-1175 (Cross-site request forgery (CSRF) vulnerability in AQUOS Photo Player ...) + TODO: check CVE-2016-1174 RESERVED CVE-2016-1173 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
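Review bot: in the @@ -1760 hunk CVE-2016-3118 (CA API Gateway) is imported as "TODO: check" although the product is not a Debian package; this is expected from the automatic import, but a follow-up commit resolving it to NOT-FOR-US keeps the TODO queue short.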
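Review bot: in the @@ -8235 hunk CVE-2016-1176 (Sharp EVA Animeter ActiveX control) and CVE-2016-1175 (AQUOS Photo Player) both land as "TODO: check"; like CVE-2016-1789 (Apple iBooks Author) in the @@ -6210 hunk, neither concerns software shipped in Debian, so all three are candidates for NOT-FOR-US in the next manual pass.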
[Secure-testing-commits] r40784 - in data: . CVE
Author: jmm Date: 2016-04-06 20:34:06 + (Wed, 06 Apr 2016) New Revision: 40784 Modified: data/CVE/list data/dsa-needed.txt Log: add and take optipng Modified: data/CVE/list === --- data/CVE/list 2016-04-06 20:11:11 UTC (rev 40783) +++ data/CVE/list 2016-04-06 20:34:06 UTC (rev 40784) @@ -4581,10 +4581,9 @@ NOTE: https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/08/1 CVE-2014- [LFI posting internal files externally abusing default parameter] - - tcpdf 6.2.12+dfsg-1 (bug #814030) + - tcpdf (bug #814030) NOTE: https://sourceforge.net/p/tcpdf/bugs/1005/ (not public) NOTE: According to upstream fixed in 6.2.0, but not details available - TODO: check CVE-2015-8808 [out-of-bound read in the parsing of gif files] RESERVED - graphicsmagick 1.3.21-2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-06 20:11:11 UTC (rev 40783) +++ data/dsa-needed.txt 2016-04-06 20:34:06 UTC (rev 40784) @@ -57,6 +57,8 @@ -- ntp -- +optipng (jmm) +-- openjpeg2 (jmm) -- pdns/oldstable (Mike Gabriel) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
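Review bot: in the data/CVE/list hunk, dropping the version from "- tcpdf 6.2.12+dfsg-1 (bug #814030)" to "- tcpdf (bug #814030)" reclassifies the tcpdf issue from fixed to unfixed, yet the commit log only says "add and take optipng"; the reason (presumably that 6.2.12+dfsg-1 does not actually contain the fix) belongs in the log or in a NOTE, and removing "TODO: check" in the same hunk leaves no marker that the question is still open. The retained NOTE also reads "but not details available", which should be "but no details available".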
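Review bot: in the data/dsa-needed.txt hunk the new "optipng (jmm)" block is inserted between ntp and openjpeg2, but the file is kept in alphabetical order and "openjpeg2" sorts before "optipng" (e before t at the third character); move the block below "openjpeg2 (jmm)" so the list stays sorted.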
[Secure-testing-commits] r40782 - data/CVE
Author: carnil Date: 2016-04-06 14:47:39 + (Wed, 06 Apr 2016) New Revision: 40782 Modified: data/CVE/list Log: Add CVE-2016-3672/linux Modified: data/CVE/list === --- data/CVE/list 2016-04-06 14:46:25 UTC (rev 40781) +++ data/CVE/list 2016-04-06 14:47:39 UTC (rev 40782) @@ -594,8 +594,10 @@ RESERVED CVE-2016-3673 RESERVED -CVE-2016-3672 +CVE-2016-3672 [Unlimiting the stack not longer disables ASLR] RESERVED + - linux + NOTE: http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html CVE-2014-9769 (pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to ...) - pcre3 2:8.38-1 (bug #819050) [jessie] - pcre3 2:8.35-3.3+deb8u4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
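Review bot: the bracketed title "[Unlimiting the stack not longer disables ASLR]" copies the wording of the hmarco.org URL slug; the tracker title should read "no longer disables ASLR" (the URL in the NOTE must of course stay as-is). The entry also has "- linux" with only the write-up as reference and no upstream commit; once the fixing kernel commit is identified, add it as a NOTE with its release tag, as was done for CVE-2016-3951 in r40788, so the fixed version can be tracked.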
[Secure-testing-commits] r40781 - data/CVE
Author: carnil Date: 2016-04-06 14:46:25 + (Wed, 06 Apr 2016) New Revision: 40781 Modified: data/CVE/list Log: Add second reference for CVE request on xchat/hexchat issue Modified: data/CVE/list === --- data/CVE/list 2016-04-06 09:47:34 UTC (rev 40780) +++ data/CVE/list 2016-04-06 14:46:25 UTC (rev 40781) @@ -32801,6 +32801,7 @@ NOTE: https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d (v2.12.0) NOTE: https://github.com/hexchat/hexchat/commit/c99f2ba645d1f4d01d6d2bb0cc1238825e15c604 (v2.10.2) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/29/23 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/05/4 CVE-2013-7426 [insecure default fifo path /tmp/kamailio_fifo] RESERVED - kamailio 4.0.2-1 (bug #712083) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40780 - bin
Author: pabs Date: 2016-04-06 09:47:34 + (Wed, 06 Apr 2016) New Revision: 40780 Modified: bin/tracker_service.py Log: Drop links to OSVDB OSVDB is now closed officially: https://blog.osvdb.org/2016/04/05/osvdb-fin/ Modified: bin/tracker_service.py === --- bin/tracker_service.py 2016-04-06 09:36:04 UTC (rev 40779) +++ bin/tracker_service.py 2016-04-06 09:47:34 UTC (rev 40780) @@ -365,8 +365,6 @@ ", ", self.make_bugtraq_bug_ref(url, bug.name, 'bugtraq'), ", ", - self.make_osvdb_bug_ref(url, bug.name, 'OSVDB'), - ", ", self.make_edb_bug_ref(url, bug.name, 'EDB'), ", ", self.make_metasploit_bug_ref(url, bug.name, 'Metasploit'), @@ -1483,8 +1481,6 @@ return url.absolute("https://marc.info/";, l="full-disclosure", s=name) def url_bugtraq_bug(self, url, name): return url.absolute("https://marc.info/";, l="bugtraq", s=name) -def url_osvdb_bug(self, url, name): -return url.absoluteDict("https://osvdb.org/search/search";, {"search[refid]": name}) def url_edb_bug(self, url, name): name = name[len('CVE-'):] if name.startswith('CVE-') else name return url.absolute("https://www.exploit-db.com/search/";, action="search", cve=name) @@ -1576,11 +1572,6 @@ name = cve return A(self.url_bugtraq_bug(url, cve), name) -def make_osvdb_bug_ref(self, url, cve, name=None): -if name is None: -name = cve -return A(self.url_osvdb_bug(url, cve), name) - def make_edb_bug_ref(self, url, cve, name=None): if name is None: name = cve ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
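Review bot: the three hunks remove the OSVDB reference consistently (the call in the reference list at @@ -365, url_osvdb_bug at @@ -1483, make_osvdb_bug_ref at @@ -1576), and the @@ -365 hunk also drops the paired ", " separator so the rendered list keeps single separators between the bugtraq and EDB links. Before committing, grep the tree for make_osvdb_bug_ref and url_osvdb_bug in case a template or another script still references them; and in the visible lines url.absoluteDict is used only by the removed url_osvdb_bug, so if nothing else in the file calls it, it can be removed in the same change.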
[Secure-testing-commits] r40779 - data/CVE
Author: fgeek-guest Date: 2016-04-06 09:36:04 + (Wed, 06 Apr 2016) New Revision: 40779 Modified: data/CVE/list Log: OSVDB is now closed officially Modified: data/CVE/list === --- data/CVE/list 2016-04-05 21:10:11 UTC (rev 40778) +++ data/CVE/list 2016-04-06 09:36:04 UTC (rev 40779) @@ -47574,7 +47574,6 @@ {DSA-3101-1} - c-icap 1:0.3.1-1 NOTE: http://sourceforge.net/p/c-icap/bugs/59/ - NOTE: http://osvdb.org/ref/89/c-icap.txt NOTE: http://sourceforge.net/p/c-icap/code/1018/ CVE-2014-6070 (Multiple cross-site scripting (XSS) vulnerabilities in Adiscon ...) - loganalyzer 3.6.6+dfsg-1 (bug #760372) @@ -89306,7 +89305,6 @@ CVE-2012-3878 [Perl require Directive Path Subversion Arbitrary Module / File Loading Weakness] RESERVED - perl (unimportant; bug #776270) - NOTE: http://osvdb.org/106565 NOTE: http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html NOTE: https://rt.perl.org/Public/Bug/Display.html?id=125833 NOTE: (possibly) to be rejected, see also http://www.openwall.com/lists/oss-security/2015/01/26/3 @@ -93323,7 +93321,6 @@ - php5 5.4.3-1 (bug #671880) NOTE: This CVE ID is for the initial incomplete fix for CVE-2012-1823 NOTE: http://www.kb.cert.org/vuls/id/520827 - NOTE: http://osvdb.org/81633 CVE-2012-2310 (Cross-site scripting (XSS) vulnerability in the cctags module for ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2309 (Cross-site scripting (XSS) vulnerability in the Glossify Internal ...) @@ -100485,7 +100482,6 @@ CVE-2011-4558 RESERVED - tikiwiki - NOTE: http://osvdb.org/78013 NOTE: http://dev.tiki.org/item4059 NOTE: http://info.tiki.org/article185-Tiki-Security-Patches-Available-for-8-3-and-6-6-LTS CVE-2011-4557 
@@ -100754,12 +100750,10 @@ CVE-2011-4455 RESERVED - tikiwiki - NOTE: http://osvdb.org/77156 NOTE: http://secunia.com/advisories/46740/ CVE-2011-4454 RESERVED - tikiwiki - NOTE: http://osvdb.org/77155 NOTE: http://secunia.com/advisories/46740/ CVE-2011-4453 (The PageListSort function in scripts/pagelist.php in PmWiki 2.x before ...) - pmwiki (bug #330117) @@ -125395,7 +125389,6 @@ - gtk+2.0 2.18.5-1 [lenny] - gtk+2.0 (issue only exposed by gnome-screensaver 2.28) [etch] - gtk+2.0 (issue only exposed by gnome-screensaver 2.28) - NOTE: http://osvdb.org/61203 NOTE: http://www.openwall.com/lists/oss-security/2010/02/12/1 CVE-2010-0731 (The gnutls_x509_crt_get_serial function in the GnuTLS library before ...) - gnutls26 (Fixed before initial release) @@ -172083,7 +172076,6 @@ - mediawiki 1.7.1-9 (bug #406238; medium) CVE-2007-1054 (Cross-site scripting (XSS) vulnerability in the AJAX features in ...) - mediawiki 1.7.1-9 (bug #406238; medium) - NOTE: http://osvdb.org/32078 CVE-2007-1053 (** DISPUTED ** ...) NOT-FOR-US: phpXmms CVE-2007-1052 (** DISPUTED ** ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
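Review bot: across all hunks the osvdb.org NOTE lines are deleted outright, which discards the OSVDB identifiers (e.g. 106565 for CVE-2012-3878, 78013 for CVE-2011-4558) even though they remain useful for matching archived copies and third-party advisories that still cite them; consider keeping the identifier in a short NOTE that states the site is closed rather than dropping it. In the @@ -172083 hunk the OSVDB link was the only NOTE on CVE-2007-1054, so after this change the entry has no reference beyond the CVE description and the Debian bug; a replacement reference for that fix would be worth adding.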