[Secure-testing-commits] r41303 - in data: . DLA
Author: jamessan Date: 2016-04-30 03:52:25 + (Sat, 30 Apr 2016) New Revision: 41303 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-448-1 for subversion Modified: data/DLA/list === --- data/DLA/list 2016-04-30 00:44:47 UTC (rev 41302) +++ data/DLA/list 2016-04-30 03:52:25 UTC (rev 41303) @@ -1,3 +1,6 @@ +[29 Apr 2016] DLA-448-1 subversion - security update + {CVE-2016-2167 CVE-2016-2168} + [wheezy] - subversion 1.6.17dfsg-4+deb7u11 [28 Apr 2016] DLA-447-1 mysql-5.5 - security update {CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643 CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650 CVE-2016-0666 CVE-2016-2047} [wheezy] - mysql-5.5 5.5.49-0+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-30 00:44:47 UTC (rev 41302) +++ data/dla-needed.txt 2016-04-30 03:52:25 UTC (rev 41303) @@ -84,8 +84,6 @@ -- squid3 -- -subversion (James McCoy) --- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
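Review bot: the DLA/list hunk reserves DLA-448-1 for CVE-2016-2167 and CVE-2016-2168, but the CVE/list entries for those two ids carry only {DSA-3561-1} (see r41301 further down this digest); add DLA-448-1 to them as well so the wheezy fix 1.6.17dfsg-4+deb7u11 is cross-referenced the way CVE-2015-3310 is with {DSA-3228-1 DLA-205-1}. The new entry is also dated [29 Apr 2016] while the commit lands on 30 Apr 03:52 UTC, which is fine if the announcement went out on the 29th; otherwise the date should follow the mail.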
[Secure-testing-commits] r41302 - data
Author: jamessan Date: 2016-04-30 00:44:47 + (Sat, 30 Apr 2016) New Revision: 41302 Modified: data/dla-needed.txt Log: Claim subversion in dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 21:10:15 UTC (rev 41301) +++ data/dla-needed.txt 2016-04-30 00:44:47 UTC (rev 41302) @@ -84,7 +84,7 @@ -- squid3 -- -subversion +subversion (James McCoy) -- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security
[Secure-testing-commits] r41301 - data/CVE
Author: sectracker Date: 2016-04-29 21:10:15 + (Fri, 29 Apr 2016) New Revision: 41301 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-04-29 16:28:58 UTC (rev 41300) +++ data/CVE/list 2016-04-29 21:10:15 UTC (rev 41301) @@ -1,3 +1,5 @@ +CVE-2016-4349 (Untrusted search path vulnerability in Cisco WebEx Productivity Tools ...) + TODO: check CVE-2016-4352 [Mplayer/Mencoder integer overflow parsing gif files] - mplayer NOTE: https://trac.mplayerhq.hu/ticket/2295 @@ -5580,28 +5582,35 @@ - hhvm 3.12.1+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/eae73029336e4d577707cb8a0527f22cb8a4588a CVE-2016-4348 + RESERVED - librsvg TODO: check affected versions CVE-2016-4347 + RESERVED - librsvg TODO: check affected versions CVE-2016-4346 [Multiple Heap Overflow due to integer overflows | xml/filter_url/addcslashes -- ext/standard/string.c] + RESERVED - php7.0 - php5 NOTE: https://bugs.php.net/bug.php?id=71637 CVE-2016-4345 [Multiple Heap Overflow due to integer overflows | xml/filter_url/addcslashes -- ext/filter/sanitizing_filters.c] + RESERVED - php7.0 - php5 NOTE: https://bugs.php.net/bug.php?id=71637 CVE-2016-4344 [Multiple Heap Overflow due to integer overflows | xml/filter_url/addcslashes -- ext/xml/xml.c] + RESERVED - php7.0 - php5 NOTE: https://bugs.php.net/bug.php?id=71637 CVE-2016-4343 [Uninitialized pointer in phar_make_dirstream()] + RESERVED - php7.0 - php5 NOTE: https://bugs.php.net/bug.php?id=71331 CVE-2016-4342 [Heap corruption in tar/zip/phar parser] + RESERVED - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 (Minor issue, can be fixed in next update round) 
@@ -6173,10 +6182,12 @@ RESERVED CVE-2016-2168 RESERVED + {DSA-3561-1} - subversion 1.9.4-1 NOTE: https://subversion.apache.org/security/CVE-2016-2168-advisory.txt CVE-2016-2167 RESERVED + {DSA-3561-1} - subversion 1.9.4-1 NOTE: https://subversion.apache.org/security/CVE-2016-2167-advisory.txt CVE-2016-2166 (The (1) proton.reactor.Connector, (2) proton.reactor.Container, and ...) @@ -8806,14 +8817,14 @@ RESERVED CVE-2016-1390 RESERVED -CVE-2016-1389 - RESERVED +CVE-2016-1389 (Open redirect vulnerability in Cisco WebEx Meetings Server (CWMS) 2.6 ...) + TODO: check CVE-2016-1388 RESERVED CVE-2016-1387 RESERVED -CVE-2016-1386 - RESERVED +CVE-2016-1386 (The API in Cisco Application Policy Infrastructure Controller ...) + TODO: check CVE-2016-1385 RESERVED CVE-2016-1384 (The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 ...) @@ -79294,7 +79305,7 @@ NOT-FOR-US: WordPress theme CVE-2011-5256 (Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey ...) - limesurvey (bug #472802) -CVE-2013-1656 (Spree Commerce 1.0.x through 1.3.2 allow remote authenticated ...) +CVE-2013-1656 (Spree Commerce 1.0.x through 1.3.2 allows remote authenticated ...) NOT-FOR-US: Spree CVE-2013-1655 (Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby ...) {DSA-2643-1} @@ -105323,7 +105334,7 @@ NOT-FOR-US: Oracle Siebel CVE-2011-3525 (Unspecified vulnerability in the Application Express component in ...) NOT-FOR-US: Oracle Database Server -CVE-2011-3524 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools ...) +CVE-2011-3524 (Unspecified vulnerability in the EnterpriseOne Tools component in ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-3523 (Unspecified vulnerability in the Oracle Web Services Manager component ...) NOT-FOR-US: Oracle Fusion 
@@ -105349,7 +105360,7 @@ - openjdk-6 (Windows-specific) CVE-2011-3515 (Unspecified vulnerability in the Oracle Solaris 10 and 11 Express ...) NOT-FOR-US: Oracle Solaris -CVE-2011-3514 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools ...) +CVE-2011-3514 (Unspecified vulnerability in the EnterpriseOne Tools component in ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-3513 (Unspecified vulnerability in the Oracle Application Object Library ...) NOT-FOR-US: Oracle E-Business Suite @@ -105359,7 +105370,7 @@ NOT-FOR-US: Oracle Database Server CVE-2011-3510 (Unspecified vulnerability in the Oracle Business Intelligence ...) NOT-FOR-US: Oracle Fusion Middleware -CVE-2011-3509 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools ...) +CVE-2011-3509 (Unspecified vulnerability in the EnterpriseOne Tools component in ...) NOT-FOR-US: Oracle JD Edwards Products CV
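Review bot: the three new Cisco entries left at "TODO: check" (CVE-2016-4349 at the top of the first hunk, CVE-2016-1389 and CVE-2016-1386 in the @@ -8806 hunk) concern WebEx Productivity Tools, WebEx Meetings Server and Application Policy Infrastructure Controller, none of which is a Debian package; they look like NOT-FOR-US candidates in the same way as the Oracle entries in the @@ -105323 and later hunks, but that needs a human triage pass before the TODO is cleared. The "+ RESERVED" lines the sync adds to the php5/php7.0 and librsvg entries in the first hunk are the expected result of MITRE still listing those ids as reserved and need no action.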
[Secure-testing-commits] r41300 - data
Author: carnil Date: 2016-04-29 16:28:58 + (Fri, 29 Apr 2016) New Revision: 41300 Modified: data/dsa-needed.txt Log: Add note about additional information provided by apo Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-29 16:22:55 UTC (rev 41299) +++ data/dsa-needed.txt 2016-04-29 16:28:58 UTC (rev 41300) @@ -18,6 +18,7 @@ NOTE: Markus Koschany provided a patch -- gdk-pixbuf (carnil) + NOTE: Markus Koschany shared information about the same he prepared for wheezy -- gosa NOTE: .debdiff sent to the Security Team, waiting for feedback
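Review bot: the added NOTE under gdk-pixbuf, "shared information about the same he prepared for wheezy", does not say what was shared or where to find it; name the artefact and link it (a debdiff, a patch list, a mailing-list message), as the botan1.10 entry above does with "provided a patch" and the gosa entry below does with ".debdiff sent to the Security Team", so whoever picks up the jessie update does not have to ask.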
[Secure-testing-commits] r41299 - data/CVE
Author: carnil Date: 2016-04-29 16:22:55 + (Fri, 29 Apr 2016) New Revision: 41299 Modified: data/CVE/list Log: CVE-2016-4356/libksba assigned Modified: data/CVE/list === --- data/CVE/list 2016-04-29 16:21:31 UTC (rev 41298) +++ data/CVE/list 2016-04-29 16:22:55 UTC (rev 41299) @@ -29111,13 +29111,13 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 -CVE-2015- [integer overflow in the DN decoder src/dn.c] +CVE-2016-4356 - libksba 1.3.3-1 (low) [squeeze] - libksba (Minor issue) [wheezy] - libksba (Minor issue) [jessie] - libksba (Minor issue) - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/13/5 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/5 + NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 + NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3 CVE-2015-3310 (Buffer overflow in the rc_mksid function in plugins/radius/util.c in ...) {DSA-3228-1 DLA-205-1}
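Review bot: replacing "CVE-2015- [integer overflow in the DN decoder src/dn.c]" with a bare "CVE-2016-4356" drops the bracketed description, so until the automatic MITRE sync supplies one the entry no longer says what the issue is; r41297 (further down this digest) kept the bracket text when it assigned CVE-2016-4353, and keeping it here too would be consistent and more useful. Removing the "CVE Request:" prefix from the two oss-security NOTE lines is correct now that the id is assigned.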
[Secure-testing-commits] r41298 - data/CVE
Author: carnil Date: 2016-04-29 16:21:31 + (Fri, 29 Apr 2016) New Revision: 41298 Modified: data/CVE/list Log: CVE-2016-435{4,5}/libksba assigned Modified: data/CVE/list === --- data/CVE/list 2016-04-29 16:20:11 UTC (rev 41297) +++ data/CVE/list 2016-04-29 16:21:31 UTC (rev 41298) @@ -29095,14 +29095,22 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a -CVE-2015- [integer overflow in the BER decoder src/ber-decoder.c] +CVE-2016-4355 - libksba 1.3.3-1 (low) [squeeze] - libksba (Minor issue) [wheezy] - libksba (Minor issue) [jessie] - libksba (Minor issue) - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/13/5 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/5 + NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 + NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 +CVE-2016-4354 + - libksba 1.3.3-1 (low) + [squeeze] - libksba (Minor issue) + [wheezy] - libksba (Minor issue) + [jessie] - libksba (Minor issue) + NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 + NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 + NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 CVE-2015- [integer overflow in the DN decoder src/dn.c] - libksba 1.3.3-1 (low) [squeeze] - libksba (Minor issue)
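Review bot: the newly added CVE-2016-4354 block is a verbatim copy of the CVE-2016-4355 block above it, with the same three NOTE links and the same upstream commit aea7b6032865740478ca4b706850a5217f1c3887, and neither entry has a bracketed description, so a reader cannot tell which libksba issue each id covers or whether one commit really fixes both; add a short description to each (the oss-security thread linked in the NOTEs should distinguish them), and if 4354 was fixed by a different commit, point its NOTE at that one.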
[Secure-testing-commits] r41297 - data/CVE
Author: carnil Date: 2016-04-29 16:20:11 + (Fri, 29 Apr 2016) New Revision: 41297 Modified: data/CVE/list Log: CVE-2016-4353/libksba assigned Modified: data/CVE/list === --- data/CVE/list 2016-04-29 15:21:57 UTC (rev 41296) +++ data/CVE/list 2016-04-29 16:20:11 UTC (rev 41297) @@ -29087,13 +29087,13 @@ - linux-2.6 (TCP Fast Open introduced in v3.6-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/04/14/14 NOTE: http://thread.gmane.org/gmane.linux.network/359588 -CVE-2015- [denial of service due to stack overflow in src/ber-decoder.c] +CVE-2016-4353 [denial of service due to stack overflow in src/ber-decoder.c] - libksba 1.3.3-1 (low) [squeeze] - libksba (Minor issue) [wheezy] - libksba (Minor issue) [jessie] - libksba (Minor issue) - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/13/5 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/5 + NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 + NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a CVE-2015- [integer overflow in the BER decoder src/ber-decoder.c] - libksba 1.3.3-1 (low)
[Secure-testing-commits] r41296 - data/CVE
Author: carnil Date: 2016-04-29 15:21:57 + (Fri, 29 Apr 2016) New Revision: 41296 Modified: data/CVE/list Log: CVE-2016-4352/mplayer assigned Modified: data/CVE/list === --- data/CVE/list 2016-04-29 15:09:15 UTC (rev 41295) +++ data/CVE/list 2016-04-29 15:21:57 UTC (rev 41296) @@ -1,7 +1,8 @@ -CVE-2016- [Mplayer/Mencoder integer overflow parsing gif files] +CVE-2016-4352 [Mplayer/Mencoder integer overflow parsing gif files] - mplayer NOTE: https://trac.mplayerhq.hu/ticket/2295 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/3 + NOTE: Fixed in Revision r37857 upstream + NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/3 CVE-2015-8869 [buffer overflow and information leak] - ocaml NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
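Review bot: the added "NOTE: Fixed in Revision r37857 upstream" records where the fix lives, but the package line stays a bare "- mplayer" with no Debian version, so the entry is open for every suite; if no Debian upload contains r37857 yet, a TODO saying the revision still needs to be picked up would make it clear the open state is deliberate rather than an oversight.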
[Secure-testing-commits] r41295 - data/CVE
Author: carnil Date: 2016-04-29 15:09:15 + (Fri, 29 Apr 2016) New Revision: 41295 Modified: data/CVE/list Log: CVE-2015-8869/ocaml assigned Modified: data/CVE/list === --- data/CVE/list 2016-04-29 14:39:01 UTC (rev 41294) +++ data/CVE/list 2016-04-29 15:09:15 UTC (rev 41295) @@ -2,10 +2,10 @@ - mplayer NOTE: https://trac.mplayerhq.hu/ticket/2295 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/3 -CVE-2016- [buffer overflow and information leak] +CVE-2015-8869 [buffer overflow and information leak] - ocaml NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/1 + NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/1 CVE-2016-4341 RESERVED CVE-2016-4339
[Secure-testing-commits] r41294 - data
Author: santiago Date: 2016-04-29 14:39:01 + (Fri, 29 Apr 2016) New Revision: 41294 Modified: data/dla-needed.txt Log: phpmyadmin needs a dla Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 14:34:37 UTC (rev 41293) +++ data/dla-needed.txt 2016-04-29 14:39:01 UTC (rev 41294) @@ -69,6 +69,9 @@ -- php5 -- +phpmyadmin + NOTE: anarcat already prepared a package: https://lists.debian.org/debian-lts/2016/04/msg00086.html +-- policykit-1 NOTE: CVE-2016-2568 doesn't have a fix yet, 20160425 --
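Review bot: the new phpmyadmin entry says anarcat already prepared a package but leaves the item unclaimed; the convention elsewhere in this file is to put the person working on an item in parentheses after the package name (for example "subversion (James McCoy)" in r41302 above), so either claim it for anarcat or extend the NOTE to say the prepared package still needs a reviewer and uploader, otherwise two people may pick it up.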
[Secure-testing-commits] r41293 - data/CVE
Author: carnil Date: 2016-04-29 14:34:37 + (Fri, 29 Apr 2016) New Revision: 41293 Modified: data/CVE/list Log: Add reference for further CVE request on libksba issues Modified: data/CVE/list === --- data/CVE/list 2016-04-29 14:25:50 UTC (rev 41292) +++ data/CVE/list 2016-04-29 14:34:37 UTC (rev 41293) @@ -29092,6 +29092,7 @@ [wheezy] - libksba (Minor issue) [jessie] - libksba (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/13/5 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a CVE-2015- [integer overflow in the BER decoder src/ber-decoder.c] - libksba 1.3.3-1 (low) @@ -29099,6 +29100,7 @@ [wheezy] - libksba (Minor issue) [jessie] - libksba (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/13/5 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 CVE-2015- [integer overflow in the DN decoder src/dn.c] - libksba 1.3.3-1 (low) @@ -29106,6 +29108,7 @@ [wheezy] - libksba (Minor issue) [jessie] - libksba (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/13/5 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3 CVE-2015-3310 (Buffer overflow in the rc_mksid function in plugins/radius/util.c in ...) {DSA-3228-1 DLA-205-1}
[Secure-testing-commits] r41292 - data/CVE
Author: carnil Date: 2016-04-29 14:25:50 + (Fri, 29 Apr 2016) New Revision: 41292 Modified: data/CVE/list Log: Update status for CVE-2016-3139/linux Modified: data/CVE/list === --- data/CVE/list 2016-04-29 14:21:28 UTC (rev 41291) +++ data/CVE/list 2016-04-29 14:25:50 UTC (rev 41292) @@ -3227,7 +3227,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283378 NOTE: https://marc.info/?l=linux-usb&m=145796765030590&w=2 CVE-2016-3139 (The wacom_probe function in drivers/input/tablet/wacom_sys.c in the ...) - - linux (low) + - linux 4.0.2-1 (low) NOTE: http://seclists.org/bugtraq/2016/Mar/60 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283375 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283377
[Secure-testing-commits] r41291 - templates
Author: santiago Date: 2016-04-29 14:21:28 + (Fri, 29 Apr 2016) New Revision: 41291 Modified: templates/lts-no-dsa.txt Log: update templates/lts-no-dsa.txt for Wheezy Modified: templates/lts-no-dsa.txt === --- templates/lts-no-dsa.txt2016-04-29 14:18:57 UTC (rev 41290) +++ templates/lts-no-dsa.txt2016-04-29 14:21:28 UTC (rev 41291) @@ -1,11 +1,11 @@ To: {{ to }} Cc: {{ cc }} -Subject: About the security issues affecting {{ package }} in Squeeze +Subject: About the security issues affecting {{ package }} in Wheezy Hello dear maintainer(s), the Debian LTS team recently reviewed the security issue(s) affecting your -package in Squeeze: +package in Wheezy: {%- if cve -%} {% for entry in cve %} https://security-tracker.debian.org/tracker/{{ entry }} @@ -14,10 +14,10 @@ https://security-tracker.debian.org/tracker/source-package/{{ package }} {%- endif %} -We decided that we would not prepare a squeeze security update (usually +We decided that we would not prepare a wheezy security update (usually because the security impact is low and that we concentrate our limited resources on higher severity issues and on the most widely used packages). -That said the squeeze users would most certainly benefit from a fixed +That said the wheezy users would most certainly benefit from a fixed package. If you want to work on such an update, you're welcome to do so. Please 
@@ -25,11 +25,11 @@ https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an -updated source package and send it to debian-...@lists.debian.org -(via a debdiff, or with an URL pointing to the the source package, -or even with a pointer to your packaging repository), and the members -of the LTS team will take care of the rest. However please make sure to -submit a tested package. +updated source package and send it to debian-...@lists.debian.org (via a +debdiff, or with an URL pointing to the source package, or even with a +pointer to your packaging repository), and the members of the LTS team +will take care of the rest. However please make sure to submit a tested +package. Thank you very much.
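Review bot: the second hunk (@@ -25,11) rewraps the whole paragraph and quietly fixes the "the the" typo in a commit whose log only mentions the Wheezy update, which makes it hard to confirm that nothing else in that paragraph changed; a separate commit for the rewrap and typo fix would review more easily. The Squeeze-to-Wheezy replacements in the first hunk (Subject line, "package in Wheezy", "wheezy security update", "wheezy users") are consistent with each other.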
[Secure-testing-commits] r41290 - data/CVE
Author: santiago Date: 2016-04-29 14:18:57 + (Fri, 29 Apr 2016) New Revision: 41290 Modified: data/CVE/list Log: CVE-2015-8076/cyrus-imapd-2.4 no-dsa in wheezy Modified: data/CVE/list === --- data/CVE/list 2016-04-29 13:25:59 UTC (rev 41289) +++ data/CVE/list 2016-04-29 14:18:57 UTC (rev 41290) @@ -16709,6 +16709,7 @@ CVE-2015-8076 (The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before ...) - cyrus-imapd-2.4 2.4.17+nocaldav-2 [jessie] - cyrus-imapd-2.4 (Will be fixed via a jessie-pu) + [wheezy] - cyrus-imapd-2.4 (Minor issue; can be fixed alone in a future DLA) NOTE: http://www.openwall.com/lists/oss-security/2015/09/29/2 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b
[Secure-testing-commits] r41289 - data/CVE
Author: jmm Date: 2016-04-29 13:25:59 + (Fri, 29 Apr 2016) New Revision: 41289 Modified: data/CVE/list Log: ipython fixed Modified: data/CVE/list === --- data/CVE/list 2016-04-29 13:13:46 UTC (rev 41288) +++ data/CVE/list 2016-04-29 13:25:59 UTC (rev 41289) @@ -21772,7 +21772,7 @@ RESERVED CVE-2015-5607 [IPython CSRF validation] RESERVED - - ipython (bug #793123) + - ipython 2.4.1-1 (bug #793123) [jessie] - ipython (Minor issue) [wheezy] - ipython (Minor issue) [squeeze] - ipython (Vulnerable code not present)
[Secure-testing-commits] r41288 - data/CVE
Author: jmm Date: 2016-04-29 13:13:46 + (Fri, 29 Apr 2016) New Revision: 41288 Modified: data/CVE/list Log: new chromium issues Modified: data/CVE/list === --- data/CVE/list 2016-04-29 12:43:46 UTC (rev 41287) +++ data/CVE/list 2016-04-29 13:13:46 UTC (rev 41288) @@ -7926,18 +7926,34 @@ RESERVED CVE-2016-1666 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1665 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) + - libv8 (unimportant) + NOTE: libv8 not covered by security support CVE-2016-1664 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1663 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1662 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1661 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1660 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1659 (Multiple unspecified vulnerabilities in Google Chrome before ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1
[Secure-testing-commits] r41287 - in data: . DSA
Author: carnil Date: 2016-04-29 12:43:46 + (Fri, 29 Apr 2016) New Revision: 41287 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for subversion Modified: data/DSA/list === --- data/DSA/list 2016-04-29 12:05:36 UTC (rev 41286) +++ data/DSA/list 2016-04-29 12:43:46 UTC (rev 41287) @@ -1,3 +1,6 @@ +[29 Apr 2016] DSA-3561-1 subversion - security update + {CVE-2016-2167 CVE-2016-2168} + [jessie] - subversion 1.8.10-6+deb8u4 [27 Apr 2016] DSA-3560-1 php5 - security update {CVE-2015-8865 CVE-2016-4070 CVE-2016-4071 CVE-2016-4072 CVE-2016-4073} [jessie] - php5 5.6.20+dfsg-0+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-29 12:05:36 UTC (rev 41286) +++ data/dsa-needed.txt 2016-04-29 12:43:46 UTC (rev 41287) @@ -67,8 +67,6 @@ -- squid3 -- -subversion --- tardiff (carnil) fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=jessie
[Secure-testing-commits] r41286 - data/CVE
Author: carnil Date: 2016-04-29 12:05:36 + (Fri, 29 Apr 2016) New Revision: 41286 Modified: data/CVE/list Log: Update status for CVE-2010-1642 Modified: data/CVE/list === --- data/CVE/list 2016-04-29 12:03:19 UTC (rev 41285) +++ data/CVE/list 2016-04-29 12:05:36 UTC (rev 41286) @@ -124064,7 +124064,7 @@ - linux-2.6 2.6.28-1 [lenny] - linux-2.6 2.6.26-23 CVE-2010-1642 (The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in ...) - - samba (unimportant) + - samba 2:3.5.4~dfsg-2 (unimportant) NOTE: Only crashes a single connection, not the entire smbd CVE-2010-1641 (The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel ...) - linux-2.6 2.6.32-16
[Secure-testing-commits] r41285 - data/CVE
Author: carnil Date: 2016-04-29 12:03:19 + (Fri, 29 Apr 2016) New Revision: 41285 Modified: data/CVE/list Log: Update CVE-2010-1635/samba Modified: data/CVE/list === --- data/CVE/list 2016-04-29 11:33:01 UTC (rev 41284) +++ data/CVE/list 2016-04-29 12:03:19 UTC (rev 41285) @@ -124083,7 +124083,8 @@ - linux-2.6 2.6.32-14 [lenny] - linux-2.6 (brtfs introduced in 2.6.32) CVE-2010-1635 (The chain_reply function in process.c in smbd in Samba before 3.4.8 ...) - - samba (unimportant) + - samba 2:3.6.1-2 (unimportant) + NOTE: http://git.samba.org/?p=samba.git;a=commitdiff;h=25452a2268ac7013da28125f3df22085139af12d NOTE: Only crashes a single connection, not the entire smbd CVE-2010-1634 (Multiple integer overflows in audioop.c in the audioop module in ...) - python3.1 3.1.2+20100822-1 (low)
[Secure-testing-commits] r41284 - data/CVE
Author: carnil Date: 2016-04-29 11:33:01 + (Fri, 29 Apr 2016) New Revision: 41284 Modified: data/CVE/list Log: Add temporary entry for mplayer Modified: data/CVE/list === --- data/CVE/list 2016-04-29 11:30:12 UTC (rev 41283) +++ data/CVE/list 2016-04-29 11:33:01 UTC (rev 41284) @@ -1,3 +1,7 @@ +CVE-2016- [Mplayer/Mencoder integer overflow parsing gif files] + - mplayer + NOTE: https://trac.mplayerhq.hu/ticket/2295 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/3 CVE-2016- [buffer overflow and information leak] - ocaml NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
[Secure-testing-commits] r41283 - data/CVE
Author: carnil Date: 2016-04-29 11:30:12 + (Fri, 29 Apr 2016) New Revision: 41283 Modified: data/CVE/list Log: Add temporary entry for ocaml Modified: data/CVE/list === --- data/CVE/list 2016-04-29 11:11:52 UTC (rev 41282) +++ data/CVE/list 2016-04-29 11:30:12 UTC (rev 41283) @@ -1,3 +1,7 @@ +CVE-2016- [buffer overflow and information leak] + - ocaml + NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/29/1 CVE-2016-4341 RESERVED CVE-2016-4339
[Secure-testing-commits] r41282 - data
Author: carnil Date: 2016-04-29 11:11:52 + (Fri, 29 Apr 2016) New Revision: 41282 Modified: data/dsa-needed.txt Log: Take two source packages from dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-29 11:09:44 UTC (rev 41281) +++ data/dsa-needed.txt 2016-04-29 11:11:52 UTC (rev 41282) @@ -17,7 +17,7 @@ botan1.10 (seb) NOTE: Markus Koschany provided a patch -- -gdk-pixbuf +gdk-pixbuf (carnil) -- gosa NOTE: .debdiff sent to the Security Team, waiting for feedback @@ -49,7 +49,7 @@ -- ntp -- -openafs +openafs (carnil) -- openjpeg2 (jmm) --
[Secure-testing-commits] r41281 - data/CVE
Author: carnil Date: 2016-04-29 11:09:44 + (Fri, 29 Apr 2016) New Revision: 41281 Modified: data/CVE/list Log: One php7.0 issue fixed Modified: data/CVE/list === --- data/CVE/list 2016-04-29 10:44:17 UTC (rev 41280) +++ data/CVE/list 2016-04-29 11:09:44 UTC (rev 41281) @@ -3104,7 +3104,7 @@ NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2016-3078 [integer overflow in ZipArchive::getFrom*] RESERVED - - php7.0 + - php7.0 7.0.6-1 NOTE: http://www.openwall.com/lists/oss-security/2016/04/28/1 NOTE: Fixed in 7.0.6 TODO: check other php versions if affected
[Secure-testing-commits] r41280 - data
Author: carnil Date: 2016-04-29 10:44:17 + (Fri, 29 Apr 2016) New Revision: 41280 Modified: data/dla-needed.txt Log: Add note for tardiff Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 10:44:16 UTC (rev 41279) +++ data/dla-needed.txt 2016-04-29 10:44:17 UTC (rev 41280) @@ -86,6 +86,7 @@ tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy + NOTE: maintainer showed interest to do the LTS upload on his own -- tiff NOTE: 20160226, no fix available yet
[Secure-testing-commits] r41279 - data
Author: carnil Date: 2016-04-29 10:44:16 + (Fri, 29 Apr 2016) New Revision: 41279 Modified: data/dsa-needed.txt Log: Take tardiff for releasing Axel's packages Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-29 10:36:38 UTC (rev 41278) +++ data/dsa-needed.txt 2016-04-29 10:44:16 UTC (rev 41279) @@ -69,7 +69,7 @@ -- subversion -- -tardiff +tardiff (carnil) fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=jessie --
[Secure-testing-commits] r41278 - data/CVE
Author: carnil Date: 2016-04-29 10:36:38 + (Fri, 29 Apr 2016) New Revision: 41278 Modified: data/CVE/list Log: Add fixes for subversion to unstable Modified: data/CVE/list === --- data/CVE/list 2016-04-29 10:35:50 UTC (rev 41277) +++ data/CVE/list 2016-04-29 10:36:38 UTC (rev 41278) @@ -6164,11 +6164,11 @@ RESERVED CVE-2016-2168 RESERVED - - subversion + - subversion 1.9.4-1 NOTE: https://subversion.apache.org/security/CVE-2016-2168-advisory.txt CVE-2016-2167 RESERVED - - subversion + - subversion 1.9.4-1 NOTE: https://subversion.apache.org/security/CVE-2016-2167-advisory.txt CVE-2016-2166 (The (1) proton.reactor.Connector, (2) proton.reactor.Container, and ...) - qpid-proton (Vulnerable code not present)
[Secure-testing-commits] r41277 - data/CVE
Author: carnil Date: 2016-04-29 10:35:50 + (Fri, 29 Apr 2016) New Revision: 41277 Modified: data/CVE/list Log: Add more ntp fixes via the last ntp update in unstable Modified: data/CVE/list === --- data/CVE/list 2016-04-29 10:31:54 UTC (rev 41276) +++ data/CVE/list 2016-04-29 10:35:50 UTC (rev 41277) @@ -14196,7 +14196,7 @@ RESERVED CVE-2015-8140 [ntpq vulnerable to replay attacks] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit @@ -14204,7 +14204,7 @@ NOTE: Mitigated in 4.2.8p6 CVE-2015-8139 [Origin Leak: ntpq and ntpdc, disclose origin] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit @@ -14750,7 +14750,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/5 CVE-2015-7979 [Off-path Denial of Service (DoS) attack on authenticated broadcast mode] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue, can be fixed along in a future update) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit @@ -14758,7 +14758,7 @@ NOTE: https://github.com/ntp-project/ntp/commit/fe46889f7baa75fc8e6c0fcde87706d396ce1461 CVE-2015-7978 [Stack exhaustion in recursive traversal of restriction list] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue, can be fixed along in a future update) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit 
@@ -14766,7 +14766,7 @@ NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1 CVE-2015-7977 [reslist NULL pointer dereference] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue, can be fixed along in a future update) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit @@ -14774,7 +14774,7 @@ NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1 CVE-2015-7976 [ntpq saveconfig command allows dangerous characters in filenames] RESERVED - - ntp (low) + - ntp 1:4.2.8p7+dfsg-1 (low) [jessie] - ntp (Minor issue, can be fixed along in a future update) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit 
@@ -14783,20 +14783,20 @@ NOTE: https://github.com/ntp-project/ntp/commit/7fe04606062ed674db3b9553d32dedad29504d61 CVE-2015-7975 [nextvar() missing length check] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Introduced in 4.2.8) [wheezy] - ntp (Introduced in 4.2.8) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2937 CVE-2015-7974 (NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer ...) - - ntp (low) + - ntp 1:4.2.8p7+dfsg-1 (low) [jessie] - ntp (Minor issue, can be fixed along in a future update) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2936 CVE-2015-7973 [Deja Vu: Replay attack on authenticated broadcast mode] RESERVED - - ntp (low) + - ntp 1:4.2.8p7+dfsg-1 (low) [jessie] - ntp (Minor issue, can be fixed along in a future update) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
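Review bot: in the CVE-2015-7975 hunk the jessie and wheezy lines read "[jessie] - ntp (Introduced in 4.2.8)" and "[wheezy] - ntp (Introduced in 4.2.8)", which is a parenthetical comment on an entry that otherwise stays open for those suites; if the annotation means their packages predate 4.2.8 and are not affected, record that status explicitly instead of leaving a comment the tracker cannot act on, and if they are affected, replace the comment with the usual triage note. The other hunks in this commit only add the unstable fixed version 1:4.2.8p7+dfsg-1 and are consistent with the "Mitigated in 4.2.8p6" notes they sit next to.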
[Secure-testing-commits] r41276 - data/CVE
Author: carnil Date: 2016-04-29 10:31:54 + (Fri, 29 Apr 2016) New Revision: 41276 Modified: data/CVE/list Log: First round of ntp fixes added, need to check the ones from january Modified: data/CVE/list === --- data/CVE/list 2016-04-29 10:20:09 UTC (rev 41275) +++ data/CVE/list 2016-04-29 10:31:54 UTC (rev 41276) @@ -5016,23 +5016,23 @@ RESERVED CVE-2016-2519 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-2518 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-2517 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: CVE-2016-2517 is for a regression caused by the patch for CVE-2016-2516 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-2516 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-2514 @@ -8374,27 +8374,27 @@ NOTE: https://github.com/facebook/hhvm/commit/f21dccdde582c61d5a9b52dd821bcb1f08169d28 CVE-2016-1551 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-1550 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-1549 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-1548 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-1547 RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security TODO: check CVE-2016-1546 
@@ -14160,7 +14160,7 @@ RESERVED CVE-2015-8158 [Potential Infinite Loop in ntpq] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2948 TODO: check @@ -14212,7 +14212,7 @@ NOTE: Mitigated in 4.2.8p6 CVE-2015-8138 [ntp: missing check for zero originate timestamp] RESERVED - - ntp + - ntp 1:4.2.8p7+dfsg-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0077/ NOTE: https://github.com/ntp-project/ntp/commit/880191b72409a1965712999d248d70e6f7163af8 NOTE: The upstream fix for this issue is reported to be incomplete:
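Review bot: in the CVE-2015-8138 hunk the entry is now marked fixed in "ntp 1:4.2.8p7+dfsg-1" while the NOTE kept directly below it says "The upstream fix for this issue is reported to be incomplete:"; recording a fixed version on an entry whose own notes say the fix is incomplete will make the tracker report unstable as no longer vulnerable. Either keep the line as "- ntp" until the follow-up fix is confirmed, or keep the version and add a "TODO: check" like the CVE-2015-8158 hunk above so the incomplete-fix report is revisited; the log message ("need to check the ones from january") suggests the latter was intended.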
[Secure-testing-commits] r41275 - data/CVE
Author: carnil Date: 2016-04-29 10:20:09 + (Fri, 29 Apr 2016) New Revision: 41275 Modified: data/CVE/list Log: Four CVEs fixed in unstable for src:linux Modified: data/CVE/list === --- data/CVE/list 2016-04-29 09:26:19 UTC (rev 41274) +++ data/CVE/list 2016-04-29 10:20:09 UTC (rev 41275) @@ -777,7 +777,7 @@ NOTE: World readable files in /etc/quagga as well in Debian CVE-2016-3955 [remote buffer overflow in usbip] RESERVED - - linux + - linux 4.5.2-1 NOTE: Upstream commit: https://git.kernel.org/linus/b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb (v4.6-rc3) NOTE: http://www.openwall.com/lists/oss-security/2016/04/19/1 CVE-2016-4038 @@ -1133,7 +1133,7 @@ CVE-2016-3962 RESERVED CVE-2016-3961 (Xen and the Linux kernel through 4.5.x do not properly suppress ...) - - linux + - linux 4.5.2-1 NOTE: http://xenbits.xen.org/xsa/advisory-174.html CVE-2016-3960 (Integer overflow in the x86 shadow pagetable code in Xen allows local ...) {DSA-3554-1} @@ -6104,7 +6104,7 @@ NOTE: http://marc.info/?l=linux-usb&m=145796659429788&w=2 CVE-2016-2187 [Kernel panic on invalid USB device descriptor (gtco driver)] RESERVED - - linux + - linux 4.5.2-1 NOTE: Upstream commit: https://git.kernel.org/linus/162f98dea487206d9ab79fc12ed64700667a894d (v4.6-rc5) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317017 CVE-2016-2186 [Kernel panic on invalid USB device descriptor (powermate driver)] @@ -6305,7 +6305,7 @@ NOTE: http://badlock.org/ CVE-2016-2117 [memory disclosure to ethernet due to unchecked scatter/gather IO] RESERVED - - linux + - linux 4.5.2-1 [wheezy] - linux (Issue introduced with v3.10-rc1) NOTE: Introduced in https://git.kernel.org/linus/ec5f061564238892005257c83565a0b58ec79295 (v3.10-rc1) NOTE: http://www.openwall.com/lists/oss-security/2016/03/16/7
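Review bot: in the CVE-2016-3955 and CVE-2016-2187 hunks the fixed version is recorded as "linux 4.5.2-1" while the cited upstream commits are tagged v4.6-rc3 and v4.6-rc5, so the fixes must have reached 4.5.2-1 as backports; add a NOTE naming where the backport can be checked (the Debian changelog entry or the patch in the package) so the version claim is verifiable from the entry itself, as is done for the upstream side with the "Upstream commit:" notes. The CVE-2016-2117 hunk keeps "[wheezy] - linux (Issue introduced with v3.10-rc1)", which, like the parenthetical itself says, means wheezy predates the bug; record that as a not-affected status rather than as a comment on an open entry.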
[Secure-testing-commits] r41274 - data
Author: santiago Date: 2016-04-29 09:26:19 + (Fri, 29 Apr 2016) New Revision: 41274 Modified: data/dla-needed.txt Log: add squid3 to dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 09:10:12 UTC (rev 41273) +++ data/dla-needed.txt 2016-04-29 09:26:19 UTC (rev 41274) @@ -79,6 +79,8 @@ -- squid -- +squid3 +-- subversion -- tardiff
[Secure-testing-commits] r41273 - data/CVE
Author: sectracker Date: 2016-04-29 09:10:12 + (Fri, 29 Apr 2016) New Revision: 41273 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-04-29 08:29:34 UTC (rev 41272) +++ data/CVE/list 2016-04-29 09:10:12 UTC (rev 41273) 
@@ -1,4 +1,511 @@ +CVE-2016-4341 + RESERVED +CVE-2016-4339 + RESERVED +CVE-2016-4338 + RESERVED +CVE-2016-4337 + RESERVED +CVE-2016-4336 + RESERVED +CVE-2016-4335 + RESERVED +CVE-2016-4334 + RESERVED +CVE-2016-4333 + RESERVED +CVE-2016-4332 + RESERVED +CVE-2016-4331 + RESERVED +CVE-2016-4330 + RESERVED +CVE-2016-4329 + RESERVED +CVE-2016-4328 + RESERVED +CVE-2016-4327 + RESERVED +CVE-2016-4326 + RESERVED +CVE-2016-4325 + RESERVED +CVE-2016-4324 + RESERVED +CVE-2016-4323 + RESERVED +CVE-2016-4322 + RESERVED +CVE-2016-4321 + RESERVED +CVE-2016-4320 + RESERVED +CVE-2016-4319 + RESERVED +CVE-2016-4318 + RESERVED +CVE-2016-4317 + RESERVED +CVE-2016-4316 + RESERVED +CVE-2016-4315 + RESERVED +CVE-2016-4314 + RESERVED +CVE-2016-4313 + RESERVED +CVE-2016-4312 + RESERVED +CVE-2016-4311 + RESERVED +CVE-2016-4310 + RESERVED +CVE-2016-4309 + RESERVED +CVE-2016-4308 + RESERVED +CVE-2016-4307 + RESERVED +CVE-2016-4306 + RESERVED +CVE-2016-4305 + RESERVED +CVE-2016-4304 + RESERVED +CVE-2016-4303 + RESERVED +CVE-2016-4302 + RESERVED +CVE-2016-4301 + RESERVED +CVE-2016-4300 + RESERVED +CVE-2016-4299 + RESERVED +CVE-2016-4298 + RESERVED +CVE-2016-4297 + RESERVED +CVE-2016-4296 + RESERVED +CVE-2016-4295 + RESERVED +CVE-2016-4294 + RESERVED +CVE-2016-4293 + RESERVED +CVE-2016-4292 + RESERVED +CVE-2016-4291 + RESERVED +CVE-2016-4290 + RESERVED +CVE-2016-4289 + RESERVED +CVE-2016-4288 + RESERVED +CVE-2016-4287 + RESERVED +CVE-2016-4286 + RESERVED +CVE-2016-4285 + RESERVED +CVE-2016-4284 + RESERVED +CVE-2016-4283 + RESERVED +CVE-2016-4282 + RESERVED +CVE-2016-4281 + RESERVED +CVE-2016-4280 + RESERVED +CVE-2016-4279 + RESERVED +CVE-2016-4278 + RESERVED +CVE-2016-4277 + RESERVED +CVE-2016-4276 + RESERVED +CVE-2016-4275 + RESERVED +CVE-2016-4274 + RESERVED +CVE-2016-4273 + RESERVED +CVE-2016-4272 + RESERVED +CVE-2016-4271 + RESERVED +CVE-2016-4270 + RESERVED +CVE-2016-4269 + RESERVED +CVE-2016-4268 + RESERVED +CVE-2016-4267 + RESERVED +CVE-2016-4266 + RESERVED +CVE-2016-4265 + RESERVED 
+CVE-2016-4264 + RESERVED +CVE-2016-4263 + RESERVED +CVE-2016-4262 + RESERVED +CVE-2016-4261 + RESERVED +CVE-2016-4260 + RESERVED +CVE-2016-4259 + RESERVED +CVE-2016-4258 + RESERVED +CVE-2016-4257 + RESERVED +CVE-2016-4256 + RESERVED +CVE-2016-4255 + RESERVED +CVE-2016-4254 + RESERVED +CVE-2016-4253 + RESERVED +CVE-2016-4252 + RESERVED +CVE-2016-4251 + RESERVED +CVE-2016-4250 + RESERVED +CVE-2016-4249 + RESERVED +CVE-2016-4248 + RESERVED +CVE-2016-4247 + RESERVED +CVE-2016-4246 + RESERVED +CVE-2016-4245 + RESERVED +CVE-2016-4244 + RESERVED +CVE-2016-4243 + RESERVED +CVE-2016-4242 + RESERVED +CVE-2016-4241 + RESERVED +CVE-2016-4240 + RESERVED +CVE-2016-4239 + RESERVED +CVE-2016-4238 + RESERVED +CVE-2016-4237 + RESERVED +CVE-2016-4236 + RESERVED +CVE-2016-4235 + RESERVED +CVE-2016-4234 + RESERVED +CVE-2016-4233 + RESERVED +CVE-2016-4232 + RESERVED +CVE-2016-4231 + RESERVED +CVE-2016-4230 + RESERVED +CVE-2016-4229 + RESERVED +CVE-2016-4228 + RESERVED +CVE-2016-4227 + RESERVED +CVE-2016-4226 + RESERVED +CVE-2016-4225 + RESERVED +CVE-2016-4224 + RESERVED +CVE-2016-4223 + RESERVED +CVE-2016-4222 + RESERVED +CVE-2016-4221 + RESERVED +CVE-2016-4220 + RESERVED +CVE-2016-4219 + RESERVED +CVE-2016-4218 + RESERVED +CVE-2016-4217 + RESERVED +CVE-2016-4216 + RESERVED +CVE-2016-4215 + RESERVED +CVE-2016-4214 + RESERVED +CVE-2016-4213 + RESERVED +CVE-2016-4212 + RESERVED +CVE-2016-4211 + RESERVED +CVE-2016-4210 + RESERVED +CVE-2016-4209 + RESERVED +CVE-2016-4208 + RESERVED +CVE-2016-4207 + RESERVED +CVE-2016-4206 + RESERVED +CVE-2016-4205 + RESERVED +CVE-2016-4204 + RESERVED +CVE-2016-4203 + RESERVED +CVE-2016-4202 + RESERVED +CVE-2016-4201 + RESERVED +CVE-2016-4200 + RESERVED +CVE-2016-4199 + RESERVED +CVE-2016-4198 + RESERVED +CVE-2016-4197 + RESERVED +CVE-2016-4196 +
[Secure-testing-commits] r41272 - data
Author: santiago Date: 2016-04-29 08:29:34 + (Fri, 29 Apr 2016) New Revision: 41272 Modified: data/dla-needed.txt Log: add subversion to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 07:03:53 UTC (rev 41271) +++ data/dla-needed.txt 2016-04-29 08:29:34 UTC (rev 41272) @@ -79,6 +79,8 @@ -- squid -- +subversion +-- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy
[Secure-testing-commits] r41271 - data/CVE
Author: jmm Date: 2016-04-29 07:03:53 + (Fri, 29 Apr 2016) New Revision: 41271 Modified: data/CVE/list Log: llvm 3.6 fixed Modified: data/CVE/list === --- data/CVE/list 2016-04-29 06:34:15 UTC (rev 41270) +++ data/CVE/list 2016-04-29 07:03:53 UTC (rev 41271) @@ -32983,7 +32983,7 @@ [jessie] - llvm-toolchain-3.4 (Minor issue) - llvm-toolchain-3.5 1:3.5.2-2 (low; bug #778392) [jessie] - llvm-toolchain-3.5 (Minor issue) - - llvm-toolchain-3.6 (bug #778393) + - llvm-toolchain-3.6 1:3.6-1 (bug #778393) - llvm-toolchain-3.7 1:3.7~+rc3-1 - llvm-toolchain-snapshot 1:3.8~svn245286-1 (bug #778394) - haskell-regex-posix (only when building on Windows, see bug #778395)
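Review bot: in the llvm-toolchain-3.6 hunk the new fixed version "1:3.6-1" has a different shape from the neighbouring entries ("1:3.5.2-2", "1:3.7~+rc3-1", "1:3.8~svn245286-1"), which all carry a full upstream point release or a snapshot suffix; confirm it against the package changelog before relying on it, because the tracker compares this field as a version string and a version lower than the real upload would mark llvm-toolchain-3.6 as fixed too early, while one that never existed would be flagged in the next consistency check. Since the bug reference "(bug #778393)" is kept, the entry otherwise matches the pattern of the 3.5 and snapshot lines.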