[Secure-testing-commits] r50160 - data
Author: carnil Date: 2017-03-29 05:45:12 + (Wed, 29 Mar 2017) New Revision: 50160 Modified: data/dsa-needed.txt Log: Take samba for regression update Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-03-29 05:43:16 UTC (rev 50159) +++ data/dsa-needed.txt 2017-03-29 05:45:12 UTC (rev 50160) @@ -36,7 +36,7 @@ -- salt -- -samba +samba (carnil) At least #858590, #858564, #858601 -- spip ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50159 - data/CVE
Author: carnil Date: 2017-03-29 05:43:16 + (Wed, 29 Mar 2017) New Revision: 50159 Modified: data/CVE/list Log: CVE-2016-10253/erlang fixed in unstable, #858313 Modified: data/CVE/list === --- data/CVE/list 2017-03-29 05:41:46 UTC (rev 50158) +++ data/CVE/list 2017-03-29 05:43:16 UTC (rev 50159) @@ -539,7 +539,7 @@ CVE-2017-7179 RESERVED CVE-2016-10253 (An issue was discovered in Erlang/OTP 18.x. Erlang's generation of ...) - - erlang (bug #858313) + - erlang 1:19.2.1+dfsg-2 (bug #858313) [jessie] - erlang (Minor issue) [wheezy] - erlang (Vulnerable code not present) NOTE: https://github.com/erlang/otp/pull/1108 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50158 - data/CVE
Author: carnil Date: 2017-03-29 05:41:46 + (Wed, 29 Mar 2017) New Revision: 50158 Modified: data/CVE/list Log: Mark CVE-2017-6542/putty as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-03-29 05:20:21 UTC (rev 50157) +++ data/CVE/list 2017-03-29 05:41:46 UTC (rev 50158) @@ -1951,8 +1951,12 @@ NOT-FOR-US: Nessus CVE-2017-6542 (The ssh_agent_channel_data function in PuTTY before 0.68 allows remote ...) - putty 0.67-3 (bug #857642) + [jessie] - putty (Minor issue) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68) + NOTE: Bug only exploitable if SSH agent forwarding enabled (not the default) and if + NOTE: the attacker can already be able to connect to the Unix-domain socket + NOTE: representing the forwarded agent connection. CVE-2017-6541 (Multiple Cross-Site Scripting (XSS) issues were discovered in ...) NOT-FOR-US: webpagetest CVE-2017-6540 (Multiple Cross-Site Scripting (XSS) issues were discovered in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
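Review bot: the new NOTE lines in this hunk read "the attacker can already be able to connect to the Unix-domain socket", which is ungrammatical; suggest "the attacker is already able to connect to the Unix-domain socket". The no-dsa marking for jessie is consistent with the two preconditions the note states (agent forwarding off by default, prior access to the forwarded-agent socket), and the "Fixed by" upstream commit reference leaves a clear pointer should the assessment be revisited.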
[Secure-testing-commits] r50157 - bin
Author: pabs Date: 2017-03-29 05:20:21 + (Wed, 29 Mar 2017) New Revision: 50157 Modified: bin/tracker_service.py Log: Fix typo Modified: bin/tracker_service.py === --- bin/tracker_service.py 2017-03-29 04:48:56 UTC (rev 50156) +++ bin/tracker_service.py 2017-03-29 05:20:21 UTC (rev 50157) @@ -1525,7 +1525,7 @@ % (int(y), int(number))) return None -def url_dla(self, url, dla, re_dsa=re.compile(r'^DLA-(\d+)(?:-\d+)?$')): +def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(?:-\d+)?$')): match = re_dla.match(dla) if match: # We must determine the year because there is no generic URL. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
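Review bot: renaming the keyword parameter from re_dsa to re_dla is the right fix: the body of url_dla calls re_dla.match(dla), so with the old signature re_dla was never bound and every DLA lookup raised NameError. Since the pattern is compiled once as a default argument, callers are not expected to pass their own; a one-line comment saying the parameter is a compile-once idiom (like the re_dsa default in the neighbouring DSA helper this was copied from) would stop the next reader from "fixing" it the other way.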
[Secure-testing-commits] r50156 - bin
Author: pabs Date: 2017-03-29 04:48:56 + (Wed, 29 Mar 2017) New Revision: 50156 Modified: bin/tracker_service.py Log: Link to DLA details on www.d.o from the Source field (Closes: #761945) Modified: bin/tracker_service.py === --- bin/tracker_service.py 2017-03-29 04:46:57 UTC (rev 50155) +++ bin/tracker_service.py 2017-03-29 04:48:56 UTC (rev 50156) @@ -397,7 +397,7 @@ elif source == 'DTSA': source_xref = 'Debian Testing Security Team' elif source == 'DLA': -source_xref = 'Debian LTS Team' +source_xref = self.make_dla_ref(url, bug.name, 'Debian LTS') elif source == 'TEMP': source_xref = ( 'Automatically generated temporary name. Not for external reference.') @@ -1525,6 +1525,18 @@ % (int(y), int(number))) return None +def url_dla(self, url, dla, re_dsa=re.compile(r'^DLA-(\d+)(?:-\d+)?$')): +match = re_dla.match(dla) +if match: +# We must determine the year because there is no generic URL. +(number,) = match.groups() +for (date,) in self.db.cursor().execute( +"SELECT release_date FROM bugs WHERE name = ?", (dla,)): +(y, m, d) = date.split('-') +return url.absolute("https://www.debian.org/security/%d/dla-%d; +% (int(y), int(number))) +return None + def url_debian_bug(self, url, debian): return url.absolute("https://bugs.debian.org/cgi-bin/bugreport.cgi;, bug=str(debian)) @@ -1649,6 +1661,15 @@ else: return name +def make_dla_ref(self, url, dla, name=None): +if name is None: +name = dla +u = self.url_dla(url, dla) +if u: +return A(u, name) +else: +return name + def make_source_code_ref(self, url, pkg, name=None): if name is None: name = pkg ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
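Review bot: the url_dla method added in the second hunk declares its pattern parameter as re_dsa but calls re_dla.match(dla), so re_dla is unbound and the first DLA reference rendered through make_dla_ref will raise NameError; the parameter should be named re_dla (r50157 on this page corrects exactly this). The rest of the method is sound: the SELECT binds the DLA name as a parameter rather than formatting it into the query, the year is taken from the first release_date row, and when no row exists the function returns None, which make_dla_ref in the third hunk handles by emitting the plain name instead of a link.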
[Secure-testing-commits] r50155 - data/CVE
Author: carnil Date: 2017-03-29 04:46:57 + (Wed, 29 Mar 2017) New Revision: 50155 Modified: data/CVE/list Log: Add CVE-2017-7294 Modified: data/CVE/list === --- data/CVE/list 2017-03-29 04:12:34 UTC (rev 50154) +++ data/CVE/list 2017-03-29 04:46:57 UTC (rev 50155) @@ -1,3 +1,5 @@ +CVE-2017-7294 [drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl()] + - linux CVE-2017-7292 RESERVED CVE-2017-7291 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50154 - data/CVE
Author: carnil Date: 2017-03-29 04:12:34 + (Wed, 29 Mar 2017) New Revision: 50154 Modified: data/CVE/list Log: Update CVE-2017-7187 with kernel-sec triaging Modified: data/CVE/list === --- data/CVE/list 2017-03-28 23:23:13 UTC (rev 50153) +++ data/CVE/list 2017-03-29 04:12:34 UTC (rev 50154) @@ -522,6 +522,8 @@ RESERVED CVE-2017-7187 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through ...) - linux + [jessie] - linux (Introduced in 3.17) + [wheezy] - linux (Introduced in 3.17) CVE-2017-7185 RESERVED CVE-2017-7183 (The TFTP server in ExtraPuTTY 0.30 and earlier allows remote attackers ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50153 - data
Author: anarcat Date: 2017-03-28 23:23:13 + (Tue, 28 Mar 2017) New Revision: 50153 Modified: data/dla-needed.txt Log: claim firebird Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 22:06:00 UTC (rev 50152) +++ data/dla-needed.txt 2017-03-28 23:23:13 UTC (rev 50153) @@ -22,7 +22,7 @@ -- chicken -- -firebird2.5 +firebird2.5 (Antoine Beaupre) NOTE: The maintainer has told that he will not work on this update so NOTE: feel free to take this one. -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50152 - data/CVE
Author: jmm Date: 2017-03-28 22:06:00 + (Tue, 28 Mar 2017) New Revision: 50152 Modified: data/CVE/list Log: ntopng no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-03-28 22:00:05 UTC (rev 50151) +++ data/CVE/list 2017-03-28 22:06:00 UTC (rev 50152) @@ -5352,6 +5352,7 @@ - serendipity CVE-2017-5473 (Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 ...) - ntopng 2.4+dfsg1-3 (bug #852109) + [jessie] - ntopng (Minor issue) NOTE: https://github.com/ntop/ntopng/commit/1b2ceac8f578a246af6351c4f476e3102cdf21b3 NOTE: https://github.com/ntop/ntopng/commit/f91fbe3d94c8346884271838ae3406ae633f6f15 CVE-2017-5472 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50151 - data/CVE
Author: jmm Date: 2017-03-28 22:00:05 + (Tue, 28 Mar 2017) New Revision: 50151 Modified: data/CVE/list Log: sleekxmpp n/a in jessie Modified: data/CVE/list === --- data/CVE/list 2017-03-28 21:47:28 UTC (rev 50150) +++ data/CVE/list 2017-03-28 22:00:05 UTC (rev 50151) @@ -4846,6 +4846,7 @@ [jessie] - profanity (Vulnerable code not present) CVE-2017-5591 (An incorrect implementation of XEP-0280: Message Carbons in multiple ...) - sleekxmpp (bug #854739) + [jessie] - sleekxmpp (vulnerable code not present, XEP-0280 not implemented) [wheezy] - sleekxmpp (vulnerable code not present, XEP-0280 not implemented) - slixmpp 1.2.2-1.1 (bug #854740) CVE-2017-5590 (An incorrect implementation of XEP-0280: Message Carbons in multiple ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50150 - data/CVE
Author: jmm Date: 2017-03-28 21:47:28 + (Tue, 28 Mar 2017) New Revision: 50150 Modified: data/CVE/list Log: android updates Modified: data/CVE/list === --- data/CVE/list 2017-03-28 21:28:15 UTC (rev 50149) +++ data/CVE/list 2017-03-28 21:47:28 UTC (rev 50150) @@ -37633,7 +37633,7 @@ CVE-2016-3922 (libril/RilSapSocket.cpp in Telephony in Android 6.x before 2016-10-01 ...) NOT-FOR-US: Android Telephony CVE-2016-3921 (libsysutils/src/FrameworkListener.cpp in Framework Listener in Android ...) - - android-platform-system-core (bug #858177) + - android-platform-system-core (libsysutils not included, bug #858177) CVE-2016-3920 (id3/ID3.cpp in libstagefright in mediaserver in Android 5.0.x before ...) NOT-FOR-US: libstagefright CVE-2016-3919 @@ -37705,7 +37705,7 @@ CVE-2016-3886 (systemui/statusbar/phone/QuickStatusBarHeader.java in the System UI ...) NOT-FOR-US: Android CVE-2016-3885 (debuggerd/debuggerd.cpp in Debuggerd in Android 5.0.x before 5.0.2, ...) - - android-platform-system-core (bug #858177) + - android-platform-system-core (debugged not provided, see bug #858177) CVE-2016-3884 (server/notification/NotificationManagerService.java in the ...) NOT-FOR-US: Android CVE-2016-3883 (internal/telephony/SMSDispatcher.java in Telephony in Android 4.x ...) 
@@ -37755,7 +37755,8 @@ CVE-2016-3862 (media/ExifInterface.java in mediaserver in Android 4.x before 4.4.4, ...) NOT-FOR-US: libstagefright CVE-2016-3861 (LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before ...) - - android-platform-system-core (bug #858177) + - android-platform-system-core 1:7.0.0+r1-4 (unimportant; bug #858177) + NOTE: Not running as a privileged process in SDK CVE-2016-3860 (sound/soc/msm/qdsp6v2/audio_calibration.c in the Qualcomm sound driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3859 (The Qualcomm camera driver in Android before 2016-09-05 on Nexus 5, ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
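Review bot: the annotation added for CVE-2016-3885 in the @@ -37705 hunk reads "debugged not provided, see bug #858177" while the CVE text names debuggerd/debuggerd.cpp; suggest "debuggerd not provided, see bug #858177" so the stated reason matches the component. The other two hunks follow the usual tracker pattern (component not included in the Debian source, or a fixed version marked unimportant with a NOTE giving the reason), so no further change needed there.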
[Secure-testing-commits] r50149 - data/CVE
Author: jmm Date: 2017-03-28 21:28:15 + (Tue, 28 Mar 2017) New Revision: 50149 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-03-28 21:10:12 UTC (rev 50148) +++ data/CVE/list 2017-03-28 21:28:15 UTC (rev 50149) @@ -24010,7 +24010,7 @@ CVE-2016-8032 RESERVED CVE-2016-8031 (Software Integrity Attacks vulnerability in Intel Security Anti-Virus ...) - TODO: check + NOT-FOR-US: Intel antivirus CVE-2016-8030 RESERVED CVE-2016-8029 @@ -27430,7 +27430,7 @@ NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.42 NOTE: This is though only Windows/IIS specific, thus marked as not-affected, cf. #84 CVE-2016-6807 (Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) ...) - TODO: check + NOT-FOR-US: Ambari Agent CVE-2016-6806 RESERVED CVE-2016-6805 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50148 - data/CVE
Author: sectracker Date: 2017-03-28 21:10:12 + (Tue, 28 Mar 2017) New Revision: 50148 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-03-28 20:29:31 UTC (rev 50147) +++ data/CVE/list 2017-03-28 21:10:12 UTC (rev 50148) @@ -1,3 +1,15 @@ +CVE-2017-7292 + RESERVED +CVE-2017-7291 + RESERVED +CVE-2017-7290 + RESERVED +CVE-2017-7289 + RESERVED +CVE-2017-7288 + RESERVED +CVE-2017-7287 + RESERVED CVE-2017-7286 RESERVED CVE-2016-10303 @@ -248,12 +260,14 @@ NOTE: https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608 CVE-2016-10269 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service ...) + {DLA-877-1} - tiff 4.0.7-2 - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2604 CVE-2016-10268 (tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a ...) + {DLA-877-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (issue in tiffcp that is not shipped by the source package) @@ -261,12 +275,14 @@ NOTE: https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2598 CVE-2016-10267 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service ...) + {DLA-877-1} - tiff 4.0.7-2 - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero/ NOTE: https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2611 CVE-2016-10266 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service ...) + {DLA-877-1} - tiff 4.0.7-2 - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero 
@@ -994,7 +1010,7 @@ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21137 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493 CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian and ...) - {DLA-876-1} + {DSA-3823-1 DLA-876-1} - eject 2.1.5+deb1+cvs20081104-13.2 (bug #858872) NOTE: https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627 CVE-2017-6963 @@ -1395,9 +1411,11 @@ CVE-2017-6798 (Trend Micro Endpoint Sensor 1.6 before b1290 has a DLL hijacking ...) NOT-FOR-US: Trend Micro Endpoint Sensor CVE-2017-6802 (An issue was discovered in ytnef before 1.9.2. There is a potential ...) + {DLA-878-1} - libytnef 1.9.2-1 NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/22f8346c8d4f0020a40d9f258fdb3bfc097359cc CVE-2017-6801 (An issue was discovered in ytnef before 1.9.2. There is a potential ...) + {DLA-878-1} - libytnef 1.9.2-1 NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/3cb0f914d6427073f262e1b2b5fd973e3043cdf7 CVE-2017-6800 (An issue was discovered in ytnef before 1.9.2. An invalid memory access ...) 
@@ -2823,41 +2841,49 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6305 (An issue was discovered in ytnef before 1.9.1. This is related to a ...) + {DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6304 (An issue was discovered in ytnef before 1.9.1. This is related to a ...) + {DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6303 (An issue was discovered in ytnef before 1.9.1. This is related to a ...) + {DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6302 (An issue was discovered in ytnef before 1.9.1. This is related to a ...) + {DLA-878-1} - libytnef 1.9.1-1 NOTE:
[Secure-testing-commits] r50147 - in data: . DLA
Author: anarcat Date: 2017-03-28 20:29:31 + (Tue, 28 Mar 2017) New Revision: 50147 Modified: data/DLA/list data/dla-needed.txt Log: reserve DLA-547-2 regression upload Modified: data/DLA/list === --- data/DLA/list 2017-03-28 20:24:27 UTC (rev 50146) +++ data/DLA/list 2017-03-28 20:29:31 UTC (rev 50147) @@ -1,6 +1,8 @@ [28 Mar 2017] DLA-878-1 libytnef - security update {CVE-2017-6298 CVE-2017-6299 CVE-2017-6300 CVE-2017-6301 CVE-2017-6302 CVE-2017-6303 CVE-2017-6304 CVE-2017-6305 CVE-2017-6801 CVE-2017-6802} [wheezy] - libytnef 1.5-4+deb7u1 +[28 Mar 2017] DLA-547-2 graphicsmagick - regression update + [wheezy] - graphicsmagick 1.3.16-1.1+deb7u6 [28 Mar 2017] DLA-877-1 tiff - security update {CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269} [wheezy] - tiff 4.0.2-6+deb7u11 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 20:24:27 UTC (rev 50146) +++ data/dla-needed.txt 2017-03-28 20:29:31 UTC (rev 50147) @@ -30,13 +30,6 @@ NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is now NOTE: EOL. I have already started to look at ESR 52 to anticipate any problems -- -graphicsmagick (Antoine Beaupre) - NOTE: seems only a single memory/CPU DOS at this point, maybe wait for more issues? - NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next upload. - NOTE: Incomplete/Incorrect fix as per https://lists.debian.org/debian-lts/2016/12/msg00077.html - NOTE: Subject of announce mail also contained typo (DLA-574-1 vs. DLA-547-1) - NOTE: update available for testing in: https://lists.debian.org/87inpe4wgu@curie.anarc.at --- icedove NOTE: maintainer currenlty planx to rename to thunderbird with the next NOTE: upstream version (#851989). Jessie / Wheezy should do the same. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50146 - data
Author: alteholz Date: 2017-03-28 20:24:27 + (Tue, 28 Mar 2017) New Revision: 50146 Modified: data/dla-needed.txt Log: patches seem to be available now Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 20:19:47 UTC (rev 50145) +++ data/dla-needed.txt 2017-03-28 20:24:27 UTC (rev 50146) @@ -42,7 +42,6 @@ NOTE: upstream version (#851989). Jessie / Wheezy should do the same. -- jasper (Thorsten Alteholz) - NOTE: no upstream fixes yet -- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50145 - in data: . DLA
Author: alteholz Date: 2017-03-28 20:19:47 + (Tue, 28 Mar 2017) New Revision: 50145 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-878-1 for libytnef Modified: data/DLA/list === --- data/DLA/list 2017-03-28 20:17:56 UTC (rev 50144) +++ data/DLA/list 2017-03-28 20:19:47 UTC (rev 50145) @@ -1,3 +1,6 @@ +[28 Mar 2017] DLA-878-1 libytnef - security update + {CVE-2017-6298 CVE-2017-6299 CVE-2017-6300 CVE-2017-6301 CVE-2017-6302 CVE-2017-6303 CVE-2017-6304 CVE-2017-6305 CVE-2017-6801 CVE-2017-6802} + [wheezy] - libytnef 1.5-4+deb7u1 [28 Mar 2017] DLA-877-1 tiff - security update {CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269} [wheezy] - tiff 4.0.2-6+deb7u11 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 20:17:56 UTC (rev 50144) +++ data/dla-needed.txt 2017-03-28 20:19:47 UTC (rev 50145) @@ -74,8 +74,6 @@ NOTE: 2016-12-13: Upstream ping here: https://rt.cpan.org/Public/Bug/Display.html?id=118097#txn-1690223 NOTE: 2017-01-20 and 2017-03-09: Ping upstream by private email -- Raphael Hertzog -- -libytnef (Thorsten Alteholz) --- linux -- logback ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50144 - data/CVE
Author: alteholz Date: 2017-03-28 20:17:56 + (Tue, 28 Mar 2017) New Revision: 50144 Modified: data/CVE/list Log: mark CVE-2017-6800 as not affected for Wheezy Modified: data/CVE/list === --- data/CVE/list 2017-03-28 18:50:24 UTC (rev 50143) +++ data/CVE/list 2017-03-28 20:17:56 UTC (rev 50144) @@ -1402,6 +1402,7 @@ NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/3cb0f914d6427073f262e1b2b5fd973e3043cdf7 CVE-2017-6800 (An issue was discovered in ytnef before 1.9.2. An invalid memory access ...) - libytnef 1.9.2-1 + [wheezy] - libytnef (vulnerable code not present) NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/f98f5d4adc1c4bd4033638f6167c1bb95d642f89 CVE-2017-6799 (A cross-site scripting (XSS) vulnerability in view_filters_page.php in ...) - mantis (Vulnerable versions only 2.1.0 through 2.2.0) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50143 - data/CVE
Author: carnil Date: 2017-03-28 18:50:24 + (Tue, 28 Mar 2017) New Revision: 50143 Modified: data/CVE/list Log: Update comments for CVE-2017-7275 Modified: data/CVE/list === --- data/CVE/list 2017-03-28 18:07:18 UTC (rev 50142) +++ data/CVE/list 2017-03-28 18:50:24 UTC (rev 50143) @@ -154,7 +154,8 @@ - imagemagick NOTE: https://blogs.gentoo.org/ago/2017/03/27/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866/ NOTE: https://github.com/ImageMagick/ImageMagick/issues/271 - TODO: check (need to check if we are affected by the second incomplete fix as well) + NOTE: Furthermore: upstream is not able to reproduce the problem as well + TODO: check (need to check if we are affected by the second incomplete fix as well, do not update prematurely this entry until clear from upstream) CVE-2017-7274 (The r_pkcs7_parse_cms function in libr/util/r_pkcs7.c in radare2 1.3.0 ...) - radare2 (Vulnerable parsers introduced in 1.3.0-git, cf. #858873) NOTE: https://github.com/radare/radare2/commit/7ab66cca5bbdf6cb2d69339ef4f513d95e532dbf ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50142 - data/CVE
Author: carnil Date: 2017-03-28 18:07:18 + (Tue, 28 Mar 2017) New Revision: 50142 Modified: data/CVE/list Log: CVE-2017-5029/libxslt fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-03-28 18:00:35 UTC (rev 50141) +++ data/CVE/list 2017-03-28 18:07:18 UTC (rev 50142) @@ -6812,7 +6812,7 @@ {DSA-3810-1 DLA-866-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) - - libxslt (bug #858546) + - libxslt 1.1.29-2.1 (bug #858546) NOTE: Upstream fix in libxslt: https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5 CVE-2017-5028 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50141 - data/CVE
Author: carnil Date: 2017-03-28 18:00:35 + (Tue, 28 Mar 2017) New Revision: 50141 Modified: data/CVE/list Log: Mark logback as no-dsa for jessie Modified: data/CVE/list === --- data/CVE/list 2017-03-28 17:29:51 UTC (rev 50140) +++ data/CVE/list 2017-03-28 18:00:35 UTC (rev 50141) @@ -3776,6 +3776,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/6 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting ...) - logback 1:1.1.9-2 (bug #857343) + [jessie] - logback (Minor issue; can be fixed via point release) NOTE: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web ...) NOT-FOR-US: Design limitation of W3C High Resolution Time API ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50140 - data/CVE
Author: carnil Date: 2017-03-28 17:29:51 + (Tue, 28 Mar 2017) New Revision: 50140 Modified: data/CVE/list Log: And CVE-2016-9571 actually got rejected, remove Apache Camel as affected source Modified: data/CVE/list === --- data/CVE/list 2017-03-28 17:28:57 UTC (rev 50139) +++ data/CVE/list 2017-03-28 17:29:51 UTC (rev 50140) @@ -18450,7 +18450,7 @@ NOTE: https://github.com/uclouvain/openjpeg/issues/863 NOTE: https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d CVE-2016-9571 (Apache Camel's camel-jackson and camel-jacksonxml components are ...) - NOT-FOR-US: Apache Camel + REJECTED CVE-2016-9570 RESERVED CVE-2016-9569 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50139 - data/CVE
Author: carnil Date: 2017-03-28 17:28:57 + (Tue, 28 Mar 2017) New Revision: 50139 Modified: data/CVE/list Log: Resolve confusion about CVE-2016-9571 and CVE-2016-9606 Modified: data/CVE/list === --- data/CVE/list 2017-03-28 16:11:01 UTC (rev 50138) +++ data/CVE/list 2017-03-28 17:28:57 UTC (rev 50139) @@ -18269,6 +18269,8 @@ RESERVED CVE-2016-9606 RESERVED + - resteasy (bug #851430) + [jessie] - resteasy (Minor issue) CVE-2016-9605 [Cross site scripting in profile page] RESERVED - cobbler (bug #858844) @@ -18448,8 +18450,7 @@ NOTE: https://github.com/uclouvain/openjpeg/issues/863 NOTE: https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d CVE-2016-9571 (Apache Camel's camel-jackson and camel-jacksonxml components are ...) - - resteasy (bug #851430) - [jessie] - resteasy (Minor issue) + NOT-FOR-US: Apache Camel CVE-2016-9570 RESERVED CVE-2016-9569 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50138 - data/CVE
Author: carnil Date: 2017-03-28 16:11:01 + (Tue, 28 Mar 2017) New Revision: 50138 Modified: data/CVE/list Log: logback fixed in unstable with 1:1.1.9-2 upload Modified: data/CVE/list === --- data/CVE/list 2017-03-28 16:01:32 UTC (rev 50137) +++ data/CVE/list 2017-03-28 16:11:01 UTC (rev 50138) @@ -3775,7 +3775,7 @@ [wheezy] - postfixadmin (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/6 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting ...) - - logback (bug #857343) + - logback 1:1.1.9-2 (bug #857343) NOTE: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web ...) NOT-FOR-US: Design limitation of W3C High Resolution Time API ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50137 - data/CVE
Author: carnil Date: 2017-03-28 16:01:32 + (Tue, 28 Mar 2017) New Revision: 50137 Modified: data/CVE/list Log: Update NFUs Modified: data/CVE/list === --- data/CVE/list 2017-03-28 15:55:55 UTC (rev 50136) +++ data/CVE/list 2017-03-28 16:01:32 UTC (rev 50137) @@ -20690,7 +20690,7 @@ CVE-2016-8961 (IBM BigFix Inventory v9 could allow a remote attacker to conduct ...) NOT-FOR-US: IBM CVE-2016-8960 (IBM Cognos Business Intelligence 10.2 could allow a user with lower ...) - TODO: check + NOT-FOR-US: IBM Cognos Business Intelligence CVE-2016-8959 RESERVED CVE-2016-8958 @@ -30221,7 +30221,7 @@ CVE-2016-6103 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to ...) NOT-FOR-US: IBM CVE-2016-6102 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 stores sensitive ...) - TODO: check + NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2016-6101 RESERVED CVE-2016-6100 @@ -30313,7 +30313,7 @@ CVE-2016-6057 RESERVED CVE-2016-6056 (IBM Call Center for Commerce 9.3 and 9.4 is vulnerable to cross-site ...) - TODO: check + NOT-FOR-US: IBM Call Center for Commerce CVE-2016-6055 (IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2016-6054 (IBM Jazz Foundation is vulnerable to cross-site scripting. This ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50136 - data
Author: agx Date: 2017-03-28 15:55:55 + (Tue, 28 Mar 2017) New Revision: 50136 Modified: data/dla-needed.txt Log: Add logback Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 15:33:43 UTC (rev 50135) +++ data/dla-needed.txt 2017-03-28 15:55:55 UTC (rev 50136) @@ -78,6 +78,8 @@ -- linux -- +logback +-- mcollective NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50134 - data/CVE
Author: carnil Date: 2017-03-28 15:33:39 + (Tue, 28 Mar 2017) New Revision: 50134 Modified: data/CVE/list Log: Sort entries for apt-cacher-ng Modified: data/CVE/list === --- data/CVE/list 2017-03-28 15:29:31 UTC (rev 50133) +++ data/CVE/list 2017-03-28 15:33:39 UTC (rev 50134) @@ -203,10 +203,10 @@ CVE-2017- [apt-cacher http response splitting] - apt-cacher-ng 3-1 (bug #858833) [jessie] - apt-cacher-ng (Minor issue) + [wheezy] - apt-cacher-ng (Minor issue) - apt-cacher 1.7.15 (bug #858739) [jessie] - apt-cacher (Minor issue) [wheezy] - apt-cacher 1.7.6+deb7u1 - [wheezy] - apt-cacher-ng (Minor issue) NOTE: Workaround entry for DLA-873-1 since no CVE assigned CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 allows ...) - amd64-microcode ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50135 - data/DSA
Author: carnil Date: 2017-03-28 15:33:43 + (Tue, 28 Mar 2017) New Revision: 50135 Modified: data/DSA/list Log: Reserve DSA number for eject Modified: data/DSA/list === --- data/DSA/list 2017-03-28 15:33:39 UTC (rev 50134) +++ data/DSA/list 2017-03-28 15:33:43 UTC (rev 50135) @@ -1,3 +1,6 @@ +[28 Mar 2017] DSA-3823-1 eject - security update + {CVE-2017-6964} + [jessie] - eject 2.1.5+deb1+cvs20081104-13.1+deb8u1 [27 Mar 2017] DSA-3822-1 gstreamer1.0 - security update {CVE-2017-5838} [jessie] - gstreamer1.0 1.4.4-2+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50133 - data/CVE
Author: agx Date: 2017-03-28 15:29:31 + (Tue, 28 Mar 2017) New Revision: 50133 Modified: data/CVE/list Log: lts: mark apt-cacher-ng as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-03-28 15:05:24 UTC (rev 50132) +++ data/CVE/list 2017-03-28 15:29:31 UTC (rev 50133) @@ -206,6 +206,7 @@ - apt-cacher 1.7.15 (bug #858739) [jessie] - apt-cacher (Minor issue) [wheezy] - apt-cacher 1.7.6+deb7u1 + [wheezy] - apt-cacher-ng (Minor issue) NOTE: Workaround entry for DLA-873-1 since no CVE assigned CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 allows ...) - amd64-microcode ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
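Review bot: the added "[wheezy] - apt-cacher-ng (Minor issue)" line is placed after the apt-cacher lines rather than directly under the apt-cacher-ng source entry, where its "[jessie] - apt-cacher-ng (Minor issue)" line already sits; suite annotations belong immediately beneath their own source package so the tracker associates them with the right entry. r50134 on this page moves the line to the correct position.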
[Secure-testing-commits] r50132 - data
Author: anarcat Date: 2017-03-28 15:05:24 + (Tue, 28 Mar 2017) New Revision: 50132 Modified: data/dla-needed.txt Log: note ca-certificates is handled by maintainer on wheezy Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 14:34:22 UTC (rev 50131) +++ data/dla-needed.txt 2017-03-28 15:05:24 UTC (rev 50132) @@ -18,9 +18,7 @@ NOTE: low impact. -- ca-certificates - NOTE: waiting for stable/sid update, see - NOTE: https://lists.debian.org/debian-lts/2017/03/msg00153.html - NOTE: likely to come in the next point release, see also #858539 + NOTE: maintainer will handle the upload, see https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org -- chicken -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
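Review bot: the rewrite drops the reference to bug #858539 and to the debian-lts thread along with the outdated "waiting for stable/sid update" text; keep the bug number in the new NOTE so that the context for the pending ca-certificates update survives, since the replacement line only records that the maintainer will upload and points at a single mail.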
[Secure-testing-commits] r50131 - data/CVE
Author: hertzog Date: 2017-03-28 14:34:22 + (Tue, 28 Mar 2017) New Revision: 50131 Modified: data/CVE/list Log: Add a bunch of missing "tiff3" assignations Modified: data/CVE/list === --- data/CVE/list 2017-03-28 13:42:37 UTC (rev 50130) +++ data/CVE/list 2017-03-28 14:34:22 UTC (rev 50131) @@ -7084,6 +7084,7 @@ CVE-2016-10095 (Stack-based buffer overflow in the _TIFFVGetField function in ...) - tiff (bug #850316) [wheezy] - tiff 4.0.2-6+deb7u7 + - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2625 NOTE: probably preemptively fixed in 4.0.2-6+deb7u7 wheezy upload, as test case doesn't trigger issue NOTE: similar to CVE-2015-7554 and CVE-2016-5318 @@ -7091,16 +7092,19 @@ {DSA-3762-1} - tiff 4.0.7-4 [wheezy] - tiff (vulnerable code introduced later) + - tiff3 (vulnerable code introduced later) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2640 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c CVE-2016-10093 (Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 allows remote ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 + - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2610 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec CVE-2016-10092 (Heap-based buffer overflow in the readContigStripsIntoBuffer function ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 + - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a CVE-2016-10091 [stack-based buffer overflows in cmd_* functions] 
@@ -19707,35 +19711,43 @@ CVE-2016-9540 (tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 + - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 CVE-2016-9539 (tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in ...) - tiff 4.0.7-1 (unimportant) + - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 NOTE: Crash in CLI tool, no security impact CVE-2016-9538 (tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 + - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f CVE-2016-9537 (tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 + - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f CVE-2016-9536 (tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 + - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5173a9b3b48146e4fd86d7b9b346115e CVE-2016-9535 (tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that ...) {DLA-795-1} - tiff 4.0.7-1 + - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 NOTE: https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 CVE-2016-9534 (tif_write.c in libtiff 4.0.6 has an issue in the error code path of ...) 
{DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 + - tiff3 NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5be5ce02d0dea67050d5b2a10102d1ba CVE-2016-9533 (tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 + - tiff3 NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef CVE-2016-9532 (Integer overflow in the writeBufferToSeparateStrips function in ...) {DSA-3762-1 DLA-716-1} @@ -36101,6 +36113,7 @@ [wheezy] - tiff 4.0.2-6+deb7u4 NOTE: Fixed already with the patch applied in 4.0.3-12 in unstable for the NOTE: CVE-2014-9330 issue. + - tiff3 (libtiff-tools not shipped in tiff3) CVE-2013-7455 (Double free vulnerability in the DefaultICCintents function in ...) - lcms2 2.6-1 [wheezy] - lcms2 (vulnerable code not present, no cmsPipelineFree(Lut); in Error:-part) @@ -43585,24 +43598,28 @@ CVE-2015-8783 (tif_luv.c in libtiff allows
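Review bot: the tiff3 lines are written as bare `- tiff3 (reason)` entries, e.g. `- tiff3 (vulnerable code introduced later)` and `- tiff3 (tiff3 not shipping tools)`; in the list syntax a package entry without a version or status marker is an unfixed entry with a note, not a not-affected one, so if the intent is that tiff3 is not affected these should use `<not-affected>`. The wording of the reason also varies within the same commit (`(tiff3 not shipping tools)` in the 9540..9536 hunks, `(libtiff-tools not shipped in tiff3)` in the CVE-2013-* hunk); pick one phrasing for the tools-only issues.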
[Secure-testing-commits] r50130 - in data: . DLA
Author: hertzog Date: 2017-03-28 13:42:37 + (Tue, 28 Mar 2017) New Revision: 50130 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-877-1 for tiff Modified: data/DLA/list === --- data/DLA/list 2017-03-28 13:39:43 UTC (rev 50129) +++ data/DLA/list 2017-03-28 13:42:37 UTC (rev 50130) @@ -1,3 +1,6 @@ +[28 Mar 2017] DLA-877-1 tiff - security update + {CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269} + [wheezy] - tiff 4.0.2-6+deb7u11 [28 Mar 2017] DLA-876-1 eject - security update {CVE-2017-6964} [wheezy] - eject 2.1.5+deb1+cvs20081104-13+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 13:39:43 UTC (rev 50129) +++ data/dla-needed.txt 2017-03-28 13:42:37 UTC (rev 50130) @@ -124,8 +124,6 @@ NOTE: from my point of view backporting the introduction of these new members to this old NOTE: version is way to invasive and such this should be marked as -- -tiff (Raphaël Hertzog) --- tiff3 (Raphaël Hertzog) -- tzdata (Emilio Pozuelo) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
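Review bot: the dla-needed.txt hunk removes both `tiff` and `tiff3`, but DLA-877-1 covers only source package tiff (`4.0.2-6+deb7u11`) and only CVE-2016-10266 through CVE-2016-10269. Of those four, only CVE-2016-10268 has received a wheezy tiff3 annotation (r50129); the other three, and the tiff3 lines added in r50124 and r50131, are still bare `- tiff3` entries with no wheezy status, so either tiff3 should stay in dla-needed.txt or each of those CVEs needs a `[wheezy] - tiff3 ...` line stating why no update is needed.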
[Secure-testing-commits] r50129 - data/CVE
Author: hertzog Date: 2017-03-28 13:39:43 + (Tue, 28 Mar 2017) New Revision: 50129 Modified: data/CVE/list Log: Mark CVE-2016-10268 as not affecting tiff3 in wheezy Modified: data/CVE/list === --- data/CVE/list 2017-03-28 13:16:56 UTC (rev 50128) +++ data/CVE/list 2017-03-28 13:39:43 UTC (rev 50129) @@ -254,6 +254,7 @@ CVE-2016-10268 (tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a ...) - tiff 4.0.7-2 - tiff3 + [wheezy] - tiff3 (issue in tiffcp that is not shipped by the source package) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2598 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
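Review bot: `[wheezy] - tiff3 (issue in tiffcp that is not shipped by the source package)` uses the release-line-with-reason form, which is the no-dsa notation; a component that is not built from the source package is a `<not-affected>` case, so `[wheezy] - tiff3 <not-affected> (tiffcp not shipped by tiff3)` states the situation precisely. The preceding `- tiff3` line stays bare, so the unstable-side status of tiff3 for CVE-2016-10268 is still left open by this hunk.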
[Secure-testing-commits] r50128 - data
Author: hertzog Date: 2017-03-28 13:16:56 + (Tue, 28 Mar 2017) New Revision: 50128 Modified: data/dla-needed.txt Log: Add tiff3 to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 12:55:20 UTC (rev 50127) +++ data/dla-needed.txt 2017-03-28 13:16:56 UTC (rev 50128) @@ -126,6 +126,8 @@ -- tiff (Raphaël Hertzog) -- +tiff3 (Raphaël Hertzog) +-- tzdata (Emilio Pozuelo) -- web2py (Brian May) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50127 - data/CVE
Author: carnil Date: 2017-03-28 12:55:20 + (Tue, 28 Mar 2017) New Revision: 50127 Modified: data/CVE/list Log: Remove unecessary comment, already covered in the BTS Modified: data/CVE/list === --- data/CVE/list 2017-03-28 12:39:12 UTC (rev 50126) +++ data/CVE/list 2017-03-28 12:55:20 UTC (rev 50127) @@ -1997,7 +1997,7 @@ NOT-FOR-US: burgundy-cms CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect handling of ...) - apparmor 2.11.0-3 (bug #858768) - [jessie] - apparmor (Minor issue, cf #858768) + [jessie] - apparmor (Minor issue) [wheezy] - apparmor (Experimental/unsupported feature) NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647 NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50126 - data/CVE
Author: carnil Date: 2017-03-28 12:39:12 + (Tue, 28 Mar 2017) New Revision: 50126 Modified: data/CVE/list Log: Mark CVE-2017-6507/apparmor as no-dsa for jessie Modified: data/CVE/list === --- data/CVE/list 2017-03-28 11:39:40 UTC (rev 50125) +++ data/CVE/list 2017-03-28 12:39:12 UTC (rev 50126) @@ -1997,6 +1997,7 @@ NOT-FOR-US: burgundy-cms CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect handling of ...) - apparmor 2.11.0-3 (bug #858768) + [jessie] - apparmor (Minor issue, cf #858768) [wheezy] - apparmor (Experimental/unsupported feature) NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647 NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
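Review bot: the reason text `(Minor issue, cf #858768)` repeats the bug number that is already on the unstable line `- apparmor 2.11.0-3 (bug #858768)` directly above; `(Minor issue)` alone is enough, since the tracker links the bug from the package line.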
[Secure-testing-commits] r50125 - data/CVE
Author: carnil Date: 2017-03-28 11:39:40 + (Tue, 28 Mar 2017) New Revision: 50125 Modified: data/CVE/list Log: Add CVE-2017-6507/apparmor fix to unstable Modified: data/CVE/list === --- data/CVE/list 2017-03-28 11:26:22 UTC (rev 50124) +++ data/CVE/list 2017-03-28 11:39:40 UTC (rev 50125) @@ -1996,7 +1996,7 @@ CVE-2017-6509 (Smith0r/burgundy-cms before 2017-03-06 is vulnerable to a reflected XSS ...) NOT-FOR-US: burgundy-cms CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect handling of ...) - - apparmor (bug #858768) + - apparmor 2.11.0-3 (bug #858768) [wheezy] - apparmor (Experimental/unsupported feature) NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647 NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50124 - data/CVE
Author: carnil Date: 2017-03-28 11:26:22 + (Tue, 28 Mar 2017) New Revision: 50124 Modified: data/CVE/list Log: Add renamed source package for various tiff CVEs Modified: data/CVE/list === --- data/CVE/list 2017-03-28 10:39:47 UTC (rev 50123) +++ data/CVE/list 2017-03-28 11:26:22 UTC (rev 50124) @@ -226,12 +226,14 @@ CVE-2016-10272 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 + - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620 CVE-2016-10271 (tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 + - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620 
@@ -245,21 +247,25 @@ NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608 CVE-2016-10269 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service ...) - tiff 4.0.7-2 + - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2604 CVE-2016-10268 (tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a ...) - tiff 4.0.7-2 + - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2598 CVE-2016-10267 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service ...) - tiff 4.0.7-2 + - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero/ NOTE: https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2611 CVE-2016-10266 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service ...) - tiff 4.0.7-2 + - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero NOTE: https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2596 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
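Review bot: every `- tiff3` added here (CVE-2016-10272, -10271, -10269, -10268, -10267, -10266) is bare, with no version, no status marker and no `[wheezy]` line, so each CVE now shows tiff3 as unfixed. The `{DSA-3762-1 DLA-795-1}` references on 10272 and 10271 are for source package tiff and do not settle the tiff3 status, so each entry still needs either a fixed version or a `<not-affected>`/no-dsa annotation for wheezy.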
[Secure-testing-commits] r50123 - data/CVE
Author: jmm Date: 2017-03-28 10:39:47 + (Tue, 28 Mar 2017) New Revision: 50123 Modified: data/CVE/list Log: new golang-gopkg-square-go-jose.v1 issue NFUs Modified: data/CVE/list === --- data/CVE/list 2017-03-28 10:08:55 UTC (rev 50122) +++ data/CVE/list 2017-03-28 10:39:47 UTC (rev 50123) @@ -1006,7 +1006,7 @@ CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin (before ...) NOT-FOR-US: MantisBT Source Integration Plugin CVE-2017-6957 (Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC ...) - TODO: check + NOT-FOR-US: Firmware on some Broadcom SoCs CVE-2017-6956 RESERVED CVE-2017-6955 (An issue was discovered in by-email/by-email.php in the Invite Anyone ...) @@ -6150,11 +6150,11 @@ CVE-2017-5240 RESERVED CVE-2017-5239 (Due to a lack of standard encryption when transmitting sensitive ...) - TODO: check + NOT-FOR-US: Eview GPS trackers CVE-2017-5238 (Due to a lack of bounds checking, several input configuration fields ...) - TODO: check + NOT-FOR-US: Eview GPS trackers CVE-2017-5237 (Due to a lack of authentication, an unauthenticated user who knows the ...) - TODO: check + NOT-FOR-US: Eview GPS trackers CVE-2017-5236 RESERVED CVE-2017-5235 (Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 ...) @@ -16117,7 +16117,7 @@ CVE-2017-1154 RESERVED CVE-2017-1153 (IBM TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1152 RESERVED CVE-2017-1151 (IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID ...) @@ -16137,9 +16137,9 @@ CVE-2017-1144 RESERVED CVE-2017-1143 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1142 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1141 RESERVED CVE-2017-1140 
@@ -16183,7 +16183,7 @@ CVE-2017-1121 (IBM WebSphere Application Server 7.0, 8.0, and 9.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1120 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1119 RESERVED CVE-2017-1118 @@ -16663,7 +16663,7 @@ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661 NOTE: https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/ CVE-2017-0881 (An error in the implementation of an autosubscribe feature in the ...) - TODO: check + NOT-FOR-US: Zulip CVE-2016-9754 (The ring_buffer_resize function in kernel/trace/ring_buffer.c in the ...) - linux 4.6.1-1 [jessie] - linux 3.16.39-1 @@ -16704,7 +16704,7 @@ CVE-2016-9738 RESERVED CVE-2016-9737 (IBM TRIRIGA 3.3, 3.4, and 3.5 is vulnerable to cross-site scripting. ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-9736 RESERVED CVE-2016-9735 
@@ -18899,47 +18899,47 @@ CVE-2016-9474 RESERVED CVE-2016-9473 (Brave Browser iOS before 1.2.18 and Brave Browser Android 1.9.56 and ...) - TODO: check + NOT-FOR-US: Brave Browser CVE-2016-9472 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The ...) - TODO: check + NOT-FOR-US: Revive Adserver CVE-2016-9471 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element ...) - TODO: check + NOT-FOR-US: Revive Adserver CVE-2016-9470 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File ...) - TODO: check + NOT-FOR-US: Revive Adserver CVE-2016-9469 (Multiple versions of GitLab expose a dangerous method to any ...) - gitlab 8.13.6+dfsg2-2 (bug #847157) NOTE: https://about.gitlab.com/2016/12/05/cve-2016-9469/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/25064 CVE-2016-9468 (Nextcloud Server before 9.0.54 and 10.0.1 ownCloud Server before ...) - TODO: check + - nextcloud (bug #835086) CVE-2016-9467 (Nextcloud Server before 9.0.54 and 10.0.1 ownCloud Server before ...) - TODO: check + - nextcloud (bug #835086) CVE-2016-9466 (Nextcloud Server before 10.0.1 ownCloud Server before 9.0.6 and ...) - TODO: check + - nextcloud (bug #835086) CVE-2016-9465 (Nextcloud Server before 10.0.1 ownCloud Server before 9.0.6 and 9.1.2 ...) - TODO: check + - nextcloud (bug #835086) CVE-2016-9464 (Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper ...) - TODO: check + - nextcloud (bug #835086) CVE-2016-9463 (Nextcloud Server before 9.0.54 and 10.0.1 ownCloud Server before ...) - TODO: check + - nextcloud (bug #835086) CVE-2016-9462 (Nextcloud Server before 9.0.52 ownCloud Server before
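Review bot: the commit log says "new golang-gopkg-square-go-jose.v1 issue NFUs", but none of the visible hunks touch a go-jose entry; what is shown is `TODO: check` to `NOT-FOR-US` triage of Broadcom, Eview, IBM, Zulip, Brave and Revive Adserver issues plus the Nextcloud CVEs being pointed at `- nextcloud (bug #835086)`. If the go-jose change is in the truncated tail of the diff the log is fine, otherwise the log should describe the triage actually performed. The six nextcloud lines also carry no fixed version, so they remain open entries against a single bug.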
[Secure-testing-commits] r50122 - data/CVE
Author: carnil Date: 2017-03-28 10:08:55 + (Tue, 28 Mar 2017) New Revision: 50122 Modified: data/CVE/list Log: Add CVE-2017-7277/linux Modified: data/CVE/list === --- data/CVE/list 2017-03-28 09:10:12 UTC (rev 50121) +++ data/CVE/list 2017-03-28 10:08:55 UTC (rev 50122) @@ -147,7 +147,7 @@ CVE-2017-7278 RESERVED CVE-2017-7277 (The TCP stack in the Linux kernel through 4.10.6 mishandles the ...) - TODO: check + - linux (Vulnerable code introduced in 4.10-rc1) CVE-2017-7276 RESERVED CVE-2017-7275 (The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
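Review bot: `- linux (Vulnerable code introduced in 4.10-rc1)` is an unfixed entry with a note, which is right for unstable, but the releases are left to inherit that status: if the vulnerable code only appeared in 4.10-rc1, jessie (whose kernel is recorded as 3.16.x in the CVE-2016-9754 entry elsewhere in this batch) is not affected and should get an explicit `[jessie] - linux <not-affected> (Vulnerable code not present)` line, with the same for wheezy. A NOTE with the upstream fix would also let the unstable version be filled in later.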
[Secure-testing-commits] r50121 - data/CVE
Author: sectracker Date: 2017-03-28 09:10:12 + (Tue, 28 Mar 2017) New Revision: 50121 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-03-28 08:52:12 UTC (rev 50120) +++ data/CVE/list 2017-03-28 09:10:12 UTC (rev 50121) 
@@ -1,3 +1,135 @@ +CVE-2017-7286 + RESERVED +CVE-2016-10303 + RESERVED +CVE-2016-10302 + RESERVED +CVE-2016-10301 + RESERVED +CVE-2016-10300 + RESERVED +CVE-2016-10299 + RESERVED +CVE-2016-10298 + RESERVED +CVE-2016-10297 + RESERVED +CVE-2016-10296 + RESERVED +CVE-2016-10295 + RESERVED +CVE-2016-10294 + RESERVED +CVE-2016-10293 + RESERVED +CVE-2016-10292 + RESERVED +CVE-2016-10291 + RESERVED +CVE-2016-10290 + RESERVED +CVE-2016-10289 + RESERVED +CVE-2016-10288 + RESERVED +CVE-2016-10287 + RESERVED +CVE-2016-10286 + RESERVED +CVE-2016-10285 + RESERVED +CVE-2016-10284 + RESERVED +CVE-2016-10283 + RESERVED +CVE-2016-10282 + RESERVED +CVE-2016-10281 + RESERVED +CVE-2016-10280 + RESERVED +CVE-2016-10279 + RESERVED +CVE-2016-10278 + RESERVED +CVE-2016-10277 + RESERVED +CVE-2016-10276 + RESERVED +CVE-2016-10275 + RESERVED +CVE-2016-10274 + RESERVED +CVE-2015-9018 + RESERVED +CVE-2015-9017 + RESERVED +CVE-2015-9016 + RESERVED +CVE-2015-9015 + RESERVED +CVE-2015-9014 + RESERVED +CVE-2015-9013 + RESERVED +CVE-2015-9012 + RESERVED +CVE-2015-9011 + RESERVED +CVE-2015-9010 + RESERVED +CVE-2015-9009 + RESERVED +CVE-2015-9008 + RESERVED +CVE-2015-9007 + RESERVED +CVE-2015-9006 + RESERVED +CVE-2015-9005 + RESERVED +CVE-2015-9004 + RESERVED +CVE-2014-9959 + RESERVED +CVE-2014-9958 + RESERVED +CVE-2014-9957 + RESERVED +CVE-2014-9956 + RESERVED +CVE-2014-9955 + RESERVED +CVE-2014-9954 + RESERVED +CVE-2014-9953 + RESERVED +CVE-2014-9952 + RESERVED +CVE-2014-9951 + RESERVED +CVE-2014-9950 + RESERVED +CVE-2014-9949 + RESERVED +CVE-2014-9948 + RESERVED +CVE-2014-9947 + RESERVED +CVE-2014-9946 + RESERVED +CVE-2014-9945 + RESERVED +CVE-2014-9944 + RESERVED +CVE-2014-9943 + RESERVED +CVE-2014-9942 + RESERVED +CVE-2014-9941 + RESERVED +CVE-2014-9940 + RESERVED CVE-2017-7285 RESERVED CVE-2017-7284 
@@ -14,8 +146,8 @@ RESERVED CVE-2017-7278 RESERVED -CVE-2017-7277 - RESERVED +CVE-2017-7277 (The TCP stack in the Linux kernel through 4.10.6 mishandles the ...) + TODO: check CVE-2017-7276 RESERVED CVE-2017-7275 (The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allows ...) @@ -35,6 +167,7 @@ - linux 4.9.6-1 NOTE: Fixed by: https://git.kernel.org/linus/1ebb71143758f45dc0fa76e2f48429e13b16d110 CVE-2017-7272 (PHP through 7.1.3 enables potential SSRF in applications that accept an ...) + {DLA-875-1} - php7.1 - php7.0 - php5 @@ -851,8 +984,8 @@ [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21137 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493 -CVE-2017-6964 [dmcrypt-get-device does not check the return values of setuid() or setgid()] - RESERVED +CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian and ...) + {DLA-876-1} - eject 2.1.5+deb1+cvs20081104-13.2 (bug #858872) NOTE: https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627 CVE-2017-6963 @@ -6016,12 +6149,12 @@ RESERVED CVE-2017-5240 RESERVED -CVE-2017-5239 - RESERVED -CVE-2017-5238 - RESERVED -CVE-2017-5237 - RESERVED +CVE-2017-5239 (Due to a lack of standard encryption when transmitting sensitive ...) + TODO: check +CVE-2017-5238 (Due to a lack of bounds checking, several input configuration fields ...) + TODO: check +CVE-2017-5237 (Due to a lack of authentication, an unauthenticated user who knows the ...) + TODO: check CVE-2017-5236 RESERVED CVE-2017-5235 (Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 ...) @@ -15983,8 +16116,8 @@ NOT-FOR-US: IBM CVE-2017-1154 RESERVED -CVE-2017-1153 - RESERVED +CVE-2017-1153 (IBM TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability ...) + TODO: check CVE-2017-1152 RESERVED CVE-2017-1151 (IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID ...) 
@@ -16003,10 +16136,10 @@ NOT-FOR-US: IBM CVE-2017-1144 RESERVED -CVE-2017-1143 - RESERVED -CVE-2017-1142 - RESERVED +CVE-2017-1143 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow
[Secure-testing-commits] r50120 - data/CVE
Author: carnil Date: 2017-03-28 08:52:12 + (Tue, 28 Mar 2017) New Revision: 50120 Modified: data/CVE/list Log: correct entry for CVE-2017-5929, it is in logback, #857343 Modified: data/CVE/list === --- data/CVE/list 2017-03-28 08:47:57 UTC (rev 50119) +++ data/CVE/list 2017-03-28 08:52:12 UTC (rev 50120) @@ -3633,7 +3633,8 @@ [wheezy] - postfixadmin (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/6 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting ...) - NOT-FOR-US: QOS.ch Logback + - logback (bug #857343) + NOTE: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web ...) NOT-FOR-US: Design limitation of W3C High Resolution Time API CVE-2017-5927 (Page table walks conducted by the MMU during virtual to physical ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
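Review bot: `- logback (bug #857343)` corrects the NOT-FOR-US but records no fixed version and no jessie or wheezy lines, so after this commit CVE-2017-5929 shows logback as unfixed everywhere with no triage for the stable releases. Add the `[jessie]`/`[wheezy]` status (fixed version, `<no-dsa>` or `<not-affected>` as appropriate) alongside the upstream commit NOTE.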
[Secure-testing-commits] r50119 - in data: . DLA
Author: lamby Date: 2017-03-28 08:47:57 + (Tue, 28 Mar 2017) New Revision: 50119 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-876-1 for eject Modified: data/DLA/list === --- data/DLA/list 2017-03-28 07:25:11 UTC (rev 50118) +++ data/DLA/list 2017-03-28 08:47:57 UTC (rev 50119) @@ -1,3 +1,6 @@ +[28 Mar 2017] DLA-876-1 eject - security update + {CVE-2017-6964} + [wheezy] - eject 2.1.5+deb1+cvs20081104-13+deb7u1 [28 Mar 2017] DLA-875-1 php5 - security update {CVE-2016-7478 CVE-2016-7479 CVE-2017-7272} [wheezy] - php5 5.4.45-0+deb7u8 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 07:25:11 UTC (rev 50118) +++ data/dla-needed.txt 2017-03-28 08:47:57 UTC (rev 50119) @@ -24,8 +24,6 @@ -- chicken -- -eject (Chris Lamb) --- firebird2.5 NOTE: The maintainer has told that he will not work on this update so NOTE: feel free to take this one. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50118 - data
Author: lamby Date: 2017-03-28 07:25:11 + (Tue, 28 Mar 2017) New Revision: 50118 Modified: data/dla-needed.txt Log: Claim eject in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 06:22:02 UTC (rev 50117) +++ data/dla-needed.txt 2017-03-28 07:25:11 UTC (rev 50118) @@ -24,7 +24,7 @@ -- chicken -- -eject +eject (Chris Lamb) -- firebird2.5 NOTE: The maintainer has told that he will not work on this update so ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50117 - data
Author: agx Date: 2017-03-28 06:22:02 + (Tue, 28 Mar 2017) New Revision: 50117 Modified: data/dla-needed.txt Log: lts: add eject Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-28 05:30:57 UTC (rev 50116) +++ data/dla-needed.txt 2017-03-28 06:22:02 UTC (rev 50117) @@ -24,6 +24,8 @@ -- chicken -- +eject +-- firebird2.5 NOTE: The maintainer has told that he will not work on this update so NOTE: feel free to take this one. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits