[Secure-testing-commits] r45175 - data/CVE
Author: carnil Date: 2016-10-10 06:44:13 + (Mon, 10 Oct 2016) New Revision: 45175 Modified: data/CVE/list Log: Add fixed version for CVE-2016-{5325,7099}/nodejs Modified: data/CVE/list === --- data/CVE/list 2016-10-10 04:48:03 UTC (rev 45174) +++ data/CVE/list 2016-10-10 06:44:13 UTC (rev 45175) @@ -4117,7 +4117,7 @@ RESERVED CVE-2016-7099 RESERVED - - nodejs (bug #839714; unimportant) + - nodejs 4.6.0~dfsg-1 (bug #839714; unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/ NOTE: 0.10.x: https://github.com/nodejs/node/commit/0d7e21ee7bcc79046f898f8c202d2ec87d23d711 NOTE: 4.x: https://github.com/nodejs/node/commit/3ff82deb2c3bd580d64be75dbafe460393c952fb @@ -9779,7 +9779,7 @@ RESERVED CVE-2016-5325 RESERVED - - nodejs (bug #839714; unimportant) + - nodejs 4.6.0~dfsg-1 (bug #839714; unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ CVE-2016-5359 (epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
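Review bot: both hunks (@@ -4117 and @@ -9779) record the same fixed version 4.6.0~dfsg-1, but the NOTE under CVE-2016-5325 points at the June 2016 security releases while CVE-2016-7099 points at September 2016, so 4.6.0 is plausibly the first fixed upload only for the latter; check whether an earlier 4.x upload already carried the June fix for CVE-2016-5325, otherwise the fixed version understates what is already patched in the archive. The "libv8 is not covered by security support" NOTE on CVE-2016-5325 should also say whether the fix lives in the V8 copy bundled in nodejs, since that decides whether the bundled copy needs its own tracking line.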
[Secure-testing-commits] r45174 - data/CVE
Author: carnil Date: 2016-10-10 04:48:03 + (Mon, 10 Oct 2016) New Revision: 45174 Modified: data/CVE/list Log: Update source package name for dwarfutils issues Modified: data/CVE/list === --- data/CVE/list 2016-10-10 04:45:44 UTC (rev 45173) +++ data/CVE/list 2016-10-10 04:48:03 UTC (rev 45174) @@ -1,11 +1,11 @@ CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_size_of_val] - - dwarfdump + - dwarfutils NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/08/11 CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_abbrev_for_code] - - dwarfdump + - dwarfutils NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/08/12 CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_abbrev_for_code second one] - - dwarfdump + - dwarfutils NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/08/13 CVE-2016-8569 [DoS using a null pointer dereference in git_commit_message] - libgit2 (bug #840227) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
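Review bot: the rename from dwarfdump to dwarfutils in all three hunks matches the dla-needed.txt claim for dwarfutils in r45160 further down this page, but the three entries still carry no [wheezy] line; since the package is claimed for LTS, a wheezy status (and the upstream fix reference once one exists) belongs in these entries so the claim is visible from the CVE side as well.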
[Secure-testing-commits] r45173 - data/CVE
Author: carnil Date: 2016-10-10 04:45:44 + (Mon, 10 Oct 2016) New Revision: 45173 Modified: data/CVE/list Log: Mark CVE-2016-7065 as NFU Modified: data/CVE/list === --- data/CVE/list 2016-10-10 04:45:34 UTC (rev 45172) +++ data/CVE/list 2016-10-10 04:45:44 UTC (rev 45173) @@ -4223,6 +4223,7 @@ RESERVED CVE-2016-7065 RESERVED + NOT-FOR-US: Red Hat JBoss EAP CVE-2016-7064 RESERVED CVE-2016-7063 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45172 - data/CVE
Author: carnil Date: 2016-10-10 04:45:34 + (Mon, 10 Oct 2016) New Revision: 45172 Modified: data/CVE/list Log: Add CVE request marker Modified: data/CVE/list === --- data/CVE/list 2016-10-10 04:41:43 UTC (rev 45171) +++ data/CVE/list 2016-10-10 04:45:34 UTC (rev 45172) @@ -1,12 +1,12 @@ CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_size_of_val] - dwarfdump - NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/11 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/08/11 CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_abbrev_for_code] - dwarfdump - NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/12 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/08/12 CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_abbrev_for_code second one] - dwarfdump - NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/13 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/08/13 CVE-2016-8569 [DoS using a null pointer dereference in git_commit_message] - libgit2 (bug #840227) [jessie] - libgit2 (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45171 - data/CVE
Author: fgeek-guest Date: 2016-10-10 04:41:43 + (Mon, 10 Oct 2016) New Revision: 45171 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2016-10-10 04:37:39 UTC (rev 45170) +++ data/CVE/list 2016-10-10 04:41:43 UTC (rev 45171) @@ -6330,23 +6330,23 @@ CVE-2016-6387 RESERVED CVE-2016-6386 (Cisco IOS XE 3.1 through 3.17 and 16.1 on 64-bit platforms allows ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6385 (Memory leak in the Smart Install client implementation in Cisco IOS ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6384 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.6 and IOS XE 3.1 ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6383 RESERVED CVE-2016-6382 (Cisco IOS 15.2 through 15.6 and IOS XE 3.6 through 3.17 and 16.1 allow ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6381 (Cisco IOS 12.4 and 15.0 through 15.6 and IOS XE 3.1 through 3.18 and ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6380 (The DNS forwarder in Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6379 (Cisco IOS 12.2 and IOS XE 3.14 through 3.16 and 16.1 allow remote ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6378 (Cisco IOS XE 3.1 through 3.17 and 16.1 through 16.2 allows remote ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6377 (Media Origination System Suite Software 2.6 and earlier in Cisco ...) NOT-FOR-US: Cisco CVE-2016-6376 (The Adaptive Wireless Intrusion Prevention System (wIPS) feature on ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45170 - data/CVE
Author: fgeek-guest Date: 2016-10-10 04:37:39 + (Mon, 10 Oct 2016) New Revision: 45170 Modified: data/CVE/list Log: Add recent dwarfdump issues Modified: data/CVE/list === --- data/CVE/list 2016-10-09 21:56:15 UTC (rev 45169) +++ data/CVE/list 2016-10-10 04:37:39 UTC (rev 45170) @@ -1,3 +1,12 @@ +CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_size_of_val] + - dwarfdump + NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/11 +CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_abbrev_for_code] + - dwarfdump + NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/12 +CVE-2016- [dwarf_util.c: heap-based buffer overflow in _dwarf_get_abbrev_for_code second one] + - dwarfdump + NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/13 CVE-2016-8569 [DoS using a null pointer dereference in git_commit_message] - libgit2 (bug #840227) [jessie] - libgit2 (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
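Review bot: the three new entries in the @@ -1,3 hunk are filed under dwarfdump, which is not the source package name; r45174 above has to rename them to dwarfutils, and until that happens the issues are not associated with the package that receives the upload. The third title ("_dwarf_get_abbrev_for_code second one") distinguishes it from the second entry only by numbering; once the oss-security posts are read, the differing check or code path should be named in the title so the two are not merged by mistake.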
[Secure-testing-commits] r45169 - data
Author: rbalint Date: 2016-10-09 21:56:15 + (Sun, 09 Oct 2016) New Revision: 45169 Modified: data/dla-needed.txt Log: add kde-runtime as candidate to dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-10-09 19:34:20 UTC (rev 45168) +++ data/dla-needed.txt 2016-10-09 21:56:15 UTC (rev 45169) @@ -31,6 +31,9 @@ irssi NOTE: rhonda@d.o is preparing an upload. -- +kde-runtime + NOTE: We may not need to update, but I'm leaning toward fixing CVE-2016-7787, see #839865 +-- libarchive (Emilio Pozuelo) -- libass (Markus Koschany) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
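Review bot: the new kde-runtime block in the @@ -31,6 hunk has no claimant in parentheses, unlike the neighbouring entries (libarchive (Emilio Pozuelo), libass (Markus Koschany)), while its NOTE is written in the first person ("I'm leaning toward fixing CVE-2016-7787"), so a reader of the file cannot tell who "I" is; either claim the package with a name or attribute the NOTE, and record the decision (update or not) once #839865 settles it.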
[Secure-testing-commits] r45168 - data/CVE
Author: carnil Date: 2016-10-09 19:34:20 + (Sun, 09 Oct 2016) New Revision: 45168 Modified: data/CVE/list Log: Add bug reference for CVE-2016-7995, #840236 Modified: data/CVE/list === --- data/CVE/list 2016-10-09 19:28:38 UTC (rev 45167) +++ data/CVE/list 2016-10-09 19:34:20 UTC (rev 45168) @@ -1784,7 +1784,7 @@ NOTE: away from the default with QuantumDepth=8 CVE-2016-7995 [usb: hcd-ehci: memory leak in ehci_process_itd] RESERVED - - qemu + - qemu (bug #840236) [jessie] - qemu (Vulnerable code introduced in v2.6.0-rc0) [wheezy] - qemu (Vulnerable code introduced in v2.6.0-rc0) - qemu-kvm (Vulnerable code introduced in v2.6.0-rc0) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45167 - data/CVE
Author: carnil Date: 2016-10-09 19:28:38 + (Sun, 09 Oct 2016) New Revision: 45167 Modified: data/CVE/list Log: Update status for CVE-2016-7995 Note for reviewers: See the respective updated notes and please double check if this analysis is correct. Modified: data/CVE/list === --- data/CVE/list 2016-10-09 19:15:24 UTC (rev 45166) +++ data/CVE/list 2016-10-09 19:28:38 UTC (rev 45167) @@ -1785,10 +1785,15 @@ CVE-2016-7995 [usb: hcd-ehci: memory leak in ehci_process_itd] RESERVED - qemu - - qemu-kvm + [jessie] - qemu (Vulnerable code introduced in v2.6.0-rc0) + [wheezy] - qemu (Vulnerable code introduced in v2.6.0-rc0) + - qemu-kvm (Vulnerable code introduced in v2.6.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg06609.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1382668 - TODO: check versions + NOTE: Vulnerable code introduced in 49d925ce50383a286278143c05511d30ec41a36e + NOTE: Though this commit fixed an OOB read access issue which might need + NOTE: potentially a new separate CVE id if it does not have one yet. + TODO: double-check notes and analysis CVE-2016-7994 [virtio-gpu: memory leak in virtio_gpu_resource_create_2d] RESERVED - qemu (bug #840228) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
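Review bot: the NOTE block in the @@ -1785,10 hunk records that commit 49d925ce50383a286278143c05511d30ec41a36e also fixed an OOB read which "might need potentially a new separate CVE id"; that is a second issue and should get its own CVE-2016- [...] placeholder entry rather than living in a NOTE under CVE-2016-7995, where it is lost once this entry is closed. The "(Vulnerable code introduced in v2.6.0-rc0)" parentheticals on the jessie, wheezy and qemu-kvm lines give the reason but leave the status implicit; if these are meant as not affected, mark them so explicitly instead of relying on the reason text. As for the double-check requested in the log: the analysis is internally consistent (introducing commit 49d925ce, first released in v2.6.0-rc0, hence jessie, wheezy and qemu-kvm predate it), provided that commit really first appears in the 2.6 cycle, which is what the next reviewer should verify.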
[Secure-testing-commits] r45166 - data/CVE
Author: carnil Date: 2016-10-09 19:15:24 + (Sun, 09 Oct 2016) New Revision: 45166 Modified: data/CVE/list Log: Add bug reference for CVE-2016-7994/qemu, #840228 Modified: data/CVE/list === --- data/CVE/list 2016-10-09 18:07:18 UTC (rev 45165) +++ data/CVE/list 2016-10-09 19:15:24 UTC (rev 45166) @@ -1791,7 +1791,7 @@ TODO: check versions CVE-2016-7994 [virtio-gpu: memory leak in virtio_gpu_resource_create_2d] RESERVED - - qemu + - qemu (bug #840228) [jessie] - qemu (Vulnerable code introduced in 2.4.0-rc0) [wheezy] - qemu (Vulnerable code introduced in 2.4.0-rc0) - qemu-kvm (Vulnerable code introduced in 2.4.0-rc0) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45165 - data/CVE
Author: carnil Date: 2016-10-09 18:07:18 + (Sun, 09 Oct 2016) New Revision: 45165 Modified: data/CVE/list Log: Add bug reference for CVE-2016-856{8,9}/libgit2, #840227 Modified: data/CVE/list === --- data/CVE/list 2016-10-09 18:07:06 UTC (rev 45164) +++ data/CVE/list 2016-10-09 18:07:18 UTC (rev 45165) @@ -1,9 +1,9 @@ -CVE-2016-8569 - - libgit2 +CVE-2016-8569 [DoS using a null pointer dereference in git_commit_message] + - libgit2 (bug #840227) [jessie] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/issues/3937 -CVE-2016-8568 - - libgit2 +CVE-2016-8568 [Read out-of-bounds in git_oid_nfmt] + - libgit2 (bug #840227) [jessie] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/issues/3936 CVE-2016-8490 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45164 - data/CVE
Author: carnil Date: 2016-10-09 18:07:06 + (Sun, 09 Oct 2016) New Revision: 45164 Modified: data/CVE/list Log: Update information for CVE-2016-7994/qemu Modified: data/CVE/list === --- data/CVE/list 2016-10-09 17:19:06 UTC (rev 45163) +++ data/CVE/list 2016-10-09 18:07:06 UTC (rev 45164) @@ -1792,9 +1792,10 @@ CVE-2016-7994 [virtio-gpu: memory leak in virtio_gpu_resource_create_2d] RESERVED - qemu - - qemu-kvm + [jessie] - qemu (Vulnerable code introduced in 2.4.0-rc0) + [wheezy] - qemu (Vulnerable code introduced in 2.4.0-rc0) + - qemu-kvm (Vulnerable code introduced in 2.4.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg04129.html - TODO: check versions CVE-2016-7993 RESERVED CVE-2016-7992 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
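Review bot: the @@ -1792,9 hunk drops "TODO: check versions" in favour of "(Vulnerable code introduced in 2.4.0-rc0)" on the jessie, wheezy and qemu-kvm lines, but unlike the CVE-2016-7995 entry in r45167 it does not cite the introducing commit, so the 2.4.0-rc0 claim cannot be re-verified from the entry itself; add the commit id, make the not-affected intent explicit rather than leaving it in the reason text, and use the same version form (v2.6.0-rc0 vs 2.4.0-rc0) in both entries.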
[Secure-testing-commits] r45163 - data/CVE
Author: carnil Date: 2016-10-09 17:19:06 + (Sun, 09 Oct 2016) New Revision: 45163 Modified: data/CVE/list Log: Add workaround entry for mat Modified: data/CVE/list === --- data/CVE/list 2016-10-09 16:48:47 UTC (rev 45162) +++ data/CVE/list 2016-10-09 17:19:06 UTC (rev 45163) @@ -10557,6 +10557,8 @@ CVE-2016- [doesn't remove metadata in embedded images in PDFs] - mat 0.6.1-3 (bug #826101) [jessie] - mat (Documented short-coming, can possibly be fixed by migrating to new upstream release) + [wheezy] - mat 0.3.2-1+deb7u1 + NOTE: Workaround entry for DLA-650-1 until/if CVE is assigned NOTE: https://0xacab.org/mat/mat/issues/11067 NOTE: Patch in 0.6.1-3 disabled PDF support NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/06/02/5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
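Review bot: the new [wheezy] line in the @@ -10557,6 hunk records 0.3.2-1+deb7u1 as the fixed version, while the rest of the entry says the only patch so far (0.6.1-3) disabled PDF support and that the shortcoming can only be fixed properly by moving to a new upstream release; the NOTE should state what deb7u1 actually does (presumably the same PDF-support disable) so that the DLA-650-1 text and the tracker agree, and so the wheezy line is not read as the metadata-removal defect itself having been fixed.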
[Secure-testing-commits] r45162 - data/CVE
Author: jmm Date: 2016-10-09 16:48:47 + (Sun, 09 Oct 2016) New Revision: 45162 Modified: data/CVE/list Log: libgit no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-10-09 15:43:03 UTC (rev 45161) +++ data/CVE/list 2016-10-09 16:48:47 UTC (rev 45162) @@ -1,11 +1,11 @@ CVE-2016-8569 - libgit2 + [jessie] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/issues/3937 - TODO: check CVE-2016-8568 - libgit2 + [jessie] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/issues/3936 - TODO: check CVE-2016-8490 RESERVED CVE-2016-8489 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
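Review bot: the jessie lines added in the @@ -1,11 hunk classify both libgit2 issues as "Minor issue" while the entries at this revision carry no description at all (only the two upstream issue URLs), so the no-dsa decision is not self-explanatory from the file; add the bracketed summaries (r45165 above does this) and a short reason in the parentheses alongside "Minor issue".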
[Secure-testing-commits] r45161 - in data: . DLA
Author: mejo Date: 2016-10-09 15:43:03 + (Sun, 09 Oct 2016) New Revision: 45161 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-650-1 for mat Modified: data/DLA/list === --- data/DLA/list 2016-10-09 14:01:20 UTC (rev 45160) +++ data/DLA/list 2016-10-09 15:43:03 UTC (rev 45161) @@ -1,3 +1,5 @@ +[09 Oct 2016] DLA-650-1 mat - security update + [wheezy] - mat 0.3.2-1+deb7u1 [06 Oct 2016] DLA-649-1 python-django - security update {CVE-2016-7401} [wheezy] - python-django 1.4.22-1+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-10-09 14:01:20 UTC (rev 45160) +++ data/dla-needed.txt 2016-10-09 15:43:03 UTC (rev 45161) @@ -50,11 +50,6 @@ -- linux (Ben Hutchings) -- -mat (Jonas Meurer) - NOTE: the fix for this issue: https://security-tracker.debian.org/tracker/TEMP-0826101-4D75EC - is not available yet. It will be available in next upstream release (already - in upstream roadmap). --- mingw32 (Stephen Kitt) -- mpg123 (Jonas Meurer) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
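Review bot: the dla-needed.txt hunk removes a NOTE saying the fix for TEMP-0826101-4D75EC "is not available yet" and will only come with the next upstream release, while the DLA/list hunk reserves DLA-650-1 for an upload 0.3.2-1+deb7u1 now; the two statements contradict each other unless deb7u1 is a workaround rather than the upstream fix, which is what r45163 above calls it, so say so in the DLA entry. The entry also has no {CVE-...} set (expected, the CVE request is still open) and nothing else linking it to the CVE/list placeholder; add a reference so the advisory can be tied back to the tracker entry.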
[Secure-testing-commits] r45160 - data
Author: fw-guest Date: 2016-10-09 14:01:20 + (Sun, 09 Oct 2016) New Revision: 45160 Modified: data/dla-needed.txt Log: Claim dwarfutils in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-10-09 06:09:21 UTC (rev 45159) +++ data/dla-needed.txt 2016-10-09 14:01:20 UTC (rev 45160) @@ -13,6 +13,8 @@ -- bash (Ola Lundqvist) -- +dwarfutils (Fabian Wolff) +-- gcc-mingw-w64 (Stephen Kitt) -- ghostscript (Roberto C. Sánchez) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
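Review bot: dwarfutils is claimed in the @@ -13,6 hunk before data/CVE/list has any entry for it; the three issues only enter the list in r45170 (under the binary name dwarfdump) and get the source name in r45174, so until then the claim points at nothing a tracker reader can find. Add the CVE/list entries together with the claim, or reference the oss-security posts in a NOTE under the claim.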