[Secure-testing-commits] r49783 - data/DLA
Author: lamby Date: 2017-03-18 22:23:20 + (Sat, 18 Mar 2017) New Revision: 49783 Modified: data/DLA/list Log: Reserve DLA-862-1 for sitesummary on behalf of hol...@debian.org. Modified: data/DLA/list === --- data/DLA/list 2017-03-18 21:25:53 UTC (rev 49782) +++ data/DLA/list 2017-03-18 22:23:20 UTC (rev 49783) @@ -1,3 +1,6 @@ +[18 Mar 2017] DLA-862-1 sitesummary - security update + {CVE-2016-8743} + [wheezy] - sitesummary 0.1.8+deb7u2 [17 Mar 2017] DLA-861-1 r-base - security update {CVE-2016-8714} [wheezy] - r-base 2.15.1-4+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49782 - data
Author: apo Date: 2017-03-18 21:25:53 + (Sat, 18 Mar 2017) New Revision: 49782 Modified: data/dla-needed.txt Log: Update status of libplist in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-18 21:22:47 UTC (rev 49781) +++ data/dla-needed.txt 2017-03-18 21:25:53 UTC (rev 49782) @@ -56,6 +56,8 @@ NOTE: Pinged on 2017-02-06 https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby) -- libplist (Markus Koschany) + NOTE: Fixed CVE-2017-6435, CVE-2017-6436. CVE-2017-6439 is probably a duplicate of CVE-2017-6436. + NOTE: The rest is still unfixed/more information needed. -- libpodofo NOTE: 20170310: No patches available.
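Review bot: the second added NOTE ("The rest is still unfixed/more information needed") leaves the open CVE IDs unnamed, so the next LTS triager has to re-derive which libplist issues remain; list them explicitly. The duplicate claim in the first NOTE ("CVE-2017-6439 is probably a duplicate of CVE-2017-6436") also belongs as a NOTE on the CVE-2017-6439 entry in data/CVE/list, which is where that ID is looked up, not only in dla-needed.txt.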
[Secure-testing-commits] r49781 - data
Author: apo Date: 2017-03-18 21:22:47 + (Sat, 18 Mar 2017) New Revision: 49781 Modified: data/dla-needed.txt Log: Claim php5 in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-18 21:10:13 UTC (rev 49780) +++ data/dla-needed.txt 2017-03-18 21:22:47 UTC (rev 49781) @@ -88,7 +88,7 @@ -- partclone -- -php5 +php5 (Markus Koschany) NOTE: only one issue at the time of writing (CVE-2016-7478) NOTE: backported patch available, but maybe wait for more issues? NOTE: -- 2017-02-20 Antoine Beaupre
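Review bot: the existing NOTE from 2017-02-20 leaves the question "maybe wait for more issues?" open, and the claim line does not answer it; a dated NOTE recording either that more php5 issues have accumulated or that the single CVE-2016-7478 fix is going ahead would keep dla-needed.txt self-explanatory for the next reader.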
[Secure-testing-commits] r49780 - data/CVE
Author: sectracker Date: 2017-03-18 21:10:13 + (Sat, 18 Mar 2017) New Revision: 49780 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-03-18 20:56:12 UTC (rev 49779) +++ data/CVE/list 2017-03-18 21:10:13 UTC (rev 49780) @@ -605,6 +605,7 @@ CVE-2017-6885 RESERVED CVE-2017-6903 (In ioquake3 before 2017-03-14, the auto-downloading feature has ...) + {DSA-3812-1} - ioquake3 1.36+u20161101+dfsg1-2 (bug #857699) - iortcw 1.50a+dfsg1-3 (bug #857714) NOTE: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/ 
@@ -1583,49 +1584,49 @@ CVE-2017-6475 RESERVED CVE-2017-6474 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-07.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a998c9195f183d85f5b0bbeebba21a2d4d303d47 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13429 CVE-2017-6473 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-09.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7edc761a01cda8e1b37677f673985582330317d2 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13431 CVE-2017-6472 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an RTMPT ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-04.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2b3a0909beff8963b390034c594e0b6be6a4e531 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13347 CVE-2017-6471 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-05.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=62afef41277dfac37f515207ca73d33306e3302b NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13348 CVE-2017-6470 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 ...) 
- {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-10.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0b89174ef4c531a1917437fff586fe525ee7bf2d NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13432 CVE-2017-6469 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-03.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4f753c127082d5e28abf482d6d175cbfee6661f7 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13346 CVE-2017-6468 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-08.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9f3bc84b7e7e435c50b8b68f0fc526d0f5676cbf NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13430 CVE-2017-6467 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-11.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=284ad58d288722a8725401967bff0c4455488f0c @@ -2842,7 +2843,7 @@ CVE-2017-6015 RESERVED CVE-2017-6014 (In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 ...) - {DLA-826-1} + {DSA-3811-1 DLA-826-1} - wireshark 2.2.5+g440fd4d-2 (bug #855408) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13416 CVE-2017-6013 
@@ -4294,12 +4295,12 @@ NOTE: Introduced in (master): http://git.savannah.gnu.org/cgit/screen.git/commit/?id=c575c40c9bd7653470639da32e06faed0a9b2ec4 NOTE: http://www.openwall.com/lists/oss-security/2017/01/24/10 CVE-2017-5597 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector ...) - {DLA-858-1} + {DSA-3811-1 DLA-858-1} - wireshark 2.2.4+gcc3d
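Review bot: the last hunk of this automatic update is cut off in the archive after "- wireshark 2.2.4+gcc3d", so the CVE-2017-5597 change cannot be checked here in full. The DSA-3811-1 entry added in r49766 also lists CVE-2017-5596, which does not appear in any visible hunk of this update; confirm that entry received the {DSA-3811-1} reference too.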
[Secure-testing-commits] r49779 - data/CVE
Author: carnil Date: 2017-03-18 20:56:12 + (Sat, 18 Mar 2017) New Revision: 49779 Modified: data/CVE/list Log: Add bug reference for CVE-2017-6967 Modified: data/CVE/list === --- data/CVE/list 2017-03-18 20:56:00 UTC (rev 49778) +++ data/CVE/list 2017-03-18 20:56:12 UTC (rev 49779) @@ -426,7 +426,7 @@ - binutils NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21156 CVE-2017-6967 (xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect ...) - - xrdp + - xrdp (bug #858143) NOTE: https://bugs.launchpad.net/ubuntu/+source/xrdp/+bug/1672742 NOTE: https://github.com/neutrinolabs/xrdp/issues/350 NOTE: First attempt: https://github.com/neutrinolabs/xrdp/pull/694
[Secure-testing-commits] r49778 - data/CVE
Author: carnil Date: 2017-03-18 20:56:00 + (Sat, 18 Mar 2017) New Revision: 49778 Modified: data/CVE/list Log: Add information for CVE-2017-6967 Modified: data/CVE/list === --- data/CVE/list 2017-03-18 20:28:38 UTC (rev 49777) +++ data/CVE/list 2017-03-18 20:56:00 UTC (rev 49778) @@ -429,7 +429,10 @@ - xrdp NOTE: https://bugs.launchpad.net/ubuntu/+source/xrdp/+bug/1672742 NOTE: https://github.com/neutrinolabs/xrdp/issues/350 - NOTE: https://github.com/neutrinolabs/xrdp/pull/694 + NOTE: First attempt: https://github.com/neutrinolabs/xrdp/pull/694 + NOTE: Followed by: https://github.com/neutrinolabs/xrdp/pull/696 + NOTE: http://www.openwall.com/lists/oss-security/2017/03/18/1 + NOTE: https://github.com/neutrinolabs/xrdp/pull/696/commits/44129acd210c803fc8bbcfaf1b0db05e5bb4034f CVE-2017-6966 (readelf in GNU Binutils 2.28 has a use-after-free (specifically ...) - binutils NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21139
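Review bot: the final NOTE (the pull/696 commit) is the reference a reader needs to find the actual fix, but it is an unlabelled URL while "First attempt" and "Followed by" leave it to be inferred that pull/694 was insufficient; the convention used elsewhere in data/CVE/list is "NOTE: Fixed by: ...". Suggest "NOTE: Fixed by: https://github.com/neutrinolabs/xrdp/pull/696/commits/44129acd210c803fc8bbcfaf1b0db05e5bb4034f" plus a short NOTE stating why the first pull request was not enough.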
[Secure-testing-commits] r49777 - data/CVE
Author: benh Date: 2017-03-18 20:28:38 + (Sat, 18 Mar 2017) New Revision: 49777 Modified: data/CVE/list Log: Triage some Android issues; mark most as NOT-FOR-US Modified: data/CVE/list === --- data/CVE/list 2017-03-18 18:47:34 UTC (rev 49776) +++ data/CVE/list 2017-03-18 20:28:38 UTC (rev 49777) @@ -37078,7 +37078,7 @@ CVE-2016-3890 (The Java Debug Wire Protocol (JDWP) implementation in adb/sockets.cpp ...) TODO: check CVE-2016-3889 (Android 6.x before 2016-09-01 and 7.0 before 2016-09-01 allows ...) - TODO: check + NOT-FOR-US: Android CVE-2016-3888 (internal/telephony/SMSDispatcher.java in Android 4.x before 4.4.4, ...) NOT-FOR-US: Android CVE-2016-3887 (providers/settings/SettingsProvider.java in Android 7.0 before ...) @@ -37227,7 +37227,7 @@ CVE-2016-3819 (Integer overflow in codecs/on2/h264dec/source/h264bsd_dpb.c in ...) NOT-FOR-US: libstagefright CVE-2016-3818 (libc in Android 4.x before 4.4.4 allows remote attackers to cause a ...) - TODO: check + NOT-FOR-US: Android libc CVE-2016-3817 RESERVED CVE-2016-3816 (The MediaTek display driver in Android before 2016-07-05 on Android ...) @@ -37257,9 +37257,13 @@ CVE-2016-3804 (The MediaTek power management driver in Android before 2016-07-05 on ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3803 (The kernel filesystem implementation in Android before 2016-07-05 on ...) - TODO: check + - linux + NOTE: https://source.android.com/security/bulletin/2016-07-01.html + NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2016-3802 (The kernel filesystem implementation in Android before 2016-07-05 on ...) - TODO: check + - linux + NOTE: https://source.android.com/security/bulletin/2016-07-01.html + NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2016-3801 (The MediaTek GPS driver in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3800 (The MediaTek video driver in Android before 2016-07-05 on Android One ...) 
@@ -37313,7 +37317,9 @@ CVE-2016-3776 RESERVED CVE-2016-3775 (The kernel filesystem implementation in Android before 2016-07-05 on ...) - TODO: check + - linux + NOTE: https://source.android.com/security/bulletin/2016-07-01.html + NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2016-3774 (The MediaTek drivers in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek drivers for Android CVE-2016-3773 (The MediaTek drivers in Android before 2016-07-05 on Android One ...) @@ -37339,7 +37345,7 @@ CVE-2016-3763 (net/PacProxySelector.java in the Proxy Auto-Config (PAC) feature in ...) NOT-FOR-US: Android CVE-2016-3762 (The sockets subsystem in Android 5.0.x before 5.0.2, 5.1.x before ...) - TODO: check + NOT-FOR-US: Android SELinux policy CVE-2016-3761 (NfcService.java in NFC in Android 4.x before 4.4.4, 5.0.x before ...) NOT-FOR-US: Android CVE-2016-3760 (Bluetooth in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x ...) @@ -37347,9 +37353,9 @@ CVE-2016-3759 (The Framework APIs in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, ...) NOT-FOR-US: Android CVE-2016-3758 (Multiple buffer overflows in libdex/OptInvocation.cpp in ...) - TODO: check + - android-platform-dalvik 6.0.1+r55-1 CVE-2016-3757 (The print_maps function in toolbox/lsof.c in Android 4.x before 4.4.4, ...) - TODO: check + NOT-FOR-US: toolbox CVE-2016-3756 (Tremolo/res012.c in mediaserver in Android 4.x before 4.4.4, 5.0.x ...) NOT-FOR-US: Android Mediaserver CVE-2016-3755 (decoder/ih264d_parse_pslice.c in mediaserver in Android 6.x before ...) 
@@ -37367,11 +37373,11 @@ CVE-2016-3749 (server/LockSettingsService.java in LockSettingsService in Android 6.x ...) NOT-FOR-US: Android CVE-2016-3748 (The sockets subsystem in Android 6.x before 2016-07-01 allows ...) - TODO: check + NOT-FOR-US: Android SELinux policy CVE-2016-3747 (Use-after-free vulnerability in the mm-video-v4l2 venc component in ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-3746 (Use-after-free vulnerability in the mm-video-v4l2 vdec component in ...) - TODO: check + NOT-FOR-US: Android Mediaserver CVE-2016-3745 (Multiple buffer overflows in mediaserver in Android 4.x before 4.4.4, ...) NOT-FOR-US: Android Mediaserver CVE-2016-3744 (Buffer overflow in the create_pbuf function in btif/src/btif_hh.c in ...) @@ -55221,7 +55227,9 @@ CVE-2015-6647 (The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 ...) NOT-FOR-US: Android CVE-2015-6646 (The System V IPC implementation in the kernel in Android before 6.0 ...) -
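Review bot: the three kernel filesystem entries (CVE-2016-3803, CVE-2016-3802, CVE-2016-3775) are changed from "TODO: check" to "- linux" with no fixed version, which leaves them open against the Debian kernel, yet the accompanying NOTE says no source patch is available and the issue may relate to Apache-licensed sdcardfs, so it is not established that the Debian linux package contains the affected code. Either keep the TODO until the code is identified, or once confirmed absent use an explicit annotation as done elsewhere in the file ("(Vulnerable code not present)"). Separately, CVE-2016-3758 gets the fixed version android-platform-dalvik 6.0.1+r55-1 without any NOTE pointing at the fixing commit or bulletin, unlike the linux entries in the same change.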
[Secure-testing-commits] r49776 - data/CVE
Author: carnil Date: 2017-03-18 18:47:34 + (Sat, 18 Mar 2017) New Revision: 49776 Modified: data/CVE/list Log: Mark CVE-2017-2614 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-03-18 18:45:53 UTC (rev 49775) +++ data/CVE/list 2017-03-18 18:47:34 UTC (rev 49776) @@ -12498,6 +12498,7 @@ NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64 CVE-2017-2614 RESERVED + NOT-FOR-US: Red Hat ovirt-aaa-jdbc-tool tools CVE-2017-2613 RESERVED - jenkins
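Review bot: style nit on the added line: "NOT-FOR-US: Red Hat ovirt-aaa-jdbc-tool tools" repeats "tool"; "NOT-FOR-US: Red Hat ovirt-aaa-jdbc-tool" reads cleaner and matches the single-component form used by the other NOT-FOR-US lines.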
[Secure-testing-commits] r49775 - data/CVE
Author: carnil Date: 2017-03-18 18:45:53 + (Sat, 18 Mar 2017) New Revision: 49775 Modified: data/CVE/list Log: Mark CVE-2017-5643 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-03-18 18:38:06 UTC (rev 49774) +++ data/CVE/list 2017-03-18 18:45:53 UTC (rev 49775) @@ -3991,7 +3991,7 @@ CVE-2017-5644 RESERVED CVE-2017-5643 (Apache Camel's Validation Component is vulnerable against SSRF via ...) - TODO: check + NOT-FOR-US: Apache Camel CVE-2017-5642 RESERVED CVE-2017-5641
[Secure-testing-commits] r49774 - data
Author: carnil Date: 2017-03-18 18:38:06 + (Sat, 18 Mar 2017) New Revision: 49774 Modified: data/dsa-needed.txt Log: Take audiofile Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-03-18 18:35:21 UTC (rev 49773) +++ data/dsa-needed.txt 2017-03-18 18:38:06 UTC (rev 49774) @@ -12,7 +12,7 @@ If needed, specify the release by adding a slash after the name of the source package. -- -audiofile +audiofile (carnil) -- 389-ds-base (fw) --
[Secure-testing-commits] r49773 - data
Author: jmm Date: 2017-03-18 18:35:21 + (Sat, 18 Mar 2017) New Revision: 49773 Modified: data/next-point-update.txt Log: wget spu Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-03-18 17:04:06 UTC (rev 49772) +++ data/next-point-update.txt 2017-03-18 18:35:21 UTC (rev 49773) @@ -92,3 +92,5 @@ [jessie] - vim 2:7.4.488-7+deb8u3 CVE-2017-6350 [jessie] - vim 2:7.4.488-7+deb8u3 +CVE-2017-6508 + [jessie] - wget 1.16-1+deb8u2
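Review bot: the new next-point-update.txt entry for CVE-2017-6508 is out of sync with data/CVE/list, where r49770 left the jessie line as "[jessie] - wget (Minor issue)"; once the point update is accepted that line should become "[jessie] - wget 1.16-1+deb8u2", otherwise the tracker keeps reporting the issue as unfixed in jessie after the fixed package ships.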
[Secure-testing-commits] r49772 - data
Author: lamby Date: 2017-03-18 17:04:06 + (Sat, 18 Mar 2017) New Revision: 49772 Modified: data/dla-needed.txt Log: Triage chicken for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-18 16:32:20 UTC (rev 49771) +++ data/dla-needed.txt 2017-03-18 17:04:06 UTC (rev 49772) @@ -23,6 +23,8 @@ NOTE: 2017-03-10: Sent a mail to the cPanel security team and asked them to NOTE: share their security fixes for cgiemail. -- Jonas Meurer -- +chicken +-- gdk-pixbuf (Emilio Pozuelo) -- graphicsmagick
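Review bot: "chicken" is added to dla-needed.txt with no NOTE at all, while the neighbouring cgiemail entry carries dated status NOTEs; record at least the CVE ID(s) that make it LTS-relevant, so whoever claims it does not have to redo the triage the log message says was done.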
[Secure-testing-commits] r49771 - data/CVE
Author: carnil Date: 2017-03-18 16:32:20 + (Sat, 18 Mar 2017) New Revision: 49771 Modified: data/CVE/list Log: Add one required commit for audiofile issues Modified: data/CVE/list === --- data/CVE/list 2017-03-18 15:55:26 UTC (rev 49770) +++ data/CVE/list 2017-03-18 16:32:20 UTC (rev 49771) @@ -685,6 +685,7 @@ NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c + NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6837 RESERVED - audiofile 0.3.6-4 (bug #857651) @@ -697,6 +698,7 @@ NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h NOTE: https://github.com/mpruett/audiofile/issues/40 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c + NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6835 RESERVED - audiofile 0.3.6-4 (bug #857651) @@ -709,6 +711,7 @@ NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/38 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c + NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6833 RESERVED - audiofile 0.3.6-4 (bug #857651) 
@@ -733,6 +736,7 @@ NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/34 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c + NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6829 RESERVED - audiofile 0.3.6-4 (bug #857651)
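Review bot: commit ce536d707b8e2a26baca77320398c45238224ca7 is appended to four entries (CVE-2017-6838, CVE-2017-6836, CVE-2017-6834 and CVE-2017-6830, judging by the NOTE lines each hunk sits under) that are already marked fixed in audiofile 0.3.6-4; if that upload predates the identification of this second commit, the fixed version needs re-checking. The added line is also a bare URL; the log calls it a "required commit", so say so in the file, e.g. "NOTE: Fixed by: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 (follow-up to 7d65f89)".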
[Secure-testing-commits] r49770 - data/CVE
Author: carnil Date: 2017-03-18 15:55:26 + (Sat, 18 Mar 2017) New Revision: 49770 Modified: data/CVE/list Log: Add fixing version for CVE-2017-6508/wget Modified: data/CVE/list === --- data/CVE/list 2017-03-18 13:29:14 UTC (rev 49769) +++ data/CVE/list 2017-03-18 15:55:26 UTC (rev 49770) @@ -1466,7 +1466,7 @@ NOTE: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829 CVE-2017-6508 (CRLF injection vulnerability in the url_parse function in url.c in Wget ...) {DLA-851-1} - - wget (bug #857073) + - wget 1.19.1-2 (bug #857073) [jessie] - wget (Minor issue) NOTE: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
[Secure-testing-commits] r49769 - data/CVE
Author: carnil Date: 2017-03-18 13:29:14 + (Sat, 18 Mar 2017) New Revision: 49769 Modified: data/CVE/list Log: Add new mat issue, #858058 Modified: data/CVE/list === --- data/CVE/list 2017-03-18 13:21:06 UTC (rev 49768) +++ data/CVE/list 2017-03-18 13:29:14 UTC (rev 49769) @@ -1,3 +1,11 @@ +CVE-2017- ["Clean metadata" contextual menu silently fails] + - mat 0.6.1-4 (bug #858058) + [jessie] - mat (Vulnerable code not present) + [wheezy] - mat (Vulnerable code not present) + NOTE: https://0xacab.org/mat/mat/issues/11527 + NOTE: Fixed by: https://0xacab.org/mat/mat/commit/94ca62a429bb6a3a5f293de26053e54bbfeea9f9 + NOTE: Fixed by: https://0xacab.org/mat/mat/commit/8f6303a1f26fe8dad83ba96ab8328dbdfa3af59a + NOTE: Introduced by: https://0xacab.org/mat/mat/commit/0d1fe2555e90db35eeb531a1b6026ff64f1f5ae5 CVE-2017-7176 RESERVED CVE-2017-7175
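Review bot: the bracketed summary on the new "CVE-2017-" placeholder entry describes the UI symptom ("Clean metadata" contextual menu silently fails) rather than the consequence for the user, which is what a reader of data/CVE/list needs to judge severity; the "Introduced by:" commit is the evidence for the jessie and wheezy "(Vulnerable code not present)" markings, so a NOTE naming the first upstream version that shipped that commit would make those markings verifiable without re-reading the repository.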
[Secure-testing-commits] r49768 - data
Author: carnil Date: 2017-03-18 13:21:06 + (Sat, 18 Mar 2017) New Revision: 49768 Modified: data/dsa-needed.txt Log: Add libytnef for dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-03-18 13:06:13 UTC (rev 49767) +++ data/dsa-needed.txt 2017-03-18 13:21:06 UTC (rev 49768) @@ -22,6 +22,8 @@ -- libical -- +libytnef +-- linux wait until more issues have piled up --
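Review bot: libytnef is added to dsa-needed.txt without a status line, whereas the linux entry directly below carries one ("wait until more issues have piled up"); note which CVEs are pending and whether an upstream fix exists so the person who takes it knows the scope.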
[Secure-testing-commits] r49767 - data/CVE
Author: carnil Date: 2017-03-18 13:06:13 + (Sat, 18 Mar 2017) New Revision: 49767 Modified: data/CVE/list Log: Checked unstable upload, audiofile 0.3.6-4 contains fix for CVE-2017-6830 Modified: data/CVE/list === --- data/CVE/list 2017-03-18 13:03:43 UTC (rev 49766) +++ data/CVE/list 2017-03-18 13:06:13 UTC (rev 49767) @@ -721,7 +721,7 @@ NOTE: https://github.com/antlarr/audiofile/commit/a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 CVE-2017-6830 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/34 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c
[Secure-testing-commits] r49766 - in data: . DSA
Author: jmm Date: 2017-03-18 13:03:43 + (Sat, 18 Mar 2017) New Revision: 49766 Modified: data/DSA/list data/dsa-needed.txt Log: ioquake, wireshark DSA Modified: data/DSA/list === --- data/DSA/list 2017-03-18 13:01:40 UTC (rev 49765) +++ data/DSA/list 2017-03-18 13:03:43 UTC (rev 49766) @@ -1,3 +1,9 @@ +[18 Mar 2017] DSA-3812-1 ioquake3 - security update + {CVE-2017-6903} + [jessie] - ioquake3 1.36+u20140802+gca9eebb-2+deb8u1 +[18 Mar 2017] DSA-3811-1 wireshark - security update + {CVE-2017-5596 CVE-2017-5597 CVE-2017-6014 CVE-2017-6467 CVE-2017-6468 CVE-2017-6469 CVE-2017-6470 CVE-2017-6471 CVE-2017-6472 CVE-2017-6473 CVE-2017-6474} + [jessie] - wireshark 1.12.1+g01b65bf-4+deb8u11 [15 Mar 2017] DSA-3810-1 chromium-browser - security update {CVE-2017-5029 CVE-2017-5030 CVE-2017-5031 CVE-2017-5032 CVE-2017-5033 CVE-2017-5034 CVE-2017-5035 CVE-2017-5036 CVE-2017-5037 CVE-2017-5038 CVE-2017-5039 CVE-2017-5040 CVE-2017-5041 CVE-2017-5042 CVE-2017-5043 CVE-2017-5044 CVE-2017-5045 CVE-2017-5046} [jessie] - chromium-browser 57.0.2987.98-1~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-03-18 13:01:40 UTC (rev 49765) +++ data/dsa-needed.txt 2017-03-18 13:03:43 UTC (rev 49766) @@ -20,8 +20,6 @@ -- icedove -- -ioquake3 (jmm) --- libical -- linux @@ -44,8 +42,6 @@ tnef Needs possibly a regression update: #857342 -- -wireshark (jmm) --- wordpress (seb) Craig prepared an update --
[Secure-testing-commits] r49765 - data/CVE
Author: carnil Date: 2017-03-18 13:01:40 + (Sat, 18 Mar 2017) New Revision: 49765 Modified: data/CVE/list Log: Add reference for firefox Modified: data/CVE/list === --- data/CVE/list 2017-03-18 12:53:46 UTC (rev 49764) +++ data/CVE/list 2017-03-18 13:01:40 UTC (rev 49765) @@ -4777,6 +4777,7 @@ RESERVED - firefox-esr (Only affects 52 ESR, which isn't packaged yet except experimental where it's fixed) - firefox 52.0.1-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/#CVE-2017-5428 CVE-2017-5427 RESERVED - firefox 52.0-1
[Secure-testing-commits] r49764 - data/CVE
Author: jmm Date: 2017-03-18 12:53:46 + (Sat, 18 Mar 2017) New Revision: 49764 Modified: data/CVE/list Log: firefox firefox-esr as n/a Modified: data/CVE/list === --- data/CVE/list 2017-03-18 12:48:46 UTC (rev 49763) +++ data/CVE/list 2017-03-18 12:53:46 UTC (rev 49764) @@ -4775,7 +4775,7 @@ RESERVED CVE-2017-5428 RESERVED - - firefox-esr + - firefox-esr (Only affects 52 ESR, which isn't packaged yet except experimental where it's fixed) - firefox 52.0.1-1 CVE-2017-5427 RESERVED
[Secure-testing-commits] r49763 - data/CVE
Author: jmm Date: 2017-03-18 12:48:46 + (Sat, 18 Mar 2017) New Revision: 49763 Modified: data/CVE/list Log: new firefox issue Modified: data/CVE/list === --- data/CVE/list 2017-03-18 12:46:17 UTC (rev 49762) +++ data/CVE/list 2017-03-18 12:48:46 UTC (rev 49763) @@ -4775,6 +4775,8 @@ RESERVED CVE-2017-5428 RESERVED + - firefox-esr + - firefox 52.0.1-1 CVE-2017-5427 RESERVED - firefox 52.0-1
[Secure-testing-commits] r49762 - data/CVE
Author: jmm Date: 2017-03-18 12:46:17 + (Sat, 18 Mar 2017) New Revision: 49762 Modified: data/CVE/list Log: audiofile fixed (one CVE ID not listed, needs to be doublechecked) Modified: data/CVE/list === --- data/CVE/list 2017-03-18 12:43:19 UTC (rev 49761) +++ data/CVE/list 2017-03-18 12:46:17 UTC (rev 49762) 
@@ -667,55 +667,55 @@ RESERVED CVE-2017-6839 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 CVE-2017-6838 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c CVE-2017-6837 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6836 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h NOTE: https://github.com/mpruett/audiofile/issues/40 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c CVE-2017-6835 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp NOTE: https://github.com/mpruett/audiofile/issues/39 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6834 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/38 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c 
CVE-2017-6833 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp NOTE: https://github.com/mpruett/audiofile/issues/37 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6832 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp NOTE: https://github.com/mpruett/audiofile/issues/36 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6831 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp NOTE: https://github.com/mpruett/audiofile/issues/35 NOTE: https://github.com/antlarr/audiofile/commit/a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 
@@ -727,17 +727,17 @@ NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c CVE-2017-6829 RESERVED - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/33 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp NOTE: https://github.com/mpruett/audiofile/pull/43/commits/25eb00ce913452c2e614548d7df93070bf0d066f CVE-2017-6828 (Heap-based buffer overflow in the readValue function in FileHandle.cpp ...) - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/31 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6827 (Heap-based buffer overflow in the MSADPCM::initializeCoefficients ...) - - audiofile (bug #857651) + - audiofile 0.3.6-4 (bug #857651)
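Review bot: the "one CVE ID not listed, needs to be doublechecked" in the log is CVE-2017-6830: the first hunk ends with the CVE-2017-6831 NOTE lines and the second starts just above CVE-2017-6829, so the entry between them keeps "- audiofile (bug #857651)" with no fixed version. An open question like that should be recorded on the entry itself (a TODO or NOTE), not only in the commit message; r49767 in this batch later confirms 0.3.6-4 contains the fix.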
[Secure-testing-commits] r49761 - data/CVE
Author: jmm Date: 2017-03-18 12:43:19 + (Sat, 18 Mar 2017) New Revision: 49761 Modified: data/CVE/list Log: mark webkit as unimportant Modified: data/CVE/list === --- data/CVE/list 2017-03-18 10:34:25 UTC (rev 49760) +++ data/CVE/list 2017-03-18 12:43:19 UTC (rev 49761) @@ -34674,8 +34674,9 @@ - libxml2 2.9.4+dfsg1-2.1 (bug #840553) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b CVE-2016-4657 (WebKit in Apple iOS before 9.3.5 allows remote attackers to execute ...) - TODO: check + - webkitgtk (unimportant) NOTE: https://www.youtube.com/watch?v=xkdPjbaLngE + NOTE: Not covered by security support CVE-2016-4656 (The kernel in Apple iOS before 9.3.5 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2016-4655 (The kernel in Apple iOS before 9.3.5 allows attackers to obtain ...)
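Review bot: "- webkitgtk (unimportant)" together with "NOTE: Not covered by security support" is a consistent resolution of the TODO, but the only technical reference left on the entry is a YouTube video; add a NOTE pointing at the upstream WebKit fix so the "unimportant" marking can be re-evaluated if the support status of webkitgtk changes, and so the entry is not reliant on an external video staying online.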
[Secure-testing-commits] r49760 - data/CVE
Author: pabs Date: 2017-03-18 10:34:25 + (Sat, 18 Mar 2017) New Revision: 49760 Modified: data/CVE/list Log: CVE-2016-4657: not NFU as it works on Nintendo Switch too See: https://www.youtube.com/watch?v=xkdPjbaLngE Modified: data/CVE/list === --- data/CVE/list 2017-03-18 09:49:10 UTC (rev 49759) +++ data/CVE/list 2017-03-18 10:34:25 UTC (rev 49760) @@ -34674,7 +34674,8 @@ - libxml2 2.9.4+dfsg1-2.1 (bug #840553) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b CVE-2016-4657 (WebKit in Apple iOS before 9.3.5 allows remote attackers to execute ...) - NOT-FOR-US: Webkit as used by Apple + TODO: check + NOTE: https://www.youtube.com/watch?v=xkdPjbaLngE CVE-2016-4656 (The kernel in Apple iOS before 9.3.5 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2016-4655 (The kernel in Apple iOS before 9.3.5 allows attackers to obtain ...)
[Secure-testing-commits] r49759 - data/CVE
Author: carnil Date: 2017-03-18 09:49:10 + (Sat, 18 Mar 2017) New Revision: 49759 Modified: data/CVE/list Log: Mark owncloud as no-dsa, will be removed from jessie Modified: data/CVE/list === --- data/CVE/list 2017-03-18 09:39:03 UTC (rev 49758) +++ data/CVE/list 2017-03-18 09:49:10 UTC (rev 49759) @@ -3368,10 +3368,13 @@ RESERVED CVE-2017-5867 (ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, ...) - owncloud + [jessie] - owncloud (Will be removed in point release) CVE-2017-5866 (The autocomplete feature in the E-Mail share dialog in ownCloud Server ...) - owncloud + [jessie] - owncloud (Will be removed in point release) CVE-2017-5865 (The password reset functionality in ownCloud Server before 8.1.11, ...) - owncloud + [jessie] - owncloud (Will be removed in point release) CVE-2017-5864 RESERVED CVE-2017-5863 @@ -30090,6 +30093,7 @@ NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd CVE-2016-5876 (ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery ...) - owncloud + [jessie] - owncloud (Will be removed in point release) NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-010 CVE-2016-5875 [tiff: heap-based buffer overflow when using the PixarLog compression format] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
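Review bot: the commit log says owncloud is marked no-dsa, but the four added `[jessie] - owncloud (Will be removed in point release)` lines carry only the free-text parenthetical and no no-dsa state marker, so the diff does not record the status the log describes. Either add the no-dsa marker to each of the four lines or adjust the log; the parenthetical should also name the point release, since "Will be removed" cannot be checked later without it.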
[Secure-testing-commits] r49758 - data/CVE
Author: carnil Date: 2017-03-18 09:39:03 + (Sat, 18 Mar 2017) New Revision: 49758 Modified: data/CVE/list Log: Triage some issues, all NFUs in Cisco products plus one in Chef Manage Modified: data/CVE/list === --- data/CVE/list 2017-03-18 09:21:11 UTC (rev 49757) +++ data/CVE/list 2017-03-18 09:39:03 UTC (rev 49758) @@ -3,7 +3,7 @@ CVE-2017-7175 RESERVED CVE-2017-7174 (The user-account creation feature in Chef Manage 2.1.0 through 2.4.4 ...) - TODO: check + NOT-FOR-US: Chef Manage CVE-2017-7173 RESERVED CVE-2017-7172 
@@ -8734,37 +8734,37 @@ CVE-2017-3882 RESERVED CVE-2017-3881 (A vulnerability in the Cisco Cluster Management Protocol (CMP) ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3880 (An Authentication Bypass vulnerability in Cisco WebEx Meetings Server ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3879 (A Denial of Service vulnerability in the remote login functionality for ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3878 (A Denial of Service vulnerability in the Telnet remote login ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3877 (A vulnerability in the web framework of Cisco Unified Communications ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3876 RESERVED CVE-2017-3875 (An Access-Control Filtering Mechanisms Bypass vulnerability in certain ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3874 (A vulnerability in the web framework of Cisco Unified Communications ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3873 RESERVED CVE-2017-3872 (A cross-site scripting (XSS) filter bypass vulnerability in the ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3871 (A RADIUS Secret Disclosure vulnerability in the web network management ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3870 (A vulnerability in the URL filtering feature of Cisco AsyncOS Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3869 (An API Credentials Management vulnerability in the APIs for Cisco Prime ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3868 (A vulnerability in the web-based management interface of Cisco UCS ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3867 (A vulnerability in the Border Gateway Protocol (BGP) Bidirectional ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3866 (A vulnerability in the web framework code of Cisco Prime Service ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3865 RESERVED CVE-2017-3864 
@@ -8858,7 +8858,7 @@ CVE-2017-3820 (A vulnerability in Simple Network Management Protocol (SNMP) functions ...) NOT-FOR-US: Cisco IOS XE CVE-2017-3819 (A privilege escalation vulnerability in the Secure Shell (SSH) ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3818 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) ...) NOT-FOR-US: Cisco Email Security Appliances CVE-2017-3817 @@ -8866,7 +8866,7 @@ CVE-2017-3816 RESERVED CVE-2017-3815 (An API Privilege vulnerability in Cisco TelePresence Server Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3814 (A vulnerability in Cisco Firepower System Software could allow an ...) NOT-FOR-US: Cisco Firepower System Software CVE-2017-3813 (A vulnerability in the Start Before Logon (SBL) module of Cisco ...) @@ -8874,7 +8874,7 @@ CVE-2017-3812 (A vulnerability in the implementation of Common Industrial Protocol ...) NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches CVE-2017-3811 (An XML External Entity vulnerability in Cisco WebEx Meetings Server ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-3810 (A vulnerability in the web framework of Cisco Prime Service Catalog ...) NOT-FOR-US: Cisco Prime Service Catalog CVE-2017-3809 (A vulnerability in the Policy deployment module of the Cisco Firepower ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
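Review bot: the new `NOT-FOR-US: Cisco` lines in the hunks from CVE-2017-3881 down to CVE-2017-3811 are less specific than the neighbouring context lines, which name the product (`NOT-FOR-US: Cisco IOS XE`, `NOT-FOR-US: Cisco Email Security Appliances`, `NOT-FOR-US: Cisco Firepower System Software`). The CVE descriptions already give the product for each entry, e.g. `CVE-2017-3880 (An Authentication Bypass vulnerability in Cisco WebEx Meetings Server ...)` could carry `NOT-FOR-US: Cisco WebEx Meetings Server`; keeping the product in the label makes a later search for one Cisco product line useful.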
[Secure-testing-commits] r49757 - data/CVE
Author: carnil Date: 2017-03-18 09:21:11 + (Sat, 18 Mar 2017) New Revision: 49757 Modified: data/CVE/list Log: Cleanup rejected CVE Modified: data/CVE/list === --- data/CVE/list 2017-03-18 09:10:12 UTC (rev 49756) +++ data/CVE/list 2017-03-18 09:21:11 UTC (rev 49757) @@ -813,7 +813,6 @@ RESERVED CVE-2017-6804 REJECTED - NOT-FOR-US: WP Markdown Editor plugin for Wordpress CVE-2017-6803 RESERVED CVE-2017-6798 (Trend Micro Endpoint Sensor 1.6 before b1290 has a DLL hijacking ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49756 - data/CVE
Author: sectracker Date: 2017-03-18 09:10:12 + (Sat, 18 Mar 2017) New Revision: 49756 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-03-18 07:32:15 UTC (rev 49755) +++ data/CVE/list 2017-03-18 09:10:12 UTC (rev 49756) @@ -1,3 +1,9 @@ +CVE-2017-7176 + RESERVED +CVE-2017-7175 + RESERVED +CVE-2017-7174 (The user-account creation feature in Chef Manage 2.1.0 through 2.4.4 ...) + TODO: check CVE-2017-7173 RESERVED CVE-2017-7172 
@@ -8728,38 +8734,38 @@ RESERVED CVE-2017-3882 RESERVED -CVE-2017-3881 - RESERVED -CVE-2017-3880 - RESERVED -CVE-2017-3879 - RESERVED -CVE-2017-3878 - RESERVED -CVE-2017-3877 - RESERVED +CVE-2017-3881 (A vulnerability in the Cisco Cluster Management Protocol (CMP) ...) + TODO: check +CVE-2017-3880 (An Authentication Bypass vulnerability in Cisco WebEx Meetings Server ...) + TODO: check +CVE-2017-3879 (A Denial of Service vulnerability in the remote login functionality for ...) + TODO: check +CVE-2017-3878 (A Denial of Service vulnerability in the Telnet remote login ...) + TODO: check +CVE-2017-3877 (A vulnerability in the web framework of Cisco Unified Communications ...) + TODO: check CVE-2017-3876 RESERVED -CVE-2017-3875 - RESERVED -CVE-2017-3874 - RESERVED +CVE-2017-3875 (An Access-Control Filtering Mechanisms Bypass vulnerability in certain ...) + TODO: check +CVE-2017-3874 (A vulnerability in the web framework of Cisco Unified Communications ...) + TODO: check CVE-2017-3873 RESERVED -CVE-2017-3872 - RESERVED -CVE-2017-3871 - RESERVED -CVE-2017-3870 - RESERVED -CVE-2017-3869 - RESERVED -CVE-2017-3868 - RESERVED -CVE-2017-3867 - RESERVED -CVE-2017-3866 - RESERVED +CVE-2017-3872 (A cross-site scripting (XSS) filter bypass vulnerability in the ...) + TODO: check +CVE-2017-3871 (A RADIUS Secret Disclosure vulnerability in the web network management ...) + TODO: check +CVE-2017-3870 (A vulnerability in the URL filtering feature of Cisco AsyncOS Software ...) + TODO: check +CVE-2017-3869 (An API Credentials Management vulnerability in the APIs for Cisco Prime ...) + TODO: check +CVE-2017-3868 (A vulnerability in the web-based management interface of Cisco UCS ...) + TODO: check +CVE-2017-3867 (A vulnerability in the Border Gateway Protocol (BGP) Bidirectional ...) + TODO: check +CVE-2017-3866 (A vulnerability in the web framework code of Cisco Prime Service ...) + TODO: check CVE-2017-3865 RESERVED CVE-2017-3864 
@@ -8860,16 +8866,16 @@ RESERVED CVE-2017-3816 RESERVED -CVE-2017-3815 - RESERVED +CVE-2017-3815 (An API Privilege vulnerability in Cisco TelePresence Server Software ...) + TODO: check CVE-2017-3814 (A vulnerability in Cisco Firepower System Software could allow an ...) NOT-FOR-US: Cisco Firepower System Software CVE-2017-3813 (A vulnerability in the Start Before Logon (SBL) module of Cisco ...) NOT-FOR-US: Cisco CVE-2017-3812 (A vulnerability in the implementation of Common Industrial Protocol ...) NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches -CVE-2017-3811 - RESERVED +CVE-2017-3811 (An XML External Entity vulnerability in Cisco WebEx Meetings Server ...) + TODO: check CVE-2017-3810 (A vulnerability in the web framework of Cisco Prime Service Catalog ...) NOT-FOR-US: Cisco Prime Service Catalog CVE-2017-3809 (A vulnerability in the Policy deployment module of the Cisco Firepower ...) @@ -12309,7 +12315,7 @@ CVE-2017-2657 RESERVED CVE-2017-2656 - RESERVED + REJECTED CVE-2017-2655 RESERVED CVE-2017-2654 @@ -20593,6 +20599,7 @@ CVE-2016-8715 (An exploitable heap corruption vulnerability exists in the loadTrailer ...) NOT-FOR-US: Iceni Argus CVE-2016-8714 (An exploitable buffer overflow vulnerability exists in the ...) + {DLA-861-1} - r-base 3.3.3-1 (bug #857466) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0227/ CVE-2016-8713 (A remote out of bound write / memory corruption vulnerability exists ...) @@ -22925,7 +22932,7 @@ NOT-FOR-US: Microsoft CVE-2017-0039 (Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle dynamic link ...) NOT-FOR-US: Microsoft -CVE-2017-0038 (gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista ...) +CVE-2017-0038 (gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-0037 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type ...) NOT-FOR-US: Microsoft ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.de
[Secure-testing-commits] r49755 - data/CVE
Author: carnil Date: 2017-03-18 07:32:15 + (Sat, 18 Mar 2017) New Revision: 49755 Modified: data/CVE/list Log: Process more NFUs Modified: data/CVE/list === --- data/CVE/list 2017-03-18 07:25:17 UTC (rev 49754) +++ data/CVE/list 2017-03-18 07:32:15 UTC (rev 49755) @@ -435,15 +435,15 @@ CVE-2017-6959 RESERVED CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin (before ...) - TODO: check + NOT-FOR-US: MantisBT Source Integration Plugin CVE-2017-6957 RESERVED CVE-2017-6956 RESERVED CVE-2017-6955 (An issue was discovered in by-email/by-email.php in the Invite Anyone ...) - TODO: check + NOT-FOR-US: wordpress Anyone plugin CVE-2017-6954 (An issue was discovered in includes/component.php in the BuddyPress ...) - TODO: check + NOT-FOR-US: wordpress buddypress docs plugin CVE-2017-6953 RESERVED CVE-2017-6952 (Integer overflow in the cs_winkernel_malloc function in winkernel_mm.c ...) @@ -601,7 +601,7 @@ CVE-2017-6881 RESERVED CVE-2017-6880 (Buffer overflow in Cerberus FTP Server 8.0.10.3 allows remote attackers ...) - TODO: check + NOT-FOR-US: Cerberus FTP Server CVE-2017-6879 RESERVED CVE-2017-6878 @@ -1960,13 +1960,13 @@ CVE-2017-6371 RESERVED CVE-2017-6370 (TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in ...) - TODO: check + NOT-FOR-US: Typo3 CVE-2017-6369 RESERVED CVE-2017-6368 RESERVED CVE-2017-6367 (In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the ...) - TODO: check + NOT-FOR-US: Cerberus FTP Server CVE-2017-6366 (Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 ...) NOT-FOR-US: Netgear CVE-2017-6365 
@@ -62865,13 +62865,13 @@ NOT-FOR-US: proxychains-ng NOTE: proxychains does not contain the vulnerable code CVE-2015-3884 (Unrestricted file upload vulnerability in the (1) myAccount, (2) ...) - TODO: check + NOT-FOR-US: qdPM CVE-2015-3883 (Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow ...) - TODO: check + NOT-FOR-US: qdPM CVE-2015-3882 (qdPM 8.3 allows remote attackers to obtain sensitive information via ...) - TODO: check + NOT-FOR-US: qdPM CVE-2015-3881 (Information disclosure issue in qdPM 8.3 allows remote attackers to ...) - TODO: check + NOT-FOR-US: qdPM CVE-2015-3879 (Media Player Framework in Android before 5.1.1 LMY48T allows attackers ...) NOT-FOR-US: Media Player Framework in Android CVE-2015-3878 (Media Projection in Android 5.x before 5.1.1 LMY48T and 6.0 before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
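Review bot: the label `NOT-FOR-US: wordpress Anyone plugin` for CVE-2017-6955 in the first hunk drops part of the plugin name; the description on the same entry reads `Invite Anyone`, so it should be `NOT-FOR-US: Invite Anyone plugin for WordPress`, matching the `... plugin for WordPress` form used elsewhere in the file (`NOT-FOR-US: W3 Total Cache plugin for WordPress`). The same hunk's `NOT-FOR-US: wordpress buddypress docs plugin` and `NOT-FOR-US: Typo3` also use casing that differs from the descriptions (`BuddyPress`, `TYPO3`), which hurts case-sensitive searches.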
[Secure-testing-commits] r49754 - data/CVE
Author: carnil Date: 2017-03-18 07:25:17 + (Sat, 18 Mar 2017) New Revision: 49754 Modified: data/CVE/list Log: More NFUs Modified: data/CVE/list === --- data/CVE/list 2017-03-18 07:25:03 UTC (rev 49753) +++ data/CVE/list 2017-03-18 07:25:17 UTC (rev 49754) @@ -77501,9 +77501,9 @@ CVE-2014-8724 (Cross-site scripting (XSS) vulnerability in the W3 Total Cache plugin ...) NOT-FOR-US: W3 Total Cache plugin for WordPress CVE-2014-8723 (GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive ...) - TODO: check + NOT-FOR-US: GetSimple CMS CVE-2014-8722 (GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive ...) - TODO: check + NOT-FOR-US: GetSimple CMS CVE-2014-8721 RESERVED CVE-2014-8720 @@ -77517,11 +77517,11 @@ CVE-2014-8715 RESERVED CVE-2014-8708 (Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via ...) - TODO: check + NOT-FOR-US: Pluck CMS CVE-2014-8707 (Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 ...) - TODO: check + NOT-FOR-US: Pluck CMS CVE-2014-8706 (Pluck CMS 4.7.2 allows remote attackers to obtain sensitive ...) - TODO: check + NOT-FOR-US: Pluck CMS CVE-2014-8705 (PHP remote file inclusion vulnerability in editInplace.php in Wonder ...) NOT-FOR-US: Wonder CMS CVE-2014-8704 (Directory traversal vulnerability in index.php in Wonder CMS 2014 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49753 - data/CVE
Author: carnil Date: 2017-03-18 07:25:03 + (Sat, 18 Mar 2017) New Revision: 49753 Modified: data/CVE/list Log: Mark NFUs for wonder cms Modified: data/CVE/list === --- data/CVE/list 2017-03-17 21:50:04 UTC (rev 49752) +++ data/CVE/list 2017-03-18 07:25:03 UTC (rev 49753) @@ -77523,15 +77523,15 @@ CVE-2014-8706 (Pluck CMS 4.7.2 allows remote attackers to obtain sensitive ...) TODO: check CVE-2014-8705 (PHP remote file inclusion vulnerability in editInplace.php in Wonder ...) - TODO: check + NOT-FOR-US: Wonder CMS CVE-2014-8704 (Directory traversal vulnerability in index.php in Wonder CMS 2014 ...) - TODO: check + NOT-FOR-US: Wonder CMS CVE-2014-8703 (Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows ...) - TODO: check + NOT-FOR-US: Wonder CMS CVE-2014-8702 (Wonder CMS 2014 allows remote attackers to obtain sensitive ...) - TODO: check + NOT-FOR-US: Wonder CMS CVE-2014-8701 (Wonder CMS 2014 allows remote attackers to obtain sensitive ...) - TODO: check + NOT-FOR-US: Wonder CMS CVE-2014-8700 RESERVED CVE-2014-8699 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits