[Secure-testing-commits] r49066 - data
Author: carnil Date: 2017-02-20 07:33:35 + (Mon, 20 Feb 2017) New Revision: 49066 Modified: data/dsa-needed.txt Log: Add note for bind9 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-20 01:11:59 UTC (rev 49065) +++ data/dsa-needed.txt 2017-02-20 07:33:35 UTC (rev 49066) @@ -18,6 +18,7 @@ sf is working on an update, but needs extra testing due to invasive changes -- bind9 + carnil: prepared tentative update, sent to mgilbert and team -- graphicsmagick -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
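Review bot: the new dsa-needed.txt note under bind9 records who prepared the update but not which issue it is for; add the CVE id and bug reference (the matching data/CVE/list entry in r49065 gives CVE-2017-3135 and bug #855520) so the dsa-needed entry can be tied to the tracker entry without reading the commit log, e.g. `carnil: prepared tentative update for CVE-2017-3135 (bug #855520), sent to mgilbert and team`.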
[Secure-testing-commits] r49065 - data/CVE
Author: mgilbert Date: 2017-02-20 01:11:59 + (Mon, 20 Feb 2017) New Revision: 49065 Modified: data/CVE/list Log: bind fixed Modified: data/CVE/list === --- data/CVE/list 2017-02-19 21:10:12 UTC (rev 49064) +++ data/CVE/list 2017-02-20 01:11:59 UTC (rev 49065) @@ -8271,7 +8271,7 @@ RESERVED CVE-2017-3135 [Assertion failure when using DNS64 and RPZ can lead to crash] RESERVED - - bind9 (bug #855520) + - bind9 1:9.10.3.dfsg.P4-12 (bug #855520) NOTE: https://kb.isc.org/article/AA-01453 NOTE: Fixed by https://bugzilla.redhat.com/attachment.cgi?id=1248550 (diff between bind-9.9.9-P5 and bind-9.9.9-P6) CVE-2017-3134 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
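Review bot: the fixed version `1:9.10.3.dfsg.P4-12` is recorded for unstable only, and the entry still carries no [jessie] or [wheezy] lines, so the state of the stable suites stays implicit even though the dsa-needed.txt entry says a stable update is in preparation; add the suite lines so the tracker reflects that. Worth confirming as well that the referenced diff between bind-9.9.9-P5 and bind-9.9.9-P6 applies cleanly to the 9.10.3 branch the fixed package is based on, since the NOTE is the only pointer to the fix.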
[Secure-testing-commits] r49064 - data/CVE
Author: sectracker Date: 2017-02-19 21:10:12 + (Sun, 19 Feb 2017) New Revision: 49064 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-02-19 17:17:43 UTC (rev 49063) +++ data/CVE/list 2017-02-19 21:10:12 UTC (rev 49064) @@ -1,3 +1,5 @@ +CVE-2017-6101 + RESERVED CVE-2017-6099 RESERVED CVE-2017-6098 @@ -39205,6 +39207,7 @@ NOTE: https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/08/1 CVE-2017-6100 [LFI posting internal files externally abusing default parameter] + RESERVED - tcpdf 6.2.12+dfsg2-1 (bug #814030) NOTE: https://sourceforge.net/p/tcpdf/bugs/1005/ CVE-2015-8808 (The DecodeImage function in coders/gif.c in GraphicsMagick 1.3.18 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49063 - data/CVE
Author: carnil Date: 2017-02-19 17:17:43 + (Sun, 19 Feb 2017) New Revision: 49063 Modified: data/CVE/list Log: Add bug reference for bind9 Modified: data/CVE/list === --- data/CVE/list 2017-02-19 16:36:53 UTC (rev 49062) +++ data/CVE/list 2017-02-19 17:17:43 UTC (rev 49063) @@ -8267,9 +8267,9 @@ RESERVED CVE-2017-3136 RESERVED -CVE-2017-3135 +CVE-2017-3135 [Assertion failure when using DNS64 and RPZ can lead to crash] RESERVED - - bind9 + - bind9 (bug #855520) NOTE: https://kb.isc.org/article/AA-01453 NOTE: Fixed by https://bugzilla.redhat.com/attachment.cgi?id=1248550 (diff between bind-9.9.9-P5 and bind-9.9.9-P6) CVE-2017-3134 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49062 - data/CVE
Author: carnil Date: 2017-02-19 16:36:53 + (Sun, 19 Feb 2017) New Revision: 49062 Modified: data/CVE/list Log: CVE-2017-6100/tcpdf assigned Modified: data/CVE/list === --- data/CVE/list 2017-02-19 13:35:14 UTC (rev 49061) +++ data/CVE/list 2017-02-19 16:36:53 UTC (rev 49062) @@ -39204,7 +39204,7 @@ - xdelta3 3.0.8-dfsg-1.1 (bug #814067) NOTE: https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/08/1 -CVE-2014- [LFI posting internal files externally abusing default parameter] +CVE-2017-6100 [LFI posting internal files externally abusing default parameter] - tcpdf 6.2.12+dfsg2-1 (bug #814030) NOTE: https://sourceforge.net/p/tcpdf/bugs/1005/ CVE-2015-8808 (The DecodeImage function in coders/gif.c in GraphicsMagick 1.3.18 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
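Review bot: only the id changes here, so the entry now named `CVE-2017-6100` stays at its old position in the 2014 block of data/CVE/list (the context lines around it are the xdelta3 entry and CVE-2015-8808). Move it up to the CVE-2017-61xx block at the top of the file, otherwise tools and people that scan the file in id order will not find it next to its neighbours and the automatic update will keep touching it in place.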
[Secure-testing-commits] r49061 - data/CVE
Author: carnil Date: 2017-02-19 13:35:14 + (Sun, 19 Feb 2017) New Revision: 49061 Modified: data/CVE/list Log: Update for pcre3 CVE Modified: data/CVE/list === --- data/CVE/list 2017-02-19 09:49:09 UTC (rev 49060) +++ data/CVE/list 2017-02-19 13:35:14 UTC (rev 49061) @@ -203,6 +203,8 @@ RESERVED CVE-2017-6004 (The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE ...) - pcre3 2:8.39-2.1 (bug #855405) + [jessie] - pcre3 (Vulnerable code introduced later) + [wheezy] - pcre3 (Vulnerable code introduced later) NOTE: https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch NOTE: https://bugs.exim.org/show_bug.cgi?id=2035 CVE-2017-6003 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
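Review bot: the added `[jessie] - pcre3 (Vulnerable code introduced later)` and `[wheezy] - pcre3 (Vulnerable code introduced later)` lines carry only the package name and a parenthesised reason, with no status marker; in the tracker syntax a suite line without a marker such as not-affected is read as the package still being affected in that suite, which is the opposite of what the reason says. Check that the not-affected marker is present in the committed file (angle-bracketed markers are easily dropped by the mail rendering), e.g. `[jessie] - pcre3 <not-affected> (Vulnerable code introduced later)`.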
[Secure-testing-commits] r49060 - bin
Author: pabs Date: 2017-02-19 09:49:09 + (Sun, 19 Feb 2017) New Revision: 49060 Modified: bin/compare-nvd-cve Log: Avoid hard-coding the list of years since 2002 Calculate the range based on the current year. Modified: bin/compare-nvd-cve === --- bin/compare-nvd-cve 2017-02-19 09:35:23 UTC (rev 49059) +++ bin/compare-nvd-cve 2017-02-19 09:49:09 UTC (rev 49060) @@ -45,26 +45,10 @@ close $fh; # -# Fetched from http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz +# Fetched from https://nvd.nist.gov/download.aspx # -for my $cvelist -( - "nvdcve-2.0-2016.xml", - "nvdcve-2.0-2015.xml", - "nvdcve-2.0-2014.xml", - "nvdcve-2.0-2013.xml", - "nvdcve-2.0-2012.xml", - "nvdcve-2.0-2011.xml", - "nvdcve-2.0-2010.xml", - "nvdcve-2.0-2009.xml", - "nvdcve-2.0-2008.xml", - "nvdcve-2.0-2007.xml", - "nvdcve-2.0-2006.xml", - "nvdcve-2.0-2005.xml", - "nvdcve-2.0-2004.xml", - "nvdcve-2.0-2003.xml", - "nvdcve-2.0-2002.xml", -) { +for my $year (reverse 2002 .. (gmtime())[5]+1900) { +my $cvelist = "nvdcve-2.0-$year.xml"; print STDERR "Loading $cvelist\n" if $debug; my $ref = XMLin("data/nvd2/" . $cvelist); for my $cve (sort {$b cmp $a} keys %{$ref->{entry}}) { ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
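Review bot: the rewritten loop `for my $year (reverse 2002 .. (gmtime())[5]+1900)` now loads data/nvd2/nvdcve-2.0-$year.xml for every year up to the current one unconditionally, so a run before the current year's feed has been downloaded will die inside XMLin on the missing file instead of simply not listing it, as the old explicit list did. Guard it with `next unless -e "data/nvd2/$cvelist";` (warning under $debug) before the XMLin call, and consider making the start year a named constant alongside the updated download URL comment rather than a literal 2002 in the range expression.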
[Secure-testing-commits] r49059 - data/CVE
Author: carnil Date: 2017-02-19 09:35:23 + (Sun, 19 Feb 2017) New Revision: 49059 Modified: data/CVE/list Log: Update CVE-2017-6074/linux Modified: data/CVE/list === --- data/CVE/list 2017-02-19 09:10:13 UTC (rev 49058) +++ data/CVE/list 2017-02-19 09:35:23 UTC (rev 49059) @@ -51,7 +51,8 @@ CVE-2017-6075 RESERVED CVE-2017-6074 (The dccp_rcv_state_process function in net/dccp/input.c in the Linux ...) - TODO: check + - linux + NOTE: Fixed by: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 CVE-2017-6073 RESERVED CVE-2017-6072 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
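Review bot: replacing `TODO: check` with `- linux` and a `Fixed by` commit reference is right while no fixed upload exists, but the entry still has no [jessie] or [wheezy] lines, so the stable kernels are left without a status; add them once the referenced net/dccp fix has been checked against the stable branches so the triage is not reopened later.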
[Secure-testing-commits] r49058 - data/CVE
Author: sectracker Date: 2017-02-19 09:10:13 + (Sun, 19 Feb 2017) New Revision: 49058 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-02-19 09:02:25 UTC (rev 49057) +++ data/CVE/list 2017-02-19 09:10:13 UTC (rev 49058) @@ -1,3 +1,51 @@ +CVE-2017-6099 + RESERVED +CVE-2017-6098 + RESERVED +CVE-2017-6097 + RESERVED +CVE-2017-6096 + RESERVED +CVE-2017-6095 + RESERVED +CVE-2017-6094 + RESERVED +CVE-2017-6093 + RESERVED +CVE-2017-6092 + RESERVED +CVE-2017-6091 + RESERVED +CVE-2017-6090 + RESERVED +CVE-2017-6089 + RESERVED +CVE-2017-6088 + RESERVED +CVE-2017-6087 + RESERVED +CVE-2017-6086 + RESERVED +CVE-2017-6085 + RESERVED +CVE-2017-6084 + RESERVED +CVE-2017-6083 + RESERVED +CVE-2017-6082 + RESERVED +CVE-2017-6081 + RESERVED +CVE-2017-6080 + RESERVED +CVE-2017-6079 + RESERVED +CVE-2017-6078 + RESERVED +CVE-2017-6077 + RESERVED +CVE-2016-10227 + RESERVED CVE-2017-6076 RESERVED CVE-2017-6075 @@ -2,4 +50,4 @@ RESERVED -CVE-2017-6074 - RESERVED +CVE-2017-6074 (The dccp_rcv_state_process function in net/dccp/input.c in the Linux ...) + TODO: check CVE-2017-6073 @@ -168,8 +216,7 @@ RESERVED CVE-2014-9916 RESERVED -CVE-2017-6001 [Incomplete fix for CVE-2016-6786] - RESERVED +CVE-2017-6001 (Race condition in kernel/events/core.c in the Linux kernel before ...) - linux 4.9.10-1 NOTE: Fixed by: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290 CVE-2017-6000 @@ -217,8 +264,7 @@ - qemu - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02776.html -CVE-2017-5986 [Reachable BUG_ON from userspace in sctp_wait_for_sndbuf()] - RESERVED +CVE-2017-5986 (Race condition in the sctp_wait_for_sndbuf function in ...) - linux 4.9.10-1 NOTE: Fixed by: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90 CVE-2017-5985 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
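Review bot: in the hunk at `@@ -168,8 +216,7 @@` the automatic update replaces the hand-written title `CVE-2017-6001 [Incomplete fix for CVE-2016-6786]` with the NVD description, and the relation to CVE-2016-6786 disappears from the entry; preserve it as a NOTE line (e.g. `NOTE: Incomplete fix for CVE-2016-6786`), since it is what tells a later reader that the earlier fix's suite status may need revisiting. The hunk at `@@ -217,8 +264,7 @@` does the same to CVE-2017-5986, where the NVD text at least still names sctp_wait_for_sndbuf. Separately, the first two hunk headers (`@@ -1,3 +1,5 @@` and `@@ -2,4 +50,4 @@`) have overlapping old-file ranges, which a well-formed diff should not produce; check that this is a mail-rendering artifact rather than a corrupted revision.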
[Secure-testing-commits] r49056 - /
Author: pabs Date: 2017-02-19 09:02:19 + (Sun, 19 Feb 2017) New Revision: 49056 Modified: Makefile Log: Use the local mirror instead Modified: Makefile === --- Makefile2017-02-18 21:10:13 UTC (rev 49055) +++ Makefile2017-02-19 09:02:19 UTC (rev 49056) @@ -5,7 +5,7 @@ # Adjust these if necessary. The architecture selection is rather # arbitrary at the moment. More architectures can be added later. -MIRROR = http://ftp.de.debian.org/debian/ +MIRROR = http://debian.csail.mit.edu/debian/ squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc kfreebsd-i386 kfreebsd-amd64 squeeze_LTS_ARCHS = amd64 i386 wheezy_ARCHS = amd64 armel armhf i386 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
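Review bot: `MIRROR = http://debian.csail.mit.edu/debian/` swaps one hard-coded mirror for another, so every other user of this Makefile now fetches from a mirror that is local to one contributor; the comment above already says "Adjust these if necessary", so make the value overridable with `MIRROR ?= ...` (or take it from the environment) instead of committing a personal choice. Both the old and new values are plain http, so the integrity of the fetched indices must not depend on the mirror at all; if they are not already checked against a signed Release file, that is the change to make, not the mirror name.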
[Secure-testing-commits] r49057 - /
Author: pabs Date: 2017-02-19 09:02:25 + (Sun, 19 Feb 2017) New Revision: 49057 Modified: TODO.gitmigration Log: Correct a domain name typo Modified: TODO.gitmigration === --- TODO.gitmigration 2017-02-19 09:02:19 UTC (rev 49056) +++ TODO.gitmigration 2017-02-19 09:02:25 UTC (rev 49057) @@ -41,7 +41,7 @@ to the svn repository in recent years?) - get the DD acl applied (then point above only applies to -guest users) -team-security.debian.org website +security-team.debian.org website - move this file to git - ping federico3 to update the codebase for security-metrics.d.n (uses git-svn) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits