[Secure-testing-commits] r41105 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:23:25 + (Sun, 24 Apr 2016)
New Revision: 41105

Modified:
   data/CVE/list
Log:
CVE-2015-8867/php assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:22:15 UTC (rev 41104)
+++ data/CVE/list   2016-04-24 05:23:25 UTC (rev 41105)
@@ -111,7 +111,7 @@
NOTE: 
http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
NOTE: Fixed in 5.6.6, 5.5.22
NOTE: http://www.openwall.com/lists/oss-security/2016/04/21/8
-CVE-2016- [openssl_random_pseudo_bytes() is not cryptographically secure]
+CVE-2015-8867 [openssl_random_pseudo_bytes() is not cryptographically secure]
- php7.0 7.0.0-1
- php5 5.6.12+dfsg-1
[jessie] - php5 5.6.12+dfsg-0+deb8u1
@@ -120,7 +120,7 @@
NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203
NOTE: 
http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
NOTE: Fixed in 7.0.0, 5.6.12, 5.5.28, 5.5.44
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/21/8
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/21/8
 CVE-2016-4056
RESERVED
- typo3-src 
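Review bot: the unchanged context line "NOTE: Fixed in 7.0.0, 5.6.12, 5.5.28, 5.5.44" lists two 5.5.x releases for one fix, and the [jessie] fixed version 5.6.12+dfsg-0+deb8u1 shown in the first hunk is being validated against this list. If commit 16023f3e landed in 5.5.28, 5.5.44 is redundant and should be dropped; if a follow-up was needed in 5.5.44, the note should cite that second commit so the Debian backport does not stop at the first one.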


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r41104 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:22:15 + (Sun, 24 Apr 2016)
New Revision: 41104

Modified:
   data/CVE/list
Log:
CVE-2015-8866/php assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:16:36 UTC (rev 41103)
+++ data/CVE/list   2016-04-24 05:22:15 UTC (rev 41104)
@@ -103,14 +103,14 @@
NOTE: upstream commit: 
https://github.com/tmux/tmux/commit/2ffbd5b5f05dded1564ba32a6a00b0b417439b2f 
(2.1)
NOTE: upstream fixed in 2.1
NOTE: https://bugs.gentoo.org/show_bug.cgi?id=564400
-CVE-2016- [libxml_disable_entity_loader setting is shared between threads]
+CVE-2015-8866 [libxml_disable_entity_loader setting is shared between threads]
- php5 5.6.6+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=64938
NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
NOTE: http://framework.zend.com/security/advisory/ZF2015-06 -> Relation 
to CVE-2015-5161
NOTE: 
http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
NOTE: Fixed in 5.6.6, 5.5.22
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/21/8
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/21/8
 CVE-2016- [openssl_random_pseudo_bytes() is not cryptographically secure]
- php7.0 7.0.0-1
- php5 5.6.12+dfsg-1
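Review bot: this entry records only the unstable fixed version (php5 5.6.6+dfsg-1) and no suite lines, whereas the neighbouring openssl_random_pseudo_bytes() entry carries a [jessie] line (see r41105 above). With "Fixed in 5.6.6, 5.5.22" the status of any suite shipping a php5 older than 5.5.22 is left undetermined, so add a [wheezy] line (fixed version, no-dsa, or not-affected). The "Relation to CVE-2015-5161" note should also say what the relation is (same root cause, duplicate, or a dependent fix in Zend Framework), otherwise the two ids risk being merged by a later reader.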



[Secure-testing-commits] r41103 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:16:36 + (Sun, 24 Apr 2016)
New Revision: 41103

Modified:
   data/CVE/list
Log:
CVE-2016-4073/php assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:15:08 UTC (rev 41102)
+++ data/CVE/list   2016-04-24 05:16:36 UTC (rev 41103)
@@ -460,13 +460,14 @@
NOTE: https://gist.github.com/smalyshev/80b5c2909832872f2ba2
NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a
NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7
-CVE-2016- [Negative size parameter in memcpy]
+CVE-2016-4073 [Negative size parameter in memcpy]
- php7.0 7.0.5-1
- php5 5.6.20+dfsg-1
NOTE: Fixed in 7.0.5, 5.6.20, 5.5.34
NOTE: https://bugs.php.net/bug.php?id=71906
NOTE: https://gist.github.com/smalyshev/d8355c96a657cc5dba70
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/11/7
+   NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7
 CVE-2016-3976 (Directory traversal vulnerability in SAP NetWeaver AS Java 7.4 
allows ...)
NOT-FOR-US: SAP
 CVE-2016-3975 (Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS 
Java 7.4 ...)
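Review bot: the description "[Negative size parameter in memcpy]" does not name the affected extension or function, unlike the php_raw_url_encode and php_snmp_error() entries in this file; since the added commit 64f42c73 and bug #71906 identify the location, put it in the bracketed summary so the entry can be matched against the eventual CVE text without following links.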



[Secure-testing-commits] r41100 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:13:12 + (Sun, 24 Apr 2016)
New Revision: 41100

Modified:
   data/CVE/list
Log:
CVE-2016-4070/php5 assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:11:42 UTC (rev 41099)
+++ data/CVE/list   2016-04-24 05:13:12 UTC (rev 41100)
@@ -438,13 +438,13 @@
- imlib2 1.4.8-1 (bug #785369)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8
NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/6
-CVE-2016- [Integer overflow in php_raw_url_encode]
+CVE-2016-4070 [Integer overflow in php_raw_url_encode]
- php7.0 7.0.5-1
- php5 5.6.20+dfsg-1
NOTE: Fixed in 7.0.5, 5.6.20, 5.5.34
NOTE: https://bugs.php.net/bug.php?id=71798
NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/11/7
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7
 CVE-2016- [Format string vulnerability in php_snmp_error()]
- php7.0 7.0.5-1
- php5 5.6.20+dfsg-1



[Secure-testing-commits] r41101 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:14:04 + (Sun, 24 Apr 2016)
New Revision: 41101

Modified:
   data/CVE/list
Log:
CVE-2016-4071/php assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:13:12 UTC (rev 41100)
+++ data/CVE/list   2016-04-24 05:14:04 UTC (rev 41101)
@@ -445,13 +445,13 @@
NOTE: https://bugs.php.net/bug.php?id=71798
NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7
-CVE-2016- [Format string vulnerability in php_snmp_error()]
+CVE-2016-4071 [Format string vulnerability in php_snmp_error()]
- php7.0 7.0.5-1
- php5 5.6.20+dfsg-1
NOTE: Fixed in 7.0.5, 5.6.20, 5.5.34
NOTE: https://bugs.php.net/bug.php?id=71704
NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/11/7
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7
 CVE-2016- [Invalid memory write in phar on filename containing \0 inside 
name]
- php7.0 7.0.5-1
- php5 5.6.20+dfsg-1



[Secure-testing-commits] r41099 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:11:42 + (Sun, 24 Apr 2016)
New Revision: 41099

Modified:
   data/CVE/list
Log:
CVE-2015-8865/{php,file} assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:09:37 UTC (rev 41098)
+++ data/CVE/list   2016-04-24 05:11:42 UTC (rev 41099)
@@ -580,14 +580,16 @@
- tiff 
- tiff3 
TODO: check
-CVE-2016- [Buffer over-write in finfo_open with malformed magic file]
+CVE-2015-8865 [Buffer over-write in finfo_open with malformed magic file]
- php7.0 7.0.5-1
- php5 5.6.20+dfsg-1
- file 1:5.24-1
NOTE: http://bugs.gw.com/view.php?id=522
+   NOTE: 
https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
NOTE: https://bugs.php.net/bug.php?id=71527
+   NOTE: 
http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e
NOTE: PHP fixed in 7.0.5, 5.6.20, 5.5.34
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/11/7
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7
TODO: recheck versions
 CVE-2016-3993 [off-by-one OOB read in __imlib_MergeUpdate]
RESERVED
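Review bot: "TODO: recheck versions" stays open and the newly added file commit 6713ca45 has no "file fixed in" note parallel to "PHP fixed in 7.0.5, 5.6.20, 5.5.34"; record which file release contains that commit so the file 1:5.24-1 fixed version can be checked against it, then drop the TODO. PHP's fileinfo extension carries its own copy of libmagic, which is why a second commit (fe13566c) is cited for php; a one-line NOTE saying the php change is the same fix applied to the embedded copy would make the two package lines self-explanatory.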



[Secure-testing-commits] r41098 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:09:37 + (Sun, 24 Apr 2016)
New Revision: 41098

Modified:
   data/CVE/list
Log:
CVE-2015-8868/poppler assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:08:38 UTC (rev 41097)
+++ data/CVE/list   2016-04-24 05:09:37 UTC (rev 41098)
@@ -345,11 +345,11 @@
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/12/4
NOTE: Introduced in: 
https://github.com/brltty/brltty/commit/e62b3c925d03239a372d425fb87b2cac65d8ef19
NOTE: Fixed by: 
https://github.com/brltty/brltty/commit/74affe7d1401f2b43ad32e18cb78704d22604ad7
-CVE-2016- [heap overflow]
+CVE-2015-8868 [heap overflow]
- poppler 
NOTE: 
https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=93476
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/12/1
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/12/1
 CVE-2016-3996
RESERVED
 CVE-2016-3991
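Review bot: the "- poppler" line still has neither a fixed version nor a bug number even though the upstream commit b3425dd3 is cited; add the Debian bug and the first poppler release containing the fix. The summary "[heap overflow]" is also too generic to distinguish this issue from other poppler heap bugs; other entries in this file name the function or loader (for example "[off-by-one OOB read in __imlib_MergeUpdate]"), so take the affected routine from freedesktop bug 93476.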



[Secure-testing-commits] r41097 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:08:38 + (Sun, 24 Apr 2016)
New Revision: 41097

Modified:
   data/CVE/list
Log:
CVE-2016-4069/roundcube assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-24 05:05:56 UTC (rev 41096)
+++ data/CVE/list   2016-04-24 05:08:38 UTC (rev 41097)
@@ -1,10 +1,10 @@
-CVE-2016- [Protect download urls against CSRF using unique request tokens]
+CVE-2016-4069 [Protect download urls against CSRF using unique request tokens]
- roundcube  (bug #822333)
NOTE: https://github.com/roundcube/roundcubemail/issues/4957
NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
NOTE: 
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
NOTE: 
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
 (release-1.1)
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/3
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/3
 CVE-2016-4068 ["for the remaining SVG XSS issues additional to CVE-2015-8864"]
- roundcube 
NOTE: 
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
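Review bot: the roundcube line carries bug #822333 but no fixed version, although the changelog link points at release 1.1.5 and the second commit is tagged "(release-1.1)"; note "fixed upstream in 1.1.5" now and fill in the Debian version when the upload lands. Bug #822333 is shared with the SVG XSS entry below (see r41087), which is fine as long as one upload closes both.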



[Secure-testing-commits] r41096 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-24 05:05:56 + (Sun, 24 Apr 2016)
New Revision: 41096

Modified:
   data/CVE/list
Log:
Two CVEs for roundcube assigned for XSS issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 22:13:46 UTC (rev 41095)
+++ data/CVE/list   2016-04-24 05:05:56 UTC (rev 41096)
@@ -5,13 +5,17 @@
NOTE: 
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
NOTE: 
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
 (release-1.1)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/3
-CVE-2016- [XSS issue in SVG images handling]
+CVE-2016-4068 ["for the remaining SVG XSS issues additional to CVE-2015-8864"]
+   - roundcube 
+   NOTE: 
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
+   NOTE: These remain unfixed in versions 1.0.9, 1.1.5 and 1.2-rc
+CVE-2015-8864 [XSS issue in SVG images handling]
- roundcube  (bug #822333)
NOTE: https://github.com/roundcube/roundcubemail/issues/4949
NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
NOTE: 
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
NOTE: 
https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0
 (release-1.1)
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/3
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/3
 CVE-2016- [MS-WSP dissector crash]
- wireshark 2.0.3+geed34f0-1 (low)
[jessie] - wireshark  (Only affects 2.x)
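Review bot: the new CVE-2016-4068 entry has no "(bug #822333)" reference, unlike CVE-2015-8864, yet its NOTE says the issue remains unfixed in 1.0.9, 1.1.5 and 1.2-rc, so the roundcube line will stay open after the 1.1.5 upload and needs its own bug. The bracketed summary is a quoted fragment from the assignment mail rather than a description; rewording it as "[further SVG XSS issues not covered by CVE-2015-8864]" keeps the meaning and matches the style of the other entries.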



[Secure-testing-commits] r41095 - in data: . DSA

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 22:13:46 + (Sat, 23 Apr 2016)
New Revision: 41095

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for imlib2

Modified: data/DSA/list
===
--- data/DSA/list   2016-04-23 17:55:09 UTC (rev 41094)
+++ data/DSA/list   2016-04-23 22:13:46 UTC (rev 41095)
@@ -1,3 +1,7 @@
+[23 Apr 2016] DSA-3555-1 imlib2 - security update
+   {CVE-2011-5326 CVE-2014-9771 CVE-2016-3993 CVE-2016-3994 CVE-2016-4024}
+   [wheezy] - imlib2 1.4.5-1+deb7u2
+   [jessie] - imlib2 1.4.6-2+deb8u2
 [21 Apr 2016] DSA-3554-1 xen - security update
{CVE-2016-3158 CVE-2016-3159 CVE-2016-3960}
[jessie] - xen 4.4.1-9+deb8u5
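Review bot: the DSA lists CVE-2014-9771 together with the four imlib2 ids, but nothing on this page touches a CVE-2014-9771 entry in data/CVE/list (r41079 added sid fixed versions only for CVE-2016-4024, CVE-2011-5326, CVE-2016-3994 and CVE-2016-3993, and r41089 dropped no-dsa tags for two of them); check that CVE-2014-9771 has an imlib2 line with a fixed version so the DSA cross-reference resolves.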

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-04-23 17:55:09 UTC (rev 41094)
+++ data/dsa-needed.txt 2016-04-23 22:13:46 UTC (rev 41095)
@@ -30,8 +30,6 @@
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along
 --
-imlib2 (ghedo)
---
 libgd2
   carnil> Test packages: https://people.debian.org/~carnil/tmp/libgd2/
 --



[Secure-testing-commits] r41094 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 17:55:09 + (Sat, 23 Apr 2016)
New Revision: 41094

Modified:
   data/CVE/list
Log:
Add fixed version for #822242

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 17:40:02 UTC (rev 41093)
+++ data/CVE/list   2016-04-23 17:55:09 UTC (rev 41094)
@@ -2508,7 +2508,7 @@
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19879
 CVE-2016-3074 [Signedness vulnerability causing heap overflow]
RESERVED
-   - libgd2  (bug #822242)
+   - libgd2 2.1.1-4.1 (bug #822242)
- php5  (unimportant)
- php7.0  (unimportant)
NOTE: PoC: 
https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074
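Review bot: the "(unimportant)" tags on the php5 and php7.0 lines carry no rationale; other entries in this file put the reason in parentheses (for example "(Only affects 2.x)"). If the reason is that the Debian packages build against the system libgd2 rather than the bundled copy, say so, otherwise the next triager will re-check the embedded gd source.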



[Secure-testing-commits] r41093 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 17:40:02 + (Sat, 23 Apr 2016)
New Revision: 41093

Modified:
   data/CVE/list
Log:
Add runc for CVE-2016-3697, add commit references for upstream fixes

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 17:29:40 UTC (rev 41092)
+++ data/CVE/list   2016-04-23 17:40:02 UTC (rev 41093)
@@ -1103,6 +1103,9 @@
 CVE-2016-3697 [privilege escalation via confusion of usernames and UIDs]
RESERVED
- docker.io 
+   - runc 
+   NOTE: 
https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
 (runc)
+   NOTE: 
https://github.com/docker/docker/commit/da38ac6c79fe902ed0687afc73d731c95c6d491a
 (docker)
TODO: check
 CVE-2016-3696
RESERVED
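Review bot: both package lines (docker.io, runc) still lack fixed versions and the "TODO: check" stays; since the fixing commits 69af385d (runc) and da38ac6c (docker) are now cited, at least the upstream releases containing them can be recorded, which is what the TODO needs in order to be resolved.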



[Secure-testing-commits] r41092 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 17:29:40 + (Sat, 23 Apr 2016)
New Revision: 41092

Modified:
   data/CVE/list
Log:
Add bug reference for qemu issue, #822344

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 17:13:01 UTC (rev 41091)
+++ data/CVE/list   2016-04-23 17:29:40 UTC (rev 41092)
@@ -208,7 +208,7 @@
RESERVED
 CVE-2016-4037 [usb: Infinite loop vulnerability in usb_ehci using siTD process]
RESERVED
-   - qemu 
+   - qemu  (bug #822344)
[jessie] - qemu  (Minor issue)
[wheezy] - qemu  (Minor issue)
- qemu-kvm 
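Review bot: the "(Minor issue)" annotations for jessie and wheezy are attached to qemu only; qemu-kvm has no suite line and no fixed version, so its status in the suites that still ship it is undetermined. Add matching [wheezy]/[jessie] lines for qemu-kvm (or a not-affected marker where the source package does not exist).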



[Secure-testing-commits] r41091 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 17:13:01 + (Sat, 23 Apr 2016)
New Revision: 41091

Modified:
   data/CVE/list
Log:
Reference upstream commits for CVE-2016-4037/qemu

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 17:03:15 UTC (rev 41090)
+++ data/CVE/list   2016-04-23 17:13:01 UTC (rev 41091)
@@ -216,7 +216,8 @@
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg02691.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1325129
NOTE: http://www.openwall.com/lists/oss-security/2016/04/18/3
-   TODO: check affected versions
+   NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=1ae3f2f178087711f9591350abad133525ba93f2
 (v2.6.0-rc3)
+   NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=a49923d2837d20510d645d3758f1ad87c32d0730
 (v2.6.0-rc3)
 CVE-2016-4030
RESERVED
 CVE-2016-4029
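Review bot: replacing "TODO: check affected versions" with the two commit references answers which upstream tag carries the fix (v2.6.0-rc3) but not which Debian qemu version does; the qemu line of this entry still has no fixed version (see r41092 on this page), so either add it or keep a "TODO: fixed version" so the entry does not read as complete.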



[Secure-testing-commits] r41090 - data/CVE

2016-04-23 Thread Thorsten Alteholz
Author: alteholz
Date: 2016-04-23 17:03:15 + (Sat, 23 Apr 2016)
New Revision: 41090

Modified:
   data/CVE/list
Log:
only version 11.x, 12.x, 13.x affected

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 16:54:46 UTC (rev 41089)
+++ data/CVE/list   2016-04-23 17:03:15 UTC (rev 41090)
@@ -41190,6 +41190,7 @@
 CVE-2014-8417 (ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, 
and ...)
- asterisk 1:13.1.0~dfsg-1 (bug #771463)
[jessie] - asterisk 1:11.13.1~dfsg-2
+   [wheezy] - asterisk  (Only affects 11.x, 12.x and 13.x)
[squeeze] - asterisk  (Unsupported in squeeze-lts)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24490
NOTE: http://downloads.digium.com/pub/security/AST-2014-017.html
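Review bot: the new wheezy line uses the not-affected form (empty version plus reason) and the reason matches the version ranges in the CVE description, good. Note that the unchanged [jessie] line records 1:11.13.1~dfsg-2 as fixed although the description says "11.x before 11.14.1"; that is only consistent if the Debian revision backported the AST-2014-017 patch, which a short NOTE should state so the version is not later flagged as a typo.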



[Secure-testing-commits] r41089 - data/CVE

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 16:54:46 + (Sat, 23 Apr 2016)
New Revision: 41089

Modified:
   data/CVE/list
Log:
Remove no-dsa tag from imlib2 issues (might as well fix them while I'm at it)

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 15:22:54 UTC (rev 41088)
+++ data/CVE/list   2016-04-23 16:54:46 UTC (rev 41089)
@@ -412,8 +412,6 @@
 CVE-2011-5326 [divide-by-zero on 2x1 ellipse]
RESERVED
- imlib2 1.4.8-1 (bug #639414)
-   [jessie] - imlib2  (Minor issue)
-   [wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882
NOTE: http://www.openwall.com/lists/oss-security/2016/04/10/5
 CVE-2016-3995 [Timing Attack Counter Measure AES]
@@ -589,8 +587,6 @@
 CVE-2016-3993 [off-by-one OOB read in __imlib_MergeUpdate]
RESERVED
- imlib2 1.4.8-1 (bug #819818)
-   [jessie] - imlib2  (Minor issue)
-   [wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef
NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5
 CVE-2012- [Option -localhost seems to fail to restrict ipv6 access]



[Secure-testing-commits] r41088 - data/CVE

2016-04-23 Thread Thorsten Alteholz
Author: alteholz
Date: 2016-04-23 15:22:54 + (Sat, 23 Apr 2016)
New Revision: 41088

Modified:
   data/CVE/list
Log:
only version 11.x affected

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 15:13:35 UTC (rev 41087)
+++ data/CVE/list   2016-04-23 15:22:54 UTC (rev 41088)
@@ -41214,6 +41214,7 @@
 CVE-2014-8414 (ConfBridge in Asterisk 11.x before 11.14.1 and Certified 
Asterisk 11.6 ...)
- asterisk 1:13.1.0~dfsg-1 (bug #771463)
[jessie] - asterisk 1:11.13.1~dfsg-2
+   [wheezy] - asterisk  (Only affects 11.x)
[squeeze] - asterisk  (Unsupported in squeeze-lts)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24440
NOTE: http://downloads.digium.com/pub/security/AST-2014-014.html
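Review bot: the wheezy marker "Only affects 11.x" is correct for this issue, but the same bug #771463 and the same jessie version 1:11.13.1~dfsg-2 are shared with CVE-2014-8417 (handled separately in r41090 on this page) and presumably the other AST-2014 ConfBridge issues; sweeping all entries that share that bug in one commit avoids leaving some of them without a wheezy line.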



[Secure-testing-commits] r41087 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 15:13:35 + (Sat, 23 Apr 2016)
New Revision: 41087

Modified:
   data/CVE/list
Log:
Add bug reference for roundcube issues, #822333

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 15:04:55 UTC (rev 41086)
+++ data/CVE/list   2016-04-23 15:13:35 UTC (rev 41087)
@@ -1,12 +1,12 @@
 CVE-2016- [Protect download urls against CSRF using unique request tokens]
-   - roundcube 
+   - roundcube  (bug #822333)
NOTE: https://github.com/roundcube/roundcubemail/issues/4957
NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
NOTE: 
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
NOTE: 
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
 (release-1.1)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/3
 CVE-2016- [XSS issue in SVG images handling]
-   - roundcube 
+   - roundcube  (bug #822333)
NOTE: https://github.com/roundcube/roundcubemail/issues/4949
NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
NOTE: 
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18



[Secure-testing-commits] r41086 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 15:04:55 + (Sat, 23 Apr 2016)
New Revision: 41086

Modified:
   data/CVE/list
Log:
Add CVE request references for roundcube

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 14:56:31 UTC (rev 41085)
+++ data/CVE/list   2016-04-23 15:04:55 UTC (rev 41086)
@@ -4,12 +4,14 @@
NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
NOTE: 
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
NOTE: 
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
 (release-1.1)
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/3
 CVE-2016- [XSS issue in SVG images handling]
- roundcube 
NOTE: https://github.com/roundcube/roundcubemail/issues/4949
NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
NOTE: 
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
NOTE: 
https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0
 (release-1.1)
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/3
 CVE-2016- [MS-WSP dissector crash]
- wireshark 2.0.3+geed34f0-1 (low)
[jessie] - wireshark  (Only affects 2.x)



[Secure-testing-commits] r41085 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 14:56:31 + (Sat, 23 Apr 2016)
New Revision: 41085

Modified:
   data/CVE/list
Log:
Add upstream commit references for XSS issue in roundcube

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 14:52:45 UTC (rev 41084)
+++ data/CVE/list   2016-04-23 14:56:31 UTC (rev 41085)
@@ -5,10 +5,11 @@
NOTE: 
https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
NOTE: 
https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
 (release-1.1)
 CVE-2016- [XSS issue in SVG images handling]
-   - roundcube 
+   - roundcube 
NOTE: https://github.com/roundcube/roundcubemail/issues/4949
NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
-   TODO: check
+   NOTE: 
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
+   NOTE: 
https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0
 (release-1.1)
 CVE-2016- [MS-WSP dissector crash]
- wireshark 2.0.3+geed34f0-1 (low)
[jessie] - wireshark  (Only affects 2.x)
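Review bot: the "- roundcube" line is shown as removed and re-added with identical visible content, which indicates a trailing-whitespace change; keep whitespace cleanups out of content commits (or do them separately) so the diff shows only the real edit, which here is the TODO being replaced by the two commit references.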



[Secure-testing-commits] r41083 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 14:39:19 + (Sat, 23 Apr 2016)
New Revision: 41083

Modified:
   data/CVE/list
Log:
Add two roundcube issues from latest release

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 14:14:31 UTC (rev 41082)
+++ data/CVE/list   2016-04-23 14:39:19 UTC (rev 41083)
@@ -1,3 +1,13 @@
+CVE-2016- [Protect download urls against CSRF using unique request tokens]
+   - roundcube 
+   NOTE: https://github.com/roundcube/roundcubemail/issues/4957
+   NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
+   TODO: check
+CVE-2016- [XSS issue in SVG images handling]
+   - roundcube 
+   NOTE: https://github.com/roundcube/roundcubemail/issues/4949
+   NOTE: 
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
+   TODO: check
 CVE-2016- [MS-WSP dissector crash]
- wireshark 2.0.3+geed34f0-1 (low)
[jessie] - wireshark  (Only affects 2.x)



[Secure-testing-commits] r41082 - data/CVE

2016-04-23 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-04-23 14:14:31 + (Sat, 23 Apr 2016)
New Revision: 41082

Modified:
   data/CVE/list
Log:
new wireshark issues


Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 13:58:23 UTC (rev 41081)
+++ data/CVE/list   2016-04-23 14:14:31 UTC (rev 41082)
@@ -1,3 +1,34 @@
+CVE-2016- [MS-WSP dissector crash]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   [jessie] - wireshark  (Only affects 2.x)
+   [wheezy] - wireshark  (Only affects 2.x)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-27.html
+CVE-2016- [GSM CBCH dissector crash]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-26.html
+CVE-2016- [Wireshark and TShark crash]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-25.html
+CVE-2016- [IAX2 infinite loop]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-24.html
+CVE-2016- [PKTC dissector crash]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-23.html
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-22.html
+CVE-2016- [IEEE 802.11 dissector crash #2]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-21.html
+CVE-2016- [TShark reassembly crash]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   [jessie] - wireshark  (Only affects 2.x)
+   [wheezy] - wireshark  (Only affects 2.x)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-20.html
+CVE-2016- [NCP dissector crash]
+   - wireshark 2.0.3+geed34f0-1 (low)
+   [jessie] - wireshark  (Only affects 2.x)
+   [wheezy] - wireshark  (Only affects 2.x)
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2016-19.html
 CVE-2016-4058
RESERVED
 CVE-2016-4057
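Review bot: the PKTC entry cites two advisories (wnpa-sec-2016-23 and wnpa-sec-2016-22) under a single "CVE-2016-" placeholder; if they are distinct advisories they will very likely receive two CVE ids, so split them into two entries now rather than merging later. "[Wireshark and TShark crash]" is also too vague to match against a CVE text; use the dissector name from wnpa-sec-2016-25. Finally, only three of the eight entries carry the "[jessie]/[wheezy] (Only affects 2.x)" markers, so the other five will be tracked as affecting the 1.x suites; confirm that is intended for each.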



[Secure-testing-commits] r41081 - data

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 13:58:23 + (Sat, 23 Apr 2016)
New Revision: 41081

Modified:
   data/dsa-needed.txt
Log:
Add php5 to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-04-23 13:57:28 UTC (rev 41080)
+++ data/dsa-needed.txt 2016-04-23 13:58:23 UTC (rev 41081)
@@ -69,6 +69,9 @@
 --
 pdns/oldstable (Mike Gabriel)
 --
+php5
+  Maintainer proposed update to 5.6.20 for jessie, needs check/ack
+--
 samba
   Samba maintainers are preparing updates for regressions
 --
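Review bot: the new php5 entry does not list which issues the 5.6.20 update would address; the PHP entries committed on this page (CVE-2016-4073, CVE-2016-4070, CVE-2016-4071, CVE-2015-8865) all say "Fixed in 7.0.5, 5.6.20, 5.5.34", so naming those ids here lets whoever acks the update draft the DSA text directly. The entry also has no owner in parentheses, unlike "pdns/oldstable (Mike Gabriel)"; leave it unclaimed deliberately or assign it.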



[Secure-testing-commits] r41080 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 13:57:28 + (Sat, 23 Apr 2016)
New Revision: 41080

Modified:
   data/CVE/list
Log:
CVE-2015-8863/jq assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 12:43:42 UTC (rev 41079)
+++ data/CVE/list   2016-04-23 13:57:28 UTC (rev 41080)
@@ -134,11 +134,11 @@
NOTE: https://rt.perl.org/Public/Bug/Display.html?id=123562
NOTE: 
http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
NOTE: http://www.openwall.com/lists/oss-security/2016/04/20/5
-CVE-2015- [Heap-based buffer overflow in check_literal()]
+CVE-2015-8863 [off-by-one error that leads to a heap-based buffer overflow]
- jq  (bug #802231)
NOTE: https://github.com/stedolan/jq/issues/995
NOTE: 
https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/1
+   NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/1
 CVE-2016-4039
RESERVED
 CVE-2016-4036 (openSUSE and SUSE Linux Enterprise Server 11 SP 1 use weak 
permissions ...)
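Review bot: the rewritten summary drops the location that the old one had ("check_literal()"); the CVE wording "off-by-one error that leads to a heap-based buffer overflow" is fine, but keep the function name, for example "[off-by-one in check_literal() leading to heap-based buffer overflow]". The jq line still has no fixed version although the fixing commit 8eb1367c is cited; record the upstream release that contains it.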



[Secure-testing-commits] r41079 - data/CVE

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 12:43:42 + (Sat, 23 Apr 2016)
New Revision: 41079

Modified:
   data/CVE/list
Log:
imlib2 issues fixed in sid

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 12:43:33 UTC (rev 41078)
+++ data/CVE/list   2016-04-23 12:43:42 UTC (rev 41079)
@@ -238,7 +238,7 @@
NOT-FOR-US: Foxit Reader
 CVE-2016-4024 [integer overflow resulting in insufficient heap allocation]
RESERVED
-   - imlib2  (bug #821732)
+   - imlib2 1.4.8-1 (bug #821732)
NOTE: Upstream fix: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4c8ac0e20838947f10f29d0efe1add8227
NOTE: http://www.openwall.com/lists/oss-security/2016/04/14/5
 CVE-2016-4005
@@ -366,7 +366,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/3
 CVE-2011-5326 [divide-by-zero on 2x1 ellipse]
RESERVED
-   - imlib2  (bug #639414)
+   - imlib2 1.4.8-1 (bug #639414)
[jessie] - imlib2  (Minor issue)
[wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882
@@ -387,7 +387,7 @@
TODO: vtk6, paraview, opencollada, xdmf, gettext appear to include the 
affected code
 CVE-2016-3994 [GIF loader: out-of-bounds read]
RESERVED
-   - imlib2  (bug #785369)
+   - imlib2 1.4.8-1 (bug #785369)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8
NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/6
 CVE-2016- [Integer overflow in php_raw_url_encode]
@@ -543,7 +543,7 @@
TODO: recheck versions
 CVE-2016-3993 [off-by-one OOB read in __imlib_MergeUpdate]
RESERVED
-   - imlib2  (bug #819818)
+   - imlib2 1.4.8-1 (bug #819818)
[jessie] - imlib2  (Minor issue)
[wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef



[Secure-testing-commits] r41078 - data

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 12:43:33 + (Sat, 23 Apr 2016)
New Revision: 41078

Modified:
   data/dsa-needed.txt
Log:
Take imlib2

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-04-23 12:27:16 UTC (rev 41077)
+++ data/dsa-needed.txt 2016-04-23 12:43:33 UTC (rev 41078)
@@ -30,7 +30,7 @@
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along
 --
-imlib2 (carnil)
+imlib2 (ghedo)
 --
 libgd2
   carnil> Test packages: https://people.debian.org/~carnil/tmp/libgd2/
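Review bot: the claim line changes hands from carnil to ghedo with no note on the state of the imlib2 update being taken over; the libgd2 entry right below shows the file's convention for that (`carnil> Test packages: ...`), so a one-line `ghedo>` note saying what has been done or tested would help whoever reads dsa-needed next.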



[Secure-testing-commits] r41077 - org

2016-04-23 Thread Thorsten Alteholz
Author: alteholz
Date: 2016-04-23 12:27:16 + (Sat, 23 Apr 2016)
New Revision: 41077

Modified:
   org/lts-frontdesk.2016.txt
Log:
take some frontend weeks

Modified: org/lts-frontdesk.2016.txt
===
--- org/lts-frontdesk.2016.txt  2016-04-23 11:40:48 UTC (rev 41076)
+++ org/lts-frontdesk.2016.txt  2016-04-23 12:27:16 UTC (rev 41077)
@@ -26,16 +26,16 @@
 From 28-03 to 03-04:Santiago Ruano Rincón 
 From 04-04 to 10-04:
 From 11-04 to 17-04:Markus Koschany 
-From 18-04 to 24-04:
+From 18-04 to 24-04:Thorsten Alteholz 
 From 25-04 to 01-05:Santiago Ruano Rincón 
 From 02-05 to 08-05:Markus Koschany 
 From 09-05 to 15-05:Chris Lamb 
 From 16-05 to 22-05:Antoine Beaupré 
-From 23-05 to 29-05:
+From 23-05 to 29-05:Thorsten Alteholz 
 From 30-05 to 05-06:
 From 06-06 to 12-06:Chris Lamb 
 From 13-06 to 19-06:Antoine Beaupré 
-From 20-06 to 26-06:
+From 20-06 to 26-06:Thorsten Alteholz 
 From 27-06 to 03-07:
 From 04-07 to 10-07:Chris Lamb 
 From 11-07 to 17-07:
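Review bot: the three weeks are filled in consistently with the surrounding lines; the schedule still shows empty slots for 04-04 to 10-04, 30-05 to 05-06, 27-06 to 03-07 and 11-07 to 17-07, and the first of those already lies in the past at this commit's date (2016-04-23), so it may be worth marking it as unstaffed rather than leaving it blank, which reads as still open for volunteers.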


[Secure-testing-commits] r41076 - data/CVE

2016-04-23 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-04-23 11:40:48 + (Sat, 23 Apr 2016)
New Revision: 41076

Modified:
   data/CVE/list
Log:
new openssl issue


Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 09:58:08 UTC (rev 41075)
+++ data/CVE/list   2016-04-23 11:40:48 UTC (rev 41076)
@@ -5585,6 +5585,8 @@
NOTE: https://www.samba.org/samba/security/CVE-2016-2110.html
 CVE-2016-2109
RESERVED
+   - openssl  (low)
+   NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=c62981390d6cf9e3d612c489b8b77c2913b25807
 CVE-2016-2108
RESERVED
 CVE-2016-2107
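Review bot: CVE-2016-2109 receives a (low) severity and a fix reference, but the line above still says RESERVED and no bracketed title is given, so nothing in the entry says what the openssl issue is; add a short description in brackets as the other RESERVED entries in this series do (`CVE-2016-2109 [...]`). The NOTE also records the fix only as "Fixed in master"; Debian ships released branches, so note whether the commit has been backported to a 1.0.x release, or the entry will need revisiting when the advisory appears.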



[Secure-testing-commits] r41075 - data

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 09:58:08 + (Sat, 23 Apr 2016)
New Revision: 41075

Modified:
   data/dsa-needed.txt
Log:
Add libgd2 to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-04-23 06:28:19 UTC (rev 41074)
+++ data/dsa-needed.txt 2016-04-23 09:58:08 UTC (rev 41075)
@@ -32,6 +32,9 @@
 --
 imlib2 (carnil)
 --
+libgd2
+  carnil> Test packages: https://people.debian.org/~carnil/tmp/libgd2/
+--
 libidn
   Working debdiff for wheezy-security at
   https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff
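Review bot: the new libgd2 entry has no claimant in parentheses, unlike `imlib2 (carnil)` just above it, so it is advertised as unclaimed even though the note says carnil already has test packages; if carnil is preparing the update, write `libgd2 (carnil)` so that nobody picks it up in parallel.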



[Secure-testing-commits] r41074 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 06:28:19 + (Sat, 23 Apr 2016)
New Revision: 41074

Modified:
   data/CVE/list
Log:
Add CVE request reference for jq issue, #802231

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 06:17:32 UTC (rev 41073)
+++ data/CVE/list   2016-04-23 06:28:19 UTC (rev 41074)
@@ -138,6 +138,7 @@
- jq  (bug #802231)
NOTE: https://github.com/stedolan/jq/issues/995
NOTE: 
https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/04/23/1
 CVE-2016-4039
RESERVED
 CVE-2016-4036 (openSUSE and SUSE Linux Enterprise Server 11 SP 1 use weak 
permissions ...)
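Review bot: the `CVE Request:` prefix on the new NOTE is a temporary marker that has to be dropped again once the id is assigned (the first hunk in this digest does exactly that for the same jq entry); fine as is, but the commit message mentions only the bug number, so naming the placeholder CVE line being tracked would make the history easier to follow.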



[Secure-testing-commits] r41073 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 06:17:32 + (Sat, 23 Apr 2016)
New Revision: 41073

Modified:
   data/CVE/list
Log:
Update some NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 06:07:08 UTC (rev 41072)
+++ data/CVE/list   2016-04-23 06:17:32 UTC (rev 41073)
@@ -2312,7 +2312,7 @@
 CVE-2016-3146
RESERVED
 CVE-2016-3145 (Lexmark printers with firmware ATL before ATL.021.063, CB 
before ...)
-   TODO: check
+   NOT-FOR-US: Lexmark printers
 CVE-2016-3144 (Cross-site scripting (XSS) vulnerability in the Block Class 
module ...)
TODO: check
 CVE-2016-3143
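Review bot: CVE-2016-3145 is correctly resolved to NOT-FOR-US, but CVE-2016-3144 two lines below it (an XSS in the "Block Class" module) stays at `TODO: check` in the same hunk; since the commit is an NFU sweep, either settle that entry in the same pass or add a NOTE saying what still needs checking, so the remaining TODO is not mistaken for an oversight.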
@@ -4725,7 +4725,7 @@
 CVE-2016-2355
RESERVED
 CVE-2016-2354 (The Bluetooth functionality in Lemur Vehicle Monitors 
BlueDriver ...)
-   TODO: check
+   NOT-FOR-US: Lemur Vehicle Monitors BlueDriver
 CVE-2016-2353
RESERVED
 CVE-2016-2352
@@ -4960,21 +4960,21 @@
 CVE-2016-2307
RESERVED
 CVE-2016-2306 (The HMI web server in Ecava IntegraXor before 5.0 build 4522 
allows ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2305 (Cross-site scripting (XSS) vulnerability in Ecava IntegraXor 
before ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2304 (Ecava IntegraXor before 5.0 build 4522 does not include the 
HTTPOnly ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2303 (CRLF injection vulnerability in Ecava IntegraXor before 5.0 
build 4522 ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2302 (Ecava IntegraXor before 5.0 build 4522 allows remote attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2301 (SQL injection vulnerability in Ecava IntegraXor before 5.0 
build 4522 ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2300 (Ecava IntegraXor before 5.0 build 4522 allows remote attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2299 (SQL injection vulnerability in Ecava IntegraXor before 5.0 
build 4522 ...)
-   TODO: check
+   NOT-FOR-US: Ecava IntegraXor
 CVE-2016-2298
RESERVED
 CVE-2016-2297
@@ -5397,6 +5397,7 @@
RESERVED
 CVE-2016-2173
RESERVED
+   NOT-FOR-US: Spring AMQP
 CVE-2016-2172
RESERVED
 CVE-2016-2171 (The User Manager service in Apache Jetspeed before 2.3.1 does 
not ...)
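Review bot: CVE-2016-2173 is marked `NOT-FOR-US: Spring AMQP` while the entry is still RESERVED and has no description, so the basis for the triage (how the affected product was identified) is not recorded in the tracker; add a NOTE with the reference that names the product, as the other entries in this series do, so the decision can be re-checked when the CVE is published.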



[Secure-testing-commits] r41072 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 06:07:08 + (Sat, 23 Apr 2016)
New Revision: 41072

Modified:
   data/CVE/list
Log:
Update information for CVE-2016-4051/squid3

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 06:03:07 UTC (rev 41071)
+++ data/CVE/list   2016-04-23 06:07:08 UTC (rev 41072)
@@ -111,7 +111,11 @@
RESERVED
- squid3 3.5.17-1
- squid 
-   TODO: check
+   NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch (Squid 
3.2)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch (Squid 
3.3)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch (Squid 
3.4)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch (Squid 
3.5)
 CVE-2016-4044
RESERVED
 CVE-2016-4043
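Review bot: the `TODO: check` is replaced by the advisory and per-branch patch references, but the `- squid` line for the Squid 2.x source package is left without the annotation that the CVE-2016-405{2,3,4} entries received in r41071 (`Squid 2.x are not vulnerable`); confirm from SQUID-2016_5 whether 2.x is affected and annotate the line either way, since listing the package with no status note leaves it looking affected.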



[Secure-testing-commits] r41071 - data/CVE

2016-04-23 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-04-23 06:03:07 + (Sat, 23 Apr 2016)
New Revision: 41071

Modified:
   data/CVE/list
Log:
Update information for squid3/CVE-2016-405{2,3,4}

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 05:54:56 UTC (rev 41070)
+++ data/CVE/list   2016-04-23 06:03:07 UTC (rev 41071)
@@ -79,17 +79,33 @@
 CVE-2016-4054
RESERVED
- squid3 3.5.17-1
-   - squid 
+   - squid  (Squid 2.x are not vulnerable)
+   NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch 
(Squid 3.2)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch 
(Squid 3.3)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch 
(Squid 3.4)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch 
(Squid 3.5)
TODO: check
 CVE-2016-4053
RESERVED
- squid3 3.5.17-1
- squid 
+   - squid  (Squid 2.x are not vulnerable)
+   NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch 
(Squid 3.2)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch 
(Squid 3.3)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch 
(Squid 3.4)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch 
(Squid 3.5)
TODO: check
 CVE-2016-4052
RESERVED
- squid3 3.5.17-1
-   - squid 
+   - squid  (Squid 2.x are not vulnerable)
+   NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch 
(Squid 3.2)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch 
(Squid 3.3)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch 
(Squid 3.4)
+   NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch 
(Squid 3.5)
TODO: check
 CVE-2016-4051
RESERVED
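Review bot: each of the three entries keeps a trailing `TODO: check` after the advisory and patch links are added, so it is unclear what remains open; either drop it or state the remaining question, for example whether squid3 3.5.17-1 actually contains the 3.5 changeset (squid-3.5-14034) or whether the `Squid 2.x are not vulnerable` annotation on the squid line was verified against SQUID-2016_6 rather than inferred.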

