[Secure-testing-commits] r42802 - data/CVE

2016-06-25 Thread Henri Salo
Author: fgeek-guest
Date: 2016-06-25 22:46:14 + (Sat, 25 Jun 2016)
New Revision: 42802

Modified:
   data/CVE/list
Log:
Add reproducer for CVE-2016-5319

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 21:10:14 UTC (rev 42801)
+++ data/CVE/list   2016-06-25 22:46:14 UTC (rev 42802)
@@ -1420,6 +1420,7 @@
- tiff 
- tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2562
+   NOTE: Reproducer http://bugs.fi/media/afl/libtiff/CVE-2016-5319.bmp
 CVE-2016-5318 [libtiff: stack buffer overflow in _TIFFVGetField function]
RESERVED
- tiff 
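Review bot: The added reproducer NOTE points at a third-party host over plain http, so the entry depends on bugs.fi staying reachable and continuing to serve the same file. Consider attaching the sample to the upstream report already cited on the line above (bugzilla.maptools.org id=2562) and referencing that, or recording a checksum of the file next to the URL.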


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r42801 - data/CVE

2016-06-25 Thread security tracker role
Author: sectracker
Date: 2016-06-25 21:10:14 + (Sat, 25 Jun 2016)
New Revision: 42801

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 20:34:48 UTC (rev 42800)
+++ data/CVE/list   2016-06-25 21:10:14 UTC (rev 42801)
@@ -2255,6 +2255,7 @@
- foreman  (bug #663101)
 CVE-2016-4994 [Use-after-free vulnerabilities in the channel and layer 
properties parsing process]
RESERVED
+   {DLA-525-1}
- gimp  (bug #828179)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=767873
 CVE-2016-4993
@@ -8440,6 +8441,7 @@
 CVE-2016-2835
RESERVED
 CVE-2016-2834 (Mozilla Network Security Services (NSS) before 3.23, as used in 
...)
+   {DLA-527-1}
- nss 2:3.23-1
- firefox-esr  (Doesn't apply to Firefox ESR)
- firefox 47.0-1
@@ -35435,6 +35437,7 @@
 CVE-2015-2576 (Unspecified vulnerability in the MySQL Utilities component in 
Oracle ...)
NOT-FOR-US: MySQL Utilities component of MySQL on Windows
 CVE-2015-2575 (Unspecified vulnerability in the MySQL Connectors component in 
Oracle ...)
+   {DLA-526-1}
- mysql-connector-java 5.1.37-1
 CVE-2015-2574 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local 
users ...)
NOT-FOR-US: Oracle Sun Solaris




[Secure-testing-commits] r42800 - data

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 20:34:48 + (Sat, 25 Jun 2016)
New Revision: 42800

Modified:
   data/dla-needed.txt
Log:
debdiff sent for cacti

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 20:16:36 UTC (rev 42799)
+++ data/dla-needed.txt 2016-06-25 20:34:48 UTC (rev 42800)
@@ -13,6 +13,7 @@
 --
 cacti (Emilio Pozuelo)
   NOTE: Maintainer wants to review changes; see 
https://lists.debian.org/<5724f47d.6090...@debian.org>
+  NOTE: debdiff sent to maintainer: 
https://lists.debian.org/debian-lts/2016/06/msg00127.html
 --
 cakephp
   NOTE: CVE-2015-8379 No official solution is currently available, 20160425
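Review bot: The new debdiff NOTE under cacti carries no date stamp, unlike the cakephp NOTE in the trailing context (", 20160425"). Appending the date makes it easy to see later whether the maintainer review has stalled.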




[Secure-testing-commits] r42799 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 20:16:36 + (Sat, 25 Jun 2016)
New Revision: 42799

Modified:
   data/CVE/list
Log:
Report bug for CVE-2016-4994

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 20:12:13 UTC (rev 42798)
+++ data/CVE/list   2016-06-25 20:16:36 UTC (rev 42799)
@@ -2255,9 +2255,8 @@
- foreman  (bug #663101)
 CVE-2016-4994 [Use-after-free vulnerabilities in the channel and layer 
properties parsing process]
RESERVED
-   - gimp 
+   - gimp  (bug #828179)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=767873
-   TODO: check
 CVE-2016-4993
RESERVED
 CVE-2016-4992 [Information disclosure via repeated use of LDAP ADD operation]




[Secure-testing-commits] r42798 - data

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 20:12:13 + (Sat, 25 Jun 2016)
New Revision: 42798

Modified:
   data/dla-needed.txt
Log:
CVE-2016-3659 has a fix

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 20:11:39 UTC (rev 42797)
+++ data/dla-needed.txt 2016-06-25 20:12:13 UTC (rev 42798)
@@ -12,7 +12,6 @@
 asterisk (Thorsten Alteholz)
 --
 cacti (Emilio Pozuelo)
-  NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425
   NOTE: Maintainer wants to review changes; see 
https://lists.debian.org/<5724f47d.6090...@debian.org>
 --
 cakephp
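Review bot: Deleting the "doesn't have a fix yet" NOTE leaves the cacti entry with no mention of CVE-2016-3659 at all, so a later reader cannot tell which issue the claim covers or where the fix lives. Replace the line rather than remove it, for example with a NOTE that names CVE-2016-3659 and links the fixing commit or upstream bug.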




[Secure-testing-commits] r42797 - data

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 20:11:39 + (Sat, 25 Jun 2016)
New Revision: 42797

Modified:
   data/dla-needed.txt
Log:
claim cacti in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 19:10:31 UTC (rev 42796)
+++ data/dla-needed.txt 2016-06-25 20:11:39 UTC (rev 42797)
@@ -11,7 +11,7 @@
 --
 asterisk (Thorsten Alteholz)
 --
-cacti
+cacti (Emilio Pozuelo)
   NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425
   NOTE: Maintainer wants to review changes; see 
https://lists.debian.org/<5724f47d.6090...@debian.org>
 --




[Secure-testing-commits] r42796 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 19:10:31 + (Sat, 25 Jun 2016)
New Revision: 42796

Modified:
   data/CVE/list
Log:
Update CVE-2016-5828 information

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 19:09:07 UTC (rev 42795)
+++ data/CVE/list   2016-06-25 19:10:31 UTC (rev 42796)
@@ -12,7 +12,9 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b
 CVE-2016-5828 [powerpc/tm: Always reclaim in start_thread() for exec() class 
syscalls]
- linux 
+   [wheezy] - linux  (Introduced in v3.10-rc1)
NOTE: https://patchwork.ozlabs.org/patch/636776/
+   NOTE: Introduced in 
https://git.kernel.org/linus/bc2a9408fa65195288b41751016c36fd00a75a85 
(v3.10-rc1)
 CVE-2016-5744
RESERVED
 CVE-2016-5743
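Review bot: The only fix reference for CVE-2016-5828 remains the patchwork submission (patch/636776), while the introducing change is now pinned to a mainline commit. Once the patch is merged, add a matching "Fixed by" NOTE with the git.kernel.org/linus commit so that backporters do not have to follow the patchwork thread to find it.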




[Secure-testing-commits] r42795 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 19:09:07 + (Sat, 25 Jun 2016)
New Revision: 42795

Modified:
   data/CVE/list
Log:
Add CVE-2016-5828/linux

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 19:08:58 UTC (rev 42794)
+++ data/CVE/list   2016-06-25 19:09:07 UTC (rev 42795)
@@ -10,6 +10,9 @@
- imagemagick 
NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b
+CVE-2016-5828 [powerpc/tm: Always reclaim in start_thread() for exec() class 
syscalls]
+   - linux 
+   NOTE: https://patchwork.ozlabs.org/patch/636776/
 CVE-2016-5744
RESERVED
 CVE-2016-5743




[Secure-testing-commits] r42794 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 19:08:58 + (Sat, 25 Jun 2016)
New Revision: 42794

Modified:
   data/CVE/list
Log:
Reorder one entry

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 18:02:50 UTC (rev 42793)
+++ data/CVE/list   2016-06-25 19:08:58 UTC (rev 42794)
@@ -1098,8 +1098,8 @@
RESERVED
- tiff 
- tiff3 
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2557
TODO: check, disputable that this actually would be as well a nautilus 
issue
-   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2557
 CVE-2016-5316 [tif_pixarlog.c:  PixarLogCleanup() Segmentation fault]
RESERVED
- tiff 




[Secure-testing-commits] r42793 - in data: . DLA

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 18:02:50 + (Sat, 25 Jun 2016)
New Revision: 42793

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-527-1 for nss

Modified: data/DLA/list
===
--- data/DLA/list   2016-06-25 17:35:54 UTC (rev 42792)
+++ data/DLA/list   2016-06-25 18:02:50 UTC (rev 42793)
@@ -1,3 +1,6 @@
+[25 Jun 2016] DLA-527-1 nss - security update
+   {CVE-2016-2834}
+   [wheezy] - nss 2:3.14.5-1+deb7u8
 [25 Jun 2016] DLA-526-1 mysql-connector-java - security update
{CVE-2015-2575}
[wheezy] - mysql-connector-java 5.1.39-1~deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 17:35:54 UTC (rev 42792)
+++ data/dla-needed.txt 2016-06-25 18:02:50 UTC (rev 42793)
@@ -52,9 +52,6 @@
 --
 mat
 --
-nss (Emilio Pozuelo)
- NOTE: Not 100% this applies to wheezy yet; can't find the changeset and the 
diff between NSS 3.22 and 3.23 is very large.
---
 ntp (Santiago R.R.)
   NOTE: maintainer would like help working on the updates but will handle the 
updates himself
   NOTE: 20160518175636.ga29...@roeckx.be
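Review bot: The nss entry removed here carried an open question ("Not 100% this applies to wheezy yet; can't find the changeset"), and nothing in this commit records how it was answered. Since DLA-527-1 now lists a wheezy version for CVE-2016-2834, add a NOTE to that CVE entry in data/CVE/list naming the upstream changeset that was backported.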




[Secure-testing-commits] r42792 - data/CVE

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 17:35:54 + (Sat, 25 Jun 2016)
New Revision: 42792

Modified:
   data/CVE/list
Log:
triage tiff CVEs

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 16:18:04 UTC (rev 42791)
+++ data/CVE/list   2016-06-25 17:35:54 UTC (rev 42792)
@@ -1074,6 +1074,7 @@
[jessie] - tiff  (Minor issue)
[wheezy] - tiff  (Minor issue)
- tiff3 
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2559
 CVE-2016-5322 [extractContigSamplesBytes:  out-of-bounds read]
RESERVED
- tiff 
@@ -1081,36 +1082,39 @@
[wheezy] - tiff  (Minor issue)
- tiff3  (unimportant)
NOTE: src:tiff3: built binary packages do not contain the TIFF tools
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2560
 CVE-2016-5321 [DumpModeDecode(): Ddos]
RESERVED
- tiff 
- tiff3 
-   TODO: check
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2558
 CVE-2016-5320 [rgb2ycbcr: command excution]
RESERVED
- tiff 
- tiff3 
TODO: check
+   NOTE: See http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1
 CVE-2016-5317 [GNOME nautilus: crash occurs when generating a thumbnail for a 
crafted TIFF image]
RESERVED
- tiff 
- tiff3 
TODO: check, disputable that this actually would be as well a nautilus 
issue
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2557
 CVE-2016-5316 [tif_pixarlog.c:  PixarLogCleanup() Segmentation fault]
RESERVED
- tiff 
- tiff3 
-   TODO: check
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2556
 CVE-2016-5315 [tif_dir.c: setByteArray() Read access violation]
RESERVED
- tiff 
- tiff3 
-   TODO: check
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2555
 CVE-2016-5314 [PixarLogDecode() out-of-bound writes]
RESERVED
- tiff 
- tiff3 
-   TODO: check
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2554
 CVE-2016-5313
RESERVED
 CVE-2016-5312
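Review bot: CVE-2016-5320 keeps a bare "TODO: check" next to its new NOTE, whereas CVE-2016-5321, CVE-2016-5316, CVE-2016-5315 and CVE-2016-5314 have the TODO replaced by the bug link; if it is still untriaged, say in the TODO what remains open. Also confirm the CVE-2016-5320 link: it is comment 1 of bug 2554, the same bug cited for CVE-2016-5314, and if both CVEs really share one upstream report that is worth stating on both entries.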
@@ -1410,11 +1414,14 @@
RESERVED
- tiff 
- tiff3 
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2562
 CVE-2016-5318 [libtiff: stack buffer overflow in _TIFFVGetField function]
RESERVED
- tiff 
- tiff3 
NOTE: Upstream will remove thumbnail from 4.0.7 release
+   NOTE: _TIFFVGetField isn't specific to thumbnail tool
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2561
 CVE-2016-5301 [denial of service]
RESERVED
{DLA-511-1}
@@ -14806,6 +14813,7 @@
NOTE: http://seclists.org/bugtraq/2015/Dec/138
NOTE: no fix published yet
NOTE: Red Hat say it's only OOB read: 
https://bugzilla.redhat.com/show_bug.cgi?id=1294425#c1
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563
 CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 
4.0.6 ...)
{DSA-3467-1 DLA-402-1}
- tiff 4.0.6-1 (bug #809021)
@@ -21092,6 +21100,7 @@
- tiff3 
NOTE: http://www.openwall.com/lists/oss-security/2015/12/26/7
NOTE: SUSE seem to have a fix (disputed): 
https://bugzilla.novell.com/show_bug.cgi?id=960341
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2564
 CVE-2015-7553 [nfnetlink race in NETLINK_NFLOG socket creation]
RESERVED
- linux  (RHEL-specific backport bug)




[Secure-testing-commits] r42791 - data

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 16:18:04 + (Sat, 25 Jun 2016)
New Revision: 42791

Modified:
   data/dla-needed.txt
Log:
add note to clamav in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 16:08:52 UTC (rev 42790)
+++ data/dla-needed.txt 2016-06-25 16:18:04 UTC (rev 42791)
@@ -21,6 +21,7 @@
 clamav (Emilio Pozuelo)
   NOTE: Should be updated to the latest stable release 0.99.2 in line with the
 approach for Jessie.
+  NOTE: Maintainer will upload after #826607 is fixed in jessie.
 --
 extplorer
   NOTE: 20160529, no fix yet




[Secure-testing-commits] r42790 - in data: . DLA

2016-06-25 Thread Markus Koschany
Author: apo
Date: 2016-06-25 16:08:52 + (Sat, 25 Jun 2016)
New Revision: 42790

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-526-1 for mysql-connector-java

Modified: data/DLA/list
===
--- data/DLA/list   2016-06-25 15:26:12 UTC (rev 42789)
+++ data/DLA/list   2016-06-25 16:08:52 UTC (rev 42790)
@@ -1,3 +1,6 @@
+[25 Jun 2016] DLA-526-1 mysql-connector-java - security update
+   {CVE-2015-2575}
+   [wheezy] - mysql-connector-java 5.1.39-1~deb7u1
 [25 Jun 2016] DLA-525-1 gimp - security update
{CVE-2016-4994}
[wheezy] - gimp 2.8.2-2+deb7u2

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 15:26:12 UTC (rev 42789)
+++ data/dla-needed.txt 2016-06-25 16:08:52 UTC (rev 42790)
@@ -51,8 +51,6 @@
 --
 mat
 --
-mysql-connector-java (Markus Koschany)
---
 nss (Emilio Pozuelo)
  NOTE: Not 100% this applies to wheezy yet; can't find the changeset and the 
diff between NSS 3.22 and 3.23 is very large.
 --




[Secure-testing-commits] r42789 - in data: . DLA

2016-06-25 Thread Chris Lamb
Author: lamby
Date: 2016-06-25 15:26:12 + (Sat, 25 Jun 2016)
New Revision: 42789

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-525-1 for gimp

Modified: data/DLA/list
===
--- data/DLA/list   2016-06-25 15:10:02 UTC (rev 42788)
+++ data/DLA/list   2016-06-25 15:26:12 UTC (rev 42789)
@@ -1,3 +1,6 @@
+[25 Jun 2016] DLA-525-1 gimp - security update
+   {CVE-2016-4994}
+   [wheezy] - gimp 2.8.2-2+deb7u2
 [22 Jun 2016] DLA-524-1 squidguard - security update
{CVE-2015-8936}
[wheezy] - squidguard 1.5-1+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 15:10:02 UTC (rev 42788)
+++ data/dla-needed.txt 2016-06-25 15:26:12 UTC (rev 42789)
@@ -26,8 +26,6 @@
   NOTE: 20160529, no fix yet
   NOTE: 20160618, still no fix
 --
-gimp (Chris Lamb)
---
 gosa (Mike Gabriel)
   NOTE: .debdiff sent to the Security Team, waiting for feedback
   NOTE: asked about jessie status (seb)




[Secure-testing-commits] r42788 - data

2016-06-25 Thread Thorsten Alteholz
Author: alteholz
Date: 2016-06-25 15:10:02 + (Sat, 25 Jun 2016)
New Revision: 42788

Modified:
   data/dla-needed.txt
Log:
add libjgroups-java

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 14:51:16 UTC (rev 42787)
+++ data/dla-needed.txt 2016-06-25 15:10:02 UTC (rev 42788)
@@ -39,8 +39,12 @@
 --
 libcommons-fileupload-java (Markus Koschany)
 --
+libgd2 (Thorsten Alteholz)
+--
 libjackson-json-java
 --
+libjgroups-java
+--
 libspring-java
   The JSON/JaF doesn't appear to be present in wheezy but the
   content-disposition stuff might be.
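Review bot: The log message mentions only libjgroups-java, but the hunk also adds a claimed "libgd2 (Thorsten Alteholz)" entry; name both in the log or split the commit. Neither new entry says which CVE prompted it, and a one-line NOTE with the CVE id would save the next triager a lookup.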




[Secure-testing-commits] r42787 - data

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 14:51:16 + (Sat, 25 Jun 2016)
New Revision: 42787

Modified:
   data/dla-needed.txt
Log:
claim nss in data-dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 11:11:48 UTC (rev 42786)
+++ data/dla-needed.txt 2016-06-25 14:51:16 UTC (rev 42787)
@@ -51,7 +51,7 @@
 --
 mysql-connector-java (Markus Koschany)
 --
-nss
+nss (Emilio Pozuelo)
  NOTE: Not 100% this applies to wheezy yet; can't find the changeset and the 
diff between NSS 3.22 and 3.23 is very large.
 --
 ntp (Santiago R.R.)




[Secure-testing-commits] r42785 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 11:11:38 + (Sat, 25 Jun 2016)
New Revision: 42785

Modified:
   data/CVE/list
Log:
Add two new imagemagick issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 10:59:49 UTC (rev 42784)
+++ data/CVE/list   2016-06-25 11:11:38 UTC (rev 42785)
@@ -2,6 +2,14 @@
- libarchive 
NOTE: 
https://github.com/libarchive/libarchive/issues/717#event-697151157
NOTE: 
https://github.com/libarchive/libarchive/commit/3ad08e01b4d253c66ae56414886089684155af22
+CVE-2016-5842
+   - imagemagick 
+   NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b
+CVE-2016-5841
+   - imagemagick 
+   NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b
 CVE-2016-5744
RESERVED
 CVE-2016-5743
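Review bot: CVE-2016-5842 and CVE-2016-5841 are added with no bracketed description and with identical NOTE lines (the same oss-security post and the same ImageMagick commit), so the two entries cannot be told apart from the list alone. Add a short bracketed description to each header line stating which flaw it covers.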




[Secure-testing-commits] r42786 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 11:11:48 + (Sat, 25 Jun 2016)
New Revision: 42786

Modified:
   data/CVE/list
Log:
Cleanup trailing whitespaces

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 11:11:38 UTC (rev 42785)
+++ data/CVE/list   2016-06-25 11:11:48 UTC (rev 42786)
@@ -14396,8 +14396,8 @@
- linux 4.6.2-2
[wheezy] - linux  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.kernel.org/linus/4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 
(v3.14-rc1)
-   NOTE: Prerequisite: 
https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f 
-   NOTE: Fixed by: 
https://git.kernel.org/linus/999653786df6954a31044528ac3f7a5dadca08f4 
+   NOTE: Prerequisite: 
https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
+   NOTE: Fixed by: 
https://git.kernel.org/linus/999653786df6954a31044528ac3f7a5dadca08f4
 CVE-2016-1236 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...)
{DSA-3572-1 DLA-462-1}
- websvn 




[Secure-testing-commits] r42784 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 10:59:49 + (Sat, 25 Jun 2016)
New Revision: 42784

Modified:
   data/CVE/list
Log:
CVE-2016-1237 fixed

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 10:59:11 UTC (rev 42783)
+++ data/CVE/list   2016-06-25 10:59:49 UTC (rev 42784)
@@ -14385,7 +14385,7 @@
RESERVED
 CVE-2016-1237 [nfsd: any user can set a file's ACL over NFS  and grant access 
to it]
RESERVED
-   - linux 
+   - linux 4.6.2-2
[wheezy] - linux  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.kernel.org/linus/4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 
(v3.14-rc1)
NOTE: Prerequisite: 
https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f 




[Secure-testing-commits] r42783 - data/CVE

2016-06-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-06-25 10:59:11 + (Sat, 25 Jun 2016)
New Revision: 42783

Modified:
   data/CVE/list
Log:
Four CVEs fixed in unstable for linux

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-25 10:34:28 UTC (rev 42782)
+++ data/CVE/list   2016-06-25 10:59:11 UTC (rev 42783)
@@ -2221,11 +2221,11 @@
RESERVED
 CVE-2016-4998 [out of bounds reads when processing IPT_SO_SET_REPLACE 
setsockopt]
RESERVED
-   - linux 
+   - linux 4.6.2-2
NOTE: Non-privileged user namespaces disabled by default, only 
vulnerable with sysctl kernel.unprivileged_userns_clone=1
 CVE-2016-4997 [Corrupted offset allows for arbitrary decrements in compat 
IPT_SO_SET_REPLACE setsockopt]
RESERVED
-   - linux 
+   - linux 4.6.2-2
NOTE: Non-privileged user namespaces disabled by default, only 
vulnerable with sysctl kernel.unprivileged_userns_clone=1
 CVE-2016-4996
RESERVED
@@ -3453,7 +3453,7 @@
NOTE: 
https://github.com/uclouvain/openjpeg/commit/8f9cc62b3f9a1da9712329ddcedb9750d585505c
NOTE: CVE-2016-4797 exists because of an incorrect fix for CVE-2014-7947
 CVE-2016-4794 (Use-after-free vulnerability in mm/percpu.c in the Linux kernel 
...)
-   - linux 
+   - linux 4.6.2-2
[jessie] - linux  (Introduced in v3.18-rc1)
[wheezy] - linux  (Introduced in v3.18-rc1)
NOTE: 
https://git.kernel.org/linus/4f996e234dad488e5d9ba0858bc1bae12eff82c3
@@ -4018,7 +4018,7 @@
RESERVED
 CVE-2016-4470
RESERVED
-   - linux 
+   - linux 4.6.2-2
NOTE: https://www.spinics.net/lists/linux-kernel-janitors/msg26069.html
 CVE-2016-4469
RESERVED




[Secure-testing-commits] r42782 - data

2016-06-25 Thread Thorsten Alteholz
Author: alteholz
Date: 2016-06-25 10:34:28 + (Sat, 25 Jun 2016)
New Revision: 42782

Modified:
   data/dla-needed.txt
Log:
some of those CVEs must be an issue for Wheezy

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 10:12:38 UTC (rev 42781)
+++ data/dla-needed.txt 2016-06-25 10:34:28 UTC (rev 42782)
@@ -45,6 +45,8 @@
   The JSON/JaF doesn't appear to be present in wheezy but the
   content-disposition stuff might be.
 --
+linux
+--
 mat
 --
 mysql-connector-java (Markus Koschany)
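Review bot: The new linux entry is bare, and the log message ("some of those CVEs must be an issue for Wheezy") does not say which CVEs are meant. Add a NOTE under linux listing the candidate CVE ids so the entry can be triaged and closed against something concrete.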




[Secure-testing-commits] r42779 - data

2016-06-25 Thread Chris Lamb
Author: lamby
Date: 2016-06-25 10:12:34 + (Sat, 25 Jun 2016)
New Revision: 42779

Modified:
   data/dla-needed.txt
Log:
Triage gimp for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 09:52:06 UTC (rev 42778)
+++ data/dla-needed.txt 2016-06-25 10:12:34 UTC (rev 42779)
@@ -26,6 +26,8 @@
   NOTE: 20160529, no fix yet
   NOTE: 20160618, still no fix
 --
+gimp
+--
 gosa (Mike Gabriel)
   NOTE: .debdiff sent to the Security Team, waiting for feedback
   NOTE: asked about jessie status (seb)




[Secure-testing-commits] r42781 - data

2016-06-25 Thread Chris Lamb
Author: lamby
Date: 2016-06-25 10:12:38 + (Sat, 25 Jun 2016)
New Revision: 42781

Modified:
   data/dla-needed.txt
Log:
Claim gimp in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 10:12:36 UTC (rev 42780)
+++ data/dla-needed.txt 2016-06-25 10:12:38 UTC (rev 42781)
@@ -26,7 +26,7 @@
   NOTE: 20160529, no fix yet
   NOTE: 20160618, still no fix
 --
-gimp
+gimp (Chris Lamb)
 --
 gosa (Mike Gabriel)
   NOTE: .debdiff sent to the Security Team, waiting for feedback




[Secure-testing-commits] r42780 - data

2016-06-25 Thread Chris Lamb
Author: lamby
Date: 2016-06-25 10:12:36 + (Sat, 25 Jun 2016)
New Revision: 42780

Modified:
   data/dla-needed.txt
Log:
Correct ordering of pidgin

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 10:12:34 UTC (rev 42779)
+++ data/dla-needed.txt 2016-06-25 10:12:36 UTC (rev 42780)
@@ -64,12 +64,12 @@
   NOTE: Kurt Roeckx considers CVE-2016-2177 and CVE-2016-2178 to be low
   NOTE: priority issues and will fix them after the next release of OpenSSL.
 --
-pidgin (Brian May)
---
 php5 (Thorsten Alteholz)
 --
 phpmyadmin
 --
+pidgin (Brian May)
+--
 qemu
 --
 qemu-kvm




[Secure-testing-commits] r42778 - data

2016-06-25 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2016-06-25 09:52:06 + (Sat, 25 Jun 2016)
New Revision: 42778

Modified:
   data/dla-needed.txt
Log:
claim clamav

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-25 05:14:40 UTC (rev 42777)
+++ data/dla-needed.txt 2016-06-25 09:52:06 UTC (rev 42778)
@@ -18,7 +18,7 @@
 cakephp
   NOTE: CVE-2015-8379 No official solution is currently available, 20160425
 --
-clamav
+clamav (Emilio Pozuelo)
   NOTE: Should be updated to the latest stable release 0.99.2 in line with the
 approach for Jessie.
 --

