[Secure-testing-commits] r41055 - data/CVE
Author: carnil Date: 2016-04-22 04:54:09 + (Fri, 22 Apr 2016) New Revision: 41055 Modified: data/CVE/list Log: Add CVE-2015-8212/bozohttpd Thanks: Sander Bos Modified: data/CVE/list === --- data/CVE/list 2016-04-22 04:17:04 UTC (rev 41054) +++ data/CVE/list 2016-04-22 04:54:09 UTC (rev 41055) @@ -13179,8 +13179,11 @@ NOTE: https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4 (master) NOTE: https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172 (1.7.x) NOTE: https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/ -CVE-2015-8212 - RESERVED +CVE-2015-8212 [bozohttpd CGI handlers potential remote code execution] + - bozohttpd + NOTE: http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2016-005.txt.asc + NOTE: http://www.eterna.com.au/bozohttpd/CHANGES + NOTE: http://www.eterna.com.au/bozohttpd/bozohttpd-20160415.tar.bz2 CVE-2015-8211 RESERVED CVE-2015-8210 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41054 - data/CVE
Author: carnil Date: 2016-04-22 04:17:04 + (Fri, 22 Apr 2016) New Revision: 41054 Modified: data/CVE/list Log: Add upstream tag information for tmux issue and mark as no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-04-22 04:15:14 UTC (rev 41053) +++ data/CVE/list 2016-04-22 04:17:04 UTC (rev 41054) @@ -44,8 +44,10 @@ RESERVED CVE-2015- [tmux out-of-bounds heap read] - tmux 2.1-1 + [jessie] - tmux (Minor issue, can be fixed via point release) + [wheezy] - tmux (Minor issue) NOTE: upstream issue: https://github.com/tmux/tmux/issues/92 - NOTE: upstream commit: https://github.com/tmux/tmux/commit/2ffbd5b5f05dded1564ba32a6a00b0b417439b2f + NOTE: upstream commit: https://github.com/tmux/tmux/commit/2ffbd5b5f05dded1564ba32a6a00b0b417439b2f (2.1) NOTE: upstream fixed in 2.1 NOTE: https://bugs.gentoo.org/show_bug.cgi?id=564400 CVE-2016- [libxml_disable_entity_loader setting is shared between threads] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41053 - data/CVE
Author: carnil Date: 2016-04-22 04:15:14 + (Fri, 22 Apr 2016) New Revision: 41053 Modified: data/CVE/list Log: Remove todo item from REJECTED entry Modified: data/CVE/list === --- data/CVE/list 2016-04-21 21:10:12 UTC (rev 41052) +++ data/CVE/list 2016-04-22 04:15:14 UTC (rev 41053) @@ -1,6 +1,5 @@ CVE-2016-6479 REJECTED - TODO: check CVE-2016-4055 RESERVED CVE-2016-4050 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41052 - data/CVE
Author: sectracker Date: 2016-04-21 21:10:12 + (Thu, 21 Apr 2016) New Revision: 41052 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-04-21 20:55:43 UTC (rev 41051) +++ data/CVE/list 2016-04-21 21:10:12 UTC (rev 41052) @@ -1,3 +1,48 @@ +CVE-2016-6479 + REJECTED + TODO: check +CVE-2016-4055 + RESERVED +CVE-2016-4050 + RESERVED +CVE-2016-4049 + RESERVED +CVE-2016-4048 + RESERVED +CVE-2016-4047 + RESERVED +CVE-2016-4046 + RESERVED +CVE-2016-4045 + RESERVED +CVE-2015-8862 + RESERVED +CVE-2015-8861 + RESERVED +CVE-2015-8860 + RESERVED +CVE-2015-8859 + RESERVED +CVE-2015-8858 + RESERVED +CVE-2015-8857 + RESERVED +CVE-2015-8856 + RESERVED +CVE-2015-8855 + RESERVED +CVE-2015-8854 + RESERVED +CVE-2014-9772 + RESERVED +CVE-2013-7454 + RESERVED +CVE-2013-7453 + RESERVED +CVE-2013-7452 + RESERVED +CVE-2013-7451 + RESERVED CVE-2015- [tmux out-of-bounds heap read] - tmux 2.1-1 NOTE: upstream issue: https://github.com/tmux/tmux/issues/92 @@ -26,18 +71,22 @@ - typo3-src [wheezy] - typo3-src (See DSA 3314) CVE-2016-4054 + RESERVED - squid3 - squid TODO: check CVE-2016-4053 + RESERVED - squid3 - squid TODO: check CVE-2016-4052 + RESERVED - squid3 - squid TODO: check CVE-2016-4051 + RESERVED - squid3 - squid TODO: check @@ -52,6 +101,7 @@ CVE-2016-4040 (SQL injection vulnerability in the Workflow Screen in dotCMS before ...) TODO: check CVE-2015-8853 [Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU] + RESERVED - perl 5.22.1-1 (bug #821848) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=123562 NOTE: http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5 @@ -361,15 +411,13 @@ NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1324774 NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/3 -CVE-2014-9770 [systemd / journald created world readable journal files (for volatile journals)] - RESERVED +CVE-2014-9770 (tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions ...) - systemd 215-4 [wheezy] - systemd (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=972612 NOTE: Introduced by: https://github.com/systemd/systemd/commit/a606871da508995f5ede113a8fc6538afd98966c (v213) NOTE: Fixed by (for volatile journals): https://github.com/systemd/systemd/commit/176f2acf8dee45fee832fd2ab07243f63783a238 (v214) -CVE-2015-8842 [systemd / journald created world readable journal files (for current persistent journal)] - RESERVED +CVE-2015-8842 (tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions ...) - systemd 229-1 [wheezy] - systemd (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=972612 @@ -416,6 +464,7 @@ - linux NOTE: http://xenbits.xen.org/xsa/advisory-174.html CVE-2016-3960 (Integer overflow in the x86 shadow pagetable code in Xen allows local ...) + {DSA-3554-1} - xen NOTE: http://xenbits.xen.org/xsa/advisory-173.html CVE-2016-3957 @@ -1553,34 +1602,32 @@ RESERVED CVE-2016-3467 RESERVED -CVE-2016-3466 - RESERVED -CVE-2016-3465 - RESERVED +CVE-2016-3466 (Unspecified vulnerability in the Oracle Field Service component in ...) + TODO: check +CVE-2016-3465 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local ...) NOT-FOR-US: Solaris -CVE-2016-3464 - RESERVED -CVE-2016-3463 - RESERVED -CVE-2016-3462 - RESERVED +CVE-2016-3464 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...) + TODO: check +CVE-2016-3463 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...) + TODO: check +CVE-2016-3462 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local ...) NOT-FOR-US: Solaris -CVE-2016-3461 - RESERVED -CVE-2016-3460 - RESERVED +CVE-2016-3461 (Unspecified vulnerability in the MySQL Enterprise Monitor component in ...) + TODO: check +CVE-2016-3460 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component ...) + TODO: check CVE-2016-3459 RESERVED CVE-2016-3458 RESERVED -CVE-2016-3457 - RESERVED -CVE-2016-3456 - RESERVED -CVE-2016-3455 - RESERVED -CVE-2016-3454 - RESERVED +CVE-2016-3457 (Unspecified vulnerability in the PeopleSoft Enterprise HCM ...) + TODO: check
[Secure-testing-commits] r41051 - data/CVE
Author: kosh-guest Date: 2016-04-21 20:55:43 + (Thu, 21 Apr 2016) New Revision: 41051 Modified: data/CVE/list Log: tmux OOB apparently fixed in 2.1 already Modified: data/CVE/list === --- data/CVE/list 2016-04-21 20:38:49 UTC (rev 41050) +++ data/CVE/list 2016-04-21 20:55:43 UTC (rev 41051) @@ -1,8 +1,8 @@ CVE-2015- [tmux out-of-bounds heap read] - - tmux 2.2-1 + - tmux 2.1-1 NOTE: upstream issue: https://github.com/tmux/tmux/issues/92 NOTE: upstream commit: https://github.com/tmux/tmux/commit/2ffbd5b5f05dded1564ba32a6a00b0b417439b2f - NOTE: upstream fixed in 2.2 + NOTE: upstream fixed in 2.1 NOTE: https://bugs.gentoo.org/show_bug.cgi?id=564400 CVE-2016- [libxml_disable_entity_loader setting is shared between threads] - php5 5.6.6+dfsg-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41050 - data/CVE
Author: carnil Date: 2016-04-21 20:38:49 + (Thu, 21 Apr 2016) New Revision: 41050 Modified: data/CVE/list Log: Update entry for jq issue, #802231 Modified: data/CVE/list === --- data/CVE/list 2016-04-21 19:51:39 UTC (rev 41049) +++ data/CVE/list 2016-04-21 20:38:49 UTC (rev 41050) @@ -58,7 +58,8 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/04/20/5 CVE-2015- [Heap-based buffer overflow in check_literal()] - jq (bug #802231) - TODO: check versions + NOTE: https://github.com/stedolan/jq/issues/995 + NOTE: https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd CVE-2016-4039 RESERVED CVE-2016-4036 (openSUSE and SUSE Linux Enterprise Server 11 SP 1 use weak permissions ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41048 - in data: . DSA
Author: carnil Date: 2016-04-21 19:22:29 + (Thu, 21 Apr 2016) New Revision: 41048 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for xen for jessie-security Modified: data/DSA/list === --- data/DSA/list 2016-04-21 18:35:22 UTC (rev 41047) +++ data/DSA/list 2016-04-21 19:22:29 UTC (rev 41048) @@ -1,3 +1,6 @@ +[21 Apr 2016] DSA-3554-1 xen - security update + {CVE-2016-3158 CVE-2016-3159 CVE-2016-3960} + [jessie] - xen 4.4.1-9+deb8u5 [21 Apr 2016] DSA-3553-1 varnish - security update {CVE-2015-8852} [wheezy] - varnish 3.0.2-2+deb7u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-21 18:35:22 UTC (rev 41047) +++ data/dsa-needed.txt 2016-04-21 19:22:29 UTC (rev 41048) @@ -80,6 +80,3 @@ -- tomcat8 -- -xen/stable (carnil) - https://people.debian.org/~carnil/tmp/xen/jessie/ --- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41047 - data/CVE
Author: carnil Date: 2016-04-21 18:35:22 + (Thu, 21 Apr 2016) New Revision: 41047 Modified: data/CVE/list Log: Add two more temporary items for php issues Modified: data/CVE/list === --- data/CVE/list 2016-04-21 18:05:44 UTC (rev 41046) +++ data/CVE/list 2016-04-21 18:35:22 UTC (rev 41047) @@ -1,3 +1,21 @@ +CVE-2016- [libxml_disable_entity_loader setting is shared between threads] + - php5 5.6.6+dfsg-1 + NOTE: https://bugs.php.net/bug.php?id=64938 + NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817 + NOTE: http://framework.zend.com/security/advisory/ZF2015-06 -> Relation to CVE-2015-5161 + NOTE: http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9 + NOTE: Fixed in 5.6.6, 5.5.22 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/21/8 +CVE-2016- [openssl_random_pseudo_bytes() is not cryptographically secure] + - php7.0 7.0.0-1 + - php5 5.6.12+dfsg-1 + [jessie] - php5 5.6.12+dfsg-0+deb8u1 + [wheezy] - php5 5.4.44-0+deb7u1 + NOTE: https://bugs.php.net/bug.php?id=70014 + NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203 + NOTE: http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827 + NOTE: Fixed in 7.0.0, 5.6.12, 5.5.28, 5.5.44 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/21/8 CVE-2016-4056 - typo3-src [wheezy] - typo3-src (See DSA 3314) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41046 - data
Author: carnil Date: 2016-04-21 18:05:44 + (Thu, 21 Apr 2016) New Revision: 41046 Modified: data/dsa-needed.txt Log: Add openjdk-6 and openjdk-7 to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-21 18:04:24 UTC (rev 41045) +++ data/dsa-needed.txt 2016-04-21 18:05:44 UTC (rev 41046) @@ -56,6 +56,10 @@ -- ntp -- +openjdk-6/oldstable +-- +openjdk-7 +-- openjpeg2 (jmm) -- pdns/oldstable (Mike Gabriel) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41045 - data/CVE
Author: carnil Date: 2016-04-21 18:04:24 + (Thu, 21 Apr 2016) New Revision: 41045 Modified: data/CVE/list Log: openjdk-7 removed from unstable, only maintained in experimental Modified: data/CVE/list === --- data/CVE/list 2016-04-21 17:57:21 UTC (rev 41044) +++ data/CVE/list 2016-04-21 18:04:24 UTC (rev 41045) @@ -1582,7 +1582,7 @@ CVE-2016-3443 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-3442 RESERVED @@ -1619,17 +1619,17 @@ CVE-2016-3427 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-3426 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-3425 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-3424 RESERVED @@ -1638,7 +1638,7 @@ CVE-2016-3422 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-3421 RESERVED @@ -10541,7 +10541,7 @@ CVE-2016-0695 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-0694 RESERVED @@ -10564,12 +10564,12 @@ CVE-2016-0687 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-0686 RESERVED - openjdk-8 - - openjdk-7 + - openjdk-7 - openjdk-6 CVE-2016-0685 RESERVED @@ -10776,7 +10776,7 @@ CVE-2016-0636 (Unspecified vulnerability in Oracle Java SE 7u97, 8u73, and 8u74 ...) - openjdk-8 8u77-b03-1 [experimental] - openjdk-7 7u95-2.6.4-3 - - openjdk-7 + - openjdk-7 - openjdk-6 NOTE: http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html NOTE: https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636 @@ -85634,7 +85634,7 @@ - openjdk-6 (low) [squeeze] - openjdk-6 (Minor issue, no icedtea fix, too complex to backport) [wheezy] - openjdk-6 (Minor issue, no icedtea fix, too complex to backport) - - openjdk-7 (low) + - openjdk-7 (low) [wheezy] - openjdk-7 (Minor issue, no icedtea fix, too complex to backport) [jessie] - openjdk-7 (Minor issue, no icedtea fix, too complex to backport) CVE-2012-5372 (Rubinius computes hash values without properly restricting the ability ...) @@ -92751,7 +92751,7 @@ NOT-FOR-US: phplist CVE-2012-2739 (Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 ...) - openjdk-6 (unimportant) - - openjdk-7 (unimportant) + - openjdk-7 (unimportant) NOTE: Upstream disputes this and states it needs to be fixed in Java apps itself NOTE: http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html NOTE: http://armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41044 - data/CVE
Author: carnil Date: 2016-04-21 17:57:21 + (Thu, 21 Apr 2016) New Revision: 41044 Modified: data/CVE/list Log: Add note and expand TODO for CVE-2016-3074 Modified: data/CVE/list === --- data/CVE/list 2016-04-21 17:50:58 UTC (rev 41043) +++ data/CVE/list 2016-04-21 17:57:21 UTC (rev 41044) @@ -2368,9 +2368,12 @@ CVE-2016-3074 RESERVED - libgd2 + - php5 (unimportant) + - php7.0 (unimportant) NOTE: PoC: https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074 NOTE: Upstream fix: https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 - TODO: check + NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd + TODO: check (php5, php7.0, hhvm, texlive, libwmf) CVE-2016-3073 RESERVED CVE-2016-3072 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41043 - data/CVE
Author: carnil Date: 2016-04-21 17:50:58 + (Thu, 21 Apr 2016) New Revision: 41043 Modified: data/CVE/list Log: Add CVE-2016-3074/libgd2 Modified: data/CVE/list === --- data/CVE/list 2016-04-21 17:28:33 UTC (rev 41042) +++ data/CVE/list 2016-04-21 17:50:58 UTC (rev 41043) @@ -2367,6 +2367,10 @@ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19879 CVE-2016-3074 RESERVED + - libgd2 + NOTE: PoC: https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074 + NOTE: Upstream fix: https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 + TODO: check CVE-2016-3073 RESERVED CVE-2016-3072 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41042 - data/CVE
Author: carnil Date: 2016-04-21 17:28:33 + (Thu, 21 Apr 2016) New Revision: 41042 Modified: data/CVE/list Log: Add CVE-2016-4056/typo3-src Modified: data/CVE/list === --- data/CVE/list 2016-04-21 15:44:08 UTC (rev 41041) +++ data/CVE/list 2016-04-21 17:28:33 UTC (rev 41042) @@ -1,3 +1,6 @@ +CVE-2016-4056 + - typo3-src + [wheezy] - typo3-src (See DSA 3314) CVE-2016-4054 - squid3 - squid ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41041 - data/CVE
Author: anarcat Date: 2016-04-21 15:44:08 + (Thu, 21 Apr 2016) New Revision: 41041 Modified: data/CVE/list Log: Summary: clarify status of CVE-2016-2039 (SNAFU) and CVE-2016-2042 (introduced with 2039) Modified: data/CVE/list === --- data/CVE/list 2016-04-21 15:24:48 UTC (rev 41040) +++ data/CVE/list 2016-04-21 15:44:08 UTC (rev 41041) @@ -5855,6 +5855,7 @@ CVE-2016-2042 (phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) + NOTE: introduced as part of the CVE-2016-2039 fix NOTE: https://www.phpmyadmin.net/security/PMASA-2016-6/ CVE-2016-2041 (libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x ...) {DLA-406-1} @@ -5869,9 +5870,10 @@ CVE-2016-2039 (libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x ...) {DLA-406-1} - phpmyadmin 4:4.5.4-1 - NOTE: squeeze patch backport trivial to wheezy + NOTE: squeeze patch was actually incorrect and probably not functional: libraries/phpseclib/Crypt/Random.php needs some engine (e.g. AES) to work NOTE: https://www.phpmyadmin.net/security/PMASA-2016-2/ - NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd is not sufficient: one needs 29b297f to import more bits from phpseclib or simply import all of phpseclib. + NOTE: such a fix needs to avoid introducing a new vulnerability as well, upstream introduced CVE-2016-2042 as part of this CVE-2016-2038 (phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41040 - data/CVE
Author: anarcat Date: 2016-04-21 15:24:48 + (Thu, 21 Apr 2016) New Revision: 41040 Modified: data/CVE/list Log: Summary: it's 2044, not 2045, and same for 2043 Modified: data/CVE/list === --- data/CVE/list 2016-04-21 15:21:50 UTC (rev 41039) +++ data/CVE/list 2016-04-21 15:24:48 UTC (rev 41040) @@ -5837,18 +5837,21 @@ CVE-2016-2045 (Cross-site scripting (XSS) vulnerability in the SQL editor in ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) - [wheezy] - phpmyadmin (vulnerable code not present) - [jessie] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-9/ - NOTE: vulnerability introduced in 4.5.0.1 / 718ef31 CVE-2016-2044 (libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) + [wheezy] - phpmyadmin (vulnerable code not present) + [jessie] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-8/ + NOTE: vulnerability introduced in 4.5.0.1 / 718ef31 CVE-2016-2043 (Cross-site scripting (XSS) vulnerability in the goToFinish1NF function ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) + [wheezy] - phpmyadmin (vulnerable code not present) + [jessie] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-7/ + NOTE: vulnerability introduced in 4.3.3 / 1e971f3 CVE-2016-2042 (phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41039 - data/CVE
Author: anarcat Date: 2016-04-21 15:21:50 + (Thu, 21 Apr 2016) New Revision: 41039 Modified: data/CVE/list Log: Summary: CVE-2016-2045: not-affected Modified: data/CVE/list === --- data/CVE/list 2016-04-21 15:17:30 UTC (rev 41038) +++ data/CVE/list 2016-04-21 15:21:50 UTC (rev 41039) @@ -5837,7 +5837,10 @@ CVE-2016-2045 (Cross-site scripting (XSS) vulnerability in the SQL editor in ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) + [wheezy] - phpmyadmin (vulnerable code not present) + [jessie] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-9/ + NOTE: vulnerability introduced in 4.5.0.1 / 718ef31 CVE-2016-2044 (libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41038 - data/CVE
Author: carnil Date: 2016-04-21 15:17:30 + (Thu, 21 Apr 2016) New Revision: 41038 Modified: data/CVE/list Log: Add four more NFUs for Pulp Thanks: Sander Bos Modified: data/CVE/list === --- data/CVE/list 2016-04-21 14:34:12 UTC (rev 41037) +++ data/CVE/list 2016-04-21 15:17:30 UTC (rev 41038) @@ -2268,16 +2268,20 @@ RESERVED CVE-2016-3112 RESERVED + NOT-FOR-US: Pulp (Red Hat) CVE-2016-3111 RESERVED + NOT-FOR-US: Pulp (Red Hat) CVE-2016-3110 RESERVED CVE-2016-3109 RESERVED CVE-2016-3108 RESERVED + NOT-FOR-US: Pulp (Red Hat) CVE-2016-3107 RESERVED + NOT-FOR-US: Pulp (Red Hat) CVE-2016-3106 RESERVED NOT-FOR-US: Pulp (Red Hat) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41037 - org
Author: anarcat Date: 2016-04-21 14:34:12 + (Thu, 21 Apr 2016) New Revision: 41037 Modified: org/lts-frontdesk.2016.txt Log: Summary: take two more frontdesk spots Modified: org/lts-frontdesk.2016.txt === --- org/lts-frontdesk.2016.txt 2016-04-21 12:21:51 UTC (rev 41036) +++ org/lts-frontdesk.2016.txt 2016-04-21 14:34:12 UTC (rev 41037) @@ -30,11 +30,11 @@ From 25-04 to 01-05:Santiago Ruano RincónFrom 02-05 to 08-05:Markus Koschany From 09-05 to 15-05:Chris Lamb -From 16-05 to 22-05: +From 16-05 to 22-05:Antoine Beaupré From 23-05 to 29-05: From 30-05 to 05-06: From 06-06 to 12-06:Chris Lamb -From 13-06 to 19-06: +From 13-06 to 19-06:Antoine Beaupré From 20-06 to 26-06: From 27-06 to 03-07: From 04-07 to 10-07:Chris Lamb ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41036 - in data: . DSA
Author: seb Date: 2016-04-21 12:21:51 + (Thu, 21 Apr 2016) New Revision: 41036 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA-3553-1 for CVE-2015-8852 (varnish) Modified: data/DSA/list === --- data/DSA/list 2016-04-21 10:01:02 UTC (rev 41035) +++ data/DSA/list 2016-04-21 12:21:51 UTC (rev 41036) @@ -1,3 +1,6 @@ +[21 Apr 2016] DSA-3553-1 varnish - security update + {CVE-2015-8852} + [wheezy] - varnish 3.0.2-2+deb7u2 [17 Apr 2016] DSA-3552-1 tomcat7 - security update {CVE-2015-5174 CVE-2015-5345 CVE-2015-5346 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763} [wheezy] - tomcat7 7.0.28-4+deb7u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-21 10:01:02 UTC (rev 41035) +++ data/dsa-needed.txt 2016-04-21 12:21:51 UTC (rev 41036) @@ -79,5 +79,3 @@ xen/stable (carnil) https://people.debian.org/~carnil/tmp/xen/jessie/ -- -varnish/oldstable (seb) - http://permalink.gmane.org/gmane.comp.security.oss.general/19316 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41035 - org
Author: lamby Date: 2016-04-21 10:01:02 + (Thu, 21 Apr 2016) New Revision: 41035 Modified: org/lts-frontdesk.2016.txt Log: Schedule a few LTS frontdesk duties. Modified: org/lts-frontdesk.2016.txt === --- org/lts-frontdesk.2016.txt 2016-04-21 08:23:14 UTC (rev 41034) +++ org/lts-frontdesk.2016.txt 2016-04-21 10:01:02 UTC (rev 41035) @@ -29,15 +29,15 @@ From 18-04 to 24-04: From 25-04 to 01-05:Santiago Ruano RincónFrom 02-05 to 08-05:Markus Koschany -From 09-05 to 15-05: +From 09-05 to 15-05:Chris Lamb From 16-05 to 22-05: From 23-05 to 29-05: From 30-05 to 05-06: -From 06-06 to 12-06: +From 06-06 to 12-06:Chris Lamb From 13-06 to 19-06: From 20-06 to 26-06: From 27-06 to 03-07: -From 04-07 to 10-07: +From 04-07 to 10-07:Chris Lamb From 11-07 to 17-07: From 18-07 to 24-07: From 25-07 to 31-07: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41034 - data/CVE
Author: carnil Date: 2016-04-21 08:23:14 + (Thu, 21 Apr 2016) New Revision: 41034 Modified: data/CVE/list Log: CVEs for mysql-5.6 fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2016-04-21 07:15:06 UTC (rev 41033) +++ data/CVE/list 2016-04-21 08:23:14 UTC (rev 41034) @@ -5926,7 +5926,7 @@ - mariadb-10.0 10.0.23-1 NOTE: https://mariadb.atlassian.net/browse/MDEV-9212 NOTE: https://github.com/MariaDB/server/commit/f0d774d48416bb06063184380b684380ca005a41 - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) [squeeze] - mysql-5.5 (will be fixed along with an upcoming Oracle CPU) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html @@ -10594,7 +10594,7 @@ NOT-FOR-US: Solaris CVE-2016-0668 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0667 @@ -10604,13 +10604,13 @@ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0666 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0665 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0664 @@ -10627,7 +10627,7 @@ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0661 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0660 @@ -10654,7 +10654,7 @@ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0655 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0654 @@ -10682,31 +10682,31 @@ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0650 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0649 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0648 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0647 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0646 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html @@ -10714,37 +10714,37 @@ RESERVED CVE-2016-0644 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0643 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0642 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0641 RESERVED - - mysql-5.6 (bug #821094) + - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) -
[Secure-testing-commits] r41033 - org
Author: santiago Date: 2016-04-21 07:15:06 + (Thu, 21 Apr 2016) New Revision: 41033 Modified: org/lts-frontdesk.2016.txt Log: LTS frontdesk: add myself for next week Modified: org/lts-frontdesk.2016.txt === --- org/lts-frontdesk.2016.txt 2016-04-21 06:42:04 UTC (rev 41032) +++ org/lts-frontdesk.2016.txt 2016-04-21 07:15:06 UTC (rev 41033) @@ -27,7 +27,7 @@ From 04-04 to 10-04: From 11-04 to 17-04:Markus KoschanyFrom 18-04 to 24-04: -From 25-04 to 01-05: +From 25-04 to 01-05:Santiago Ruano Rincón From 02-05 to 08-05:Markus Koschany From 09-05 to 15-05: From 16-05 to 22-05: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41032 - org
Author: apo Date: 2016-04-21 06:42:04 + (Thu, 21 Apr 2016) New Revision: 41032 Modified: org/lts-frontdesk.2016.txt Log: Add myself to lts-frontdesk.2016. 2-8 May Modified: org/lts-frontdesk.2016.txt === --- org/lts-frontdesk.2016.txt 2016-04-21 06:36:30 UTC (rev 41031) +++ org/lts-frontdesk.2016.txt 2016-04-21 06:42:04 UTC (rev 41032) @@ -28,7 +28,7 @@ From 11-04 to 17-04:Markus KoschanyFrom 18-04 to 24-04: From 25-04 to 01-05: -From 02-05 to 08-05: +From 02-05 to 08-05:Markus Koschany From 09-05 to 15-05: From 16-05 to 22-05: From 23-05 to 29-05: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41031 - data/CVE
Author: carnil Date: 2016-04-21 06:36:30 + (Thu, 21 Apr 2016) New Revision: 41031 Modified: data/CVE/list Log: Add four new CVEs for squid Modified: data/CVE/list === --- data/CVE/list 2016-04-21 05:21:32 UTC (rev 41030) +++ data/CVE/list 2016-04-21 06:36:30 UTC (rev 41031) @@ -1,3 +1,19 @@ +CVE-2016-4054 + - squid3 + - squid + TODO: check +CVE-2016-4053 + - squid3 + - squid + TODO: check +CVE-2016-4052 + - squid3 + - squid + TODO: check +CVE-2016-4051 + - squid3 + - squid + TODO: check CVE-2016-4044 RESERVED CVE-2016-4043 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits