[Secure-testing-commits] r41593 - data

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-10 05:22:11 + (Tue, 10 May 2016)
New Revision: 41593

Modified:
   data/dsa-needed.txt
Log:
Add libarchive

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-10 04:41:13 UTC (rev 41592)
+++ data/dsa-needed.txt 2016-05-10 05:22:11 UTC (rev 41593)
@@ -25,6 +25,9 @@
 --
 icu
 --
+libarchive
+  Testpackages: https://people.debian.org/~carnil/tmp/libarchive/jessie
+--
 libidn
   Working debdiff for wheezy-security at
   https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff
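
Review bot: The added libarchive entry carries a "Testpackages:" URL under ~carnil but names no claimant after the package name, whereas other entries in data/dsa-needed.txt on this page use the form "phpmyadmin (thijs)" or "websvn (carnil)". If the update is already being prepared, write the entry as "libarchive (carnil)" so nobody else picks it up in parallel.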


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r41592 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-10 04:41:13 + (Tue, 10 May 2016)
New Revision: 41592

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2016-1541, #823893

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-10 04:39:52 UTC (rev 41591)
+++ data/CVE/list   2016-05-10 04:41:13 UTC (rev 41592)
@@ -9187,7 +9187,7 @@
RESERVED
 CVE-2016-1541 (Heap-based buffer overflow in the zip_read_mac_metadata 
function in ...)
[experimental] - libarchive 3.2.0-1
-   - libarchive 
+   - libarchive  (bug #823893)
NOTE: http://www.kb.cert.org/vuls/id/862384
NOTE: 
https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7
 (v3.2.0)
 CVE-2016-1540




[Secure-testing-commits] r41591 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-10 04:39:52 + (Tue, 10 May 2016)
New Revision: 41591

Modified:
   data/CVE/list
Log:
CVE-2016-457{0,1}/mxml assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-10 04:36:12 UTC (rev 41590)
+++ data/CVE/list   2016-05-10 04:39:52 UTC (rev 41591)
@@ -65,10 +65,12 @@
 CVE-2016-4546
RESERVED
NOT-FOR-US: Samsung Android component
-CVE-2016- [two stack exhaustation parsing xml files using mxml]
+CVE-2016-4570 [Recursion using mxmlDelete at mxml-node.c:217 
(stack-exhaustion-1.xml)]
- mxml 
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/05/07/8
-   TODO: check
+   NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/8
+CVE-2016-4571 [Recursion using mxml_write_node at mxml-file.c:2739 
(stack-exhaustion-2.xml]
+   - mxml 
+   NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/8
 CVE-2016- [invalid pointer read]
- mxml 
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/05/06/6
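
Review bot: The description on the added CVE-2016-4571 line opens a parenthesis before stack-exhaustion-2.xml but never closes it, ending in "(stack-exhaustion-2.xml]", while the CVE-2016-4570 line just above it ends in "(stack-exhaustion-1.xml)]". Add the missing ")" so the two descriptions are bracketed the same way.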




[Secure-testing-commits] r41590 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-10 04:36:12 + (Tue, 10 May 2016)
New Revision: 41590

Modified:
   data/CVE/list
Log:
Add CVE-2016-4569/linux

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-10 04:34:32 UTC (rev 41589)
+++ data/CVE/list   2016-05-10 04:36:12 UTC (rev 41590)
@@ -1,3 +1,6 @@
+CVE-2016-4569 [information leak]
+   - linux 
+   NOTE: http://comments.gmane.org/gmane.linux.kernel/2214250
 CVE-2016-4564
RESERVED
 CVE-2016-4563




[Secure-testing-commits] r41589 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-10 04:34:32 + (Tue, 10 May 2016)
New Revision: 41589

Modified:
   data/CVE/list
Log:
Add information for CVE-2016-1541

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 23:00:01 UTC (rev 41588)
+++ data/CVE/list   2016-05-10 04:34:32 UTC (rev 41589)
@@ -9181,7 +9181,10 @@
 CVE-2016-1542
RESERVED
 CVE-2016-1541 (Heap-based buffer overflow in the zip_read_mac_metadata 
function in ...)
-   TODO: check
+   [experimental] - libarchive 3.2.0-1
+   - libarchive 
+   NOTE: http://www.kb.cert.org/vuls/id/862384
+   NOTE: 
https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7
 (v3.2.0)
 CVE-2016-1540
RESERVED
 CVE-2016-1539




[Secure-testing-commits] r41588 - data

2016-05-09 Thread Brian May
Author: bam
Date: 2016-05-09 23:00:01 + (Mon, 09 May 2016)
New Revision: 41588

Modified:
   data/dla-needed.txt
Log:
Mark librsvg


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 22:36:48 UTC (rev 41587)
+++ data/dla-needed.txt 2016-05-09 23:00:01 UTC (rev 41588)
@@ -41,7 +41,8 @@
 --
 libjackson-json-java
 --
-librsvg
+librsvg (Brian May)
+  Reproduced issue in wheezy and Jessie. Need to git bisect to find fix.
   NOTE: reproducer http://seclists.org/oss-sec/2016/q2/161
   NOTE: Apparently fixed in Git upstream, needs confirmation
 --
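
Review bot: The added status line under librsvg, "Reproduced issue in wheezy and Jessie. Need to git bisect to find fix.", has no "NOTE:" prefix, while the two lines that follow it in the same entry both do. Prefix it with "NOTE:" for consistency, and write both suite names in the same case (wheezy, jessie).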




[Secure-testing-commits] r41587 - in data: . DLA

2016-05-09 Thread Markus Koschany
Author: apo
Date: 2016-05-09 22:36:48 + (Mon, 09 May 2016)
New Revision: 41587

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-463-1 for ikiwiki

Modified: data/DLA/list
===
--- data/DLA/list   2016-05-09 22:22:33 UTC (rev 41586)
+++ data/DLA/list   2016-05-09 22:36:48 UTC (rev 41587)
@@ -1,3 +1,6 @@
+[10 May 2016] DLA-463-1 ikiwiki - security update
+   {CVE-2016-4561}
+   [wheezy] - ikiwiki 3.20120629.2+deb7u1
 [09 May 2016] DLA-462-1 websvn - security update
{CVE-2016-1236}
[wheezy] - websvn 2.3.3-1.1+deb7u3
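
Review bot: The added DLA-463-1 entry is dated "[10 May 2016]", but this revision is stamped 2016-05-09 22:36:48 UTC and the DLA-462-1 entry directly below it is dated 09 May 2016. Confirm that 10 May is the intended date for the advisory and not a local-time artefact of when the number was reserved.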

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 22:22:33 UTC (rev 41586)
+++ data/dla-needed.txt 2016-05-09 22:36:48 UTC (rev 41587)
@@ -30,8 +30,6 @@
 icu (Roberto C. Sánchez)
   NOTE: check comments on CVE-2016-0494 as well
 --
-ikiwiki
---
 imagemagick
   NOTE: only minor issues
 --



[Secure-testing-commits] r41586 - data

2016-05-09 Thread Simon McVittie
Author: smcv
Date: 2016-05-09 22:22:33 + (Mon, 09 May 2016)
New Revision: 41586

Modified:
   data/dla-needed.txt
Log:
give back responsibility for ikiwiki DLA

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 21:10:11 UTC (rev 41585)
+++ data/dla-needed.txt 2016-05-09 22:22:33 UTC (rev 41586)
@@ -30,7 +30,7 @@
 icu (Roberto C. Sánchez)
   NOTE: check comments on CVE-2016-0494 as well
 --
-ikiwiki (smcv)
+ikiwiki
 --
 imagemagick
   NOTE: only minor issues



[Secure-testing-commits] r41585 - data/CVE

2016-05-09 Thread security tracker role
Author: sectracker
Date: 2016-05-09 21:10:11 + (Mon, 09 May 2016)
New Revision: 41585

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 20:05:36 UTC (rev 41584)
+++ data/CVE/list   2016-05-09 21:10:11 UTC (rev 41585)
@@ -1,3 +1,15 @@
+CVE-2016-4564
+   RESERVED
+CVE-2016-4563
+   RESERVED
+CVE-2016-4562
+   RESERVED
+CVE-2016-4560
+   RESERVED
+CVE-2016-4559
+   RESERVED
+CVE-2016-4552
+   RESERVED
 CVE-2016- [Multiple security problems]
- imagemagick  (bug #823750)
NOTE: This really should be split up in individual cases otherwise hard 
to act on
@@ -2,2 +14,3 @@
 CVE-2016-4567 [XSS]
+   RESERVED
- mediaelement  (unimportant; bug #823649)
@@ -9,6 +22,7 @@
NOTE: See 0004-Deactivate-Flash-and-Silverlight.patch
NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/2
 CVE-2016-4566 [XSS]
+   RESERVED
- wordpress 4.5.2+dfsg-1 (bug #823640)
[jessie] - wordpress  (Vulnerable code not present)
[wheezy] - wordpress  (Vulnerable code not present)
@@ -16,12 +30,14 @@
NOTE: Fixed by: https://core.trac.wordpress.org/changeset/37382
NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/2
 CVE-2016-4568 [videobuf2-v4l2: Verify planes array in buffer dequeueing]
+   RESERVED
- linux 4.5.3-1
[jessie] - linux  (Vulnerable code introduced in 4.4)
[wheezy] - linux  (Vulnerable code introduced in 4.4)
NOTE: Fixed by: 
https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab (v4.6-rc6)
NOTE: Introduced by: 
https://git.kernel.org/linus/b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 (v4.4-rc1)
 CVE-2016-4565 [IB/security: Restrict use of the write() interface]
+   RESERVED
- linux 4.5.3-1
NOTE: Fixed by: 
https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 (v4.6-rc6)
 CVE-2016-4551
@@ -35,6 +51,7 @@
 CVE-2016-4545
RESERVED
 CVE-2016-4561 [HTML-escape error messages, in one case avoiding potential 
cross-site scripting]
+   RESERVED
{DSA-3571-1}
- ikiwiki 3.20160506
NOTE: 
http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7
@@ -54,11 +71,13 @@
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/05/06/6
TODO: check
 CVE-2016-4558 [bpf: fix refcnt overflow]
+   RESERVED
- linux 4.5.3-1
NOTE: Fixed by: 
https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e
NOTE: Introduced by: 
https://git.kernel.org/linus/1be7f75d1668d6296b80bf35dcf6762393530afc(v4.4-rc1)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=809
 CVE-2016-4557 [UAF via double-fdput() in bpf(BPF_PROG_LOAD) error path]
+   RESERVED
- linux 4.5.3-1 (bug #823603)
[jessie] - linux  (Issue introduced later)
[wheezy] - linux  (Issue introduced later)
@@ -68,18 +87,21 @@
NOTE: Exploitable since: 
https://git.kernel.org/linus/1be7f75d1668d6296b80bf35dcf6762393530afc (v4.4-rc1)
NOTE: http://www.openwall.com/lists/oss-security/2016/05/06/4
 CVE-2016-4556
+   RESERVED
- squid3 
- squid  (Does not affect 2.x)
NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch
NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch
 CVE-2016-4555
+   RESERVED
- squid3 
- squid  (Does not affect 2.x)
NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch
NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch
 CVE-2016-4554 [Header Smuggling issue in HTTP Request processing]
+   RESERVED
- squid3 
- squid 
NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
@@ -89,6 +111,7 @@
NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13236.patch
NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch
 CVE-2016-4553 [Cache Poisoning issue in HTTP Request handling]
+   RESERVED
- squid3 
- squid  (Does not affect 2.x)
NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
@@ -484,8 +507,7 @@
RESERVED
 CVE-2015-8870
RESERVED
-CVE-2013-7455
-   RESERVED
+CVE-2013-7455 (Double free vulnerability in the DefaultICCintents function in 
...)
- lcms2 2.6-1
[wheezy] - lcms2  (vulnerable code not present, no 
cmsPipelineFree(Lut); in Error:-part)
NOTE: https://www.kb.cert.org/vuls/id/369800
@@ -501,12 +523,10 @@
 CVE-2016-4483
RESERVED
- libxml2  (

[Secure-testing-commits] r41584 - in data: . DSA

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 20:05:36 + (Mon, 09 May 2016)
New Revision: 41584

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA number for qemu update

Modified: data/DSA/list
===
--- data/DSA/list   2016-05-09 19:37:18 UTC (rev 41583)
+++ data/DSA/list   2016-05-09 20:05:36 UTC (rev 41584)
@@ -1,3 +1,6 @@
+[09 May 2016] DSA-3573-1 qemu - security update
+   {CVE-2016-3710 CVE-2016-3712}
+   [jessie] - qemu 1:2.1+dfsg-12+deb8u6
 [09 May 2016] DSA-3572-1 websvn - security update
{CVE-2016-1236}
[jessie] - websvn 2.3.3-1.2+deb8u2

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-09 19:37:18 UTC (rev 41583)
+++ data/dsa-needed.txt 2016-05-09 20:05:36 UTC (rev 41584)
@@ -55,9 +55,6 @@
 --
 phpmyadmin (thijs)
 --
-qemu (carnil)
-  Waiting for ftp-master for Built-Using problem
---
 quagga
   Waiting for upstream-blessed patch before going forward
   Triggering circumstances not common




[Secure-testing-commits] r41583 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 19:37:18 + (Mon, 09 May 2016)
New Revision: 41583

Modified:
   data/dla-needed.txt
Log:
Triage xerces-c for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 19:35:22 UTC (rev 41582)
+++ data/dla-needed.txt 2016-05-09 19:37:18 UTC (rev 41583)
@@ -121,5 +121,7 @@
 --
 x11vnc
 --
+xerces-c
+--
 xymon (Chris Lamb)
 --




[Secure-testing-commits] r41582 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 19:35:22 + (Mon, 09 May 2016)
New Revision: 41582

Modified:
   data/dla-needed.txt
Log:
Triage x11vnc for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 19:30:34 UTC (rev 41581)
+++ data/dla-needed.txt 2016-05-09 19:35:22 UTC (rev 41582)
@@ -119,5 +119,7 @@
 --
 wpa
 --
+x11vnc
+--
 xymon (Chris Lamb)
 --




[Secure-testing-commits] r41581 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 19:30:34 + (Mon, 09 May 2016)
New Revision: 41581

Modified:
   data/dla-needed.txt
Log:
Triage wireshark for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 19:09:55 UTC (rev 41580)
+++ data/dla-needed.txt 2016-05-09 19:30:34 UTC (rev 41581)
@@ -115,6 +115,8 @@
 --
 tiff3
 --
+wireshark
+--
 wpa
 --
 xymon (Chris Lamb)




[Secure-testing-commits] r41580 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 19:09:55 + (Mon, 09 May 2016)
New Revision: 41580

Modified:
   data/dla-needed.txt
Log:
Triage dhcpcd5 for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 18:53:16 UTC (rev 41579)
+++ data/dla-needed.txt 2016-05-09 19:09:55 UTC (rev 41580)
@@ -18,6 +18,8 @@
 cakephp
   NOTE: CVE-2015-8379 No official solution is currently available, 20160425
 --
+dhcpcd5
+--
 gosa (Mike Gabriel)
   NOTE: .debdiff sent to the Security Team, waiting for feedback
   NOTE: asked about jessie status (seb)




[Secure-testing-commits] r41579 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 18:53:16 + (Mon, 09 May 2016)
New Revision: 41579

Modified:
   data/dla-needed.txt
Log:
Revert "Triage loldongs for LTS"

Was testing a zsh alias and clearly did not revert this :/

This reverts commit d8e853ad70367a66dd3e0899f102ab41face8fe9.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 18:53:15 UTC (rev 41578)
+++ data/dla-needed.txt 2016-05-09 18:53:16 UTC (rev 41579)
@@ -59,8 +59,6 @@
 --
 linux
 --
-loldongs
---
 mxml
 --
 nss (Guido Günther)



[Secure-testing-commits] r41578 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 18:53:15 + (Mon, 09 May 2016)
New Revision: 41578

Modified:
   data/dla-needed.txt
Log:
Triage mxml for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 18:51:32 UTC (rev 41577)
+++ data/dla-needed.txt 2016-05-09 18:53:15 UTC (rev 41578)
@@ -61,6 +61,8 @@
 --
 loldongs
 --
+mxml
+--
 nss (Guido Günther)
 --
 ntp



[Secure-testing-commits] r41577 - in data: . DLA

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 18:51:32 + (Mon, 09 May 2016)
New Revision: 41577

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA number for websvn

Modified: data/DLA/list
===
--- data/DLA/list   2016-05-09 18:46:15 UTC (rev 41576)
+++ data/DLA/list   2016-05-09 18:51:32 UTC (rev 41577)
@@ -1,3 +1,6 @@
+[09 May 2016] DLA-462-1 websvn - security update
+   {CVE-2016-1236}
+   [wheezy] - websvn 2.3.3-1.1+deb7u3
 [07 May 2016] DLA-461-1 nagios3 - security update
{CVE-2014-1878}
[wheezy] - nagios3 3.4.1-3+deb7u2

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 18:46:15 UTC (rev 41576)
+++ data/dla-needed.txt 2016-05-09 18:51:32 UTC (rev 41577)
@@ -113,9 +113,6 @@
 --
 tiff3
 --
-websvn (carnil)
-  carnil> Testpackages: https://people.debian.org/~carnil/tmp/websvn/wheezy/
---
 wpa
 --
 xymon (Chris Lamb)




[Secure-testing-commits] r41576 - data/CVE

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 18:46:15 + (Mon, 09 May 2016)
New Revision: 41576

Modified:
   data/CVE/list
Log:
libjackson-json-java is also vulnerable, at least for the JSONP part

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 18:33:22 UTC (rev 41575)
+++ data/CVE/list   2016-05-09 18:46:15 UTC (rev 41576)
@@ -23455,6 +23455,7 @@
 CVE-2015-5211
RESERVED
- libspring-java 
+   - libjackson-json-java 
NOTE: https://jira.spring.io/browse/SPR-13548
NOTE: https://github.com/spring-projects/spring-framework/commit/2bd1da
NOTE: https://github.com/spring-projects/spring-framework/commit/a95c3d
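
Review bot: The added "- libjackson-json-java" line under CVE-2015-5211 comes with no NOTE of its own, and the three NOTE lines in the entry all point at Spring (SPR-13548 and two spring-framework commits). The log message limits the claim to "at least for the JSONP part"; record that scope as a NOTE in the entry so the reasoning does not live only in the commit log.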




[Secure-testing-commits] r41575 - in data: . DSA

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 18:33:22 + (Mon, 09 May 2016)
New Revision: 41575

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for websvn

Modified: data/DSA/list
===
--- data/DSA/list   2016-05-09 18:12:44 UTC (rev 41574)
+++ data/DSA/list   2016-05-09 18:33:22 UTC (rev 41575)
@@ -1,3 +1,6 @@
+[09 May 2016] DSA-3572-1 websvn - security update
+   {CVE-2016-1236}
+   [jessie] - websvn 2.3.3-1.2+deb8u2
 [08 May 2016] DSA-3571-1 ikiwiki - security update
{CVE-2016-4561}
[jessie] - ikiwiki 3.20141016.3

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-09 18:12:44 UTC (rev 41574)
+++ data/dsa-needed.txt 2016-05-09 18:33:22 UTC (rev 41575)
@@ -69,6 +69,3 @@
 --
 tomcat8 (Markus Koschany)
 --
-websvn (carnil)
-  carnil> Testpackages: https://people.debian.org/~carnil/tmp/websvn/jessie/
---




[Secure-testing-commits] r41574 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 18:12:44 + (Mon, 09 May 2016)
New Revision: 41574

Modified:
   data/CVE/list
Log:
web2ldap removed from the archive

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 18:05:59 UTC (rev 41573)
+++ data/CVE/list   2016-05-09 18:12:44 UTC (rev 41574)
@@ -62853,7 +62853,7 @@
- neo4j-community  (bug #685615)
NOTE: 
http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html
 CVE-2013-7258 (Cross-site scripting (XSS) vulnerability in web2ldap 1.1.x 
before ...)
-   - web2ldap  (low; bug #734107)
+   - web2ldap  (low; bug #734107)
 CVE-2013-7257 (Cross-site scripting (XSS) vulnerability in Codiad 2.0.7 allows 
remote ...)
NOT-FOR-US: Codiad
 CVE-2013-7256 (Cross-site request forgery (CSRF) vulnerability in Opsview 
before ...)




[Secure-testing-commits] r41573 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 18:05:59 + (Mon, 09 May 2016)
New Revision: 41573

Modified:
   data/CVE/list
Log:
Revert "Correct package for CVE-2015-5211"

This reverts commit 0fc6896d0ba5b4bd3d817cdecdcb930adfed6682.

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 18:01:50 UTC (rev 41572)
+++ data/CVE/list   2016-05-09 18:05:59 UTC (rev 41573)
@@ -23454,7 +23454,7 @@
NOTE: 
https://www.libreoffice.org/about-us/security/advisories/cve-2015-5212/
 CVE-2015-5211
RESERVED
-   - libjackson-json-java 
+   - libspring-java 
NOTE: https://jira.spring.io/browse/SPR-13548
NOTE: https://github.com/spring-projects/spring-framework/commit/2bd1da
NOTE: https://github.com/spring-projects/spring-framework/commit/a95c3d




[Secure-testing-commits] r41572 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 18:01:50 + (Mon, 09 May 2016)
New Revision: 41572

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2016-2099/xerces-c

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 18:00:28 UTC (rev 41571)
+++ data/CVE/list   2016-05-09 18:01:50 UTC (rev 41572)
@@ -7095,9 +7095,8 @@
- foreman  (bug #663101)
 CVE-2016-2099 [use-after-free]
RESERVED
-   - xerces-c 
+   - xerces-c  (bug #823863)
NOTE: https://issues.apache.org/jira/browse/XERCESC-2066
-   TODO: check
 CVE-2016-2098 (Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 
4.1.14.2, and ...)
{DSA-3509-1}
- rails 2:4.2.5.2-1




[Secure-testing-commits] r41571 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 18:00:28 + (Mon, 09 May 2016)
New Revision: 41571

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2015-1840/ruby-jquery-rails

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 17:47:51 UTC (rev 41570)
+++ data/CVE/list   2016-05-09 18:00:28 UTC (rev 41571)
@@ -33468,7 +33468,7 @@
 CVE-2015-1841 (The Web Admin interface in Red Hat Enterprise Virtualization 
Manager ...)
NOT-FOR-US: RHEV
 CVE-2015-1840 (jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 
and ...)
-   - ruby-jquery-rails  (bug #790395)
+   - ruby-jquery-rails 4.0.4-1 (bug #790395)
NOTE: https://hackerone.com/reports/49935
NOTE: 
https://groups.google.com/forum/#!msg/rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J
NOTE: https://nodesecurity.io/advisories/15




[Secure-testing-commits] r41570 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 17:47:51 + (Mon, 09 May 2016)
New Revision: 41570

Modified:
   data/CVE/list
Log:
Add CVE-2016-2099/xerces-c

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 17:35:49 UTC (rev 41569)
+++ data/CVE/list   2016-05-09 17:47:51 UTC (rev 41570)
@@ -7093,8 +7093,11 @@
 CVE-2016-2100
RESERVED
- foreman  (bug #663101)
-CVE-2016-2099
+CVE-2016-2099 [use-after-free]
RESERVED
+   - xerces-c 
+   NOTE: https://issues.apache.org/jira/browse/XERCESC-2066
+   TODO: check
 CVE-2016-2098 (Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 
4.1.14.2, and ...)
{DSA-3509-1}
- rails 2:4.2.5.2-1




[Secure-testing-commits] r41569 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 17:35:49 + (Mon, 09 May 2016)
New Revision: 41569

Modified:
   data/dla-needed.txt
Log:
Triage ruby-jquery-rails for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 17:31:15 UTC (rev 41568)
+++ data/dla-needed.txt 2016-05-09 17:35:49 UTC (rev 41569)
@@ -92,6 +92,8 @@
 --
 ruby-eventmachine
 --
+ruby-jquery-rails
+--
 samba
   Samba maintainers are preparing updates for regressions
 --




[Secure-testing-commits] r41568 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 17:31:15 + (Mon, 09 May 2016)
New Revision: 41568

Modified:
   data/dla-needed.txt
Log:
Triage libjackson-json-java for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 17:31:13 UTC (rev 41567)
+++ data/dla-needed.txt 2016-05-09 17:31:15 UTC (rev 41568)
@@ -39,6 +39,8 @@
   Testing is required.
   https://people.debian.org/~bam/debian/pool/main/libi/libidn/
 --
+libjackson-json-java
+--
 librsvg
   NOTE: reproducer http://seclists.org/oss-sec/2016/q2/161
   NOTE: Apparently fixed in Git upstream, needs confirmation




[Secure-testing-commits] r41567 - data/CVE

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 17:31:13 + (Mon, 09 May 2016)
New Revision: 41567

Modified:
   data/CVE/list
Log:
Correct package for CVE-2015-5211

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 17:26:44 UTC (rev 41566)
+++ data/CVE/list   2016-05-09 17:31:13 UTC (rev 41567)
@@ -23452,7 +23452,7 @@
NOTE: 
https://www.libreoffice.org/about-us/security/advisories/cve-2015-5212/
 CVE-2015-5211
RESERVED
-   - libspring-java 
+   - libjackson-json-java 
NOTE: https://jira.spring.io/browse/SPR-13548
NOTE: https://github.com/spring-projects/spring-framework/commit/2bd1da
NOTE: https://github.com/spring-projects/spring-framework/commit/a95c3d
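
Review bot: The changed package line swaps "- libspring-java" for "- libjackson-json-java" outright, yet every NOTE left in the CVE-2015-5211 entry references Spring (jira.spring.io SPR-13548 and two spring-framework commits). If libjackson-json-java is affected too, add it as a second package line instead of dropping libspring-java, and add a NOTE that justifies the new package.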




[Secure-testing-commits] r41566 - data/CVE

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 17:26:44 + (Mon, 09 May 2016)
New Revision: 41566

Modified:
   data/CVE/list
Log:
Triage libvpx for LTS

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 17:26:36 UTC (rev 41565)
+++ data/CVE/list   2016-05-09 17:26:44 UTC (rev 41566)
@@ -25401,6 +25401,7 @@
[squeeze] - iceweasel 
- libvpx 
[squeeze] - libvpx  (no vp9 support in this version)
+   [wheezy] - libvpx  (no vp9 support in this version)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/
 CVE-2015-4505 (updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x 
before ...)
- iceweasel  (Windows-specific)




[Secure-testing-commits] r41564 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 17:26:35 + (Mon, 09 May 2016)
New Revision: 41564

Modified:
   data/dla-needed.txt
Log:
Drop extra whitespace.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 16:25:54 UTC (rev 41563)
+++ data/dla-needed.txt 2016-05-09 17:26:35 UTC (rev 41564)
@@ -9,7 +9,7 @@
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
- asterisk (Thorsten Alteholz)
+asterisk (Thorsten Alteholz)
 --
 cacti
   NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425




[Secure-testing-commits] r41565 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 17:26:36 + (Mon, 09 May 2016)
New Revision: 41565

Modified:
   data/dla-needed.txt
Log:
Triage loldongs for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 17:26:35 UTC (rev 41564)
+++ data/dla-needed.txt 2016-05-09 17:26:36 UTC (rev 41565)
@@ -57,6 +57,8 @@
 --
 linux
 --
+loldongs
+--
 nss (Guido Günther)
 --
 ntp
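
Review bot: The added "loldongs" entry has no claimant and no NOTE, and r41579 on this page reverts it with the explanation that it came from testing a zsh alias. The entry should not be in data/dla-needed.txt at all; check the staged diff before committing so test entries like this do not reach the shared file.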



[Secure-testing-commits] r41563 - data/CVE

2016-05-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-05-09 16:25:54 + (Mon, 09 May 2016)
New Revision: 41563

Modified:
   data/CVE/list
Log:
tiff no-dsa
NFUs
cleared some TODOs


Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 14:13:53 UTC (rev 41562)
+++ data/CVE/list   2016-05-09 16:25:54 UTC (rev 41563)
@@ -624,7 +624,7 @@
 CVE-2016-4357
RESERVED
 CVE-2016-4351 (SQL injection vulnerability in the authentication functionality 
in ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2016-4350
RESERVED
 CVE-2014-9773 [A remote attacker could change Atheme's behavior by 
registering/dropping certain accounts/nicks]
@@ -1388,17 +1388,14 @@
NOTE: 
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch 
(Squid 3.3)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch 
(Squid 3.4)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch 
(Squid 3.5)
-   TODO: check
 CVE-2016-4053 (Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote 
attackers to ...)
- squid3 3.5.17-1
-   - squid 
- squid  (Squid 2.x are not vulnerable)
NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
NOTE: 
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch 
(Squid 3.2)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch 
(Squid 3.3)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch 
(Squid 3.4)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch 
(Squid 3.5)
-   TODO: check
 CVE-2016-4052 (Multiple stack-based buffer overflows in Squid 3.x before 
3.5.17 and ...)
- squid3 3.5.17-1
- squid  (Squid 2.x are not vulnerable)
@@ -1407,7 +1404,6 @@
NOTE: 
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch 
(Squid 3.3)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch 
(Squid 3.4)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch 
(Squid 3.5)
-   TODO: check
 CVE-2016-4051 (Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 
3.5.17, and ...)
- squid3 3.5.17-1
- squid 
@@ -1425,7 +1421,7 @@
 CVE-2016-4041
RESERVED
 CVE-2016-4040 (SQL injection vulnerability in the Workflow Screen in dotCMS 
before ...)
-   TODO: check
+   NOT-FOR-US: dotCMS
 CVE-2015-8853 [Regexp-matching "hangs" indefinitely on illegal input using 
binmode :utf8 using 100%CPU]
RESERVED
- perl 5.22.1-1 (bug #821848)
@@ -1549,9 +1545,8 @@
 CVE-2016-4004 (Directory traversal vulnerability in Dell OpenManage Server ...)
NOT-FOR-US: Dell
 CVE-2016-4003 (Cross-site scripting (XSS) vulnerability in the URLDecoder 
function in ...)
-   - libstruts1.2-java 
+   - libstruts1.2-java  (Only affects 2.x)
NOTE: http://struts.apache.org/docs/s2-028.html
-   TODO: check, possibly only 2.x
 CVE-2016-4020 [i386: leakage of stack memory to guest in kvmvapic.c]
RESERVED
- qemu  (bug #821062)
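Review bot: The new libstruts1.2-java line for CVE-2016-4003 states "(Only affects 2.x)" as settled, while the TODO it replaces only said "possibly only 2.x", and the sole reference left on the entry is the S2-028 advisory. A short NOTE recording what was checked in the 1.2 source would let a later reader verify the status without redoing the triage.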
@@ -1745,9 +1740,9 @@
 CVE-2016-3973 (The chat feature in the Real-Time Collaboration (RTC) services 
in SAP ...)
NOT-FOR-US: SAP
 CVE-2016-3972 (Directory traversal vulnerability in the dotTailLogServlet in 
dotCMS ...)
-   TODO: check
+   NOT-FOR-US: dotCMS
 CVE-2016-3971 (Cross-site scripting (XSS) vulnerability in lucene_search.jsp 
in ...)
-   TODO: check
+   NOT-FOR-US: dotCMS
 CVE-2016-3970
RESERVED
 CVE-2015-8840 (The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS 
Java does ...)
@@ -1848,8 +1843,10 @@
 CVE-2016-3945 [Out-of-bounds Write in the tiff2rgba tool]
RESERVED
- tiff 
-   - tiff3 
-   TODO: check
+   [jessie] - tiff  (Minor issue)
+   [wheezy] - tiff  (Minor issue)
+   - tiff3  (unimportant)
+   NOTE: src:tiff3: built binary packages do not contain the TIFF tools
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2545
 CVE-2015-8865 [Buffer over-write in finfo_open with malformed magic file]
RESERVED
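Review bot: The [jessie] and [wheezy] tiff lines for CVE-2016-3945 are marked "(Minor issue)" with no stated reason, although the entry title describes an out-of-bounds write in the tiff2rgba tool. The tiff3 line gets an explanatory NOTE (built binary packages do not contain the TIFF tools); a matching NOTE for src:tiff saying why the issue is considered minor would make the decision reviewable.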
@@ -2442,7 +2439,7 @@
NOTE: https://bugs.launchpad.net/bugs/1533633
NOTE: It is unclear when this was fixed exactly, marking the version in 
jessie as fixed for now
 CVE-2016-3688 (SQL injection vulnerability in dotCMS before 3.5 allows remote 
...)
-   TODO: check
+   NOT-FOR-US: dotCMS
 CVE-2016-3687
RESERVED
 CVE-2016-3686 (The Single Sign-On (SSO) feature in F5 BIG-IP APM 11.x before 
11.6.0 ...)




[Secure-testing-commits] r41562 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 14:13:53 + (Mon, 09 May 2016)
New Revision: 41562

Modified:
   data/CVE/list
Log:
Mark CVE-2016-2785/puppet as not-affected

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 12:34:50 UTC (rev 41561)
+++ data/CVE/list   2016-05-09 14:13:53 UTC (rev 41562)
@@ -4851,9 +4851,9 @@
RESERVED
 CVE-2016-2785 [incorrect URL decoding]
RESERVED
-   - puppet 
+   - puppet  (Vulnerable code only in 4.x)
NOTE: https://puppet.com/security/cve/cve-2016-2785
-   TODO: check versions, fixed in Puppet 4.4.2, possibly only 4.x
+   NOTE: 
https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2
 CVE-2016-2784
RESERVED
 CVE-2015-8818
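Review bot: The removed TODO on CVE-2016-2785 was the only line recording "fixed in Puppet 4.4.2", and that version is no longer in the entry after this change. Consider keeping it as a NOTE next to the new commit link, so the upstream fixed version stays on record.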




[Secure-testing-commits] r41561 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 12:34:50 + (Mon, 09 May 2016)
New Revision: 41561

Modified:
   data/CVE/list
Log:
Add qemu bug reference, #823830

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 12:10:56 UTC (rev 41560)
+++ data/CVE/list   2016-05-09 12:34:50 UTC (rev 41561)
@@ -2370,9 +2370,9 @@
TODO: check if other packages are affected
 CVE-2016-3713
RESERVED
-CVE-2016-3712
+CVE-2016-3712 [Out-of-bounds read when creating weird vga screen surface]
RESERVED
-   - qemu 
+   - qemu  (bug #823830)
- qemu-kvm 
NOTE: http://xenbits.xen.org/xsa/advisory-179.html
 CVE-2016-3711 [Setting cookie containing internal IP address of a pod]
@@ -2380,9 +2380,9 @@
- haproxy 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1318796
TODO: check
-CVE-2016-3710
+CVE-2016-3710 [incorrect banked access bounds checking in vga module]
RESERVED
-   - qemu 
+   - qemu  (bug #823830)
- qemu-kvm 
NOTE: http://xenbits.xen.org/xsa/advisory-179.html
 CVE-2016-3709




[Secure-testing-commits] r41560 - data

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 12:10:56 + (Mon, 09 May 2016)
New Revision: 41560

Modified:
   data/dsa-needed.txt
Log:
Add qemu to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-09 12:10:53 UTC (rev 41559)
+++ data/dsa-needed.txt 2016-05-09 12:10:56 UTC (rev 41560)
@@ -55,6 +55,9 @@
 --
 phpmyadmin (thijs)
 --
+qemu (carnil)
+  Waiting for ftp-master for Built-Using problem
+--
 quagga
   Waiting for upstream-blessed patch before going forward
   Triggering circumstances not common
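Review bot: The status line under the new qemu entry, "Waiting for ftp-master for Built-Using problem", gives no bug number or link for that problem, so nobody else reading the list can tell when the block is lifted. Adding a reference to the relevant bug or request would fix that.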




[Secure-testing-commits] r41559 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 12:10:53 + (Mon, 09 May 2016)
New Revision: 41559

Modified:
   data/CVE/list
Log:
Add XSA references

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 12:09:10 UTC (rev 41558)
+++ data/CVE/list   2016-05-09 12:10:53 UTC (rev 41559)
@@ -2374,6 +2374,7 @@
RESERVED
- qemu 
- qemu-kvm 
+   NOTE: http://xenbits.xen.org/xsa/advisory-179.html
 CVE-2016-3711 [Setting cookie containing internal IP address of a pod]
RESERVED
- haproxy 
@@ -2383,6 +2384,7 @@
RESERVED
- qemu 
- qemu-kvm 
+   NOTE: http://xenbits.xen.org/xsa/advisory-179.html
 CVE-2016-3709
RESERVED
 CVE-2016-3708




[Secure-testing-commits] r41558 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 12:09:10 + (Mon, 09 May 2016)
New Revision: 41558

Modified:
   data/CVE/list
Log:
Add new qemu issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 10:13:40 UTC (rev 41557)
+++ data/CVE/list   2016-05-09 12:09:10 UTC (rev 41558)
@@ -2372,6 +2372,8 @@
RESERVED
 CVE-2016-3712
RESERVED
+   - qemu 
+   - qemu-kvm 
 CVE-2016-3711 [Setting cookie containing internal IP address of a pod]
RESERVED
- haproxy 
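Review bot: CVE-2016-3712 gains qemu and qemu-kvm package lines here but no bracketed description and no NOTE with a source, so the entry does not say what the issue is or where the affected-package claim comes from; the same holds for CVE-2016-3710 in the next hunk. Adding the description and the advisory reference in the same commit as the package lines would keep each revision self-explanatory.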
@@ -2379,6 +2381,8 @@
TODO: check
 CVE-2016-3710
RESERVED
+   - qemu 
+   - qemu-kvm 
 CVE-2016-3709
RESERVED
 CVE-2016-3708




[Secure-testing-commits] r41557 - data

2016-05-09 Thread Chris Lamb
Author: lamby
Date: 2016-05-09 10:13:40 + (Mon, 09 May 2016)
New Revision: 41557

Modified:
   data/dla-needed.txt
Log:
Add ruby-eventmachine to data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 09:22:41 UTC (rev 41556)
+++ data/dla-needed.txt 2016-05-09 10:13:40 UTC (rev 41557)
@@ -86,6 +86,8 @@
   NOTE: One maintainer suggests to update to the stable 1.0.x branch
   NOTE: https://lists.debian.org/debian-lts/2016/05/msg00016.html
 --
+ruby-eventmachine
+--
 samba
   Samba maintainers are preparing updates for regressions
 --
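Review bot: The new ruby-eventmachine entry has no CVE id, bug number or NOTE, unlike the entry above it, which links the relevant debian-lts message. A one-line reference to the issue that prompted the entry would tell whoever claims it where to start.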




[Secure-testing-commits] r41556 - data

2016-05-09 Thread Santiago Ruano Rincón
Author: santiago
Date: 2016-05-09 09:22:41 + (Mon, 09 May 2016)
New Revision: 41556

Modified:
   data/dla-needed.txt
Log:
Claim squid3 in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 09:15:42 UTC (rev 41555)
+++ data/dla-needed.txt 2016-05-09 09:22:41 UTC (rev 41556)
@@ -93,7 +93,7 @@
 --
 squid
 --
-squid3
+squid3 (Santiago R.R.)
 --
 tardiff
   fw asked maintainer for preparing debdiffs for wheezy- and jessie-security




[Secure-testing-commits] r41555 - data/CVE

2016-05-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-05-09 09:15:42 + (Mon, 09 May 2016)
New Revision: 41555

Modified:
   data/CVE/list
Log:
Mark one android-platform-system-core as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 07:54:16 UTC (rev 41554)
+++ data/CVE/list   2016-05-09 09:15:42 UTC (rev 41555)
@@ -86906,6 +86906,7 @@
- android-tools  (bug #688280)
[jessie] - android-tools  (Minor issue)
- android-platform-system-core  (bug #823792)
+   [jessie] - android-platform-system-core  (Minor issue)
 CVE-2012-5563 (OpenStack Keystone, as used in OpenStack Folsom 2012.2, does 
not ...)
- keystone  (Folsom branch not packaged yet)
 CVE-2012-5562




[Secure-testing-commits] r41554 - data

2016-05-09 Thread Markus Koschany
Author: apo
Date: 2016-05-09 07:54:16 + (Mon, 09 May 2016)
New Revision: 41554

Modified:
   data/dla-needed.txt
Log:
Add sogo to dla-needed.txt


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 07:51:49 UTC (rev 41553)
+++ data/dla-needed.txt 2016-05-09 07:54:16 UTC (rev 41554)
@@ -89,6 +89,8 @@
 samba
   Samba maintainers are preparing updates for regressions
 --
+sogo
+--
 squid
 --
 squid3




[Secure-testing-commits] r41553 - data

2016-05-09 Thread Markus Koschany
Author: apo
Date: 2016-05-09 07:51:49 + (Mon, 09 May 2016)
New Revision: 41553

Modified:
   data/dla-needed.txt
Log:
Claim libuser in dla-needed.txt


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 07:50:39 UTC (rev 41552)
+++ data/dla-needed.txt 2016-05-09 07:51:49 UTC (rev 41553)
@@ -45,7 +45,7 @@
 --
 libtasn1-3 (Thorsten Alteholz)
 --
-libuser
+libuser (Markus Koschany)
   NOTE: More information and fixing commit in https://bugs.debian.org/793465
 --
 libxml2




[Secure-testing-commits] r41552 - data

2016-05-09 Thread Markus Koschany
Author: apo
Date: 2016-05-09 07:50:39 + (Mon, 09 May 2016)
New Revision: 41552

Modified:
   data/dla-needed.txt
Log:
Add wpa to dla-needed.txt


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 07:31:38 UTC (rev 41551)
+++ data/dla-needed.txt 2016-05-09 07:50:39 UTC (rev 41552)
@@ -106,5 +106,7 @@
 websvn (carnil)
   carnil> Testpackages: https://people.debian.org/~carnil/tmp/websvn/wheezy/
 --
+wpa
+--
 xymon (Chris Lamb)
 --




[Secure-testing-commits] r41551 - data

2016-05-09 Thread Brian May
Author: bam
Date: 2016-05-09 07:31:38 + (Mon, 09 May 2016)
New Revision: 41551

Modified:
   data/dla-needed.txt
Log:
Update libidn status


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-09 06:56:58 UTC (rev 41550)
+++ data/dla-needed.txt 2016-05-09 07:31:38 UTC (rev 41551)
@@ -35,12 +35,9 @@
 --
 jansson
 --
-libidn
-  Working debdiff for wheezy-security at
-  https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff
-  Work-in-progress debdiff for jessie-security at
-  https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
-  Help is needed to fix it so that it doesn't FTBFS
+libidn (Brian May)
+  Testing is required.
+  https://people.debian.org/~bam/debian/pool/main/libi/libidn/
 --
 librsvg
   NOTE: reproducer http://seclists.org/oss-sec/2016/q2/161
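Review bot: The replacement libidn text drops the per-suite detail the old entry carried (the wheezy-security debdiff at 1.25-2+deb7u1 and the FTBFS on the jessie-security one) and leaves only "Testing is required." plus a pool directory. Stating which version in that directory is the candidate and what kind of testing is wanted would make the request actionable.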

