[Secure-testing-commits] r50750 - data
Author: seb Date: 2017-04-18 06:30:44 + (Tue, 18 Apr 2017) New Revision: 50750 Modified: data/dsa-needed.txt Log: Add and take icu Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-04-18 06:30:01 UTC (rev 50749) +++ data/dsa-needed.txt 2017-04-18 06:30:44 UTC (rev 50750) @@ -25,6 +25,9 @@ -- icedove (jmm) -- +icu (seb) + gcs proposed debdiff, acked for upload +-- libav wait until the next 11.9 release -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
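Review bot: the status line added under icu ("gcs proposed debdiff, acked for upload") carries no date, whereas the libytnef entry in r50749 on this page prefixes its status with "[2017-04-10]"; a date on the ack makes it visible how long an acked upload has been waiting.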
[Secure-testing-commits] r50749 - data
Author: seb Date: 2017-04-18 06:30:01 + (Tue, 18 Apr 2017) New Revision: 50749 Modified: data/dsa-needed.txt Log: Document libytnef state Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-04-18 05:10:39 UTC (rev 50748) +++ data/dsa-needed.txt 2017-04-18 06:30:01 UTC (rev 50749) @@ -30,6 +30,7 @@ -- libytnef (seb) Jordi Mallach proposed debdiff, needs review and ack + [2017-04-10] Asked for full source debdiff + reproducer -- linux wait until more issues have piled up
[Secure-testing-commits] r50748 - data/CVE
Author: carnil Date: 2017-04-18 05:10:39 + (Tue, 18 Apr 2017) New Revision: 50748 Modified: data/CVE/list Log: Reference fixing commit for CVE-2017-7859 Modified: data/CVE/list === --- data/CVE/list 2017-04-18 05:02:36 UTC (rev 50747) +++ data/CVE/list 2017-04-18 05:10:39 UTC (rev 50748) @@ -99,6 +99,8 @@ - grpc (bug #860316) CVE-2017-7859 (FFmpeg before 2017-03-05 has an out-of-bounds write caused by a ...) - ffmpeg + NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1034183 + NOTE: https://github.com/FFmpeg/FFmpeg/commit/70ebc05bce51215cd0857194d6cabf1e4d1440fb CVE-2017-7858 (FreeType 2 before 2017-03-07 has an out-of-bounds write related to the ...) - freetype (Vulnerable code introduced in 2.6.4) NOTE: Introduced after: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=813aca51d28704f7ffc470721167738fa8decb3d
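Review bot: the second added NOTE for CVE-2017-7859 is the fixing commit (the log says so), but it lacks the "Fixed by:" prefix the file uses for fixing commits elsewhere on this page (e.g. "NOTE: Fixed by: https://github.com/erikd/libsamplerate/commit/..." in r50746); suggest "+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/70ebc05bce51215cd0857194d6cabf1e4d1440fb" so readers and tooling can tell the fix apart from the bug report link above it.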
[Secure-testing-commits] r50747 - data/CVE
Author: carnil Date: 2017-04-18 05:02:36 + (Tue, 18 Apr 2017) New Revision: 50747 Modified: data/CVE/list Log: Update one libgcrypt20 issue Fix included in 1.6.4 upstream and first upload to unstable was 1.6.4-3 containing the fix. Modified: data/CVE/list === --- data/CVE/list 2017-04-18 04:49:38 UTC (rev 50746) +++ data/CVE/list 2017-04-18 05:02:36 UTC (rev 50747) @@ -57158,7 +57158,7 @@ - libgcrypt11 [wheezy] - libgcrypt11 (Minor issue; additional hardening) [squeeze] - libgcrypt11 (Minor issue; additional hardening) - - libgcrypt20 + - libgcrypt20 1.6.4-3 [jessie] - libgcrypt20 (Minor issue; additional hardening) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b85c8d6645039fc9d403791750510e439731d479 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/09/08/5
[Secure-testing-commits] r50746 - data/CVE
Author: carnil Date: 2017-04-18 04:49:38 + (Tue, 18 Apr 2017) New Revision: 50746 Modified: data/CVE/list Log: Mark CVE-2017-7697 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-04-18 04:49:28 UTC (rev 50745) +++ data/CVE/list 2017-04-18 04:49:38 UTC (rev 50746) @@ -515,6 +515,7 @@ RESERVED CVE-2017-7697 (In libsamplerate before 0.1.9, a buffer over-read occurs in the ...) - libsamplerate (bug #860159) + [jessie] - libsamplerate (Minor issue) NOTE: https://github.com/erikd/libsamplerate/issues/11 NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/ NOTE: Fixed by: https://github.com/erikd/libsamplerate/commit/c3b66186656de44da18b7058aec099dbe782dd0b
[Secure-testing-commits] r50745 - data/CVE
Author: carnil Date: 2017-04-18 04:49:28 + (Tue, 18 Apr 2017) New Revision: 50745 Modified: data/CVE/list Log: Reference isolated fix for CVE-2017-7697 But possibly it would be good to just upload 0.1.9 in next upload. Does not seem to need a dsa for stable as well. From upstream: >* src/src_sinc.c >Fix a read beyond end of coefficient array problem uncovered by gcc-4.8's >-fsanitize=address feature and reported by Cristian Rodríguez. > >Since this is reading filter coefficients from rodata memory and no write >is possible, it is not exploitable from a security point of view. > >Solution was to reduce the half_coeff_len value for each filter by one. Modified: data/CVE/list === --- data/CVE/list 2017-04-18 04:15:29 UTC (rev 50744) +++ data/CVE/list 2017-04-18 04:49:28 UTC (rev 50745) @@ -517,6 +517,7 @@ - libsamplerate (bug #860159) NOTE: https://github.com/erikd/libsamplerate/issues/11 NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/ + NOTE: Fixed by: https://github.com/erikd/libsamplerate/commit/c3b66186656de44da18b7058aec099dbe782dd0b CVE-2017-7696 (SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote ...) NOT-FOR-US: SAP CVE-2017-7695 (Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an ...)
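Review bot: the log message suggests simply uploading 0.1.9 in the next upload, but the hunk records only the isolated fixing commit; a "TODO:" line under the libsamplerate entry (the file's convention for open follow-ups, as in the capnproto entry of r50740 on this page) would keep that suggestion visible to whoever prepares the next upload instead of leaving it only in the commit log.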
[Secure-testing-commits] r50744 - data
Author: pabs Date: 2017-04-18 04:15:29 + (Tue, 18 Apr 2017) New Revision: 50744 Modified: data/embedded-code-copies Log: typo Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-04-18 04:13:48 UTC (rev 50743) +++ data/embedded-code-copies 2017-04-18 04:15:29 UTC (rev 50744) @@ -3248,7 +3248,7 @@ youtube-dl - encuentro (bug #859589) -libwebp (not packaged, no ITP) +libwebm (not packaged, no ITP) - libopenglrecorder (modified-embed) NOTE: not yet in Debian NOTE: modifications are that it is stripped down
[Secure-testing-commits] r50743 - data
Author: pabs Date: 2017-04-18 04:13:48 + (Tue, 18 Apr 2017) New Revision: 50743 Modified: data/embedded-code-copies Log: several packages embed libwebp Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-04-18 03:40:16 UTC (rev 50742) +++ data/embedded-code-copies 2017-04-18 04:13:48 UTC (rev 50743) @@ -3247,3 +3247,15 @@ youtube-dl - encuentro (bug #859589) + +libwebp (not packaged, no ITP) + - libopenglrecorder (modified-embed) + NOTE: not yet in Debian + NOTE: modifications are that it is stripped down + - sludge (modified-embed) + NOTE: modifications are that it is stripped down + - libvpx (embed) + - chromium-browser (embed) + NOTE: 2 copies, one via a libvpx embed + - qtwebengine-opensource-src (embed) + NOTE: via chromium embed: 2 copies, one via a libvpx embed
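Review bot: the name in the new heading should be double-checked before commit: the follow-up r50744 on this page renames it from libwebp to libwebm, and the log message "several packages embed libwebp" then carries the same wrong name; since the entry is keyed by this heading, getting it right in the first commit avoids a misleading history for anyone grepping for libwebp.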
[Secure-testing-commits] r50742 - data/CVE
Author: carnil Date: 2017-04-18 03:40:16 + (Tue, 18 Apr 2017) New Revision: 50742 Modified: data/CVE/list Log: Add reference for additional information for CVE-2017-3137/bind9 patch backports Modified: data/CVE/list === --- data/CVE/list 2017-04-18 03:38:11 UTC (rev 50741) +++ data/CVE/list 2017-04-18 03:40:16 UTC (rev 50742) @@ -13517,6 +13517,7 @@ RESERVED - bind9 (bug #860225) NOTE: https://kb.isc.org/article/AA-01466 + NOTE: Additional information for backporting patch: http://www.openwall.com/lists/oss-security/2017/04/17/5 CVE-2017-3136 [An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"] RESERVED - bind9 (bug #860224)
[Secure-testing-commits] r50741 - data/CVE
Author: carnil Date: 2017-04-18 03:38:11 + (Tue, 18 Apr 2017) New Revision: 50741 Modified: data/CVE/list Log: Mark some NFUs Modified: data/CVE/list === --- data/CVE/list 2017-04-18 03:22:13 UTC (rev 50740) +++ data/CVE/list 2017-04-18 03:38:11 UTC (rev 50741) @@ -4,7 +4,7 @@ NOTE: Fixed by: https://github.com/sandstorm-io/capnproto/commit/52bc956459a5e83d7c31be95763ff6399e064ae4 TODO: according to the advisory so far only Apple's compiler has been shown to apply the problematic optimization, so possibly "unimportant" for us, but fixed in 0.5.3.1 upstream CVE-2017-7891 (sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via the ...) - TODO: check + NOT-FOR-US: SourceBans++ CVE-2017-7890 RESERVED CVE-2017-7888 
@@ -36683,25 +36683,25 @@ CVE-2016-4875 (Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) ...) NOT-FOR-US: IVYWE CVE-2016-4874 (Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4873 (The "Project" function in Cybozu Office 9.0.0 through 10.4.0 does not ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4872 (The "breadcrumb trail" component in Cybozu Office 9.0.0 through 10.4.0 ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4871 (Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4870 (Cross-site scripting (XSS) vulnerability in "Schedule" function in ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4869 (Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to obtain ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4868 (Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to inject ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4867 (The "Project" function in Cybozu 9.0.0 through 10.4.0 allows remote ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4866 (Cross-site scripting (XSS) vulnerability in the "Project" function in ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4865 (Cross-site scripting (XSS) vulnerability in the "Customapp" function ...) - TODO: check + NOT-FOR-US: Cybozu CVE-2016-4864 RESERVED CVE-2016-4863 @@ -52987,7 +52987,7 @@ CVE-2015-8257 RESERVED CVE-2015-8256 (Multiple cross-site scripting (XSS) vulnerabilities in Axis network ...) - TODO: check + NOT-FOR-US: Axis network cameras CVE-2015-8255 (AXIS Communications products allow CSRF, as demonstrated by ...) NOT-FOR-US: AXIS Communications CVE-2015-8254 (The Frontel protocol before 3 on RSI Video Technologies Videofied ...)
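Review bot: the new NOT-FOR-US label for CVE-2015-8256 reads "Axis network cameras" while the adjacent CVE-2015-8255 entry in the same hunk uses "AXIS Communications"; using one vendor string for both keeps the NFU entries consistent and greppable.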
[Secure-testing-commits] r50740 - data/CVE
Author: carnil Date: 2017-04-18 03:22:13 + (Tue, 18 Apr 2017) New Revision: 50740 Modified: data/CVE/list Log: Add CVE-2017-7892/capnproto Modified: data/CVE/list === --- data/CVE/list 2017-04-18 03:16:53 UTC (rev 50739) +++ data/CVE/list 2017-04-18 03:22:13 UTC (rev 50740) @@ -1,3 +1,8 @@ +CVE-2017-7892 [Bounds check elided by compiler optimization] + - capnproto + NOTE: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2017-04-17-0-apple-clang-elides-bounds-check.md + NOTE: Fixed by: https://github.com/sandstorm-io/capnproto/commit/52bc956459a5e83d7c31be95763ff6399e064ae4 + TODO: according to the advisory so far only Apple's compiler has been shown to apply the problematic optimization, so possibly "unimportant" for us, but fixed in 0.5.3.1 upstream CVE-2017-7891 (sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via the ...) TODO: check CVE-2017-7890
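Review bot: the TODO line leaves the severity call open ("possibly "unimportant" for us") without saying what would settle it; naming the check to perform (whether the compilers Debian builds capnproto with apply the optimization described in the linked advisory) or filing a bug against capnproto, as other entries on this page do with "(bug #...)", would keep the item actionable rather than a standing question.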
[Secure-testing-commits] r50739 - data/CVE
Author: carnil Date: 2017-04-18 03:16:53 + (Tue, 18 Apr 2017) New Revision: 50739 Modified: data/CVE/list Log: Add fixing version for CVE-2017-7614 in unstable upload Modified: data/CVE/list === --- data/CVE/list 2017-04-18 03:10:22 UTC (rev 50738) +++ data/CVE/list 2017-04-18 03:16:53 UTC (rev 50739) @@ -680,7 +680,7 @@ - mantis NOTE: http://www.openwall.com/lists/oss-security/2017/04/16/2 CVE-2017-7614 (elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) - - binutils (low; bug #859989) + - binutils 2.28-4 (low; bug #859989) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/
[Secure-testing-commits] r50738 - data/CVE
Author: carnil Date: 2017-04-18 03:10:22 + (Tue, 18 Apr 2017) New Revision: 50738 Modified: data/CVE/list Log: Add CVE-2016-5396/trafficserver Modified: data/CVE/list === --- data/CVE/list 2017-04-18 03:10:03 UTC (rev 50737) +++ data/CVE/list 2017-04-18 03:10:22 UTC (rev 50738) @@ -34197,7 +34197,8 @@ CVE-2016-5397 RESERVED CVE-2016-5396 (Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb ...) - TODO: check + - trafficserver 7.0.0-1 + NOTE: https://issues.apache.org/jira/browse/TS-5019 CVE-2016-5395 (Cross-site scripting (XSS) vulnerability in the create user ...) NOT-FOR-US: Apache Ranger CVE-2016-5394
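Review bot: the entry records 7.0.0-1 as the fixed unstable version but adds no per-suite triage line; if trafficserver ships in jessie or wheezy, a "[jessie] - trafficserver ..." line (marking it fixed, not-affected or no-dsa) is expected, as the tomcat8 and binutils entries on this page have, so the stable state is not left implicit.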
[Secure-testing-commits] r50737 - data/CVE
Author: carnil Date: 2017-04-18 03:10:03 + (Tue, 18 Apr 2017) New Revision: 50737 Modified: data/CVE/list Log: Update CVE-2017-5659/trafficserver Modified: data/CVE/list === --- data/CVE/list 2017-04-17 21:10:25 UTC (rev 50736) +++ data/CVE/list 2017-04-18 03:10:03 UTC (rev 50737) @@ -6323,7 +6323,9 @@ CVE-2017-5660 RESERVED CVE-2017-5659 (Apache Traffic Server before 6.2.1 generates a coredump when there is ...) - TODO: check + - trafficserver 7.0.0-1 + NOTE: https://issues.apache.org/jira/browse/TS-4819 + NOTE: https://issues.apache.org/jira/browse/TS-4507 CVE-2017-5658 RESERVED CVE-2017-5657
[Secure-testing-commits] r50736 - data/CVE
Author: sectracker Date: 2017-04-17 21:10:25 + (Mon, 17 Apr 2017) New Revision: 50736 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-04-17 20:42:01 UTC (rev 50735) +++ data/CVE/list 2017-04-17 21:10:25 UTC (rev 50736) @@ -1,3 +1,7 @@ +CVE-2017-7891 (sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via the ...) + TODO: check +CVE-2017-7890 + RESERVED CVE-2017-7888 RESERVED CVE-2017-7887 @@ -30,6 +34,7 @@ CVE-2017-7876 RESERVED CVE-2017-7875 (In wallpaper.c in feh before v2.18.3, if a malicious client pretends to ...) + {DLA-899-1} - feh 2.18-2 (low; bug #860367) [jessie] - feh (Minor issue) NOTE: Fixed by: https://github.com/derf/feh/commit/f7a547b7ef8fc8ebdeaa4c28515c9d72e592fb6d @@ -102,6 +107,7 @@ CVE-2017-7856 (LibreOffice before 2017-03-11 has an out-of-bounds write caused by a ...) - libreoffice (Didn't affect the 5.2 backport) CVE-2016-10328 (FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a ...) + {DLA-900-1} [experimental] - freetype 2.7.1-0.1 - freetype (bug #860303) NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=beecf80a6deecbaf5d264d4f864451bde4fe98b8 @@ -3877,6 +3883,7 @@ CVE-2017-6449 RESERVED CVE-2017-6448 (The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 ...) + {DLA-901-1} [experimental] - radare2 1.3.0+dfsg-1 - radare2 1.1.0+dfsg-4 (bug #859447) [jessie] - radare2 (Minor issue) @@ -6315,8 +6322,8 @@ RESERVED CVE-2017-5660 RESERVED -CVE-2017-5659 - RESERVED +CVE-2017-5659 (Apache Traffic Server before 6.2.1 generates a coredump when there is ...) + TODO: check CVE-2017-5658 RESERVED CVE-2017-5657 
@@ -6331,15 +6338,13 @@ RESERVED CVE-2017-5652 RESERVED -CVE-2017-5651 - RESERVED +CVE-2017-5651 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ...) - tomcat9 (bug #802312) - tomcat8 8.5.11-2 (bug #860071) [jessie] - tomcat8 (Only affects 8.5 and later) NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/21 NOTE: Fixed by: http://svn.apache.org/r1788546 (8.5.x) -CVE-2017-5650 - RESERVED +CVE-2017-5650 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ...) - tomcat9 (bug #802312) - tomcat8 8.5.11-2 (bug #860070) [jessie] - tomcat8 (Only affects 8.5 and later) @@ -6347,8 +6352,7 @@ NOTE: Fixed by: http://svn.apache.org/r1788480 (8.5.x) CVE-2017-5649 (Apache Geode before 1.1.1, when a cluster has enabled security by ...) NOT-FOR-US: Apache Geode -CVE-2017-5648 - RESERVED +CVE-2017-5648 (While investigating bug 60718, it was noticed that some calls to ...) - tomcat9 (bug #802312) - tomcat8 8.5.11-2 (bug #860069) - tomcat7 7.0.72-3 @@ -6358,8 +6362,7 @@ NOTE: Fixed by: http://svn.apache.org/r1785775 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1785776 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1785777 (7.0.x) -CVE-2017-5647 - RESERVED +CVE-2017-5647 (A bug in the handling of the pipelined requests in Apache Tomcat ...) - tomcat9 (bug #802312) - tomcat8 8.5.11-2 (bug #860068) - tomcat7 7.0.72-3 @@ -28118,8 +28121,7 @@ - linux-2.6 2.6.37-1 CVE-2010-5327 (Liferay Portal through 6.2.10 allows remote authenticated users to ...) NOT-FOR-US: Liferay Portal -CVE-2016-7551 [AST-2016-007] - RESERVED +CVE-2016-7551 (chain_sip in Asterisk Open Source 11.x before 11.23.1 and 13.x 13.11.1 ...) {DSA-3700-1 DLA-781-1} - asterisk 1:13.11.2~dfsg-1 (bug #838832) NOTE: http://downloads.asterisk.org/pub/security/AST-2016-007.html 
@@ -29556,10 +29558,10 @@ CVE-2016-6728 (An elevation of privilege vulnerability in the kernel ION subsystem in ...) NOT-FOR-US: Rowhammer hardware vulnerability on Android devices NOTE: https://www.vusec.net/projects/drammer/ -CVE-2016-6727 - RESERVED -CVE-2016-6726 - RESERVED +CVE-2016-6727 (The Qualcomm GPS subsystem in Android on Android One devices allows ...) + TODO: check +CVE-2016-6726 (Unspecified vulnerability in Qualcomm components in Android on Nexus 6 ...) + TODO: check CVE-2016-6725 (A remote code execution vulnerability in the Qualcomm crypto driver in ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6724 (A denial of service vulnerability in the Input Manager Service in ...) @@ -34192,8 +34194,8 @@ NOT-FOR-US: JBoss BPMS CVE-2016-5397 RESERVED -CVE-2016-5396 - RESERVED +CVE-2016-5396 (Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb ...) + TODO: check CVE-2016-5395 (Cross-site scr
[Secure-testing-commits] r50735 - in data: . DLA
Author: alteholz Date: 2017-04-17 20:42:01 + (Mon, 17 Apr 2017) New Revision: 50735 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-901-1 for radare2 Modified: data/DLA/list === --- data/DLA/list 2017-04-17 19:26:39 UTC (rev 50734) +++ data/DLA/list 2017-04-17 20:42:01 UTC (rev 50735) @@ -1,3 +1,6 @@ +[17 Apr 2017] DLA-901-1 radare2 - security update + {CVE-2017-6448} + [wheezy] - radare2 0.9-3+deb7u2 [17 Apr 2017] DLA-900-1 freetype - security update {CVE-2016-10328} [wheezy] - freetype 2.4.9-1.1+deb7u5 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-17 19:26:39 UTC (rev 50734) +++ data/dla-needed.txt 2017-04-17 20:42:01 UTC (rev 50735) @@ -114,8 +114,6 @@ -- qemu-kvm (Guido Günther) -- -radare2 (Thorsten Alteholz) --- sane-backends (Jörg Frings-Fürst) -- slurm-llnl
[Secure-testing-commits] r50734 - data/CVE
Author: carnil Date: 2017-04-17 19:26:39 + (Mon, 17 Apr 2017) New Revision: 50734 Modified: data/CVE/list Log: Add bug reference for CVE-2017-5645 Modified: data/CVE/list === --- data/CVE/list 2017-04-17 19:21:04 UTC (rev 50733) +++ data/CVE/list 2017-04-17 19:26:39 UTC (rev 50734) @@ -6377,7 +6377,7 @@ RESERVED CVE-2017-5645 [Apache Log4j socket receiver deserialization vulnerability] RESERVED - - apache-log4j2 + - apache-log4j2 (bug #860489) NOTE: https://issues.apache.org/jira/browse/LOG4J2-1863 NOTE: Fixed by: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc19215827db29c993d0305ee2b0d8dd05939d CVE-2017-5644 (Apache POI in versions prior to release 3.15 allows remote attackers ...)
[Secure-testing-commits] r50733 - data
Author: carnil Date: 2017-04-17 19:21:04 + (Mon, 17 Apr 2017) New Revision: 50733 Modified: data/dsa-needed.txt Log: Update note for python-django Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-04-17 19:21:03 UTC (rev 50732) +++ data/dsa-needed.txt 2017-04-17 19:21:04 UTC (rev 50733) @@ -42,7 +42,7 @@ python-django lfaraone proposed debdiff, need check and ack initial review done, asked if two more CVEs currently marked no-dsa can included - 2017-04-15: no further reply from maintainer + 2017-04-17: maintainer sent new debdiff, needs new review and ack -- qemu Maintainer asked to prepare updates
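Review bot: the replaced status line uses the "2017-04-17:" date form while the libytnef entry in r50749 on this page uses "[2017-04-10]" for the same kind of dated progress note; settling on one format across dsa-needed.txt would make the file easier to scan. The unchanged context line "can included" is also missing "be" and could be fixed while this entry is being touched.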
[Secure-testing-commits] r50731 - data/CVE
Author: carnil Date: 2017-04-17 19:20:58 + (Mon, 17 Apr 2017) New Revision: 50731 Modified: data/CVE/list Log: Add commit for CVE-2017-5645/apache-log4j2 Modified: data/CVE/list === --- data/CVE/list 2017-04-17 18:42:33 UTC (rev 50730) +++ data/CVE/list 2017-04-17 19:20:58 UTC (rev 50731) @@ -6379,6 +6379,7 @@ RESERVED - apache-log4j2 NOTE: https://issues.apache.org/jira/browse/LOG4J2-1863 + NOTE: Fixed by: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc19215827db29c993d0305ee2b0d8dd05939d CVE-2017-5644 (Apache POI in versions prior to release 3.15 allows remote attackers ...) - libapache-poi-java (bug #858301) [jessie] - libapache-poi-java (Minor issue)
[Secure-testing-commits] r50732 - data
Author: carnil Date: 2017-04-17 19:21:03 + (Mon, 17 Apr 2017) New Revision: 50732 Modified: data/dsa-needed.txt Log: Add heimdal to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-04-17 19:20:58 UTC (rev 50731) +++ data/dsa-needed.txt 2017-04-17 19:21:03 UTC (rev 50732) @@ -21,6 +21,8 @@ -- graphicsmagick -- +heimdal +-- icedove (jmm) -- libav
[Secure-testing-commits] r50730 - data/CVE
Author: carnil Date: 2017-04-17 18:42:33 + (Mon, 17 Apr 2017) New Revision: 50730 Modified: data/CVE/list Log: Correct affected versions for CVE-2017-7864 CFF2 support introduced in 2.7.1 only, as such the issue appear only from 2.7.1 onwards. Mark as correctly noted for the wheezy triage, and mark freetype as not-affected for all suites (experimental still tracked via the BTS bug #860313) Modified: data/CVE/list === --- data/CVE/list 2017-04-17 17:34:35 UTC (rev 50729) +++ data/CVE/list 2017-04-17 18:42:33 UTC (rev 50730) @@ -72,8 +72,7 @@ - libav NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/2080bc33717955a0e4268e738acf8c1eeddbf8cb CVE-2017-7864 (FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a ...) - - freetype (bug #860313) - [wheezy] - freetype (CFF2 support was introduced later) + - freetype (Vulnerable code not present; CFF2 support introduced in 2.7.1, cf #860313) NOTE: Fixed by: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=e6699596af5c5d6f0ae0ea06e19df87dce088df8 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=509 CVE-2017-7863 (FFmpeg before 2017-02-04 has an out-of-bounds write caused by a ...)
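Review bot: the replacement line marks freetype as "Vulnerable code not present" for every suite, yet the log itself says the vulnerable CFF2 code arrived in 2.7.1 and that experimental is still tracked via #860313, and r50736 on this page records "[experimental] - freetype 2.7.1-0.1" for CVE-2016-10328; an explicit "[experimental] - freetype (bug #860313)" line would keep the experimental state machine-readable instead of only hinted at in the parenthetical.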
[Secure-testing-commits] r50729 - data
Author: alteholz Date: 2017-04-17 17:34:35 + (Mon, 17 Apr 2017) New Revision: 50729 Modified: data/dla-needed.txt Log: claim icu Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-17 16:58:38 UTC (rev 50728) +++ data/dla-needed.txt 2017-04-17 17:34:35 UTC (rev 50729) @@ -34,7 +34,7 @@ icedove NOTE: 45.8 is waiting in NEW but. -- -icu +icu (Thorsten Alteholz) -- imagemagick (Markus Koschany) --
[Secure-testing-commits] r50728 - data/CVE
Author: nluedtke-guest Date: 2017-04-17 16:58:38 + (Mon, 17 Apr 2017) New Revision: 50728 Modified: data/CVE/list Log: Add CVE-2017-5645/apache-log4j2 Modified: data/CVE/list === --- data/CVE/list 2017-04-17 16:35:13 UTC (rev 50727) +++ data/CVE/list 2017-04-17 16:58:38 UTC (rev 50728) @@ -6376,8 +6376,10 @@ NOTE: Fixed by: http://svn.apache.org/r1789856 (6.0.x) CVE-2017-5646 RESERVED -CVE-2017-5645 +CVE-2017-5645 [Apache Log4j socket receiver deserialization vulnerability] RESERVED + - apache-log4j2 + NOTE: https://issues.apache.org/jira/browse/LOG4J2-1863 CVE-2017-5644 (Apache POI in versions prior to release 3.15 allows remote attackers ...) - libapache-poi-java (bug #858301) [jessie] - libapache-poi-java (Minor issue)
[Secure-testing-commits] r50727 - data
Author: apo Date: 2017-04-17 16:35:13 + (Mon, 17 Apr 2017) New Revision: 50727 Modified: data/dla-needed.txt Log: Claim imagemagick in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-17 16:34:30 UTC (rev 50726) +++ data/dla-needed.txt 2017-04-17 16:35:13 UTC (rev 50727) @@ -36,7 +36,7 @@ -- icu -- -imagemagick +imagemagick (Markus Koschany) -- jasper (Thorsten Alteholz) --
[Secure-testing-commits] r50726 - in data: . DLA
Author: apo Date: 2017-04-17 16:34:30 + (Mon, 17 Apr 2017) New Revision: 50726 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-900-1 for freetype Modified: data/DLA/list === --- data/DLA/list 2017-04-17 16:33:51 UTC (rev 50725) +++ data/DLA/list 2017-04-17 16:34:30 UTC (rev 50726) @@ -1,3 +1,6 @@ +[17 Apr 2017] DLA-900-1 freetype - security update + {CVE-2016-10328} + [wheezy] - freetype 2.4.9-1.1+deb7u5 [17 Apr 2017] DLA-899-1 feh - security update {CVE-2017-7875} [wheezy] - feh 2.3-2+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-17 16:33:51 UTC (rev 50725) +++ data/dla-needed.txt 2017-04-17 16:34:30 UTC (rev 50726) @@ -24,8 +24,6 @@ NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is now NOTE: EOL. I have already started to look at ESR 52 to anticipate any problems -- -freetype (Markus Koschany) --- ghostscript (Raphaël Hertzog) NOTE: 20170407: Have fixed package for CVE-2016-10219 CVE-2016-10220 and CVE-2017-5951. NOTE: I'm waiting to see if CVE-2016-10317 should be included as well.
[Secure-testing-commits] r50725 - in data: . DLA
Author: apo Date: 2017-04-17 16:33:51 + (Mon, 17 Apr 2017) New Revision: 50725 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-899-1 for feh Modified: data/DLA/list === --- data/DLA/list 2017-04-17 15:13:58 UTC (rev 50724) +++ data/DLA/list 2017-04-17 16:33:51 UTC (rev 50725) @@ -1,3 +1,6 @@ +[17 Apr 2017] DLA-899-1 feh - security update + {CVE-2017-7875} + [wheezy] - feh 2.3-2+deb7u1 [16 Apr 2017] DLA-898-1 libosip2 - security update {CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853} [wheezy] - libosip2 3.6.0-4+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-17 15:13:58 UTC (rev 50724) +++ data/dla-needed.txt 2017-04-17 16:33:51 UTC (rev 50725) @@ -20,8 +20,6 @@ -- chicken -- -feh (Markus Koschany) --- firefox-esr (Emilio Pozuelo) NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is now NOTE: EOL. I have already started to look at ESR 52 to anticipate any problems
[Secure-testing-commits] r50724 - data/CVE
Author: apo Date: 2017-04-17 15:13:58 + (Mon, 17 Apr 2017) New Revision: 50724 Modified: data/CVE/list Log: CVE-2017-7864,freetype: Wheezy is not affected CFF2 support was introduced later (2016-12-15) Modified: data/CVE/list === --- data/CVE/list 2017-04-17 12:03:21 UTC (rev 50723) +++ data/CVE/list 2017-04-17 15:13:58 UTC (rev 50724) @@ -73,6 +73,7 @@ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/2080bc33717955a0e4268e738acf8c1eeddbf8cb CVE-2017-7864 (FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a ...) - freetype (bug #860313) + [wheezy] - freetype (CFF2 support was introduced later) NOTE: Fixed by: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=e6699596af5c5d6f0ae0ea06e19df87dce088df8 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=509 CVE-2017-7863 (FFmpeg before 2017-02-04 has an out-of-bounds write caused by a ...)
[Secure-testing-commits] r50723 - data
Author: jmm Date: 2017-04-17 12:03:21 + (Mon, 17 Apr 2017) New Revision: 50723 Modified: data/dsa-needed.txt Log: take icedove Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-04-17 10:44:19 UTC (rev 50722) +++ data/dsa-needed.txt 2017-04-17 12:03:21 UTC (rev 50723) @@ -21,7 +21,7 @@ -- graphicsmagick -- -icedove +icedove (jmm) -- libav wait until the next 11.9 release
[Secure-testing-commits] r50722 - data
Author: agx Date: 2017-04-17 10:44:19 + (Mon, 17 Apr 2017) New Revision: 50722 Modified: data/dla-needed.txt Log: lts: add note about icedove waiting in NEW Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-04-17 09:23:16 UTC (rev 50721) +++ data/dla-needed.txt 2017-04-17 10:44:19 UTC (rev 50722) @@ -35,6 +35,9 @@ heimdal NOTE: Brian May is the maintainer -- +icedove + NOTE: 45.8 is waiting in NEW but. +-- icu -- imagemagick
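Review bot: the added NOTE under icedove ends with a dangling "but." so the caveat it was meant to carry never made it into the file; complete the sentence (what, besides NEW, blocks the update) or drop the "but" so the next person looking at the entry is not left guessing.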
[Secure-testing-commits] r50721 - data/CVE
Author: carnil Date: 2017-04-17 09:23:16 + (Mon, 17 Apr 2017) New Revision: 50721 Modified: data/CVE/list Log: Add bug reference for CVE-2017-7885, #860460 Modified: data/CVE/list === --- data/CVE/list 2017-04-17 09:11:42 UTC (rev 50720) +++ data/CVE/list 2017-04-17 09:23:16 UTC (rev 50721) @@ -5,7 +5,7 @@ CVE-2017-7886 RESERVED CVE-2017-7885 (Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to ...) - - jbig2dec + - jbig2dec (bug #860460) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697703 CVE-2017-7884 RESERVED
[Secure-testing-commits] r50720 - data/CVE
Author: carnil Date: 2017-04-17 09:11:42 + (Mon, 17 Apr 2017) New Revision: 50720 Modified: data/CVE/list Log: Add CVE-2017-7885/jbig2dec Modified: data/CVE/list === --- data/CVE/list 2017-04-17 09:10:13 UTC (rev 50719) +++ data/CVE/list 2017-04-17 09:11:42 UTC (rev 50720) @@ -5,7 +5,8 @@ CVE-2017-7886 RESERVED CVE-2017-7885 (Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to ...) - TODO: check + - jbig2dec + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697703 CVE-2017-7884 RESERVED CVE-2017-7889 (The mm subsystem in the Linux kernel through 4.10.10 does not properly ...)
[Secure-testing-commits] r50719 - data/CVE
Author: sectracker Date: 2017-04-17 09:10:13 + (Mon, 17 Apr 2017) New Revision: 50719 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-04-17 08:51:47 UTC (rev 50718) +++ data/CVE/list 2017-04-17 09:10:13 UTC (rev 50719) @@ -1,4 +1,14 @@ -CVE-2017-7889 [CONFIG_STRICT_DEVMEM bypass / mm: Tighten x86 /dev/mem with zeroing reads] +CVE-2017-7888 + RESERVED +CVE-2017-7887 + RESERVED +CVE-2017-7886 + RESERVED +CVE-2017-7885 (Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to ...) + TODO: check +CVE-2017-7884 + RESERVED +CVE-2017-7889 (The mm subsystem in the Linux kernel through 4.10.10 does not properly ...) - linux NOTE: Fixed by: https://git.kernel.org/linus/a4866aa812518ed1a37d8ea0c881dc946409de94 (v4.11-rc7) CVE-2017-7883
[Secure-testing-commits] r50718 - data
Author: carnil Date: 2017-04-17 08:51:47 + (Mon, 17 Apr 2017) New Revision: 50718 Modified: data/dsa-needed.txt Log: Remove libical from dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-04-17 08:51:44 UTC (rev 50717) +++ data/dsa-needed.txt 2017-04-17 08:51:47 UTC (rev 50718) @@ -26,8 +26,6 @@ libav wait until the next 11.9 release -- -libical --- libytnef (seb) Jordi Mallach proposed debdiff, needs review and ack --
[Secure-testing-commits] r50717 - data/CVE
Author: carnil Date: 2017-04-17 08:51:44 + (Mon, 17 Apr 2017) New Revision: 50717 Modified: data/CVE/list Log: Mark CVE-2016-9584 and CVE-2016-5824 issues as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-04-17 08:27:51 UTC (rev 50716) +++ data/CVE/list 2017-04-17 08:51:44 UTC (rev 50717) @@ -20257,6 +20257,7 @@ NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5 CVE-2016-9584 (libical allows remote attackers to cause a denial of service ...) - libical (bug #852034) + [jessie] - libical (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/5 NOTE: Upstream ticket: https://github.com/libical/libical/issues/253 CVE-2016-9583 [Out of bounds heap read in jpc_pi_nextpcrl()] @@ -33017,6 +33018,7 @@ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1280832 CVE-2016-5824 (libical 1.0 allows remote attackers to cause a denial of service ...) - libical (bug #860451) + [jessie] - libical (Minor issue) NOTE: Original report: https://github.com/libical/libical/issues/235 NOTE: Reopened at: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 NOTE: Reproducer: https://bugzilla.mozilla.org/attachment.cgi?id=8757553
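Review bot: both added lines read "[jessie] - libical (Minor issue)" with no status keyword between the package name and the comment, while the log says the two issues are being marked no-dsa; as shown, each entry records jessie as unfixed rather than no-dsa, so the no-dsa status keyword should sit before "(Minor issue)" in both hunks (if it was present in the commit and only dropped by the list rendering, nothing to change). The second hunk header "-33017,6 +33018,7" is consistent with the one line added by the first hunk, so the offsets are fine.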
[Secure-testing-commits] r50716 - data/CVE
Author: carnil Date: 2017-04-17 08:27:51 + (Mon, 17 Apr 2017) New Revision: 50716 Modified: data/CVE/list Log: Add bug reference for CVE-2016-5824 Modified: data/CVE/list === --- data/CVE/list 2017-04-17 06:17:36 UTC (rev 50715) +++ data/CVE/list 2017-04-17 08:27:51 UTC (rev 50716) @@ -33016,7 +33016,7 @@ [wheezy] - libical (Low prio according to upstream) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1280832 CVE-2016-5824 (libical 1.0 allows remote attackers to cause a denial of service ...) - - libical + - libical (bug #860451) NOTE: Original report: https://github.com/libical/libical/issues/235 NOTE: Reopened at: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 NOTE: Reproducer: https://bugzilla.mozilla.org/attachment.cgi?id=8757553