[Secure-testing-commits] r48943 - data/CVE
Author: seb Date: 2017-02-15 09:01:58 + (Wed, 15 Feb 2017) New Revision: 48943 Modified: data/CVE/list Log: Add https://bitbucket.org/openpyxl/openpyxl/issues/749 as a note to openpyxl XXE Modified: data/CVE/list === --- data/CVE/list 2017-02-15 07:50:35 UTC (rev 48942) +++ data/CVE/list 2017-02-15 09:01:58 UTC (rev 48943) @@ -342,6 +342,7 @@ - openpyxl (bug #854442) [wheezy] - openpyxl (vulnerable code not present) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/07/5 + NOTE: https://bitbucket.org/openpyxl/openpyxl/issues/749 NOTE: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 CVE-2017- [gnome-keyring lives on after ssh session stops] - gnome-keyring (low; bug #395572) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48944 - data/CVE
Author: sectracker Date: 2017-02-15 09:10:11 + (Wed, 15 Feb 2017) New Revision: 48944 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-02-15 09:01:58 UTC (rev 48943) +++ data/CVE/list 2017-02-15 09:10:11 UTC (rev 48944) @@ -1,3 +1,11 @@ +CVE-2017-5991 (An issue was discovered in Artifex Software, Inc. MuPDF before ...) + TODO: check +CVE-2017-5990 (An issue was discovered in PhreeBooksERP before 2017-02-13. The ...) + TODO: check +CVE-2017-5989 + RESERVED +CVE-2017-5988 + RESERVED CVE-2017-5987 [sd: infinite loop issue in multi block transfers] RESERVED - qemu @@ -8261,64 +8269,64 @@ RESERVED CVE-2017-2997 RESERVED -CVE-2017-2996 - RESERVED -CVE-2017-2995 - RESERVED -CVE-2017-2994 - RESERVED -CVE-2017-2993 - RESERVED -CVE-2017-2992 - RESERVED -CVE-2017-2991 - RESERVED -CVE-2017-2990 - RESERVED +CVE-2017-2996 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2995 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2994 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2993 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2992 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2991 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2990 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check CVE-2017-2989 RESERVED -CVE-2017-2988 - RESERVED -CVE-2017-2987 - RESERVED -CVE-2017-2986 - RESERVED -CVE-2017-2985 - RESERVED -CVE-2017-2984 - RESERVED +CVE-2017-2988 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2987 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2986 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2985 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2984 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check CVE-2017-2983 RESERVED -CVE-2017-2982 - RESERVED -CVE-2017-2981 - RESERVED -CVE-2017-2980 - RESERVED -CVE-2017-2979 - RESERVED -CVE-2017-2978 - RESERVED -CVE-2017-2977 - RESERVED -CVE-2017-2976 - RESERVED -CVE-2017-2975 - RESERVED -CVE-2017-2974 - RESERVED -CVE-2017-2973 - RESERVED +CVE-2017-2982 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) + TODO: check +CVE-2017-2981 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2980 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2979 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2978 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2977 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2976 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2975 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2974 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check +CVE-2017-2973 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) + TODO: check CVE-2017-2972 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2971 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2970 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) NOT-FOR-US: Adobe Acrobat Reader -CVE-2017-2969 - RESERVED -CVE-2017-2968 - RESERVED +CVE-2017-2969 (Adobe Campaign versions 16.4 Build 8724 and earlier have a cross-site ...) + TODO: check +CVE-2017-2968 (Adobe Campaign versions 16.4 Build 8724 and earlier have a code ...) + TODO: check CVE-2017-2967 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2966 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) __
[Secure-testing-commits] r48945 - data/CVE
Author: seb Date: 2017-02-15 11:06:05 + (Wed, 15 Feb 2017) New Revision: 48945 Modified: data/CVE/list Log: openpyxl in jessie is unaffected by XXE Modified: data/CVE/list === --- data/CVE/list 2017-02-15 09:10:11 UTC (rev 48944) +++ data/CVE/list 2017-02-15 11:06:05 UTC (rev 48945) @@ -349,6 +349,7 @@ CVE-2017- [openpyxl XML External Entity (XXE) vulnerability] - openpyxl (bug #854442) [wheezy] - openpyxl (vulnerable code not present) + [jessie] - openpyxl (vulnerable code not present) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/07/5 NOTE: https://bitbucket.org/openpyxl/openpyxl/issues/749 NOTE: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48946 - data/CVE
Author: jmm Date: 2017-02-15 11:58:53 + (Wed, 15 Feb 2017) New Revision: 48946 Modified: data/CVE/list Log: glibc regex issue unimportant mysql no-dsa NFUs Modified: data/CVE/list === --- data/CVE/list 2017-02-15 11:06:05 UTC (rev 48945) +++ data/CVE/list 2017-02-15 11:58:53 UTC (rev 48946) @@ -7407,6 +7407,7 @@ - mysql-5.7 (Fixed before initial release in Debian) - mysql-5.6 (Fixed before initial release in Debian) - mysql-5.5 (bug #854713) + [jessie] - mysql-5.5 (Can wait until the next Oracle CPU) NOTE: Fixed by: https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93 NOTE: Fixed in Oracle MySQL 5.6.21, 5.7.5 NOTE: https://bugs.mysql.com/bug.php?id=70429 @@ -8271,53 +8272,53 @@ CVE-2017-2997 RESERVED CVE-2017-2996 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2995 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2994 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2993 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2992 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2991 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2990 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2989 RESERVED CVE-2017-2988 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2987 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2986 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2985 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2984 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2983 RESERVED CVE-2017-2982 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2017-2981 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2980 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2979 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2978 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2977 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2976 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2975 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2974 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2973 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2972 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2971 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) @@ -8325,9 +8326,9 @@ CVE-2017-2970 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2969 (Adobe Campaign versions 16.4 Build 8724 and earlier have a cross-site ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2968 (Adobe Campaign versions 16.4 Build 8724 and earlier have a code ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-2967 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2966 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 ...) @@ -65422,9 +65423,9 @@ NOT-FOR-U
[Secure-testing-commits] r48947 - data/CVE
Author: jmm Date: 2017-02-15 12:47:54 + (Wed, 15 Feb 2017) New Revision: 48947 Modified: data/CVE/list Log: "new" linux issue Modified: data/CVE/list === --- data/CVE/list 2017-02-15 11:58:53 UTC (rev 48946) +++ data/CVE/list 2017-02-15 12:47:54 UTC (rev 48947) @@ -27288,7 +27288,7 @@ CVE-2014-9871 (Multiple buffer overflows in ...) - linux (Android-specific driver) CVE-2014-9870 (The Linux kernel before 3.11 on ARM platforms, as used in Android ...) - TODO: check + - linux 3.11.5-1 CVE-2014-9869 (drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c in the ...) - linux (Android-specific driver) CVE-2014-9868 (drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48948 - data/CVE
Author: jmm Date: 2017-02-15 13:15:54 + (Wed, 15 Feb 2017) New Revision: 48948 Modified: data/CVE/list Log: add upstream bug for kodi Modified: data/CVE/list === --- data/CVE/list 2017-02-15 12:47:54 UTC (rev 48947) +++ data/CVE/list 2017-02-15 13:15:54 UTC (rev 48948) @@ -24,7 +24,9 @@ CVE-2017-5982 [local file inclusion] RESERVED - kodi + - xbmc NOTE: http://seclists.org/fulldisclosure/2017/Feb/27 + NOTE: http://trac.kodi.tv/ticket/17314 CVE-2017-5681 RESERVED CVE-2017- [tomcat DoS via infinite loop in HTTPS request processing] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48949 - data/CVE
Author: carnil Date: 2017-02-15 13:19:41 + (Wed, 15 Feb 2017) New Revision: 48949 Modified: data/CVE/list Log: Order top-town one entry Modified: data/CVE/list === --- data/CVE/list 2017-02-15 13:15:54 UTC (rev 48948) +++ data/CVE/list 2017-02-15 13:19:41 UTC (rev 48949) @@ -350,8 +350,8 @@ NOTE: https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad CVE-2017- [openpyxl XML External Entity (XXE) vulnerability] - openpyxl (bug #854442) + [jessie] - openpyxl (vulnerable code not present) [wheezy] - openpyxl (vulnerable code not present) - [jessie] - openpyxl (vulnerable code not present) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/07/5 NOTE: https://bitbucket.org/openpyxl/openpyxl/issues/749 NOTE: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48950 - data/DSA
Author: seb
Date: 2017-02-15 13:23:10 + (Wed, 15 Feb 2017)
New Revision: 48950
Modified:
data/DSA/list
Log:
Reserve DSA-3789-1 for libevent (CVE-2016-10195, CVE-2016-10196, CVE-2016-10197)
Modified: data/DSA/list
===
--- data/DSA/list 2017-02-15 13:19:41 UTC (rev 48949)
+++ data/DSA/list 2017-02-15 13:23:10 UTC (rev 48950)
@@ -1,3 +1,6 @@
+[15 Feb 2017] DSA-3789-1 libevent - security update
+ {CVE-2016-10195 CVE-2016-10196 CVE-2016-10197}
+ [jessie] - libevent 2.0.21-stable-2+deb8u1
[13 Feb 2017] DSA-3788-1 tomcat8 - security update
[jessie] - tomcat8 8.0.14-1+deb8u7
[13 Feb 2017] DSA-3787-1 tomcat7 - security update
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48951 - data/CVE
Author: carnil Date: 2017-02-15 13:23:39 + (Wed, 15 Feb 2017) New Revision: 48951 Modified: data/CVE/list Log: Add CVE-2017-2630/qemu Modified: data/CVE/list === --- data/CVE/list 2017-02-15 13:23:10 UTC (rev 48950) +++ data/CVE/list 2017-02-15 13:23:39 UTC (rev 48951) @@ -9283,8 +9283,13 @@ RESERVED CVE-2017-2631 RESERVED -CVE-2017-2630 +CVE-2017-2630 [nbd: oob stack write in client routine drop_sync] RESERVED + - qemu + - qemu-kvm + NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422415 + TODO: check affected versions CVE-2017-2629 RESERVED CVE-2017-2628 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48952 - data/CVE
Author: carnil Date: 2017-02-15 13:25:21 + (Wed, 15 Feb 2017) New Revision: 48952 Modified: data/CVE/list Log: Add new xen issue Modified: data/CVE/list === --- data/CVE/list 2017-02-15 13:23:39 UTC (rev 48951) +++ data/CVE/list 2017-02-15 13:25:21 UTC (rev 48952) @@ -1,3 +1,6 @@ +CVE-2017- [XSA-207: memory leak when destroying guest without PT devices] + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-207.html CVE-2017-5991 (An issue was discovered in Artifex Software, Inc. MuPDF before ...) TODO: check CVE-2017-5990 (An issue was discovered in PhreeBooksERP before 2017-02-13. The ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48953 - data/CVE
Author: carnil Date: 2017-02-15 13:28:03 + (Wed, 15 Feb 2017) New Revision: 48953 Modified: data/CVE/list Log: Add temporary entry for libytnef issues, no CVEs are assigned yet Modified: data/CVE/list === --- data/CVE/list 2017-02-15 13:25:21 UTC (rev 48952) +++ data/CVE/list 2017-02-15 13:28:03 UTC (rev 48953) @@ -1,3 +1,7 @@ +CVE-2017- [9 issues in ytnef -- X41-2017-002] + - libytnef + NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/15/4 CVE-2017- [XSA-207: memory leak when destroying guest without PT devices] - xen NOTE: https://xenbits.xen.org/xsa/advisory-207.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48954 - in data: . DLA
Author: rbalint
Date: 2017-02-15 15:12:40 + (Wed, 15 Feb 2017)
New Revision: 48954
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-824-1 for libevent
Modified: data/DLA/list
===
--- data/DLA/list 2017-02-15 13:28:03 UTC (rev 48953)
+++ data/DLA/list 2017-02-15 15:12:40 UTC (rev 48954)
@@ -1,3 +1,6 @@
+[15 Feb 2017] DLA-824-1 libevent - security update
+ {CVE-2016-10195 CVE-2016-10196 CVE-2016-10197}
+ [wheezy] - libevent 2.0.19-stable-3+deb7u2
[14 Feb 2017] DLA-823-1 tomcat7 - security update
[wheezy] - tomcat7 7.0.28-4+deb7u10
[13 Feb 2017] DLA-822-1 vim - security update
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-02-15 13:28:03 UTC (rev 48953)
+++ data/dla-needed.txt 2017-02-15 15:12:40 UTC (rev 48954)
@@ -64,8 +64,6 @@
NOTE: Upstream should provide new point-releases fixing open security issues
in the next months.
NOTE: Lots of CVEs are open, this is going to take some time. (See
debian-lts ML)
--
-libevent (Roberto C. Sánchez)
---
libical
NOTE: No known solution as of 2017-01-16.
NOTE: Pinged on 2017-02-06
https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48955 - data/CVE
Author: seb Date: 2017-02-15 16:47:15 + (Wed, 15 Feb 2017) New Revision: 48955 Modified: data/CVE/list Log: openpyxl XXE is CVE-2017-5992. Modified: data/CVE/list === --- data/CVE/list 2017-02-15 15:12:40 UTC (rev 48954) +++ data/CVE/list 2017-02-15 16:47:15 UTC (rev 48955) @@ -355,7 +355,7 @@ - viewvc 1.1.26-1 (bug #854681) NOTE: http://www.openwall.com/lists/oss-security/2017/02/08/7 NOTE: https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad -CVE-2017- [openpyxl XML External Entity (XXE) vulnerability] +CVE-2017-5992 [openpyxl XML External Entity (XXE) vulnerability] - openpyxl (bug #854442) [jessie] - openpyxl (vulnerable code not present) [wheezy] - openpyxl (vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48956 - data/CVE
Author: carnil Date: 2017-02-15 17:42:34 + (Wed, 15 Feb 2017) New Revision: 48956 Modified: data/CVE/list Log: Remove CVE request annotation since CVE assigned Modified: data/CVE/list === --- data/CVE/list 2017-02-15 16:47:15 UTC (rev 48955) +++ data/CVE/list 2017-02-15 17:42:34 UTC (rev 48956) @@ -359,7 +359,7 @@ - openpyxl (bug #854442) [jessie] - openpyxl (vulnerable code not present) [wheezy] - openpyxl (vulnerable code not present) - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/07/5 + NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/5 NOTE: https://bitbucket.org/openpyxl/openpyxl/issues/749 NOTE: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 CVE-2017- [gnome-keyring lives on after ssh session stops] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48957 - data/CVE
Author: carnil Date: 2017-02-15 17:44:01 + (Wed, 15 Feb 2017) New Revision: 48957 Modified: data/CVE/list Log: Mark CVE-2014-9870 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-02-15 17:42:34 UTC (rev 48956) +++ data/CVE/list 2017-02-15 17:44:01 UTC (rev 48957) @@ -27303,6 +27303,7 @@ - linux (Android-specific driver) CVE-2014-9870 (The Linux kernel before 3.11 on ARM platforms, as used in Android ...) - linux 3.11.5-1 + [wheezy] - linux (Minor issue, hardly a security impact, cf. kernel-sec) CVE-2014-9869 (drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c in the ...) - linux (Android-specific driver) CVE-2014-9868 (drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48958 - data/CVE
Author: carnil Date: 2017-02-15 17:53:58 + (Wed, 15 Feb 2017) New Revision: 48958 Modified: data/CVE/list Log: Update information for CVE-2016-8636/linux Modified: data/CVE/list === --- data/CVE/list 2017-02-15 17:44:01 UTC (rev 48957) +++ data/CVE/list 2017-02-15 17:53:58 UTC (rev 48958) @@ -17882,6 +17882,8 @@ CVE-2016-8636 [mem_check_range integer overflow] RESERVED - linux + [jessie] - linux (Vulnerable code not present) + [wheezy] - linux (Vulnerable code not present) NOTE: Fix https://github.com/torvalds/linux/commit/647bf3d8a8e5777319da92af672289b2a6c4dc66 CVE-2016-8635 [small-subgroups attack flaw] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48959 - data/CVE
Author: carnil Date: 2017-02-15 17:55:08 + (Wed, 15 Feb 2017) New Revision: 48959 Modified: data/CVE/list Log: Mark CVE-2016-10147 n/a for jessie and wheezy Modified: data/CVE/list === --- data/CVE/list 2017-02-15 17:53:58 UTC (rev 48958) +++ data/CVE/list 2017-02-15 17:55:08 UTC (rev 48959) @@ -2075,6 +2075,8 @@ RESERVED CVE-2016-10147 (crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users ...) - linux 4.8.15-1 + [jessie] - linux (Vulnerable code not present) + [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/48a992727d82cb7db076fa15d372178743b1f4cd (v4.9) CVE-2016-10143 (A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to ...) - tikiwiki ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48960 - data/CVE
Author: jmm Date: 2017-02-15 18:03:05 + (Wed, 15 Feb 2017) New Revision: 48960 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-02-15 17:55:08 UTC (rev 48959) +++ data/CVE/list 2017-02-15 18:03:05 UTC (rev 48960) @@ -38024,43 +38024,43 @@ CVE-2016-2484 (libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x ...) NOT-FOR-US: libstagefright CVE-2016-2483 (The mm-video-v4l2 venc component in mediaserver in Android 4.x before ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2482 (The mm-video-v4l2 vdec component in mediaserver in Android 4.x before ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2481 (The mm-video-v4l2 venc component in mediaserver in Android 4.x before ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2480 (The mm-video-v4l2 vidc component in mediaserver in Android 4.x before ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2479 (The mm-video-v4l2 vdec component in mediaserver in Android 4.x before ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2478 (mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp in mediaserver in ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2477 (mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp in mediaserver in ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2476 (mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-2475 (The Broadcom Wi-Fi driver in Android before 2016-06-01 on Nexus 5, ...) - TODO: check + NOT-FOR-US: Broadcom driver for Android CVE-2016-2474 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 5X ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2473 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2472 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2471 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2470 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2469 (The Qualcomm sound driver in Android before 2016-06-01 on Nexus 5, 6, ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2468 (The Qualcomm GPU driver in Android before 2016-06-01 on Nexus 5, 5X, ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2467 (The Qualcomm sound driver in Android before 2016-06-01 on Nexus 5 ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2466 (The Qualcomm sound driver in Android before 2016-06-01 on Nexus 6 ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2465 (The Qualcomm video driver in Android before 2016-06-01 on Nexus 5, 5X, ...) - TODO: check + NOT-FOR-US: Qualcomm driver for Android CVE-2016-2464 (libvpx in libwebm in mediaserver in Android 4.x before 4.4.4, 5.0.x ...) TODO: check CVE-2016-2463 (Multiple integer overflows in the h264dec component in libstagefright ...) @@ -38839,7 +38839,7 @@ CVE-2016-2247 REJECTED CVE-2016-2246 (HP ThinPro 4.4 through 6.1 mishandles the keyboard layout control ...) - TODO: check + NOT-FOR-US: HP ThinPro CVE-2016-2245 (HP Support Assistant before 8.1.52.1 allows remote attackers to bypass ...) NOT-FOR-US: HP Support Assistant CVE-2016-2244 (HP LaserJet printers and MFPs and OfficeJet Enterprise printers with ...) @@ -38884,7 +38884,7 @@ NOTE: Possibly introduced after http://vcs.pcre.org/pcre?view=revision&revision=1266 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1638 (8.39) CVE-2016-2242 (Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to ...) - TODO: check + NOT-FOR-US: Exponent CMS CVE-2016-2241 RESERVED CVE-2016-2240 @@ -43142,7 +43142,7 @@ NOTE: https://github.com/Dolibarr/dolibarr/issues/4291 NOTE: https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8 CVE-2015-8684 (Exponent CMS before 2.3.7 does not properly restrict the types of ...) - TODO: check + NOT-FOR-US: Exponent CMS CVE-2015-8682 (The Video0 driver in Huawei P8 smartphones with software GRA-UL00 ...) TODO: check CVE-2015-8681 (The ovisp driver in Huawei P8 smartphones with software GRA-TL00 ...) @@ -46134,15 +46134,15 @@ CVE-2015-8524
[Secure-testing-commits] r48961 - data/CVE
Author: carnil Date: 2017-02-15 18:12:08 + (Wed, 15 Feb 2017) New Revision: 48961 Modified: data/CVE/list Log: Reported bug for CVE-2017-5982 to ask clarification from maintainers Modified: data/CVE/list === --- data/CVE/list 2017-02-15 18:03:05 UTC (rev 48960) +++ data/CVE/list 2017-02-15 18:12:08 UTC (rev 48961) @@ -30,7 +30,7 @@ RESERVED CVE-2017-5982 [local file inclusion] RESERVED - - kodi + - kodi (bug #855225) - xbmc NOTE: http://seclists.org/fulldisclosure/2017/Feb/27 NOTE: http://trac.kodi.tv/ticket/17314 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48962 - data/CVE
Author: jmm Date: 2017-02-15 18:18:59 + (Wed, 15 Feb 2017) New Revision: 48962 Modified: data/CVE/list Log: new mupdf issue Modified: data/CVE/list === --- data/CVE/list 2017-02-15 18:12:08 UTC (rev 48961) +++ data/CVE/list 2017-02-15 18:18:59 UTC (rev 48962) @@ -6,7 +6,9 @@ - xen NOTE: https://xenbits.xen.org/xsa/advisory-207.html CVE-2017-5991 (An issue was discovered in Artifex Software, Inc. MuPDF before ...) - TODO: check + - mupdf (low) + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697500 + NOTE: http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465 CVE-2017-5990 (An issue was discovered in PhreeBooksERP before 2017-02-13. The ...) TODO: check CVE-2017-5989 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48963 - data/CVE
Author: carnil Date: 2017-02-15 18:21:06 + (Wed, 15 Feb 2017) New Revision: 48963 Modified: data/CVE/list Log: Update information for CVE-2017-2630/qemu Modified: data/CVE/list === --- data/CVE/list 2017-02-15 18:18:59 UTC (rev 48962) +++ data/CVE/list 2017-02-15 18:21:06 UTC (rev 48963) @@ -9297,10 +9297,11 @@ CVE-2017-2630 [nbd: oob stack write in client routine drop_sync] RESERVED - qemu - - qemu-kvm + [jessie] - qemu (Vulnerable code introduced in v2.8.0-rc0) + [wheezy] - qemu (Vulnerable code introduced in v2.8.0-rc0) + - qemu-kvm (Vulnerable code introduced later) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422415 - TODO: check affected versions CVE-2017-2629 RESERVED CVE-2017-2628 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48964 - data/CVE
Author: carnil Date: 2017-02-15 18:24:26 + (Wed, 15 Feb 2017) New Revision: 48964 Modified: data/CVE/list Log: Add bug reference for CVE-2017-2630, #855227 Modified: data/CVE/list === --- data/CVE/list 2017-02-15 18:21:06 UTC (rev 48963) +++ data/CVE/list 2017-02-15 18:24:26 UTC (rev 48964) @@ -9296,7 +9296,7 @@ RESERVED CVE-2017-2630 [nbd: oob stack write in client routine drop_sync] RESERVED - - qemu + - qemu (bug #855227) [jessie] - qemu (Vulnerable code introduced in v2.8.0-rc0) [wheezy] - qemu (Vulnerable code introduced in v2.8.0-rc0) - qemu-kvm (Vulnerable code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48965 - data/CVE
Author: carnil Date: 2017-02-15 18:44:42 + (Wed, 15 Feb 2017) New Revision: 48965 Modified: data/CVE/list Log: Add CVE-2017-5993/virglrenderer Modified: data/CVE/list === --- data/CVE/list 2017-02-15 18:24:26 UTC (rev 48964) +++ data/CVE/list 2017-02-15 18:44:42 UTC (rev 48965) @@ -5,6 +5,10 @@ CVE-2017- [XSA-207: memory leak when destroying guest without PT devices] - xen NOTE: https://xenbits.xen.org/xsa/advisory-207.html +CVE-2017-5993 [host memory leakage when initialising blitter context] + - virglrenderer + NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=6eb13f7a2dcf391ec9e19b4c2a79e68305f63c22 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422438 CVE-2017-5991 (An issue was discovered in Artifex Software, Inc. MuPDF before ...) - mupdf (low) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697500 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48966 - data/CVE
Author: carnil Date: 2017-02-15 18:45:43 + (Wed, 15 Feb 2017) New Revision: 48966 Modified: data/CVE/list Log: Add CVE-2017-5994/virglrenderer Modified: data/CVE/list === --- data/CVE/list 2017-02-15 18:44:42 UTC (rev 48965) +++ data/CVE/list 2017-02-15 18:45:43 UTC (rev 48966) @@ -5,6 +5,10 @@ CVE-2017- [XSA-207: memory leak when destroying guest without PT devices] - xen NOTE: https://xenbits.xen.org/xsa/advisory-207.html +CVE-2017-5994 [out-of-bounds access in vrend_create_vertex_elements_state] + - virglrenderer + NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=114688c526fe45f341d75ccd1d85473c3b08f7a7 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422452 CVE-2017-5993 [host memory leakage when initialising blitter context] - virglrenderer NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=6eb13f7a2dcf391ec9e19b4c2a79e68305f63c22 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48967 - data/CVE
Author: jmm Date: 2017-02-15 18:47:05 + (Wed, 15 Feb 2017) New Revision: 48967 Modified: data/CVE/list Log: gst-plugins-bad0.10, podofo no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-02-15 18:45:43 UTC (rev 48966) +++ data/CVE/list 2017-02-15 18:47:05 UTC (rev 48967) @@ -797,6 +797,7 @@ CVE-2017-5848 (The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in ...) - gst-plugins-bad1.0 (low) - gst-plugins-bad0.10 (low) + [jessie] - gst-plugins-bad0.10 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777957 NOTE: Patch: https://bugzilla.gnome.org/show_bug.cgi?id=777957#c3 @@ -824,6 +825,7 @@ CVE-2017-5843 (Multiple use-after-free vulnerabilities in the (1) ...) - gst-plugins-bad1.0 1.10.3-1 - gst-plugins-bad0.10 (low) + [jessie] - gst-plugins-bad0.10 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777503 CVE-2017-5842 (The html_context_handle_element function in gst/subparse/samiparse.c ...) @@ -922,32 +924,38 @@ NOT-FOR-US: festivaltts4r CVE-2017- [podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)] - libpodofo (bug #854605) + [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/ NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/02/21 CVE-2015-8981 [Heap overflow in the function ReadXRefSubsection] RESERVED - libpodofo 0.9.4-1 (bug #854599) + [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/ NOTE: https://sourceforge.net/p/podofo/code/1672 CVE-2017-5855 [NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection] RESERVED - libpodofo (bug #854603) + [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5854 [NULL pointer dereference in PdfOutputStream.cpp] RESERVED - libpodofo (bug #854602) + [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5853 [Signed integer overflow in PdfParser.cpp] RESERVED - libpodofo (bug #854601) + [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5852 [Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject] RESERVED - libpodofo (bug #854600) + [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5849 [Out-of-Bound read and write issues in put1bitbwtile() and putgreytile()] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48968 - data
Author: carnil Date: 2017-02-15 19:14:58 + (Wed, 15 Feb 2017) New Revision: 48968 Modified: data/dsa-needed.txt Log: Add spice and take Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-15 18:47:05 UTC (rev 48967) +++ data/dsa-needed.txt 2017-02-15 19:14:58 UTC (rev 48968) @@ -35,6 +35,8 @@ qemu Maintainer asked to prepare updates -- +spice (carnil) +-- spip -- xen ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48969 - data/CVE
Author: carnil
Date: 2017-02-15 19:35:55 + (Wed, 15 Feb 2017)
New Revision: 48969
Modified:
data/CVE/list
Log:
Replace spice commits with official ones from upstream
Modified: data/CVE/list
===
--- data/CVE/list 2017-02-15 19:14:58 UTC (rev 48968)
+++ data/CVE/list 2017-02-15 19:35:55 UTC (rev 48969)
@@ -14558,11 +14558,12 @@
CVE-2016-9578
RESERVED
- spice (bug #854336)
- NOTE: Fixed by
http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d
+ NOTE: Fixed by:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556
(0.12.x)
+ NOTE: Fixed by:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
(0.12.x)
CVE-2016-9577
RESERVED
- spice (bug #854336)
- NOTE: Fixed by
http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d
+ NOTE: Fixed by:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3
(0.12.x)
CVE-2016-10088 (The sg implementation in the Linux kernel through 4.9 does not
...)
{DLA-772-1}
- linux 4.8.15-2
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48970 - data
Author: carnil Date: 2017-02-15 19:51:33 + (Wed, 15 Feb 2017) New Revision: 48970 Modified: data/dsa-needed.txt Log: Spice packages prepared for jessie Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-15 19:35:55 UTC (rev 48969) +++ data/dsa-needed.txt 2017-02-15 19:51:33 UTC (rev 48970) @@ -36,6 +36,7 @@ Maintainer asked to prepare updates -- spice (carnil) + Packages prepared, waiting for peer-review by a second team member -- spip -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48971 - data/CVE
Author: carnil
Date: 2017-02-15 19:52:33 + (Wed, 15 Feb 2017)
New Revision: 48971
Modified:
data/CVE/list
Log:
Record fix for spice which will enter the archive in 2h
Modified: data/CVE/list
===
--- data/CVE/list 2017-02-15 19:51:33 UTC (rev 48970)
+++ data/CVE/list 2017-02-15 19:52:33 UTC (rev 48971)
@@ -14557,12 +14557,12 @@
NOTE: http://tracker.ceph.com/issues/18187
CVE-2016-9578
RESERVED
- - spice (bug #854336)
+ - spice 0.12.8-2.1 (bug #854336)
NOTE: Fixed by:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556
(0.12.x)
NOTE: Fixed by:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
(0.12.x)
CVE-2016-9577
RESERVED
- - spice (bug #854336)
+ - spice 0.12.8-2.1 (bug #854336)
NOTE: Fixed by:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3
(0.12.x)
CVE-2016-10088 (The sg implementation in the Linux kernel through 4.9 does not
...)
{DLA-772-1}
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48972 - data/CVE
Author: sectracker
Date: 2017-02-15 21:10:14 + (Wed, 15 Feb 2017)
New Revision: 48972
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-02-15 19:52:33 UTC (rev 48971)
+++ data/CVE/list 2017-02-15 21:10:14 UTC (rev 48972)
@@ -1,3 +1,15 @@
+CVE-2017-6000
+ RESERVED
+CVE-2017-5999
+ RESERVED
+CVE-2017-5998
+ RESERVED
+CVE-2017-5997 (The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49
allows ...)
+ TODO: check
+CVE-2017-5996
+ RESERVED
+CVE-2017-5995
+ RESERVED
CVE-2017- [9 issues in ytnef -- X41-2017-002]
- libytnef
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
@@ -6,10 +18,12 @@
- xen
NOTE: https://xenbits.xen.org/xsa/advisory-207.html
CVE-2017-5994 [out-of-bounds access in vrend_create_vertex_elements_state]
+ RESERVED
- virglrenderer
NOTE:
https://cgit.freedesktop.org/virglrenderer/commit/?id=114688c526fe45f341d75ccd1d85473c3b08f7a7
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422452
CVE-2017-5993 [host memory leakage when initialising blitter context]
+ RESERVED
- virglrenderer
NOTE:
https://cgit.freedesktop.org/virglrenderer/commit/?id=6eb13f7a2dcf391ec9e19b4c2a79e68305f63c22
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422438
@@ -291,8 +305,7 @@
RESERVED
CVE-2017-5900
RESERVED
-CVE-2017-5896
- RESERVED
+CVE-2017-5896 (Heap-based buffer overflow in the fz_subsample_pixmap function
in ...)
- mupdf (bug #854734)
[wheezy] - mupdf (vulnerable code not present)
NOTE: http://seclists.org/oss-sec/2017/q1/322
@@ -365,7 +378,7 @@
- viewvc 1.1.26-1 (bug #854681)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/08/7
NOTE:
https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad
-CVE-2017-5992 [openpyxl XML External Entity (XXE) vulnerability]
+CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which
allows ...)
- openpyxl (bug #854442)
[jessie] - openpyxl (vulnerable code not present)
[wheezy] - openpyxl (vulnerable code not present)
@@ -781,16 +794,19 @@
RESERVED
CVE-2016-10197
RESERVED
+ {DSA-3789-1 DLA-824-1}
- libevent 2.0.21-stable-3 (bug #854092)
NOTE: https://github.com/libevent/libevent/issues/332
NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17
CVE-2016-10196
RESERVED
+ {DSA-3789-1 DLA-824-1}
- libevent 2.0.21-stable-3 (bug #854092)
NOTE: https://github.com/libevent/libevent/issues/318
NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17
CVE-2016-10195
RESERVED
+ {DSA-3789-1 DLA-824-1}
- libevent 2.0.21-stable-3 (bug #854092)
NOTE: https://github.com/libevent/libevent/issues/317
NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17
@@ -6211,8 +6227,7 @@
NOTE: For phpmyadmin, unimportant, since embeds lib but does not use in
exploitable way
NOTE: http://seclists.org/fulldisclosure/2016/Aug/76
NOTE: Upstream patch:
https://bazaar.launchpad.net/~danilo/php-gettext/trunk/revision/61
-CVE-2015-8979 [remote stack buffer overflow]
- RESERVED
+CVE-2015-8979 (Stack-based buffer overflow in the parsePresentationContext
function ...)
{DSA-3749-1 DLA-755-1}
- dcmtk 3.6.1~20160216-2 (bug #848830)
NOTE: 3.6.1~20160216-2 is the first version in unstable containing the
fix
@@ -12981,8 +12996,8 @@
RESERVED
CVE-2016-9707
RESERVED
-CVE-2016-9706
- RESERVED
+CVE-2016-9706 (IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker
SOAP ...)
+ TODO: check
CVE-2016-9705
RESERVED
CVE-2016-9704 (IBM Security Identity Manager Virtual Appliance is vulnerable
to ...)
@@ -15022,8 +15037,7 @@
NOTE: https://github.com/tats/w3m/issues/32
CVE-2016-9621
REJECTED
-CVE-2016-9560 [stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c)]
- RESERVED
+CVE-2016-9560 (Stack-based buffer overflow in the jpc_tsfb_getbands2 function
in ...)
{DSA-3785-1 DLA-739-1}
- jasper
NOTE:
https://blogs.gentoo.org/ago/2016/11/20/jasper-stack-based-buffer-overflow-in-jpc_tsfb_getbands2-jpc_tsfb-c
@@ -16776,8 +16790,8 @@
NOTE:
https://github.com/django/django/commit/da7910d4834726eca596af0a830762fa5fb2dfd9
CVE-2016-9012 (CloudVision Portal (CVP) before 2016.1.2.1 allows remote
authenticated ...)
NOT-FOR-US: CloudVision Portal
-CVE-2016-9010
- RESERVED
+CVE-2016-9010 (IBM WebSphere Message Broker 9.0 and 10.0 could allow a remote
...)
+ TODO: check
CVE-2016-9009
RESERVED
CVE-2016-9008 (IBM UrbanCode Deploy could allow a malicious user to access the
Agent
[Secure-testing-commits] r48973 - in data: CVE DSA
Author: jmm
Date: 2017-02-15 22:33:18 + (Wed, 15 Feb 2017)
New Revision: 48973
Modified:
data/CVE/list
data/DSA/list
Log:
php issue already fixed
Modified: data/CVE/list
===
--- data/CVE/list 2017-02-15 21:10:14 UTC (rev 48972)
+++ data/CVE/list 2017-02-15 22:33:18 UTC (rev 48973)
@@ -21596,10 +21596,12 @@
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73092
NOTE: Fixed in 7.0.15
CVE-2016-7478 (Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and
7.x ...)
+ {DSA-3732-1}
- php7.1
- php7.0
- php5
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73093
+ NOTE: Patch for 5.6.x:
http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
(5.6.28)
CVE-2016-7477
RESERVED
- libav (unimportant)
Modified: data/DSA/list
===
--- data/DSA/list 2017-02-15 21:10:14 UTC (rev 48972)
+++ data/DSA/list 2017-02-15 22:33:18 UTC (rev 48973)
@@ -174,7 +174,7 @@
{CVE-2016-1252}
[jessie] - apt 1.0.9.8.4
[13 Dec 2016] DSA-3732-1 php5 - security update
- {CVE-2016-9138 CVE-2016-9933 CVE-2016-9934}
+ {CVE-2016-9138 CVE-2016-9933 CVE-2016-9934 CVE-2016-7478}
[jessie] - php5 5.6.28+dfsg-0+deb8u1
[11 Dec 2016] DSA-3731-1 chromium-browser - security update
{CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184 CVE-2016-5185
CVE-2016-5186 CVE-2016-5187 CVE-2016-5188 CVE-2016-5189 CVE-2016-5190
CVE-2016-5191 CVE-2016-5192 CVE-2016-5193 CVE-2016-5194 CVE-2016-5198
CVE-2016-5199 CVE-2016-5200 CVE-2016-5201 CVE-2016-5202 CVE-2016-5203
CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207 CVE-2016-5208
CVE-2016-5209 CVE-2016-5210 CVE-2016-5211 CVE-2016-5212 CVE-2016-5213
CVE-2016-5214 CVE-2016-5215 CVE-2016-5216 CVE-2016-5217 CVE-2016-5218
CVE-2016-5219 CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223
CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650 CVE-2016-9651
CVE-2016-9652}
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48975 - data
Author: lamby Date: 2017-02-15 22:39:26 + (Wed, 15 Feb 2017) New Revision: 48975 Modified: data/dla-needed.txt Log: Triage libytnef for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-02-15 22:39:22 UTC (rev 48974) +++ data/dla-needed.txt 2017-02-15 22:39:26 UTC (rev 48975) @@ -90,6 +90,8 @@ -- libxml2 -- +libytnef +-- linux -- mcollective ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48974 - data
Author: lamby Date: 2017-02-15 22:39:22 + (Wed, 15 Feb 2017) New Revision: 48974 Modified: data/dla-needed.txt Log: Triage https://security-tracker.debian.org/tracker/CVE-2016-2399 for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-02-15 22:33:18 UTC (rev 48973) +++ data/dla-needed.txt 2017-02-15 22:39:22 UTC (rev 48974) @@ -47,6 +47,8 @@ -- gtk-vnc -- +https://security-tracker.debian.org/tracker/CVE-2016-2399 +-- icedove NOTE: maintainer currenlty planx to rename to thunderbird with the next NOTE: upstream version (#851989). Jessie / Wheezy should do the same. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48976 - data
Author: lamby Date: 2017-02-15 22:49:14 + (Wed, 15 Feb 2017) New Revision: 48976 Modified: data/dla-needed.txt Log: Revert "Triage https://security-tracker.debian.org/tracker/CVE-2016-2399 for LTS" This reverts commit 02661029a762f8127c1457eac781952a703478f4. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-02-15 22:39:26 UTC (rev 48975) +++ data/dla-needed.txt 2017-02-15 22:49:14 UTC (rev 48976) @@ -47,8 +47,6 @@ -- gtk-vnc -- -https://security-tracker.debian.org/tracker/CVE-2016-2399 --- icedove NOTE: maintainer currenlty planx to rename to thunderbird with the next NOTE: upstream version (#851989). Jessie / Wheezy should do the same. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48977 - data/CVE
Author: jmm
Date: 2017-02-15 22:51:21 + (Wed, 15 Feb 2017)
New Revision: 48977
Modified:
data/CVE/list
Log:
php7 also fixed
Modified: data/CVE/list
===
--- data/CVE/list 2017-02-15 22:49:14 UTC (rev 48976)
+++ data/CVE/list 2017-02-15 22:51:21 UTC (rev 48977)
@@ -21598,7 +21598,7 @@
CVE-2016-7478 (Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and
7.x ...)
{DSA-3732-1}
- php7.1
- - php7.0
+ - php7.0 7.0.13-1
- php5
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73093
NOTE: Patch for 5.6.x:
http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
(5.6.28)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48978 - data/CVE
Author: carnil Date: 2017-02-16 04:29:07 + (Thu, 16 Feb 2017) New Revision: 48978 Modified: data/CVE/list Log: Mark one NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-15 22:51:21 UTC (rev 48977) +++ data/CVE/list 2017-02-16 04:29:07 UTC (rev 48978) @@ -5,7 +5,7 @@ CVE-2017-5998 RESERVED CVE-2017-5997 (The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows ...) - TODO: check + NOT-FOR-US: SAP Message Server CVE-2017-5996 RESERVED CVE-2017-5995 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48979 - data/CVE
Author: carnil Date: 2017-02-16 04:29:19 + (Thu, 16 Feb 2017) New Revision: 48979 Modified: data/CVE/list Log: Add CVE-2017-6001/linux Modified: data/CVE/list === --- data/CVE/list 2017-02-16 04:29:07 UTC (rev 48978) +++ data/CVE/list 2017-02-16 04:29:19 UTC (rev 48979) @@ -1,3 +1,6 @@ +CVE-2017-6001 [Incomplete fix for CVE-2016-6786] + - linux + NOTE: Fixed by: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290 CVE-2017-6000 RESERVED CVE-2017-5999 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48980 - data/CVE
Author: carnil Date: 2017-02-16 04:31:36 + (Thu, 16 Feb 2017) New Revision: 48980 Modified: data/CVE/list Log: Add TODO note for libytnef Modified: data/CVE/list === --- data/CVE/list 2017-02-16 04:29:19 UTC (rev 48979) +++ data/CVE/list 2017-02-16 04:31:36 UTC (rev 48980) @@ -17,6 +17,7 @@ - libytnef NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/15/4 + TODO: wait some days for the CVE assignments (which seem requested by x41-dsec), otherwise go ahead with re-request CVE-2017- [XSA-207: memory leak when destroying guest without PT devices] - xen NOTE: https://xenbits.xen.org/xsa/advisory-207.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48981 - data/CVE
Author: carnil Date: 2017-02-16 04:34:11 + (Thu, 16 Feb 2017) New Revision: 48981 Modified: data/CVE/list Log: Add CVE-2016-10225 Modified: data/CVE/list === --- data/CVE/list 2017-02-16 04:31:36 UTC (rev 48980) +++ data/CVE/list 2017-02-16 04:34:11 UTC (rev 48981) @@ -99,6 +99,8 @@ CVE-2017-5972 (The TCP stack in the Linux kernel 3.x does not properly implement a ...) - linux TODO: check/investigate, further triage first in kernel-sec +CVE-2016-10225 + NOT-FOR-US: sunxi-debug driver in Allwinner kernel CVE-2016-10224 (An issue was discovered in Sauter NovaWeb web HMI. The application uses ...) NOT-FOR-US: Sauter NovaWeb CVE-2016-10223 (An issue was discovered in BigTree CMS before 4.2.15. The vulnerability ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48982 - data/CVE
Author: carnil Date: 2017-02-16 04:53:46 + (Thu, 16 Feb 2017) New Revision: 48982 Modified: data/CVE/list Log: Add CVE-2017-6000/qemu Modified: data/CVE/list === --- data/CVE/list 2017-02-16 04:34:11 UTC (rev 48981) +++ data/CVE/list 2017-02-16 04:53:46 UTC (rev 48982) @@ -1,8 +1,13 @@ CVE-2017-6001 [Incomplete fix for CVE-2016-6786] - linux NOTE: Fixed by: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290 -CVE-2017-6000 +CVE-2017-6000 [crypto: memory leakage in qcrypto_ivgen_essiv_init] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg00295.html + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422656#c3 + TODO: check versions, and as well original analysis by Red Hat was incomplete CVE-2017-5999 RESERVED CVE-2017-5998 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48983 - data/CVE
Author: carnil Date: 2017-02-16 04:56:23 + (Thu, 16 Feb 2017) New Revision: 48983 Modified: data/CVE/list Log: Add CVE-2017-5981/zziplib Modified: data/CVE/list === --- data/CVE/list 2017-02-16 04:53:46 UTC (rev 48982) +++ data/CVE/list 2017-02-16 04:56:23 UTC (rev 48983) @@ -79,8 +79,10 @@ NOTE: Workaround entry for DSA-3787-1 until CVE assigned NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=57544 -CVE-2017-5981 +CVE-2017-5981 [assertion failure in seeko.c] RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c/ CVE-2017-5980 RESERVED CVE-2017-5979 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48984 - data/CVE
Author: carnil Date: 2017-02-16 04:59:55 + (Thu, 16 Feb 2017) New Revision: 48984 Modified: data/CVE/list Log: More zziplib issues Modified: data/CVE/list === --- data/CVE/list 2017-02-16 04:56:23 UTC (rev 48983) +++ data/CVE/list 2017-02-16 04:59:55 UTC (rev 48984) @@ -85,18 +85,32 @@ NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c/ CVE-2017-5980 RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5979 RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c/ CVE-2017-5978 RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5977 RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5976 RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5975 RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c/ CVE-2017-5974 RESERVED + - zziplib + NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c/ CVE-2017-5973 [Qemu: usb: infinite loop while doing control transfer in xhci_kick_epctx] RESERVED - qemu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48985 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:10:33 + (Thu, 16 Feb 2017) New Revision: 48985 Modified: data/CVE/list Log: CVE-2017-2621/heat Modified: data/CVE/list === --- data/CVE/list 2017-02-16 04:59:55 UTC (rev 48984) +++ data/CVE/list 2017-02-16 06:10:33 UTC (rev 48985) @@ -9376,8 +9376,11 @@ RESERVED CVE-2017-2622 RESERVED -CVE-2017-2621 +CVE-2017-2621 [/var/log/heat/ is world readable] RESERVED + - heat + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2621 + TODO: check CVE-2017-2620 RESERVED CVE-2017-2619 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48986 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:11:41 + (Thu, 16 Feb 2017) New Revision: 48986 Modified: data/CVE/list Log: CVE-2017-2622 Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:10:33 UTC (rev 48985) +++ data/CVE/list 2017-02-16 06:11:41 UTC (rev 48986) @@ -9374,8 +9374,10 @@ RESERVED CVE-2017-2623 RESERVED -CVE-2017-2622 +CVE-2017-2622 [openstack-mistral: /var/log/mistral/ is world readable] RESERVED + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2622 + TODO: check CVE-2017-2621 [/var/log/heat/ is world readable] RESERVED - heat ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48987 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:13:18 + (Thu, 16 Feb 2017) New Revision: 48987 Modified: data/CVE/list Log: CVE-2017-2627 Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:11:41 UTC (rev 48986) +++ data/CVE/list 2017-02-16 06:13:18 UTC (rev 48987) @@ -9364,8 +9364,10 @@ RESERVED CVE-2017-2628 RESERVED -CVE-2017-2627 +CVE-2017-2627 [openstack-tripleo-common: sudoers file is too permissive] RESERVED + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421917 + TODO: check CVE-2017-2626 RESERVED CVE-2017-2625 @@ -9376,7 +9378,7 @@ RESERVED CVE-2017-2622 [openstack-mistral: /var/log/mistral/ is world readable] RESERVED - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2622 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420992 TODO: check CVE-2017-2621 [/var/log/heat/ is world readable] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48988 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:15:33 + (Thu, 16 Feb 2017) New Revision: 48988 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:13:18 UTC (rev 48987) +++ data/CVE/list 2017-02-16 06:15:33 UTC (rev 48988) @@ -1358,6 +1358,7 @@ RESERVED CVE-2017-5585 RESERVED + NOT-FOR-US: OpenText Documentum Content Server CVE-2017-5584 RESERVED CVE-2017-5583 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48989 - data/CVE
Author: fgeek-guest Date: 2017-02-16 06:22:04 + (Thu, 16 Feb 2017) New Revision: 48989 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:15:33 UTC (rev 48988) +++ data/CVE/list 2017-02-16 06:22:04 UTC (rev 48989) @@ -1356,6 +1356,7 @@ RESERVED CVE-2017-5586 RESERVED + NOT-FOR-US: OpenText Documentum D2 CVE-2017-5585 RESERVED NOT-FOR-US: OpenText Documentum Content Server ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48990 - data/CVE
Author: jmm Date: 2017-02-16 07:54:57 + (Thu, 16 Feb 2017) New Revision: 48990 Modified: data/CVE/list Log: add bug reference for zziplib Modified: data/CVE/list === --- data/CVE/list 2017-02-16 06:22:04 UTC (rev 48989) +++ data/CVE/list 2017-02-16 07:54:57 UTC (rev 48990) @@ -81,35 +81,35 @@ NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=57544 CVE-2017-5981 [assertion failure in seeko.c] RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c/ CVE-2017-5980 RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5979 RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c/ CVE-2017-5978 RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5977 RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5976 RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5975 RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c/ CVE-2017-5974 RESERVED - - zziplib + - zziplib (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c/ CVE-2017-5973 [Qemu: usb: infinite loop while doing control transfer in xhci_kick_epctx] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48991 - data/CVE
Author: jmm Date: 2017-02-16 07:57:26 + (Thu, 16 Feb 2017) New Revision: 48991 Modified: data/CVE/list Log: qemu n/a for jessie/wheezy Modified: data/CVE/list === --- data/CVE/list 2017-02-16 07:54:57 UTC (rev 48990) +++ data/CVE/list 2017-02-16 07:57:26 UTC (rev 48991) @@ -4,10 +4,10 @@ CVE-2017-6000 [crypto: memory leakage in qcrypto_ivgen_essiv_init] RESERVED - qemu - - qemu-kvm + [jessie] - qemu (Vulnerable code not present) + - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg00295.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422656#c3 - TODO: check versions, and as well original analysis by Red Hat was incomplete CVE-2017-5999 RESERVED CVE-2017-5998 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
