[Secure-testing-commits] r54926 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 07:02:41 +0000 (Mon, 21 Aug 2017)
New Revision: 54926

Modified:
   data/CVE/list
Log:
Add new openjpeg2 issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 06:53:57 UTC (rev 54925)
+++ data/CVE/list   2017-08-21 07:02:41 UTC (rev 54926)
@@ -1,3 +1,7 @@
+CVE-2017-12982 [memory allocation failure in opj_aligned_alloc_n 
(opj_malloc.c)]
+   - openjpeg2 
+   NOTE: https://github.com/uclouvain/openjpeg/issues/983
+   NOTE: 
https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7
 CVE-2017-12975
RESERVED
 CVE-2017-12974 (Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction 
without ...)
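Review bot: the new openjpeg2 package line is left without a fixed version and without a Debian bug reference, even though the NOTE already links the upstream fix commit (baf0c1ad...). An unversioned package line with a known upstream fix is exactly the state the tracker cannot resolve on its own; record the bug number once filed, or the first openjpeg2 upload containing that commit, so the entry does not stay open by omission.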


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r54927 - in data: . DSA

2017-08-21 Thread Sebastien Delafond
Author: seb
Date: 2017-08-21 08:57:33 +0000 (Mon, 21 Aug 2017)
New Revision: 54927

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA-3949-1 for augeas (CVE-2017-7555)

Modified: data/DSA/list
===
--- data/DSA/list   2017-08-21 07:02:41 UTC (rev 54926)
+++ data/DSA/list   2017-08-21 08:57:33 UTC (rev 54927)
@@ -1,3 +1,7 @@
+[21 Aug 2017] DSA-3949-1 augeas - security update
+   {CVE-2017-7555}
+   [jessie] - augeas 1.2.0-0.2+deb8u2
+   [stretch] - augeas 1.8.0-1+deb9u1
 [19 Aug 2017] DSA-3948-1 ioquake3 - security update
{CVE-2017-11721}
[jessie] - ioquake3 1.36+u20140802+gca9eebb-2+deb8u2
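Review bot: reserving DSA-3949-1 here does not add the matching {DSA-3949-1} cross-reference under CVE-2017-7555 in data/CVE/list; that line only appears with the automatic update in r54929. Adding the reference in the same commit as the reservation keeps data/DSA/list and data/CVE/list consistent between runs of the updater, and the dsa-needed.txt removal in the second hunk is otherwise complete.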

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-21 07:02:41 UTC (rev 54926)
+++ data/dsa-needed.txt 2017-08-21 08:57:33 UTC (rev 54927)
@@ -14,9 +14,6 @@
 --
 389-ds-base (fw)
 --
-augeas (seb)
-  2017-08-18: Hilko Bergen prepared debdiff, ack'ed for upload
---
 curl (ghedo)
 --
 db/oldstable


[Secure-testing-commits] r54928 - in data: . CVE

2017-08-21 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-21 09:00:11 +0000 (Mon, 21 Aug 2017)
New Revision: 54928

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
NFUs
openjpeg unimportant


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 08:57:33 UTC (rev 54927)
+++ data/CVE/list   2017-08-21 09:00:11 UTC (rev 54928)
@@ -1,15 +1,15 @@
 CVE-2017-12982 [memory allocation failure in opj_aligned_alloc_n 
(opj_malloc.c)]
-   - openjpeg2 
+   - openjpeg2  (unimportant)
NOTE: https://github.com/uclouvain/openjpeg/issues/983
NOTE: 
https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7
 CVE-2017-12975
RESERVED
 CVE-2017-12974 (Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction 
without ...)
-   TODO: check
+   NOT-FOR-US: Nimbus JOSE + JWT
 CVE-2017-12973 (Nimbus JOSE+JWT before 4.39 proceeds improperly after 
detection of an ...)
-   TODO: check
+   NOT-FOR-US: Nimbus JOSE + JWT
 CVE-2017-12972 (In Nimbus JOSE+JWT before 4.39, there is no integer-overflow 
check when ...)
-   TODO: check
+   NOT-FOR-US: Nimbus JOSE + JWT
 CVE-2017-12976 [Command injection via malicious ssh URLs]
- git-annex 6.20170818-1
NOTE: 
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
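Review bot: the severity change to (unimportant) for CVE-2017-12982 carries no rationale, while the entry's own bracketed description reads "memory allocation failure in opj_aligned_alloc_n (opj_malloc.c)". A one-line NOTE stating why it is unimportant (for instance that the failure is a handled allocation error rather than a memory-safety bug) would let later triage understand the decision without re-reading issue #983. The three NOT-FOR-US lines for Nimbus JOSE+JWT are fine.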

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-21 08:57:33 UTC (rev 54927)
+++ data/dsa-needed.txt 2017-08-21 09:00:11 UTC (rev 54928)
@@ -38,7 +38,7 @@
 --
 graphicsmagick
 --
-imagemagick
+imagemagick (jmm)
   wait until more issues have piled up
 --
 jbig2dec


[Secure-testing-commits] r54929 - data/CVE

2017-08-21 Thread security tracker role
Author: sectracker
Date: 2017-08-21 09:10:19 +0000 (Mon, 21 Aug 2017)
New Revision: 54929

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 09:00:11 UTC (rev 54928)
+++ data/CVE/list   2017-08-21 09:10:19 UTC (rev 54929)
@@ -1,4 +1,69 @@
-CVE-2017-12982 [memory allocation failure in opj_aligned_alloc_n 
(opj_malloc.c)]
+CVE-2017-12984 (PHPMyWind 5.3 has XSS in shoppingcart.php, related to 
message.php, ...)
+   TODO: check
+CVE-2017-12983 (Heap-based buffer overflow in the ReadSFWImage function in 
coders/sfw.c ...)
+   TODO: check
+CVE-2017-12981 (NexusPHP 1.5.beta5.20120707 has SQL Injection in 
forummanage.php via ...)
+   TODO: check
+CVE-2017-12980 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)
+   TODO: check
+CVE-2017-12979 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)
+   TODO: check
+CVE-2017-12978 (lib/html.php in Cacti before 1.1.18 has XSS via the title 
field of an ...)
+   TODO: check
+CVE-2017-12977 (The Web-Dorado "Photo Gallery by WD - Responsive Photo 
Gallery" plugin ...)
+   TODO: check
+CVE-2017-1000216
+   REJECTED
+   TODO: check
+CVE-2017-1000205
+   REJECTED
+   TODO: check
+CVE-2017-1000202
+   REJECTED
+   TODO: check
+CVE-2017-1000184
+   REJECTED
+   TODO: check
+CVE-2017-1000183
+   REJECTED
+   TODO: check
+CVE-2017-1000181
+   REJECTED
+   TODO: check
+CVE-2017-1000180
+   REJECTED
+   TODO: check
+CVE-2017-1000179
+   REJECTED
+   TODO: check
+CVE-2017-1000178
+   REJECTED
+   TODO: check
+CVE-2017-1000177
+   REJECTED
+   TODO: check
+CVE-2017-1000175
+   REJECTED
+   TODO: check
+CVE-2017-1000167
+   REJECTED
+   TODO: check
+CVE-2017-1000166
+   REJECTED
+   TODO: check
+CVE-2017-1000165
+   REJECTED
+   TODO: check
+CVE-2017-1000162
+   REJECTED
+   TODO: check
+CVE-2017-1000124
+   REJECTED
+   TODO: check
+CVE-2017-1000123
+   REJECTED
+   TODO: check
+CVE-2017-12982 (The bmp_read_info_header function in bin/jp2/convertbmp.c in 
OpenJPEG ...)
- openjpeg2  (unimportant)
NOTE: https://github.com/uclouvain/openjpeg/issues/983
NOTE: 
https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7
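Review bot: the importer appends "TODO: check" under every newly seen REJECTED id (CVE-2017-1000216 down through CVE-2017-1000123), and r54934 then deletes all of those lines by hand. A REJECTED id needs no triage, so skipping the TODO line for that state in the updater would avoid the churn. Separately, this hunk replaces the bracketed description of CVE-2017-12982 (opj_aligned_alloc_n in opj_malloc.c) with the MITRE text naming bmp_read_info_header in bin/jp2/convertbmp.c; the two descriptions point at different code, so it is worth confirming that the linked issue #983 and commit cover the bug the CVE was actually assigned to.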
@@ -10,7 +75,7 @@
NOT-FOR-US: Nimbus JOSE + JWT
 CVE-2017-12972 (In Nimbus JOSE+JWT before 4.39, there is no integer-overflow 
check when ...)
NOT-FOR-US: Nimbus JOSE + JWT
-CVE-2017-12976 [Command injection via malicious ssh URLs]
+CVE-2017-12976 (git-annex before 6.20170818 allows remote attackers to execute 
...)
- git-annex 6.20170818-1
NOTE: 
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
NOTE: 
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a
@@ -1033,8 +1098,8 @@
RESERVED
 CVE-2017-12785
RESERVED
-CVE-2017-12784
-   RESERVED
+CVE-2017-12784 (In Youngzsoft CCFile (aka CC File Transfer) 3.6, by sending a 
crafted ...)
+   TODO: check
 CVE-2017-12783
RESERVED
 CVE-2017-12782
@@ -4582,8 +4647,8 @@
NOTE: 
https://github.com/krb5/krb5/pull/678/commits/a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2
 CVE-2017-11367 (The shoco_decompress function in the API in shoco through 
2017-07-17 ...)
NOT-FOR-US: shoco
-CVE-2017-11366
-   RESERVED
+CVE-2017-11366 (components/filemanager/class.filemanager.php in Codiad before 
2.8.4 is ...)
+   TODO: check
 CVE-2017-11365
RESERVED
 CVE-2017-11364 (The CMS installer in Joomla! before 3.7.4 does not verify a 
user's ...)
@@ -15631,6 +15696,7 @@
 CVE-2017-7556 (Hawtio versions up to and including 1.5.3 are vulnerable to 
CSRF ...)
NOT-FOR-US: hawtio
 CVE-2017-7555 (Augeas versions up to and including 1.8.0 are vulnerable to 
heap-based ...)
+   {DSA-3949-1}
- augeas 1.8.1-1 (bug #872400)
NOTE: https://github.com/hercules-team/augeas/pull/480
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1478373


[Secure-testing-commits] r54930 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 09:12:00 +0000 (Mon, 21 Aug 2017)
New Revision: 54930

Modified:
   data/CVE/list
Log:
Add one cacti issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 09:10:19 UTC (rev 54929)
+++ data/CVE/list   2017-08-21 09:12:00 UTC (rev 54930)
@@ -9,7 +9,9 @@
 CVE-2017-12979 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)
TODO: check
 CVE-2017-12978 (lib/html.php in Cacti before 1.1.18 has XSS via the title 
field of an ...)
-   TODO: check
+   - cacti 1.1.18+ds1-1
+   NOTE: 
https://github.com/Cacti/cacti/commit/9c610a7a4e29595dcaf7d7082134e4b89619ea24
+   NOTE: https://github.com/Cacti/cacti/issues/918
 CVE-2017-12977 (The Web-Dorado "Photo Gallery by WD - Responsive Photo 
Gallery" plugin ...)
TODO: check
 CVE-2017-1000216


[Secure-testing-commits] r54931 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 09:13:10 +0000 (Mon, 21 Aug 2017)
New Revision: 54931

Modified:
   data/CVE/list
Log:
Add CVE-2017-12983/imagemagick

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 09:12:00 UTC (rev 54930)
+++ data/CVE/list   2017-08-21 09:13:10 UTC (rev 54931)
@@ -1,7 +1,8 @@
 CVE-2017-12984 (PHPMyWind 5.3 has XSS in shoppingcart.php, related to 
message.php, ...)
TODO: check
 CVE-2017-12983 (Heap-based buffer overflow in the ReadSFWImage function in 
coders/sfw.c ...)
-   TODO: check
+   - imagemagick 
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/682
 CVE-2017-12981 (NexusPHP 1.5.beta5.20120707 has SQL Injection in 
forummanage.php via ...)
TODO: check
 CVE-2017-12980 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)
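Review bot: the imagemagick line has no fixed version, no bug reference and no severity, although the description is a heap-based buffer overflow in ReadSFWImage (coders/sfw.c). With imagemagick parked in dsa-needed.txt as "wait until more issues have piled up" (r54928), this entry should at least get its Debian bug number so it is counted when that batch is prepared, rather than being only an upstream issue link.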


[Secure-testing-commits] r54932 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 09:14:06 +0000 (Mon, 21 Aug 2017)
New Revision: 54932

Modified:
   data/CVE/list
Log:
Process two NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 09:13:10 UTC (rev 54931)
+++ data/CVE/list   2017-08-21 09:14:06 UTC (rev 54932)
@@ -1,10 +1,10 @@
 CVE-2017-12984 (PHPMyWind 5.3 has XSS in shoppingcart.php, related to 
message.php, ...)
-   TODO: check
+   NOT-FOR-US: PHPMyWind
 CVE-2017-12983 (Heap-based buffer overflow in the ReadSFWImage function in 
coders/sfw.c ...)
- imagemagick 
NOTE: https://github.com/ImageMagick/ImageMagick/issues/682
 CVE-2017-12981 (NexusPHP 1.5.beta5.20120707 has SQL Injection in 
forummanage.php via ...)
-   TODO: check
+   NOT-FOR-US: NexusPHP
 CVE-2017-12980 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)
TODO: check
 CVE-2017-12979 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)


[Secure-testing-commits] r54933 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 09:15:55 +0000 (Mon, 21 Aug 2017)
New Revision: 54933

Modified:
   data/CVE/list
Log:
Add two new dokuwiki issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 09:14:06 UTC (rev 54932)
+++ data/CVE/list   2017-08-21 09:15:55 UTC (rev 54933)
@@ -6,9 +6,11 @@
 CVE-2017-12981 (NexusPHP 1.5.beta5.20120707 has SQL Injection in 
forummanage.php via ...)
NOT-FOR-US: NexusPHP
 CVE-2017-12980 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)
-   TODO: check
+   - dokuwiki 
+   NOTE: https://github.com/splitbrain/dokuwiki/issues/2081
 CVE-2017-12979 (DokuWiki through 2017-02-19c has stored XSS when rendering a 
malicious ...)
-   TODO: check
+   - dokuwiki 
+   NOTE: https://github.com/splitbrain/dokuwiki/issues/2080
 CVE-2017-12978 (lib/html.php in Cacti before 1.1.18 has XSS via the title 
field of an ...)
- cacti 1.1.18+ds1-1
NOTE: 
https://github.com/Cacti/cacti/commit/9c610a7a4e29595dcaf7d7082134e4b89619ea24


[Secure-testing-commits] r54934 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 09:22:14 +0000 (Mon, 21 Aug 2017)
New Revision: 54934

Modified:
   data/CVE/list
Log:
Process TODOs and NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 09:15:55 UTC (rev 54933)
+++ data/CVE/list   2017-08-21 09:22:14 UTC (rev 54934)
@@ -16,58 +16,41 @@
NOTE: 
https://github.com/Cacti/cacti/commit/9c610a7a4e29595dcaf7d7082134e4b89619ea24
NOTE: https://github.com/Cacti/cacti/issues/918
 CVE-2017-12977 (The Web-Dorado "Photo Gallery by WD - Responsive Photo 
Gallery" plugin ...)
-   TODO: check
+   NOT-FOR-US: Web-Dorado plugin for Wordpress
 CVE-2017-1000216
REJECTED
-   TODO: check
 CVE-2017-1000205
REJECTED
-   TODO: check
 CVE-2017-1000202
REJECTED
-   TODO: check
 CVE-2017-1000184
REJECTED
-   TODO: check
 CVE-2017-1000183
REJECTED
-   TODO: check
 CVE-2017-1000181
REJECTED
-   TODO: check
 CVE-2017-1000180
REJECTED
-   TODO: check
 CVE-2017-1000179
REJECTED
-   TODO: check
 CVE-2017-1000178
REJECTED
-   TODO: check
 CVE-2017-1000177
REJECTED
-   TODO: check
 CVE-2017-1000175
REJECTED
-   TODO: check
 CVE-2017-1000167
REJECTED
-   TODO: check
 CVE-2017-1000166
REJECTED
-   TODO: check
 CVE-2017-1000165
REJECTED
-   TODO: check
 CVE-2017-1000162
REJECTED
-   TODO: check
 CVE-2017-1000124
REJECTED
-   TODO: check
 CVE-2017-1000123
REJECTED
-   TODO: check
 CVE-2017-12982 (The bmp_read_info_header function in bin/jp2/convertbmp.c in 
OpenJPEG ...)
- openjpeg2  (unimportant)
NOTE: https://github.com/uclouvain/openjpeg/issues/983
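Review bot: style point on the new NOT-FOR-US line for CVE-2017-12977, the product name is spelled "WordPress"; the rest of the hunk is the manual cleanup of the "TODO: check" lines under REJECTED ids that the automatic update in r54929 introduced.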
@@ -1104,7 +1087,7 @@
 CVE-2017-12785
RESERVED
 CVE-2017-12784 (In Youngzsoft CCFile (aka CC File Transfer) 3.6, by sending a 
crafted ...)
-   TODO: check
+   NOT-FOR-US: Youngzsoft CCFile
 CVE-2017-12783
RESERVED
 CVE-2017-12782


[Secure-testing-commits] r54935 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 11:33:35 +0000 (Mon, 21 Aug 2017)
New Revision: 54935

Modified:
   data/CVE/list
Log:
Add CVE-2017-12809/qemu

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 09:22:14 UTC (rev 54934)
+++ data/CVE/list   2017-08-21 11:33:35 UTC (rev 54935)
@@ -1020,8 +1020,11 @@
RESERVED
 CVE-2017-12810
RESERVED
-CVE-2017-12809
+CVE-2017-12809 [ide: flushing of empty CDROM drives leads to NULL dereference]
RESERVED
+   - qemu 
+   - qemu-kvm 
+   NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html
 CVE-2017-12808
RESERVED
 CVE-2017-12807
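Review bot: the NOTE points at the patch posting on qemu-devel rather than a merged commit, and neither the qemu nor the qemu-kvm line records a fixed version. Once the patch lands upstream, the commit id should replace or accompany the mailing-list link, otherwise the fixed version cannot be derived from the entry later.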


[Secure-testing-commits] r54936 - data/CVE

2017-08-21 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-21 13:35:38 +0000 (Mon, 21 Aug 2017)
New Revision: 54936

Modified:
   data/CVE/list
Log:
unrar-nonfree fixed in sid


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 11:33:35 UTC (rev 54935)
+++ data/CVE/list   2017-08-21 13:35:38 UTC (rev 54936)
@@ -157,25 +157,25 @@
 CVE-2017-12939 (A Remote Code Execution vulnerability was identified in all 
Windows ...)
NOT-FOR-US: Unity Editor
 CVE-2017-12942 (libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the 
...)
-   - unrar-nonfree 
+   - unrar-nonfree 1:5.5.8-1
[stretch] - unrar-nonfree  (Non-free not supported)
[jessie] - unrar-nonfree  (Non-free not supported)
[wheezy] - unrar-nonfree  (Non-free not supported)
NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/6
 CVE-2017-12941 (libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in 
the ...)
-   - unrar-nonfree 
+   - unrar-nonfree 1:5.5.8-1
[stretch] - unrar-nonfree  (Non-free not supported)
[jessie] - unrar-nonfree  (Non-free not supported)
[wheezy] - unrar-nonfree  (Non-free not supported)
NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/6
 CVE-2017-12940 (libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in 
the ...)
-   - unrar-nonfree 
+   - unrar-nonfree 1:5.5.8-1
[stretch] - unrar-nonfree  (Non-free not supported)
[jessie] - unrar-nonfree  (Non-free not supported)
[wheezy] - unrar-nonfree  (Non-free not supported)
NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/6
 CVE-2017-12938 (UnRAR before 5.5.7 allows remote attackers to bypass a ...)
-   - unrar-nonfree 
+   - unrar-nonfree 1:5.5.8-1
[stretch] - unrar-nonfree  (Non-free not supported)
[jessie] - unrar-nonfree  (Non-free not supported)
[wheezy] - unrar-nonfree  (Non-free not supported)


[Secure-testing-commits] r54937 - data

2017-08-21 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-21 16:47:10 +0000 (Mon, 21 Aug 2017)
New Revision: 54937

Modified:
   data/dsa-needed.txt
Log:
add smb4k


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-21 13:35:38 UTC (rev 54936)
+++ data/dsa-needed.txt 2017-08-21 16:47:10 UTC (rev 54937)
@@ -85,6 +85,9 @@
 --
 qemu/oldstable
 --
+smb4k/oldstable (jmm)
+  apo created backport
+--
 strongswan (corsac)
 --
 tcpdump


[Secure-testing-commits] r54938 - data/CVE

2017-08-21 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-21 16:48:42 +0000 (Mon, 21 Aug 2017)
New Revision: 54938

Modified:
   data/CVE/list
Log:
mark libjpeg as undetermined


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 16:47:10 UTC (rev 54937)
+++ data/CVE/list   2017-08-21 16:48:42 UTC (rev 54938)
@@ -9402,8 +9402,9 @@
 CVE-2017-9615 (Password exposure in Cognito Software Moneyworks 8.0.3 and 
earlier ...)
NOT-FOR-US: Cognito Software Moneyworks
 CVE-2017-9614 (The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 
1.5.1 ...)
-   - libjpeg-turbo  (bug #869927)
+   - libjpeg-turbo  (bug #869927)
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167
+   NOTE: Not reproducible by upstream, might be an error in the 
application using libjpeg
 CVE-2017-9613 (Stored Cross-site scripting (XSS) vulnerability in SAP 
SuccessFactors ...)
NOT-FOR-US: SAP SuccessFactors
 CVE-2017-9612 (The Ins_IP function in base/ttinterp.c in Artifex Ghostscript 
GhostXPS ...)
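Review bot: as rendered here the removed and added libjpeg-turbo lines read identically, so the only visible change is the new NOTE; the log says the entry is marked undetermined, which means the state token is what changed and should be confirmed in the raw diff. The NOTE itself is the substantive part: "not reproducible by upstream" together with the suspicion that the fault lies in the application calling libjpeg is the justification for undetermined rather than unfixed, and it is good that it is recorded next to the issue link.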


[Secure-testing-commits] r54939 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 17:00:17 +0000 (Mon, 21 Aug 2017)
New Revision: 54939

Modified:
   data/CVE/list
Log:
Add CVE-2017-12685/connman

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 16:48:42 UTC (rev 54938)
+++ data/CVE/list   2017-08-21 17:00:17 UTC (rev 54939)
@@ -856,8 +856,10 @@
RESERVED
 CVE-2017-12866
RESERVED
-CVE-2017-12865
+CVE-2017-12865 [stack overflow in dns proxy feature]
RESERVED
+   - connman 1.35-1
+   NOTE: 
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71
 (1.35)
 CVE-2017-12864 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function 
ReadNumber did ...)
- opencv 
NOTE: https://github.com/opencv/opencv/issues/9372
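Review bot: the fixed version connman 1.35-1 is recorded without a Debian bug number (r54948 adds bug #872844 afterwards), and no [stretch] or [jessie] status line is given. Filing the bug together with the fixed-version entry is preferable, since the bug is where the follow-up for the stable suites is tracked; the upstream commit link plus "(1.35)" is the right way to document where the fix comes from.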


[Secure-testing-commits] r54940 - data/CVE

2017-08-21 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-21 17:28:22 +0000 (Mon, 21 Aug 2017)
New Revision: 54940

Modified:
   data/CVE/list
Log:
asn1c no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 17:00:17 UTC (rev 54939)
+++ data/CVE/list   2017-08-21 17:28:22 UTC (rev 54940)
@@ -85,6 +85,7 @@
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21962
 CVE-2017-12966 (The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in 
...)
- asn1c 
+   [stretch] - asn1c  (Minor issue)
 CVE-2017-12965
RESERVED
 CVE-2017-12964 (There is a stack consumption issue in LibSass 3.4.5 that is 
triggered ...)
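Review bot: only stretch receives the (Minor issue) annotation here; r54942 adds the identical line for jessie a couple of hours later. When the reasoning is the same for both suites, annotating them in one commit avoids the package showing as unaddressed in oldstable in between.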


[Secure-testing-commits] r54941 - data/CVE

2017-08-21 Thread Luciano Bello
Author: luciano
Date: 2017-08-21 17:37:33 +0000 (Mon, 21 Aug 2017)
New Revision: 54941

Modified:
   data/CVE/list
Log:
CVE-2017-7206: ffmpeg 

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 17:28:22 UTC (rev 54940)
+++ data/CVE/list   2017-08-21 17:37:33 UTC (rev 54941)
@@ -17176,7 +17176,7 @@
 CVE-2017-7206 (The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 
allows ...)
- libav 
[jessie] - libav  (Vulnerable code not present)
-   - ffmpeg  (bug #872517)
+   - ffmpeg  (bug #872517; Previous patches mitigated the 
issue)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1002
NOTE: 
https://git.libav.org/?p=libav.git;a=commit;h=83b2b34d06e74cc8775ba3d833f9782505e17539
 CVE-2017-7205 (A Cross-Site Scripting (XSS) was discovered in GamePanelX-V3 
3.0.12. ...)
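Review bot: "Previous patches mitigated the issue" is not specific enough to verify. Name the ffmpeg version or the commit(s) that removed or guarded the vulnerable ff_h2645_extract_rbsp code path, in the way the libav line above does with "(Vulnerable code not present)" for jessie plus the linked libav commit; bug #872517 can then be closed against that version instead of remaining attached to an unversioned entry.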


[Secure-testing-commits] r54942 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 19:02:18 +0000 (Mon, 21 Aug 2017)
New Revision: 54942

Modified:
   data/CVE/list
Log:
Mark asn1c as well no-dsa for jessie

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 17:37:33 UTC (rev 54941)
+++ data/CVE/list   2017-08-21 19:02:18 UTC (rev 54942)
@@ -86,6 +86,7 @@
 CVE-2017-12966 (The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in 
...)
- asn1c 
[stretch] - asn1c  (Minor issue)
+   [jessie] - asn1c  (Minor issue)
 CVE-2017-12965
RESERVED
 CVE-2017-12964 (There is a stack consumption issue in LibSass 3.4.5 that is 
triggered ...)


[Secure-testing-commits] r54943 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 19:09:51 +0000 (Mon, 21 Aug 2017)
New Revision: 54943

Modified:
   data/CVE/list
Log:
Add icedove tracking entries

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 19:02:18 UTC (rev 54942)
+++ data/CVE/list   2017-08-21 19:09:51 UTC (rev 54943)
@@ -14732,6 +14732,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7808
RESERVED
- firefox 55.0-1
@@ -14740,6 +14741,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7806
RESERVED
- firefox 55.0-1
@@ -14749,26 +14751,31 @@
RESERVED
- firefox  (Windows-specific)
- firefox-esr  (Windows-specific)
+   - icedove  (Windows-specific)
 CVE-2017-7803
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7802
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7801
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7800
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7799
RESERVED
- firefox 55.0-1
@@ -14795,11 +14802,13 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7791
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7790
RESERVED
- firefox  (Windows-specific)
@@ -14815,21 +14824,25 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7786
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7785
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7784
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7783
RESERVED
- firefox 55.0-1
@@ -14837,6 +14850,7 @@
RESERVED
- firefox  (Windows-specific)
- firefox-esr  (Windows-specific)
+   - icedove  (Windows-specific)
 CVE-2017-7781
RESERVED
- firefox 55.0-1
@@ -14848,6 +14862,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7778
RESERVED
{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
@@ -15032,6 +15047,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
+   - icedove  (bug #872834)
 CVE-2017-7752
RESERVED
{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}


[Secure-testing-commits] r54944 - data

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 19:09:53 +0000 (Mon, 21 Aug 2017)
New Revision: 54944

Modified:
   data/dsa-needed.txt
Log:
Add icedove to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-21 19:09:51 UTC (rev 54943)
+++ data/dsa-needed.txt 2017-08-21 19:09:53 UTC (rev 54944)
@@ -38,6 +38,8 @@
 --
 graphicsmagick
 --
+icedove
+--
 imagemagick (jmm)
   wait until more issues have piled up
 --


[Secure-testing-commits] r54945 - data

2017-08-21 Thread Luciano Bello
Author: luciano
Date: 2017-08-21 19:18:22 +0000 (Mon, 21 Aug 2017)
New Revision: 54945

Modified:
   data/dsa-needed.txt
Log:
aodh DSA

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-21 19:09:53 UTC (rev 54944)
+++ data/dsa-needed.txt 2017-08-21 19:18:22 UTC (rev 54945)
@@ -14,6 +14,9 @@
 --
 389-ds-base (fw)
 --
+aodh (luciano)
+  Maintainer sumitted the fix to team. Waiting for upload.
+--
 curl (ghedo)
 --
 db/oldstable
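Review bot: typo in the added status note, "sumitted" should read "submitted".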


[Secure-testing-commits] r54946 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 19:19:04 +0000 (Mon, 21 Aug 2017)
New Revision: 54946

Modified:
   data/CVE/list
Log:
Drop one end-of-life entry since fixed before the version present

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 19:18:22 UTC (rev 54945)
+++ data/CVE/list   2017-08-21 19:19:04 UTC (rev 54946)
@@ -120156,7 +120156,6 @@
- iceweasel 24.2.0esr-1
[squeeze] - iceweasel 
- icedove 24.2.0-1
-   [wheezy] - icedove 
[squeeze] - icedove 
- iceape 
[wheezy] - iceape 


[Secure-testing-commits] r54947 - in data: . DLA

2017-08-21 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-08-21 19:43:36 +0000 (Mon, 21 Aug 2017)
New Revision: 54947

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1063-1 for extplorer

Modified: data/DLA/list
===
--- data/DLA/list   2017-08-21 19:19:04 UTC (rev 54946)
+++ data/DLA/list   2017-08-21 19:43:36 UTC (rev 54947)
@@ -1,3 +1,6 @@
+[21 Aug 2017] DLA-1063-1 extplorer - security update
+   {CVE-2017-12756}
+   [wheezy] - extplorer 2.1.0b6+dfsg.3-4+deb7u5
 [20 Aug 2017] DLA-1062-1 curl - security update
{CVE-2017-1000100}
[wheezy] - curl 7.26.0-1+wheezy20

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-21 19:19:04 UTC (rev 54946)
+++ data/dla-needed.txt 2017-08-21 19:43:36 UTC (rev 54947)
@@ -39,8 +39,6 @@
 exiv2
   NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, 
sent email later
 --
-extplorer (Thorsten Alteholz)
---
 faad2
   NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, 
sent email later
 --


[Secure-testing-commits] r54948 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 19:52:20 +0000 (Mon, 21 Aug 2017)
New Revision: 54948

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-12865

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 19:43:36 UTC (rev 54947)
+++ data/CVE/list   2017-08-21 19:52:20 UTC (rev 54948)
@@ -860,7 +860,7 @@
RESERVED
 CVE-2017-12865 [stack overflow in dns proxy feature]
RESERVED
-   - connman 1.35-1
+   - connman 1.35-1 (bug #872844)
NOTE: 
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71
 (1.35)
 CVE-2017-12864 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function 
ReadNumber did ...)
- opencv 


[Secure-testing-commits] r54949 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 20:13:31 +0000 (Mon, 21 Aug 2017)
New Revision: 54949

Modified:
   data/CVE/list
Log:
Add two dnsdist issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 19:52:20 UTC (rev 54948)
+++ data/CVE/list   2017-08-21 20:13:31 UTC (rev 54949)
@@ -15703,8 +15703,11 @@
RESERVED
 CVE-2017-7558
RESERVED
-CVE-2017-7557
+CVE-2017-7557 [Alteration of ACLs via API authentication bypass]
RESERVED
+   - dnsdist 
+   NOTE: 
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html
+   NOTE: https://downloads.powerdns.com/patches/2017-02
 CVE-2017-7556 (Hawtio versions up to and including 1.5.3 are vulnerable to 
CSRF ...)
NOT-FOR-US: hawtio
 CVE-2017-7555 (Augeas versions up to and including 1.8.0 are vulnerable to 
heap-based ...)
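Review bot: the dnsdist line for CVE-2017-7557 records neither a fixed version nor a severity, even though the bracketed description ("Alteration of ACLs via API authentication bypass") is an authentication bypass on the management API. The advisory and patch URLs are the right references, but noting the fixed upstream release from the advisory in the entry would let the Debian status be resolved as soon as that version is uploaded; the same applies to the CVE-2016-7069 hunk below.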
@@ -44683,8 +44686,11 @@
NOT-FOR-US: Red Hat CloudForms
 CVE-2016-7070
RESERVED
-CVE-2016-7069
+CVE-2016-7069 [Crafted backend responses can cause a denial of service]
RESERVED
+   - dnsdist 
+   NOTE: 
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-01.html
+   NOTE: https://downloads.powerdns.com/patches/2017-01
 CVE-2016-7068
RESERVED
{DSA-3764-1 DSA-3763-1 DLA-798-1 DLA-788-1}


[Secure-testing-commits] r54950 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-21 20:19:41 +0000 (Mon, 21 Aug 2017)
New Revision: 54950

Modified:
   data/CVE/list
Log:
Add bug reference for dnsdist

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 20:13:31 UTC (rev 54949)
+++ data/CVE/list   2017-08-21 20:19:41 UTC (rev 54950)
@@ -15705,7 +15705,7 @@
RESERVED
 CVE-2017-7557 [Alteration of ACLs via API authentication bypass]
RESERVED
-   - dnsdist 
+   - dnsdist  (bug #872854)
NOTE: 
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html
NOTE: https://downloads.powerdns.com/patches/2017-02
 CVE-2017-7556 (Hawtio versions up to and including 1.5.3 are vulnerable to 
CSRF ...)
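Review bot: the bug reference is added but the version field on the `- dnsdist ` line is still empty, so the entry stays "affected everywhere" until the fixing version is written in front of `(bug #872854)`. Both dnsdist CVEs now point at the same bug #872854, which is fine for one upload fixing both, but make sure the bug title names both ids so the tracker's bug cross-reference matches in both directions.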
@@ -44688,7 +44688,7 @@
RESERVED
 CVE-2016-7069 [Crafted backend responses can cause a denial of service]
RESERVED
-   - dnsdist 
+   - dnsdist  (bug #872854)
NOTE: 
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-01.html
NOTE: https://downloads.powerdns.com/patches/2017-01
 CVE-2016-7068




[Secure-testing-commits] r54951 - data/CVE

2017-08-21 Thread security tracker role
Author: sectracker
Date: 2017-08-21 21:10:13 +0000 (Mon, 21 Aug 2017)
New Revision: 54951

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 20:19:41 UTC (rev 54950)
+++ data/CVE/list   2017-08-21 21:10:13 UTC (rev 54951)
@@ -1,3 +1,145 @@
+CVE-2017-13055
+   RESERVED
+CVE-2017-13054
+   RESERVED
+CVE-2017-13053
+   RESERVED
+CVE-2017-13052
+   RESERVED
+CVE-2017-13051
+   RESERVED
+CVE-2017-13050
+   RESERVED
+CVE-2017-13049
+   RESERVED
+CVE-2017-13048
+   RESERVED
+CVE-2017-13047
+   RESERVED
+CVE-2017-13046
+   RESERVED
+CVE-2017-13045
+   RESERVED
+CVE-2017-13044
+   RESERVED
+CVE-2017-13043
+   RESERVED
+CVE-2017-13042
+   RESERVED
+CVE-2017-13041
+   RESERVED
+CVE-2017-13040
+   RESERVED
+CVE-2017-13039
+   RESERVED
+CVE-2017-13038
+   RESERVED
+CVE-2017-13037
+   RESERVED
+CVE-2017-13036
+   RESERVED
+CVE-2017-13035
+   RESERVED
+CVE-2017-13034
+   RESERVED
+CVE-2017-13033
+   RESERVED
+CVE-2017-13032
+   RESERVED
+CVE-2017-13031
+   RESERVED
+CVE-2017-13030
+   RESERVED
+CVE-2017-13029
+   RESERVED
+CVE-2017-13028
+   RESERVED
+CVE-2017-13027
+   RESERVED
+CVE-2017-13026
+   RESERVED
+CVE-2017-13025
+   RESERVED
+CVE-2017-13024
+   RESERVED
+CVE-2017-13023
+   RESERVED
+CVE-2017-13022
+   RESERVED
+CVE-2017-13021
+   RESERVED
+CVE-2017-13020
+   RESERVED
+CVE-2017-13019
+   RESERVED
+CVE-2017-13018
+   RESERVED
+CVE-2017-13017
+   RESERVED
+CVE-2017-13016
+   RESERVED
+CVE-2017-13015
+   RESERVED
+CVE-2017-13014
+   RESERVED
+CVE-2017-13013
+   RESERVED
+CVE-2017-13012
+   RESERVED
+CVE-2017-13011
+   RESERVED
+CVE-2017-13010
+   RESERVED
+CVE-2017-13009
+   RESERVED
+CVE-2017-13008
+   RESERVED
+CVE-2017-13007
+   RESERVED
+CVE-2017-13006
+   RESERVED
+CVE-2017-13005
+   RESERVED
+CVE-2017-13004
+   RESERVED
+CVE-2017-13003
+   RESERVED
+CVE-2017-13002
+   RESERVED
+CVE-2017-13001
+   RESERVED
+CVE-2017-13000
+   RESERVED
+CVE-2017-12999
+   RESERVED
+CVE-2017-12998
+   RESERVED
+CVE-2017-12997
+   RESERVED
+CVE-2017-12996
+   RESERVED
+CVE-2017-12995
+   RESERVED
+CVE-2017-12994
+   RESERVED
+CVE-2017-12993
+   RESERVED
+CVE-2017-12992
+   RESERVED
+CVE-2017-12991
+   RESERVED
+CVE-2017-12990
+   RESERVED
+CVE-2017-12989
+   RESERVED
+CVE-2017-12988
+   RESERVED
+CVE-2017-12987
+   RESERVED
+CVE-2017-12986
+   RESERVED
+CVE-2017-12985
+   RESERVED
 CVE-2017-12984 (PHPMyWind 5.3 has XSS in shoppingcart.php, related to 
message.php, ...)
NOT-FOR-US: PHPMyWind
 CVE-2017-12983 (Heap-based buffer overflow in the ReadSFWImage function in 
coders/sfw.c ...)
@@ -1183,6 +1325,7 @@
 CVE-2017-12757
RESERVED
 CVE-2017-12756 (Command inject in transfer from another server in extplorer 
2.1.9 and ...)
+   {DLA-1063-1}
- extplorer 
NOTE: http://extplorer.net/news/21
 CVE-2017-12755
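Review bot: `{DLA-1063-1}` is recorded for CVE-2017-12756, but the `- extplorer ` package line still shows no fixed version, so only the LTS suite is marked fixed while unstable remains open; that is the correct state if no upload has reached unstable, but it deserves a NOTE (or a bug reference) so the open entry is not mistaken for a missed update.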
@@ -4161,10 +4304,12 @@
- timidity  (unimportant; bug #870338)
NOTE: http://seclists.org/fulldisclosure/2017/Jul/83
NOTE: Crash in CLI tool, no security impact
-CVE-2017-11545 (tcpdump 4.9.0 has a Segmentation Violation in the 
compressed_sl_print ...)
+CVE-2017-11545
+   REJECTED
- tcpdump 
NOTE: 
https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/segv/print-sl
-CVE-2017-11544 (tcpdump 4.9.0 has a Segmentation Violation in the 
compressed_sl_print ...)
+CVE-2017-11544
+   REJECTED
- tcpdump 
NOTE: 
https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/segv/print-sl
 CVE-2017-11543 (tcpdump 4.9.0 has a buffer overflow in the sliplink_print 
function in ...)
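Review bot: CVE-2017-11545 and CVE-2017-11544 are flipped to `REJECTED`, yet each keeps its `- tcpdump ` package line and the hackerlib print-sl NOTE. A rejected identifier should carry no package entry at all, otherwise tcpdump stays flagged as affected by an id MITRE has withdrawn; the two package/NOTE pairs should be dropped in a manual follow-up, since the automatic import only changes the status. The surviving CVE-2017-11543 entry already references the same report tree, so nothing is lost by removing them.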
@@ -7223,33 +7368,33 @@
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100774
NOTE: 
http://somevulnsofadlab.blogspot.com/2017/06/popplerstack-buffer-overflow-in.html
NOTE: Fixed by: 
https://cgit.freedesktop.org/poppler/poppler/commit/?id=75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9
-CVE-2017-9864 (An issue was discovered in SMA Solar Technology products. An 
attacker ...)
+CVE-2017-9864 (** DISPUTED ** An issue was discovered in SMA Solar Technology 
...)
NOT-FOR-US: SMA Solar Technology products
-CVE-2017-9863 (An issue was discovered in SMA Solar Technology products. If a 
user ...)
+CVE-2017-9863 (** DISPUTED ** An issue was discovered in SMA Solar Technology 
...)
NOT-FOR-US: SMA Solar Technology products
-CVE-2017-9862 (An issue was discovered in SMA Solar Technology products. When 
signed ...)
+CVE-2017-9862 (** DISPUTED ** An issue was discovered in SMA Solar Technology 
...)
NOT-FOR-US: SMA Solar Technology products
-CVE-2017-9861 (An issue was discovered in SMA Solar Technology products. 

[Secure-testing-commits] r54952 - data/CVE

2017-08-21 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-21 21:21:27 +0000 (Mon, 21 Aug 2017)
New Revision: 54952

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 21:10:13 UTC (rev 54951)
+++ data/CVE/list   2017-08-21 21:21:27 UTC (rev 54952)
@@ -4788,7 +4788,7 @@
 CVE-2017-11367 (The shoco_decompress function in the API in shoco through 
2017-07-17 ...)
NOT-FOR-US: shoco
 CVE-2017-11366 (components/filemanager/class.filemanager.php in Codiad before 
2.8.4 is ...)
-   TODO: check
+   NOT-FOR-US: Codiad
 CVE-2017-11365
RESERVED
 CVE-2017-11364 (The CMS installer in Joomla! before 3.7.4 does not verify a 
user's ...)
@@ -16390,15 +16390,15 @@
 CVE-2017-7425
RESERVED
 CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro 
Focus ...)
-   TODO: check
+   NOT-FOR-US: Micro Focus
 CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in 
esfadmingui in ...)
-   TODO: check
+   NOT-FOR-US: Micro Focus
 CVE-2017-7422 (Reflected and stored Cross-Site Scripting (XSS, CWE-79) ...)
-   TODO: check
+   NOT-FOR-US: Micro Focus
 CVE-2017-7421 (Reflected and stored Cross-Site Scripting (XSS, CWE-79) ...)
-   TODO: check
+   NOT-FOR-US: Micro Focus
 CVE-2017-7420 (An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka 
...)
-   TODO: check
+   NOT-FOR-US: Micro Focus
 CVE-2017-7419
RESERVED
 CVE-2017-7418 (ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls 
whether the ...)
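Review bot: the five entries CVE-2017-7424 through CVE-2017-7420 resolve `TODO: check` to `NOT-FOR-US: Micro Focus`, which names the vendor rather than the affected product the descriptions identify (`esfadmingui`, ESMAC). The other NOT-FOR-US lines in these hunks name the product (`NOT-FOR-US: Codiad`, `NOT-FOR-US: Novell iManager`), so for consistency and later grepping write something like `NOT-FOR-US: Micro Focus esfadmingui` here.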
@@ -19801,7 +19801,7 @@
 CVE-2017-6330
RESERVED
 CVE-2017-6329 (Symantec VIP Access for Desktop prior to 2.2.4 can be 
susceptible to a ...)
-   TODO: check
+   NOT-FOR-US: Symantec
 CVE-2017-6328 (The Symantec Messaging Gateway before 10.6.3-267 can encounter 
an ...)
NOT-FOR-US: Symantec
 CVE-2017-6327 (The Symantec Messaging Gateway before 10.6.3-267 can encounter 
an ...)
@@ -23780,7 +23780,7 @@
 CVE-2017-5188
RESERVED
 CVE-2017-5187 (A Cross-Site Request Forgery (CWE-352) vulnerability in 
Directory ...)
-   TODO: check
+   NOT-FOR-US: Micro Focus
 CVE-2017-5186 (Novell iManager 2.7 before SP7 Patch 9, NetIQ iManager 3.x 
before ...)
NOT-FOR-US: Novell iManager
 CVE-2017-5185 (A vulnerability was discovered in NetIQ Sentinel Server 8.0 
before ...)
@@ -35154,7 +35154,7 @@
 CVE-2017-0688 (A denial of service vulnerability in the Android media 
framework. ...)
NOT-FOR-US: Android media framework
 CVE-2017-0687 (A denial of service vulnerability in the Android media 
framework ...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-0686 (A denial of service vulnerability in the Android media 
framework. ...)
NOT-FOR-US: Android media framework
 CVE-2017-0685 (A denial of service vulnerability in the Android media 
framework. ...)




[Secure-testing-commits] r54953 - data/CVE

2017-08-21 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-21 21:25:35 +0000 (Mon, 21 Aug 2017)
New Revision: 54953

Modified:
   data/CVE/list
Log:
icedove fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-21 21:21:27 UTC (rev 54952)
+++ data/CVE/list   2017-08-21 21:25:35 UTC (rev 54953)
@@ -14877,7 +14877,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7808
RESERVED
- firefox 55.0-1
@@ -14886,7 +14886,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7806
RESERVED
- firefox 55.0-1
@@ -14902,25 +14902,25 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7802
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7801
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7800
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7799
RESERVED
- firefox 55.0-1
@@ -14947,13 +14947,13 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7791
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7790
RESERVED
- firefox  (Windows-specific)
@@ -14969,25 +14969,25 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7786
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7785
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7784
RESERVED
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7783
RESERVED
- firefox 55.0-1
@@ -15007,7 +15007,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7778
RESERVED
{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
@@ -15192,7 +15192,7 @@
{DSA-3928-1 DLA-1053-1}
- firefox 55.0-1
- firefox-esr 52.3.0esr-1
-   - icedove  (bug #872834)
+   - icedove 1:52.3.0-1 (bug #872834)
 CVE-2017-7752
RESERVED
{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}




[Secure-testing-commits] r54954 - in data: . DSA

2017-08-21 Thread Luciano Bello
Author: luciano
Date: 2017-08-21 21:44:19 +0000 (Mon, 21 Aug 2017)
New Revision: 54954

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-3950-1: libraw

Modified: data/DSA/list
===
--- data/DSA/list   2017-08-21 21:25:35 UTC (rev 54953)
+++ data/DSA/list   2017-08-21 21:44:19 UTC (rev 54954)
@@ -1,3 +1,7 @@
+[21 Aug 2017] DSA-3950-1 libraw - security update
+   {CVE-2017-6886 CVE-2017-6887}
+   [jessie] - libraw 0.16.0-9+deb8u3
+   [stretch] - libraw 0.17.2-6+deb9u1
 [21 Aug 2017] DSA-3949-1 augeas - security update
{CVE-2017-7555}
[jessie] - augeas 1.2.0-0.2+deb8u2
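Review bot: DSA-3950-1 is recorded for `{CVE-2017-6886 CVE-2017-6887}`, but this commit touches only data/DSA/list and data/dsa-needed.txt (per the Modified list), so the corresponding `{DSA-3950-1}` cross-reference on the two CVE entries in data/CVE/list is still missing; without it the tracker will keep showing jessie and stretch as vulnerable for those ids. Add that in a follow-up commit.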

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-21 21:25:35 UTC (rev 54953)
+++ data/dsa-needed.txt 2017-08-21 21:44:19 UTC (rev 54954)
@@ -51,8 +51,6 @@
 libav/oldstable
   several issues unfixed upstream
 --
-libraw (luciano)
---
 libvpx/oldstable
 --
 libxml-libxml-perl (carnil)




[Secure-testing-commits] r54955 - data

2017-08-21 Thread Luciano Bello
Author: luciano
Date: 2017-08-22 00:34:52 +0000 (Tue, 22 Aug 2017)
New Revision: 54955

Modified:
   data/dsa-needed.txt
Log:
the update of ffmpeg

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-21 21:44:19 UTC (rev 54954)
+++ data/dsa-needed.txt 2017-08-22 00:34:52 UTC (rev 54955)
@@ -31,7 +31,8 @@
   Existing applications might rely on existing behaviour, monitor in unstable 
for a
   month
 --
-ffmpeg/stable (luciano)
+ffmpeg/stable
+  The maintainer  will upload 3.2.7 in early September
 --
 ghostscript (carnil)
 --
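Review bot: the ffmpeg/stable entry loses its `(luciano)` claim and gains a free-form status line with a doubled space ("The maintainer  will upload"); since the entry is now unassigned, date the statement so it can be rechecked when September arrives, e.g. `2017-08-22: maintainer will upload 3.2.7 in early September`, and decide whether someone should keep the claim until that upload is confirmed.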




[Secure-testing-commits] r54956 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-22 04:59:00 +0000 (Tue, 22 Aug 2017)
New Revision: 54956

Modified:
   data/CVE/list
Log:
Two tcpdump CVEs were duplicates

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-22 00:34:52 UTC (rev 54955)
+++ data/CVE/list   2017-08-22 04:59:00 UTC (rev 54956)
@@ -4306,12 +4306,8 @@
NOTE: Crash in CLI tool, no security impact
 CVE-2017-11545
REJECTED
-   - tcpdump 
-   NOTE: 
https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/segv/print-sl
 CVE-2017-11544
REJECTED
-   - tcpdump 
-   NOTE: 
https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/segv/print-sl
 CVE-2017-11543 (tcpdump 4.9.0 has a buffer overflow in the sliplink_print 
function in ...)
- tcpdump 
NOTE: 
https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/global-overflow/print-sl
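Review bot: dropping the `- tcpdump ` and NOTE lines from the two REJECTED ids is the right follow-up to the automatic status flip, but the log message says the ids were duplicates while the entries themselves no longer say of what; add a `NOTE: duplicate of CVE-...` line under each so the reason for the rejection survives in the file rather than only in the commit history.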




[Secure-testing-commits] r54957 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-22 05:19:23 +0000 (Tue, 22 Aug 2017)
New Revision: 54957

Modified:
   data/CVE/list
Log:
Record fixing version for virglrenderer

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-22 04:59:00 UTC (rev 54956)
+++ data/CVE/list   2017-08-22 05:19:23 UTC (rev 54957)
@@ -19748,7 +19748,7 @@
 CVE-2013-7460 (A write protection and execution bypass vulnerability in McAfee 
(now ...)
NOT-FOR-US: Intel antivirus
 CVE-2017-6355 (Integer overflow in the vrend_create_shader function in ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: Fixed by: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=93761787b29f37fa627dea9082cdfc1a1ec608d6
 (0.6.0)
 CVE-2017-6354
RESERVED
@@ -19862,7 +19862,7 @@
[wheezy] - graphicsmagick  (vulnerable code not present)
NOTE: Fixed by: 
https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/
 CVE-2017-6317 (Memory leak in the add_shader_program function in 
vrend_renderer.c in ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=a2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4
 (0.6.0)
 CVE-2017-6314 (The make_available_at_least function in io-tiff.c in gdk-pixbuf 
allows ...)
- gdk-pixbuf  (bug #856448)
@@ -20157,10 +20157,10 @@
- linux 4.9.13-1
NOTE: Fixed by: 
https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82 
(v4.10-rc8)
 CVE-2017-6210 (The vrend_decode_reset function in vrend_decode.c in 
virglrenderer ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: Fixed by: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=0a5dff15912207b83018485f83e067474e818bab
 (0.6.0)
 CVE-2017-6209 (Stack-based buffer overflow in the parse_identifier function in 
...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: Fixed by: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=e534b51ca3c3cd25f3990589932a9ed711c59b27
 (0.6.0)
 CVE-2017-6208
RESERVED
@@ -20671,11 +20671,11 @@
[jessie] - xen  (Too intrusive to backport)
NOTE: https://xenbits.xen.org/xsa/advisory-206.html
 CVE-2017-5994 (Heap-based buffer overflow in the 
vrend_create_vertex_elements_state ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=114688c526fe45f341d75ccd1d85473c3b08f7a7
 (0.6.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422452
 CVE-2017-5993 (Memory leak in the vrend_renderer_init_blit_ctx function in ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=6eb13f7a2dcf391ec9e19b4c2a79e68305f63c22
 (0.6.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422438
 CVE-2017-5991 (An issue was discovered in Artifex Software, Inc. MuPDF before 
...)
@@ -20825,11 +20825,11 @@
 CVE-2017-5958
RESERVED
 CVE-2017-5957 (Stack-based buffer overflow in the 
vrend_decode_set_framebuffer_state ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=926b9b3460a48f6454d8bbe9e44313d86a65447f
 (0.6.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421126
 CVE-2017-5956 (The vrend_draw_vbo function in virglrenderer before 0.6.0 
allows local ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer 0.6.0-1 (bug #858255)
NOTE: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=a5ac49940c40ae415eac0cf912eac7070b4ba95d
 (0.6.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421073
NOTE: The original fix opens a memory leak: 
http://www.openwall.com/lists/oss-security/2017/02/24/2
@@ -20919,11 +20919,11 @@
 CVE-2017-5936 (OpenStack Nova-LXD before 13.1.1 uses the wrong name for the 
veth ...)
NOT-FOR-US: Nova-LXD
 CVE-2017-5937 (The util_format_is_pure_uint function in vrend_renderer.c in 
Virgil 3d ...)
-   - virglrenderer  (bug #854728)
+   - virglrenderer 0.6.0-1 (bug #854728)
NOTE: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=48f67f60967f963b698ec8df57ec6912a43d6282
 (0.6.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420246
 CVE-2016-10214 (Memory leak in the virgl_resource_attach_backing function in 
...)
-   - virglrenderer  (bug #854728)
+   - virglrenderer 0.6.0-1 (bug #854728)
NOTE: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=40b0e7813325b08077b6f541b3989edb2d86d837
 (0.6.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420266
 CVE-2017-5935
@@ -22238,7 +22238,7 @@
   

[Secure-testing-commits] r54958 - data/CVE

2017-08-21 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-22 05:34:29 +0000 (Tue, 22 Aug 2017)
New Revision: 54958

Modified:
   data/CVE/list
Log:
Record the separate bug for CVE-2017-6386

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-22 05:19:23 UTC (rev 54957)
+++ data/CVE/list   2017-08-22 05:34:29 UTC (rev 54958)
@@ -19644,7 +19644,7 @@
NOTE: 
https://github.com/radare/radare2/commit/ead645853a63bf83d8386702cad0cf23b31d7eeb
NOTE: https://github.com/radare/radare2/issues/6857
 CVE-2017-6386 (Memory leak in the vrend_create_vertex_elements_state function 
in ...)
-   - virglrenderer  (bug #858255)
+   - virglrenderer  (bug #858255; bug #872884)
NOTE: Fixed by: 
https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920
 CVE-2017-6385
RESERVED
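Review bot: CVE-2017-6386 now carries a second bug (#872884) but still no fixed version, and unlike the other virglrenderer entries its `Fixed by:` NOTE has no `(0.6.0)` release tag, which suggests this fix is not in the 0.6.0-1 upload that closed the rest of bug #858255. That is consistent, but say so explicitly with a NOTE (for example that the commit is not part of the 0.6.0 release) so the missing version is not later mistaken for an oversight and bulk-filled to 0.6.0-1.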

