[Secure-testing-commits] r53601 - data/CVE
Author: carnil Date: 2017-07-18 05:40:16 + (Tue, 18 Jul 2017) New Revision: 53601 Modified: data/CVE/list Log: faad2 issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-07-18 05:30:09 UTC (rev 53600) +++ data/CVE/list 2017-07-18 05:40:16 UTC (rev 53601) @@ -5648,23 +5648,23 @@ CVE-2017-9258 RESERVED CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9256 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9255 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9254 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9253 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2016-10377 (In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch ...) 
@@ -5786,27 +5786,27 @@ NOTE: https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b NOTE: https://github.com/kkos/oniguruma/issues/57 CVE-2017-9223 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9222 (The mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9221 (The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9220 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9219 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9218 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...) - - faad2 (low; bug #867724) + - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 (Minor issue) [jessie] - faad2 (Minor issue) CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a denial ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
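Review bot: both hunks (@@ -5648 and @@ -5786) set the same fixed version 2.8.1-1 on eleven separate CVE entries (CVE-2017-9253..9257 and CVE-2017-9218..9223) whose only shared link is bug #867724; worth confirming that the 2.8.1-1 changelog actually closes #867724 for every one of those IDs before all of them are flagged as fixed in unstable. Leaving the [stretch]/[jessie] `(Minor issue)` lines untouched is consistent with the `low` severity.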
[Secure-testing-commits] r53600 - data/CVE
Author: carnil Date: 2017-07-18 05:30:09 + (Tue, 18 Jul 2017) New Revision: 53600 Modified: data/CVE/list Log: Add entry for gnome-exe-thumbnailer, #868705 Modified: data/CVE/list === --- data/CVE/list 2017-07-18 05:19:09 UTC (rev 53599) +++ data/CVE/list 2017-07-18 05:30:09 UTC (rev 53600) @@ -1,3 +1,7 @@ +CVE-2017- [Thumbnail generation for MSI files executes arbitrary VBScript] + - gnome-exe-thumbnailer (bug #868705) + NOTE: http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html + NOTE: https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 CVE-2017-11399 (Integer overflow in the ape_decode_frame function in ...) - ffmpeg NOTE: https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
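Review bot: the new placeholder entry `CVE-2017- [Thumbnail generation for MSI files executes arbitrary VBScript]` records only `- gnome-exe-thumbnailer (bug #868705)`: no severity annotation although the bracketed title states script execution from a thumbnailed file, no [stretch]/[jessie] triage lines, and no fixed version, while the upstream commit 1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 is listed as a bare NOTE rather than with the `Fixed by:` prefix used elsewhere in the list. Suggest adding severity and distribution status once assessed, the Debian version that picks up that commit, and replacing the placeholder ID when a CVE is assigned.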
[Secure-testing-commits] r53599 - data/CVE
Author: carnil Date: 2017-07-18 05:19:09 + (Tue, 18 Jul 2017) New Revision: 53599 Modified: data/CVE/list Log: Add CVE-2017-1{13,14,15,16,17,18}/phpmyadmin In r52282 we removed the temporary entry, arguing that if the unimportant issues get a CVE, then we can add them back. That happened now. Add with respective previous entry back and keep unimportant status associated. Modified: data/CVE/list === --- data/CVE/list 2017-07-18 05:11:10 UTC (rev 53598) +++ data/CVE/list 2017-07-18 05:19:09 UTC (rev 53599) 
@@ -793,17 +793,23 @@ CVE-2017-120 (SYN Flood or FIN Flood attack in ECos 1 and other versions embedded ...) NOT-FOR-US: ECos CVE-2017-118 (phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the ...) - TODO: check + - phpmyadmin 4:4.6.6-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2017-7 CVE-2017-117 (phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user ...) - TODO: check + - phpmyadmin 4:4.6.6-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2017-6 CVE-2017-116 (A weakness was discovered where an attacker can inject arbitrary ...) - TODO: check + - phpmyadmin 4:4.6.6-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2017-5 CVE-2017-115 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack ...) - TODO: check + - phpmyadmin 4:4.6.6-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2017-4 CVE-2017-114 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the ...) - TODO: check + - phpmyadmin 4:4.6.6-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2017-3 CVE-2017-113 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect ...) - TODO: check + - phpmyadmin 4:4.6.6-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2017-1 CVE-2017-112 (MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying ...) TODO: check CVE-2017-111 (MyWebSQL version 3.6 is vulnerable to stored XSS in the database ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
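Review bot: none of the six `(unimportant)` annotations in hunk @@ -793 carry a NOTE giving the reason; the justification lives only in the commit message's reference to r52282, so a one-line NOTE per entry (or on the first of the group) would keep the classification auditable from data/CVE/list itself. Also, the PMASA references jump from PMASA-2017-1 (CVE-2017-113) to PMASA-2017-3 (CVE-2017-114); check whether PMASA-2017-2 has a CVE and an entry of its own.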
[Secure-testing-commits] r53598 - data/CVE
Author: carnil Date: 2017-07-18 05:11:10 + (Tue, 18 Jul 2017) New Revision: 53598 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-07-18 04:41:35 UTC (rev 53597) +++ data/CVE/list 2017-07-18 05:11:10 UTC (rev 53598) @@ -80,7 +80,7 @@ NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73473 NOTE: Fixed in 7.1.7, 7.0.21 CVE-2017-11361 (Inteno routers have a JUCI ACL misconfiguration that allows the user ...) - TODO: check + NOT-FOR-US: Inteno routers CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) - imagemagick 8:6.9.7.4+dfsg-12 (bug #867808) NOTE: https://github.com/ImageMagick/ImageMagick/issues/518 @@ -860,9 +860,9 @@ CVE-2017-11129 RESERVED CVE-2017-11128 (Bolt CMS 3.2.14 allows stored XSS via text input, as demonstrated by ...) - TODO: check + NOT-FOR-US: Bolt CMS CVE-2017-11127 (Bolt CMS 3.2.14 allows stored XSS by uploading an SVG document with a ...) - TODO: check + NOT-FOR-US: Bolt CMS CVE-2017-11126 (The III_i_stereo function in libmpg123/layer3.c in mpg123 through ...) - mpg123 (unimportant) NOTE: no security impact @@ -4454,7 +4454,7 @@ CVE-2017-9640 RESERVED CVE-2017-9639 (An issue was discovered in Fuji Electric V-Server Version 3.3.22.0 and ...) - TODO: check + NOT-FOR-US: Fuji Electric V-Server CVE-2017-9638 RESERVED CVE-2017-9637 @@ -9043,7 +9043,7 @@ CVE-2017-8012 RESERVED CVE-2017-8011 (EMC ViPR SRM, EMC Storage MR, EMC VNX MR, EMC MR for SAS Solution ...) - TODO: check + NOT-FOR-US: EMC CVE-2017-8010 RESERVED CVE-2017-8009 
@@ -9053,11 +9053,11 @@ CVE-2017-8007 RESERVED CVE-2017-8006 (In EMC RSA Authentication Manager 8.2 SP1 Patch 1 and earlier, a ...) - TODO: check + NOT-FOR-US: EMC CVE-2017-8005 (The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and ...) - TODO: check + NOT-FOR-US: EMC CVE-2017-8004 (The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and ...) - TODO: check + NOT-FOR-US: EMC CVE-2017-8003 (EMC Data Protection Advisor prior to 6.4 contains a path traversal ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2017-8002 (EMC Data Protection Advisor prior to 6.4 contains multiple blind SQL ...) @@ -9065,7 +9065,7 @@ CVE-2017-8001 RESERVED CVE-2017-8000 (In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA ...) - TODO: check + NOT-FOR-US: EMC CVE-2017-7999 (Atlassian Eucalyptus before 4.4.1, when in EDGE mode, allows remote ...) NOT-FOR-US: Atlassian Eucalyptus CVE-2017-7998 @@ -21798,7 +21798,7 @@ CVE-2017-3755 RESERVED CVE-2017-3754 (Some Lenovo brand notebook systems do not have write protections ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2017-3753 RESERVED CVE-2017-3752 @@ -21822,7 +21822,7 @@ CVE-2017-3743 (If multiple users are concurrently logged into a single system where ...) NOT-FOR-US: Lenovo CVE-2017-3742 (In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2017-3741 (In the Lenovo Power Management driver before 1.67.12.24, a local user ...) NOT-FOR-US: Lenovo CVE-2017-3740 (In Lenovo Active Protection System before 1.82.0.14, an attacker with ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
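Review bot: the NOT-FOR-US labels in hunks @@ -9043, @@ -9053 and @@ -9065 use the bare vendor name `EMC`, while the neighbouring unchanged entries (CVE-2017-8003, CVE-2017-8002) use the product, `EMC Data Protection Advisor`; naming the product as the description does (EMC ViPR SRM, EMC RSA Authentication Manager, EMC RSA Identity Governance and Lifecycle) keeps the list greppable by product. The Inteno, Bolt CMS, Fuji Electric and Lenovo labels follow the existing convention.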
[Secure-testing-commits] r53597 - data/CVE
Author: carnil Date: 2017-07-18 04:41:35 + (Tue, 18 Jul 2017) New Revision: 53597 Modified: data/CVE/list Log: Track one ffmpeg issue Modified: data/CVE/list === --- data/CVE/list 2017-07-18 04:33:27 UTC (rev 53596) +++ data/CVE/list 2017-07-18 04:41:35 UTC (rev 53597) @@ -1,5 +1,6 @@ CVE-2017-11399 (Integer overflow in the ape_decode_frame function in ...) - TODO: check + - ffmpeg + NOTE: https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0 CVE-2017-11398 RESERVED CVE-2017-11397 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
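Review bot: the new `- ffmpeg` line in hunk @@ -1,5 carries no fixed version, severity or [stretch]/[jessie] triage, and the upstream commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0 is listed as a bare NOTE; prefixing it `Fixed by:` as the linux entries in this list do marks it as the fix rather than a background reference, and a follow-up with the Debian version that includes it is still needed.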
[Secure-testing-commits] r53596 - data/CVE
Author: carnil Date: 2017-07-18 04:33:27 + (Tue, 18 Jul 2017) New Revision: 53596 Modified: data/CVE/list Log: Update CVE-2017-11143 status Modified: data/CVE/list === --- data/CVE/list 2017-07-18 04:30:56 UTC (rev 53595) +++ data/CVE/list 2017-07-18 04:33:27 UTC (rev 53596) @@ -1328,13 +1328,12 @@ NOTE: http://git.php.net/?p=php-src.git;a=commit;h=91826a311dd37f4c4e5d605fa7af331e80ddd4c3 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11143 (In PHP before 5.6.31, an invalid free in the WDDX deserialization of ...) - - php7.1 - - php7.0 + - php7.1 (Only affected 5.6) + - php7.0 (Only affected 5.6) - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74145 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9 - TODO: check, claimed to be fixed in 7.0.21 but not listed, needs double-check NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11142 (In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote ...) - php7.1 7.1.3+-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
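Review bot: after this change, `- php7.1 (Only affected 5.6)` and `- php7.0 (Only affected 5.6)` in hunk @@ -1328 still read as open, unversioned affected entries; the parenthetical is free text, not a status, so unstable stays marked vulnerable for php7.x. If 7.x was never affected, the tracker's `<not-affected>` marker in the version field (or dropping the two lines) expresses that. Removing the `TODO: check, claimed to be fixed in 7.0.21 but not listed, needs double-check` line also leaves no record of how the 7.0.21 claim was resolved; a NOTE stating the conclusion would help the next person who sees the same claim.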
[Secure-testing-commits] r53595 - data/CVE
Author: carnil Date: 2017-07-18 04:30:56 + (Tue, 18 Jul 2017) New Revision: 53595 Modified: data/CVE/list Log: Remove one temporary PHP entry, this was already CVE-2017-11145 Modified: data/CVE/list === --- data/CVE/list 2017-07-18 03:39:29 UTC (rev 53594) +++ data/CVE/list 2017-07-18 04:30:56 UTC (rev 53595) @@ -655,8 +655,6 @@ NOTE: When fixing this CVE make sure to make the fix complete, as per NOTE: https://marc.info/?l=oss-security=149969403317810=2 to not NOTE: open CVE-2017-11146. - NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74819 - NOTE: https://gist.github.com/anonymous/bd77ac90d3bdf31ce2a5251ad92e9e75 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-1000362 (The re-key admin monitor was introduced in Jenkins 1.498 and ...) - jenkins @@ -1319,14 +1317,6 @@ NOTE: Fixed in 7.1.0, 7.0.13, 5.6.28 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 -CVE-2017- [wddx_deserialize() heap out-of-bound read via php_parse_date()] - - php7.1 - - php7.0 - - php5 - NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74819 - NOTE: Fixed in 7.0.21 - NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7 (5.6.x) - NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=6b18d956de38ecd8913c3d82ce96eb0368a1f9e5 (7.0.x) CVE-2017-11144 (In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the ...) - php7.1 - php7.0 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
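Review bot: hunk @@ -1319 deletes the temporary entry together with `NOTE: Fixed in 7.0.21` and the 7.0.x commit 6b18d956de38ecd8913c3d82ce96eb0368a1f9e5, and hunk @@ -655 drops the PHP bug 74819 reference and the gist link from the entry it belongs to; none of these references appear in the surviving context shown here. Confirm they were carried over to CVE-2017-11145 (the log says the issue "was already" that CVE), otherwise the 7.0.x fix pointer and the bug cross-reference are lost.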
[Secure-testing-commits] r53594 - in data: . DLA
Author: jamessan Date: 2017-07-18 03:39:29 + (Tue, 18 Jul 2017) New Revision: 53594 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1030-1 for vim Modified: data/DLA/list === --- data/DLA/list 2017-07-17 21:10:14 UTC (rev 53593) +++ data/DLA/list 2017-07-18 03:39:29 UTC (rev 53594) @@ -1,3 +1,6 @@ +[17 Jul 2017] DLA-1030-1 vim - security update + {CVE-2017-11109} + [wheezy] - vim 2:7.3.547-7+deb7u4 [17 Jul 2017] DLA-1029-1 libmtp - security update {CVE-2017-9831 CVE-2017-9832} [wheezy] - libmtp 1.1.3-35-g0ece104-5+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-17 21:10:14 UTC (rev 53593) +++ data/dla-needed.txt 2017-07-18 03:39:29 UTC (rev 53594) @@ -174,8 +174,6 @@ NOTE: 20170711, Version 3.9.6-11+deb7u7 fixes CVE-2017-9936 (DLA-1023-1) NOTE: CVE-2017-9935 is still unresolved upstream -- -vim (James McCoy) --- wireshark NOTE: maintainer *may* take care of this, as previously -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
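Review bot: the new DLA-1030-1 line in data/DLA/list is dated `[17 Jul 2017]` while this commit went in at 2017-07-18 03:39 UTC; check the date against the published advisory mail, since the list date is what the tracker displays. Removing `vim (James McCoy)` from dla-needed.txt in the same commit is the right pairing.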
[Secure-testing-commits] r53593 - data/CVE
Author: sectracker Date: 2017-07-17 21:10:14 + (Mon, 17 Jul 2017) New Revision: 53593 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-07-17 20:56:56 UTC (rev 53592) +++ data/CVE/list 2017-07-17 21:10:14 UTC (rev 53593) @@ -1,3 +1,75 @@ +CVE-2017-11399 (Integer overflow in the ape_decode_frame function in ...) + TODO: check +CVE-2017-11398 + RESERVED +CVE-2017-11397 + RESERVED +CVE-2017-11396 + RESERVED +CVE-2017-11395 + RESERVED +CVE-2017-11394 + RESERVED +CVE-2017-11393 + RESERVED +CVE-2017-11392 + RESERVED +CVE-2017-11391 + RESERVED +CVE-2017-11390 + RESERVED +CVE-2017-11389 + RESERVED +CVE-2017-11388 + RESERVED +CVE-2017-11387 + RESERVED +CVE-2017-11386 + RESERVED +CVE-2017-11385 + RESERVED +CVE-2017-11384 + RESERVED +CVE-2017-11383 + RESERVED +CVE-2017-11382 + RESERVED +CVE-2017-11381 + RESERVED +CVE-2017-11380 + RESERVED +CVE-2017-11379 + RESERVED +CVE-2017-11378 + RESERVED +CVE-2017-11377 + RESERVED +CVE-2017-11376 + RESERVED +CVE-2017-11375 + RESERVED +CVE-2017-11374 + RESERVED +CVE-2017-11373 + RESERVED +CVE-2017-11372 + RESERVED +CVE-2017-11371 + RESERVED +CVE-2017-11370 + RESERVED +CVE-2017-11369 + RESERVED +CVE-2017-11368 + RESERVED +CVE-2017-11367 (The shoco_decompress function in the API in shoco through 2017-07-17 ...) + TODO: check +CVE-2017-11366 + RESERVED +CVE-2017-11365 + RESERVED +CVE-2017-11364 + RESERVED CVE-2017-11363 RESERVED CVE-2017-11362 (In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ...) @@ -6,8 +78,8 @@ - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73473 NOTE: Fixed in 7.1.7, 7.0.21 -CVE-2017-11361 - RESERVED +CVE-2017-11361 (Inteno routers have a JUCI ACL misconfiguration that allows the user ...) + TODO: check CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) - imagemagick 8:6.9.7.4+dfsg-12 (bug #867808) NOTE: https://github.com/ImageMagick/ImageMagick/issues/518 
@@ -788,10 +860,10 @@ RESERVED CVE-2017-11129 RESERVED -CVE-2017-11128 - RESERVED -CVE-2017-11127 - RESERVED +CVE-2017-11128 (Bolt CMS 3.2.14 allows stored XSS via text input, as demonstrated by ...) + TODO: check +CVE-2017-11127 (Bolt CMS 3.2.14 allows stored XSS by uploading an SVG document with a ...) + TODO: check CVE-2017-11126 (The III_i_stereo function in libmpg123/layer3.c in mpg123 through ...) - mpg123 (unimportant) NOTE: no security impact 
@@ -1134,81 +1206,71 @@ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405 NOTE: http://marc.info/?l=sqlite-users=149933696214713=2 CVE-2017-10988 [Decode 'signed' attributes correctly] - RESERVED + REJECTED - freeradius [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-305 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/de3b3b2e4153db26442facbd5e9b268a3bf795ba -CVE-2017-10987 [DHCP - Buffer over-read in fr_dhcp_decode_suboptions()] - RESERVED +CVE-2017-10987 (An FR-GV-304 issue in FreeRADIUS 3.x before 3.0.15 allows DHCP - ...) - freeradius [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-304 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866 -CVE-2017-10986 [DHCP - Infinite read in dhcp_attr2vp()] - RESERVED +CVE-2017-10986 (An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows DHCP - ...) - freeradius [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-303 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c -CVE-2017-10985 [Infinite loop and memory exhaustion with 'concat' attributes] - RESERVED +CVE-2017-10985 (An FR-GV-302 issue in FreeRADIUS 3.x before 3.0.15 allows Infinite ...) - freeradius [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-302 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97 -CVE-2017-10984 [Write overflow in data2vp_wimax()] - RESERVED +CVE-2017-10984 (An FR-GV-301 issue in FreeRADIUS 3.x before
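Review bot: in hunk @@ -1134 the automatic update flips CVE-2017-10988 from RESERVED to REJECTED but leaves `- freeradius`, the [jessie]/[wheezy] lines and the FR-GV-305 fix references in place; a rejected ID should not carry package status lines, so a human follow-up is needed (either the rejection is spurious and the entry should be re-keyed, or the status lines should be removed). The new `TODO: check` items in hunk @@ -1,3 (CVE-2017-11399, CVE-2017-11367) and @@ -6 (CVE-2017-11361) are picked up in r53597 and r53598 above.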
[Secure-testing-commits] r53592 - data
Author: apo Date: 2017-07-17 20:56:56 + (Mon, 17 Jul 2017) New Revision: 53592 Modified: data/dla-needed.txt Log: dla-needed.txt: Add comment about php5 status. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-17 20:52:24 UTC (rev 53591) +++ data/dla-needed.txt 2017-07-17 20:56:56 UTC (rev 53592) @@ -124,6 +124,7 @@ NOTE: 20170707: Pinged upstream (lamby) -- php5 (Markus Koschany) + NOTE: A few more tests. Release date either 18.07 or 19.07. -- poppler NOTE: patch available for CVE-2017-9865 but not fixed upstream ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
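Review bot: the added `NOTE: A few more tests. Release date either 18.07 or 19.07.` uses a dd.mm date that the rest of dla-needed.txt avoids (compare `NOTE: 20170707: Pinged upstream` in this hunk's context and `NOTE: 2017-03-27:` elsewhere in the file); writing them as 2017-07-18 / 2017-07-19 and prefixing the note with its own date keeps the file unambiguous.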
[Secure-testing-commits] r53591 - data/CVE
Author: apo Date: 2017-07-17 20:52:24 + (Mon, 17 Jul 2017) New Revision: 53591 Modified: data/CVE/list Log: CVE-2017-11142, php5: Wheezy is not affected Vulnerable code is not present Modified: data/CVE/list === --- data/CVE/list 2017-07-17 20:48:55 UTC (rev 53590) +++ data/CVE/list 2017-07-17 20:52:24 UTC (rev 53591) @@ -1288,6 +1288,7 @@ - php7.1 7.1.3+-1 - php7.0 7.0.17-1 - php5 + [wheezy] - php5 (vulnerable code not present) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73807 NOTE: Fixed in 7.1.3, 7.0.17, 5.6.31 NOTE: https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
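Review bot: the new `[wheezy] - php5 (vulnerable code not present)` line settles wheezy, but there is no [jessie] line, so jessie's php5 status is still only implied by the unversioned `- php5` line above it; record it once checked. Minor: the annotation is written `vulnerable code not present` here and `Vulnerable code not present` in the linux entries (r53586); pick one spelling.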
[Secure-testing-commits] r53590 - data
Author: lamby Date: 2017-07-17 20:48:55 + (Mon, 17 Jul 2017) New Revision: 53590 Modified: data/dla-needed.txt Log: data/dla-needed.txt: Add note about apache2 requiring a regression fix. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-17 20:41:53 UTC (rev 53589) +++ data/dla-needed.txt 2017-07-17 20:48:55 UTC (rev 53590) @@ -10,6 +10,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +apache2 + NOTE: There was a regression introduced in DLA-841-1 (2.2.22-13+deb7u8) + NOTE: See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373 +-- ca-certificates (Antoine Beaupré) NOTE: 2017-03-27: maintainer will handle the upload, see https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org NOTE: 2017-05-12: Pinged the maintainer -- Raphael Hertzog ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
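Review bot: the new apache2 block records the regression from DLA-841-1 (2.2.22-13+deb7u8) and the bug link, but no claimant and no date on the NOTE; other entries in the file date their notes (`NOTE: 2017-03-27:`, `NOTE: 2017-05-12:` in this hunk's context), so add the date, and the name in parentheses once someone takes it, as with `ca-certificates (Antoine Beaupré)`.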
[Secure-testing-commits] r53589 - data/CVE
Author: carnil Date: 2017-07-17 20:41:53 + (Mon, 17 Jul 2017) New Revision: 53589 Modified: data/CVE/list Log: Add bug reference for CVE-2017-9951 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 20:03:17 UTC (rev 53588) +++ data/CVE/list 2017-07-17 20:41:53 UTC (rev 53589) @@ -2251,7 +2251,7 @@ CVE-2017-9952 RESERVED CVE-2017-9951 (The try_read_command function in memcached.c in memcached before 1.4.39 ...) - - memcached + - memcached (bug #868701) NOTE: https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/ NOTE: https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 CVE-2017-9950 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
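Review bot: CVE-2017-9951 now links bug #868701 but still has no severity, no fixed version and no [stretch]/[jessie] triage; the upstream commit 328629445c71e6c17074f6e9e0e3ef585b58f167 is already listed, so a `Fixed by:` prefix and the distribution status would complete the entry.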
[Secure-testing-commits] r53588 - data
Author: carnil Date: 2017-07-17 20:03:17 + (Mon, 17 Jul 2017) New Revision: 53588 Modified: data/dsa-needed.txt Log: add apache2 to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-17 19:48:59 UTC (rev 53587) +++ data/dsa-needed.txt 2017-07-17 20:03:17 UTC (rev 53588) @@ -14,6 +14,9 @@ -- 389-ds-base (fw) -- +apache2 + sf will likely be able to prepare an update +-- atril -- chromium-browser ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
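Review bot: the apache2 entry in dsa-needed.txt is added without a claimant in parentheses (compare `389-ds-base (fw)` in the same hunk); once sf confirms, record it as `apache2 (sf)` like the other claimed entries so the "will likely" remark does not linger as the only status.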
[Secure-testing-commits] r53587 - data
Author: anarcat Date: 2017-07-17 19:48:59 + (Mon, 17 Jul 2017) New Revision: 53587 Modified: data/dla-needed.txt Log: claim ipsec-tools Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-17 19:43:01 UTC (rev 53586) +++ data/dla-needed.txt 2017-07-17 19:48:59 UTC (rev 53587) @@ -44,7 +44,7 @@ -- imagemagick (Roberto C. Sánchez) -- -ipsec-tools +ipsec-tools (Antoine Beaupre) -- irssi NOTE: Maintainer plan to do the update. The issue is not urgent according to ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
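Review bot: the claim is recorded as `ipsec-tools (Antoine Beaupre)` while the same person appears as `ca-certificates (Antoine Beaupré)` elsewhere in dla-needed.txt (r53590); use one spelling so per-person listings match.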
[Secure-testing-commits] r53586 - data/CVE
Author: carnil Date: 2017-07-17 19:43:01 + (Mon, 17 Jul 2017) New Revision: 53586 Modified: data/CVE/list Log: Record fixes for src:linux to unstable Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:34:57 UTC (rev 53585) +++ data/CVE/list 2017-07-17 19:43:01 UTC (rev 53586) @@ -461,7 +461,7 @@ CVE-2017-11177 RESERVED CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does not set ...) - - linux + - linux 4.11.11-1 NOTE: Fixed by: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1 CVE-2017-11175 RESERVED @@ -1616,7 +1616,7 @@ CVE-2017-10811 RESERVED CVE-2017-10810 (Memory leak in the virtio_gpu_object_create function in ...) - - linux (low) + - linux 4.11.11-1 (low) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linux/385aee965b4e4c36551c362a334378d2985b722a @@ -3976,7 +3976,7 @@ - xen NOTE: https://xenbits.xen.org/xsa/advisory-217.html CVE-2017-10911 (The make_response function in drivers/block/xen-blkback/blkback.c in ...) - - linux + - linux 4.11.11-1 - qemu NOTE: https://xenbits.xen.org/xsa/advisory-216.html CVE-2017-1000381 (The c-ares function `ares_parse_naptr_reply()`, which is used for ...) @@ -4030,7 +4030,7 @@ [stretch] - linux 4.9.30-2+deb9u1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000365 (The Linux Kernel imposes a size restriction on the arguments and ...) - - linux + - linux 4.11.11-1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: Fixed by: https://git.kernel.org/linus/98da7d08850fb8bdeb395d6368ed15753304aa0c CVE-2017-1000366 (glibc contains a vulnerability that allows specially crafted ...) 
@@ -4043,11 +4043,11 @@ - exim4 4.89-3 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000370 (The offset2lib patch as used in the Linux Kernel contains a ...) - - linux + - linux 4.11.11-1 [wheezy] - linux (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000371 (The offset2lib patch as used by the Linux Kernel contains a ...) - - linux + - linux 4.11.11-1 [wheezy] - linux (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000376 (libffi requests an executable stack allowing attackers to more easily ...) @@ -10682,7 +10682,7 @@ NOTE: http://tracker.ceph.com/issues/20240 CVE-2017-7518 [debug exception via syscall emulation] RESERVED - - linux + - linux 4.11.11-1 [wheezy] - linux (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/06/23/5 NOTE: https://www.spinics.net/lists/kvm/msg151817.html @@ -10835,7 +10835,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/05/01/15 CVE-2017-7482 RESERVED - - linux + - linux 4.11.11-1 NOTE: Fixed by: https://git.kernel.org/linus/5f2f97656ada8d811d3c1bef503ced266fcd53a0 CVE-2017-7481 [Security issue with lookup return not tainting the jinja2 environment] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
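Review bot: in hunk @@ -1616 the unchanged context line for CVE-2017-10810 reads `NOTE: Fixed by: https://git.kernel.org/linux/385aee965b4e4c36551c362a334378d2985b722a`, whereas every other kernel reference in this commit uses `https://git.kernel.org/linus/...`; that path segment looks like a typo and is worth correcting while the entry is being touched. The fix version 4.11.11-1 is applied consistently across all seven hunks, including the still-RESERVED CVE-2017-7518 and CVE-2017-7482.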
[Secure-testing-commits] r53585 - data
Author: carnil Date: 2017-07-17 19:34:57 + (Mon, 17 Jul 2017) New Revision: 53585 Modified: data/dsa-needed.txt Log: Add ruby-mixlib-archive to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-17 19:34:19 UTC (rev 53584) +++ data/dsa-needed.txt 2017-07-17 19:34:57 UTC (rev 53585) @@ -46,6 +46,8 @@ qemu Maintainer asked to prepare updates -- +ruby-mixlib-archive +-- sudo (carnil) -- wireshark (seb) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53584 - data/CVE
Author: carnil Date: 2017-07-17 19:34:19 + (Mon, 17 Jul 2017) New Revision: 53584 Modified: data/CVE/list Log: Add CVE-2017-10978 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:33:06 UTC (rev 53583) +++ data/CVE/list 2017-07-17 19:34:19 UTC (rev 53584) @@ -1207,8 +1207,12 @@ NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. -CVE-2017-10978 +CVE-2017-10978 [Read / write overflow in make_secret()] RESERVED + - freeradius + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-201 + NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68 + NOTE: 3.x: https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f CVE-2017-182 (systemd v233 and earlier fails to safely parse usernames starting with ...) - systemd (unimportant) [jessie] - systemd (Vulnerable code introduced in systemd-229) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
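Review bot: CVE-2017-10978 is recorded as a bare `- freeradius` with separate 2.x and 3.x fix commits, which, unlike the CVE-2017-10979..10982 entries that use the 3.0.12+dfsg-3 workaround, correctly leaves unstable open; a fixed version is still needed once the 3.x commit fc8662d7e827f630d515eaa0bddfa94754c8047f is uploaded, and severity and [stretch]/[jessie] triage are absent.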
[Secure-testing-commits] r53583 - data/CVE
Author: carnil Date: 2017-07-17 19:33:06 + (Mon, 17 Jul 2017) New Revision: 53583 Modified: data/CVE/list Log: Add CVE-2017-10979 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:30:47 UTC (rev 53582) +++ data/CVE/list 2017-07-17 19:33:06 UTC (rev 53583) @@ -1199,8 +1199,14 @@ NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. -CVE-2017-10979 +CVE-2017-10979 [Write overflow in rad_coalesce] RESERVED + - freeradius 3.0.12+dfsg-3 + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-202 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ae3ba0011e7d299e92c45300e0137a56a650e8f5 + NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable + NOTE: This is not fully technically correct, the issue affects only the 2.x + NOTE: series but not 3.x. CVE-2017-10978 RESERVED CVE-2017-182 (systemd v233 and earlier fails to safely parse usernames starting with ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53581 - data/CVE
Author: carnil Date: 2017-07-17 19:30:37 + (Mon, 17 Jul 2017) New Revision: 53581 Modified: data/CVE/list Log: Add CVE-2017-10981 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:30:26 UTC (rev 53580) +++ data/CVE/list 2017-07-17 19:30:37 UTC (rev 53581) @@ -1183,8 +1183,14 @@ NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. -CVE-2017-10981 +CVE-2017-10981 [DHCP - Memory leak in fr_dhcp_decode()] RESERVED + - freeradius 3.0.12+dfsg-3 + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-204 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/812766e2150faa07b4c574e51393b014feaffe6c + NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable + NOTE: This is not fully technically correct, the issue affects only the 2.x + NOTE: series but not 3.x. CVE-2017-10980 RESERVED CVE-2017-10979 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53582 - data/CVE
Author: carnil Date: 2017-07-17 19:30:47 + (Mon, 17 Jul 2017) New Revision: 53582 Modified: data/CVE/list Log: Add CVE-2017-10980 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:30:37 UTC (rev 53581) +++ data/CVE/list 2017-07-17 19:30:47 UTC (rev 53582) @@ -1191,8 +1191,14 @@ NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. -CVE-2017-10980 +CVE-2017-10980 [DHCP - Memory leak in decode_tlv()] RESERVED + - freeradius 3.0.12+dfsg-3 + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-203 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ef0727fc68e211a36637b5c4e4a6fa1326f0a029 + NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable + NOTE: This is not fully technically correct, the issue affects only the 2.x + NOTE: series but not 3.x. CVE-2017-10979 RESERVED CVE-2017-10978 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53580 - data/CVE
Author: carnil Date: 2017-07-17 19:30:26 + (Mon, 17 Jul 2017) New Revision: 53580 Modified: data/CVE/list Log: Add CVE-2017-10982 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:25:37 UTC (rev 53579) +++ data/CVE/list 2017-07-17 19:30:26 UTC (rev 53580) @@ -1175,8 +1175,14 @@ NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-206 NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/ec08b30f87066f82073d02fab57e8ffeef81373d NOTE: 3.x: https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d -CVE-2017-10982 +CVE-2017-10982 [DHCP - Read overflow in fr_dhcp_decode_options()] RESERVED + - freeradius 3.0.12+dfsg-3 + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-205 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/10b6de9345c9e0d9d4d5e0426fa5c3d68d702875 + NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable + NOTE: This is not fully technically correct, the issue affects only the 2.x + NOTE: series but not 3.x. CVE-2017-10981 RESERVED CVE-2017-10980 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
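Review bot: the single commit NOTE under CVE-2017-10982 is unlabelled, whereas the CVE-2017-10983 entry in the context lines prefixes its commits with "2.x:" and "3.x:"; since the NOTE below says this read overflow affects only the 2.x series, labelling the commit "2.x:" would make that explicit. As with the other 2.x-only entries, the fixed version 3.0.12+dfsg-3 is for the unaffected series and there is no [jessie]/[wheezy] status for the suites that carry 2.x.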
[Secure-testing-commits] r53579 - data/CVE
Author: carnil Date: 2017-07-17 19:25:37 + (Mon, 17 Jul 2017) New Revision: 53579 Modified: data/CVE/list Log: Add CVE-2017-10983 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:25:27 UTC (rev 53578) +++ data/CVE/list 2017-07-17 19:25:37 UTC (rev 53579) @@ -1169,8 +1169,12 @@ NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-301 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/4b059296e14b6ab75dc17163077490528a819806 -CVE-2017-10983 +CVE-2017-10983 [DHCP - Read overflow when decoding option 63] RESERVED + - freeradius + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-206 + NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/ec08b30f87066f82073d02fab57e8ffeef81373d + NOTE: 3.x: https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d CVE-2017-10982 RESERVED CVE-2017-10981 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
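Review bot: the "- freeradius" line for CVE-2017-10983 has no fixed version, and the entry cites both a 2.x and a 3.x fixing commit, which means every suite is affected; yet there is no [stretch], [jessie] or [wheezy] line and no bug reference. Record either the unstable version that carries the 3.x commit or a "bug #" so the item does not drop out of the worklist, and add suite status lines as done for the 3.x-only entries in this series.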
[Secure-testing-commits] r53578 - data/CVE
Author: carnil Date: 2017-07-17 19:25:27 + (Mon, 17 Jul 2017) New Revision: 53578 Modified: data/CVE/list Log: Add CVE-2017-10984 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:22:23 UTC (rev 53577) +++ data/CVE/list 2017-07-17 19:25:27 UTC (rev 53578) @@ -1161,8 +1161,14 @@ [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-302 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97 -CVE-2017-10984 +CVE-2017-10984 [Write overflow in data2vp_wimax()] RESERVED + - freeradius + [jessie] - freeradius (Only affects 3.x series) + [wheezy] - freeradius (Only affects 3.x series) + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-301 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/4b059296e14b6ab75dc17163077490528a819806 CVE-2017-10983 RESERVED CVE-2017-10982 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
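Review bot: the unstable line for CVE-2017-10984 carries no fixed version even though two fixing commits are cited; the other freeradius entries in this batch name 3.0.12+dfsg-3 as the first 3.x version in unstable, so it is worth checking whether those two commits are included there and recording the version, or else adding a bug reference. The jessie/wheezy "Only affects 3.x series" lines are consistent with the title (data2vp_wimax() is a 3.x code path per the advisory anchor FR-GV-301).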
[Secure-testing-commits] r53577 - data/CVE
Author: carnil Date: 2017-07-17 19:22:23 + (Mon, 17 Jul 2017) New Revision: 53577 Modified: data/CVE/list Log: Add CVE-2017-10985 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:22:13 UTC (rev 53576) +++ data/CVE/list 2017-07-17 19:22:23 UTC (rev 53577) @@ -1154,8 +1154,13 @@ [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-303 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c -CVE-2017-10985 +CVE-2017-10985 [Infinite loop and memory exhaustion with 'concat' attributes] RESERVED + - freeradius + [jessie] - freeradius (Only affects 3.x series) + [wheezy] - freeradius (Only affects 3.x series) + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-302 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97 CVE-2017-10984 RESERVED CVE-2017-10983 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
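Review bot: CVE-2017-10985 follows the same shape as the neighbouring 3.x-only entries (jessie/wheezy marked "Only affects 3.x series", one advisory anchor, one commit) but the unstable line again has no fixed version or bug reference; an infinite loop plus memory exhaustion reachable from attribute decoding is a remote DoS on a network daemon, so leaving unstable/stretch with no status is the part most likely to be overlooked later.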
[Secure-testing-commits] r53574 - data/CVE
Author: carnil Date: 2017-07-17 19:21:52 + (Mon, 17 Jul 2017) New Revision: 53574 Modified: data/CVE/list Log: Add fixing commit reference Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:16:19 UTC (rev 53573) +++ data/CVE/list 2017-07-17 19:21:52 UTC (rev 53574) @@ -1139,6 +1139,7 @@ [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-305 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/de3b3b2e4153db26442facbd5e9b268a3bf795ba CVE-2017-10987 RESERVED CVE-2017-10986 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
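Review bot: the added line is a bare commit URL under the FR-GV-305 anchor; elsewhere in the file fixing commits are prefixed with "Fixed by:" (see the CVE-2017-11360 entry further down this page). For CVE-2017-10988 in particular, whose bracket title ("Decode 'signed' attributes correctly") describes the remedy rather than the flaw, a "Fixed by:" prefix would make it obvious that this line is the fix and the anchor above it is the description.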
[Secure-testing-commits] r53576 - data/CVE
Author: carnil Date: 2017-07-17 19:22:13 + (Mon, 17 Jul 2017) New Revision: 53576 Modified: data/CVE/list Log: Add CVE-2017-10986 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:22:03 UTC (rev 53575) +++ data/CVE/list 2017-07-17 19:22:13 UTC (rev 53576) @@ -1147,8 +1147,13 @@ [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-304 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866 -CVE-2017-10986 +CVE-2017-10986 [DHCP - Infinite read in dhcp_attr2vp()] RESERVED + - freeradius + [jessie] - freeradius (Only affects 3.x series) + [wheezy] - freeradius (Only affects 3.x series) + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-303 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c CVE-2017-10985 RESERVED CVE-2017-10984 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
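Review bot: the CVE-2017-10986 entry records the FR-GV-303 anchor and the fixing commit but leaves the "- freeradius" line without a version or bug reference, so unstable and stretch have no tracked status; the jessie/wheezy "Only affects 3.x series" lines are present. An "infinite read" in dhcp_attr2vp() is an out-of-bounds read, so the severity annotation used for the faad2 entries ("low", "Minor issue") or a bug number would help prioritise it.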
[Secure-testing-commits] r53575 - data/CVE
Author: carnil Date: 2017-07-17 19:22:03 + (Mon, 17 Jul 2017) New Revision: 53575 Modified: data/CVE/list Log: Add CVE-2017-10987 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 19:21:52 UTC (rev 53574) +++ data/CVE/list 2017-07-17 19:22:03 UTC (rev 53575) @@ -1140,8 +1140,13 @@ [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-305 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/de3b3b2e4153db26442facbd5e9b268a3bf795ba -CVE-2017-10987 +CVE-2017-10987 [DHCP - Buffer over-read in fr_dhcp_decode_suboptions()] RESERVED + - freeradius + [jessie] - freeradius (Only affects 3.x series) + [wheezy] - freeradius (Only affects 3.x series) + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-304 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866 CVE-2017-10986 RESERVED CVE-2017-10985 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
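Review bot: same structural gap for CVE-2017-10987: the advisory anchor (FR-GV-304) and commit are there, jessie/wheezy are annotated as 3.x-only, but the unstable line has no fixed version or bug reference. Since the whole FR-GV-3xx batch was filed in one sitting, a single bug against freeradius referenced from each of these entries would keep them from being orphaned.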
[Secure-testing-commits] r53573 - data/CVE
Author: carnil Date: 2017-07-17 19:16:19 + (Mon, 17 Jul 2017) New Revision: 53573 Modified: data/CVE/list Log: Add CVE-2017-10988 Modified: data/CVE/list === --- data/CVE/list 2017-07-17 18:42:23 UTC (rev 53572) +++ data/CVE/list 2017-07-17 19:16:19 UTC (rev 53573) @@ -1133,8 +1133,12 @@ NOTE: https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405 NOTE: http://marc.info/?l=sqlite-users=149933696214713=2 -CVE-2017-10988 +CVE-2017-10988 [Decode 'signed' attributes correctly] RESERVED + - freeradius + [jessie] - freeradius (Only affects 3.x series) + [wheezy] - freeradius (Only affects 3.x series) + NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-305 CVE-2017-10987 RESERVED CVE-2017-10986 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
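Review bot: the CVE-2017-10988 entry cites only the FR-GV-305 advisory anchor and no fixing commit, unlike the sibling entries; the follow-up commit r53574 on this page adds it, so the gap is already closed, but the bracket title "Decode 'signed' attributes correctly" names the fix instead of the flaw, and a title stating what goes wrong (as the other entries do) would be more useful until MITRE's description replaces it. No fixed version or bug reference is recorded for unstable.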
[Secure-testing-commits] r53572 - in data: . DLA
Author: anarcat Date: 2017-07-17 18:42:23 + (Mon, 17 Jul 2017) New Revision: 53572 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1029-1 for libmtp Modified: data/DLA/list === --- data/DLA/list 2017-07-17 15:49:31 UTC (rev 53571) +++ data/DLA/list 2017-07-17 18:42:23 UTC (rev 53572) @@ -1,3 +1,6 @@ +[17 Jul 2017] DLA-1029-1 libmtp - security update + {CVE-2017-9831 CVE-2017-9832} + [wheezy] - libmtp 1.1.3-35-g0ece104-5+deb7u1 [17 Jul 2017] DLA-1028-1 apache2 - security update {CVE-2017-9788} [wheezy] - apache2 2.2.22-13+deb7u10 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-17 15:49:31 UTC (rev 53571) +++ data/dla-needed.txt 2017-07-17 18:42:23 UTC (rev 53572) @@ -71,11 +71,6 @@ NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, sent email later NOTE: 20170708: patch now available (lamby) -- -libmtp - NOTE: 20170702 sent email to maintainer - NOTE: patch and packages available for testing: https://lists.debian.org/87lgnzvjvb@curie.anarc.at - NOTE: will upload on 20170714 if no one else tests + reviews + uploads first -- antoine --- libquicktime -- libraw (Emilio Pozuelo) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
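Review bot: the DLA/list hunk reserves DLA-1029-1 for CVE-2017-9831 and CVE-2017-9832 with wheezy libmtp 1.1.3-35-g0ece104-5+deb7u1, but this commit does not add the matching "{DLA-1029-1}" cross-reference to those two entries in data/CVE/list; for DLA-1028-1 the "{DLA-1028-1}" line under CVE-2017-9788 was added by the next automatic update (r53565 on this page), so it will likely be picked up the same way, but it is worth confirming. In the dla-needed.txt hunk the removed libmtp block drops the NOTEs about the test packages posted to the list; that history is fine to lose here since the DLA entry now records the uploaded version.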
[Secure-testing-commits] r53571 - data/CVE
Author: jmm Date: 2017-07-17 15:49:31 + (Mon, 17 Jul 2017) New Revision: 53571 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-07-17 15:34:44 UTC (rev 53570) +++ data/CVE/list 2017-07-17 15:49:31 UTC (rev 53571) @@ -685,7 +685,7 @@ CVE-2017-137 (RVM automatically loads environment variables from files in $PWD ...) TODO: check CVE-2017-136 (All versions of Candy Chat are vulnerable to an XSS attack by message ...) - TODO: check + NOT-FOR-US: Candy Chat CVE-2017-135 (Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener ...) - tt-rss 17.1+git20170410+dfsg-1 NOTE: https://git.tt-rss.org/git/tt-rss/commit/829d478f1b054c8ce1eeb4f15170dc4a1abb3e47 @@ -746,7 +746,7 @@ CVE-2017-107 (txAWS (all current versions) fail to perform complete certificate ...) NOT-FOR-US: txAWS CVE-2017-106 (Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an ...) - TODO: check + NOT-FOR-US: plotly.js (different from the plotly Python package) CVE-2017-105 (PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the ...) NOT-FOR-US: PHPMiniAdmin CVE-2017-104 (ATutor versions 2.2.1 and earlier are vulnerable to a SQL injection ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53570 - data/CVE
Author: jmm Date: 2017-07-17 15:34:44 + (Mon, 17 Jul 2017) New Revision: 53570 Modified: data/CVE/list Log: audacity n/a NFUs Modified: data/CVE/list === --- data/CVE/list 2017-07-17 12:25:55 UTC (rev 53569) +++ data/CVE/list 2017-07-17 15:34:44 UTC (rev 53570) @@ -736,19 +736,19 @@ CVE-2017-112 (MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying ...) TODO: check CVE-2017-111 (MyWebSQL version 3.6 is vulnerable to stored XSS in the database ...) - TODO: check + NOT-FOR-US: MyWebSQL CVE-2017-110 (Audacity version 2.1.2 is vulnerable to Dll HIjacking in the ...) - TODO: check + - audacity (Specific to Windows packaging) CVE-2017-109 (Akeneo PIM CE and EE 1.6.6, 1.5.15, 1.4.28 are vulnerable to shell ...) - TODO: check + NOT-FOR-US: Akeneo PIM CVE-2017-108 (Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user ...) - TODO: check + NOT-FOR-US: Chyrp Lite CVE-2017-107 (txAWS (all current versions) fail to perform complete certificate ...) - TODO: check + NOT-FOR-US: txAWS CVE-2017-106 (Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an ...) TODO: check CVE-2017-105 (PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the ...) - TODO: check + NOT-FOR-US: PHPMiniAdmin CVE-2017-104 (ATutor versions 2.2.1 and earlier are vulnerable to a SQL injection ...) NOT-FOR-US: ATutor CVE-2017-103 (ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
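Review bot: as rendered, the CVE-2017-110 line reads "- audacity (Specific to Windows packaging)" with nothing between the package name and the parenthesis; a package line with no version and no not-affected marker is an open, unfixed entry in the tracker format. If the marker is present in the actual commit this is only a rendering artefact of the archive, otherwise it needs adding so a DLL-hijacking issue that cannot occur in the Debian build is not listed as outstanding. The NOT-FOR-US conversions in the rest of the hunk are straightforward.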
[Secure-testing-commits] r53569 - data/CVE
Author: carnil Date: 2017-07-17 12:25:55 + (Mon, 17 Jul 2017) New Revision: 53569 Modified: data/CVE/list Log: Add CVE-2017-11334/qemu issue Modified: data/CVE/list === --- data/CVE/list 2017-07-17 10:22:21 UTC (rev 53568) +++ data/CVE/list 2017-07-17 12:25:55 UTC (rev 53569) @@ -121,8 +121,11 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce NOTE: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce -CVE-2017-11334 +CVE-2017-11334 [exec: oob access during dma operation] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg03775.html CVE-2017-11333 RESERVED CVE-2017-11332 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
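Review bot: CVE-2017-11334 lists qemu and qemu-kvm as affected with no fixed version, no bug reference and no suite status, and the only NOTE is the qemu-devel patch posting rather than a merged commit; once the patch lands, record the commit id (as the memcached entry in r53568 on this page does) and either set the fixed version or file a bug. The bracket title "exec: oob access during dma operation" is adequate as a placeholder until MITRE's text replaces it.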
[Secure-testing-commits] r53568 - data/CVE
Author: carnil Date: 2017-07-17 10:22:21 + (Mon, 17 Jul 2017) New Revision: 53568 Modified: data/CVE/list Log: Add CVE-2017-9951/memcached Modified: data/CVE/list === --- data/CVE/list 2017-07-17 10:15:18 UTC (rev 53567) +++ data/CVE/list 2017-07-17 10:22:21 UTC (rev 53568) @@ -2190,7 +2190,9 @@ CVE-2017-9952 RESERVED CVE-2017-9951 (The try_read_command function in memcached.c in memcached before 1.4.39 ...) - TODO: check + - memcached + NOTE: https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/ + NOTE: https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 CVE-2017-9950 RESERVED CVE-2017-9949 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
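Review bot: the CVE-2017-9951 entry has no fixed version although the description in the context line scopes the bug to "memcached before 1.4.39"; if 1.4.39 is not yet packaged, a "bug #" reference would keep it from being lost, and stretch/jessie/wheezy have no status line for what is a heap overflow in command parsing on a network service. The Twistlock write-up and the upstream commit are both cited, which is enough for anyone preparing a backport.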
[Secure-testing-commits] r53567 - data/CVE
Author: carnil Date: 2017-07-17 10:15:18 + (Mon, 17 Jul 2017) New Revision: 53567 Modified: data/CVE/list Log: Add CVE-2017-11362/php Modified: data/CVE/list === --- data/CVE/list 2017-07-17 09:14:03 UTC (rev 53566) +++ data/CVE/list 2017-07-17 10:15:18 UTC (rev 53567) @@ -1,7 +1,11 @@ CVE-2017-11363 RESERVED CVE-2017-11362 (In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ...) - TODO: check + - php7.1 + - php7.0 + - php5 + NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73473 + NOTE: Fixed in 7.1.7, 7.0.21 CVE-2017-11361 RESERVED CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
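Review bot: php5 is listed as affected without qualification, but the CVE description in the context line scopes the bug to "PHP 7.x before 7.0.21 and 7.1.x before 7.1.7" and the NOTE only records 7.x fixed versions; check PHP bug 73473 and either mark php5 not-affected or add a NOTE explaining why it is included. The php7.1 and php7.0 lines should get the Debian fixed versions once 7.1.7 and 7.0.21 are uploaded, and no stable status is recorded yet.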
[Secure-testing-commits] r53566 - data/CVE
Author: jmm Date: 2017-07-17 09:14:03 + (Mon, 17 Jul 2017) New Revision: 53566 Modified: data/CVE/list Log: imagemagick CVEfied NFUs Modified: data/CVE/list === --- data/CVE/list 2017-07-17 09:10:13 UTC (rev 53565) +++ data/CVE/list 2017-07-17 09:14:03 UTC (rev 53566) @@ -5,7 +5,9 @@ CVE-2017-11361 RESERVED CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) - TODO: check + - imagemagick 8:6.9.7.4+dfsg-12 (bug #867808) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/518 + NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/224bc946b24824a77e8e8c52ee07e9bc65796e30 CVE-2017-11359 RESERVED CVE-2017-11358 @@ -17,23 +19,23 @@ CVE-2017-11355 RESERVED CVE-2017-11354 (Fiyo CMS v2.0.7 has an SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: Fiyo CMS CVE-2017-11351 RESERVED CVE-2017-11350 RESERVED CVE-2017-11349 (dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs ...) - TODO: check + NOT-FOR-US: dataTaker CVE-2017-11348 (In Octopus Deploy 3.x before 3.15.4, an authenticated user with ...) - TODO: check + NOT-FOR-US: Octopus Deploy CVE-2017-11347 (Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a ...) - TODO: check + NOT-FOR-US: MetInfo CVE-2017-11346 (Zoho ManageEngine Desktop Central before build 100092 allows remote ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2017-11345 (Stack buffer overflow in networkmap in Asuswrt-Merlin firmware for ASUS ...) - TODO: check + NOT-FOR-US: ASUS CVE-2017-11344 (Global buffer overflow in networkmap in Asuswrt-Merlin firmware for ...) - TODO: check + NOT-FOR-US: ASUS CVE-2017-11353 (yadm (yet another dotfile manager) 1.10.0 has a race condition ...) - yadm (bug #868300) NOTE: https://github.com/TheLocehiliosan/yadm/issues/74 
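Review bot: in the first hunk CVE-2017-11360 is filled in with imagemagick 8:6.9.7.4+dfsg-12 (bug #867808), issue 518 and the fixing commit, which matches the unnumbered "[CPU exhaustion in ReadRLEImage]" placeholder removed in the -819 hunk of the same commit, so nothing is lost in the move. In the second hunk CVE-2017-11345 and CVE-2017-11344 are marked "NOT-FOR-US: ASUS" while the descriptions name "Asuswrt-Merlin firmware", a third-party firmware rather than the vendor's; writing "Asuswrt-Merlin" would avoid a later mix-up if stock ASUS firmware issues are filed.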
@@ -685,7 +687,7 @@ CVE-2017-133 (Wordpress Plugin Vospari Forms version 1.4 is vulnerable to a ...) NOT-FOR-US: WordPress plugin CVE-2017-132 (Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow ...) - TODO: check + NOTE: Seems like a duplicate, contacted MITRE for rejection CVE-2017-131 (SQL injection vulnerability in graph_templates_inputs.php in Cacti ...) TODO: check CVE-2017-130 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is ...) @@ -819,10 +821,6 @@ CVE-2017- [memory exhaustion in ReadCINImage] - imagemagick 8:6.9.7.4+dfsg-12 (bug #867810) NOTE: https://github.com/ImageMagick/ImageMagick/issues/519 -CVE-2017- [CPU exhaustion in ReadRLEImage] - - imagemagick 8:6.9.7.4+dfsg-12 (bug #867808) - NOTE: https://github.com/ImageMagick/ImageMagick/issues/518 - NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/224bc946b24824a77e8e8c52ee07e9bc65796e30 CVE-2017-11188 (The ReadDPXImage function in coders\dpx.c in ImageMagick 7.0.6-0 has a ...) - imagemagick 8:6.9.7.4+dfsg-12 (bug #867806) NOTE: https://github.com/ImageMagick/ImageMagick/issues/509 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
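Review bot: the CVE-2017-132 NOTE says "Seems like a duplicate, contacted MITRE for rejection" but does not say which CVE it duplicates; the neighbouring CVE-2017-131 also covers Cacti, so record the suspected original id in the NOTE so whoever follows up with MITRE can verify the rejection. The -819 hunk's removal of the "CVE-2017- [CPU exhaustion in ReadRLEImage]" entry is correct, since the same bug number, issue and commit now live under CVE-2017-11360.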
[Secure-testing-commits] r53565 - data/CVE
Author: sectracker Date: 2017-07-17 09:10:13 + (Mon, 17 Jul 2017) New Revision: 53565 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-07-17 08:37:47 UTC (rev 53564) +++ data/CVE/list 2017-07-17 09:10:13 UTC (rev 53565) @@ -1,7 +1,43 @@ -CVE-2017-11353 [race condition allows access to ssh and pgp keys] +CVE-2017-11363 + RESERVED +CVE-2017-11362 (In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ...) + TODO: check +CVE-2017-11361 + RESERVED +CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) + TODO: check +CVE-2017-11359 + RESERVED +CVE-2017-11358 + RESERVED +CVE-2017-11357 + RESERVED +CVE-2017-11356 + RESERVED +CVE-2017-11355 + RESERVED +CVE-2017-11354 (Fiyo CMS v2.0.7 has an SQL injection vulnerability in ...) + TODO: check +CVE-2017-11351 + RESERVED +CVE-2017-11350 + RESERVED +CVE-2017-11349 (dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs ...) + TODO: check +CVE-2017-11348 (In Octopus Deploy 3.x before 3.15.4, an authenticated user with ...) + TODO: check +CVE-2017-11347 (Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a ...) + TODO: check +CVE-2017-11346 (Zoho ManageEngine Desktop Central before build 100092 allows remote ...) + TODO: check +CVE-2017-11345 (Stack buffer overflow in networkmap in Asuswrt-Merlin firmware for ASUS ...) + TODO: check +CVE-2017-11344 (Global buffer overflow in networkmap in Asuswrt-Merlin firmware for ...) + TODO: check +CVE-2017-11353 (yadm (yet another dotfile manager) 1.10.0 has a race condition ...) - yadm (bug #868300) NOTE: https://github.com/TheLocehiliosan/yadm/issues/74 -CVE-2017-11343 [algorithmic complexity attack in hash tables] +CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of CHICKEN ...) - chicken NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg0.html CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A ...) 
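Review bot: the automatic update replaces the hand-written placeholder for CVE-2017-11343 with the MITRE description, which says the issue is "Due to an incomplete fix for CVE-2012-6125"; the chicken package line and the chicken-announce NOTE survive, but the incomplete-fix relationship is not reflected on the CVE-2012-6125 entry (untouched by this hunk), so a cross-link there would help. The dropped placeholder text "[algorithmic complexity attack in hash tables]" was a more useful one-line summary than the MITRE lead-in and could be kept as a NOTE.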
@@ -2151,8 +2187,8 @@ NOTE: again. Around that commit upstream source though does not build. CVE-2017-9952 RESERVED -CVE-2017-9951 - RESERVED +CVE-2017-9951 (The try_read_command function in memcached.c in memcached before 1.4.39 ...) + TODO: check CVE-2017-9950 RESERVED CVE-2017-9949 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 ...) @@ -2554,6 +2590,7 @@ - apache2 (Only affected 2.4.26) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27 CVE-2017-9788 (In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value ...) + {DLA-1028-1} - apache2 2.4.27-1 (bug #868467) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27 NOTE: Fixed by (2.4.x): https://svn.apache.org/r1800955 @@ -5881,7 +5918,7 @@ NOTE: https://github.com/Yeraze/ytnef/issues/47 CVE-2017-9145 (TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not ...) - tikiwiki -CVE-2017-11352 [Incomplete fix for CVE-2017-9144] +CVE-2017-11352 (In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a crash ...) - imagemagick 8:6.9.7.4+dfsg-12 (bug #868469) NOTE: https://github.com/ImageMagick/ImageMagick/issues/502 CVE-2017-9144 (In ImageMagick 7.0.5-5, a crafted RLE image can trigger a crash because ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
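Review bot: in the -5881 hunk the placeholder "[Incomplete fix for CVE-2017-9144]" for CVE-2017-11352 is replaced by the MITRE text, which describes the RLE crash but not the relation to CVE-2017-9144; the two entries sit next to each other, so re-adding that relation as a NOTE preserves the triage history. The -2554 hunk's "{DLA-1028-1}" insertion matches the reservation in r53563 on this page, and the -2151 hunk turns CVE-2017-9951 from RESERVED into "TODO: check", which r53568 then resolves.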
[Secure-testing-commits] r53564 - data/CVE
Author: jmm Date: 2017-07-17 08:37:47 + (Mon, 17 Jul 2017) New Revision: 53564 Modified: data/CVE/list Log: glassfish n/a Modified: data/CVE/list === --- data/CVE/list 2017-07-17 07:58:03 UTC (rev 53563) +++ data/CVE/list 2017-07-17 08:37:47 UTC (rev 53564) @@ -653,11 +653,11 @@ CVE-2017-131 (SQL injection vulnerability in graph_templates_inputs.php in Cacti ...) TODO: check CVE-2017-130 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is ...) - TODO: check + - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-129 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is ...) - TODO: check + - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-128 (Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both ...) - TODO: check + - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-127 (Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable ...) NOT-FOR-US: Koozali Foundation SME Server CVE-2017-126 (Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
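Review bot: as rendered, the three glassfish lines read "- glassfish (Vulnerable code not included, see bug #853998)" with no not-affected marker between the package name and the parenthesis; in the tracker format a package line with neither a version nor a marker is an open entry, so if the marker exists in the real commit this is a rendering artefact of the archive, otherwise it needs adding. Pointing at bug #853998 for the reasoning is good practice and should be kept.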
[Secure-testing-commits] r53563 - in data: . DLA
Author: lamby Date: 2017-07-17 07:58:03 + (Mon, 17 Jul 2017) New Revision: 53563 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1028-1 for apache2. Modified: data/DLA/list === --- data/DLA/list 2017-07-17 07:43:20 UTC (rev 53562) +++ data/DLA/list 2017-07-17 07:58:03 UTC (rev 53563) @@ -1,3 +1,6 @@ +[17 Jul 2017] DLA-1028-1 apache2 - security update + {CVE-2017-9788} + [wheezy] - apache2 2.2.22-13+deb7u10 [14 Jul 2017] DLA-1027-1 heimdal - security update {CVE-2017-11103} [wheezy] - heimdal 1.6~git20120403+dfsg1-2+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-17 07:43:20 UTC (rev 53562) +++ data/dla-needed.txt 2017-07-17 07:58:03 UTC (rev 53563) @@ -10,8 +10,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -apache2 (Chris Lamb) --- ca-certificates (Antoine Beaupré) NOTE: 2017-03-27: maintainer will handle the upload, see https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org NOTE: 2017-05-12: Pinged the maintainer -- Raphael Hertzog ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
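Review bot: the commit reserves DLA-1028-1 and drops apache2 from dla-needed.txt but does not add the "{DLA-1028-1}" cross-reference to the CVE-2017-9788 entry in data/CVE/list; the automatic update r53565 on this page adds it, so nothing is outstanding, but manual reservations usually carry the cross-reference in the same commit so the tracker is never briefly inconsistent. The dla-needed.txt hunk removes only "apache2 (Chris Lamb)" and its separator, with no NOTE lines lost.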
[Secure-testing-commits] r53562 - data/CVE
Author: carnil Date: 2017-07-17 07:43:20 + (Mon, 17 Jul 2017) New Revision: 53562 Modified: data/CVE/list Log: Add CVE-2017-11343/chicken Modified: data/CVE/list === --- data/CVE/list 2017-07-17 04:29:24 UTC (rev 53561) +++ data/CVE/list 2017-07-17 07:43:20 UTC (rev 53562) @@ -1,6 +1,9 @@ CVE-2017-11353 [race condition allows access to ssh and pgp keys] - yadm (bug #868300) NOTE: https://github.com/TheLocehiliosan/yadm/issues/74 +CVE-2017-11343 [algorithmic complexity attack in hash tables] + - chicken + NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg0.html CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A ...) - libsass (bug #868577) [stretch] - libsass (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
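Review bot: the new CVE-2017-11343 entry has no fixed version, no bug reference and no suite status; the yadm entry directly above it records "bug #868300", so a bug against chicken referenced here would keep the item tracked until an upload. The chicken-announce URL ends in "msg0.html" both here and in the later automatic-update context, so it is at least consistent, but verify it resolves.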