[Secure-testing-commits] r53697 - data
Author: agx Date: 2017-07-20 06:46:05 + (Thu, 20 Jul 2017) New Revision: 53697 Modified: data/dla-needed.txt Log: lts: add memcached Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-20 06:35:14 UTC (rev 53696) +++ data/dla-needed.txt 2017-07-20 06:46:05 UTC (rev 53697) @@ -108,6 +108,8 @@ mcollective NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html -- +memcached +-- ming (Emilio Pozuelo) NOTE: 20170719: patches unavailable -- @@ -134,6 +136,7 @@ openjdk-7 (Emilio Pozuelo) -- phamm + NOTE: no upstream fixed yet, therefore maintainers not yet contacted -- php5 (Markus Koschany) NOTE: A few more tests. Release date either 18.07 or 19.07. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
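Review bot: the log "lts: add memcached" does not cover the second change in this commit, the NOTE added under phamm; a log line naming both ("lts: add memcached; note phamm status") keeps the history searchable. The phamm note itself should read "no upstream fix yet" rather than "no upstream fixed yet". The new memcached entry also carries no NOTE, unlike its neighbours mcollective and ming; a pointer to the open issue(s) it is queued for would save the next triager a lookup.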
[Secure-testing-commits] r53696 - data
Author: agx Date: 2017-07-20 06:35:14 + (Thu, 20 Jul 2017) New Revision: 53696 Modified: data/dla-needed.txt Log: lts: Add phamm to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-20 06:31:27 UTC (rev 53695) +++ data/dla-needed.txt 2017-07-20 06:35:14 UTC (rev 53696) @@ -133,6 +133,8 @@ -- openjdk-7 (Emilio Pozuelo) -- +phamm +-- php5 (Markus Koschany) NOTE: A few more tests. Release date either 18.07 or 19.07. -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
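Review bot: the new phamm entry has no NOTE saying which issue it is queued for. r53689 already records CVE-2017-0378 against phamm with bug #868988 and https://github.com/lota/phamm/issues/21, so add a NOTE with that reference here so the claimant does not have to re-derive it from the CVE list.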
[Secure-testing-commits] r53695 - data
Author: seb Date: 2017-07-20 06:31:27 + (Thu, 20 Jul 2017) New Revision: 53695 Modified: data/dsa-needed.txt Log: Take ruby-mixlib-archive Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-20 06:08:52 UTC (rev 53694) +++ data/dsa-needed.txt 2017-07-20 06:31:27 UTC (rev 53695) @@ -54,7 +54,8 @@ qemu Maintainer asked to prepare updates -- -ruby-mixlib-archive +ruby-mixlib-archive (seb) + Maintainer prepared upload, acked -- sudo (carnil) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53694 - data/CVE
Author: carnil Date: 2017-07-20 06:08:52 + (Thu, 20 Jul 2017) New Revision: 53694 Modified: data/CVE/list Log: Add one openjdk issue, CVE-2017-10135 Modified: data/CVE/list === --- data/CVE/list 2017-07-20 06:04:59 UTC (rev 53693) +++ data/CVE/list 2017-07-20 06:08:52 UTC (rev 53694) @@ -3915,8 +3915,13 @@ RESERVED CVE-2017-10136 RESERVED -CVE-2017-10135 +CVE-2017-10135 [OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760)] RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 + NOTE: OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/079cd6c5de27 CVE-2017-10134 RESERVED CVE-2017-10133 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
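Review bot: the new "- openjdk-6" line has no wheezy annotation, while r53675 added "[wheezy] - openjdk-6" (marked end-of-life per that log) to the other CVE-2017-101xx openjdk entries; add the same line here so CVE-2017-10135 is not the one issue still showing openjdk-6 as open in wheezy. The NOTE only gives the jdk8u commit; if the openjdk-7 fix lands in a different changeset, a second NOTE for it will be needed by whoever picks up openjdk-7/oldstable.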
[Secure-testing-commits] r53693 - data/CVE
Author: carnil Date: 2017-07-20 06:04:59 + (Thu, 20 Jul 2017) New Revision: 53693 Modified: data/CVE/list Log: Add CVE-2017-11473 Modified: data/CVE/list === --- data/CVE/list 2017-07-20 06:04:48 UTC (rev 53692) +++ data/CVE/list 2017-07-20 06:04:59 UTC (rev 53693) @@ -1,3 +1,5 @@ +CVE-2017-11473 [x86/acpi: Prevent out of bound access caused by broken ACPI tables] + - linux CVE-2017-11472 [ACPICA: Namespace: fix operand cache leak] - linux NOTE: Fixed by: https://git.kernel.org/linus/3b2d69114fefa474fca542e51119036dceb4aa6f (4.12-rc1) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
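Review bot: unlike the sibling CVE-2017-11472 entry directly below it, CVE-2017-11473 has neither a "NOTE: Fixed by:" reference nor a fixed version after "- linux"; add the upstream commit and the kernel release it landed in, as was done for CVE-2017-11472 ("(4.12-rc1)"), so the stable and LTS status can be derived without re-searching the kernel tree.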
[Secure-testing-commits] r53692 - data/CVE
Author: carnil Date: 2017-07-20 06:04:48 + (Thu, 20 Jul 2017) New Revision: 53692 Modified: data/CVE/list Log: Add CVE-2017-11472 Modified: data/CVE/list === --- data/CVE/list 2017-07-20 05:53:56 UTC (rev 53691) +++ data/CVE/list 2017-07-20 06:04:48 UTC (rev 53692) @@ -1,3 +1,6 @@ +CVE-2017-11472 [ACPICA: Namespace: fix operand cache leak] + - linux + NOTE: Fixed by: https://git.kernel.org/linus/3b2d69114fefa474fca542e51119036dceb4aa6f (4.12-rc1) CVE-2017-11466 NOT-FOR-US: dotCMS CVE-2017-11463 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53691 - data/CVE
Author: carnil Date: 2017-07-20 05:53:56 + (Thu, 20 Jul 2017) New Revision: 53691 Modified: data/CVE/list Log: Two new glpi issues Modified: data/CVE/list === --- data/CVE/list 2017-07-20 05:53:40 UTC (rev 53690) +++ data/CVE/list 2017-07-20 05:53:56 UTC (rev 53691) @@ -38234,13 +38234,15 @@ NOTE: seem to be the ultimate fix upstream, introducing commit should as well still be NOTE: found. CVE-2016-7509 (Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote ...) - TODO: check + - glpi (unimportant) + NOTE: Only supported behind an authenticated HTTP zone CVE-2016-7508 (Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/issues/1047 NOTE: Only supported behind an authenticated HTTP zone CVE-2016-7507 (Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows ...) - TODO: check + - glpi (unimportant) + NOTE: Only supported behind an authenticated HTTP zone CVE-2016-7506 (An out-of-bounds read vulnerability was observed in Sp_replace_regexp ...) NOT-FOR-US: MuJS CVE-2016-7505 (A buffer overflow vulnerability was observed in divby function of ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
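Review bot: the log "Two new glpi issues" is misleading: CVE-2016-7509 and CVE-2016-7507 are existing entries moved from "TODO: check" to triaged, not new additions. Both copy the "Only supported behind an authenticated HTTP zone" rationale from CVE-2016-7508, but unlike that entry they carry no upstream issue link; add one per issue (CVE-2016-7508 points at https://github.com/glpi-project/glpi/issues/1047), or state that no upstream report exists.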
[Secure-testing-commits] r53690 - data/CVE
Author: carnil Date: 2017-07-20 05:53:40 + (Thu, 20 Jul 2017) New Revision: 53690 Modified: data/CVE/list Log: Process some IBM specific CVEs as NFU Modified: data/CVE/list === --- data/CVE/list 2017-07-20 03:39:48 UTC (rev 53689) +++ data/CVE/list 2017-07-20 05:53:40 UTC (rev 53690) @@ -28617,7 +28617,7 @@ CVE-2017-1310 (IBM Informix Dynamic Server 12.1 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2017-1309 (IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1308 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1307 @@ -28787,9 +28787,9 @@ CVE-2017-1225 RESERVED CVE-2017-1224 (IBM Tivoli Endpoint Manager uses weaker than expected cryptographic ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1223 (IBM Tivoli Endpoint Manager could allow a remote attacker to conduct ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1222 RESERVED CVE-2017-1221 @@ -28797,9 +28797,9 @@ CVE-2017-1220 RESERVED CVE-2017-1219 (IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1218 (IBM Tivoli Endpoint Manager is vulnerable to cross-site request ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1217 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1216 @@ -28829,7 +28829,7 @@ CVE-2017-1204 RESERVED CVE-2017-1203 (IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1202 RESERVED CVE-2017-1201 
@@ -43322,7 +43322,7 @@ CVE-2016-6019 (IBM Emptoris Strategic Supply Management Platform 10.0.0.x through ...) NOT-FOR-US: IBM CVE-2016-6018 (IBM Emptoris Contract Management 10.0 and 10.1 reveals detailed error ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-6017 RESERVED CVE-2016-6016 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53689 - data/CVE
Author: carnil Date: 2017-07-20 03:39:48 + (Thu, 20 Jul 2017) New Revision: 53689 Modified: data/CVE/list Log: Add CVE-2017-0378/phamm to CVE list Modified: data/CVE/list === --- data/CVE/list 2017-07-20 03:11:10 UTC (rev 53688) +++ data/CVE/list 2017-07-20 03:39:48 UTC (rev 53689) @@ -30836,8 +30836,10 @@ RESERVED CVE-2017-0379 RESERVED -CVE-2017-0378 +CVE-2017-0378 [reflected XSS] RESERVED + - phamm (bug #868988) + NOTE: https://github.com/lota/phamm/issues/21 CVE-2017-0377 (Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only ...) - tor (Affects only 0.3.x series) NOTE: https://trac.torproject.org/projects/tor/ticket/22753 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
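Review bot: the bracketed description "[reflected XSS]" does not identify the product; the form used for CVE-2017-10135 in r53694, "[OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760)]", suggests "[phamm: reflected XSS ...]". The entry has no fixed version and no fix reference, only the upstream issue link, so it should also say whether an upstream fix exists (r53697 later records in dla-needed.txt that it does not); that belongs in this entry too, since the CVE list is what the LTS claimant reads first.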
[Secure-testing-commits] r53688 - data/CVE
Author: carnil Date: 2017-07-20 03:11:10 + (Thu, 20 Jul 2017) New Revision: 53688 Modified: data/CVE/list Log: Add reference to SuSE patch for CVE-2017-9765 Modified: data/CVE/list === --- data/CVE/list 2017-07-20 02:15:33 UTC (rev 53687) +++ data/CVE/list 2017-07-20 03:11:10 UTC (rev 53688) @@ -4341,6 +4341,7 @@ - gsoap 2.8.48-1 NOTE: http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions NOTE: https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017) + NOTE: SuSE patch: https://bugzilla.suse.com/attachment.cgi?id=733005 CVE-2017-9764 (Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows ...) TODO: check CVE-2017-9780 (In Flatpak before 0.8.7, a third-party app repository could include ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53687 - data/CVE
Author: fgeek-guest Date: 2017-07-20 02:15:33 + (Thu, 20 Jul 2017) New Revision: 53687 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-07-19 21:10:15 UTC (rev 53686) +++ data/CVE/list 2017-07-20 02:15:33 UTC (rev 53687) @@ -1,3 +1,5 @@ +CVE-2017-11466 + NOT-FOR-US: dotCMS CVE-2017-11463 RESERVED CVE-2017-11462 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53686 - data/CVE
Author: sectracker Date: 2017-07-19 21:10:15 + (Wed, 19 Jul 2017) New Revision: 53686 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-07-19 20:48:57 UTC (rev 53685) +++ data/CVE/list 2017-07-19 21:10:15 UTC (rev 53686) @@ -1,3 +1,17 @@ +CVE-2017-11463 + RESERVED +CVE-2017-11462 + RESERVED +CVE-2017-11461 + RESERVED +CVE-2017-11460 + RESERVED +CVE-2017-11459 + RESERVED +CVE-2017-11458 + RESERVED +CVE-2017-11457 + RESERVED CVE-2017-11456 (Geneko GWR routers allow directory traversal sequences starting with a ...) NOT-FOR-US: Geneko GWR routers CVE-2017-11455 
@@ -11,19 +25,23 @@ CVE-2017-11451 RESERVED CVE-2017-11450 (coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to ...) + {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867894) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/948356eec65aea91995d4b7cc487d197d2c5f602 CVE-2017-11449 (coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable ...) + {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867896) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce NOTE: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce CVE-2017-11448 (The ReadJPEGImage function in coders/jpeg.c in ImageMagick before ...) + {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867893) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1737ac82b335e53376382c07b9a500d73dd2aa11 CVE-2017-11447 (The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick ...) + {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867897) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae#diff-0a5dc34e461f3c458e758c199f2dc46d @@ -980,7 +998,7 @@ NOT-FOR-US: plotly.js (different from the plotly Python package) CVE-2017-105 (PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the ...) NOT-FOR-US: PHPMiniAdmin -CVE-2017-104 (ATutor versions 2.2.1 and earlier are vulnerable to a SQL injection ...) +CVE-2017-104 (ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in ...) NOT-FOR-US: ATutor CVE-2017-103 (ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access ...) NOT-FOR-US: ATutor 
@@ -4321,8 +4339,8 @@ - gsoap 2.8.48-1 NOTE: http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions NOTE: https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017) -CVE-2017-9764 - RESERVED +CVE-2017-9764 (Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows ...) + TODO: check CVE-2017-9780 (In Flatpak before 0.8.7, a third-party app repository could include ...) {DSA-3895-1} - flatpak 0.8.7-1 (bug #865413) @@ -9469,8 +9487,8 @@ NOT-FOR-US: Samsung CVE-2017-7979 (The cookie feature in the packet action API implementation in ...) - linux (Only affects 4.11-rc1 onwards) -CVE-2017-7977 - RESERVED +CVE-2017-7977 (The Screensavercc component in eLux RP before 5.5.0 allows attackers ...) + TODO: check CVE-2017-7976 (Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of ...) {DSA-3855-1 DLA-942-1} - jbig2dec 0.13-4.1 (bug #860787) @@ -28595,8 +28613,8 @@ RESERVED CVE-2017-1310 (IBM Informix Dynamic Server 12.1 could allow an authenticated user to ...) NOT-FOR-US: IBM -CVE-2017-1309 - RESERVED +CVE-2017-1309 (IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user ...) + TODO: check CVE-2017-1308 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1307 @@ -28765,20 +28783,20 @@ RESERVED CVE-2017-1225 RESERVED -CVE-2017-1224 - RESERVED -CVE-2017-1223 - RESERVED +CVE-2017-1224 (IBM Tivoli Endpoint Manager uses weaker than expected cryptographic ...) + TODO: check +CVE-2017-1223 (IBM Tivoli Endpoint Manager could allow a remote attacker to conduct ...) + TODO: check CVE-2017-1222 RESERVED CVE-2017-1221 RESERVED CVE-2017-1220 RESERVED -CVE-2017-1219 - RESERVED -CVE-2017-1218 - RESERVED +CVE-2017-1219 (IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity ...
[Secure-testing-commits] r53685 - data/CVE
Author: fgeek-guest Date: 2017-07-19 20:48:57 + (Wed, 19 Jul 2017) New Revision: 53685 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-07-19 20:35:13 UTC (rev 53684) +++ data/CVE/list 2017-07-19 20:48:57 UTC (rev 53685) @@ -2171,6 +2171,8 @@ RESERVED CVE-2017-10674 (Antiy Antivirus Engine 5.0.0.06281654 allows local users to cause a ...) NOT-FOR-US: Antiy Antivirus Engine +CVE-2015-9106 + NOT-FOR-US: WordPress plugin the-holiday-calendar CVE-2015-9105 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Video ...) NOT-FOR-US: Synology CVE-2015-9104 (Cross-site scripting (XSS) vulnerabilities in Synology Audio Station ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53684 - data
Author: anarcat Date: 2017-07-19 20:35:13 + (Wed, 19 Jul 2017) New Revision: 53684 Modified: data/dla-needed.txt Log: LTS: claim tcpdump Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 20:21:20 UTC (rev 53683) +++ data/dla-needed.txt 2017-07-19 20:35:13 UTC (rev 53684) @@ -164,7 +164,7 @@ -- swftools -- -tcpdump +tcpdump (Antoine Beaupre) -- teamspeak-client NOTE: non-free ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53683 - data/CVE
Author: carnil Date: 2017-07-19 20:21:20 + (Wed, 19 Jul 2017) New Revision: 53683 Modified: data/CVE/list Log: Add bug reference for libmspack issue, #868956 Modified: data/CVE/list === --- data/CVE/list 2017-07-19 20:19:55 UTC (rev 53682) +++ data/CVE/list 2017-07-19 20:21:20 UTC (rev 53683) @@ -80,7 +80,7 @@ CVE-2017-11424 RESERVED CVE-2017-11423 (The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, ...) - - libmspack + - libmspack (bug #868956) NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public) NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul CVE-2017-11422 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53682 - data/CVE
Author: carnil Date: 2017-07-19 20:19:55 + (Wed, 19 Jul 2017) New Revision: 53682 Modified: data/CVE/list Log: Add Info for CVE-2017-11423 Modified: data/CVE/list === --- data/CVE/list 2017-07-19 19:10:54 UTC (rev 53681) +++ data/CVE/list 2017-07-19 20:19:55 UTC (rev 53682) @@ -81,6 +81,8 @@ RESERVED CVE-2017-11423 (The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, ...) - libmspack + NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public) + NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul CVE-2017-11422 RESERVED CVE-2017-11420 (Stack-based buffer overflow in ASUS_Discovery.c in networkmap in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53680 - data/CVE
Author: carnil Date: 2017-07-19 19:10:03 + (Wed, 19 Jul 2017) New Revision: 53680 Modified: data/CVE/list Log: Mark CVE-2017-11310 as not-affected Modified: data/CVE/list === --- data/CVE/list 2017-07-19 19:03:38 UTC (rev 53679) +++ data/CVE/list 2017-07-19 19:10:03 UTC (rev 53680) @@ -403,7 +403,7 @@ - libopenmpt 0.2.8461~beta26-1 (bug #867579) [stretch] - libopenmpt (Scheduled for point release) CVE-2017-11310 (The read_user_chunk_callback function in coders\png.c in ImageMagick ...) - - imagemagick + - imagemagick (Vulnerable code not present, Only affects ImageMagick-7) NOTE: https://github.com/ImageMagick/ImageMagick/issues/517 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/8ca35831e91c3db8c6d281d09b605001003bec08 CVE-2017-11309 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
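Review bot: as rendered, the changed line reads "- imagemagick (Vulnerable code not present, Only affects ImageMagick-7)" with the justification only; the log says the issue is marked not-affected, which is expressed in this file by a tag in front of the parenthesised reason. Confirm the tag is present in the committed line, otherwise the tracker keeps listing imagemagick as unfixed for CVE-2017-11310 despite this commit. Minor: "Only" need not be capitalised after the comma.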
[Secure-testing-commits] r53681 - data/CVE
Author: carnil Date: 2017-07-19 19:10:54 + (Wed, 19 Jul 2017) New Revision: 53681 Modified: data/CVE/list Log: Add bug reference for CVE-2017-11446, #868950 Modified: data/CVE/list === --- data/CVE/list 2017-07-19 19:10:03 UTC (rev 53680) +++ data/CVE/list 2017-07-19 19:10:54 UTC (rev 53681) @@ -28,7 +28,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae#diff-0a5dc34e461f3c458e758c199f2dc46d CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has an ...) - - imagemagick + - imagemagick (bug #868950) NOTE: https://github.com/ImageMagick/ImageMagick/issues/537 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/787ee25e9fb0e4e0509121342371d925fe5044f8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/96182884778bfc43d6a9a0abd90cedb5d8cf8977 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53679 - data
Author: jmm Date: 2017-07-19 19:03:38 + (Wed, 19 Jul 2017) New Revision: 53679 Modified: data/dsa-needed.txt Log: add imagemagick issue Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-19 19:01:51 UTC (rev 53678) +++ data/dsa-needed.txt 2017-07-19 19:03:38 UTC (rev 53679) @@ -23,6 +23,9 @@ -- icedove -- +imagemagick + wait until more issues have piled up +-- ipsec-tools -- libav/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53678 - data
Author: jmm Date: 2017-07-19 19:01:51 + (Wed, 19 Jul 2017) New Revision: 53678 Modified: data/dsa-needed.txt Log: claim openjdk Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-19 17:17:07 UTC (rev 53677) +++ data/dsa-needed.txt 2017-07-19 19:01:51 UTC (rev 53678) @@ -37,9 +37,9 @@ -- mysql-5.5 -- -openjdk-7/oldstable +openjdk-7/oldstable (jmm) -- -openjdk-8/stable +openjdk-8/stable (jmm) -- php-horde-image -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53677 - data
Author: anarcat Date: 2017-07-19 17:17:07 + (Wed, 19 Jul 2017) New Revision: 53677 Modified: data/dla-needed.txt Log: claim apache Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 16:51:48 UTC (rev 53676) +++ data/dla-needed.txt 2017-07-19 17:17:07 UTC (rev 53677) @@ -10,7 +10,7 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -apache2 +apache2 (Antoine Beaupre) NOTE: There was a regression introduced in DLA-841-1 (2.2.22-13+deb7u8) NOTE: See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53676 - data
Author: anarcat Date: 2017-07-19 16:51:48 + (Wed, 19 Jul 2017) New Revision: 53676 Modified: data/dla-needed.txt Log: unclaim ipsec-tools: let's wait for upstream more Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 16:25:24 UTC (rev 53675) +++ data/dla-needed.txt 2017-07-19 16:51:48 UTC (rev 53676) @@ -51,7 +51,10 @@ -- imagemagick (Roberto C. Sánchez) -- -ipsec-tools (Antoine Beaupre) +ipsec-tools + NOTE: patch disputed. sent a new version which needs a review. + NOTE: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 + NOTE: no PoC makes this hard to test, obviously. -- irssi NOTE: Maintainer plan to do the update. The issue is not urgent according to ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
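Review bot: "sent a new version which needs a review" does not say where the new version was sent; r53669 recorded the discussion at https://bugs.debian.org/867986#19, so add that URL next to the NetBSD PR so the next claimant can find the revised patch without searching the bug log. The entry also lost its claimant but gained no date, while neighbouring entries date their status notes ("20170719:", "20170707:"); a date on the "patch disputed" line would show how long it has been waiting on upstream.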
[Secure-testing-commits] r53675 - data/CVE
Author: pochu Date: 2017-07-19 16:25:24 + (Wed, 19 Jul 2017) New Revision: 53675 Modified: data/CVE/list Log: mark openjdk-6 as EOL for wheezy Modified: data/CVE/list === --- data/CVE/list 2017-07-19 15:05:04 UTC (rev 53674) +++ data/CVE/list 2017-07-19 16:25:24 UTC (rev 53675) @@ -3612,6 +3612,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 NOTE: Possibly limited to Oracle Java CVE-2017-10242 RESERVED @@ -3743,6 +3744,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10197 RESERVED CVE-2017-10196 @@ -3757,6 +3759,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10192 RESERVED CVE-2017-10191 @@ -3848,6 +3851,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10152 RESERVED CVE-2017-10151 @@ -3936,12 +3940,14 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10115 RESERVED - openjdk-9 - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10114 RESERVED - openjfx @@ -3959,24 +3965,28 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10109 RESERVED - openjdk-9 - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10108 RESERVED - openjdk-9 - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10107 RESERVED - openjdk-9 - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10106 RESERVED CVE-2017-10105 @@ -4039,6 +4049,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10088 RESERVED CVE-2017-10087 @@ -4047,6 +4058,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10086 RESERVED - openjfx @@ -4064,6 +4076,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10080 RESERVED CVE-2017-10079 @@ -4084,6 +4097,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10073 RESERVED CVE-2017-10072 @@ -4102,6 +4116,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10066 RESERVED CVE-2017-10065 
@@ -4134,6 +4149,7 @@ - openjdk-8 - openjdk-7 - openjdk-6 + [wheezy] - openjdk-6 CVE-2017-10052 RESERVED CVE-2017-10051 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
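Review bot: every added line is shown as a bare "[wheezy] - openjdk-6", with no marker, although the log says openjdk-6 is being marked end-of-life in wheezy; confirm the end-of-life tag survived in the committed lines, because a bare "[wheezy] - openjdk-6" would instead assert that each issue is still open there. The same line was not given to CVE-2017-10135, which r53694 added later to the same package set, so a follow-up is needed to keep the July openjdk entries consistent.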
[Secure-testing-commits] r53674 - data
Author: pochu Date: 2017-07-19 15:05:04 + (Wed, 19 Jul 2017) New Revision: 53674 Modified: data/dla-needed.txt Log: dla: claim ncurses Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 14:49:27 UTC (rev 53673) +++ data/dla-needed.txt 2017-07-19 15:05:04 UTC (rev 53674) @@ -123,7 +123,7 @@ nasm NOTE: 20170702 sent email to maintainer -- -ncurses +ncurses (Emilio Pozuelo) -- openexr NOTE: 20170707: Pinged upstream (lamby) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53673 - data
Author: pochu Date: 2017-07-19 14:49:27 + (Wed, 19 Jul 2017) New Revision: 53673 Modified: data/dla-needed.txt Log: dla: claim poppler Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 14:47:22 UTC (rev 53672) +++ data/dla-needed.txt 2017-07-19 14:49:27 UTC (rev 53673) @@ -133,7 +133,7 @@ php5 (Markus Koschany) NOTE: A few more tests. Release date either 18.07 or 19.07. -- -poppler +poppler (Emilio Pozuelo) NOTE: patch available for CVE-2017-9865 but not fixed upstream NOTE: yet. two more issues fixed upstream, but not in a release nor NOTE: unstable. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53672 - data
Author: pochu Date: 2017-07-19 14:47:22 + (Wed, 19 Jul 2017) New Revision: 53672 Modified: data/dla-needed.txt Log: dla: update status of ming Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 14:44:38 UTC (rev 53671) +++ data/dla-needed.txt 2017-07-19 14:47:22 UTC (rev 53672) @@ -106,7 +106,7 @@ NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html -- ming (Emilio Pozuelo) - NOTE: only available in Wheezy and probably orphaned + NOTE: 20170719: patches unavailable -- mosquitto (Roger A. Leigh/Gianfranco Costamagna) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
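Review bot: the replacement drops the information that ming is only in wheezy and probably orphaned, which still matters for deciding whether LTS has to carry the fix alone; keep that as a second NOTE line alongside "20170719: patches unavailable" instead of overwriting it.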
[Secure-testing-commits] r53671 - data/CVE
Author: pochu Date: 2017-07-19 14:44:38 + (Wed, 19 Jul 2017) New Revision: 53671 Modified: data/CVE/list Log: mark chicken as no-dsa in wheezy Modified: data/CVE/list === --- data/CVE/list 2017-07-19 14:35:21 UTC (rev 53670) +++ data/CVE/list 2017-07-19 14:44:38 UTC (rev 53671) @@ -274,6 +274,7 @@ - chicken [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) + [wheezy] - chicken (Minor issue) NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg0.html CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A ...) - libsass (bug #868577) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53670 - data/CVE
Author: pochu Date: 2017-07-19 14:35:21 + (Wed, 19 Jul 2017) New Revision: 53670 Modified: data/CVE/list Log: mark cairo as no-dsa in wheezy Modified: data/CVE/list === --- data/CVE/list 2017-07-19 14:34:44 UTC (rev 53669) +++ data/CVE/list 2017-07-19 14:35:21 UTC (rev 53670) @@ -2819,6 +2819,7 @@ - cairo (low; bug #868580) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) + [wheezy] - cairo (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101547 CVE-2017-9813 (In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack ...) NOT-FOR-US: Kaspersky Anti-Virus @@ -11256,6 +11257,7 @@ - cairo (low) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) + [wheezy] - cairo (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100763 CVE-2017-7474 (It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not ...) NOT-FOR-US: Keycloak ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53669 - data/CVE
Author: carnil Date: 2017-07-19 14:34:44 + (Wed, 19 Jul 2017) New Revision: 53669 Modified: data/CVE/list Log: Add reference to the comment on the patch Modified: data/CVE/list === --- data/CVE/list 2017-07-19 14:32:01 UTC (rev 53668) +++ data/CVE/list 2017-07-19 14:34:44 UTC (rev 53669) @@ -1611,7 +1611,7 @@ - ipsec-tools (bug #867986) NOTE: NetBSD applied patch: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.5&r2=1.5.36.1 NOTE: NetBSD Problem report: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 - NOTE: patch disputed + NOTE: patch disputed, cf. https://bugs.debian.org/867986#19 CVE-2017-10929 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 ...) {DLA-1016-1} - radare2 (low; bug #867369) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53668 - data/CVE
Author: anarcat Date: 2017-07-19 14:32:01 + (Wed, 19 Jul 2017) New Revision: 53668 Modified: data/CVE/list Log: note the ipsec-tools patch is disputed Modified: data/CVE/list === --- data/CVE/list 2017-07-19 14:31:21 UTC (rev 53667) +++ data/CVE/list 2017-07-19 14:32:01 UTC (rev 53668) @@ -1611,6 +1611,7 @@ - ipsec-tools (bug #867986) NOTE: NetBSD applied patch: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.5&r2=1.5.36.1 NOTE: NetBSD Problem report: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 + NOTE: patch disputed CVE-2017-10929 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 ...) {DLA-1016-1} - radare2 (low; bug #867369) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53667 - data/DLA
Author: anarcat Date: 2017-07-19 14:31:21 + (Wed, 19 Jul 2017) New Revision: 53667 Modified: data/DLA/list Log: reserve DLA-1032-1 for u-u Modified: data/DLA/list === --- data/DLA/list 2017-07-19 13:11:17 UTC (rev 53666) +++ data/DLA/list 2017-07-19 14:31:21 UTC (rev 53667) @@ -1,3 +1,5 @@ +[19 Jul 2017] DLA-1032-1 unattended-upgrades - regression update + [wheezy] - unattended-upgrades 0.79.5+wheezy3 [18 Jul 2017] DLA-1031-1 evince - security update {CVE-2017-183} [wheezy] - evince 3.4.0-3.1+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53666 - in data: . CVE
Author: jmm Date: 2017-07-19 13:11:17 + (Wed, 19 Jul 2017) New Revision: 53666 Modified: data/CVE/list data/dsa-needed.txt Log: vbox issues add openjdk to dsa-needed Modified: data/CVE/list === --- data/CVE/list 2017-07-19 12:05:57 UTC (rev 53665) +++ data/CVE/list 2017-07-19 13:11:17 UTC (rev 53666) @@ -3612,24 +3612,51 @@ NOTE: Possibly limited to Oracle Java CVE-2017-10242 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10241 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10240 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10239 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10238 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10237 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10236 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10235 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10234 RESERVED CVE-2017-10233 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10232 RESERVED CVE-2017-10231 @@ -3676,8 +3703,14 @@ RESERVED CVE-2017-10210 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10209 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10208 RESERVED CVE-2017-10207 
@@ -3688,6 +3721,9 @@ RESERVED CVE-2017-10204 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10203 RESERVED CVE-2017-10202 @@ -3730,6 +3766,9 @@ RESERVED CVE-2017-10187 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10186 RESERVED CVE-2017-10185 @@ -3854,6 +3893,9 @@ RESERVED CVE-2017-10129 RESERVED + - virtualbox 5.1.24-dfsg-1 + [jessie] - virtualbox (DSA-3699-1) + [wheezy] - virtualbox (DSA 3454) CVE-2017-10128 RESERVED CVE-2017-10127 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-19 12:05:57 UTC (rev 53665) +++ data/dsa-needed.txt 2017-07-19 13:11:17 UTC (rev 53666) @@ -37,6 +37,10 @@ -- mysql-5.5 -- +openjdk-7/oldstable +-- +openjdk-8/stable +-- php-horde-image -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
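Review bot: in every added virtualbox block the two release lines cite the earlier advisories in two different formats, `[jessie] - virtualbox (DSA-3699-1)` and `[wheezy] - virtualbox (DSA 3454)`; pick one form (the `DSA-NNNN-N` style used for jessie matches the rest of the tracker) so the references resolve consistently across all fourteen entries. Also, CVE-2017-10234 and CVE-2017-10232 sit between the updated entries and stay bare RESERVED; if they are Oracle-only or not virtualbox, a NOTE saying so would stop them from being re-triaged.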
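Review bot: `openjdk-7/oldstable` and `openjdk-8/stable` are added to dsa-needed.txt with no claimer and no NOTE on which CVE batch they cover, while the commit log only says "vbox issues"; a NOTE line pointing at the openjdk CVE block would make the queue entry self-explanatory for whoever picks it up.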
[Secure-testing-commits] r53665 - data
Author: santiago Date: 2017-07-19 12:05:57 + (Wed, 19 Jul 2017) New Revision: 53665 Modified: data/dsa-needed.txt Log: preparing debdiff for atril Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-19 11:34:59 UTC (rev 53664) +++ data/dsa-needed.txt 2017-07-19 12:05:57 UTC (rev 53665) @@ -15,6 +15,7 @@ 389-ds-base (fw) -- atril + santiago sent a patch, and is preparing a debdiff for jessie and stretch -- chromium-browser -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
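Review bot: the claim is recorded only inside the note (`santiago sent a patch, and is preparing a debdiff for jessie and stretch`), whereas dsa-needed.txt marks the person working on a package on the package line itself, as `389-ds-base (fw)` two lines above shows. Suggest `atril (santiago)` with the NOTE kept, so tooling and other triagers see the entry as claimed.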
[Secure-testing-commits] r53664 - data
Author: pochu Date: 2017-07-19 11:34:59 + (Wed, 19 Jul 2017) New Revision: 53664 Modified: data/dla-needed.txt Log: dla: claim openjdk-7 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 11:33:36 UTC (rev 53663) +++ data/dla-needed.txt 2017-07-19 11:34:59 UTC (rev 53664) @@ -128,6 +128,8 @@ openexr NOTE: 20170707: Pinged upstream (lamby) -- +openjdk-7 (Emilio Pozuelo) +-- php5 (Markus Koschany) NOTE: A few more tests. Release date either 18.07 or 19.07. -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53663 - data
Author: pochu Date: 2017-07-19 11:33:36 + (Wed, 19 Jul 2017) New Revision: 53663 Modified: data/dla-needed.txt Log: dla: claim mysql-5.5 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 10:31:15 UTC (rev 53662) +++ data/dla-needed.txt 2017-07-19 11:33:36 UTC (rev 53663) @@ -112,6 +112,8 @@ -- mupdf -- +mysql-5.5 (Emilio Pozuelo) +-- mysql-connector-python NOTE: No patch to apply. Upstream has released new upstream version 2.1.6 NOTE: with claimed fixes. Diff from prior version is 2198 lines long and ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53662 - data/CVE
Author: carnil Date: 2017-07-19 10:31:15 + (Wed, 19 Jul 2017) New Revision: 53662 Modified: data/CVE/list Log: Add six new wireshark issues Modified: data/CVE/list === --- data/CVE/list 2017-07-19 10:24:27 UTC (rev 53661) +++ data/CVE/list 2017-07-19 10:31:15 UTC (rev 53662) 
@@ -102,17 +102,36 @@ CVE-2017-11412 (Fiyo CMS 2.0.7 has SQL injection in ...) NOT-FOR-US: Fiyo CMS CVE-2017-11411 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13755 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a83a324acdfc07a0ca8b65e6ebaba3374ab19c76 + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html CVE-2017-11410 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13796 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3c7168cc5f044b4da8747d35da0b2b204dabf398 + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-13.html CVE-2017-11409 (In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13603 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=57b83bbbd76f543eb8d108919f13b662910bff9a + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-37.html CVE-2017-11408 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13780 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a102c172b0b2fe231fdb49f4f6694603f5b93b0c + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e57c86ef8e3b57b7f90c224f6053d1eacf20e1ba + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-34.html CVE-2017-11407 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could ...) 
- TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13792 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4e54dae7f0d7840836ee6d5ce1e688f152ab2978 + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-35.html CVE-2017-11406 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13797 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=250216263c3a3f2c651e80d9c6b3dc0adc53dc2c + NOTE: https://www.wireshark.org/security/wnpa-sec-2017-36.html CVE-2017-11405 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) NOT-FOR-US: CMS Made Simple CVE-2017-11404 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
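Review bot: all six entries go from `TODO: check` to a bare `- wireshark` with no fixed version and no severity, so unstable is marked vulnerable with nothing telling the next triager which release fixes them; the linked wnpa-sec advisories should name the fixed upstream versions, so recording those (and the Debian version once uploaded) would close the loop. Note also that the CVE-2017-11409 description covers only 2.0.0 to 2.0.13, unlike the others which include 2.2.x; if the packaged branch is 2.2.x, that entry may warrant a not-affected marker rather than a plain `- wireshark`.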
[Secure-testing-commits] r53661 - data/CVE
Author: carnil Date: 2017-07-19 10:24:27 + (Wed, 19 Jul 2017) New Revision: 53661 Modified: data/CVE/list Log: Add new imagemagick issue Modified: data/CVE/list === --- data/CVE/list 2017-07-19 10:22:31 UTC (rev 53660) +++ data/CVE/list 2017-07-19 10:24:27 UTC (rev 53661) @@ -28,7 +28,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae#diff-0a5dc34e461f3c458e758c199f2dc46d CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has an ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/537 + NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/787ee25e9fb0e4e0509121342371d925fe5044f8 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/96182884778bfc43d6a9a0abd90cedb5d8cf8977 CVE-2017-11445 (Subrion CMS before 4.1.6 has a SQL injection vulnerability in ...) NOT-FOR-US: Subrion CMS CVE-2017-11444 (Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
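Review bot: the new `- imagemagick` line has neither a fixed version nor a bug reference, unlike the sibling ImageMagick entries in this file, which read `- imagemagick 8:6.9.7.4+dfsg-12 (bug #NNNNNN)`; since both the IM7 and the IM6 fixing commits are already linked, a bug should be filed and its number plus the fixing Debian version added, or a severity tag if it is not going to be fixed.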
[Secure-testing-commits] r53660 - data/CVE
Author: carnil Date: 2017-07-19 10:22:31 + (Wed, 19 Jul 2017) New Revision: 53660 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-07-19 10:10:41 UTC (rev 53659) +++ data/CVE/list 2017-07-19 10:22:31 UTC (rev 53660) @@ -1,5 +1,5 @@ CVE-2017-11456 (Geneko GWR routers allow directory traversal sequences starting with a ...) - TODO: check + NOT-FOR-US: Geneko GWR routers CVE-2017-11455 RESERVED CVE-2017-11454 @@ -30,15 +30,15 @@ CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has an ...) TODO: check CVE-2017-11445 (Subrion CMS before 4.1.6 has a SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: Subrion CMS CVE-2017-11444 (Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: Subrion CMS CVE-2017-11443 RESERVED CVE-2017-11442 RESERVED CVE-2017-11441 (The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before ...) - TODO: check + NOT-FOR-US: WHM Upload Locale interface in cPanel CVE-2017-11440 (In Sitecore 8.2, there is absolute path traversal via the ...) TODO: check CVE-2017-11439 (In Sitecore 8.2, there is reflected XSS in the ...) @@ -48,9 +48,9 @@ CVE-2017-11437 RESERVED CVE-2017-11436 (D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2017-11435 (The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an ...) - TODO: check + NOT-FOR-US: Humax Wi-Fi Router model HG100R-* CVE-2017-11434 [slirp: out-of-bounds read while parsing dhcp options] RESERVED - qemu 
@@ -5932,7 +5932,7 @@ CVE-2017-9246 (New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe ...) NOT-FOR-US: New Relic .NET Agent CVE-2017-9245 (The Google News and Weather application before 3.3.1 for Android allows ...) - TODO: check + NOT-FOR-US: Google News and Weather application for Android CVE-2017-9244 RESERVED CVE-2017-9243 (Aries QWR-1104 Wireless-N Router with Firmware Version WRC.253.2.0913 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
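Review bot: CVE-2017-11440 and CVE-2017-11439 (Sitecore 8.2) are left at `TODO: check` in the same hunk that marks every other proprietary product (Geneko, Subrion, cPanel, D-Link, Humax) as NOT-FOR-US; if Sitecore was skipped deliberately, a word in the log would help, otherwise they look like an oversight. Also `NOT-FOR-US: WHM Upload Locale interface in cPanel` and `NOT-FOR-US: Humax Wi-Fi Router model HG100R-*` carry component detail whereas the others name just the product; the shorter form is easier to grep for later.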
[Secure-testing-commits] r53659 - data
Author: alteholz Date: 2017-07-19 10:10:41 + (Wed, 19 Jul 2017) New Revision: 53659 Modified: data/dla-needed.txt Log: add bind9 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-19 09:56:30 UTC (rev 53658) +++ data/dla-needed.txt 2017-07-19 10:10:41 UTC (rev 53659) @@ -14,6 +14,9 @@ NOTE: There was a regression introduced in DLA-841-1 (2.2.22-13+deb7u8) NOTE: See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373 -- +bind9 (Thorsten Alteholz) + NOTE: probably regression introduced in latest upload +-- ca-certificates (Antoine Beaupré) NOTE: 2017-03-27: maintainer will handle the upload, see https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org NOTE: 2017-05-12: Pinged the maintainer -- Raphael Hertzog ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
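Review bot: `NOTE: probably regression introduced in latest upload` names neither the upload nor a bug, whereas the apache2 entry just above it pins its regression to `DLA-841-1 (2.2.22-13+deb7u8)` and links the bug report; suggest recording the suspected DLA or version and the report URL so the entry is actionable by someone other than the claimer.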
[Secure-testing-commits] r53658 - data/CVE
Author: jmm Date: 2017-07-19 09:56:30 + (Wed, 19 Jul 2017) New Revision: 53658 Modified: data/CVE/list Log: new openjdk issues Modified: data/CVE/list === --- data/CVE/list 2017-07-19 09:17:11 UTC (rev 53657) +++ data/CVE/list 2017-07-19 09:56:30 UTC (rev 53658) @@ -3583,6 +3583,11 @@ RESERVED CVE-2017-10243 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 + NOTE: Possibly limited to Oracle Java CVE-2017-10242 RESERVED CVE-2017-10241 @@ -3673,6 +3678,10 @@ RESERVED CVE-2017-10198 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10197 RESERVED CVE-2017-10196 @@ -3683,6 +3692,10 @@ RESERVED CVE-2017-10193 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10192 RESERVED CVE-2017-10191 @@ -3717,6 +3730,9 @@ RESERVED CVE-2017-10176 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 CVE-2017-10175 RESERVED CVE-2017-10174 @@ -3761,8 +3777,13 @@ RESERVED CVE-2017-10154 RESERVED + NOT-FOR-US: Java Advanced Management Console CVE-2017-10153 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10152 RESERVED CVE-2017-10151 @@ -3819,6 +3840,8 @@ RESERVED CVE-2017-10125 RESERVED + - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) + - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-10124 RESERVED CVE-2017-10123 
@@ -3827,46 +3850,92 @@ RESERVED CVE-2017-10121 RESERVED + NOT-FOR-US: Java Advanced Management Console CVE-2017-10120 RESERVED CVE-2017-10119 RESERVED CVE-2017-10118 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 CVE-2017-10117 RESERVED + NOT-FOR-US: Java Advanced Management Console CVE-2017-10116 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10115 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10114 RESERVED + - openjfx CVE-2017-10113 RESERVED CVE-2017-10112 RESERVED CVE-2017-10111 RESERVED + - openjdk-9 + - openjdk-8 CVE-2017-10110 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10109 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10108 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10107 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10106 RESERVED CVE-2017-10105 RESERVED + - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) + - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) + - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-10104 RESERVED + NOT-FOR-US: Java Advanced Management Console CVE-2017-10103 RESERVED CVE-2017-10102 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 + NOTE: Possibly limited to Oracle Java CVE-2017-10101 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 + NOTE: Possibly limited to Oracle Java CVE-2017-10100 RESERVED CVE-2017-10099 @@ -3877,6 +3946,11 @@ RESERVED CVE-2017-10096 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 + NOTE: Possibly limited to Oracle Java CVE-2017-10095 RESERVED CVE-2017-10094 
@@ -3889,14 +3963,26 @@ RESERVED CVE-2017-10090 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 CVE-2017-10089 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10088 RESERVED CVE-2017-10087 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10086 RESERVED + - openjfx CVE-2017-10085 RESERVED CVE-2017-10084 @@ -3907,12 +3993,18 @@ RESERVED CVE-2017-10081 RESERVED + - openjdk-9 + - openjdk-8 + - openjdk-7 + - openjdk-6 CVE-2017-10080 RESERVED CVE-2017-10079 RESERVED CVE-2017-10078 RESERVED + - openjdk-9 + - openjdk-8 CVE-2017-10077 RESE
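Review bot: the lines `- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)` (and the same for openjdk-7 and openjdk-6 under CVE-2017-10125 and CVE-2017-10105) carry the not-affected reason only as a parenthetical, with no explicit status marker on the package line; check that the tracker does not read these as unfixed entries with a note attached. The plain `- openjdk-9` ... `- openjdk-6` lists without versions are expected while the CVEs are RESERVED, but the entries tagged `NOTE: Possibly limited to Oracle Java` (CVE-2017-10243, -10102, -10101, -10096) would benefit from a pointer to what that suspicion is based on, so they can be resolved once the OpenJDK changesets are public.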
[Secure-testing-commits] r53657 - in data: CVE DSA
Author: jmm Date: 2017-07-19 09:17:11 + (Wed, 19 Jul 2017) New Revision: 53657 Modified: data/CVE/list data/DSA/list Log: imagemagick CVEfied Modified: data/CVE/list === --- data/CVE/list 2017-07-19 09:15:52 UTC (rev 53656) +++ data/CVE/list 2017-07-19 09:17:11 UTC (rev 53657) @@ -11,7 +11,9 @@ CVE-2017-11451 RESERVED CVE-2017-11450 (coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to ...) - TODO: check + - imagemagick 8:6.9.7.4+dfsg-12 (bug #867894) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/948356eec65aea91995d4b7cc487d197d2c5f602 CVE-2017-11449 (coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable ...) - imagemagick 8:6.9.7.4+dfsg-12 (bug #867896) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 @@ -291,12 +293,6 @@ - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2715 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 -CVE-2017- [Avoid heap based overflow for jpeg] - - imagemagick 8:6.9.7.4+dfsg-12 (bug #867894) - [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 - [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 - NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 - NOTE: https://github.com/ImageMagick/ImageMagick/commit/948356eec65aea91995d4b7cc487d197d2c5f602 CVE-2017- [memory leak in ReadMATImage in mat.c] - imagemagick 8:6.9.7.4+dfsg-12 (bug #867823) [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 Modified: data/DSA/list === --- data/DSA/list 2017-07-19 09:15:52 UTC (rev 53656) +++ data/DSA/list 2017-07-19 09:17:11 UTC (rev 53657) 
@@ -1,5 +1,5 @@ [18 Jul 2017] DSA-3914-1 imagemagick - security update - {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352 CVE-2017-11449 CVE-2017-11448 CVE-2017-11447} + {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352 CVE-2017-11449 CVE-2017-11448 CVE-2017-11447 CVE-2017-11450} [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 [18 Jul 2017] DSA-3913-1 apache2 - security update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
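Review bot: the removed placeholder `CVE-2017- [Avoid heap based overflow for jpeg]` carried `[stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1` and `[jessie] - imagemagick 8:6.8.9.9-5+deb8u10`, but the new CVE-2017-11450 entry only gets the unstable line; unless the `{DSA-3914-1}` cross-reference is regenerated onto the CVE entry, stretch and jessie appear unfixed for it. Also, the CVE list in the DSA-3914-1 entry is appended out of numeric order (`... CVE-2017-11447 CVE-2017-11450`), which is harmless but makes the advisory's set harder to compare by eye.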
[Secure-testing-commits] r53656 - in data: CVE DSA
Author: jmm Date: 2017-07-19 09:15:52 + (Wed, 19 Jul 2017) New Revision: 53656 Modified: data/CVE/list data/DSA/list Log: imagemagick CVEfied Modified: data/CVE/list === --- data/CVE/list 2017-07-19 09:14:39 UTC (rev 53655) +++ data/CVE/list 2017-07-19 09:15:52 UTC (rev 53656) @@ -22,7 +22,9 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1737ac82b335e53376382c07b9a500d73dd2aa11 CVE-2017-11447 (The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick ...) - TODO: check + - imagemagick 8:6.9.7.4+dfsg-12 (bug #867897) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae#diff-0a5dc34e461f3c458e758c199f2dc46d CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has an ...) TODO: check CVE-2017-11445 (Subrion CMS before 4.1.6 has a SQL injection vulnerability in ...) @@ -289,12 +291,6 @@ - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2715 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 -CVE-2017- [avoid a memory leak during screenshot] - - imagemagick 8:6.9.7.4+dfsg-12 (bug #867897) - [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 - [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 - NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 - NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae#diff-0a5dc34e461f3c458e758c199f2dc46d CVE-2017- [Avoid heap based overflow for jpeg] - imagemagick 8:6.9.7.4+dfsg-12 (bug #867894) [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 Modified: data/DSA/list === --- data/DSA/list 2017-07-19 09:14:39 UTC (rev 53655) +++ data/DSA/list 2017-07-19 09:15:52 UTC (rev 53656) 
@@ -1,5 +1,5 @@ [18 Jul 2017] DSA-3914-1 imagemagick - security update - {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352 CVE-2017-11449 CVE-2017-11448} + {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352 CVE-2017-11449 CVE-2017-11448 CVE-2017-11447} [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 [18 Jul 2017] DSA-3913-1 apache2 - security update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
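Review bot: the placeholder being deleted (`CVE-2017- [avoid a memory leak during screenshot]`) listed fixed stretch and jessie versions, and the replacement CVE-2017-11447 entry does not; the DSA-3914-1 hunk makes the stable fix visible on the DSA side, but the CVE entry itself now shows only `imagemagick 8:6.9.7.4+dfsg-12 (bug #867897)` until the DSA cross-reference is regenerated. Worth checking the stretch and jessie status of CVE-2017-11447 in the tracker after the next automatic update.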
[Secure-testing-commits] r53655 - in data: CVE DSA
Author: jmm Date: 2017-07-19 09:14:39 + (Wed, 19 Jul 2017) New Revision: 53655 Modified: data/CVE/list data/DSA/list Log: imagemagick issue CVEfied Modified: data/CVE/list === --- data/CVE/list 2017-07-19 09:13:37 UTC (rev 53654) +++ data/CVE/list 2017-07-19 09:14:39 UTC (rev 53655) @@ -18,7 +18,9 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce NOTE: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce CVE-2017-11448 (The ReadJPEGImage function in coders/jpeg.c in ImageMagick before ...) - TODO: check + - imagemagick 8:6.9.7.4+dfsg-12 (bug #867893) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/1737ac82b335e53376382c07b9a500d73dd2aa11 CVE-2017-11447 (The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick ...) TODO: check CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has an ...) @@ -304,12 +306,6 @@ [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/525 -CVE-2017- [clear jpeg memory in order to avoid data leak] - - imagemagick 8:6.9.7.4+dfsg-12 (bug #867893) - [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 - [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 - NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 - NOTE: https://github.com/ImageMagick/ImageMagick/commit/1737ac82b335e53376382c07b9a500d73dd2aa11 CVE-2017- [CPU exhaustion in ReadOneDJVUImage] - imagemagick 8:6.9.7.4+dfsg-12 (bug #867826) [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 Modified: data/DSA/list === --- data/DSA/list 2017-07-19 09:13:37 UTC (rev 53654) +++ data/DSA/list 2017-07-19 09:14:39 UTC (rev 53655) 
@@ -1,5 +1,5 @@ [18 Jul 2017] DSA-3914-1 imagemagick - security update - {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352 CVE-2017-11449} + {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352 CVE-2017-11449 CVE-2017-11448} [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 [18 Jul 2017] DSA-3913-1 apache2 - security update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
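Review bot: removing `CVE-2017- [clear jpeg memory in order to avoid data leak]` drops its `[stretch]` and `[jessie]` fixed-version lines, and CVE-2017-11448 is given only the unstable version plus the two upstream links. The DSA-3914-1 list is extended in the same commit, so the stable status now depends on the `{DSA-3914-1}` marker being picked up on the CVE entry; please confirm CVE-2017-11448 shows as fixed for both releases afterwards.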
[Secure-testing-commits] r53654 - in data: CVE DSA
Author: jmm Date: 2017-07-19 09:13:37 + (Wed, 19 Jul 2017) New Revision: 53654 Modified: data/CVE/list data/DSA/list Log: one imagemagick issue CVEfied Modified: data/CVE/list === --- data/CVE/list 2017-07-19 09:10:15 UTC (rev 53653) +++ data/CVE/list 2017-07-19 09:13:37 UTC (rev 53654) @@ -13,7 +13,10 @@ CVE-2017-11450 (coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to ...) TODO: check CVE-2017-11449 (coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable ...) - TODO: check + - imagemagick 8:6.9.7.4+dfsg-12 (bug #867896) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce + NOTE: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce CVE-2017-11448 (The ReadJPEGImage function in coders/jpeg.c in ImageMagick before ...) TODO: check CVE-2017-11447 (The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick ...) 
@@ -332,13 +335,6 @@ [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/506 -CVE-2017- [enable heap overflow check for stdin for mpc files] - - imagemagick 8:6.9.7.4+dfsg-12 (bug #867896) - [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 - [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 - NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 - NOTE: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce - NOTE: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce CVE-2017-11334 [exec: oob access during dma operation] RESERVED - qemu Modified: data/DSA/list === --- data/DSA/list 2017-07-19 09:10:15 UTC (rev 53653) +++ data/DSA/list 2017-07-19 09:13:37 UTC (rev 53654) @@ -1,5 +1,5 @@ [18 Jul 2017] DSA-3914-1 imagemagick - security update - {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352} + {CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170 CVE-2017-11188 CVE-2017-11360 CVE-2017-11352 CVE-2017-11449} [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 [18 Jul 2017] DSA-3913-1 apache2 - security update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
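Review bot: CVE-2017-11449 takes over the placeholder `CVE-2017- [enable heap overflow check for stdin for mpc files]`, but only its unstable line and NOTE links are carried across; the placeholder's `[stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1` and `[jessie] - imagemagick 8:6.8.9.9-5+deb8u10` lines are dropped. Adding CVE-2017-11449 to DSA-3914-1 in data/DSA/list should cover that once the `{DSA-3914-1}` marker is regenerated on the CVE entry, but until then the CVE entry on its own reads as unfixed in both stable releases.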
[Secure-testing-commits] r53653 - data/CVE
Author: sectracker Date: 2017-07-19 09:10:15 + (Wed, 19 Jul 2017) New Revision: 53653 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-07-19 09:03:24 UTC (rev 53652) +++ data/CVE/list 2017-07-19 09:10:15 UTC (rev 53653) @@ -1,3 +1,47 @@ +CVE-2017-11456 (Geneko GWR routers allow directory traversal sequences starting with a ...) + TODO: check +CVE-2017-11455 + RESERVED +CVE-2017-11454 + RESERVED +CVE-2017-11453 + RESERVED +CVE-2017-11452 + RESERVED +CVE-2017-11451 + RESERVED +CVE-2017-11450 (coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to ...) + TODO: check +CVE-2017-11449 (coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable ...) + TODO: check +CVE-2017-11448 (The ReadJPEGImage function in coders/jpeg.c in ImageMagick before ...) + TODO: check +CVE-2017-11447 (The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick ...) + TODO: check +CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has an ...) + TODO: check +CVE-2017-11445 (Subrion CMS before 4.1.6 has a SQL injection vulnerability in ...) + TODO: check +CVE-2017-11444 (Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in ...) + TODO: check +CVE-2017-11443 + RESERVED +CVE-2017-11442 + RESERVED +CVE-2017-11441 (The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before ...) + TODO: check +CVE-2017-11440 (In Sitecore 8.2, there is absolute path traversal via the ...) + TODO: check +CVE-2017-11439 (In Sitecore 8.2, there is reflected XSS in the ...) + TODO: check +CVE-2017-11438 + RESERVED +CVE-2017-11437 + RESERVED +CVE-2017-11436 (D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 ...) + TODO: check +CVE-2017-11435 (The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an ...) + TODO: check CVE-2017-11434 [slirp: out-of-bounds read while parsing dhcp options] RESERVED - qemu 
@@ -45,18 +89,18 @@ NOT-FOR-US: Fiyo CMS CVE-2017-11412 (Fiyo CMS 2.0.7 has SQL injection in ...) NOT-FOR-US: Fiyo CMS -CVE-2017-11411 - RESERVED -CVE-2017-11410 - RESERVED -CVE-2017-11409 - RESERVED -CVE-2017-11408 - RESERVED -CVE-2017-11407 - RESERVED -CVE-2017-11406 - RESERVED +CVE-2017-11411 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY ...) + TODO: check +CVE-2017-11410 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML ...) + TODO: check +CVE-2017-11409 (In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a ...) + TODO: check +CVE-2017-11408 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector ...) + TODO: check +CVE-2017-11407 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could ...) + TODO: check +CVE-2017-11406 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector ...) + TODO: check CVE-2017-11405 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) NOT-FOR-US: CMS Made Simple CVE-2017-11404 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) @@ -159,6 +203,7 @@ CVE-2017-11361 (Inteno routers have a JUCI ACL misconfiguration that allows the "user" ...) NOT-FOR-US: Inteno routers CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) + {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867808) NOTE: https://github.com/ImageMagick/ImageMagick/issues/518 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/224bc946b24824a77e8e8c52ee07e9bc65796e30 @@ -686,6 +731,7 @@ CVE-2017-11171 (Bad reference counting in the context of accept_ice_connection() in ...) - gnome-session 2.30.0-1 CVE-2017-11170 (The ReadTGAImage function in coders\tga.c in ImageMagick 7.0.5-6 has a ...) + {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #868184) NOTE: https://github.com/ImageMagick/ImageMagick/issues/472 CVE-2017-11169 
@@ -865,7 +911,7 @@ CVE-2017-132 (Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow ...) NOTE: Seems like a duplicate, contacted MITRE for rejection CVE-2017-131 (SQL injection vulnerability in graph_templates_inputs.php in Cacti ...) -- cacti + - cacti NOTE: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789 CVE-2017-130 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is ...) - glassfish (Vulnerable code not included, see bug #853998) @@ -935,6 +981,7 @@ - fedmsg (bug #868508) NOTE: https://github.com/fedora-infra/fedmsg/commit/5c21cf88a
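Review bot: the automatic update repairs a malformed `-- cacti` package line under CVE-2017-131 to `- cacti`; the earlier manual edit that dropped the leading space should be checked for other entries with the same slip, since a line starting with `--` may not have been parsed as a package entry in the meantime. The rest of the hunk is feed-driven (new CVE-2017-114xx RESERVED and TODO entries, the wireshark descriptions, `{DSA-3914-1}` added to CVE-2017-11360 and CVE-2017-11170) and looks consistent.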
[Secure-testing-commits] r53652 - data/CVE
Author: carnil Date: 2017-07-19 09:03:24 + (Wed, 19 Jul 2017) New Revision: 53652 Modified: data/CVE/list Log: Add new qemu issue, CVE-2017-11434 Modified: data/CVE/list === --- data/CVE/list 2017-07-19 06:39:18 UTC (rev 53651) +++ data/CVE/list 2017-07-19 09:03:24 UTC (rev 53652) @@ -1,5 +1,8 @@ -CVE-2017-11434 +CVE-2017-11434 [slirp: out-of-bounds read while parsing dhcp options] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html CVE-2017-11433 RESERVED CVE-2017-11432 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
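Review bot: the new CVE-2017-11434 entry lists `qemu` and `qemu-kvm` with only the qemu-devel patch thread as reference; once the fix is merged, the upstream commit should replace or supplement the mailing-list link, and a severity plus a bug number would bring it in line with the other qemu entries in this file. The bracketed title `[slirp: out-of-bounds read while parsing dhcp options]` is the right way to keep the entry readable while the CVE is still RESERVED.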