[Secure-testing-commits] r48465 - data/CVE
Author: fgeek-guest Date: 2017-01-28 07:34:30 + (Sat, 28 Jan 2017) New Revision: 48465 Modified: data/CVE/list Log: use after free in libmysqlclient.so Modified: data/CVE/list === --- data/CVE/list 2017-01-28 06:42:24 UTC (rev 48464) +++ data/CVE/list 2017-01-28 07:34:30 UTC (rev 48465) @@ -1,3 +1,6 @@ +CVE-2017- [use after free in libmysqlclient.so] + NOTE: http://www.openwall.com/lists/oss-security/2017/01/28/1 + TODO: check CVE-2017- [s-nail local root privilege escalation] - s-nail NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/27/7 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
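Review bot: the new `CVE-2017- [use after free in libmysqlclient.so]` entry carries a NOTE and `TODO: check` but no `- <package>` line, unlike the s-nail entry directly below it in the same hunk (`- s-nail`); once the affected source package(s) are confirmed, add them so the tracker can associate the issue with a package instead of leaving it as a free-floating TODO.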
[Secure-testing-commits] r48464 - data
Author: pabs Date: 2017-01-28 06:42:24 + (Sat, 28 Jan 2017) New Revision: 48464 Modified: data/embedded-code-copies Log: More boost versions that have unicode-data copies Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-01-27 21:41:19 UTC (rev 48463) +++ data/embedded-code-copies 2017-01-28 06:42:24 UTC (rev 48464) @@ -1707,6 +1707,8 @@ - boost1.58 (embed; bug #823582) - boost1.60 (embed; bug #823585) - boost1.61 (embed; bug #834560) + - boost1.62 (embed; bug #852764) + - boost1.63 (embed; bug #852763) feedparser - rawdog 2.19-1 (embed; bug #383422)
[Secure-testing-commits] r48463 - data/CVE
Author: opal Date: 2017-01-27 21:41:19 + (Fri, 27 Jan 2017) New Revision: 48463 Modified: data/CVE/list Log: Marked tiff issue as not reproducible as the previous fix was not necessary. Modified: data/CVE/list === --- data/CVE/list 2017-01-27 21:35:17 UTC (rev 48462) +++ data/CVE/list 2017-01-27 21:41:19 UTC (rev 48463) @@ -7208,6 +7208,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2014/11/03/5 CVE-2016- [heap-based buffer overflow in TIFFFillStrip (tif_read.c)] - tiff 4.0.7-2 (bug #846837) + [wheezy] - tiff3 (Unreproducible) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608 NOTE: https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 CVE-2016- [tiffcrop: divide-by-zero in readSeparateStripsIntoBuffer when BitsPerSample is missing]
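Review bot: the added `[wheezy] - tiff3 (Unreproducible)` line records the conclusion but not how it was reached, while the log says the earlier fix turned out to be unnecessary; a NOTE stating which tiff3 version or reproducer was tried would let a later triager re-check without repeating the work, since the only references on the entry are the upstream bug and the fixing commit.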
[Secure-testing-commits] r48462 - data
Author: opal Date: 2017-01-27 21:35:17 + (Fri, 27 Jan 2017) New Revision: 48462 Modified: data/dla-needed.txt Log: Removed php-gettext as both CVEs were marked as no-dsa. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-27 21:22:07 UTC (rev 48461) +++ data/dla-needed.txt 2017-01-27 21:35:17 UTC (rev 48462) @@ -76,8 +76,6 @@ NOTE: jessie is marked as the issue is minor enough to wait NOTE: for the next round of updates (last check: 2017-01-16) -- -php-gettext (Ola Lundqvist) --- php5 (Roberto C. Sánchez) Next upload: ASAP (we're behind jessie) WIP in git: git clone git.debian.org:/git/collab-maint/debian-lts/php5.git -b debian/wheezy
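Review bot: the log says both CVEs were marked no-dsa, but neither CVE id appears in the message or the hunk, which only removes `-php-gettext (Ola Lundqvist)` and its `--` separator; naming the two ids in the log would let the removal be cross-checked against the CVE/list changes (r48461 on this page shows only CVE-2015-8980 being marked `(Minor issue)` for wheezy).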
[Secure-testing-commits] r48461 - data/CVE
Author: opal Date: 2017-01-27 21:22:07 + (Fri, 27 Jan 2017) New Revision: 48461 Modified: data/CVE/list Log: Marking CVE-2015-8980 as no-dsa following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-27 21:21:08 UTC (rev 48460) +++ data/CVE/list 2017-01-27 21:22:07 UTC (rev 48461) @@ -4851,6 +4851,7 @@ RESERVED - php-gettext (bug #851770) [jessie] - php-gettext (Minor issue) + [wheezy] - php-gettext (Minor issue) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: For phpmyadmin, unimportant, since embeds lib but does not use in exploitable way NOTE: http://seclists.org/fulldisclosure/2016/Aug/76
[Secure-testing-commits] r48460 - data/CVE
Author: carnil Date: 2017-01-27 21:21:08 + (Fri, 27 Jan 2017) New Revision: 48460 Modified: data/CVE/list Log: Add s-nail issue Modified: data/CVE/list === --- data/CVE/list 2017-01-27 21:10:15 UTC (rev 48459) +++ data/CVE/list 2017-01-27 21:21:08 UTC (rev 48460) @@ -1,3 +1,6 @@ +CVE-2017- [s-nail local root privilege escalation] + - s-nail + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/27/7 CVE-2017-5600 RESERVED CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...)
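Review bot: the new entry's package line is a bare `- s-nail` with no `(bug #NNNNNN)` reference, unlike most package lines in this file (for example `- quagga (bug #852454)` in r48458 on this page); if a Debian bug is filed for the local root escalation, add its number so the maintainer's side of the fix is tracked alongside the CVE request.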
[Secure-testing-commits] r48459 - data/CVE
Author: sectracker Date: 2017-01-27 21:10:15 + (Fri, 27 Jan 2017) New Revision: 48459 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-01-27 20:54:49 UTC (rev 48458) +++ data/CVE/list 2017-01-27 21:10:15 UTC (rev 48459) @@ -1,3 +1,9 @@ +CVE-2017-5600 + RESERVED +CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) + TODO: check +CVE-2017-5598 (An issue was discovered in eClinicalWorks healow@work 8.0 build 8. This ...) + TODO: check CVE-2017- [XSS in the posts list table] - wordpress (bug #852767) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/27/2 @@ -987,10 +993,10 @@ NOTE: The issue is only present from 1.14 onwards, and prior to 1.14.1 since upstream NOTE: changed a malloc'ed buffer for a static one. NOTE: https://lists.gnu.org/archive/html/bug-ed/2017-01/msg1.html -CVE-2017-5329 - RESERVED -CVE-2017-5328 - RESERVED +CVE-2017-5329 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows local ...) + TODO: check +CVE-2017-5328 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows ...) + TODO: check CVE-2017-5327 RESERVED CVE-2017-5326 @@ -4540,14 +4546,12 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/7 NOTE: When fixing this issue make sure to apply the complete correct fix to NOTE: not open ikiwiki to be vulnerable for CVE-2016-9645. -CVE-2016-10025 [x86: missing NULL pointer check in VMFUNC emulation] - RESERVED +CVE-2016-10025 (VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD ...) - xen 4.8.0-1 [jessie] - xen (Vulnerable code introduced later) [wheezy] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-203.html -CVE-2016-10024 [x86 PV guests may be able to mask interrupts] - RESERVED +CVE-2016-10024 (Xen through 4.8.x allows local x86 PV guest OS kernel administrators ...) {DLA-783-1} - xen 4.8.0-1 NOTE: https://xenbits.xen.org/xsa/advisory-202.html 
@@ -4691,6 +4695,7 @@ NOTE: https://www.openssl.org/news/secadv/20170126.txt CVE-2017-3731 RESERVED + {DSA-3773-1} - openssl 1.1.0d-1 - openssl1.0 1.0.2k-1 NOTE: https://www.openssl.org/news/secadv/20170126.txt @@ -4803,8 +4808,7 @@ RESERVED CVE-2016-1 RESERVED -CVE-2016-10013 [x86: Mishandling of SYSCALL singlestep during emulation] - RESERVED +CVE-2016-10013 (Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain ...) {DLA-783-1} - xen 4.8.0-1 (bug #848713) NOTE: https://xenbits.xen.org/xsa/advisory-204.html @@ -4856,8 +4860,7 @@ NOTE: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php NOTE: Fixed by: https://github.com/commontk/DCMTK/commit/1b6bb76 NOTE: http://www.openwall.com/lists/oss-security/2016/12/17/2 -CVE-2016-10003 [Issue #2, cookie headers and other client-specific private infformation leak] - RESERVED +CVE-2016-10003 (Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 ...) - squid3 3.5.23-1 (bug #848491) [jessie] - squid3 (Does not affect Squid versions before 3.5.0.1) [wheezy] - squid3 (Does not affect Squid versions before 3.5.0.1) @@ -4871,8 +4874,7 @@ NOTE: 3.5.0.1 up to and including 3.5.22 NOTE: 4.0.1 up to and including 4.0.16 NOTE: http://www.openwall.com/lists/oss-security/2016/12/17/1 -CVE-2016-10002 [Issue #1, cookie headers and other client-specific private infformation leak] - RESERVED +CVE-2016-10002 (Incorrect processing of responses to If-None-Modified HTTP conditional ...) {DSA-3745-1 DLA-763-1} - squid3 3.5.23-1 (bug #848493) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_11.txt @@ -4992,8 +4994,7 @@ {DSA-3748-1 DLA-766-1} - libcrypto++ 5.6.4-5 (bug #848009) NOTE: https://github.com/weidai11/cryptopp/issues/346 -CVE-2016-9932 [x86 CMPXCHG8B emulation fails to ignore operand size override] - RESERVED +CVE-2016-9932 (CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows ...) - xen 4.8.0~rc3-1 (bug #848081) NOTE: https://xenbits.xen.org/xsa/advisory-200.html CVE-2016-9931 
@@ -5763,334 +5764,299 @@ RESERVED CVE-2017-3444 RESERVED -CVE-2017-3443 - RESERVED +CVE-2017-3443 (Vulnerability in the Oracle Common Applications component of Oracle ...) NOT-FOR-US: Oracle -CVE-2017-3442 - RESERVED -CVE-2017-3441 - RESERVED -CVE-2017-3440 - RESERVED +CVE-2017-3442 (Vulnerability in the Oracle Customer Interaction History component of ...) + TODO: check +CVE-2017-3441 (Vulnerability in
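Review bot: in the hunks from `@@ -4540,14 +4546,12 @@` onwards the automatic update replaces hand-written summaries such as `-CVE-2016-10025 [x86: missing NULL pointer check in VMFUNC emulation]` with the truncated MITRE description and the local summary is lost; for the Xen entries the XSA links in the NOTE lines still point at the detail, but for the Squid entries the removed `[Issue #2, ...]` and `[Issue #1, ...]` text was the only thing tying CVE-2016-10003 and CVE-2016-10002 to their numbered issues in the SQUID-2016_11 advisory referenced in the NOTE, so a NOTE preserving that mapping would help anyone triaging the squid3 lines later.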
[Secure-testing-commits] r48458 - data/CVE
Author: carnil Date: 2017-01-27 20:54:49 + (Fri, 27 Jan 2017) New Revision: 48458 Modified: data/CVE/list Log: Add fixing version for CVE-2017-5495/quagga Modified: data/CVE/list === --- data/CVE/list 2017-01-27 20:44:46 UTC (rev 48457) +++ data/CVE/list 2017-01-27 20:54:49 UTC (rev 48458) @@ -421,7 +421,7 @@ CVE-2017-5496 RESERVED CVE-2017-5495 (All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an ...) - - quagga (bug #852454) + - quagga 1.1.1-1 (bug #852454) [jessie] - quagga (Minor issue) [wheezy] - quagga (Minor issue) NOTE: http://savannah.nongnu.org/forum/forum.php?forum_id=8783
[Secure-testing-commits] r48457 - data/CVE
Author: carnil Date: 2017-01-27 20:44:46 + (Fri, 27 Jan 2017) New Revision: 48457 Modified: data/CVE/list Log: Record fixed version for linux in unstable Modified: data/CVE/list === --- data/CVE/list 2017-01-27 20:23:26 UTC (rev 48456) +++ data/CVE/list 2017-01-27 20:44:46 UTC (rev 48457) @@ -123,14 +123,14 @@ TODO: check affected versions CVE-2017-5577 [drm/vc4: Return -EINVAL on the overflow checks failing] RESERVED - - linux + - linux 4.9.6-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://lkml.org/lkml/2017/1/17/759 NOTE: Introduced by: https://github.com/torvalds/linux/commit/d5b1a78a772f1e31a94f8babfa964152ec5e9aa5 (4.5-rc1) CVE-2017-5576 [drm/vc4: Fix an integer overflow in temporary allocation layout] RESERVED - - linux + - linux 4.9.6-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://lkml.org/lkml/2017/1/17/761 @@ -286,7 +286,7 @@ NOTE: Fixed by: https://git.kernel.org/linus/06deeec77a5a689cc94b21a8a91a76e42176685d (v4.10-rc1) CVE-2016-10153 [libceph: introduce ceph_crypt() for in-place en/decryption] RESERVED - - linux + - linux 4.9.6-1 [jessie] - linux (Introduced in 4.9 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/a45f795c65b479b4ba107b6ccde29b896d51ee98 (v4.10-rc1) 
@@ -329,31 +329,31 @@ NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=33243031dad02d161225ba99d782616da133f689 CVE-2017-5551 [sgid bit not cleared on tmpfs] RESERVED - - linux + - linux 4.9.6-1 NOTE: Fixed by: https://git.kernel.org/linus/497de07d89c1410d76a15bec2bb41f24a2a89f31 (4.10-rc4) CVE-2017-5550 [fix a fencepost error in pipe_advance()] RESERVED - - linux + - linux 4.9.6-1 NOTE: Fixed by: https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb (4.10-rc4) CVE-2017-5549 [USB: serial: kl5kusb105: fix line-state error handling] RESERVED - - linux + - linux 4.9.6-1 NOTE: Fixed by: https://git.kernel.org/linus/146cc8a17a3b4996f6805ee5c080e7101277c410 (4.10-rc4) CVE-2017-5548 [ieee802154: atusb: do not use the stack for buffers to make them DMA able] RESERVED - - linux + - linux 4.9.6-1 [jessie] - linux (Introduced in 4.9 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 CVE-2017-5547 [HID: corsair: fix DMA buffers on stack] RESERVED - - linux + - linux 4.9.6-1 [jessie] - linux (Vulnerable code introduced in v4.4-rc1) [wheezy] - linux (Vulnerable code introduced in v4.4-rc1) NOTE: Fixed by: https://git.kernel.org/linus/6d104af38b570d37aa32a5803b04c354f8ed513d CVE-2017-5546 [mm/slab.c: fix SLAB freelist randomization duplicate entries] RESERVED - - linux + - linux 4.9.6-1 [jessie] - linux (freelist randomisation introduced in 4.7) [wheezy] - linux (freelist randomisation introduced in 4.7) NOTE: Fixed by: https://git.kernel.org/linus/c4e490cf148e85ead0d1b1c2caaba833f1d5b29f (v4.10-rc4) 
@@ -8107,13 +8107,13 @@ CVE-2017-2585 RESERVED CVE-2017-2584 (arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local ...) - - linux + - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.6-rc1) NOTE: Upstream patch: https://www.spinics.net/lists/kvm/msg143571.html NOTE: Fixed by: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d CVE-2017-2583 RESERVED - - linux + - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.6-rc1) NOTE: Fixed by: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3 CVE-2017-2582 @@ -14807,7 +14807,7 @@ NOTE: https://git.enlightenment.org/apps/terminology.git/commit/?id=b80bedc7c21ecffe99d8d142930db696eebdd6a5 NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/12 CVE-2016-9191 (The cgroup offline implementation in the Linux kernel through 4.8.11 ...) - - linux + - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.11-rc1) NOTE: Fixed by: https://git.kernel.org/linus/93362fa47fe98b62e4a34ab408c4a418432e7939 (v4.10-rc4) NOTE: Introduced by: https://git.kernel.org/linus/f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa (v3.11-rc1) @@ -17241,7 +17241,7 @@ CVE-2016-8406 (An information
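Review bot: in the `@@ -329,31 +329,31 @@` hunk the CVE-2017-5551, CVE-2017-5550 and CVE-2017-5549 entries receive `- linux 4.9.6-1` but, unlike their neighbours, carry no `[jessie]`/`[wheezy]` status lines, so both stable releases stay tracked as affected; if that is intentional pending LTS triage it is fine, otherwise add the status together with the introducing version as was done for CVE-2017-5547 (`Vulnerable code introduced in v4.4-rc1`).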
[Secure-testing-commits] r48456 - data
Author: rbalint Date: 2017-01-27 20:23:26 + (Fri, 27 Jan 2017) New Revision: 48456 Modified: data/dla-needed.txt Log: claim libgd2 for DLA Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-27 19:47:00 UTC (rev 48455) +++ data/dla-needed.txt 2017-01-27 20:23:26 UTC (rev 48456) @@ -50,7 +50,7 @@ NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) -- -libgd2 +libgd2 (Balint Reczey) -- libical NOTE: No known solution as of 2017-01-16.
[Secure-testing-commits] r48455 - in data: . DSA
Author: jmm Date: 2017-01-27 19:47:00 + (Fri, 27 Jan 2017) New Revision: 48455 Modified: data/DSA/list data/dsa-needed.txt Log: openssl DSA Modified: data/DSA/list === --- data/DSA/list 2017-01-27 18:54:04 UTC (rev 48454) +++ data/DSA/list 2017-01-27 19:47:00 UTC (rev 48455) @@ -1,3 +1,6 @@ +[27 Jan 2017] DSA-3773-1 openssl - security update + {CVE-2016-7056 CVE-2016-8610 CVE-2017-3731} + [jessie] - openssl 1.0.1t-1+deb8u6 [26 Jan 2017] DSA-3772-1 libxpm - security update {CVE-2016-10164} [jessie] - libxpm 1:3.5.12-0+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-27 18:54:04 UTC (rev 48454) +++ data/dsa-needed.txt 2017-01-27 19:47:00 UTC (rev 48455) @@ -36,8 +36,6 @@ -- openjdk-7 (jmm) -- -openssl (jmm) --- php5 -- phpmyadmin
[Secure-testing-commits] r48454 - data/CVE
Author: agx Date: 2017-01-27 18:54:04 + (Fri, 27 Jan 2017) New Revision: 48454 Modified: data/CVE/list Log: lts: CVE-2017-5509 does not affect wheezy since it correctly uses next_image in the calculation Modified: data/CVE/list === --- data/CVE/list 2017-01-27 18:02:51 UTC (rev 48453) +++ data/CVE/list 2017-01-27 18:54:04 UTC (rev 48454) @@ -874,6 +874,7 @@ CVE-2017-5509 [out of bound in psd file handling] RESERVED - imagemagick 8:6.9.7.4+dfsg-1 (bug #851377) + [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/350 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5510 [memory corruption heap overflow, psb file related, another one]
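Review bot: the reasoning in the log (wheezy's code already uses `next_image` in the calculation) is not recorded in the entry itself, which only gains `[wheezy] - imagemagick (Vulnerable code not present)`; put that reasoning in a NOTE line next to the existing issue link so a later triager can see why wheezy was excluded without digging through the svn history.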
[Secure-testing-commits] r48453 - data/CVE
Author: agx Date: 2017-01-27 18:02:51 + (Fri, 27 Jan 2017) New Revision: 48453 Modified: data/CVE/list Log: lts: add commit for CVE-2017-5508 Modified: data/CVE/list === --- data/CVE/list 2017-01-27 15:17:17 UTC (rev 48452) +++ data/CVE/list 2017-01-27 18:02:51 UTC (rev 48453) @@ -860,6 +860,7 @@ - imagemagick 8:6.9.7.4+dfsg-1 (bug #851381) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=31161 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/379e21cd32483df6e128147af3bc4ce1f82eb9c4 CVE-2016-10146 [memory leak in caption and label handling] RESERVED - imagemagick 8:6.9.7.0+dfsg-2 (bug #851380)
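Review bot: the added NOTE gives the fixing commit URL bare, whereas other entries in this file label the fix reference (`NOTE: Fixed by: https://...`, as in the linux entries of r48457 on this page); use the `Fixed by:` prefix so the purpose of the link is clear. While touching this entry, the existing context line `viewtopic.php?f=3=31161` looks like a mangled query string (two `=` with no parameter name between them) and is worth correcting.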
[Secure-testing-commits] r48452 - data/CVE
Author: carnil Date: 2017-01-27 15:17:17 + (Fri, 27 Jan 2017) New Revision: 48452 Modified: data/CVE/list Log: CVE-2016-9191: For completeness from kernel-sec reference introducing commit Modified: data/CVE/list === --- data/CVE/list 2017-01-27 13:35:07 UTC (rev 48451) +++ data/CVE/list 2017-01-27 15:17:17 UTC (rev 48452) @@ -14808,6 +14808,7 @@ - linux [wheezy] - linux (Vulnerable code introduced in 3.11-rc1) NOTE: Fixed by: https://git.kernel.org/linus/93362fa47fe98b62e4a34ab408c4a418432e7939 (v4.10-rc4) + NOTE: Introduced by: https://git.kernel.org/linus/f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa (v3.11-rc1) CVE-2016-9190 (Pillow before 3.3.2 allows context-dependent attackers to execute ...) {DSA-3710-1 DLA-705-1} - pillow 3.4.2-1
[Secure-testing-commits] r48451 - data/CVE
Author: fgeek-guest Date: 2017-01-27 13:35:07 + (Fri, 27 Jan 2017) New Revision: 48451 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-27 13:33:59 UTC (rev 48450) +++ data/CVE/list 2017-01-27 13:35:07 UTC (rev 48451) @@ -42680,19 +42680,20 @@ CVE-2016-0896 (Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x ...) TODO: check CVE-2016-0895 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote attackers ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0894 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0893 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0892 (Cross-site scripting (XSS) vulnerability in EMC RSA Data Loss ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0891 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) NOT-FOR-US: EMC ViPR SRM CVE-2016-0890 RESERVED + NOT-FOR-US: EMC CVE-2016-0889 (An HTTP servlet in vApp Manager in EMC Unisphere for VMAX Virtual ...) - TODO: check + NOT-FOR-US: EMC CVE-2016-0888 (EMC Documentum D2 before 4.6 lacks intended ACLs for configuration ...) NOT-FOR-US: EMC Documentum D2 CVE-2016-0887 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, ...)
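Review bot: the new `NOT-FOR-US: EMC` lines are less specific than the neighbouring ones (`NOT-FOR-US: EMC ViPR SRM`, `NOT-FOR-US: EMC Documentum D2`) even though the descriptions name the product (EMC RSA Data Loss Prevention for CVE-2016-0895 to CVE-2016-0892, EMC Unisphere for VMAX for CVE-2016-0889); and CVE-2016-0890 is still `RESERVED`, so its NOT-FOR-US marking rests on the neighbouring ids rather than a published description. Suggest naming the product in each line and adding a NOTE with the source that shows the reserved id belongs to EMC.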
[Secure-testing-commits] r48450 - data/CVE
Author: fgeek-guest Date: 2017-01-27 13:33:59 + (Fri, 27 Jan 2017) New Revision: 48450 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-27 11:26:50 UTC (rev 48449) +++ data/CVE/list 2017-01-27 13:33:59 UTC (rev 48450) @@ -4694,7 +4694,7 @@ NOTE: https://www.openssl.org/news/secadv/20170126.txt NOTE: Fix for 1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51d009043670a627d6abe66894126851cf3690e9 NOTE: Fix for 1.1.0: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f3a7e57c92b2c9b87dc4b2997f2ebda6781300d0 - NOTE:and https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=00d965474b22b54e4275232bc71ee0c699c5cd21 + NOTE: and https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=00d965474b22b54e4275232bc71ee0c699c5cd21 CVE-2017-3730 RESERVED - openssl 1.1.0d-1 @@ -17873,6 +17873,7 @@ RESERVED CVE-2016-8216 RESERVED + NOT-FOR-US: EMC CVE-2016-8215 (EMC RSA Security Analytics 10.5.3 and 10.6.2 contains fixes for a ...) NOT-FOR-US: RSA Security Analytics CVE-2016-8214 (EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions ...) @@ -22807,8 +22808,10 @@ RESERVED CVE-2016-6649 RESERVED + NOT-FOR-US: EMC CVE-2016-6648 RESERVED + NOT-FOR-US: EMC CVE-2016-6647 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 4.0.1 ...) NOT-FOR-US: EMC CVE-2016-6646 (The vApp Managers web application in EMC Unisphere for VMAX Virtual ...) @@ -42629,6 +42632,7 @@ NOT-FOR-US: EMC Avamar CVE-2016-0919 RESERVED + NOT-FOR-US: RSA Web Threat Detection CVE-2016-0918 (EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x ...) NOT-FOR-US: EMC RSA Identity Governance and Lifecycle CVE-2016-0917 (The SMB service in EMC VNXe (VNXe3200 Operating Environment prior to ...)
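Review bot: CVE-2016-8216, CVE-2016-6649, CVE-2016-6648 and CVE-2016-0919 are all still `RESERVED` in these hunks, so their `NOT-FOR-US` marking is inferred from neighbouring ids rather than from a published description, and CVE-2016-0919 even gets the specific `RSA Web Threat Detection` with nothing in the entry showing where that came from; a NOTE with the source would make the triage verifiable. The `NOTE:and` to `NOTE: and` correction in the first hunk restores the `NOTE: ` prefix the rest of the file uses.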
[Secure-testing-commits] r48449 - data/DLA
Author: apo Date: 2017-01-27 11:26:50 + (Fri, 27 Jan 2017) New Revision: 48449 Modified: data/DLA/list Log: Reserve DLA-781-2 for asterisk Modified: data/DLA/list === --- data/DLA/list 2017-01-27 11:22:58 UTC (rev 48448) +++ data/DLA/list 2017-01-27 11:26:50 UTC (rev 48449) @@ -1,3 +1,5 @@ +[27 Jan 2017] DLA-781-2 asterisk - regression update + [wheezy] - asterisk 1:1.8.13.1~dfsg1-3+deb7u6 [26 Jan 2017] DLA-803-1 lcms2 - security update {CVE-2016-10165} [wheezy] - lcms2 2.2+git20110628-2.2+deb7u2
[Secure-testing-commits] r48448 - data/CVE
Author: hertzog Date: 2017-01-27 11:22:58 + (Fri, 27 Jan 2017) New Revision: 48448 Modified: data/CVE/list Log: Add links to upstream tickets for CVE-2016-5824 and CVE-2016-9584 Modified: data/CVE/list === --- data/CVE/list 2017-01-27 10:59:53 UTC (rev 48447) +++ data/CVE/list 2017-01-27 11:22:58 UTC (rev 48448) @@ -13154,6 +13154,7 @@ CVE-2016-9584 (libical allows remote attackers to cause a denial of service ...) - libical (bug #852034) NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/5 + NOTE: Upstream ticket: https://github.com/libical/libical/issues/253 CVE-2016-9583 [Out of bounds heap read in jpc_pi_nextpcrl()] RESERVED - jasper (unimportant) @@ -26084,6 +26085,7 @@ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 NOTE: Reproducer: https://bugzilla.mozilla.org/attachment.cgi?id=8757553 NOTE: Upstream ticket: https://github.com/libical/libical/issues/286 + NOTE: Upstream ticket: https://github.com/libical/libical/issues/251 CVE-2016-5823 [Libical attempting free on address which was not malloc()-ed] RESERVED - libical 1.0-1
[Secure-testing-commits] r48447 - data/CVE
Author: jmm Date: 2017-01-27 10:59:53 + (Fri, 27 Jan 2017) New Revision: 48447 Modified: data/CVE/list Log: openssl updates Modified: data/CVE/list === --- data/CVE/list 2017-01-27 10:13:50 UTC (rev 48446) +++ data/CVE/list 2017-01-27 10:59:53 UTC (rev 48447) @@ -4692,6 +4692,9 @@ - openssl 1.1.0d-1 - openssl1.0 1.0.2k-1 NOTE: https://www.openssl.org/news/secadv/20170126.txt + NOTE: Fix for 1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51d009043670a627d6abe66894126851cf3690e9 + NOTE: Fix for 1.1.0: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f3a7e57c92b2c9b87dc4b2997f2ebda6781300d0 + NOTE:and https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=00d965474b22b54e4275232bc71ee0c699c5cd21 CVE-2017-3730 RESERVED - openssl 1.1.0d-1 @@ -16683,7 +16686,6 @@ CVE-2016-8610 [SSL/TLS SSL3_AL_WARNING undefined alert DoS] RESERVED - openssl 1.0.2j-1 - [jessie] - openssl (Can be fixed along with the next round of openssl vulnerabilities) NOTE: http://www.openwall.com/lists/oss-security/2016/10/24/3 NOTE: Fixed by: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384743 mentions countermeasures in gnutls @@ -21680,7 +21682,6 @@ CVE-2016-7056 [ECDSA P-256 timing attack key recovery] RESERVED - openssl 1.0.2a-1 - [jessie] - openssl (Can be fixed along with the next round of openssl vulnerabilities) - openssl1.0 (Fixed before initial upload to Debian) NOTE: https://eprint.iacr.org/2016/1195.pdf NOTE: Fixed by: https://git.openssl.org/?p=openssl.git;a=commit;h=f54be179aa4cbbd944728771d7d59ed588158a12
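Review bot: the third added line in the `@@ -4692,6 +4692,9 @@` hunk reads `NOTE:and https://...` with no space after the colon, while every other NOTE line in the file is `NOTE: ...`; it should be `NOTE: and` (r48450 on this page fixes exactly this). Removing the two `[jessie] - openssl (Can be fixed along with the next round of openssl vulnerabilities)` lines for CVE-2016-8610 and CVE-2016-7056 is consistent with openssl being taken in dsa-needed.txt in r48446, so those ids will now be tracked as plain affected for jessie until the DSA entry lands.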
[Secure-testing-commits] r48446 - data
Author: jmm Date: 2017-01-27 10:13:50 + (Fri, 27 Jan 2017) New Revision: 48446 Modified: data/dsa-needed.txt Log: add and take openssl Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-27 06:58:48 UTC (rev 48445) +++ data/dsa-needed.txt 2017-01-27 10:13:50 UTC (rev 48446) @@ -36,6 +36,8 @@ -- openjdk-7 (jmm) -- +openssl (jmm) +-- php5 -- phpmyadmin