[Secure-testing-commits] r42802 - data/CVE
Author: fgeek-guest Date: 2016-06-25 22:46:14 + (Sat, 25 Jun 2016) New Revision: 42802 Modified: data/CVE/list Log: Add reproducer for CVE-2016-5319 Modified: data/CVE/list === --- data/CVE/list 2016-06-25 21:10:14 UTC (rev 42801) +++ data/CVE/list 2016-06-25 22:46:14 UTC (rev 42802) @@ -1420,6 +1420,7 @@ - tiff - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2562 + NOTE: Reproducer http://bugs.fi/media/afl/libtiff/CVE-2016-5319.bmp CVE-2016-5318 [libtiff: stack buffer overflow in _TIFFVGetField function] RESERVED - tiff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
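Review bot: The added NOTE gives the reproducer only as a plain-http link to a third-party host (bugs.fi), and the file is a .bmp while the entry tracks tiff and tiff3. Say in the NOTE which libtiff tool is run on the file, and consider attaching the file to upstream bug 2562 (the NOTE just above) so the reference survives if the host goes away.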
[Secure-testing-commits] r42801 - data/CVE
Author: sectracker Date: 2016-06-25 21:10:14 + (Sat, 25 Jun 2016) New Revision: 42801 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-06-25 20:34:48 UTC (rev 42800) +++ data/CVE/list 2016-06-25 21:10:14 UTC (rev 42801) @@ -2255,6 +2255,7 @@ - foreman (bug #663101) CVE-2016-4994 [Use-after-free vulnerabilities in the channel and layer properties parsing process] RESERVED + {DLA-525-1} - gimp (bug #828179) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=767873 CVE-2016-4993 @@ -8440,6 +8441,7 @@ CVE-2016-2835 RESERVED CVE-2016-2834 (Mozilla Network Security Services (NSS) before 3.23, as used in ...) + {DLA-527-1} - nss 2:3.23-1 - firefox-esr (Doesn't apply to Firefox ESR) - firefox 47.0-1 @@ -35435,6 +35437,7 @@ CVE-2015-2576 (Unspecified vulnerability in the MySQL Utilities component in Oracle ...) NOT-FOR-US: MySQL Utilities component of MySQL on Windows CVE-2015-2575 (Unspecified vulnerability in the MySQL Connectors component in Oracle ...) + {DLA-526-1} - mysql-connector-java 5.1.37-1 CVE-2015-2574 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Sun Solaris
[Secure-testing-commits] r42800 - data
Author: pochu Date: 2016-06-25 20:34:48 + (Sat, 25 Jun 2016) New Revision: 42800 Modified: data/dla-needed.txt Log: debdiff sent for cacti Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 20:16:36 UTC (rev 42799) +++ data/dla-needed.txt 2016-06-25 20:34:48 UTC (rev 42800) @@ -13,6 +13,7 @@ -- cacti (Emilio Pozuelo) NOTE: Maintainer wants to review changes; see https://lists.debian.org/<5724f47d.6090...@debian.org> + NOTE: debdiff sent to maintainer: https://lists.debian.org/debian-lts/2016/06/msg00127.html -- cakephp NOTE: CVE-2015-8379 No official solution is currently available, 20160425
[Secure-testing-commits] r42799 - data/CVE
Author: carnil Date: 2016-06-25 20:16:36 + (Sat, 25 Jun 2016) New Revision: 42799 Modified: data/CVE/list Log: Report bug for CVE-2016-4994 Modified: data/CVE/list === --- data/CVE/list 2016-06-25 20:12:13 UTC (rev 42798) +++ data/CVE/list 2016-06-25 20:16:36 UTC (rev 42799) @@ -2255,9 +2255,8 @@ - foreman (bug #663101) CVE-2016-4994 [Use-after-free vulnerabilities in the channel and layer properties parsing process] RESERVED - - gimp + - gimp (bug #828179) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=767873 - TODO: check CVE-2016-4993 RESERVED CVE-2016-4992 [Information disclosure via repeated use of LDAP ADD operation]
[Secure-testing-commits] r42798 - data
Author: pochu Date: 2016-06-25 20:12:13 + (Sat, 25 Jun 2016) New Revision: 42798 Modified: data/dla-needed.txt Log: CVE-2016-3659 has a fix Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 20:11:39 UTC (rev 42797) +++ data/dla-needed.txt 2016-06-25 20:12:13 UTC (rev 42798) @@ -12,7 +12,6 @@ asterisk (Thorsten Alteholz) -- cacti (Emilio Pozuelo) - NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425 NOTE: Maintainer wants to review changes; see https://lists.debian.org/<5724f47d.6090...@debian.org> -- cakephp
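Review bot: The removed line was the only record of the fix status of CVE-2016-3659 under cacti, and nothing replaces it. The log says a fix exists; add a NOTE pointing at that fix (upstream commit or bug) rather than only deleting the old one, so the next person picking up cacti does not have to rediscover it.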
[Secure-testing-commits] r42797 - data
Author: pochu Date: 2016-06-25 20:11:39 + (Sat, 25 Jun 2016) New Revision: 42797 Modified: data/dla-needed.txt Log: claim cacti in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 19:10:31 UTC (rev 42796) +++ data/dla-needed.txt 2016-06-25 20:11:39 UTC (rev 42797) @@ -11,7 +11,7 @@ -- asterisk (Thorsten Alteholz) -- -cacti +cacti (Emilio Pozuelo) NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425 NOTE: Maintainer wants to review changes; see https://lists.debian.org/<5724f47d.6090...@debian.org> --
[Secure-testing-commits] r42796 - data/CVE
Author: carnil Date: 2016-06-25 19:10:31 + (Sat, 25 Jun 2016) New Revision: 42796 Modified: data/CVE/list Log: Update CVE-2016-5828 information Modified: data/CVE/list === --- data/CVE/list 2016-06-25 19:09:07 UTC (rev 42795) +++ data/CVE/list 2016-06-25 19:10:31 UTC (rev 42796) @@ -12,7 +12,9 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b CVE-2016-5828 [powerpc/tm: Always reclaim in start_thread() for exec() class syscalls] - linux + [wheezy] - linux (Introduced in v3.10-rc1) NOTE: https://patchwork.ozlabs.org/patch/636776/ + NOTE: Introduced in https://git.kernel.org/linus/bc2a9408fa65195288b41751016c36fd00a75a85 (v3.10-rc1) CVE-2016-5744 RESERVED CVE-2016-5743
[Secure-testing-commits] r42795 - data/CVE
Author: carnil Date: 2016-06-25 19:09:07 + (Sat, 25 Jun 2016) New Revision: 42795 Modified: data/CVE/list Log: dd CVE-2016-5828/linux Modified: data/CVE/list === --- data/CVE/list 2016-06-25 19:08:58 UTC (rev 42794) +++ data/CVE/list 2016-06-25 19:09:07 UTC (rev 42795) @@ -10,6 +10,9 @@ - imagemagick NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b +CVE-2016-5828 [powerpc/tm: Always reclaim in start_thread() for exec() class syscalls] + - linux + NOTE: https://patchwork.ozlabs.org/patch/636776/ CVE-2016-5744 RESERVED CVE-2016-5743
[Secure-testing-commits] r42794 - data/CVE
Author: carnil Date: 2016-06-25 19:08:58 + (Sat, 25 Jun 2016) New Revision: 42794 Modified: data/CVE/list Log: Reorder one entry Modified: data/CVE/list === --- data/CVE/list 2016-06-25 18:02:50 UTC (rev 42793) +++ data/CVE/list 2016-06-25 19:08:58 UTC (rev 42794) @@ -1098,8 +1098,8 @@ RESERVED - tiff - tiff3 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2557 TODO: check, disputable that this actually would be as well a nautilus issue - NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2557 CVE-2016-5316 [tif_pixarlog.c: PixarLogCleanup() Segmentation fault] RESERVED - tiff
[Secure-testing-commits] r42793 - in data: . DLA
Author: pochu Date: 2016-06-25 18:02:50 + (Sat, 25 Jun 2016) New Revision: 42793 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-527-1 for nss Modified: data/DLA/list === --- data/DLA/list 2016-06-25 17:35:54 UTC (rev 42792) +++ data/DLA/list 2016-06-25 18:02:50 UTC (rev 42793) @@ -1,3 +1,6 @@ +[25 Jun 2016] DLA-527-1 nss - security update + {CVE-2016-2834} + [wheezy] - nss 2:3.14.5-1+deb7u8 [25 Jun 2016] DLA-526-1 mysql-connector-java - security update {CVE-2015-2575} [wheezy] - mysql-connector-java 5.1.39-1~deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 17:35:54 UTC (rev 42792) +++ data/dla-needed.txt 2016-06-25 18:02:50 UTC (rev 42793) @@ -52,9 +52,6 @@ -- mat -- -nss (Emilio Pozuelo) - NOTE: Not 100% this applies to wheezy yet; can't find the changeset and the diff between NSS 3.22 and 3.23 is very large. --- ntp (Santiago R.R.) NOTE: maintainer would like help working on the updates but will handle the updates himself NOTE: 20160518175636.ga29...@roeckx.be
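Review bot: In the dla-needed.txt hunk, the nss entry is removed together with its NOTE saying it was not certain the issue applies to wheezy and that the changeset could not be found. The DLA-527-1 entry records the fixed version (2:3.14.5-1+deb7u8) but not how that question was settled; a NOTE on CVE-2016-2834 in data/CVE/list naming the upstream changeset that was backported would keep that answer on record.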
[Secure-testing-commits] r42792 - data/CVE
Author: pochu Date: 2016-06-25 17:35:54 + (Sat, 25 Jun 2016) New Revision: 42792 Modified: data/CVE/list Log: triage tiff CVEs Modified: data/CVE/list === --- data/CVE/list 2016-06-25 16:18:04 UTC (rev 42791) +++ data/CVE/list 2016-06-25 17:35:54 UTC (rev 42792) @@ -1074,6 +1074,7 @@ [jessie] - tiff (Minor issue) [wheezy] - tiff (Minor issue) - tiff3 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2559 CVE-2016-5322 [extractContigSamplesBytes: out-of-bounds read] RESERVED - tiff @@ -1081,36 +1082,39 @@ [wheezy] - tiff (Minor issue) - tiff3 (unimportant) NOTE: src:tiff3: built binary packages do not contain the TIFF tools + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2560 CVE-2016-5321 [DumpModeDecode(): Ddos] RESERVED - tiff - tiff3 - TODO: check + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2558 CVE-2016-5320 [rgb2ycbcr: command excution] RESERVED - tiff - tiff3 TODO: check + NOTE: See http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1 CVE-2016-5317 [GNOME nautilus: crash occurs when generating a thumbnail for a crafted TIFF image] RESERVED - tiff - tiff3 TODO: check, disputable that this actually would be as well a nautilus issue + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2557 CVE-2016-5316 [tif_pixarlog.c: PixarLogCleanup() Segmentation fault] RESERVED - tiff - tiff3 - TODO: check + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2556 CVE-2016-5315 [tif_dir.c: setByteArray() Read access violation] RESERVED - tiff - tiff3 - TODO: check + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2555 CVE-2016-5314 [PixarLogDecode() out-of-bound writes] RESERVED - tiff - tiff3 - TODO: check + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2554 CVE-2016-5313 RESERVED CVE-2016-5312 
@@ -1410,11 +1414,14 @@ RESERVED - tiff - tiff3 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2562 CVE-2016-5318 [libtiff: stack buffer overflow in _TIFFVGetField function] RESERVED - tiff - tiff3 NOTE: Upstream will remove thumbnail from 4.0.7 release + NOTE: _TIFFVGetField isn't specific to thumbnail tool + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2561 CVE-2016-5301 [denial of service] RESERVED {DLA-511-1} @@ -14806,6 +14813,7 @@ NOTE: http://seclists.org/bugtraq/2015/Dec/138 NOTE: no fix published yet NOTE: Red Hat say it's only OOB read: https://bugzilla.redhat.com/show_bug.cgi?id=1294425#c1 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563 CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 ...) {DSA-3467-1 DLA-402-1} - tiff 4.0.6-1 (bug #809021) @@ -21092,6 +21100,7 @@ - tiff3 NOTE: http://www.openwall.com/lists/oss-security/2015/12/26/7 NOTE: SUSE seem to have a fix (disputed): https://bugzilla.novell.com/show_bug.cgi?id=960341 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2564 CVE-2015-7553 [nfnetlink race in NETLINK_NFLOG socket creation] RESERVED - linux (RHEL-specific backport bug)
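Review bot: In the @@ -1081,36 +1082,39 @@ hunk, CVE-2016-5320 gets a NOTE pointing at comment 1 of upstream bug 2554, which is the same bug this hunk lists for CVE-2016-5314. State the relationship between the two in the NOTE (same root cause, or a separate report made in that comment); the entry keeps its TODO: check, so the next reader will otherwise have to work it out again.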
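Review bot: In the @@ -1410,11 +1414,14 @@ hunk, the NOTEs on CVE-2016-5318 now pull in different directions: the existing one says upstream will remove thumbnail from the 4.0.7 release, the added one says _TIFFVGetField isn't specific to that tool. If the conclusion is that removing the tool does not by itself fix the overflow, say so in the entry, so the CVE is not marked fixed just because 4.0.7 gets packaged.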
[Secure-testing-commits] r42791 - data
Author: pochu Date: 2016-06-25 16:18:04 + (Sat, 25 Jun 2016) New Revision: 42791 Modified: data/dla-needed.txt Log: add note to clamav in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 16:08:52 UTC (rev 42790) +++ data/dla-needed.txt 2016-06-25 16:18:04 UTC (rev 42791) @@ -21,6 +21,7 @@ clamav (Emilio Pozuelo) NOTE: Should be updated to the latest stable release 0.99.2 in line with the approach for Jessie. + NOTE: Maintainer will upload after #826607 is fixed in jessie. -- extplorer NOTE: 20160529, no fix yet
[Secure-testing-commits] r42790 - in data: . DLA
Author: apo Date: 2016-06-25 16:08:52 + (Sat, 25 Jun 2016) New Revision: 42790 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-526-1 for mysql-connector-java Modified: data/DLA/list === --- data/DLA/list 2016-06-25 15:26:12 UTC (rev 42789) +++ data/DLA/list 2016-06-25 16:08:52 UTC (rev 42790) @@ -1,3 +1,6 @@ +[25 Jun 2016] DLA-526-1 mysql-connector-java - security update + {CVE-2015-2575} + [wheezy] - mysql-connector-java 5.1.39-1~deb7u1 [25 Jun 2016] DLA-525-1 gimp - security update {CVE-2016-4994} [wheezy] - gimp 2.8.2-2+deb7u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 15:26:12 UTC (rev 42789) +++ data/dla-needed.txt 2016-06-25 16:08:52 UTC (rev 42790) @@ -51,8 +51,6 @@ -- mat -- -mysql-connector-java (Markus Koschany) --- nss (Emilio Pozuelo) NOTE: Not 100% this applies to wheezy yet; can't find the changeset and the diff between NSS 3.22 and 3.23 is very large. --
[Secure-testing-commits] r42789 - in data: . DLA
Author: lamby Date: 2016-06-25 15:26:12 + (Sat, 25 Jun 2016) New Revision: 42789 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-525-1 for gimp Modified: data/DLA/list === --- data/DLA/list 2016-06-25 15:10:02 UTC (rev 42788) +++ data/DLA/list 2016-06-25 15:26:12 UTC (rev 42789) @@ -1,3 +1,6 @@ +[25 Jun 2016] DLA-525-1 gimp - security update + {CVE-2016-4994} + [wheezy] - gimp 2.8.2-2+deb7u2 [22 Jun 2016] DLA-524-1 squidguard - security update {CVE-2015-8936} [wheezy] - squidguard 1.5-1+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 15:10:02 UTC (rev 42788) +++ data/dla-needed.txt 2016-06-25 15:26:12 UTC (rev 42789) @@ -26,8 +26,6 @@ NOTE: 20160529, no fix yet NOTE: 20160618, still no fix -- -gimp (Chris Lamb) --- gosa (Mike Gabriel) NOTE: .debdiff sent to the Security Team, waiting for feedback NOTE: asked about jessie status (seb)
[Secure-testing-commits] r42788 - data
Author: alteholz Date: 2016-06-25 15:10:02 + (Sat, 25 Jun 2016) New Revision: 42788 Modified: data/dla-needed.txt Log: add libjgroups-java Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 14:51:16 UTC (rev 42787) +++ data/dla-needed.txt 2016-06-25 15:10:02 UTC (rev 42788) @@ -39,8 +39,12 @@ -- libcommons-fileupload-java (Markus Koschany) -- +libgd2 (Thorsten Alteholz) +-- libjackson-json-java -- +libjgroups-java +-- libspring-java The JSON/JaF doesn't appear to be present in wheezy but the content-disposition stuff might be.
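Review bot: The log message names only libjgroups-java, but the hunk also adds libgd2, already claimed by Thorsten Alteholz. Mention both in the log, and give each new entry a NOTE with the CVE ids that prompted it; as added, neither says which issue needs a wheezy update.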
[Secure-testing-commits] r42787 - data
Author: pochu Date: 2016-06-25 14:51:16 + (Sat, 25 Jun 2016) New Revision: 42787 Modified: data/dla-needed.txt Log: claim nss in data-dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 11:11:48 UTC (rev 42786) +++ data/dla-needed.txt 2016-06-25 14:51:16 UTC (rev 42787) @@ -51,7 +51,7 @@ -- mysql-connector-java (Markus Koschany) -- -nss +nss (Emilio Pozuelo) NOTE: Not 100% this applies to wheezy yet; can't find the changeset and the diff between NSS 3.22 and 3.23 is very large. -- ntp (Santiago R.R.)
[Secure-testing-commits] r42785 - data/CVE
Author: carnil Date: 2016-06-25 11:11:38 + (Sat, 25 Jun 2016) New Revision: 42785 Modified: data/CVE/list Log: Add two new imagemagick issues Modified: data/CVE/list === --- data/CVE/list 2016-06-25 10:59:49 UTC (rev 42784) +++ data/CVE/list 2016-06-25 11:11:38 UTC (rev 42785) @@ -2,6 +2,14 @@ - libarchive NOTE: https://github.com/libarchive/libarchive/issues/717#event-697151157 NOTE: https://github.com/libarchive/libarchive/commit/3ad08e01b4d253c66ae56414886089684155af22 +CVE-2016-5842 + - imagemagick + NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b +CVE-2016-5841 + - imagemagick + NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b CVE-2016-5744 RESERVED CVE-2016-5743
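Review bot: The two new entries, CVE-2016-5842 and CVE-2016-5841, are identical apart from the id: same oss-security post, same ImageMagick commit, and no bracketed description. Add a short [description] to each so they can be told apart without opening the links, and say in a NOTE whether the single commit is meant to fix both.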
[Secure-testing-commits] r42786 - data/CVE
Author: carnil Date: 2016-06-25 11:11:48 + (Sat, 25 Jun 2016) New Revision: 42786 Modified: data/CVE/list Log: Cleanup trailing whitespaces Modified: data/CVE/list === --- data/CVE/list 2016-06-25 11:11:38 UTC (rev 42785) +++ data/CVE/list 2016-06-25 11:11:48 UTC (rev 42786) @@ -14396,8 +14396,8 @@ - linux 4.6.2-2 [wheezy] - linux (Vulnerable code introduced later) NOTE: Introduced by: https://git.kernel.org/linus/4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 (v3.14-rc1) - NOTE: Prerequisite: https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f - NOTE: Fixed by: https://git.kernel.org/linus/999653786df6954a31044528ac3f7a5dadca08f4 + NOTE: Prerequisite: https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f + NOTE: Fixed by: https://git.kernel.org/linus/999653786df6954a31044528ac3f7a5dadca08f4 CVE-2016-1236 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...) {DSA-3572-1 DLA-462-1} - websvn
[Secure-testing-commits] r42784 - data/CVE
Author: carnil Date: 2016-06-25 10:59:49 + (Sat, 25 Jun 2016) New Revision: 42784 Modified: data/CVE/list Log: CVE-2016-1237 fixed Modified: data/CVE/list === --- data/CVE/list 2016-06-25 10:59:11 UTC (rev 42783) +++ data/CVE/list 2016-06-25 10:59:49 UTC (rev 42784) @@ -14385,7 +14385,7 @@ RESERVED CVE-2016-1237 [nfsd: any user can set a file's ACL over NFS and grant access to it] RESERVED - - linux + - linux 4.6.2-2 [wheezy] - linux (Vulnerable code introduced later) NOTE: Introduced by: https://git.kernel.org/linus/4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 (v3.14-rc1) NOTE: Prerequisite: https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
[Secure-testing-commits] r42783 - data/CVE
Author: carnil Date: 2016-06-25 10:59:11 + (Sat, 25 Jun 2016) New Revision: 42783 Modified: data/CVE/list Log: Four CVEs fixed in unstable for linux Modified: data/CVE/list === --- data/CVE/list 2016-06-25 10:34:28 UTC (rev 42782) +++ data/CVE/list 2016-06-25 10:59:11 UTC (rev 42783) @@ -2221,11 +2221,11 @@ RESERVED CVE-2016-4998 [out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt] RESERVED - - linux + - linux 4.6.2-2 NOTE: Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1 CVE-2016-4997 [Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE setsockopt] RESERVED - - linux + - linux 4.6.2-2 NOTE: Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1 CVE-2016-4996 RESERVED @@ -3453,7 +3453,7 @@ NOTE: https://github.com/uclouvain/openjpeg/commit/8f9cc62b3f9a1da9712329ddcedb9750d585505c NOTE: CVE-2016-4797 exists because of an incorrect fix for CVE-2014-7947 CVE-2016-4794 (Use-after-free vulnerability in mm/percpu.c in the Linux kernel ...) - - linux + - linux 4.6.2-2 [jessie] - linux (Introduced in v3.18-rc1) [wheezy] - linux (Introduced in v3.18-rc1) NOTE: https://git.kernel.org/linus/4f996e234dad488e5d9ba0858bc1bae12eff82c3 @@ -4018,7 +4018,7 @@ RESERVED CVE-2016-4470 RESERVED - - linux + - linux 4.6.2-2 NOTE: https://www.spinics.net/lists/linux-kernel-janitors/msg26069.html CVE-2016-4469 RESERVED
[Secure-testing-commits] r42782 - data
Author: alteholz Date: 2016-06-25 10:34:28 + (Sat, 25 Jun 2016) New Revision: 42782 Modified: data/dla-needed.txt Log: some of those CVEs must be an issue for Wheezy Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 10:12:38 UTC (rev 42781) +++ data/dla-needed.txt 2016-06-25 10:34:28 UTC (rev 42782) @@ -45,6 +45,8 @@ The JSON/JaF doesn't appear to be present in wheezy but the content-disposition stuff might be. -- +linux +-- mat -- mysql-connector-java (Markus Koschany)
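Review bot: The new linux entry carries no NOTE, and the log's "some of those CVEs" does not say which ones. List the CVE ids believed to affect wheezy under the entry so the claim can be checked against data/CVE/list.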
[Secure-testing-commits] r42779 - data
Author: lamby Date: 2016-06-25 10:12:34 + (Sat, 25 Jun 2016) New Revision: 42779 Modified: data/dla-needed.txt Log: Triage gimp for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 09:52:06 UTC (rev 42778) +++ data/dla-needed.txt 2016-06-25 10:12:34 UTC (rev 42779) @@ -26,6 +26,8 @@ NOTE: 20160529, no fix yet NOTE: 20160618, still no fix -- +gimp +-- gosa (Mike Gabriel) NOTE: .debdiff sent to the Security Team, waiting for feedback NOTE: asked about jessie status (seb)
[Secure-testing-commits] r42781 - data
Author: lamby Date: 2016-06-25 10:12:38 + (Sat, 25 Jun 2016) New Revision: 42781 Modified: data/dla-needed.txt Log: Claim gimp in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 10:12:36 UTC (rev 42780) +++ data/dla-needed.txt 2016-06-25 10:12:38 UTC (rev 42781) @@ -26,7 +26,7 @@ NOTE: 20160529, no fix yet NOTE: 20160618, still no fix -- -gimp +gimp (Chris Lamb) -- gosa (Mike Gabriel) NOTE: .debdiff sent to the Security Team, waiting for feedback
[Secure-testing-commits] r42780 - data
Author: lamby Date: 2016-06-25 10:12:36 + (Sat, 25 Jun 2016) New Revision: 42780 Modified: data/dla-needed.txt Log: Correct ordering of pidgin Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 10:12:34 UTC (rev 42779) +++ data/dla-needed.txt 2016-06-25 10:12:36 UTC (rev 42780) @@ -64,12 +64,12 @@ NOTE: Kurt Roeckx considers CVE-2016-2177 and CVE-2016-2178 to be low NOTE: priority issues and will fix them after the next release of OpenSSL. -- -pidgin (Brian May) --- php5 (Thorsten Alteholz) -- phpmyadmin -- +pidgin (Brian May) +-- qemu -- qemu-kvm
[Secure-testing-commits] r42778 - data
Author: pochu Date: 2016-06-25 09:52:06 + (Sat, 25 Jun 2016) New Revision: 42778 Modified: data/dla-needed.txt Log: claim clamav Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-25 05:14:40 UTC (rev 42777) +++ data/dla-needed.txt 2016-06-25 09:52:06 UTC (rev 42778) @@ -18,7 +18,7 @@ cakephp NOTE: CVE-2015-8379 No official solution is currently available, 20160425 -- -clamav +clamav (Emilio Pozuelo) NOTE: Should be updated to the latest stable release 0.99.2 in line with the approach for Jessie. --