[Secure-testing-commits] r55530 - data
Author: bam Date: 2017-09-07 07:31:16 + (Thu, 07 Sep 2017) New Revision: 55530 Modified: data/dla-needed.txt Log: Take graphicsmagick Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-07 06:06:05 UTC (rev 55529) +++ data/dla-needed.txt 2017-09-07 07:31:16 UTC (rev 55530) @@ -61,7 +61,7 @@ NOTE: wheezy version. I cannot reproduce it, needs to find a way to check NOTE: whether wheezy version is affected. (kanashiro) -- -graphicsmagick +graphicsmagick (Brian May) -- imagemagick -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55531 - data/CVE
Author: fgeek-guest Date: 2017-09-07 08:38:48 + (Thu, 07 Sep 2017) New Revision: 55531 Modified: data/CVE/list Log: TALOS-2017-0366 Modified: data/CVE/list === --- data/CVE/list 2017-09-07 07:31:16 UTC (rev 55530) +++ data/CVE/list 2017-09-07 08:38:48 UTC (rev 55531) @@ -33279,6 +33279,7 @@ NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=c2a40a92fe3df4111ed9da51fe3368c079b86926 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6dd89e126a277460faafc1f679db44ccf78446fb NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784866 + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366 CVE-2017-2861 RESERVED CVE-2017-2860 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55532 - data/CVE
Author: sectracker Date: 2017-09-07 09:10:14 + (Thu, 07 Sep 2017) New Revision: 55532 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-09-07 08:38:48 UTC (rev 55531) +++ data/CVE/list 2017-09-07 09:10:14 UTC (rev 55532) @@ -1,3 +1,21 @@ +CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due ...) + TODO: check +CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ...) + TODO: check +CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, ...) + TODO: check +CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) + TODO: check +CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in ...) + TODO: check +CVE-2017-14170 (In libavformat/mxfdec.c in FFmpeg 3.3.3, a DoS in ...) + TODO: check +CVE-2017-14169 (In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg ...) + TODO: check +CVE-2017-14168 + RESERVED +CVE-2017-14167 + RESERVED CVE-2017-14163 RESERVED CVE-2017-14162 @@ -72012,8 +72030,7 @@ NOTE: Commit fixing the issue: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=744692dc059845b2a3022119871846e74d4f6e11 (v2.6.34-rc1) CVE-2015-8320 (Apache Cordova-Android before 3.7.0 improperly generates random values ...) NOT-FOR-US: Apache Cordova -CVE-2015-8316 - RESERVED +CVE-2015-8316 (Array index error in LightDM (aka Light Display Manager) 1.14.3, ...) - lightdm 1.16.6-1 [jessie] - lightdm (Affects 1.14.x, 1.16.x and development 1.17.x) [wheezy] - lightdm (Affects 1.14.x, 1.16.x and development 1.17.x) @@ -75026,8 +75043,7 @@ NOTE: http://xenbits.xen.org/xsa/advisory-142.html CVE-2015-7296 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 ...) NOT-FOR-US: Securifi Almond devices -CVE-2015-7294 [LDAP Injection] - RESERVED +CVE-2015-7294 (ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP ...) NOT-FOR-US: NodeJS ldapauth NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/4 NOTE: https://github.com/vesse/node-ldapauth-fork/issues/21 @@ -75137,8 +75153,8 @@ NOT-FOR-US: Boxoft CVE-2015-7242 (Cross-site scripting (XSS) vulnerability in the Push-Service-Mails ...) NOT-FOR-US: AVM -CVE-2015-7241 - RESERVED +CVE-2015-7241 (XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. ...) + TODO: check CVE-2015-7240 RESERVED CVE-2015-7239 (SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function ...) @@ -76309,8 +76325,7 @@ NOTE: https://bugs.php.net/bug.php?id=70366 NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 -CVE-2015-7225 [TOTP Replay Attack] - RESERVED +CVE-2015-7225 (Tinfoil Devise-two-factor before 2.0.0 does not strictly follow ...) - ruby-devise-two-factor 2.0.0-1 (bug #798466) NOTE: http://www.openwall.com/lists/oss-security/2015/09/06/2 CVE-2015-8777 (The process_envvars function in elf/rtld.c in the GNU C Library (aka ...) @@ -78289,8 +78304,7 @@ [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-29.html -CVE-2015-6250 - RESERVED +CVE-2015-6250 (simple-php-captcha before commit ...) NOT-FOR-US: simple-php-captcha CVE-2015-5986 (openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x ...) - bind9 (Vulnerable code present only since 9.9.7) @@ -78491,10 +78505,10 @@ [squeeze] - vlc (Vulnerability introduced by later changes) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd NOTE: http://www.ocert.org/advisories/ocert-2015-009.html -CVE-2015-5948 - RESERVED -CVE-2015-5947 - RESERVED +CVE-2015-5948 (Race condition in SuiteCRM before 7.2.3 allows remote attackers to ...) + TODO: check +CVE-2015-5947 (SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary ...) + TODO: check CVE-2015-5946 (Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote ...) NOT-FOR-US: SugarCRM CVE-2015-5945 (The Sandbox subsystem in Apple OS X before 10.11.1 allows local users ...) @@ -78905,8 +78919,7 @@ NOT-FOR-US: Veeam CVE-2015-5738 (The RSA-CRT implementation in the Cavium Software Development Kit ...) - openssl (OpenSSL upstream is not affected) -CVE-2015-5959 - RESERVED +CVE-2015-5959 (Froxlor before 0.9.33.2 with the default configuration/setup might ...) - froxlor (bug #581792)
[Secure-testing-commits] r55533 - data/CVE
Author: carnil Date: 2017-09-07 09:16:29 + (Thu, 07 Sep 2017) New Revision: 55533 Modified: data/CVE/list Log: Add CVE-2017-14175/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-07 09:10:14 UTC (rev 55532) +++ data/CVE/list 2017-09-07 09:16:29 UTC (rev 55533) @@ -1,5 +1,7 @@ CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/712 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56 CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ...) TODO: check CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55534 - data/CVE
Author: carnil Date: 2017-09-07 09:19:54 + (Thu, 07 Sep 2017) New Revision: 55534 Modified: data/CVE/list Log: Add bug reference for CVe-2017-2862 Modified: data/CVE/list === --- data/CVE/list 2017-09-07 09:16:29 UTC (rev 55533) +++ data/CVE/list 2017-09-07 09:19:54 UTC (rev 55534) @@ -33295,7 +33295,7 @@ CVE-2017-2863 (An out-of-bounds write vulnerability exists in the PDF parsing ...) NOT-FOR-US: Iceni Infix CVE-2017-2862 (An exploitable heap overflow vulnerability exists in the ...) - - gdk-pixbuf + - gdk-pixbuf (bug #874552) NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=c2a40a92fe3df4111ed9da51fe3368c079b86926 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6dd89e126a277460faafc1f679db44ccf78446fb NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784866 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55536 - data/CVE
Author: carnil Date: 2017-09-07 09:20:16 + (Thu, 07 Sep 2017) New Revision: 55536 Modified: data/CVE/list Log: Add CVE-2017-14173/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-07 09:20:06 UTC (rev 55535) +++ data/CVE/list 2017-09-07 09:20:16 UTC (rev 55536) @@ -8,7 +8,9 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64 CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/713 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) TODO: check CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55537 - data/CVE
Author: carnil Date: 2017-09-07 09:20:27 + (Thu, 07 Sep 2017) New Revision: 55537 Modified: data/CVE/list Log: Add CVE-2017-14172/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-07 09:20:16 UTC (rev 55536) +++ data/CVE/list 2017-09-07 09:20:27 UTC (rev 55537) @@ -12,7 +12,9 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/713 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/715 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in ...) TODO: check CVE-2017-14170 (In libavformat/mxfdec.c in FFmpeg 3.3.3, a DoS in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55535 - data/CVE
Author: carnil Date: 2017-09-07 09:20:06 + (Thu, 07 Sep 2017) New Revision: 55535 Modified: data/CVE/list Log: Add CVE-2017-14174/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-07 09:19:54 UTC (rev 55534) +++ data/CVE/list 2017-09-07 09:20:06 UTC (rev 55535) @@ -3,7 +3,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/712 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56 CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/714 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64 CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, ...) TODO: check CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55538 - data/CVE
Author: carnil Date: 2017-09-07 09:21:55 + (Thu, 07 Sep 2017) New Revision: 55538 Modified: data/CVE/list Log: Add new ffmpeg issues Modified: data/CVE/list === --- data/CVE/list 2017-09-07 09:20:27 UTC (rev 55537) +++ data/CVE/list 2017-09-07 09:21:55 UTC (rev 55538) @@ -16,11 +16,14 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/715 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in ...) - TODO: check + - ffmpeg + NOTE: https://github.com/FFmpeg/FFmpeg/commit/c24bcb553650b91e9eff15ef6e54ca73de2453b7 CVE-2017-14170 (In libavformat/mxfdec.c in FFmpeg 3.3.3, a DoS in ...) - TODO: check + - ffmpeg + NOTE: https://github.com/FFmpeg/FFmpeg/commit/900f39692ca0337a98a7cf047e4e2611071810c2 CVE-2017-14169 (In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg ...) - TODO: check + - ffmpeg + NOTE: https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad CVE-2017-14168 RESERVED CVE-2017-14167 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55539 - data/CVE
Author: carnil Date: 2017-09-07 14:23:36 + (Thu, 07 Sep 2017) New Revision: 55539 Modified: data/CVE/list Log: Recording fixing version for CVE-2017-14120/unrar-free, #874059 Modified: data/CVE/list === --- data/CVE/list 2017-09-07 09:21:55 UTC (rev 55538) +++ data/CVE/list 2017-09-07 14:23:36 UTC (rev 55539) @@ -185,7 +185,7 @@ [wheezy] - unrar-free (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 CVE-2017-14120 (unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory ...) - - unrar-free (bug #874059) + - unrar-free 1:0.0.1+cvs20140707-2 (bug #874059) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 NOTE: Proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=17 CVE-2017-14119 (In the EyesOfNetwork web interface (aka eonweb) 5.1-0, ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55540 - data/CVE
Author: carnil Date: 2017-09-07 14:24:55 + (Thu, 07 Sep 2017) New Revision: 55540 Modified: data/CVE/list Log: add CVE-2017-14167/qemu Modified: data/CVE/list === --- data/CVE/list 2017-09-07 14:23:36 UTC (rev 55539) +++ data/CVE/list 2017-09-07 14:24:55 UTC (rev 55540) @@ -26,8 +26,12 @@ NOTE: https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad CVE-2017-14168 RESERVED -CVE-2017-14167 +CVE-2017-14167 [i386: multiboot OOB access while loading guest kernel image] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489375 CVE-2017-14163 RESERVED CVE-2017-14162 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55541 - in data: . DLA
Author: lamby
Date: 2017-09-07 15:47:02 + (Thu, 07 Sep 2017)
New Revision: 55541
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-1091-1 for unrar-free 1:0.0.1+cvs20071127-2+deb7u1
Modified: data/DLA/list
===
--- data/DLA/list 2017-09-07 14:24:55 UTC (rev 55540)
+++ data/DLA/list 2017-09-07 15:47:02 UTC (rev 55541)
@@ -1,3 +1,6 @@
+[07 Sep 2017] DLA-1091-1 unrar-free - security update
+ {CVE-2017-14120}
+ [wheezy] - unrar-free 1:0.0.1+cvs20071127-2+deb7u1
[05 Sep 2017] DLA-1090-1 tcpdump - security update
{CVE-2017-11108 CVE-2017-11541 CVE-2017-11542 CVE-2017-11543}
[wheezy] - tcpdump 4.9.0-1~deb7u2
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-09-07 14:24:55 UTC (rev 55540)
+++ data/dla-needed.txt 2017-09-07 15:47:02 UTC (rev 55541)
@@ -180,10 +180,6 @@
--
tiff3 (Roberto C. Sánchez)
--
-unrar-free (Chris Lamb)
- NOTE: 20170906: No upstream patch yet, but I wrote similar ones for busybox,
etc. (lamby)
- NOTE: 20170906: Patch by me in https://bugs.debian.org/874059 (lamby)
---
wireshark
NOTE: 2017-08-28: Contacted maintainer since most NOTE: issues affect
Jessie/Stretch as well
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55542 - data/CVE
Author: lamby Date: 2017-09-07 15:49:43 + (Thu, 07 Sep 2017) New Revision: 55542 Modified: data/CVE/list Log: Update patch url for CVE-2017-14120/unrar-free Modified: data/CVE/list === --- data/CVE/list 2017-09-07 15:47:02 UTC (rev 55541) +++ data/CVE/list 2017-09-07 15:49:43 UTC (rev 55542) @@ -191,7 +191,7 @@ CVE-2017-14120 (unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory ...) - unrar-free 1:0.0.1+cvs20140707-2 (bug #874059) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 - NOTE: Proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=17 + NOTE: Proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=29 CVE-2017-14119 (In the EyesOfNetwork web interface (aka eonweb) 5.1-0, ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14118 (In the EyesOfNetwork web interface (aka eonweb) 5.1-0, ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55543 - data
Author: agx Date: 2017-09-07 16:34:42 + (Thu, 07 Sep 2017) New Revision: 55543 Modified: data/dla-needed.txt Log: lts: tcpdump dla released Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-07 15:49:43 UTC (rev 55542) +++ data/dla-needed.txt 2017-09-07 16:34:42 UTC (rev 55543) @@ -172,10 +172,6 @@ NOTE: https://sourceforge.net/p/sox/bugs/296/ NOTE: 2017-09-01: pinged upstream (Markus) -- -tcpdump (Guido Günther) - NOTE: Contacted upstream regarding CVE-2017-11543 - NOTE: package otherwise ready for upload --- tiff (Roberto C. Sánchez) -- tiff3 (Roberto C. Sánchez) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55544 - data/CVE
Author: atomo64-guest
Date: 2017-09-07 16:40:00 + (Thu, 07 Sep 2017)
New Revision: 55544
Modified:
data/CVE/list
Log:
NFUs
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-07 16:34:42 UTC (rev 55543)
+++ data/CVE/list 2017-09-07 16:40:00 UTC (rev 55544)
@@ -75170,7 +75170,7 @@
CVE-2015-7242 (Cross-site scripting (XSS) vulnerability in the
Push-Service-Mails ...)
NOT-FOR-US: AVM
CVE-2015-7241 (XML External Entity (XXE) vulnerability in SAP Netweaver before
7.01. ...)
- TODO: check
+ NOT-FOR-US: SAP Netweaver
CVE-2015-7240
RESERVED
CVE-2015-7239 (SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM
function ...)
@@ -78522,9 +78522,9 @@
NOTE:
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd
NOTE: http://www.ocert.org/advisories/ocert-2015-009.html
CVE-2015-5948 (Race condition in SuiteCRM before 7.2.3 allows remote attackers
to ...)
- TODO: check
+ NOT-FOR-US: SuiteCRM
CVE-2015-5947 (SuiteCRM before 7.2.3 allows remote attackers to execute
arbitrary ...)
- TODO: check
+ NOT-FOR-US: SuiteCRM
CVE-2015-5946 (Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows
remote ...)
NOT-FOR-US: SugarCRM
CVE-2015-5945 (The Sandbox subsystem in Apple OS X before 10.11.1 allows local
users ...)
@@ -87307,7 +87307,7 @@
CVE-2015-2944 (Multiple cross-site scripting (XSS) vulnerabilities in Apache
Sling ...)
NOT-FOR-US: Apache Sling
CVE-2015-2943 (Honda Moto LINC 1.6.1 does not verify SSL certificates. ...)
- TODO: check
+ NOT-FOR-US: Honda Moto LINC
CVE-2015-3026 (Icecast before 2.4.2, when a stream_auth handler is defined for
URL ...)
{DSA-3239-1}
- icecast2 2.4.2-1 (bug #782120)
@@ -89727,7 +89727,7 @@
[wheezy] - tcllib 1.14-dfsg-3+deb7u1
[squeeze] - tcllib (Minor issue)
CVE-2015-2210 (The help window in Epicor CRS Retail Store before 3.2.03.01.008
allows ...)
- TODO: check
+ NOT-FOR-US: Epicor CRS Retail Store
CVE-2015-2209 (DLGuard 4.5 allows remote attackers to obtain the installation
path ...)
NOT-FOR-US: DLGuard
CVE-2015-2208 (The saveObject function in moadmin.php in phpMoAdmin 1.1.2
allows ...)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55545 - data/CVE
Author: hle Date: 2017-09-07 16:47:53 + (Thu, 07 Sep 2017) New Revision: 55545 Modified: data/CVE/list Log: Mark CVE-2017-9991 in wheezy & jessie. Modified: data/CVE/list === --- data/CVE/list 2017-09-07 16:40:00 UTC (rev 55544) +++ data/CVE/list 2017-09-07 16:47:53 UTC (rev 55545) @@ -9910,9 +9910,11 @@ NOTE: https://github.com/FFmpeg/FFmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360 CVE-2017-9991 (Heap-based buffer overflow in the xwd_decode_frame function in ...) - ffmpeg 7:3.2.5-1 - - libav - [wheezy] - libav (Vulnerable code not present) + - libav (Vulnerable feature not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/441026fcb13ac23aa10edc312bdacb6445a0ad06 + NOTE: The error occurs in the support for 8bpp XWD images where bpp and image + NOTE: depth are not checked thoroughly enough. Libav does not support 8bpp + NOTE: images and bails out early -- Diego Biurrun (libav project) CVE-2017-9990 (Stack-based buffer overflow in the color_string_to_rgba function in ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55546 - data/DLA
Author: agx
Date: 2017-09-07 16:51:18 + (Thu, 07 Sep 2017)
New Revision: 55546
Modified:
data/DLA/list
Log:
lts: grab DLA-1087-2 for the icedove regression
Modified: data/DLA/list
===
--- data/DLA/list 2017-09-07 16:47:53 UTC (rev 55545)
+++ data/DLA/list 2017-09-07 16:51:18 UTC (rev 55546)
@@ -1,3 +1,5 @@
+[07 Sep 2017] DLA-1087-2 icedove - regression update
+ [wheezy] - icedove 1:52.3.0-4~deb7u2
[07 Sep 2017] DLA-1091-1 unrar-free - security update
{CVE-2017-14120}
[wheezy] - unrar-free 1:0.0.1+cvs20071127-2+deb7u1
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55547 - data/CVE
Author: carnil
Date: 2017-09-07 16:53:02 + (Thu, 07 Sep 2017)
New Revision: 55547
Modified:
data/CVE/list
Log:
Mark CVE-2017-1369{3,4,5}/linux as unimportant
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-07 16:51:18 UTC (rev 55546)
+++ data/CVE/list 2017-09-07 16:53:02 UTC (rev 55547)
@@ -1333,14 +1333,17 @@
NOTE: https://webkitgtk.org/security/WSA-2017-0007.html
NOTE: Not covered by security support
CVE-2017-13695 (The acpi_ns_evaluate() function in
drivers/acpi/acpica/nseval.c in the ...)
- - linux
+ - linux (unimportant)
NOTE: https://patchwork.kernel.org/patch/9850567/
+ NOTE: non-issue/no relevant security impact
CVE-2017-13694 (The acpi_ps_complete_final_op() function in ...)
- - linux
+ - linux (unimportant)
NOTE: https://patchwork.kernel.org/patch/9806085/
+ NOTE: non-issue/no relevant security impact
CVE-2017-13693 (The acpi_ds_create_operands() function in
drivers/acpi/acpica/dsutils.c ...)
- - linux
+ - linux (unimportant)
NOTE: https://patchwork.kernel.org/patch/9919053/
+ NOTE: non-issue/no relevant security impact
CVE-2017-13692 (In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows
attackers ...)
- tidy-html5 (Vulnerable code introduced later)
- tidy (Vulnerable code introduced later)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55548 - data/CVE
Author: carnil
Date: 2017-09-07 16:55:31 + (Thu, 07 Sep 2017)
New Revision: 55548
Modified:
data/CVE/list
Log:
Sync status for CVE-2017-7558 with kernel-sec
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-07 16:53:02 UTC (rev 55547)
+++ data/CVE/list 2017-09-07 16:55:31 UTC (rev 55548)
@@ -18798,6 +18798,8 @@
CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill()
and sctp_get_sctp_info()]
RESERVED
- linux
+ [jessie] - linux (Vulnerable code introduced later 4.7
and not backported)
+ [wheezy] - linux (Vulnerable code introduced later 4.7
and not backported)
CVE-2017-7557 (dnsdist version 1.1.0 is vulnerable to a flaw in authentication
...)
- dnsdist 1.2.0-1 (low; bug #872854)
[stretch] - dnsdist (Minor issue)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55549 - data/CVE
Author: hle Date: 2017-09-07 16:59:42 + (Thu, 07 Sep 2017) New Revision: 55549 Modified: data/CVE/list Log: Mark CVE-2017-9996 in wheezy & jessie. Modified: data/CVE/list === --- data/CVE/list 2017-09-07 16:55:31 UTC (rev 55548) +++ data/CVE/list 2017-09-07 16:59:42 UTC (rev 55549) @@ -9886,10 +9886,11 @@ NOT-FOR-US: ubuntu-image CVE-2017-9996 (The cdxl_decode_frame function in libavcodec/cdxl.c in FFmpeg 2.8.x ...) - ffmpeg 7:3.2.5-1 - - libav - [wheezy] - libav (Vulnerable code not present) + - libav (Vulnerable feature not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/1e42736b95065c69a7481d0cf55247024f54b660 NOTE: https://github.com/FFmpeg/FFmpeg/commit/e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d + NOTE: The bug affects FFmpeg's support for CHUNKY cdxl files, a feature that is + NOTE: not present in Libav. Libav detects CHUNKY files and bails out early. CVE-2017-9995 (libavcodec/scpr.c in FFmpeg 3.3 before 3.3.1 does not properly validate ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55550 - data/CVE
Author: opal Date: 2017-09-07 17:52:47 + (Thu, 07 Sep 2017) New Revision: 0 Modified: data/CVE/list Log: Actually not vulnerable. Modified: data/CVE/list === --- data/CVE/list 2017-09-07 16:59:42 UTC (rev 55549) +++ data/CVE/list 2017-09-07 17:52:47 UTC (rev 0) @@ -3906,8 +3906,8 @@ RESERVED - python-django 1:1.11.5-1 (low; bug #874415) [stretch] - python-django (Only affects debug mode) - [jessie] - python-django (Only affects debug mode) - [wheezy] - python-django (Only affects debug mode) + [jessie] - python-django (Vulnerable code do not exist) + [wheezy] - python-django (Vulnerable code do not exist) NOTE: https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ CVE-2017-12793 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55551 - data
Author: opal
Date: 2017-09-07 18:01:25 + (Thu, 07 Sep 2017)
New Revision: 1
Modified:
data/dla-needed.txt
Log:
Some more info.
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-09-07 17:52:47 UTC (rev 0)
+++ data/dla-needed.txt 2017-09-07 18:01:25 UTC (rev 1)
@@ -84,6 +84,8 @@
NOTE: Patch is available for CVE-2017-13712, but wait for more infos about
CVE-2017-{69-72}
--
ledger
+ NOTE: The maintainer will not do an update.
+ NOTE: 20170907: no fix available
--
libarchive
--
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55552 - data/CVE
Author: carnil Date: 2017-09-07 19:01:50 + (Thu, 07 Sep 2017) New Revision: 2 Modified: data/CVE/list Log: Process one NFU Modified: data/CVE/list === --- data/CVE/list 2017-09-07 18:01:25 UTC (rev 1) +++ data/CVE/list 2017-09-07 19:01:50 UTC (rev 2) @@ -85670,7 +85670,7 @@ NOTE: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html NOTE: http://venom.crowdstrike.com/ CVE-2015-3454 (TelescopeJS before 0.15 leaks user bcrypt password hashes in websocket ...) - TODO: check + NOT-FOR-US: TelescopeJS CVE-2015-3453 RESERVED CVE-2015-3452 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55553 - data/CVE
Author: hle
Date: 2017-09-07 19:49:24 + (Thu, 07 Sep 2017)
New Revision: 3
Modified:
data/CVE/list
Log:
Add links to upstream bug tracking system for CVE-2017-98{69-72}
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-07 19:01:50 UTC (rev 2)
+++ data/CVE/list 2017-09-07 19:49:24 UTC (rev 3)
@@ -10220,21 +10220,25 @@
[stretch] - lame (Minor issue)
[jessie] - lame (Minor issue)
NOTE:
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/
+ NOTE: https://sourceforge.net/p/lame/bugs/482/
CVE-2017-9871 (The III_i_stereo function in layer3.c in mpglib, as used in ...)
- lame (bug #867725)
[stretch] - lame (Minor issue)
[jessie] - lame (Minor issue)
NOTE:
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
+ NOTE: https://sourceforge.net/p/lame/bugs/483/
CVE-2017-9870 (The III_i_stereo function in layer3.c in mpglib, as used in ...)
- lame (bug #867725)
[stretch] - lame (Minor issue)
[jessie] - lame (Minor issue)
NOTE:
https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/
+ NOTE: https://sourceforge.net/p/lame/bugs/481/
CVE-2017-9869 (The II_step_one function in layer2.c in mpglib, as used in ...)
- lame (bug #867725)
[stretch] - lame (Minor issue)
[jessie] - lame (Minor issue)
NOTE:
https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/
+ NOTE: https://sourceforge.net/p/lame/bugs/475/
CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence
file) is ...)
- mosquitto (bug #865959)
[stretch] - mosquitto (Minor issue)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55554 - data
Author: hle
Date: 2017-09-07 19:57:46 + (Thu, 07 Sep 2017)
New Revision: 4
Modified:
data/dla-needed.txt
Log:
update lame entry in dla-needed
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-09-07 19:49:24 UTC (rev 3)
+++ data/dla-needed.txt 2017-09-07 19:57:46 UTC (rev 4)
@@ -77,11 +77,9 @@
NOTE: 20170813: still no patch available yet
--
lame (Hugo Lefeuvre)
- NOTE: 20170831: no patch yet, CVE-2017-{69-72} not reproducible.
- NOTE: Contacted original reporter to get more informations about build
conditions:
- NOTE:
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
- NOTE: Opened bug reports on upstream's bug tracker:
https://sourceforge.net/p/lame/bugs/475/
- NOTE: Patch is available for CVE-2017-13712, but wait for more infos about
CVE-2017-{69-72}
+ NOTE: 20170907: Upstream claims to have reproduced and fixed
CVE-2017-{69-72}. asan outputs
+ NOTE: are not exactly identical, wait for more infos.
+ NOTE: Patch is available for CVE-2017-13712, but wait for CVE-2017-{69-72}
--
ledger
NOTE: The maintainer will not do an update.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55555 - data/CVE
Author: carnil Date: 2017-09-07 20:24:22 + (Thu, 07 Sep 2017) New Revision: 5 Modified: data/CVE/list Log: Mark CVE-2017-14181 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-09-07 19:57:46 UTC (rev 4) +++ data/CVE/list 2017-09-07 20:24:22 UTC (rev 5) @@ -1,3 +1,5 @@ +CVE-2017-14181 + NOT-FOR-US: aacplusenc CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due ...) - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/712 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55556 - data/CVE
Author: carnil Date: 2017-09-07 20:47:41 + (Thu, 07 Sep 2017) New Revision: 6 Modified: data/CVE/list Log: Add bug reference for CVE-2017-14167/qemu Modified: data/CVE/list === --- data/CVE/list 2017-09-07 20:24:22 UTC (rev 5) +++ data/CVE/list 2017-09-07 20:47:41 UTC (rev 6) @@ -30,7 +30,7 @@ RESERVED CVE-2017-14167 [i386: multiboot OOB access while loading guest kernel image] RESERVED - - qemu + - qemu (bug #874606) - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489375 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55557 - data/CVE
Author: carnil Date: 2017-09-07 21:03:15 + (Thu, 07 Sep 2017) New Revision: 7 Modified: data/CVE/list Log: Add tcpdump CVEs Modified: data/CVE/list === --- data/CVE/list 2017-09-07 20:47:41 UTC (rev 6) +++ data/CVE/list 2017-09-07 21:03:15 UTC (rev 7) @@ -1218,6 +1218,7 @@ NOTE: Fixed by: https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e CVE-2017-13725 RESERVED + - tcpdump CVE-2017-13724 RESERVED CVE-2017-13723 @@ -1354,12 +1355,16 @@ RESERVED CVE-2017-13690 RESERVED + - tcpdump CVE-2017-13689 RESERVED + - tcpdump CVE-2017-13688 RESERVED + - tcpdump CVE-2017-13687 RESERVED + - tcpdump CVE-2017-13686 (net/ipv4/route.c in the Linux kernel 4.13-rc1 through 4.13-rc6 is too ...) - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/bc3aae2bbac46dd894c89db5d5e98f7f0ef9e205 @@ -2660,146 +2665,217 @@ RESERVED CVE-2017-13055 RESERVED + - tcpdump CVE-2017-13054 RESERVED + - tcpdump CVE-2017-13053 RESERVED + - tcpdump CVE-2017-13052 RESERVED + - tcpdump CVE-2017-13051 RESERVED + - tcpdump CVE-2017-13050 RESERVED + - tcpdump CVE-2017-13049 RESERVED + - tcpdump CVE-2017-13048 RESERVED + - tcpdump CVE-2017-13047 RESERVED + - tcpdump CVE-2017-13046 RESERVED + - tcpdump CVE-2017-13045 RESERVED + - tcpdump CVE-2017-13044 RESERVED + - tcpdump CVE-2017-13043 RESERVED + - tcpdump CVE-2017-13042 RESERVED + - tcpdump CVE-2017-13041 RESERVED + - tcpdump CVE-2017-13040 RESERVED + - tcpdump CVE-2017-13039 RESERVED + - tcpdump CVE-2017-13038 RESERVED + - tcpdump CVE-2017-13037 RESERVED + - tcpdump CVE-2017-13036 RESERVED + - tcpdump CVE-2017-13035 RESERVED + - tcpdump CVE-2017-13034 RESERVED + - tcpdump CVE-2017-13033 RESERVED + - tcpdump CVE-2017-13032 RESERVED + - tcpdump CVE-2017-13031 RESERVED + - tcpdump CVE-2017-13030 RESERVED + - tcpdump CVE-2017-13029 RESERVED + - tcpdump CVE-2017-13028 RESERVED + - tcpdump CVE-2017-13027 RESERVED + - tcpdump CVE-2017-13026 RESERVED + - tcpdump CVE-2017-13025 RESERVED + - tcpdump CVE-2017-13024 RESERVED + - tcpdump CVE-2017-13023 RESERVED + - tcpdump CVE-2017-13022 RESERVED + - tcpdump CVE-2017-13021 RESERVED + - tcpdump CVE-2017-13020 RESERVED + - tcpdump CVE-2017-13019 RESERVED + - tcpdump CVE-2017-13018 RESERVED + - tcpdump CVE-2017-13017 RESERVED + - tcpdump CVE-2017-13016 RESERVED + - tcpdump CVE-2017-13015 RESERVED + - tcpdump CVE-2017-13014 RESERVED + - tcpdump CVE-2017-13013 RESERVED + - tcpdump CVE-2017-13012 RESERVED + - tcpdump CVE-2017-13011 RESERVED + - tcpdump CVE-2017-13010 RESERVED + - tcpdump CVE-2017-13009 RESERVED + - tcpdump CVE-2017-13008 RESERVED + - tcpdump CVE-2017-13007 RESERVED + - tcpdump CVE-2017-13006 RESERVED + - tcpdump CVE-2017-13005 RESERVED + - tcpdump CVE-2017-13004 RESERVED + - tcpdump CVE-2017-13003 RESERVED + - tcpdump CVE-2017-13002 RESERVED + - tcpdump CVE-2017-13001 RESERVED + - tcpdump CVE-2017-13000 RESERVED + - tcpdump CVE-2017-12999 RESERVED + - tcpdump CVE-2017-12998 RESERVED + - tcpdump CVE-2017-12997 RESERVED + - tcpdump CVE-2017-12996 RESERVED + - tcpdump CVE-2017-12995 RESERVED + - tcpdump CVE-2017-12994 RESERVED + - tcpdump CVE-2017-12993 RESERVED + - tcpdump CVE-2017-12992 RESERVED + - tcpdump CVE-2017-12991 RESERVED + - tcpdump CVE-2017-12990 RESERVED + - tcpdump CVE-2017-12989 RESERVED + - tcpdump CVE-2017-12988 RESERVED + - tcpdump CVE-2017-12987 RESERVED + - tcpdump CVE-2017-12986 RESERVED + - tcpdump CVE-2017-12985 RESERVED + - tcpdump CVE-2017-12984 (PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, ...) NOT-FOR-US: PHPMyWind CVE-2017-12983 (Heap-based buffer overflow in the ReadSFWImage function in coders
[Secure-testing-commits] r55558 - data/CVE
Author: sectracker
Date: 2017-09-07 21:10:14 + (Thu, 07 Sep 2017)
New Revision: 8
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-07 21:03:15 UTC (rev 7)
+++ data/CVE/list 2017-09-07 21:10:14 UTC (rev 8)
@@ -1,4 +1,88 @@
-CVE-2017-14181
+CVE-2017-14218
+ RESERVED
+CVE-2017-14217
+ RESERVED
+CVE-2017-14216
+ RESERVED
+CVE-2017-14215
+ RESERVED
+CVE-2017-14214
+ RESERVED
+CVE-2017-14213
+ RESERVED
+CVE-2017-14212
+ RESERVED
+CVE-2017-14211
+ RESERVED
+CVE-2017-14210
+ RESERVED
+CVE-2017-14209
+ RESERVED
+CVE-2017-14208
+ RESERVED
+CVE-2017-14207
+ RESERVED
+CVE-2017-14206
+ RESERVED
+CVE-2017-14205
+ RESERVED
+CVE-2017-14204
+ RESERVED
+CVE-2017-14203
+ RESERVED
+CVE-2017-14202
+ RESERVED
+CVE-2017-14201
+ RESERVED
+CVE-2017-14200
+ RESERVED
+CVE-2017-14199
+ RESERVED
+CVE-2017-14198
+ RESERVED
+CVE-2017-14197
+ RESERVED
+CVE-2017-14196
+ RESERVED
+CVE-2017-14195 (The call_msg function in controllers/Form.php in dayrui
FineCms 5.0.11 ...)
+ TODO: check
+CVE-2017-14194 (The out function in controllers/member/Login.php in dayrui
FineCms ...)
+ TODO: check
+CVE-2017-14193 (The oauth function in controllers/member/api.php in dayrui
FineCms ...)
+ TODO: check
+CVE-2017-14192 (The checktitle function in controllers/member/api.php in
dayrui FineCms ...)
+ TODO: check
+CVE-2017-14191
+ RESERVED
+CVE-2017-14190
+ RESERVED
+CVE-2017-14189
+ RESERVED
+CVE-2017-14188
+ RESERVED
+CVE-2017-14187
+ RESERVED
+CVE-2017-14186
+ RESERVED
+CVE-2017-14185
+ RESERVED
+CVE-2017-14184
+ RESERVED
+CVE-2017-14183
+ RESERVED
+CVE-2017-14182
+ RESERVED
+CVE-2017-14180
+ RESERVED
+CVE-2017-14179
+ RESERVED
+CVE-2017-14178
+ RESERVED
+CVE-2017-14177
+ RESERVED
+CVE-2017-14176
+ RESERVED
+CVE-2017-14181 (DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools
aacplusenc 0.17.5 ...)
NOT-FOR-US: aacplusenc
CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in
ReadXBMImage() due ...)
- imagemagick
@@ -103,8 +187,8 @@
NOT-FOR-US: GoAhead
CVE-2017-14148
RESERVED
-CVE-2017-14147
- RESERVED
+CVE-2017-14147 (An issue was discovered on FiberHome User End Routers Bearing
Model ...)
+ TODO: check
CVE-2017-14146 (HelpDEZk 1.1.1 allows remote authenticated users to execute
arbitrary ...)
NOT-FOR-US: HelpDEZk
CVE-2017-14145 (HelpDEZk 1.1.1 has SQL Injection in ...)
@@ -191,6 +275,7 @@
[wheezy] - unrar-free (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1
CVE-2017-14120 (unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a
directory ...)
+ {DLA-1091-1}
- unrar-free 1:0.0.1+cvs20140707-2 (bug #874059)
NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1
NOTE: Proposed patch:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=29
@@ -974,8 +1059,8 @@
RESERVED
CVE-2017-13772
RESERVED
-CVE-2017-13771
- RESERVED
+CVE-2017-13771 (Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network
...)
+ TODO: check
CVE-2017-13770
RESERVED
CVE-2017-13769 (The WriteTHUMBNAILImage function in coders/thumbnail.c in
ImageMagick ...)
@@ -1048,8 +1133,8 @@
[jessie] - sleuthkit (Minor issue)
[wheezy] - sleuthkit (Minor issue)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/913
-CVE-2017-13754
- RESERVED
+CVE-2017-13754 (Cross-site scripting (XSS) vulnerability in the "advanced
settings - ...)
+ TODO: check
CVE-2016-10507 (Integer overflow vulnerability in the bmp24toimage function in
...)
- openjpeg2 2.1.2-1
[jessie] - openjpeg2 (Vulnerable code introduced later)
@@ -1253,8 +1338,8 @@
NOTE: Introduced by:
https://git.kernel.org/linus/b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13 (4.2-rc1)
CVE-2017-13714
RESERVED
-CVE-2017-13713
- RESERVED
+CVE-2017-13713 (T&W WIFI Repeater BE126 allows remote authenticated users
to execute ...)
+ TODO: check
CVE-2017-13712 (NULL Pointer Dereference in the id3v2AddAudioDuration function
in ...)
- lame
[stretch] - lame (Minor issue)
@@ -3152,10 +3237,10 @@
RESERVED
CVE-2017-12913
RESERVED
-CVE-2017-12912
- RESERVED
-CVE-2017-12911
- RESERVED
+CVE-2017-12912 (The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2
has a vulnerability ...)
+ TODO: check
+CVE-2017-12911 (The "apetag.c" file in MP3Gain 1.5.2.r2 has a
vulnerability which ...)
+ TODO: check
CVE-2017-12910 (SQL injection vulnerability in massmail.php in NexusPHP 1.5
allows ...)
NOT-FOR-US: Ne
[Secure-testing-commits] r55559 - data/CVE
Author: carnil
Date: 2017-09-07 21:12:04 + (Thu, 07 Sep 2017)
New Revision: 9
Modified:
data/CVE/list
Log:
Reference fix for CVE-2017-11108
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-07 21:10:14 UTC (rev 8)
+++ data/CVE/list 2017-09-07 21:12:04 UTC (rev 9)
@@ -8745,6 +8745,7 @@
[jessie] - tcpdump (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468504
NOTE: Proposed patch:
https://github.com/the-tcpdump-group/tcpdump/pull/617
+ NOTE:
https://github.com/the-tcpdump-group/tcpdump/commit/d9e65de3d94698ec90dbca42962a30dd2f0680e1
(4.9.1)
CVE-2017-11107 (phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php
via the ...)
{DLA-1019-1}
- phpldapadmin (bug #867719)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55560 - data/CVE
Author: carnil
Date: 2017-09-08 04:58:18 + (Fri, 08 Sep 2017)
New Revision: 55560
Modified:
data/CVE/list
Log:
Process NFUs
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-07 21:12:04 UTC (rev 9)
+++ data/CVE/list 2017-09-08 04:58:18 UTC (rev 55560)
@@ -45,13 +45,13 @@
CVE-2017-14196
RESERVED
CVE-2017-14195 (The call_msg function in controllers/Form.php in dayrui
FineCms 5.0.11 ...)
- TODO: check
+ NOT-FOR-US: dayrui FineCms
CVE-2017-14194 (The out function in controllers/member/Login.php in dayrui
FineCms ...)
- TODO: check
+ NOT-FOR-US: dayrui FineCms
CVE-2017-14193 (The oauth function in controllers/member/api.php in dayrui
FineCms ...)
- TODO: check
+ NOT-FOR-US: dayrui FineCms
CVE-2017-14192 (The checktitle function in controllers/member/api.php in
dayrui FineCms ...)
- TODO: check
+ NOT-FOR-US: dayrui FineCms
CVE-2017-14191
RESERVED
CVE-2017-14190
@@ -1060,7 +1060,7 @@
CVE-2017-13772
RESERVED
CVE-2017-13771 (Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network
...)
- TODO: check
+ NOT-FOR-US: Lexmark Scan To Network
CVE-2017-13770
RESERVED
CVE-2017-13769 (The WriteTHUMBNAILImage function in coders/thumbnail.c in
ImageMagick ...)
@@ -1339,7 +1339,7 @@
CVE-2017-13714
RESERVED
CVE-2017-13713 (T&W WIFI Repeater BE126 allows remote authenticated users
to execute ...)
- TODO: check
+ NOT-FOR-US: T&W WIFI Repeater BE126
CVE-2017-13712 (NULL Pointer Dereference in the id3v2AddAudioDuration function
in ...)
- lame
[stretch] - lame (Minor issue)
@@ -3250,7 +3250,7 @@
CVE-2017-12907 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via
the url ...)
NOT-FOR-US: NexusPHP
CVE-2017-12906 (Multiple cross-site scripting (XSS) vulnerabilities in
NexusPHP allow ...)
- TODO: check
+ NOT-FOR-US: NexusPHP
CVE-2017-12905
RESERVED
CVE-2017-12904 (Improper Neutralization of Special Elements used in an OS
Command in ...)
@@ -3968,7 +3968,7 @@
CVE-2017-12839
RESERVED
CVE-2017-12838 (Cross-site request forgery (CSRF) vulnerability in NexusPHP
1.5 allows ...)
- TODO: check
+ NOT-FOR-US: NexusPHP
CVE-2017-12837
RESERVED
CVE-2017-12835
@@ -4050,7 +4050,7 @@
CVE-2017-12800
RESERVED
CVE-2016-10405 (Session fixation vulnerability in D-Link DIR-600L routers
(rev. Ax) ...)
- TODO: check
+ NOT-FOR-US: D-Link
CVE-2017-12836 (CVS 1.12.x, when configured to use SSH for remote
repositories, might ...)
{DSA-3940-1 DLA-1056-1}
- cvs 2:1.12.13+real-24 (bug #871810)
@@ -5111,7 +5111,7 @@
CVE-2017-12417
RESERVED
CVE-2017-12416 (Cross-site scripting (XSS) vulnerability in the GlobalProtect
internal ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2017-12415
RESERVED
CVE-2015-9107 (Zoho ManageEngine OpManager 11 through 12.2 uses a custom
encryption ...)
@@ -10504,7 +10504,7 @@
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697985
NOTE:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=cfde94be1d4286bc47633c6e6eaf4e659bd78066
CVE-2017-9834 (SQL injection vulnerability in the WatuPRO plugin before
5.5.3.7 for ...)
- TODO: check
+ NOT-FOR-US: WatuPRO plugin for WordPress
CVE-2017-9833 (/cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the
injection of ...)
NOT-FOR-US: Undetermined product
NOTE: /wapopen is not part of BOA, it's probably an insecure CGI
@@ -13065,7 +13065,7 @@
CVE-2017-9459 (Cross-site scripting (XSS) vulnerability in the management web
...)
NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2017-9458 (XML external entity (XXE) vulnerability in the GlobalProtect
internal ...)
- TODO: check
+ NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2017-9457 (Intense PC Phoenix SecureCore UEFI firmware does not perform
capsule ...)
NOT-FOR-US: Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware
CVE-2017-9456
@@ -36568,7 +36568,7 @@
CVE-2017-1503
RESERVED
CVE-2017-1502 (IBM Content Navigator & CMIS 2.0.3, 3.0.0, and 3.0.1 is
vulnerable to ...)
- TODO: check
+ NOT-FOR-US: IBM
CVE-2017-1501 (IBM WebSphere Application Server 8.0, 8.5, and 9.0 could
provide ...)
NOT-FOR-US: IBM
CVE-2017-1500 (A Reflected Cross Site Scripting (XSS) vulnerability exists in
the ...)
@@ -37194,7 +37194,7 @@
CVE-2017-1190 (IBM Emptoris Strategic Supply Management Platform 10.x and 10.1
could ...)
NOT-FOR-US: IBM
CVE-2017-1189 (IBM WebSphere Portal and Web Content Manager 6.1, 7.0, and 8.0
is ...)
- TODO: check
+ NOT-FOR-US: IBM
CVE-2017-1188
RESERVED
CVE-2017-1187
@@ -37376,7 +37376,7 @@
CVE-2017-1099 (IBM Jazz Foundation could expose potentially sensitive
information to ...)
NOT-FOR-US: IB
[Secure-testing-commits] r55561 - data/CVE
Author: carnil
Date: 2017-09-08 04:58:31 + (Fri, 08 Sep 2017)
New Revision: 55561
Modified:
data/CVE/list
Log:
Add one ocaml issue
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-08 04:58:18 UTC (rev 55560)
+++ data/CVE/list 2017-09-08 04:58:31 UTC (rev 55561)
@@ -12019,7 +12019,10 @@
- check-mk (bug #865497)
NOTE:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via
unknown ...)
- TODO: check
+ - ocaml
+ NOTE: https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html
+ NOTE: https://caml.inria.fr/mantis/view.php?id=7557
+ TODO: check affected versions
CVE-2012-6706 (A VMSF_DELTA memory corruption was discovered in unrar before
5.5.5, as ...)
{DLA-1014-1 DLA-1003-1}
- unrar-nonfree 1:5.5.5-1 (bug #865461)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55562 - data/CVE
Author: carnil Date: 2017-09-08 05:58:30 + (Fri, 08 Sep 2017) New Revision: 55562 Modified: data/CVE/list Log: Add CVE-2017-12611 Modified: data/CVE/list === --- data/CVE/list 2017-09-08 04:58:31 UTC (rev 55561) +++ data/CVE/list 2017-09-08 05:58:30 UTC (rev 55562) @@ -4569,6 +4569,8 @@ RESERVED CVE-2017-12611 RESERVED + - libstruts1.2-java + NOTE: https://struts.apache.org/docs/s2-053.html CVE-2017-12610 RESERVED CVE-2017-12609 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
