[Secure-testing-commits] r44598 - data/CVE
Author: carnil Date: 2016-09-15 05:58:25 + (Thu, 15 Sep 2016) New Revision: 44598 Modified: data/CVE/list Log: Add four new dropbar CVEs Modified: data/CVE/list === --- data/CVE/list 2016-09-15 05:18:13 UTC (rev 44597) +++ data/CVE/list 2016-09-15 05:58:25 UTC (rev 44598) @@ -2221,12 +2221,20 @@ RESERVED CVE-2016-7409 RESERVED + - dropbear 2016.74-1 + NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04 CVE-2016-7408 RESERVED + - dropbear 2016.74-1 + NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6 CVE-2016-7407 RESERVED + - dropbear 2016.74-1 + NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e CVE-2016-7406 RESERVED + - dropbear 2016.74-1 + NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb CVE-2016-7404 RESERVED CVE-2016-7403 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
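Review bot: the four new dropbear entries (CVE-2016-7406 to CVE-2016-7409) get a fixed version for unstable and an upstream hg link, but each still reads as a bare `RESERVED` with no bracketed summary on the CVE line and no `[jessie]` or `[wheezy]` triage line, so the tracker cannot say whether dropbear in stable or oldstable is affected. Suggest adding a short summary from each linked changeset (e.g. `CVE-2016-7409 [summary]` above the `RESERVED` line, as done for CVE-2016-6662 elsewhere in this file) and a jessie/wheezy line once each issue has been checked against the versions shipped there.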
[Secure-testing-commits] r44597 - in data: . CVE DLA
Author: carnil Date: 2016-09-15 05:18:13 + (Thu, 15 Sep 2016) New Revision: 44597 Modified: data/CVE/list data/DLA/list data/next-point-update.txt Log: CVE-2016-7405 assigned for libphp-adodb issue Modified: data/CVE/list === --- data/CVE/list 2016-09-15 04:41:01 UTC (rev 44596) +++ data/CVE/list 2016-09-15 05:18:13 UTC (rev 44597) @@ -2227,8 +2227,6 @@ RESERVED CVE-2016-7406 RESERVED -CVE-2016-7405 - RESERVED CVE-2016-7404 RESERVED CVE-2016-7403 @@ -2820,16 +2818,14 @@ RESERVED CVE-2016- [SGI security bug] - imagemagick (bug #836776) -CVE-2016- [incorrect quoting may allow SQL injection] +CVE-2016-7405 [incorrect quoting may allow SQL injection] - libphp-adodb 5.20.6-1 (bug #837211) [jessie] - libphp-adodb (Minor issue, can be fixed via point release) - [wheezy] - libphp-adodb 5.15-1+deb7u1 - NOTE: Added workaround entry for DLA-620-1 until CVE is assigned NOTE: https://github.com/ADOdb/ADOdb/issues/226 NOTE: https://github.com/ADOdb/ADOdb/commit/bd9eca9 NOTE: Issue only with the PDO driver and only if queries built by inlining NOTE: the quoted string (not recommended). - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/09/07/8 + NOTE: http://www.openwall.com/lists/oss-security/2016/09/07/8 CVE-2016-7154 [use after free in FIFO event channel code] RESERVED {DSA-3663-1} Modified: data/DLA/list === --- data/DLA/list 2016-09-15 04:41:01 UTC (rev 44596) +++ data/DLA/list 2016-09-15 05:18:13 UTC (rev 44597) @@ -1,5 +1,5 @@ [13 Sep 2016] DLA-620-1 libphp-adodb - security update - {CVE-2016-4855} + {CVE-2016-4855 CVE-2016-7405} [wheezy] - libphp-adodb 5.15-1+deb7u1 [11 Sep 2016] DLA-619-1 qemu-kvm - security update {CVE-2016-7116} Modified: data/next-point-update.txt === --- data/next-point-update.txt 2016-09-15 04:41:01 UTC (rev 44596) +++ data/next-point-update.txt 2016-09-15 05:18:13 UTC (rev 44597) 
@@ -107,6 +107,5 @@ [jessie] - elog 2.9.2+2014.05.11git44800a7-3 CVE-2016-4855 [jessie] - libphp-adodb 5.15-1+deb8u1 -CVE-2016- [incorrect quoting may allow SQL injection] +CVE-2016-7405 [incorrect quoting may allow SQL injection] [jessie] - libphp-adodb 5.15-1+deb8u1 - NOTE: for #837211 which has not yet a CVE ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
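Review bot: with the `[wheezy] - libphp-adodb 5.15-1+deb7u1` line dropped from the CVE-2016-7405 entry in data/CVE/list, the wheezy fix is now recorded only through the `{CVE-2016-4855 CVE-2016-7405}` change in data/DLA/list, and the CVE entry itself does not yet carry a `{DLA-620-1}` cross-reference, whereas CVE-2016-4855 received one in r44579 from the automatic update. Confirm the next automatic run adds it, or add `{DLA-620-1}` under `CVE-2016-7405` by hand; until then the entry gives a reader no pointer to the advisory that fixed wheezy. Removing `NOTE: Added workaround entry for DLA-620-1 ...` and `NOTE: for #837211 which has not yet a CVE` is correct now that the id is assigned.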
[Secure-testing-commits] r44596 - in data: . DSA
Author: mgilbert Date: 2016-09-15 04:41:01 + (Thu, 15 Sep 2016) New Revision: 44596 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-09-15 03:12:45 UTC (rev 44595) +++ data/DSA/list 2016-09-15 04:41:01 UTC (rev 44596) @@ -1,3 +1,6 @@ +[15 Sep 2016] DSA-3667-1 chromium-browser - security update + {CVE-2016-5170 CVE-2016-5171 CVE-2016-5172 CVE-2016-5173 CVE-2016-5174 CVE-2016-5175 CVE-2016-7395} + [jessie] - chromium-browser 53.0.2785.113-1~deb8u1 [14 Sep 2016] DSA-3666-1 mysql-5.5 - security update {CVE-2016-6662} [jessie] - mysql-5.5 5.5.52-0+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-09-15 03:12:45 UTC (rev 44595) +++ data/dsa-needed.txt 2016-09-15 04:41:01 UTC (rev 44596) @@ -14,8 +14,6 @@ -- 389-ds-base -- -chromium-browser --- graphicsmagick (luciano) -- icu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
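Review bot: the DSA-3667-1 entry lists seven CVEs and the jessie version, but this commit does not touch data/CVE/list, so those seven entries still lack the `{DSA-3667-1}` cross-reference. r44593 shows the automatic update adding `{DSA-3666-1}` to CVE-2016-6662 after the same kind of DSA/list entry, so this should catch up on its own, but check that each of the seven entries actually names chromium-browser with a fixed unstable version, otherwise the advisory will be attached to entries with no package line. The dsa-needed.txt removal of `chromium-browser` together with its `--` separator is consistent.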
[Secure-testing-commits] r44595 - data
Author: pabs Date: 2016-09-15 03:12:45 + (Thu, 15 Sep 2016) New Revision: 44595 Modified: data/embedded-code-copies Log: quesoglc removed use of embedded glew in 0.7.2-2 Modified: data/embedded-code-copies === --- data/embedded-code-copies 2016-09-15 02:46:22 UTC (rev 44594) +++ data/embedded-code-copies 2016-09-15 03:12:45 UTC (rev 44595) @@ -783,7 +783,7 @@ - quesoglc 0.7.2-2 (embed) glew - - quesoglc (embed; bug #489341) + - quesoglc 0.7.2-2 (embed; bug #489341) NOTE: waiting on GLEW_MX version of glew (see bug #474488) - trigger 0.5.2.1-2 (embed) NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg7.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
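Review bot: the quesoglc line under glew now records 0.7.2-2 as the version that dropped the embedded copy, but the following `NOTE: waiting on GLEW_MX version of glew (see bug #474488)` explains why the copy could not be removed and is stale once it has been; drop the NOTE or reword it to say the switch happened in 0.7.2-2, so a later reader does not reopen #474488 for this package.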
[Secure-testing-commits] r44594 - data
Author: luciano Date: 2016-09-15 02:46:22 + (Thu, 15 Sep 2016) New Revision: 44594 Modified: data/dsa-needed.txt Log: unadf: dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-09-14 21:10:12 UTC (rev 44593) +++ data/dsa-needed.txt 2016-09-15 02:46:22 UTC (rev 44594) @@ -42,3 +42,5 @@ -- tiff -- +unadf (luciano) +-- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
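Review bot: the new `unadf (luciano)` entry in dsa-needed.txt names the package and the claimant but not the issue; other entries in these queue files (libav in dla-needed.txt, r44578 and r44584) carry a `NOTE:` line naming the CVE, so add one here so the reader can find the matching data/CVE/list entry without searching. The appended trailing `--` after the entry matches the file's separator layout.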
[Secure-testing-commits] r44593 - data/CVE
Author: sectracker Date: 2016-09-14 21:10:12 + (Wed, 14 Sep 2016) New Revision: 44593 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-09-14 20:26:50 UTC (rev 44592) +++ data/CVE/list 2016-09-14 21:10:12 UTC (rev 44593) @@ -1,3 +1,43 @@ +CVE-2016-8220 + RESERVED +CVE-2016-8219 + RESERVED +CVE-2016-8218 + RESERVED +CVE-2016-8217 + RESERVED +CVE-2016-8216 + RESERVED +CVE-2016-8215 + RESERVED +CVE-2016-8214 + RESERVED +CVE-2016-8213 + RESERVED +CVE-2016-8212 + RESERVED +CVE-2016-8211 + RESERVED +CVE-2016-8210 + RESERVED +CVE-2016-8209 + RESERVED +CVE-2016-8208 + RESERVED +CVE-2016-8207 + RESERVED +CVE-2016-8206 + RESERVED +CVE-2016-8205 + RESERVED +CVE-2016-8204 + RESERVED +CVE-2016-8203 + RESERVED +CVE-2016-8202 + RESERVED +CVE-2016-8201 + RESERVED CVE-2016- [GNUTLS-SA-2016-3: missing OCSP response serial length check] - gnutls28 3.5.3-4 NOTE: http://lists.gnutls.org/pipermail/gnutls-devel/2016-September/008146.html @@ -4117,6 +4157,7 @@ RESERVED CVE-2016-6662 [privilege escalation through ld_preload hijacking and my.cnf rewrite] RESERVED + {DSA-3666-1} - mariadb-10.0 10.0.27-1 - mysql-5.6 - mysql-5.5 
@@ -14943,82 +14984,82 @@ RESERVED CVE-2016-3382 RESERVED -CVE-2016-3381 - RESERVED +CVE-2016-3381 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 ...) + TODO: check CVE-2016-3380 RESERVED -CVE-2016-3379 - RESERVED -CVE-2016-3378 - RESERVED -CVE-2016-3377 - RESERVED +CVE-2016-3379 (Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server ...) + TODO: check +CVE-2016-3378 (Open redirect vulnerability in Microsoft Exchange Server 2013 SP1, ...) + TODO: check +CVE-2016-3377 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) + TODO: check CVE-2016-3376 RESERVED -CVE-2016-3375 - RESERVED -CVE-2016-3374 - RESERVED -CVE-2016-3373 - RESERVED -CVE-2016-3372 - RESERVED -CVE-2016-3371 - RESERVED -CVE-2016-3370 - RESERVED -CVE-2016-3369 - RESERVED -CVE-2016-3368 - RESERVED -CVE-2016-3367 - RESERVED -CVE-2016-3366 - RESERVED -CVE-2016-3365 - RESERVED -CVE-2016-3364 - RESERVED -CVE-2016-3363 - RESERVED -CVE-2016-3362 - RESERVED -CVE-2016-3361 - RESERVED -CVE-2016-3360 - RESERVED -CVE-2016-3359 - RESERVED -CVE-2016-3358 - RESERVED -CVE-2016-3357 - RESERVED -CVE-2016-3356 - RESERVED -CVE-2016-3355 - RESERVED -CVE-2016-3354 - RESERVED -CVE-2016-3353 - RESERVED -CVE-2016-3352 - RESERVED -CVE-2016-3351 - RESERVED -CVE-2016-3350 - RESERVED -CVE-2016-3349 - RESERVED -CVE-2016-3348 - RESERVED +CVE-2016-3375 (The OLE Automation mechanism and VBScript scripting engine in ...) + TODO: check +CVE-2016-3374 (The PDF library in Microsoft Edge, Windows 8.1, Windows Server 2012 ...) + TODO: check +CVE-2016-3373 (The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) + TODO: check +CVE-2016-3372 (The kernel API in Microsoft Windows Vista SP2 and Windows Server 2008 ...) + TODO: check +CVE-2016-3371 (The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) + TODO: check +CVE-2016-3370 (The PDF library in Microsoft Edge, Windows 8.1, Windows Server 2012 ...) 
+ TODO: check +CVE-2016-3369 (Microsoft Windows 10 Gold and 1511 allows attackers to cause a denial ...) + TODO: check +CVE-2016-3368 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, ...) + TODO: check +CVE-2016-3367 (StringBuilder in Microsoft Silverlight 5 before 5.1.50709.0 does not ...) + TODO: check +CVE-2016-3366 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, ...) + TODO: check +CVE-2016-3365 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 ...) + TODO: check +CVE-2016-3364 (Microsoft Visio 2016 allows remote attackers to execute arbitrary code ...) + TODO: check +CVE-2016-3363 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 ...) + TODO: check +CVE-2016-3362 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 ...) + TODO: check +CVE-2016-3361 (Microsoft Excel 2010 SP2 allows remote attackers to execute arbitrary ...) + TODO: check +CVE-2016-3360 (Microsoft PowerPoint 2007 SP3, PowerPoint 2010 SP2, PowerPoint 2013 ...) + TODO: check +CVE-2016-3359 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack ...) + TODO: check +CVE-2016-3358 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1,
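Review bot: two things in this automatic update need follow-up. In the CVE-2016-6662 hunk, `{DSA-3666-1}` is added while the package lines below it still read `- mysql-5.6` and `- mysql-5.5` with no fixed version, although the NOTE added in r44588 records upstream fixes in 5.5.52 and 5.6.33 and DSA-3666-1 ships 5.5.52-0+deb8u1 for jessie; the unstable fixed version should be filled in once the upload lands so the entry stops showing unstable as vulnerable. The block of newly described entries between CVE-2016-3358 and CVE-2016-3381 is left at `TODO: check`, yet every description shown is a Windows, Office, Exchange, Edge or Silverlight issue, so they can be triaged to `NOT-FOR-US: Microsoft` in one pass, as r44583 did for the IBM entries (CVE-2016-3380 and CVE-2016-3376 are still RESERVED and stay as they are).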
[Secure-testing-commits] r44592 - data/CVE
Author: opal Date: 2016-09-14 20:26:50 + (Wed, 14 Sep 2016) New Revision: 44592 Modified: data/CVE/list Log: CVE-2016-6632 is not vulnerable. Modified: data/CVE/list === --- data/CVE/list 2016-09-14 20:09:03 UTC (rev 44591) +++ data/CVE/list 2016-09-14 20:26:50 UTC (rev 44592) @@ -4235,7 +4235,7 @@ CVE-2016-6632 RESERVED - phpmyadmin 4:4.6.4+dfsg1-1 - [wheezy] - phpmyadmin (Not critical enough) + [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-55/ CVE-2016-6631 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
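Review bot: `[wheezy] - phpmyadmin (Vulnerable code not present)` keeps the shape of the old `(Not critical enough)` line, a package name with a parenthesised reason and no state tag, which the tracker reads as "affected, no DSA planned"; the commit message says wheezy is not vulnerable, and the form for that is `[wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)`. Without the `<not-affected>` tag the entry still counts CVE-2016-6632 against wheezy.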
[Secure-testing-commits] r44591 - data/CVE
Author: opal Date: 2016-09-14 20:09:03 + (Wed, 14 Sep 2016) New Revision: 44591 Modified: data/CVE/list Log: CVE-2016-6618 is not vulnerable. Modified: data/CVE/list === --- data/CVE/list 2016-09-14 20:05:49 UTC (rev 44590) +++ data/CVE/list 2016-09-14 20:09:03 UTC (rev 44591) @@ -4307,7 +4307,7 @@ CVE-2016-6618 RESERVED - phpmyadmin 4:4.6.4+dfsg1-1 - [wheezy] - phpmyadmin (Not critical enough) + [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-41/ CVE-2016-6617 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
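Review bot: same issue as the CVE-2016-6632 change: the new `[wheezy] - phpmyadmin (Vulnerable code not present)` line for CVE-2016-6618 has no `<not-affected>` tag, so it is recorded as a no-DSA decision rather than as "wheezy not affected", which is what the commit message states. Use `[wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)`.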
[Secure-testing-commits] r44590 - data/CVE
Author: opal Date: 2016-09-14 20:05:49 + (Wed, 14 Sep 2016) New Revision: 44590 Modified: data/CVE/list Log: Motivation for not solving CVE-2016-6625 in wheezy. Modified: data/CVE/list === --- data/CVE/list 2016-09-14 20:00:22 UTC (rev 44589) +++ data/CVE/list 2016-09-14 20:05:49 UTC (rev 44590) @@ -4270,6 +4270,12 @@ - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Not critical enough) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-48/ + NOTE: The solution is to remove a configuration option. This option + NOTE: is by default disabled so a default installation is not + NOTE: vulnerable. It should be fairly obvious that enabling phpinfo + NOTE: printing can show more information than what should be used in + NOTE: a production environment. This is the motivation that it is not + NOTE: solved for wheezy. CVE-2016-6624 RESERVED - phpmyadmin 4:4.6.4+dfsg1-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
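Review bot: the six-line rationale under CVE-2016-6625 explains the no-DSA decision, but it refers to "enabling phpinfo printing" without naming the configuration option that PMASA-2016-48 removes; naming the option would let the next triager confirm in seconds that a given wheezy installation is in the default, non-vulnerable state. The rationale could also be compressed to two or three `NOTE:` lines; the tracker shows them verbatim.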
[Secure-testing-commits] r44589 - data/CVE
Author: opal Date: 2016-09-14 20:00:22 + (Wed, 14 Sep 2016) New Revision: 44589 Modified: data/CVE/list Log: CVE-2016-6610 do not apply to wheezy. Modified: data/CVE/list === --- data/CVE/list 2016-09-14 17:57:52 UTC (rev 44588) +++ data/CVE/list 2016-09-14 20:00:22 UTC (rev 44589) @@ -4263,6 +4263,7 @@ CVE-2016-6626 RESERVED - phpmyadmin 4:4.6.4+dfsg1-1 + [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-49/ CVE-2016-6625 RESERVED @@ -4336,7 +4337,7 @@ CVE-2016-6610 RESERVED - phpmyadmin 4:4.6.4+dfsg1-1 - [wheezy] - phpmyadmin (Not critial enough) + [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-33/ CVE-2016-6609 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
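Review bot: both hunks (CVE-2016-6626 and CVE-2016-6610) add `[wheezy] - phpmyadmin (Vulnerable code not present)` without a state tag, so the tracker will treat them as "affected, no DSA" rather than "not affected", which is the opposite of what the commit message ("do not apply to wheezy") says; use `[wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)` in both places. Fixing the `critial` typo in passing is fine.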
[Secure-testing-commits] r44588 - data/CVE
Author: nluedtke-guest Date: 2016-09-14 17:57:52 + (Wed, 14 Sep 2016) New Revision: 44588 Modified: data/CVE/list Log: Update notes for CVE-2016-6662 Modified: data/CVE/list === --- data/CVE/list 2016-09-14 15:03:06 UTC (rev 44587) +++ data/CVE/list 2016-09-14 17:57:52 UTC (rev 44588) @@ -4127,9 +4127,9 @@ NOTE: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html NOTE: https://bugzilla.novell.com/show_bug.cgi?id=998309 NOTE: Fixed in upstream Oracle MySQL 5.5.52, 5.6.33 and 5.7.15 - NOTE: supposedly fixed in perconadb and mariadb as well, to be confirmed NOTE: MariaDB: https://jira.mariadb.org/browse/MDEV-10465 NOTE: Fixed in upstream MariaDB 5.5.51, 10.0.27, 10.1.17 + NOTE: PerconaDB: https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/ CVE-2016-6661 RESERVED CVE-2016-6660 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44587 - data/DSA
Author: carnil Date: 2016-09-14 15:03:06 + (Wed, 14 Sep 2016) New Revision: 44587 Modified: data/DSA/list Log: Reserve DSA number for mysql-5.5 update Modified: data/DSA/list === --- data/DSA/list 2016-09-14 12:08:33 UTC (rev 44586) +++ data/DSA/list 2016-09-14 15:03:06 UTC (rev 44587) @@ -1,3 +1,6 @@ +[14 Sep 2016] DSA-3666-1 mysql-5.5 - security update + {CVE-2016-6662} + [jessie] - mysql-5.5 5.5.52-0+deb8u1 [11 Sep 2016] DSA-3665-1 openjpeg2 - security update {CVE-2015-6581 CVE-2015-8871 CVE-2016-1924 CVE-2016-7163} [jessie] - openjpeg2 2.1.0-2+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44586 - data/CVE
Author: carnil Date: 2016-09-14 12:08:33 + (Wed, 14 Sep 2016) New Revision: 44586 Modified: data/CVE/list Log: Split up information, adjust upstream version to 10.0.27 Modified: data/CVE/list === --- data/CVE/list 2016-09-14 12:04:02 UTC (rev 44585) +++ data/CVE/list 2016-09-14 12:08:33 UTC (rev 44586) @@ -4128,7 +4128,8 @@ NOTE: https://bugzilla.novell.com/show_bug.cgi?id=998309 NOTE: Fixed in upstream Oracle MySQL 5.5.52, 5.6.33 and 5.7.15 NOTE: supposedly fixed in perconadb and mariadb as well, to be confirmed - NOTE: MariaDB fixed in 5.5.51, 10.0.27-1 and 10.1.17: https://jira.mariadb.org/browse/MDEV-10465 + NOTE: MariaDB: https://jira.mariadb.org/browse/MDEV-10465 + NOTE: Fixed in upstream MariaDB 5.5.51, 10.0.27, 10.1.17 CVE-2016-6661 RESERVED CVE-2016-6660 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44585 - data/CVE
Author: anarcat Date: 2016-09-14 12:04:02 + (Wed, 14 Sep 2016) New Revision: 44585 Modified: data/CVE/list Log: Summary: add details on fixed mariadb versions Modified: data/CVE/list === --- data/CVE/list 2016-09-14 10:39:34 UTC (rev 44584) +++ data/CVE/list 2016-09-14 12:04:02 UTC (rev 44585) @@ -4128,7 +4128,7 @@ NOTE: https://bugzilla.novell.com/show_bug.cgi?id=998309 NOTE: Fixed in upstream Oracle MySQL 5.5.52, 5.6.33 and 5.7.15 NOTE: supposedly fixed in perconadb and mariadb as well, to be confirmed - NOTE: MariaDB: https://jira.mariadb.org/browse/MDEV-10465 + NOTE: MariaDB fixed in 5.5.51, 10.0.27-1 and 10.1.17: https://jira.mariadb.org/browse/MDEV-10465 CVE-2016-6661 RESERVED CVE-2016-6660 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
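Review bot: `MariaDB fixed in 5.5.51, 10.0.27-1 and 10.1.17` mixes a Debian package version (10.0.27-1) into a list of upstream release numbers; the upstream fix is 10.0.27, and the Debian version belongs on the package line (`- mariadb-10.0 10.0.27-1`, as the CVE-2016-6662 context in r44593 shows). r44586 then separates the two, which is the right shape for this NOTE.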
[Secure-testing-commits] r44584 - data
Author: hle Date: 2016-09-14 10:39:34 + (Wed, 14 Sep 2016) New Revision: 44584 Modified: data/dla-needed.txt Log: Assign libav to Hugo Lefeuvre in dla-needed. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-09-14 10:08:37 UTC (rev 44583) +++ data/dla-needed.txt 2016-09-14 10:39:34 UTC (rev 44584) @@ -28,7 +28,7 @@ -- libarchive (Emilio Pozuelo) -- -libav +libav (Hugo Lefeuvre) NOTE: Latest issue is CVE-2016-7393, it would be a good time to release accumulated fixes NOTE: (See debian-lts ML) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44583 - data/CVE
Author: carnil Date: 2016-09-14 10:08:37 + (Wed, 14 Sep 2016) New Revision: 44583 Modified: data/CVE/list Log: Mark some NFUs Modified: data/CVE/list === --- data/CVE/list 2016-09-14 10:00:31 UTC (rev 44582) +++ data/CVE/list 2016-09-14 10:08:37 UTC (rev 44583) @@ -25349,15 +25349,15 @@ CVE-2016-0366 RESERVED CVE-2016-0365 (IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-0364 (IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-0363 (The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java ...) - TODO: check + NOT-FOR-US: IBM JDK CVE-2016-0362 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-0361 (IBM General Parallel File System (GPFS) 3.5 before 3.5.0.29 efix 6 and ...) - TODO: check + NOT-FOR-US: IBM General Parallel File System CVE-2016-0360 RESERVED CVE-2016-0359 (CRLF injection vulnerability in IBM WebSphere Application Server (WAS) ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44582 - check-external
Author: atomo64-guest Date: 2016-09-14 10:00:31 + (Wed, 14 Sep 2016) New Revision: 44582 Modified: check-external/update.sh Log: Remove duplicates from the mitre-based lists Modified: check-external/update.sh === --- check-external/update.sh2016-09-14 10:00:00 UTC (rev 44581) +++ check-external/update.sh2016-09-14 10:00:31 UTC (rev 44582) @@ -59,6 +59,6 @@ for vendor in SUSE DEBIAN GENTOO FEDORA REDHAT UBUNTU; do wget -N http://cve.mitre.org/data/refs/refmap/source-$vendor.html sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4,})<.+$/\1/;p}' source-$vendor.html | - sort > $vendor.list + sort -u > $vendor.list check_list $vendor.list done ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
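Review bot: `sort -u` removes duplicate rows from the per-vendor lists, but the sed expression feeding it still emits at most one CVE id per input line (`s/^.+>(CVE-[12][0-9]{3}-[0-9]{4,})<.+$/\1/`, with a greedy `^.+` that keeps only the last id on the line), the limitation r44580 removed for the bugzilla source by switching to a perl `while (s/.../)` loop; if a refmap row ever carries several ids the others are dropped silently. Reusing the same perl one-liner here, or putting the id-extraction regex in one shell function used by all three sources, keeps the behaviour identical across sources and avoids maintaining the pattern in three places.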
[Secure-testing-commits] r44581 - check-external
Author: atomo64-guest Date: 2016-09-14 10:00:00 + (Wed, 14 Sep 2016) New Revision: 44581 Modified: check-external/update.sh Log: Add another bugzilla-based source Modified: check-external/update.sh === --- check-external/update.sh2016-09-14 09:32:15 UTC (rev 44580) +++ check-external/update.sh2016-09-14 10:00:00 UTC (rev 44581) @@ -46,7 +46,10 @@ # but it is sufficient for now to get some additional CVE information # from Red Hat source wget -O redhat-bugzilla.html 'https://bugzilla.redhat.com/buglist.cgi?classification=Other&component=vulnerability&f1=alias&o1=regexp&product=Security%20Response&query_format=advanced&v1=^CVE-.*&order=priority%2Cbug_severity&limit=0' -perl -ne 'print "$1\n" while (s/(CVE-[12][0-9]{3}-[0-9]{4,})//);' < redhat-bugzilla.html | sort -u > cve.list +# Some extra data is readily available as an xml file +wget -N https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml +cat redhat-bugzilla.html cve-metadata-from-bugzilla.xml | +perl -ne 'print "$1\n" while (s/(CVE-[12][0-9]{3}-[0-9]{4,})//);' | sort -u > cve.list check_list cve.list # List of issues fixed by each vendor, according to MITRE. Very ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
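Review bot: `cat redhat-bugzilla.html cve-metadata-from-bugzilla.xml | perl ...` degrades silently when the new `wget -N` of the xml fails: with no file present, `cat` reports the missing file on stderr, the pipeline carries on with the html alone and `sort -u` exits 0, so cve.list just comes out shorter. Check the wget exit status (or run the script under `set -e` and, if it runs under bash, `set -o pipefail`) so a missing source is an error rather than a quieter list. The html is fetched with `wget -O` (always re-downloaded) while the xml uses `-N` (timestamp based); fine if intended, but worth a comment next to the new line.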
[Secure-testing-commits] r44580 - check-external
Author: atomo64-guest Date: 2016-09-14 09:32:15 + (Wed, 14 Sep 2016) New Revision: 44580 Modified: check-external/update.sh Log: bugzilla's results may contain more than one CVE per line Use perl for easier looping and to have more readable code Modified: check-external/update.sh === --- check-external/update.sh2016-09-14 09:10:17 UTC (rev 44579) +++ check-external/update.sh2016-09-14 09:32:15 UTC (rev 44580) @@ -46,7 +46,7 @@ # but it is sufficient for now to get some additional CVE information # from Red Hat source wget -O redhat-bugzilla.html 'https://bugzilla.redhat.com/buglist.cgi?classification=Other&component=vulnerability&f1=alias&o1=regexp&product=Security%20Response&query_format=advanced&v1=^CVE-.*&order=priority%2Cbug_severity&limit=0' -sed -rn '/CVE-[12][0-9]{2,}-/{s/^.+(CVE-[12][0-9]{3}-[0-9]{4,}).+$/\1/;T;p}' redhat-bugzilla.html | sort > cve.list +perl -ne 'print "$1\n" while (s/(CVE-[12][0-9]{3}-[0-9]{4,})//);' < redhat-bugzilla.html | sort -u > cve.list check_list cve.list # List of issues fixed by each vendor, according to MITRE. Very ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
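Review bot: the perl loop `while (s/(CVE-[12][0-9]{3}-[0-9]{4,})//)` collects every id on a line, which the replaced sed (`s/^.+(CVE-...).+$/\1/`, a single capture behind a greedy `^.+`) could not, and the added `sort -u` also drops repeats; good change. One thing to watch if this regex becomes the single definition used by the other sources too: it has no boundary anchor, so an id glued to other text (for instance inside a longer token in markup) is still extracted; a leading `\b` would keep it to standalone ids.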
[Secure-testing-commits] r44579 - data/CVE
Author: sectracker Date: 2016-09-14 09:10:17 + (Wed, 14 Sep 2016) New Revision: 44579 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-09-14 07:18:29 UTC (rev 44578) +++ data/CVE/list 2016-09-14 09:10:17 UTC (rev 44579) @@ -10662,6 +10662,7 @@ RESERVED CVE-2016-4855 RESERVED + {DLA-620-1} - libphp-adodb 5.20.6-1 (unimportant; bug #837418) NOTE: https://github.com/ADOdb/ADOdb/issues/274 NOTE: https://jvn.jp/en/jp/JVN48237713/ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
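Review bot: after this automatic update the CVE-2016-4855 entry reads `{DLA-620-1}` directly above `- libphp-adodb 5.20.6-1 (unimportant; bug #837418)`; `unimportant` in this file marks an issue as not needing a fix in Debian, yet an LTS advisory was issued for it in wheezy. Either the severity was set before DLA-620-1 was decided and should be revisited, or the DLA carried it along with the other libphp-adodb fix and a `NOTE:` saying so would stop the next reader from seeing a contradiction.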
[Secure-testing-commits] r44578 - data
Author: lamby Date: 2016-09-14 07:18:29 + (Wed, 14 Sep 2016) New Revision: 44578 Modified: data/dla-needed.txt Log: dla-needed.txt: Add warning note in case someone doesn't read the list (!) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-09-14 07:13:49 UTC (rev 44577) +++ data/dla-needed.txt 2016-09-14 07:18:29 UTC (rev 44578) @@ -30,6 +30,7 @@ -- libav NOTE: Latest issue is CVE-2016-7393, it would be a good time to release accumulated fixes + NOTE: (See debian-lts ML) -- libgd2 (Thorsten Alteholz) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44577 - data
Author: carnil Date: 2016-09-14 07:13:49 + (Wed, 14 Sep 2016) New Revision: 44577 Modified: data/next-point-update.txt Log: Add libphp-adodb to next-point-update.txt, but unlikely to be included for 8.6, so list for next point release Modified: data/next-point-update.txt === --- data/next-point-update.txt 2016-09-14 07:00:30 UTC (rev 44576) +++ data/next-point-update.txt 2016-09-14 07:13:49 UTC (rev 44577) @@ -105,3 +105,8 @@ [jessie] - suckless-tools 40-1+deb8u2 CVE-2016-6342 [jessie] - elog 2.9.2+2014.05.11git44800a7-3 +CVE-2016-4855 + [jessie] - libphp-adodb 5.15-1+deb8u1 +CVE-2016- [incorrect quoting may allow SQL injection] + [jessie] - libphp-adodb 5.15-1+deb8u1 + NOTE: for #837211 which has not yet a CVE ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
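Review bot: the new `CVE-2016- [incorrect quoting may allow SQL injection]` key in next-point-update.txt is a placeholder that cannot be matched against data/CVE/list until the id is assigned; the `NOTE: for #837211 which has not yet a CVE` line ties it to the bug, which is the right way to keep it findable, but the key has to be replaced in both files in the same commit when the number arrives, otherwise the two lists disagree (r44597 does exactly that).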
[Secure-testing-commits] r44576 - data/CVE
Author: hertzog Date: 2016-09-14 07:00:30 + (Wed, 14 Sep 2016) New Revision: 44576 Modified: data/CVE/list Log: Update comments for CVE where I got the reproducer file They have been posted on the upstream ticket each time. Modified: data/CVE/list === --- data/CVE/list 2016-09-14 06:59:31 UTC (rev 44575) +++ data/CVE/list 2016-09-14 07:00:30 UTC (rev 44576) @@ -14304,7 +14304,6 @@ - tiff3 [wheezy] - tiff3 (Minor issue) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566 - NOTE: Reproducer file is not available. CVE-2016-3624 [Out-of-bounds Write occurred in function cvtClump in rgb2ycbcr] RESERVED - tiff @@ -22880,7 +22879,7 @@ NOTE: Red Hat's patch is partially incorrect according to upstream NOTE: Issue was also marked as wontfix, because bmp2tiff utility has been removed NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4 - NOTE: No reproducer file seems to be publicly available. + NOTE: Reproducer file here: http://bugzilla.maptools.org/attachment.cgi?id=677 CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 ...) {DSA-3467-1 DLA-610-1 DLA-402-1} - tiff 4.0.6-1 (bug #809021) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
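Review bot: the first hunk (tiff3, maptools #2566) removes `NOTE: Reproducer file is not available.` without adding where the file now is, while the second hunk (#2563) replaces the equivalent line with `NOTE: Reproducer file here: http://bugzilla.maptools.org/attachment.cgi?id=677`; the commit message says the reproducers were posted on each upstream ticket, so give the first entry the same attachment-URL form rather than leaving it silent, otherwise the next triager has to re-derive that a reproducer exists.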