[Secure-testing-commits] r53883 - data/CVE
Author: carnil Date: 2017-07-25 05:59:33 + (Tue, 25 Jul 2017) New Revision: 53883 Modified: data/CVE/list Log: Record as well CVE-2017-10243 as fixed in openjdk-8 Modified: data/CVE/list === --- data/CVE/list 2017-07-25 05:38:24 UTC (rev 53882) +++ data/CVE/list 2017-07-25 05:59:33 UTC (rev 53883) @@ -4008,7 +4008,7 @@ RESERVED CVE-2017-10243 RESERVED - - openjdk-8 + - openjdk-8 8u141-b15-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53882 - data
Author: carnil Date: 2017-07-25 05:38:24 + (Tue, 25 Jul 2017) New Revision: 53882 Modified: data/next-point-update.txt Log: Record proposed fix for kdepim in stretch via pu Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-07-25 05:38:16 UTC (rev 53881) +++ data/next-point-update.txt 2017-07-25 05:38:24 UTC (rev 53882) @@ -6,3 +6,5 @@ [stretch] - ncurses 6.0+20161126-1+deb9u1 CVE-2017-10685 [stretch] - ncurses 6.0+20161126-1+deb9u1 +CVE-2017-9604 + [stretch] - kdepim 4:16.04.3-3+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53881 - data
Author: carnil Date: 2017-07-25 05:38:16 + (Tue, 25 Jul 2017) New Revision: 53881 Modified: data/next-oldstable-point-update.txt Log: Add proposed fix for CVE-2017-9604 via jessie-pu Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-07-25 04:45:59 UTC (rev 53880) +++ data/next-oldstable-point-update.txt2017-07-25 05:38:16 UTC (rev 53881) @@ -48,3 +48,5 @@ [jessie] - ncurses 5.9+20140913-1+deb8u1 CVE-2017-10685 [jessie] - ncurses 5.9+20140913-1+deb8u1 +CVE-2017-9604 + [jessie] - kdepim 4:4.14.1-1+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53880 - data/CVE
Author: carnil Date: 2017-07-25 04:45:59 + (Tue, 25 Jul 2017) New Revision: 53880 Modified: data/CVE/list Log: Add CVE-2015-5191/open-vm-tools Modified: data/CVE/list === --- data/CVE/list 2017-07-25 04:36:49 UTC (rev 53879) +++ data/CVE/list 2017-07-25 04:45:59 UTC (rev 53880) @@ -73049,8 +73049,12 @@ REJECTED CVE-2015-5192 REJECTED -CVE-2015-5191 +CVE-2015-5191 [local privilege escalation] RESERVED + - open-vm-tools + NOTE: 9.10.x: https://github.com/vmware/open-vm-tools/commit/c1304ce8bfd9c0c33999e496bf7049d5c3d45821 + NOTE: 10.0.x: https://github.com/vmware/open-vm-tools/commit/b3068b04880eda4ca3e13f2d34fb8ce336ad1a4f + NOTE: 10.1.x: https://github.com/vmware/open-vm-tools/commit/22e58289f71232310d30cf162b83b5151a937bac CVE-2015-5190 (The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated ...) - pcs (Fixed before initial release to Debian) NOTE: https://github.com/feist/pcs/commit/634f6d93e4091946441f366e29859ed64a2c977a (0.9.144) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
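Review bot: the new open-vm-tools package line records the package as affected but carries neither a fixed Debian version nor a bug reference, while the three NOTE lines point at separate upstream fixes for the 9.10.x, 10.0.x and 10.1.x series; record which series each suite ships and the resulting fixed version (or a suite line with a reason), otherwise the entry stays open for every suite indefinitely. The bracketed [local privilege escalation] summary is added while the CVE is still RESERVED, so it should be rechecked against the public description once one is published.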
[Secure-testing-commits] r53879 - data/CVE
Author: carnil Date: 2017-07-25 04:36:49 + (Tue, 25 Jul 2017) New Revision: 53879 Modified: data/CVE/list Log: Mark libsass issues as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-07-25 04:29:54 UTC (rev 53878) +++ data/CVE/list 2017-07-25 04:36:49 UTC (rev 53879) @@ -6,6 +6,7 @@ RESERVED CVE-2017-11608 (There is a heap-based buffer over-read in the ...) - libsass + [stretch] - libsass (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474276 CVE-2017-11607 RESERVED @@ -13,6 +14,7 @@ RESERVED CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ...) - libsass + [stretch] - libsass (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474019 CVE-2017-11604 RESERVED @@ -130,12 +132,15 @@ RESERVED CVE-2017-11556 (There is a stack consumption vulnerability in the ...) - libsass + [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2447 CVE-2017-11555 (There is an illegal address access in the Eval::operator function in ...) - libsass + [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2446 CVE-2017-11554 (There is a stack consumption vulnerability in the lex function in ...) - libsass + [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2445 CVE-2017-11553 (There is an illegal address access in the extend_alias_table function ...) - exiv2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
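Review bot: the five added [stretch] libsass lines give only the reason "(Minor issue)" and no Debian bug reference, unlike the fontforge entries elsewhere in this batch, which all carry (bug #869614); if bugs are filed for these over-reads and stack-consumption issues, record them on the package lines so the no-dsa decision is traceable. Only stretch is tagged, so whether jessie and wheezy ship affected libsass code is left undetermined for all five CVEs.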
[Secure-testing-commits] r53878 - data/CVE
Author: carnil Date: 2017-07-25 04:29:54 + (Tue, 25 Jul 2017) New Revision: 53878 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-07-25 04:29:44 UTC (rev 53877) +++ data/CVE/list 2017-07-25 04:29:54 UTC (rev 53878) @@ -2458,7 +2458,7 @@ CVE-2017-10712 RESERVED CVE-2017-10711 (In SimpleRisk 20170614-001, a CSRF attack on reset.php (aka the Send ...) - TODO: check + NOT-FOR-US: SimpleRisk CVE-2017-10710 RESERVED CVE-2017-10709 (The lockscreen on Elephone P9000 devices (running Android 6.0) allows ...) @@ -5348,9 +5348,9 @@ CVE-2017-9555 RESERVED CVE-2017-9554 (An information exposure vulnerability in forget_passwd.cgi in Synology ...) - TODO: check + NOT-FOR-US: Synology DiskStation Manager CVE-2017-9553 (A design flaw in SYNO.API.Encryption in Synology DiskStation Manager ...) - TODO: check + NOT-FOR-US: Synology DiskStation Manager CVE-2017-9552 (A design flaw in authentication in Synology Photo Station 6.0-2528 ...) NOT-FOR-US: Synology Photo Station CVE-2015-9096 (Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection ...) @@ -81708,9 +81708,9 @@ CVE-2015-2281 (Stack-based buffer overflow in collectoragent.exe in Fortinet Single ...) NOT-FOR-US: Fortinet Single Sign On CVE-2015-2280 (snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network ...) - TODO: check + NOT-FOR-US: AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera CVE-2015-2279 (cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with ...) - TODO: check + NOT-FOR-US: AirLive CVE-2015-2278 (The LZH decompression implementation (CsObjectInt::BuildHufTree ...) NOT-FOR-US: SAP CVE-2015-2277 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53877 - data/CVE
Author: carnil Date: 2017-07-25 04:29:44 + (Tue, 25 Jul 2017) New Revision: 53877 Modified: data/CVE/list Log: Add new issue in libsass Modified: data/CVE/list === --- data/CVE/list 2017-07-25 04:24:36 UTC (rev 53876) +++ data/CVE/list 2017-07-25 04:29:44 UTC (rev 53877) @@ -5,7 +5,8 @@ CVE-2017-11609 RESERVED CVE-2017-11608 (There is a heap-based buffer over-read in the ...) - TODO: check + - libsass + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474276 CVE-2017-11607 RESERVED CVE-2017-11606 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53875 - data/CVE
Author: carnil Date: 2017-07-25 04:24:26 + (Tue, 25 Jul 2017) New Revision: 53875 Modified: data/CVE/list Log: Double-check rejected CVE-2017-2605, was a duplicate Modified: data/CVE/list === --- data/CVE/list 2017-07-25 04:24:02 UTC (rev 53874) +++ data/CVE/list 2017-07-25 04:24:26 UTC (rev 53875) @@ -26266,8 +26266,6 @@ NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2605 REJECTED - - jenkins - NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2604 RESERVED - jenkins ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53876 - data/CVE
Author: carnil Date: 2017-07-25 04:24:36 + (Tue, 25 Jul 2017) New Revision: 53876 Modified: data/CVE/list Log: One CVE was REJECTED Double-checked discussion which led to the CVE assignment being invalid. Only the second CVE assigned for irssi back then was valid. The CVE is redundant with CVE-2010-1155. Modified: data/CVE/list === --- data/CVE/list 2017-07-25 04:24:26 UTC (rev 53875) +++ data/CVE/list 2017-07-25 04:24:36 UTC (rev 53876) @@ -175995,8 +175995,6 @@ [lenny] - irssi (Minor issue) CVE-2010-1154 REJECTED - - irssi 0.8.15-1 (low) - [lenny] - irssi (Minor issue) CVE-2010-1153 (PHP remote file inclusion vulnerability in the autoloader in TYPO3 ...) - typo3-src 4.3.3-1 (bug #577993) [lenny] - typo3-src (Only affects 4.3.x) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53874 - data/CVE
Author: carnil Date: 2017-07-25 04:24:02 + (Tue, 25 Jul 2017) New Revision: 53874 Modified: data/CVE/list Log: Identify fix for CVE-2017-10790 Modified: data/CVE/list === --- data/CVE/list 2017-07-24 21:36:46 UTC (rev 53873) +++ data/CVE/list 2017-07-25 04:24:02 UTC (rev 53874) @@ -2295,7 +2295,7 @@ [jessie] - libtasn1-6 (Minor issue) - libtasn1-3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464141 - NOTE: probably fix in http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=d8d805e1f2e6799bb2dff4871a8598dc83088a39 + NOTE: Fixed by: http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=d8d805e1f2e6799bb2dff4871a8598dc83088a39 CVE-2017-10789 (The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 ...) - libdbd-mysql-perl (bug #866821) NOTE: https://github.com/perl5-dbi/DBD-mysql/issues/110 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53873 - data/CVE
Author: fgeek-guest Date: 2017-07-24 21:36:46 + (Mon, 24 Jul 2017) New Revision: 53873 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-07-24 21:10:14 UTC (rev 53872) +++ data/CVE/list 2017-07-24 21:36:46 UTC (rev 53873) @@ -751,13 +751,13 @@ - yara 3.6.3+dfsg-1 NOTE: Fixed by: https://github.com/VirusTotal/yara/commit/4a342f01e5439b9bb901aff1c6c23c536baeeb3f CVE-2017-11327 (An issue was discovered in Tilde CMS 1.0.1. It is possible to retrieve ...) - TODO: check + NOT-FOR-US: Tilde CMS CVE-2017-11326 (An issue was discovered in Tilde CMS 1.0.1. It is possible to bypass ...) - TODO: check + NOT-FOR-US: Tilde CMS CVE-2017-11325 (An issue was discovered in Tilde CMS 1.0.1. Arbitrary files can be read ...) - TODO: check + NOT-FOR-US: Tilde CMS CVE-2017-11324 (An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of ...) - TODO: check + NOT-FOR-US: Tilde CMS CVE-2017-11323 RESERVED CVE-2017-11322 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53872 - data/CVE
Author: sectracker Date: 2017-07-24 21:10:14 + (Mon, 24 Jul 2017) New Revision: 53872 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-07-24 20:23:41 UTC (rev 53871) +++ data/CVE/list 2017-07-24 21:10:14 UTC (rev 53872) @@ -1,3 +1,11 @@ +CVE-2017-11611 + RESERVED +CVE-2017-11610 + RESERVED +CVE-2017-11609 + RESERVED +CVE-2017-11608 (There is a heap-based buffer over-read in the ...) + TODO: check CVE-2017-11607 RESERVED CVE-2017-11606 @@ -459,8 +467,8 @@ - libmspack (bug #868956) NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public) NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul -CVE-2017-11422 - RESERVED +CVE-2017-11422 (Statamic framework before 2.6.0 does not correctly check a session's ...) + TODO: check CVE-2017-11420 (Stack-based buffer overflow in ASUS_Discovery.c in networkmap in ...) NOT-FOR-US: ASUS CVE-2017-11419 (Fiyo CMS 2.0.7 has SQL injection in ...) @@ -742,14 +750,14 @@ CVE-2017-11328 (Heap buffer overflow in the yr_object_array_set_item() function in ...) - yara 3.6.3+dfsg-1 NOTE: Fixed by: https://github.com/VirusTotal/yara/commit/4a342f01e5439b9bb901aff1c6c23c536baeeb3f -CVE-2017-11327 - RESERVED -CVE-2017-11326 - RESERVED -CVE-2017-11325 - RESERVED -CVE-2017-11324 - RESERVED +CVE-2017-11327 (An issue was discovered in Tilde CMS 1.0.1. It is possible to retrieve ...) + TODO: check +CVE-2017-11326 (An issue was discovered in Tilde CMS 1.0.1. It is possible to bypass ...) + TODO: check +CVE-2017-11325 (An issue was discovered in Tilde CMS 1.0.1. Arbitrary files can be read ...) + TODO: check +CVE-2017-11324 (An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of ...) + TODO: check CVE-2017-11323 RESERVED CVE-2017-11322 
@@ -1459,7 +1467,7 @@ [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392415 CVE-2017-0 (The ole_init function in ole.c in catdoc 0.95 allows remote attackers ...) - {DSA-3917-1} + {DSA-3917-1 DLA-1037-1} - catdoc 1:0.95-3 (bug #867717) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468471 CVE-2017-11109 (Vim 8.0 allows attackers to cause a denial of service (invalid free) or ...) @@ -2281,6 +2289,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1467004 NOTE: No security impact as built in Debian CVE-2017-10790 (The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes ...) + {DLA-1038-1} - libtasn1-6 (bug #867398) [stretch] - libtasn1-6 (Minor issue) [jessie] - libtasn1-6 (Minor issue) @@ -2447,8 +2456,8 @@ RESERVED CVE-2017-10712 RESERVED -CVE-2017-10711 - RESERVED +CVE-2017-10711 (In SimpleRisk 20170614-001, a CSRF attack on reset.php (aka the Send ...) + TODO: check CVE-2017-10710 RESERVED CVE-2017-10709 (The lockscreen on Elephone P9000 devices (running Android 6.0) allows ...) @@ -4675,6 +4684,7 @@ NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d6e888400ba64de3147da4c23edf389b CVE-2017-9765 (Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and ...) + {DLA-1036-1} - gsoap 2.8.48-1 NOTE: http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions NOTE: https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017) 
@@ -5336,10 +5346,10 @@ RESERVED CVE-2017-9555 RESERVED -CVE-2017-9554 - RESERVED -CVE-2017-9553 - RESERVED +CVE-2017-9554 (An information exposure vulnerability in forget_passwd.cgi in Synology ...) + TODO: check +CVE-2017-9553 (A design flaw in SYNO.API.Encryption in Synology DiskStation Manager ...) + TODO: check CVE-2017-9552 (A design flaw in authentication in Synology Photo Station 6.0-2528 ...) NOT-FOR-US: Synology Photo Station CVE-2015-9096 (Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection ...) @@ -9691,8 +9701,8 @@ RESERVED CVE-2017-8037 RESERVED -CVE-2017-8036 - RESERVED +CVE-2017-8036 (An issue was discovered in the Cloud Controller API in Cloud Foundry ...) + TODO: check CVE-2017-8035 RESERVED CVE-2017-8034 (The Cloud Controller and Router in Cloud Foundry (CAPI-release capi ...) @@ -26255,7 +26265,7 @@ - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2605 - RESERVED + REJECTED - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2604 @@ -66007,8 +66017,7 @@ NOTE:
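Review bot: in the CVE-2017-2605 hunk (@@ -26255,7 +26265,7 @@) the automatic update flips the status from RESERVED to REJECTED but leaves the "- jenkins" package line and the advisory NOTE beneath it, so a rejected identifier still claims an affected package in the tracker; the two lines should be dropped together with the status change rather than left for a later manual commit (r53875 above removes them by hand).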
[Secure-testing-commits] r53871 - data/CVE
Author: carnil Date: 2017-07-24 20:23:41 + (Mon, 24 Jul 2017) New Revision: 53871 Modified: data/CVE/list Log: Add bug reference for fontforge issues Modified: data/CVE/list === --- data/CVE/list 2017-07-24 20:18:04 UTC (rev 53870) +++ data/CVE/list 2017-07-24 20:23:41 UTC (rev 53871) 
@@ -67,34 +67,34 @@ CVE-2017-11578 RESERVED CVE-2017-11577 (FontForge 20161012 is vulnerable to a buffer over-read in getsid ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3088 CVE-2017-11576 (FontForge 20161012 does not ensure a positive size in a weight vector ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3091 CVE-2017-11575 (FontForge 20161012 is vulnerable to a buffer over-read in strnmatch ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3096 CVE-2017-11574 (FontForge 20161012 is vulnerable to a heap-based buffer overflow in ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3090 CVE-2017-11573 (FontForge 20161012 is vulnerable to a buffer over-read in ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3098 CVE-2017-11572 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3092 CVE-2017-11571 (FontForge 20161012 is vulnerable to a stack-based buffer overflow in ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3087 CVE-2017-11570 (FontForge 20161012 is vulnerable to a buffer over-read in umodenc ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3097 CVE-2017-11569 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) - - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3093 CVE-2017-11568 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) 
- - fontforge + - fontforge (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3089 CVE-2017-11567 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53870 - in data: . DLA
Author: alteholz Date: 2017-07-24 20:18:04 + (Mon, 24 Jul 2017) New Revision: 53870 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1038-1 for libtasn1-3 Modified: data/DLA/list === --- data/DLA/list 2017-07-24 20:13:27 UTC (rev 53869) +++ data/DLA/list 2017-07-24 20:18:04 UTC (rev 53870) @@ -1,3 +1,6 @@ +[24 Jul 2017] DLA-1038-1 libtasn1-3 - security update + {CVE-2017-10790} + [wheezy] - libtasn1-3 2.13-2+deb7u5 [24 Jul 2017] DLA-1037-1 catdoc - security update {CVE-2017-0} [wheezy] - catdoc 0.94.4-1.1+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-24 20:13:27 UTC (rev 53869) +++ data/dla-needed.txt 2017-07-24 20:18:04 UTC (rev 53870) @@ -94,8 +94,6 @@ NOTE: regression update, see: NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html -- -libtasn1-3 (Thorsten Alteholz) --- libxml-libxml-perl NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, sent email later -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53869 - in data: . DLA
Author: apo Date: 2017-07-24 20:13:27 + (Mon, 24 Jul 2017) New Revision: 53869 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1037-1 for catdoc Modified: data/DLA/list === --- data/DLA/list 2017-07-24 19:49:02 UTC (rev 53868) +++ data/DLA/list 2017-07-24 20:13:27 UTC (rev 53869) @@ -1,3 +1,6 @@ +[24 Jul 2017] DLA-1037-1 catdoc - security update + {CVE-2017-0} + [wheezy] - catdoc 0.94.4-1.1+deb7u1 [24 Jul 2017] DLA-1036-1 gsoap - security update {CVE-2017-9765} [wheezy] - gsoap 2.8.7-2+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-24 19:49:02 UTC (rev 53868) +++ data/dla-needed.txt 2017-07-24 20:13:27 UTC (rev 53869) @@ -23,8 +23,6 @@ -- cairo (Emilio Pozuelo) -- -catdoc (Markus Koschany) --- check-mk NOTE: the code is different in wheezy but from a cursory look, there NOTE: might be multiple places where error messages are not properly ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53868 - data/CVE
Author: carnil Date: 2017-07-24 19:49:02 + (Mon, 24 Jul 2017) New Revision: 53868 Modified: data/CVE/list Log: Add two more exiv2 issues Modified: data/CVE/list === --- data/CVE/list 2017-07-24 19:37:19 UTC (rev 53867) +++ data/CVE/list 2017-07-24 19:49:02 UTC (rev 53868) @@ -31,9 +31,11 @@ CVE-2017-11593 (Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus ...) TODO: check CVE-2017-11592 (There is a Mismatched Memory Management Routines vulnerability in the ...) - TODO: check + - exiv2 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473889 CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function in ...) - TODO: check + - exiv2 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473888 CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash function in ...) - libgxps [stretch] - libgxps (Vulnerable function introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53867 - in data: . CVE
Author: apo Date: 2017-07-24 19:37:19 + (Mon, 24 Jul 2017) New Revision: 53867 Modified: data/CVE/list data/dla-needed.txt Log: Claim catdoc in dla-needed.txt and remove no-dsa tag for CVE-2017-0. The versions of catdoc in Wheezy and Jessie are identical. We just follow Jessie because the issue was already fixed there. Modified: data/CVE/list === --- data/CVE/list 2017-07-24 18:11:01 UTC (rev 53866) +++ data/CVE/list 2017-07-24 19:37:19 UTC (rev 53867) @@ -1459,7 +1459,6 @@ CVE-2017-0 (The ole_init function in ole.c in catdoc 0.95 allows remote attackers ...) {DSA-3917-1} - catdoc 1:0.95-3 (bug #867717) - [wheezy] - catdoc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468471 CVE-2017-11109 (Vim 8.0 allows attackers to cause a denial of service (invalid free) or ...) {DLA-1030-1} Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-24 18:11:01 UTC (rev 53866) +++ data/dla-needed.txt 2017-07-24 19:37:19 UTC (rev 53867) @@ -23,6 +23,8 @@ -- cairo (Emilio Pozuelo) -- +catdoc (Markus Koschany) +-- check-mk NOTE: the code is different in wheezy but from a cursory look, there NOTE: might be multiple places where error messages are not properly ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53866 - data
Author: apo Date: 2017-07-24 18:11:01 + (Mon, 24 Jul 2017) New Revision: 53866 Modified: data/dla-needed.txt Log: Claim graphicsmagick in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-24 18:08:24 UTC (rev 53865) +++ data/dla-needed.txt 2017-07-24 18:11:01 UTC (rev 53866) @@ -44,7 +44,7 @@ freeradius NOTE: CVE-2017-10983 is in fr_dhcp_decode since fr_dhcp_decode_options doesn't exist yet -- -graphicsmagick +graphicsmagick (Markus Koschany) -- imagemagick (Roberto C. Sánchez) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53865 - in data: . DLA
Author: apo Date: 2017-07-24 18:08:24 + (Mon, 24 Jul 2017) New Revision: 53865 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1036-1 for gsoap Modified: data/DLA/list === --- data/DLA/list 2017-07-24 15:48:26 UTC (rev 53864) +++ data/DLA/list 2017-07-24 18:08:24 UTC (rev 53865) @@ -1,3 +1,6 @@ +[24 Jul 2017] DLA-1036-1 gsoap - security update + {CVE-2017-9765} + [wheezy] - gsoap 2.8.7-2+deb7u1 [21 Jul 2017] DLA-1035-1 qemu - security update {CVE-2016-9602 CVE-2016-9603 CVE-2017-7377 CVE-2017-7471 CVE-2017-7493 CVE-2017-7718 CVE-2017-7980 CVE-2017-8086} [wheezy] - qemu 1.1.2+dfsg-6+deb7u22 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-24 15:48:26 UTC (rev 53864) +++ data/dla-needed.txt 2017-07-24 18:08:24 UTC (rev 53865) @@ -46,8 +46,6 @@ -- graphicsmagick -- -gsoap (Markus Koschany) --- imagemagick (Roberto C. Sánchez) -- ipsec-tools ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53864 - data
Author: carnil Date: 2017-07-24 15:48:26 + (Mon, 24 Jul 2017) New Revision: 53864 Modified: data/dsa-needed.txt Log: Add note for mysql-5.5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-24 15:45:10 UTC (rev 53863) +++ data/dsa-needed.txt 2017-07-24 15:48:26 UTC (rev 53864) @@ -40,6 +40,7 @@ mariadb-10.0 (carnil) -- mysql-5.5 (carnil) + James Page will sponsor the upload -- openjdk-7/oldstable (jmm) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53863 - data
Author: carnil Date: 2017-07-24 15:45:10 + (Mon, 24 Jul 2017) New Revision: 53863 Modified: data/dsa-needed.txt Log: Add krb5 to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-24 15:37:01 UTC (rev 53862) +++ data/dsa-needed.txt 2017-07-24 15:45:10 UTC (rev 53863) @@ -25,6 +25,8 @@ -- ipsec-tools -- +krb5 +-- libav/oldstable several issues unfixed upstream -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53862 - data/CVE
Author: carnil Date: 2017-07-24 15:37:01 + (Mon, 24 Jul 2017) New Revision: 53862 Modified: data/CVE/list Log: Update status for CVE-2017-11590 Modified: data/CVE/list === --- data/CVE/list 2017-07-24 14:41:01 UTC (rev 53861) +++ data/CVE/list 2017-07-24 15:37:01 UTC (rev 53862) @@ -36,6 +36,9 @@ TODO: check CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash function in ...) - libgxps + [stretch] - libgxps (Vulnerable function introduced later) + [jessie] - libgxps (Vulnerable function introduced later) + [wheezy] - libgxps (Vulnerable function introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473167 CVE-2017-11589 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) NOT-FOR-US: Cisco ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
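Review bot: the three added suite lines for libgxps all state "(Vulnerable function introduced later)" but the entry's only reference is the Red Hat bug, which does not by itself establish when caseless_hash appeared; add a NOTE naming the upstream commit or release that introduced the function so the claim that stretch, jessie and wheezy do not carry the affected code can be re-verified when the issue is revisited.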
[Secure-testing-commits] r53861 - data
Author: jmm Date: 2017-07-24 14:41:01 + (Mon, 24 Jul 2017) New Revision: 53861 Modified: data/dsa-needed.txt Log: claim some DSAs Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-24 14:12:15 UTC (rev 53860) +++ data/dsa-needed.txt 2017-07-24 14:41:01 UTC (rev 53861) @@ -18,7 +18,7 @@ -- graphicsmagick -- -icedove +icedove (jmm) -- imagemagick wait until more issues have piled up @@ -51,7 +51,7 @@ -- phpmyadmin -- -qemu +qemu (jmm) Maintainer asked to prepare updates -- sudo (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53859 - data/CVE
Author: carnil Date: 2017-07-24 14:12:03 + (Mon, 24 Jul 2017) New Revision: 53859 Modified: data/CVE/list Log: Add fontforge issues Modified: data/CVE/list === --- data/CVE/list 2017-07-24 13:18:30 UTC (rev 53858) +++ data/CVE/list 2017-07-24 14:12:03 UTC (rev 53859) 
@@ -61,25 +61,35 @@ CVE-2017-11578 RESERVED CVE-2017-11577 (FontForge 20161012 is vulnerable to a buffer over-read in getsid ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3088 CVE-2017-11576 (FontForge 20161012 does not ensure a positive size in a weight vector ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3091 CVE-2017-11575 (FontForge 20161012 is vulnerable to a buffer over-read in strnmatch ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3096 CVE-2017-11574 (FontForge 20161012 is vulnerable to a heap-based buffer overflow in ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3090 CVE-2017-11573 (FontForge 20161012 is vulnerable to a buffer over-read in ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3098 CVE-2017-11572 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3092 CVE-2017-11571 (FontForge 20161012 is vulnerable to a stack-based buffer overflow in ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3087 CVE-2017-11570 (FontForge 20161012 is vulnerable to a buffer over-read in umodenc ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3097 CVE-2017-11569 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3093 CVE-2017-11568 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) - TODO: check + - fontforge + NOTE: https://github.com/fontforge/fontforge/issues/3089 CVE-2017-11567 RESERVED CVE-2017-11566 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53860 - data/CVE
Author: carnil Date: 2017-07-24 14:12:15 + (Mon, 24 Jul 2017) New Revision: 53860 Modified: data/CVE/list Log: Add issue in libgxps Modified: data/CVE/list === --- data/CVE/list 2017-07-24 14:12:03 UTC (rev 53859) +++ data/CVE/list 2017-07-24 14:12:15 UTC (rev 53860) @@ -35,7 +35,8 @@ CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function in ...) TODO: check CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash function in ...) - TODO: check + - libgxps + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473167 CVE-2017-11589 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) NOT-FOR-US: Cisco CVE-2017-11588 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53858 - data
Author: apo Date: 2017-07-24 13:18:30 + (Mon, 24 Jul 2017) New Revision: 53858 Modified: data/dla-needed.txt Log: Claim gsoap in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-24 13:13:33 UTC (rev 53857) +++ data/dla-needed.txt 2017-07-24 13:18:30 UTC (rev 53858) @@ -46,7 +46,7 @@ -- graphicsmagick -- -gsoap +gsoap (Markus Koschany) -- imagemagick (Roberto C. Sánchez) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53857 - data
Author: apo Date: 2017-07-24 13:13:33 + (Mon, 24 Jul 2017) New Revision: 53857 Modified: data/dla-needed.txt Log: Give back spice in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-07-24 10:07:24 UTC (rev 53856) +++ data/dla-needed.txt 2017-07-24 13:13:33 UTC (rev 53857) @@ -171,8 +171,11 @@ rkhunter (Thorsten Alteholz) NOTE: 20170702 sent email to maintainer -- -spice (Markus Koschany) +spice NOTE: CVE-2017-7506 already fixed in jessie. Can take patch there. + NOTE: (Markus Koschany) Patch from Jessie does not apply. Function + NOTE: reds_on_main_agent_monitors_config does not exist. Unclear how issue + NOTE: can be triggered/verified in this version -- swftools -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53856 - data/CVE
Author: carnil Date: 2017-07-24 10:07:24 + (Mon, 24 Jul 2017) New Revision: 53856 Modified: data/CVE/list Log: Add fixing version for atril Modified: data/CVE/list === --- data/CVE/list 2017-07-24 09:17:40 UTC (rev 53855) +++ data/CVE/list 2017-07-24 10:07:24 UTC (rev 53856) @@ -971,7 +971,7 @@ RESERVED {DSA-3916-1 DSA-3911-1 DLA-1031-1} - evince 3.22.1-4 - - atril (bug #868500) + - atril 1.16.1-2.1 (bug #868500) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784630 CVE-2017-11208 RESERVED
[Secure-testing-commits] r53855 - data/CVE
Author: carnil Date: 2017-07-24 09:17:40 + (Mon, 24 Jul 2017) New Revision: 53855 Modified: data/CVE/list Log: Process some NFUs Modified: data/CVE/list === --- data/CVE/list 2017-07-24 09:15:38 UTC (rev 53854) +++ data/CVE/list 2017-07-24 09:17:40 UTC (rev 53855) @@ -37,23 +37,23 @@ CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash function in ...) TODO: check CVE-2017-11589 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-11588 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-11587 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-11586 (dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in ...) - TODO: check + NOT-FOR-US: FineCms CVE-2017-11585 (dayrui FineCms 5.0.9 has remote PHP code execution via the param ...) - TODO: check + NOT-FOR-US: FineCms CVE-2017-11584 (dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an ...) - TODO: check + NOT-FOR-US: FineCms CVE-2017-11583 (dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an ...) - TODO: check + NOT-FOR-US: FineCms CVE-2017-11582 (dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an ...) - TODO: check + NOT-FOR-US: FineCms CVE-2017-11581 (dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php ...) - TODO: check + NOT-FOR-US: FineCms CVE-2017-11580 RESERVED CVE-2017-11579
[Secure-testing-commits] r53854 - data/CVE
Author: carnil Date: 2017-07-24 09:15:38 + (Mon, 24 Jul 2017) New Revision: 53854 Modified: data/CVE/list Log: Add CVE-2017-11605 Modified: data/CVE/list === --- data/CVE/list 2017-07-24 09:12:28 UTC (rev 53853) +++ data/CVE/list 2017-07-24 09:15:38 UTC (rev 53854) @@ -3,7 +3,8 @@ CVE-2017-11606 RESERVED CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ...) - TODO: check + - libsass + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474019 CVE-2017-11604 RESERVED CVE-2017-11603
[Secure-testing-commits] r53853 - data/CVE
Author: carnil Date: 2017-07-24 09:12:28 + (Mon, 24 Jul 2017) New Revision: 53853 Modified: data/CVE/list Log: Add CVE-2017-11600/linux Modified: data/CVE/list === --- data/CVE/list 2017-07-24 09:10:24 UTC (rev 53852) +++ data/CVE/list 2017-07-24 09:12:28 UTC (rev 53853) @@ -13,7 +13,8 @@ CVE-2017-11601 RESERVED CVE-2017-11600 (net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when ...) - TODO: check + - linux + NOTE: http://seclists.org/bugtraq/2017/Jul/30 CVE-2017-11599 RESERVED CVE-2017-11598
[Secure-testing-commits] r53852 - data/CVE
Author: sectracker Date: 2017-07-24 09:10:24 + (Mon, 24 Jul 2017) New Revision: 53852 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-07-24 08:45:20 UTC (rev 53851) +++ data/CVE/list 2017-07-24 09:10:24 UTC (rev 53852) 
@@ -1,3 +1,85 @@ +CVE-2017-11607 + RESERVED +CVE-2017-11606 + RESERVED +CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ...) + TODO: check +CVE-2017-11604 + RESERVED +CVE-2017-11603 + RESERVED +CVE-2017-11602 + RESERVED +CVE-2017-11601 + RESERVED +CVE-2017-11600 (net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when ...) + TODO: check +CVE-2017-11599 + RESERVED +CVE-2017-11598 + RESERVED +CVE-2017-11597 + RESERVED +CVE-2017-11596 + RESERVED +CVE-2017-11595 + RESERVED +CVE-2017-11594 (Cross-site scripting (XSS) vulnerability in the Markdown parser in ...) + TODO: check +CVE-2017-11593 (Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus ...) + TODO: check +CVE-2017-11592 (There is a Mismatched Memory Management Routines vulnerability in the ...) + TODO: check +CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function in ...) + TODO: check +CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash function in ...) + TODO: check +CVE-2017-11589 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) + TODO: check +CVE-2017-11588 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) + TODO: check +CVE-2017-11587 (On Cisco DDR2200 ADSL2+ Residential Gateway ...) + TODO: check +CVE-2017-11586 (dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in ...) + TODO: check +CVE-2017-11585 (dayrui FineCms 5.0.9 has remote PHP code execution via the param ...) + TODO: check +CVE-2017-11584 (dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an ...) + TODO: check +CVE-2017-11583 (dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an ...) + TODO: check +CVE-2017-11582 (dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an ...) + TODO: check +CVE-2017-11581 (dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php ...) 
+ TODO: check +CVE-2017-11580 + RESERVED +CVE-2017-11579 + RESERVED +CVE-2017-11578 + RESERVED +CVE-2017-11577 (FontForge 20161012 is vulnerable to a buffer over-read in getsid ...) + TODO: check +CVE-2017-11576 (FontForge 20161012 does not ensure a positive size in a weight vector ...) + TODO: check +CVE-2017-11575 (FontForge 20161012 is vulnerable to a buffer over-read in strnmatch ...) + TODO: check +CVE-2017-11574 (FontForge 20161012 is vulnerable to a heap-based buffer overflow in ...) + TODO: check +CVE-2017-11573 (FontForge 20161012 is vulnerable to a buffer over-read in ...) + TODO: check +CVE-2017-11572 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) + TODO: check +CVE-2017-11571 (FontForge 20161012 is vulnerable to a stack-based buffer overflow in ...) + TODO: check +CVE-2017-11570 (FontForge 20161012 is vulnerable to a buffer over-read in umodenc ...) + TODO: check +CVE-2017-11569 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) + TODO: check +CVE-2017-11568 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...) + TODO: check +CVE-2017-11567 + RESERVED CVE-2017-11566 RESERVED CVE-2017-1002151 [pagure: private repositories accessible through ssh] @@ -143,7 +225,7 @@ RESERVED CVE-2017-11506 RESERVED -CVE-2017-11565 [Tor in stretch silently scraps apparmor] +CVE-2017-11565 (debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor was ...) - tor (bug #869153) [stretch] - tor (Minor issue) [jessie] - tor (aa-exec in jessie is located in /usr/sbin/)
[Secure-testing-commits] r53851 - data/CVE
Author: carnil Date: 2017-07-24 08:45:20 + (Mon, 24 Jul 2017) New Revision: 53851 Modified: data/CVE/list Log: Fix a source package name Modified: data/CVE/list === --- data/CVE/list 2017-07-24 04:50:09 UTC (rev 53850) +++ data/CVE/list 2017-07-24 08:45:20 UTC (rev 53851) @@ -29,7 +29,7 @@ - libsass NOTE: https://github.com/sass/libsass/issues/2445 CVE-2017-11553 (There is an illegal address access in the extend_alias_table function ...) - - eviv2 + - exiv2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1471772 TODO: check CVE-2017-11552