[Secure-testing-commits] r55401 - data/DSA
Author: carnil Date: 2017-09-03 05:54:27 + (Sun, 03 Sep 2017) New Revision: 55401 Modified: data/DSA/list Log: Reserve DSA number for libgd2 Modified: data/DSA/list === --- data/DSA/list 2017-09-03 05:12:16 UTC (rev 55400) +++ data/DSA/list 2017-09-03 05:54:27 UTC (rev 55401) @@ -1,3 +1,7 @@ +[03 Sep 2017] DSA-3961-1 libgd2 - security update + {CVE-2017-6362} + [jessie] - libgd2 2.1.0-5+deb8u11 + [stretch] - libgd2 2.2.4-2+deb9u2 [01 Sep 2017] DSA-3960-1 gnupg - security update {CVE-2017-7526} [jessie] - gnupg 1.4.18-7+deb8u4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
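Review bot: the new DSA-3961-1 entry pins libgd2 2.1.0-5+deb8u11 for jessie and 2.2.4-2+deb9u2 for stretch; since the tracker derives fixed status from these exact version strings, confirm both uploads were accepted with these versions before the advisory text goes out. Otherwise the entry matches the format of the adjacent DSA-3960-1 gnupg line (date, id, package, CVE set, per-suite versions).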
[Secure-testing-commits] r55400 - data
Author: carnil Date: 2017-09-03 05:12:16 + (Sun, 03 Sep 2017) New Revision: 55400 Modified: data/dsa-needed.txt Log: Add pyjwt/stable to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-09-03 04:35:16 UTC (rev 55399) +++ data/dsa-needed.txt 2017-09-03 05:12:16 UTC (rev 55400) @@ -75,6 +75,8 @@ -- phpmyadmin -- +pyjwt/stable +-- poppler -- qemu/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
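Review bot: the new pyjwt/stable entry carries no NOTE saying which open CVE it is for or whether anyone is working on it, so it reads as an unexplained TODO next to entries that do explain themselves (compare the ruby2.3/stable entry added in r55399 with its "proposed a debdiff, needs review and ack" NOTE). Suggest adding a NOTE line under it, e.g. "  NOTE: <CVE id> open in stretch, no claimant yet", so the next person scanning dsa-needed.txt can triage it without opening the CVE list.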
[Secure-testing-commits] r55399 - data
Author: carnil Date: 2017-09-03 04:35:16 + (Sun, 03 Sep 2017) New Revision: 55399 Modified: data/dsa-needed.txt Log: Add ruby2.3, Antonio Terceiro (terceiro) proposed an update Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-09-03 04:25:19 UTC (rev 55398) +++ data/dsa-needed.txt 2017-09-03 04:35:16 UTC (rev 55399) @@ -79,6 +79,9 @@ -- qemu/oldstable -- +ruby2.3/stable + terceiro proposed a debdiff fixing various open CVEs, needs review and ack +-- simplesamlphp -- strongswan (corsac) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
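Review bot: the NOTE under ruby2.3/stable asks for review and ack of terceiro's debdiff but gives no pointer to it (bug number or list archive URL), so the reviewer it asks for has to go looking; other NOTEs in this file link the relevant message (compare the lists.debian.org links under ruby1.9.1 and rubygems in r55391). Suggest extending it to something like "  NOTE: 20170903: terceiro proposed a debdiff (see <URL or bug#>), needs review and ack", using the dated form the file already uses.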
[Secure-testing-commits] r55398 - data/CVE
Author: carnil Date: 2017-09-03 04:25:19 + (Sun, 03 Sep 2017) New Revision: 55398 Modified: data/CVE/list Log: asterisk fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-09-02 21:40:33 UTC (rev 55397) +++ data/CVE/list 2017-09-03 04:25:19 UTC (rev 55398) @@ -98,16 +98,16 @@ CVE-2017-14078 RESERVED CVE-2017-14098 (In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 ...) - - asterisk (bug #873909) + - asterisk 1:13.17.1~dfsg-1 (bug #873909) [stretch] - asterisk (Vulnerable code not present; issue introduced in 13.15) [jessie] - asterisk (Vulnerable code not present; issue introduced in 13.15) [wheezy] - asterisk (Vulnerable code not present; issue introduced in 13.15) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27152 CVE-2017-14100 (In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before ...) - - asterisk (bug #873908) + - asterisk 1:13.17.1~dfsg-1 (bug #873908) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27103 CVE-2017-14099 (In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before ...) - - asterisk (bug #873907) + - asterisk 1:13.17.1~dfsg-1 (bug #873907) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27013 CVE-2017-14077 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
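Review bot: only CVE-2017-14098 has [stretch]/[jessie]/[wheezy] annotations; CVE-2017-14100 and CVE-2017-14099 get the unstable fixed version 1:13.17.1~dfsg-1 but no suite lines, and their descriptions say 11.x before 11.25.2 and 13.x before 13.17.1 are affected, so the tracker will now show both as open in every stable suite with no owner. Either add the suite assessments here or put asterisk on dsa-needed/dla-needed in the same change so the entries do not sit unattended.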
[Secure-testing-commits] r55397 - in data: . DLA
Author: lamby Date: 2017-09-02 21:40:33 + (Sat, 02 Sep 2017) New Revision: 55397 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1084-1 for libidn. Modified: data/DLA/list === --- data/DLA/list 2017-09-02 21:10:12 UTC (rev 55396) +++ data/DLA/list 2017-09-02 21:40:33 UTC (rev 55397) @@ -1,3 +1,6 @@ +[02 Sep 2017] DLA-1084-1 libidn - security update + {CVE-2017-14062} + [wheezy] - libidn 1.25-2+deb7u3 [31 Aug 2017] DLA-1083-1 openexr - security update {CVE-2017-9110 CVE-2017-9112 CVE-2017-9116} [wheezy] - openexr 1.6.1-6+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-02 21:10:12 UTC (rev 55396) +++ data/dla-needed.txt 2017-09-02 21:40:33 UTC (rev 55397) @@ -97,8 +97,6 @@ -- libgd2 (Emilio Pozuelo) -- -libidn (Chris Lamb) --- libidn2-0 (Chris Lamb) -- libmad ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
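Review bot: the removal of "libidn (Chris Lamb)" together with its "--" separator keeps dla-needed.txt well-formed, and the DLA-1084-1 entry follows the format of DLA-1083-1 above it. The neighbouring "libidn2-0 (Chris Lamb)" entry stays behind with no NOTE; a one-line NOTE stating whether it is waiting on the same CVE-2017-14062 or on something else would save the next reader a lookup, given both are claimed by the same person.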
[Secure-testing-commits] r55396 - data/CVE
Author: sectracker Date: 2017-09-02 21:10:12 + (Sat, 02 Sep 2017) New Revision: 55396 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-09-02 20:52:17 UTC (rev 55395) +++ data/CVE/list 2017-09-02 21:10:12 UTC (rev 55396) @@ -7,7 +7,7 @@ CVE-2017- [directory traversal vulnerability] - unrar-free (bug #874059) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 -CVE-2017-14114 [information disclosure or denial of service] +CVE-2017-14114 (RTPproxy through 2.2.alpha.20160822 has a NAT feature that results in ...) - rtpproxy (bug #874070) NOTE: https://rtpbleed.com/ CVE-2017-14113 @@ -97,16 +97,16 @@ RESERVED CVE-2017-14078 RESERVED -CVE-2017-14098 [AST-2017-007: Remote Crash Vulerability in res_pjsip] +CVE-2017-14098 (In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 ...) - asterisk (bug #873909) [stretch] - asterisk (Vulnerable code not present; issue introduced in 13.15) [jessie] - asterisk (Vulnerable code not present; issue introduced in 13.15) [wheezy] - asterisk (Vulnerable code not present; issue introduced in 13.15) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27152 -CVE-2017-14100 [AST-2017-006: Shell access command injection inapp_minivm] +CVE-2017-14100 (In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before ...) - asterisk (bug #873908) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27103 -CVE-2017-14099 [AST-2017-005: Media takeover in RTP stack] +CVE-2017-14099 (In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before ...) - asterisk (bug #873907) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27013 CVE-2017-14077 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
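Review bot: the automatic update replaces the hand-written bracket summaries ("[AST-2017-007: Remote Crash Vulerability in res_pjsip]", "[AST-2017-006: ...]", "[AST-2017-005: ...]") with the MITRE descriptions, so the AST-2017-005/006/007 advisory ids no longer appear anywhere in these three entries; only the ASTERISK-27xxx JIRA links remain. Suggest keeping the advisory id in a NOTE (e.g. "  NOTE: AST-2017-007") so the entries can still be matched against upstream's advisory numbering. The same applies to CVE-2017-14114, whose "[information disclosure or denial of service]" summary is gone, though the rtpbleed.com NOTE still identifies it.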
[Secure-testing-commits] r55394 - data
Author: lamby Date: 2017-09-02 20:52:16 + (Sat, 02 Sep 2017) New Revision: 55394 Modified: data/dla-needed.txt Log: Claim libidn2-0 in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-02 20:52:15 UTC (rev 55393) +++ data/dla-needed.txt 2017-09-02 20:52:16 UTC (rev 55394) @@ -99,7 +99,7 @@ -- libidn (Chris Lamb) -- -libidn2-0 +libidn2-0 (Chris Lamb) -- libmad NOTE: Kurt wants to upload in case of available patches ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55392 - data
Author: lamby Date: 2017-09-02 20:52:14 + (Sat, 02 Sep 2017) New Revision: 55392 Modified: data/dla-needed.txt Log: Claim libidn in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-02 20:49:17 UTC (rev 55391) +++ data/dla-needed.txt 2017-09-02 20:52:14 UTC (rev 55392) @@ -97,7 +97,7 @@ -- libgd2 (Emilio Pozuelo) -- -libidn +libidn (Chris Lamb) -- libidn2-0 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55393 - data
Author: lamby Date: 2017-09-02 20:52:15 + (Sat, 02 Sep 2017) New Revision: 55393 Modified: data/dla-needed.txt Log: Correct ordering in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-02 20:52:14 UTC (rev 55392) +++ data/dla-needed.txt 2017-09-02 20:52:15 UTC (rev 55393) @@ -151,15 +151,15 @@ NOTE: .ruby-version is .rbenv-version in wheezy NOTE: 20170802: No upstream patch (lamby) -- +ruby-passenger + NOTE: 20170812: I think this is ext/nginx/ContentHandler.c in create_request. (lamby) +-- ruby1.9.1 NOTE: FTBFS, see https://lists.debian.org/87h8wkzyos@curie.anarc.at -- rubygems NOTE: test package available, see https://lists.debian.org/87h8wkzyos@curie.anarc.at -- -ruby-passenger - NOTE: 20170812: I think this is ext/nginx/ContentHandler.c in create_request. (lamby) --- simplesamlphp -- sox ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
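Review bot: the move is consistent with byte-wise sorting ("ruby-passenger" sorts before "ruby1.9.1" because "-" precedes "1", and "rubygems" sorts after both), and the relocated block keeps its 20170812 NOTE intact, so nothing further is needed on ordering. The moved ruby-passenger entry still has no claimant, which matches its state before the move rather than being something lost in it.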
[Secure-testing-commits] r55395 - data
Author: lamby Date: 2017-09-02 20:52:17 + (Sat, 02 Sep 2017) New Revision: 55395 Modified: data/dla-needed.txt Log: Update note for openexr in data/dla-needed.txt. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-02 20:52:16 UTC (rev 55394) +++ data/dla-needed.txt 2017-09-02 20:52:17 UTC (rev 55395) @@ -137,7 +137,7 @@ NOTE: 20170810: Wait for more issues (see ML: https://lists.debian.org/debian-lts/2017/08/msg00039.html) -- openexr - NOTE: CVE-2017-12596: bug reported upstream but no response yet + NOTE: 20170902: CVE-2017-12596: bug reported upstream but no response yet (lamby) -- phamm NOTE: no upstream fixed yet, therefore maintainers not yet contacted ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55391 - data
Author: anarcat Date: 2017-09-02 20:49:17 + (Sat, 02 Sep 2017) New Revision: 55391 Modified: data/dla-needed.txt Log: give up on ruby for a week Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-02 17:22:08 UTC (rev 55390) +++ data/dla-needed.txt 2017-09-02 20:49:17 UTC (rev 55391) @@ -151,9 +151,11 @@ NOTE: .ruby-version is .rbenv-version in wheezy NOTE: 20170802: No upstream patch (lamby) -- -ruby1.9.1 (anarcat) +ruby1.9.1 + NOTE: FTBFS, see https://lists.debian.org/87h8wkzyos@curie.anarc.at -- -rubygems (anarcat) +rubygems + NOTE: test package available, see https://lists.debian.org/87h8wkzyos@curie.anarc.at -- ruby-passenger NOTE: 20170812: I think this is ext/nginx/ContentHandler.c in create_request. (lamby) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
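Review bot: both new NOTE lines point at the same message (https://lists.debian.org/87h8wkzyos@curie.anarc.at), so a reader cannot tell from the file which part of that message covers the FTBFS and which the test package; a short qualifier in each NOTE (e.g. "FTBFS when rebuilding in wheezy, see ...", "test package available at ...") would help. Since the (anarcat) claims are dropped, a dated NOTE saying the packages are free to be picked up, as the commit message indicates, would follow the convention of the lamby NOTEs just above.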
[Secure-testing-commits] r55389 - data/CVE
Author: carnil Date: 2017-09-02 17:18:07 + (Sat, 02 Sep 2017) New Revision: 55389 Modified: data/CVE/list Log: Add CVE-2017-14114/rtpproxy Modified: data/CVE/list === --- data/CVE/list 2017-09-02 17:11:49 UTC (rev 55388) +++ data/CVE/list 2017-09-02 17:18:07 UTC (rev 55389) @@ -7,6 +7,9 @@ CVE-2017- [directory traversal vulnerability] - unrar-free (bug #874059) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 +CVE-2017-14114 [information disclosure or denial of service] + - rtpproxy + NOTE: https://rtpbleed.com/ CVE-2017-14113 RESERVED CVE-2017-14112 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
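Review bot: the new CVE-2017-14114 entry has a generic bracket summary and no bug reference or severity; the NOTE URL (https://rtpbleed.com/) identifies the issue, so the summary could name it (e.g. "[RTPBleed: information disclosure or denial of service]"), and a Debian bug should be filed and referenced the way the unrar-free entry immediately above does (bug #874059).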
[Secure-testing-commits] r55390 - data/CVE
Author: carnil Date: 2017-09-02 17:22:08 + (Sat, 02 Sep 2017) New Revision: 55390 Modified: data/CVE/list Log: Add bug reference for CVE-2017-14114/rtpproxy Modified: data/CVE/list === --- data/CVE/list 2017-09-02 17:18:07 UTC (rev 55389) +++ data/CVE/list 2017-09-02 17:22:08 UTC (rev 55390) @@ -8,7 +8,7 @@ - unrar-free (bug #874059) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 CVE-2017-14114 [information disclosure or denial of service] - - rtpproxy + - rtpproxy (bug #874070) NOTE: https://rtpbleed.com/ CVE-2017-14113 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55388 - data/CVE
Author: carnil Date: 2017-09-02 17:11:49 + (Sat, 02 Sep 2017) New Revision: 55388 Modified: data/CVE/list Log: CVEs assigned for asterisk issues Modified: data/CVE/list === --- data/CVE/list 2017-09-02 15:38:08 UTC (rev 55387) +++ data/CVE/list 2017-09-02 17:11:49 UTC (rev 55388) @@ -54,12 +54,6 @@ NOTE: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038085.html CVE-2017-14101 RESERVED -CVE-2017-14100 - RESERVED -CVE-2017-14099 - RESERVED -CVE-2017-14098 - RESERVED CVE-2017-14097 RESERVED CVE-2017-14096 @@ -100,16 +94,16 @@ RESERVED CVE-2017-14078 RESERVED -CVE-2017- [AST-2017-007: Remote Crash Vulerability in res_pjsip] +CVE-2017-14098 [AST-2017-007: Remote Crash Vulerability in res_pjsip] - asterisk (bug #873909) [stretch] - asterisk (Vulnerable code not present; issue introduced in 13.15) [jessie] - asterisk (Vulnerable code not present; issue introduced in 13.15) [wheezy] - asterisk (Vulnerable code not present; issue introduced in 13.15) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27152 -CVE-2017- [AST-2017-006: Shell access command injection inapp_minivm] +CVE-2017-14100 [AST-2017-006: Shell access command injection inapp_minivm] - asterisk (bug #873908) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27103 -CVE-2017- [AST-2017-005: Media takeover in RTP stack] +CVE-2017-14099 [AST-2017-005: Media takeover in RTP stack] - asterisk (bug #873907) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27013 CVE-2017-14077 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
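Review bot: the CVE ids are filled in against the three asterisk bugs and dropping the RESERVED placeholders for CVE-2017-14098/14099/14100 in the first hunk is the right cleanup, but the bracket summaries carry two typos over from the placeholders: "Vulerability" should be "Vulnerability" in the CVE-2017-14098 line, and "inapp_minivm" should be "in app_minivm" in the CVE-2017-14100 line. Worth fixing in the same pass, since these summaries are what the tracker displays until the MITRE descriptions land.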
[Secure-testing-commits] r55387 - data/CVE
Author: carnil Date: 2017-09-02 15:38:08 + (Sat, 02 Sep 2017) New Revision: 55387 Modified: data/CVE/list Log: Add unrar-free issues Modified: data/CVE/list === --- data/CVE/list 2017-09-02 12:25:08 UTC (rev 55386) +++ data/CVE/list 2017-09-02 15:38:08 UTC (rev 55387) @@ -1,3 +1,12 @@ +CVE-2017- [null pointer dereference] + - unrar-free (bug #874061) + NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 +CVE-2017- [stack overread vulnerability] + - unrar-free (bug #874060) + NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 +CVE-2017- [directory traversal vulnerability] + - unrar-free (bug #874059) + NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 CVE-2017-14113 RESERVED CVE-2017-14112 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
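Review bot: the three unrar-free entries still have "CVE-2017-" placeholder ids, no severity, and no [stretch]/[jessie]/[wheezy] assessments, and all three cite the same oss-security post; until ids are assigned the automatic update cannot match them, so the placeholder lines will need manual replacement later. Suggest adding at least the severity and suite status now so the package can be triaged for dsa-needed/dla-needed rather than sitting as three untriaged entries, and recording in a NOTE which of the three (bugs #874061, #874060, #874059) has an upstream fix available, if any.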
[Secure-testing-commits] r55386 - data/CVE
Author: carnil Date: 2017-09-02 12:25:08 + (Sat, 02 Sep 2017) New Revision: 55386 Modified: data/CVE/list Log: Add three new imagemagick issues Modified: data/CVE/list === --- data/CVE/list 2017-09-02 09:17:47 UTC (rev 55385) +++ data/CVE/list 2017-09-02 12:25:08 UTC (rev 55386) @@ -3924,11 +3924,20 @@ NOTE: https://curl.haxx.se/CVE-2017-199.patch NOTE: Introduced by: https://github.com/curl/curl/commit/7c312f84ea930d8 CVE-2017-12693 (The ReadBMPImage function in coders/bmp.c in ImageMagick 7.0.6-6 ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/652 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/75fcbf5d649bba046c6a0db650a518f7bfc0fb3f + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6709bd585b9609a9cf98a7042089f3e725886d5e CVE-2017-12692 (The ReadVIFFImage function in coders/viff.c in ImageMagick 7.0.6-6 ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/653 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/4a25fe5447bfb3a1918a2e9d595928e853b09d2e + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5919dc606bc1d6022d3d2d205a91fdbe98de9e15 CVE-2017-12691 (The ReadOneLayer function in coders/xcf.c in ImageMagick 7.0.6-6 ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/656 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/f1ea048a3a34df293764502401d966aeacf9179d + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/68bbe7b8b226ed79e339296793f68f1b2bebc519 CVE-2017-12690 RESERVED CVE-2017-12689 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
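Review bot: each of the three ImageMagick entries now has the upstream issue link and both the IM7 and ImageMagick-6 fix commits, which is what a backport needs, but the "- imagemagick" lines carry no fixed version, severity, or suite annotations, so the tracker will show CVE-2017-12691/12692/12693 as open in unstable and in every stable suite. Suggest adding the severity now and the unstable version once the fixes are uploaded; the ImageMagick-6 commits in the NOTEs are the ones relevant to the stable branches.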
[Secure-testing-commits] r55385 - data/CVE
Author: jmm Date: 2017-09-02 09:17:47 + (Sat, 02 Sep 2017) New Revision: 55385 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-09-02 09:16:05 UTC (rev 55384) +++ data/CVE/list 2017-09-02 09:17:47 UTC (rev 55385) @@ -182,7 +182,7 @@ - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/124eb202e70678539544f6268efc98131f19fa49 CVE-2017-14053 (NetApp OnCommand Unified Manager for Clustered Data ONTAP before 7.2P1 ...) - TODO: check + NOT-FOR-US: NetApp CVE-2017-14052 RESERVED CVE-2016-10510 (Cross-site scripting (XSS) vulnerability in the Security component of ...) @@ -4657,11 +4657,11 @@ NOTE: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675 NOTE: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952 (4.5) CVE-2017-12423 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote ...) - TODO: check + NOT-FOR-US: NetApp CVE-2017-12422 (NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before ...) NOT-FOR-US: NetApp CVE-2017-12421 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote ...) - TODO: check + NOT-FOR-US: NetApp CVE-2017-12420 (Heap-based buffer overflow in the SMB implementation in NetApp ...) NOT-FOR-US: NetApp CVE-2017-12419 (If, after successful installation of MantisBT through 2.5.2 on ...) @@ -64916,7 +64916,7 @@ CVE-2016-1896 (Race condition in the initialization process on Lexmark printers with ...) NOT-FOR-US: Firmware in Lexmark printers CVE-2016-1895 (NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote ...) - TODO: check + NOT-FOR-US: NetApp CVE-2016-1894 (NetApp OnCommand Workflow Automation before 3.1P2 allows remote ...) NOT-FOR-US: NetApp CVE-2016-1893 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55384 - data/CVE
Author: jmm Date: 2017-09-02 09:16:05 + (Sat, 02 Sep 2017) New Revision: 55384 Modified: data/CVE/list Log: sleuthkit no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-09-02 09:10:16 UTC (rev 55383) +++ data/CVE/list 2017-09-02 09:16:05 UTC (rev 55384) @@ -806,7 +806,9 @@ CVE-2017-13761 RESERVED CVE-2017-13760 (In The Sleuth Kit (TSK) 4.4.2, fls hangs on a corrupt exfat image in ...) - - sleuthkit (bug #873724) + - sleuthkit (low; bug #873724) + [stretch] - sleuthkit (Minor issue) + [jessie] - sleuthkit (Minor issue) [wheezy] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/906 CVE-2017-13759 @@ -822,11 +824,15 @@ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22018 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a CVE-2017-13756 (In The Sleuth Kit (TSK) 4.4.2, opening a crafted disk image triggers ...) - - sleuthkit (bug #873725) + - sleuthkit (low; bug #873725) + [stretch] - sleuthkit (Minor issue) + [jessie] - sleuthkit (Minor issue) [wheezy] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/914 CVE-2017-13755 (In The Sleuth Kit (TSK) 4.4.2, opening a crafted ISO 9660 image ...) - - sleuthkit (bug #873726) + - sleuthkit (low; bug #873726) + [stretch] - sleuthkit (Minor issue) + [jessie] - sleuthkit (Minor issue) [wheezy] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/913 CVE-2017-13754 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
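Review bot: the commit message says "no-dsa", but the new [stretch] and [jessie] lines as displayed here read only "- sleuthkit (Minor issue)", the same form as the pre-existing [wheezy] line; if the tracker's status tag was dropped by the mail rendering that is fine, otherwise the lines need the explicit no-dsa tag or the tracker will still count the issues as open in those suites. The "(low; bug #...)" severity addition is applied consistently to all three entries.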
[Secure-testing-commits] r55383 - data/CVE
Author: sectracker Date: 2017-09-02 09:10:16 + (Sat, 02 Sep 2017) New Revision: 55383 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-09-02 08:28:51 UTC (rev 55382) +++ data/CVE/list 2017-09-02 09:10:16 UTC (rev 55383) @@ -1,3 +1,11 @@ +CVE-2017-14113 + RESERVED +CVE-2017-14112 + RESERVED +CVE-2017-14111 + RESERVED +CVE-2017-14110 + RESERVED CVE-2017-1000201 NOT-FOR-US: tcmu-runner CVE-2017-1000200 @@ -173,8 +181,8 @@ [stretch] - ffmpeg (Can be fixed along when more severe issues are being fixed) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/124eb202e70678539544f6268efc98131f19fa49 -CVE-2017-14053 - RESERVED +CVE-2017-14053 (NetApp OnCommand Unified Manager for Clustered Data ONTAP before 7.2P1 ...) + TODO: check CVE-2017-14052 RESERVED CVE-2016-10510 (Cross-site scripting (XSS) vulnerability in the Security component of ...) 
@@ -3462,22 +3470,18 @@ NOT-FOR-US: C.P.Sub CVE-2017-12854 RESERVED -CVE-2017-12874 [Incorrect signature verification] - RESERVED +CVE-2017-12874 (The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof ...) - simplesamlphp 1.14.11-1 NOTE: Issue lies in simplesamlphp/simplesamlphp-module-infocard and fixed NOTE: in 1.0.1. The module is embedded in src:simplesamlphp NOTE: https://simplesamlphp.org/security/201612-03 -CVE-2017-12873 [Incorrect persistent NameID generation] - RESERVED +CVE-2017-12873 (SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201612-04 -CVE-2017-12872 [Multiple timing side-channel issues] - RESERVED +CVE-2017-12872 (The (1) Htpasswd authentication source in the authcrypt module and (2) ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201703-01 -CVE-2017-12871 [Incorrect IV generation for encryption] - RESERVED +CVE-2017-12871 (The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in ...) - simplesamlphp 1.14.15-1 [jessie] - simplesamlphp (Vulnerable code not present) [wheezy] - simplesamlphp (Vulnerable code not present) @@ -3913,12 +3917,12 @@ NOTE: https://curl.haxx.se/docs/adv_20170809C.html NOTE: https://curl.haxx.se/CVE-2017-199.patch NOTE: Introduced by: https://github.com/curl/curl/commit/7c312f84ea930d8 -CVE-2017-12693 - RESERVED -CVE-2017-12692 - RESERVED -CVE-2017-12691 - RESERVED +CVE-2017-12693 (The ReadBMPImage function in coders/bmp.c in ImageMagick 7.0.6-6 ...) + TODO: check +CVE-2017-12692 (The ReadVIFFImage function in coders/viff.c in ImageMagick 7.0.6-6 ...) + TODO: check +CVE-2017-12691 (The ReadOneLayer function in coders/xcf.c in ImageMagick 7.0.6-6 ...) + TODO: check CVE-2017-12690 RESERVED CVE-2017-12689 
@@ -4646,12 +4650,12 @@ [wheezy] - shadow (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675 NOTE: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952 (4.5) -CVE-2017-12423 - RESERVED +CVE-2017-12423 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote ...) + TODO: check CVE-2017-12422 (NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before ...) NOT-FOR-US: NetApp -CVE-2017-12421 - RESERVED +CVE-2017-12421 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote ...) + TODO: check CVE-2017-12420 (Heap-based buffer overflow in the SMB implementation in NetApp ...) NOT-FOR-US: NetApp CVE-2017-12419 (If, after successful installation of MantisBT through 2.5.2 on ...) @@ -64905,8 +64909,8 @@ NOTE: http://git.zx2c4.com/cgit/commit/?id=1c581a072651524f3b0d91f33e22a42c4166dd96 (v0.12) CVE-2016-1896 (Race condition in the initialization process on Lexmark printers with ...) NOT-FOR-US: Firmware in Lexmark printers -CVE-2016-1895 - RESERVED +CVE-2016-1895 (NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote ...) + TODO: check CVE-2016-1894 (NetApp OnCommand Workflow Automation before 3.1P2 allows remote ...) NOT-FOR-US: NetApp CVE-2016-1893 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
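Review bot: two follow-ups stand out after the MITRE descriptions are filled in. The simplesamlphp entries for CVE-2017-12873 and CVE-2017-12872 have the fixed version 1.14.15-1 but no [jessie]/[wheezy] assessment, unlike CVE-2017-12871 which is marked "Vulnerable code not present" for both, so they now show as open in oldstable and wheezy and need a decision. The four NetApp "TODO: check" entries (CVE-2017-14053, CVE-2017-12423, CVE-2017-12421, CVE-2016-1895) sit next to existing "NOT-FOR-US: NetApp" lines and can be resolved the same way, and the three ImageMagick "TODO: check" entries (CVE-2017-12691/12692/12693) need the upstream fix references before they can be assessed.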
[Secure-testing-commits] r55382 - data/CVE
Author: jmm Date: 2017-09-02 08:28:51 + (Sat, 02 Sep 2017) New Revision: 55382 Modified: data/CVE/list Log: mark remaining ffmpeg issues as postponed add libav as undetermined Modified: data/CVE/list === --- data/CVE/list 2017-09-02 06:27:06 UTC (rev 55381) +++ data/CVE/list 2017-09-02 08:28:51 UTC (rev 55382) 
@@ -146,22 +146,32 @@ CVE-2017-14059 (In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF ...) - ffmpeg (low) [stretch] - ffmpeg (Can be fixed along when more severe issues are being fixed) + - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/7e80b63ecd259d69d383623e75b318bf2bd491f6 CVE-2017-14058 (In FFmpeg 3.3.3, the read_data function in libavformat/hls.c does not ...) - ffmpeg (low) [stretch] - ffmpeg (Can be fixed along when more severe issues are being fixed) + - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/7ec414892ddcad88313848494b6fc5f437c9ca4a CVE-2017-14057 (In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End ...) - ffmpeg (low) + [stretch] - ffmpeg (Can be fixed along when more severe issues are being fixed) + - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/7f9ec5593e04827249e7aeb466da06a98a0d7329 CVE-2017-14056 (In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due to ...) - ffmpeg (low) + [stretch] - ffmpeg (Can be fixed along when more severe issues are being fixed) + - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de CVE-2017-14055 (In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due ...) - ffmpeg (low) + [stretch] - ffmpeg (Can be fixed along when more severe issues are being fixed) + - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/4f05e2e2dc1a89f38cd9f0960a6561083d714f1e CVE-2017-14054 (In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due ...) - ffmpeg (low) + [stretch] - ffmpeg (Can be fixed along when more severe issues are being fixed) + - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/124eb202e70678539544f6268efc98131f19fa49 CVE-2017-14053 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
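Review bot: the six new "- libav" lines carry no version, severity or status tag as displayed here, while the commit message says libav is being added as undetermined; if the tag was stripped by the mail rendering this is fine, otherwise a bare "- libav" makes the tracker treat libav as vulnerable in every suite with no fixed version, which is stronger than "undetermined". The [stretch] postponed line is added for CVE-2017-14057 through CVE-2017-14054 here, and CVE-2017-14059 and CVE-2017-14058 already had it, so all six ffmpeg entries are now consistent.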
[Secure-testing-commits] r55381 - data/CVE
Author: carnil Date: 2017-09-02 06:27:06 + (Sat, 02 Sep 2017) New Revision: 55381 Modified: data/CVE/list Log: Add reference and comment for CVE-2017-13716 Modified: data/CVE/list === --- data/CVE/list 2017-09-01 21:59:24 UTC (rev 55380) +++ data/CVE/list 2017-09-02 06:27:06 UTC (rev 55381) @@ -991,6 +991,9 @@ - binutils (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22009 + NOTE: Underlying bug is though in the C++ demangler part of libiberty, MITRE + NOTE: might want to reassign the product for this CVE. CVE-2016-10503 (IBM Sametime Meeting Server 8.5.2 and 9.0 could allow an authenticated ...) NOT-FOR-US: IBM CVE-2017-13715 (The __skb_flow_dissect function in net/core/flow_dissector.c in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
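Review bot: the NOTE that the underlying bug is in libiberty's C++ demangler is the useful part of this change, and the sourceware bug link is the right primary reference. Since the NOTE itself says MITRE might reassign the product, it would be worth recording in the same NOTE whether any other source package shipping its own copy of libiberty needs a matching entry, so that the Debian-side assessment is not lost if the CVE moves away from binutils.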