[Secure-testing-commits] r47093 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 07:07:28 + (Thu, 15 Dec 2016)
New Revision: 47093

Modified:
   data/CVE/list
Log:
Fix spacing in subject for CVE-2016-9588

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 07:06:15 UTC (rev 47092)
+++ data/CVE/list   2016-12-15 07:07:28 UTC (rev 47093)
@@ -7904,7 +7904,7 @@
RESERVED
 CVE-2016-9589
RESERVED
-CVE-2016-9588 [kvm: nVMX: uncaught software exceptions in L1  guest lead to 
DoS]
+CVE-2016-9588 [kvm: nVMX: uncaught software exceptions in L1 guest lead to DoS]
RESERVED
- linux 
NOTE: https://www.spinics.net/lists/kvm/msg142495.html


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r47092 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 07:06:15 + (Thu, 15 Dec 2016)
New Revision: 47092

Modified:
   data/CVE/list
Log:
Add CVE-2016-9588/linux

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 06:36:46 UTC (rev 47091)
+++ data/CVE/list   2016-12-15 07:06:15 UTC (rev 47092)
@@ -7904,8 +7904,10 @@
RESERVED
 CVE-2016-9589
RESERVED
-CVE-2016-9588
+CVE-2016-9588 [kvm: nVMX: uncaught software exceptions in L1  guest lead to 
DoS]
RESERVED
+   - linux 
+   NOTE: https://www.spinics.net/lists/kvm/msg142495.html
 CVE-2016-9587
RESERVED
 CVE-2016-9586
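Review bot: the new CVE-2016-9588 entry records only the kvm list discussion (spinics msg142495) and no fix reference, so nothing in the file says which upstream commit closes the nVMX issue or whether it has been merged yet. Add a "NOTE: Fixed by: ..." line once the patch lands, as the kernel entry for CVE-2016-9755 in this batch does, and note whether the nested-VMX code in question exists in the jessie and wheezy kernels so the suite lines can be set in the same edit.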




[Secure-testing-commits] r47091 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 06:36:46 + (Thu, 15 Dec 2016)
New Revision: 47091

Modified:
   data/CVE/list
Log:
Mark CVE-2016-9585 as NFU, Red Hat specific CVE

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 06:35:32 UTC (rev 47090)
+++ data/CVE/list   2016-12-15 06:36:46 UTC (rev 47091)
@@ -7912,6 +7912,7 @@
RESERVED
 CVE-2016-9585
RESERVED
+   NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5
 CVE-2016-9584
RESERVED
 CVE-2016-9583 [Out of bounds heap read in jpc_pi_nextpcrl()]
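Review bot: the NOT-FOR-US line states a reason but no reference backing the claim that CVE-2016-9585 is specific to the JMX endpoint of JBoss EAP 5, and the entry still reads RESERVED. A NOTE with the Red Hat bug or advisory the determination came from would let a later triager re-check it once the CVE text is published, as the bugzilla and spinics NOTE lines elsewhere in this file allow.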




[Secure-testing-commits] r47090 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 06:35:32 + (Thu, 15 Dec 2016)
New Revision: 47090

Modified:
   data/CVE/list
Log:
Mark CVE-2016-8609 as NFU

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 06:33:31 UTC (rev 47089)
+++ data/CVE/list   2016-12-15 06:35:32 UTC (rev 47090)
@@ -11343,6 +11343,7 @@
NOTE: 
https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e
 CVE-2016-8609
RESERVED
+   NOT-FOR-US: Keycloak
 CVE-2016-8608
RESERVED
NOT-FOR-US: JBoss BPMS




[Secure-testing-commits] r47089 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 06:33:31 + (Thu, 15 Dec 2016)
New Revision: 47089

Modified:
   data/CVE/list
Log:
Add CVE-2016-9571 from external check

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 05:55:09 UTC (rev 47088)
+++ data/CVE/list   2016-12-15 06:33:31 UTC (rev 47089)
@@ -7970,6 +7970,8 @@
NOTE: 
https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
 CVE-2016-9571
RESERVED
+   - resteasy 
+   TODO: check details
 CVE-2016-9570
RESERVED
 CVE-2016-9569
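Review bot: assigning CVE-2016-9571 to resteasy with only "TODO: check details" leaves no trace of where the assignment came from; the log says "from external check" but the hunk records no URL. Add a NOTE with the source (bug tracker or advisory) next to the TODO, otherwise the next person cannot tell whether resteasy is the right source package or what "details" still need checking.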




[Secure-testing-commits] r47088 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 05:55:09 + (Thu, 15 Dec 2016)
New Revision: 47088

Modified:
   data/CVE/list
Log:
Add bug for apport, #848213

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 05:50:16 UTC (rev 47087)
+++ data/CVE/list   2016-12-15 05:55:09 UTC (rev 47088)
@@ -2,17 +2,17 @@
- flightgear 1:2016.4.3+dfsg-1 (bug #848114)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/12/14/11
 CVE-2016-9951
-   [experimental] - apport 
+   [experimental] - apport  (bug #848213)
NOTE: apport only in experimental, so we cannot track this in 
security-tracker
NOTE: add it, as we have an explicit (bug) reference for apport
NOTE: https://bugs.launchpad.net/apport/+bug/1648806
 CVE-2016-9950
-   [experimental] - apport 
+   [experimental] - apport  (bug #848213)
NOTE: apport only in experimental, so we cannot track this in 
security-tracker
NOTE: add it, as we have an explicit (bug) reference for apport
NOTE: https://bugs.launchpad.net/apport/+bug/1648806
 CVE-2016-9949
-   [experimental] - apport 
+   [experimental] - apport  (bug #848213)
NOTE: apport only in experimental, so we cannot track this in 
security-tracker
NOTE: add it, as we have an explicit (bug) reference for apport
NOTE: https://bugs.launchpad.net/apport/+bug/1648806




[Secure-testing-commits] r47087 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 05:50:16 + (Thu, 15 Dec 2016)
New Revision: 47087

Modified:
   data/CVE/list
Log:
Add three apport CVEs

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 05:35:05 UTC (rev 47086)
+++ data/CVE/list   2016-12-15 05:50:16 UTC (rev 47087)
@@ -1,6 +1,21 @@
 CVE-2016- [Allows the route manager to overwrite arbitrary files]
- flightgear 1:2016.4.3+dfsg-1 (bug #848114)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/12/14/11
+CVE-2016-9951
+   [experimental] - apport 
+   NOTE: apport only in experimental, so we cannot track this in 
security-tracker
+   NOTE: add it, as we have an explicit (bug) reference for apport
+   NOTE: https://bugs.launchpad.net/apport/+bug/1648806
+CVE-2016-9950
+   [experimental] - apport 
+   NOTE: apport only in experimental, so we cannot track this in 
security-tracker
+   NOTE: add it, as we have an explicit (bug) reference for apport
+   NOTE: https://bugs.launchpad.net/apport/+bug/1648806
+CVE-2016-9949
+   [experimental] - apport 
+   NOTE: apport only in experimental, so we cannot track this in 
security-tracker
+   NOTE: add it, as we have an explicit (bug) reference for apport
+   NOTE: https://bugs.launchpad.net/apport/+bug/1648806
 CVE-2016-9948
RESERVED
 CVE-2016-9947
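Review bot: the three new apport entries (CVE-2016-9949, CVE-2016-9950, CVE-2016-9951) have no bracketed summary, unlike the flightgear entry directly above, and all three point at the same Launchpad bug 1648806, so the file does not show what distinguishes the three ids; a one-line description per CVE would make that visible. The pair of NOTEs "we cannot track this in security-tracker" followed by "add it" also reads as contradictory; one sentence saying the entry is informational only because apport is in experimental would be clearer.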




[Secure-testing-commits] r47086 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 05:35:05 + (Thu, 15 Dec 2016)
New Revision: 47086

Modified:
   data/CVE/list
Log:
Reference CVE request for game-music-emu

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 05:21:50 UTC (rev 47085)
+++ data/CVE/list   2016-12-15 05:35:05 UTC (rev 47086)
@@ -30,6 +30,7 @@
[jessie] - game-music-emu 0.5.5-2+deb8u1
NOTE: Workaround entry for DSA-3735-1 until CVE assigned
NOTE: 
http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/12/15/1
 CVE-2016-9939 [denial-of-service in ASN1 decoder]
RESERVED
- libcrypto++  (bug #848009)




[Secure-testing-commits] r47085 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 05:21:50 + (Thu, 15 Dec 2016)
New Revision: 47085

Modified:
   data/CVE/list
Log:
Mark nvidia-graphics-drivers* as no-dsa, not supported for security

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 05:16:52 UTC (rev 47084)
+++ data/CVE/list   2016-12-15 05:21:50 UTC (rev 47085)
@@ -10422,8 +10422,12 @@
 CVE-2016-8826 [DoS via GPU interrupt storm]
RESERVED
- nvidia-graphics-drivers  (bug #848195)
+   [jessie] - nvidia-graphics-drivers  (Non-free not supported)
+   [wheezy] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx  (bug #848196)
- nvidia-graphics-drivers-legacy-304xx  (bug #848197)
+   [jessie] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
+   [wheezy] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4278
 CVE-2016-8825
RESERVED
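Review bot: nvidia-graphics-drivers and nvidia-graphics-drivers-legacy-304xx get [jessie] and [wheezy] lines with the "Non-free not supported" reason, but nvidia-graphics-drivers-legacy-340xx (bug #848196) gets none. If that package does not exist in jessie or wheezy the omission is fine, otherwise it will keep showing as open there; a short NOTE stating which it is would save a second look.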




[Secure-testing-commits] r47084 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-15 05:16:52 + (Thu, 15 Dec 2016)
New Revision: 47084

Modified:
   data/CVE/list
Log:
Clarify association with DSA-3735-1

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 03:38:42 UTC (rev 47083)
+++ data/CVE/list   2016-12-15 05:16:52 UTC (rev 47084)
@@ -28,6 +28,7 @@
 CVE-2016- [code execution in SNES code]
- game-music-emu 0.6.0-4 (bug #848071)
[jessie] - game-music-emu 0.5.5-2+deb8u1
+   NOTE: Workaround entry for DSA-3735-1 until CVE assigned
NOTE: 
http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html
 CVE-2016-9939 [denial-of-service in ASN1 decoder]
RESERVED
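Review bot: the "Workaround entry for DSA-3735-1" NOTE is the only link between this placeholder "CVE-2016-" entry and the DSA; the DSA-3735-1 line in data/DSA/list (added in r47075 below) carries no {CVE-...} block. When the id is assigned, both the entry name here and the DSA list line need updating, so it is worth saying in the NOTE which DSA line to touch so the follow-up is not missed.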




[Secure-testing-commits] r47083 - data/CVE

2016-12-14 Thread Paul Wise
Author: pabs
Date: 2016-12-15 03:38:42 + (Thu, 15 Dec 2016)
New Revision: 47083

Modified:
   data/CVE/list
Log:
one more nvidia source package

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 03:13:46 UTC (rev 47082)
+++ data/CVE/list   2016-12-15 03:38:42 UTC (rev 47083)
@@ -10422,6 +10422,7 @@
RESERVED
- nvidia-graphics-drivers  (bug #848195)
- nvidia-graphics-drivers-legacy-340xx  (bug #848196)
+   - nvidia-graphics-drivers-legacy-304xx  (bug #848197)
NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4278
 CVE-2016-8825
RESERVED




[Secure-testing-commits] r47082 - data/CVE

2016-12-14 Thread Paul Wise
Author: pabs
Date: 2016-12-15 03:13:46 + (Thu, 15 Dec 2016)
New Revision: 47082

Modified:
   data/CVE/list
Log:
most: CVE-2016-1253: fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 03:11:45 UTC (rev 47081)
+++ data/CVE/list   2016-12-15 03:13:46 UTC (rev 47082)
@@ -36223,7 +36223,7 @@
RESERVED
 CVE-2016-1253 [shell injection attack using LZMA-compressed files]
RESERVED
-   - most  (bug #848132)
+   - most 5.0.0a-3 (bug #848132)
 CVE-2016-1252
RESERVED
{DSA-3733-1}




[Secure-testing-commits] r47081 - data/CVE

2016-12-14 Thread Paul Wise
Author: pabs
Date: 2016-12-15 03:11:45 + (Thu, 15 Dec 2016)
New Revision: 47081

Modified:
   data/CVE/list
Log:
nvidia-graphics-drivers DoS

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 00:53:45 UTC (rev 47080)
+++ data/CVE/list   2016-12-15 03:11:45 UTC (rev 47081)
@@ -10418,8 +10418,11 @@
RESERVED
 CVE-2016-8827
RESERVED
-CVE-2016-8826
+CVE-2016-8826 [DoS via GPU interrupt storm]
RESERVED
+   - nvidia-graphics-drivers  (bug #848195)
+   - nvidia-graphics-drivers-legacy-340xx  (bug #848196)
+   NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4278
 CVE-2016-8825
RESERVED
 CVE-2016-8824




[Secure-testing-commits] r47080 - data/CVE

2016-12-14 Thread Markus Koschany
Author: apo
Date: 2016-12-15 00:53:45 + (Thu, 15 Dec 2016)
New Revision: 47080

Modified:
   data/CVE/list
Log:
Mark all open bluez CVEs as  for Wheezy because

the real-life impact for users is minimal. This is a minor issue.



Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 23:49:56 UTC (rev 47079)
+++ data/CVE/list   2016-12-15 00:53:45 UTC (rev 47080)
@@ -128,10 +128,12 @@
 CVE-2016-9918 (In BlueZ 5.42, an out-of-bounds read was identified in 
"packet_hexdump" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html
 CVE-2016-9917 (In BlueZ 5.42, a buffer overflow was observed in 
"read_n" function in ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
 CVE-2016-9906
RESERVED
@@ -7458,34 +7460,42 @@
 CVE-2016-9804 (In BlueZ 5.42, a buffer overflow was observed in 
"commands_dump" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
 CVE-2016-9803 (In BlueZ 5.42, an out-of-bounds read was observed in 
"le_meta_ev_dump" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
 CVE-2016-9802 (In BlueZ 5.42, a buffer over-read was identified in 
"l2cap_packet" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html
 CVE-2016-9801 (In BlueZ 5.42, a buffer overflow was observed in 
"set_ext_ctrl" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
 CVE-2016-9800 (In BlueZ 5.42, a buffer overflow was observed in 
"pin_code_reply_dump" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
 CVE-2016-9799 (In BlueZ 5.42, a buffer overflow was observed in 
"pklg_read_hci" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html
 CVE-2016-9798 (In BlueZ 5.42, a use-after-free was identified in 
"conf_opt" function ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
 CVE-2016-9797 (In BlueZ 5.42, a buffer over-read was observed in 
"l2cap_dump" function ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
+   [wheezy] - bluez  (Minor issue)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
 CVE-2016-9794 [Linux kernel: ALSA: use-after-free in,kill_fasync]
RESERVED
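Review bot: the same "Minor issue" justification is applied to all nine bluez entries, but they are not of one kind: CVE-2016-9798 is a use-after-free in conf_opt, CVE-2016-9917, CVE-2016-9804, CVE-2016-9801, CVE-2016-9800 and CVE-2016-9799 are buffer overflows, and the rest are over-reads. If the reasoning is the one in the log (minimal real-life impact for users), a NOTE stating why in the entries themselves would pre-empt the question of whether a use-after-free really belongs under the same blanket reason as the read overflows.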




[Secure-testing-commits] r47079 - data

2016-12-14 Thread Markus Koschany
Author: apo
Date: 2016-12-14 23:49:56 + (Wed, 14 Dec 2016)
New Revision: 47079

Modified:
   data/dla-needed.txt
Log:
Add game-music-emu to dla-needed.txt


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-12-14 23:43:12 UTC (rev 47078)
+++ data/dla-needed.txt 2016-12-14 23:49:56 UTC (rev 47079)
@@ -17,6 +17,8 @@
 --
 firefox-esr (Emilio Pozuelo)
 --
+game-music-emu
+--
 graphicsmagick
   NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next 
upload.
   NOTE: Incomplete/Incorrect fix as per 
https://lists.debian.org/debian-lts/2016/12/msg00077.html
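Review bot: game-music-emu is added to dla-needed.txt without any NOTE, while the graphicsmagick entry right below carries pointers to what needs doing. The CVE entry is still the placeholder "CVE-2016-" with bug #848071, and DSA-3735-1 already covers jessie (r47075), so a NOTE with the bug number, the DSA and the blog post URL from the CVE entry would give the wheezy uploader the context, and the line should be updated once the CVE id is assigned.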




[Secure-testing-commits] r47078 - data/CVE

2016-12-14 Thread Markus Koschany
Author: apo
Date: 2016-12-14 23:43:12 + (Wed, 14 Dec 2016)
New Revision: 47078

Modified:
   data/CVE/list
Log:
Mark openjdk-6 CVEs in Wheezy as 
-- This and the following lines will be ignored --

M    data/CVE/list


Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 23:33:52 UTC (rev 47077)
+++ data/CVE/list   2016-12-14 23:43:12 UTC (rev 47078)
@@ -21183,6 +21183,7 @@
- openjdk-7 
NOTE: #841692 tracks openjdk-7
- openjdk-6 
+   [wheezy] - openjdk-6 
 CVE-2016-5596 (Unspecified vulnerability in the Oracle CRM Technical 
Foundation ...)
TODO: check
 CVE-2016-5595 (Unspecified vulnerability in the Oracle Customer Interaction 
History ...)
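Review bot: each of the five hunks in this commit adds a bare "[wheezy] - openjdk-6" line with no reason text, and the commit log was swallowed by the svn editor template ("This and the following lines will be ignored", "M data/CVE/list"), so neither the hunk nor the log records why wheezy is being marked. Put the reason in parentheses on the [wheezy] line, as the bluez and nvidia entries in this batch do ("Minor issue", "Non-free not supported"), and fix the log message so the rationale survives in history.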
@@ -21223,6 +21224,7 @@
- openjdk-7 
NOTE: #841692 tracks openjdk-7
- openjdk-6 
+   [wheezy] - openjdk-6 
 CVE-2016-5581 (Unspecified vulnerability in the Oracle iRecruitment component 
in ...)
TODO: check
 CVE-2016-5580 (Unspecified vulnerability in the Secure Global Desktop 
component in ...)
@@ -21246,6 +21248,7 @@
- openjdk-7 
NOTE: #841692 tracks openjdk-7
- openjdk-6 
+   [wheezy] - openjdk-6 
 CVE-2016-5572 (Unspecified vulnerability in the Kernel PDB component in Oracle 
...)
TODO: check
 CVE-2016-5571 (Unspecified vulnerability in the Oracle Applications DBA 
component in ...)
@@ -21293,6 +21296,7 @@
- openjdk-7 
NOTE: #841692 tracks openjdk-7
- openjdk-6 
+   [wheezy] - openjdk-6 
 CVE-2016-5553 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 
allows ...)
NOT-FOR-US: Solaris
 CVE-2016-5552
@@ -21322,6 +21326,7 @@
- openjdk-7 
NOTE: #841692 tracks openjdk-7
- openjdk-6 
+   [wheezy] - openjdk-6 
 CVE-2016-5541
RESERVED
 CVE-2016-5540 (Unspecified vulnerability in the Oracle Retail Xstore Payment 
...)




[Secure-testing-commits] r47077 - data/CVE

2016-12-14 Thread Markus Koschany
Author: apo
Date: 2016-12-14 23:33:52 + (Wed, 14 Dec 2016)
New Revision: 47077

Modified:
   data/CVE/list
Log:
CVE-2016-9583, jasper: Clarify that the vulnerability is not present in

Wheezy and Jessie and suggest implementing the check when more important issues
are found. Leave as  for Wheezy so that the issue continues to be
on the radar.


Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 23:33:15 UTC (rev 47076)
+++ data/CVE/list   2016-12-14 23:33:52 UTC (rev 47077)
@@ -7892,6 +7892,9 @@
- jasper 
NOTE: https://github.com/mdadams/jasper/issues/103
NOTE: Fixed by 
https://github.com/mdadams/jasper/commit/99a50593254d1b53002719bbecfc946c84b23d27
+   NOTE: The issue exists due to an overflow check which is not present
+   NOTE: in Wheezy and Jessie. However it makes sense to implement this 
check.
+   NOTE: This can be done when more important issues are found [wheezy].
 CVE-2016-9582
RESERVED
 CVE-2016-9581 [infinite loop in tiftoimage resulting into heap buffer overflow 
in convert_32s_C1P1]
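Review bot: the new NOTE is ambiguous about the suite status it justifies. "The issue exists due to an overflow check which is not present in Wheezy and Jessie" can mean either that the out-of-bounds read is in the check itself (so the old code is not affected) or that the check is the fix the old code lacks (so the old code is vulnerable); the next sentence, "it makes sense to implement this check", points to the second reading, which contradicts the log's "not present in Wheezy and Jessie". Also, the trailing "[wheezy]" inside a NOTE line is not a suite marker the tracker parses; express the postponement on a proper "[wheezy] - jasper" line with the reason, and keep the NOTE to the technical explanation.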




[Secure-testing-commits] r47076 - data/CVE

2016-12-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-12-14 23:33:15 + (Wed, 14 Dec 2016)
New Revision: 47076

Modified:
   data/CVE/list
Log:
dovecot fixed


Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 23:25:39 UTC (rev 47075)
+++ data/CVE/list   2016-12-14 23:33:15 UTC (rev 47076)
@@ -11076,7 +11076,7 @@
NOT-FOR-US: JMX endpoint of Red Hat JBoss Fuse 6 and Red Hat A-MQ 6
 CVE-2016-8652
RESERVED
-   - dovecot  (bug #846605)
+   - dovecot 1:2.2.27-1 (bug #846605)
[jessie] - dovecot  (Only affects 2.2.25 up and including 
2.2.26.1)
[wheezy] - dovecot  (Only affects 2.2.25 up and including 
2.2.26.1)
 CVE-2016-8651




[Secure-testing-commits] r47075 - in data: CVE DSA

2016-12-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-12-14 23:25:39 + (Wed, 14 Dec 2016)
New Revision: 47075

Modified:
   data/CVE/list
   data/DSA/list
Log:
game-music-emu DSA


Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 22:48:58 UTC (rev 47074)
+++ data/CVE/list   2016-12-14 23:25:39 UTC (rev 47075)
@@ -27,6 +27,7 @@
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/12/14/7
 CVE-2016- [code execution in SNES code]
- game-music-emu 0.6.0-4 (bug #848071)
+   [jessie] - game-music-emu 0.5.5-2+deb8u1
NOTE: 
http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html
 CVE-2016-9939 [denial-of-service in ASN1 decoder]
RESERVED

Modified: data/DSA/list
===
--- data/DSA/list   2016-12-14 22:48:58 UTC (rev 47074)
+++ data/DSA/list   2016-12-14 23:25:39 UTC (rev 47075)
@@ -1,3 +1,5 @@
+[15 Dec 2016] DSA-3735-1 game-music-emu - security update
+   [jessie] - game-music-emu 0.5.5-2+deb8u1
 [14 Dec 2016] DSA-3734-1 firefox-esr - security update
{CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9899 
CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904 CVE-2016-9905}
[jessie] - firefox-esr 45.6.0esr-1~deb8u1




[Secure-testing-commits] r47074 - data/CVE

2016-12-14 Thread Markus Koschany
Author: apo
Date: 2016-12-14 22:48:58 + (Wed, 14 Dec 2016)
New Revision: 47074

Modified:
   data/CVE/list
Log:
CVE-2016-9583, jasper: Add link to patch


Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 21:10:13 UTC (rev 47073)
+++ data/CVE/list   2016-12-14 22:48:58 UTC (rev 47074)
@@ -7890,6 +7890,7 @@
RESERVED
- jasper 
NOTE: https://github.com/mdadams/jasper/issues/103
+   NOTE: Fixed by 
https://github.com/mdadams/jasper/commit/99a50593254d1b53002719bbecfc946c84b23d27
 CVE-2016-9582
RESERVED
 CVE-2016-9581 [infinite loop in tiftoimage resulting into heap buffer overflow 
in convert_32s_C1P1]




[Secure-testing-commits] r47073 - data/CVE

2016-12-14 Thread security tracker role
Author: sectracker
Date: 2016-12-14 21:10:13 + (Wed, 14 Dec 2016)
New Revision: 47073

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 20:51:59 UTC (rev 47072)
+++ data/CVE/list   2016-12-14 21:10:13 UTC (rev 47073)
@@ -136,11 +136,13 @@
RESERVED
 CVE-2016-9905
RESERVED
+   {DSA-3734-1}
- firefox  (Only affects Firefox 45 ESR series)
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9905
 CVE-2016-9904
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9904
@@ -151,31 +153,37 @@
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9903
 CVE-2016-9902
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9902
 CVE-2016-9901
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9901
 CVE-2016-9900
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9900
 CVE-2016-9899
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9899
 CVE-2016-9898
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9898
 CVE-2016-9897
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9897
@@ -186,6 +194,7 @@
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9896
 CVE-2016-9895
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9895
@@ -196,6 +205,7 @@
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9894
 CVE-2016-9893
RESERVED
+   {DSA-3734-1}
- firefox 50.1.0-1
- firefox-esr 45.6.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9893
@@ -9378,42 +9388,42 @@
RESERVED
 CVE-2016-9216
RESERVED
-CVE-2016-9215
-   RESERVED
-CVE-2016-9214
-   RESERVED
+CVE-2016-9215 (A vulnerability in Cisco IOS XR Software could allow an 
authenticated, ...)
+   TODO: check
+CVE-2016-9214 (Cisco Identity Services Engine (ISE) contains a vulnerability 
that ...)
+   TODO: check
 CVE-2016-9213
RESERVED
-CVE-2016-9212
-   RESERVED
-CVE-2016-9211
-   RESERVED
-CVE-2016-9210
-   RESERVED
-CVE-2016-9209
-   RESERVED
-CVE-2016-9208
-   RESERVED
-CVE-2016-9207
-   RESERVED
-CVE-2016-9206
-   RESERVED
-CVE-2016-9205
-   RESERVED
-CVE-2016-9204
-   RESERVED
-CVE-2016-9203
-   RESERVED
-CVE-2016-9202
-   RESERVED
-CVE-2016-9201
-   RESERVED
-CVE-2016-9200
-   RESERVED
-CVE-2016-9199
-   RESERVED
-CVE-2016-9198
-   RESERVED
+CVE-2016-9212 (A vulnerability in the Decrypt for End-User Notification 
configuration ...)
+   TODO: check
+CVE-2016-9211 (A vulnerability in TCP port management in Cisco ONS 15454 
Series ...)
+   TODO: check
+CVE-2016-9210 (A vulnerability in the Cisco Unified Reporting upload tool 
accessed via ...)
+   TODO: check
+CVE-2016-9209 (A vulnerability in TCP processing in Cisco FirePOWER system 
software ...)
+   TODO: check
+CVE-2016-9208 (A vulnerability in the File Management Utility, the Download 
File form, ...)
+   TODO: check
+CVE-2016-9207 (A vulnerability in the HTTP traffic server component of Cisco 
...)
+   TODO: check
+CVE-2016-9206 (A vulnerability in the ccmadmin page of Cisco Unified 
Communications ...)
+   TODO: check
+CVE-2016-9205 (A vulnerability in the HTTP 2.0 request handling code of Cisco 
IOS XR ...)
+   TODO: check
+CVE-2016-9204 (A vulnerability in the Cisco Intercloud Fabric (ICF) Director 
could ...)
+   TODO: check
+CVE-2016-9203 (A vulnerability in the Internet Key Exchange Version 2 (IKEv2) 
feature ...)
+   TODO: check
+CVE-2016-9202 (A vulnerability in the web-based management interface of Cisco 
Email ...)
+   TODO: check
+CVE-2016-9201 (A vulnerability in the Zone-Based Firewall feature of Cisco IOS 
and ...)
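Review bot: the fourteen entries visible here from CVE-2016-9215 down to CVE-2016-9201 all get "TODO: check", yet their descriptions name Cisco products (IOS XR, ISE, ONS 15454, FirePOWER, Unified Communications, Intercloud Fabric, Email Security, Zone-Based Firewall). The automatic update cannot decide this, but the follow-up can mark those in one pass as "NOT-FOR-US: Cisco", matching the NOT-FOR-US lines used for JBoss and Keycloak in this batch, leaving only CVE-2016-9212 and CVE-2016-9208, whose truncated descriptions do not name the vendor, for an individual look.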

[Secure-testing-commits] r47072 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 20:51:59 + (Wed, 14 Dec 2016)
New Revision: 47072

Modified:
   data/CVE/list
Log:
Add fixed version for #848114 for unstable upload

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 20:42:46 UTC (rev 47071)
+++ data/CVE/list   2016-12-14 20:51:59 UTC (rev 47072)
@@ -1,5 +1,5 @@
 CVE-2016- [Allows the route manager to overwrite arbitrary files]
-   - flightgear  (bug #848114)
+   - flightgear 1:2016.4.3+dfsg-1 (bug #848114)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/12/14/11
 CVE-2016-9948
RESERVED




[Secure-testing-commits] r47071 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 20:42:46 + (Wed, 14 Dec 2016)
New Revision: 47071

Modified:
   data/CVE/list
Log:
Add TODO for CVE-2016-9574, is being clarified

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 16:47:48 UTC (rev 47070)
+++ data/CVE/list   2016-12-14 20:42:46 UTC (rev 47071)
@@ -7915,6 +7915,7 @@
RESERVED
- nss 
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1320695
+   TODO: Currently beeing clarified which change after 3.17 and 3.21 
addressed the issue
 CVE-2016-9573
RESERVED
- openjpeg2 
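Review bot: "beeing" is misspelled in the new TODO line. More usefully, the TODO should name the NSS versions shipped in jessie and wheezy against the 3.17 and 3.21 range it mentions, so that whoever resolves it can set the suite lines in the same edit; as it stands the entry has "- nss" with no fixed version and no [jessie] or [wheezy] status.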




[Secure-testing-commits] r47070 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 16:47:48 + (Wed, 14 Dec 2016)
New Revision: 47070

Modified:
   data/CVE/list
Log:
Update status for CVE-2016-9773/imagemagick

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 16:36:37 UTC (rev 47069)
+++ data/CVE/list   2016-12-14 16:47:48 UTC (rev 47070)
@@ -8470,11 +8470,11 @@
NOTE: https://github.com/ImageMagick/ImageMagick/issues/298
 CVE-2016-9773 [Incomplete fix for CVE-2016-9556]
RESERVED
-   - imagemagick 
+   - imagemagick  (Affects only the ImageMagick-7 branch, 
cf. NOTE)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/4e8c2ed53fcb54a34b3a6185b2584f26cf6874a3
NOTE: 
https://blogs.gentoo.org/ago/2016/12/01/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h-incomplete-fix-for-cve-2016-9556/
NOTE: https://github.com/ImageMagick/ImageMagick/issues/312
-   TODO: double-check, the incomplete fix might not affect the 
ImageMagick-6 branch
+   NOTE: Upstream statement: 
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31045
 CVE-2016-9556 [Heap buffer overflow in heap-buffer-overflow in IsPixelGray]
RESERVED
{DSA-3726-1}




[Secure-testing-commits] r47069 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 16:36:37 + (Wed, 14 Dec 2016)
New Revision: 47069

Modified:
   data/CVE/list
Log:
Add CVE-2016-9575/freeipa

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 16:36:26 UTC (rev 47068)
+++ data/CVE/list   2016-12-14 16:36:37 UTC (rev 47069)
@@ -7907,8 +7907,10 @@
NOTE: https://marc.info/?l=linux-scsi&m=148010092224801&w=2
NOTE: 
https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt
NOTE: Fixed by: 
https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
-CVE-2016-9575
+CVE-2016-9575 [Insufficient permission check in certprofile-mod]
RESERVED
+   - freeipa 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1395311
 CVE-2016-9574 [Remote DoS during session handshake when using SessionTicket 
extention and ECDHE-ECDSA]
RESERVED
- nss 
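Review bot: CVE-2016-9575 is assigned to freeipa with only the Red Hat bugzilla link; unlike the CVE-2016-7030 freeipa entry added in r47067 below, which carries "TODO: check if applies to Debian package as well", nothing records whether the certprofile-mod permission check is reachable in the Debian build or which upstream fix applies. Add the same TODO or a "NOTE: Fixed by:" reference so the entry can be resolved without re-reading the bugzilla.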




[Secure-testing-commits] r47068 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 16:36:26 + (Wed, 14 Dec 2016)
New Revision: 47068

Modified:
   data/CVE/list
Log:
Add CVE-2016-9574

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 16:31:51 UTC (rev 47067)
+++ data/CVE/list   2016-12-14 16:36:26 UTC (rev 47068)
@@ -7909,8 +7909,10 @@
NOTE: Fixed by: 
https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
 CVE-2016-9575
RESERVED
-CVE-2016-9574
+CVE-2016-9574 [Remote DoS during session handshake when using SessionTicket 
extention and ECDHE-ECDSA]
RESERVED
+   - nss 
+   NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1320695
 CVE-2016-9573
RESERVED
- openjpeg2 
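Review bot: the new subject line has a typo, `extention` should be `extension`, and the same line appears wrapped across two lines here (`SessionTicket ` / `extention and ECDHE-ECDSA]`); the subject must stay on a single line in the file for the tracker to parse it. As with the other new entries, the `- nss ` line shows no status token in this rendering, so check that `<unfixed>` survived the commit.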




[Secure-testing-commits] r47067 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 16:31:51 + (Wed, 14 Dec 2016)
New Revision: 47067

Modified:
   data/CVE/list
Log:
Add CVE-2016-7030

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 16:09:48 UTC (rev 47066)
+++ data/CVE/list   2016-12-14 16:31:51 UTC (rev 47067)
@@ -16301,8 +16301,11 @@
NOTE: http://tracker.ceph.com/issues/13207
NOTE: https://github.com/ceph/ceph/pull/6057
NOTE: https://github.com/ceph/ceph/pull/11045
-CVE-2016-7030
+CVE-2016-7030 [DoS attack against kerberized services by abusing password 
policy]
RESERVED
+   - freeipa 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1370493
+   TODO: check if applies to Debian package as well, builds at least with 
Kerberos support
 CVE-2016-7029
RESERVED
 CVE-2016-7027
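Review bot: the TODO records an open question (whether the Debian package, which builds with Kerberos support, is affected) while the `- freeipa ` line already lists the package as affected with no status or version token; until that check is done, `<undetermined>` would state the situation more precisely than an empty field. The subject `[DoS attack against kerberized services by abusing password policy]` is wrapped across two lines in this mail and must be a single line in the file.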




[Secure-testing-commits] r47066 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 16:09:48 + (Wed, 14 Dec 2016)
New Revision: 47066

Modified:
   data/CVE/list
Log:
Update status for jessie and wheezy for CVE-2016-9755

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 16:01:56 UTC (rev 47065)
+++ data/CVE/list   2016-12-14 16:09:48 UTC (rev 47066)
@@ -7529,6 +7529,8 @@
 CVE-2016-9755 [net: out-of-bounds due do a signedness issue when defragging 
ipv6]
RESERVED
- linux 
+   [jessie] - linux  (Vulnerable code introduced later)
+   [wheezy] - linux  (Vulnerable code introduced later)
NOTE: Fixed by: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa
 (v4.9-rc8)
NOTE: https://groups.google.com/forum/#!topic/syzkaller/GFbGpX7nTEo
 CVE-2016-9684
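Review bot: the added `[jessie]` and `[wheezy]` lines show only the package name and the parenthetical reason `(Vulnerable code introduced later)`; the intended status token is `<not-affected>`, which this rendering has stripped, so verify it is present in the file. While touching the entry, the context subject line reads `due do a signedness issue` and should be `due to a signedness issue`.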




[Secure-testing-commits] r47065 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 16:01:56 + (Wed, 14 Dec 2016)
New Revision: 47065

Modified:
   data/CVE/list
Log:
Add CVE Request reference for flightgear issue

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 16:01:03 UTC (rev 47064)
+++ data/CVE/list   2016-12-14 16:01:56 UTC (rev 47065)
@@ -1,5 +1,6 @@
 CVE-2016- [Allows the route manager to overwrite arbitrary files]
- flightgear  (bug #848114)
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/12/14/11
 CVE-2016-9948
RESERVED
 CVE-2016-9947




[Secure-testing-commits] r47064 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 16:01:03 + (Wed, 14 Dec 2016)
New Revision: 47064

Modified:
   data/CVE/list
Log:
Adjust tag for upstream commit for CVE-2016-9755

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 15:47:08 UTC (rev 47063)
+++ data/CVE/list   2016-12-14 16:01:03 UTC (rev 47064)
@@ -7528,7 +7528,7 @@
 CVE-2016-9755 [net: out-of-bounds due do a signedness issue when defragging 
ipv6]
RESERVED
- linux 
-   NOTE: Fixed by: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa
 (v4.9-rc9)
+   NOTE: Fixed by: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa
 (v4.9-rc8)
NOTE: https://groups.google.com/forum/#!topic/syzkaller/GFbGpX7nTEo
 CVE-2016-9684
RESERVED




[Secure-testing-commits] r47063 - data/CVE

2016-12-14 Thread Nicholas Luedtke
Author: nluedtke-guest
Date: 2016-12-14 15:47:08 + (Wed, 14 Dec 2016)
New Revision: 47063

Modified:
   data/CVE/list
Log:
Update CVE-2016-9755/linux

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 15:44:05 UTC (rev 47062)
+++ data/CVE/list   2016-12-14 15:47:08 UTC (rev 47063)
@@ -7528,7 +7528,7 @@
 CVE-2016-9755 [net: out-of-bounds due do a signedness issue when defragging 
ipv6]
RESERVED
- linux 
-   NOTE: Proposed fix: https://www.spinics.net/lists/netdev/msg407525.html
+   NOTE: Fixed by: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa
 (v4.9-rc9)
NOTE: https://groups.google.com/forum/#!topic/syzkaller/GFbGpX7nTEo
 CVE-2016-9684
RESERVED




[Secure-testing-commits] r47062 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 15:44:05 + (Wed, 14 Dec 2016)
New Revision: 47062

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2016-8707/imagemagick

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 15:24:28 UTC (rev 47061)
+++ data/CVE/list   2016-12-14 15:44:05 UTC (rev 47062)
@@ -10652,7 +10652,7 @@
RESERVED
 CVE-2016-8707 [ImageMagick Convert Tiff Adobe Deflate Code Execution 
Vulnerability]
RESERVED
-   - imagemagick 
+   - imagemagick  (bug #848139)
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0216/
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/e5fd9ab1b70b2edd06de8efb606e04482cb9a2f0
 (7.0.3-9)
 CVE-2016-8706




[Secure-testing-commits] r47061 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 15:24:28 + (Wed, 14 Dec 2016)
New Revision: 47061

Modified:
   data/CVE/list
Log:
Update notes for CVE-2016-6810, mark as unimportant since not enabled in Debian 
package

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 15:23:10 UTC (rev 47060)
+++ data/CVE/list   2016-12-14 15:24:28 UTC (rev 47061)
@@ -16824,8 +16824,11 @@
RESERVED
 CVE-2016-6810
RESERVED
-   - activemq  (Admin console not enabled in the Debian 
package, see #702670)
+   - activemq 5.14.2+dfsg-1 (unimportant)
+   NOTE: Admin console not enabled in the Debian package, see #702670
NOTE: 
http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt
+   NOTE: http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000245.html
+   NOTE: https://jvn.jp/en/jp/JVN78980598/index.html
 CVE-2016-6809 [Arbitrary code execution vulnerability in MATLAB parser]
RESERVED
- tika  (Matlab file parser introduced in 1.6)




[Secure-testing-commits] r47060 - in data: . DSA

2016-12-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-12-14 15:23:10 + (Wed, 14 Dec 2016)
New Revision: 47060

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
firefox DSA


Modified: data/DSA/list
===
--- data/DSA/list   2016-12-14 15:18:33 UTC (rev 47059)
+++ data/DSA/list   2016-12-14 15:23:10 UTC (rev 47060)
@@ -1,3 +1,6 @@
+[14 Dec 2016] DSA-3734-1 firefox-esr - security update
+   {CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9899 
CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904 CVE-2016-9905}
+   [jessie] - firefox-esr 45.6.0esr-1~deb8u1
 [13 Dec 2016] DSA-3733-1 apt - security update
{CVE-2016-1252}
[jessie] - apt 1.0.9.8.4

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-12-14 15:18:33 UTC (rev 47059)
+++ data/dsa-needed.txt 2016-12-14 15:23:10 UTC (rev 47060)
@@ -14,8 +14,6 @@
 --
 389-ds-base (fw)
 --
-firefox-esr (jmm)
---
 graphicsmagick (luciano)
 --
 jasper (jmm)




[Secure-testing-commits] r47059 - data

2016-12-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-12-14 15:18:33 + (Wed, 14 Dec 2016)
New Revision: 47059

Modified:
   data/next-point-update.txt
Log:
two spu


Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2016-12-14 15:00:37 UTC (rev 47058)
+++ data/next-point-update.txt  2016-12-14 15:18:33 UTC (rev 47059)
@@ -76,3 +76,7 @@
[jessie] - lxc 1:1.0.6-6+deb8u5
 CVE-2016-9839
[jessie] - mapserver 6.4.1-5+deb8u1
+CVE-2016-7382
+   [jessie] - nvidia-graphics-drivers 340.98-1
+CVE-2016-7389
+   [jessie] - nvidia-graphics-drivers 340.98-1




[Secure-testing-commits] r47058 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 15:00:37 + (Wed, 14 Dec 2016)
New Revision: 47058

Modified:
   data/CVE/list
Log:
Adjust version for CVE-2016-8595

Already fixed in 3.1.5, and fixed with the 7:3.1.5-1 upload.

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 14:51:51 UTC (rev 47057)
+++ data/CVE/list   2016-12-14 15:00:37 UTC (rev 47058)
@@ -11307,7 +11307,7 @@
NOTE: 
https://github.com/GomSpace/libcsp/pull/81/commits/4435fbed4090ff3cd090a61517430fe8a3924cd8
 CVE-2016-8595
RESERVED
-   - ffmpeg 7:3.2-1
+   - ffmpeg 7:3.1.5-1
NOTE: http://www.openwall.com/lists/oss-security/2016/12/08/2
NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/987690799dd86433bf98b897aaa4c8d93ade646d
 CVE-2016-8594




[Secure-testing-commits] r47057 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 14:51:51 + (Wed, 14 Dec 2016)
New Revision: 47057

Modified:
   data/CVE/list
Log:
Add reference for CVE-2016-8678

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 14:50:29 UTC (rev 47056)
+++ data/CVE/list   2016-12-14 14:51:51 UTC (rev 47057)
@@ -10960,6 +10960,7 @@
- imagemagick  (unimportant; bug #845204)
NOTE: 
https://blogs.gentoo.org/ago/2016/10/07/imagemagick-heap-based-buffer-overflow-in-ispixelmonochrome-pixel-accessor-h/
NOTE: unimportant: Only an issue with a QuantumDepth=64 build, thus not 
affecting the binary packages
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/272
 CVE-2016-8677 [memory allocate failure in AcquireQuantumPixels]
RESERVED
{DSA-3726-1}




[Secure-testing-commits] r47056 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 14:50:29 + (Wed, 14 Dec 2016)
New Revision: 47056

Modified:
   data/CVE/list
Log:
Add CVE request for SimpleSAMLphp issue, SSPSA 201612-02

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 12:59:37 UTC (rev 47055)
+++ data/CVE/list   2016-12-14 14:50:29 UTC (rev 47056)
@@ -23,6 +23,7 @@
[jessie] - simplesamlphp  (Minor issue)
NOTE: https://simplesamlphp.org/security/201612-02
NOTE: 
https://github.com/simplesamlphp/simplesamlphp/commit/a2326d75dd14accaac162dd2cb30aaefcc1f9205
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/12/14/7
 CVE-2016- [code execution in SNES code]
- game-music-emu 0.6.0-4 (bug #848071)
NOTE: 
http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html




[Secure-testing-commits] r47055 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 12:59:37 + (Wed, 14 Dec 2016)
New Revision: 47055

Modified:
   data/CVE/list
Log:
Add CVE-2016-1253/most

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 12:58:06 UTC (rev 47054)
+++ data/CVE/list   2016-12-14 12:59:37 UTC (rev 47055)
@@ -36197,8 +36197,9 @@
RESERVED
 CVE-2016-1254
RESERVED
-CVE-2016-1253
+CVE-2016-1253 [shell injection attack using LZMA-compressed files]
RESERVED
+   - most  (bug #848132)
 CVE-2016-1252
RESERVED
{DSA-3733-1}




[Secure-testing-commits] r47054 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 12:58:06 + (Wed, 14 Dec 2016)
New Revision: 47054

Modified:
   data/CVE/list
Log:
game-music-emu issue fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 12:28:24 UTC (rev 47053)
+++ data/CVE/list   2016-12-14 12:58:06 UTC (rev 47054)
@@ -24,7 +24,7 @@
NOTE: https://simplesamlphp.org/security/201612-02
NOTE: 
https://github.com/simplesamlphp/simplesamlphp/commit/a2326d75dd14accaac162dd2cb30aaefcc1f9205
 CVE-2016- [code execution in SNES code]
-   - game-music-emu  (bug #848071)
+   - game-music-emu 0.6.0-4 (bug #848071)
NOTE: 
http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html
 CVE-2016-9939 [denial-of-service in ASN1 decoder]
RESERVED




[Secure-testing-commits] r47053 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 12:28:24 + (Wed, 14 Dec 2016)
New Revision: 47053

Modified:
   data/CVE/list
Log:
CVE-2016-8637 fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 12:27:01 UTC (rev 47052)
+++ data/CVE/list   2016-12-14 12:28:24 UTC (rev 47053)
@@ -11123,7 +11123,7 @@
NOTE: 
https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c
 CVE-2016-8637 [dracut creates world readble initramfs when early cpio is used]
RESERVED
-   - dracut  (low; bug #843697)
+   - dracut 044+189-1 (low; bug #843697)
[jessie] - dracut  (Minor issue)
[wheezy] - dracut  (Introduced in 030 upstream)
NOTE: Fixed by: 
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=0db98910a11c12a454eac4c8e86dc7a7bbc764a4
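Review bot: the version bump to `044+189-1` is the only change here, but the unchanged subject line in context reads `world readble initramfs` and should be `world readable initramfs`; worth fixing in the same entry.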




[Secure-testing-commits] r47052 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 12:27:01 + (Wed, 14 Dec 2016)
New Revision: 47052

Modified:
   data/CVE/list
Log:
Add entry for flightgear

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 09:22:30 UTC (rev 47051)
+++ data/CVE/list   2016-12-14 12:27:01 UTC (rev 47052)
@@ -1,3 +1,5 @@
+CVE-2016- [Allows the route manager to overwrite arbitrary files]
+   - flightgear  (bug #848114)
 CVE-2016-9948
RESERVED
 CVE-2016-9947
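Review bot: the new entry's identifier reads `CVE-2016-` with nothing after the dash; entries without an assigned ID use the `CVE-2016-XXXX` placeholder in data/CVE/list, so confirm the placeholder was not lost. The `- flightgear ` line likewise shows no status token where `<unfixed>` is expected.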




[Secure-testing-commits] r47051 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 09:22:30 + (Wed, 14 Dec 2016)
New Revision: 47051

Modified:
   data/CVE/list
Log:
Update CVE-2016-9566, remove TODO

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 09:13:37 UTC (rev 47050)
+++ data/CVE/list   2016-12-14 09:22:30 UTC (rev 47051)
@@ -7925,11 +7925,10 @@
RESERVED
 CVE-2016-9567 (The mDNIe system service on Samsung Mobile S7 devices with 
M(6.0) ...)
NOT-FOR-US: Samsung
-CVE-2016-9566
+CVE-2016-9566 [privilege escalation]
RESERVED
- nagios3 
NOTE: 
https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4
-   TODO: check
 CVE-2016-9565 [Curl Command Injection]
RESERVED
- nagios3 3.5.1-1
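Review bot: the new subject `[privilege escalation]` is too generic to distinguish this from other nagios3 issues; the linked nagioscore commit is the natural source for a one-line summary of what is escalated and how. Dropping `TODO: check` while `- nagios3 ` still carries no fixed version implies the check concluded the package is affected, which is fine provided that is what was verified.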




[Secure-testing-commits] r47050 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 09:13:37 + (Wed, 14 Dec 2016)
New Revision: 47050

Modified:
   data/CVE/list
Log:
Update tracking information for simplesamlphp issue, mark no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 08:34:28 UTC (rev 47049)
+++ data/CVE/list   2016-12-14 09:13:37 UTC (rev 47050)
@@ -17,7 +17,8 @@
 CVE-2016-9940
RESERVED
 CVE-2016- [Incorrect signature verification]
-   - simplesamlphp 1.14.11-1
+   - simplesamlphp 1.14.11-1 (low)
+   [jessie] - simplesamlphp  (Minor issue)
NOTE: https://simplesamlphp.org/security/201612-02
NOTE: 
https://github.com/simplesamlphp/simplesamlphp/commit/a2326d75dd14accaac162dd2cb30aaefcc1f9205
 CVE-2016- [code execution in SNES code]
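Review bot: the commit message says "mark no-dsa", but the added `[jessie] - simplesamlphp  (Minor issue)` line shows no status token between the package name and the reason in this rendering; the expected `<no-dsa>` token is the kind of angle-bracketed text mail rendering strips, so confirm it is in the committed line.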




[Secure-testing-commits] r47049 - data/CVE

2016-12-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-12-14 08:34:28 + (Wed, 14 Dec 2016)
New Revision: 47049

Modified:
   data/CVE/list
Log:
Update CVE-2016-9565

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-14 08:28:38 UTC (rev 47048)
+++ data/CVE/list   2016-12-14 08:34:28 UTC (rev 47049)
@@ -7929,11 +7929,11 @@
- nagios3 
NOTE: 
https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4
TODO: check
-CVE-2016-9565
+CVE-2016-9565 [Curl Command Injection]
RESERVED
-   - nagios3 
+   - nagios3 3.5.1-1
NOTE: 
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
-   TODO: check
+   NOTE: The RSS feed and call-home was removed with the 3.5.1-1 were the 
affected function was removed
 CVE-2016-9564 (Buffer overflow in send_redirect() in Boa Webserver 0.92r 
allows ...)
- boa  (the vuln was removed in 0.93.14)
NOTE: 
http://www.ljcusack.io/cve-2016-9564-stack-based-buffer-overflow-in-boa-0-dot-92r
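Review bot: the new NOTE has grammar problems that make it hard to read: `were the affected function was removed` should be `where the affected function was removed`, and `was removed with the 3.5.1-1` reads better as `were removed in 3.5.1-1`. Suggested wording: `NOTE: The RSS feed and call-home were removed in 3.5.1-1, where the affected function was removed`.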




[Secure-testing-commits] r47048 - data

2016-12-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-12-14 08:28:38 + (Wed, 14 Dec 2016)
New Revision: 47048

Modified:
   data/dsa-needed.txt
Log:
take firefox


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-12-14 07:20:18 UTC (rev 47047)
+++ data/dsa-needed.txt 2016-12-14 08:28:38 UTC (rev 47048)
@@ -14,7 +14,7 @@
 --
 389-ds-base (fw)
 --
-firefox-esr
+firefox-esr (jmm)
 --
 graphicsmagick (luciano)
 --

