[Secure-testing-commits] r50429 - data/CVE

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 08:01:48 +0000 (Fri, 07 Apr 2017)
New Revision: 50429

Modified:
   data/CVE/list
Log:
new ming issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 06:09:15 UTC (rev 50428)
+++ data/CVE/list   2017-04-07 08:01:48 UTC (rev 50429)
@@ -1,3 +1,7 @@
+CVE-2017-7578 [libming: heap overflow in parser.c]
+   - ming 
+   NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/1
+   NOTE: https://github.com/libming/libming/issues/68
 CVE-2017-7562
RESERVED
 CVE-2017-7561
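Review bot: the new `- ming ` line carries no severity tag, no Debian bug reference and no [jessie]/[wheezy] triage, and the bracketed placeholder says "heap overflow" (singular) although the linked GitHub issue is imported later in this feed (r50431) as "Multiple heap-based buffer overflows in parser.c in libming 0.4.7". The placeholder is overwritten by the automatic update anyway; what the entry still needs is a bug reference and a severity, as the other new entries in this feed get (for example `- backintime  (bug #859815)`).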


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r50430 - data

2017-04-07 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-04-07 08:08:40 +0000 (Fri, 07 Apr 2017)
New Revision: 50430

Modified:
   data/dla-needed.txt
Log:
Update status of ghostscript in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 08:01:48 UTC (rev 50429)
+++ data/dla-needed.txt 2017-04-07 08:08:40 UTC (rev 50430)
@@ -25,8 +25,8 @@
   NOTE: EOL. I have already started to look at ESR 52 to anticipate any 
problems
 --
 ghostscript (Raphaël Hertzog)
-  NOTE: 20170406: Have fixed package for CVE-2016-10219 CVE-2016-10220.
-  NOTE: I'm waiting upstream's fix for CVE-2017-5951.
+  NOTE: 20170407: Have fixed package for CVE-2016-10219 CVE-2016-10220 and 
CVE-2017-5951.
+  NOTE: I'm waiting to see if CVE-2016-10317 should be included as well.
 --
 icedove
   NOTE: maintainer currenlty planx to rename to thunderbird with the next



[Secure-testing-commits] r50431 - data/CVE

2017-04-07 Thread security tracker role
Author: sectracker
Date: 2017-04-07 09:10:12 +0000 (Fri, 07 Apr 2017)
New Revision: 50431

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 08:08:40 UTC (rev 50430)
+++ data/CVE/list   2017-04-07 09:10:12 UTC (rev 50431)
@@ -1,4 +1,43 @@
-CVE-2017-7578 [libming: heap overflow in parser.c]
+CVE-2017-7577 (XiongMai uc-httpd has directory traversal allowing the reading 
of ...)
+   TODO: check
+CVE-2017-7576 (DragonWave Horizon 1.01.03 wireless radios have hardcoded login 
...)
+   TODO: check
+CVE-2017-7575 (Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow 
remote ...)
+   TODO: check
+CVE-2017-7574 (Schneider Electric SoMachine Basic 1.4 SP1 and Schneider 
Electric ...)
+   TODO: check
+CVE-2017-7573
+   RESERVED
+CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back 
In Time ...)
+   TODO: check
+CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact 
is ...)
+   TODO: check
+CVE-2017-7570 (PivotX 2.3.11 allows remote authenticated Advanced users to 
execute ...)
+   TODO: check
+CVE-2017-7569 (In vBulletin before 5.3.0, remote attackers can bypass the ...)
+   TODO: check
+CVE-2017-7568
+   RESERVED
+CVE-2017-7567
+   RESERVED
+CVE-2017-7566 (MyBB before 1.8.11 allows remote attackers to bypass an SSRF 
protection ...)
+   TODO: check
+CVE-2017-7565 (Splunk Hadoop Connect App has a path traversal vulnerability 
that ...)
+   TODO: check
+CVE-2017-7564
+   RESERVED
+CVE-2017-7563
+   RESERVED
+CVE-2016-10320 (textract before 1.5.0 allows OS Command Injection attacks via 
a ...)
+   TODO: check
+CVE-2016-10319 (In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware 
update SMC ...)
+   TODO: check
+CVE-2016-1000307 (Multiple Cross Site Scripting (XSS) Vulnerabilities in 
ClipBucket ...)
+   TODO: check
+CVE-2016-1000306
+   REJECTED
+   TODO: check
+CVE-2017-7578 (Multiple heap-based buffer overflows in parser.c in libming 
0.4.7 allow ...)
- ming 
NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/1
NOTE: https://github.com/libming/libming/issues/68
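Review bot: CVE-2016-1000306 is imported as REJECTED but still gets a `TODO: check` line; a rejected identifier needs no triage, so the TODO should not be generated for it (the hand edit in r50432 below removes it again). The importer could skip the TODO whenever the status line is REJECTED, which would save that round trip on every future import.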
@@ -388,7 +427,7 @@
RESERVED
 CVE-2017-7398 (D-Link DIR-615 HW: T1 FW:20.09 is vulnerable to Cross-Site 
Request ...)
NOT-FOR-US: D-Link
-CVE-2017-7397 (BackBox Linux 4.6 allows remote attackers to cause a denial of 
service ...)
+CVE-2017-7397 (** DISPUTED ** BackBox Linux 4.6 allows remote attackers to 
cause a ...)
NOT-FOR-US: BackBox OS specific CVE assignment
 CVE-2017-7396 (In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), 
an ...)
- tigervnc  (bug #859259)
@@ -1012,8 +1051,8 @@
- ninka  (bug #631415)
 CVE-2017-7238
RESERVED
-CVE-2017-7237
-   RESERVED
+CVE-2017-7237 (The Spiceworks TFTP Server, as distributed with Spiceworks 
Inventory ...)
+   TODO: check
 CVE-2017-7236
RESERVED
 CVE-2016-10265
@@ -1191,8 +1230,8 @@
RESERVED
 CVE-2017-7193
RESERVED
-CVE-2017-7192
-   RESERVED
+CVE-2017-7192 (WebSocket.swift in Starscream before 2.0.4 allows an SSL 
Pinning bypass ...)
+   TODO: check
 CVE-2017-7190
RESERVED
 CVE-2017-7189
@@ -1663,8 +1702,8 @@
NOT-FOR-US: AlienVault
 CVE-2017-6970 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 
allow ...)
NOT-FOR-US: AlienVault
-CVE-2017-6968
-   RESERVED
+CVE-2017-6968 (GMV Checker ATM Security prior to 5.0.18 allows remote 
authenticated ...)
+   TODO: check
 CVE-2017-6969 (readelf in GNU Binutils 2.28 is vulnerable to a heap-based 
buffer ...)
- binutils 2.28-3 (bug #858256)
[jessie] - binutils  (Minor issue)
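Review bot: CVE-2017-6968 is inserted between CVE-2017-6970 and CVE-2017-6969, which breaks the descending numeric order the rest of the file keeps; it belongs after CVE-2017-6969. Minor, but an out-of-order entry is easy to miss when scanning by identifier.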
@@ -1869,8 +1908,8 @@
- iortcw 1.50a+dfsg1-3 (bug #857714)
NOTE: 
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
NOTE: Also affects openjk (only in experimental; bug #857715)
-CVE-2017-6884
-   RESERVED
+CVE-2017-6884 (A command injection vulnerability was discovered on the Zyxel 
EMG2926 ...)
+   TODO: check
 CVE-2017-6883 (The ConvertToPDF plugin in Foxit Reader before 8.2.1 and 
PhantomPDF ...)
NOT-FOR-US: Foxit
 CVE-2017-6882
@@ -3987,8 +4026,8 @@
RESERVED
 CVE-2017-6131
RESERVED
-CVE-2017-6130
-   RESERVED
+CVE-2017-6130 (F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is 
...)
+   TODO: check
 CVE-2017-6129
RESERVED
 CVE-2017-6128
@@ -4694,8 +4733,8 @@
RESERVED
 CVE-2017-5888
RESERVED
-CVE-2017-5887
-   RESERVED
+CVE-2017-5887 (WebSocket.swift in Starscream before 2.0.4 allows an SSL 
Pinning bypass ...)
+   TODO: check
 CVE-2017-5885 (Multiple integer overflows in the (1) 
vnc_connection_server_message ...)
{DLA-831-1}
- gtk-vnc 0.6.0-3 (bug #854450)
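Review bot: the description imported here for CVE-2017-5887 ("WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypass ...") is word for word the one imported for CVE-2017-7192 in the `@@ -1191` hunk above. Either one of the two is a duplicate assignment or they cover different bugs in the same file and the truncated text hides the difference; a NOTE cross-referencing the two would keep them from being dispositioned separately.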
@@ -7899,8 +7938,8 @@
 

[Secure-testing-commits] r50432 - data/CVE

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 09:49:16 +0000 (Fri, 07 Apr 2017)
New Revision: 50432

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 09:10:12 UTC (rev 50431)
+++ data/CVE/list   2017-04-07 09:49:16 UTC (rev 50432)
@@ -1,11 +1,11 @@
 CVE-2017-7577 (XiongMai uc-httpd has directory traversal allowing the reading 
of ...)
-   TODO: check
+   NOT-FOR-US: XiongMai uc-httpd
 CVE-2017-7576 (DragonWave Horizon 1.01.03 wireless radios have hardcoded login 
...)
-   TODO: check
+   NOT-FOR-US: DragonWave Horizon
 CVE-2017-7575 (Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow 
remote ...)
-   TODO: check
+   NOT-FOR-US: Schneider
 CVE-2017-7574 (Schneider Electric SoMachine Basic 1.4 SP1 and Schneider 
Electric ...)
-   TODO: check
+   NOT-FOR-US: Schneider
 CVE-2017-7573
RESERVED
 CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back 
In Time ...)
@@ -15,15 +15,15 @@
 CVE-2017-7570 (PivotX 2.3.11 allows remote authenticated Advanced users to 
execute ...)
TODO: check
 CVE-2017-7569 (In vBulletin before 5.3.0, remote attackers can bypass the ...)
-   TODO: check
+   NOT-FOR-US: vBulletin
 CVE-2017-7568
RESERVED
 CVE-2017-7567
RESERVED
 CVE-2017-7566 (MyBB before 1.8.11 allows remote attackers to bypass an SSRF 
protection ...)
-   TODO: check
+   NOT-FOR-US: MyBB
 CVE-2017-7565 (Splunk Hadoop Connect App has a path traversal vulnerability 
that ...)
-   TODO: check
+   NOT-FOR-US: Splunk Hadoop Connect App
 CVE-2017-7564
RESERVED
 CVE-2017-7563
@@ -36,7 +36,6 @@
TODO: check
 CVE-2016-1000306
REJECTED
-   TODO: check
 CVE-2017-7578 (Multiple heap-based buffer overflows in parser.c in libming 
0.4.7 allow ...)
- ming 
NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/1




[Secure-testing-commits] r50433 - data/CVE

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 09:51:54 +0000 (Fri, 07 Apr 2017)
New Revision: 50433

Modified:
   data/CVE/list
Log:
new backintime issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 09:49:16 UTC (rev 50432)
+++ data/CVE/list   2017-04-07 09:51:54 UTC (rev 50433)
@@ -9,7 +9,8 @@
 CVE-2017-7573
RESERVED
 CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back 
In Time ...)
-   TODO: check
+   - backintime 
+   NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/2
 CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact 
is ...)
TODO: check
 CVE-2017-7570 (PivotX 2.3.11 allows remote authenticated Advanced users to 
execute ...)
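Review bot: the backintime entry is added with only the oss-security link and no severity, bug reference or [jessie]/[wheezy] line. Later commits in this feed supply the Debian bug (#859815), the `[jessie] - backintime  (Minor issue)` triage and the upstream fix commit, so nothing is lost, but adding at least the bug reference together with the package line avoids a window in which the tracker shows an open issue with no pointer to a fix.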




[Secure-testing-commits] r50434 - data/CVE

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 09:57:33 +0000 (Fri, 07 Apr 2017)
New Revision: 50434

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 09:51:54 UTC (rev 50433)
+++ data/CVE/list   2017-04-07 09:57:33 UTC (rev 50434)
@@ -12,9 +12,9 @@
- backintime 
NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/2
 CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact 
is ...)
-   TODO: check
+   NOT-FOR-US: Faveo
 CVE-2017-7570 (PivotX 2.3.11 allows remote authenticated Advanced users to 
execute ...)
-   TODO: check
+   NOT-FOR-US: PivotX
 CVE-2017-7569 (In vBulletin before 5.3.0, remote attackers can bypass the ...)
NOT-FOR-US: vBulletin
 CVE-2017-7568
@@ -30,11 +30,11 @@
 CVE-2017-7563
RESERVED
 CVE-2016-10320 (textract before 1.5.0 allows OS Command Injection attacks via 
a ...)
-   TODO: check
+   NOT-FOR-US: textract
 CVE-2016-10319 (In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware 
update SMC ...)
-   TODO: check
+   NOT-FOR-US: ARM
 CVE-2016-1000307 (Multiple Cross Site Scripting (XSS) Vulnerabilities in 
ClipBucket ...)
-   TODO: check
+   NOT-FOR-US: ClipBucker
 CVE-2016-1000306
REJECTED
 CVE-2017-7578 (Multiple heap-based buffer overflows in parser.c in libming 
0.4.7 allow ...)
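Review bot: `NOT-FOR-US: ClipBucker` is a typo; the CVE-2016-1000307 description names ClipBucket, and the NOT-FOR-US rationale is what people grep for, so it should read `NOT-FOR-US: ClipBucket`. `NOT-FOR-US: ARM` for CVE-2016-10319 would also be clearer as `NOT-FOR-US: ARM Trusted Firmware`, naming the product the way the other entries in this hunk do rather than the vendor.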
@@ -1052,7 +1052,7 @@
 CVE-2017-7238
RESERVED
 CVE-2017-7237 (The Spiceworks TFTP Server, as distributed with Spiceworks 
Inventory ...)
-   TODO: check
+   NOT-FOR-US: Spiceworks
 CVE-2017-7236
RESERVED
 CVE-2016-10265
@@ -1231,7 +1231,7 @@
 CVE-2017-7193
RESERVED
 CVE-2017-7192 (WebSocket.swift in Starscream before 2.0.4 allows an SSL 
Pinning bypass ...)
-   TODO: check
+   NOT-FOR-US: Starscream
 CVE-2017-7190
RESERVED
 CVE-2017-7189
@@ -1703,7 +1703,7 @@
 CVE-2017-6970 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 
allow ...)
NOT-FOR-US: AlienVault
 CVE-2017-6968 (GMV Checker ATM Security prior to 5.0.18 allows remote 
authenticated ...)
-   TODO: check
+   NOT-FOR-US: GMV Checker ATM Security
 CVE-2017-6969 (readelf in GNU Binutils 2.28 is vulnerable to a heap-based 
buffer ...)
- binutils 2.28-3 (bug #858256)
[jessie] - binutils  (Minor issue)
@@ -1909,7 +1909,7 @@
NOTE: 
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
NOTE: Also affects openjk (only in experimental; bug #857715)
 CVE-2017-6884 (A command injection vulnerability was discovered on the Zyxel 
EMG2926 ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2017-6883 (The ConvertToPDF plugin in Foxit Reader before 8.2.1 and 
PhantomPDF ...)
NOT-FOR-US: Foxit
 CVE-2017-6882
@@ -4027,7 +4027,7 @@
 CVE-2017-6131
RESERVED
 CVE-2017-6130 (F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is 
...)
-   TODO: check
+   NOT-FOR-US: F5
 CVE-2017-6129
RESERVED
 CVE-2017-6128
@@ -4734,7 +4734,7 @@
 CVE-2017-5888
RESERVED
 CVE-2017-5887 (WebSocket.swift in Starscream before 2.0.4 allows an SSL 
Pinning bypass ...)
-   TODO: check
+   NOT-FOR-US: Starscream
 CVE-2017-5885 (Multiple integer overflows in the (1) 
vnc_connection_server_message ...)
{DLA-831-1}
- gtk-vnc 0.6.0-3 (bug #854450)
@@ -7939,7 +7939,7 @@
 CVE-2017-4965
RESERVED
 CVE-2017-4964 (Cloud Foundry Foundation BOSH Azure CPI v22 could potentially 
allow a ...)
-   TODO: check
+   NOT-FOR-US: Cloud Foundry
 CVE-2017-4963
RESERVED
 CVE-2017-4962
@@ -10337,11 +10337,11 @@
 CVE-2017-3835 (A vulnerability in the sponsor portal of Cisco Identity 
Services Engine ...)
NOT-FOR-US: Cisco
 CVE-2017-3834 (A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 
1850 ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3833 (A vulnerability in the web framework of Cisco Unified 
Communications ...)
NOT-FOR-US: Cisco
 CVE-2017-3832 (A vulnerability in the web management interface of Cisco 
Wireless LAN ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3831 (A vulnerability in the web-based GUI of Cisco Mobility Express 
1800 ...)
NOT-FOR-US: Cisco
 CVE-2017-3830 (A vulnerability in an internal API of the Cisco Meeting Server 
(CMS) ...)
@@ -13790,7 +13790,7 @@
 CVE-2017-2676
RESERVED
 CVE-2017-2675 (Little Snitch version 3.0 through 3.7.3 suffer from a local 
privilege ...)
-   TODO: check
+   NOT-FOR-US: Little Snitch
 CVE-2017-2674
RESERVED
NOT-FOR-US: Red Hat business central
@@ -20796,7 +20796,7 @@
 CVE-2016-9259 (Cross-site scripting (XSS) vulnerability in Tenable Nessus 
before ...)
NOT-FOR-US: Nessus
 CVE-2017-0305 (F5 SSL Intercept iApp version 1.5.0 - 1.5.7 is vulnerable to an 
...)
-   TODO: check
+   NOT-FOR-US: F5
 CVE-2017-0304
   

[Secure-testing-commits] r50435 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-07 13:21:34 +0000 (Fri, 07 Apr 2017)
New Revision: 50435

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2015-9019/libxslt issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 09:57:33 UTC (rev 50434)
+++ data/CVE/list   2017-04-07 13:21:34 UTC (rev 50435)
@@ -285,7 +285,7 @@
 CVE-2016-7443
RESERVED
 CVE-2015-9019 (In libxslt 1.1.29 and earlier, the EXSLT math.random function 
was not ...)
-   - libxslt  (low)
+   - libxslt  (low; bug #859796)
[jessie] - libxslt  (Minor issue)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758400
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=934119




[Secure-testing-commits] r50436 - data/CVE

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 15:36:18 +0000 (Fri, 07 Apr 2017)
New Revision: 50436

Modified:
   data/CVE/list
Log:
yaml-cpp, cakephp, backintime no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 13:21:34 UTC (rev 50435)
+++ data/CVE/list   2017-04-07 15:36:18 UTC (rev 50436)
@@ -10,6 +10,7 @@
RESERVED
 CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back 
In Time ...)
- backintime 
+   [jessie] - backintime  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/2
 CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact 
is ...)
NOT-FOR-US: Faveo
@@ -4519,8 +4520,10 @@
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697548
NOTE: Fixed by: 
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8
 CVE-2017-5950 (The SingleDocParser::HandleNode function in yaml-cpp (aka 
LibYaml-C++) ...)
-   - yaml-cpp 
-   - yaml-cpp0.3 
+   - yaml-cpp  (low)
+   [jessie] - yaml-cpp  (Minor issue)
+   - yaml-cpp0.3  (low)
+   [jessie] - yaml-cpp0.3  (Minor issue)
NOTE: https://github.com/jbeder/yaml-cpp/issues/459
 CVE-2017-5949 (JavaScriptCore in WebKit, as distributed in Safari Technology 
Preview ...)
- webkitgtk  (unimportant)
@@ -35977,6 +35980,7 @@
 CVE-2016-4793 (The clientIp function in CakePHP 3.2.4 and earlier allows 
remote ...)
{DLA-835-1}
- cakephp 2.8.3-1
+   [jessie] - cakephp  (Minor issue)
NOTE: 
http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
NOTE: 
https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
NOTE: Fixed by 
https://github.com/cakephp/cakephp/commit/48af49ddde16c8b99edb701f1c31283455b2b0b6




[Secure-testing-commits] r50437 - data/CVE

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 16:21:15 +0000 (Fri, 07 Apr 2017)
New Revision: 50437

Modified:
   data/CVE/list
Log:
chromium fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 15:36:18 UTC (rev 50436)
+++ data/CVE/list   2017-04-07 16:21:15 UTC (rev 50437)
@@ -7564,27 +7564,27 @@
RESERVED
 CVE-2017-5056
RESERVED
-   - chromium-browser 
+   - chromium-browser 57.0.2987.133-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5055
RESERVED
-   - chromium-browser 
+   - chromium-browser 57.0.2987.133-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5054
RESERVED
-   - chromium-browser 
+   - chromium-browser 57.0.2987.133-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
- libv8  (unimportant)
NOTE: libv8 not covered by security support
 CVE-2017-5053
RESERVED
-   - chromium-browser 
+   - chromium-browser 57.0.2987.133-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
- libv8  (unimportant)
NOTE: libv8 not covered by security support
 CVE-2017-5052
RESERVED
-   - chromium-browser 
+   - chromium-browser 57.0.2987.133-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5051
RESERVED




[Secure-testing-commits] r50438 - data/CVE

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 16:31:43 +0000 (Fri, 07 Apr 2017)
New Revision: 50438

Modified:
   data/CVE/list
Log:
webkit fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 16:21:15 UTC (rev 50437)
+++ data/CVE/list   2017-04-07 16:31:43 UTC (rev 50438)
@@ -14355,7 +14355,7 @@
 CVE-2017-2482 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Apple involving Kernel component
 CVE-2017-2481 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2480 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, 
the Chrome sec team will know and fix
@@ -14367,10 +14367,10 @@
- libxslt 
NOTE: contacted Apple for more information, but no reply for quite a 
while
 CVE-2017-2476 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2475 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2474 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Apple involving Kernel component
@@ -14379,24 +14379,24 @@
 CVE-2017-2472 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Apple involving Kernel component
 CVE-2017-2471 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2470 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2469 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
- webkit2gtk  (unimportant)
NOTE: Not covered by security support
 CVE-2017-2468 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2467 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Apple involving ImageIO component
 CVE-2017-2466 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2465 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2464 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
- webkit2gtk  (unimportant)
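Review bot: CVE-2017-2469 and CVE-2017-2464 in this hunk keep `- webkit2gtk  (unimportant)` with no fixed version while every neighbouring webkit2gtk entry is updated to 2.14.6-1. If those two are also fixed in 2.14.6-1 they were missed here; if they are not, a NOTE saying why they are excluded would stop the next person from "fixing" the inconsistency blindly.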
@@ -14408,10 +14408,10 @@
 CVE-2017-2461 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Apple involving CoreText component
 CVE-2017-2460 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2459 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2458 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Apple
@@ -14500,7 +14500,7 @@
 CVE-2017-2420 (An issue was discovered in certain Apple products. macOS before 
...)
NOT-FOR-US: Apple
 CVE-2017-2419 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2418 (An issue was discovered in certain Apple products. macOS before 
...)
NOT-FOR-US: Apple
@@ -14509,7 +14509,7 @@
 CVE-2017-2416 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
NOT-FOR-US: Apple
 CVE-2017-2415 (An issue was discovered in certain Apple products. iOS before 
10.3 is ...)
-   - webkit2gtk  (unimportant)
+   - webkit2gtk 2.14.6-1 (unimportant)
NOTE: Not covered by security support
 CVE-2017-2414 (An issue was discovered in certain Apple products. iOS before 
10.3 is ..

[Secure-testing-commits] r50439 - in data: . DLA

2017-04-07 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-04-07 16:34:45 +0000 (Fri, 07 Apr 2017)
New Revision: 50439

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-886-1 for tzdata

Modified: data/DLA/list
===
--- data/DLA/list   2017-04-07 16:31:43 UTC (rev 50438)
+++ data/DLA/list   2017-04-07 16:34:45 UTC (rev 50439)
@@ -1,3 +1,5 @@
+[07 Apr 2017] DLA-886-1 tzdata - new upstream version
+   [wheezy] - tzdata 2017b-0+deb7u1
 [05 Apr 2017] DLA-885-1 python-django - security update
{CVE-2017-7233 CVE-2017-7234}
[wheezy] - python-django 1.4.22-1+deb7u3

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 16:31:43 UTC (rev 50438)
+++ data/dla-needed.txt 2017-04-07 16:34:45 UTC (rev 50439)
@@ -122,8 +122,6 @@
   NOTE: from my point of view backporting the introduction of these new 
members to this old
   NOTE: version is way to invasive and such this should be marked as 
 --
-tzdata (Emilio Pozuelo)
---
 wavpack
   NOTE: issue is no-dsa in jessie but code is similar so uploading to s-p-u 
might make sense
   NOTE: to not diverge between Jessie and Wheezy




[Secure-testing-commits] r50440 - in data: . DLA

2017-04-07 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-04-07 16:35:20 +0000 (Fri, 07 Apr 2017)
New Revision: 50440

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-887-1 for libdatetime-timezone-perl

Modified: data/DLA/list
===
--- data/DLA/list   2017-04-07 16:34:45 UTC (rev 50439)
+++ data/DLA/list   2017-04-07 16:35:20 UTC (rev 50440)
@@ -1,3 +1,5 @@
+[07 Apr 2017] DLA-887-1 libdatetime-timezone-perl - new upstream version
+   [wheezy] - libdatetime-timezone-perl 1:1.58-1+2017b
 [07 Apr 2017] DLA-886-1 tzdata - new upstream version
[wheezy] - tzdata 2017b-0+deb7u1
 [05 Apr 2017] DLA-885-1 python-django - security update

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 16:34:45 UTC (rev 50439)
+++ data/dla-needed.txt 2017-04-07 16:35:20 UTC (rev 50440)
@@ -40,8 +40,6 @@
   NOTE: Upstream should provide new point-releases fixing open security issues 
in the next months.
   NOTE: Lots of CVEs are open, this is going to take some time. (See 
debian-lts ML)
 --
-libdatetime-timezone-perl (Emilio Pozuelo)
---
 libical (Jonas Meurer)
   NOTE: No known solution as of 2017-01-16.
   NOTE: Pinged on 2017-02-06 
https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby)




[Secure-testing-commits] r50441 - data

2017-04-07 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-04-07 17:01:43 +0000 (Fri, 07 Apr 2017)
New Revision: 50441

Modified:
   data/dla-needed.txt
Log:
dla: claim libxslt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 16:35:20 UTC (rev 50440)
+++ data/dla-needed.txt 2017-04-07 17:01:43 UTC (rev 50441)
@@ -64,7 +64,7 @@
   NOTE: 2016-12-13: Upstream ping here: 
https://rt.cpan.org/Public/Bug/Display.html?id=118097#txn-1690223
   NOTE: 2017-01-20 and 2017-03-09: Ping upstream by private email -- Raphael 
Hertzog
 --
-libxslt
+libxslt (Emilio Pozuelo)
 --
 linux
 --




[Secure-testing-commits] r50442 - data

2017-04-07 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-04-07 17:14:31 +0000 (Fri, 07 Apr 2017)
New Revision: 50442

Modified:
   data/dla-needed.txt
Log:
add notes on libxslt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 17:01:43 UTC (rev 50441)
+++ data/dla-needed.txt 2017-04-07 17:14:31 UTC (rev 50442)
@@ -65,6 +65,9 @@
   NOTE: 2017-01-20 and 2017-03-09: Ping upstream by private email -- Raphael 
Hertzog
 --
 libxslt (Emilio Pozuelo)
+  NOTE: it's not clear whether libxslt (the library) should call srand() 
itself.
+  NOTE: xsltproc 1.1.29 has a --seed-rand option, but that's not present in 
wheezy,
+  NOTE: and it doesn't help for other libxslt users (e.g. php as seen on the 
SuSE bug).
 --
 linux
 --
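Review bot: the new NOTE refers to "the SuSE bug" without a URL; the CVE-2015-9019 entry updated in r50435 above carries https://bugzilla.suse.com/show_bug.cgi?id=934119 and https://bugzilla.gnome.org/show_bug.cgi?id=758400, so citing them here keeps dla-needed.txt self-contained for whoever picks up the wheezy update. Recording the open question (whether the library should call srand() itself, given that xsltproc's --seed-rand does not help other embedders such as php) is the right thing to do; a line on which option is being leaned towards would make the eventual decision reproducible.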




[Secure-testing-commits] r50443 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-07 18:09:39 +0000 (Fri, 07 Apr 2017)
New Revision: 50443

Modified:
   data/CVE/list
Log:
Add bug reference for yara issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 17:14:31 UTC (rev 50442)
+++ data/CVE/list   2017-04-07 18:09:39 UTC (rev 50443)
@@ -4636,10 +4636,10 @@
 CVE-2017-5925 (Page table walks conducted by the MMU during virtual to 
physical ...)
NOT-FOR-US: Hardware issue in some Intel CPUs
 CVE-2017-5924 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to 
cause a ...)
-   - yara 
+   - yara  (bug #859821)
[jessie] - yara  (Minor issue)
 CVE-2017-5923 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to 
cause a ...)
-   - yara 
+   - yara  (bug #859821)
[jessie] - yara  (Minor issue)
 CVE-2017-5922
RESERVED
@@ -4648,10 +4648,10 @@
 CVE-2017-5920
RESERVED
 CVE-2016-10211 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to 
cause a ...)
-   - yara 
+   - yara  (bug #859821)
[jessie] - yara  (Minor issue)
 CVE-2016-10210 (libyara/lexer.l in YARA 3.5.0 allows remote attackers to cause 
a denial ...)
-   - yara 
+   - yara  (bug #859821)
[jessie] - yara  (Minor issue)
 CVE-2016-10209 (The archive_wstring_append_from_mbs function in 
archive_string.c in ...)
- libarchive  (bug #859456)




[Secure-testing-commits] r50444 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-07 18:51:07 +0000 (Fri, 07 Apr 2017)
New Revision: 50444

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-7572/backintime

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 18:09:39 UTC (rev 50443)
+++ data/CVE/list   2017-04-07 18:51:07 UTC (rev 50444)
@@ -9,9 +9,10 @@
 CVE-2017-7573
RESERVED
 CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back 
In Time ...)
-   - backintime 
+   - backintime  (bug #859815)
[jessie] - backintime  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/2
+   NOTE: 
https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b593a48cd1869
 CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact 
is ...)
NOT-FOR-US: Faveo
 CVE-2017-7570 (PivotX 2.3.11 allows remote authenticated Advanced users to 
execute ...)




[Secure-testing-commits] r50445 - data/CVE

2017-04-07 Thread Mattia Rizzolo
Author: mattia
Date: 2017-04-07 19:03:31 +0000 (Fri, 07 Apr 2017)
New Revision: 50445

Modified:
   data/CVE/list
Log:
Add 3 upstream commits for libpodofo issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 18:51:07 UTC (rev 50444)
+++ data/CVE/list   2017-04-07 19:03:31 UTC (rev 50445)
@@ -4832,6 +4832,7 @@
[jessie] - libpodofo  (Minor issue)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp
NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/1623824.EtgW9yDooZ%40blackgate/#msg35644693
+   NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1837
 CVE-2017-5877 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated 
attack ...)
NOT-FOR-US: dotCMS
 CVE-2017-5876 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated 
attack ...)
@@ -5378,6 +5379,7 @@
[wheezy] - libpodofo  (Minor issue)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
+   NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1836
 CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows 
remote ...)
- libpodofo  (bug #854601)
[jessie] - libpodofo  (Minor issue)
@@ -5391,6 +5393,7 @@
[wheezy] - libpodofo  (Minor issue)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp
NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
+   NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1835
 CVE-2017-5849 (tiffttopnm in netpbm 10.47.63 does not properly use the libtiff 
...)
- netpbm-free  (vulnerable code not present)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/02/2
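Review bot: the upstream revision reference (r1835 here, r1836 and r1837 in the two hunks above) is useful, but none of the three libpodofo entries gets a fixed version on its package line, and the visible CVE-2017-5853 context still reads `- libpodofo  (bug #854601)`, so the tracker will keep reporting these as open in unstable; once a PoDoFo release or Debian upload contains these revisions, record that version next to the bug reference rather than only in a NOTE.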


[Secure-testing-commits] r50447 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-07 19:49:31 + (Fri, 07 Apr 2017)
New Revision: 50447

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-7377

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 19:49:21 UTC (rev 50446)
+++ data/CVE/list   2017-04-07 19:49:31 UTC (rev 50447)
@@ -488,7 +488,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1
 CVE-2017-7377 [9pfs: host memory leakage via v9fs_create]
RESERVED
-   - qemu 
+   - qemu  (bug #859854)
[jessie] - qemu  (Minor issue)
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg05449.html
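Review bot: the bug reference is attached to the `qemu` line only, while the `- qemu-kvm` line listed under the same CVE two lines below stays without a bug or status annotation; if #859854 also covers qemu-kvm, add it there as well, otherwise a NOTE explaining why qemu-kvm is tracked differently would avoid the question coming up again.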


[Secure-testing-commits] r50446 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-07 19:49:21 + (Fri, 07 Apr 2017)
New Revision: 50446

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-7377

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 19:03:31 UTC (rev 50445)
+++ data/CVE/list   2017-04-07 19:49:21 UTC (rev 50446)
@@ -489,9 +489,12 @@
 CVE-2017-7377 [9pfs: host memory leakage via v9fs_create]
RESERVED
- qemu 
+   [jessie] - qemu  (Minor issue)
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg05449.html
+   NOTE: 
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=d63fb193e71644a073b77ff5ac6f1216f2f6cf6e
NOTE: http://www.openwall.com/lists/oss-security/2017/04/03/2
+   NOTE: For older releases affected code is in hw/9pfs/virtio-9p.c
 CVE-2017-7376
RESERVED
 CVE-2017-7375
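Review bot: the new `[jessie] - qemu  (Minor issue)` tag has no `[wheezy]` counterpart even though the NOTE added in the same hunk states that older releases carry the affected code in hw/9pfs/virtio-9p.c; the `- qemu-kvm` line is left untagged, so it is not recorded whether the wheezy package is also considered minor or needs LTS attention. Add a `[wheezy]` annotation for qemu-kvm, or a NOTE saying the assessment is still pending.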


[Secure-testing-commits] r50448 - data/DSA

2017-04-07 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-04-07 20:30:07 + (Fri, 07 Apr 2017)
New Revision: 50448

Modified:
   data/DSA/list
Log:
jasper DSA


Modified: data/DSA/list
===
--- data/DSA/list   2017-04-07 19:49:31 UTC (rev 50447)
+++ data/DSA/list   2017-04-07 20:30:07 UTC (rev 50448)
@@ -1,3 +1,6 @@
+[07 Apr 2017] DSA-3827-1 jasper - security update
+   {CVE-2016-9591 CVE-2016-10249 CVE-2016-10251}
+   [jessie] - jasper 1.900.1-debian1-2.4+deb8u3
 [04 Apr 2017] DSA-3826-1 tryton-server - security update
{CVE-2017-0360}
[jessie] - tryton-server 3.4.0-3+deb8u3


[Secure-testing-commits] r50449 - data/CVE

2017-04-07 Thread security tracker role
Author: sectracker
Date: 2017-04-07 21:10:12 + (Fri, 07 Apr 2017)
New Revision: 50449

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 20:30:07 UTC (rev 50448)
+++ data/CVE/list   2017-04-07 21:10:12 UTC (rev 50449)
@@ -1,3 +1,23 @@
+CVE-2017-7586 (In libsndfile before 1.0.28, an error in the 
"header_read()" function ...)
+   TODO: check
+CVE-2017-7585 (In libsndfile before 1.0.28, an error in the 
"flac_buffer_copy()" ...)
+   TODO: check
+CVE-2017-7584 (Memory Corruption Vulnerability in Foxit PDF Toolkit before 2.1 
allows ...)
+   TODO: check
+CVE-2017-7583 (ILIAS before 5.2.3 has XSS via SVG documents. ...)
+   TODO: check
+CVE-2017-7582
+   RESERVED
+CVE-2017-7581 (SQL injection vulnerability in NewsController.php in the News 
module ...)
+   TODO: check
+CVE-2017-7580
+   RESERVED
+CVE-2017-7579 (inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the 
question field. ...)
+   TODO: check
+CVE-2007-6760
+   RESERVED
+CVE-2007-6759
+   RESERVED
 CVE-2017-7577 (XiongMai uc-httpd has directory traversal allowing the reading 
of ...)
NOT-FOR-US: XiongMai uc-httpd
 CVE-2017-7576 (DragonWave Horizon 1.01.03 wireless radios have hardcoded login 
...)
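Review bot: CVE-2017-7586 and CVE-2017-7585 are left at `TODO: check` like the rest of the batch, but they name libsndfile, which Debian packages, whereas the entries that follow (Foxit, ILIAS, phpMyFAQ) are third-party products; these two need a source-package line and an affected-version assessment rather than an NFU, and since both descriptions say "before 1.0.28", the versions in the stable suites should be compared against that boundary when they are triaged.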
@@ -2068,6 +2088,7 @@
[wheezy] - imagemagick  (vulnerable code not present)
NOTE: Fixed by: 
http://git.imagemagick.org/repos/ImageMagick/commit/6790815c75bdea0357df5564345847856e995d6b
 CVE-2016-10251 (Integer overflow in the jpc_pi_nextcprl function in 
jpc_t2cod.c in ...)
+   {DSA-3827-1}
- jasper 
NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/11
NOTE: 
https://github.com/mdadams/jasper/commit/1f0dfe5a42911b6880a1445f13f6d615ddb55387
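Review bot: `{DSA-3827-1}` is now cross-referenced on CVE-2016-10251, but the `- jasper` line directly below still carries no fixed version, so the issue continues to read as open in unstable and testing after the DSA; if jasper in unstable already contains the upstream commit 1f0dfe5a referenced in the NOTE, record that version, otherwise add a NOTE that the fix is still pending in sid so the state is explicit.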
@@ -2541,26 +2562,26 @@
RESERVED
 CVE-2017-6607
RESERVED
-CVE-2017-6606
-   RESERVED
+CVE-2017-6606 (A vulnerability in a startup script of Cisco IOS XE Software 
could ...)
+   TODO: check
 CVE-2017-6605
RESERVED
-CVE-2017-6604
-   RESERVED
-CVE-2017-6603
-   RESERVED
-CVE-2017-6602
-   RESERVED
-CVE-2017-6601
-   RESERVED
-CVE-2017-6600
-   RESERVED
-CVE-2017-6599
-   RESERVED
-CVE-2017-6598
-   RESERVED
-CVE-2017-6597
-   RESERVED
+CVE-2017-6604 (A vulnerability in the web interface of Cisco Integrated 
Management ...)
+   TODO: check
+CVE-2017-6603 (A vulnerability in Cisco ASR 903 or ASR 920 Series Devices 
running with ...)
+   TODO: check
+CVE-2017-6602 (A vulnerability in the CLI of Cisco Unified Computing System 
(UCS) ...)
+   TODO: check
+CVE-2017-6601 (A vulnerability in the CLI of the Cisco Unified Computing 
System (UCS) ...)
+   TODO: check
+CVE-2017-6600 (A vulnerability in the CLI of the Cisco Unified Computing 
System (UCS) ...)
+   TODO: check
+CVE-2017-6599 (A vulnerability in Google-defined remote procedure call (gRPC) 
handling ...)
+   TODO: check
+CVE-2017-6598 (A vulnerability in the debug plug-in functionality of the Cisco 
Unified ...)
+   TODO: check
+CVE-2017-6597 (A vulnerability in the local-mgmt CLI command of the Cisco 
Unified ...)
+   TODO: check
 CVE-2017-6596 (partclone.chkimg in partclone 0.2.89 is prone to a heap-based 
buffer ...)
[experimental] - partclone 0.2.90-1
- partclone 0.2.89-3 (bug #857966)
@@ -10236,18 +10257,18 @@
RESERVED
 CVE-2017-3890 (A reflected cross-site scripting vulnerability in the 
BlackBerry ...)
NOT-FOR-US: BlackBerry
-CVE-2017-3889
-   RESERVED
-CVE-2017-3888
-   RESERVED
-CVE-2017-3887
-   RESERVED
-CVE-2017-3886
-   RESERVED
-CVE-2017-3885
-   RESERVED
-CVE-2017-3884
-   RESERVED
+CVE-2017-3889 (A vulnerability in the web interface of the Cisco Registered 
Envelope ...)
+   TODO: check
+CVE-2017-3888 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
+   TODO: check
+CVE-2017-3887 (A vulnerability in the detection engine that handles Secure 
Sockets ...)
+   TODO: check
+CVE-2017-3886 (A vulnerability in the Cisco Unified Communications Manager web 
...)
+   TODO: check
+CVE-2017-3885 (A vulnerability in the detection engine reassembly of Secure 
Sockets ...)
+   TODO: check
+CVE-2017-3884 (A vulnerability in the web interface of Cisco Prime 
Infrastructure and ...)
+   TODO: check
 CVE-2017-3883
RESERVED
 CVE-2017-3882
@@ -10318,8 +10339,8 @@
NOT-FOR-US: Cisco
 CVE-2017-3849 (A vulnerability in the Autonomic Networking Infrastructure 
(ANI) ...)
NOT-FOR-US: Cisco
-CVE-2017-3848
-   RESERVED
+CVE-2017-3848 (A vulnerability in the HTTP web-based management interface of 
Cisco ...)
+   TODO: check
 CVE-2017-3847 (A vulnerability in the web framework of Cisco Firepower 
Management ...)
NOT-FOR-US: Cisco
 CVE-2017-3846 (A vulnerability in the Client Manager Server of Cisco Workload 
...)

[Secure-testing-commits] r50451 - data

2017-04-07 Thread Chris Lamb
Author: lamby
Date: 2017-04-07 21:13:24 + (Fri, 07 Apr 2017)
New Revision: 50451

Modified:
   data/dla-needed.txt
Log:
Triage ming for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 21:13:21 UTC (rev 50450)
+++ data/dla-needed.txt 2017-04-07 21:13:24 UTC (rev 50451)
@@ -76,6 +76,8 @@
 mcollective
   NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html
 --
+ming
+--
 mp3splt
   NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian
   NOTE: packages (tested on Stretch, Jessie and Wheezy). It's claimed to
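Review bot: the new `ming` entry in dla-needed.txt carries no NOTE, unlike the neighbouring mcollective and mp3splt entries; record which issue triggered the triage (the CVE list on this page shows CVE-2017-7578, multiple heap-based buffer overflows in parser.c of libming 0.4.7) and the upstream reference, so that whoever claims the package starts from the same pointer instead of re-deriving it from data/CVE/list.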


[Secure-testing-commits] r50452 - data

2017-04-07 Thread Chris Lamb
Author: lamby
Date: 2017-04-07 21:13:52 + (Fri, 07 Apr 2017)
New Revision: 50452

Modified:
   data/dla-needed.txt
Log:
Claim ming in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 21:13:24 UTC (rev 50451)
+++ data/dla-needed.txt 2017-04-07 21:13:52 UTC (rev 50452)
@@ -76,7 +76,7 @@
 mcollective
   NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html
 --
-ming
+ming (Chris Lamb)
 --
 mp3splt
   NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian


[Secure-testing-commits] r50450 - data/CVE

2017-04-07 Thread Chris Lamb
Author: lamby
Date: 2017-04-07 21:13:21 + (Fri, 07 Apr 2017)
New Revision: 50450

Modified:
   data/CVE/list
Log:
CVE-2017-7572/backintime: not in 1.0.10-1/wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 21:10:12 UTC (rev 50449)
+++ data/CVE/list   2017-04-07 21:13:21 UTC (rev 50450)
@@ -31,6 +31,7 @@
 CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back 
In Time ...)
- backintime  (bug #859815)
[jessie] - backintime  (Minor issue)
+   [wheezy] - backintime  (Vulnerable code not present)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/2
NOTE: 
https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b593a48cd1869
 CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact 
is ...)
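Review bot: the annotation is written `Vulnerable code not present` with a capital V, whereas the same tag appears lowercase elsewhere in the file (`[wheezy] - imagemagick  (vulnerable code not present)` and `- netpbm-free  (vulnerable code not present)` in the other diffs on this page); keep the spelling uniform so greps and scripts that match on the tag see one form. The commit message also records the version inspected (1.0.10-1), which is worth keeping as a NOTE since the annotation alone does not say which wheezy version was checked.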


[Secure-testing-commits] r50453 - data/CVE

2017-04-07 Thread Henri Salo
Author: fgeek-guest
Date: 2017-04-07 21:30:18 + (Fri, 07 Apr 2017)
New Revision: 50453

Modified:
   data/CVE/list
Log:
typofix

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 21:13:52 UTC (rev 50452)
+++ data/CVE/list   2017-04-07 21:30:18 UTC (rev 50453)
@@ -57,7 +57,7 @@
 CVE-2016-10319 (In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware 
update SMC ...)
NOT-FOR-US: ARM
 CVE-2016-1000307 (Multiple Cross Site Scripting (XSS) Vulnerabilities in 
ClipBucket ...)
-   NOT-FOR-US: ClipBucker
+   NOT-FOR-US: ClipBucket
 CVE-2016-1000306
REJECTED
 CVE-2017-7578 (Multiple heap-based buffer overflows in parser.c in libming 
0.4.7 allow ...)


[Secure-testing-commits] r50454 - in data: . DLA

2017-04-07 Thread Markus Koschany
Author: apo
Date: 2017-04-07 21:42:15 + (Fri, 07 Apr 2017)
New Revision: 50454

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-888-1 for logback

Modified: data/DLA/list
===
--- data/DLA/list   2017-04-07 21:30:18 UTC (rev 50453)
+++ data/DLA/list   2017-04-07 21:42:15 UTC (rev 50454)
@@ -1,3 +1,6 @@
+[07 Apr 2017] DLA-888-1 logback - security update
+   {CVE-2017-5929}
+   [wheezy] - logback 1:1.0.4-1+deb7u1
 [07 Apr 2017] DLA-887-1 libdatetime-timezone-perl - new upstream version
[wheezy] - libdatetime-timezone-perl 1:1.58-1+2017b
 [07 Apr 2017] DLA-886-1 tzdata - new upstream version
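Review bot: the DLA entry records `{CVE-2017-5929}`, but this commit only touches data/DLA/list and data/dla-needed.txt, so the CVE-2017-5929 entry in data/CVE/list does not yet carry the matching `{DLA-888-1}` cross-reference; on this page that link is added by the automatic update (r50449 does it for DSA-3827-1), so confirm it shows up in the next automatic run rather than assuming it.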

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-07 21:30:18 UTC (rev 50453)
+++ data/dla-needed.txt 2017-04-07 21:42:15 UTC (rev 50454)
@@ -71,8 +71,6 @@
 --
 linux
 --
-logback (Markus Koschany)
---
 mcollective
   NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html
 --


[Secure-testing-commits] r50455 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 05:51:19 + (Sat, 08 Apr 2017)
New Revision: 50455

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-758{5,6}

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-07 21:42:15 UTC (rev 50454)
+++ data/CVE/list   2017-04-08 05:51:19 UTC (rev 50455)
@@ -1,7 +1,13 @@
 CVE-2017-7586 (In libsndfile before 1.0.28, an error in the 
"header_read()" function ...)
-   TODO: check
+   - libsndfile 1.0.27-2
+   NOTE: 
https://github.com/erikd/libsndfile/commit/708e996c87c5fae77b104ccfeb8f6db784c32074
+   NOTE: 
https://github.com/erikd/libsndfile/commit/f457b7b5ecfe91697ed01cfc825772c4d8de1236
+   NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
 CVE-2017-7585 (In libsndfile before 1.0.28, an error in the 
"flac_buffer_copy()" ...)
-   TODO: check
+   - libsndfile 1.0.27-2
+   NOTE: 
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
+   NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-4/
+   NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
 CVE-2017-7584 (Memory Corruption Vulnerability in Foxit PDF Toolkit before 2.1 
allows ...)
TODO: check
 CVE-2017-7583 (ILIAS before 5.2.3 has XSS via SVG documents. ...)
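Review bot: both libsndfile entries set the fixed version to 1.0.27-2 while the accompanying NOTE only says the Debian patch is "meant to" address the issue; a fixed version is a stronger claim than that wording supports, so either verify that fix_bufferoverflows.patch contains the changes from the referenced upstream commits (708e996c and f457b7b5 for CVE-2017-7586, 60b23430 for CVE-2017-7585) and state that in the NOTE, or leave the version off until that is confirmed. The descriptions also say "before 1.0.28" and no `[jessie]` or `[wheezy]` line is added, so the status of the stable suites is still undetermined in this hunk.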


[Secure-testing-commits] r50456 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 06:04:51 + (Sat, 08 Apr 2017)
New Revision: 50456

Modified:
   data/CVE/list
Log:
Add patch reference for libsndfile

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-08 05:51:19 UTC (rev 50455)
+++ data/CVE/list   2017-04-08 06:04:51 UTC (rev 50456)
@@ -3,11 +3,13 @@
NOTE: 
https://github.com/erikd/libsndfile/commit/708e996c87c5fae77b104ccfeb8f6db784c32074
NOTE: 
https://github.com/erikd/libsndfile/commit/f457b7b5ecfe91697ed01cfc825772c4d8de1236
NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
+   NOTE: 
https://sources.debian.net/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
 CVE-2017-7585 (In libsndfile before 1.0.28, an error in the 
"flac_buffer_copy()" ...)
- libsndfile 1.0.27-2
NOTE: 
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-4/
NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
+   NOTE: 
https://sources.debian.net/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
 CVE-2017-7584 (Memory Corruption Vulnerability in Foxit PDF Toolkit before 2.1 
allows ...)
TODO: check
 CVE-2017-7583 (ILIAS before 5.2.3 has XSS via SVG documents. ...)


[Secure-testing-commits] r50457 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 06:11:19 + (Sat, 08 Apr 2017)
New Revision: 50457

Modified:
   data/CVE/list
Log:
Process several NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-08 06:04:51 UTC (rev 50456)
+++ data/CVE/list   2017-04-08 06:11:19 UTC (rev 50457)
@@ -11,17 +11,17 @@
NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
NOTE: 
https://sources.debian.net/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
 CVE-2017-7584 (Memory Corruption Vulnerability in Foxit PDF Toolkit before 2.1 
allows ...)
-   TODO: check
+   NOT-FOR-US: Foxit PDF Toolkit
 CVE-2017-7583 (ILIAS before 5.2.3 has XSS via SVG documents. ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2017-7582
RESERVED
 CVE-2017-7581 (SQL injection vulnerability in NewsController.php in the News 
module ...)
-   TODO: check
+   NOT-FOR-US: News module for TYPO3
 CVE-2017-7580
RESERVED
 CVE-2017-7579 (inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the 
question field. ...)
-   TODO: check
+   NOT-FOR-US: phpMyFAQ
 CVE-2007-6760
RESERVED
 CVE-2007-6759
@@ -2572,25 +2572,25 @@
 CVE-2017-6607
RESERVED
 CVE-2017-6606 (A vulnerability in a startup script of Cisco IOS XE Software 
could ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6605
RESERVED
 CVE-2017-6604 (A vulnerability in the web interface of Cisco Integrated 
Management ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6603 (A vulnerability in Cisco ASR 903 or ASR 920 Series Devices 
running with ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6602 (A vulnerability in the CLI of Cisco Unified Computing System 
(UCS) ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6601 (A vulnerability in the CLI of the Cisco Unified Computing 
System (UCS) ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6600 (A vulnerability in the CLI of the Cisco Unified Computing 
System (UCS) ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6599 (A vulnerability in Google-defined remote procedure call (gRPC) 
handling ...)
TODO: check
 CVE-2017-6598 (A vulnerability in the debug plug-in functionality of the Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6597 (A vulnerability in the local-mgmt CLI command of the Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-6596 (partclone.chkimg in partclone 0.2.89 is prone to a heap-based 
buffer ...)
[experimental] - partclone 0.2.90-1
- partclone 0.2.89-3 (bug #857966)
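Review bot: CVE-2017-6599 is the only entry in this block left at `TODO: check` while every surrounding Cisco advisory becomes `NOT-FOR-US: Cisco`; its description mentions "Google-defined remote procedure call (gRPC) handling", so presumably it was held back to see whether the flaw is in a Cisco product or in a generic gRPC implementation. A NOTE recording that reason would stop the next triage pass from treating it as an oversight.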
@@ -10267,17 +10267,17 @@
 CVE-2017-3890 (A reflected cross-site scripting vulnerability in the 
BlackBerry ...)
NOT-FOR-US: BlackBerry
 CVE-2017-3889 (A vulnerability in the web interface of the Cisco Registered 
Envelope ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3888 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3887 (A vulnerability in the detection engine that handles Secure 
Sockets ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3886 (A vulnerability in the Cisco Unified Communications Manager web 
...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3885 (A vulnerability in the detection engine reassembly of Secure 
Sockets ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3884 (A vulnerability in the web interface of Cisco Prime 
Infrastructure and ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3883
RESERVED
 CVE-2017-3882
@@ -10349,7 +10349,7 @@
 CVE-2017-3849 (A vulnerability in the Autonomic Networking Infrastructure 
(ANI) ...)
NOT-FOR-US: Cisco
 CVE-2017-3848 (A vulnerability in the HTTP web-based management interface of 
Cisco ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3847 (A vulnerability in the web framework of Cisco Firepower 
Management ...)
NOT-FOR-US: Cisco
 CVE-2017-3846 (A vulnerability in the Client Manager Server of Cisco Workload 
...)
@@ -10411,7 +10411,7 @@
 CVE-2017-3818 (A vulnerability in the Multipurpose Internet Mail Extensions 
(MIME) ...)
NOT-FOR-US: Cisco Email Security Appliances
 CVE-2017-3817 (A vulnerability in the role-based resource checking 
functionality of ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-3816
RESERVED
 CVE-2017-3815 (An API Privilege vulnerability in Cisco TelePresence Server 
Software ...)
@@ -14608,7 +14608,7 @@
 CVE-2017-2388 (An issue was discovered in certain Apple products. macOS before 
...)
NOT-FOR-US: Apple
 CVE-2017-2387 (The Apple Music (aka com.apple.android.music) application 
before 2.0 ...)
-   TODO: check
+   NOT-FOR-US: Apple Music application for Android
 CVE-2017-2386 (An issue was discovered in cer

[Secure-testing-commits] r50458 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 06:39:03 + (Sat, 08 Apr 2017)
New Revision: 50458

Modified:
   data/CVE/list
Log:
Add commit reference fixing CVE-2017-2671

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-08 06:11:19 UTC (rev 50457)
+++ data/CVE/list   2017-04-08 06:39:03 UTC (rev 50458)
@@ -13842,6 +13842,7 @@
 CVE-2017-2671 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel 
...)
- linux 
NOTE: http://www.openwall.com/lists/oss-security/2017/03/24/6
+   NOTE: Fixed by: 
https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
 CVE-2017-2670
RESERVED
 CVE-2017-2669
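Review bot: the `Fixed by:` line omits the upstream release the commit landed in, which the tracker appends in parentheses elsewhere on this page (the `(4.11-rc5)` and `(3.17-rc1)` annotations in r50459); since the `- linux` line here still has no fixed version, adding the release tag makes it immediately clear which upload in unstable is expected to carry 43a66845.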


[Secure-testing-commits] r50459 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 06:44:08 + (Sat, 08 Apr 2017)
New Revision: 50459

Modified:
   data/CVE/list
Log:
CVE-2017-7187 fixed upstream

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-08 06:39:03 UTC (rev 50458)
+++ data/CVE/list   2017-04-08 06:44:08 UTC (rev 50459)
@@ -1276,6 +1276,7 @@
- linux 4.9.18-1
[jessie] - linux  (Introduced in 3.17)
[wheezy] - linux  (Introduced in 3.17)
+   NOTE: Fixed by: 
https://git.kernel.org/linus/bf33f87dd04c371ea33feb821b60d63d754e3124 (4.11-rc5)
NOTE: Introduced by: 
https://git.kernel.org/linus/65c26a0f39695ba01d9693754f27ca76cc8a3ab5 (3.17-rc1)
 CVE-2017-7185
RESERVED


[Secure-testing-commits] r50460 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 06:48:10 + (Sat, 08 Apr 2017)
New Revision: 50460

Modified:
   data/CVE/list
Log:
Add fixing commit for CVE-2017-7261

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-08 06:44:08 UTC (rev 50459)
+++ data/CVE/list   2017-04-08 06:48:10 UTC (rev 50460)
@@ -961,6 +961,7 @@
NOT-FOR-US: Hardware bug in AMD Ryzen CPUs, cannot be fixed via micro 
code updates, but only BIOS updates
 CVE-2017-7261 (The vmw_surface_define_ioctl function in ...)
- linux 4.9.18-1
+   NOTE: Fixed by: 
https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd
 CVE-2017-7260
RESERVED
 CVE-2017-7259


[Secure-testing-commits] r50461 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 06:51:28 + (Sat, 08 Apr 2017)
New Revision: 50461

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-7294/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-08 06:48:10 UTC (rev 50460)
+++ data/CVE/list   2017-04-08 06:51:28 UTC (rev 50461)
@@ -737,6 +737,7 @@
RESERVED
 CVE-2017-7294 (The vmw_surface_define_ioctl function in ...)
- linux 4.9.18-1
+   NOTE: Fixed by: 
https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678
 CVE-2017-7292
RESERVED
 CVE-2017-7291
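Review bot: CVE-2017-7294 and CVE-2017-7261 (r50460 on this page) carry the identical truncated description "The vmw_surface_define_ioctl function in ..." but different fixing commits (e7e11f99 here, 36274ab8 there); a short NOTE on each entry stating which flaw in that ioctl its commit addresses would prevent the two from being confused when someone backports one commit against the wrong CVE.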


[Secure-testing-commits] r50462 - data/CVE

2017-04-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-04-08 06:53:52 + (Sat, 08 Apr 2017)
New Revision: 50462

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-7308

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-08 06:51:28 UTC (rev 50461)
+++ data/CVE/list   2017-04-08 06:53:52 UTC (rev 50462)
@@ -721,6 +721,9 @@
RESERVED
 CVE-2017-7308 (The packet_set_ring function in net/packet/af_packet.c in the 
Linux ...)
- linux 4.9.18-1
+   NOTE: Fixed by: 
https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2
+   NOTE: Fixed by: 
https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
+   NOTE: Fixed by: 
https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70
 CVE-2017-7298 (In Moodle 3.2.2+, there is XSS in the Course summary filter of 
the "Add ...)
- moodle  (unimportant)
NOTE: http://www.daimacn.com/post/12.html
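Review bot: three `Fixed by:` commits are listed for CVE-2017-7308 with no upstream release tag and no `[jessie]` or `[wheezy]` line, so it is not recorded whether the jessie and wheezy kernels need all three backports or only a subset; the r50459 entry on this page shows the expected form (`[jessie] - linux  (Introduced in 3.17)` plus release tags on the commit URLs), and following it here would make the LTS work item explicit.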

