[Secure-testing-commits] r48217 - data/CVE
Author: carnil Date: 2017-01-20 06:41:39 + (Fri, 20 Jan 2017) New Revision: 48217 Modified: data/CVE/list Log: Mark CVE-2017-5538 as NFU, issue in source code not present in src:linux Modified: data/CVE/list === --- data/CVE/list 2017-01-20 06:05:10 UTC (rev 48216) +++ data/CVE/list 2017-01-20 06:41:39 UTC (rev 48217) @@ -11,6 +11,8 @@ [wheezy] - wordpress (wp_ajax_update_plugin function introduced in 4.2) NOTE: https://core.trac.wordpress.org/ticket/37490 NOTE: https://core.trac.wordpress.org/changeset/38168 +CVE-2017-5538 + NOT-FOR-US: Samsung Exynos CVE-2017-5524 RESERVED NOT-FOR-US: Plone ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
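Review bot: the new CVE-2017-5538 entry carries only `NOT-FOR-US: Samsung Exynos`; the reasoning given in the commit log (the affected source is not present in src:linux) is not recorded in the list itself. A NOTE line under the entry, e.g. `NOTE: Samsung vendor code, not present in src:linux`, would let the next triager see why the issue was excluded without digging through the revision history, which matters for NOT-FOR-US decisions that rest on a code check rather than on the product name alone.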
[Secure-testing-commits] r48216 - data/CVE
Author: carnil Date: 2017-01-20 06:05:10 + (Fri, 20 Jan 2017) New Revision: 48216 Modified: data/CVE/list Log: Record fixed version for CVE-2016-2337 Modified: data/CVE/list === --- data/CVE/list 2017-01-20 05:56:10 UTC (rev 48215) +++ data/CVE/list 2017-01-20 06:05:10 UTC (rev 48216) @@ -36629,9 +36629,10 @@ CVE-2016-2338 RESERVED CVE-2016-2337 (Type confusion exists in _cancel_eval Ruby's TclTkIp class method. ...) - - ruby2.3 + - ruby2.3 2.3.0-1 - ruby2.1 (bug #851161) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0031/ + NOTE: https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab TODO: check, might not be exploitable in jessie with ruby2.1, since requires cancel_eval which is supported in Tcl/Tk8.6 or later. CVE-2016-2336 (Type confusion exists in two methods of Ruby's WIN32OLE class, ...) - ruby2.3 (unimportant) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
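Review bot: the upstream commit is added as a bare `NOTE: https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab`, whereas the sibling CVE-2016-2339 entry (r48215) labels the equivalent reference `NOTE: Fixed by: ...`; use the same `Fixed by:` prefix here so the link is recognisable as the fix and not a general reference. The `TODO: check` about jessie/ruby2.1 and Tcl/Tk 8.6 is also still open after this change, so the ruby2.1 line continues to have neither a fixed version nor a jessie tag.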
[Secure-testing-commits] r48215 - data/CVE
Author: carnil Date: 2017-01-20 05:56:10 + (Fri, 20 Jan 2017) New Revision: 48215 Modified: data/CVE/list Log: Record fixed version for CVE-2016-2339 Modified: data/CVE/list === --- data/CVE/list 2017-01-20 05:55:59 UTC (rev 48214) +++ data/CVE/list 2017-01-20 05:56:10 UTC (rev 48215) @@ -36622,7 +36622,7 @@ CVE-2016-2340 (The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows ...) NOT-FOR-US: Granite CVE-2016-2339 (An exploitable heap overflow vulnerability exists in the ...) - - ruby2.3 + - ruby2.3 2.3.0-1 - ruby2.1 (bug #851161) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0034/ NOTE: Fixed by: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48214 - data/CVE
Author: carnil Date: 2017-01-20 05:55:59 + (Fri, 20 Jan 2017) New Revision: 48214 Modified: data/CVE/list Log: Move bug #851161 to src:ruby2.1 (reassigned by maintiner) Modified: data/CVE/list === --- data/CVE/list 2017-01-20 05:19:13 UTC (rev 48213) +++ data/CVE/list 2017-01-20 05:55:59 UTC (rev 48214) @@ -36622,15 +36622,15 @@ CVE-2016-2340 (The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows ...) NOT-FOR-US: Granite CVE-2016-2339 (An exploitable heap overflow vulnerability exists in the ...) - - ruby2.3 (bug #851161) - - ruby2.1 + - ruby2.3 + - ruby2.1 (bug #851161) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0034/ NOTE: Fixed by: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42 CVE-2016-2338 RESERVED CVE-2016-2337 (Type confusion exists in _cancel_eval Ruby's TclTkIp class method. ...) - - ruby2.3 (bug #851161) - - ruby2.1 + - ruby2.3 + - ruby2.1 (bug #851161) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0031/ TODO: check, might not be exploitable in jessie with ruby2.1, since requires cancel_eval which is supported in Tcl/Tk8.6 or later. CVE-2016-2336 (Type confusion exists in two methods of Ruby's WIN32OLE class, ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
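Review bot: bug #851161 is moved to the ruby2.1 line of both CVE-2016-2339 and CVE-2016-2337, which leaves the two ruby2.3 lines with no version, bug reference or tag at all. If the reassignment means ruby2.3 is believed unaffected or already fixed in unstable, that should be recorded on the ruby2.3 lines (r48215 and r48216 later add `2.3.0-1`); if it is still open there, a TODO or a separate bug reference would keep that visible.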
[Secure-testing-commits] r48213 - data/CVE
Author: carnil Date: 2017-01-20 05:19:13 + (Fri, 20 Jan 2017) New Revision: 48213 Modified: data/CVE/list Log: Add CVE-2017-5537/weblate Modified: data/CVE/list === --- data/CVE/list 2017-01-20 05:11:57 UTC (rev 48212) +++ data/CVE/list 2017-01-20 05:19:13 UTC (rev 48213) @@ -14,9 +14,9 @@ CVE-2017-5524 RESERVED NOT-FOR-US: Plone -CVE-2017- [weblate information leak] +CVE-2017-5537 [weblate information leak] - weblate (bug #745661) - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/18/11 + NOTE: http://www.openwall.com/lists/oss-security/2017/01/18/11 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory consumption issue] RESERVED - qemu (bug #851910) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48212 - data/CVE
Author: carnil Date: 2017-01-20 05:11:57 + (Fri, 20 Jan 2017) New Revision: 48212 Modified: data/CVE/list Log: Track linux status for CVE-2016-10150 Modified: data/CVE/list === --- data/CVE/list 2017-01-20 02:10:39 UTC (rev 48211) +++ data/CVE/list 2017-01-20 05:11:57 UTC (rev 48212) @@ -1,8 +1,9 @@ CVE-2016-10150 [kvm: use-after-free issue while creating devices] - - linux - NOTE: CVE request: http://www.openwall.com/lists/oss-security/2017/01/18/10 - NOTE: CVE assignment: http://www.openwall.com/lists/oss-security/2017/01/19/6 - NOTE: patch: https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 + - linux 4.8.15-1 + [jessie] - linux (Vulnerable code introduced later) + [wheezy] - linux (Vulnerable code introduced later) + NOTE: Fixed by: https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 (v4.9-rc8) + NOTE: Introduced by: https://git.kernel.org/linus/a28ebea2adc4a2bef5989a5a181ec238f59fbcad (v4.8-rc2) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414506 CVE-2016-10148 (The wp_ajax_update_plugin function in ...) - wordpress 4.6.1+dfsg-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
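Review bot: the fixed version `linux 4.8.15-1` is a 4.8-series upload while the `Fixed by:` reference is tagged v4.9-rc8, so the fix must have reached 4.8.15-1 as a backport (for example through a 4.8.y stable release). A NOTE naming the stable release or the Debian changelog entry that carried commit a0f1d21c would let a reader verify the fixed version without bisecting. The jessie and wheezy `Vulnerable code introduced later` tags are consistent with the `Introduced by:` reference (v4.8-rc2).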
[Secure-testing-commits] r48211 - data/CVE
Author: pabs Date: 2017-01-20 02:10:39 + (Fri, 20 Jan 2017) New Revision: 48211 Modified: data/CVE/list Log: Linux: kvm: use-after-free issue while creating devices Reported-by: hexa- Reported-in: #debian-security Modified: data/CVE/list === --- data/CVE/list 2017-01-19 21:46:29 UTC (rev 48210) +++ data/CVE/list 2017-01-20 02:10:39 UTC (rev 48211) @@ -1,3 +1,9 @@ +CVE-2016-10150 [kvm: use-after-free issue while creating devices] + - linux + NOTE: CVE request: http://www.openwall.com/lists/oss-security/2017/01/18/10 + NOTE: CVE assignment: http://www.openwall.com/lists/oss-security/2017/01/19/6 + NOTE: patch: https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414506 CVE-2016-10148 (The wp_ajax_update_plugin function in ...) - wordpress 4.6.1+dfsg-1 [jessie] - wordpress (wp_ajax_update_plugin function introduced in 4.2) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48210 - data
Author: seb Date: 2017-01-19 21:46:29 + (Thu, 19 Jan 2017) New Revision: 48210 Modified: data/dsa-needed.txt Log: Add and take libphp-swiftmailer (CVE-2016-10074) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-19 21:22:41 UTC (rev 48209) +++ data/dsa-needed.txt 2017-01-19 21:46:29 UTC (rev 48210) @@ -23,6 +23,9 @@ -- libical -- +libphp-swiftmailer (seb) + Markus Koschany will provide a debdiff +-- libxml2 -- linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48209 - data/CVE
Author: carnil Date: 2017-01-19 21:22:41 + (Thu, 19 Jan 2017) New Revision: 48209 Modified: data/CVE/list Log: Update status for CVE-2016-10148 Modified: data/CVE/list === --- data/CVE/list 2017-01-19 21:19:13 UTC (rev 48208) +++ data/CVE/list 2017-01-19 21:22:41 UTC (rev 48209) @@ -1,5 +1,9 @@ CVE-2016-10148 (The wp_ajax_update_plugin function in ...) - TODO: check + - wordpress 4.6.1+dfsg-1 + [jessie] - wordpress (wp_ajax_update_plugin function introduced in 4.2) + [wheezy] - wordpress (wp_ajax_update_plugin function introduced in 4.2) + NOTE: https://core.trac.wordpress.org/ticket/37490 + NOTE: https://core.trac.wordpress.org/changeset/38168 CVE-2017-5524 RESERVED NOT-FOR-US: Plone ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48208 - in data: CVE DSA
Author: carnil Date: 2017-01-19 21:19:13 + (Thu, 19 Jan 2017) New Revision: 48208 Modified: data/CVE/list data/DSA/list Log: CVE-2016-1514 and CVE-2016-1515 rejected Modified: data/CVE/list === --- data/CVE/list 2017-01-19 21:19:03 UTC (rev 48207) +++ data/CVE/list 2017-01-19 21:19:13 UTC (rev 48208) @@ -39924,16 +39924,8 @@ RESERVED CVE-2016-1515 REJECTED - {DSA-3538-1} - - libebml 1.3.3-1 - NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0037/ - NOTE: Duplicate of CVE-2015-8789 / DSA-3538-1 CVE-2016-1514 REJECTED - {DSA-3538-1} - - libebml 1.3.3-1 - NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0036/ - NOTE: Duplicate of CVE-2015-8790 / DSA-3538-1 CVE-2016-1513 (The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote ...) {DLA-591-1} - libreoffice 1:4.3.3-1 Modified: data/DSA/list === --- data/DSA/list 2017-01-19 21:19:03 UTC (rev 48207) +++ data/DSA/list 2017-01-19 21:19:13 UTC (rev 48208) @@ -720,7 +720,7 @@ [wheezy] - srtp 1.4.4+20100615~dfsg-2+deb7u2 [jessie] - srtp 1.4.5~20130609~dfsg-1.1+deb8u1 [31 Mar 2016] DSA-3538-1 libebml - security update - {CVE-2015-8789 CVE-2016-1515 CVE-2015-8790 CVE-2016-1514 CVE-2015-8791} + {CVE-2015-8789 CVE-2015-8790 CVE-2015-8791} [wheezy] - libebml 1.2.2-2+deb7u1 [jessie] - libebml 1.3.0-2+deb8u1 [31 Mar 2016] DSA-3537-1 imlib2 - security update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
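Review bot: removing CVE-2016-1515 and CVE-2016-1514 from the DSA-3538-1 line in data/DSA/list matches the deleted `Duplicate of CVE-2015-8789 / DSA-3538-1` and `Duplicate of CVE-2015-8790 / DSA-3538-1` notes, but those notes are dropped together with the `{DSA-3538-1}` cross-reference, so the two REJECTED entries no longer say which CVE supersedes them. Keeping one `NOTE: Rejected, duplicate of CVE-2015-8789` (respectively CVE-2015-8790) under each REJECTED entry would preserve the mapping for anyone who meets the old IDs in the TALOS-2016-0036/0037 reports.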
[Secure-testing-commits] r48207 - data/CVE
Author: carnil Date: 2017-01-19 21:19:03 + (Thu, 19 Jan 2017) New Revision: 48207 Modified: data/CVE/list Log: Add bug reference for CVE-2017-5526 Modified: data/CVE/list === --- data/CVE/list 2017-01-19 21:10:12 UTC (rev 48206) +++ data/CVE/list 2017-01-19 21:19:03 UTC (rev 48207) @@ -8,7 +8,7 @@ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/18/11 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory consumption issue] RESERVED - - qemu + - qemu (bug #851910) - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01742.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414209 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48206 - data/CVE
Author: sectracker Date: 2017-01-19 21:10:12 + (Thu, 19 Jan 2017) New Revision: 48206 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-01-19 20:43:00 UTC (rev 48205) +++ data/CVE/list 2017-01-19 21:10:12 UTC (rev 48206) @@ -1,9 +1,13 @@ +CVE-2016-10148 (The wp_ajax_update_plugin function in ...) + TODO: check CVE-2017-5524 + RESERVED NOT-FOR-US: Plone CVE-2017- [weblate information leak] - weblate (bug #745661) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/18/11 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory consumption issue] + RESERVED - qemu - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01742.html @@ -11,6 +15,7 @@ NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da TODO: check affected versions CVE-2017-5525 [audio: memory leakage in ac97 device; CVE for the memory consumption issue] + RESERVED - qemu - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01740.html @@ -25,9 +30,11 @@ NOTE: https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html NOTE: https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df CVE-2017-2578 + RESERVED - moodle 2.7.18+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=345915 CVE-2017-2576 + RESERVED - moodle 2.7.18+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=345912 CVE-2017-5521 (An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, ...) @@ -316,8 +323,7 @@ RESERVED CVE-2017-5358 RESERVED -CVE-2016-10147 [crash by spawning mcrypt(alg) with incompatible algorithm] - RESERVED +CVE-2016-10147 (crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users ...) - linux 4.8.15-1 NOTE: Fixed by: https://git.kernel.org/linus/48a992727d82cb7db076fa15d372178743b1f4cd (v4.9) CVE-2016-10143 
@@ -805,9 +811,11 @@ CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded ...) NOT-FOR-US: D-Link CVE-2016-10127 [XML external entity attack] + RESERVED - python-pysaml2 NOTE: https://github.com/rohe/pysaml2/issues/366 CVE-2016-10149 [CWE-776 (Entity Expansion)] + {DSA-3759-1} - python-pysaml2 3.0.0-5 (bug #850716) NOTE: NOTE: https://github.com/rohe/pysaml2/pull/379 NOTE: https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b @@ -1409,8 +1417,8 @@ NOT-FOR-US: GenixCMS CVE-2016-10090 RESERVED -CVE-2016-10086 - RESERVED +CVE-2016-10086 (RESTful web services in CA Service Desk Manager 12.9 and CA Service ...) + TODO: check CVE-2017-5004 RESERVED CVE-2017-5003 @@ -3701,6 +3709,7 @@ - tqdm (bug #849632) NOTE: https://github.com/tqdm/tqdm/issues/328 CVE-2016-10074 (The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer ...) + {DLA-792-1} - libphp-swiftmailer 5.4.2-1.1 (bug #849626) NOTE: https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html NOTE: https://github.com/swiftmailer/swiftmailer/issues/844 @@ -5500,6 +5509,7 @@ - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3318 RESERVED + {DSA-3767-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) @@ -5507,6 +5517,7 @@ - mysql-5.5 (bug #851233) CVE-2017-3317 RESERVED + {DSA-3767-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) @@ -5525,11 +5536,13 @@ NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3313 RESERVED + {DSA-3767-1} - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3312 RESERVED + {DSA-3767-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) @@ -5590,6 +5603,7 @@ NOT-FOR-US: Oracle PeopleSoft CVE-2017-3291 RESERVED + {DSA-3767-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) 
@@ -5679,6 +5693,7 @@ NOT-FOR-US: Oracle CVE-2017-3265 RESERVED + {DSA-3767-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) @@ -5710,6 +5725,7 @@ - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-3258 RESERVED +
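Review bot: the automatic update copies `+ NOTE: NOTE: https://github.com/rohe/pysaml2/pull/379` into the CVE-2016-10149 entry unchanged; the doubled `NOTE:` prefix introduced in r48198 is not something the sync corrects, so it needs a manual fix to a single `NOTE:`. On the positive side, the `{DSA-3759-1}` cross-reference is added under CVE-2016-10149 here, which resolves the mismatch between data/CVE/list and data/DSA/list left by r48198. The hexchat entries touched in r48204/r48205 are not visited by this update, so they still lack a fixed version, bug reference or TODO.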
[Secure-testing-commits] r48205 - data/CVE
Author: carnil Date: 2017-01-19 20:43:00 + (Thu, 19 Jan 2017) New Revision: 48205 Modified: data/CVE/list Log: Add CVE-2016-2087/hexchat Modified: data/CVE/list === --- data/CVE/list 2017-01-19 20:42:50 UTC (rev 48204) +++ data/CVE/list 2017-01-19 20:43:00 UTC (rev 48205) @@ -37803,6 +37803,8 @@ NOTE: https://kb.isc.org/article/AA-01351 CVE-2016-2087 RESERVED + - hexchat + NOTE: https://www.exploit-db.com/exploits/39656/ CVE-2016-2086 (Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before ...) - nodejs 4.3.0~dfsg-1 (unimportant) NOTE: libv8 is not covered by security support ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
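Review bot: the CVE-2016-2087 entry now lists hexchat as affected, backed only by an exploit-db reference, while the `RESERVED` line is kept and there is no fixed version, bug reference or `TODO: check`. Without one of those the entry shows no open state in the tracker; add a bug reference, a link to the upstream issue or fix, or at least a TODO so it is not mistaken for a resolved item. The same applies to the CVE-2016-2233/hexchat entry added in r48204.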
[Secure-testing-commits] r48204 - data/CVE
Author: carnil Date: 2017-01-19 20:42:50 + (Thu, 19 Jan 2017) New Revision: 48204 Modified: data/CVE/list Log: Add CVE-2016-2233/hexchat Modified: data/CVE/list === --- data/CVE/list 2017-01-19 20:42:40 UTC (rev 48203) +++ data/CVE/list 2017-01-19 20:42:50 UTC (rev 48204) @@ -37081,6 +37081,8 @@ RESERVED CVE-2016-2233 RESERVED + - hexchat + NOTE: https://www.exploit-db.com/exploits/39657/ CVE-2016-2231 (The Windows-based Host Interface Program (WHIP) service on Huawei ...) NOT-FOR-US: Huawei CVE-2016-2230 (OpenELEC and RasPlex devices have a hardcoded password for the root ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48203 - data/CVE
Author: carnil Date: 2017-01-19 20:42:40 + (Thu, 19 Jan 2017) New Revision: 48203 Modified: data/CVE/list Log: Group entries by source package Modified: data/CVE/list === --- data/CVE/list 2017-01-19 20:09:49 UTC (rev 48202) +++ data/CVE/list 2017-01-19 20:42:40 UTC (rev 48203) @@ -32844,9 +32844,9 @@ RESERVED CVE-2016-3625 (tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier allows ...) - tiff 4.0.3-1 + [wheezy] - tiff (Can't reproduce) - tiff3 [wheezy] - tiff3 (Does not ship libtiff tools) - [wheezy] - tiff (Can't reproduce) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566 NOTE: Not reproducible with jessie and above, marking the version in jessie as fixed NOTE: CVE probably should/needs to be rejected, since upstream is as well unable to ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48202 - data/CVE
Author: anarcat Date: 2017-01-19 20:09:49 + (Thu, 19 Jan 2017) New Revision: 48202 Modified: data/CVE/list Log: can't reproduce CVE-2016-3625 in wheezy Modified: data/CVE/list === --- data/CVE/list 2017-01-19 19:46:56 UTC (rev 48201) +++ data/CVE/list 2017-01-19 20:09:49 UTC (rev 48202) @@ -32846,6 +32846,7 @@ - tiff 4.0.3-1 - tiff3 [wheezy] - tiff3 (Does not ship libtiff tools) + [wheezy] - tiff (Can't reproduce) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566 NOTE: Not reproducible with jessie and above, marking the version in jessie as fixed NOTE: CVE probably should/needs to be rejected, since upstream is as well unable to ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48201 - data/CVE
Author: carnil Date: 2017-01-19 19:46:56 + (Thu, 19 Jan 2017) New Revision: 48201 Modified: data/CVE/list Log: mariadb-10.1 fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-01-19 19:24:27 UTC (rev 48200) +++ data/CVE/list 2017-01-19 19:46:56 UTC (rev 48201) @@ -5500,14 +5500,14 @@ - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3318 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3317 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) @@ -5530,7 +5530,7 @@ - mysql-5.5 (bug #851233) CVE-2017-3312 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) @@ -5590,7 +5590,7 @@ NOT-FOR-US: Oracle PeopleSoft CVE-2017-3291 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) @@ -5679,7 +5679,7 @@ NOT-FOR-US: Oracle CVE-2017-3265 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) @@ -5710,14 +5710,14 @@ - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-3258 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3257 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) 
@@ -5769,14 +5769,14 @@ NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3244 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3243 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (Only affects MySQL 5.5) - mysql-5.6 (Only affects MySQL 5.5) @@ -5798,7 +5798,7 @@ - glassfish (Only affects 3.x) CVE-2017-3238 RESERVED - - mariadb-10.1 (bug #851759) + - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (bug #851235) - mysql-5.6 (bug #851234) @@ -22121,7 +22121,7 @@ CVE-2016-6665 RESERVED CVE-2016-6664 (mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and ...) - - mariadb-10.1 (bug #849435; bug #851759) + - mariadb-10.1 10.1.21-1 (bug #849435; bug #851759) - mariadb-10.0 (bug #842895; bug #851755) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
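Review bot: the mariadb-10.1 line under CVE-2017-3243 is set to fixed in 10.1.21-1, while the mysql-5.7 and mysql-5.6 lines in the same hunk are annotated `Only affects MySQL 5.5`. If the issue really is confined to the 5.5 code base, mariadb-10.1 would more plausibly be `(Not affected)` or need a NOTE explaining why the 10.1.21 release counts as the fix; worth confirming against the MariaDB release notes before DSA-3767-1 references this ID. The other mariadb-10.1 lines in this patch are plain version updates and look consistent.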
[Secure-testing-commits] r48200 - in data: . DSA
Author: carnil Date: 2017-01-19 19:24:27 + (Thu, 19 Jan 2017) New Revision: 48200 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for mysql-5.5 Modified: data/DSA/list === --- data/DSA/list 2017-01-19 18:42:07 UTC (rev 48199) +++ data/DSA/list 2017-01-19 19:24:27 UTC (rev 48200) @@ -1,3 +1,6 @@ +[19 Jan 2017] DSA-3767-1 mysql-5.5 - security update + {CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 CVE-2017-3317 CVE-2017-3318} + [jessie] - mysql-5.5 5.5.54-0+deb8u1 [19 Jan 2017] DSA-3766-1 mapserver - security update {CVE-2017-5522} [jessie] - mapserver 6.4.1-5+deb8u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-19 18:42:07 UTC (rev 48199) +++ data/dsa-needed.txt 2017-01-19 19:24:27 UTC (rev 48200) @@ -30,8 +30,6 @@ -- mariadb-10.0 (carnil) -- -mysql-5.5 (carnil) --- openjdk-7 (jmm) -- openjpeg2 (jmm) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48199 - data/CVE
Author: carnil Date: 2017-01-19 18:42:07 + (Thu, 19 Jan 2017) New Revision: 48199 Modified: data/CVE/list Log: Add fixed version for CVE-2017-0381 in unstable Modified: data/CVE/list === --- data/CVE/list 2017-01-19 18:35:52 UTC (rev 48198) +++ data/CVE/list 2017-01-19 18:42:07 UTC (rev 48199) @@ -12096,7 +12096,7 @@ CVE-2017-0382 (A remote code execution vulnerability in the Framesequence library ...) TODO: check CVE-2017-0381 (A remote code execution vulnerability in silk/NLSF_stabilize.c in ...) - - opus (bug #851612) + - opus 1.2~alpha2-1 (bug #851612) NOTE: Fixed by: https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409 (v1.2-alpha) CVE-2016-9804 (In BlueZ 5.42, a buffer overflow was observed in commands_dump ...) - bluez (bug #847837) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48198 - in data: CVE DSA
Author: carnil Date: 2017-01-19 18:35:52 + (Thu, 19 Jan 2017) New Revision: 48198 Modified: data/CVE/list data/DSA/list Log: Adjust the CVE assignments for python-pysaml2 Modified: data/CVE/list === --- data/CVE/list 2017-01-19 17:46:49 UTC (rev 48197) +++ data/CVE/list 2017-01-19 18:35:52 UTC (rev 48198) @@ -805,12 +805,12 @@ CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded ...) NOT-FOR-US: D-Link CVE-2016-10127 [XML external entity attack] - RESERVED - {DSA-3759-1} + - python-pysaml2 + NOTE: https://github.com/rohe/pysaml2/issues/366 +CVE-2016-10149 [CWE-776 (Entity Expansion)] - python-pysaml2 3.0.0-5 (bug #850716) - NOTE: https://github.com/rohe/pysaml2/pull/379 + NOTE: NOTE: https://github.com/rohe/pysaml2/pull/379 NOTE: https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b - NOTE: http://www.openwall.com/lists/oss-security/2017/01/10/6 CVE-2017- [multiple new security issues] - w3m 0.5.3-34 (bug #850432) [jessie] - w3m (Minor issues) Modified: data/DSA/list === --- data/DSA/list 2017-01-19 17:46:49 UTC (rev 48197) +++ data/DSA/list 2017-01-19 18:35:52 UTC (rev 48198) @@ -22,7 +22,7 @@ {CVE-2016-9646 CVE-2016-10026 CVE-2017-0356} [jessie] - ikiwiki 3.20141016.4 [12 Jan 2017] DSA-3759-1 python-pysaml2 - security update - {CVE-2016-10127} + {CVE-2016-10149} [jessie] - python-pysaml2 2.0.0-1+deb8u1 [11 Jan 2017] DSA-3758-1 bind9 - security update {CVE-2016-9131 CVE-2016-9147 CVE-2016-9444} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
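Review bot: two issues in the data/CVE/list hunk. First, `+ NOTE: NOTE: https://github.com/rohe/pysaml2/pull/379` has a doubled `NOTE:` prefix; it should read `NOTE: https://github.com/rohe/pysaml2/pull/379` (or `NOTE: Fixed by: ...` if that is the intent). Second, `{DSA-3759-1}` is removed from CVE-2016-10127 but not added to the new CVE-2016-10149 entry, even though data/DSA/list is switched to `{CVE-2016-10149}` in the same commit, so the two files disagree until the next automatic update re-adds the cross-reference. Also, CVE-2016-10127 is left as `- python-pysaml2` with no version, bug reference or TODO, so the XXE issue (issues/366) has no visible open state after the split.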
[Secure-testing-commits] r48197 - data/CVE
Author: apo Date: 2017-01-19 17:46:49 + (Thu, 19 Jan 2017) New Revision: 48197 Modified: data/CVE/list Log: CVE-2016-10074, libphp-swiftmailer: Add more information. Modified: data/CVE/list === --- data/CVE/list 2017-01-19 17:44:54 UTC (rev 48196) +++ data/CVE/list 2017-01-19 17:46:49 UTC (rev 48197) @@ -3703,6 +3703,8 @@ CVE-2016-10074 (The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer ...) - libphp-swiftmailer 5.4.2-1.1 (bug #849626) NOTE: https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html + NOTE: https://github.com/swiftmailer/swiftmailer/issues/844 + NOTE: Fixed by https://github.com/swiftmailer/swiftmailer/commit/e6ccf40d856af9598b76eb313b215eed25ae9e86 CVE-2016-10073 RESERVED CVE-2016-10072 (** DISPUTED ** WampServer 3.0.6 has two files called 'wampmanager.exe' ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
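Review bot: `NOTE: Fixed by https://github.com/swiftmailer/swiftmailer/commit/e6ccf40d856af9598b76eb313b215eed25ae9e86` omits the colon after `Fixed by` that the rest of the file uses (`NOTE: Fixed by: ...`, see the ruby and linux entries in this batch); keeping the exact prefix makes the fix reference easy to grep for.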
[Secure-testing-commits] r48196 - in data: . DLA
Author: apo Date: 2017-01-19 17:44:54 + (Thu, 19 Jan 2017) New Revision: 48196 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-792-1 for libphp-swiftmailer Modified: data/DLA/list === --- data/DLA/list 2017-01-19 16:09:04 UTC (rev 48195) +++ data/DLA/list 2017-01-19 17:44:54 UTC (rev 48196) @@ -1,3 +1,6 @@ +[19 Jan 2017] DLA-792-1 libphp-swiftmailer - security update + {CVE-2016-10074} + [wheezy] - libphp-swiftmailer 4.1.5-1+deb7u1 [19 Jan 2017] DLA-791-1 libav - security update {CVE-2016-9819 CVE-2016-9820 CVE-2016-9821 CVE-2016-9822} [wheezy] - libav 6:0.8.20-0+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-19 16:09:04 UTC (rev 48195) +++ data/dla-needed.txt 2017-01-19 17:44:54 UTC (rev 48196) @@ -42,10 +42,6 @@ libical NOTE: No known solution as of 2017-01-16. -- -libphp-swiftmailer (Markus Koschany) - NOTE: According to the release note this is a critial vulnerability so it - NOTE: should have high priority. --- libplist (Emilio Pozuelo) -- libxml-twig-perl ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48195 - data/CVE
Author: jmm Date: 2017-01-19 16:09:04 + (Thu, 19 Jan 2017) New Revision: 48195 Modified: data/CVE/list Log: seafile n/a new netbeans issue NFUs Modified: data/CVE/list === --- data/CVE/list 2017-01-19 13:34:31 UTC (rev 48194) +++ data/CVE/list 2017-01-19 16:09:04 UTC (rev 48195) @@ -25954,7 +25954,7 @@ CVE-2016-5619 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5618 (Unspecified vulnerability in the Oracle Data Integrator component in ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5617 REJECTED CVE-2016-5616 @@ -26001,17 +26001,17 @@ [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5604 (Unspecified vulnerability in the Enterprise Manager Base Platform ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5603 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking ...) TODO: check CVE-2016-5602 (Unspecified vulnerability in the Oracle Data Integrator component in ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5601 (Unspecified vulnerability in the Oracle WebLogic Server component in ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5600 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Services ...) TODO: check CVE-2016-5599 (Unspecified vulnerability in the Oracle Advanced Supply Chain Planning ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5598 (Unspecified vulnerability in the MySQL Connector component 2.1.3 and ...) - mysql-connector-python 2.1.5-1 (bug #841677) NOTE: https://blog.qualys.com/laws-of-vulnerabilities/2016/10/18/oracle-october-2016-critical-patch-update 
@@ -26024,30 +26024,30 @@ - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5596 (Unspecified vulnerability in the Oracle CRM Technical Foundation ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5595 (Unspecified vulnerability in the Oracle Customer Interaction History ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5594 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking ...) TODO: check CVE-2016-5593 (Unspecified vulnerability in the Oracle Customer Interaction History ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5592 (Unspecified vulnerability in the Oracle Customer Interaction History ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5591 (Unspecified vulnerability in the Oracle Customer Interaction History ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5590 RESERVED NOT-FOR-US: MySQL Enterprise Monitor CVE-2016-5589 (Unspecified vulnerability in the Oracle CRM Technical Foundation ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5588 (Unspecified vulnerability in the Oracle Outside In Technology ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5587 (Unspecified vulnerability in the Oracle Customer Interaction History ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5586 (Unspecified vulnerability in the Oracle Email Center component in ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5585 (Unspecified vulnerability in the Oracle Interaction Center ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5584 (Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 5.6.33 ...) {DSA-3711-1 DSA-3706-1 DLA-708-1} - mariadb-10.0 10.0.28-1 @@ -26056,7 +26056,7 @@ - mysql-5.5 (bug #841050) NOTE: Fixed in MariaDB 5.5.53, MariaDB 10.0.28 CVE-2016-5583 (Unspecified vulnerability in the Oracle One-to-One Fulfillment ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5582 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and ...) {DSA-3707-1 DLA-704-1} - openjdk-8 8u111-b14-1 
@@ -26066,21 +26066,21 @@ - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5581 (Unspecified vulnerability in the Oracle iRecruitment component in ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5580 (Unspecified vulnerability in the Secure Global Desktop component in ...) NOT-FOR-US: Secure Global Desktop CVE-2016-5579 (Unspecified vulnerability in the Oracle Outside In Technology ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5578 (Unspecified vulnerability in the Oracle Outside In Technology ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5577 (Unspecified vulnerability in the Oracle Outside In Technology ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5576 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local ...) NOT-FOR-US: Solaris CVE-2016-5575 (Unspecified vulnerability in the Oracle Common Applications Calendar ...) TODO: check
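Review bot: the pass converts most `TODO: check` entries for Oracle products to `NOT-FOR-US: Oracle`, but leaves CVE-2016-5603 and CVE-2016-5594 (Oracle FLEXCUBE Universal Banking), CVE-2016-5600 (PeopleSoft Enterprise SCM Services) and CVE-2016-5575 (Oracle Common Applications Calendar) as `TODO: check`, although CVE-2016-5619 in the same region is already `NOT-FOR-US: Oracle FLEXCUBE`. Unless those are deliberately held back for a closer look, they can be resolved the same way in one pass rather than left as stragglers.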
[Secure-testing-commits] Processing r48194 failed
The error message was:
data/CVE/list:80900: ITPed package seafile is in the archive
Makefile:22: recipe for target 'all' failed
make: *** [all] Error 1
[Secure-testing-commits] r48194 - data/CVE
Author: carnil Date: 2017-01-19 13:34:31 + (Thu, 19 Jan 2017) New Revision: 48194 Modified: data/CVE/list Log: Record moodle issues Modified: data/CVE/list === --- data/CVE/list 2017-01-19 12:24:30 UTC (rev 48193) +++ data/CVE/list 2017-01-19 13:34:31 UTC (rev 48194) @@ -24,8 +24,12 @@ - mapserver 7.0.4-1 NOTE: https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html NOTE: https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df -CVE-2017- [Moodle issues; invormation released on 16th of january] +CVE-2017-2578 - moodle 2.7.18+dfsg-1 + NOTE: https://moodle.org/mod/forum/discuss.php?d=345915 +CVE-2017-2576 + - moodle 2.7.18+dfsg-1 + NOTE: https://moodle.org/mod/forum/discuss.php?d=345912 CVE-2017-5521 (An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, ...) TODO: check CVE-2017-5520 (The media rename feature in GeniXCMS through 0.0.8 does not consider ...) @@ -7550,12 +7554,8 @@ RESERVED CVE-2017-2579 RESERVED -CVE-2017-2578 - RESERVED CVE-2017-2577 RESERVED -CVE-2017-2576 - RESERVED CVE-2017-2575 RESERVED CVE-2017-2574 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
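Review bot: in the -24 hunk the placeholder "CVE-2017- [Moodle issues; ...]" is split into CVE-2017-2578 and CVE-2017-2576, but neither new entry carries a bracketed short description, so until MITRE publishes the text the tracker shows two bare IDs with nothing but a forum URL each; keeping a one-line summary in brackets, the file's convention for unpublished issues (cf. "CVE-2017-5522 [stack buffer overflow]" further down this page), taken from the two linked discussions would preserve what the placeholder told the reader. The -7554 hunk correctly drops both IDs from the RESERVED block so they are not listed twice. The processing failure reported for this revision (seafile ITP at line 80900) points at a line far outside both hunks and appears to be a pre-existing state of the file rather than something these lines introduced.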
[Secure-testing-commits] r48193 - data/DLA
Author: hle Date: 2017-01-19 12:24:30 + (Thu, 19 Jan 2017) New Revision: 48193 Modified: data/DLA/list Log: Reserve DLA number 791-1 for libav. Modified: data/DLA/list === --- data/DLA/list 2017-01-19 12:21:44 UTC (rev 48192) +++ data/DLA/list 2017-01-19 12:24:30 UTC (rev 48193) @@ -1,3 +1,6 @@ +[19 Jan 2017] DLA-791-1 libav - security update + {CVE-2016-9819 CVE-2016-9820 CVE-2016-9821 CVE-2016-9822} + [wheezy] - libav 6:0.8.20-0+deb7u1 [19 Jan 2017] DLA-790-1 mapserver - security update {CVE-2017-5522} [wheezy] - mapserver 6.0.1-3.2+deb7u4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
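Review bot: the new DLA-791-1 entry references four CVEs ({CVE-2016-9819 CVE-2016-9820 CVE-2016-9821 CVE-2016-9822}) but the hunk only records the wheezy fixed version on the DLA side; each of those four entries in data/CVE/list needs a matching "[wheezy] - libav 6:0.8.20-0+deb7u1" line and the {DLA-791-1} tag (the automatic update in r48188 did this for DLA-790-1 on CVE-2017-5522) or the cross-check between the two files will not resolve and the DLA will show as covering issues the CVE list still lists as open in wheezy.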
[Secure-testing-commits] r48192 - data/CVE
Author: carnil Date: 2017-01-19 12:21:44 + (Thu, 19 Jan 2017) New Revision: 48192 Modified: data/CVE/list Log: Track fixes for CVE-2015-5303 and CVE-2015-5323 Note for reviewers: needs a peer review still, since fixed by a new upstream version. Modified: data/CVE/list === --- data/CVE/list 2017-01-19 12:19:32 UTC (rev 48191) +++ data/CVE/list 2017-01-19 12:21:44 UTC (rev 48192) @@ -53748,7 +53748,7 @@ NOTE: https://www.samba.org/samba/security/CVE-2015-5330.html NOTE: Samba update needs as well fixed ldb CVE-2015-5329 (The TripleO Heat templates (tripleo-heat-templates), as used in Red ...) - - tripleo-heat-templates (bug #851396) + - tripleo-heat-templates 5.2.0-1 (bug #851396) CVE-2015-5328 RESERVED CVE-2015-5327 [User triggerable out-of-bounds read] @@ -53873,7 +53873,7 @@ CVE-2015-5304 (Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does ...) NOT-FOR-US: Red Hat JBoss Enterprise Application Platform CVE-2015-5303 (The TripleO Heat templates (tripleo-heat-templates), when deployed via ...) - - tripleo-heat-templates (bug #851396) + - tripleo-heat-templates 5.2.0-1 (bug #851396) CVE-2015-5302 (libreport 2.0.7 before 2.6.3 only saves changes to the first file when ...) NOT-FOR-US: abrt/libreport CVE-2015-5301 (providers/saml2/admin.py in the Identity Provider (IdP) server in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
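Review bot: both hunks record 5.2.0-1 as the fixed version for CVE-2015-5329 and CVE-2015-5303 but cite only the Debian bug (#851396), and the commit message itself says the claim rests on a new upstream release rather than an identified fix; add a "NOTE:" line with the upstream commit or the tripleo-heat-templates release that closed each issue, the way the mapserver entry on this page points at its fixing commit, so the requested peer review can confirm 5.2.0 actually contains both fixes and not just a newer version number.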
[Secure-testing-commits] r48191 - data/CVE
Author: carnil Date: 2017-01-19 12:19:32 + (Thu, 19 Jan 2017) New Revision: 48191 Modified: data/CVE/list Log: Use standardized format Modified: data/CVE/list === --- data/CVE/list 2017-01-19 10:35:45 UTC (rev 48190) +++ data/CVE/list 2017-01-19 12:19:32 UTC (rev 48191) @@ -2,7 +2,7 @@ NOT-FOR-US: Plone CVE-2017- [weblate information leak] - weblate (bug #745661) - NOTE: CVE request: http://www.openwall.com/lists/oss-security/2017/01/18/11 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/18/11 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory consumption issue] - qemu - qemu-kvm ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48190 - data/CVE
Author: jmm Date: 2017-01-19 10:35:45 + (Thu, 19 Jan 2017) New Revision: 48190 Modified: data/CVE/list Log: new plone issue Modified: data/CVE/list === --- data/CVE/list 2017-01-19 09:37:24 UTC (rev 48189) +++ data/CVE/list 2017-01-19 10:35:45 UTC (rev 48190) @@ -1,3 +1,5 @@ +CVE-2017-5524 + NOT-FOR-US: Plone CVE-2017- [weblate information leak] - weblate (bug #745661) NOTE: CVE request: http://www.openwall.com/lists/oss-security/2017/01/18/11 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48189 - data/CVE
Author: jmm Date: 2017-01-19 09:37:24 + (Thu, 19 Jan 2017) New Revision: 48189 Modified: data/CVE/list Log: new weblate issue Modified: data/CVE/list === --- data/CVE/list 2017-01-19 09:10:13 UTC (rev 48188) +++ data/CVE/list 2017-01-19 09:37:24 UTC (rev 48189) @@ -1,3 +1,6 @@ +CVE-2017- [weblate information leak] + - weblate (bug #745661) + NOTE: CVE request: http://www.openwall.com/lists/oss-security/2017/01/18/11 CVE-2017-5526 [audio: memory leakage in es1370 device; CVE for the memory consumption issue] - qemu - qemu-kvm ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
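Review bot: the new line "- weblate (bug #745661)" has neither a version nor a status marker, so as written the tracker treats weblate as a packaged, open issue in unstable. If #745661 is an ITP rather than a bug against a packaged weblate, the line should carry the "<itp>" marker ("- weblate <itp> (bug #745661)"), unless that token was simply lost in this copy of the diff; the same pass should confirm the ITP has not since been uploaded, since an ITP-tracked package turning up in the archive is exactly what tripped the check on seafile in the r48194 run above.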
[Secure-testing-commits] r48188 - data/CVE
Author: sectracker Date: 2017-01-19 09:10:13 + (Thu, 19 Jan 2017) New Revision: 48188 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-01-19 08:55:24 UTC (rev 48187) +++ data/CVE/list 2017-01-19 09:10:13 UTC (rev 48188) @@ -15,6 +15,7 @@ RESERVED CVE-2017-5522 [stack buffer overflow] RESERVED + {DSA-3766-1 DLA-790-1} - mapserver 7.0.4-1 NOTE: https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html NOTE: https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48187 - data/CVE
Author: jmm Date: 2017-01-19 08:55:24 + (Thu, 19 Jan 2017) New Revision: 48187 Modified: data/CVE/list Log: NFUs (concludes external check) Modified: data/CVE/list === --- data/CVE/list 2017-01-19 08:29:44 UTC (rev 48186) +++ data/CVE/list 2017-01-19 08:55:24 UTC (rev 48187) @@ -16016,6 +16016,7 @@ NOTE: Needs an attacker to compromise a controlled server. CVE-2016-8627 RESERVED + NOT-FOR-US: Red Hat JBoss EAP CVE-2016-8626 [RGW Denial of Service by sending POST object with null conditions] RESERVED - ceph 10.2.5-1 (bug #844200) @@ -26083,7 +26084,7 @@ - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5572 (Unspecified vulnerability in the Kernel PDB component in Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5571 (Unspecified vulnerability in the Oracle Applications DBA component in ...) TODO: check CVE-2016-5570 (Unspecified vulnerability in the Oracle Applications DBA component in ...) @@ -26121,7 +26122,7 @@ - openjdk-7 (specific to Oracle Java) - openjdk-8 (specific to Oracle Java) CVE-2016- (Unspecified vulnerability in the OJVM component in Oracle Database ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5554 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and ...) {DSA-3707-1 DLA-704-1} - openjdk-8 8u111-b14-1 @@ -26234,7 +26235,7 @@ CVE-2016-5517 (Unspecified vulnerability in the Oracle Applications DBA component in ...) TODO: check CVE-2016-5516 (Unspecified vulnerability in the Kernel PDB component in Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5515 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) TODO: check CVE-2016-5514 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) 
@@ -26259,7 +26260,7 @@ CVE-2016-5506 (Unspecified vulnerability in the Oracle Identity Manager component in ...) TODO: check CVE-2016-5505 (Unspecified vulnerability in the RDBMS Programmable Interface ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5504 (Unspecified vulnerability in the Oracle Agile Product Lifecycle ...) TODO: check CVE-2016-5503 (Unspecified vulnerability in the Sun ZFS Storage Appliance Kit (AK) ...) @@ -26273,11 +26274,11 @@ CVE-2016-5500 (Unspecified vulnerability in the Oracle Discoverer component in Oracle ...) TODO: check CVE-2016-5499 (Unspecified vulnerability in the RDBMS Security component in Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5498 (Unspecified vulnerability in the RDBMS Security component in Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5497 (Unspecified vulnerability in the RDBMS Security component in Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5496 RESERVED CVE-2016-5495 (Unspecified vulnerability in the Oracle Discoverer component in Oracle ...) @@ -33029,7 +33030,7 @@ CVE-2016-3563 (Unspecified vulnerability in the Enterprise Manager Base Platform ...) TODO: check CVE-2016-3562 (Unspecified vulnerability in the RDBMS Security and SQL*Plus ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-3561 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) TODO: check CVE-2016-3560 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
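Review bot: the -26121 hunk changes the entry shown as "CVE-2016- (Unspecified vulnerability in the OJVM component in Oracle Database ...)"; the identifier is truncated in this copy, and if it really lacks its number in the file it should be completed from the Oracle advisory before being marked NOT-FOR-US, otherwise the entry can never be matched against MITRE's feed. Within the same commit the -16016 hunk uses the product-specific "NOT-FOR-US: Red Hat JBoss EAP", while the Oracle lines get the generic "NOT-FOR-US: Oracle"; naming the component (e.g. "NOT-FOR-US: Oracle Database RDBMS Security") would be consistent with that. Several Oracle Applications DBA, Agile PLM, Identity Manager and Discoverer entries visible in the context lines remain "TODO: check" although the log says this concludes the external check; if they are deliberately deferred, a short reason on the entry would save re-triage.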
[Secure-testing-commits] r48186 - in data: . DSA
Author: seb Date: 2017-01-19 08:29:44 + (Thu, 19 Jan 2017) New Revision: 48186 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA-3766-1 for mapserver (CVE-2017-5522) Modified: data/DSA/list === --- data/DSA/list 2017-01-19 08:28:40 UTC (rev 48185) +++ data/DSA/list 2017-01-19 08:29:44 UTC (rev 48186) @@ -1,3 +1,6 @@ +[19 Jan 2017] DSA-3766-1 mapserver - security update + {CVE-2017-5522} + [jessie] - mapserver 6.4.1-5+deb8u3 [15 Jan 2017] DSA-3743-2 python-bottle - regression update [jessie] - python-bottle 0.12.7-1+deb8u2 [14 Jan 2017] DSA-3765-1 icoutils - security update Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-19 08:28:40 UTC (rev 48185) +++ data/dsa-needed.txt 2017-01-19 08:29:44 UTC (rev 48186) @@ -28,9 +28,6 @@ linux wait until more issues have piled up -- -mapserver (seb) - Maintainer prepared update for CVE-2017-5522, ack'ed for upload --- mariadb-10.0 (carnil) -- mysql-5.5 (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48185 - data/CVE
Author: carnil Date: 2017-01-19 08:28:40 + (Thu, 19 Jan 2017) New Revision: 48185 Modified: data/CVE/list Log: Add CVE-2017-0386 information Modified: data/CVE/list === --- data/CVE/list 2017-01-19 07:08:24 UTC (rev 48184) +++ data/CVE/list 2017-01-19 08:28:40 UTC (rev 48185) @@ -12077,7 +12077,8 @@ CVE-2017-0387 (An elevation of privilege vulnerability in Mediaserver could enable a ...) TODO: check CVE-2017-0386 (An elevation of privilege vulnerability in the libnl library could ...) - TODO: check + - libnl3 (Specific to Android's use of libnl) + NOTE: https://github.com/thom311/libnl/issues/124 CVE-2017-0385 (An elevation of privilege vulnerability in Audioserver could enable a ...) TODO: check CVE-2017-0384 (An elevation of privilege vulnerability in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
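Review bot: "- libnl3 (Specific to Android's use of libnl)" has neither a fixed version nor a status marker, so unless a "<not-affected>" token was dropped from this copy of the diff the tracker will list libnl3 as open for CVE-2017-0386 in every suite, which contradicts the parenthesised reason; the line should read "- libnl3 <not-affected> (Specific to Android's use of libnl)". The upstream issue link is the right supporting reference; a short note saying which part of the fix is Android-only would spare the next triager re-reading issue 124 to re-derive the conclusion.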