[Secure-testing-commits] r48217 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-20 06:41:39 + (Fri, 20 Jan 2017)
New Revision: 48217

Modified:
   data/CVE/list
Log:
Mark CVE-2017-5538 as NFU, issue in source code not present in src:linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-20 06:05:10 UTC (rev 48216)
+++ data/CVE/list   2017-01-20 06:41:39 UTC (rev 48217)
@@ -11,6 +11,8 @@
[wheezy] - wordpress  (wp_ajax_update_plugin function 
introduced in 4.2)
NOTE: https://core.trac.wordpress.org/ticket/37490
NOTE: https://core.trac.wordpress.org/changeset/38168
+CVE-2017-5538
+   NOT-FOR-US: Samsung Exynos
 CVE-2017-5524
RESERVED
NOT-FOR-US: Plone
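
Review bot: The added "NOT-FOR-US: Samsung Exynos" line under CVE-2017-5538 names the vendor but not the reason given in the log message, namely that the affected source is not present in src:linux. Add a NOTE line saying so, so that a later triager who sees a kernel-related CVE marked NFU does not have to repeat the check.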


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r48216 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-20 06:05:10 + (Fri, 20 Jan 2017)
New Revision: 48216

Modified:
   data/CVE/list
Log:
Record fixed version for CVE-2016-2337

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-20 05:56:10 UTC (rev 48215)
+++ data/CVE/list   2017-01-20 06:05:10 UTC (rev 48216)
@@ -36629,9 +36629,10 @@
 CVE-2016-2338
RESERVED
 CVE-2016-2337 (Type confusion exists in _cancel_eval Ruby's TclTkIp class 
method. ...)
-   - ruby2.3 
+   - ruby2.3 2.3.0-1
- ruby2.1  (bug #851161)
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0031/
+   NOTE: 
https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
TODO: check, might not be exploitable in jessie with ruby2.1, since 
requires cancel_eval which is supported in Tcl/Tk8.6 or later.
 CVE-2016-2336 (Type confusion exists in two methods of Ruby's WIN32OLE class, 
...)
- ruby2.3  (unimportant)
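
Review bot: The NOTE added under CVE-2016-2337 gives the ruby commit URL without saying what the commit is; label it "NOTE: Fixed by: <url>", as the CVE-2016-2339 entry in r48215 does. The TODO about exploitability in jessie with ruby2.1 stays in place while ruby2.3 is now marked fixed in 2.3.0-1, so it would help to state that the TODO now concerns ruby2.1 only.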




[Secure-testing-commits] r48215 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-20 05:56:10 + (Fri, 20 Jan 2017)
New Revision: 48215

Modified:
   data/CVE/list
Log:
Record fixed version for CVE-2016-2339

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-20 05:55:59 UTC (rev 48214)
+++ data/CVE/list   2017-01-20 05:56:10 UTC (rev 48215)
@@ -36622,7 +36622,7 @@
 CVE-2016-2340 (The AMF framework in Granite Data Services 3.1.1-SNAPSHOT 
allows ...)
NOT-FOR-US: Granite
 CVE-2016-2339 (An exploitable heap overflow vulnerability exists in the ...)
-   - ruby2.3 
+   - ruby2.3 2.3.0-1
- ruby2.1  (bug #851161)
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0034/
NOTE: Fixed by: 
https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42




[Secure-testing-commits] r48214 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-20 05:55:59 + (Fri, 20 Jan 2017)
New Revision: 48214

Modified:
   data/CVE/list
Log:
Move bug #851161 to src:ruby2.1 (reassigned by maintainer)

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-20 05:19:13 UTC (rev 48213)
+++ data/CVE/list   2017-01-20 05:55:59 UTC (rev 48214)
@@ -36622,15 +36622,15 @@
 CVE-2016-2340 (The AMF framework in Granite Data Services 3.1.1-SNAPSHOT 
allows ...)
NOT-FOR-US: Granite
 CVE-2016-2339 (An exploitable heap overflow vulnerability exists in the ...)
-   - ruby2.3  (bug #851161)
-   - ruby2.1 
+   - ruby2.3 
+   - ruby2.1  (bug #851161)
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0034/
NOTE: Fixed by: 
https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42
 CVE-2016-2338
RESERVED
 CVE-2016-2337 (Type confusion exists in _cancel_eval Ruby's TclTkIp class 
method. ...)
-   - ruby2.3  (bug #851161)
-   - ruby2.1 
+   - ruby2.3 
+   - ruby2.1  (bug #851161)
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0031/
TODO: check, might not be exploitable in jessie with ruby2.1, since 
requires cancel_eval which is supported in Tcl/Tk8.6 or later.
 CVE-2016-2336 (Type confusion exists in two methods of Ruby's WIN32OLE class, 
...)




[Secure-testing-commits] r48213 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-20 05:19:13 + (Fri, 20 Jan 2017)
New Revision: 48213

Modified:
   data/CVE/list
Log:
Add CVE-2017-5537/weblate

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-20 05:11:57 UTC (rev 48212)
+++ data/CVE/list   2017-01-20 05:19:13 UTC (rev 48213)
@@ -14,9 +14,9 @@
 CVE-2017-5524
RESERVED
NOT-FOR-US: Plone
-CVE-2017- [weblate information leak]
+CVE-2017-5537 [weblate information leak]
- weblate  (bug #745661)
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/18/11
+   NOTE: http://www.openwall.com/lists/oss-security/2017/01/18/11
 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory 
consumption issue]
RESERVED
- qemu  (bug #851910)




[Secure-testing-commits] r48212 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-20 05:11:57 + (Fri, 20 Jan 2017)
New Revision: 48212

Modified:
   data/CVE/list
Log:
Track linux status for CVE-2016-10150

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-20 02:10:39 UTC (rev 48211)
+++ data/CVE/list   2017-01-20 05:11:57 UTC (rev 48212)
@@ -1,8 +1,9 @@
 CVE-2016-10150 [kvm: use-after-free issue while creating devices]
-   - linux 
-   NOTE: CVE request: 
http://www.openwall.com/lists/oss-security/2017/01/18/10
-   NOTE: CVE assignment: 
http://www.openwall.com/lists/oss-security/2017/01/19/6
-   NOTE: patch: 
https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61
+   - linux 4.8.15-1
+   [jessie] - linux  (Vulnerable code introduced later)
+   [wheezy] - linux  (Vulnerable code introduced later)
+   NOTE: Fixed by: 
https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 (v4.9-rc8)
+   NOTE: Introduced by: 
https://git.kernel.org/linus/a28ebea2adc4a2bef5989a5a181ec238f59fbcad (v4.8-rc2)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414506
 CVE-2016-10148 (The wp_ajax_update_plugin function in ...)
- wordpress 4.6.1+dfsg-1
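
Review bot: In the CVE-2016-10150 entry, "- linux 4.8.15-1" is recorded as the fixed version while the "Fixed by:" note tags the upstream commit as v4.9-rc8, and nothing in the entry connects the two. Add a NOTE naming the 4.8 stable commit or release that carries the fix. The hunk also drops both oss-security links (CVE request and CVE assignment); keeping the assignment link preserves the public reference for the ID.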




[Secure-testing-commits] r48211 - data/CVE

2017-01-19 Thread Paul Wise
Author: pabs
Date: 2017-01-20 02:10:39 + (Fri, 20 Jan 2017)
New Revision: 48211

Modified:
   data/CVE/list
Log:
Linux: kvm: use-after-free issue while creating devices

Reported-by: hexa-
Reported-in: #debian-security

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 21:46:29 UTC (rev 48210)
+++ data/CVE/list   2017-01-20 02:10:39 UTC (rev 48211)
@@ -1,3 +1,9 @@
+CVE-2016-10150 [kvm: use-after-free issue while creating devices]
+   - linux 
+   NOTE: CVE request: 
http://www.openwall.com/lists/oss-security/2017/01/18/10
+   NOTE: CVE assignment: 
http://www.openwall.com/lists/oss-security/2017/01/19/6
+   NOTE: patch: 
https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414506
 CVE-2016-10148 (The wp_ajax_update_plugin function in ...)
- wordpress 4.6.1+dfsg-1
[jessie] - wordpress  (wp_ajax_update_plugin function 
introduced in 4.2)




[Secure-testing-commits] r48210 - data

2017-01-19 Thread Sebastien Delafond
Author: seb
Date: 2017-01-19 21:46:29 + (Thu, 19 Jan 2017)
New Revision: 48210

Modified:
   data/dsa-needed.txt
Log:
Add and take libphp-swiftmailer (CVE-2016-10074)

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-01-19 21:22:41 UTC (rev 48209)
+++ data/dsa-needed.txt 2017-01-19 21:46:29 UTC (rev 48210)
@@ -23,6 +23,9 @@
 --
 libical
 --
+libphp-swiftmailer (seb)
+  Markus Koschany will provide a debdiff
+--
 libxml2
 --
 linux




[Secure-testing-commits] r48209 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 21:22:41 + (Thu, 19 Jan 2017)
New Revision: 48209

Modified:
   data/CVE/list
Log:
Update status for CVE-2016-10148

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 21:19:13 UTC (rev 48208)
+++ data/CVE/list   2017-01-19 21:22:41 UTC (rev 48209)
@@ -1,5 +1,9 @@
 CVE-2016-10148 (The wp_ajax_update_plugin function in ...)
-   TODO: check
+   - wordpress 4.6.1+dfsg-1
+   [jessie] - wordpress  (wp_ajax_update_plugin function 
introduced in 4.2)
+   [wheezy] - wordpress  (wp_ajax_update_plugin function 
introduced in 4.2)
+   NOTE: https://core.trac.wordpress.org/ticket/37490
+   NOTE: https://core.trac.wordpress.org/changeset/38168
 CVE-2017-5524
RESERVED
NOT-FOR-US: Plone




[Secure-testing-commits] r48208 - in data: CVE DSA

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 21:19:13 + (Thu, 19 Jan 2017)
New Revision: 48208

Modified:
   data/CVE/list
   data/DSA/list
Log:
CVE-2016-1514 and CVE-2016-1515 rejected

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 21:19:03 UTC (rev 48207)
+++ data/CVE/list   2017-01-19 21:19:13 UTC (rev 48208)
@@ -39924,16 +39924,8 @@
RESERVED
 CVE-2016-1515
REJECTED
-   {DSA-3538-1}
-   - libebml 1.3.3-1
-   NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0037/
-   NOTE: Duplicate of CVE-2015-8789 / DSA-3538-1
 CVE-2016-1514
REJECTED
-   {DSA-3538-1}
-   - libebml 1.3.3-1
-   NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0036/
-   NOTE: Duplicate of CVE-2015-8790 / DSA-3538-1
 CVE-2016-1513 (The Impress tool in Apache OpenOffice 4.1.2 and earlier allows 
remote ...)
{DLA-591-1}
- libreoffice 1:4.3.3-1
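
Review bot: The removed "NOTE: Duplicate of CVE-2015-8789 / DSA-3538-1" and "NOTE: Duplicate of CVE-2015-8790 / DSA-3538-1" lines under CVE-2016-1515 and CVE-2016-1514 were the only record here of which IDs replace the rejected ones. If the list format allows a NOTE under a REJECTED entry, keep those two lines so that a search for the rejected IDs still leads to the surviving CVEs and the DSA.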

Modified: data/DSA/list
===
--- data/DSA/list   2017-01-19 21:19:03 UTC (rev 48207)
+++ data/DSA/list   2017-01-19 21:19:13 UTC (rev 48208)
@@ -720,7 +720,7 @@
[wheezy] - srtp 1.4.4+20100615~dfsg-2+deb7u2
[jessie] - srtp 1.4.5~20130609~dfsg-1.1+deb8u1
 [31 Mar 2016] DSA-3538-1 libebml - security update
-   {CVE-2015-8789 CVE-2016-1515 CVE-2015-8790 CVE-2016-1514 CVE-2015-8791}
+   {CVE-2015-8789 CVE-2015-8790 CVE-2015-8791}
[wheezy] - libebml 1.2.2-2+deb7u1
[jessie] - libebml 1.3.0-2+deb8u1
 [31 Mar 2016] DSA-3537-1 imlib2 - security update




[Secure-testing-commits] r48207 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 21:19:03 + (Thu, 19 Jan 2017)
New Revision: 48207

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-5526

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 21:10:12 UTC (rev 48206)
+++ data/CVE/list   2017-01-19 21:19:03 UTC (rev 48207)
@@ -8,7 +8,7 @@
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/18/11
 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory 
consumption issue]
RESERVED
-   - qemu 
+   - qemu  (bug #851910)
- qemu-kvm 
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01742.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414209




[Secure-testing-commits] r48206 - data/CVE

2017-01-19 Thread security tracker role
Author: sectracker
Date: 2017-01-19 21:10:12 + (Thu, 19 Jan 2017)
New Revision: 48206

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 20:43:00 UTC (rev 48205)
+++ data/CVE/list   2017-01-19 21:10:12 UTC (rev 48206)
@@ -1,9 +1,13 @@
+CVE-2016-10148 (The wp_ajax_update_plugin function in ...)
+   TODO: check
 CVE-2017-5524
+   RESERVED
NOT-FOR-US: Plone
 CVE-2017- [weblate information leak]
- weblate  (bug #745661)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/18/11
 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory 
consumption issue]
+   RESERVED
- qemu 
- qemu-kvm 
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01742.html
@@ -11,6 +15,7 @@
NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
TODO: check affected versions
 CVE-2017-5525 [audio: memory leakage in ac97 device; CVE for the memory 
consumption issue]
+   RESERVED
- qemu 
- qemu-kvm 
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01740.html
@@ -25,9 +30,11 @@
NOTE: 
https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html
NOTE: 
https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df
 CVE-2017-2578
+   RESERVED
- moodle 2.7.18+dfsg-1
NOTE: https://moodle.org/mod/forum/discuss.php?d=345915
 CVE-2017-2576
+   RESERVED
- moodle 2.7.18+dfsg-1
NOTE: https://moodle.org/mod/forum/discuss.php?d=345912
 CVE-2017-5521 (An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, 
R7300, ...)
@@ -316,8 +323,7 @@
RESERVED
 CVE-2017-5358
RESERVED
-CVE-2016-10147 [crash by spawning mcrypt(alg) with incompatible algorithm]
-   RESERVED
+CVE-2016-10147 (crypto/mcryptd.c in the Linux kernel before 4.8.15 allows 
local users ...)
- linux 4.8.15-1
NOTE: Fixed by: 
https://git.kernel.org/linus/48a992727d82cb7db076fa15d372178743b1f4cd (v4.9)
 CVE-2016-10143
@@ -805,9 +811,11 @@
 CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a 
hardcoded ...)
NOT-FOR-US: D-Link
 CVE-2016-10127 [XML external entity attack]
+   RESERVED
- python-pysaml2 
NOTE: https://github.com/rohe/pysaml2/issues/366
 CVE-2016-10149 [CWE-776 (Entity Expansion)]
+   {DSA-3759-1}
- python-pysaml2 3.0.0-5 (bug #850716)
NOTE: NOTE: https://github.com/rohe/pysaml2/pull/379
NOTE: 
https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
@@ -1409,8 +1417,8 @@
NOT-FOR-US: GenixCMS
 CVE-2016-10090
RESERVED
-CVE-2016-10086
-   RESERVED
+CVE-2016-10086 (RESTful web services in CA Service Desk Manager 12.9 and CA 
Service ...)
+   TODO: check
 CVE-2017-5004
RESERVED
 CVE-2017-5003
@@ -3701,6 +3709,7 @@
- tqdm  (bug #849632)
NOTE: https://github.com/tqdm/tqdm/issues/328
 CVE-2016-10074 (The mail transport (aka Swift_Transport_MailTransport) in 
Swift Mailer ...)
+   {DLA-792-1}
- libphp-swiftmailer 5.4.2-1.1 (bug #849626)
NOTE: 
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
NOTE: https://github.com/swiftmailer/swiftmailer/issues/844
@@ -5500,6 +5509,7 @@
- mysql-5.5  (Only affects MySQL 5.7)
 CVE-2017-3318
RESERVED
+   {DSA-3767-1}
- mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
@@ -5507,6 +5517,7 @@
- mysql-5.5  (bug #851233)
 CVE-2017-3317
RESERVED
+   {DSA-3767-1}
- mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
@@ -5525,11 +5536,13 @@
NOT-FOR-US: Oracle FLEXCUBE
 CVE-2017-3313
RESERVED
+   {DSA-3767-1}
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
- mysql-5.5  (bug #851233)
 CVE-2017-3312
RESERVED
+   {DSA-3767-1}
- mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
@@ -5590,6 +5603,7 @@
NOT-FOR-US: Oracle PeopleSoft
 CVE-2017-3291
RESERVED
+   {DSA-3767-1}
- mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
@@ -5679,6 +5693,7 @@
NOT-FOR-US: Oracle
 CVE-2017-3265
RESERVED
+   {DSA-3767-1}
- mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
@@ -5710,6 +5725,7 @@
- openjdk-6  (Deployment components not part of OpenJDK, 
only present in Oracle Java)
 CVE-2017-3258
RESERVED
+  

[Secure-testing-commits] r48205 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 20:43:00 + (Thu, 19 Jan 2017)
New Revision: 48205

Modified:
   data/CVE/list
Log:
Add CVE-2016-2087/hexchat

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 20:42:50 UTC (rev 48204)
+++ data/CVE/list   2017-01-19 20:43:00 UTC (rev 48205)
@@ -37803,6 +37803,8 @@
NOTE: https://kb.isc.org/article/AA-01351
 CVE-2016-2087
RESERVED
+   - hexchat 
+   NOTE: https://www.exploit-db.com/exploits/39656/
 CVE-2016-2086 (Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x 
before ...)
- nodejs 4.3.0~dfsg-1 (unimportant)
NOTE: libv8 is not covered by security support




[Secure-testing-commits] r48204 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 20:42:50 + (Thu, 19 Jan 2017)
New Revision: 48204

Modified:
   data/CVE/list
Log:
Add CVE-2016-2233/hexchat

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 20:42:40 UTC (rev 48203)
+++ data/CVE/list   2017-01-19 20:42:50 UTC (rev 48204)
@@ -37081,6 +37081,8 @@
RESERVED
 CVE-2016-2233
RESERVED
+   - hexchat 
+   NOTE: https://www.exploit-db.com/exploits/39657/
 CVE-2016-2231 (The Windows-based Host Interface Program (WHIP) service on 
Huawei ...)
NOT-FOR-US: Huawei
 CVE-2016-2230 (OpenELEC and RasPlex devices have a hardcoded password for the 
root ...)




[Secure-testing-commits] r48203 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 20:42:40 + (Thu, 19 Jan 2017)
New Revision: 48203

Modified:
   data/CVE/list
Log:
Group entries by source package

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 20:09:49 UTC (rev 48202)
+++ data/CVE/list   2017-01-19 20:42:40 UTC (rev 48203)
@@ -32844,9 +32844,9 @@
RESERVED
 CVE-2016-3625 (tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier 
allows ...)
- tiff 4.0.3-1
+   [wheezy] - tiff  (Can't reproduce)
- tiff3 
[wheezy] - tiff3  (Does not ship libtiff tools)
-   [wheezy] - tiff  (Can't reproduce)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566
NOTE: Not reproducible with jessie and above, marking the version in 
jessie as fixed
NOTE: CVE probably should/needs to be rejected, since upstream is as 
well unable to




[Secure-testing-commits] r48202 - data/CVE

2017-01-19 Thread Antoine Beaupré
Author: anarcat
Date: 2017-01-19 20:09:49 + (Thu, 19 Jan 2017)
New Revision: 48202

Modified:
   data/CVE/list
Log:
can't reproduce CVE-2016-3625 in wheezy



Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 19:46:56 UTC (rev 48201)
+++ data/CVE/list   2017-01-19 20:09:49 UTC (rev 48202)
@@ -32846,6 +32846,7 @@
- tiff 4.0.3-1
- tiff3 
[wheezy] - tiff3  (Does not ship libtiff tools)
+   [wheezy] - tiff  (Can't reproduce)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566
NOTE: Not reproducible with jessie and above, marking the version in 
jessie as fixed
NOTE: CVE probably should/needs to be rejected, since upstream is as 
well unable to
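
Review bot: The added "[wheezy] - tiff" line for CVE-2016-3625 sits after the tiff3 lines instead of directly under "- tiff 4.0.3-1", which separates the release-specific status from its source package. Move it up so the tiff lines stay together. The "(Can't reproduce)" remark would also be easier to verify with a short NOTE on what was tested in wheezy.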




[Secure-testing-commits] r48201 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 19:46:56 + (Thu, 19 Jan 2017)
New Revision: 48201

Modified:
   data/CVE/list
Log:
mariadb-10.1 fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 19:24:27 UTC (rev 48200)
+++ data/CVE/list   2017-01-19 19:46:56 UTC (rev 48201)
@@ -5500,14 +5500,14 @@
- mysql-5.5  (Only affects MySQL 5.7)
 CVE-2017-3318
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
- mysql-5.5  (bug #851233)
 CVE-2017-3317
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
@@ -5530,7 +5530,7 @@
- mysql-5.5  (bug #851233)
 CVE-2017-3312
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
@@ -5590,7 +5590,7 @@
NOT-FOR-US: Oracle PeopleSoft
 CVE-2017-3291
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
@@ -5679,7 +5679,7 @@
NOT-FOR-US: Oracle
 CVE-2017-3265
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
@@ -5710,14 +5710,14 @@
- openjdk-6  (Deployment components not part of OpenJDK, 
only present in Oracle Java)
 CVE-2017-3258
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
- mysql-5.5  (bug #851233)
 CVE-2017-3257
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
@@ -5769,14 +5769,14 @@
NOT-FOR-US: Oracle FLEXCUBE
 CVE-2017-3244
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
- mysql-5.5  (bug #851233)
 CVE-2017-3243
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (Only affects MySQL 5.5)
- mysql-5.6  (Only affects MySQL 5.5)
@@ -5798,7 +5798,7 @@
- glassfish  (Only affects 3.x)
 CVE-2017-3238
RESERVED
-   - mariadb-10.1  (bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #851759)
- mariadb-10.0  (bug #851755)
- mysql-5.7  (bug #851235)
- mysql-5.6  (bug #851234)
@@ -22121,7 +22121,7 @@
 CVE-2016-6665
RESERVED
 CVE-2016-6664 (mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 
5.6.32, and ...)
-   - mariadb-10.1  (bug #849435; bug #851759)
+   - mariadb-10.1 10.1.21-1 (bug #849435; bug #851759)
- mariadb-10.0  (bug #842895; bug #851755)
- mysql-5.7 5.7.15-1
- mysql-5.6 5.6.34-1 (bug #841049)




[Secure-testing-commits] r48200 - in data: . DSA

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 19:24:27 + (Thu, 19 Jan 2017)
New Revision: 48200

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA number for mysql-5.5

Modified: data/DSA/list
===
--- data/DSA/list   2017-01-19 18:42:07 UTC (rev 48199)
+++ data/DSA/list   2017-01-19 19:24:27 UTC (rev 48200)
@@ -1,3 +1,6 @@
+[19 Jan 2017] DSA-3767-1 mysql-5.5 - security update
+   {CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 CVE-2017-3265 
CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 CVE-2017-3317 CVE-2017-3318}
+   [jessie] - mysql-5.5 5.5.54-0+deb8u1
 [19 Jan 2017] DSA-3766-1 mapserver - security update
{CVE-2017-5522}
[jessie] - mapserver 6.4.1-5+deb8u3

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-01-19 18:42:07 UTC (rev 48199)
+++ data/dsa-needed.txt 2017-01-19 19:24:27 UTC (rev 48200)
@@ -30,8 +30,6 @@
 --
 mariadb-10.0 (carnil)
 --
-mysql-5.5 (carnil)
---
 openjdk-7 (jmm)
 --
 openjpeg2 (jmm)




[Secure-testing-commits] r48199 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 18:42:07 + (Thu, 19 Jan 2017)
New Revision: 48199

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2017-0381 in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 18:35:52 UTC (rev 48198)
+++ data/CVE/list   2017-01-19 18:42:07 UTC (rev 48199)
@@ -12096,7 +12096,7 @@
 CVE-2017-0382 (A remote code execution vulnerability in the Framesequence 
library ...)
TODO: check
 CVE-2017-0381 (A remote code execution vulnerability in silk/NLSF_stabilize.c 
in ...)
-   - opus  (bug #851612)
+   - opus 1.2~alpha2-1 (bug #851612)
NOTE: Fixed by: 
https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409 
(v1.2-alpha)
 CVE-2016-9804 (In BlueZ 5.42, a buffer overflow was observed in 
commands_dump ...)
- bluez  (bug #847837)




[Secure-testing-commits] r48198 - in data: CVE DSA

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 18:35:52 + (Thu, 19 Jan 2017)
New Revision: 48198

Modified:
   data/CVE/list
   data/DSA/list
Log:
Adjust the CVE assignments for python-pysaml2

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 17:46:49 UTC (rev 48197)
+++ data/CVE/list   2017-01-19 18:35:52 UTC (rev 48198)
@@ -805,12 +805,12 @@
 CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a 
hardcoded ...)
NOT-FOR-US: D-Link
 CVE-2016-10127 [XML external entity attack]
-   RESERVED
-   {DSA-3759-1}
+   - python-pysaml2 
+   NOTE: https://github.com/rohe/pysaml2/issues/366
+CVE-2016-10149 [CWE-776 (Entity Expansion)]
- python-pysaml2 3.0.0-5 (bug #850716)
-   NOTE: https://github.com/rohe/pysaml2/pull/379
+   NOTE: NOTE: https://github.com/rohe/pysaml2/pull/379
NOTE: 
https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
-   NOTE: http://www.openwall.com/lists/oss-security/2017/01/10/6
 CVE-2017- [multiple new security issues]
- w3m 0.5.3-34 (bug #850432)
[jessie] - w3m  (Minor issues)
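
Review bot: The line added under CVE-2016-10149 reads "NOTE: NOTE: https://github.com/rohe/pysaml2/pull/379", with the NOTE: prefix doubled; drop one. The hunk also removes the oss-security link (2017/01/10/6) without attaching it to either entry, so the reference explaining the split between CVE-2016-10127 and CVE-2016-10149 is lost; keep it under the entry it belongs to.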

Modified: data/DSA/list
===
--- data/DSA/list   2017-01-19 17:46:49 UTC (rev 48197)
+++ data/DSA/list   2017-01-19 18:35:52 UTC (rev 48198)
@@ -22,7 +22,7 @@
{CVE-2016-9646 CVE-2016-10026 CVE-2017-0356}
[jessie] - ikiwiki 3.20141016.4
 [12 Jan 2017] DSA-3759-1 python-pysaml2 - security update
-   {CVE-2016-10127}
+   {CVE-2016-10149}
[jessie] - python-pysaml2 2.0.0-1+deb8u1
 [11 Jan 2017] DSA-3758-1 bind9 - security update
{CVE-2016-9131 CVE-2016-9147 CVE-2016-9444}




[Secure-testing-commits] r48197 - data/CVE

2017-01-19 Thread Markus Koschany
Author: apo
Date: 2017-01-19 17:46:49 + (Thu, 19 Jan 2017)
New Revision: 48197

Modified:
   data/CVE/list
Log:
CVE-2016-10074, libphp-swiftmailer: Add more information.


Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 17:44:54 UTC (rev 48196)
+++ data/CVE/list   2017-01-19 17:46:49 UTC (rev 48197)
@@ -3703,6 +3703,8 @@
 CVE-2016-10074 (The mail transport (aka Swift_Transport_MailTransport) in 
Swift Mailer ...)
- libphp-swiftmailer 5.4.2-1.1 (bug #849626)
NOTE: 
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
+   NOTE: https://github.com/swiftmailer/swiftmailer/issues/844
+   NOTE: Fixed by 
https://github.com/swiftmailer/swiftmailer/commit/e6ccf40d856af9598b76eb313b215eed25ae9e86
 CVE-2016-10073
RESERVED
 CVE-2016-10072 (** DISPUTED ** WampServer 3.0.6 has two files called 
'wampmanager.exe' ...)
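
Review bot: The added "NOTE: Fixed by" line for CVE-2016-10074 omits the colon that other entries in the list use ("NOTE: Fixed by: <url>"). Use the same form so that fix references can be matched with a single pattern.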




[Secure-testing-commits] r48196 - in data: . DLA

2017-01-19 Thread Markus Koschany
Author: apo
Date: 2017-01-19 17:44:54 + (Thu, 19 Jan 2017)
New Revision: 48196

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-792-1 for libphp-swiftmailer

Modified: data/DLA/list
===
--- data/DLA/list   2017-01-19 16:09:04 UTC (rev 48195)
+++ data/DLA/list   2017-01-19 17:44:54 UTC (rev 48196)
@@ -1,3 +1,6 @@
+[19 Jan 2017] DLA-792-1 libphp-swiftmailer - security update
+   {CVE-2016-10074}
+   [wheezy] - libphp-swiftmailer 4.1.5-1+deb7u1
 [19 Jan 2017] DLA-791-1 libav - security update
{CVE-2016-9819 CVE-2016-9820 CVE-2016-9821 CVE-2016-9822}
[wheezy] - libav 6:0.8.20-0+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-19 16:09:04 UTC (rev 48195)
+++ data/dla-needed.txt 2017-01-19 17:44:54 UTC (rev 48196)
@@ -42,10 +42,6 @@
 libical
   NOTE: No known solution as of 2017-01-16.
 --
-libphp-swiftmailer (Markus Koschany)
-  NOTE: According to the release note this is a critial vulnerability so it
-  NOTE: should have high priority.
---
 libplist (Emilio Pozuelo)
 --
 libxml-twig-perl




[Secure-testing-commits] r48195 - data/CVE

2017-01-19 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-01-19 16:09:04 + (Thu, 19 Jan 2017)
New Revision: 48195

Modified:
   data/CVE/list
Log:
seafile n/a
new netbeans issue
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 13:34:31 UTC (rev 48194)
+++ data/CVE/list   2017-01-19 16:09:04 UTC (rev 48195)
@@ -25954,7 +25954,7 @@
 CVE-2016-5619 (Unspecified vulnerability in the Oracle FLEXCUBE Universal 
Banking ...)
NOT-FOR-US: Oracle FLEXCUBE
 CVE-2016-5618 (Unspecified vulnerability in the Oracle Data Integrator 
component in ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5617
REJECTED
 CVE-2016-5616
@@ -26001,17 +26001,17 @@
[jessie] - virtualbox  (DSA-3699-1)
[wheezy] - virtualbox  (DSA 3454)
 CVE-2016-5604 (Unspecified vulnerability in the Enterprise Manager Base 
Platform ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5603 (Unspecified vulnerability in the Oracle FLEXCUBE Universal 
Banking ...)
TODO: check
 CVE-2016-5602 (Unspecified vulnerability in the Oracle Data Integrator 
component in ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5601 (Unspecified vulnerability in the Oracle WebLogic Server 
component in ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5600 (Unspecified vulnerability in the PeopleSoft Enterprise SCM 
Services ...)
TODO: check
 CVE-2016-5599 (Unspecified vulnerability in the Oracle Advanced Supply Chain 
Planning ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5598 (Unspecified vulnerability in the MySQL Connector component 
2.1.3 and ...)
- mysql-connector-python 2.1.5-1 (bug #841677)
NOTE: 
https://blog.qualys.com/laws-of-vulnerabilities/2016/10/18/oracle-october-2016-critical-patch-update
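
Review bot: In this hunk CVE-2016-5603 (Oracle FLEXCUBE Universal Banking) and CVE-2016-5600 (PeopleSoft Enterprise SCM Services) are left at "TODO: check" while the surrounding Oracle entries become "NOT-FOR-US: Oracle". If they were skipped on purpose, say so in the log message; otherwise mark them in the same pass, for example "NOT-FOR-US: Oracle FLEXCUBE" as CVE-2016-5619 already is.
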
@@ -26024,30 +26024,30 @@
- openjdk-6 
[wheezy] - openjdk-6 
 CVE-2016-5596 (Unspecified vulnerability in the Oracle CRM Technical 
Foundation ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5595 (Unspecified vulnerability in the Oracle Customer Interaction 
History ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5594 (Unspecified vulnerability in the Oracle FLEXCUBE Universal 
Banking ...)
TODO: check
 CVE-2016-5593 (Unspecified vulnerability in the Oracle Customer Interaction 
History ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5592 (Unspecified vulnerability in the Oracle Customer Interaction 
History ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5591 (Unspecified vulnerability in the Oracle Customer Interaction 
History ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5590
RESERVED
NOT-FOR-US: MySQL Enterprise Monitor
 CVE-2016-5589 (Unspecified vulnerability in the Oracle CRM Technical 
Foundation ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5588 (Unspecified vulnerability in the Oracle Outside In Technology 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5587 (Unspecified vulnerability in the Oracle Customer Interaction 
History ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5586 (Unspecified vulnerability in the Oracle Email Center component 
in ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5585 (Unspecified vulnerability in the Oracle Interaction Center ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5584 (Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 
5.6.33 ...)
{DSA-3711-1 DSA-3706-1 DLA-708-1}
- mariadb-10.0 10.0.28-1
@@ -26056,7 +26056,7 @@
- mysql-5.5  (bug #841050)
NOTE: Fixed in MariaDB 5.5.53, MariaDB 10.0.28
 CVE-2016-5583 (Unspecified vulnerability in the Oracle One-to-One Fulfillment 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5582 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 
8u102; and ...)
{DSA-3707-1 DLA-704-1}
- openjdk-8 8u111-b14-1
@@ -26066,21 +26066,21 @@
- openjdk-6 
[wheezy] - openjdk-6 
 CVE-2016-5581 (Unspecified vulnerability in the Oracle iRecruitment component 
in ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5580 (Unspecified vulnerability in the Secure Global Desktop 
component in ...)
NOT-FOR-US: Secure Global Desktop
 CVE-2016-5579 (Unspecified vulnerability in the Oracle Outside In Technology 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5578 (Unspecified vulnerability in the Oracle Outside In Technology 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5577 (Unspecified vulnerability in the Oracle Outside In Technology 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5576 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows 
local ...)
NOT-FOR-US: Solaris
 CVE-2016-5575 (Unspecified vulnerability in the Oracle Common Applications 
Calendar ...)
TODO: check
 

[Secure-testing-commits] Processing r48194 failed

2017-01-19 Thread security tracker role
The error message was:

data/CVE/list:80900: ITPed package seafile is in the archive
Makefile:22: recipe for target 'all' failed
make: *** [all] Error 1



[Secure-testing-commits] r48194 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 13:34:31 + (Thu, 19 Jan 2017)
New Revision: 48194

Modified:
   data/CVE/list
Log:
Record moodle issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 12:24:30 UTC (rev 48193)
+++ data/CVE/list   2017-01-19 13:34:31 UTC (rev 48194)
@@ -24,8 +24,12 @@
- mapserver 7.0.4-1
NOTE: 
https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html
NOTE: 
https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df
-CVE-2017- [Moodle issues; invormation released on 16th of january]
+CVE-2017-2578
- moodle 2.7.18+dfsg-1
+   NOTE: https://moodle.org/mod/forum/discuss.php?d=345915
+CVE-2017-2576
+   - moodle 2.7.18+dfsg-1
+   NOTE: https://moodle.org/mod/forum/discuss.php?d=345912
 CVE-2017-5521 (An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, 
R7300, ...)
TODO: check
 CVE-2017-5520 (The media rename feature in GeniXCMS through 0.0.8 does not 
consider ...)
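Review bot: The placeholder entry is replaced by CVE-2017-2578 and CVE-2017-2576 with no bracketed description on either one, so the two can only be told apart by following the forum links in their NOTE lines. A short description in brackets on each entry, as the removed placeholder line had, would make them readable on their own.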
@@ -7550,12 +7554,8 @@
RESERVED
 CVE-2017-2579
RESERVED
-CVE-2017-2578
-   RESERVED
 CVE-2017-2577
RESERVED
-CVE-2017-2576
-   RESERVED
 CVE-2017-2575
RESERVED
 CVE-2017-2574




[Secure-testing-commits] r48193 - data/DLA

2017-01-19 Thread Hugo Lefeuvre
Author: hle
Date: 2017-01-19 12:24:30 + (Thu, 19 Jan 2017)
New Revision: 48193

Modified:
   data/DLA/list
Log:
Reserve DLA number 791-1 for libav.

Modified: data/DLA/list
===
--- data/DLA/list   2017-01-19 12:21:44 UTC (rev 48192)
+++ data/DLA/list   2017-01-19 12:24:30 UTC (rev 48193)
@@ -1,3 +1,6 @@
+[19 Jan 2017] DLA-791-1 libav - security update
+   {CVE-2016-9819 CVE-2016-9820 CVE-2016-9821 CVE-2016-9822}
+   [wheezy] - libav 6:0.8.20-0+deb7u1
 [19 Jan 2017] DLA-790-1 mapserver - security update
{CVE-2017-5522}
[wheezy] - mapserver 6.0.1-3.2+deb7u4




[Secure-testing-commits] r48192 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 12:21:44 + (Thu, 19 Jan 2017)
New Revision: 48192

Modified:
   data/CVE/list
Log:
Track fixes for CVE-2015-5303 and CVE-2015-5323

Note for reviewers: needs a peer review still, since fixed by a new
upstream version.

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 12:19:32 UTC (rev 48191)
+++ data/CVE/list   2017-01-19 12:21:44 UTC (rev 48192)
@@ -53748,7 +53748,7 @@
NOTE: https://www.samba.org/samba/security/CVE-2015-5330.html
NOTE: Samba update needs as well fixed ldb
 CVE-2015-5329 (The TripleO Heat templates (tripleo-heat-templates), as used in 
Red ...)
-   - tripleo-heat-templates  (bug #851396)
+   - tripleo-heat-templates 5.2.0-1 (bug #851396)
 CVE-2015-5328
RESERVED
 CVE-2015-5327 [User triggerable out-of-bounds read]
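Review bot: The log message says this commit tracks fixes for CVE-2015-5303 and CVE-2015-5323, but the entry changed in this hunk is CVE-2015-5329, and no hunk touches CVE-2015-5323. Confirm which identifier is meant and correct either the log or the entry, since the fixed version 5.2.0-1 is now recorded against CVE-2015-5329.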
@@ -53873,7 +53873,7 @@
 CVE-2015-5304 (Red Hat JBoss Enterprise Application Platform (EAP) before 
6.4.5 does ...)
NOT-FOR-US: Red Hat JBoss Enterprise Application Platform
 CVE-2015-5303 (The TripleO Heat templates (tripleo-heat-templates), when 
deployed via ...)
-   - tripleo-heat-templates  (bug #851396)
+   - tripleo-heat-templates 5.2.0-1 (bug #851396)
 CVE-2015-5302 (libreport 2.0.7 before 2.6.3 only saves changes to the first 
file when ...)
NOT-FOR-US: abrt/libreport
 CVE-2015-5301 (providers/saml2/admin.py in the Identity Provider (IdP) server 
in ...)
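Review bot: The fixed version 5.2.0-1 is recorded for CVE-2015-5303 without a NOTE line pointing at the upstream change, while the log says the fix comes from a new upstream version and still needs peer review. Adding a NOTE with the upstream commit or release reference would let the reviewer verify the version against the fix.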




[Secure-testing-commits] r48191 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 12:19:32 + (Thu, 19 Jan 2017)
New Revision: 48191

Modified:
   data/CVE/list
Log:
Use standardized format

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 10:35:45 UTC (rev 48190)
+++ data/CVE/list   2017-01-19 12:19:32 UTC (rev 48191)
@@ -2,7 +2,7 @@
NOT-FOR-US: Plone
 CVE-2017- [weblate information leak]
- weblate  (bug #745661)
-   NOTE: CVE request: 
http://www.openwall.com/lists/oss-security/2017/01/18/11
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/18/11
 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory 
consumption issue]
- qemu 
- qemu-kvm 




[Secure-testing-commits] r48190 - data/CVE

2017-01-19 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-01-19 10:35:45 + (Thu, 19 Jan 2017)
New Revision: 48190

Modified:
   data/CVE/list
Log:
new plone issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 09:37:24 UTC (rev 48189)
+++ data/CVE/list   2017-01-19 10:35:45 UTC (rev 48190)
@@ -1,3 +1,5 @@
+CVE-2017-5524
+   NOT-FOR-US: Plone
 CVE-2017- [weblate information leak]
- weblate  (bug #745661)
NOTE: CVE request: 
http://www.openwall.com/lists/oss-security/2017/01/18/11




[Secure-testing-commits] r48189 - data/CVE

2017-01-19 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-01-19 09:37:24 + (Thu, 19 Jan 2017)
New Revision: 48189

Modified:
   data/CVE/list
Log:
new weblate issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 09:10:13 UTC (rev 48188)
+++ data/CVE/list   2017-01-19 09:37:24 UTC (rev 48189)
@@ -1,3 +1,6 @@
+CVE-2017- [weblate information leak]
+   - weblate  (bug #745661)
+   NOTE: CVE request: 
http://www.openwall.com/lists/oss-security/2017/01/18/11
 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory 
consumption issue]
- qemu 
- qemu-kvm 




[Secure-testing-commits] r48188 - data/CVE

2017-01-19 Thread security tracker role
Author: sectracker
Date: 2017-01-19 09:10:13 + (Thu, 19 Jan 2017)
New Revision: 48188

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 08:55:24 UTC (rev 48187)
+++ data/CVE/list   2017-01-19 09:10:13 UTC (rev 48188)
@@ -15,6 +15,7 @@
RESERVED
 CVE-2017-5522 [stack buffer overflow]
RESERVED
+   {DSA-3766-1 DLA-790-1}
- mapserver 7.0.4-1
NOTE: 
https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html
NOTE: 
https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df




[Secure-testing-commits] r48187 - data/CVE

2017-01-19 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-01-19 08:55:24 + (Thu, 19 Jan 2017)
New Revision: 48187

Modified:
   data/CVE/list
Log:
NFUs (concludes external check)


Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 08:29:44 UTC (rev 48186)
+++ data/CVE/list   2017-01-19 08:55:24 UTC (rev 48187)
@@ -16016,6 +16016,7 @@
NOTE: Needs an attacker to compromise a controlled server.
 CVE-2016-8627
RESERVED
+   NOT-FOR-US: Red Hat JBoss EAP
 CVE-2016-8626 [RGW Denial of Service by sending POST object with null 
conditions]
RESERVED
- ceph 10.2.5-1 (bug #844200)
@@ -26083,7 +26084,7 @@
- openjdk-6 
[wheezy] - openjdk-6 
 CVE-2016-5572 (Unspecified vulnerability in the Kernel PDB component in Oracle 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5571 (Unspecified vulnerability in the Oracle Applications DBA 
component in ...)
TODO: check
 CVE-2016-5570 (Unspecified vulnerability in the Oracle Applications DBA 
component in ...)
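Review bot: The log says these NFUs conclude the external check, yet the context of this hunk still shows CVE-2016-5571 (Oracle Applications DBA) at `TODO: check`, directly below the CVE-2016-5572 line that is triaged here. If the Applications DBA entries are deliberately left for a later pass, say so in the log; otherwise mark them in this commit.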
@@ -26121,7 +26122,7 @@
- openjdk-7  (specific to Oracle Java)
- openjdk-8  (specific to Oracle Java)
 CVE-2016- (Unspecified vulnerability in the OJVM component in Oracle 
Database ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5554 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 
8u102; and ...)
{DSA-3707-1 DLA-704-1}
- openjdk-8 8u111-b14-1
@@ -26234,7 +26235,7 @@
 CVE-2016-5517 (Unspecified vulnerability in the Oracle Applications DBA 
component in ...)
TODO: check
 CVE-2016-5516 (Unspecified vulnerability in the Kernel PDB component in Oracle 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5515 (Unspecified vulnerability in the Oracle Agile PLM component in 
Oracle ...)
TODO: check
 CVE-2016-5514 (Unspecified vulnerability in the Oracle Agile PLM component in 
Oracle ...)
@@ -26259,7 +26260,7 @@
 CVE-2016-5506 (Unspecified vulnerability in the Oracle Identity Manager 
component in ...)
TODO: check
 CVE-2016-5505 (Unspecified vulnerability in the RDBMS Programmable Interface 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5504 (Unspecified vulnerability in the Oracle Agile Product Lifecycle 
...)
TODO: check
 CVE-2016-5503 (Unspecified vulnerability in the Sun ZFS Storage Appliance Kit 
(AK) ...)
@@ -26273,11 +26274,11 @@
 CVE-2016-5500 (Unspecified vulnerability in the Oracle Discoverer component in 
Oracle ...)
TODO: check
 CVE-2016-5499 (Unspecified vulnerability in the RDBMS Security component in 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5498 (Unspecified vulnerability in the RDBMS Security component in 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5497 (Unspecified vulnerability in the RDBMS Security component in 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-5496
RESERVED
 CVE-2016-5495 (Unspecified vulnerability in the Oracle Discoverer component in 
Oracle ...)
@@ -33029,7 +33030,7 @@
 CVE-2016-3563 (Unspecified vulnerability in the Enterprise Manager Base 
Platform ...)
TODO: check
 CVE-2016-3562 (Unspecified vulnerability in the RDBMS Security and SQL*Plus 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2016-3561 (Unspecified vulnerability in the Oracle Agile PLM component in 
Oracle ...)
TODO: check
 CVE-2016-3560 (Unspecified vulnerability in the Oracle Agile PLM component in 
Oracle ...)




[Secure-testing-commits] r48186 - in data: . DSA

2017-01-19 Thread Sebastien Delafond
Author: seb
Date: 2017-01-19 08:29:44 + (Thu, 19 Jan 2017)
New Revision: 48186

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA-3766-1 for mapserver (CVE-2017-5522)

Modified: data/DSA/list
===
--- data/DSA/list   2017-01-19 08:28:40 UTC (rev 48185)
+++ data/DSA/list   2017-01-19 08:29:44 UTC (rev 48186)
@@ -1,3 +1,6 @@
+[19 Jan 2017] DSA-3766-1 mapserver - security update
+   {CVE-2017-5522}
+   [jessie] - mapserver 6.4.1-5+deb8u3
 [15 Jan 2017] DSA-3743-2 python-bottle - regression update
[jessie] - python-bottle 0.12.7-1+deb8u2
 [14 Jan 2017] DSA-3765-1 icoutils - security update

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-01-19 08:28:40 UTC (rev 48185)
+++ data/dsa-needed.txt 2017-01-19 08:29:44 UTC (rev 48186)
@@ -28,9 +28,6 @@
 linux
   wait until more issues have piled up
 --
-mapserver (seb)
-  Maintainer prepared update for CVE-2017-5522, ack'ed for upload
---
 mariadb-10.0 (carnil)
 --
 mysql-5.5 (carnil)




[Secure-testing-commits] r48185 - data/CVE

2017-01-19 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-19 08:28:40 + (Thu, 19 Jan 2017)
New Revision: 48185

Modified:
   data/CVE/list
Log:
Add CVE-2017-0386 information

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 07:08:24 UTC (rev 48184)
+++ data/CVE/list   2017-01-19 08:28:40 UTC (rev 48185)
@@ -12077,7 +12077,8 @@
 CVE-2017-0387 (An elevation of privilege vulnerability in Mediaserver could 
enable a ...)
TODO: check
 CVE-2017-0386 (An elevation of privilege vulnerability in the libnl library 
could ...)
-   TODO: check
+   - libnl3  (Specific to Android's use of libnl)
+   NOTE: https://github.com/thom311/libnl/issues/124
 CVE-2017-0385 (An elevation of privilege vulnerability in Audioserver could 
enable a ...)
TODO: check
 CVE-2017-0384 (An elevation of privilege vulnerability in ...)

