[Secure-testing-commits] r44663 - data
Author: pabs Date: 2016-09-17 02:08:48 + (Sat, 17 Sep 2016) New Revision: 44663 Modified: data/embedded-code-copies Log: libsquish now accepted Modified: data/embedded-code-copies === --- data/embedded-code-copies 2016-09-17 01:21:05 UTC (rev 44662) +++ data/embedded-code-copies 2016-09-17 02:08:48 UTC (rev 44663) @@ -3067,7 +3067,7 @@ liblemon (ITP: #833548) - cufflinks (embed) -libsquish (ITP: #836247) +libsquish - 0ad (embed; bug #838055) - kodi (modified-embed; bug #838051) - mame (modified-embed; bug #838052) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44662 - data
Author: pabs Date: 2016-09-17 01:21:05 + (Sat, 17 Sep 2016) New Revision: 44662 Modified: data/embedded-code-copies Log: Add bug numbers for libsquish embedded code copies Suggested-by: Wookey Suggested-in: <20160917010345.gv7...@mail.wookware.org> Modified: data/embedded-code-copies === --- data/embedded-code-copies 2016-09-16 21:10:16 UTC (rev 44661) +++ data/embedded-code-copies 2016-09-17 01:21:05 UTC (rev 44662) @@ -3068,12 +3068,12 @@ - cufflinks (embed) libsquish (ITP: #836247) - - 0ad (embed) - - kodi (modified-embed) - - mame (modified-embed) - - nvidia-texture-tools (modified-embed) - - openimageio (modified-embed) - - spring (embed) + - 0ad (embed; bug #838055) + - kodi (modified-embed; bug #838051) + - mame (modified-embed; bug #838052) + - nvidia-texture-tools (modified-embed; bug #838056) + - openimageio (modified-embed; bug #838053) + - spring (embed; bug #838054) - xbmc (modified-embed) node-ms (not packaged, no ITP as per 2016-09-09) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
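Review bot: The last libsquish line, "- xbmc (modified-embed)", stays as unchanged context with no bug number, while the six entries above it each gain one. If no bug is going to be filed for xbmc, say why in the log or on the line itself, so the gap does not read as an oversight the next time the list is audited.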
[Secure-testing-commits] r44661 - data/CVE
Author: sectracker Date: 2016-09-16 21:10:16 + (Fri, 16 Sep 2016) New Revision: 44661 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-09-16 17:40:28 UTC (rev 44660) +++ data/CVE/list 2016-09-16 21:10:16 UTC (rev 44661) @@ -1,4 +1,5 @@ CVE-2016-7423 [scsi: mptsas: OOB access when freeing MPTSASRequest object] + RESERVED - qemu [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) @@ -10,6 +11,7 @@ NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 CVE-2016-7422 [virtio: null pointer dereference in virtqueue_map_desc] + RESERVED - qemu [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) @@ -19,6 +21,7 @@ NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=3b3b0628217e2726069990ff9942a5d6d9816bd7 (v2.6.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/4 CVE-2016-7421 [scsi: pvscsi: infinite loop when processing IO requests] + RESERVED - qemu [wheezy] - qemu (Vulnerable code not present, introduced after 1.5) - qemu-kvm (Vulnerable code not present, introduced after 1.5) @@ -2219,8 +,7 @@ RESERVED CVE-2016-7424 RESERVED -CVE-2016-7420 [Library documentation lacks treatment of -DNDEBUG and Static Initialization] - RESERVED +CVE-2016-7420 (Crypto++ (aka cryptopp) through 5.6.4 does not document the ...) - libcrypto++ NOTE: https://github.com/weidai11/cryptopp/issues/277 CVE-2016-7419 @@ -3555,8 +3557,8 @@ RESERVED CVE-2016-6937 RESERVED -CVE-2016-6936 - RESERVED +CVE-2016-6936 (Adobe AIR SDK & Compiler before 23.0.0.257 on Windows does not support ...) + TODO: check CVE-2016-6935 RESERVED CVE-2016-6934 
@@ -4242,7 +4244,7 @@ RESERVED CVE-2016-6662 [privilege escalation through ld_preload hijacking and my.cnf rewrite] RESERVED - {DSA-3666-1} + {DSA-3666-1 DLA-624-1} - mariadb-10.0 10.0.27-1 - mysql-5.6 - mysql-5.5 @@ -5503,13 +5505,11 @@ RESERVED CVE-2016-6304 RESERVED -CVE-2016-6303 - RESERVED +CVE-2016-6303 (Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c ...) - openssl [jessie] - openssl (Wait until next openssl update round) NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=55d83bf7c10c7b205fffa23fa7c3977491e56c07 -CVE-2016-6302 - RESERVED +CVE-2016-6302 (The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before ...) - openssl [jessie] - openssl (Wait until next openssl update round) NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=e97763c92c655dcf4af2860b3abd2bc4c8a267f9 
@@ -12577,22 +12577,22 @@ NOT-FOR-US: Adobe CVE-2016-4264 (The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before ...) TODO: check -CVE-2016-4263 - RESERVED -CVE-2016-4262 - RESERVED -CVE-2016-4261 - RESERVED -CVE-2016-4260 - RESERVED -CVE-2016-4259 - RESERVED -CVE-2016-4258 - RESERVED -CVE-2016-4257 - RESERVED -CVE-2016-4256 - RESERVED +CVE-2016-4263 (Use-after-free vulnerability in Adobe Digital Editions before 4.5.2 ...) + TODO: check +CVE-2016-4262 (Adobe Digital Editions before 4.5.2 allows attackers to execute ...) + TODO: check +CVE-2016-4261 (Adobe Digital Editions before 4.5.2 allows attackers to execute ...) + TODO: check +CVE-2016-4260 (Adobe Digital Editions before 4.5.2 allows attackers to execute ...) + TODO: check +CVE-2016-4259 (Adobe Digital Editions before 4.5.2 allows attackers to execute ...) + TODO: check +CVE-2016-4258 (Adobe Digital Editions before 4.5.2 allows attackers to execute ...) + TODO: check +CVE-2016-4257 (Adobe Digital Editions before 4.5.2 allows attackers to execute ...) + TODO: check +CVE-2016-4256 (Adobe Digital Editions before 4.5.2 allows attackers to execute ...) + TODO: check CVE-2016-4255 (Use-after-free vulnerability in Adobe Reader and Acrobat before ...) NOT-FOR-US: Adobe CVE-2016-4254 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) @@ -18964,13 +18964,11 @@ NOTE: What was done in OpenSSL: https://www.openssl.org/blog/blog/2016/08/24/sweet32/ NOTE: Python issue: https://bugs.python.org/issue27850 TODO: not clear if this should be assigned to individual source, like openssl and nss (openpvn got a own CVE) -CVE-2016-2182 - RESERVED +CVE-2016-2182 (The BN_bn2dec function in crypto/bn/bn_pr
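Review bot: The Adobe entries that leave RESERVED in this update (CVE-2016-4256 through CVE-2016-4263 for Adobe Digital Editions in the -12577 hunk, and CVE-2016-6936 for the Adobe AIR SDK & Compiler in the -3555 hunk) all land as "TODO: check", although the neighbouring context lines for CVE-2016-4255 already read "NOT-FOR-US: Adobe". A follow-up triage commit should resolve these nine TODOs the same way, so they do not sit in the open queue next to the qemu and openssl entries that need actual work.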
[Secure-testing-commits] r44660 - data/CVE
Author: carnil Date: 2016-09-16 17:40:28 + (Fri, 16 Sep 2016) New Revision: 44660 Modified: data/CVE/list Log: Mark CVE-2016-0635 as NFU Modified: data/CVE/list === --- data/CVE/list 2016-09-16 17:40:12 UTC (rev 44659) +++ data/CVE/list 2016-09-16 17:40:28 UTC (rev 44660) @@ -24829,7 +24829,7 @@ NOTE: https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636 NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874 CVE-2016-0635 (Unspecified vulnerability in the Enterprise Manager Ops Center ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-0634 [bash prompt expanding $HOSTNAME] RESERVED - bash ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44659 - data
Author: alteholz Date: 2016-09-16 17:40:12 + (Fri, 16 Sep 2016) New Revision: 44659 Modified: data/dla-needed.txt Log: no upload for libgd2 needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-09-16 17:39:28 UTC (rev 44658) +++ data/dla-needed.txt 2016-09-16 17:40:12 UTC (rev 44659) @@ -30,8 +30,6 @@ NOTE: Latest issue is CVE-2016-7393, it would be a good time to release accumulated fixes NOTE: (See debian-lts ML) -- -libgd2 (Thorsten Alteholz) --- libical (Ola Lundqvist) NOTE: issues are currently not public, but https://marc.info/?l=oss-security&m=146685931517961&w=2 claims ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
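Review bot: The removal of the claimed "libgd2 (Thorsten Alteholz)" block is justified only by the log line "no upload for libgd2 needed", which does not say which issues were evaluated or why wheezy is unaffected. Record the reasoning against the relevant CVE entries in data/CVE/list, or name them in the log, so the package is not re-added to dla-needed.txt by the next triage pass.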
[Secure-testing-commits] r44658 - data/CVE
Author: carnil Date: 2016-09-16 17:39:28 + (Fri, 16 Sep 2016) New Revision: 44658 Modified: data/CVE/list Log: Mark CVE-2016-7031 as no-dsa, thanks jmm_ Modified: data/CVE/list === --- data/CVE/list 2016-09-16 17:38:23 UTC (rev 44657) +++ data/CVE/list 2016-09-16 17:39:28 UTC (rev 44658) @@ -3365,6 +3365,7 @@ CVE-2016-7031 [rgw: Anonymous user is able to read bucket with authenticated read ACL] RESERVED - ceph (bug #838026) + [jessie] - ceph (Minor issue) NOTE: http://tracker.ceph.com/issues/13207 NOTE: https://github.com/ceph/ceph/pull/6057 NOTE: https://github.com/ceph/ceph/pull/11045 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44657 - data/CVE
Author: carnil Date: 2016-09-16 17:38:23 + (Fri, 16 Sep 2016) New Revision: 44657 Modified: data/CVE/list Log: Add CVE-2016-0634/bash Modified: data/CVE/list === --- data/CVE/list 2016-09-16 17:36:00 UTC (rev 44656) +++ data/CVE/list 2016-09-16 17:38:23 UTC (rev 44657) @@ -24829,8 +24829,12 @@ NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874 CVE-2016-0635 (Unspecified vulnerability in the Enterprise Manager Ops Center ...) TODO: check -CVE-2016-0634 +CVE-2016-0634 [bash prompt expanding $HOSTNAME] RESERVED + - bash + [jessie] - bash (Minor issue) + NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/8 + NOTE: Fixed bin Bash upstream bash-4.4 CVE-2016-0633 RESERVED CVE-2016-0632 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
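Review bot: The last added NOTE in the CVE-2016-0634 entry reads "Fixed bin Bash upstream bash-4.4", where "bin" looks like a typo for "in" and "Bash upstream bash-4.4" repeats the name. Something like "NOTE: Fixed upstream in bash-4.4" reads cleanly and is easier to grep for when the fixed version is later recorded on the "- bash" line.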
[Secure-testing-commits] r44656 - data/CVE
Author: carnil Date: 2016-09-16 17:36:00 + (Fri, 16 Sep 2016) New Revision: 44656 Modified: data/CVE/list Log: CVE-2016-7421/qemu assigned Modified: data/CVE/list === --- data/CVE/list 2016-09-16 17:34:35 UTC (rev 44655) +++ data/CVE/list 2016-09-16 17:36:00 UTC (rev 44656) @@ -18,13 +18,14 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376755 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=3b3b0628217e2726069990ff9942a5d6d9816bd7 (v2.6.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/4 -CVE-2016- [scsi: pvscsi: infinite loop when processing IO requests] +CVE-2016-7421 [scsi: pvscsi: infinite loop when processing IO requests] - qemu [wheezy] - qemu (Vulnerable code not present, introduced after 1.5) - qemu-kvm (Vulnerable code not present, introduced after 1.5) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03609.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376731 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/09/16/3 + NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/3 + NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=d251157ac1928191af851d199a9ff255d330bec9 CVE-2016-8220 RESERVED CVE-2016-8219 @@ -2218,8 +2219,6 @@ RESERVED CVE-2016-7424 RESERVED -CVE-2016-7421 - RESERVED CVE-2016-7420 [Library documentation lacks treatment of -DNDEBUG and Static Initialization] RESERVED - libcrypto++ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44655 - data/CVE
Author: carnil Date: 2016-09-16 17:34:35 + (Fri, 16 Sep 2016) New Revision: 44655 Modified: data/CVE/list Log: CVE-2016-7422 qemu assigned Modified: data/CVE/list === --- data/CVE/list 2016-09-16 17:33:50 UTC (rev 44654) +++ data/CVE/list 2016-09-16 17:34:35 UTC (rev 44655) @@ -9,7 +9,7 @@ NOTE: LSI SAS1068 (mptsas) device support added in NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 -CVE-2016- [virtio: null pointer dereference in virtqueue_map_desc] +CVE-2016-7422 [virtio: null pointer dereference in virtqueue_map_desc] - qemu [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) @@ -17,7 +17,7 @@ NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376755 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=3b3b0628217e2726069990ff9942a5d6d9816bd7 (v2.6.0-rc0) - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/09/16/4 + NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/4 CVE-2016- [scsi: pvscsi: infinite loop when processing IO requests] - qemu [wheezy] - qemu (Vulnerable code not present, introduced after 1.5) @@ -2218,8 +2218,6 @@ RESERVED CVE-2016-7424 RESERVED -CVE-2016-7422 - RESERVED CVE-2016-7421 RESERVED CVE-2016-7420 [Library documentation lacks treatment of -DNDEBUG and Static Initialization] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44654 - data/CVE
Author: carnil Date: 2016-09-16 17:33:50 + (Fri, 16 Sep 2016) New Revision: 44654 Modified: data/CVE/list Log: Add fixing commit for CVE-2016-7423 Modified: data/CVE/list === --- data/CVE/list 2016-09-16 17:32:57 UTC (rev 44653) +++ data/CVE/list 2016-09-16 17:33:50 UTC (rev 44654) @@ -8,6 +8,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/5 NOTE: LSI SAS1068 (mptsas) device support added in NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0) + NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 CVE-2016- [virtio: null pointer dereference in virtqueue_map_desc] - qemu [jessie] - qemu (Vulnerable code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44653 - data/CVE
Author: carnil Date: 2016-09-16 17:32:57 + (Fri, 16 Sep 2016) New Revision: 44653 Modified: data/CVE/list Log: CVE-2016-7423 assigned Modified: data/CVE/list === --- data/CVE/list 2016-09-16 16:02:46 UTC (rev 44652) +++ data/CVE/list 2016-09-16 17:32:57 UTC (rev 44653) @@ -1,11 +1,11 @@ -CVE-2016- [scsi: mptsas: OOB access when freeing MPTSASRequest object] +CVE-2016-7423 [scsi: mptsas: OOB access when freeing MPTSASRequest object] - qemu [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03604.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376776 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/09/16/5 + NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/5 NOTE: LSI SAS1068 (mptsas) device support added in NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0) CVE-2016- [virtio: null pointer dereference in virtqueue_map_desc] @@ -2217,8 +2217,6 @@ RESERVED CVE-2016-7424 RESERVED -CVE-2016-7423 - RESERVED CVE-2016-7422 RESERVED CVE-2016-7421 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44652 - data/CVE
Author: nluedtke-guest Date: 2016-09-16 16:02:46 + (Fri, 16 Sep 2016) New Revision: 44652 Modified: data/CVE/list Log: Add commit reference for CVE-2016-3961 Modified: data/CVE/list === --- data/CVE/list 2016-09-16 15:34:18 UTC (rev 44651) +++ data/CVE/list 2016-09-16 16:02:46 UTC (rev 44652) @@ -13552,6 +13552,7 @@ {DSA-3607-1 DLA-516-1} - linux 4.5.2-1 NOTE: http://xenbits.xen.org/xsa/advisory-174.html + NOTE: Fixed by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=103f6112f253017d7062cd74d17f4a514ed4485c CVE-2016-3960 (Integer overflow in the x86 shadow pagetable code in Xen allows local ...) {DSA-3554-1 DLA-571-1} - xen (bug #823620) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44651 - data/CVE
Author: carnil Date: 2016-09-16 15:34:18 + (Fri, 16 Sep 2016) New Revision: 44651 Modified: data/CVE/list Log: Add another qemu issue Modified: data/CVE/list === --- data/CVE/list 2016-09-16 15:34:06 UTC (rev 44650) +++ data/CVE/list 2016-09-16 15:34:18 UTC (rev 44651) @@ -1,3 +1,13 @@ +CVE-2016- [scsi: mptsas: OOB access when freeing MPTSASRequest object] + - qemu + [jessie] - qemu (Vulnerable code introduced later) + [wheezy] - qemu (Vulnerable code introduced later) + - qemu-kvm (Vulnerable code introduced later) + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03604.html + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376776 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/09/16/5 + NOTE: LSI SAS1068 (mptsas) device support added in + NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0) CVE-2016- [virtio: null pointer dereference in virtqueue_map_desc] - qemu [jessie] - qemu (Vulnerable code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44650 - data/CVE
Author: carnil Date: 2016-09-16 15:34:06 + (Fri, 16 Sep 2016) New Revision: 44650 Modified: data/CVE/list Log: Add CVE request reference for one previous qemu issue Modified: data/CVE/list === --- data/CVE/list 2016-09-16 15:28:18 UTC (rev 44649) +++ data/CVE/list 2016-09-16 15:34:06 UTC (rev 44650) @@ -6,6 +6,7 @@ NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376755 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=3b3b0628217e2726069990ff9942a5d6d9816bd7 (v2.6.0-rc0) + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/09/16/4 CVE-2016- [scsi: pvscsi: infinite loop when processing IO requests] - qemu [wheezy] - qemu (Vulnerable code not present, introduced after 1.5) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44649 - data/CVE
Author: carnil Date: 2016-09-16 15:28:18 + (Fri, 16 Sep 2016) New Revision: 44649 Modified: data/CVE/list Log: Add another qemu issue Modified: data/CVE/list === --- data/CVE/list 2016-09-16 15:22:06 UTC (rev 44648) +++ data/CVE/list 2016-09-16 15:28:18 UTC (rev 44649) @@ -1,3 +1,11 @@ +CVE-2016- [virtio: null pointer dereference in virtqueue_map_desc] + - qemu + [jessie] - qemu (Vulnerable code introduced later) + [wheezy] - qemu (Vulnerable code introduced later) + - qemu-kvm (Vulnerable code introduced later) + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376755 + NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=3b3b0628217e2726069990ff9942a5d6d9816bd7 (v2.6.0-rc0) CVE-2016- [scsi: pvscsi: infinite loop when processing IO requests] - qemu [wheezy] - qemu (Vulnerable code not present, introduced after 1.5) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44648 - data/CVE
Author: carnil Date: 2016-09-16 15:22:06 + (Fri, 16 Sep 2016) New Revision: 44648 Modified: data/CVE/list Log: Update information for CVE-2016-7031, add bug reference, #838026 Modified: data/CVE/list === --- data/CVE/list 2016-09-16 15:18:38 UTC (rev 44647) +++ data/CVE/list 2016-09-16 15:22:06 UTC (rev 44648) @@ -3349,10 +3349,10 @@ RESERVED CVE-2016-7031 [rgw: Anonymous user is able to read bucket with authenticated read ACL] RESERVED - - ceph + - ceph (bug #838026) + NOTE: http://tracker.ceph.com/issues/13207 NOTE: https://github.com/ceph/ceph/pull/6057 - NOTE: http://tracker.ceph.com/issues/13207 - TODO: check (versions) + NOTE: https://github.com/ceph/ceph/pull/11045 CVE-2016-7030 RESERVED CVE-2016-7029 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
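Review bot: The CVE-2016-7031 hunk deletes "TODO: check (versions)", but the ceph line gains only "(bug #838026)" and no affected or fixed version, so the question the TODO raised is not answered anywhere in the entry. Either keep the TODO until the version range is known, or add a NOTE saying which of the two referenced pull requests (6057, 11045) carries the fix and for which branch.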
[Secure-testing-commits] r44647 - data/CVE
Author: carnil Date: 2016-09-16 15:18:38 + (Fri, 16 Sep 2016) New Revision: 44647 Modified: data/CVE/list Log: Add new qemu issue Modified: data/CVE/list === --- data/CVE/list 2016-09-16 15:14:43 UTC (rev 44646) +++ data/CVE/list 2016-09-16 15:18:38 UTC (rev 44647) @@ -1,3 +1,10 @@ +CVE-2016- [scsi: pvscsi: infinite loop when processing IO requests] + - qemu + [wheezy] - qemu (Vulnerable code not present, introduced after 1.5) + - qemu-kvm (Vulnerable code not present, introduced after 1.5) + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03609.html + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376731 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/09/16/3 CVE-2016-8220 RESERVED CVE-2016-8219 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44646 - in data: . DLA
Author: roberto Date: 2016-09-16 15:14:43 + (Fri, 16 Sep 2016) New Revision: 44646 Modified: data/DLA/list data/dla-needed.txt Log: Claim DLA for mysql-5.5 Modified: data/DLA/list === --- data/DLA/list 2016-09-16 15:01:47 UTC (rev 44645) +++ data/DLA/list 2016-09-16 15:14:43 UTC (rev 44646) @@ -1,3 +1,6 @@ +[16 Sep 2016] DLA-624-1 mysql-5.5 - security update + {CVE-2016-6662} + [wheezy] - mysql-5.5 5.5.52-0+deb7u1 [15 Sep 2016] DLA-623-1 tomcat7 - security update {CVE-2016-1240} [wheezy] - tomcat7 7.0.28-4+deb7u6 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-09-16 15:01:47 UTC (rev 44645) +++ data/dla-needed.txt 2016-09-16 15:14:43 UTC (rev 44646) @@ -48,11 +48,6 @@ -- mingw32 (Stephen Kitt) -- -mysql-5.5 (Roberto C. Sanchez) - NOTE: Should be fixed ASAP. - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6662 - NOTE: The RedHat bug references specific commits and release notes of new upstream releases; it also notes that the fixes are not likely to be acknowledged as with CVEs by Oracle until next month's CPU --- openssl NOTE: For CVE-2016-2177, some parts of the upstream patch do not apply NOTE: because the wheezy version is completely missing the checks being ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
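Review bot: The mysql-5.5 block removed from data/dla-needed.txt carried a NOTE that the fixes in the new upstream releases are not likely to be acknowledged with CVEs by Oracle until next month's CPU, and the new DLA-624-1 entry in data/DLA/list lists only {CVE-2016-6662}. Dropping the NOTE loses the reminder that 5.5.52-0+deb7u1 may cover issues that get identifiers later. Keep a short NOTE somewhere in the tracker so the DLA's CVE list is revisited after the CPU.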
[Secure-testing-commits] r44645 - data/CVE
Author: jmm Date: 2016-09-16 15:01:47 + (Fri, 16 Sep 2016) New Revision: 44645 Modified: data/CVE/list Log: add qemu upstream fix file-roller no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-09-16 13:23:55 UTC (rev 44644) +++ data/CVE/list 2016-09-16 15:01:47 UTC (rev 44645) @@ -2831,6 +2831,7 @@ - qemu (bug #837316) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01764.html + NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=167d97a3def77ee2dbf6e908b0ecbfe2103977db CVE-2016-7169 [a path traversal vulnerability in the upgrade package uploader] RESERVED - wordpress 4.6.1+dfsg-1 @@ -2856,6 +2857,7 @@ CVE-2016-7162 RESERVED - file-roller 3.20.3-1 + [jessie] - file-roller (Minor issue) [wheezy] - file-roller (Vulnerable code introduced in 3.5.4) NOTE: Ubuntu Bug: https://launchpad.net/bugs/1171236 NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=698554 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
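Review bot: The NOTE added in the first hunk (-2831) is a bare git.qemu.org commit URL with no label, so a reader cannot tell whether it is the fixing commit or the introducing one. The log says "add qemu upstream fix", so write it as "NOTE: Fixed by: http://git.qemu.org/..." to make that explicit. The log also bundles an unrelated file-roller no-dsa decision into the same revision. Two commits would keep the history of each entry searchable.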
[Secure-testing-commits] r44644 - data/CVE
Author: carnil Date: 2016-09-16 13:23:55 + (Fri, 16 Sep 2016) New Revision: 44644 Modified: data/CVE/list Log: Add bug reference for CVE-2016-7410, #838019 Modified: data/CVE/list === --- data/CVE/list 2016-09-16 13:06:38 UTC (rev 44643) +++ data/CVE/list 2016-09-16 13:23:55 UTC (rev 44644) @@ -2260,10 +2260,9 @@ NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73052 NOTE: Fixed in 5.6.26 NOTE: https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43?w=1 -CVE-2016-7410 +CVE-2016-7410 [Heap buffer overflow in _dwarf_read_loc_section] RESERVED - - dwarfutils - TODO: check + - dwarfutils (bug #838019) CVE-2016-7409 RESERVED - dropbear 2016.74-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44643 - data/CVE
Author: carnil Date: 2016-09-16 13:06:38 + (Fri, 16 Sep 2016) New Revision: 44643 Modified: data/CVE/list Log: Add bug reference for manila-ui issue, #838017 Modified: data/CVE/list === --- data/CVE/list 2016-09-16 09:10:22 UTC (rev 44642) +++ data/CVE/list 2016-09-16 13:06:38 UTC (rev 44643) @@ -4849,10 +4849,9 @@ RESERVED NOT-FOR-US: Python Priority NOTE: https://github.com/python-hyper/priority/pull/23 -CVE-2016-6519 +CVE-2016-6519 [persistent XSS in metadata field] RESERVED - - manila-ui - TODO: check + - manila-ui (bug #838017) CVE-2016-6518 RESERVED CVE-2016-6517 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44642 - data/CVE
Author: sectracker Date: 2016-09-16 09:10:22 + (Fri, 16 Sep 2016) New Revision: 44642 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2016-09-16 08:30:11 UTC (rev 44641) +++ data/CVE/list 2016-09-16 09:10:22 UTC (rev 44642) @@ -10769,6 +10769,7 @@ CVE-2016-4862 RESERVED CVE-2016-4861 [ZF2016-03] + RESERVED - zendframework 1.12.20+dfsg-1 NOTE: http://framework.zend.com/security/advisory/ZF2016-03 NOTE: This security fix can be considered an improvement of the previous ZF2016-02 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44641 - data/CVE
Author: carnil Date: 2016-09-16 08:30:11 + (Fri, 16 Sep 2016) New Revision: 44641 Modified: data/CVE/list Log: Remove TODO item for CVE-2016-7395 Modified: data/CVE/list === --- data/CVE/list 2016-09-16 06:35:42 UTC (rev 44640) +++ data/CVE/list 2016-09-16 08:30:11 UTC (rev 44641) @@ -2302,7 +2302,6 @@ {DSA-3667-1} - chromium-browser 53.0.2785.92-1 [wheezy] - chromium-browser (Not supported in Wheezy) - TODO: check if already fixed in 53.0.2785.89-1 for the Debian upload CVE-2016-7394 RESERVED CVE-2016-7391 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits