[Secure-testing-commits] r52220 - data/CVE
Author: jmm Date: 2017-06-02 07:00:05 + (Fri, 02 Jun 2017) New Revision: 52220 Modified: data/CVE/list Log: new hadoop issue Modified: data/CVE/list === --- data/CVE/list 2017-06-02 06:56:15 UTC (rev 52219) +++ data/CVE/list 2017-06-02 07:00:05 UTC (rev 52220) @@ -4608,6 +4608,7 @@ RESERVED CVE-2017-7669 RESERVED + - hadoop (bug #793644) CVE-2017-7668 RESERVED CVE-2017-7667 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52221 - data/CVE
Author: jmm Date: 2017-06-02 07:46:30 + (Fri, 02 Jun 2017) New Revision: 52221 Modified: data/CVE/list Log: magnum fixed Modified: data/CVE/list === --- data/CVE/list 2017-06-02 07:00:05 UTC (rev 52220) +++ data/CVE/list 2017-06-02 07:46:30 UTC (rev 52221) @@ -32265,7 +32265,7 @@ NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb CVE-2016-7404 [Magnum created instances have full API access to creating user's OpenStack account] RESERVED - - magnum (bug #863547) + - magnum 3.1.1-5 (bug #863547) NOTE: https://git.openstack.org/cgit/openstack/magnum/commit/?id=0bb0d6486d6771ee21bbf897a091b1aa59e01b22 CVE-2016-7403 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52222 - data/CVE
Author: agx Date: 2017-06-02 07:49:42 + (Fri, 02 Jun 2017) New Revision: 5 Modified: data/CVE/list Log: lts: mark autotrace EOL as per https://lists.debian.org/debian-lts/2017/05/msg00124.html Modified: data/CVE/list === --- data/CVE/list 2017-06-02 07:46:30 UTC (rev 52221) +++ data/CVE/list 2017-06-02 07:49:42 UTC (rev 5) @@ -528,104 +528,154 @@ NOTE: https://git.kernel.org/linus/9933e113c2e87a9f46a40fde8dafbf801dca1ab9 CVE-2017-9200 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9199 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9198 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9197 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9196 (libautotrace.a in AutoTrace 0.31.1 has a "negative-size-param" issue in ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9195 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read in ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9194 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read in ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9193 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read in ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9192 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9191 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9190 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9189 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9188 (libautotrace.a in AutoTrace 0.31.1 has a "left shift ... cannot be ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9187 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9186 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9185 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9184 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9183 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in type ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9182 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9181 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9180 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9179 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9178 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9177 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9176 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace + [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9175 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace +
[Secure-testing-commits] r52223 - data
Author: agx Date: 2017-06-02 08:43:28 + (Fri, 02 Jun 2017) New Revision: 52223 Modified: data/dla-needed.txt Log: lts: triage ming Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-02 07:49:42 UTC (rev 5) +++ data/dla-needed.txt 2017-06-02 08:43:28 UTC (rev 52223) @@ -58,6 +58,8 @@ mcollective NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html -- +ming +-- mp3splt NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian NOTE: packages (tested on Stretch, Jessie and Wheezy). It's claimed to ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52224 - data
Author: agx Date: 2017-06-02 08:43:30 + (Fri, 02 Jun 2017) New Revision: 52224 Modified: data/dla-needed.txt Log: lts: triage yodl Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-02 08:43:28 UTC (rev 52223) +++ data/dla-needed.txt 2017-06-02 08:43:30 UTC (rev 52224) @@ -123,6 +123,8 @@ yaml-cpp NOTE: fix sent upstream, waiting for review -- +yodl +-- zoneminder NOTE: Sql injection and session fixation vulerability fixes: NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1764/files ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52225 - data
Author: lamby Date: 2017-06-02 08:45:36 + (Fri, 02 Jun 2017) New Revision: 52225 Modified: data/dla-needed.txt Log: Claim yodl in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-02 08:43:30 UTC (rev 52224) +++ data/dla-needed.txt 2017-06-02 08:45:36 UTC (rev 52225) @@ -123,7 +123,7 @@ yaml-cpp NOTE: fix sent upstream, waiting for review -- -yodl +yodl (Chris Lamb) -- zoneminder NOTE: Sql injection and session fixation vulerability fixes: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52226 - data/CVE
Author: sectracker
Date: 2017-06-02 09:10:13 + (Fri, 02 Jun 2017)
New Revision: 52226
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-06-02 08:45:36 UTC (rev 52225)
+++ data/CVE/list 2017-06-02 09:10:13 UTC (rev 52226)
@@ -1,36 +1,54 @@
-CVE-2017-9358 [AST-2017-004: Memory exhaustion on short SCCP packets]
+CVE-2017-9366 (Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site
Scripting (XSS) ...)
+ TODO: check
+CVE-2017-9365 (CSRF exists in BigTree CMS through 4.2.18 with the force
parameter to ...)
+ TODO: check
+CVE-2017-9364 (Unrestricted File Upload exists in BigTree CMS through 4.2.18:
if an ...)
+ TODO: check
+CVE-2017-9363 (Untrusted Java serialization in Soffid IAM console before 1.7.5
allows ...)
+ TODO: check
+CVE-2017-9362
+ RESERVED
+CVE-2017-9361 (WebsiteBaker v2.10.0 has a stored XSS vulnerability in ...)
+ TODO: check
+CVE-2017-9360 (WebsiteBaker v2.10.0 has a SQL injection vulnerability in ...)
+ TODO: check
+CVE-2017-9357
+ RESERVED
+CVE-2017-9356
+ RESERVED
+CVE-2017-9358 (A memory exhaustion vulnerability exists in Asterisk Open
Source 13.x ...)
- asterisk (bug #863906)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt
-CVE-2017-9359 [AST-2017-003: Crash in PJSIP multi-part body parser]
+CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open
Source ...)
- pjproject (bug #863902)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939
CVE-2017-9355
RESERVED
-CVE-2017-9354
- RESERVED
-CVE-2017-9353
- RESERVED
-CVE-2017-9352
- RESERVED
-CVE-2017-9351
- RESERVED
-CVE-2017-9350
- RESERVED
-CVE-2017-9349
- RESERVED
-CVE-2017-9348
- RESERVED
-CVE-2017-9347
- RESERVED
-CVE-2017-9346
- RESERVED
-CVE-2017-9345
- RESERVED
-CVE-2017-9344
- RESERVED
-CVE-2017-9343
- RESERVED
+CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP
dissector ...)
+ TODO: check
+CVE-2017-9353 (In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash.
This was ...)
+ TODO: check
+CVE-2017-9352 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar
dissector ...)
+ TODO: check
+CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP
dissector ...)
+ TODO: check
+CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY
...)
+ TODO: check
+CVE-2017-9349 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM
dissector ...)
+ TODO: check
+CVE-2017-9348 (In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past
the end ...)
+ TODO: check
+CVE-2017-9347 (In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with
a NULL ...)
+ TODO: check
+CVE-2017-9346 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek
dissector ...)
+ TODO: check
+CVE-2017-9345 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS
dissector ...)
+ TODO: check
+CVE-2017-9344 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth
L2CAP ...)
+ TODO: check
+CVE-2017-9343 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP
dissector ...)
+ TODO: check
CVE-2017-9342
RESERVED
CVE-2017-9341
@@ -408,6 +426,7 @@
CVE-2017-9243 (Aries QWR-1104 Wireless-N Router with Firmware Version
WRC.253.2.0913 ...)
NOT-FOR-US: Aries QWR-1104 Wireless-N Router
CVE-2015-9059 (picocom before 2.0 has a command injection vulnerability in the
'send ...)
+ {DLA-974-1}
- picocom (bug #863671)
NOTE:
https://github.com/npat-efault/picocom/commit/1ebc60b20fbe9a02436d5cbbf8951714e749ddb1
CVE-2017-9242 (The __ip6_append_data function in net/ipv6/ip6_output.c in the
Linux ...)
@@ -46308,7 +46327,7 @@
NOTE: PHP bug: https://bugs.php.net/bug.php?id=71912
NOTE: HHVM fix:
https://github.com/facebook/hhvm/commit/29a6487d648d1593e1e2fa615d9b3a844756ddc3
CVE-2016-3073
- RESERVED
+ REJECTED
CVE-2016-3072 (Multiple SQL injection vulnerabilities in the scoped_search
function ...)
NOT-FOR-US: Katello
CVE-2016-3071 (Libreswan 3.16 might allow remote attackers to cause a denial
of ...)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52227 - data/CVE
Author: jmm Date: 2017-06-02 09:27:30 + (Fri, 02 Jun 2017) New Revision: 52227 Modified: data/CVE/list Log: new wireshark issues Modified: data/CVE/list === --- data/CVE/list 2017-06-02 09:10:13 UTC (rev 52226) +++ data/CVE/list 2017-06-02 09:27:30 UTC (rev 52227) @@ -26,29 +26,60 @@ CVE-2017-9355 RESERVED CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646 CVE-2017-9353 (In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was ...) - TODO: check + - wireshark + [jessie] - wireshark (Only affects 2.2.x) + [wheezy] - wireshark (Only affects 2.2.x) + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-33.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13675 CVE-2017-9352 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-22.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13599 CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-24.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13628 + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13609 CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13649 CVE-2017-9349 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-27.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13685 CVE-2017-9348 (In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end ...) - TODO: check + - wireshark + [jessie] - wireshark (Only affects 2.2.x) + [wheezy] - wireshark (Only affects 2.2.x) + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-23.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13608 CVE-2017-9347 (In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL ...) - TODO: check + - wireshark + [jessie] - wireshark (Only affects 2.2.x) + [wheezy] - wireshark (Only affects 2.2.x) + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-31.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637 CVE-2017-9346 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissector ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-25.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13631 CVE-2017-9345 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-26.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13633 CVE-2017-9344 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-29.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13701 CVE-2017-9343 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector ...) - TODO: check + - wireshark + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-30.html + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13725 CVE-2017-9342 RESERVED CVE-2017-9341 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52228 - data/CVE
Author: agx Date: 2017-06-02 10:10:14 + (Fri, 02 Jun 2017) New Revision: 52228 Modified: data/CVE/list Log: lts: mark kfreebsd-* as end-of-life in wheezy Modified: data/CVE/list === --- data/CVE/list 2017-06-02 09:27:30 UTC (rev 52227) +++ data/CVE/list 2017-06-02 10:10:14 UTC (rev 52228) @@ -88633,6 +88633,8 @@ - kfreebsd-8 - kfreebsd-9 - kfreebsd-10 (bug #778367) + [wheezy] - kfreebsd-8 (Not supported in wheezy LTS) + [wheezy] - kfreebsd-9 (Not supported in wheezy LTS) CVE-2014-7249 (Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, ...) NOT-FOR-US: Allied Telesis CVE-2014-7248 (Cross-site scripting (XSS) vulnerability in IPA iLogScanner 4.0 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52229 - data/CVE
Author: agx Date: 2017-06-02 10:10:26 + (Fri, 02 Jun 2017) New Revision: 52229 Modified: data/CVE/list Log: lts: mark asterisk as unaffected by CVE-2017-9358 the while(1) loop is not there and chan_skinny.c:read_input checks that data was returned after both read() calls so it breaks out of the for (;;) loop in case of EOF. Modified: data/CVE/list === --- data/CVE/list 2017-06-02 10:10:14 UTC (rev 52228) +++ data/CVE/list 2017-06-02 10:10:26 UTC (rev 52229) @@ -18,6 +18,7 @@ RESERVED CVE-2017-9358 (A memory exhaustion vulnerability exists in Asterisk Open Source 13.x ...) - asterisk (bug #863906) + [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open Source ...) - pjproject (bug #863902) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52230 - data/CVE
Author: carnil Date: 2017-06-02 10:16:46 + (Fri, 02 Jun 2017) New Revision: 52230 Modified: data/CVE/list Log: CVE-2014-7250: Sort entries Modified: data/CVE/list === --- data/CVE/list 2017-06-02 10:10:26 UTC (rev 52229) +++ data/CVE/list 2017-06-02 10:16:46 UTC (rev 52230) @@ -88632,10 +88632,10 @@ NOT-FOR-US: Yokogawa CVE-2014-7250 (The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly ...) - kfreebsd-8 + [wheezy] - kfreebsd-8 (Not supported in wheezy LTS) - kfreebsd-9 + [wheezy] - kfreebsd-9 (Not supported in wheezy LTS) - kfreebsd-10 (bug #778367) - [wheezy] - kfreebsd-8 (Not supported in wheezy LTS) - [wheezy] - kfreebsd-9 (Not supported in wheezy LTS) CVE-2014-7249 (Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, ...) NOT-FOR-US: Allied Telesis CVE-2014-7248 (Cross-site scripting (XSS) vulnerability in IPA iLogScanner 4.0 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52231 - data/CVE
Author: carnil Date: 2017-06-02 10:45:08 + (Fri, 02 Jun 2017) New Revision: 52231 Modified: data/CVE/list Log: pjproject issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-06-02 10:16:46 UTC (rev 52230) +++ data/CVE/list 2017-06-02 10:45:08 UTC (rev 52231) @@ -21,9 +21,12 @@ [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open Source ...) - - pjproject (bug #863902) + - pjproject 2.5.5~dfsg-6 (bug #863902) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939 +CVE-2017- [AST-2017-002: Buffer Overrun in PJSIP transaction layer] + - pjproject 2.5.5~dfsg-6 (bug #863901) + NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt CVE-2017-9355 RESERVED CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52232 - data/CVE
Author: carnil
Date: 2017-06-02 11:26:40 + (Fri, 02 Jun 2017)
New Revision: 52232
Modified:
data/CVE/list
Log:
Process NFUs
Modified: data/CVE/list
===
--- data/CVE/list 2017-06-02 10:45:08 UTC (rev 52231)
+++ data/CVE/list 2017-06-02 11:26:40 UTC (rev 52232)
@@ -1,17 +1,17 @@
CVE-2017-9366 (Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site
Scripting (XSS) ...)
- TODO: check
+ NOT-FOR-US: Telaxus EPESI
CVE-2017-9365 (CSRF exists in BigTree CMS through 4.2.18 with the force
parameter to ...)
- TODO: check
+ NOT-FOR-US: BigTree CMS
CVE-2017-9364 (Unrestricted File Upload exists in BigTree CMS through 4.2.18:
if an ...)
- TODO: check
+ NOT-FOR-US: BigTree CMS
CVE-2017-9363 (Untrusted Java serialization in Soffid IAM console before 1.7.5
allows ...)
- TODO: check
+ NOT-FOR-US: Soffid IAM console
CVE-2017-9362
RESERVED
CVE-2017-9361 (WebsiteBaker v2.10.0 has a stored XSS vulnerability in ...)
- TODO: check
+ NOT-FOR-US: WebsiteBaker
CVE-2017-9360 (WebsiteBaker v2.10.0 has a SQL injection vulnerability in ...)
- TODO: check
+ NOT-FOR-US: WebsiteBaker
CVE-2017-9357
RESERVED
CVE-2017-9356
@@ -5600,7 +5600,7 @@
CVE-2017-7385
RESERVED
CVE-2017-7384 (Cross-site scripting (XSS) vulnerability in FlipBuilder Flip
PDF ...)
- TODO: check
+ NOT-FOR-US: FlipBuilder Flip PDF
CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows
remote ...)
{DLA-968-1}
- libpodofo 0.9.4-6 (bug #859329)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52233 - data/CVE
Author: carnil Date: 2017-06-02 12:20:44 + (Fri, 02 Jun 2017) New Revision: 52233 Modified: data/CVE/list Log: CVE-2017-9372/pjproject, #863901 Modified: data/CVE/list === --- data/CVE/list 2017-06-02 11:26:40 UTC (rev 52232) +++ data/CVE/list 2017-06-02 12:20:44 UTC (rev 52233) @@ -24,7 +24,7 @@ - pjproject 2.5.5~dfsg-6 (bug #863902) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939 -CVE-2017- [AST-2017-002: Buffer Overrun in PJSIP transaction layer] +CVE-2017-9372 [AST-2017-002: Buffer Overrun in PJSIP transaction layer] - pjproject 2.5.5~dfsg-6 (bug #863901) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt CVE-2017-9355 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52234 - in data: . DLA
Author: apo
Date: 2017-06-02 12:32:25 + (Fri, 02 Jun 2017)
New Revision: 52234
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-975-1 for wordpress
Modified: data/DLA/list
===
--- data/DLA/list 2017-06-02 12:20:44 UTC (rev 52233)
+++ data/DLA/list 2017-06-02 12:32:25 UTC (rev 52234)
@@ -1,3 +1,6 @@
+[02 Jun 2017] DLA-975-1 wordpress - security update
+ {CVE-2017-8295 CVE-2017-9061 CVE-2017-9062 CVE-2017-9063 CVE-2017-9064
CVE-2017-9065}
+ [wheezy] - wordpress 3.6.1+dfsg-1~deb7u15
[01 Jun 2017] DLA-974-1 picocom - security update
{CVE-2015-9059}
[wheezy] - picocom 1.7-1+deb7u1
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-06-02 12:20:44 UTC (rev 52233)
+++ data/dla-needed.txt 2017-06-02 12:32:25 UTC (rev 52234)
@@ -112,8 +112,6 @@
wireshark
NOTE: maintainer *may* take care of this, as previously
--
-wordpress (Markus Koschany)
---
xbmc
NOTE: Reproduced: https://lists.debian.org/debian-lts/2017/04/msg00025.html
NOTE: no upstream fix, may require refactoring
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52235 - data
Author: agx Date: 2017-06-02 13:35:03 + (Fri, 02 Jun 2017) New Revision: 52235 Modified: data/dla-needed.txt Log: lts: add link to ming d-s-s bug Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-02 12:32:25 UTC (rev 52234) +++ data/dla-needed.txt 2017-06-02 13:35:03 UTC (rev 52235) @@ -59,6 +59,7 @@ NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html -- ming + NOTE: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851275 -- mp3splt NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52236 - data/CVE
Author: carnil Date: 2017-06-02 18:23:43 + (Fri, 02 Jun 2017) New Revision: 52236 Modified: data/CVE/list Log: Add CVE-2017-9358/asterisk fixed version for unstable Modified: data/CVE/list === --- data/CVE/list 2017-06-02 13:35:03 UTC (rev 52235) +++ data/CVE/list 2017-06-02 18:23:43 UTC (rev 52236) @@ -17,7 +17,7 @@ CVE-2017-9356 RESERVED CVE-2017-9358 (A memory exhaustion vulnerability exists in Asterisk Open Source 13.x ...) - - asterisk (bug #863906) + - asterisk 1:13.14.1~dfsg-2 (bug #863906) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open Source ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52237 - data/CVE
Author: carnil
Date: 2017-06-02 18:58:06 + (Fri, 02 Jun 2017)
New Revision: 52237
Modified:
data/CVE/list
Log:
Add followup issue in sudo
Modified: data/CVE/list
===
--- data/CVE/list 2017-06-02 18:23:43 UTC (rev 52236)
+++ data/CVE/list 2017-06-02 18:58:06 UTC (rev 52237)
@@ -299,6 +299,10 @@
RESERVED
CVE-2014-9971
RESERVED
+CVE-2017- [Incomplete fix for CVE-2017-1000367; Arbitrary terminal access]
+ - sudo (bug #863897)
+ NOTE: http://www.openwall.com/lists/oss-security/2017/06/02/7
+ NOTE: https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd
CVE-2017-1000367 [Potential overwrite of arbitrary files]
{DSA-3867-1 DLA-970-1}
- sudo 1.8.20p1-1 (bug #863731)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52238 - data/CVE
Author: sectracker
Date: 2017-06-02 21:10:14 + (Fri, 02 Jun 2017)
New Revision: 52238
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-06-02 18:58:06 UTC (rev 52237)
+++ data/CVE/list 2017-06-02 21:10:14 UTC (rev 52238)
@@ -1,3 +1,93 @@
+CVE-2017-9412
+ RESERVED
+CVE-2017-9411
+ RESERVED
+CVE-2017-9410
+ RESERVED
+CVE-2017-9409 (In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c
allows ...)
+ TODO: check
+CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the
...)
+ TODO: check
+CVE-2017-9407 (In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c
allows ...)
+ TODO: check
+CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the
...)
+ TODO: check
+CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in
icon.c:452 allows ...)
+ TODO: check
+CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the
function ...)
+ TODO: check
+CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the
function ...)
+ TODO: check
+CVE-2017-9402
+ RESERVED
+CVE-2017-9401
+ RESERVED
+CVE-2017-9400
+ RESERVED
+CVE-2017-9399
+ RESERVED
+CVE-2017-9398
+ RESERVED
+CVE-2017-9397
+ RESERVED
+CVE-2017-9396
+ RESERVED
+CVE-2017-9395
+ RESERVED
+CVE-2017-9394
+ RESERVED
+CVE-2017-9393
+ RESERVED
+CVE-2017-9392
+ RESERVED
+CVE-2017-9391
+ RESERVED
+CVE-2017-9390
+ RESERVED
+CVE-2017-9389
+ RESERVED
+CVE-2017-9388
+ RESERVED
+CVE-2017-9387
+ RESERVED
+CVE-2017-9386
+ RESERVED
+CVE-2017-9385
+ RESERVED
+CVE-2017-9384
+ RESERVED
+CVE-2017-9383
+ RESERVED
+CVE-2017-9382
+ RESERVED
+CVE-2017-9381
+ RESERVED
+CVE-2017-9380 (OpenEMR 5.0.0 and prior allows low-privilege users to upload
files of ...)
+ TODO: check
+CVE-2017-9379 (Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the
clear ...)
+ TODO: check
+CVE-2017-9378 (BigTree CMS through 4.2.18 does not prevent a user from
deleting their ...)
+ TODO: check
+CVE-2017-9377
+ RESERVED
+CVE-2017-9376
+ RESERVED
+CVE-2017-9375
+ RESERVED
+CVE-2017-9374
+ RESERVED
+CVE-2017-9373
+ RESERVED
+CVE-2017-9371
+ RESERVED
+CVE-2017-9370
+ RESERVED
+CVE-2017-9369
+ RESERVED
+CVE-2017-9368
+ RESERVED
+CVE-2017-9367
+ RESERVED
CVE-2017-9366 (Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site
Scripting (XSS) ...)
NOT-FOR-US: Telaxus EPESI
CVE-2017-9365 (CSRF exists in BigTree CMS through 4.2.18 with the force
parameter to ...)
@@ -24,7 +114,7 @@
- pjproject 2.5.5~dfsg-6 (bug #863902)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939
-CVE-2017-9372 [AST-2017-002: Buffer Overrun in PJSIP transaction layer]
+CVE-2017-9372 (PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and
14.x ...)
- pjproject 2.5.5~dfsg-6 (bug #863901)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt
CVE-2017-9355
@@ -1139,27 +1229,27 @@
NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/
NOTE:
https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
CVE-2017-9065 (In WordPress before 4.7.5, there is a lack of capability checks
for ...)
- {DSA-3870-1}
+ {DSA-3870-1 DLA-975-1}
- wordpress 4.7.5+dfsg-1 (bug #862816)
NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/
NOTE:
https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
CVE-2017-9064 (In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF)
...)
- {DSA-3870-1}
+ {DSA-3870-1 DLA-975-1}
- wordpress 4.7.5+dfsg-1 (bug #862816)
NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/
NOTE:
https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
CVE-2017-9063 (In WordPress before 4.7.5, a cross-site scripting (XSS)
vulnerability ...)
- {DSA-3870-1}
+ {DSA-3870-1 DLA-975-1}
- wordpress 4.7.5+dfsg-1 (bug #862816)
NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/
NOTE:
https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
CVE-2017-9062 (In WordPress before 4.7.5, there is improper handling of post
meta data ...)
- {DSA-3870-1}
+ {DSA-3870-1 DLA-975-1}
- wordpress 4.7.5+dfsg-1 (bug #862816)
NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/
NOTE:
https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
CVE-2017-9061 (In WordPress before 4.7.5, a cross-s
[Secure-testing-commits] r52239 - data/CVE
Author: fgeek-guest Date: 2017-06-02 21:52:15 + (Fri, 02 Jun 2017) New Revision: 52239 Modified: data/CVE/list Log: CVE-2017-9403, CVE-2017-9404 Modified: data/CVE/list === --- data/CVE/list 2017-06-02 21:10:14 UTC (rev 52238) +++ data/CVE/list 2017-06-02 21:52:15 UTC (rev 52239) @@ -15,8 +15,14 @@ CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows ...) TODO: check CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...) + - tiff + - tiff3 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688 TODO: check CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...) + - tiff + - tiff3 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2689 TODO: check CVE-2017-9402 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52240 - data/CVE
Author: gcs
Date: 2017-06-02 22:05:50 + (Fri, 02 Jun 2017)
New Revision: 52240
Modified:
data/CVE/list
Log:
Add CVE-2017-940{3,4}/tiff fixed version
Modified: data/CVE/list
===
--- data/CVE/list 2017-06-02 21:52:15 UTC (rev 52239)
+++ data/CVE/list 2017-06-02 22:05:50 UTC (rev 52240)
@@ -15,12 +15,12 @@
CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in
icon.c:452 allows ...)
TODO: check
CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the
function ...)
- - tiff
+ - tiff 4.0.8-1
- tiff3
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688
TODO: check
CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the
function ...)
- - tiff
+ - tiff 4.0.8-1
- tiff3
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2689
TODO: check
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52242 - data/CVE
Author: carnil Date: 2017-06-03 03:13:28 + (Sat, 03 Jun 2017) New Revision: 52242 Modified: data/CVE/list Log: Add CVE-2017-9408/poppler Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:13:08 UTC (rev 52241) +++ data/CVE/list 2017-06-03 03:13:28 UTC (rev 52242) @@ -8,7 +8,9 @@ - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/458 CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...) - TODO: check + - poppler + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100776 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c CVE-2017-9407 (In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows ...) TODO: check CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52241 - data/CVE
Author: carnil Date: 2017-06-03 03:13:08 + (Sat, 03 Jun 2017) New Revision: 52241 Modified: data/CVE/list Log: Add CVE-2017-9409/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-06-02 22:05:50 UTC (rev 52240) +++ data/CVE/list 2017-06-03 03:13:08 UTC (rev 52241) @@ -5,7 +5,8 @@ CVE-2017-9410 RESERVED CVE-2017-9409 (In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/458 CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...) TODO: check CVE-2017-9407 (In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52243 - data/CVE
Author: carnil Date: 2017-06-03 03:13:39 + (Sat, 03 Jun 2017) New Revision: 52243 Modified: data/CVE/list Log: Add CVE-2017-9407/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:13:28 UTC (rev 52242) +++ data/CVE/list 2017-06-03 03:13:39 UTC (rev 52243) @@ -12,7 +12,8 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100776 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c CVE-2017-9407 (In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/459 CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...) TODO: check CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52244 - data/CVE
Author: carnil Date: 2017-06-03 03:13:49 + (Sat, 03 Jun 2017) New Revision: 52244 Modified: data/CVE/list Log: Add CVE-2017-9406/poppler Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:13:39 UTC (rev 52243) +++ data/CVE/list 2017-06-03 03:13:49 UTC (rev 52244) @@ -15,7 +15,9 @@ - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/459 CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...) - TODO: check + - poppler + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100775 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=278439531b13b0b047dbe3a75aa3f1b3407c8bd4 CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows ...) TODO: check CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52245 - data/CVE
Author: carnil
Date: 2017-06-03 03:14:00 + (Sat, 03 Jun 2017)
New Revision: 52245
Modified:
data/CVE/list
Log:
Add fixing version for CVE-2015-9059/picocom
Modified: data/CVE/list
===
--- data/CVE/list 2017-06-03 03:13:49 UTC (rev 52244)
+++ data/CVE/list 2017-06-03 03:14:00 UTC (rev 52245)
@@ -568,7 +568,7 @@
NOT-FOR-US: Aries QWR-1104 Wireless-N Router
CVE-2015-9059 (picocom before 2.0 has a command injection vulnerability in the
'send ...)
{DLA-974-1}
- - picocom (bug #863671)
+ - picocom 1.7-2 (bug #863671)
NOTE:
https://github.com/npat-efault/picocom/commit/1ebc60b20fbe9a02436d5cbbf8951714e749ddb1
CVE-2017-9242 (The __ip6_append_data function in net/ipv6/ip6_output.c in the
Linux ...)
- linux
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52247 - data/CVE
Author: carnil Date: 2017-06-03 03:22:03 + (Sat, 03 Jun 2017) New Revision: 52247 Modified: data/CVE/list Log: Add CVE-2017-9405/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:21:53 UTC (rev 52246) +++ data/CVE/list 2017-06-03 03:22:03 UTC (rev 52247) @@ -19,7 +19,8 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100775 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=278439531b13b0b047dbe3a75aa3f1b3407c8bd4 CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/457 CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...) - tiff 4.0.8-1 - tiff3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52248 - data/CVE
Author: carnil Date: 2017-06-03 03:22:13 + (Sat, 03 Jun 2017) New Revision: 52248 Modified: data/CVE/list Log: Add note for CVE-2017-9404 Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:22:03 UTC (rev 52247) +++ data/CVE/list 2017-06-03 03:22:13 UTC (rev 52248) @@ -25,7 +25,7 @@ - tiff 4.0.8-1 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688 - TODO: check + TODO: check, possibly fixed with the 2017-04-27 commit to libtiff/tif_ojpeg.c CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...) - tiff 4.0.8-1 - tiff3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52249 - data/CVE
Author: carnil Date: 2017-06-03 03:22:24 + (Sat, 03 Jun 2017) New Revision: 52249 Modified: data/CVE/list Log: Add fix reference for CVE-2017-9403/tiff Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:22:13 UTC (rev 52248) +++ data/CVE/list 2017-06-03 03:22:24 UTC (rev 52249) @@ -30,7 +30,7 @@ - tiff 4.0.8-1 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2689 - TODO: check + NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fb3dc46a2fcf6197ff3b93fc76f0c37fddc0333b CVE-2017-9402 RESERVED CVE-2017-9401 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52246 - data/CVE
Author: carnil Date: 2017-06-03 03:21:53 + (Sat, 03 Jun 2017) New Revision: 52246 Modified: data/CVE/list Log: Add bug reference for CVE-2017-9408 Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:14:00 UTC (rev 52245) +++ data/CVE/list 2017-06-03 03:21:53 UTC (rev 52246) @@ -8,7 +8,7 @@ - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/458 CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...) - - poppler + - poppler (bug #864009) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100776 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c CVE-2017-9407 (In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52250 - data/CVE
Author: carnil Date: 2017-06-03 03:23:09 + (Sat, 03 Jun 2017) New Revision: 52250 Modified: data/CVE/list Log: Add bug reference for CVE-2017-9406 Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:22:24 UTC (rev 52249) +++ data/CVE/list 2017-06-03 03:23:09 UTC (rev 52250) @@ -15,7 +15,7 @@ - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/459 CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...) - - poppler + - poppler (bug #864010) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100775 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=278439531b13b0b047dbe3a75aa3f1b3407c8bd4 CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52251 - data/CVE
Author: carnil Date: 2017-06-03 04:21:15 + (Sat, 03 Jun 2017) New Revision: 52251 Modified: data/CVE/list Log: Add more or less extensive note for CVE-2017-9404 Note for reviewers, remove the TODO if you agree with the NOTE analysis (which might be reduced to not clutter the security tracker). Modified: data/CVE/list === --- data/CVE/list 2017-06-03 03:23:09 UTC (rev 52250) +++ data/CVE/list 2017-06-03 04:21:15 UTC (rev 52251) @@ -25,7 +25,18 @@ - tiff 4.0.8-1 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688 - TODO: check, possibly fixed with the 2017-04-27 commit to libtiff/tif_ojpeg.c + NOTE: Fixed by: https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b + NOTE: Possibly sensible to add the other memory leaks fixes in OJPEGReadHeaderInfoSecTables + NOTE: method from tif_ojpeg.c, i.e.: + NOTE: https://github.com/vadz/libtiff/commit/e9bd1b06fe25219cf0873fca70e46f01843fd9f4 + NOTE: https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1 + NOTE: Reproducing the issue itself is "covered" after fixing https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 + NOTE: To verify 2ea32f7372b65c24b2816f11c04bf59b5090d05b fixes the issue build src:tiff + NOTE: with ASAN with 5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 reverted. Before the + NOTE: 2ea32f7372b65c24b2816f11c04bf59b5090d05b commit the Direct leak of 73 byte + NOTE: with backtrace following the methods in http://bugzilla.maptools.org/show_bug.cgi?id=2688 + NOTE: is shown. + TODO: check, not able to reproducing the issue does not necessarly mean the issue is fixed, but the 'direct leak' via OJPEGReadHeaderInfoSecTables should be fixed by the three commits at latest in 4.0.8. CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...) - tiff 4.0.8-1 - tiff3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52252 - data/CVE
Author: carnil Date: 2017-06-03 06:11:48 + (Sat, 03 Jun 2017) New Revision: 52252 Modified: data/CVE/list Log: Mark CVE-2017-4971 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-06-03 04:21:15 UTC (rev 52251) +++ data/CVE/list 2017-06-03 06:11:48 UTC (rev 52252) @@ -13517,6 +13517,7 @@ RESERVED CVE-2017-4971 RESERVED + NOT-FOR-US: Spring Web Flow CVE-2017-4970 RESERVED CVE-2017-4969 (The Cloud Controller in Cloud Foundry cf-release versions prior to v255 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52253 - data
Author: carnil Date: 2017-06-03 06:29:08 + (Sat, 03 Jun 2017) New Revision: 52253 Modified: data/dsa-needed.txt Log: Take sudo from dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-06-03 06:11:48 UTC (rev 52252) +++ data/dsa-needed.txt 2017-06-03 06:29:08 UTC (rev 52253) @@ -31,6 +31,8 @@ qemu Maintainer asked to prepare updates -- +sudo (carnil) +-- tiff wait until more issues have piled up -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
