[Secure-testing-commits] r48596 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 07:46:57 +0000 (Tue, 31 Jan 2017)
New Revision: 48596

Modified:
   data/CVE/list
Log:
Add upstream patchset for CVE-2016-9602

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 07:43:38 UTC (rev 48595)
+++ data/CVE/list   2017-01-31 07:46:57 UTC (rev 48596)
@@ -13305,6 +13305,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1413929
NOTE: The original proposed patch does not fix the issue, cf.
NOTE: http://www.openwall.com/lists/oss-security/2017/01/17/14
+   NOTE: Upstream patchset: 
https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html
 CVE-2016-9601 [Heap-buffer overflow due to Integer overflow in jbig2_image_new 
function]
RESERVED
- jbig2dec 0.13-4 (bug #850497)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r48595 - in data: . DLA

2017-01-30 Thread Chris Lamb
Author: lamby
Date: 2017-01-31 07:43:38 +0000 (Tue, 31 Jan 2017)
New Revision: 48595

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve 3.0.4-3+wheezy5+deb7u1 for libarchive.

Modified: data/DLA/list
===
--- data/DLA/list   2017-01-31 07:43:31 UTC (rev 48594)
+++ data/DLA/list   2017-01-31 07:43:38 UTC (rev 48595)
@@ -1,3 +1,6 @@
+[31 Jan 2017] DLA-810-1 libarchive - security update
+   {CVE-2017-5601}
+   [wheezy] - libarchive 3.0.4-3+wheezy5+deb7u1
 [30 Jan 2017] DLA-809-1 tcpdump - security update
{CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 
CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 
CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 
CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 
CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 
CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 
CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 
CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 
CVE-2017-5486}
[wheezy] - tcpdump 4.9.0-1~deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-31 07:43:31 UTC (rev 48594)
+++ data/dla-needed.txt 2017-01-31 07:43:38 UTC (rev 48595)
@@ -53,8 +53,6 @@
 --
 kgb-bot
 --
-libarchive (Chris Lamb)
---
 libav (Hugo Lefeuvre)
   NOTE: Upstream should provide new point-releases fixing open security issues 
in the next months.
   NOTE: Lots of CVEs are open, this is going to take some time. (See 
debian-lts ML)


[Secure-testing-commits] r48594 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 07:43:31 +0000 (Tue, 31 Jan 2017)
New Revision: 48594

Modified:
   data/CVE/list
Log:
Add bug reference for not yet fixed bitlbee issue in unstable, #853282

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 07:38:08 UTC (rev 48593)
+++ data/CVE/list   2017-01-31 07:43:31 UTC (rev 48594)
@@ -139,7 +139,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1417559
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/2
 CVE-2017- [Incomplete fix for "Null pointer dereference with file transfer 
request from unknown contacts"]
-   - bitlbee 
+   - bitlbee  (bug #853282)
NOTE: https://bugs.bitlbee.org/ticket/1282
NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441
 (3.5.1)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/4


[Secure-testing-commits] r48593 - data

2017-01-30 Thread Chris Lamb
Author: lamby
Date: 2017-01-31 07:38:08 +0000 (Tue, 31 Jan 2017)
New Revision: 48593

Modified:
   data/dla-needed.txt
Log:
Correct ordering in dla-needed.txt

Signed-off-by: Chris Lamb 

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-31 07:38:04 UTC (rev 48592)
+++ data/dla-needed.txt 2017-01-31 07:38:08 UTC (rev 48593)
@@ -16,13 +16,13 @@
 --
 bitlbee
 --
-cgiemail
---
 calibre
   NOTE: We will need to investigate the issue much further.
   NOTE: In particular, it seems likely that there are more undocumented but
   NOTE: public security issues in Calibre. See for example bug #853004.
 --
+cgiemail
+--
 glassfish (Balint Reczey)
   NOTE: Needs further triaging as there is very little information on many of
   NOTE: the issues. However one of them looks like a major problem so the
@@ -97,6 +97,12 @@
   NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not
   NOTE: a bug (see #843861).
 --
+qemu (Guido Günther)
+  NOTE: Need further triaging as some of the issues looks minor. However at
+  NOTE: least one issue looks major so it needs a DLA.
+--
+qemu-kvm (Guido Günther)
+--
 slurm-llnl
   NOTE: the patch from upstream uses new members of the struct 
batch_job_launch_msg_t
   NOTE: from my point of view backporting the introduction of these new 
members to this old
@@ -104,12 +110,6 @@
 --
 svgsalamander
 --
-qemu (Guido Günther)
-  NOTE: Need further triaging as some of the issues looks minor. However at
-  NOTE: least one issue looks major so it needs a DLA.
---
-qemu-kvm (Guido Günther)
---
 wavpack
   NOTE: the provided testcases don't crash but this hunk
   NOTE: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#diff-bc1807cb462afb05056502f77834c6ebR291


[Secure-testing-commits] r48592 - data

2017-01-30 Thread Chris Lamb
Author: lamby
Date: 2017-01-31 07:38:04 +0000 (Tue, 31 Jan 2017)
New Revision: 48592

Modified:
   data/dla-needed.txt
Log:
Claim libarchive in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-31 07:31:15 UTC (rev 48591)
+++ data/dla-needed.txt 2017-01-31 07:38:04 UTC (rev 48592)
@@ -53,7 +53,7 @@
 --
 kgb-bot
 --
-libarchive
+libarchive (Chris Lamb)
 --
 libav (Hugo Lefeuvre)
   NOTE: Upstream should provide new point-releases fixing open security issues 
in the next months.


[Secure-testing-commits] r48591 - data

2017-01-30 Thread Guido Guenther
Author: agx
Date: 2017-01-31 07:31:15 +0000 (Tue, 31 Jan 2017)
New Revision: 48591

Modified:
   data/dla-needed.txt
Log:
lts: triage bitlbee, libphp-phpmailer and libarchive

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-31 06:56:25 UTC (rev 48590)
+++ data/dla-needed.txt 2017-01-31 07:31:15 UTC (rev 48591)
@@ -14,6 +14,8 @@
   NOTE: update needs testing in 
https://lists.debian.org/87fukh7hcq@curie.anarc.at
   NOTE: ready to upload after smoke tests, read the above thread.
 --
+bitlbee
+--
 cgiemail
 --
 calibre
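Review bot: the new bitlbee entry sits in its alphabetical place, but the context lines directly below it show cgiemail listed ahead of calibre, which breaks the file's alphabetical ordering; moving cgiemail after calibre in the same commit would keep the list sorted (r48593 above does this as a separate follow-up commit).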
@@ -51,6 +53,8 @@
 --
 kgb-bot
 --
+libarchive
+--
 libav (Hugo Lefeuvre)
   NOTE: Upstream should provide new point-releases fixing open security issues 
in the next months.
   NOTE: Lots of CVEs are open, this is going to take some time. (See 
debian-lts ML)
@@ -58,6 +62,8 @@
 libical
   NOTE: No known solution as of 2017-01-16.
 --
+libphp-phpmailer
+--
 libplist (Emilio Pozuelo)
 --
 libxml-twig-perl


[Secure-testing-commits] r48590 - data/CVE

2017-01-30 Thread Henri Salo
Author: fgeek-guest
Date: 2017-01-31 06:56:25 +0000 (Tue, 31 Jan 2017)
New Revision: 48590

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 06:16:38 UTC (rev 48589)
+++ data/CVE/list   2017-01-31 06:56:25 UTC (rev 48590)
@@ -17119,6 +17119,7 @@
RESERVED
 CVE-2016-8523
RESERVED
+   NOT-FOR-US: HP Smart Storage Administrator
 CVE-2016-8522
RESERVED
NOT-FOR-US: HPE Diagnostics


[Secure-testing-commits] r48589 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 06:16:38 +0000 (Tue, 31 Jan 2017)
New Revision: 48589

Modified:
   data/CVE/list
Log:
More NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 06:15:46 UTC (rev 48588)
+++ data/CVE/list   2017-01-31 06:16:38 UTC (rev 48589)
@@ -13495,9 +13495,9 @@
NOTE: non-issue, legitimate media file. If a server application uses 
libav* on untrusted media
NOTE: files, it needs to set resource limits
 CVE-2016-9554 (The Sophos Web Appliance Remote / Secure Web Gateway server 
(version ...)
-   TODO: check
+   NOT-FOR-US: Sophos
 CVE-2016-9553 (The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two 
Remote ...)
-   TODO: check
+   NOT-FOR-US: Sophos
 CVE-2016-9552
RESERVED
 CVE-2016-9551


[Secure-testing-commits] r48588 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 06:15:46 +0000 (Tue, 31 Jan 2017)
New Revision: 48588

Modified:
   data/CVE/list
Log:
Add two NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 06:10:13 UTC (rev 48587)
+++ data/CVE/list   2017-01-31 06:15:46 UTC (rev 48588)
@@ -398,9 +398,9 @@
 CVE-2017-5574 (SQL injection vulnerability in register.php in GeniXCMS before 
1.0.0 ...)
NOT-FOR-US: GenixCMS
 CVE-2017-5573 (An issue was discovered in Linux Foundation xapi in Citrix 
XenServer ...)
-   TODO: check
+   NOT-FOR-US: Citrix
 CVE-2017-5572 (An issue was discovered in Linux Foundation xapi in Citrix 
XenServer ...)
-   TODO: check
+   NOT-FOR-US: Citrix
 CVE-2017-5571
RESERVED
 CVE-2017-5570 (An issue was discovered in eClinicalWorks Patient Portal 7.0 
build 13. ...)


[Secure-testing-commits] r48587 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 06:10:13 +0000 (Tue, 31 Jan 2017)
New Revision: 48587

Modified:
   data/CVE/list
Log:
Update several NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 06:07:22 UTC (rev 48586)
+++ data/CVE/list   2017-01-31 06:10:13 UTC (rev 48587)
@@ -105,31 +105,31 @@
NOTE: Fixed by: 
https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9
NOTE: https://secunia.com/secunia_research/2017-3/
 CVE-2016-10186 (An issue was discovered on the D-Link DWR-932B router. ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10185 (An issue was discovered on the D-Link DWR-932B router. A 
secure_mode=no ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10184 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
allows ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10183 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
allows ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10182 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
allows ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10181 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
provides ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10180 (An issue was discovered on the D-Link DWR-932B router. WPS PIN 
...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10179 (An issue was discovered on the D-Link DWR-932B router. There 
is a ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10178 (An issue was discovered on the D-Link DWR-932B router. HELODBG 
on port ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10177 (An issue was discovered on the D-Link DWR-932B router. 
Undocumented ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2016-10176 (The NETGEAR WNR2000v5 router allows an administrator to 
perform ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2016-10175 (The NETGEAR WNR2000v5 router leaks its serial number when 
performing a ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2016-10174 (The NETGEAR WNR2000v5 router contains a buffer overflow in the 
...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2004-2778
RESERVED
 CVE-2017- [sd: sdhci OOB access during multi block SDMA transfer]


[Secure-testing-commits] r48586 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 06:07:22 +0000 (Tue, 31 Jan 2017)
New Revision: 48586

Modified:
   data/CVE/list
Log:
Triage CVE-2017-5601/libarchive

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 05:45:51 UTC (rev 48585)
+++ data/CVE/list   2017-01-31 06:07:22 UTC (rev 48586)
@@ -101,7 +101,9 @@
 CVE-2017-5602
RESERVED
 CVE-2017-5601 (An error in the lha_read_file_header_1() function ...)
-   TODO: check
+   - libarchive  (bug #853278)
+   NOTE: Fixed by: 
https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9
+   NOTE: https://secunia.com/secunia_research/2017-3/
 CVE-2016-10186 (An issue was discovered on the D-Link DWR-932B router. ...)
TODO: check
 CVE-2016-10185 (An issue was discovered on the D-Link DWR-932B router. A 
secure_mode=no ...)
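Review bot: the added "Fixed by:" NOTE for CVE-2017-5601 gives only the upstream libarchive commit and no upstream release in parentheses, unlike the other "Fixed by:" notes in this file (e.g. "(5.1.0)" on the wavpack entries, "(3.5.1)" on the bitlbee entry); recording the first upstream release that carries 98dcbbf0 would let the missing unstable version after "- libarchive" be filled in quickly once that release is packaged.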


[Secure-testing-commits] r48585 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 05:45:51 +0000 (Tue, 31 Jan 2017)
New Revision: 48585

Modified:
   data/CVE/list
Log:
Add CVE-2017-5609/serendipity

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 05:33:23 UTC (rev 48584)
+++ data/CVE/list   2017-01-31 05:45:51 UTC (rev 48585)
@@ -87,7 +87,7 @@
 CVE-2017-5619
RESERVED
 CVE-2017-5609 (SQL injection vulnerability in 
include/functions_entries.inc.php in ...)
-   TODO: check
+   - serendipity 
 CVE-2017-5607
RESERVED
 CVE-2017-5606


[Secure-testing-commits] r48584 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-31 05:33:23 +0000 (Tue, 31 Jan 2017)
New Revision: 48584

Modified:
   data/CVE/list
Log:
Mark wavpack issues as fixed with unstable upload

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 01:27:58 UTC (rev 48583)
+++ data/CVE/list   2017-01-31 05:33:23 UTC (rev 48584)
@@ -233,23 +233,23 @@
NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
 CVE-2016-10172 [heap oob read in read_new_config_info / open_utils.c]
RESERVED
-   - wavpack  (bug #853076)
+   - wavpack 5.0.0-2 (bug #853076)
[wheezy] - wavpack  (Vulnerable code not present)
NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561951/
NOTE: Fixed by: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc 
(5.1.0)
 CVE-2016-10171 [heap out of bounds read in unreorder_channels / wvunpack.c]
RESERVED
-   - wavpack  (bug #853076)
+   - wavpack 5.0.0-2 (bug #853076)
NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561939/
NOTE: Fixed by: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc 
(5.1.0)
 CVE-2016-10170 [heap out of bounds read in WriteCaffHeader / caff.c]
RESERVED
-   - wavpack  (bug #853076)
+   - wavpack 5.0.0-2 (bug #853076)
NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561921/
NOTE: Fixed by: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc 
(5.1.0)
 CVE-2016-10169 [global buffer overread in read_code / read_words.c]
RESERVED
-   - wavpack  (bug #853076)
+   - wavpack 5.0.0-2 (bug #853076)
NOTE: https://sourceforge.net/p/wavpack/mailman/message/35557889/
NOTE: Fixed by: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc 
(5.1.0)
 CVE-2016-10166 [Fix potential unsigned underflow]


[Secure-testing-commits] r48583 - data/CVE

2017-01-30 Thread Michael Gilbert
Author: mgilbert
Date: 2017-01-31 01:27:58 +0000 (Tue, 31 Jan 2017)
New Revision: 48583

Modified:
   data/CVE/list
Log:
chromium linked to ffmpeg

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-31 01:17:35 UTC (rev 48582)
+++ data/CVE/list   2017-01-31 01:27:58 UTC (rev 48583)
@@ -2076,12 +2076,12 @@
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5025
RESERVED
-   - chromium-browser 
+   - chromium-browser 44.0.2403.157-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
- ffmpeg 
 CVE-2017-5024
RESERVED
-   - chromium-browser 
+   - chromium-browser 44.0.2403.157-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
- ffmpeg 
 CVE-2017-5023
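Review bot: the fixed version 44.0.2403.157-1 recorded here for CVE-2017-5024 and CVE-2017-5025 is far older than the 56.0.2924.76-1~deb8u1 that DSA-3776-1 (r48582 on this page) ships for the same CVEs, and the "- ffmpeg" line stays without a fixed version; a NOTE stating the reasoning the log line "chromium linked to ffmpeg" hints at (the unstable package using system ffmpeg from that version on) would make this entry self-explanatory for later readers.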


[Secure-testing-commits] r48582 - data/DSA

2017-01-30 Thread Michael Gilbert
Author: mgilbert
Date: 2017-01-31 01:17:35 +0000 (Tue, 31 Jan 2017)
New Revision: 48582

Modified:
   data/DSA/list
Log:
add missing chromium cve

Modified: data/DSA/list
===
--- data/DSA/list   2017-01-31 00:56:47 UTC (rev 48581)
+++ data/DSA/list   2017-01-31 01:17:35 UTC (rev 48582)
@@ -1,5 +1,5 @@
 [31 Jan 2017] DSA-3776-1 chromium-browser - security update
-   {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 
CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 
CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 
CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026}
+   {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 
CVE-2017-5011 CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 
CVE-2017-5016 CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 
CVE-2017-5021 CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 
CVE-2017-5026}
[jessie] - chromium-browser 56.0.2924.76-1~deb8u1
 [29 Jan 2017] DSA-3775-1 tcpdump - security update
{CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 
CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 
CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 
CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 
CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 
CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 
CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 
CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 
CVE-2017-5486}


[Secure-testing-commits] r48581 - in data: . DSA

2017-01-30 Thread Michael Gilbert
Author: mgilbert
Date: 2017-01-31 00:56:47 +0000 (Tue, 31 Jan 2017)
New Revision: 48581

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
chromium dsa

Modified: data/DSA/list
===
--- data/DSA/list   2017-01-30 23:55:28 UTC (rev 48580)
+++ data/DSA/list   2017-01-31 00:56:47 UTC (rev 48581)
@@ -1,3 +1,6 @@
+[31 Jan 2017] DSA-3776-1 chromium-browser - security update
+   {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 
CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 
CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 
CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026}
+   [jessie] - chromium-browser 56.0.2924.76-1~deb8u1
 [29 Jan 2017] DSA-3775-1 tcpdump - security update
{CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 
CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 
CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 
CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 
CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 
CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 
CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 
CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 
CVE-2017-5486}
[jessie] - tcpdump 4.9.0-1~deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-01-30 23:55:28 UTC (rev 48580)
+++ data/dsa-needed.txt 2017-01-31 00:56:47 UTC (rev 48581)
@@ -21,8 +21,6 @@
  John Lightsey from cPanel provided patches for 4 vulnerabilities.
  CVEs asked on oss-sec.
 --
-chromium-browser
---
 graphicsmagick
 --
 icedove


[Secure-testing-commits] r48580 - data

2017-01-30 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-01-30 23:55:28 +0000 (Mon, 30 Jan 2017)
New Revision: 48580

Modified:
   data/dla-needed.txt
Log:
dla: claim ikiwiki

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-30 22:03:48 UTC (rev 48579)
+++ data/dla-needed.txt 2017-01-30 23:55:28 UTC (rev 48580)
@@ -37,7 +37,7 @@
   NOTE: maintainer currenlty planx to rename to thunderbird with the next
   NOTE: upstream version (#851989). Jessie / Wheezy should do the same.
 --
-ikiwiki
+ikiwiki (Emilio Pozuelo)
   NOTE: CVE-2016-9646, CVE-2016-10026 were minor but CVE-2017-0356 is rather 
bad
   NOTE: maintainer has prepared a backport, LTS team please test/release
   NOTE: https://lists.debian.org/debian-lts/2017/01/msg00059.html
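Review bot: unrelated to the ikiwiki claim itself, the context line "maintainer currenlty planx to rename to thunderbird" carries two typos (currently, plans); worth correcting in a follow-up, since this file is read by people during triage.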


[Secure-testing-commits] r48579 - in data: . DLA

2017-01-30 Thread Ola Lundqvist
Author: opal
Date: 2017-01-30 22:03:48 +0000 (Mon, 30 Jan 2017)
New Revision: 48579

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-809-1 for tcpdump

Modified: data/DLA/list
===
--- data/DLA/list   2017-01-30 21:22:09 UTC (rev 48578)
+++ data/DLA/list   2017-01-30 22:03:48 UTC (rev 48579)
@@ -1,3 +1,6 @@
+[30 Jan 2017] DLA-809-1 tcpdump - security update
+   {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 
CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 
CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 
CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 
CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 
CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 
CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 
CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 
CVE-2017-5486}
+   [wheezy] - tcpdump 4.9.0-1~deb7u1
 [30 Jan 2017] DLA-808-1 ruby-archive-tar-minitar - security update
{CVE-2016-10173}
[wheezy] - ruby-archive-tar-minitar 0.5.2-2+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-30 21:22:09 UTC (rev 48578)
+++ data/dla-needed.txt 2017-01-30 22:03:48 UTC (rev 48579)
@@ -98,10 +98,6 @@
 --
 svgsalamander
 --
-tcpdump
-  NOTE: I can prepare packages for wheezy as well if you need, but I'm not yet
-  NOTE: familiar with how to get them uploaded to wheezy-lts.
---
 qemu (Guido Günther)
   NOTE: Need further triaging as some of the issues looks minor. However at
   NOTE: least one issue looks major so it needs a DLA.


[Secure-testing-commits] r48578 - data/CVE

2017-01-30 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-01-30 21:22:09 +0000 (Mon, 30 Jan 2017)
New Revision: 48578

Modified:
   data/CVE/list
Log:
according to 
https://lists.apple.com/archives/security-announce/2016/Mar/msg5.html this 
belongs to Safari

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 21:10:11 UTC (rev 48577)
+++ data/CVE/list   2017-01-30 21:22:09 UTC (rev 48578)
@@ -169152,7 +169152,7 @@
 CVE-2009-2198 (Apple GarageBand before 5.1 reconfigures Safari to accept all 
cookies ...)
NOT-FOR-US: Apple GarageBand
 CVE-2009-2197 (Apple Safari before 9.1 allows remote attackers to spoof the 
user ...)
-   TODO: check
+   NOT-FOR-US: Apple Safari
 CVE-2009-2196 (Unspecified vulnerability in Apple Safari 4 before 4.0.3 allows 
remote ...)
NOT-FOR-US: Apple Safari
 CVE-2009-2195 (Buffer overflow in WebKit in Apple Safari before 4.0.3 allows 
remote ...)


[Secure-testing-commits] r48577 - data/CVE

2017-01-30 Thread security tracker role
Author: sectracker
Date: 2017-01-30 21:10:11 +0000 (Mon, 30 Jan 2017)
New Revision: 48577

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 21:06:19 UTC (rev 48576)
+++ data/CVE/list   2017-01-30 21:10:11 UTC (rev 48577)
@@ -1,3 +1,135 @@
+CVE-2017-5664
+   RESERVED
+CVE-2017-5663
+   RESERVED
+CVE-2017-5662
+   RESERVED
+CVE-2017-5661
+   RESERVED
+CVE-2017-5660
+   RESERVED
+CVE-2017-5659
+   RESERVED
+CVE-2017-5658
+   RESERVED
+CVE-2017-5657
+   RESERVED
+CVE-2017-5656
+   RESERVED
+CVE-2017-5655
+   RESERVED
+CVE-2017-5654
+   RESERVED
+CVE-2017-5653
+   RESERVED
+CVE-2017-5652
+   RESERVED
+CVE-2017-5651
+   RESERVED
+CVE-2017-5650
+   RESERVED
+CVE-2017-5649
+   RESERVED
+CVE-2017-5648
+   RESERVED
+CVE-2017-5647
+   RESERVED
+CVE-2017-5646
+   RESERVED
+CVE-2017-5645
+   RESERVED
+CVE-2017-5644
+   RESERVED
+CVE-2017-5643
+   RESERVED
+CVE-2017-5642
+   RESERVED
+CVE-2017-5641
+   RESERVED
+CVE-2017-5640
+   RESERVED
+CVE-2017-5639
+   RESERVED
+CVE-2017-5638
+   RESERVED
+CVE-2017-5637
+   RESERVED
+CVE-2017-5636
+   RESERVED
+CVE-2017-5635
+   RESERVED
+CVE-2017-5634
+   RESERVED
+CVE-2017-5633
+   RESERVED
+CVE-2017-5632 (An issue was discovered on the ASUS RT-N56U Wireless Router 
with ...)
+   TODO: check
+CVE-2017-5631
+   RESERVED
+CVE-2017-5630
+   RESERVED
+CVE-2017-5629
+   RESERVED
+CVE-2017-5626
+   RESERVED
+CVE-2017-5625
+   RESERVED
+CVE-2017-5624
+   RESERVED
+CVE-2017-5623
+   RESERVED
+CVE-2017-5622
+   RESERVED
+CVE-2017-5621
+   RESERVED
+CVE-2017-5620
+   RESERVED
+CVE-2017-5619
+   RESERVED
+CVE-2017-5609 (SQL injection vulnerability in 
include/functions_entries.inc.php in ...)
+   TODO: check
+CVE-2017-5607
+   RESERVED
+CVE-2017-5606
+   RESERVED
+CVE-2017-5605
+   RESERVED
+CVE-2017-5604
+   RESERVED
+CVE-2017-5603
+   RESERVED
+CVE-2017-5602
+   RESERVED
+CVE-2017-5601 (An error in the lha_read_file_header_1() function ...)
+   TODO: check
+CVE-2016-10186 (An issue was discovered on the D-Link DWR-932B router. ...)
+   TODO: check
+CVE-2016-10185 (An issue was discovered on the D-Link DWR-932B router. A 
secure_mode=no ...)
+   TODO: check
+CVE-2016-10184 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
allows ...)
+   TODO: check
+CVE-2016-10183 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
allows ...)
+   TODO: check
+CVE-2016-10182 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
allows ...)
+   TODO: check
+CVE-2016-10181 (An issue was discovered on the D-Link DWR-932B router. qmiweb 
provides ...)
+   TODO: check
+CVE-2016-10180 (An issue was discovered on the D-Link DWR-932B router. WPS PIN 
...)
+   TODO: check
+CVE-2016-10179 (An issue was discovered on the D-Link DWR-932B router. There 
is a ...)
+   TODO: check
+CVE-2016-10178 (An issue was discovered on the D-Link DWR-932B router. HELODBG 
on port ...)
+   TODO: check
+CVE-2016-10177 (An issue was discovered on the D-Link DWR-932B router. 
Undocumented ...)
+   TODO: check
+CVE-2016-10176 (The NETGEAR WNR2000v5 router allows an administrator to 
perform ...)
+   TODO: check
+CVE-2016-10175 (The NETGEAR WNR2000v5 router leaks its serial number when 
performing a ...)
+   TODO: check
+CVE-2016-10174 (The NETGEAR WNR2000v5 router contains a buffer overflow in the 
...)
+   TODO: check
+CVE-2004-2778
+   RESERVED
 CVE-2017- [sd: sdhci OOB access during multi block SDMA transfer]
- qemu 
- qemu-kvm 
@@ -48,15 +180,16 @@
NOTE: 
https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160
NOTE: 
https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/27/7
-CVE-2017-5628
+CVE-2017-5628 (An issue was discovered in Artifex Software, Inc. MuJS before 
...)
NOT-FOR-US: MuJS
-CVE-2017-5627
+CVE-2017-5627 (An issue was discovered in Artifex Software, Inc. MuJS before 
...)
NOT-FOR-US: MuJS
 CVE-2017-5617 [SSRF issue]
+   RESERVED
- svgsalamander  (bug #853134)
NOTE: https://github.com/blackears/svgSalamander/issues/11
NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/3
-CVE-2017-5608
+CVE-2017-5608 (Cross-site scripting (XSS) vulnerability in the image upload 
function ...)
- piwigo 
 CVE-2017-5600
RESERVED
@@ -64,15 +197,15 @@
NOT-FOR-US: eClinicalWorks
 CVE-2017-5598 (An issue was discovered in eClinicalWorks healow@work 8.0 build 
8. This ...)
NOT-FOR-US: eClinicalWorks
-CVE-2017-5612 [XSS in the posts list table]

[Secure-testing-commits] r48575 - data

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 20:51:10 +0000 (Mon, 30 Jan 2017)
New Revision: 48575

Modified:
   data/dsa-needed.txt
Log:
Add ruby-archive-tar-minitar

Note: the fix is easy, and I did already ruby-minitar for unstable. But
I will wait a bit to see if any report is raised on the SuSE patch. I do
not expect any problem, as the patch is easy and emulates what gnu tar
would do as well.

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-01-30 20:38:46 UTC (rev 48574)
+++ data/dsa-needed.txt 2017-01-30 20:51:10 UTC (rev 48575)
@@ -50,6 +50,10 @@
 qemu
   Maintainer asked to prepare updates
 --
+ruby-archive-tar-minitar (carnil)
+  NOTE: will wait a bit before fix migrates to testing and to see 
+if any report is raised
+--
 spip
 --
 wordpress (seb)
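Review bot: the second added line "+if any report is raised" is the continuation of the NOTE above it but carries neither the two-space indentation nor the "NOTE:" prefix that the preceding line uses; either join it onto the previous NOTE line or prefix it with "  NOTE:" so the two lines read as one note.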


[Secure-testing-commits] r48573 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 20:32:45 +0000 (Mon, 30 Jan 2017)
New Revision: 48573

Modified:
   data/CVE/list
Log:
Update information for CVE-2016-8867 according to Tianon Gravi 


Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 20:27:58 UTC (rev 48572)
+++ data/CVE/list   2017-01-30 20:32:45 UTC (rev 48573)
@@ -15773,11 +15773,13 @@
RESERVED
 CVE-2016-8867 (Docker Engine 1.12.2 enabled ambient capabilities with 
misconfigured ...)
- docker.io 
-   - runc  (bug #853240)
+   - runc  ("ambient capabilities" introduced later, cf bug 
#853240)
NOTE: https://github.com/docker/docker/issues/27590
NOTE: docker: 
https://github.com/docker/docker/pull/27610/commits/d60a3418d0268745dff38947bc8c929fbd24f837
 (1.12.3)
NOTE: runc: 
https://github.com/opencontainers/runc/commit/a83f5bac28554fa0fd49bc1559a3c79f5907348f
NOTE: docker.io not directly affected but will need to be updated to 
include new runc version
+   NOTE: runc: "ambient capabilities" functionality added upstream with 
https://github.com/opencontainers/runc/pull/1086
+   NOTE: and later changes.
 CVE-2016-8865
RESERVED
 CVE-2016-8864 (named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, 
and ...)
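Review bot: the two new runc NOTE lines contradict the older docker.io NOTE that is kept. If the packaged runc predates the upstream "ambient capabilities" work (PR 1086) and is therefore not affected, then `docker.io not directly affected but will need to be updated to include new runc version` no longer applies to this CVE and should be dropped or reworded, otherwise the tracker keeps suggesting an update that is not needed. The field between `- runc` and the parenthesised comment also reads as empty in the diff; make sure the entry carries an explicit state such as `<not-affected>` rather than a blank.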




[Secure-testing-commits] r48570 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 20:17:44 + (Mon, 30 Jan 2017)
New Revision: 48570

Modified:
   data/CVE/list
Log:
Add tag information for bitlbee issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 20:15:30 UTC (rev 48569)
+++ data/CVE/list   2017-01-30 20:17:44 UTC (rev 48570)
@@ -1,17 +1,17 @@
 CVE-2017- [Incomplete fix for "Null pointer dereference with file transfer 
request from unknown contacts"]
- bitlbee 
NOTE: https://bugs.bitlbee.org/ticket/1282
-   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441
+   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441
 (3.5.1)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/4
 CVE-2017- [Null pointer dereference with file transfer request from 
unknown contacts]
- bitlbee 3.5-1
NOTE: https://bugs.bitlbee.org/ticket/1282
-   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f
+   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f
 (3.5)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/4
 CVE-2017- [bitlbee-libpurple: Use after free when expiring file transfer 
requests]
- bitlbee 3.5-1
NOTE: https://bugs.bitlbee.org/ticket/1281
-   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2
+   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2
 (3.5)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/4
 CVE-2017- [Incomplete fix for CVE-2017-5180]
- firejail 0.9.44.6-1
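Review bot: the upstream release tags added to the three `Fixed by:` lines (3.5.1 and 3.5) are useful, but the first entry still lists `- bitlbee` with a blank Debian version while the other two carry 3.5-1. Since the incomplete-fix commit is only in 3.5.1 and Debian has 3.5-1, the entry should say so explicitly (`<unfixed>`) rather than leave the field empty, and its bracketed title could cite ticket 1282 so the relationship to the second entry is visible without reading the NOTEs.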




[Secure-testing-commits] r48569 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 20:15:30 + (Mon, 30 Jan 2017)
New Revision: 48569

Modified:
   data/CVE/list
Log:
Add three bitlbee issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 20:06:29 UTC (rev 48568)
+++ data/CVE/list   2017-01-30 20:15:30 UTC (rev 48569)
@@ -1,3 +1,18 @@
+CVE-2017- [Incomplete fix for "Null pointer dereference with file transfer 
request from unknown contacts"]
+   - bitlbee 
+   NOTE: https://bugs.bitlbee.org/ticket/1282
+   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/4
+CVE-2017- [Null pointer dereference with file transfer request from 
unknown contacts]
+   - bitlbee 3.5-1
+   NOTE: https://bugs.bitlbee.org/ticket/1282
+   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/4
+CVE-2017- [bitlbee-libpurple: Use after free when expiring file transfer 
requests]
+   - bitlbee 3.5-1
+   NOTE: https://bugs.bitlbee.org/ticket/1281
+   NOTE: Fixed by: 
https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/30/4
 CVE-2017- [Incomplete fix for CVE-2017-5180]
- firejail 0.9.44.6-1
NOTE: Changelog mentions the new fix for CVE-2017-5180 in RELNOTES for 
0.9.44.6
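Review bot: the `Fixed by:` commit links carry no upstream release, so a reader cannot tell which bitlbee version contains each fix or that the first commit (30d598c) postdates the 3.5 release the other two are in; append the release to each line, as r48570 above does. The placeholder identifiers should also be replaced as soon as the oss-security request in the CVE Request NOTE is answered, otherwise the three entries are hard to tell apart.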




[Secure-testing-commits] r48568 - data/CVE

2017-01-30 Thread Balint Reczey
Author: rbalint
Date: 2017-01-30 20:06:29 + (Mon, 30 Jan 2017)
New Revision: 48568

Modified:
   data/CVE/list
Log:
Add bug reference for ruby-archive-tar-minitar issue, #853249

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 19:16:33 UTC (rev 48567)
+++ data/CVE/list   2017-01-30 20:06:29 UTC (rev 48568)
@@ -71,7 +71,7 @@
RESERVED
 CVE-2016-10173 [directory traversal vulnerability]
- ruby-minitar 0.5.4-3.1 (bug #853075)
-   - ruby-archive-tar-minitar 
+   - ruby-archive-tar-minitar  (bug #853249)
NOTE: https://github.com/halostatue/minitar/issues/16
NOTE: 
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4
NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740




[Secure-testing-commits] r48566 - data/CVE

2017-01-30 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-01-30 19:05:33 + (Mon, 30 Jan 2017)
New Revision: 48566

Modified:
   data/CVE/list
Log:
add bug number

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 18:57:10 UTC (rev 48565)
+++ data/CVE/list   2017-01-30 19:05:33 UTC (rev 48566)
@@ -15752,7 +15752,7 @@
RESERVED
 CVE-2016-8867 (Docker Engine 1.12.2 enabled ambient capabilities with 
misconfigured ...)
- docker.io 
-   - runc 
+   - runc  (bug #853240)
NOTE: https://github.com/docker/docker/issues/27590
NOTE: docker: 
https://github.com/docker/docker/pull/27610/commits/d60a3418d0268745dff38947bc8c929fbd24f837
 (1.12.3)
NOTE: runc: 
https://github.com/opencontainers/runc/commit/a83f5bac28554fa0fd49bc1559a3c79f5907348f




[Secure-testing-commits] r48565 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 18:57:10 + (Mon, 30 Jan 2017)
New Revision: 48565

Modified:
   data/CVE/list
Log:
Add bug reference for libphp-phpmailer issue, #853232

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 18:56:16 UTC (rev 48564)
+++ data/CVE/list   2017-01-30 18:57:10 UTC (rev 48565)
@@ -1335,7 +1335,7 @@
 CVE-2017-5224
RESERVED
 CVE-2017-5223 (An issue was discovered in PHPMailer before 5.2.22. PHPMailer's 
msgHTML ...)
-   - libphp-phpmailer 
+   - libphp-phpmailer  (bug #853232)
NOTE: Fixed by: 
https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402
 (v5.2.22)
NOTE: 
http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/
 CVE-2017-5222




[Secure-testing-commits] r48564 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 18:56:16 + (Mon, 30 Jan 2017)
New Revision: 48564

Modified:
   data/CVE/list
Log:
Add references for CVE-2017-5223

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 18:52:20 UTC (rev 48563)
+++ data/CVE/list   2017-01-30 18:56:16 UTC (rev 48564)
@@ -1336,6 +1336,8 @@
RESERVED
 CVE-2017-5223 (An issue was discovered in PHPMailer before 5.2.22. PHPMailer's 
msgHTML ...)
- libphp-phpmailer 
+   NOTE: Fixed by: 
https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402
 (v5.2.22)
+   NOTE: 
http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/
 CVE-2017-5222
RESERVED
 CVE-2017-5221
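Review bot: the second NOTE is a third-party write-up served over plain http; it is fine as supporting context, but the primary reference for an issue described as "before 5.2.22" should be upstream's own changelog or security note for v5.2.22 alongside the commit, so the entry does not depend on a blog staying online and the "local information disclosure" characterisation in the URL is backed by upstream.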




[Secure-testing-commits] r48563 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 18:52:20 + (Mon, 30 Jan 2017)
New Revision: 48563

Modified:
   data/CVE/list
Log:
Add CVE-2017-5608

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 18:39:27 UTC (rev 48562)
+++ data/CVE/list   2017-01-30 18:52:20 UTC (rev 48563)
@@ -35,6 +35,8 @@
- svgsalamander  (bug #853134)
NOTE: https://github.com/blackears/svgSalamander/issues/11
NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/3
+CVE-2017-5608
+   - piwigo 
 CVE-2017-5600
RESERVED
 CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 
build 13. ...)
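Review bot: the new CVE-2017-5608 entry has neither a bracketed summary nor a NOTE with a reference, unlike the svgsalamander entry just above it, which carries the upstream issue and the oss-security post. Add at least a one-line description and the upstream report so the piwigo maintainer can triage it without looking the CVE up elsewhere.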




[Secure-testing-commits] r48562 - data

2017-01-30 Thread Balint Reczey
Author: rbalint
Date: 2017-01-30 18:39:27 + (Mon, 30 Jan 2017)
New Revision: 48562

Modified:
   data/dla-needed.txt
Log:
Claim glassfish and ruby-archive-tar-minitar for DLA

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-30 18:32:21 UTC (rev 48561)
+++ data/dla-needed.txt 2017-01-30 18:39:27 UTC (rev 48562)
@@ -21,7 +21,7 @@
   NOTE: In particular, it seems likely that there are more undocumented but
   NOTE: public security issues in Calibre. See for example bug #853004.
 --
-glassfish
+glassfish (Balint Reczey)
   NOTE: Needs further triaging as there is very little information on many of
   NOTE: the issues. However one of them looks like a major problem so the
   NOTE: package needs a DLA.
@@ -91,7 +91,7 @@
   NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not
   NOTE: a bug (see #843861).
 --
-ruby-archive-tar-minitar
+ruby-archive-tar-minitar (Balint Reczey)
   NOTE: Vulnerable code is in lib/archive/tar/minitar/command.rb
 --
 slurm-llnl




[Secure-testing-commits] r48560 - data/CVE

2017-01-30 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-01-30 17:41:41 + (Mon, 30 Jan 2017)
New Revision: 48560

Modified:
   data/CVE/list
Log:
NFUs
some ITPs for ox


Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 17:30:41 UTC (rev 48559)
+++ data/CVE/list   2017-01-30 17:41:41 UTC (rev 48560)
@@ -56,7 +56,7 @@
 CVE-2017-5595
RESERVED
 CVE-2017-5594 (An issue was discovered in Pagekit CMS before 1.0.11. In this 
...)
-   TODO: check
+   NOT-FOR-US: Pagekit CMS
 CVE-2017-5593
RESERVED
 CVE-2017-5592
@@ -6021,123 +6021,123 @@
 CVE-2017-3393
RESERVED
 CVE-2017-3392 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3391 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3390 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3389 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3388 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3387 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
NOT-FOR-US: Oracle
 CVE-2017-3386 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3385 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3384 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3383 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3382 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3381 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3380 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3379 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3378 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3377 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3376 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3375 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3374 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3373 (Vulnerability in the Oracle Advanced Outbound Telephony 
component of ...)
NOT-FOR-US: Oracle
 CVE-2017-3372 (Vulnerability in the Oracle Interaction Blending component of 
Oracle ...)
NOT-FOR-US: Oracle
 CVE-2017-3371 (Vulnerability in the Oracle iSupport component of Oracle 
E-Business ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3370 (Vulnerability in the Oracle iSupport component of Oracle 
E-Business ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3369 (Vulnerability in the Oracle iSupport component of Oracle 
E-Business ...)
NOT-FOR-US: Oracle
 CVE-2017-3368 (Vulnerability in the Oracle iStore component of Oracle 
E-Business ...)
NOT-FOR-US: Oracle
 CVE-2017-3367 (Vulnerability in the Oracle Knowledge Management component of 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3366 (Vulnerability in the Oracle Knowledge Management component of 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3365 (Vulnerability in the Oracle Knowledge Management component of 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3364 (Vulnerability in the Oracle Knowledge Management component of 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3363 (Vulnerability in the Oracle Knowledge Management component of 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-3362 (Vulnerability in the Oracle Knowledge Management component of 
Oracle ...)
NOT-FOR-US: Oracle
 CVE-2017-3361 (Vulnerability in the Oracle Installed Base component of Oracle 
...)
NOT-FOR-US: Oracle
 CVE-2017-3360 (Vulnerability in the Oracle Customer Intelligence component of 
Oracle ...)

[Secure-testing-commits] r48559 - data

2017-01-30 Thread Guido Guenther
Author: agx
Date: 2017-01-30 17:30:41 + (Mon, 30 Jan 2017)
New Revision: 48559

Modified:
   data/dla-needed.txt
Log:
lts: triage icedove

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-30 16:38:15 UTC (rev 48558)
+++ data/dla-needed.txt 2017-01-30 17:30:41 UTC (rev 48559)
@@ -33,6 +33,10 @@
   NOTE: Subject of announce mail also contained typo (DLA-574-1 vs. DLA-547-1)
   NOTE: update available for testing in: 
https://lists.debian.org/87inpe4wgu@curie.anarc.at
 --
+icedove
+  NOTE: maintainer currenlty planx to rename to thunderbird with the next
+  NOTE: upstream version (#851989). Jessie / Wheezy should do the same.
+--
 ikiwiki
   NOTE: CVE-2016-9646, CVE-2016-10026 were minor but CVE-2017-0356 is rather 
bad
   NOTE: maintainer has prepared a backport, LTS team please test/release
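Review bot: typo in the new icedove NOTE: `currenlty planx` should read `currently plans`. The note also says Jessie/Wheezy "should do the same" without saying whether the pending LTS update is blocked on the rename to thunderbird or can ship under the icedove name; spell that out so the dla-needed entry tells the next person what to do.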




[Secure-testing-commits] r48554 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 16:15:16 + (Mon, 30 Jan 2017)
New Revision: 48554

Modified:
   data/CVE/list
Log:
Add two more NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 13:49:05 UTC (rev 48553)
+++ data/CVE/list   2017-01-30 16:15:16 UTC (rev 48554)
@@ -27,6 +27,10 @@
NOTE: 
https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160
NOTE: 
https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/01/27/7
+CVE-2017-5628
+   NOT-FOR-US: MuJS
+CVE-2017-5627
+   NOT-FOR-US: MuJS
 CVE-2017-5617 [SSRF issue]
- svgsalamander  (bug #853134)
NOTE: https://github.com/blackears/svgSalamander/issues/11




[Secure-testing-commits] r48553 - data/DLA

2017-01-30 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-01-30 13:49:05 + (Mon, 30 Jan 2017)
New Revision: 48553

Modified:
   data/DLA/list
Log:
DLA-610-2 for tiff3 regression in wheezy-security

Modified: data/DLA/list
===
--- data/DLA/list   2017-01-30 10:43:45 UTC (rev 48552)
+++ data/DLA/list   2017-01-30 13:49:05 UTC (rev 48553)
@@ -1,3 +1,5 @@
+[30 Jan 2017] DLA-610-2 tiff3 - regression update
+   [wheezy] - tiff3 3.9.6-11+deb7u3
 [30 Jan 2017] DLA-807-1 imagemagick - security update
{CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 
CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511}
[wheezy] - imagemagick 8:6.7.7.10-5+deb7u11




[Secure-testing-commits] r48552 - data

2017-01-30 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-01-30 10:43:45 + (Mon, 30 Jan 2017)
New Revision: 48552

Modified:
   data/dla-needed.txt
Log:
jasper notes

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-30 10:29:52 UTC (rev 48551)
+++ data/dla-needed.txt 2017-01-30 10:43:45 UTC (rev 48552)
@@ -39,7 +39,7 @@
   NOTE: https://lists.debian.org/debian-lts/2017/01/msg00059.html
 --
 jasper (Thorsten Alteholz)
-  NOTE: not really clear what CVEs need to be fixed
+  NOTE: no upstream fixes yet
 --
 jbig2dec (Raphaël Hertzog)
   NOTE: No known solution as of 2017-01-20.



[Secure-testing-commits] r48551 - in data: . CVE

2017-01-30 Thread Balint Reczey
Author: rbalint
Date: 2017-01-30 10:29:52 + (Mon, 30 Jan 2017)
New Revision: 48551

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Current wireshark CVEs can wait in wheezy, too

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 09:19:40 UTC (rev 48550)
+++ data/CVE/list   2017-01-30 10:29:52 UTC (rev 48551)
@@ -150,11 +150,13 @@
 CVE-2017-5597 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 
dissector ...)
- wireshark 2.2.4+gcc3dc1b-1
[jessie] - wireshark  (Can be fixed along with the next round 
of Wireshark vulnerabilities)
+   [wheezy] - wireshark  (Can be fixed along with the next round 
of Wireshark vulnerabilities)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-02.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13345
 CVE-2017-5596 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX 
dissector ...)
- wireshark 2.2.4+gcc3dc1b-1
[jessie] - wireshark  (Can be fixed along with the next round 
of Wireshark vulnerabilities)
+   [wheezy] - wireshark  (Can be fixed along with the next round 
of Wireshark vulnerabilities)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-01.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13344
 CVE-2017- [phpMyAdmin PMASA-2017-1 - PMASA-2017-7]

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-01-30 09:19:40 UTC (rev 48550)
+++ data/dla-needed.txt 2017-01-30 10:29:52 UTC (rev 48551)
@@ -112,8 +112,6 @@
   NOTE: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#diff-bc1807cb462afb05056502f77834c6ebR291
   NOTE: is missing in the wheezy version
 --
-wireshark (Balint Reczey)
---
 wordpress (Markus Koschany)
 --
 xen




[Secure-testing-commits] r48550 - data/CVE

2017-01-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-01-30 09:19:40 + (Mon, 30 Jan 2017)
New Revision: 48550

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2016-10173/ruby-minitar

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 09:10:15 UTC (rev 48549)
+++ data/CVE/list   2017-01-30 09:19:40 UTC (rev 48550)
@@ -64,7 +64,7 @@
 CVE-2017-5589
RESERVED
 CVE-2016-10173 [directory traversal vulnerability]
-   - ruby-minitar 
+   - ruby-minitar 0.5.4-3.1 (bug #853075)
- ruby-archive-tar-minitar 
NOTE: https://github.com/halostatue/minitar/issues/16
NOTE: 
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4




[Secure-testing-commits] r48549 - data/CVE

2017-01-30 Thread security tracker role
Author: sectracker
Date: 2017-01-30 09:10:15 + (Mon, 30 Jan 2017)
New Revision: 48549

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-30 07:26:15 UTC (rev 48548)
+++ data/CVE/list   2017-01-30 09:10:15 UTC (rev 48549)
@@ -945,22 +945,26 @@
NOTE: https://github.com/mdadams/jasper/issues/62
 CVE-2017-5506 [double free in profile]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.4+dfsg-1 (bug #851383)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/354
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
 CVE-2017-5507 [memory leak in MPC file handling]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.4+dfsg-1 (bug #851382)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
 CVE-2017-5508 [Crash - PushQuantumPixel - Heap-Buffer-Overflow (TIFF)]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.4+dfsg-1 (bug #851381)
NOTE: 
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=31161
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/379e21cd32483df6e128147af3bc4ce1f82eb9c4
 CVE-2016-10146 [memory leak in caption and label handling]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.0+dfsg-2 (bug #851380)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1db456
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
@@ -978,21 +982,25 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
 CVE-2017-5510 [memory corruption heap overflow, psb file related, another one]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.4+dfsg-1 (bug #851376)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/348
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
 CVE-2017-5511 [memory corruption heap overflow, psb file related]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.4+dfsg-1 (bug #851374)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/347
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
 CVE-2016-10144 [ipl file missing malloc check]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.4+dfsg-1 (bug #851485)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/97566cf2806c0a5a86e884c96831a0c3b1ec6c20
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6
 CVE-2016-10145 [wpg file off by one]
RESERVED
+   {DLA-807-1}
- imagemagick 8:6.9.7.4+dfsg-1 (bug #851483)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9
NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6

