[Secure-testing-commits] r50160 - data

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-29 05:45:12 + (Wed, 29 Mar 2017)
New Revision: 50160

Modified:
   data/dsa-needed.txt
Log:
Take samba for regression update

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-03-29 05:43:16 UTC (rev 50159)
+++ data/dsa-needed.txt 2017-03-29 05:45:12 UTC (rev 50160)
@@ -36,7 +36,7 @@
 --
 salt
 --
-samba
+samba (carnil)
   At least #858590, #858564, #858601
 --
 spip


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r50159 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-29 05:43:16 + (Wed, 29 Mar 2017)
New Revision: 50159

Modified:
   data/CVE/list
Log:
CVE-2016-10253/erlang fixed in unstable, #858313

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-29 05:41:46 UTC (rev 50158)
+++ data/CVE/list   2017-03-29 05:43:16 UTC (rev 50159)
@@ -539,7 +539,7 @@
 CVE-2017-7179
RESERVED
 CVE-2016-10253 (An issue was discovered in Erlang/OTP 18.x. Erlang's 
generation of ...)
-   - erlang  (bug #858313)
+   - erlang 1:19.2.1+dfsg-2 (bug #858313)
[jessie] - erlang  (Minor issue)
[wheezy] - erlang  (Vulnerable code not present)
NOTE: https://github.com/erlang/otp/pull/1108


[Secure-testing-commits] r50158 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-29 05:41:46 + (Wed, 29 Mar 2017)
New Revision: 50158

Modified:
   data/CVE/list
Log:
Mark CVE-2017-6542/putty as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-29 05:20:21 UTC (rev 50157)
+++ data/CVE/list   2017-03-29 05:41:46 UTC (rev 50158)
@@ -1951,8 +1951,12 @@
NOT-FOR-US: Nessus
 CVE-2017-6542 (The ssh_agent_channel_data function in PuTTY before 0.68 allows 
remote ...)
- putty 0.67-3 (bug #857642)
+   [jessie] - putty  (Minor issue)
NOTE: 
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html
NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4ff22863d895cb7ebfced4cf923a012a614adaa8
 (0.68)
+   NOTE: Bug only exploitable if SSH agent forwarding enabled (not the 
default) and if
+   NOTE: the attacker can already be able to connect to the  Unix-domain 
socket
+   NOTE: representing the forwarded agent connection.
 CVE-2017-6541 (Multiple Cross-Site Scripting (XSS) issues were discovered in 
...)
NOT-FOR-US: webpagetest
 CVE-2017-6540 (Multiple Cross-Site Scripting (XSS) issues were discovered in 
...)


[Secure-testing-commits] r50157 - bin

2017-03-28 Thread Paul Wise
Author: pabs
Date: 2017-03-29 05:20:21 + (Wed, 29 Mar 2017)
New Revision: 50157

Modified:
   bin/tracker_service.py
Log:
Fix typo

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2017-03-29 04:48:56 UTC (rev 50156)
+++ bin/tracker_service.py  2017-03-29 05:20:21 UTC (rev 50157)
@@ -1525,7 +1525,7 @@
 % (int(y), int(number)))
 return None
 
-def url_dla(self, url, dla, re_dsa=re.compile(r'^DLA-(\d+)(?:-\d+)?$')):
+def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(?:-\d+)?$')):
 match = re_dla.match(dla)
 if match:
 # We must determine the year because there is no generic URL.


[Secure-testing-commits] r50156 - bin

2017-03-28 Thread Paul Wise
Author: pabs
Date: 2017-03-29 04:48:56 + (Wed, 29 Mar 2017)
New Revision: 50156

Modified:
   bin/tracker_service.py
Log:
Link to DLA details on www.d.o from the Source field (Closes: #761945)

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2017-03-29 04:46:57 UTC (rev 50155)
+++ bin/tracker_service.py  2017-03-29 04:48:56 UTC (rev 50156)
@@ -397,7 +397,7 @@
 elif source == 'DTSA':
 source_xref = 'Debian Testing Security Team'
 elif source == 'DLA':
-source_xref = 'Debian LTS Team'
+source_xref = self.make_dla_ref(url, bug.name, 'Debian LTS')
 elif source == 'TEMP':
 source_xref = (
 'Automatically generated temporary name.  Not for external reference.')
@@ -1525,6 +1525,18 @@
 % (int(y), int(number)))
 return None
 
+def url_dla(self, url, dla, re_dsa=re.compile(r'^DLA-(\d+)(?:-\d+)?$')):
+match = re_dla.match(dla)
+if match:
+# We must determine the year because there is no generic URL.
+(number,) = match.groups()
+for (date,) in self.db.cursor().execute(
+"SELECT release_date FROM bugs WHERE name = ?", (dla,)):
+(y, m, d) = date.split('-')
+return url.absolute("https://www.debian.org/security/%d/dla-%d;
+% (int(y), int(number)))
+return None
+
 def url_debian_bug(self, url, debian):
 return url.absolute("https://bugs.debian.org/cgi-bin/bugreport.cgi;,
 bug=str(debian))
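Review bot: the keyword default in the new `url_dla` signature is named `re_dsa`, but the body calls `re_dla.match(dla)`; as committed, every call of `url_dla` raises NameError, so the "Debian LTS" link introduced in the first hunk can never render. Rename the parameter to `re_dla` (which is what r50157, "Fix typo", does). The method is otherwise a copy of the DSA variant: the `(?:-\d+)?` group accepts revised ids such as DLA-547-2, and the URL is then built from the base number only, which deserves a one-line comment so the next reader knows the suffix is dropped on purpose.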
@@ -1649,6 +1661,15 @@
 else:
 return name
 
+def make_dla_ref(self, url, dla, name=None):
+if name is None:
+name = dla
+u = self.url_dla(url, dla)
+if u:
+return A(u, name)
+else:
+return name
+
 def make_source_code_ref(self, url, pkg, name=None):
 if name is None:
 name = pkg


[Secure-testing-commits] r50155 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-29 04:46:57 + (Wed, 29 Mar 2017)
New Revision: 50155

Modified:
   data/CVE/list
Log:
Add CVE-2017-7294

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-29 04:12:34 UTC (rev 50154)
+++ data/CVE/list   2017-03-29 04:46:57 UTC (rev 50155)
@@ -1,3 +1,5 @@
+CVE-2017-7294 [drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl()]
+   - linux 
 CVE-2017-7292
RESERVED
 CVE-2017-7291


[Secure-testing-commits] r50154 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-29 04:12:34 + (Wed, 29 Mar 2017)
New Revision: 50154

Modified:
   data/CVE/list
Log:
Update CVE-2017-7187 with kernel-sec triaging

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 23:23:13 UTC (rev 50153)
+++ data/CVE/list   2017-03-29 04:12:34 UTC (rev 50154)
@@ -522,6 +522,8 @@
RESERVED
 CVE-2017-7187 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel 
through ...)
- linux 
+   [jessie] - linux  (Introduced in 3.17)
+   [wheezy] - linux  (Introduced in 3.17)
 CVE-2017-7185
RESERVED
 CVE-2017-7183 (The TFTP server in ExtraPuTTY 0.30 and earlier allows remote 
attackers ...)


[Secure-testing-commits] r50153 - data

2017-03-28 Thread Antoine Beaupré
Author: anarcat
Date: 2017-03-28 23:23:13 + (Tue, 28 Mar 2017)
New Revision: 50153

Modified:
   data/dla-needed.txt
Log:
claim firebird



Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 22:06:00 UTC (rev 50152)
+++ data/dla-needed.txt 2017-03-28 23:23:13 UTC (rev 50153)
@@ -22,7 +22,7 @@
 --
 chicken
 --
-firebird2.5
+firebird2.5 (Antoine Beaupre)
   NOTE: The maintainer has told that he will not work on this update so
   NOTE: feel free to take this one.
 --


[Secure-testing-commits] r50152 - data/CVE

2017-03-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-03-28 22:06:00 + (Tue, 28 Mar 2017)
New Revision: 50152

Modified:
   data/CVE/list
Log:
ntopng no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 22:00:05 UTC (rev 50151)
+++ data/CVE/list   2017-03-28 22:06:00 UTC (rev 50152)
@@ -5352,6 +5352,7 @@
- serendipity 
 CVE-2017-5473 (Cross-site request forgery (CSRF) vulnerability in ntopng 
through 2.4 ...)
- ntopng 2.4+dfsg1-3 (bug #852109)
+   [jessie] - ntopng  (Minor issue)
NOTE: 
https://github.com/ntop/ntopng/commit/1b2ceac8f578a246af6351c4f476e3102cdf21b3
NOTE: 
https://github.com/ntop/ntopng/commit/f91fbe3d94c8346884271838ae3406ae633f6f15
 CVE-2017-5472


[Secure-testing-commits] r50151 - data/CVE

2017-03-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-03-28 22:00:05 + (Tue, 28 Mar 2017)
New Revision: 50151

Modified:
   data/CVE/list
Log:
sleekxmpp n/a in jessie


Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 21:47:28 UTC (rev 50150)
+++ data/CVE/list   2017-03-28 22:00:05 UTC (rev 50151)
@@ -4846,6 +4846,7 @@
[jessie] - profanity  (Vulnerable code not present)
 CVE-2017-5591 (An incorrect implementation of XEP-0280: Message 
Carbons in multiple ...)
- sleekxmpp  (bug #854739)
+   [jessie] - sleekxmpp  (vulnerable code not present, 
XEP-0280 not implemented)
[wheezy] - sleekxmpp  (vulnerable code not present, 
XEP-0280 not implemented)
- slixmpp 1.2.2-1.1 (bug #854740)
 CVE-2017-5590 (An incorrect implementation of XEP-0280: Message 
Carbons in multiple ...)


[Secure-testing-commits] r50150 - data/CVE

2017-03-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-03-28 21:47:28 + (Tue, 28 Mar 2017)
New Revision: 50150

Modified:
   data/CVE/list
Log:
android updates


Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 21:28:15 UTC (rev 50149)
+++ data/CVE/list   2017-03-28 21:47:28 UTC (rev 50150)
@@ -37633,7 +37633,7 @@
 CVE-2016-3922 (libril/RilSapSocket.cpp in Telephony in Android 6.x before 
2016-10-01 ...)
NOT-FOR-US: Android Telephony
 CVE-2016-3921 (libsysutils/src/FrameworkListener.cpp in Framework Listener in 
Android ...)
-   - android-platform-system-core  (bug #858177)
+   - android-platform-system-core  (libsysutils not 
included, bug #858177)
 CVE-2016-3920 (id3/ID3.cpp in libstagefright in mediaserver in Android 5.0.x 
before ...)
NOT-FOR-US: libstagefright
 CVE-2016-3919
@@ -37705,7 +37705,7 @@
 CVE-2016-3886 (systemui/statusbar/phone/QuickStatusBarHeader.java in the 
System UI ...)
NOT-FOR-US: Android
 CVE-2016-3885 (debuggerd/debuggerd.cpp in Debuggerd in Android 5.0.x before 
5.0.2, ...)
-   - android-platform-system-core  (bug #858177)
+   - android-platform-system-core  (debugged not provided, 
see bug #858177)
 CVE-2016-3884 (server/notification/NotificationManagerService.java in the ...)
NOT-FOR-US: Android
 CVE-2016-3883 (internal/telephony/SMSDispatcher.java in Telephony in Android 
4.x ...)
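Review bot: the replacement annotation for CVE-2016-3885 has a typo: "debugged not provided" should read "debuggerd not provided" (the CVE text names debuggerd/debuggerd.cpp). These annotations are published on the tracker, so a follow-up correction is worthwhile.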
@@ -37755,7 +37755,8 @@
 CVE-2016-3862 (media/ExifInterface.java in mediaserver in Android 4.x before 
4.4.4, ...)
NOT-FOR-US: libstagefright
 CVE-2016-3861 (LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x 
before ...)
-   - android-platform-system-core  (bug #858177)
+   - android-platform-system-core 1:7.0.0+r1-4  (unimportant; bug #858177)
+   NOTE: Not running as a privileged process in SDK
 CVE-2016-3860 (sound/soc/msm/qdsp6v2/audio_calibration.c in the Qualcomm sound 
driver ...)
NOT-FOR-US: Qualcomm driver for Android
 CVE-2016-3859 (The Qualcomm camera driver in Android before 2016-09-05 on 
Nexus 5, ...)


[Secure-testing-commits] r50149 - data/CVE

2017-03-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-03-28 21:28:15 + (Tue, 28 Mar 2017)
New Revision: 50149

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 21:10:12 UTC (rev 50148)
+++ data/CVE/list   2017-03-28 21:28:15 UTC (rev 50149)
@@ -24010,7 +24010,7 @@
 CVE-2016-8032
RESERVED
 CVE-2016-8031 (Software Integrity Attacks vulnerability in Intel Security 
Anti-Virus ...)
-   TODO: check
+   NOT-FOR-US: Intel antivirus
 CVE-2016-8030
RESERVED
 CVE-2016-8029
@@ -27430,7 +27430,7 @@
NOTE: 
https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.42
NOTE: This is though only Windows/IIS specific, thus marked as 
not-affected, cf. #84
 CVE-2016-6807 (Custom commands may be executed on Ambari Agent (2.4.x, before 
2.4.2) ...)
-   TODO: check
+   NOT-FOR-US: Ambari Agent
 CVE-2016-6806
RESERVED
 CVE-2016-6805


[Secure-testing-commits] r50148 - data/CVE

2017-03-28 Thread security tracker role
Author: sectracker
Date: 2017-03-28 21:10:12 + (Tue, 28 Mar 2017)
New Revision: 50148

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 20:29:31 UTC (rev 50147)
+++ data/CVE/list   2017-03-28 21:10:12 UTC (rev 50148)
@@ -1,3 +1,15 @@
+CVE-2017-7292
+   RESERVED
+CVE-2017-7291
+   RESERVED
+CVE-2017-7290
+   RESERVED
+CVE-2017-7289
+   RESERVED
+CVE-2017-7288
+   RESERVED
+CVE-2017-7287
+   RESERVED
 CVE-2017-7286
RESERVED
 CVE-2016-10303
@@ -248,12 +260,14 @@
NOTE: 
https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608
 CVE-2016-10269 (LibTIFF 4.0.7 allows remote attackers to cause a denial of 
service ...)
+   {DLA-877-1}
- tiff 4.0.7-2
- tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
NOTE: 
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2604
 CVE-2016-10268 (tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to 
cause a ...)
+   {DLA-877-1}
- tiff 4.0.7-2
- tiff3 
[wheezy] - tiff3  (issue in tiffcp that is not shipped by 
the source package)
@@ -261,12 +275,14 @@
NOTE: 
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2598
 CVE-2016-10267 (LibTIFF 4.0.7 allows remote attackers to cause a denial of 
service ...)
+   {DLA-877-1}
- tiff 4.0.7-2
- tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero/
NOTE: 
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2611
 CVE-2016-10266 (LibTIFF 4.0.7 allows remote attackers to cause a denial of 
service ...)
+   {DLA-877-1}
- tiff 4.0.7-2
- tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero
@@ -994,7 +1010,7 @@
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21137
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493
 CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian 
and ...)
-   {DLA-876-1}
+   {DSA-3823-1 DLA-876-1}
- eject 2.1.5+deb1+cvs20081104-13.2 (bug #858872)
NOTE: https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627
 CVE-2017-6963
@@ -1395,9 +1411,11 @@
 CVE-2017-6798 (Trend Micro Endpoint Sensor 1.6 before b1290 has a DLL 
hijacking ...)
NOT-FOR-US: Trend Micro Endpoint Sensor
 CVE-2017-6802 (An issue was discovered in ytnef before 1.9.2. There is a 
potential ...)
+   {DLA-878-1}
- libytnef 1.9.2-1
NOTE: Fixed by: 
https://github.com/Yeraze/ytnef/commit/22f8346c8d4f0020a40d9f258fdb3bfc097359cc
 CVE-2017-6801 (An issue was discovered in ytnef before 1.9.2. There is a 
potential ...)
+   {DLA-878-1}
- libytnef 1.9.2-1
NOTE: Fixed by: 
https://github.com/Yeraze/ytnef/commit/3cb0f914d6427073f262e1b2b5fd973e3043cdf7
 CVE-2017-6800 (An issue was discovered in ytnef before 1.9.2. An invalid 
memory access ...)
@@ -2823,41 +2841,49 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4
NOTE: fixed in 
https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910
 CVE-2017-6305 (An issue was discovered in ytnef before 1.9.1. This is related 
to a ...)
+   {DLA-878-1}
- libytnef 1.9.1-1
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4
NOTE: fixed in 
https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910
 CVE-2017-6304 (An issue was discovered in ytnef before 1.9.1. This is related 
to a ...)
+   {DLA-878-1}
- libytnef 1.9.1-1
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4
NOTE: fixed in 
https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910
 CVE-2017-6303 (An issue was discovered in ytnef before 1.9.1. This is related 
to a ...)
+   {DLA-878-1}
- libytnef 1.9.1-1
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4
NOTE: fixed in 
https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910
 CVE-2017-6302 (An issue was discovered in ytnef before 1.9.1. This is related 
to a ...)
+   {DLA-878-1}
- libytnef 1.9.1-1
NOTE: 

[Secure-testing-commits] r50147 - in data: . DLA

2017-03-28 Thread Antoine Beaupré
Author: anarcat
Date: 2017-03-28 20:29:31 + (Tue, 28 Mar 2017)
New Revision: 50147

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
reserve DLA-547-2 regression upload

Modified: data/DLA/list
===
--- data/DLA/list   2017-03-28 20:24:27 UTC (rev 50146)
+++ data/DLA/list   2017-03-28 20:29:31 UTC (rev 50147)
@@ -1,6 +1,8 @@
 [28 Mar 2017] DLA-878-1 libytnef - security update
{CVE-2017-6298 CVE-2017-6299 CVE-2017-6300 CVE-2017-6301 CVE-2017-6302 
CVE-2017-6303 CVE-2017-6304 CVE-2017-6305 CVE-2017-6801 CVE-2017-6802}
[wheezy] - libytnef 1.5-4+deb7u1
+[28 Mar 2017] DLA-547-2 graphicsmagick - regression update
+   [wheezy] - graphicsmagick 1.3.16-1.1+deb7u6
 [28 Mar 2017] DLA-877-1 tiff - security update
{CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269}
[wheezy] - tiff 4.0.2-6+deb7u11
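Review bot: the reserved DLA-547-2 entry carries no `{CVE-...}` line. The dla-needed.txt notes removed in the second hunk state that DLA-547-1 did not fix CVE-2016-5240 and that it should be included in the next upload; if this regression upload contains that fix, add `{CVE-2016-5240}` under the entry so the tracker records it as fixed in 1.3.16-1.1+deb7u6, otherwise leave the entry regression-only and keep the CVE open for a later DLA.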

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 20:24:27 UTC (rev 50146)
+++ data/dla-needed.txt 2017-03-28 20:29:31 UTC (rev 50147)
@@ -30,13 +30,6 @@
   NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is 
now
   NOTE: EOL. I have already started to look at ESR 52 to anticipate any 
problems
 --
-graphicsmagick (Antoine Beaupre)
-  NOTE: seems only a single memory/CPU DOS at this point, maybe wait for more 
issues?
-  NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next 
upload.
-  NOTE: Incomplete/Incorrect fix as per 
https://lists.debian.org/debian-lts/2016/12/msg00077.html
-  NOTE: Subject of announce mail also contained typo (DLA-574-1 vs. DLA-547-1)
-  NOTE: update available for testing in: 
https://lists.debian.org/87inpe4wgu@curie.anarc.at
---
 icedove
   NOTE: maintainer currenlty planx to rename to thunderbird with the next
   NOTE: upstream version (#851989). Jessie / Wheezy should do the same.


[Secure-testing-commits] r50146 - data

2017-03-28 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-03-28 20:24:27 + (Tue, 28 Mar 2017)
New Revision: 50146

Modified:
   data/dla-needed.txt
Log:
patches seem to be available now

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 20:19:47 UTC (rev 50145)
+++ data/dla-needed.txt 2017-03-28 20:24:27 UTC (rev 50146)
@@ -42,7 +42,6 @@
   NOTE: upstream version (#851989). Jessie / Wheezy should do the same.
 --
 jasper (Thorsten Alteholz)
-  NOTE: no upstream fixes yet
 --
 libav (Hugo Lefeuvre)
   NOTE: Upstream should provide new point-releases fixing open security issues 
in the next months.


[Secure-testing-commits] r50145 - in data: . DLA

2017-03-28 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-03-28 20:19:47 + (Tue, 28 Mar 2017)
New Revision: 50145

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-878-1 for libytnef

Modified: data/DLA/list
===
--- data/DLA/list   2017-03-28 20:17:56 UTC (rev 50144)
+++ data/DLA/list   2017-03-28 20:19:47 UTC (rev 50145)
@@ -1,3 +1,6 @@
+[28 Mar 2017] DLA-878-1 libytnef - security update
+   {CVE-2017-6298 CVE-2017-6299 CVE-2017-6300 CVE-2017-6301 CVE-2017-6302 
CVE-2017-6303 CVE-2017-6304 CVE-2017-6305 CVE-2017-6801 CVE-2017-6802}
+   [wheezy] - libytnef 1.5-4+deb7u1
 [28 Mar 2017] DLA-877-1 tiff - security update
{CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269}
[wheezy] - tiff 4.0.2-6+deb7u11

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 20:17:56 UTC (rev 50144)
+++ data/dla-needed.txt 2017-03-28 20:19:47 UTC (rev 50145)
@@ -74,8 +74,6 @@
   NOTE: 2016-12-13: Upstream ping here: 
https://rt.cpan.org/Public/Bug/Display.html?id=118097#txn-1690223
   NOTE: 2017-01-20 and 2017-03-09: Ping upstream by private email -- Raphael 
Hertzog
 --
-libytnef (Thorsten Alteholz)
---
 linux
 --
 logback


[Secure-testing-commits] r50144 - data/CVE

2017-03-28 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-03-28 20:17:56 + (Tue, 28 Mar 2017)
New Revision: 50144

Modified:
   data/CVE/list
Log:
mark CVE-2017-6800 as not affected for Wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 18:50:24 UTC (rev 50143)
+++ data/CVE/list   2017-03-28 20:17:56 UTC (rev 50144)
@@ -1402,6 +1402,7 @@
NOTE: Fixed by: 
https://github.com/Yeraze/ytnef/commit/3cb0f914d6427073f262e1b2b5fd973e3043cdf7
 CVE-2017-6800 (An issue was discovered in ytnef before 1.9.2. An invalid 
memory access ...)
- libytnef 1.9.2-1
+   [wheezy] - libytnef  (vulnerable code not present)
NOTE: Fixed by: 
https://github.com/Yeraze/ytnef/commit/f98f5d4adc1c4bd4033638f6167c1bb95d642f89
 CVE-2017-6799 (A cross-site scripting (XSS) vulnerability in 
view_filters_page.php in ...)
- mantis  (Vulnerable versions only 2.1.0 through 2.2.0)


[Secure-testing-commits] r50143 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 18:50:24 + (Tue, 28 Mar 2017)
New Revision: 50143

Modified:
   data/CVE/list
Log:
Update comments for CVE-2017-7275

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 18:07:18 UTC (rev 50142)
+++ data/CVE/list   2017-03-28 18:50:24 UTC (rev 50143)
@@ -154,7 +154,8 @@
- imagemagick 
NOTE: 
https://blogs.gentoo.org/ago/2017/03/27/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866/
NOTE: https://github.com/ImageMagick/ImageMagick/issues/271
-   TODO: check (need to check if we are affected by the second incomplete 
fix as well)
+   NOTE: Furthermore: upstream is not able to reproduce the problem as well
+   TODO: check (need to check if we are affected by the second incomplete 
fix as well, do not update prematurely this entry until clear from upstream)
 CVE-2017-7274 (The r_pkcs7_parse_cms function in libr/util/r_pkcs7.c in 
radare2 1.3.0 ...)
- radare2  (Vulnerable parsers introduced in 1.3.0-git, 
cf. #858873)
NOTE: 
https://github.com/radare/radare2/commit/7ab66cca5bbdf6cb2d69339ef4f513d95e532dbf
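Review bot: the new NOTE "upstream is not able to reproduce the problem as well" is ambiguous; if the point is that upstream also cannot reproduce it, "upstream is also unable to reproduce the problem" says so. The extended TODO is the useful part: it states the intent (do not touch the entry until upstream has clarified), which is exactly what a later triager needs to see.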


[Secure-testing-commits] r50142 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 18:07:18 + (Tue, 28 Mar 2017)
New Revision: 50142

Modified:
   data/CVE/list
Log:
CVE-2017-5029/libxslt fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 18:00:35 UTC (rev 50141)
+++ data/CVE/list   2017-03-28 18:07:18 UTC (rev 50142)
@@ -6812,7 +6812,7 @@
{DSA-3810-1 DLA-866-1}
- chromium-browser 57.0.2987.98-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
-   - libxslt  (bug #858546)
+   - libxslt 1.1.29-2.1 (bug #858546)
NOTE: Upstream fix in libxslt: 
https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5
 CVE-2017-5028
RESERVED


[Secure-testing-commits] r50141 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 18:00:35 + (Tue, 28 Mar 2017)
New Revision: 50141

Modified:
   data/CVE/list
Log:
Mark logback as no-dsa for jessie

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 17:29:51 UTC (rev 50140)
+++ data/CVE/list   2017-03-28 18:00:35 UTC (rev 50141)
@@ -3776,6 +3776,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/6
 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability 
affecting ...)
- logback 1:1.1.9-2 (bug #857343)
+   [jessie] - logback  (Minor issue; can be fixed via point 
release)
NOTE: 
https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
 CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web 
...)
NOT-FOR-US: Design limitation of W3C High Resolution Time API


[Secure-testing-commits] r50140 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 17:29:51 + (Tue, 28 Mar 2017)
New Revision: 50140

Modified:
   data/CVE/list
Log:
And CVE-2016-9571 actually got rejected, remove Apache Camel as affected source

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 17:28:57 UTC (rev 50139)
+++ data/CVE/list   2017-03-28 17:29:51 UTC (rev 50140)
@@ -18450,7 +18450,7 @@
NOTE: https://github.com/uclouvain/openjpeg/issues/863
NOTE: 
https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
 CVE-2016-9571 (Apache Camel's camel-jackson and camel-jacksonxml components 
are ...)
-   NOT-FOR-US: Apache Camel
+   REJECTED
 CVE-2016-9570
RESERVED
 CVE-2016-9569


[Secure-testing-commits] r50139 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 17:28:57 + (Tue, 28 Mar 2017)
New Revision: 50139

Modified:
   data/CVE/list
Log:
Resolve confusion about CVE-2016-9571 and CVE-2016-9606

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 16:11:01 UTC (rev 50138)
+++ data/CVE/list   2017-03-28 17:28:57 UTC (rev 50139)
@@ -18269,6 +18269,8 @@
RESERVED
 CVE-2016-9606
RESERVED
+   - resteasy  (bug #851430)
+   [jessie] - resteasy  (Minor issue)
 CVE-2016-9605 [Cross site scripting in profile page]
RESERVED
- cobbler  (bug #858844)
@@ -18448,8 +18450,7 @@
NOTE: https://github.com/uclouvain/openjpeg/issues/863
NOTE: 
https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
 CVE-2016-9571 (Apache Camel's camel-jackson and camel-jacksonxml components 
are ...)
-   - resteasy  (bug #851430)
-   [jessie] - resteasy  (Minor issue)
+   NOT-FOR-US: Apache Camel
 CVE-2016-9570
RESERVED
 CVE-2016-9569


[Secure-testing-commits] r50138 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 16:11:01 + (Tue, 28 Mar 2017)
New Revision: 50138

Modified:
   data/CVE/list
Log:
logback fixed in unstable with 1:1.1.9-2 upload

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 16:01:32 UTC (rev 50137)
+++ data/CVE/list   2017-03-28 16:11:01 UTC (rev 50138)
@@ -3775,7 +3775,7 @@
[wheezy] - postfixadmin  (Vulnerable code not present)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/6
 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability 
affecting ...)
-   - logback  (bug #857343)
+   - logback 1:1.1.9-2 (bug #857343)
NOTE: 
https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
 CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web 
...)
NOT-FOR-US: Design limitation of W3C High Resolution Time API


[Secure-testing-commits] r50137 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 16:01:32 + (Tue, 28 Mar 2017)
New Revision: 50137

Modified:
   data/CVE/list
Log:
Update NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 15:55:55 UTC (rev 50136)
+++ data/CVE/list   2017-03-28 16:01:32 UTC (rev 50137)
@@ -20690,7 +20690,7 @@
 CVE-2016-8961 (IBM BigFix Inventory v9 could allow a remote attacker to 
conduct ...)
NOT-FOR-US: IBM
 CVE-2016-8960 (IBM Cognos Business Intelligence 10.2 could allow a user with 
lower ...)
-   TODO: check
+   NOT-FOR-US: IBM Cognos Business Intelligence
 CVE-2016-8959
RESERVED
 CVE-2016-8958
@@ -30221,7 +30221,7 @@
 CVE-2016-6103 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to 
...)
NOT-FOR-US: IBM
 CVE-2016-6102 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 stores sensitive 
...)
-   TODO: check
+   NOT-FOR-US: IBM Tivoli Key Lifecycle Manager
 CVE-2016-6101
RESERVED
 CVE-2016-6100
@@ -30313,7 +30313,7 @@
 CVE-2016-6057
RESERVED
 CVE-2016-6056 (IBM Call Center for Commerce 9.3 and 9.4 is vulnerable to 
cross-site ...)
-   TODO: check
+   NOT-FOR-US: IBM Call Center for Commerce
 CVE-2016-6055 (IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is 
vulnerable to ...)
NOT-FOR-US: IBM
 CVE-2016-6054 (IBM Jazz Foundation is vulnerable to cross-site scripting. This 
...)


[Secure-testing-commits] r50136 - data

2017-03-28 Thread Guido Guenther
Author: agx
Date: 2017-03-28 15:55:55 + (Tue, 28 Mar 2017)
New Revision: 50136

Modified:
   data/dla-needed.txt
Log:
Add logback

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 15:33:43 UTC (rev 50135)
+++ data/dla-needed.txt 2017-03-28 15:55:55 UTC (rev 50136)
@@ -78,6 +78,8 @@
 --
 linux
 --
+logback
+--
 mcollective
   NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html
 --


[Secure-testing-commits] r50134 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 15:33:39 + (Tue, 28 Mar 2017)
New Revision: 50134

Modified:
   data/CVE/list
Log:
Sort entries for apt-cacher-ng

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 15:29:31 UTC (rev 50133)
+++ data/CVE/list   2017-03-28 15:33:39 UTC (rev 50134)
@@ -203,10 +203,10 @@
 CVE-2017- [apt-cacher http response splitting]
- apt-cacher-ng 3-1 (bug #858833)
[jessie] - apt-cacher-ng  (Minor issue)
+   [wheezy] - apt-cacher-ng  (Minor issue)
- apt-cacher 1.7.15 (bug #858739)
[jessie] - apt-cacher  (Minor issue)
[wheezy] - apt-cacher 1.7.6+deb7u1
-   [wheezy] - apt-cacher-ng  (Minor issue)
NOTE: Workaround entry for DLA-873-1 since no CVE assigned
 CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 
allows ...)
- amd64-microcode 




[Secure-testing-commits] r50135 - data/DSA

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 15:33:43 + (Tue, 28 Mar 2017)
New Revision: 50135

Modified:
   data/DSA/list
Log:
Reserve DSA number for eject

Modified: data/DSA/list
===
--- data/DSA/list   2017-03-28 15:33:39 UTC (rev 50134)
+++ data/DSA/list   2017-03-28 15:33:43 UTC (rev 50135)
@@ -1,3 +1,6 @@
+[28 Mar 2017] DSA-3823-1 eject - security update
+   {CVE-2017-6964}
+   [jessie] - eject 2.1.5+deb1+cvs20081104-13.1+deb8u1
 [27 Mar 2017] DSA-3822-1 gstreamer1.0 - security update
{CVE-2017-5838}
[jessie] - gstreamer1.0 1.4.4-2+deb8u1
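
Review bot: the cross-reference in data/CVE/list needs updating alongside this reservation: the CVE-2017-6964 entry currently carries only `{DLA-876-1}` (see the r50121 hunk), so DSA-3823-1 should be added to that set, the same way `{DLA-875-1}` was added to CVE-2017-7272.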




[Secure-testing-commits] r50133 - data/CVE

2017-03-28 Thread Guido Guenther
Author: agx
Date: 2017-03-28 15:29:31 + (Tue, 28 Mar 2017)
New Revision: 50133

Modified:
   data/CVE/list
Log:
lts: mark apt-cacher-ng as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 15:05:24 UTC (rev 50132)
+++ data/CVE/list   2017-03-28 15:29:31 UTC (rev 50133)
@@ -206,6 +206,7 @@
- apt-cacher 1.7.15 (bug #858739)
[jessie] - apt-cacher  (Minor issue)
[wheezy] - apt-cacher 1.7.6+deb7u1
+   [wheezy] - apt-cacher-ng  (Minor issue)
NOTE: Workaround entry for DLA-873-1 since no CVE assigned
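
Review bot: the added `[wheezy] - apt-cacher-ng (Minor issue)` line is placed after apt-cacher's wheezy entry rather than with the apt-cacher-ng block, so the two source packages' suite lines are interleaved; it belongs directly after the `[jessie] - apt-cacher-ng` line (r50134 later moves it there).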
 CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 
allows ...)
- amd64-microcode 




[Secure-testing-commits] r50132 - data

2017-03-28 Thread Antoine Beaupré
Author: anarcat
Date: 2017-03-28 15:05:24 + (Tue, 28 Mar 2017)
New Revision: 50132

Modified:
   data/dla-needed.txt
Log:
note ca-certificates is handled by maintainer on wheezy



Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 14:34:22 UTC (rev 50131)
+++ data/dla-needed.txt 2017-03-28 15:05:24 UTC (rev 50132)
@@ -18,9 +18,7 @@
   NOTE: low impact.
 --
 ca-certificates
-  NOTE: waiting for stable/sid update, see
-  NOTE: https://lists.debian.org/debian-lts/2017/03/msg00153.html
-  NOTE: likely to come in the next point release, see also #858539
+  NOTE: maintainer will handle the upload, see 
https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org
 --
 chicken
 --




[Secure-testing-commits] r50131 - data/CVE

2017-03-28 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-03-28 14:34:22 + (Tue, 28 Mar 2017)
New Revision: 50131

Modified:
   data/CVE/list
Log:
Add a bunch of missing "tiff3" assignations

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 13:42:37 UTC (rev 50130)
+++ data/CVE/list   2017-03-28 14:34:22 UTC (rev 50131)
@@ -7084,6 +7084,7 @@
 CVE-2016-10095 (Stack-based buffer overflow in the _TIFFVGetField function in 
...)
- tiff  (bug #850316)
[wheezy] - tiff 4.0.2-6+deb7u7
+   - tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2625
NOTE: probably preemptively fixed in 4.0.2-6+deb7u7 wheezy upload, as 
test case doesn't trigger issue
NOTE: similar to CVE-2015-7554 and CVE-2016-5318
@@ -7091,16 +7092,19 @@
{DSA-3762-1}
- tiff 4.0.7-4
[wheezy] - tiff  (vulnerable code introduced later)
+   - tiff3  (vulnerable code introduced later)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2640
NOTE: Fixed by: 
https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c
 CVE-2016-10093 (Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 allows 
remote ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-2
+   - tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2610
NOTE: Fixed by: 
https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
 CVE-2016-10092 (Heap-based buffer overflow in the readContigStripsIntoBuffer 
function ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-2
+   - tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620
NOTE: Fixed by: 
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
 CVE-2016-10091 [stack-based buffer overflows in cmd_* functions]
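
Review bot: the tiff3 line added for CVE-2016-10093 has no annotation, but that CVE is in tools/tiffcp.c (per its description) and the following hunk marks every other tools/ issue with `(tiff3 not shipping tools)`; give this entry the same marker so the tiff3 status is consistent across the tools/ CVEs.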
@@ -19707,35 +19711,43 @@
 CVE-2016-9540 (tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on 
tiled ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-1
+   - tiff3  (tiff3 not shipping tools)
NOTE: 
https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
 CVE-2016-9539 (tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in 
...)
- tiff 4.0.7-1 (unimportant)
+   - tiff3  (tiff3 not shipping tools)
NOTE: 
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
NOTE: Crash in CLI tool, no security impact
 CVE-2016-9538 (tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in 
...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-1
+   - tiff3  (tiff3 not shipping tools)
NOTE: 
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
 CVE-2016-9537 (tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-1
+   - tiff3  (tiff3 not shipping tools)
NOTE: 
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f
 CVE-2016-9536 (tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-1
+   - tiff3  (tiff3 not shipping tools)
NOTE: 
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5173a9b3b48146e4fd86d7b9b346115e
 CVE-2016-9535 (tif_predict.h and tif_predict.c in libtiff 4.0.6 have 
assertions that ...)
{DLA-795-1}
- tiff 4.0.7-1
+   - tiff3 
NOTE: 
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
NOTE: 
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
 CVE-2016-9534 (tif_write.c in libtiff 4.0.6 has an issue in the error code 
path of ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-1
+   - tiff3 
NOTE: 
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5be5ce02d0dea67050d5b2a10102d1ba
 CVE-2016-9533 (tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write 
vulnerabilities ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-1
+   - tiff3 
NOTE: 
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef
 CVE-2016-9532 (Integer overflow in the writeBufferToSeparateStrips function in 
...)
{DSA-3762-1 DLA-716-1}
@@ -36101,6 +36113,7 @@
[wheezy] - tiff 4.0.2-6+deb7u4
NOTE: Fixed already with the patch applied in 4.0.3-12 in unstable for 
the
NOTE: CVE-2014-9330 issue.
+   - tiff3  (libtiff-tools not shipped in tiff3)
 CVE-2013-7455 (Double free vulnerability in the DefaultICCintents function in 
...)
- lcms2 2.6-1
[wheezy] - lcms2  (vulnerable code not present, no 
cmsPipelineFree(Lut); in Error:-part)
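
Review bot: the new `- tiff3` line for this entry is inserted after the NOTE lines, whereas every other entry in this patch puts package lines before the NOTEs; move it up next to the `[wheezy] - tiff 4.0.2-6+deb7u4` line. The annotation wording also differs from the `(tiff3 not shipping tools)` form used in the previous hunk; one phrasing keeps the entries greppable.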
@@ -43585,24 +43598,28 @@
 CVE-2015-8783 (tif_luv.c in libtiff allows 

[Secure-testing-commits] r50130 - in data: . DLA

2017-03-28 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-03-28 13:42:37 + (Tue, 28 Mar 2017)
New Revision: 50130

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-877-1 for tiff

Modified: data/DLA/list
===
--- data/DLA/list   2017-03-28 13:39:43 UTC (rev 50129)
+++ data/DLA/list   2017-03-28 13:42:37 UTC (rev 50130)
@@ -1,3 +1,6 @@
+[28 Mar 2017] DLA-877-1 tiff - security update
+   {CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269}
+   [wheezy] - tiff 4.0.2-6+deb7u11
 [28 Mar 2017] DLA-876-1 eject - security update
{CVE-2017-6964}
[wheezy] - eject 2.1.5+deb1+cvs20081104-13+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 13:39:43 UTC (rev 50129)
+++ data/dla-needed.txt 2017-03-28 13:42:37 UTC (rev 50130)
@@ -124,8 +124,6 @@
   NOTE: from my point of view backporting the introduction of these new 
members to this old
   NOTE: version is way to invasive and such this should be marked as 
 --
-tiff (Raphaël Hertzog)
---
 tiff3 (Raphaël Hertzog)
 --
 tzdata (Emilio Pozuelo)



[Secure-testing-commits] r50129 - data/CVE

2017-03-28 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-03-28 13:39:43 + (Tue, 28 Mar 2017)
New Revision: 50129

Modified:
   data/CVE/list
Log:
Mark CVE-2016-10268 as not affecting tiff3 in wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 13:16:56 UTC (rev 50128)
+++ data/CVE/list   2017-03-28 13:39:43 UTC (rev 50129)
@@ -254,6 +254,7 @@
 CVE-2016-10268 (tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to 
cause a ...)
- tiff 4.0.7-2
- tiff3 
+   [wheezy] - tiff3  (issue in tiffcp that is not shipped by 
the source package)
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
NOTE: 
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2598




[Secure-testing-commits] r50128 - data

2017-03-28 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-03-28 13:16:56 + (Tue, 28 Mar 2017)
New Revision: 50128

Modified:
   data/dla-needed.txt
Log:
Add tiff3 to dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 12:55:20 UTC (rev 50127)
+++ data/dla-needed.txt 2017-03-28 13:16:56 UTC (rev 50128)
@@ -126,6 +126,8 @@
 --
 tiff (Raphaël Hertzog)
 --
+tiff3 (Raphaël Hertzog)
+--
 tzdata (Emilio Pozuelo)
 --
 web2py (Brian May)



[Secure-testing-commits] r50127 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 12:55:20 + (Tue, 28 Mar 2017)
New Revision: 50127

Modified:
   data/CVE/list
Log:
Remove unnecessary comment, already covered in the BTS

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 12:39:12 UTC (rev 50126)
+++ data/CVE/list   2017-03-28 12:55:20 UTC (rev 50127)
@@ -1997,7 +1997,7 @@
NOT-FOR-US: burgundy-cms
 CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect 
handling of ...)
- apparmor 2.11.0-3 (bug #858768)
-   [jessie] - apparmor  (Minor issue, cf #858768)
+   [jessie] - apparmor  (Minor issue)
[wheezy] - apparmor  (Experimental/unsupported feature)
NOTE: 
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647
NOTE: 
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648




[Secure-testing-commits] r50126 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 12:39:12 + (Tue, 28 Mar 2017)
New Revision: 50126

Modified:
   data/CVE/list
Log:
Mark CVE-2017-6507/apparmor as no-dsa for jessie

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 11:39:40 UTC (rev 50125)
+++ data/CVE/list   2017-03-28 12:39:12 UTC (rev 50126)
@@ -1997,6 +1997,7 @@
NOT-FOR-US: burgundy-cms
 CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect 
handling of ...)
- apparmor 2.11.0-3 (bug #858768)
+   [jessie] - apparmor  (Minor issue, cf #858768)
[wheezy] - apparmor  (Experimental/unsupported feature)
NOTE: 
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647
NOTE: 
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648
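
Review bot: the `cf #858768` in the new jessie line duplicates the bug reference already present on the `- apparmor 2.11.0-3 (bug #858768)` line directly above; `(Minor issue)` alone is enough, which is what the follow-up r50127 changes it to.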




[Secure-testing-commits] r50125 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 11:39:40 + (Tue, 28 Mar 2017)
New Revision: 50125

Modified:
   data/CVE/list
Log:
Add CVE-2017-6507/apparmor fix to unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 11:26:22 UTC (rev 50124)
+++ data/CVE/list   2017-03-28 11:39:40 UTC (rev 50125)
@@ -1996,7 +1996,7 @@
 CVE-2017-6509 (Smith0r/burgundy-cms before 2017-03-06 is vulnerable to a 
reflected XSS ...)
NOT-FOR-US: burgundy-cms
 CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect 
handling of ...)
-   - apparmor  (bug #858768)
+   - apparmor 2.11.0-3 (bug #858768)
[wheezy] - apparmor  (Experimental/unsupported feature)
NOTE: 
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647
NOTE: 
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648




[Secure-testing-commits] r50124 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 11:26:22 + (Tue, 28 Mar 2017)
New Revision: 50124

Modified:
   data/CVE/list
Log:
Add renamed source package for various tiff CVEs

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 10:39:47 UTC (rev 50123)
+++ data/CVE/list   2017-03-28 11:26:22 UTC (rev 50124)
@@ -226,12 +226,14 @@
 CVE-2016-10272 (LibTIFF 4.0.7 allows remote attackers to cause a denial of 
service ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-2
+   - tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
NOTE: 
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620
 CVE-2016-10271 (tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to 
cause a ...)
{DSA-3762-1 DLA-795-1}
- tiff 4.0.7-2
+   - tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
NOTE: 
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620
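
Review bot: CVE-2016-10271 is described as a tools/tiffcrop.c issue, yet its new tiff3 line carries no marker; the later commits in this batch (r50131) annotate tools/ issues with `(tiff3 not shipping tools)`, so the same marker is needed here rather than a bare `- tiff3`.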
@@ -245,21 +247,25 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608
 CVE-2016-10269 (LibTIFF 4.0.7 allows remote attackers to cause a denial of 
service ...)
- tiff 4.0.7-2
+   - tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
NOTE: 
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2604
 CVE-2016-10268 (tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to 
cause a ...)
- tiff 4.0.7-2
+   - tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
NOTE: 
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2598
 CVE-2016-10267 (LibTIFF 4.0.7 allows remote attackers to cause a denial of 
service ...)
- tiff 4.0.7-2
+   - tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero/
NOTE: 
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2611
 CVE-2016-10266 (LibTIFF 4.0.7 allows remote attackers to cause a denial of 
service ...)
- tiff 4.0.7-2
+   - tiff3 
NOTE: 
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero
NOTE: 
https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2596
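
Review bot: the same point applies to CVE-2016-10268 (tools/tiffcp.c) in this hunk: the bare `- tiff3` line records tiff3 as affected by a tool it does not ship; r50129 later adds a wheezy not-affected line for exactly this reason, and it could be recorded here directly.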




[Secure-testing-commits] r50123 - data/CVE

2017-03-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-03-28 10:39:47 + (Tue, 28 Mar 2017)
New Revision: 50123

Modified:
   data/CVE/list
Log:
new golang-gopkg-square-go-jose.v1 issue
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 10:08:55 UTC (rev 50122)
+++ data/CVE/list   2017-03-28 10:39:47 UTC (rev 50123)
@@ -1006,7 +1006,7 @@
 CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin 
(before ...)
NOT-FOR-US: MantisBT Source Integration Plugin
 CVE-2017-6957 (Stack-based buffer overflow in the firmware in Broadcom Wi-Fi 
HardMAC ...)
-   TODO: check
+   NOT-FOR-US: Firmware on some Broadcom SoCs
 CVE-2017-6956
RESERVED
 CVE-2017-6955 (An issue was discovered in by-email/by-email.php in the Invite 
Anyone ...)
@@ -6150,11 +6150,11 @@
 CVE-2017-5240
RESERVED
 CVE-2017-5239 (Due to a lack of standard encryption when transmitting 
sensitive ...)
-   TODO: check
+   NOT-FOR-US: Eview GPS trackers
 CVE-2017-5238 (Due to a lack of bounds checking, several input configuration 
fields ...)
-   TODO: check
+   NOT-FOR-US: Eview GPS trackers
 CVE-2017-5237 (Due to a lack of authentication, an unauthenticated user who 
knows the ...)
-   TODO: check
+   NOT-FOR-US: Eview GPS trackers
 CVE-2017-5236
RESERVED
 CVE-2017-5235 (Rapid7 Metasploit Pro installers prior to version 
4.13.0-2017022101 ...)
@@ -16117,7 +16117,7 @@
 CVE-2017-1154
RESERVED
 CVE-2017-1153 (IBM TRIRIGA Report Manager 3.2 through 3.5 contains a 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1152
RESERVED
 CVE-2017-1151 (IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using 
OpenID ...)
@@ -16137,9 +16137,9 @@
 CVE-2017-1144
RESERVED
 CVE-2017-1143 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a 
remote ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1142 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a 
remote ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1141
RESERVED
 CVE-2017-1140
@@ -16183,7 +16183,7 @@
 CVE-2017-1121 (IBM WebSphere Application Server 7.0, 8.0, and 9.0 is 
vulnerable to ...)
NOT-FOR-US: IBM
 CVE-2017-1120 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site 
...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1119
RESERVED
 CVE-2017-1118
@@ -16663,7 +16663,7 @@
NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
NOTE: 
https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
 CVE-2017-0881 (An error in the implementation of an autosubscribe feature in 
the ...)
-   TODO: check
+   NOT-FOR-US: Zulip
 CVE-2016-9754 (The ring_buffer_resize function in kernel/trace/ring_buffer.c 
in the ...)
- linux 4.6.1-1
[jessie] - linux 3.16.39-1
@@ -16704,7 +16704,7 @@
 CVE-2016-9738
RESERVED
 CVE-2016-9737 (IBM TRIRIGA 3.3, 3.4, and 3.5 is vulnerable to cross-site 
scripting. ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2016-9736
RESERVED
 CVE-2016-9735
@@ -18899,47 +18899,47 @@
 CVE-2016-9474
RESERVED
 CVE-2016-9473 (Brave Browser iOS before 1.2.18 and Brave Browser Android 
1.9.56 and ...)
-   TODO: check
+   NOT-FOR-US: Brave Browser
 CVE-2016-9472 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected 
XSS. The ...)
-   TODO: check
+   NOT-FOR-US: Revive Adserver
 CVE-2016-9471 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Special 
Element ...)
-   TODO: check
+   NOT-FOR-US: Revive Adserver
 CVE-2016-9470 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected 
File ...)
-   TODO: check
+   NOT-FOR-US: Revive Adserver
 CVE-2016-9469 (Multiple versions of GitLab expose a dangerous method to any 
...)
- gitlab 8.13.6+dfsg2-2 (bug #847157)
NOTE: https://about.gitlab.com/2016/12/05/cve-2016-9469/
NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
 CVE-2016-9468 (Nextcloud Server before 9.0.54 and 10.0.1  ownCloud Server 
before ...)
-   TODO: check
+   - nextcloud  (bug #835086)
 CVE-2016-9467 (Nextcloud Server before 9.0.54 and 10.0.1  ownCloud Server 
before ...)
-   TODO: check
+   - nextcloud  (bug #835086)
 CVE-2016-9466 (Nextcloud Server before 10.0.1  ownCloud Server before 
9.0.6 and ...)
-   TODO: check
+   - nextcloud  (bug #835086)
 CVE-2016-9465 (Nextcloud Server before 10.0.1  ownCloud Server before 
9.0.6 and 9.1.2 ...)
-   TODO: check
+   - nextcloud  (bug #835086)
 CVE-2016-9464 (Nextcloud Server before 9.0.54 and 10.0.0 suffers from an 
improper ...)
-   TODO: check
+   - nextcloud  (bug #835086)
 CVE-2016-9463 (Nextcloud Server before 9.0.54 and 10.0.1  ownCloud Server 
before ...)
-   TODO: check
+   - nextcloud  (bug #835086)
 CVE-2016-9462 (Nextcloud Server before 9.0.52  ownCloud Server before 

[Secure-testing-commits] r50122 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 10:08:55 + (Tue, 28 Mar 2017)
New Revision: 50122

Modified:
   data/CVE/list
Log:
Add CVE-2017-7277/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 09:10:12 UTC (rev 50121)
+++ data/CVE/list   2017-03-28 10:08:55 UTC (rev 50122)
@@ -147,7 +147,7 @@
 CVE-2017-7278
RESERVED
 CVE-2017-7277 (The TCP stack in the Linux kernel through 4.10.6 mishandles the 
...)
-   TODO: check
+   - linux  (Vulnerable code introduced in 4.10-rc1)
 CVE-2017-7276
RESERVED
 CVE-2017-7275 (The ReadPCXImage function in coders/pcx.c in ImageMagick 
7.0.4.9 allows ...)
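
Review bot: the parenthetical records that the vulnerable code appeared in 4.10-rc1, but the entry has no [jessie] or [wheezy] lines recording that the stable kernels predate it (jessie is on 3.16 per the CVE-2016-9754 entry in r50123); other entries in this batch spell that out explicitly, e.g. `[wheezy] - tiff (vulnerable code introduced later)`, and this one should too.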




[Secure-testing-commits] r50121 - data/CVE

2017-03-28 Thread security tracker role
Author: sectracker
Date: 2017-03-28 09:10:12 + (Tue, 28 Mar 2017)
New Revision: 50121

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 08:52:12 UTC (rev 50120)
+++ data/CVE/list   2017-03-28 09:10:12 UTC (rev 50121)
@@ -1,3 +1,135 @@
+CVE-2017-7286
+   RESERVED
+CVE-2016-10303
+   RESERVED
+CVE-2016-10302
+   RESERVED
+CVE-2016-10301
+   RESERVED
+CVE-2016-10300
+   RESERVED
+CVE-2016-10299
+   RESERVED
+CVE-2016-10298
+   RESERVED
+CVE-2016-10297
+   RESERVED
+CVE-2016-10296
+   RESERVED
+CVE-2016-10295
+   RESERVED
+CVE-2016-10294
+   RESERVED
+CVE-2016-10293
+   RESERVED
+CVE-2016-10292
+   RESERVED
+CVE-2016-10291
+   RESERVED
+CVE-2016-10290
+   RESERVED
+CVE-2016-10289
+   RESERVED
+CVE-2016-10288
+   RESERVED
+CVE-2016-10287
+   RESERVED
+CVE-2016-10286
+   RESERVED
+CVE-2016-10285
+   RESERVED
+CVE-2016-10284
+   RESERVED
+CVE-2016-10283
+   RESERVED
+CVE-2016-10282
+   RESERVED
+CVE-2016-10281
+   RESERVED
+CVE-2016-10280
+   RESERVED
+CVE-2016-10279
+   RESERVED
+CVE-2016-10278
+   RESERVED
+CVE-2016-10277
+   RESERVED
+CVE-2016-10276
+   RESERVED
+CVE-2016-10275
+   RESERVED
+CVE-2016-10274
+   RESERVED
+CVE-2015-9018
+   RESERVED
+CVE-2015-9017
+   RESERVED
+CVE-2015-9016
+   RESERVED
+CVE-2015-9015
+   RESERVED
+CVE-2015-9014
+   RESERVED
+CVE-2015-9013
+   RESERVED
+CVE-2015-9012
+   RESERVED
+CVE-2015-9011
+   RESERVED
+CVE-2015-9010
+   RESERVED
+CVE-2015-9009
+   RESERVED
+CVE-2015-9008
+   RESERVED
+CVE-2015-9007
+   RESERVED
+CVE-2015-9006
+   RESERVED
+CVE-2015-9005
+   RESERVED
+CVE-2015-9004
+   RESERVED
+CVE-2014-9959
+   RESERVED
+CVE-2014-9958
+   RESERVED
+CVE-2014-9957
+   RESERVED
+CVE-2014-9956
+   RESERVED
+CVE-2014-9955
+   RESERVED
+CVE-2014-9954
+   RESERVED
+CVE-2014-9953
+   RESERVED
+CVE-2014-9952
+   RESERVED
+CVE-2014-9951
+   RESERVED
+CVE-2014-9950
+   RESERVED
+CVE-2014-9949
+   RESERVED
+CVE-2014-9948
+   RESERVED
+CVE-2014-9947
+   RESERVED
+CVE-2014-9946
+   RESERVED
+CVE-2014-9945
+   RESERVED
+CVE-2014-9944
+   RESERVED
+CVE-2014-9943
+   RESERVED
+CVE-2014-9942
+   RESERVED
+CVE-2014-9941
+   RESERVED
+CVE-2014-9940
+   RESERVED
 CVE-2017-7285
RESERVED
 CVE-2017-7284
@@ -14,8 +146,8 @@
RESERVED
 CVE-2017-7278
RESERVED
-CVE-2017-7277
-   RESERVED
+CVE-2017-7277 (The TCP stack in the Linux kernel through 4.10.6 mishandles the 
...)
+   TODO: check
 CVE-2017-7276
RESERVED
 CVE-2017-7275 (The ReadPCXImage function in coders/pcx.c in ImageMagick 
7.0.4.9 allows ...)
@@ -35,6 +167,7 @@
- linux 4.9.6-1
NOTE: Fixed by: 
https://git.kernel.org/linus/1ebb71143758f45dc0fa76e2f48429e13b16d110
 CVE-2017-7272 (PHP through 7.1.3 enables potential SSRF in applications that 
accept an ...)
+   {DLA-875-1}
- php7.1 
- php7.0 
- php5 
@@ -851,8 +984,8 @@
[wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21137
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493
-CVE-2017-6964 [dmcrypt-get-device does not check the return values of setuid() 
or setgid()]
-   RESERVED
+CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian 
and ...)
+   {DLA-876-1}
- eject 2.1.5+deb1+cvs20081104-13.2 (bug #858872)
NOTE: https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627
 CVE-2017-6963
@@ -6016,12 +6149,12 @@
RESERVED
 CVE-2017-5240
RESERVED
-CVE-2017-5239
-   RESERVED
-CVE-2017-5238
-   RESERVED
-CVE-2017-5237
-   RESERVED
+CVE-2017-5239 (Due to a lack of standard encryption when transmitting 
sensitive ...)
+   TODO: check
+CVE-2017-5238 (Due to a lack of bounds checking, several input configuration 
fields ...)
+   TODO: check
+CVE-2017-5237 (Due to a lack of authentication, an unauthenticated user who 
knows the ...)
+   TODO: check
 CVE-2017-5236
RESERVED
 CVE-2017-5235 (Rapid7 Metasploit Pro installers prior to version 
4.13.0-2017022101 ...)
@@ -15983,8 +16116,8 @@
NOT-FOR-US: IBM
 CVE-2017-1154
RESERVED
-CVE-2017-1153
-   RESERVED
+CVE-2017-1153 (IBM TRIRIGA Report Manager 3.2 through 3.5 contains a 
vulnerability ...)
+   TODO: check
 CVE-2017-1152
RESERVED
 CVE-2017-1151 (IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using 
OpenID ...)
@@ -16003,10 +16136,10 @@
NOT-FOR-US: IBM
 CVE-2017-1144
RESERVED
-CVE-2017-1143
-   RESERVED
-CVE-2017-1142
-   RESERVED
+CVE-2017-1143 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow 

[Secure-testing-commits] r50120 - data/CVE

2017-03-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-03-28 08:52:12 + (Tue, 28 Mar 2017)
New Revision: 50120

Modified:
   data/CVE/list
Log:
correct entry for CVE-2017-5929, it is in logback, #857343

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-28 08:47:57 UTC (rev 50119)
+++ data/CVE/list   2017-03-28 08:52:12 UTC (rev 50120)
@@ -3633,7 +3633,8 @@
[wheezy] - postfixadmin  (Vulnerable code not present)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/6
 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability 
affecting ...)
-   NOT-FOR-US: QOS.ch Logback
+   - logback  (bug #857343)
+   NOTE: 
https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
 CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web 
...)
NOT-FOR-US: Design limitation of W3C High Resolution Time API
 CVE-2017-5927 (Page table walks conducted by the MMU during virtual to 
physical ...)




[Secure-testing-commits] r50119 - in data: . DLA

2017-03-28 Thread Chris Lamb
Author: lamby
Date: 2017-03-28 08:47:57 + (Tue, 28 Mar 2017)
New Revision: 50119

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-876-1 for eject

Modified: data/DLA/list
===
--- data/DLA/list   2017-03-28 07:25:11 UTC (rev 50118)
+++ data/DLA/list   2017-03-28 08:47:57 UTC (rev 50119)
@@ -1,3 +1,6 @@
+[28 Mar 2017] DLA-876-1 eject - security update
+   {CVE-2017-6964}
+   [wheezy] - eject 2.1.5+deb1+cvs20081104-13+deb7u1
 [28 Mar 2017] DLA-875-1 php5 - security update
{CVE-2016-7478 CVE-2016-7479 CVE-2017-7272}
[wheezy] - php5 5.4.45-0+deb7u8

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 07:25:11 UTC (rev 50118)
+++ data/dla-needed.txt 2017-03-28 08:47:57 UTC (rev 50119)
@@ -24,8 +24,6 @@
 --
 chicken
 --
-eject (Chris Lamb)
---
 firebird2.5
   NOTE: The maintainer has told that he will not work on this update so
   NOTE: feel free to take this one.




[Secure-testing-commits] r50118 - data

2017-03-28 Thread Chris Lamb
Author: lamby
Date: 2017-03-28 07:25:11 + (Tue, 28 Mar 2017)
New Revision: 50118

Modified:
   data/dla-needed.txt
Log:
Claim eject in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 06:22:02 UTC (rev 50117)
+++ data/dla-needed.txt 2017-03-28 07:25:11 UTC (rev 50118)
@@ -24,7 +24,7 @@
 --
 chicken
 --
-eject
+eject (Chris Lamb)
 --
 firebird2.5
   NOTE: The maintainer has told that he will not work on this update so




[Secure-testing-commits] r50117 - data

2017-03-28 Thread Guido Guenther
Author: agx
Date: 2017-03-28 06:22:02 + (Tue, 28 Mar 2017)
New Revision: 50117

Modified:
   data/dla-needed.txt
Log:
lts: add eject

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-28 05:30:57 UTC (rev 50116)
+++ data/dla-needed.txt 2017-03-28 06:22:02 UTC (rev 50117)
@@ -24,6 +24,8 @@
 --
 chicken
 --
+eject
+--
 firebird2.5
   NOTE: The maintainer has told that he will not work on this update so
   NOTE: feel free to take this one.

