[Secure-testing-commits] r48596 - data/CVE
Author: carnil Date: 2017-01-31 07:46:57 + (Tue, 31 Jan 2017) New Revision: 48596 Modified: data/CVE/list Log: Add upstream patchset for CVE-2016-9602 Modified: data/CVE/list === --- data/CVE/list 2017-01-31 07:43:38 UTC (rev 48595) +++ data/CVE/list 2017-01-31 07:46:57 UTC (rev 48596) @@ -13305,6 +13305,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1413929 NOTE: The original proposed patch does not fix the issue, cf. NOTE: http://www.openwall.com/lists/oss-security/2017/01/17/14 + NOTE: Upstream patchset: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html CVE-2016-9601 [Heap-buffer overflow due to Integer overflow in jbig2_image_new function] RESERVED - jbig2dec 0.13-4 (bug #850497) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48595 - in data: . DLA
Author: lamby Date: 2017-01-31 07:43:38 + (Tue, 31 Jan 2017) New Revision: 48595 Modified: data/DLA/list data/dla-needed.txt Log: Reserve 3.0.4-3+wheezy5+deb7u1 for libarchive. Modified: data/DLA/list === --- data/DLA/list 2017-01-31 07:43:31 UTC (rev 48594) +++ data/DLA/list 2017-01-31 07:43:38 UTC (rev 48595) @@ -1,3 +1,6 @@ +[31 Jan 2017] DLA-810-1 libarchive - security update + {CVE-2017-5601} + [wheezy] - libarchive 3.0.4-3+wheezy5+deb7u1 [30 Jan 2017] DLA-809-1 tcpdump - security update {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486} [wheezy] - tcpdump 4.9.0-1~deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-31 07:43:31 UTC (rev 48594) +++ data/dla-needed.txt 2017-01-31 07:43:38 UTC (rev 48595) @@ -53,8 +53,6 @@ -- kgb-bot -- -libarchive (Chris Lamb) --- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48594 - data/CVE
Author: carnil Date: 2017-01-31 07:43:31 + (Tue, 31 Jan 2017) New Revision: 48594 Modified: data/CVE/list Log: Add bug reference for not yet fixed bitlbee issue in unstable, #853282 Modified: data/CVE/list === --- data/CVE/list 2017-01-31 07:38:08 UTC (rev 48593) +++ data/CVE/list 2017-01-31 07:43:31 UTC (rev 48594) @@ -139,7 +139,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1417559 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/2 CVE-2017- [Incomplete fix for "Null pointer dereference with file transfer request from unknown contacts"] - - bitlbee + - bitlbee (bug #853282) NOTE: https://bugs.bitlbee.org/ticket/1282 NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 (3.5.1) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48593 - data
Author: lamby Date: 2017-01-31 07:38:08 + (Tue, 31 Jan 2017) New Revision: 48593 Modified: data/dla-needed.txt Log: Correct ordering in dla-needed.txt Signed-off-by: Chris LambModified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-31 07:38:04 UTC (rev 48592) +++ data/dla-needed.txt 2017-01-31 07:38:08 UTC (rev 48593) @@ -16,13 +16,13 @@ -- bitlbee -- -cgiemail --- calibre NOTE: We will need to investigate the issue much further. NOTE: In particular, it seems likely that there are more undocumented but NOTE: public security issues in Calibre. See for example bug #853004. -- +cgiemail +-- glassfish (Balint Reczey) NOTE: Needs further triaging as there is very little information on many of NOTE: the issues. However one of them looks like a major problem so the @@ -97,6 +97,12 @@ NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not NOTE: a bug (see #843861). -- +qemu (Guido Günther) + NOTE: Need further triaging as some of the issues looks minor. However at + NOTE: least one issue looks major so it needs a DLA. +-- +qemu-kvm (Guido Günther) +-- slurm-llnl NOTE: the patch from upstream uses new members of the struct batch_job_launch_msg_t NOTE: from my point of view backporting the introduction of these new members to this old @@ -104,12 +110,6 @@ -- svgsalamander -- -qemu (Guido Günther) - NOTE: Need further triaging as some of the issues looks minor. However at - NOTE: least one issue looks major so it needs a DLA. --- -qemu-kvm (Guido Günther) --- wavpack NOTE: the provided testcases don't crash but this hunk NOTE: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#diff-bc1807cb462afb05056502f77834c6ebR291 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48592 - data
Author: lamby Date: 2017-01-31 07:38:04 + (Tue, 31 Jan 2017) New Revision: 48592 Modified: data/dla-needed.txt Log: Claim libarchive in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-31 07:31:15 UTC (rev 48591) +++ data/dla-needed.txt 2017-01-31 07:38:04 UTC (rev 48592) @@ -53,7 +53,7 @@ -- kgb-bot -- -libarchive +libarchive (Chris Lamb) -- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48591 - data
Author: agx Date: 2017-01-31 07:31:15 + (Tue, 31 Jan 2017) New Revision: 48591 Modified: data/dla-needed.txt Log: lts: triage bitlbee, libphp-phpmailer and libarchive Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-31 06:56:25 UTC (rev 48590) +++ data/dla-needed.txt 2017-01-31 07:31:15 UTC (rev 48591) @@ -14,6 +14,8 @@ NOTE: update needs testing in https://lists.debian.org/87fukh7hcq@curie.anarc.at NOTE: ready to upload after smoke tests, read the above thread. -- +bitlbee +-- cgiemail -- calibre @@ -51,6 +53,8 @@ -- kgb-bot -- +libarchive +-- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) @@ -58,6 +62,8 @@ libical NOTE: No known solution as of 2017-01-16. -- +libphp-phpmailer +-- libplist (Emilio Pozuelo) -- libxml-twig-perl ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48590 - data/CVE
Author: fgeek-guest Date: 2017-01-31 06:56:25 + (Tue, 31 Jan 2017) New Revision: 48590 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-01-31 06:16:38 UTC (rev 48589) +++ data/CVE/list 2017-01-31 06:56:25 UTC (rev 48590) @@ -17119,6 +17119,7 @@ RESERVED CVE-2016-8523 RESERVED + NOT-FOR-US: HP Smart Storage Administrator CVE-2016-8522 RESERVED NOT-FOR-US: HPE Diagnostics ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48589 - data/CVE
Author: carnil Date: 2017-01-31 06:16:38 + (Tue, 31 Jan 2017) New Revision: 48589 Modified: data/CVE/list Log: More NFUs Modified: data/CVE/list === --- data/CVE/list 2017-01-31 06:15:46 UTC (rev 48588) +++ data/CVE/list 2017-01-31 06:16:38 UTC (rev 48589) @@ -13495,9 +13495,9 @@ NOTE: non-issue, legitimate media file. If a server application uses libav* on untrusted media NOTE: files, it needs to set resource limits CVE-2016-9554 (The Sophos Web Appliance Remote / Secure Web Gateway server (version ...) - TODO: check + NOT-FOR-US: Sophos CVE-2016-9553 (The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote ...) - TODO: check + NOT-FOR-US: Sophos CVE-2016-9552 RESERVED CVE-2016-9551 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48588 - data/CVE
Author: carnil Date: 2017-01-31 06:15:46 + (Tue, 31 Jan 2017) New Revision: 48588 Modified: data/CVE/list Log: Add two NFUs Modified: data/CVE/list === --- data/CVE/list 2017-01-31 06:10:13 UTC (rev 48587) +++ data/CVE/list 2017-01-31 06:15:46 UTC (rev 48588) @@ -398,9 +398,9 @@ CVE-2017-5574 (SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 ...) NOT-FOR-US: GenixCMS CVE-2017-5573 (An issue was discovered in Linux Foundation xapi in Citrix XenServer ...) - TODO: check + NOT-FOR-US: Citrix CVE-2017-5572 (An issue was discovered in Linux Foundation xapi in Citrix XenServer ...) - TODO: check + NOT-FOR-US: Citrix CVE-2017-5571 RESERVED CVE-2017-5570 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48587 - data/CVE
Author: carnil Date: 2017-01-31 06:10:13 + (Tue, 31 Jan 2017) New Revision: 48587 Modified: data/CVE/list Log: Update several NFUs Modified: data/CVE/list === --- data/CVE/list 2017-01-31 06:07:22 UTC (rev 48586) +++ data/CVE/list 2017-01-31 06:10:13 UTC (rev 48587) @@ -105,31 +105,31 @@ NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 NOTE: https://secunia.com/secunia_research/2017-3/ CVE-2016-10186 (An issue was discovered on the D-Link DWR-932B router. ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10185 (An issue was discovered on the D-Link DWR-932B router. A secure_mode=no ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10184 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10183 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10182 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10181 (An issue was discovered on the D-Link DWR-932B router. qmiweb provides ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10180 (An issue was discovered on the D-Link DWR-932B router. WPS PIN ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10179 (An issue was discovered on the D-Link DWR-932B router. There is a ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10178 (An issue was discovered on the D-Link DWR-932B router. HELODBG on port ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10177 (An issue was discovered on the D-Link DWR-932B router. Undocumented ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-10176 (The NETGEAR WNR2000v5 router allows an administrator to perform ...) - TODO: check + NOT-FOR-US: Netgear CVE-2016-10175 (The NETGEAR WNR2000v5 router leaks its serial number when performing a ...) - TODO: check + NOT-FOR-US: Netgear CVE-2016-10174 (The NETGEAR WNR2000v5 router contains a buffer overflow in the ...) - TODO: check + NOT-FOR-US: Netgear CVE-2004-2778 RESERVED CVE-2017- [sd: sdhci OOB access during multi block SDMA transfer] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48586 - data/CVE
Author: carnil Date: 2017-01-31 06:07:22 + (Tue, 31 Jan 2017) New Revision: 48586 Modified: data/CVE/list Log: Triage CVE-2017-5601/libarchive Modified: data/CVE/list === --- data/CVE/list 2017-01-31 05:45:51 UTC (rev 48585) +++ data/CVE/list 2017-01-31 06:07:22 UTC (rev 48586) @@ -101,7 +101,9 @@ CVE-2017-5602 RESERVED CVE-2017-5601 (An error in the lha_read_file_header_1() function ...) - TODO: check + - libarchive (bug #853278) + NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 + NOTE: https://secunia.com/secunia_research/2017-3/ CVE-2016-10186 (An issue was discovered on the D-Link DWR-932B router. ...) TODO: check CVE-2016-10185 (An issue was discovered on the D-Link DWR-932B router. A secure_mode=no ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48585 - data/CVE
Author: carnil Date: 2017-01-31 05:45:51 + (Tue, 31 Jan 2017) New Revision: 48585 Modified: data/CVE/list Log: Add CVE-2017-5609/serendipity Modified: data/CVE/list === --- data/CVE/list 2017-01-31 05:33:23 UTC (rev 48584) +++ data/CVE/list 2017-01-31 05:45:51 UTC (rev 48585) @@ -87,7 +87,7 @@ CVE-2017-5619 RESERVED CVE-2017-5609 (SQL injection vulnerability in include/functions_entries.inc.php in ...) - TODO: check + - serendipity CVE-2017-5607 RESERVED CVE-2017-5606 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48584 - data/CVE
Author: carnil Date: 2017-01-31 05:33:23 + (Tue, 31 Jan 2017) New Revision: 48584 Modified: data/CVE/list Log: Mark wavpack issues as fixed with unstable upload Modified: data/CVE/list === --- data/CVE/list 2017-01-31 01:27:58 UTC (rev 48583) +++ data/CVE/list 2017-01-31 05:33:23 UTC (rev 48584) @@ -233,23 +233,23 @@ NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740 CVE-2016-10172 [heap oob read in read_new_config_info / open_utils.c] RESERVED - - wavpack (bug #853076) + - wavpack 5.0.0-2 (bug #853076) [wheezy] - wavpack (Vulnerable code not present) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561951/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10171 [heap out of bounds read in unreorder_channels / wvunpack.c] RESERVED - - wavpack (bug #853076) + - wavpack 5.0.0-2 (bug #853076) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561939/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10170 [heap out of bounds read in WriteCaffHeader / caff.c] RESERVED - - wavpack (bug #853076) + - wavpack 5.0.0-2 (bug #853076) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561921/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10169 [global buffer overread in read_code / read_words.c] RESERVED - - wavpack (bug #853076) + - wavpack 5.0.0-2 (bug #853076) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35557889/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10166 [Fix potential unsigned underflow] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48583 - data/CVE
Author: mgilbert Date: 2017-01-31 01:27:58 + (Tue, 31 Jan 2017) New Revision: 48583 Modified: data/CVE/list Log: chromium linked to ffmpeg Modified: data/CVE/list === --- data/CVE/list 2017-01-31 01:17:35 UTC (rev 48582) +++ data/CVE/list 2017-01-31 01:27:58 UTC (rev 48583) @@ -2076,12 +2076,12 @@ [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5025 RESERVED - - chromium-browser + - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg CVE-2017-5024 RESERVED - - chromium-browser + - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg CVE-2017-5023 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48582 - data/DSA
Author: mgilbert Date: 2017-01-31 01:17:35 + (Tue, 31 Jan 2017) New Revision: 48582 Modified: data/DSA/list Log: add missing chromium cve Modified: data/DSA/list === --- data/DSA/list 2017-01-31 00:56:47 UTC (rev 48581) +++ data/DSA/list 2017-01-31 01:17:35 UTC (rev 48582) @@ -1,5 +1,5 @@ [31 Jan 2017] DSA-3776-1 chromium-browser - security update - {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026} + {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 CVE-2017-5011 CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026} [jessie] - chromium-browser 56.0.2924.76-1~deb8u1 [29 Jan 2017] DSA-3775-1 tcpdump - security update {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48581 - in data: . DSA
Author: mgilbert Date: 2017-01-31 00:56:47 + (Tue, 31 Jan 2017) New Revision: 48581 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2017-01-30 23:55:28 UTC (rev 48580) +++ data/DSA/list 2017-01-31 00:56:47 UTC (rev 48581) @@ -1,3 +1,6 @@ +[31 Jan 2017] DSA-3776-1 chromium-browser - security update + {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026} + [jessie] - chromium-browser 56.0.2924.76-1~deb8u1 [29 Jan 2017] DSA-3775-1 tcpdump - security update {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486} [jessie] - tcpdump 4.9.0-1~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-30 23:55:28 UTC (rev 48580) +++ data/dsa-needed.txt 2017-01-31 00:56:47 UTC (rev 48581) @@ -21,8 +21,6 @@ John Lightsey from cPanel provided patches for 4 vulnerabilities. CVEs asked on oss-sec. -- -chromium-browser --- graphicsmagick -- icedove ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48580 - data
Author: pochu Date: 2017-01-30 23:55:28 + (Mon, 30 Jan 2017) New Revision: 48580 Modified: data/dla-needed.txt Log: dla: claim ikiwiki Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-30 22:03:48 UTC (rev 48579) +++ data/dla-needed.txt 2017-01-30 23:55:28 UTC (rev 48580) @@ -37,7 +37,7 @@ NOTE: maintainer currenlty planx to rename to thunderbird with the next NOTE: upstream version (#851989). Jessie / Wheezy should do the same. -- -ikiwiki +ikiwiki (Emilio Pozuelo) NOTE: CVE-2016-9646, CVE-2016-10026 were minor but CVE-2017-0356 is rather bad NOTE: maintainer has prepared a backport, LTS team please test/release NOTE: https://lists.debian.org/debian-lts/2017/01/msg00059.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48579 - in data: . DLA
Author: opal Date: 2017-01-30 22:03:48 + (Mon, 30 Jan 2017) New Revision: 48579 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-809-1 for tcpdump Modified: data/DLA/list === --- data/DLA/list 2017-01-30 21:22:09 UTC (rev 48578) +++ data/DLA/list 2017-01-30 22:03:48 UTC (rev 48579) @@ -1,3 +1,6 @@ +[30 Jan 2017] DLA-809-1 tcpdump - security update + {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486} + [wheezy] - tcpdump 4.9.0-1~deb7u1 [30 Jan 2017] DLA-808-1 ruby-archive-tar-minitar - security update {CVE-2016-10173} [wheezy] - ruby-archive-tar-minitar 0.5.2-2+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-30 21:22:09 UTC (rev 48578) +++ data/dla-needed.txt 2017-01-30 22:03:48 UTC (rev 48579) @@ -98,10 +98,6 @@ -- svgsalamander -- -tcpdump - NOTE: I can prepare packages for wheezy as well if you need, but I'm not yet - NOTE: familiar with how to get them uploaded to wheezy-lts. --- qemu (Guido Günther) NOTE: Need further triaging as some of the issues looks minor. However at NOTE: least one issue looks major so it needs a DLA. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48578 - data/CVE
Author: alteholz Date: 2017-01-30 21:22:09 + (Mon, 30 Jan 2017) New Revision: 48578 Modified: data/CVE/list Log: according to https://lists.apple.com/archives/security-announce/2016/Mar/msg5.html this belongs to Safari Modified: data/CVE/list === --- data/CVE/list 2017-01-30 21:10:11 UTC (rev 48577) +++ data/CVE/list 2017-01-30 21:22:09 UTC (rev 48578) @@ -169152,7 +169152,7 @@ CVE-2009-2198 (Apple GarageBand before 5.1 reconfigures Safari to accept all cookies ...) NOT-FOR-US: Apple GarageBand CVE-2009-2197 (Apple Safari before 9.1 allows remote attackers to spoof the user ...) - TODO: check + NOT-FOR-US: Apple Safari CVE-2009-2196 (Unspecified vulnerability in Apple Safari 4 before 4.0.3 allows remote ...) NOT-FOR-US: Apple Safari CVE-2009-2195 (Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48577 - data/CVE
Author: sectracker Date: 2017-01-30 21:10:11 + (Mon, 30 Jan 2017) New Revision: 48577 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-01-30 21:06:19 UTC (rev 48576) +++ data/CVE/list 2017-01-30 21:10:11 UTC (rev 48577) @@ -1,3 +1,135 @@ +CVE-2017-5664 + RESERVED +CVE-2017-5663 + RESERVED +CVE-2017-5662 + RESERVED +CVE-2017-5661 + RESERVED +CVE-2017-5660 + RESERVED +CVE-2017-5659 + RESERVED +CVE-2017-5658 + RESERVED +CVE-2017-5657 + RESERVED +CVE-2017-5656 + RESERVED +CVE-2017-5655 + RESERVED +CVE-2017-5654 + RESERVED +CVE-2017-5653 + RESERVED +CVE-2017-5652 + RESERVED +CVE-2017-5651 + RESERVED +CVE-2017-5650 + RESERVED +CVE-2017-5649 + RESERVED +CVE-2017-5648 + RESERVED +CVE-2017-5647 + RESERVED +CVE-2017-5646 + RESERVED +CVE-2017-5645 + RESERVED +CVE-2017-5644 + RESERVED +CVE-2017-5643 + RESERVED +CVE-2017-5642 + RESERVED +CVE-2017-5641 + RESERVED +CVE-2017-5640 + RESERVED +CVE-2017-5639 + RESERVED +CVE-2017-5638 + RESERVED +CVE-2017-5637 + RESERVED +CVE-2017-5636 + RESERVED +CVE-2017-5635 + RESERVED +CVE-2017-5634 + RESERVED +CVE-2017-5633 + RESERVED +CVE-2017-5632 (An issue was discovered on the ASUS RT-N56U Wireless Router with ...) + TODO: check +CVE-2017-5631 + RESERVED +CVE-2017-5630 + RESERVED +CVE-2017-5629 + RESERVED +CVE-2017-5626 + RESERVED +CVE-2017-5625 + RESERVED +CVE-2017-5624 + RESERVED +CVE-2017-5623 + RESERVED +CVE-2017-5622 + RESERVED +CVE-2017-5621 + RESERVED +CVE-2017-5620 + RESERVED +CVE-2017-5619 + RESERVED +CVE-2017-5609 (SQL injection vulnerability in include/functions_entries.inc.php in ...) + TODO: check +CVE-2017-5607 + RESERVED +CVE-2017-5606 + RESERVED +CVE-2017-5605 + RESERVED +CVE-2017-5604 + RESERVED +CVE-2017-5603 + RESERVED +CVE-2017-5602 + RESERVED +CVE-2017-5601 (An error in the lha_read_file_header_1() function ...) + TODO: check +CVE-2016-10186 (An issue was discovered on the D-Link DWR-932B router. ...) + TODO: check +CVE-2016-10185 (An issue was discovered on the D-Link DWR-932B router. A secure_mode=no ...) + TODO: check +CVE-2016-10184 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows ...) + TODO: check +CVE-2016-10183 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows ...) + TODO: check +CVE-2016-10182 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows ...) + TODO: check +CVE-2016-10181 (An issue was discovered on the D-Link DWR-932B router. qmiweb provides ...) + TODO: check +CVE-2016-10180 (An issue was discovered on the D-Link DWR-932B router. WPS PIN ...) + TODO: check +CVE-2016-10179 (An issue was discovered on the D-Link DWR-932B router. There is a ...) + TODO: check +CVE-2016-10178 (An issue was discovered on the D-Link DWR-932B router. HELODBG on port ...) + TODO: check +CVE-2016-10177 (An issue was discovered on the D-Link DWR-932B router. Undocumented ...) + TODO: check +CVE-2016-10176 (The NETGEAR WNR2000v5 router allows an administrator to perform ...) + TODO: check +CVE-2016-10175 (The NETGEAR WNR2000v5 router leaks its serial number when performing a ...) + TODO: check +CVE-2016-10174 (The NETGEAR WNR2000v5 router contains a buffer overflow in the ...) + TODO: check +CVE-2004-2778 + RESERVED CVE-2017- [sd: sdhci OOB access during multi block SDMA transfer] - qemu - qemu-kvm @@ -48,15 +180,16 @@ NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160 NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/27/7 -CVE-2017-5628 +CVE-2017-5628 (An issue was discovered in Artifex Software, Inc. MuJS before ...) NOT-FOR-US: MuJS -CVE-2017-5627 +CVE-2017-5627 (An issue was discovered in Artifex Software, Inc. MuJS before ...) NOT-FOR-US: MuJS CVE-2017-5617 [SSRF issue] + RESERVED - svgsalamander (bug #853134) NOTE: https://github.com/blackears/svgSalamander/issues/11 NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/3 -CVE-2017-5608 +CVE-2017-5608 (Cross-site scripting (XSS) vulnerability in the image upload function ...) - piwigo CVE-2017-5600 RESERVED @@ -64,15 +197,15 @@ NOT-FOR-US: eClinicalWorks CVE-2017-5598 (An issue was discovered in eClinicalWorks healow@work 8.0 build 8. This ...) NOT-FOR-US: eClinicalWorks -CVE-2017-5612 [XSS in the posts list table]
[Secure-testing-commits] r48575 - data
Author: carnil Date: 2017-01-30 20:51:10 + (Mon, 30 Jan 2017) New Revision: 48575 Modified: data/dsa-needed.txt Log: Add ruby-archive-tar-minitar Note: the fix is easy, and I did already ruby-minitar for unstable. But I will wait a bit to see if any report is raised on the SuSE patch. I do not expect any problem, as the patch is easy and emulates was as well gnu tar would do. Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-30 20:38:46 UTC (rev 48574) +++ data/dsa-needed.txt 2017-01-30 20:51:10 UTC (rev 48575) @@ -50,6 +50,10 @@ qemu Maintainer asked to prepare updates -- +ruby-archive-tar-minitar (carnil) + NOTE: will wait a bit before fix migrates to testing and to see +if any report is raised +-- spip -- wordpress (seb) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48573 - data/CVE
Author: carnil Date: 2017-01-30 20:32:45 + (Mon, 30 Jan 2017) New Revision: 48573 Modified: data/CVE/list Log: Update information for CVE-2016-8867 according to Tianon GraviModified: data/CVE/list === --- data/CVE/list 2017-01-30 20:27:58 UTC (rev 48572) +++ data/CVE/list 2017-01-30 20:32:45 UTC (rev 48573) @@ -15773,11 +15773,13 @@ RESERVED CVE-2016-8867 (Docker Engine 1.12.2 enabled ambient capabilities with misconfigured ...) - docker.io - - runc (bug #853240) + - runc ("ambient capabilities" introduced later, cf bug #853240) NOTE: https://github.com/docker/docker/issues/27590 NOTE: docker: https://github.com/docker/docker/pull/27610/commits/d60a3418d0268745dff38947bc8c929fbd24f837 (1.12.3) NOTE: runc: https://github.com/opencontainers/runc/commit/a83f5bac28554fa0fd49bc1559a3c79f5907348f NOTE: docker.io not directly affected but will need to be updated to include new runc version + NOTE: runc: "ambient capabilities" functionality added upstream with https://github.com/opencontainers/runc/pull/1086 + NOTE: and later changes. CVE-2016-8865 RESERVED CVE-2016-8864 (named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48570 - data/CVE
Author: carnil Date: 2017-01-30 20:17:44 + (Mon, 30 Jan 2017) New Revision: 48570 Modified: data/CVE/list Log: Add tag information for bitlbee issues Modified: data/CVE/list === --- data/CVE/list 2017-01-30 20:15:30 UTC (rev 48569) +++ data/CVE/list 2017-01-30 20:17:44 UTC (rev 48570) @@ -1,17 +1,17 @@ CVE-2017- [Incomplete fix for "Null pointer dereference with file transfer request from unknown contacts"] - bitlbee NOTE: https://bugs.bitlbee.org/ticket/1282 - NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 + NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 (3.5.1) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/4 CVE-2017- [Null pointer dereference with file transfer request from unknown contacts] - bitlbee 3.5-1 NOTE: https://bugs.bitlbee.org/ticket/1282 - NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f + NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f (3.5) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/4 CVE-2017- [bitlbee-libpurple: Use after free when expiring file transfer requests] - bitlbee 3.5-1 NOTE: https://bugs.bitlbee.org/ticket/1281 - NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2 + NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2 (3.5) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/4 CVE-2017- [Incomplete fix for CVE-2017-5180] - firejail 0.9.44.6-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48569 - data/CVE
Author: carnil Date: 2017-01-30 20:15:30 + (Mon, 30 Jan 2017) New Revision: 48569 Modified: data/CVE/list Log: Add three bitlbee issues Modified: data/CVE/list === --- data/CVE/list 2017-01-30 20:06:29 UTC (rev 48568) +++ data/CVE/list 2017-01-30 20:15:30 UTC (rev 48569) @@ -1,3 +1,18 @@ +CVE-2017- [Incomplete fix for "Null pointer dereference with file transfer request from unknown contacts"] + - bitlbee + NOTE: https://bugs.bitlbee.org/ticket/1282 + NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/4 +CVE-2017- [Null pointer dereference with file transfer request from unknown contacts] + - bitlbee 3.5-1 + NOTE: https://bugs.bitlbee.org/ticket/1282 + NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/4 +CVE-2017- [bitlbee-libpurple: Use after free when expiring file transfer requests] + - bitlbee 3.5-1 + NOTE: https://bugs.bitlbee.org/ticket/1281 + NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/30/4 CVE-2017- [Incomplete fix for CVE-2017-5180] - firejail 0.9.44.6-1 NOTE: Changelog mentions the new fix for CVE-2017-5180 in RELNOTES for 0.9.44.6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48568 - data/CVE
Author: rbalint Date: 2017-01-30 20:06:29 + (Mon, 30 Jan 2017) New Revision: 48568 Modified: data/CVE/list Log: Add bug reference for ruby-archive-tar-minitar issue, #853249 Modified: data/CVE/list === --- data/CVE/list 2017-01-30 19:16:33 UTC (rev 48567) +++ data/CVE/list 2017-01-30 20:06:29 UTC (rev 48568) @@ -71,7 +71,7 @@ RESERVED CVE-2016-10173 [directory traversal vulnerability] - ruby-minitar 0.5.4-3.1 (bug #853075) - - ruby-archive-tar-minitar + - ruby-archive-tar-minitar (bug #853249) NOTE: https://github.com/halostatue/minitar/issues/16 NOTE: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4 NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48566 - data/CVE
Author: alteholz Date: 2017-01-30 19:05:33 + (Mon, 30 Jan 2017) New Revision: 48566 Modified: data/CVE/list Log: add bug number Modified: data/CVE/list === --- data/CVE/list 2017-01-30 18:57:10 UTC (rev 48565) +++ data/CVE/list 2017-01-30 19:05:33 UTC (rev 48566) @@ -15752,7 +15752,7 @@ RESERVED CVE-2016-8867 (Docker Engine 1.12.2 enabled ambient capabilities with misconfigured ...) - docker.io - - runc + - runc (bug #853240) NOTE: https://github.com/docker/docker/issues/27590 NOTE: docker: https://github.com/docker/docker/pull/27610/commits/d60a3418d0268745dff38947bc8c929fbd24f837 (1.12.3) NOTE: runc: https://github.com/opencontainers/runc/commit/a83f5bac28554fa0fd49bc1559a3c79f5907348f ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48565 - data/CVE
Author: carnil Date: 2017-01-30 18:57:10 + (Mon, 30 Jan 2017) New Revision: 48565 Modified: data/CVE/list Log: Add bug reference for libphp-phpmailer issue, #853232 Modified: data/CVE/list === --- data/CVE/list 2017-01-30 18:56:16 UTC (rev 48564) +++ data/CVE/list 2017-01-30 18:57:10 UTC (rev 48565) @@ -1335,7 +1335,7 @@ CVE-2017-5224 RESERVED CVE-2017-5223 (An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML ...) - - libphp-phpmailer + - libphp-phpmailer (bug #853232) NOTE: Fixed by: https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402 (v5.2.22) NOTE: http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/ CVE-2017-5222 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48564 - data/CVE
Author: carnil Date: 2017-01-30 18:56:16 + (Mon, 30 Jan 2017) New Revision: 48564 Modified: data/CVE/list Log: Add references for CVE-2017-5223 Modified: data/CVE/list === --- data/CVE/list 2017-01-30 18:52:20 UTC (rev 48563) +++ data/CVE/list 2017-01-30 18:56:16 UTC (rev 48564) @@ -1336,6 +1336,8 @@ RESERVED CVE-2017-5223 (An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML ...) - libphp-phpmailer + NOTE: Fixed by: https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402 (v5.2.22) + NOTE: http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/ CVE-2017-5222 RESERVED CVE-2017-5221 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48563 - data/CVE
Author: carnil Date: 2017-01-30 18:52:20 + (Mon, 30 Jan 2017) New Revision: 48563 Modified: data/CVE/list Log: Add CVE-2017-5608 Modified: data/CVE/list === --- data/CVE/list 2017-01-30 18:39:27 UTC (rev 48562) +++ data/CVE/list 2017-01-30 18:52:20 UTC (rev 48563) @@ -35,6 +35,8 @@ - svgsalamander (bug #853134) NOTE: https://github.com/blackears/svgSalamander/issues/11 NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/3 +CVE-2017-5608 + - piwigo CVE-2017-5600 RESERVED CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48562 - data
Author: rbalint Date: 2017-01-30 18:39:27 + (Mon, 30 Jan 2017) New Revision: 48562 Modified: data/dla-needed.txt Log: Claim glassfish and ruby-archive-tar-minitar for DLA Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-30 18:32:21 UTC (rev 48561) +++ data/dla-needed.txt 2017-01-30 18:39:27 UTC (rev 48562) @@ -21,7 +21,7 @@ NOTE: In particular, it seems likely that there are more undocumented but NOTE: public security issues in Calibre. See for example bug #853004. -- -glassfish +glassfish (Balint Reczey) NOTE: Needs further triaging as there is very little information on many of NOTE: the issues. However one of them looks like a major problem so the NOTE: package needs a DLA. @@ -91,7 +91,7 @@ NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not NOTE: a bug (see #843861). -- -ruby-archive-tar-minitar +ruby-archive-tar-minitar (Balint Reczey) NOTE: Vulnerable code is in lib/archive/tar/minitar/command.rb -- slurm-llnl ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48560 - data/CVE
Author: jmm Date: 2017-01-30 17:41:41 + (Mon, 30 Jan 2017) New Revision: 48560 Modified: data/CVE/list Log: NFUs some ITPs for ox Modified: data/CVE/list === --- data/CVE/list 2017-01-30 17:30:41 UTC (rev 48559) +++ data/CVE/list 2017-01-30 17:41:41 UTC (rev 48560) @@ -56,7 +56,7 @@ CVE-2017-5595 RESERVED CVE-2017-5594 (An issue was discovered in Pagekit CMS before 1.0.11. In this ...) - TODO: check + NOT-FOR-US: Pagekit CMS CVE-2017-5593 RESERVED CVE-2017-5592 @@ -6021,123 +6021,123 @@ CVE-2017-3393 RESERVED CVE-2017-3392 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3391 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3390 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3389 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3388 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3387 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) NOT-FOR-US: Oracle CVE-2017-3386 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3385 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3384 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3383 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3382 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3381 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3380 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3379 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3378 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3377 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3376 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3375 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3374 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3373 (Vulnerability in the Oracle Advanced Outbound Telephony component of ...) NOT-FOR-US: Oracle CVE-2017-3372 (Vulnerability in the Oracle Interaction Blending component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3371 (Vulnerability in the Oracle iSupport component of Oracle E-Business ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3370 (Vulnerability in the Oracle iSupport component of Oracle E-Business ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3369 (Vulnerability in the Oracle iSupport component of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-3368 (Vulnerability in the Oracle iStore component of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-3367 (Vulnerability in the Oracle Knowledge Management component of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3366 (Vulnerability in the Oracle Knowledge Management component of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3365 (Vulnerability in the Oracle Knowledge Management component of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3364 (Vulnerability in the Oracle Knowledge Management component of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3363 (Vulnerability in the Oracle Knowledge Management component of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-3362 (Vulnerability in the Oracle Knowledge Management component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3361 (Vulnerability in the Oracle Installed Base component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3360 (Vulnerability in the Oracle Customer Intelligence component of Oracle ...)
[Secure-testing-commits] r48559 - data
Author: agx Date: 2017-01-30 17:30:41 + (Mon, 30 Jan 2017) New Revision: 48559 Modified: data/dla-needed.txt Log: lts: triage icedove Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-30 16:38:15 UTC (rev 48558) +++ data/dla-needed.txt 2017-01-30 17:30:41 UTC (rev 48559) @@ -33,6 +33,10 @@ NOTE: Subject of announce mail also contained typo (DLA-574-1 vs. DLA-547-1) NOTE: update available for testing in: https://lists.debian.org/87inpe4wgu@curie.anarc.at -- +icedove + NOTE: maintainer currenlty planx to rename to thunderbird with the next + NOTE: upstream version (#851989). Jessie / Wheezy should do the same. +-- ikiwiki NOTE: CVE-2016-9646, CVE-2016-10026 were minor but CVE-2017-0356 is rather bad NOTE: maintainer has prepared a backport, LTS team please test/release ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48554 - data/CVE
Author: carnil Date: 2017-01-30 16:15:16 + (Mon, 30 Jan 2017) New Revision: 48554 Modified: data/CVE/list Log: Add two more NFUs Modified: data/CVE/list === --- data/CVE/list 2017-01-30 13:49:05 UTC (rev 48553) +++ data/CVE/list 2017-01-30 16:15:16 UTC (rev 48554) @@ -27,6 +27,10 @@ NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160 NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/27/7 +CVE-2017-5628 + NOT-FOR-US: MuJS +CVE-2017-5627 + NOT-FOR-US: MuJS CVE-2017-5617 [SSRF issue] - svgsalamander (bug #853134) NOTE: https://github.com/blackears/svgSalamander/issues/11 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48553 - data/DLA
Author: hertzog Date: 2017-01-30 13:49:05 + (Mon, 30 Jan 2017) New Revision: 48553 Modified: data/DLA/list Log: DLA-610-2 for tiff3 regression in wheezy-security Modified: data/DLA/list === --- data/DLA/list 2017-01-30 10:43:45 UTC (rev 48552) +++ data/DLA/list 2017-01-30 13:49:05 UTC (rev 48553) @@ -1,3 +1,5 @@ +[30 Jan 2017] DLA-610-2 tiff3 - regression update + [wheezy] - tiff3 3.9.6-11+deb7u3 [30 Jan 2017] DLA-807-1 imagemagick - security update {CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511} [wheezy] - imagemagick 8:6.7.7.10-5+deb7u11 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48552 - data
Author: alteholz Date: 2017-01-30 10:43:45 + (Mon, 30 Jan 2017) New Revision: 48552 Modified: data/dla-needed.txt Log: jasper notes Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-30 10:29:52 UTC (rev 48551) +++ data/dla-needed.txt 2017-01-30 10:43:45 UTC (rev 48552) @@ -39,7 +39,7 @@ NOTE: https://lists.debian.org/debian-lts/2017/01/msg00059.html -- jasper (Thorsten Alteholz) - NOTE: not really clear what CVEs need to be fixed + NOTE: no upstream fixes yet -- jbig2dec (Raphaël Hertzog) NOTE: No known solution as of 2017-01-20. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48551 - in data: . CVE
Author: rbalint Date: 2017-01-30 10:29:52 + (Mon, 30 Jan 2017) New Revision: 48551 Modified: data/CVE/list data/dla-needed.txt Log: Current wireshark CVE-s can wait in wheezy, too Modified: data/CVE/list === --- data/CVE/list 2017-01-30 09:19:40 UTC (rev 48550) +++ data/CVE/list 2017-01-30 10:29:52 UTC (rev 48551) @@ -150,11 +150,13 @@ CVE-2017-5597 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector ...) - wireshark 2.2.4+gcc3dc1b-1 [jessie] - wireshark (Can be fixed along with the next round of Wireshark vulnerabilities) + [wheezy] - wireshark (Can be fixed along with the next round of Wireshark vulnerabilities) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-02.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13345 CVE-2017-5596 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector ...) - wireshark 2.2.4+gcc3dc1b-1 [jessie] - wireshark (Can be fixed along with the next round of Wireshark vulnerabilities) + [wheezy] - wireshark (Can be fixed along with the next round of Wireshark vulnerabilities) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-01.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13344 CVE-2017- [phpMyAdmin PMASA-2017-1 - PMASA-2017-7] Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-30 09:19:40 UTC (rev 48550) +++ data/dla-needed.txt 2017-01-30 10:29:52 UTC (rev 48551) @@ -112,8 +112,6 @@ NOTE: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#diff-bc1807cb462afb05056502f77834c6ebR291 NOTE: is missing in the wheezy version -- -wireshark (Balint Reczey) --- wordpress (Markus Koschany) -- xen ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48550 - data/CVE
Author: carnil Date: 2017-01-30 09:19:40 + (Mon, 30 Jan 2017) New Revision: 48550 Modified: data/CVE/list Log: Add fixing version for CVE-2016-10173/ruby-minitar Modified: data/CVE/list === --- data/CVE/list 2017-01-30 09:10:15 UTC (rev 48549) +++ data/CVE/list 2017-01-30 09:19:40 UTC (rev 48550) @@ -64,7 +64,7 @@ CVE-2017-5589 RESERVED CVE-2016-10173 [directory traversal vulnerability] - - ruby-minitar + - ruby-minitar 0.5.4-3.1 (bug #853075) - ruby-archive-tar-minitar NOTE: https://github.com/halostatue/minitar/issues/16 NOTE: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48549 - data/CVE
Author: sectracker Date: 2017-01-30 09:10:15 + (Mon, 30 Jan 2017) New Revision: 48549 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-01-30 07:26:15 UTC (rev 48548) +++ data/CVE/list 2017-01-30 09:10:15 UTC (rev 48549) @@ -945,22 +945,26 @@ NOTE: https://github.com/mdadams/jasper/issues/62 CVE-2017-5506 [double free in profile] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851383) NOTE: https://github.com/ImageMagick/ImageMagick/issues/354 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5507 [memory leak in MPC file handling] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851382) NOTE: https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5508 [Crash - PushQuantumPixel - Heap-Buffer-Overflow (TIFF)] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851381) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=31161 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/379e21cd32483df6e128147af3bc4ce1f82eb9c4 CVE-2016-10146 [memory leak in caption and label handling] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.0+dfsg-2 (bug #851380) NOTE: https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1db456 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 @@ -978,21 +982,25 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5510 [memory corruption heap overflow, psb file related, another one] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851376) NOTE: https://github.com/ImageMagick/ImageMagick/issues/348 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5511 [memory corruption heap overflow, psb file related] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851374) NOTE: https://github.com/ImageMagick/ImageMagick/issues/347 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2016-10144 [ipl file missing malloc check] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851485) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/97566cf2806c0a5a86e884c96831a0c3b1ec6c20 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2016-10145 [wpg file off by one] RESERVED + {DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851483) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits