[Secure-testing-commits] r50399 - data/CVE
Author: carnil Date: 2017-04-06 06:29:25 + (Thu, 06 Apr 2017) New Revision: 50399 Modified: data/CVE/list Log: Update CVE-2017-5951/ghostscript Modified: data/CVE/list === --- data/CVE/list 2017-04-06 06:04:51 UTC (rev 50398) +++ data/CVE/list 2017-04-06 06:29:25 UTC (rev 50399) @@ -4221,9 +4221,8 @@ CVE-2017-5952 RESERVED CVE-2017-5951 (The mem_get_bits_rectangle function in base/gdevmem.c in Artifex ...) - - ghostscript + - ghostscript (bug #859696) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697548 - TODO: check CVE-2017-5950 (The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) ...) - yaml-cpp - yaml-cpp0.3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50398 - data/CVE
Author: carnil Date: 2017-04-06 06:04:51 + (Thu, 06 Apr 2017) New Revision: 50398 Modified: data/CVE/list Log: Update CVE-2016-10220/ghostscript Modified: data/CVE/list === --- data/CVE/list 2017-04-06 04:47:39 UTC (rev 50397) +++ data/CVE/list 2017-04-06 06:04:51 UTC (rev 50398) @@ -4256,10 +4256,9 @@ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697400 TODO: check CVE-2016-10220 (The gs_makewordimagedevice function in base/gsdevmem.c in Artifex ...) - - ghostscript + - ghostscript (bug #859694) NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?daf85701dab05f17e924a48a81edc9195b4a04e8 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697450 - TODO: check CVE-2016-10219 (The intersect function in base/gxfill.c in Artifex Software, Inc. ...) - ghostscript (bug #859666) NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?4bef1a1d32e29b68855616020dbff574b9cda08f ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50397 - data/CVE
Author: carnil Date: 2017-04-06 04:47:39 + (Thu, 06 Apr 2017) New Revision: 50397 Modified: data/CVE/list Log: Process more NFUs Modified: data/CVE/list === --- data/CVE/list 2017-04-06 04:45:28 UTC (rev 50396) +++ data/CVE/list 2017-04-06 04:47:39 UTC (rev 50397) @@ -20895,7 +20895,7 @@ CVE-2016-9092 RESERVED CVE-2016-9091 (Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content ...) - TODO: check + NOT-FOR-US: Blue Coat Advanced Secure Gateway CVE-2016-9090 RESERVED CVE-2016-9089 @@ -30861,7 +30861,7 @@ CVE-2016-6101 RESERVED CVE-2016-6100 (IBM Disposal and Governance Management for IT and IBM Global Retention ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-6099 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 discloses sensitive ...) NOT-FOR-US: IBM CVE-2016-6098 @@ -40545,7 +40545,7 @@ CVE-2016-3032 RESERVED CVE-2016-3031 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3030 RESERVED CVE-2016-3029 (IBM Security Access Manager for Web is vulnerable to cross-site ...) @@ -40577,7 +40577,7 @@ CVE-2016-3016 (IBM Security Access Manager for Web processes patches, image backups ...) NOT-FOR-US: IBM CVE-2016-3015 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-3014 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2016-3013 (IBM WebSphere MQ 8.0 could allow an authenticated user to crash the MQ ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50396 - data/CVE
Author: carnil Date: 2017-04-06 04:45:28 + (Thu, 06 Apr 2017) New Revision: 50396 Modified: data/CVE/list Log: Process nextcloud entries, itp'ed, #835086 Modified: data/CVE/list === --- data/CVE/list 2017-04-06 04:42:04 UTC (rev 50395) +++ data/CVE/list 2017-04-06 04:45:28 UTC (rev 50396) @@ -17249,18 +17249,16 @@ RESERVED CVE-2017-0889 RESERVED -CVE-2017-0888 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a ...) - TODO: check -CVE-2017-0887 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the ...) - TODO: check +CVE-2017-0888 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the ...) + - nextcloud (bug #835086) CVE-2017-0886 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of ...) - TODO: check + - nextcloud (bug #835086) CVE-2017-0885 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message ...) - TODO: check + - nextcloud (bug #835086) CVE-2017-0884 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of ...) - TODO: check + - nextcloud (bug #835086) CVE-2017-0883 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission ...) - TODO: check + - nextcloud (bug #835086) CVE-2017-0882 (Multiple versions of GitLab expose sensitive user credentials when ...) - gitlab 8.13.11+dfsg-7 (bug #858410) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50395 - data/CVE
Author: carnil Date: 2017-04-06 04:42:04 + (Thu, 06 Apr 2017) New Revision: 50395 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-04-06 04:38:48 UTC (rev 50394) +++ data/CVE/list 2017-04-06 04:42:04 UTC (rev 50395) @@ -1399,7 +1399,7 @@ CVE-2017-6976 RESERVED CVE-2017-6975 (Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack ...) - TODO: check + NOT-FOR-US: Applie CVE-2017-6974 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-6973 (A cross-site scripting (XSS) vulnerability in the MantisBT ...) @@ -3191,11 +3191,11 @@ CVE-2017-6341 (Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 ...) NOT-FOR-US: Dahua devices CVE-2017-6340 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2017-6339 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2017-6338 (Multiple Access Control issues in Trend Micro InterScan Web Security ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2017-6337 RESERVED CVE-2017-6336 @@ -1,7 +1,7 @@ CVE-2017-1181 RESERVED CVE-2017-1180 (The IBM TRIRIGA Document Manager contains a vulnerability that could ...) - TODO: check + NOT-FOR-US: IBM TRIRIGA Document Manager CVE-2017-1179 RESERVED CVE-2017-1178 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50394 - data/CVE
Author: carnil Date: 2017-04-06 04:38:48 + (Thu, 06 Apr 2017) New Revision: 50394 Modified: data/CVE/list Log: CVE-2017-7444 NFU Modified: data/CVE/list === --- data/CVE/list 2017-04-06 04:35:59 UTC (rev 50393) +++ data/CVE/list 2017-04-06 04:38:48 UTC (rev 50394) @@ -1,5 +1,5 @@ CVE-2017-7444 (In Veritas System Recovery before 16 SP1, there is a DLL hijacking ...) - TODO: check + NOT-FOR-US: Veritas System Recovery CVE-2017-7442 RESERVED CVE-2017-7441 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50393 - data/CVE
Author: carnil
Date: 2017-04-06 04:35:59 + (Thu, 06 Apr 2017)
New Revision: 50393
Modified:
data/CVE/list
Log:
Update CVE-2014-7913: patch not yet applied
Modified: data/CVE/list
===
--- data/CVE/list 2017-04-06 04:29:13 UTC (rev 50392)
+++ data/CVE/list 2017-04-06 04:35:59 UTC (rev 50393)
@@ -81158,7 +81158,7 @@
RESERVED
CVE-2014-7913 (The print_option function in dhcp-common.c in dhcpcd through
6.9.1, as ...)
{DLA-506-1}
- - dhcpcd5 6.9.1-1 (unimportant; bug #846938)
+ - dhcpcd5 (unimportant; bug #846938)
NOTE:
https://dev.marples.name/rDHC93f3066bb0bc0974eab1943543205312a6b512ad
NOTE: Not exploitable according to upstream, possibly limited to Bionic
CVE-2014-7912 (The get_option function in dhcp.c in dhcpcd before 6.2.0, as
used in ...)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50392 - data/DLA
Author: carnil
Date: 2017-04-06 04:29:13 + (Thu, 06 Apr 2017)
New Revision: 50392
Modified:
data/DLA/list
Log:
apt-cacher CVE ified, add for DLA-873-1
Modified: data/DLA/list
===
--- data/DLA/list 2017-04-06 04:28:50 UTC (rev 50391)
+++ data/DLA/list 2017-04-06 04:29:13 UTC (rev 50392)
@@ -37,6 +37,7 @@
{CVE-2016-9601}
[wheezy] - jbig2dec 0.13-4~deb7u1
[27 Mar 2017] DLA-873-1 apt-cacher - security update
+ {CVE-2017-7443}
[wheezy] - apt-cacher 1.7.6+deb7u1
[27 Mar 2017] DLA-872-1 xrdp - security update
{CVE-2017-6967}
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50391 - data
Author: carnil Date: 2017-04-06 04:28:50 + (Thu, 06 Apr 2017) New Revision: 50391 Modified: data/next-point-update.txt Log: apt-cacher CVEified Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-04-06 04:28:02 UTC (rev 50390) +++ data/next-point-update.txt 2017-04-06 04:28:50 UTC (rev 50391) @@ -96,6 +96,5 @@ [jessie] - wget 1.16-1+deb8u2 CVE-2016-10253 [jessie] - erlang 1:17.3-dfsg-4+deb8u1 -CVE-2017- [HTTP response splitting] +CVE-2017-7443 [HTTP response splitting] [jessie] - apt-cacher 1.7.10+deb8u1 - NOTE: For #858739 (no CVE allocated) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50390 - data/CVE
Author: carnil Date: 2017-04-06 04:28:02 + (Thu, 06 Apr 2017) New Revision: 50390 Modified: data/CVE/list Log: Correct apt-cacher(-ng) CVE Modified: data/CVE/list === --- data/CVE/list 2017-04-05 22:03:30 UTC (rev 50389) +++ data/CVE/list 2017-04-06 04:28:02 UTC (rev 50390) @@ -1,7 +1,5 @@ CVE-2017-7444 (In Veritas System Recovery before 16 SP1, there is a DLL hijacking ...) TODO: check -CVE-2017-7443 (apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP ...) - TODO: check CVE-2017-7442 RESERVED CVE-2017-7441 @@ -26087,15 +26085,13 @@ NOTE: https://github.com/uclouvain/openjpeg/issues/843 NOTE: PoC: https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm NOTE: No code injection, function only exposed in the CLI tool -CVE-2016-7443 [apt-cacher http response splitting] +CVE-2017-7443 [apt-cacher http response splitting] RESERVED - apt-cacher-ng 3-1 (bug #858833) [jessie] - apt-cacher-ng (Minor issue) [wheezy] - apt-cacher-ng (Minor issue) - apt-cacher 1.7.15 (bug #858739) [jessie] - apt-cacher (Minor issue) - [wheezy] - apt-cacher 1.7.6+deb7u1 - NOTE: Workaround entry for DLA-873-1 since no CVE assigned CVE-2016-7442 (The Frontend component in Sophos UTM with firmware 9.405-5 and earlier ...) NOT-FOR-US: Sophos UTM CVE-2016-7441 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50389 - in data: . CVE
Author: bam Date: 2017-04-05 22:03:30 + (Wed, 05 Apr 2017) New Revision: 50389 Modified: data/CVE/list data/dla-needed.txt Log: Claim XBMC and link to my findings Modified: data/CVE/list === --- data/CVE/list 2017-04-05 21:10:14 UTC (rev 50388) +++ data/CVE/list 2017-04-05 22:03:30 UTC (rev 50389) @@ -4113,6 +4113,7 @@ - xbmc NOTE: http://seclists.org/fulldisclosure/2017/Feb/27 NOTE: http://trac.kodi.tv/ticket/17314 + NOTE: https://lists.debian.org/debian-lts/2017/04/msg00025.html CVE-2017-5681 (The RSA-CRT implementation in the Intel QuickAssist Technology (QAT) ...) NOT-FOR-US: Intel QuickAssist Technology (QAT) Engine CVE-2017-6056 (It was discovered that a programming error in the processing of HTTPS ...) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-05 21:10:14 UTC (rev 50388) +++ data/dla-needed.txt 2017-04-05 22:03:30 UTC (rev 50389) @@ -131,9 +131,8 @@ NOTE: See email sent to debian-lts mailing list: NOTE: https://lists.debian.org/debian-lts/2017/03/msg00046.html -- -xbmc - NOTE: under reserve, could not reproduce with 2:12.3+dfsg1-3ubuntu1, which is newer than the Wheezy version - NOTE: no mail to maintainer yet +xbmc (Brian May) + NOTE: Reproduced: https://lists.debian.org/debian-lts/2017/04/msg00025.html -- xen -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50388 - data/CVE
Author: sectracker Date: 2017-04-05 21:10:14 + (Wed, 05 Apr 2017) New Revision: 50388 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-04-05 20:57:30 UTC (rev 50387) +++ data/CVE/list 2017-04-05 21:10:14 UTC (rev 50388) @@ -1,3 +1,15 @@ +CVE-2017-7444 (In Veritas System Recovery before 16 SP1, there is a DLL hijacking ...) + TODO: check +CVE-2017-7443 (apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP ...) + TODO: check +CVE-2017-7442 + RESERVED +CVE-2017-7441 + RESERVED +CVE-2017-7440 + RESERVED +CVE-2017-7439 + RESERVED CVE-2017-7438 RESERVED CVE-2017-7437 @@ -1388,8 +1400,8 @@ RESERVED CVE-2017-6976 RESERVED -CVE-2017-6975 - RESERVED +CVE-2017-6975 (Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack ...) + TODO: check CVE-2017-6974 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-6973 (A cross-site scripting (XSS) vulnerability in the MantisBT ...) @@ -1455,8 +1467,8 @@ NOT-FOR-US: MantisBT Source Integration Plugin CVE-2017-6957 (Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC ...) NOT-FOR-US: Firmware on some Broadcom SoCs -CVE-2017-6956 - RESERVED +CVE-2017-6956 (On the Broadcom Wi-Fi HardMAC SoC with fbt firmware, a stack buffer ...) + TODO: check CVE-2017-6955 (An issue was discovered in by-email/by-email.php in the Invite Anyone ...) NOT-FOR-US: wordpress Anyone plugin CVE-2017-6954 (An issue was discovered in includes/component.php in the BuddyPress ...) @@ -3180,12 +3192,12 @@ NOT-FOR-US: Dahua devices CVE-2017-6341 (Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 ...) NOT-FOR-US: Dahua devices -CVE-2017-6340 - RESERVED -CVE-2017-6339 - RESERVED -CVE-2017-6338 - RESERVED +CVE-2017-6340 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before ...) + TODO: check +CVE-2017-6339 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before ...) + TODO: check +CVE-2017-6338 (Multiple Access Control issues in Trend Micro InterScan Web Security ...) + TODO: check CVE-2017-6337 RESERVED CVE-2017-6336 @@ -16654,8 +1,8 @@ NOT-FOR-US: Oracle Primavera CVE-2017-1181 RESERVED -CVE-2017-1180 - RESERVED +CVE-2017-1180 (The IBM TRIRIGA Document Manager contains a vulnerability that could ...) + TODO: check CVE-2017-1179 RESERVED CVE-2017-1178 @@ -17238,18 +17250,18 @@ RESERVED CVE-2017-0889 RESERVED -CVE-2017-0888 - RESERVED -CVE-2017-0887 - RESERVED -CVE-2017-0886 - RESERVED -CVE-2017-0885 - RESERVED -CVE-2017-0884 - RESERVED -CVE-2017-0883 - RESERVED +CVE-2017-0888 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a ...) + TODO: check +CVE-2017-0887 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the ...) + TODO: check +CVE-2017-0886 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of ...) + TODO: check +CVE-2017-0885 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message ...) + TODO: check +CVE-2017-0884 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of ...) + TODO: check +CVE-2017-0883 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission ...) + TODO: check CVE-2017-0882 (Multiple versions of GitLab expose sensitive user credentials when ...) - gitlab 8.13.11+dfsg-7 (bug #858410) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661 @@ -18755,8 +18767,7 @@ RESERVED CVE-2017-0340 RESERVED -CVE-2017-0339 - RESERVED +CVE-2017-0339 (An elevation of privilege vulnerability in the NVIDIA crypto driver ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0338 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android @@ -18770,27 +18781,21 @@ NOT-FOR-US: NVIDIA driver for Android CVE-2017-0333 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android -CVE-2017-0332 - RESERVED +CVE-2017-0332 (An elevation of privilege vulnerability in the NVIDIA crypto driver ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0331 RESERVED -CVE-2017-0330 - RESERVED +CVE-2017-0330 (An information disclosure vulnerability in the NVIDIA crypto driver ...) NOT-FOR-US: NVIDIA driver for Android -CVE-2017-0329 - RESERVED +CVE-2017-0329 (An elevation of privilege vulnerability in the NVIDIA boot and power ...) NOT-FOR-US: NVIDIA driver for Android -CVE-2017-0328 - RESERVED +CVE-2017-0328 (An
[Secure-testing-commits] r50387 - data
Author: lamby Date: 2017-04-05 20:57:30 + (Wed, 05 Apr 2017) New Revision: 50387 Modified: data/dla-needed.txt Log: Triage ghostscript for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-05 20:51:29 UTC (rev 50386) +++ data/dla-needed.txt 2017-04-05 20:57:30 UTC (rev 50387) @@ -24,6 +24,8 @@ NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is now NOTE: EOL. I have already started to look at ESR 52 to anticipate any problems -- +ghostscript +-- icedove NOTE: maintainer currenlty planx to rename to thunderbird with the next NOTE: upstream version (#851989). Jessie / Wheezy should do the same. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50386 - data/CVE
Author: jmm
Date: 2017-04-05 20:51:29 + (Wed, 05 Apr 2017)
New Revision: 50386
Modified:
data/CVE/list
Log:
horizon n/a
mysql-connector-python n/a
dhcpcd5 two n/a, one non-issue
fix links to dhcpcd patches to point to new git links instead, old ones
inaccessible
Modified: data/CVE/list
===
--- data/CVE/list 2017-04-05 20:48:23 UTC (rev 50385)
+++ data/CVE/list 2017-04-05 20:51:29 UTC (rev 50386)
@@ -91,6 +91,7 @@
NOTE:
https://github.com/collectd/collectd/commit/f6be4f9b49b949b379326c3d7002476e6ce4f211
CVE-2017-7400 (OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and
11.0.0 ...)
- horizon 3:10.0.1-1 (bug #859559)
+ [jessie] - horizon (Vulnerable code not present)
NOTE: https://launchpad.net/bugs/1667086
CVE-2016-10317 (The fill_threshhold_buffer function in base/gxht_thresh.c in
Artifex ...)
- ghostscript
@@ -32279,6 +32280,7 @@
NOT-FOR-US: Oracle
CVE-2016-5598 (Unspecified vulnerability in the MySQL Connector component
2.1.3 and ...)
- mysql-connector-python 2.1.5-1 (bug #841677)
+ [jessie] - mysql-connector-python (Vulnerable code not
present)
[wheezy] - mysql-connector-python (Only the Python 3
code is affected which is not shipped in binary package)
NOTE:
https://blog.qualys.com/laws-of-vulnerabilities/2016/10/18/oracle-october-2016-critical-patch-update
CVE-2016-5597 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111,
8u102; and ...)
@@ -46179,17 +46181,19 @@
NOTE: Introduced in 1.4.36:
http://web.archive.org/web/20150906061055/http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2976
CVE-2016-1503 (dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4,
5.0.x ...)
- dhcpcd5 6.10.1-1 (bug #810621)
+ [jessie] - dhcpcd5 (Vulnerable code not present)
[wheezy] - dhcpcd5 (Vulnerable code not present)
- dhcpcd (Vulnerable code not present)
- NOTE:
http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30
+ NOTE:
https://dev.marples.name/rDHC1475a702df74b120db847991bc011e3441a045b8
NOTE: http://www.openwall.com/lists/oss-security/2016/01/07/3
NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from
dhcpcd5 in later Debian versions.
CVE-2016-1504 (dhcpcd before 6.10.0 allows remote attackers to cause a denial
of ...)
- dhcpcd5 6.10.1-1 (bug #810620)
+ [jessie] - dhcpcd5 (Vulnerable code not present)
[wheezy] - dhcpcd5 (Vulnerable code not present)
- dhcpcd (Vulnerable code not present)
[squeeze] - dhcpcd (Vulnerable code not present)
- NOTE:
http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403
+ NOTE:
https://dev.marples.name/rDHC33c03b26c01201152774ef92e7b773281b8d8443
NOTE: http://www.openwall.com/lists/oss-security/2016/01/07/3
NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from
dhcpcd5 in later Debian versions.
CVE-2016- [Missing normalization]
@@ -81154,14 +81158,13 @@
RESERVED
CVE-2014-7913 (The print_option function in dhcp-common.c in dhcpcd through
6.9.1, as ...)
{DLA-506-1}
- - dhcpcd5 (bug #846938)
- NOTE: Fixed for Android in
https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0%5E!/
- NOTE: Fixed on upstream trunk in
http://roy.marples.name/projects/dhcpcd/ci/528541c4c619520e?sbs=0
+ - dhcpcd5 6.9.1-1 (unimportant; bug #846938)
+ NOTE:
https://dev.marples.name/rDHC93f3066bb0bc0974eab1943543205312a6b512ad
+ NOTE: Not exploitable according to upstream, possibly limited to Bionic
CVE-2014-7912 (The get_option function in dhcp.c in dhcpcd before 6.2.0, as
used in ...)
{DLA-506-1}
- dhcpcd5 6.9.1-1
- NOTE: Fixed for Android in
https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0%5E!/
- NOTE: Fixed on upstream trunk in
http://roy.marples.name/projects/dhcpcd/ci/d71cfd8aa203bffe?sbs=0
+ NOTE:
https://dev.marples.name/rDHCc204b018d1cfe740fb3179532070ae10fe34aaf3
CVE-2014-7911 (luni/src/main/java/java/io/ObjectInputStream.java in the ...)
NOT-FOR-US: Android
CVE-2014-7910 (Multiple unspecified vulnerabilities in Google Chrome before
...)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50385 - data/CVE
Author: jmm Date: 2017-04-05 20:48:23 + (Wed, 05 Apr 2017) New Revision: 50385 Modified: data/CVE/list Log: apt-cacher CVEfied Modified: data/CVE/list === --- data/CVE/list 2017-04-05 18:53:58 UTC (rev 50384) +++ data/CVE/list 2017-04-05 20:48:23 UTC (rev 50385) @@ -621,14 +621,6 @@ NOTE: This CVE is for an incomplete fix of CVE-2016-8698 CVE-2016-10273 (Multiple stack buffer overflow vulnerabilities in Jensen of Scandinavia ...) NOT-FOR-US: Jensen of Scandinavia Air:Link Routers -CVE-2017- [apt-cacher http response splitting] - - apt-cacher-ng 3-1 (bug #858833) - [jessie] - apt-cacher-ng (Minor issue) - [wheezy] - apt-cacher-ng (Minor issue) - - apt-cacher 1.7.15 (bug #858739) - [jessie] - apt-cacher (Minor issue) - [wheezy] - apt-cacher 1.7.6+deb7u1 - NOTE: Workaround entry for DLA-873-1 since no CVE assigned CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 allows ...) NOT-FOR-US: Hardware bug in AMD Ryzen CPUs, cannot be fixed via micro code updates, but only BIOS updates CVE-2017-7261 (The vmw_surface_define_ioctl function in ...) @@ -26088,8 +26080,15 @@ NOTE: https://github.com/uclouvain/openjpeg/issues/843 NOTE: PoC: https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm NOTE: No code injection, function only exposed in the CLI tool -CVE-2016-7443 +CVE-2016-7443 [apt-cacher http response splitting] RESERVED + - apt-cacher-ng 3-1 (bug #858833) + [jessie] - apt-cacher-ng (Minor issue) + [wheezy] - apt-cacher-ng (Minor issue) + - apt-cacher 1.7.15 (bug #858739) + [jessie] - apt-cacher (Minor issue) + [wheezy] - apt-cacher 1.7.6+deb7u1 + NOTE: Workaround entry for DLA-873-1 since no CVE assigned CVE-2016-7442 (The Frontend component in Sophos UTM with firmware 9.405-5 and earlier ...) NOT-FOR-US: Sophos UTM CVE-2016-7441 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50384 - data/CVE
Author: carnil Date: 2017-04-05 18:53:58 + (Wed, 05 Apr 2017) New Revision: 50384 Modified: data/CVE/list Log: Add bug reference for CVE-2016-10219, #859666 Modified: data/CVE/list === --- data/CVE/list 2017-04-05 18:50:23 UTC (rev 50383) +++ data/CVE/list 2017-04-05 18:53:58 UTC (rev 50384) @@ -4257,7 +4257,7 @@ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697450 TODO: check CVE-2016-10219 (The intersect function in base/gxfill.c in Artifex Software, Inc. ...) - - ghostscript + - ghostscript (bug #859666) NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?4bef1a1d32e29b68855616020dbff574b9cda08f NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697453 CVE-2016-10218 (The pdf14_pop_transparency_group function in base/gdevp14.c in the PDF ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50383 - data/CVE
Author: carnil Date: 2017-04-05 18:50:23 + (Wed, 05 Apr 2017) New Revision: 50383 Modified: data/CVE/list Log: Update CVE-2016-10219/ghostscript Modified: data/CVE/list === --- data/CVE/list 2017-04-05 18:40:37 UTC (rev 50382) +++ data/CVE/list 2017-04-05 18:50:23 UTC (rev 50383) @@ -4257,10 +4257,9 @@ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697450 TODO: check CVE-2016-10219 (The intersect function in base/gxfill.c in Artifex Software, Inc. ...) - - ghostscript + - ghostscript NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?4bef1a1d32e29b68855616020dbff574b9cda08f NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697453 - TODO: check CVE-2016-10218 (The pdf14_pop_transparency_group function in base/gdevp14.c in the PDF ...) - ghostscript (Vulnerable code introduced later) NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d621292fb2c8157d9899dcd83fd04dd250e30fe4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50382 - data/CVE
Author: carnil Date: 2017-04-05 18:40:37 + (Wed, 05 Apr 2017) New Revision: 50382 Modified: data/CVE/list Log: Update CVE-2016-10218/ghostscript Modified: data/CVE/list === --- data/CVE/list 2017-04-05 18:27:15 UTC (rev 50381) +++ data/CVE/list 2017-04-05 18:40:37 UTC (rev 50382) @@ -4262,10 +4262,10 @@ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697453 TODO: check CVE-2016-10218 (The pdf14_pop_transparency_group function in base/gdevp14.c in the PDF ...) - - ghostscript - NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d621292fb2c8157d9899dcd83fd04dd250e30fe4 + - ghostscript (Vulnerable code introduced later) + NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d621292fb2c8157d9899dcd83fd04dd250e30fe4 + NOTE: Introduced by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=47294ff5b168d25bfc7db64f51572d64b8ebde91 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697444 - TODO: check CVE-2016-10217 (The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. ...) - ghostscript (bug #859662) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50381 - data/CVE
Author: carnil Date: 2017-04-05 18:27:15 + (Wed, 05 Apr 2017) New Revision: 50381 Modified: data/CVE/list Log: Add bug reference for CVE-2016-10217 Modified: data/CVE/list === --- data/CVE/list 2017-04-05 17:27:26 UTC (rev 50380) +++ data/CVE/list 2017-04-05 18:27:15 UTC (rev 50381) @@ -4267,7 +4267,7 @@ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697444 TODO: check CVE-2016-10217 (The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. ...) - - ghostscript + - ghostscript (bug #859662) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697456 CVE-2016-10216 (An issue was discovered in IT ITems DataBase (ITDB) through 1.23. The ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50380 - data/CVE
Author: carnil Date: 2017-04-05 17:27:26 + (Wed, 05 Apr 2017) New Revision: 50380 Modified: data/CVE/list Log: Triaged CVE-2016-10217/ghostscript Modified: data/CVE/list === --- data/CVE/list 2017-04-05 17:13:06 UTC (rev 50379) +++ data/CVE/list 2017-04-05 17:27:26 UTC (rev 50380) @@ -4267,10 +4267,9 @@ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697444 TODO: check CVE-2016-10217 (The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. ...) - - ghostscript + - ghostscript NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697456 - TODO: check CVE-2016-10216 (An issue was discovered in IT ITems DataBase (ITDB) through 1.23. The ...) NOT-FOR-US: IT ITems DataBase CVE-2016-10215 (An issue was discovered in Fastspot BigTree bigtree-form-builder before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50379 - data/CVE
Author: carnil Date: 2017-04-05 17:13:06 + (Wed, 05 Apr 2017) New Revision: 50379 Modified: data/CVE/list Log: CVE-2016-4491/binutils fixed with 2.28-3 Modified: data/CVE/list === --- data/CVE/list 2017-04-05 17:02:22 UTC (rev 50378) +++ data/CVE/list 2017-04-05 17:13:06 UTC (rev 50379) @@ -36364,7 +36364,7 @@ - ht (low) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - - binutils (low) + - binutils 2.28-3 (low) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) - gdb (low) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50378 - data/CVE
Author: jmm Date: 2017-04-05 17:02:22 + (Wed, 05 Apr 2017) New Revision: 50378 Modified: data/CVE/list Log: binutils fixed Modified: data/CVE/list === --- data/CVE/list 2017-04-05 15:09:03 UTC (rev 50377) +++ data/CVE/list 2017-04-05 17:02:22 UTC (rev 50378) @@ -875,13 +875,13 @@ CVE-2017-7211 RESERVED CVE-2017-7210 (objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based ...) - - binutils (low; bug #858324) + - binutils 2.28-3 (low; bug #858324) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21157 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a2dea0b20bc66a4c287c3c50002b8c3b3e9d953a CVE-2017-7209 (The dump_section_as_bytes function in readelf in GNU Binutils 2.28 ...) - - binutils (low; bug #858323) + - binutils 2.28-3 (low; bug #858323) [jessie] - binutils (Vulnerable code introduced later) [wheezy] - binutils (Vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21135 @@ -1411,7 +1411,7 @@ CVE-2017-6968 RESERVED CVE-2017-6969 (readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer ...) - - binutils (bug #858256) + - binutils 2.28-3 (bug #858256) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21156 @@ -1428,13 +1428,13 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/03/18/1 NOTE: https://github.com/neutrinolabs/xrdp/pull/696/commits/44129acd210c803fc8bbcfaf1b0db05e5bb4034f CVE-2017-6966 (readelf in GNU Binutils 2.28 has a use-after-free (specifically ...) - - binutils (bug #858263) + - binutils 2.28-3 (bug #858263) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21139 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9 CVE-2017-6965 (readelf in GNU Binutils 2.28 writes to illegal addresses while ...) - - binutils (bug #858264) + - binutils 2.28-3 (bug #858264) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21137 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50377 - data/CVE
Author: carnil Date: 2017-04-05 15:09:03 + (Wed, 05 Apr 2017) New Revision: 50377 Modified: data/CVE/list Log: Report bug for CVE-2017-3204, #859655 Modified: data/CVE/list === --- data/CVE/list 2017-04-05 15:04:25 UTC (rev 50376) +++ data/CVE/list 2017-04-05 15:09:03 UTC (rev 50377) @@ -12135,7 +12135,7 @@ CVE-2017-3205 RESERVED CVE-2017-3204 (The Go SSH library (x/crypto/ssh) by default does not verify host ...) - - golang-go.crypto + - golang-go.crypto (bug #859655) NOTE: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991 NOTE: https://github.com/golang/go/issues/19767 CVE-2017-3203 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50376 - data/CVE
Author: carnil Date: 2017-04-05 15:04:25 + (Wed, 05 Apr 2017) New Revision: 50376 Modified: data/CVE/list Log: Update CVE-2017-3204/golang-go.crypto Modified: data/CVE/list === --- data/CVE/list 2017-04-05 13:32:12 UTC (rev 50375) +++ data/CVE/list 2017-04-05 15:04:25 UTC (rev 50376) @@ -12135,7 +12135,9 @@ CVE-2017-3205 RESERVED CVE-2017-3204 (The Go SSH library (x/crypto/ssh) by default does not verify host ...) - TODO: check + - golang-go.crypto + NOTE: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991 + NOTE: https://github.com/golang/go/issues/19767 CVE-2017-3203 RESERVED CVE-2017-3202 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50375 - data/CVE
Author: carnil Date: 2017-04-05 13:32:12 + (Wed, 05 Apr 2017) New Revision: 50375 Modified: data/CVE/list Log: CVE-2017-7400/horizon fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-04-05 12:33:26 UTC (rev 50374) +++ data/CVE/list 2017-04-05 13:32:12 UTC (rev 50375) @@ -90,7 +90,7 @@ NOTE: https://github.com/collectd/collectd/issues/2174 NOTE: https://github.com/collectd/collectd/commit/f6be4f9b49b949b379326c3d7002476e6ce4f211 CVE-2017-7400 (OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 ...) - - horizon (bug #859559) + - horizon 3:10.0.1-1 (bug #859559) NOTE: https://launchpad.net/bugs/1667086 CVE-2016-10317 (The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex ...) - ghostscript ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50374 - data/CVE
Author: carnil Date: 2017-04-05 12:33:26 + (Wed, 05 Apr 2017) New Revision: 50374 Modified: data/CVE/list Log: Add bug reference #859635 for php-horde-crypt Modified: data/CVE/list === --- data/CVE/list 2017-04-05 11:12:53 UTC (rev 50373) +++ data/CVE/list 2017-04-05 12:33:26 UTC (rev 50374) @@ -55,9 +55,9 @@ [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-7414 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition ...) - - php-horde-crypt + - php-horde-crypt (bug #859635) CVE-2017-7413 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition ...) - - php-horde-crypt + - php-horde-crypt (bug #859635) CVE-2017-7412 (NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which ...) NOT-FOR-US: NixOS specific Docker issue CVE-2017-7411 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50373 - data/CVE
Author: jmm Date: 2017-04-05 11:12:53 + (Wed, 05 Apr 2017) New Revision: 50373 Modified: data/CVE/list Log: new php-horde-crypt issues Modified: data/CVE/list === --- data/CVE/list 2017-04-05 09:10:14 UTC (rev 50372) +++ data/CVE/list 2017-04-05 11:12:53 UTC (rev 50373) @@ -55,9 +55,9 @@ [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-7414 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition ...) - TODO: check + - php-horde-crypt CVE-2017-7413 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition ...) - TODO: check + - php-horde-crypt CVE-2017-7412 (NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which ...) NOT-FOR-US: NixOS specific Docker issue CVE-2017-7411 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50372 - data/CVE
Author: sectracker
Date: 2017-04-05 09:10:14 + (Wed, 05 Apr 2017)
New Revision: 50372
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-04-05 08:57:04 UTC (rev 50371)
+++ data/CVE/list 2017-04-05 09:10:14 UTC (rev 50372)
@@ -1,3 +1,43 @@
+CVE-2017-7438
+ RESERVED
+CVE-2017-7437
+ RESERVED
+CVE-2017-7436
+ RESERVED
+CVE-2017-7435
+ RESERVED
+CVE-2017-7434
+ RESERVED
+CVE-2017-7433
+ RESERVED
+CVE-2017-7432
+ RESERVED
+CVE-2017-7431
+ RESERVED
+CVE-2017-7430
+ RESERVED
+CVE-2017-7429
+ RESERVED
+CVE-2017-7428
+ RESERVED
+CVE-2017-7427
+ RESERVED
+CVE-2017-7426
+ RESERVED
+CVE-2017-7425
+ RESERVED
+CVE-2017-7424
+ RESERVED
+CVE-2017-7423
+ RESERVED
+CVE-2017-7422
+ RESERVED
+CVE-2017-7421
+ RESERVED
+CVE-2017-7420
+ RESERVED
+CVE-2017-7419
+ RESERVED
CVE-2017-7418 (ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls
whether the ...)
- proftpd-dfsg (low; bug #859592)
[jessie] - proftpd-dfsg (Minor issue)
@@ -187,8 +227,7 @@
NOT-FOR-US: Pixie CMS
CVE-2017-7359 (Pixie 1.0.4 allows an admin/index.php s=login&m= XSS
attack. ...)
NOT-FOR-US: Pixie CMS
-CVE-2017-7358
- RESERVED
+CVE-2017-7358 (In LightDM through 1.22.0, a directory traversal issue in ...)
- lightdm (Vulnerable code not present)
NOTE: https://launchpad.net/bugs/1677924
NOTE: Specific script debian/guest-account.sh not merged from Ubuntu
@@ -745,10 +784,12 @@
CVE-2017-7235 (An issue was discovered in cloudflare-scrape 1.6.6 through
1.7.1. A ...)
NOT-FOR-US: cloudflare-scrape
CVE-2017-7234 (A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9
before ...)
+ {DLA-885-1}
- python-django 1:1.10.7-1 (bug #859516)
NOTE:
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
NOTE: Fixed by (master):
https://github.com/django/django/commit/a1f948b468b6621083a03b0d53432341b7a4d753
CVE-2017-7233 (Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before
1.8.18 ...)
+ {DLA-885-1}
- python-django 1:1.10.7-1 (bug #859515)
NOTE:
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
NOTE: Fixed by (master):
https://github.com/django/django/commit/5ea48a70afac5e5684b504f09286e7defdd1a81a
@@ -2324,11 +2365,11 @@
RESERVED
CVE-2017-6550 (Multiple SQL injection vulnerabilities in Kinsey Infor-Lawson
...)
NOT-FOR-US: Kinsey Infor-Lawson
-CVE-2017-6549 (Session hijack vulnerability in httpd in ASUS ASUSWRT on
RT-AC53 ...)
+CVE-2017-6549 (Session hijack vulnerability in httpd on ASUS RT-N56U, RT-N66U,
...)
NOT-FOR-US: ASUS
-CVE-2017-6548 (Buffer overflows in networkmap in ASUS ASUSWRT on RT-AC53 ...)
+CVE-2017-6548 (Buffer overflows in networkmap on ASUS RT-N56U, RT-N66U,
RT-AC66U, ...)
NOT-FOR-US: ASUS
-CVE-2017-6547 (Cross-site scripting (XSS) vulnerability in httpd in ASUS
ASUSWRT on ...)
+CVE-2017-6547 (Cross-site scripting (XSS) vulnerability in httpd on ASUS
RT-N56U, ...)
NOT-FOR-US: ASUS
CVE-2017-6546
RESERVED
@@ -13452,8 +13493,7 @@
RESERVED
CVE-2017-2672
RESERVED
-CVE-2017-2671 [Linux kernel ping socket / AF_LLC connect() sin_family race]
- RESERVED
+CVE-2017-2671 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel
...)
- linux
NOTE: http://www.openwall.com/lists/oss-security/2017/03/24/6
CVE-2017-2670
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50371 - in data: . DLA
Author: lamby
Date: 2017-04-05 08:57:04 + (Wed, 05 Apr 2017)
New Revision: 50371
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-885-1 for python-django
Modified: data/DLA/list
===
--- data/DLA/list 2017-04-05 07:58:19 UTC (rev 50370)
+++ data/DLA/list 2017-04-05 08:57:04 UTC (rev 50371)
@@ -1,3 +1,6 @@
+[05 Apr 2017] DLA-885-1 python-django - security update
+ {CVE-2017-7233 CVE-2017-7234}
+ [wheezy] - python-django 1.4.22-1+deb7u3
[04 Apr 2017] DLA-884-1 collectd - security update
{CVE-2017-7401}
[wheezy] - collectd 5.1.0-3+deb7u3
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-05 07:58:19 UTC (rev 50370)
+++ data/dla-needed.txt 2017-04-05 08:57:04 UTC (rev 50371)
@@ -95,8 +95,6 @@
--
putty (Jonas Meurer)
--
-python-django (Chris Lamb)
---
qbittorrent (Thorsten Alteholz)
--
qemu (Guido Günther)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50370 - data
Author: lamby Date: 2017-04-05 07:58:19 + (Wed, 05 Apr 2017) New Revision: 50370 Modified: data/dla-needed.txt Log: Claim python-django in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-05 07:58:17 UTC (rev 50369) +++ data/dla-needed.txt 2017-04-05 07:58:19 UTC (rev 50370) @@ -95,7 +95,7 @@ -- putty (Jonas Meurer) -- -python-django +python-django (Chris Lamb) -- qbittorrent (Thorsten Alteholz) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50368 - data
Author: lamby Date: 2017-04-05 07:58:16 + (Wed, 05 Apr 2017) New Revision: 50368 Modified: data/dla-needed.txt Log: Triage proftpd-dfsg for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-05 07:16:35 UTC (rev 50367) +++ data/dla-needed.txt 2017-04-05 07:58:16 UTC (rev 50368) @@ -91,6 +91,8 @@ NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not NOTE: a bug (see #843861). -- +proftpd-dfsg +-- putty (Jonas Meurer) -- qbittorrent (Thorsten Alteholz) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50369 - data
Author: lamby Date: 2017-04-05 07:58:17 + (Wed, 05 Apr 2017) New Revision: 50369 Modified: data/dla-needed.txt Log: Triage python-django for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-05 07:58:16 UTC (rev 50368) +++ data/dla-needed.txt 2017-04-05 07:58:17 UTC (rev 50369) @@ -95,6 +95,8 @@ -- putty (Jonas Meurer) -- +python-django +-- qbittorrent (Thorsten Alteholz) -- qemu (Guido Günther) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50367 - data/CVE
Author: jmm Date: 2017-04-05 07:16:35 + (Wed, 05 Apr 2017) New Revision: 50367 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-04-05 06:58:06 UTC (rev 50366) +++ data/CVE/list 2017-04-05 07:16:35 UTC (rev 50367) @@ -4841,7 +4841,7 @@ CVE-2017-5684 (The BIOS in Intel Compute Stick systems based on 6th Gen Intel Core ...) NOT-FOR-US: BIOS in Intel NUC systems CVE-2017-5683 (Privilege escalation in IntelHAXM.sys driver in the Intel Hardware ...) - TODO: check + NOT-FOR-US: Intel Hardware Accelerated Execution Manager CVE-2017-5682 (Intel PSET Application Install wrapper of Intel Parallel Studio XE, ...) NOT-FOR-US: Intel PSET CVE-2017-5680 @@ -5132,7 +5132,7 @@ CVE-2017-5643 (Apache Camel's Validation Component is vulnerable against SSRF via ...) NOT-FOR-US: Apache Camel CVE-2017-5642 (During installation of Ambari 2.4.0 through 2.4.2, Ambari Server ...) - TODO: check + NOT-FOR-US: Apache Ambari CVE-2017-5641 RESERVED CVE-2017-5640 @@ -31330,7 +31330,7 @@ CVE-2016-5871 RESERVED CVE-2016-5870 (The msm_ipc_router_close function in net/ipc_router/ipc_router_socket.c ...) - TODO: check + - linux (Qualcomm-specific kernel patch) CVE-2016-5869 RESERVED CVE-2016-5868 @@ -90602,13 +90602,13 @@ CVE-2014-3931 (fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 ...) NOT-FOR-US: Multi-Router Looking Glass CVE-2014-3930 (lg.pl in Cistron-LG 1.01 stores sensitive information under the web ...) - TODO: check + NOT-FOR-US: Cistron-LG CVE-2014-3929 (The default configuration for Cougar-LG stores sensitive information ...) - TODO: check + NOT-FOR-US: Cougar-LG CVE-2014-3928 (Cougar-LG stores sensitive information under the web root with ...) - TODO: check + NOT-FOR-US: Cougar-LG CVE-2014-3927 (mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to ...) - TODO: check + NOT-FOR-US: mrlg4php CVE-2014-3926 (Cross-site scripting (XSS) vulnerability in lg.cgi in Cougar LG 1.9 ...) NOT-FOR-US: Cougar LG CVE-2014-3924 (Multiple cross-site scripting (XSS) vulnerabilities in Webmin before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
