[Secure-testing-commits] r42716 - data/CVE
Author: carnil Date: 2016-06-23 04:53:16 + (Thu, 23 Jun 2016) New Revision: 42716 Modified: data/CVE/list Log: Add fixed version for CVE-2016-5325 Modified: data/CVE/list === --- data/CVE/list 2016-06-23 04:46:50 UTC (rev 42715) +++ data/CVE/list 2016-06-23 04:53:16 UTC (rev 42716) @@ -887,7 +887,7 @@ RESERVED CVE-2016-5325 RESERVED - - nodejs (unimportant) + - nodejs 4.4.5~dfsg-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ CVE-2016-5359 [wnpa-sec-2016-38] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42714 - data/CVE
Author: carnil Date: 2016-06-23 04:41:17 + (Thu, 23 Jun 2016) New Revision: 42714 Modified: data/CVE/list Log: Add three new libarchive issues Modified: data/CVE/list === --- data/CVE/list 2016-06-23 04:32:22 UTC (rev 42713) +++ data/CVE/list 2016-06-23 04:41:17 UTC (rev 42714) @@ -4365,12 +4365,21 @@ NOTE: https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc NOTE: https://github.com/esnet/iperf/commit/f01a9ca8f7e878e438a53687dabe30b7f7222912 (3.1.x) NOTE: http://www.talosintel.com/reports/TALOS-2016-0164/ -CVE-2016-4302 +CVE-2016-4302 [Libarchive Rar RestartModel Heap Overflow] RESERVED -CVE-2016-4301 + - libarchive + NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html + NOTE: http://www.talosintel.com/reports/TALOS-2016-0154/ +CVE-2016-4301 [mtree parse_device Stack Based Buffer Overflow] RESERVED -CVE-2016-4300 + - libarchive + NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html + NOTE: http://www.talosintel.com/reports/TALOS-2016-0153/ +CVE-2016-4300 [7-Zip read_SubStreamsInfo Integer Overflow] RESERVED + - libarchive + NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html + NOTE: http://www.talosintel.com/reports/TALOS-2016-0152/ CVE-2016-4299 RESERVED CVE-2016-4298 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
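Review bot: None of the three new libarchive entries (CVE-2016-4302, CVE-2016-4301, CVE-2016-4300) records a Debian bug number, a fixed version or a TODO line, so the tracker will list them as open against unstable with nothing pointing at follow-up work beyond the Talos report URLs. Since libarchive is already claimed in dla-needed.txt (see r42699 on this page), consider adding a `(bug #...)` reference once filed, or at minimum `TODO: check` under each entry, so whoever prepares the update can find the state of play from the list itself.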
[Secure-testing-commits] r42717 - data/CVE
Author: carnil Date: 2016-06-23 04:56:16 + (Thu, 23 Jun 2016) New Revision: 42717 Modified: data/CVE/list Log: Remove one TODO item Modified: data/CVE/list === --- data/CVE/list 2016-06-23 04:53:16 UTC (rev 42716) +++ data/CVE/list 2016-06-23 04:56:16 UTC (rev 42717) @@ -4060,7 +4060,6 @@ {DLA-520-1} - horizon NOTE: https://bugs.launchpad.net/bugs/1567673 - TODO: check CVE-2016-4427 RESERVED CVE-2016-4426 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
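Review bot: Dropping `TODO: check` from the horizon entry leaves no record of what was checked; the remaining context still shows `- horizon` with no fixed version next to `{DLA-520-1}`, so a reader cannot tell whether unstable is fixed, unaffected or still pending. Record the outcome in a NOTE line, or add the fixed version, rather than only removing the TODO.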
[Secure-testing-commits] r42715 - data/CVE
Author: carnil Date: 2016-06-23 04:46:50 + (Thu, 23 Jun 2016) New Revision: 42715 Modified: data/CVE/list Log: iperf3 fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2016-06-23 04:41:17 UTC (rev 42714) +++ data/CVE/list 2016-06-23 04:46:50 UTC (rev 42715) @@ -4361,7 +4361,7 @@ RESERVED CVE-2016-4303 [JSON parsing vulnerability] RESERVED - - iperf3 (bug #827116) + - iperf3 3.1.3-1 (bug #827116) NOTE: https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc NOTE: https://github.com/esnet/iperf/commit/f01a9ca8f7e878e438a53687dabe30b7f7222912 (3.1.x) NOTE: http://www.talosintel.com/reports/TALOS-2016-0164/ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42713 - data/CVE
Author: carnil Date: 2016-06-23 04:32:22 + (Thu, 23 Jun 2016) New Revision: 42713 Modified: data/CVE/list Log: CVE-2016-5742/movabletype-opensource assigned Modified: data/CVE/list === --- data/CVE/list 2016-06-23 04:27:53 UTC (rev 42712) +++ data/CVE/list 2016-06-23 04:32:22 UTC (rev 42713) @@ -20,10 +20,10 @@ RESERVED CVE-2016-5730 RESERVED -CVE-2016- [SQL injection in MovableType xml-rpc interface] +CVE-2016-5742 [SQL injection in MovableType xml-rpc interface] - movabletype-opensource NOTE: https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/06/22/3 + NOTE: http://www.openwall.com/lists/oss-security/2016/06/22/3 CVE-2016-5737 RESERVED NOT-FOR-US: Openstack-infra puppet-gerrit module ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
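Review bot: The renamed entry `CVE-2016-5742` now sits directly below `CVE-2016-5730`, so the descending CVE order at the top of the file is broken by this hunk; the block should move above `CVE-2016-5741` (inserted by the automatic update in r42704). Separately, the movabletype-opensource line still has neither a fixed version nor a bug reference, even though the linked release note names 6.2.6 and 6.1.3 as the upstream releases, so a `(bug #...)` or `TODO: check` would make the open state explicit.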
[Secure-testing-commits] r42712 - data
Author: carnil Date: 2016-06-23 04:27:53 + (Thu, 23 Jun 2016) New Revision: 42712 Modified: data/dsa-needed.txt Log: Add tomcat7 to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-23 04:27:37 UTC (rev 42711) +++ data/dsa-needed.txt 2016-06-23 04:27:53 UTC (rev 42712) @@ -52,6 +52,8 @@ squid3 Santiago proposed a debdiff. -- +tomcat7 +-- tomcat8 (Markus Koschany) Emmanuel Bourg has send debdiff for review -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
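Review bot: The new `tomcat7` entry in dsa-needed.txt carries no status note, unlike the neighbouring `tomcat8` entry; the tracker data elsewhere on this page (r42689, r42700) shows CVE-2016-3092 fixed in unstable in 7.0.70-1 with the upstream fix at https://svn.apache.org/r1743480, so a one-line note naming the CVE and that reference would save the next person a lookup.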
[Secure-testing-commits] r42711 - data
Author: carnil Date: 2016-06-23 04:27:37 + (Thu, 23 Jun 2016) New Revision: 42711 Modified: data/dsa-needed.txt Log: Add note for tomcat8 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-22 22:41:34 UTC (rev 42710) +++ data/dsa-needed.txt 2016-06-23 04:27:37 UTC (rev 42711) @@ -53,4 +53,5 @@ Santiago proposed a debdiff. -- tomcat8 (Markus Koschany) + Emmanuel Bourg has send debdiff for review -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
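Review bot: Grammar in the added line: `Emmanuel Bourg has send debdiff for review` should read `Emmanuel Bourg has sent a debdiff for review`. Minor, but these status notes are what other team members read when picking up a package.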
[Secure-testing-commits] r42710 - data/CVE
Author: apo Date: 2016-06-22 22:41:34 + (Wed, 22 Jun 2016) New Revision: 42710 Modified: data/CVE/list Log: CVE-2016-2226: Mark vulnerability as no-dsa for Wheezy Modified: data/CVE/list === --- data/CVE/list 2016-06-22 22:37:51 UTC (rev 42709) +++ data/CVE/list 2016-06-22 22:41:34 UTC (rev 42710) @@ -10373,22 +10373,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision=234829 CVE-2015-8811 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
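Review bot: The nine added `[wheezy]` lines copy the `[jessie]` wording verbatim (`Minor issue`) for valgrind, ht, binutils, binutils-h8300-hms, gcc-h8300-hms, gdb, libiberty, nescc and sdcc, and the identical block is repeated in r42709 through r42702 for CVE-2016-4487 to CVE-2016-4493. Before marking all nine no-dsa for wheezy it is worth confirming in the log message that each of these packages actually ships in wheezy and embeds the affected code, since the note as written gives no reason beyond the jessie one; a single commit with a short justification would also be easier to audit than nine copies.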
[Secure-testing-commits] r42709 - data/CVE
Author: apo Date: 2016-06-22 22:37:51 + (Wed, 22 Jun 2016) New Revision: 42709 Modified: data/CVE/list Log: CVE-2016-4487: Mark vulnerability as no-dsa for Wheezy. Modified: data/CVE/list === --- data/CVE/list 2016-06-22 22:32:29 UTC (rev 42708) +++ data/CVE/list 2016-06-22 22:37:51 UTC (rev 42709) @@ -3769,22 +3769,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html CVE-2016-4539 (The xml_parse_into_struct function in ext/xml/xml.c in PHP before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42708 - data/CVE
Author: apo Date: 2016-06-22 22:32:29 + (Wed, 22 Jun 2016) New Revision: 42708 Modified: data/CVE/list Log: CVE-2016-4488: Mark vulnerability as no-dsa for Wheezy Modified: data/CVE/list === --- data/CVE/list 2016-06-22 22:30:16 UTC (rev 42707) +++ data/CVE/list 2016-06-22 22:32:29 UTC (rev 42708) @@ -3738,22 +3738,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html CVE-2016-4487 [Invalid write due to a use-after-free to array btypevec] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42707 - data/CVE
Author: apo Date: 2016-06-22 22:30:16 + (Wed, 22 Jun 2016) New Revision: 42707 Modified: data/CVE/list Log: CVE-2016-4489: Mark vulnerability as no-dsa for Wheezy Modified: data/CVE/list === --- data/CVE/list 2016-06-22 22:28:15 UTC (rev 42706) +++ data/CVE/list 2016-06-22 22:30:16 UTC (rev 42707) @@ -3707,22 +3707,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision=234828 CVE-2016-4488 [Invalid write due to a use-after-free to array ktypevec] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42706 - data/CVE
Author: apo Date: 2016-06-22 22:28:15 + (Wed, 22 Jun 2016) New Revision: 42706 Modified: data/CVE/list Log: CVE-2016-4490: Mark vulnerability as no-dsa for Wheezy Modified: data/CVE/list === --- data/CVE/list 2016-06-22 22:25:58 UTC (rev 42705) +++ data/CVE/list 2016-06-22 22:28:15 UTC (rev 42706) @@ -3676,22 +3676,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision=235767 CVE-2016-4489 [Invalid write due to integer overflow] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42705 - data/CVE
Author: apo Date: 2016-06-22 22:25:58 + (Wed, 22 Jun 2016) New Revision: 42705 Modified: data/CVE/list Log: CVE-2016-4491: Mark vulnerability as no-dsa for Wheezy Modified: data/CVE/list === --- data/CVE/list 2016-06-22 21:10:11 UTC (rev 42704) +++ data/CVE/list 2016-06-22 22:25:58 UTC (rev 42705) @@ -3645,22 +3645,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html CVE-2016-4490 [Write access violation] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42704 - data/CVE
Author: sectracker Date: 2016-06-22 21:10:11 + (Wed, 22 Jun 2016) New Revision: 42704 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-06-22 20:03:27 UTC (rev 42703) +++ data/CVE/list 2016-06-22 21:10:11 UTC (rev 42704) @@ -1,3 +1,25 @@ +CVE-2016-5741 + RESERVED +CVE-2016-5740 + RESERVED +CVE-2016-5739 + RESERVED +CVE-2016-5738 + RESERVED +CVE-2016-5736 + RESERVED +CVE-2016-5735 + RESERVED +CVE-2016-5734 + RESERVED +CVE-2016-5733 + RESERVED +CVE-2016-5732 + RESERVED +CVE-2016-5731 + RESERVED +CVE-2016-5730 + RESERVED CVE-2016- [SQL injection in MovableType xml-rpc interface] - movabletype-opensource NOTE: https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html @@ -3,4 +25,5 @@ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/06/22/3 CVE-2016-5737 + RESERVED NOT-FOR-US: Openstack-infra puppet-gerrit module CVE-2016-5729 @@ -9,6 +32,8 @@ CVE-2016-5728 RESERVED CVE-2015-8936 [squidguard reflected XSS] + RESERVED + {DLA-524-1} - squidguard 1.5-5 NOTE: Fix applied: 16_XSS-security-bugfix.patch in 1.5-5 NOTE: http://www.openwall.com/lists/oss-security/2016/06/20/2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
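Review bot: In the first hunk the automatic update inserts `CVE-2016-5730` through `CVE-2016-5741` above the hand-added `CVE-2016-` MovableType entry, while `CVE-2016-5737` (added by hand in r42693) stays below that entry, so the top of the list is no longer in descending order: 5737 now sits under 5730. Re-sort 5737 into its place, and once the MovableType placeholder receives its number (r42713 assigns CVE-2016-5742), move that entry above 5741 as well so the next automatic update does not bury it further.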
[Secure-testing-commits] r42703 - data/CVE
Author: apo Date: 2016-06-22 20:03:27 + (Wed, 22 Jun 2016) New Revision: 42703 Modified: data/CVE/list Log: CVE-2016-4492: Mark vulnerability in Wheezy as no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-06-22 19:37:58 UTC (rev 42702) +++ data/CVE/list 2016-06-22 20:03:27 UTC (rev 42703) @@ -3589,22 +3589,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html CVE-2016-4491 [Stack overflow due to infinite recursion in d_print_comp] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42702 - data/CVE
Author: apo Date: 2016-06-22 19:37:58 + (Wed, 22 Jun 2016) New Revision: 42702 Modified: data/CVE/list Log: CVE-2016-4493: Mark vulnerability as no-dsa for Wheezy Modified: data/CVE/list === --- data/CVE/list 2016-06-22 19:03:24 UTC (rev 42701) +++ data/CVE/list 2016-06-22 19:37:58 UTC (rev 42702) @@ -3558,22 +3558,31 @@ RESERVED - valgrind (low) [jessie] - valgrind (Minor issue) + [wheezy] - valgrind (Minor issue) - ht (low) [jessie] - ht (Minor issue) + [wheezy] - ht (Minor issue) - binutils (low) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) - binutils-h8300-hms (low) [jessie] - binutils-h8300-hms (Minor issue) + [wheezy] - binutils-h8300-hms (Minor issue) - gcc-h8300-hms (low) [jessie] - gcc-h8300-hms (Minor issue) + [wheezy] - gcc-h8300-hms (Minor issue) - gdb (low) [jessie] - gdb (Minor issue) + [wheezy] - gdb (Minor issue) - libiberty (low) [jessie] - libiberty (Minor issue) + [wheezy] - libiberty (Minor issue) - nescc (low) [jessie] - nescc (Minor issue) + [wheezy] - nescc (Minor issue) - sdcc (low) [jessie] - sdcc (Minor issue) + [wheezy] - sdcc (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html CVE-2016-4492 [Write access violations] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42701 - data/CVE
Author: apo Date: 2016-06-22 19:03:24 + (Wed, 22 Jun 2016) New Revision: 42701 Modified: data/CVE/list Log: CVE-2016-1621: libvpx in Wheezy is not affected vulnerable code is not present because webm module not yet included Modified: data/CVE/list === --- data/CVE/list 2016-06-22 18:49:59 UTC (rev 42700) +++ data/CVE/list 2016-06-22 19:03:24 UTC (rev 42701) @@ -12683,6 +12683,7 @@ CVE-2016-1621 (libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 ...) - libvpx [jessie] - libvpx (Vulnerable code not present, libwebm not yet included) + [wheezy] - libvpx (Vulnerable code not present, libwebm not yet included) NOTE: https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1 CVE-2016-1620 (Multiple unspecified vulnerabilities in Google Chrome before ...) {DSA-3456-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42700 - data/CVE
Author: apo Date: 2016-06-22 18:49:59 + (Wed, 22 Jun 2016) New Revision: 42700 Modified: data/CVE/list Log: CVE-2016-3092: Add links to fix and upstream advisory Modified: data/CVE/list === --- data/CVE/list 2016-06-22 18:48:00 UTC (rev 42699) +++ data/CVE/list 2016-06-22 18:49:59 UTC (rev 42700) @@ -7382,6 +7382,8 @@ - tomcat7 7.0.70-1 - tomcat8 8.0.36-1 - tomcat9 (bug #802312) + NOTE: Fixed by https://svn.apache.org/r1743480 + NOTE: Upstream advisory http://markmail.org/message/oyxfv73jb2g7rjg3 CVE-2016-3091 RESERVED CVE-2016-3090 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42699 - data
Author: apo Date: 2016-06-22 18:48:00 + (Wed, 22 Jun 2016) New Revision: 42699 Modified: data/dla-needed.txt Log: Add libcommons-fileupload-java, tomcat6 and tomcat7 to dla-needed.txt and claim them. All three are affected by CVE-2016-3092, DoS through exhausting CPU resources Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-22 17:42:19 UTC (rev 42698) +++ data/dla-needed.txt 2016-06-22 18:48:00 UTC (rev 42699) @@ -35,6 +35,8 @@ -- libarchive (Markus Koschany) -- +libcommons-fileupload-java (Markus Koschany) +-- libjackson-json-java -- libspring-java @@ -93,6 +95,10 @@ -- tiff3 -- +tomcat6 (Markus Koschany) +-- +tomcat7 (Markus Koschany) +-- wget (Thorsten Alteholz) -- wireshark (Balint Reczey) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42698 - data/CVE
Author: jmm Date: 2016-06-22 17:42:19 + (Wed, 22 Jun 2016) New Revision: 42698 Modified: data/CVE/list Log: libvpx n/a in jessie, thanks nicholasL Modified: data/CVE/list === --- data/CVE/list 2016-06-22 16:57:37 UTC (rev 42697) +++ data/CVE/list 2016-06-22 17:42:19 UTC (rev 42698) @@ -12679,9 +12679,9 @@ [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1621 (libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 ...) - - libvpx + - libvpx + [jessie] - libvpx (Vulnerable code not present, libwebm not yet included) NOTE: https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1 - TODO: check CVE-2016-1620 (Multiple unspecified vulnerabilities in Google Chrome before ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42697 - data/CVE
Author: jmm Date: 2016-06-22 16:57:37 + (Wed, 22 Jun 2016) New Revision: 42697 Modified: data/CVE/list Log: kinit fixed Modified: data/CVE/list === --- data/CVE/list 2016-06-22 15:53:47 UTC (rev 42696) +++ data/CVE/list 2016-06-22 16:57:37 UTC (rev 42697) @@ -7346,12 +7346,11 @@ - jenkins CVE-2016-3100 RESERVED - - kinit (bug #827476) + - kinit 5.23.0-1 (bug #827476) NOTE: https://bugs.kde.org/show_bug.cgi?id=358593 NOTE: https://bugs.kde.org/show_bug.cgi?id=363140 NOTE: https://quickgit.kde.org/?p=kinit.git=commitdiff=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd NOTE: https://quickgit.kde.org/?p=kinit.git=commitdiff=72f3702dbe6cf15c06dc13da2c99c864e9022a58 - TODO: check CVE-2016-3099 [Invalid handling of +CIPHER operator] RESERVED - libapache2-mod-nss (bug #822461) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42696 - data/CVE
Author: jmm Date: 2016-06-22 15:53:47 + (Wed, 22 Jun 2016) New Revision: 42696 Modified: data/CVE/list Log: mark groovy as fixed, thanks nicholasL Modified: data/CVE/list === --- data/CVE/list 2016-06-22 15:19:09 UTC (rev 42695) +++ data/CVE/list 2016-06-22 15:53:47 UTC (rev 42696) @@ -32814,7 +32814,7 @@ RESERVED CVE-2015-3253 (The MethodClosure class in runtime/MethodClosure.java in Apache Groovy ...) {DLA-274-1} - - groovy (bug #793397) + - groovy 2.4.6-1 (bug #793397) [jessie] - groovy 1.8.6-4+deb8u1 [wheezy] - groovy 1.8.6-1+deb7u1 - groovy2 2.2.2+dfsg-5 (bug #793398) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42695 - data/CVE
Author: carnil Date: 2016-06-22 15:19:09 + (Wed, 22 Jun 2016) New Revision: 42695 Modified: data/CVE/list Log: Add new issue in movabletype-opensource Modified: data/CVE/list === --- data/CVE/list 2016-06-22 15:03:42 UTC (rev 42694) +++ data/CVE/list 2016-06-22 15:19:09 UTC (rev 42695) @@ -1,3 +1,7 @@ +CVE-2016- [SQL injection in MovableType xml-rpc interface] + - movabletype-opensource + NOTE: https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/06/22/3 CVE-2016-5737 NOT-FOR-US: Openstack-infra puppet-gerrit module CVE-2016-5729 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42694 - in data: . DLA
Author: lamby Date: 2016-06-22 15:03:42 + (Wed, 22 Jun 2016) New Revision: 42694 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-524-1 for squidguard Modified: data/DLA/list === --- data/DLA/list 2016-06-22 15:00:19 UTC (rev 42693) +++ data/DLA/list 2016-06-22 15:03:42 UTC (rev 42694) @@ -1,3 +1,6 @@ +[22 Jun 2016] DLA-524-1 squidguard - security update + {CVE-2015-8936} + [wheezy] - squidguard 1.5-1+deb7u1 [22 Jun 2016] DLA-523-1 enigmail - security update [wheezy] - enigmail 1.8.2-4~deb7u2 [21 Jun 2016] DLA-522-1 python2.7 - security update Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-22 15:00:19 UTC (rev 42693) +++ data/dla-needed.txt 2016-06-22 15:03:42 UTC (rev 42694) @@ -83,8 +83,6 @@ -- squid (Santiago R.R.) -- -squidguard (Chris Lamb) --- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42693 - data/CVE
Author: carnil Date: 2016-06-22 15:00:19 + (Wed, 22 Jun 2016) New Revision: 42693 Modified: data/CVE/list Log: Add CVE-2016-5737 Modified: data/CVE/list === --- data/CVE/list 2016-06-22 14:55:24 UTC (rev 42692) +++ data/CVE/list 2016-06-22 15:00:19 UTC (rev 42693) @@ -1,3 +1,5 @@ +CVE-2016-5737 + NOT-FOR-US: Openstack-infra puppet-gerrit module CVE-2016-5729 RESERVED CVE-2016-5728 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42691 - data
Author: lamby Date: 2016-06-22 14:55:22 + (Wed, 22 Jun 2016) New Revision: 42691 Modified: data/dla-needed.txt Log: Triage squidguard for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-22 14:25:39 UTC (rev 42690) +++ data/dla-needed.txt 2016-06-22 14:55:22 UTC (rev 42691) @@ -83,6 +83,8 @@ -- squid (Santiago R.R.) -- +squidguard +-- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42692 - data
Author: lamby Date: 2016-06-22 14:55:24 + (Wed, 22 Jun 2016) New Revision: 42692 Modified: data/dla-needed.txt Log: Claim squidguard in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-22 14:55:22 UTC (rev 42691) +++ data/dla-needed.txt 2016-06-22 14:55:24 UTC (rev 42692) @@ -83,7 +83,7 @@ -- squid (Santiago R.R.) -- -squidguard +squidguard (Chris Lamb) -- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42690 - data/CVE
Author: santiago Date: 2016-06-22 14:25:39 + (Wed, 22 Jun 2016) New Revision: 42690 Modified: data/CVE/list Log: CVE-2016-3948/squid no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-06-22 10:59:36 UTC (rev 42689) +++ data/CVE/list 2016-06-22 14:25:39 UTC (rev 42690) @@ -5386,6 +5386,7 @@ [jessie] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) [wheezy] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) - squid + [wheezy] - squid (Minor issue; needs substantial backporting; too intrusive to backport) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_4.txt CVE-2016-3947 (Heap-based buffer overflow in the Icmp6::Recv function in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42689 - data/CVE
Author: carnil Date: 2016-06-22 10:59:36 + (Wed, 22 Jun 2016) New Revision: 42689 Modified: data/CVE/list Log: Inverse sorting Modified: data/CVE/list === --- data/CVE/list 2016-06-22 10:46:11 UTC (rev 42688) +++ data/CVE/list 2016-06-22 10:59:36 UTC (rev 42689) @@ -7372,10 +7372,10 @@ CVE-2016-3092 RESERVED - libcommons-fileupload-java 1.3.2-1 + - tomcat6 + - tomcat7 7.0.70-1 + - tomcat8 8.0.36-1 - tomcat9 (bug #802312) - - tomcat8 8.0.36-1 - - tomcat7 7.0.70-1 - - tomcat6 CVE-2016-3091 RESERVED CVE-2016-3090 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42688 - data
Author: carnil Date: 2016-06-22 10:46:11 + (Wed, 22 Jun 2016) New Revision: 42688 Modified: data/dsa-needed.txt Log: Add libcommons-fileupload-java Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-22 10:45:38 UTC (rev 42687) +++ data/dsa-needed.txt 2016-06-22 10:46:11 UTC (rev 42688) @@ -20,6 +20,9 @@ -- icu -- +libcommons-fileupload-java + Maintainer is preparing update +-- libpdfbox-java Maintainer proposed debdiff, but first wait a bit for the upload in unstable to be tested/exposed for possible regressions. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42687 - data/CVE
Author: carnil Date: 2016-06-22 10:45:38 + (Wed, 22 Jun 2016) New Revision: 42687 Modified: data/CVE/list Log: Add CVE-2016-3092 Modified: data/CVE/list === --- data/CVE/list 2016-06-22 10:29:18 UTC (rev 42686) +++ data/CVE/list 2016-06-22 10:45:38 UTC (rev 42687) @@ -7371,6 +7371,11 @@ NOTE: https://struts.apache.org/docs/s2-034.html CVE-2016-3092 RESERVED + - libcommons-fileupload-java 1.3.2-1 + - tomcat9 (bug #802312) + - tomcat8 8.0.36-1 + - tomcat7 7.0.70-1 + - tomcat6 CVE-2016-3091 RESERVED CVE-2016-3090 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
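Review bot: The new CVE-2016-3092 entry has no bracketed title, and `tomcat6` is listed without a fixed version or bug reference, so the block reads as RESERVED with four bare package lines. Since r42699 on this page describes the issue as `DoS through exhausting CPU resources`, adding that as a short title and a `(bug #...)` or `TODO: check` on the tomcat6 line would make the entry self-explanatory; the package lines here are also in descending order (tomcat9, 8, 7, 6), which r42689 later reverses, so sorting them ascending in the first place avoids the follow-up commit.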
[Secure-testing-commits] r42686 - data/CVE
Author: carnil Date: 2016-06-22 10:29:18 + (Wed, 22 Jun 2016) New Revision: 42686 Modified: data/CVE/list Log: ironic fixed with unstable upload, #827886 Modified: data/CVE/list === --- data/CVE/list 2016-06-22 09:10:15 UTC (rev 42685) +++ data/CVE/list 2016-06-22 10:29:18 UTC (rev 42686) @@ -2124,7 +2124,7 @@ NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20 CVE-2016-4985 [Ironic node information including credentials exposed to unathenticated users] RESERVED - - ironic (bug #827886) + - ironic 1:5.1.2-1 (bug #827886) NOTE: Affects >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1 CVE-2016-4984 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42685 - data/CVE
Author: sectracker Date: 2016-06-22 09:10:15 + (Wed, 22 Jun 2016) New Revision: 42685 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-06-22 07:41:46 UTC (rev 42684) +++ data/CVE/list 2016-06-22 09:10:15 UTC (rev 42685) @@ -1,3 +1,7 @@ +CVE-2016-5729 + RESERVED +CVE-2016-5728 + RESERVED CVE-2015-8936 [squidguard reflected XSS] - squidguard 1.5-5 NOTE: Fix applied: 16_XSS-security-bugfix.patch in 1.5-5 @@ -200,6 +204,7 @@ TODO: check, referenced fix does not seem the one fixing the issue CVE-2016-5699 RESERVED + {DLA-522-1} - python3.5 (Fixed with initial upload to Debian) - python3.4 3.4.4~rc1-1 - python2.7 2.7.10~rc1-1 @@ -615,6 +620,7 @@ NOTE: workaround for DSA-3604-1 CVE-2016-5636 [heap overflow in Python zipimport module] RESERVED + {DLA-522-1} - python3.5 3.5.2~rc1-1 - python3.4 - python2.7 2.7.12~rc1-1 @@ -990,6 +996,7 @@ CVE-2016-5302 (Citrix XenServer 7.0 before Hotfix XS70E003, when a deployment has ...) TODO: check CVE-2015-8935 [XSS in header() with Internet Explorer] + RESERVED - php5 5.6.6+dfsg-1 [wheezy] - php5 5.4.38-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=68978 @@ -15498,6 +15505,7 @@ NOTE: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=3bb3f42f3749d40b8d4de65871e8d828b18d4a45 CVE-2016-0772 [TLS stripping vulnerability in smtplib] RESERVED + {DLA-522-1} - python3.5 3.5.2~rc1-1 - python3.4 - python2.7 2.7.12~rc1-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
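Review bot: in the CVE-2016-5699 hunk the `{DLA-522-1}` marker lands directly under a still-open `TODO: check, referenced fix does not seem the one fixing the issue`; the DLA id only records that a wheezy update was published and does not answer that TODO, so whoever prepared DLA-522-1 should either close the TODO with the commit that was actually backported or leave it in place for follow-up.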
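Review bot: in the CVE-2016-5636 hunk (and identically in the CVE-2016-0772 hunk) python3.4 is listed with no fixed version while python3.5 (3.5.2~rc1-1) and python2.7 (2.7.12~rc1-1) have one; the automatic update only adds the DLA marker, so a human should fill in the python3.4 version if the fix was uploaded or confirm the package is meant to stay listed as unfixed.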
[Secure-testing-commits] r42684 - data
Author: santiago Date: 2016-06-22 07:41:46 + (Wed, 22 Jun 2016) New Revision: 42684 Modified: data/dla-needed.txt Log: Take squid in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-22 07:39:41 UTC (rev 42683) +++ data/dla-needed.txt 2016-06-22 07:41:46 UTC (rev 42684) @@ -81,7 +81,7 @@ -- spice (Santiago R.R.) -- -squid +squid (Santiago R.R.) -- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42683 - data/DLA
Author: agx Date: 2016-06-22 07:39:41 + (Wed, 22 Jun 2016) New Revision: 42683 Modified: data/DLA/list Log: Grab DLA for enigmail Modified: data/DLA/list === --- data/DLA/list 2016-06-22 06:50:53 UTC (rev 42682) +++ data/DLA/list 2016-06-22 07:39:41 UTC (rev 42683) @@ -1,3 +1,5 @@ +[22 Jun 2016] DLA-523-1 enigmail - security update + [wheezy] - enigmail 1.8.2-4~deb7u2 [21 Jun 2016] DLA-522-1 python2.7 - security update {CVE-2016-0772 CVE-2016-5636 CVE-2016-5699} [wheezy] - python2.7 2.7.3-6+deb7u3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
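Review bot: the new `[22 Jun 2016] DLA-523-1 enigmail - security update` entry has no `{CVE-...}` line between the header and the `[wheezy] - enigmail 1.8.2-4~deb7u2` line, whereas the DLA-522-1 entry directly below lists `{CVE-2016-0772 CVE-2016-5636 CVE-2016-5699}`; if the enigmail update addresses assigned CVEs, add them here so the corresponding CVE/list entries get their DLA cross-reference.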
[Secure-testing-commits] r42682 - data/CVE
Author: carnil Date: 2016-06-22 06:50:53 + (Wed, 22 Jun 2016) New Revision: 42682 Modified: data/CVE/list Log: Add bug reference for CVE-2016-4985 Modified: data/CVE/list === --- data/CVE/list 2016-06-22 05:45:34 UTC (rev 42681) +++ data/CVE/list 2016-06-22 06:50:53 UTC (rev 42682) @@ -2117,7 +2117,7 @@ NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20 CVE-2016-4985 [Ironic node information including credentials exposed to unathenticated users] RESERVED - - ironic + - ironic (bug #827886) NOTE: Affects >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1 CVE-2016-4984 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
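Review bot: the hunk adds the `(bug #827886)` reference but leaves the typo in the unchanged context line `CVE-2016-4985 [Ironic node information including credentials exposed to unathenticated users]` ("unathenticated" should read "unauthenticated"); since the bracketed description is what the tracker displays, it is worth correcting while the entry is being edited.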