[Secure-testing-commits] r48789 - data/CVE

2017-02-08 Thread Sebastien Delafond
Author: seb
Date: 2017-02-09 05:59:24 + (Thu, 09 Feb 2017)
New Revision: 48789

Modified:
   data/CVE/list
Log:
CVE-2017-5938 was assigned to XSS in viewc

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-09 05:43:46 UTC (rev 48788)
+++ data/CVE/list   2017-02-09 05:59:24 UTC (rev 48789)
@@ -154,7 +154,7 @@
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1023012
 CVE-2016-10200
RESERVED
-CVE-2017- [viewc Cross-Site Scripting (XSS) vulnerability]
+CVE-2017-5938 [viewc Cross-Site Scripting (XSS) vulnerability]
- viewc 
NOTE: CVE request at 
http://www.openwall.com/lists/oss-security/2017/02/08/7
NOTE: 
https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r48788 - data/CVE

2017-02-08 Thread Paul Wise
Author: pabs
Date: 2017-02-09 05:43:46 + (Thu, 09 Feb 2017)
New Revision: 48788

Modified:
   data/CVE/list
Log:
CVE-2016-9244 (Ticketbleed): NFU: proprietary F5 TLS stack

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-09 04:59:58 UTC (rev 48787)
+++ data/CVE/list   2017-02-09 05:43:46 UTC (rev 48788)
@@ -15828,6 +15828,8 @@
RESERVED
 CVE-2016-9244
RESERVED
+   NOT-FOR-US: F5 TLS stack
+   NOTE: https://ticketbleed.com/
 CVE-2016-9243 [HKDF might return an empty byte-string]
RESERVED
- python-cryptography 1.5.3-1




[Secure-testing-commits] r48787 - data/CVE

2017-02-08 Thread Paul Wise
Author: pabs
Date: 2017-02-09 04:59:58 + (Thu, 09 Feb 2017)
New Revision: 48787

Modified:
   data/CVE/list
Log:
CVE-2016-6271 is from src:bzrtp and has an upstream patch

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-09 01:41:32 UTC (rev 48786)
+++ data/CVE/list   2017-02-09 04:59:58 UTC (rev 48787)
@@ -25366,7 +25366,8 @@
NOTE: 
http://git.php.net/?p=php-src.git;a=commit;h=0218acb7e756a469099c4ccfb22bce6c2bd1ef87
NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38
 CVE-2016-6271 (The Bzrtp library (aka libbzrtp) 1.0.x before 1.0.4 allows ...)
-   TODO: check
+   - bzrtp 
+   NOTE: Fixed by: 
https://github.com/BelledonneCommunications/bzrtp/commit/bbb1e6e2f467ee4bd7b9a8c800e4f07343d7d99b
 CVE-2016-6270 (The handle_certificate function in ...)
NOT-FOR-US: Trend Micro
 CVE-2016-6269 (Multiple directory traversal vulnerabilities in Trend Micro 
Smart ...)




[Secure-testing-commits] r48786 - in data: . DSA

2017-02-08 Thread Luciano Bello
Author: luciano
Date: 2017-02-09 01:41:32 + (Thu, 09 Feb 2017)
New Revision: 48786

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
php5 DSA

Modified: data/DSA/list
===
--- data/DSA/list   2017-02-09 01:33:50 UTC (rev 48785)
+++ data/DSA/list   2017-02-09 01:41:32 UTC (rev 48786)
@@ -1,3 +1,6 @@
+[08 Feb 2017] DSA-3783-1 php5 - security update
+   {CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161}
+   [jessie] - php5 5.6.30+dfsg-0+deb8u1
 [08 Feb 2017] DSA-3782-1 openjdk-7 - security update
{CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 
CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3260 CVE-2017-3261 
CVE-2017-3272 CVE-2017-3289}
[jessie] - openjdk-7 7u121-2.6.8-2~deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-02-09 01:33:50 UTC (rev 48785)
+++ data/dsa-needed.txt 2017-02-09 01:41:32 UTC (rev 48786)
@@ -30,10 +30,6 @@
 linux
   wait until more issues have piled up
 --
-php5 (luciano)
-  Maintainer proposed debdiff, which needs review and ack
-  (Missing Closes for open bugs)
---
 phpmyadmin
 --
 qemu
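Review bot: The removed `php5 (luciano)` block in data/dsa-needed.txt carried the remark `(Missing Closes for open bugs)`, and nothing in this commit says whether that was resolved before DSA-3783-1 was recorded. If the open bugs were closed in the upload, the log message should say so; if not, they need tracking somewhere else now that this reminder is gone.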




[Secure-testing-commits] r48785 - data/CVE

2017-02-08 Thread Luciano Bello
Author: luciano
Date: 2017-02-09 01:33:50 + (Thu, 09 Feb 2017)
New Revision: 48785

Modified:
   data/CVE/list
Log:
CVE-2016-10167 and CVE-2016-10168

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-09 01:00:32 UTC (rev 48784)
+++ data/CVE/list   2017-02-09 01:33:50 UTC (rev 48785)
@@ -1095,6 +1095,7 @@
- php7.1 7.1.1-1 (unimportant)
- php7.0 7.0.15-1 (unimportant)
- php5  (unimportant)
+   [jessie] - php5  (embedded gd2 library not used)
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73868
NOTE: Fixed in PHP 7.1.1, 7.0.15, 5.6.30
- libgd2 2.2.4-1
@@ -1106,6 +1107,7 @@
- php7.1 7.1.1-1 (unimportant)
- php7.0 7.0.15-1 (unimportant)
- php5  (unimportant)
+   [jessie] - php5  (embedded gd2 library not used)
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73869
NOTE: Fixed in PHP 7.1.1, 7.0.15, 5.6.30
- libgd2 2.2.4-1




[Secure-testing-commits] r48784 - data/CVE

2017-02-08 Thread Luciano Bello
Author: luciano
Date: 2017-02-09 01:00:32 + (Thu, 09 Feb 2017)
New Revision: 48784

Modified:
   data/CVE/list
Log:
CVE-2017-0381

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 22:36:17 UTC (rev 48783)
+++ data/CVE/list   2017-02-09 01:00:32 UTC (rev 48784)
@@ -13801,6 +13801,7 @@
- opus 1.2~alpha2-1 (bug #851612)
[jessie] - opus  (Minor issue, 
https://bugs.debian.org/851612#10)
NOTE: Fixed by: 
https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409 
(v1.2-alpha)
+   NOTE: https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b
 CVE-2016-9804 (In BlueZ 5.42, a buffer overflow was observed in 
"commands_dump" ...)
- bluez  (bug #847837)
[jessie] - bluez  (Minor issue)
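Review bot: The added `NOTE: https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b` line has no label and uses an abbreviated hash, whereas the NOTE directly above it is labelled `Fixed by:`, gives the full commit id and names the release `(v1.2-alpha)`. Suggest stating what this second commit is relative to the first (the same fix in the other repository, a follow-up, or the introducing change) and using the full hash so the reference stays unambiguous.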




[Secure-testing-commits] r48783 - data/CVE

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 22:36:17 + (Wed, 08 Feb 2017)
New Revision: 48783

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 21:49:37 UTC (rev 48782)
+++ data/CVE/list   2017-02-08 22:36:17 UTC (rev 48783)
@@ -3,11 +3,11 @@
 CVE-2017-5934
RESERVED
 CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 
65.11, ...)
-   TODO: check
+   NOT-FOR-US: Citrix
 CVE-2016-10213 (A10 AX1030 and possibly other devices with software before 
2.7.2-P8 ...)
-   TODO: check
+   NOT-FOR-US: A10
 CVE-2016-10212 (Radware devices use the same value for the first two GCM 
nonces, which ...)
-   TODO: check
+   NOT-FOR-US: Radware devices
 CVE-2017-5932 [code execution in autocompletion]
RESERVED
- bash 4.4-3
@@ -12159,9 +12159,9 @@
 CVE-2017-1129
RESERVED
 CVE-2017-1128 (IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1127 (IBM Rational DOORS Next Generation 4.0, 5.0 and 6.0 is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1126
RESERVED
 CVE-2017-1125
@@ -12672,7 +12672,7 @@
 CVE-2016-9749
RESERVED
 CVE-2016-9748 (IBM Rational DOORS Next Generation 5.0 and 6.0 discloses 
sensitive ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2016-9747
RESERVED
 CVE-2016-9746
@@ -13656,59 +13656,59 @@
 CVE-2017-0452
RESERVED
 CVE-2017-0451 (An information disclosure vulnerability in the Qualcomm sound 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0450 (An elevation of privilege vulnerability in Audioserver could 
enable a ...)
-   TODO: check
+   NOT-FOR-US: Android Audioserver
 CVE-2017-0449 (An elevation of privilege vulnerability in the Broadcom Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Broadcom driver for Android
 CVE-2017-0448 (An information disclosure vulnerability in the NVIDIA video 
driver ...)
-   TODO: check
+   NOT-FOR-US: NVIDIA driver for Android
 CVE-2017-0447 (An elevation of privilege vulnerability in the HTC touchscreen 
driver ...)
-   TODO: check
+   NOT-FOR-US: HTC driver for Android
 CVE-2017-0446 (An elevation of privilege vulnerability in the HTC touchscreen 
driver ...)
-   TODO: check
+   NOT-FOR-US: HTC driver for Android
 CVE-2017-0445 (An elevation of privilege vulnerability in the HTC touchscreen 
driver ...)
-   TODO: check
+   NOT-FOR-US: HTC driver for Android
 CVE-2017-0444 (An elevation of privilege vulnerability in the Realtek sound 
driver ...)
TODO: check
 CVE-2017-0443 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0442 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0441 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0440 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0439 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0438 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0437 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0436 (An elevation of privilege vulnerability in the Qualcomm sound 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0435 (An elevation of privilege vulnerability in the Qualcomm sound 
driver ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2017-0434 (An elevation of privilege vulnerability in the Synaptics 
touchscreen ...)
-   TODO: check
+   NOT-FOR-US: Synaptics driver for Android
 CVE-2017-0433 (An elevation of privilege vulnerability in the Synaptics 
touchscreen ...)
-   TODO: check
+   NOT-FOR-US: Synaptics driver for Android
 CVE-2017-0432 (An elevation of privilege vulnerability in the MediaTek driver 
could ...)
TODO: check
 CVE-2017-0431
RESERVED
 CVE-2017-0430 (An elevation of privilege vulnerability in the Broadcom Wi-Fi 
driver ...)
-   TODO: check
+   NOT-FOR-US: Broadcom driver for Android
 CVE-2017-0429 (An elevation of privilege vulnerability in the NVIDIA GPU 
driver could ...)
-   TODO: check
+   NOT-FOR-US: NVIDIA driver for Android
 CVE-2017-0428 (An eleva
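Review bot: In the `@@ -13656,59 +13656,59 @@` block, CVE-2017-0444 (Realtek sound driver) and CVE-2017-0432 (MediaTek driver) stay at `TODO: check` as unchanged context while every other Android driver entry around them is switched to NOT-FOR-US. If they were left open on purpose, a short NOTE giving the reason would stop the next triager from marking them NFU by pattern; if it was an oversight, they can be handled with the rest.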

[Secure-testing-commits] r48782 - data

2017-02-08 Thread Markus Koschany
Author: apo
Date: 2017-02-08 21:49:37 + (Wed, 08 Feb 2017)
New Revision: 48782

Modified:
   data/dla-needed.txt
Log:
Add php5 to dla-needed.txt

It is vulnerable to CVE-2016-7478


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-02-08 21:10:12 UTC (rev 48781)
+++ data/dla-needed.txt 2017-02-08 21:49:37 UTC (rev 48782)
@@ -84,6 +84,8 @@
 --
 openjdk-7 (Emilio Pozuelo)
 --
+php5
+--
 potrace (Hugo Lefeuvre)
   NOTE: Try to reproduce CVE-2016-8685/cherry pick the patch from Stretch.
   NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not
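Review bot: The added `php5` entry carries no NOTE, although the commit log gives the reason for adding it (vulnerable to CVE-2016-7478). Suggest putting that on a `NOTE:` line under `php5`, as the neighbouring potrace entry does for its CVEs, so that whoever claims the package sees why it is listed without reading the commit history.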




[Secure-testing-commits] r48781 - data/CVE

2017-02-08 Thread security tracker role
Author: sectracker
Date: 2017-02-08 21:10:12 + (Wed, 08 Feb 2017)
New Revision: 48781

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 19:51:10 UTC (rev 48780)
+++ data/CVE/list   2017-02-08 21:10:12 UTC (rev 48781)
@@ -1,3 +1,13 @@
+CVE-2017-5935
+   RESERVED
+CVE-2017-5934
+   RESERVED
+CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 
65.11, ...)
+   TODO: check
+CVE-2016-10213 (A10 AX1030 and possibly other devices with software before 
2.7.2-P8 ...)
+   TODO: check
+CVE-2016-10212 (Radware devices use the same value for the first two GCM 
nonces, which ...)
+   TODO: check
 CVE-2017-5932 [code execution in autocompletion]
RESERVED
- bash 4.4-3
@@ -7255,6 +7265,7 @@
[jessie] - virtualbox  (DSA-3699-1)
[wheezy] - virtualbox  (DSA 3454)
 CVE-2017-3289 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
@@ -7293,6 +7304,7 @@
- mysql-5.6 5.6.35-1 (bug #851234)
- mysql-5.5  (Only affects MySQL 5.6 and 5.7)
 CVE-2017-3272 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
@@ -7324,12 +7336,14 @@
 CVE-2017-3262 (Vulnerability in the Java SE component of Oracle Java SE ...)
- openjdk-8  (specific to Oracle Java)
 CVE-2017-3261 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
- openjdk-6 
[wheezy] - openjdk-6 
 CVE-2017-3260 (Vulnerability in the Java SE component of Oracle Java SE ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
@@ -7360,12 +7374,14 @@
 CVE-2017-3254
RESERVED
 CVE-2017-3253 (Vulnerability in the Java SE, Java SE Embedded, JRockit 
component of ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
- openjdk-6 
[wheezy] - openjdk-6 
 CVE-2017-3252 (Vulnerability in the Java SE, Java SE Embedded, JRockit 
component of ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
@@ -7404,6 +7420,7 @@
 CVE-2017-3242 (Vulnerability in the Oracle VM Server for Sparc component of 
Oracle ...)
NOT-FOR-US: Solaris
 CVE-2017-3241 (Vulnerability in the Java SE, Java SE Embedded, JRockit 
component of ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
@@ -7433,6 +7450,7 @@
 CVE-2017-3232
RESERVED
 CVE-2017-3231 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle ...)
+   {DSA-3782-1}
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
- openjdk-7 
@@ -8809,8 +8827,7 @@
NOT-FOR-US: EMC Network Configuration Manager
 CVE-2017-2766 (EMC Documentum eRoom version 7.4.4, EMC Documentum eRoom 
version 7.4.4 ...)
NOT-FOR-US: EMC Documentum eRoom
-CVE-2017-2765
-   RESERVED
+CVE-2017-2765 (EMC Isilon InsightIQ 4.1.0, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 
3.1.1, ...)
NOT-FOR-US: EMC Isilon InsightIQ
 CVE-2017-2764
RESERVED
@@ -12141,10 +12158,10 @@
RESERVED
 CVE-2017-1129
RESERVED
-CVE-2017-1128
-   RESERVED
-CVE-2017-1127
-   RESERVED
+CVE-2017-1128 (IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is 
vulnerable to ...)
+   TODO: check
+CVE-2017-1127 (IBM Rational DOORS Next Generation 4.0, 5.0 and 6.0 is 
vulnerable to ...)
+   TODO: check
 CVE-2017-1126
RESERVED
 CVE-2017-1125
@@ -12654,8 +12671,8 @@
RESERVED
 CVE-2016-9749
RESERVED
-CVE-2016-9748
-   RESERVED
+CVE-2016-9748 (IBM Rational DOORS Next Generation 5.0 and 6.0 discloses 
sensitive ...)
+   TODO: check
 CVE-2016-9747
RESERVED
 CVE-2016-9746
@@ -13638,100 +13655,100 @@
RESERVED
 CVE-2017-0452
RESERVED
-CVE-2017-0451
-   RESERVED
-CVE-2017-0450
-   RESERVED
-CVE-2017-0449
-   RESERVED
-CVE-2017-0448
-   RESERVED
-CVE-2017-0447
-   RESERVED
-CVE-2017-0446
-   RESERVED
-CVE-2017-0445
-   RESERVED
-CVE-2017-0444
-   RESERVED
-CVE-2017-0443
-   RESERVED
-CVE-2017-0442
-   RESERVED
-CVE-2017-0441
-   RESERVED
-CVE-2017-0440
-   RESERVED
-CVE-2017-0439
-   RESERVED
-CVE-2017-0438
-   RESERVED
-CVE-2017-0437
-   RESERVED
-CVE-2017-0436
-   RESERVED
-CVE-2017-0435
-   RESERVED
-CVE-2017-0434
-   RE

[Secure-testing-commits] r48780 - data/CVE

2017-02-08 Thread Sebastien Delafond
Author: seb
Date: 2017-02-08 19:51:10 + (Wed, 08 Feb 2017)
New Revision: 48780

Modified:
   data/CVE/list
Log:
Add link to CVE request for XSS in viewc

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 19:45:52 UTC (rev 48779)
+++ data/CVE/list   2017-02-08 19:51:10 UTC (rev 48780)
@@ -146,7 +146,7 @@
RESERVED
 CVE-2017- [viewc Cross-Site Scripting (XSS) vulnerability]
- viewc 
-   NOTE: CVE request pending
+   NOTE: CVE request at 
http://www.openwall.com/lists/oss-security/2017/02/08/7
NOTE: 
https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad
 CVE-2017- [openpyxl XML External Entity (XXE) vulnerability]
- openpyxl  (bug #854442)




[Secure-testing-commits] r48778 - data/CVE

2017-02-08 Thread Sebastien Delafond
Author: seb
Date: 2017-02-08 19:45:40 + (Wed, 08 Feb 2017)
New Revision: 48778

Modified:
   data/CVE/list
Log:
Add temporary entry for XSS in viewvc

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 18:46:09 UTC (rev 48777)
+++ data/CVE/list   2017-02-08 19:45:40 UTC (rev 48778)
@@ -144,6 +144,10 @@
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1023012
 CVE-2016-10200
RESERVED
+CVE-2017- [viewc Cross-Site Scripting (XSS) vulnerability]
+   - viewc 
+   NOTE: CVE request pending
+   NOTE: 
https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad
 CVE-2017- [openpyxl XML External Entity (XXE) vulnerability]
- openpyxl  (bug #854442)
NOTE: CVE request at 
http://www.openwall.com/lists/oss-security/2017/02/07/5
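Review bot: The added entry spells the package `viewc` in both the bracketed description and the `- viewc` package line, while the commit log says viewvc and the NOTE URL points at github.com/viewvc/viewvc. Suggest changing both to `viewvc` so the entry is matched to the intended source package.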




[Secure-testing-commits] r48779 - data/CVE

2017-02-08 Thread Sebastien Delafond
Author: seb
Date: 2017-02-08 19:45:52 + (Wed, 08 Feb 2017)
New Revision: 48779

Modified:
   data/CVE/list
Log:
Add link to upstream patch for XXE in openpyxl

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 19:45:40 UTC (rev 48778)
+++ data/CVE/list   2017-02-08 19:45:52 UTC (rev 48779)
@@ -151,6 +151,7 @@
 CVE-2017- [openpyxl XML External Entity (XXE) vulnerability]
- openpyxl  (bug #854442)
NOTE: CVE request at 
http://www.openwall.com/lists/oss-security/2017/02/07/5
+   NOTE: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
 CVE-2017- [gnome-keyring lives on after ssh session stops]
- gnome-keyring  (low; bug #395572)
[jessie] - gnome-keyring  (Minor issue)




[Secure-testing-commits] r48777 - data

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 18:46:09 + (Wed, 08 Feb 2017)
New Revision: 48777

Modified:
   data/dsa-needed.txt
Log:
take zabbix


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-02-08 18:22:23 UTC (rev 48776)
+++ data/dsa-needed.txt 2017-02-08 18:46:09 UTC (rev 48777)
@@ -43,5 +43,5 @@
 --
 xen
 --
-zabbix
+zabbix (jmm)
 --




[Secure-testing-commits] r48776 - data/CVE

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 18:22:23 + (Wed, 08 Feb 2017)
New Revision: 48776

Modified:
   data/CVE/list
Log:
bash fixed and n/a in oldstable/stable


Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 18:19:33 UTC (rev 48775)
+++ data/CVE/list   2017-02-08 18:22:23 UTC (rev 48776)
@@ -1,6 +1,8 @@
 CVE-2017-5932 [code execution in autocompletion]
RESERVED
-   - bash 
+   - bash 4.4-3
+   [jessie] - bash  (Introduced in 4.4)
+   [wheezy] - bash  (Introduced in 4.4)
NOTE: 
https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
NOTE: Fix 
http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715
 CVE-2017-5931




[Secure-testing-commits] r48775 - data/CVE

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 18:19:33 + (Wed, 08 Feb 2017)
New Revision: 48775

Modified:
   data/CVE/list
Log:
two linux issues


Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 18:15:56 UTC (rev 48774)
+++ data/CVE/list   2017-02-08 18:19:33 UTC (rev 48775)
@@ -5383,7 +5383,7 @@
 CVE-2016-10072 (** DISPUTED ** WampServer 3.0.6 has two files called 
'wampmanager.exe' ...)
NOT-FOR-US: WampServer
 CVE-2016-10044 (The aio_mount function in fs/aio.c in the Linux kernel before 
4.7.7 ...)
-   TODO: check
+   - linux 4.8.5-1
 CVE-2016-10043 (An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. 
The ...)
NOT-FOR-US: Radisys MRF Web Panel
 CVE-2016-10042
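Review bot: For CVE-2016-10044 the added `- linux 4.8.5-1` sits under a description that says the kernel is affected before 4.7.7, and no NOTE records the fixing commit or how that package version was arrived at. Suggest adding a `NOTE: Fixed by:` line with the upstream commit, which would also make it easier to settle the status of the stable and oldstable kernels.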
@@ -5415,7 +5415,7 @@
NOTE: 
https://github.com/zendframework/zendframework/commit/7c1e89815f5a9c016f4b8088e59b07cb2bf99dc0
NOTE: 
http://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
 CVE-2014-9914 (Race condition in the ip4_datagram_release_cb function in ...)
-   TODO: check
+   - linux 3.16.2-1
 CVE-2016-10045 (The isMail transport in PHPMailer before 5.2.20 might allow 
remote ...)
- libphp-phpmailer  (Incomplete fix not applied)
NOTE: 
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html




[Secure-testing-commits] r48774 - data/CVE

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 18:15:56 + (Wed, 08 Feb 2017)
New Revision: 48774

Modified:
   data/CVE/list
Log:
new php non-issue
NFUs
some android-specific Linux patches


Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 18:08:33 UTC (rev 48773)
+++ data/CVE/list   2017-02-08 18:15:56 UTC (rev 48774)
@@ -853,7 +853,9 @@
 CVE-2017-5631
RESERVED
 CVE-2017-5630 (PECL in the download utility class in the Installer in PEAR 
Base System ...)
-   TODO: check
+   - php5  (unimportant)
+   - php-pear  (unimportant)
+   NOTE: pear performs no kind of authentication/integrity checks for 
downloads, so an attacker can MITM freely anyway
 CVE-2017-5629
RESERVED
 CVE-2017-5626
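Review bot: The `(unimportant)` rating for CVE-2017-5630 rests on the added NOTE's claim that pear performs no authentication or integrity checks on downloads, which is a broader weakness than the CVE itself and is stated without a reference. Suggest linking a bug report or upstream statement for that claim, so the rating can be revisited if pear starts verifying downloads.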
@@ -14528,7 +14530,6 @@
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=67397
NOTE: Upstream patch: 
https://bugs.php.net/patch-display.php?bug_id=67397&patch=bug67397-patch&revision=latest
NOTE: PHP workaround for CVE-2014-9911 in icu
-   TODO: double-check first fixing version in unstable
 CVE-2016-4412 (An issue was discovered in phpMyAdmin. A user can be tricked 
into ...)
{DLA-757-1}
- phpmyadmin 4:4.1.7-1
@@ -22295,7 +22296,7 @@
NOTE: Fixed by: http://hg.moinmo.in/moin/1.9/rev/eceb70c41ecc
NOTE: 
https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
 CVE-2016-7147 (Cross-site scripting (XSS) vulnerability in the 
manage_findResult ...)
-   TODO: check
+   NOT-FOR-US: Plone
 CVE-2016-7146 (MoinMoin 1.9.8 allows remote attackers to conduct 
"JavaScript ...)
{DSA-3715-1 DLA-717-1}
- moin 1.9.9-1 (bug #844340)
@@ -23694,7 +23695,7 @@
 CVE-2016-6699 (A remote code execution vulnerability in libstagefright in 
Mediaserver ...)
NOT-FOR-US: libstagefright
 CVE-2016-6698 (An information disclosure vulnerability in Qualcomm components 
...)
-   TODO: check
+   NOT-FOR-US: Qualcomm driver for Android
 CVE-2016-6697
RESERVED
 CVE-2016-6696 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm 
QDSP6v2 ...)
@@ -23800,7 +23801,7 @@
 CVE-2016-6668 (The Atlassian Hipchat Integration Plugin for Bitbucket Server 
6.26.0 ...)
NOT-FOR-US: Atlassian Hipchat Integration Plugin for Bitbucket Server
 CVE-2016-6667 (NetApp OnCommand Unified Manager for Clustered Data ONTAP 6.3 
through ...)
-   TODO: check
+   NOT-FOR-US: NetApp
 CVE-2016-
RESERVED
 CVE-2016-6665
@@ -24575,7 +24576,7 @@
NOTE: Introduced by: 
https://git.kernel.org/linus/54dbc15172375641ef03399e8f911d7165eb90fb (v4.5-rc1)
NOTE: Fixed by: 
https://git.kernel.org/linus/10eec60ce79187686e052092e5383c99b4420a20
 CVE-2016-6495 (NetApp Data ONTAP before 8.2.4P5, when operating in 7-Mode, 
allows ...)
-   TODO: check
+   NOT-FOR-US: NetApp
 CVE-2016-6493 (Citrix XenApp 6.x before 6.5 HRP07 and 7.x before 7.9 and 
Citrix ...)
NOT-FOR-US: Citrix
 CVE-2016- [bruteforcable challenge responses in unprotected logfile]
@@ -24618,7 +24619,7 @@
 CVE-2016-6485
RESERVED
 CVE-2016-6484 (CRLF injection vulnerability in Infoblox Network Automation 
NetMRI ...)
-   TODO: check
+   NOT-FOR-US: Infoblox Network Automation NetMR
 CVE-2016-6513 (epan/dissectors/packet-wbxml.c in the WBXML dissector in 
Wireshark 2.x ...)
- wireshark 2.0.5+ga3be9c6-1
[jessie] - wireshark  (Only affects 2.x)
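Review bot: The added line `NOT-FOR-US: Infoblox Network Automation NetMR` cuts the product name short; the CVE description directly above it reads "Infoblox Network Automation NetMRI". Suggest `NOT-FOR-US: Infoblox Network Automation NetMRI`.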
@@ -24750,41 +24751,41 @@
 CVE-2016-6475
RESERVED
 CVE-2016-6474 (A vulnerability in the implementation of X.509 Version 3 for 
SSH ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6473 (A vulnerability in Cisco IOS on Catalyst Switches and Nexus 
9300 Series ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6472 (A vulnerability in several parameters of the ccmivr page of 
Cisco ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6471 (A vulnerability in the web-based management interface of Cisco 
...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6470 (A vulnerability in the installation procedure of the Cisco 
Hybrid Media ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6469 (A vulnerability in HTTP URL parsing of Cisco AsyncOS for Cisco 
Web ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6468 (A vulnerability in the web-based management interface of Cisco 
...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6467 (A vulnerability in IPv6 packet fragment reassembly of StarOS 
for Cisco ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6466 (A vulnerability in the IPsec component of StarOS for Cisco ASR 
5000 ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6465 (A vulnerability in the content filtering functionality of Cisco 
AsyncOS ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2016-6464 (A vulnerability in the web management interface of the Cisco 
Unified ...)
-   TODO: check
+   

[Secure-testing-commits] r48773 - in data: . DSA

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 18:08:33 + (Wed, 08 Feb 2017)
New Revision: 48773

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
openjdk-7 DSA


Modified: data/DSA/list
===
--- data/DSA/list   2017-02-08 16:27:16 UTC (rev 48772)
+++ data/DSA/list   2017-02-08 18:08:33 UTC (rev 48773)
@@ -1,3 +1,6 @@
+[08 Feb 2017] DSA-3782-1 openjdk-7 - security update
+   {CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 
CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3260 CVE-2017-3261 
CVE-2017-3272 CVE-2017-3289}
+   [jessie] - openjdk-7 7u121-2.6.8-2~deb8u1
 [05 Feb 2017] DSA-3781-1 svgsalamander - security update
{CVE-2017-5617}
[jessie] - svgsalamander 0~svn95-1+deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-02-08 16:27:16 UTC (rev 48772)
+++ data/dsa-needed.txt 2017-02-08 18:08:33 UTC (rev 48773)
@@ -30,8 +30,6 @@
 linux
   wait until more issues have piled up
 --
-openjdk-7 (jmm)
---
 php5 (luciano)
   Maintainer proposed debdiff, which needs review and ack
   (Missing Closes for open bugs)




[Secure-testing-commits] r48772 - data/CVE

2017-02-08 Thread Mattia Rizzolo
Author: mattia
Date: 2017-02-08 16:27:16 + (Wed, 08 Feb 2017)
New Revision: 48772

Modified:
   data/CVE/list
Log:
Update libpodofo CVEs status

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 15:10:48 UTC (rev 48771)
+++ data/CVE/list   2017-02-08 16:27:16 UTC (rev 48772)
@@ -194,9 +194,9 @@
NOTE: Introduced by: 
https://github.com/torvalds/linux/commit/952fc18ef9ec707ebdc16c0786ec360295e5ff15
 (3.6-rc1)
 CVE-2017-5886 [podofo: heap-based buffer overflow in 
PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)]
RESERVED
-   - libpodofo 
+   - libpodofo  (bug #854604)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp
-   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469
+   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/1623824.EtgW9yDooZ%40blackgate/#msg35644693
 CVE-2017-5877 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated 
attack ...)
NOT-FOR-US: dotCMS
 CVE-2017-5876 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated 
attack ...)
@@ -708,30 +708,36 @@
 CVE-2016-10194
RESERVED
NOT-FOR-US: festivaltts4r
+CVE-2017- [podofo: NULL pointer dereference in PdfInfo::GuessFormat 
(pdfinfo.cpp)]
+   - libpodofo  (bug #854605)
+   NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
+   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
+   NOTE: https://marc.info/?l=oss-security&m=148603648823037&w=2
 CVE-2015-8981 [Heap overflow in the function ReadXRefSubsection]
RESERVED
-   - libpodofo  (bug #854118)
+   - libpodofo 0.9.4-1 (bug #854599)
NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/
NOTE: https://sourceforge.net/p/podofo/code/1672
 CVE-2017-5855 [NULL pointer dereference in 
PoDoFo::PdfParser::ReadXRefSubsection]
RESERVED
-   - libpodofo  (bug #854118)
+   - libpodofo  (bug #854603)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
+   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5854 [NULL pointer dereference in PdfOutputStream.cpp]
RESERVED
-   - libpodofo  (bug #854118)
+   - libpodofo  (bug #854602)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
-   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469
+   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5853 [Signed integer overflow in PdfParser.cpp]
RESERVED
-   - libpodofo  (bug #854118)
+   - libpodofo  (bug #854601)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp
-   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469
+   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5852 [Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject]
RESERVED
-   - libpodofo  (bug #854118)
+   - libpodofo  (bug #854600)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp
-   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469
+   NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5849 [Out-of-Bound read and write issues in put1bitbwtile() and 
putgreytile()]
RESERVED
- netpbm-free  (vulnerable code not present)
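
Review bot: In the CVE-2017-5854, CVE-2017-5853 and CVE-2017-5852 entries the earlier podofo-users thread NOTE (#msg35646469) is deleted and replaced by the #msg35640936 link, whereas CVE-2017-5855 only gains the new link; if the removed thread contains separate discussion, keep it as a second NOTE instead of swapping it out. All four entries now point at the same message, so confirm that this one thread really covers each issue now that they are split from bug #854118 into #854600 to #854603.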




[Secure-testing-commits] r48771 - data/CVE

2017-02-08 Thread Henri Salo
Author: fgeek-guest
Date: 2017-02-08 15:10:48 + (Wed, 08 Feb 2017)
New Revision: 48771

Modified:
   data/CVE/list
Log:
CVE-2017-5932/bash

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 13:30:14 UTC (rev 48770)
+++ data/CVE/list   2017-02-08 15:10:48 UTC (rev 48771)
@@ -1,5 +1,8 @@
-CVE-2017-5932
+CVE-2017-5932 [code execution in autocompletion]
RESERVED
+   - bash 
+   NOTE: 
https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
+   NOTE: Fix 
http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715
 CVE-2017-5931
RESERVED
- qemu 
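
Review bot: The new CVE-2017-5932 entry records "- bash" without a Debian bug number, and its description and first NOTE speak of autocompletion and a bash_completion report, which reads as if a completion-scripts package could be affected. Since the fix NOTE points at bash.git, say in the entry that the affected code is in bash itself, and add the bug reference once one is filed. The free-form "NOTE: Fix" prefix is also inconsistent with the bare-URL NOTE lines elsewhere in the file; a fixed label such as "NOTE: Fixed by:" would make the fix commit easier to find.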




[Secure-testing-commits] r48770 - data/CVE

2017-02-08 Thread Henri Salo
Author: fgeek-guest
Date: 2017-02-08 13:30:14 + (Wed, 08 Feb 2017)
New Revision: 48770

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 10:25:49 UTC (rev 48769)
+++ data/CVE/list   2017-02-08 13:30:14 UTC (rev 48770)
@@ -8793,6 +8793,7 @@
NOT-FOR-US: EMC Documentum eRoom
 CVE-2017-2765
RESERVED
+   NOT-FOR-US: EMC Isilon InsightIQ
 CVE-2017-2764
RESERVED
 CVE-2017-2763
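
Review bot: The NOT-FOR-US line added under CVE-2017-2765 carries no reference for the product attribution while the id is still RESERVED, so the next reader cannot verify why it was assigned to EMC Isilon InsightIQ. A NOTE with the vendor advisory would close that gap, and the log message "NFU" would be more useful in history searches if it named the CVE and product.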




[Secure-testing-commits] r48769 - data/CVE

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 10:25:49 + (Wed, 08 Feb 2017)
New Revision: 48769

Modified:
   data/CVE/list
Log:
openjdk-7 n/a


Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 09:32:08 UTC (rev 48768)
+++ data/CVE/list   2017-02-08 10:25:49 UTC (rev 48769)
@@ -27803,8 +27803,7 @@
RESERVED
 CVE-2016-5549 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle ...)
- openjdk-8 8u121-b13-1
-   - openjdk-7 
-   [jessie] - openjdk-7  (Too intrusive to backport, might get 
rolled into a future DSA if it lands in an Icedtea 7 release)
+   - openjdk-7  (In the Debian package, the code is removed 
during build time)
 CVE-2016-5548 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle ...)
- openjdk-8 8u121-b13-1
[experimental] - openjdk-7 7u121-2.6.8-2
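
Review bot: The replacement openjdk-7 line for CVE-2016-5549 drops the jessie-specific entry and justifies the new status only with "the code is removed during build time", without saying which code or where in the packaging the removal happens. Name the component or the packaging step so the claim can be checked, and confirm it also holds for the jessie version, since the release-specific line that previously tracked it is gone.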




[Secure-testing-commits] r48768 - data/CVE

2017-02-08 Thread Sebastien Delafond
Author: seb
Date: 2017-02-08 09:32:08 + (Wed, 08 Feb 2017)
New Revision: 48768

Modified:
   data/CVE/list
Log:
Add temporary entry for openpyxl XXE

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 09:26:21 UTC (rev 48767)
+++ data/CVE/list   2017-02-08 09:32:08 UTC (rev 48768)
@@ -139,6 +139,9 @@
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1023012
 CVE-2016-10200
RESERVED
+CVE-2017- [openpyxl XML External Entity (XXE) vulnerability]
+   - openpyxl  (bug #854442)
+   NOTE: CVE request at 
http://www.openwall.com/lists/oss-security/2017/02/07/5
 CVE-2017- [gnome-keyring lives on after ssh session stops]
- gnome-keyring  (low; bug #395572)
[jessie] - gnome-keyring  (Minor issue)
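
Review bot: The temporary openpyxl entry references only the CVE request on oss-security and bug #854442, with no upstream issue or fix commit, so affected versions cannot be judged from the entry itself. Add an upstream reference as a NOTE if one exists, and replace the "CVE-2017-" placeholder as soon as an id is assigned so the entry does not linger unnumbered.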




[Secure-testing-commits] r48767 - data/CVE

2017-02-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-02-08 09:26:21 + (Wed, 08 Feb 2017)
New Revision: 48767

Modified:
   data/CVE/list
Log:
new issues in mupdf and qemu


Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 09:10:14 UTC (rev 48766)
+++ data/CVE/list   2017-02-08 09:26:21 UTC (rev 48767)
@@ -2,6 +2,11 @@
RESERVED
 CVE-2017-5931
RESERVED
+   - qemu 
+   [jessie] - qemu  (Vulnerable code not present)
+   - qemu-kvm  (Vulnerable code not present)
+   NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01368.html
+   NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/8
 CVE-2017-5930
RESERVED
 CVE-2017-5929
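
Review bot: The "[jessie] - qemu" and "- qemu-kvm" lines for CVE-2017-5931 both state "Vulnerable code not present" without a NOTE saying which commit or version introduced the affected code, so the claim cannot be re-verified from the entry. Add a NOTE naming the introducing change; the capitalised wording also differs from the lower-case "vulnerable code not present" used in other entries of this file, and the entry has no bracketed description of the issue.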
@@ -72,6 +77,9 @@
RESERVED
 CVE-2017-5896
RESERVED
+   - mupdf 
+   NOTE: http://seclists.org/oss-sec/2017/q1/322
+   NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697515
 CVE-2017-5895
RESERVED
 CVE-2017-5894
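
Review bot: The CVE-2017-5896 entry gains "- mupdf" and two reference NOTEs but still has no bracketed description and no Debian bug number, so a reader has to follow the links to learn what the issue is. Add a short description in the same style as the other entries (for example the libpodofo ones) and a bug reference once filed.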




[Secure-testing-commits] r48766 - data/CVE

2017-02-08 Thread security tracker role
Author: sectracker
Date: 2017-02-08 09:10:14 + (Wed, 08 Feb 2017)
New Revision: 48766

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-08 07:44:41 UTC (rev 48765)
+++ data/CVE/list   2017-02-08 09:10:14 UTC (rev 48766)
@@ -1,3 +1,35 @@
+CVE-2017-5932
+   RESERVED
+CVE-2017-5931
+   RESERVED
+CVE-2017-5930
+   RESERVED
+CVE-2017-5929
+   RESERVED
+CVE-2017-5928
+   RESERVED
+CVE-2017-5927
+   RESERVED
+CVE-2017-5926
+   RESERVED
+CVE-2017-5925
+   RESERVED
+CVE-2017-5924
+   RESERVED
+CVE-2017-5923
+   RESERVED
+CVE-2017-5922
+   RESERVED
+CVE-2017-5921
+   RESERVED
+CVE-2017-5920
+   RESERVED
+CVE-2016-10211
+   RESERVED
+CVE-2016-10210
+   RESERVED
+CVE-2016-10209
+   RESERVED
 CVE-2017-5919
RESERVED
 CVE-2017-5918

