[Secure-testing-commits] r52970 - data/CVE
Author: carnil Date: 2017-06-28 05:04:50 + (Wed, 28 Jun 2017) New Revision: 52970 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-06-28 05:04:28 UTC (rev 52969) +++ data/CVE/list 2017-06-28 05:04:50 UTC (rev 52970) @@ -12027,11 +12027,11 @@ CVE-2017-6327 RESERVED CVE-2017-6326 (The Symantec Messaging Gateway can encounter an issue of remote code ...) - TODO: check + NOT-FOR-US: Symantec CVE-2017-6325 (The Symantec Messaging Gateway can encounter a file inclusion ...) - TODO: check + NOT-FOR-US: Symantec CVE-2017-6324 (The Symantec Messaging Gateway, when processing a specific email ...) - TODO: check + NOT-FOR-US: Symantec CVE-2017-6323 RESERVED CVE-2017-6322 @@ -19522,7 +19522,7 @@ CVE-2016-9973 (IBM Jazz Foundation is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-9972 (IBM QRadar 7.2 and 7.3 could allow a remote attacker to obtain ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-9971 RESERVED CVE-2016-9970 @@ -22422,11 +22422,11 @@ CVE-2017-2844 RESERVED CVE-2017-2843 (In the web management interface in Foscam C1 Indoor HD Camera running ...) - TODO: check + NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2842 (In the web management interface in Foscam C1 Indoor HD Camera running ...) - TODO: check + NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2841 (An exploitable command injection vulnerability exists in the web ...) - TODO: check + NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2840 RESERVED CVE-2017-2839 @@ -25757,7 +25757,7 @@ CVE-2017-1323 RESERVED CVE-2017-1322 (IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1321 RESERVED CVE-2017-1320 (IBM Tivoli Federated Identity Manager 6.2 is vulnerable to cross-site ...) @@ -25807,7 +25807,7 @@ CVE-2017-1298 REJECTED CVE-2017-1297 (IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1296 RESERVED CVE-2017-1295 
@@ -25933,7 +25933,7 @@ CVE-2017-1235 RESERVED CVE-2017-1234 (IBM QRadar 7.2 and 7.3 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1233 RESERVED CVE-2017-1232 @@ -26192,7 +26192,7 @@ CVE-2017-1106 RESERVED CVE-2017-1105 (IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1104 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1103 (IBM Team Concert (RTC) is vulnerable to a denial of service, caused by ...) @@ -26679,7 +26679,7 @@ CVE-2016-9739 (IBM Security Identity Manager Virtual Appliance stores user ...) NOT-FOR-US: IBM CVE-2016-9738 (IBM QRadar 7.2 and 7.3 does not require that users should have strong ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-9737 (IBM TRIRIGA 3.3, 3.4, and 3.5 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2016-9736 (IBM WebSphere Application Server using malformed SOAP requests could ...) @@ -40354,7 +40354,7 @@ CVE-2016-6084 (IBM BigFix Platform could allow an attacker on the local network to ...) NOT-FOR-US: IBM CVE-2016-6083 (IBM Tivoli Monitoring V6 could allow an unauthenticated user to access ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-6082 (IBM BigFix Platform could allow a remote attacker to execute arbitrary ...) NOT-FOR-US: IBM CVE-2016-6081 @@ -62155,13 +62155,13 @@ CVE-2015-7900 (Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 ...) NOT-FOR-US: Mango Automation CVE-2015-7898 (Samsung Gallery in the Samsung Galaxy S6 allows local users to cause a ...) - TODO: check + NOT-FOR-US: Samsung CVE-2015-7897 (The media scanning functionality in the face recognition library in ...) NOT-FOR-US: Samsung CVE-2015-7896 RESERVED CVE-2015-7895 (Samsung Gallery on the Samsung Galaxy S6 allows local users to cause a ...) - TODO: check + NOT-FOR-US: Samsung CVE-2015-7894 RESERVED CVE-2015-7893 (SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email content, ...) 
@@ -62566,9 +62566,9 @@ CVE-2015-7782 (Cross-site scripting (XSS) vulnerability in Let's PHP! Frame ...) NOT-FOR-US: Let's PHP! CVE-2015-7781 (ManageEngine Firewall Analyzer before 8.0 does not restrict access ...) - TODO: check + NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2015-7780 (Directory traversal vulnerability in ManageEngine Firewall Analyzer ...) - TODO: check + NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2015-7779 REJECTED CVE-2015-7778
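Review bot: the NOT-FOR-US reasons in the Foscam hunk (@@ -22422,11) name a product ("Foscam C1 Indoor HD Camera") while the Symantec, IBM, Samsung and ManageEngine hunks name the vendor; pick one form so a later grep for a vendor finds all of its entries. In that same hunk the truncated description of CVE-2017-2841 ("An exploitable command injection vulnerability exists in the web ...") does not mention Foscam at all, so the attribution rests on the full CVE text rather than on anything visible here; a quick recheck that it concerns the same camera firmware as CVE-2017-2842 and CVE-2017-2843 is cheap.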
[Secure-testing-commits] r52969 - data/CVE
Author: carnil Date: 2017-06-28 05:04:28 + (Wed, 28 Jun 2017) New Revision: 52969 Modified: data/CVE/list Log: Add CVE-2017-7524/tpm2-tools Modified: data/CVE/list === --- data/CVE/list 2017-06-28 05:04:13 UTC (rev 52968) +++ data/CVE/list 2017-06-28 05:04:28 UTC (rev 52969) @@ -8325,7 +8325,8 @@ CVE-2017-7525 RESERVED CVE-2017-7524 (tpm2-tools versions before 1.1.1 are vulnerable to a password leak due ...) - TODO: check + - tpm2-tools + NOTE: https://github.com/01org/tpm2.0-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157 CVE-2017-7523 RESERVED CVE-2017-7522 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
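Review bot: the hunk assigns CVE-2017-7524 to tpm2-tools and links the upstream fix commit, but records no fixed Debian version, no bug number and no [stretch]/[jessie] annotation. The description says "versions before 1.1.1" are affected, so the status of the stable suites is decidable from their package versions and should be written down, and a "(bug #NNNNNN)" reference of the kind other entries on this page carry would give the unstable fix something to be tracked against.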
[Secure-testing-commits] r52967 - data/CVE
Author: carnil Date: 2017-06-28 05:03:56 + (Wed, 28 Jun 2017) New Revision: 52967 Modified: data/CVE/list Log: Add CVE-2017-9841/phpunit Modified: data/CVE/list === --- data/CVE/list 2017-06-28 05:03:42 UTC (rev 52966) +++ data/CVE/list 2017-06-28 05:03:56 UTC (rev 52967) @@ -317,7 +317,9 @@ CVE-2017-9842 RESERVED CVE-2017-9841 (Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 ...) - TODO: check + - phpunit + NOTE: https://github.com/sebastianbergmann/phpunit/pull/1956 + NOTE: https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5 CVE-2017-9840 (Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload ...) - dolibarr CVE-2017-9839 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
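Review bot: CVE-2017-9841 is assigned to phpunit with both the upstream PR and the fix commit, but without a fixed Debian version or suite annotations; the description pins the fixed upstream releases (4.8.28 and 5.6.3), so comparing the packaged versions either yields the fixing version or a [stretch]/[jessie] line. The affected file is Util/PHP/eval-stdin.php, a helper script, which makes it worth a NOTE on whether the Debian package installs that file at all, since that decides whether the issue is reachable on a Debian system.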
[Secure-testing-commits] r52968 - data/CVE
Author: carnil Date: 2017-06-28 05:04:13 + (Wed, 28 Jun 2017) New Revision: 52968 Modified: data/CVE/list Log: Add CVE-2017-9145/tikiwiki, removed Modified: data/CVE/list === --- data/CVE/list 2017-06-28 05:03:56 UTC (rev 52967) +++ data/CVE/list 2017-06-28 05:04:13 UTC (rev 52968) @@ -3724,7 +3724,7 @@ [jessie] - libytnef (Minor issue, can be fixed via a point update) NOTE: https://github.com/Yeraze/ytnef/issues/47 CVE-2017-9145 (TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not ...) - TODO: check + - tikiwiki CVE-2017-9144 (In ImageMagick 7.0.5-5, a crafted RLE image can trigger a crash because ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863126) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52966 - data/CVE
Author: carnil Date: 2017-06-28 05:03:42 + (Wed, 28 Jun 2017) New Revision: 52966 Modified: data/CVE/list Log: Add CVE-2017-9982/teamspeak-client Modified: data/CVE/list === --- data/CVE/list 2017-06-28 04:47:09 UTC (rev 52965) +++ data/CVE/list 2017-06-28 05:03:42 UTC (rev 52966) @@ -1,7 +1,7 @@ CVE-2017-9983 RESERVED CVE-2017-9982 (TeamSpeak Client 3.0.19 allows remote attackers to cause a denial of ...) - TODO: check + - teamspeak-client CVE-2017-9981 RESERVED CVE-2017-9980 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52965 - data/CVE
Author: carnil Date: 2017-06-28 04:47:09 + (Wed, 28 Jun 2017) New Revision: 52965 Modified: data/CVE/list Log: Add new issues in faad2 Modified: data/CVE/list === --- data/CVE/list 2017-06-27 21:10:14 UTC (rev 52964) +++ data/CVE/list 2017-06-28 04:47:09 UTC (rev 52965) @@ -3345,15 +3345,15 @@ CVE-2017-9258 RESERVED CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9256 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9255 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9254 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9253 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2016-10377 (In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch ...) - openvswitch 2.6.1+git20161123-1 [jessie] - openvswitch (Vulnerable code using tot_len introduced later) 
@@ -3473,17 +3473,17 @@ NOTE: https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b NOTE: https://github.com/kkos/oniguruma/issues/57 CVE-2017-9223 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9222 (The mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9221 (The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9220 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9219 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9218 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...) - TODO: check + - faad2 CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a denial ...) [experimental] - systemd 233-8 - systemd 232-24 (bug #863277) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
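Review bot: the eleven faad2 entries across the two hunks (@@ -3345 and @@ -3473) include pairs with identical truncated descriptions: CVE-2017-9254 and CVE-2017-9223 (mp4ff_read_stts), CVE-2017-9256 and CVE-2017-9220 (mp4ff_read_stco), CVE-2017-9255 and CVE-2017-9219 (mp4ff_read_stsc), CVE-2017-9253 and CVE-2017-9218 (mp4ff_read_stsd). A NOTE saying whether these are distinct bugs in the same functions or duplicate assignments would spare the next triager re-reading the full texts, and a single Debian bug covering the whole set (none is referenced) would anchor the fixes. Since every entry points into faad2's common/mp4ff directory, it is also worth checking whether any other source package ships an embedded copy of that code and needs entries of its own.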
[Secure-testing-commits] r52964 - data/CVE
Author: sectracker Date: 2017-06-27 21:10:14 + (Tue, 27 Jun 2017) New Revision: 52964 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-06-27 20:07:31 UTC (rev 52963) +++ data/CVE/list 2017-06-27 21:10:14 UTC (rev 52964) @@ -1,3 +1,7 @@ +CVE-2017-9983 + RESERVED +CVE-2017-9982 (TeamSpeak Client 3.0.19 allows remote attackers to cause a denial of ...) + TODO: check CVE-2017-9981 RESERVED CVE-2017-9980 @@ -312,8 +316,8 @@ RESERVED CVE-2017-9842 RESERVED -CVE-2017-9841 - RESERVED +CVE-2017-9841 (Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 ...) + TODO: check CVE-2017-9840 (Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload ...) - dolibarr CVE-2017-9839 @@ -340,8 +344,8 @@ [jessie] - libmtp (Minor issue; can be fixed in a point release) NOTE: https://sourceforge.net/p/libmtp/mailman/message/35735992/ NOTE: https://sourceforge.net/p/libmtp/code/ci/aa7d91a789873a9d86969028e57f888a1241c085/ -CVE-2017-9830 - RESERVED +CVE-2017-9830 (Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the ...) + TODO: check CVE-2017-9829 ('/cgi-bin/admin/downloadMedias.cgi' of the web service in most of the ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2017-9828 ('/cgi-bin/admin/testserver.cgi' of the web service in most of the ...) 
@@ -3340,16 +3344,16 @@ RESERVED CVE-2017-9258 RESERVED -CVE-2017-9257 - RESERVED -CVE-2017-9256 - RESERVED -CVE-2017-9255 - RESERVED -CVE-2017-9254 - RESERVED -CVE-2017-9253 - RESERVED +CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9256 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9255 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9254 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9253 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check CVE-2016-10377 (In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch ...) - openvswitch 2.6.1+git20161123-1 [jessie] - openvswitch (Vulnerable code using tot_len introduced later) 
@@ -3468,18 +3472,18 @@ [jessie] - libonig (Minor issue) NOTE: https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b NOTE: https://github.com/kkos/oniguruma/issues/57 -CVE-2017-9223 - RESERVED -CVE-2017-9222 - RESERVED -CVE-2017-9221 - RESERVED -CVE-2017-9220 - RESERVED -CVE-2017-9219 - RESERVED -CVE-2017-9218 - RESERVED +CVE-2017-9223 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9222 (The mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware ...) + TODO: check +CVE-2017-9221 (The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9220 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9219 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check +CVE-2017-9218 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...) + TODO: check CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a denial ...) [experimental] - systemd 233-8 - systemd 232-24 (bug #863277) @@ -8318,12 +8322,11 @@ RESERVED CVE-2017-7525 RESERVED -CVE-2017-7524 - RESERVED +CVE-2017-7524 (tpm2-tools versions before 1.1.1 are vulnerable to a password leak due ...) + TODO: check CVE-2017-7523 RESERVED -CVE-2017-7522 [Crash mbed TLS/PolarSSL-based server] - RESERVED +CVE-2017-7522 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to ...) - openvpn 2.4.3-1 (unimportant) [jessie] - openvpn (x509-track implemented in 2.4.0) [wheezy] - openvpn (x509-track implemented in 2.4.0) 
@@ -8332,8 +8335,8 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6 NOTE: In Debian openvpn is compiled against OpenSSL, thus even affected NOTE: code present. -CVE-2017-7521 [Potential double-free in --x509-alt-username and memory leaks] - RESERVED +CVE-2017-7521 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to ...) + {DSA-3900-1} - openvpn 2.4.3-1 (bug #865480) NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d NOTE: Fixed by (master):
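Review bot: in the @@ -8318 and @@ -8332 hunks the automatic update replaces the hand-written titles for CVE-2017-7522 ("Crash mbed TLS/PolarSSL-based server") and CVE-2017-7521 ("Potential double-free in --x509-alt-username and memory leaks") with the official descriptions, which are truncated here to "OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to ..." and no longer distinguish the two issues at a glance. The mbed TLS detail is what justifies the existing "(unimportant)" rating and the NOTE about Debian building openvpn against OpenSSL; preserving it as a NOTE line would keep that reasoning readable after the title is gone.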
[Secure-testing-commits] r52963 - data/CVE
Author: carnil Date: 2017-06-27 20:07:31 + (Tue, 27 Jun 2017) New Revision: 52963 Modified: data/CVE/list Log: Add source package name for CVE-2017-9953 Modified: data/CVE/list === --- data/CVE/list 2017-06-27 19:58:04 UTC (rev 52962) +++ data/CVE/list 2017-06-27 20:07:31 UTC (rev 52963) @@ -61,6 +61,8 @@ [jessie] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21670 CVE-2017-9953 (There is an invalid free in Image::printIFDStructure that leads to a ...) + - exiv2 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465061 TODO: check CVE-2017-9952 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
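Review bot: the hunk adds "- exiv2" and the Red Hat bugzilla link for CVE-2017-9953 but leaves the "TODO: check" line in place below them, so the entry is both assigned and still flagged for triage. The other assignments in this series replace the TODO line; if something remains open here (fixed version, stretch/jessie status), say what it is in the TODO, otherwise drop it.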
[Secure-testing-commits] r52962 - in data: CVE DSA
Author: seb Date: 2017-06-27 19:58:04 + (Tue, 27 Jun 2017) New Revision: 52962 Modified: data/CVE/list data/DSA/list Log: Record that CVE-2017-7479 was already fixed in stretch outside of DSA-3900-1 Modified: data/CVE/list === --- data/CVE/list 2017-06-27 19:54:02 UTC (rev 52961) +++ data/CVE/list 2017-06-27 19:58:04 UTC (rev 52962) @@ -8512,6 +8512,7 @@ CVE-2017-7479 (OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to ...) {DLA-944-1} - openvpn 2.4.0-5 (low) + [jessie] - openvpn 2.3.4-5+deb8u2 NOTE: https://github.com/OpenVPN/openvpn/commit/e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8 (master) NOTE: https://github.com/OpenVPN/openvpn/commit/591a4e574c43cb9e820950f15dcaabda261def78 (2.4.x) NOTE: https://github.com/OpenVPN/openvpn/commit/b727643cdf4e078f132a90e1c474a879a5760578 (2.3.x) Modified: data/DSA/list === --- data/DSA/list 2017-06-27 19:54:02 UTC (rev 52961) +++ data/DSA/list 2017-06-27 19:58:04 UTC (rev 52962) @@ -1,5 +1,5 @@ [27 Jun 2017] DSA-3900-1 openvpn - security update - {CVE-2017-7479 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521} + {CVE-2017-7508 CVE-2017-7520 CVE-2017-7521} [jessie] - openvpn 2.3.4-5+deb8u2 [stretch] - openvpn 2.4.0-6+deb9u1 [27 Jun 2017] DSA-3886-2 linux - regression update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
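Review bot: the CVE-2017-7479 entry gains "[jessie] - openvpn 2.3.4-5+deb8u2" while the CVE is removed from DSA-3900-1's CVE list; that version is exactly the DSA's jessie upload, so the jessie fix is now recorded without any cross reference to the advisory that shipped it (the entry only references {DLA-944-1}). A NOTE that the fix rode along in the DSA-3900-1 upload, which omits the CVE only because stretch already had it via 2.4.0-5, keeps the history traceable. Nothing is recorded for stretch explicitly, which is fine only because the DSA's "[stretch] - openvpn 2.4.0-6+deb9u1" is newer than the 2.4.0-5 on the entry.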
[Secure-testing-commits] r52961 - data/CVE
Author: carnil Date: 2017-06-27 19:54:02 + (Tue, 27 Jun 2017) New Revision: 52961 Modified: data/CVE/list Log: Add CVE-2017-9954/binutils Modified: data/CVE/list === --- data/CVE/list 2017-06-27 19:13:31 UTC (rev 52960) +++ data/CVE/list 2017-06-27 19:54:02 UTC (rev 52961) @@ -56,7 +56,10 @@ [jessie] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21665 CVE-2017-9954 (The getvalue function in tekhex.c in the Binary File Descriptor (BFD) ...) - TODO: check + - binutils + [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21670 CVE-2017-9953 (There is an invalid free in Image::printIFDStructure that leads to a ...) TODO: check CVE-2017-9952 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
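Review bot: the hunk marks stretch and jessie as "Minor issue" and links upstream bugzilla 21670, but the unstable line "- binutils" carries no fixed version and no Debian bug reference, so nothing tracks the fix to closure once upstream commits it; either add a "(bug #NNNNNN)" reference as other entries on this page do, or a NOTE saying the upstream fix is still pending.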
[Secure-testing-commits] r52960 - in data: . DSA
Author: seb Date: 2017-06-27 19:13:31 + (Tue, 27 Jun 2017) New Revision: 52960 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA-3900-1 for openvpn (CVE-2017-7479, CVE-2017-7508, CVE-2017-7520, CVE-2017-7521) Modified: data/DSA/list === --- data/DSA/list 2017-06-27 18:54:40 UTC (rev 52959) +++ data/DSA/list 2017-06-27 19:13:31 UTC (rev 52960) @@ -1,3 +1,7 @@ +[27 Jun 2017] DSA-3900-1 openvpn - security update + {CVE-2017-7479 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521} + [jessie] - openvpn 2.3.4-5+deb8u2 + [stretch] - openvpn 2.4.0-6+deb9u1 [27 Jun 2017] DSA-3886-2 linux - regression update [jessie] - linux 3.16.43-2+deb8u2 [stretch] - linux 4.9.30-2+deb9u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-06-27 18:54:40 UTC (rev 52959) +++ data/dsa-needed.txt 2017-06-27 19:13:31 UTC (rev 52960) @@ -29,9 +29,6 @@ linux wait until more issues have piled up -- -openvpn (seb) - Maintainer prepared an update, needs review and ack to upload --- php5 wait until more issues have piled up/next upstream point release -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52959 - data/CVE
Author: carnil Date: 2017-06-27 18:54:40 + (Tue, 27 Jun 2017) New Revision: 52959 Modified: data/CVE/list Log: Add bug reference for CVE-207-9445, #866147 Modified: data/CVE/list === --- data/CVE/list 2017-06-27 18:46:50 UTC (rev 52958) +++ data/CVE/list 2017-06-27 18:54:40 UTC (rev 52959) @@ -2641,7 +2641,7 @@ RESERVED CVE-2017-9445 [Out-of-bounds write in systemd-resolved with crafted TCP payload] RESERVED - - systemd + - systemd (bug #866147) [stretch] - systemd (Minor issue, systemd-resolved not enabled by default) [jessie] - systemd (Vulnerable code not present) [wheezy] - systemd (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
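Review bot: the log message refers to "CVE-207-9445" while the hunk edits CVE-2017-9445; the change itself is right, but the typo in the message will defeat searches of the commit history for this CVE.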
[Secure-testing-commits] r52958 - data/CVE
Author: carnil Date: 2017-06-27 18:46:50 + (Tue, 27 Jun 2017) New Revision: 52958 Modified: data/CVE/list Log: Add temporary description for CVE-2017-9445 and more notes Modified: data/CVE/list === --- data/CVE/list 2017-06-27 18:44:44 UTC (rev 52957) +++ data/CVE/list 2017-06-27 18:46:50 UTC (rev 52958) @@ -2639,11 +2639,14 @@ RESERVED CVE-2017-9446 RESERVED -CVE-2017-9445 +CVE-2017-9445 [Out-of-bounds write in systemd-resolved with crafted TCP payload] RESERVED - systemd [stretch] - systemd (Minor issue, systemd-resolved not enabled by default) [jessie] - systemd (Vulnerable code not present) + [wheezy] - systemd (Vulnerable code not present) + NOTE: Introduced by: https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37 + NOTE: http://www.openwall.com/lists/oss-security/2017/06/27/8 CVE-2017-9444 (BigTree CMS through 4.2.18 has CSRF related to the ...) NOT-FOR-US: BigTree CMS CVE-2017-9443 (** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
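Review bot: stretch is annotated "Minor issue, systemd-resolved not enabled by default" for what the placeholder title describes as an out-of-bounds write in systemd-resolved reachable through a crafted TCP payload. Default-off is a defensible reason not to issue a DSA, but for users who did enable resolved this is a remotely reachable memory-safety bug, so the annotation should state whether a stretch point-release fix is intended (the jessie and wheezy "Vulnerable code not present" lines are unambiguous by comparison). The "Introduced by" commit link is useful; pairing it with the upstream fix commit once available would complete the record.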
[Secure-testing-commits] r52957 - data/CVE
Author: carnil Date: 2017-06-27 18:44:44 + (Tue, 27 Jun 2017) New Revision: 52957 Modified: data/CVE/list Log: Add CVE-2017-9445/systemd Modified: data/CVE/list === --- data/CVE/list 2017-06-27 18:41:12 UTC (rev 52956) +++ data/CVE/list 2017-06-27 18:44:44 UTC (rev 52957) @@ -2641,6 +2641,9 @@ RESERVED CVE-2017-9445 RESERVED + - systemd + [stretch] - systemd (Minor issue, systemd-resolved not enabled by default) + [jessie] - systemd (Vulnerable code not present) CVE-2017-9444 (BigTree CMS through 4.2.18 has CSRF related to the ...) NOT-FOR-US: BigTree CMS CVE-2017-9443 (** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52956 - data/CVE
Author: carnil Date: 2017-06-27 18:41:12 + (Tue, 27 Jun 2017) New Revision: 52956 Modified: data/CVE/list Log: Add CVE-2017-9955/binutils Modified: data/CVE/list === --- data/CVE/list 2017-06-27 18:36:28 UTC (rev 52955) +++ data/CVE/list 2017-06-27 18:41:12 UTC (rev 52956) @@ -51,7 +51,10 @@ CVE-2017-9956 RESERVED CVE-2017-9955 (The get_build_id function in opncls.c in the Binary File Descriptor ...) - TODO: check + - binutils + [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21665 CVE-2017-9954 (The getvalue function in tekhex.c in the Binary File Descriptor (BFD) ...) TODO: check CVE-2017-9953 (There is an invalid free in Image::printIFDStructure that leads to a ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52955 - data
Author: anarcat Date: 2017-06-27 18:36:28 + (Tue, 27 Jun 2017) New Revision: 52955 Modified: data/dla-needed.txt Log: claim mercurial Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-27 18:16:58 UTC (rev 52954) +++ data/dla-needed.txt 2017-06-27 18:36:28 UTC (rev 52955) @@ -84,7 +84,7 @@ mcollective NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html -- -mercurial +mercurial (Antoine Beaupre) -- mupdf -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52954 - in data: . CVE
Author: anarcat Date: 2017-06-27 18:16:58 + (Tue, 27 Jun 2017) New Revision: 52954 Modified: data/CVE/list data/dla-needed.txt Log: mark TS as N/A in wheezy Modified: data/CVE/list === --- data/CVE/list 2017-06-27 18:02:28 UTC (rev 52953) +++ data/CVE/list 2017-06-27 18:16:58 UTC (rev 52954) @@ -14024,6 +14024,7 @@ RESERVED CVE-2017-5659 (Apache Traffic Server before 6.2.1 generates a coredump when there is ...) - trafficserver 7.0.0-1 + [wheezy] - trafficserver (PoC doesn't crash the server, fix too hard to backport) NOTE: https://issues.apache.org/jira/browse/TS-4507 NOTE: reproducer in https://issues.apache.org/jira/browse/TS-4819 (dupe of above) NOTE: https://github.com/apache/trafficserver/pull/787/commits/85c021123fd94c4d97a6015484eb1d8054bec9eb Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-27 18:02:28 UTC (rev 52953) +++ data/dla-needed.txt 2017-06-27 18:16:58 UTC (rev 52954) @@ -117,10 +117,6 @@ NOTE: this is about https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd NOTE: which might well be fixed once more issues piled up -- -trafficserver - NOTE: maintainer contacted 2017-04-26 - NOTE: reproducer doesn't crash server in a test VM - ? --anarcat --- wireshark NOTE: maintainer *may* take care of this, as previously -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
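Review bot: the wheezy annotation combines two different justifications, "PoC doesn't crash the server" and "fix too hard to backport". If the reproducer from TS-4819 does not crash wheezy's trafficserver, the first question is whether the vulnerable code is present in that version at all, which would make this a not-affected case rather than a skipped fix; if the code is present and merely not reproducible with that PoC, the second reason carries the decision and should stand on its own. The dla-needed lines being removed ("maintainer contacted 2017-04-26", "reproducer doesn't crash server in a test VM") record how the conclusion was reached and are worth carrying over as NOTE lines on the CVE.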
[Secure-testing-commits] r52953 - in data: . DSA
Author: carnil Date: 2017-06-27 18:02:28 + (Tue, 27 Jun 2017) New Revision: 52953 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for linux regression update Modified: data/DSA/list === --- data/DSA/list 2017-06-27 17:57:32 UTC (rev 52952) +++ data/DSA/list 2017-06-27 18:02:28 UTC (rev 52953) @@ -1,3 +1,6 @@ +[27 Jun 2017] DSA-3886-2 linux - regression update + [jessie] - linux 3.16.43-2+deb8u2 + [stretch] - linux 4.9.30-2+deb9u2 [27 Jun 2017] DSA-3899-1 vlc - security update {CVE-2017-8310 CVE-2017-8311 CVE-2017-8312 CVE-2017-8313} [jessie] - vlc 2.2.6-1~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-06-27 17:57:32 UTC (rev 52952) +++ data/dsa-needed.txt 2017-06-27 18:02:28 UTC (rev 52953) @@ -26,7 +26,7 @@ -- libytnef -- -linux (carnil) +linux wait until more issues have piled up -- openvpn (seb) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52952 - data/CVE
Author: carnil Date: 2017-06-27 17:57:32 + (Tue, 27 Jun 2017) New Revision: 52952 Modified: data/CVE/list Log: Add fixing version for unstable for CVE-2017-8797 Modified: data/CVE/list === --- data/CVE/list 2017-06-27 14:28:33 UTC (rev 52951) +++ data/CVE/list 2017-06-27 17:57:32 UTC (rev 52952) @@ -4728,7 +4728,7 @@ NOTE: Fixed by: https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229 CVE-2017-8797 [nfsd: remote DoS] RESERVED - - linux + - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/b550a32e60a4941994b437a8d662432a486235a5 (4.12-rc1) NOTE: Fixed by: https://git.kernel.org/linus/f961e3f2acae94b727380c0b74e2d3954d0edf79 (4.12-rc1) CVE-2017-8796 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
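Review bot: the hunk records 4.9.30-1 as the fixing version for CVE-2017-8797 while both NOTE lines say the upstream fixes landed in 4.12-rc1; that is consistent only if the two commits were picked into the 4.9.30 stable release or into Debian's 4.9.30-1 patch set, so a NOTE stating which is the case would let a reader verify the version without diffing the package.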
[Secure-testing-commits] r52951 - data
Author: anarcat Date: 2017-06-27 14:28:33 + (Tue, 27 Jun 2017) New Revision: 52951 Modified: data/dla-needed.txt Log: claim puppet Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-27 14:25:02 UTC (rev 52950) +++ data/dla-needed.txt 2017-06-27 14:28:33 UTC (rev 52951) @@ -99,7 +99,7 @@ postgresql-9.1 (Christoph Berg) NOTE: maintainer will give it a try tomorrow (2017-05-28) -- -puppet +puppet (Antoine Beaupre) NOTE: 2017-06-01: Seems to be at puppet/indirector/catalog/compiler.rb (line 25), NOTE: 2017-06-01: however I don't know whether pson is the only supported format NOTE: 2017-06-01: in this older version of puppet. -- lamby@d.o ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52950 - data
Author: anarcat Date: 2017-06-27 14:25:02 + (Tue, 27 Jun 2017) New Revision: 52950 Modified: data/dla-needed.txt Log: claim ca-certificates Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-27 14:02:26 UTC (rev 52949) +++ data/dla-needed.txt 2017-06-27 14:25:02 UTC (rev 52950) @@ -16,9 +16,10 @@ boa NOTE: only available in Wheezy and orphaned -- -ca-certificates +ca-certificates (Antoine Beaupré) NOTE: 2017-03-27: maintainer will handle the upload, see https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org NOTE: 2017-05-12: Pinged the maintainer -- Raphael Hertzog + NOTE: 2017-06-27: gave a 3-day deadline to maintainer -- Antoine -- check-mk NOTE: the code is different in wheezy but from a cursory look, there ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52949 - data/CVE
Author: carnil Date: 2017-06-27 14:02:26 + (Tue, 27 Jun 2017) New Revision: 52949 Modified: data/CVE/list Log: Add CVE-2017-8797/linux Modified: data/CVE/list === --- data/CVE/list 2017-06-27 12:43:06 UTC (rev 52948) +++ data/CVE/list 2017-06-27 14:02:26 UTC (rev 52949) @@ -4726,8 +4726,11 @@ - miniupnpc 1.9.20140610-3 (bug #862273) NOTE: https://github.com/tintinweb/pub/blob/master/pocs/cve-2017-8798/Readme.md NOTE: Fixed by: https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229 -CVE-2017-8797 +CVE-2017-8797 [nfsd: remote DoS] RESERVED + - linux + NOTE: Fixed by: https://git.kernel.org/linus/b550a32e60a4941994b437a8d662432a486235a5 (4.12-rc1) + NOTE: Fixed by: https://git.kernel.org/linus/f961e3f2acae94b727380c0b74e2d3954d0edf79 (4.12-rc1) CVE-2017-8796 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8795 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
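Review bot: the hunk assigns CVE-2017-8797 ("nfsd: remote DoS") to linux with the two 4.12-rc1 fix commits but no [stretch]/[jessie] annotations; a remotely triggerable nfsd denial of service affects any host exporting NFS, so the stable kernels should be checked for the vulnerable code and annotated rather than left implicit.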
[Secure-testing-commits] r52948 - data/CVE
Author: carnil Date: 2017-06-27 12:43:06 + (Tue, 27 Jun 2017) New Revision: 52948 Modified: data/CVE/list Log: Add bug reference for CVE-2017-9936/tiff, #866113 Modified: data/CVE/list === --- data/CVE/list 2017-06-27 12:31:10 UTC (rev 52947) +++ data/CVE/list 2017-06-27 12:43:06 UTC (rev 52948) @@ -97,7 +97,7 @@ NOTE: to see this as an issue in libjbig itself. TODO: wait for futher development on upstream CVE-2017-9936 (In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF ...) - - tiff + - tiff (bug #866113) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2706 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r52947 - data/CVE
Author: carnil Date: 2017-06-27 12:31:10 + (Tue, 27 Jun 2017) New Revision: 52947 Modified: data/CVE/list Log: Add bug reporte for CVE-2017-9935/tiff, #866109 Remove Note about unreproducibility. Both 4.0.8-2 and as well testing against 2017-06-26 Even Rouault * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported by team OWL337 exercises the problem with all four provided reproducers. Oder versions have not been checked source-wise for the issue. Modified: data/CVE/list === --- data/CVE/list 2017-06-27 11:29:19 UTC (rev 52946) +++ data/CVE/list 2017-06-27 12:31:10 UTC (rev 52947) @@ -102,10 +102,9 @@ NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2706 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-9935 (In LibTIFF 4.0.8, there is a heap-based buffer overflow in the ...) - - tiff + - tiff (bug #866109) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2704 - NOTE: Could not reproduce with the latest CVS version CVE-2017-9934 RESERVED CVE-2017-9933 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
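Review bot: the log message has two typos ("reporte", "Oder versions") and pastes an upstream ChangeLog entry about bug 2706 (the JBIGDecode memory leak) into the middle of a sentence about CVE-2017-9935, whose own reference is bug 2704, so a reader can take that ChangeLog entry for this CVE's fix. Rephrasing it as "the heap overflow still reproduces with all four reproducers against 4.0.8-2 and against upstream as of the 2017-06-26 commit for bug 2706" would state the actual finding, which is what justifies dropping the "Could not reproduce with the latest CVS version" NOTE.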
[Secure-testing-commits] r52946 - data/CVE
Author: fgeek-guest Date: 2017-06-27 11:29:19 + (Tue, 27 Jun 2017) New Revision: 52946 Modified: data/CVE/list Log: CVE-2017-9935/tiff Modified: data/CVE/list === --- data/CVE/list 2017-06-27 09:10:16 UTC (rev 52945) +++ data/CVE/list 2017-06-27 11:29:19 UTC (rev 52946) @@ -105,6 +105,7 @@ - tiff - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2704 + NOTE: Could not reproduce with the latest CVS version CVE-2017-9934 RESERVED CVE-2017-9933
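Review bot: the added `NOTE: Could not reproduce with the latest CVS version` does not record which reproducers from bug 2704 were tried or which CVS checkout date was used, so a later triager cannot tell whether the negative result still applies. Suggest something like `NOTE: Could not reproduce bug 2704 reproducers with CVS as of <date>` so the note stays verifiable.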
[Secure-testing-commits] r52945 - data/CVE
Author: sectracker Date: 2017-06-27 09:10:16 + (Tue, 27 Jun 2017) New Revision: 52945 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-06-27 09:07:54 UTC (rev 52944) +++ data/CVE/list 2017-06-27 09:10:16 UTC (rev 52945) @@ -1,3 +1,63 @@ +CVE-2017-9981 + RESERVED +CVE-2017-9980 + RESERVED +CVE-2017-9979 + RESERVED +CVE-2017-9978 + RESERVED +CVE-2017-9977 + RESERVED +CVE-2017-9976 + RESERVED +CVE-2017-9975 + RESERVED +CVE-2017-9974 + RESERVED +CVE-2017-9973 + RESERVED +CVE-2017-9972 + RESERVED +CVE-2017-9971 + RESERVED +CVE-2017-9970 + RESERVED +CVE-2017-9969 + RESERVED +CVE-2017-9968 + RESERVED +CVE-2017-9967 + RESERVED +CVE-2017-9966 + RESERVED +CVE-2017-9965 + RESERVED +CVE-2017-9964 + RESERVED +CVE-2017-9963 + RESERVED +CVE-2017-9962 + RESERVED +CVE-2017-9961 + RESERVED +CVE-2017-9960 + RESERVED +CVE-2017-9959 + RESERVED +CVE-2017-9958 + RESERVED +CVE-2017-9957 + RESERVED +CVE-2017-9956 + RESERVED +CVE-2017-9955 (The get_build_id function in opncls.c in the Binary File Descriptor ...) + TODO: check +CVE-2017-9954 (The getvalue function in tekhex.c in the Binary File Descriptor (BFD) ...) + TODO: check +CVE-2017-9953 (There is an invalid free in Image::printIFDStructure that leads to a ...) + TODO: check +CVE-2017-9952 + RESERVED CVE-2017-9951 RESERVED CVE-2017-9950 @@ -1589,6 +1649,7 @@ CVE-2017-9779 RESERVED CVE-2012-6706 (A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as ...) + {DLA-1003-1} - unrar-nonfree 1:5.5.5-1 (bug #865461) [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) 
@@ -5859,18 +5920,22 @@ NOTE: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/ NOTE: https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release CVE-2017-8313 (Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to ...) + {DSA-3899-1} - vlc 2.2.5-1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=05b653355ce303ada3b5e0e645ae717fea39186c CVE-2017-8312 (Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing ...) + {DSA-3899-1} - vlc 2.2.6-1~deb9u1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=611398fc8d32f3fe4331f60b220c52ba3557beaa CVE-2017-8311 (Potential heap based buffer overflow in ParseJSS in VideoLAN VLC ...) + {DSA-3899-1} - vlc 2.2.5-1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=775de716add17322f24b476439f903a829446eb6 CVE-2017-8310 (Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due ...) + {DSA-3899-1} - vlc 2.2.5.1-1~deb9u1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328 @@ -8525,8 +8590,8 @@ RESERVED CVE-2017-7459 (ntopng before 3.0 allows HTTP Response Splitting. ...) TODO: check -CVE-2017-7458 - RESERVED +CVE-2017-7458 (The NetworkInterface::getHost function in NetworkInterface.cpp in ...) + TODO: check CVE-2017-7457 (XML External Entity via .AOP files used by Moxa MX-AOPC Server 1.5 ...) NOT-FOR-US: Moxa CVE-2017-7456 (Moxa MXView 2.8 allows remote attackers to cause a Denial of Service ...) 
@@ -11938,12 +12003,12 @@ RESERVED CVE-2017-6327 RESERVED -CVE-2017-6326 - RESERVED -CVE-2017-6325 - RESERVED -CVE-2017-6324 - RESERVED +CVE-2017-6326 (The Symantec Messaging Gateway can encounter an issue of remote code ...) + TODO: check +CVE-2017-6325 (The Symantec Messaging Gateway can encounter a file inclusion ...) + TODO: check +CVE-2017-6324 (The Symantec Messaging Gateway, when processing a specific email ...) + TODO: check CVE-2017-6323 RESERVED CVE-2017-6322
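Review bot: in the `@@ -5859,18 +5920,22 @@` hunk the four new `{DSA-3899-1}` lines sit above unstable fixed versions of differing form (`vlc 2.2.5-1` for CVE-2017-8313 and CVE-2017-8311, `vlc 2.2.6-1~deb9u1` for CVE-2017-8312, `vlc 2.2.5.1-1~deb9u1` for CVE-2017-8310), while the DSA reserved in r52944 covers all four with a single jessie version `2.2.6-1~deb8u1`. Worth confirming that each per-CVE version is the first upload that actually fixed that issue rather than a suite-specific version carried over, since the `~deb9u1` entries sort below plain `2.2.6-1`.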
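Review bot: the `@@ -8525,8 +8590,8 @@` hunk turns CVE-2017-7458 (ntopng `NetworkInterface::getHost`) from RESERVED into a `TODO: check` entry directly below CVE-2017-7459, which is also ntopng and also still `TODO: check`; triage the two together so the affected ntopng version is checked once and both entries end up with the same resolution.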
[Secure-testing-commits] r52944 - in data: . DSA
Author: carnil Date: 2017-06-27 09:07:54 + (Tue, 27 Jun 2017) New Revision: 52944 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for vlc Modified: data/DSA/list === --- data/DSA/list 2017-06-27 09:00:47 UTC (rev 52943) +++ data/DSA/list 2017-06-27 09:07:54 UTC (rev 52944) @@ -1,3 +1,6 @@ +[27 Jun 2017] DSA-3899-1 vlc - security update + {CVE-2017-8310 CVE-2017-8311 CVE-2017-8312 CVE-2017-8313} + [jessie] - vlc 2.2.6-1~deb8u1 [25 Jun 2017] DSA-3898-1 expat - security update {CVE-2017-9233} [jessie] - expat 2.1.0-6+deb8u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-06-27 09:00:47 UTC (rev 52943) +++ data/dsa-needed.txt 2017-06-27 09:07:54 UTC (rev 52944) @@ -45,9 +45,6 @@ tiff wait until more issues have piled up -- -vlc (carnil) - Maintainer proposed debdiff, needs review and ack --- wireshark (seb) 2017-05-13: asked balint@ if he wants to prepare an update now --
[Secure-testing-commits] r52943 - in data: . DLA
Author: waldi Date: 2017-06-27 09:00:47 + (Tue, 27 Jun 2017) New Revision: 52943 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1003-1 for unrar-nonfree Modified: data/DLA/list === --- data/DLA/list 2017-06-27 08:33:37 UTC (rev 52942) +++ data/DLA/list 2017-06-27 09:00:47 UTC (rev 52943) @@ -1,3 +1,6 @@ +[27 Jun 2017] DLA-1003-1 unrar-nonfree - security update + {CVE-2012-6706} + [wheezy] - unrar-nonfree 1:4.1.4-1+deb7u2 [25 Jun 2017] DLA-1002-1 smb4k - security update {CVE-2017-8849} [wheezy] - smb4k 1.2.1-2~deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-06-27 08:33:37 UTC (rev 52942) +++ data/dla-needed.txt 2017-06-27 09:00:47 UTC (rev 52943) @@ -120,11 +120,6 @@ NOTE: maintainer contacted 2017-04-26 NOTE: reproducer doesn't crash server in a test VM - ? --anarcat -- -unrar-nonfree (Bastian Blank) - NOTE: package is non-free but used by LTS sponsors. Aim to not spend too - NOTE: much time on it, possibly just bumping to the latest upstream - NOTE: release without security issues. --- wireshark NOTE: maintainer *may* take care of this, as previously --
[Secure-testing-commits] r52942 - data
Author: seb Date: 2017-06-27 08:33:37 + (Tue, 27 Jun 2017) New Revision: 52942 Modified: data/dsa-needed.txt Log: Take openvpn from dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-06-27 06:45:39 UTC (rev 52941) +++ data/dsa-needed.txt 2017-06-27 08:33:37 UTC (rev 52942) @@ -29,7 +29,7 @@ linux (carnil) wait until more issues have piled up -- -openvpn +openvpn (seb) Maintainer prepared an update, needs review and ack to upload -- php5
[Secure-testing-commits] r52941 - data/CVE
Author: carnil Date: 2017-06-27 06:45:39 + (Tue, 27 Jun 2017) New Revision: 52941 Modified: data/CVE/list Log: wireshark fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-06-27 06:13:51 UTC (rev 52940) +++ data/CVE/list 2017-06-27 06:45:39 UTC (rev 52941) 
@@ -2845,58 +2845,58 @@ CVE-2017-9355 (XML external entity (XXE) vulnerability in the import playlist feature ...) NOT-FOR-US: Subsonic CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646 CVE-2017-9353 (In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-33.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13675 CVE-2017-9352 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-22.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13599 CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-24.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13628 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13609 CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13649 CVE-2017-9349 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector ...) 
- - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-27.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13685 CVE-2017-9348 (In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-23.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13608 CVE-2017-9347 (In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-31.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637 CVE-2017-9346 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissector ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-25.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13631 CVE-2017-9345 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-26.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13633 CVE-2017-9344 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP ...) - - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-29.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13701 CVE-2017-9343 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector ...) 
- - wireshark (bug #864058) + - wireshark 2.2.7-1 (bug #864058) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-30.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13725 CVE-2017-9342
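Review bot: the entries whose descriptions also list 2.0.0 to 2.0.12 as affected (CVE-2017-9354, -9352, -9351, -9350, -9349, -9346, -9345, -9344, -9343) receive only the unstable version `wireshark 2.2.7-1 (bug #864058)` and carry no `[jessie]`/`[wheezy]` annotation, unlike the 2.2.x-only entries marked `(Only affects 2.2.x)`, so the tracker still shows them unresolved for the stable suites. That is correct as a record of the unstable fix, but the `wireshark (seb)` dsa-needed entry visible in the r52944 hunk above should stay open until those suites are addressed.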
[Secure-testing-commits] r52940 - data/CVE
Author: carnil Date: 2017-06-27 06:13:51 + (Tue, 27 Jun 2017) New Revision: 52940 Modified: data/CVE/list Log: Mark CVE-2017-7496 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-06-27 05:24:26 UTC (rev 52939) +++ data/CVE/list 2017-06-27 06:13:51 UTC (rev 52940) @@ -8352,7 +8352,7 @@ RESERVED NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-7496 (fedora-arm-installer up to and including 1.99.16 is vulnerable to ...) - TODO: check + NOT-FOR-US: fedora-arm-installer CVE-2017-7495 (fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 ...) - linux 4.6.2-1 [jessie] - linux 3.16.39-1