[Secure-testing-commits] r42716 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-23 04:53:16 + (Thu, 23 Jun 2016)
New Revision: 42716

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2016-5325

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-23 04:46:50 UTC (rev 42715)
+++ data/CVE/list   2016-06-23 04:53:16 UTC (rev 42716)
@@ -887,7 +887,7 @@
RESERVED
 CVE-2016-5325
RESERVED
-   - nodejs  (unimportant)
+   - nodejs 4.4.5~dfsg-1 (unimportant)
NOTE: libv8 is not covered by security support
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/
 CVE-2016-5359 [wnpa-sec-2016-38]
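
Review bot: the NOTE kept as context under CVE-2016-5325 justifies the "(unimportant)" tag by saying libv8 is not covered by security support, but the package line being changed is nodejs, so the entry does not explain why a libv8 statement applies to it. Suggest rewording that NOTE to state how libv8 relates to the nodejs package, now that a fixed version (4.4.5~dfsg-1) is recorded against nodejs.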


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r42714 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-23 04:41:17 + (Thu, 23 Jun 2016)
New Revision: 42714

Modified:
   data/CVE/list
Log:
Add three new libarchive issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-23 04:32:22 UTC (rev 42713)
+++ data/CVE/list   2016-06-23 04:41:17 UTC (rev 42714)
@@ -4365,12 +4365,21 @@
NOTE: 
https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc
NOTE: 
https://github.com/esnet/iperf/commit/f01a9ca8f7e878e438a53687dabe30b7f7222912 
(3.1.x)
NOTE: http://www.talosintel.com/reports/TALOS-2016-0164/
-CVE-2016-4302
+CVE-2016-4302 [Libarchive Rar RestartModel Heap Overflow]
RESERVED
-CVE-2016-4301
+   - libarchive 
+   NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html
+   NOTE: http://www.talosintel.com/reports/TALOS-2016-0154/
+CVE-2016-4301 [mtree parse_device Stack Based Buffer Overflow]
RESERVED
-CVE-2016-4300
+   - libarchive 
+   NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html
+   NOTE: http://www.talosintel.com/reports/TALOS-2016-0153/
+CVE-2016-4300 [7-Zip read_SubStreamsInfo Integer Overflow]
RESERVED
+   - libarchive 
+   NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html
+   NOTE: http://www.talosintel.com/reports/TALOS-2016-0152/
 CVE-2016-4299
RESERVED
 CVE-2016-4298
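
Review bot: the three added "- libarchive" lines under CVE-2016-4302, CVE-2016-4301 and CVE-2016-4300 carry no Debian bug reference, so nothing in the entries links them to a report the maintainer can close. Suggest filing a bug against libarchive and adding it in a "(bug #...)" parenthesis on each line. The TALOS report NOTE is specific to each issue and is the useful one; the blog NOTE is repeated verbatim in all three entries.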




[Secure-testing-commits] r42717 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-23 04:56:16 + (Thu, 23 Jun 2016)
New Revision: 42717

Modified:
   data/CVE/list
Log:
Remove one TODO item

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-23 04:53:16 UTC (rev 42716)
+++ data/CVE/list   2016-06-23 04:56:16 UTC (rev 42717)
@@ -4060,7 +4060,6 @@
{DLA-520-1}
- horizon 
NOTE: https://bugs.launchpad.net/bugs/1567673
-   TODO: check
 CVE-2016-4427
RESERVED
 CVE-2016-4426
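
Review bot: the removed "TODO: check" under the horizon entry is dropped without anything in the hunk recording what the check concluded; the "- horizon" line and its launchpad NOTE are unchanged. Suggest adding a short NOTE with the outcome, or stating it in the log message, so the triage decision can be audited later.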




[Secure-testing-commits] r42715 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-23 04:46:50 + (Thu, 23 Jun 2016)
New Revision: 42715

Modified:
   data/CVE/list
Log:
iperf3 fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-23 04:41:17 UTC (rev 42714)
+++ data/CVE/list   2016-06-23 04:46:50 UTC (rev 42715)
@@ -4361,7 +4361,7 @@
RESERVED
 CVE-2016-4303 [JSON parsing vulnerability]
RESERVED
-   - iperf3  (bug #827116)
+   - iperf3 3.1.3-1 (bug #827116)
NOTE: 
https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc
NOTE: 
https://github.com/esnet/iperf/commit/f01a9ca8f7e878e438a53687dabe30b7f7222912 
(3.1.x)
NOTE: http://www.talosintel.com/reports/TALOS-2016-0164/




[Secure-testing-commits] r42713 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-23 04:32:22 + (Thu, 23 Jun 2016)
New Revision: 42713

Modified:
   data/CVE/list
Log:
CVE-2016-5742/movabletype-opensource assigned

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-23 04:27:53 UTC (rev 42712)
+++ data/CVE/list   2016-06-23 04:32:22 UTC (rev 42713)
@@ -20,10 +20,10 @@
RESERVED
 CVE-2016-5730
RESERVED
-CVE-2016- [SQL injection in MovableType xml-rpc interface]
+CVE-2016-5742 [SQL injection in MovableType xml-rpc interface]
- movabletype-opensource 
NOTE: 
https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/06/22/3
+   NOTE: http://www.openwall.com/lists/oss-security/2016/06/22/3
 CVE-2016-5737
RESERVED
NOT-FOR-US: Openstack-infra puppet-gerrit module
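
Review bot: removing the "CVE Request:" prefix from the openwall NOTE on the CVE-2016-5742 entry leaves a bare URL with no hint that it is the oss-security thread where the id was requested. Suggest keeping a short label on that NOTE, since the thread is where a reader would verify the assignment.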




[Secure-testing-commits] r42712 - data

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-23 04:27:53 + (Thu, 23 Jun 2016)
New Revision: 42712

Modified:
   data/dsa-needed.txt
Log:
Add tomcat7 to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-06-23 04:27:37 UTC (rev 42711)
+++ data/dsa-needed.txt 2016-06-23 04:27:53 UTC (rev 42712)
@@ -52,6 +52,8 @@
 squid3
   Santiago proposed a debdiff.
 --
+tomcat7
+--
 tomcat8 (Markus Koschany)
   Emmanuel Bourg has send debdiff for review
 --
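
Review bot: the new "tomcat7" entry is added with no note line, while the neighbouring squid3 and tomcat8 entries say what is pending or who is working on them. Suggest adding a line naming the issue that makes a DSA necessary, or the state of the update, so the entry is actionable.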




[Secure-testing-commits] r42711 - data

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-23 04:27:37 + (Thu, 23 Jun 2016)
New Revision: 42711

Modified:
   data/dsa-needed.txt
Log:
Add note for tomcat8

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-06-22 22:41:34 UTC (rev 42710)
+++ data/dsa-needed.txt 2016-06-23 04:27:37 UTC (rev 42711)
@@ -53,4 +53,5 @@
   Santiago proposed a debdiff.
 --
 tomcat8 (Markus Koschany)
+  Emmanuel Bourg has send debdiff for review
 --
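
Review bot: wording on the added tomcat8 note, "has send debdiff for review" should read "has sent a debdiff for review".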




[Secure-testing-commits] r42710 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 22:41:34 + (Wed, 22 Jun 2016)
New Revision: 42710

Modified:
   data/CVE/list
Log:
CVE-2016-2226: Mark vulnerability as no-dsa for Wheezy


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 22:37:51 UTC (rev 42709)
+++ data/CVE/list   2016-06-22 22:41:34 UTC (rev 42710)
@@ -10373,22 +10373,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision=234829
 CVE-2015-8811
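
Review bot: the nine added "[wheezy]" lines reuse the bare reason "(Minor issue)" from the "[jessie]" lines without saying why the issue is minor for these packages. Suggest a single NOTE on the entry giving the rationale once, rather than leaving it implicit in identical parentheses on every package line.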




[Secure-testing-commits] r42709 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 22:37:51 + (Wed, 22 Jun 2016)
New Revision: 42709

Modified:
   data/CVE/list
Log:
CVE-2016-4487: Mark vulnerability as no-dsa for Wheezy.


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 22:32:29 UTC (rev 42708)
+++ data/CVE/list   2016-06-22 22:37:51 UTC (rev 42709)
@@ -3769,22 +3769,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html
 CVE-2016-4539 (The xml_parse_into_struct function in ext/xml/xml.c in PHP 
before ...)




[Secure-testing-commits] r42708 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 22:32:29 + (Wed, 22 Jun 2016)
New Revision: 42708

Modified:
   data/CVE/list
Log:
CVE-2016-4488: Mark vulnerability as no-dsa for Wheezy


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 22:30:16 UTC (rev 42707)
+++ data/CVE/list   2016-06-22 22:32:29 UTC (rev 42708)
@@ -3738,22 +3738,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html
 CVE-2016-4487 [Invalid write due to a use-after-free to array btypevec]




[Secure-testing-commits] r42707 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 22:30:16 + (Wed, 22 Jun 2016)
New Revision: 42707

Modified:
   data/CVE/list
Log:
CVE-2016-4489: Mark vulnerability as no-dsa for Wheezy



Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 22:28:15 UTC (rev 42706)
+++ data/CVE/list   2016-06-22 22:30:16 UTC (rev 42707)
@@ -3707,22 +3707,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492
NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision=234828
 CVE-2016-4488 [Invalid write due to a use-after-free to array ktypevec]




[Secure-testing-commits] r42706 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 22:28:15 + (Wed, 22 Jun 2016)
New Revision: 42706

Modified:
   data/CVE/list
Log:
CVE-2016-4490: Mark vulnerability as no-dsa for Wheezy


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 22:25:58 UTC (rev 42705)
+++ data/CVE/list   2016-06-22 22:28:15 UTC (rev 42706)
@@ -3676,22 +3676,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498
NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision=235767
 CVE-2016-4489 [Invalid write due to integer overflow]




[Secure-testing-commits] r42705 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 22:25:58 + (Wed, 22 Jun 2016)
New Revision: 42705

Modified:
   data/CVE/list
Log:
CVE-2016-4491: Mark vulnerability as no-dsa for Wheezy


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 21:10:11 UTC (rev 42704)
+++ data/CVE/list   2016-06-22 22:25:58 UTC (rev 42705)
@@ -3645,22 +3645,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909
NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html
 CVE-2016-4490 [Write access violation]




[Secure-testing-commits] r42704 - data/CVE

2016-06-22 Thread security tracker role
Author: sectracker
Date: 2016-06-22 21:10:11 + (Wed, 22 Jun 2016)
New Revision: 42704

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 20:03:27 UTC (rev 42703)
+++ data/CVE/list   2016-06-22 21:10:11 UTC (rev 42704)
@@ -1,3 +1,25 @@
+CVE-2016-5741
+   RESERVED
+CVE-2016-5740
+   RESERVED
+CVE-2016-5739
+   RESERVED
+CVE-2016-5738
+   RESERVED
+CVE-2016-5736
+   RESERVED
+CVE-2016-5735
+   RESERVED
+CVE-2016-5734
+   RESERVED
+CVE-2016-5733
+   RESERVED
+CVE-2016-5732
+   RESERVED
+CVE-2016-5731
+   RESERVED
+CVE-2016-5730
+   RESERVED
 CVE-2016- [SQL injection in MovableType xml-rpc interface]
- movabletype-opensource 
NOTE: 
https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html
@@ -3,4 +25,5 @@
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/06/22/3
 CVE-2016-5737
+   RESERVED
NOT-FOR-US: Openstack-infra puppet-gerrit module
 CVE-2016-5729
@@ -9,6 +32,8 @@
 CVE-2016-5728
RESERVED
 CVE-2015-8936 [squidguard reflected XSS]
+   RESERVED
+   {DLA-524-1}
- squidguard 1.5-5
NOTE: Fix applied: 16_XSS-security-bugfix.patch in 1.5-5
NOTE: http://www.openwall.com/lists/oss-security/2016/06/20/2




[Secure-testing-commits] r42703 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 20:03:27 + (Wed, 22 Jun 2016)
New Revision: 42703

Modified:
   data/CVE/list
Log:
CVE-2016-4492: Mark vulnerability in Wheezy as no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 19:37:58 UTC (rev 42702)
+++ data/CVE/list   2016-06-22 20:03:27 UTC (rev 42703)
@@ -3589,22 +3589,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html
 CVE-2016-4491 [Stack overflow due to infinite recursion in d_print_comp]




[Secure-testing-commits] r42702 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 19:37:58 + (Wed, 22 Jun 2016)
New Revision: 42702

Modified:
   data/CVE/list
Log:
CVE-2016-4493: Mark vulnerability as no-dsa for Wheezy



Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 19:03:24 UTC (rev 42701)
+++ data/CVE/list   2016-06-22 19:37:58 UTC (rev 42702)
@@ -3558,22 +3558,31 @@
RESERVED
- valgrind  (low)
[jessie] - valgrind  (Minor issue)
+   [wheezy] - valgrind  (Minor issue)
- ht  (low)
[jessie] - ht  (Minor issue)
+   [wheezy] - ht  (Minor issue)
- binutils  (low)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
- binutils-h8300-hms  (low)
[jessie] - binutils-h8300-hms  (Minor issue)
+   [wheezy] - binutils-h8300-hms  (Minor issue)
- gcc-h8300-hms  (low)
[jessie] - gcc-h8300-hms  (Minor issue)
+   [wheezy] - gcc-h8300-hms  (Minor issue)
- gdb  (low)
[jessie] - gdb  (Minor issue)
+   [wheezy] - gdb  (Minor issue)
- libiberty  (low)
[jessie] - libiberty  (Minor issue)
+   [wheezy] - libiberty  (Minor issue)
- nescc  (low)
[jessie] - nescc  (Minor issue)
+   [wheezy] - nescc  (Minor issue)
- sdcc  (low)
[jessie] - sdcc  (Minor issue)
+   [wheezy] - sdcc  (Minor issue)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html
 CVE-2016-4492 [Write access violations]




[Secure-testing-commits] r42701 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 19:03:24 + (Wed, 22 Jun 2016)
New Revision: 42701

Modified:
   data/CVE/list
Log:
CVE-2016-1621: libvpx in Wheezy is not affected

vulnerable code is not present because webm module not yet included


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 18:49:59 UTC (rev 42700)
+++ data/CVE/list   2016-06-22 19:03:24 UTC (rev 42701)
@@ -12683,6 +12683,7 @@
 CVE-2016-1621 (libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 
5.1.1 ...)
- libvpx 
[jessie] - libvpx  (Vulnerable code not present, libwebm 
not yet included)
+   [wheezy] - libvpx  (Vulnerable code not present, libwebm 
not yet included)
NOTE: 
https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1
 CVE-2016-1620 (Multiple unspecified vulnerabilities in Google Chrome before 
...)
{DSA-3456-1}




[Secure-testing-commits] r42700 - data/CVE

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 18:49:59 + (Wed, 22 Jun 2016)
New Revision: 42700

Modified:
   data/CVE/list
Log:
CVE-2016-3092: Add links to fix and upstream advisory



Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 18:48:00 UTC (rev 42699)
+++ data/CVE/list   2016-06-22 18:49:59 UTC (rev 42700)
@@ -7382,6 +7382,8 @@
- tomcat7 7.0.70-1
- tomcat8 8.0.36-1
- tomcat9  (bug #802312)
+   NOTE: Fixed by https://svn.apache.org/r1743480
+   NOTE: Upstream advisory http://markmail.org/message/oyxfv73jb2g7rjg3
 CVE-2016-3091
RESERVED
 CVE-2016-3090
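
Review bot: the added "Fixed by https://svn.apache.org/r1743480" NOTE does not say which of the packages listed above it (tomcat7, tomcat8 and tomcat9 are visible in the context) the revision belongs to. Suggest naming the source tree or branch in the NOTE so that whoever backports the fix knows which code base the commit applies to.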




[Secure-testing-commits] r42699 - data

2016-06-22 Thread Markus Koschany
Author: apo
Date: 2016-06-22 18:48:00 + (Wed, 22 Jun 2016)
New Revision: 42699

Modified:
   data/dla-needed.txt
Log:
Add libcommons-fileupload-java, tomcat6 and tomcat7

to dla-needed.txt and claim them.

All three are affected by CVE-2016-3092, DoS through exhausting CPU resources


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-22 17:42:19 UTC (rev 42698)
+++ data/dla-needed.txt 2016-06-22 18:48:00 UTC (rev 42699)
@@ -35,6 +35,8 @@
 --
 libarchive (Markus Koschany)
 --
+libcommons-fileupload-java (Markus Koschany)
+--
 libjackson-json-java
 --
 libspring-java
@@ -93,6 +95,10 @@
 --
 tiff3
 --
+tomcat6 (Markus Koschany)
+--
+tomcat7 (Markus Koschany)
+--
 wget (Thorsten Alteholz)
 --
 wireshark (Balint Reczey)




[Secure-testing-commits] r42698 - data/CVE

2016-06-22 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-06-22 17:42:19 + (Wed, 22 Jun 2016)
New Revision: 42698

Modified:
   data/CVE/list
Log:
libvpx n/a in jessie, thanks nicholasL


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 16:57:37 UTC (rev 42697)
+++ data/CVE/list   2016-06-22 17:42:19 UTC (rev 42698)
@@ -12679,9 +12679,9 @@
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2016-1621 (libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 
5.1.1 ...)
-   - libvpx 
+   - libvpx 
+   [jessie] - libvpx  (Vulnerable code not present, libwebm 
not yet included)
NOTE: 
https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1
-   TODO: check
 CVE-2016-1620 (Multiple unspecified vulnerabilities in Google Chrome before 
...)
{DSA-3456-1}
- chromium-browser 48.0.2564.82-1




[Secure-testing-commits] r42697 - data/CVE

2016-06-22 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-06-22 16:57:37 + (Wed, 22 Jun 2016)
New Revision: 42697

Modified:
   data/CVE/list
Log:
kinit fixed


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 15:53:47 UTC (rev 42696)
+++ data/CVE/list   2016-06-22 16:57:37 UTC (rev 42697)
@@ -7346,12 +7346,11 @@
- jenkins 
 CVE-2016-3100
RESERVED
-   - kinit  (bug #827476)
+   - kinit 5.23.0-1 (bug #827476)
NOTE: https://bugs.kde.org/show_bug.cgi?id=358593
NOTE: https://bugs.kde.org/show_bug.cgi?id=363140
NOTE: 
https://quickgit.kde.org/?p=kinit.git=commitdiff=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
NOTE: 
https://quickgit.kde.org/?p=kinit.git=commitdiff=72f3702dbe6cf15c06dc13da2c99c864e9022a58
-   TODO: check
 CVE-2016-3099 [Invalid handling of +CIPHER operator]
RESERVED
- libapache2-mod-nss  (bug #822461)




[Secure-testing-commits] r42696 - data/CVE

2016-06-22 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-06-22 15:53:47 + (Wed, 22 Jun 2016)
New Revision: 42696

Modified:
   data/CVE/list
Log:
mark groovy as fixed, thanks nicholasL


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 15:19:09 UTC (rev 42695)
+++ data/CVE/list   2016-06-22 15:53:47 UTC (rev 42696)
@@ -32814,7 +32814,7 @@
RESERVED
 CVE-2015-3253 (The MethodClosure class in runtime/MethodClosure.java in Apache 
Groovy ...)
{DLA-274-1}
-   - groovy  (bug #793397)
+   - groovy 2.4.6-1 (bug #793397)
[jessie] - groovy 1.8.6-4+deb8u1
[wheezy] - groovy 1.8.6-1+deb7u1
- groovy2 2.2.2+dfsg-5 (bug #793398)




[Secure-testing-commits] r42695 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-22 15:19:09 + (Wed, 22 Jun 2016)
New Revision: 42695

Modified:
   data/CVE/list
Log:
Add new issue in movabletype-opensource

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 15:03:42 UTC (rev 42694)
+++ data/CVE/list   2016-06-22 15:19:09 UTC (rev 42695)
@@ -1,3 +1,7 @@
+CVE-2016- [SQL injection in MovableType xml-rpc interface]
+   - movabletype-opensource 
+   NOTE: 
https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/06/22/3
 CVE-2016-5737
NOT-FOR-US: Openstack-infra puppet-gerrit module
 CVE-2016-5729




[Secure-testing-commits] r42694 - in data: . DLA

2016-06-22 Thread Chris Lamb
Author: lamby
Date: 2016-06-22 15:03:42 + (Wed, 22 Jun 2016)
New Revision: 42694

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-524-1 for squidguard

Modified: data/DLA/list
===
--- data/DLA/list   2016-06-22 15:00:19 UTC (rev 42693)
+++ data/DLA/list   2016-06-22 15:03:42 UTC (rev 42694)
@@ -1,3 +1,6 @@
+[22 Jun 2016] DLA-524-1 squidguard - security update
+   {CVE-2015-8936}
+   [wheezy] - squidguard 1.5-1+deb7u1
 [22 Jun 2016] DLA-523-1 enigmail - security update
[wheezy] - enigmail 1.8.2-4~deb7u2
 [21 Jun 2016] DLA-522-1 python2.7 - security update

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-22 15:00:19 UTC (rev 42693)
+++ data/dla-needed.txt 2016-06-22 15:03:42 UTC (rev 42694)
@@ -83,8 +83,6 @@
 --
 squid (Santiago R.R.)
 --
-squidguard (Chris Lamb)
---
 tardiff
   fw asked maintainer for preparing debdiffs for wheezy- and jessie-security
   https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy




[Secure-testing-commits] r42693 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-22 15:00:19 + (Wed, 22 Jun 2016)
New Revision: 42693

Modified:
   data/CVE/list
Log:
Add CVE-2016-5737

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 14:55:24 UTC (rev 42692)
+++ data/CVE/list   2016-06-22 15:00:19 UTC (rev 42693)
@@ -1,3 +1,5 @@
+CVE-2016-5737
+   NOT-FOR-US: Openstack-infra puppet-gerrit module
 CVE-2016-5729
RESERVED
 CVE-2016-5728




[Secure-testing-commits] r42691 - data

2016-06-22 Thread Chris Lamb
Author: lamby
Date: 2016-06-22 14:55:22 + (Wed, 22 Jun 2016)
New Revision: 42691

Modified:
   data/dla-needed.txt
Log:
Triage squidguard for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-22 14:25:39 UTC (rev 42690)
+++ data/dla-needed.txt 2016-06-22 14:55:22 UTC (rev 42691)
@@ -83,6 +83,8 @@
 --
 squid (Santiago R.R.)
 --
+squidguard
+--
 tardiff
   fw asked maintainer for preparing debdiffs for wheezy- and jessie-security
   https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy




[Secure-testing-commits] r42692 - data

2016-06-22 Thread Chris Lamb
Author: lamby
Date: 2016-06-22 14:55:24 + (Wed, 22 Jun 2016)
New Revision: 42692

Modified:
   data/dla-needed.txt
Log:
Claim squidguard in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-22 14:55:22 UTC (rev 42691)
+++ data/dla-needed.txt 2016-06-22 14:55:24 UTC (rev 42692)
@@ -83,7 +83,7 @@
 --
 squid (Santiago R.R.)
 --
-squidguard
+squidguard (Chris Lamb)
 --
 tardiff
   fw asked maintainer for preparing debdiffs for wheezy- and jessie-security




[Secure-testing-commits] r42690 - data/CVE

2016-06-22 Thread Santiago Ruano Rincón
Author: santiago
Date: 2016-06-22 14:25:39 + (Wed, 22 Jun 2016)
New Revision: 42690

Modified:
   data/CVE/list
Log:
CVE-2016-3948/squid no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 10:59:36 UTC (rev 42689)
+++ data/CVE/list   2016-06-22 14:25:39 UTC (rev 42690)
@@ -5386,6 +5386,7 @@
[jessie] - squid3  (Minor issue; needs substantial backporting; 
too intrusive to backport)
[wheezy] - squid3  (Minor issue; needs substantial backporting; 
too intrusive to backport)
- squid 
+   [wheezy] - squid  (Minor issue; needs substantial backporting; 
too intrusive to backport)
NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch
NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
 CVE-2016-3947 (Heap-based buffer overflow in the Icmp6::Recv function in ...)
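
Review bot: the reason on the added "[wheezy] - squid" line is copied from the squid3 lines above it and says both "needs substantial backporting" and "too intrusive to backport", which overlap. Suggest trimming it to one of the two, and confirming the squid3 assessment holds for the squid source package rather than carrying the text over unchanged.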




[Secure-testing-commits] r42689 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-22 10:59:36 + (Wed, 22 Jun 2016)
New Revision: 42689

Modified:
   data/CVE/list
Log:
Inverse sorting

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 10:46:11 UTC (rev 42688)
+++ data/CVE/list   2016-06-22 10:59:36 UTC (rev 42689)
@@ -7372,10 +7372,10 @@
 CVE-2016-3092
RESERVED
- libcommons-fileupload-java 1.3.2-1
+   - tomcat6 
+   - tomcat7 7.0.70-1
+   - tomcat8 8.0.36-1
- tomcat9  (bug #802312)
-   - tomcat8 8.0.36-1
-   - tomcat7 7.0.70-1
-   - tomcat6 
 CVE-2016-3091
RESERVED
 CVE-2016-3090




[Secure-testing-commits] r42688 - data

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-22 10:46:11 + (Wed, 22 Jun 2016)
New Revision: 42688

Modified:
   data/dsa-needed.txt
Log:
Add libcommons-fileupload-java

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-06-22 10:45:38 UTC (rev 42687)
+++ data/dsa-needed.txt 2016-06-22 10:46:11 UTC (rev 42688)
@@ -20,6 +20,9 @@
 --
 icu
 --
+libcommons-fileupload-java
+  Maintainer is preparing update
+--
 libpdfbox-java
   Maintainer proposed debdiff, but first wait a bit for the upload
   in unstable to be tested/exposed for possible regressions.
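
Review bot: the new `libcommons-fileupload-java` entry does not name the issue it tracks; "Maintainer is preparing update" gives status only. r42687 recorded CVE-2016-3092 against this package and against the tomcat packages, so the note line should mention CVE-2016-3092, and it is worth confirming whether tomcat7 and tomcat8 in stable need their own dsa-needed entries, since the context of this hunk does not show any.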




[Secure-testing-commits] r42687 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-22 10:45:38 + (Wed, 22 Jun 2016)
New Revision: 42687

Modified:
   data/CVE/list
Log:
Add CVE-2016-3092

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 10:29:18 UTC (rev 42686)
+++ data/CVE/list   2016-06-22 10:45:38 UTC (rev 42687)
@@ -7371,6 +7371,11 @@
NOTE: https://struts.apache.org/docs/s2-034.html
 CVE-2016-3092
RESERVED
+   - libcommons-fileupload-java 1.3.2-1
+   - tomcat9  (bug #802312)
+   - tomcat8 8.0.36-1
+   - tomcat7 7.0.70-1
+   - tomcat6 
 CVE-2016-3091
RESERVED
 CVE-2016-3090
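
Review bot: the CVE-2016-3092 entry gains five package lines but no bracketed short description and no NOTE with an upstream reference, so a reader cannot tell what the issue is or where the fixed versions come from. The entry just above carries a reference (`NOTE: https://struts.apache.org/docs/s2-034.html`); add a `[...]` description after the CVE id and a NOTE pointing at the upstream advisory or commit. The tomcat lines are also added in descending order (tomcat9 first), which r42689 then had to re-sort.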




[Secure-testing-commits] r42686 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-22 10:29:18 + (Wed, 22 Jun 2016)
New Revision: 42686

Modified:
   data/CVE/list
Log:
ironic fixed with unstable upload, #827886

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 09:10:15 UTC (rev 42685)
+++ data/CVE/list   2016-06-22 10:29:18 UTC (rev 42686)
@@ -2124,7 +2124,7 @@
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20
 CVE-2016-4985 [Ironic node information including credentials exposed to 
unathenticated users]
RESERVED
-   - ironic  (bug #827886)
+   - ironic 1:5.1.2-1 (bug #827886)
NOTE: Affects >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1
 CVE-2016-4984
RESERVED
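
Review bot: the new fixed version `1:5.1.2-1` sits directly above a NOTE whose first range, `>=2014.2`, has no upper bound, so read literally the NOTE says every release from 2014.2 onward is affected, including the one now marked fixed. The other two ranges are bounded (`<=4.2.4`, `<=5.1.1`) and agree with 5.1.2 being the first fixed release. If 2014.2 refers to a separate, older version series, reword the NOTE to say so.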




[Secure-testing-commits] r42685 - data/CVE

2016-06-22 Thread security tracker role
Author: sectracker
Date: 2016-06-22 09:10:15 + (Wed, 22 Jun 2016)
New Revision: 42685

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 07:41:46 UTC (rev 42684)
+++ data/CVE/list   2016-06-22 09:10:15 UTC (rev 42685)
@@ -1,3 +1,7 @@
+CVE-2016-5729
+   RESERVED
+CVE-2016-5728
+   RESERVED
 CVE-2015-8936 [squidguard reflected XSS]
- squidguard 1.5-5
NOTE: Fix applied: 16_XSS-security-bugfix.patch in 1.5-5
@@ -200,6 +204,7 @@
TODO: check, referenced fix does not seem the one fixing the issue
 CVE-2016-5699
RESERVED
+   {DLA-522-1}
- python3.5  (Fixed with initial upload to Debian)
- python3.4 3.4.4~rc1-1
- python2.7 2.7.10~rc1-1
@@ -615,6 +620,7 @@
NOTE: workaround for DSA-3604-1
 CVE-2016-5636 [heap overflow in Python zipimport module]
RESERVED
+   {DLA-522-1}
- python3.5 3.5.2~rc1-1
- python3.4 
- python2.7 2.7.12~rc1-1
@@ -990,6 +996,7 @@
 CVE-2016-5302 (Citrix XenServer 7.0 before Hotfix XS70E003, when a deployment 
has ...)
TODO: check
 CVE-2015-8935 [XSS in header() with Internet Explorer]
+   RESERVED
- php5 5.6.6+dfsg-1
[wheezy] - php5 5.4.38-0+deb7u1
NOTE: https://bugs.php.net/bug.php?id=68978
@@ -15498,6 +15505,7 @@
NOTE: 
http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=3bb3f42f3749d40b8d4de65871e8d828b18d4a45
 CVE-2016-0772 [TLS stripping vulnerability in smtplib]
RESERVED
+   {DLA-522-1}
- python3.5 3.5.2~rc1-1
- python3.4 
- python2.7 2.7.12~rc1-1




[Secure-testing-commits] r42684 - data

2016-06-22 Thread Santiago Ruano Rincón
Author: santiago
Date: 2016-06-22 07:41:46 + (Wed, 22 Jun 2016)
New Revision: 42684

Modified:
   data/dla-needed.txt
Log:
Take squid in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-22 07:39:41 UTC (rev 42683)
+++ data/dla-needed.txt 2016-06-22 07:41:46 UTC (rev 42684)
@@ -81,7 +81,7 @@
 --
 spice (Santiago R.R.)
 --
-squid
+squid (Santiago R.R.)
 --
 tardiff
   fw asked maintainer for preparing debdiffs for wheezy- and jessie-security




[Secure-testing-commits] r42683 - data/DLA

2016-06-22 Thread Guido Guenther
Author: agx
Date: 2016-06-22 07:39:41 + (Wed, 22 Jun 2016)
New Revision: 42683

Modified:
   data/DLA/list
Log:
Grab DLA for enigmail

Modified: data/DLA/list
===
--- data/DLA/list   2016-06-22 06:50:53 UTC (rev 42682)
+++ data/DLA/list   2016-06-22 07:39:41 UTC (rev 42683)
@@ -1,3 +1,5 @@
+[22 Jun 2016] DLA-523-1 enigmail - security update
+   [wheezy] - enigmail 1.8.2-4~deb7u2
 [21 Jun 2016] DLA-522-1 python2.7 - security update
{CVE-2016-0772 CVE-2016-5636 CVE-2016-5699}
[wheezy] - python2.7 2.7.3-6+deb7u3
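
Review bot: the new DLA-523-1 entry has no `{CVE-...}` line between its header and the `[wheezy] - enigmail 1.8.2-4~deb7u2` line, while DLA-522-1 directly below lists its three CVEs in that position. If the enigmail update fixes assigned CVEs, list them here so the DLA can be cross-referenced from data/CVE/list, as r42685 did with `{DLA-522-1}`; if no CVE is assigned, the entry is fine as it stands.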




[Secure-testing-commits] r42682 - data/CVE

2016-06-22 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-22 06:50:53 + (Wed, 22 Jun 2016)
New Revision: 42682

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2016-4985

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-22 05:45:34 UTC (rev 42681)
+++ data/CVE/list   2016-06-22 06:50:53 UTC (rev 42682)
@@ -2117,7 +2117,7 @@
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20
 CVE-2016-4985 [Ironic node information including credentials exposed to 
unathenticated users]
RESERVED
-   - ironic 
+   - ironic  (bug #827886)
NOTE: Affects >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1
 CVE-2016-4984
RESERVED
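
Review bot: the bracketed description of CVE-2016-4985 in the context lines reads "unathenticated users"; since this commit edits the entry anyway, correct it to "unauthenticated". The added `(bug #827886)` reference needs no change.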

