[Secure-testing-commits] r41935 - data/CVE
Author: carnil Date: 2016-05-22 04:46:25 + (Sun, 22 May 2016) New Revision: 41935 Modified: data/CVE/list Log: Mark remaining libxml2 issues as undetermined for now Modified: data/CVE/list === --- data/CVE/list 2016-05-22 04:46:12 UTC (rev 41934) +++ data/CVE/list 2016-05-22 04:46:25 UTC (rev 41935) @@ -9207,23 +9207,23 @@ CVE-2016-1841 (libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) TODO: check CVE-2016-1840 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - TODO: check + - libxml2 CVE-2016-1839 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - TODO: check + - libxml2 CVE-2016-1838 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - TODO: check + - libxml2 CVE-2016-1837 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - TODO: check + - libxml2 CVE-2016-1836 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - TODO: check + - libxml2 CVE-2016-1835 (libxml2, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, ...) - TODO: check + - libxml2 CVE-2016-1834 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - libxml2 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=8fbbf5513d609c1770b391b99e33314cd0742704 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=763071 CVE-2016-1833 (libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - TODO: check + - libxml2 CVE-2016-1832 (libc in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before ...) TODO: check CVE-2016-1831 (The kernel in Apple iOS before 9.3.2 and OS X before 10.11.5 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
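Review bot: The seven entries changed here (CVE-2016-1833 and CVE-2016-1835 through CVE-2016-1840) now read "- libxml2" with nothing after the package name, which as shown is identical to the package line of CVE-2016-1834, the one entry in this hunk that carries upstream commit and bug references. The log says these are meant to be undetermined, so make sure that state is explicit on each line, and add a short NOTE per entry saying what is still missing (for example the upstream commit or bug), so it is clear what "for now" is waiting on.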
[Secure-testing-commits] r41932 - data/CVE
Author: sectracker Date: 2016-05-21 21:10:12 + (Sat, 21 May 2016) New Revision: 41932 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-05-21 18:08:56 UTC (rev 41931) +++ data/CVE/list 2016-05-21 21:10:12 UTC (rev 41932) @@ -2171,7 +2171,7 @@ [jessie] - wireshark (vulnerable code not present) [wheezy] - wireshark (vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-21.html -NOTE: Upstream lists 1.12.x affected, I have contacted them for clarification + NOTE: Upstream lists 1.12.x affected, I have contacted them for clarification CVE-2016-4077 (epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on ...) - wireshark 2.0.3+geed34f0-1 (low) [jessie] - wireshark (Only affects 2.x) 
@@ -3246,27 +3246,27 @@ CVE-2016-3719 REJECTED CVE-2016-3718 (The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x ...) - {DSA-3580-1} + {DSA-3580-1 DLA-484-1} - imagemagick - graphicsmagick NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3717 (The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 ...) - {DSA-3580-1} + {DSA-3580-1 DLA-484-1} - imagemagick - graphicsmagick NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3716 (The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 ...) - {DSA-3580-1} + {DSA-3580-1 DLA-484-1} - imagemagick - graphicsmagick NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3715 (The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before ...) - {DSA-3580-1} + {DSA-3580-1 DLA-484-1} - imagemagick - graphicsmagick NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3714 (The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, ...) - {DSA-3580-1} + {DSA-3580-1 DLA-484-1} - imagemagick NOTE: Workaround: https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3 NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4=29588 @@ -7357,11 +7357,13 @@ NOT-FOR-US: Huawei CVE-2016-2318 RESERVED + {DLA-484-1} - graphicsmagick (bug #814732) NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/e797bb0aec31 TODO: check other versions (newest 1.3.23 is vulnerable according to reporter) CVE-2016-2317 RESERVED + {DLA-484-1} - graphicsmagick (bug #814732) NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/98394eb235a6 NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52b59d2ef4a1 
@@ -7615,6 +7617,7 @@ NOTE: According to upstream fixed in 6.2.0, but not details available CVE-2015-8808 [out-of-bound read in the parsing of gif files] RESERVED + {DLA-484-1} - graphicsmagick 1.3.21-2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/06/1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e8fa353f53
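Review bot: In the "@@ -3246,27 +3246,27 @@" hunk, CVE-2016-3714 gains DLA-484-1, but the visible context for that entry has only "- imagemagick" before its NOTE lines, whereas CVE-2016-3715 through CVE-2016-3718 each list "- graphicsmagick" as well. r41931 reserves DLA-484-1 for graphicsmagick, so check that the CVE-2016-3714 entry has a graphicsmagick package line; without one the cross-reference points at a package the entry does not track.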
[Secure-testing-commits] r41931 - in data: . DLA
Author: apo Date: 2016-05-21 18:08:56 + (Sat, 21 May 2016) New Revision: 41931 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-484-1 for graphicsmagick Modified: data/DLA/list === --- data/DLA/list 2016-05-21 16:35:00 UTC (rev 41930) +++ data/DLA/list 2016-05-21 18:08:56 UTC (rev 41931) @@ -1,3 +1,6 @@ +[21 May 2016] DLA-484-1 graphicsmagick - security update + {CVE-2015-8808 CVE-2016-2317 CVE-2016-2318 CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 CVE-2016-3718} + [wheezy] - graphicsmagick 1.3.16-1.1+deb7u1 [19 May 2016] DLA-483-1 expat - security update {CVE-2016-0718} [wheezy] - expat 2.1.0-1+deb7u3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-21 16:35:00 UTC (rev 41930) +++ data/dla-needed.txt 2016-05-21 18:08:56 UTC (rev 41931) @@ -31,8 +31,6 @@ NOTE: .debdiff sent to the Security Team, waiting for feedback NOTE: asked about jessie status (seb) -- -graphicsmagick (Markus Koschany) --- icu (Roberto C. Sánchez) NOTE: check comments on CVE-2016-0494 as well --
[Secure-testing-commits] r41930 - data/CVE
Author: apo Date: 2016-05-21 16:35:00 + (Sat, 21 May 2016) New Revision: 41930 Modified: data/CVE/list Log: CVE-2016-2318: Add link to patch Modified: data/CVE/list === --- data/CVE/list 2016-05-21 16:32:55 UTC (rev 41929) +++ data/CVE/list 2016-05-21 16:35:00 UTC (rev 41930) @@ -7358,6 +7358,7 @@ CVE-2016-2318 RESERVED - graphicsmagick (bug #814732) + NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/e797bb0aec31 TODO: check other versions (newest 1.3.23 is vulnerable according to reporter) CVE-2016-2317 RESERVED
[Secure-testing-commits] r41929 - data/CVE
Author: apo Date: 2016-05-21 16:32:55 + (Sat, 21 May 2016) New Revision: 41929 Modified: data/CVE/list Log: CVE-2016-2317: Add more links to patches. Modified: data/CVE/list === --- data/CVE/list 2016-05-21 14:22:04 UTC (rev 41928) +++ data/CVE/list 2016-05-21 16:32:55 UTC (rev 41929) @@ -7363,6 +7363,8 @@ RESERVED - graphicsmagick (bug #814732) NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/98394eb235a6 + NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52b59d2ef4a1 + NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ed8318ba6a TODO: check other versions (newest 1.3.23 is vulnerable according to reporter) CVE-2016-2311 RESERVED
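Review bot: The two added "NOTE: FIX" lines bring CVE-2016-2317 to three upstream changesets with nothing saying what each one addresses or whether all three are required. A few words after each URL on what the changeset covers would let a backporter tell whether a given version has the complete fix, which matters here because the "TODO: check other versions" line is still open.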
[Secure-testing-commits] r41928 - data/CVE
Author: carnil Date: 2016-05-21 14:22:04 + (Sat, 21 May 2016) New Revision: 41928 Modified: data/CVE/list Log: Update information for CVE-2016-4951 Modified: data/CVE/list === --- data/CVE/list 2016-05-21 14:21:52 UTC (rev 41927) +++ data/CVE/list 2016-05-21 14:22:04 UTC (rev 41928) @@ -1,5 +1,7 @@ CVE-2016-4951 [Null pointer dereference in tipc_nl_publ_dump] - linux + [jessie] - linux (Introduced in 3.19) + [wheezy] - linux (Introduced in 3.19) NOTE: http://lists.openwall.net/netdev/2016/05/14/28 NOTE: Fixed by: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c NOTE: Introduced by: https://git.kernel.org/linus/1a1a143daf84db95dd7212086042004a3abb7bc2 (v3.19-rc1)
[Secure-testing-commits] r41927 - data/CVE
Author: carnil Date: 2016-05-21 14:21:52 + (Sat, 21 May 2016) New Revision: 41927 Modified: data/CVE/list Log: Update information for CVE-2016-4951 Modified: data/CVE/list === --- data/CVE/list 2016-05-21 14:12:57 UTC (rev 41926) +++ data/CVE/list 2016-05-21 14:21:52 UTC (rev 41927) @@ -1,7 +1,8 @@ CVE-2016-4951 [Null pointer dereference in tipc_nl_publ_dump] - linux NOTE: http://lists.openwall.net/netdev/2016/05/14/28 - NOTE: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c + NOTE: Fixed by: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c + NOTE: Introduced by: https://git.kernel.org/linus/1a1a143daf84db95dd7212086042004a3abb7bc2 (v3.19-rc1) CVE-2016-4944 RESERVED CVE-2016-4943
[Secure-testing-commits] r41926 - data/CVE
Author: carnil Date: 2016-05-21 14:12:57 + (Sat, 21 May 2016) New Revision: 41926 Modified: data/CVE/list Log: Add CVE-2016-4951/linux Modified: data/CVE/list === --- data/CVE/list 2016-05-21 11:50:55 UTC (rev 41925) +++ data/CVE/list 2016-05-21 14:12:57 UTC (rev 41926) @@ -1,3 +1,7 @@ +CVE-2016-4951 [Null pointer dereference in tipc_nl_publ_dump] + - linux + NOTE: http://lists.openwall.net/netdev/2016/05/14/28 + NOTE: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c CVE-2016-4944 RESERVED CVE-2016-4943
[Secure-testing-commits] r41925 - data/CVE
Author: rbalint Date: 2016-05-21 11:50:55 + (Sat, 21 May 2016) New Revision: 41925 Modified: data/CVE/list Log: CVE-2016-4078 of wireshark does not affect jessie Modified: data/CVE/list === --- data/CVE/list 2016-05-21 07:07:17 UTC (rev 41924) +++ data/CVE/list 2016-05-21 11:50:55 UTC (rev 41925) @@ -2161,7 +2161,10 @@ NOTE: https://www.wireshark.org/security/wnpa-sec-2016-22.html CVE-2016-4078 (The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x ...) - wireshark 2.0.3+geed34f0-1 (low) + [jessie] - wireshark (vulnerable code not present) + [wheezy] - wireshark (vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-21.html +NOTE: Upstream lists 1.12.x affected, I have contacted them for clarification CVE-2016-4077 (epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on ...) - wireshark 2.0.3+geed34f0-1 (low) [jessie] - wireshark (Only affects 2.x)
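Review bot: The last added line, "+NOTE: Upstream lists 1.12.x affected, ...", starts in column 0, while the two suite lines added above it are indented like the rest of the entry; indent it to match so it stays attached to CVE-2016-4078. The log message also names only jessie although the hunk marks wheezy as "vulnerable code not present" too, and with upstream listing 1.12.x as affected both suite lines should be revisited once upstream replies.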
[Secure-testing-commits] r41923 - data/CVE
Author: carnil Date: 2016-05-21 07:07:08 + (Sat, 21 May 2016) New Revision: 41923 Modified: data/CVE/list Log: Mark CVE-2015-8158 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-05-21 05:39:51 UTC (rev 41922) +++ data/CVE/list 2016-05-21 07:07:08 UTC (rev 41923) @@ -15905,10 +15905,10 @@ CVE-2015-8158 [Potential Infinite Loop in ntpq] RESERVED - ntp 1:4.2.8p7+dfsg-1 + [jessie] - ntp (Minor issue) [wheezy] - ntp (minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2948 - TODO: check CVE-2015-8157 RESERVED CVE-2015-8156 (Unquoted Windows search path vulnerability in EEDService in Symantec ...)
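Review bot: The added "[jessie] - ntp (Minor issue)" line capitalises its reason differently from the existing "[wheezy] - ntp (minor issue)" line directly below it; use the same wording on both so the two suites read and search the same way. Since this change also drops "TODO: check", the parenthetical is the only recorded rationale, so it would help to say why the issue is minor (the entry title puts the loop in ntpq).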
[Secure-testing-commits] r41924 - data/CVE
Author: carnil Date: 2016-05-21 07:07:17 + (Sat, 21 May 2016) New Revision: 41924 Modified: data/CVE/list Log: Mark some NFUs Modified: data/CVE/list === --- data/CVE/list 2016-05-21 07:07:08 UTC (rev 41923) +++ data/CVE/list 2016-05-21 07:07:17 UTC (rev 41924) @@ -15912,15 +15912,15 @@ CVE-2015-8157 RESERVED CVE-2015-8156 (Unquoted Windows search path vulnerability in EEDService in Symantec ...) - TODO: check + NOT-FOR-US: Symantec CVE-2015-8155 RESERVED CVE-2015-8154 (The SysPlant.sys driver in the Application and Device Control (ADC) ...) - TODO: check + NOT-FOR-US: Symantec CVE-2015-8153 (SQL injection vulnerability in Symantec Endpoint Protection Manager ...) - TODO: check + NOT-FOR-US: Symantec CVE-2015-8152 (Cross-site request forgery (CSRF) vulnerability in Symantec Endpoint ...) - TODO: check + NOT-FOR-US: Symantec CVE-2015-8151 (Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows ...) NOT-FOR-US: Symantec CVE-2015-8150 (Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows ...)