[Secure-testing-commits] r55893 - data/CVE
Author: jmm Date: 2017-09-19 06:41:59 + (Tue, 19 Sep 2017) New Revision: 55893 Modified: data/CVE/list Log: new pcb-rnd issue Modified: data/CVE/list === --- data/CVE/list 2017-09-19 06:28:44 UTC (rev 55892) +++ data/CVE/list 2017-09-19 06:41:59 UTC (rev 55893) @@ -1,3 +1,6 @@ +CVE-2017- [pcb code injection by malicious layout file] + - pcb-rnd 1.2.5-2 + [stretch] - pcb-rnd (Minor issue) CVE-2017-14581 RESERVED CVE-2017-14580 (XnView Classic for Windows Version 2.41 allows attackers to execute ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
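Review bot: the added pcb-rnd entry has no NOTE line with a bug number or upstream reference, so the fixed version 1.2.5-2 and the "Minor issue" rating for stretch cannot be checked from the list itself; add a NOTE pointing at the report or the fixing commit. The bracketed title also says "pcb" while the package line tracks pcb-rnd, so state which code base the layout-file injection was reported against.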
[Secure-testing-commits] r55892 - data/CVE
Author: carnil Date: 2017-09-19 06:28:44 + (Tue, 19 Sep 2017) New Revision: 55892 Modified: data/CVE/list Log: Process more NFUs Modified: data/CVE/list === --- data/CVE/list 2017-09-19 06:25:49 UTC (rev 55891) +++ data/CVE/list 2017-09-19 06:28:44 UTC (rev 55892) 
@@ -3,81 +3,81 @@ CVE-2017-14580 (XnView Classic for Windows Version 2.41 allows attackers to execute ...) NOT-FOR-US: XnView CVE-2017-14579 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14578 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service or ...) NOT-FOR-US: IrfanView CVE-2017-14577 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14576 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14575 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14574 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14573 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14572 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14571 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14570 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14569 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14568 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14567 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14566 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) 
- TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14565 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14564 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14563 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14562 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14561 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14560 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14559 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14558 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14557 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14556 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14555 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14554 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14553 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14552 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14551 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) 
- TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14550 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-2017-14549 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) - TODO: check + NOT-FOR-US: STDU Viewer CVE-201
[Secure-testing-commits] r55891 - data/CVE
Author: carnil Date: 2017-09-19 06:25:49 + (Tue, 19 Sep 2017) New Revision: 55891 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-09-19 04:58:46 UTC (rev 55890) +++ data/CVE/list 2017-09-19 06:25:49 UTC (rev 55891) @@ -1,11 +1,11 @@ CVE-2017-14581 RESERVED CVE-2017-14580 (XnView Classic for Windows Version 2.41 allows attackers to execute ...) - TODO: check + NOT-FOR-US: XnView CVE-2017-14579 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) TODO: check CVE-2017-14578 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: IrfanView CVE-2017-14577 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) TODO: check CVE-2017-14576 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) @@ -79,13 +79,13 @@ CVE-2017-14542 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) TODO: check CVE-2017-14541 (XnView Classic for Windows Version 2.40 allows attackers to cause a ...) - TODO: check + NOT-FOR-US: XnView CVE-2017-14540 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: IrfanView CVE-2017-14539 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service or ...) - TODO: check + NOT-FOR-US: IrfanView CVE-2017-14538 (XnView Classic for Windows Version 2.40 allows attackers to execute ...) - TODO: check + NOT-FOR-US: XnView CVE-2017-14537 RESERVED CVE-2017-14536 @@ -24554,7 +24554,7 @@ CVE-2017-6148 RESERVED CVE-2017-6147 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2017-6146 RESERVED CVE-2017-6145 
@@ -107041,7 +107041,7 @@ CVE-2014-6107 (IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote ...) NOT-FOR-US: IBM CVE-2014-6106 (Cross-site request forgery (CSRF) vulnerability in IBM Security ...) - TODO: check + NOT-FOR-US: IBM CVE-2014-6105 (IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote ...) NOT-FOR-US: IBM CVE-2014-6104 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55890 - data
Author: carnil Date: 2017-09-19 04:58:46 + (Tue, 19 Sep 2017) New Revision: 55890 Modified: data/dsa-needed.txt Log: Take linux from dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-09-19 04:51:30 UTC (rev 55889) +++ data/dsa-needed.txt 2017-09-19 04:58:46 UTC (rev 55890) @@ -55,7 +55,7 @@ -- libytnef -- -linux +linux (benh, carnil) Wait until more issues have piled up -- openjpeg2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
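Review bot: in the dsa-needed.txt hunk the context line "Wait until more issues have piled up" stays under the entry that now reads "linux (benh, carnil)"; if the claim means an update is being prepared, drop or reword that note so the file does not say both things at once.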
[Secure-testing-commits] r55889 - data/CVE
Author: carnil Date: 2017-09-19 04:51:30 + (Tue, 19 Sep 2017) New Revision: 55889 Modified: data/CVE/list Log: Process three NFUs Modified: data/CVE/list === --- data/CVE/list 2017-09-19 04:27:16 UTC (rev 55888) +++ data/CVE/list 2017-09-19 04:51:30 UTC (rev 55889) @@ -20077,10 +20077,13 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1478373 CVE-2017-7554 RESERVED + NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7553 RESERVED + NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7552 RESERVED + NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7551 (389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to ...) - 389-ds-base 1.3.6.7-1 (bug #870752) NOTE: https://pagure.io/389-ds-base/issue/49336 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55888 - data/CVE
Author: carnil Date: 2017-09-19 04:27:16 + (Tue, 19 Sep 2017) New Revision: 55888 Modified: data/CVE/list Log: Record fixed version for linux upload to unstable Modified: data/CVE/list === --- data/CVE/list 2017-09-19 03:07:08 UTC (rev 55887) +++ data/CVE/list 2017-09-19 04:27:16 UTC (rev 55888) @@ -218,7 +218,7 @@ CVE-2017-14498 (SilverStripe CMS before 3.6.1 has XSS via an SVG document that is ...) NOT-FOR-US: SilverStripe CMS CVE-2017-14497 (The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel ...) - - linux + - linux 4.12.13-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd (v4.13) @@ -237,7 +237,7 @@ CVE-2017-14490 RESERVED CVE-2017-14489 (The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the ...) - - linux + - linux 4.12.13-1 NOTE: https://patchwork.kernel.org/patch/9923803/ CVE-2017-14488 RESERVED @@ -606,7 +606,7 @@ NOTE: https://github.com/LibRaw/LibRaw/issues/100 NOTE: https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2 CVE-2017-14340 (The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux ...) - - linux + - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/b31ff3cdf540110da4572e3e29bd172087af65cc CVE-2017-14339 RESERVED @@ -1106,7 +1106,7 @@ CVE-2017-14157 RESERVED CVE-2017-14156 (The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the ...) - - linux (low) + - linux 4.12.13-1 (low) CVE-2017-14155 RESERVED CVE-2017-14154 
@@ -1130,14 +1130,14 @@ NOTE: https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9 NOTE: https://github.com/uclouvain/openjpeg/issues/982 CVE-2017-1000252 [KVM denial of service with posted interrupts on Intel systems] - - linux + - linux 4.12.13-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb (v4.14-rc1) NOTE: https://marc.info/?l=kvm&m=15054914575&w=2 NOTE: https://marc.info/?l=kvm&m=15054914637&w=2 CVE-2017-1000251 (The native Bluetooth stack in the Linux Kernel (BlueZ), starting at ...) - - linux (bug #875881) + - linux 4.12.13-1 (bug #875881) NOTE: Fixed by: https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 NOTE: https://www.armis.com/blueborne/ NOTE: https://access.redhat.com/security/vulnerabilities/blueborne @@ -1491,7 +1491,7 @@ CVE-2017-14035 (CrushFTP 8.x before 8.2.0 has a serialization vulnerability. ...) NOT-FOR-US: CrushFTP CVE-2017-14051 (An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in ...) - - linux + - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017 NOTE: https://patchwork.kernel.org/patch/9929625/ CVE-2017-14034 @@ -6662,12 +6662,12 @@ RESERVED CVE-2017-12154 [kvm: nVMX: L2 guest could access hardware(L0) CR8 register] RESERVED - - linux + - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f (v4.14-rc1) NOTE: https://www.spinics.net/lists/kvm/msg155414.html CVE-2017-12153 [null pointer dereference in nl80211_set_rekey_data()] RESERVED - - linux + - linux 4.12.13-1 NOTE: https://marc.info/?t=15052550311&r=1&w=2 NOTE: https://marc.info/?l=linux-wireless&m=150525493517953&w=2 CVE-2017-12152 
@@ -20060,7 +20060,7 @@ RESERVED CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info()] RESERVED - - linux + - linux 4.12.13-1 [jessie] - linux (Vulnerable code introduced later 4.7 and not backported) [wheezy] - linux (Vulnerable code introduced later 4.7 and not backported) CVE-2017-7557 (dnsdist version 1.1.0 is vulnerable to a flaw in authentication ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
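Review bot: several entries that gain the fixed version 4.12.13-1 cite only a patchwork or mailing-list link rather than a "Fixed by:" commit, namely CVE-2017-14489 (patchwork.kernel.org/patch/9923803/) and CVE-2017-12153 (two marc.info links), and CVE-2017-14156 has no NOTE at all in the visible context. Add the upstream commit for each, as the CVE-2017-14340 and CVE-2017-14051 entries do, so the recorded version can be tied to a specific fix.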
[Secure-testing-commits] r55887 - in data: . DLA
Author: benh Date: 2017-09-19 03:07:08 + (Tue, 19 Sep 2017) New Revision: 55887 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1099-1 for linux Modified: data/DLA/list === --- data/DLA/list 2017-09-19 02:28:13 UTC (rev 55886) +++ data/DLA/list 2017-09-19 03:07:08 UTC (rev 55887) @@ -1,3 +1,6 @@ +[19 Sep 2017] DLA-1099-1 linux - security update + {CVE-2017-7482 CVE-2017-7542 CVE-2017-7889 CVE-2017-10661 CVE-2017-10911 CVE-2017-11176 CVE-2017-11600 CVE-2017-12134 CVE-2017-12153 CVE-2017-12154 CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340 CVE-2017-14489 CVE-2017-1000111 CVE-2017-1000251 CVE-2017-1000363 CVE-2017-1000365 CVE-2017-1000380} + [wheezy] - linux 3.2.93-1 [17 Sep 2017] DLA-1098-1 freexl - security update {CVE-2017-2923 CVE-2017-2924} [wheezy] - freexl 1.0.0b-1+deb7u4 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-19 02:28:13 UTC (rev 55886) +++ data/dla-needed.txt 2017-09-19 03:07:08 UTC (rev 55887) @@ -114,8 +114,6 @@ libytnef NOTE: 20170813: patches missing -- -linux --- mcollective NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55886 - data/DLA
Author: pabs Date: 2017-09-19 02:28:13 + (Tue, 19 Sep 2017) New Revision: 55886 Modified: data/DLA/list Log: Fix ipsec-tools version for DLA-1044-1 CVE-2016-10396 fix Suggested-by: ex-parrot Suggested-in: #debian-security Confirmed-by: debsnap ipsec-tools --first 1:0.8.0-14+deb7u1 --last 1:0.8.0-14+deb7u3 Modified: data/DLA/list === --- data/DLA/list 2017-09-18 21:10:17 UTC (rev 55885) +++ data/DLA/list 2017-09-19 02:28:13 UTC (rev 55886) @@ -163,7 +163,7 @@ [wheezy] - graphicsmagick 1.3.16-1.1+deb7u8 [29 Jul 2017] DLA-1044-1 ipsec-tools - security update {CVE-2016-10396} - [wheezy] - ipsec-tools 1:0.8.0-14+deb7u1 + [wheezy] - ipsec-tools 1:0.8.0-14+deb7u2 [29 Jul 2017] DLA-841-2 apache2 - regression update {CVE-2016-8743} [wheezy] - apache2 2.2.22-13+deb7u11 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55885 - data/CVE
Author: sectracker Date: 2017-09-18 21:10:17 + (Mon, 18 Sep 2017) New Revision: 55885 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-09-18 20:48:11 UTC (rev 55884) +++ data/CVE/list 2017-09-18 21:10:17 UTC (rev 55885) 
@@ -1,89 +1,91 @@ -CVE-2017-14580 +CVE-2017-14581 RESERVED -CVE-2017-14579 - RESERVED -CVE-2017-14578 - RESERVED -CVE-2017-14577 - RESERVED -CVE-2017-14576 - RESERVED -CVE-2017-14575 - RESERVED -CVE-2017-14574 - RESERVED -CVE-2017-14573 - RESERVED -CVE-2017-14572 - RESERVED -CVE-2017-14571 - RESERVED -CVE-2017-14570 - RESERVED -CVE-2017-14569 - RESERVED -CVE-2017-14568 - RESERVED -CVE-2017-14567 - RESERVED -CVE-2017-14566 - RESERVED -CVE-2017-14565 - RESERVED -CVE-2017-14564 - RESERVED -CVE-2017-14563 - RESERVED -CVE-2017-14562 - RESERVED -CVE-2017-14561 - RESERVED -CVE-2017-14560 - RESERVED -CVE-2017-14559 - RESERVED -CVE-2017-14558 - RESERVED -CVE-2017-14557 - RESERVED -CVE-2017-14556 - RESERVED -CVE-2017-14555 - RESERVED -CVE-2017-14554 - RESERVED -CVE-2017-14553 - RESERVED -CVE-2017-14552 - RESERVED -CVE-2017-14551 - RESERVED -CVE-2017-14550 - RESERVED -CVE-2017-14549 - RESERVED -CVE-2017-14548 - RESERVED -CVE-2017-14547 - RESERVED -CVE-2017-14546 - RESERVED -CVE-2017-14545 - RESERVED -CVE-2017-14544 - RESERVED -CVE-2017-14543 - RESERVED -CVE-2017-14542 - RESERVED -CVE-2017-14541 - RESERVED -CVE-2017-14540 - RESERVED -CVE-2017-14539 - RESERVED -CVE-2017-14538 - RESERVED +CVE-2017-14580 (XnView Classic for Windows Version 2.41 allows attackers to execute ...) + TODO: check +CVE-2017-14579 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14578 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14577 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14576 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14575 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14574 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) 
+ TODO: check +CVE-2017-14573 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14572 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14571 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14570 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14569 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14568 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14567 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14566 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14565 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14564 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14563 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14562 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14561 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14560 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14559 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14558 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14557 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +CVE-2017-14556 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) 
+ TODO: check +CVE-2017-14555 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14554 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or ...) + TODO: check +CVE-2017-14553 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause ...) + TODO: check +
[Secure-testing-commits] r55884 - data/DSA
Author: jmm Date: 2017-09-18 20:48:11 + (Mon, 18 Sep 2017) New Revision: 55884 Modified: data/DSA/list Log: gdk-pixbuf DSA Modified: data/DSA/list === --- data/DSA/list 2017-09-18 20:37:08 UTC (rev 55883) +++ data/DSA/list 2017-09-18 20:48:11 UTC (rev 55884) @@ -1,3 +1,7 @@ +[18 Sep 2017] DSA-3978-1 gdk-pixbuf - security update + {CVE-2017-2862} + [jessie] - gdk-pixbuf 2.31.1-2+deb8u6 + [stretch] - gdk-pixbuf 2.36.5-2+deb9u1 [18 Sep 2017] DSA-3977-1 newsbeuter - security update {CVE-2017-14500} [jessie] - newsbeuter 2.8-2+deb8u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55883 - data/CVE
Author: jmm Date: 2017-09-18 20:37:08 + (Mon, 18 Sep 2017) New Revision: 55883 Modified: data/CVE/list Log: puppet-module-puppetlabs-apache no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-09-18 20:36:34 UTC (rev 55882) +++ data/CVE/list 2017-09-18 20:37:08 UTC (rev 55883) @@ -36080,6 +36080,8 @@ NOT-FOR-US: Juniper CVE-2017-2299 (Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 ...) - puppet-module-puppetlabs-apache (bug #875983) + [stretch] - puppet-module-puppetlabs-apache (Minor issue) + [jessie] - puppet-module-puppetlabs-apache (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2017-2299 NOTE: https://github.com/puppetlabs/puppetlabs-apache/commit/7bb35c2293c12ce52329a4391fe1f20389efef06 CVE-2017-2298 (The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55882 - data/CVE
Author: jmm Date: 2017-09-18 20:36:34 + (Mon, 18 Sep 2017) New Revision: 55882 Modified: data/CVE/list Log: pngcrush no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-09-18 19:26:02 UTC (rev 55881) +++ data/CVE/list 2017-09-18 20:36:34 UTC (rev 55882) @@ -75144,6 +75144,8 @@ NOTE: https://github.com/ntp-project/ntp/commit/79604d925e4477247eee202155215e7865293809 CVE-2015-7700 (Double-free vulnerability in the sPLT chunk structure and png.c in ...) - pngcrush (bug #874109) + [stretch] - pngcrush (Minor issue) + [jessie] - pngcrush (Minor issue) NOTE: http://sourceforge.net/p/pmt/code/ci/e8ae5a842e86324f0bee91f4d98245fddb8ea5dd (1.7.87) CVE-2015-7697 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of ...) {DSA-3386-1 DLA-330-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55881 - data/CVE
Author: carnil Date: 2017-09-18 19:26:02 + (Mon, 18 Sep 2017) New Revision: 55881 Modified: data/CVE/list Log: Add fixing commit for CVE-2017-0380 Modified: data/CVE/list === --- data/CVE/list 2017-09-18 18:16:03 UTC (rev 55880) +++ data/CVE/list 2017-09-18 19:26:02 UTC (rev 55881) @@ -40344,6 +40344,7 @@ [jessie] - tor (Issue introduced in 0.2.7.2-alpha) [wheezy] - tor (Issue introduced in 0.2.7.2-alpha) NOTE: https://trac.torproject.org/projects/tor/ticket/23490 + NOTE: https://github.com/torproject/tor/commit/09ea89764a4d3a907808ed7d4fe42abfe64bd486 CVE-2017-0379 (Libgcrypt before 1.8.1 does not properly consider Curve25519 ...) {DSA-3959-1} - libgcrypt20 1.7.9-1 (bug #873383) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55880 - in data: . DSA
Author: carnil Date: 2017-09-18 18:16:03 + (Mon, 18 Sep 2017) New Revision: 55880 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for newsbeuter update Modified: data/DSA/list === --- data/DSA/list 2017-09-18 17:01:36 UTC (rev 55879) +++ data/DSA/list 2017-09-18 18:16:03 UTC (rev 55880) @@ -1,3 +1,7 @@ +[18 Sep 2017] DSA-3977-1 newsbeuter - security update + {CVE-2017-14500} + [jessie] - newsbeuter 2.8-2+deb8u2 + [stretch] - newsbeuter 2.9-5+deb9u2 [17 Sep 2017] DSA-3976-1 freexl - security update {CVE-2017-2923 CVE-2017-2924} [jessie] - freexl 1.0.0g-1+deb8u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-09-18 17:01:36 UTC (rev 55879) +++ data/dsa-needed.txt 2017-09-18 18:16:03 UTC (rev 55880) @@ -58,8 +58,6 @@ linux Wait until more issues have piled up -- -newsbeuter (carnil) --- openjpeg2 -- perl (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55879 - data/CVE
Author: carnil Date: 2017-09-18 17:01:36 + (Mon, 18 Sep 2017) New Revision: 55879 Modified: data/CVE/list Log: Add fixed version for newsbeuter Modified: data/CVE/list === --- data/CVE/list 2017-09-18 16:51:39 UTC (rev 55878) +++ data/CVE/list 2017-09-18 17:01:36 UTC (rev 55879) @@ -205,7 +205,7 @@ - libarchive (bug #875966) NOTE: https://github.com/libarchive/libarchive/issues/949 CVE-2017-14500 (Improper Neutralization of Special Elements used in an OS Command in ...) - - newsbeuter (bug #876004) + - newsbeuter 2.9-7 (bug #876004) NOTE: http://openwall.com/lists/oss-security/2017/09/16/1 NOTE: newsbeuter-2.9.x: https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333 NOTE: master: https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55878 - data/CVE
Author: jmm Date: 2017-09-18 16:51:39 + (Mon, 18 Sep 2017) New Revision: 55878 Modified: data/CVE/list Log: three poppler issues no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-09-18 16:13:35 UTC (rev 55877) +++ data/CVE/list 2017-09-18 16:51:39 UTC (rev 55878) @@ -135,7 +135,9 @@ CVE-2017-14521 RESERVED CVE-2017-14520 (In Poppler 0.59.0, a floating point exception occurs in ...) - - poppler (bug #876081) + - poppler (low; bug #876081) + [stretch] - poppler (Minor issue) + [jessie] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to ...) @@ -143,11 +145,15 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) - - poppler (bug #876082) + - poppler (low; bug #876082) + [stretch] - poppler (Minor issue) + [jessie] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102688 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) - - poppler (bug #876079) + - poppler (low; bug #876079) + [stretch] - poppler (Minor issue) + [jessie] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f CVE-2017-14516 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55877 - data
Author: jmm Date: 2017-09-18 16:13:35 + (Mon, 18 Sep 2017) New Revision: 55877 Modified: data/dsa-needed.txt Log: add xen to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-09-18 14:58:52 UTC (rev 55876) +++ data/dsa-needed.txt 2017-09-18 16:13:35 UTC (rev 55877) @@ -58,6 +58,8 @@ linux Wait until more issues have piled up -- +newsbeuter (carnil) +-- openjpeg2 -- perl (carnil) @@ -90,5 +92,7 @@ 2017-05-13: asked balint@ if he wants to prepare an update now 2017-07-28: re-ping balint@ -- +xen +-- zendframework/oldstable -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
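Review bot: the first dsa-needed.txt hunk adds "newsbeuter (carnil)", which the log message "add xen to dsa-needed" does not mention; name both additions in the log or commit them separately so the newsbeuter entry can be traced in the history.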
[Secure-testing-commits] r55876 - data/CVE
Author: carnil Date: 2017-09-18 14:58:52 + (Mon, 18 Sep 2017) New Revision: 55876 Modified: data/CVE/list Log: Add CVE-2017-0380/tor Modified: data/CVE/list === --- data/CVE/list 2017-09-18 14:36:09 UTC (rev 55875) +++ data/CVE/list 2017-09-18 14:58:52 UTC (rev 55876) @@ -40332,8 +40332,12 @@ {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) -CVE-2017-0380 +CVE-2017-0380 [Stack disclosure in hidden services logs when SafeLogging disabled] RESERVED + - tor + [jessie] - tor (Issue introduced in 0.2.7.2-alpha) + [wheezy] - tor (Issue introduced in 0.2.7.2-alpha) + NOTE: https://trac.torproject.org/projects/tor/ticket/23490 CVE-2017-0379 (Libgcrypt before 1.8.1 does not properly consider Curve25519 ...) {DSA-3959-1} - libgcrypt20 1.7.9-1 (bug #873383) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55875 - data/CVE
Author: jmm Date: 2017-09-18 14:36:09 + (Mon, 18 Sep 2017) New Revision: 55875 Modified: data/CVE/list Log: gdm not-affected in released distros one imagemagick issue unimportant Modified: data/CVE/list === --- data/CVE/list 2017-09-18 14:21:46 UTC (rev 55874) +++ data/CVE/list 2017-09-18 14:36:09 UTC (rev 55875) @@ -103,7 +103,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/1942317d9208ea17ee17d976a39768cd51d74160 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c55fb18c3f78445d100a378ab8b3c0acd53c6590 CVE-2017-14531 (ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in ...) - - imagemagick + - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/718 NOTE: https://github.com/ImageMagick/ImageMagick/commit/69967f4161bd14d8e03ea463d6545da442a6ea78 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1385a09732c261f1f403a9af6700979ca56c76d3 @@ -6626,7 +6626,11 @@ CVE-2017-12164 [lock screen can be circumvented when autologin is set] RESERVED - gdm3 3.26.0-1 + [stretch] - gdm3 (Vulnerable code not present) + [jessie] - gdm3 (Vulnerable code not present) + [wheezy] - gdm3 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490417 + NOTE: Introduced in https://git.gnome.org/browse/gdm/commit/?id=ff98b28 CVE-2017-12163 RESERVED CVE-2017-12162 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
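Review bot: the CVE-2017-14531 line changes to "- imagemagick (unimportant)" with no NOTE giving the reason, while the context describes a memory exhaustion issue in ReadSUNImage; add a NOTE stating why it is rated unimportant. The gdm3 hunk handles this better, with the "Introduced in" commit backing the three "Vulnerable code not present" lines.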
[Secure-testing-commits] r55874 - data/CVE
Author: carnil Date: 2017-09-18 14:21:46 + (Mon, 18 Sep 2017) New Revision: 55874 Modified: data/CVE/list Log: Add bug reference for apache2 issue Modified: data/CVE/list === --- data/CVE/list 2017-09-18 14:18:12 UTC (rev 55873) +++ data/CVE/list 2017-09-18 14:21:46 UTC (rev 55874) @@ -11660,7 +11660,7 @@ NOT-FOR-US: Apache Storm CVE-2017-9798 RESERVED - - apache2 + - apache2 (bug #876109) NOTE: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html NOTE: https://github.com/hannob/optionsbleed NOTE: Patch: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55873 - data/CVE
Author: carnil Date: 2017-09-18 14:18:12 + (Mon, 18 Sep 2017) New Revision: 55873 Modified: data/CVE/list Log: Remove one reference, since relates to similar issue but not a security issue Modified: data/CVE/list === --- data/CVE/list 2017-09-18 13:58:27 UTC (rev 55872) +++ data/CVE/list 2017-09-18 14:18:12 UTC (rev 55873) @@ -11662,7 +11662,6 @@ RESERVED - apache2 NOTE: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html - NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61207 NOTE: https://github.com/hannob/optionsbleed NOTE: Patch: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch NOTE: Patch backport for 2.2: https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55872 - data/CVE
Author: carnil Date: 2017-09-18 13:58:27 + (Mon, 18 Sep 2017) New Revision: 55872 Modified: data/CVE/list Log: Add bug reference for CVE-2017-14341 Modified: data/CVE/list === --- data/CVE/list 2017-09-18 13:53:42 UTC (rev 55871) +++ data/CVE/list 2017-09-18 13:58:27 UTC (rev 55872) @@ -588,7 +588,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/4e378ea8fb99e869768f34e900105e8c769adfcd NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6d5b22baedd49ef8a35011789bd600762ce1ef21 CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in ...) - - imagemagick (low) + - imagemagick (low; bug #876105) NOTE: https://github.com/ImageMagick/ImageMagick/issues/654 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55871 - in data: . CVE
Author: alteholz Date: 2017-09-18 13:53:42 + (Mon, 18 Sep 2017) New Revision: 55871 Modified: data/CVE/list data/dla-needed.txt Log: libstruts1.2-java in Wheezy not affected Modified: data/CVE/list === --- data/CVE/list 2017-09-18 13:43:06 UTC (rev 55870) +++ data/CVE/list 2017-09-18 13:53:42 UTC (rev 55871) @@ -11637,6 +11637,7 @@ RESERVED CVE-2017-9805 (The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and ...) - libstruts1.2-java + [wheezy] - libstruts1.2-java (vulnerable code not present) NOTE: https://struts.apache.org/docs/s2-052.html CVE-2017-9804 RESERVED @@ -11676,6 +11677,7 @@ CVE-2017-9793 RESERVED - libstruts1.2-java + [wheezy] - libstruts1.2-java (vulnerable code not present) NOTE: https://struts.apache.org/docs/s2-051.html CVE-2017-9792 RESERVED Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-18 13:43:06 UTC (rev 55870) +++ data/dla-needed.txt 2017-09-18 13:53:42 UTC (rev 55871) @@ -105,8 +105,6 @@ NOTE: regression update, see: NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html -- -libstruts1.2-java (Thorsten Alteholz) --- libvorbis NOTE: 20170829: no fix available yet -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
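Review bot: in both data/CVE/list hunks the new [wheezy] line sits under an unsuffixed "- libstruts1.2-java" entry that is left unchanged, so CVE-2017-9805 and CVE-2017-9793 still read as open for every other suite. The CVE-2017-9805 description names the REST Plugin in Apache Struts 2.1.2 through 2.3.x while the package is libstruts1.2-java; please check whether "vulnerable code not present" holds for the package as a whole rather than for wheezy only, and record the reasoning in a NOTE. The wording is also lower-case here where r55875 writes "Vulnerable code not present".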
[Secure-testing-commits] r55870 - data/CVE
Author: carnil Date: 2017-09-18 13:43:06 + (Mon, 18 Sep 2017) New Revision: 55870 Modified: data/CVE/list Log: Add CVE-2017-9798 Modified: data/CVE/list === --- data/CVE/list 2017-09-18 13:04:46 UTC (rev 55869) +++ data/CVE/list 2017-09-18 13:43:06 UTC (rev 55870) @@ -11659,6 +11659,12 @@ NOT-FOR-US: Apache Storm CVE-2017-9798 RESERVED + - apache2 + NOTE: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html + NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61207 + NOTE: https://github.com/hannob/optionsbleed + NOTE: Patch: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch + NOTE: Patch backport for 2.2: https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch CVE-2017-9797 RESERVED CVE-2017-9796 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
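Review bot: CVE-2017-9798 is still RESERVED and the new entry gives it no bracketed short description, so the list itself never says what the issue is; other RESERVED entries in this file carry one (for example "CVE-2017-12164 [lock screen can be circumvented when autologin is set]"). Suggest adding a description taken from the linked Optionsbleed write-up, so the entry is readable without following the NOTE links.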
[Secure-testing-commits] r55869 - data/CVE
Author: carnil Date: 2017-09-18 13:04:46 + (Mon, 18 Sep 2017) New Revision: 55869 Modified: data/CVE/list Log: Add bug reference for CVE-2017-14249 Modified: data/CVE/list === --- data/CVE/list 2017-09-18 12:50:28 UTC (rev 55868) +++ data/CVE/list 2017-09-18 13:04:46 UTC (rev 55869) @@ -827,7 +827,7 @@ CVE-2017-14250 RESERVED CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in ...) - - imagemagick (low) + - imagemagick (low; bug #876099) NOTE: https://github.com/ImageMagick/ImageMagick/issues/708 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2071d67ebf729f76d73c33c1152df4816d1d79ac NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/66112b7a7b64f688efe6fec53a829874a74dea04 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55868 - data/CVE
Author: carnil Date: 2017-09-18 12:50:28 + (Mon, 18 Sep 2017) New Revision: 55868 Modified: data/CVE/list Log: Update information for CVE-2017-14249 Modified: data/CVE/list === --- data/CVE/list 2017-09-18 12:34:32 UTC (rev 55867) +++ data/CVE/list 2017-09-18 12:50:28 UTC (rev 55868) @@ -832,7 +832,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/2071d67ebf729f76d73c33c1152df4816d1d79ac NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/66112b7a7b64f688efe6fec53a829874a74dea04 CVE-2017-14248 (A heap-based buffer over-read in SampleImage() in MagickCore/resize.c ...) - - imagemagick (low) + - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/717 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5402b6e0fcf8b694ae2af6a6652ebb8ce0ccf46 CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
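Review bot: CVE-2017-14248 goes from "(low)" to "(Vulnerable code introduced later)" with no NOTE saying which upstream commit or release introduced the SampleImage() over-read, so the status cannot be verified from the entry. r55875 does this for gdm3 with a "NOTE: Introduced in ..." line; the same here would let the status be re-checked when a newer imagemagick is uploaded.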
[Secure-testing-commits] r55867 - data/CVE
Author: carnil Date: 2017-09-18 12:34:32 + (Mon, 18 Sep 2017) New Revision: 55867 Modified: data/CVE/list Log: Add bug reference for CVE-2017-14224 Modified: data/CVE/list === --- data/CVE/list 2017-09-18 10:10:31 UTC (rev 55866) +++ data/CVE/list 2017-09-18 12:34:32 UTC (rev 55867) @@ -915,7 +915,7 @@ - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2 CVE-2017-14224 (A heap-based buffer overflow in WritePCXImage in coders/pcx.c in ...) - - imagemagick + - imagemagick (bug #876097) NOTE: https://github.com/ImageMagick/ImageMagick/issues/733 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7f2d6fe34d695d3445e2d50937db5541a1b76bde NOTE: https://github.com/ImageMagick/ImageMagick/commit/c6409227c430f114b6425337e64b848535b62e0b ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55866 - data/CVE
Author: carnil Date: 2017-09-18 10:10:31 + (Mon, 18 Sep 2017) New Revision: 55866 Modified: data/CVE/list Log: Add bug reference for CVE-2017-14519 Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:59:28 UTC (rev 55865) +++ data/CVE/list 2017-09-18 10:10:31 UTC (rev 55866) @@ -139,7 +139,7 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to ...) - - poppler + - poppler (bug #876086) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55865 - data/CVE
Author: carnil Date: 2017-09-18 09:59:28 + (Mon, 18 Sep 2017) New Revision: 55865 Modified: data/CVE/list Log: Add bug references for poppler Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:40:28 UTC (rev 55864) +++ data/CVE/list 2017-09-18 09:59:28 UTC (rev 55865) @@ -135,7 +135,7 @@ CVE-2017-14521 RESERVED CVE-2017-14520 (In Poppler 0.59.0, a floating point exception occurs in ...) - - poppler + - poppler (bug #876081) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to ...) @@ -143,11 +143,11 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) - - poppler + - poppler (bug #876082) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102688 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) - - poppler + - poppler (bug #876079) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f CVE-2017-14516 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55864 - data/CVE
Author: carnil Date: 2017-09-18 09:40:28 + (Mon, 18 Sep 2017) New Revision: 55864 Modified: data/CVE/list Log: Add two new moodle issues Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:40:16 UTC (rev 55863) +++ data/CVE/list 2017-09-18 09:40:28 UTC (rev 55864) @@ -6640,9 +6640,11 @@ CVE-2017-12158 RESERVED CVE-2017-12157 (In Moodle 3.x, various course reports allow teachers to view details ...) - TODO: check + - moodle + NOTE: https://moodle.org/mod/forum/discuss.php?d=358586 CVE-2017-12156 (Moodle 3.x has XSS in the contact form on the "non-respondents" page in ...) - TODO: check + - moodle + NOTE: https://moodle.org/mod/forum/discuss.php?d=358585 CVE-2017-12155 RESERVED CVE-2017-12154 [kvm: nVMX: L2 guest could access hardware(L0) CR8 register] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55863 - data/CVE
Author: carnil Date: 2017-09-18 09:40:16 + (Mon, 18 Sep 2017) New Revision: 55863 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:32:27 UTC (rev 55862) +++ data/CVE/list 2017-09-18 09:40:16 UTC (rev 55863) @@ -91,7 +91,7 @@ CVE-2017-14535 RESERVED CVE-2017-14534 (Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via ...) - TODO: check + NOT-FOR-US: NexusPHP CVE-2017-14533 (ImageMagick 7.0.6-6 has a memory leak in ReadMATImage in coders/mat.c. ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/648 @@ -108,7 +108,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/69967f4161bd14d8e03ea463d6545da442a6ea78 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1385a09732c261f1f403a9af6700979ca56c76d3 CVE-2017-14530 (WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for ...) - TODO: check + NOT-FOR-US: Crony Cronjob Manager plugin for WordPress CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Descriptor ...) - binutils [stretch] - binutils (Minor issue) 
@@ -153,21 +153,21 @@ CVE-2017-14516 RESERVED CVE-2017-14515 (Heap-based Buffer Overflow on Tenda W15E devices before 15.11.0.14 ...) - TODO: check + NOT-FOR-US: Tenda W15E devices CVE-2017-14514 (Directory Traversal on Tenda W15E devices before 15.11.0.14 allows ...) - TODO: check + NOT-FOR-US: Tenda W15E devices CVE-2017-14513 (Directory traversal vulnerability in MetInfo 5.3.17 allows remote ...) - TODO: check + NOT-FOR-US: MetInfo CVE-2017-14512 (NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via ...) - TODO: check + NOT-FOR-US: NexusPHP CVE-2017-14511 (An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through ...) - TODO: check + NOT-FOR-US: SAP CVE-2017-14510 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before ...) - TODO: check + NOT-FOR-US: SugarCRM CVE-2017-14509 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before ...) - TODO: check + NOT-FOR-US: SugarCRM CVE-2017-14508 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before ...) - TODO: check + NOT-FOR-US: SugarCRM CVE-2016-10511 RESERVED CVE-2017-14507 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
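Review bot: "NOT-FOR-US: SAP" on CVE-2017-14511 names only the vendor, while the other entries in this change name the product ("Tenda W15E devices", "Crony Cronjob Manager plugin for WordPress"). "NOT-FOR-US: SAP E-Recruiting" would match the CVE description and keep product searches of the list reliable.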
[Secure-testing-commits] r55862 - data/CVE
Author: carnil Date: 2017-09-18 09:32:27 + (Mon, 18 Sep 2017) New Revision: 55862 Modified: data/CVE/list Log: Add CVE-2017-14517/poppler Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:32:16 UTC (rev 55861) +++ data/CVE/list 2017-09-18 09:32:27 UTC (rev 55862) @@ -147,7 +147,9 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102688 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) - TODO: check + - poppler + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f CVE-2017-14516 RESERVED CVE-2017-14515 (Heap-based Buffer Overflow on Tenda W15E devices before 15.11.0.14 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55861 - data/CVE
Author: carnil Date: 2017-09-18 09:32:16 + (Mon, 18 Sep 2017) New Revision: 55861 Modified: data/CVE/list Log: Add CVE-2017-14518/poppler Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:30:10 UTC (rev 55860) +++ data/CVE/list 2017-09-18 09:32:16 UTC (rev 55861) @@ -143,7 +143,9 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) - TODO: check + - poppler + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102688 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) TODO: check CVE-2017-14516 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55860 - data/CVE
Author: carnil Date: 2017-09-18 09:30:10 + (Mon, 18 Sep 2017) New Revision: 55860 Modified: data/CVE/list Log: Add CVE-2017-14519/poppler Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:29:13 UTC (rev 55859) +++ data/CVE/list 2017-09-18 09:30:10 UTC (rev 55860) @@ -139,7 +139,9 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to ...) - TODO: check + - poppler + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) TODO: check CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55859 - data/CVE
Author: carnil Date: 2017-09-18 09:29:13 + (Mon, 18 Sep 2017) New Revision: 55859 Modified: data/CVE/list Log: Add CVE-2017-14520/poppler Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:26:50 UTC (rev 55858) +++ data/CVE/list 2017-09-18 09:29:13 UTC (rev 55859) @@ -135,7 +135,9 @@ CVE-2017-14521 RESERVED CVE-2017-14520 (In Poppler 0.59.0, a floating point exception occurs in ...) - TODO: check + - poppler + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to ...) TODO: check CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55858 - /
Author: carnil Date: 2017-09-18 09:26:50 + (Mon, 18 Sep 2017) New Revision: 55858 Modified: TODO.gitmigration Log: Reference information for mailinglists Modified: TODO.gitmigration === --- TODO.gitmigration 2017-09-18 09:26:49 UTC (rev 55857) +++ TODO.gitmigration 2017-09-18 09:26:50 UTC (rev 55858) @@ -45,3 +45,7 @@ - move this file to git - ping federico3 to update the codebase for security-metrics.d.n (uses git-svn) + +References: +=== +Mailinglists: https://lists.debian.org/debian-devel-announce/2017/09/msg4.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
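Review bot: the added Mailinglists URL ends in "msg4.html", whereas the lists.debian.org link already present in data/dla-needed.txt (context of r55871) uses a zero-padded message number ("msg00012.html"). Please confirm the link resolves before it becomes the migration's reference for the mailing-list change.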
[Secure-testing-commits] r55857 - tools/git-migration
Author: carnil Date: 2017-09-18 09:26:49 + (Mon, 18 Sep 2017) New Revision: 55857 Modified: tools/git-migration/AUTHORS.txt Log: sync AUTHORS.txt Modified: tools/git-migration/AUTHORS.txt === --- tools/git-migration/AUTHORS.txt 2017-09-18 09:26:47 UTC (rev 55856) +++ tools/git-migration/AUTHORS.txt 2017-09-18 09:26:49 UTC (rev 55857) @@ -154,6 +154,7 @@ tokkee = Sebastian Harl troyh = Troy Heber u-guest = Ulrike Uhlig +vagrant = Vagrant Cascadian vcheng = Vincent Cheng vicho = Javi Merino waldi = Bastian Blank ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55856 - tools/git-migration
Author: carnil Date: 2017-09-18 09:26:47 + (Mon, 18 Sep 2017) New Revision: 55856 Modified: tools/git-migration/README Log: Add poc conversion Modified: tools/git-migration/README === --- tools/git-migration/README 2017-09-18 09:26:46 UTC (rev 55855) +++ tools/git-migration/README 2017-09-18 09:26:47 UTC (rev 55856) @@ -13,3 +13,8 @@ $ git config remote.new-repo.push 'refs/remotes/*:refs/heads/*' $ git push --new-upstream new-repo master + +POC +--- +Proof of concept for only the conversion: +https://gitlab.com/carnil/secure-testing ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55854 - tools/git-migration
Author: carnil Date: 2017-09-18 09:26:45 + (Mon, 18 Sep 2017) New Revision: 55854 Modified: tools/git-migration/README Log: Simplify conversion procedure Keep metadata, since useful if referenced somewhere to have still the old svn revision ids for the older commits before conversion. Modified: tools/git-migration/README === --- tools/git-migration/README 2017-09-18 09:26:09 UTC (rev 55853) +++ tools/git-migration/README 2017-09-18 09:26:45 UTC (rev 55854) @@ -4,7 +4,7 @@ 2/ Clone the subversion repository using git-svn: - $ git svn clone svn+ssh://svn.debian.org/svn/secure-testing --prefix=origin/ --no-metadata -A AUTHORS.txt tmp-git-repo + $ git svn clone svn+ssh://svn.debian.org/svn/secure-testing -A AUTHORS.txt tmp-git-repo 3/ Push repository to new bare git repo ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
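Review bot: the log message explains dropping --no-metadata but not --prefix=origin/, which is removed in the same clone line. git-svn before 2.0 defaults to an empty prefix, so the remote-tracking ref names, and with them the 'refs/remotes/*:refs/heads/*' push refspec used later in this README, depend on the git version doing the conversion; either keep the explicit prefix or state the minimum git version. With metadata kept, each converted commit message will also carry a git-svn-id line containing the svn+ssh URL, which deserves a sentence in the README.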
[Secure-testing-commits] r55855 - tools/git-migration
Author: carnil Date: 2017-09-18 09:26:46 + (Mon, 18 Sep 2017) New Revision: 55855 Added: tools/git-migration/AUTHORS.txt Log: Add current AUTHORS file used for conversion Added: tools/git-migration/AUTHORS.txt === --- tools/git-migration/AUTHORS.txt (rev 0) +++ tools/git-migration/AUTHORS.txt 2017-09-18 09:26:46 UTC (rev 55855) 
@@ -0,0 +1,164 @@ +aba = Andreas Barth +abartlet-guest = Andrew Bartlett +adeiacovo-guest = Andrea De Iacovo +adsb = Adam D. Barratt +agx = Guido Günther +alec-guest = Alec Berryman +alfie = Gerfried Fuchs +alteholz = Thorsten Alteholz +ametzler = Andreas Metzler +amu = Andreas Mueller +anarcat = Antoine Beaupré +andrewsh = Andrew Shadura +apo = Markus Koschany +apo-guest = Markus Koschany +atoell-guest = Arno Töll +atomo64-guest = Raphael Geissert +aurel32 = Aurelien Jarno +aw-guest = Arne Wichmann +bam = Brian May +baruch = Baruch Even +benh = Ben Hutchings +bertagaz-guest = Bert Agaz +bigeasy = Sebastian Andrzej Siewior +bigon = Laurent Bigonville +carnil = Salvatore Bonaccorso +cbiedl-guest = Christoph Biedl +cjwatson = Colin Watson +congnt-guest = Cong Nguyen +corsac = Yves-Alexis Perez +csmall = Craig Small +dannf = Dann Frazier +derevko-guest = Giuseppe Iuculano +devin-guest = Devin Carraway +dilinger-guest = Andres Salomon +directhex = Jo Shields +djoume-guest = Djoumé SALVETTI +dmn = Damyan Ivanov +dom = Dominic Hargreaves +dom-guest = Dominic Hargreaves +ecsv-guest = Sven Eckelmann +elbrus = Paul Mathijs Gevers +enerv-guest = Alex de Oliveira Silva +eric = Eric Dorland +evgeni = Evgeni Golov +federico-guest = Federico Ceratto +fgeek-guest = Henri Salo +fgeyer = Felix Geyer +finnarne-guest = Finn-Arne Johansen +fourmond = Vincent Fourmond +frolic-guest = Eder L. Marques +fw = Florian Weimer +fw-guest = Fabian Wolff +gcs = László Böszörményi +geissert = Raphael Geissert +ghedo = Alessandro Ghedini +gilbert-guest = Michael Gilbert +greuff-guest = Thomas Wana +helmut-guest = Helmut Grohne +helmutg = Helmut Grohne +henrich = Hideki Yamane +herson-guest = Herson Esquivel-Vargas +hertzog = Raphaël Hertzog +hesso-guest = Jan C. 
Nordholz +hle = Hugo Lefeuvre +hlieberman = Harlan Lieberman-Berg +holger = Holger Levsen +iesdebian-guest = iES Debian +intrigeri = Intrigeri +iuculano = Giuseppe Iuculano +jamessan = James McCoy +jamie-guest = James Strandboge +jbicha = Jeremy Bicha +jbicha-guest = Jeremy Bicha +jcristau = Julien Cristau +jmm = Moritz Muehlenhoff +jmm-guest = Moritz Muehlenhoff +jmw = Jonathan Wiltshire +jmw-guest = Jonathan Wiltshire +joey = Martin Schulze +joeyh = Joey Hess +jrdioko-guest = Johnathan Ritzi +js = Jonas Smedegaard +jwalkenh-guest = Janek Walkenhorst +jwilk = Jakub Wilk +jwilk-guest = Jakub Wilk +kanashiro = Lucas Kanashiro +kcd-guest = Guillaume Delacour +kees = Kees Cook +keescook-guest = Kees Cook +kitterman = Scott Kitterman +kolter = Emmanuel Bouthenot +kosh-guest = Matthias Geerdsen +kroeckx = Kurt Roeckx +lamby = Chris Lamb +locutusofborg = Gianfranco Costamagna +lucab = Luca Bruno +luciano = Luciano Bello +luk = Luk Claes +mathiasb-guest = Mathias Behrle +matteof-guest = matteo filippetto +mattia = Mattia Rizzolo +mbanck = Michael Banck +mbehrle = Mathias Behrle +mejo = Jonas Meurer +mfv = Matteo F. 
Vescovi +mgilbert = Michael Gilbert +mhelas-guest = Martin Zobel-Helas +micah = Micah Anderson +micha = Micha Lenk +moeller = Steffen Möller +mpalmer = Matthew Palmer +myon = Christoph Berg +neilm = Neil McGovern +nion = Nico Golde +nirgal = Jean-Michel Vourgère +nluedtke-guest = Nicholas Luedtke +noahm = Noah Meyerhans +noahm-guest = Noah Meyerhans +odyx = Didier Raboud +opal = Ola Lundqvist +pabs = Paul Wise +paulliu = Ying-Chun Liu +pdwerryh-guest = Paul Dwerryhouse +pedrib-guest = Pedro Ribeiro +pere = Petter Reinholdtsen +plessy = Charles Plessy +pochu = Emilio Pozuelo Monfort +pollux = Pierre Chifflier +rbalint = Balint Reczey +requate-guest = Arvid Requate +rhonda = Gerfried Fuchs +rhonda-guest = Gerfried Fuchs +roberto = Roberto Sanchez +santiago = Santiago Ruano Rincón +sathieu = Mathieu Parent +seanius = Sean Finney +seb = Sebastien Delafond +sebastic = Bas Couwenberg +sectracker = security tracker role +sf = Stefan Fritsch +showard = Scott Sheridan Howard +silvio-guest = Silvio Cesare +siretart = Reinhard Tartler +skitt = Stephen Kitt +skx = Steve Kemp +smcv = Simon McVittie +stef-guest = Stefan Fritsch +sunweaver = Mike Gabriel +taffit = David Prévot +tanguy = Tanguy Ortolo +tedp-guest = Ted Percival +thijs = Thijs Kinkhorst +thomasbl-guest = Thomas Bläsing +tokkee = Sebastian Harl +troyh = Troy Heber +u-guest = Ulrike Uhlig +vcheng = Vincent Cheng +vicho = Javi Merino +waldi = Bastian Blank +wart = Wartan Hachaturow +weasel = Peter Palfrader +white = Steffen Joeris +wouter = Wou
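Review bot: this file is what the README passes to "git svn clone -A", and git svn aborts when it meets an SVN committer that is missing from the authors file; r55857 then had to add "vagrant", so the list was not complete as committed here. Suggest checking it against the full committer set from the repository history (for example the unique author column of "svn log --quiet") before the real conversion, and confirming that entries whose name only repeats the login ("iesdebian-guest = iES Debian", "intrigeri = Intrigeri") are intended.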
[Secure-testing-commits] r55853 - data/CVE
Author: carnil Date: 2017-09-18 09:26:09 + (Mon, 18 Sep 2017) New Revision: 55853 Modified: data/CVE/list Log: Add CVE-2017-14528/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:22:54 UTC (rev 55852) +++ data/CVE/list 2017-09-18 09:26:09 UTC (rev 55853) @@ -117,7 +117,9 @@ NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582 CVE-2017-14528 (The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has ...) - TODO: check + - imagemagick + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2730 + NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560 CVE-2017-14527 RESERVED CVE-2017-14526 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
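Review bot: the new CVE-2017-14528 entry links a bug report and a forum thread but no fixing commit, unlike the neighbouring imagemagick entries that carry ImageMagick and ImageMagick-6 commit NOTEs. The first link points at bugzilla.maptools.org over plain http although the description places the flaw in ImageMagick's coders/tiff.c, so a NOTE stating which project is expected to carry the fix would make the entry actionable.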
[Secure-testing-commits] r55852 - data/CVE
Author: carnil Date: 2017-09-18 09:22:54 + (Mon, 18 Sep 2017) New Revision: 55852 Modified: data/CVE/list Log: Add CVE-2017-14529/binutils Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:18:40 UTC (rev 55851) +++ data/CVE/list 2017-09-18 09:22:54 UTC (rev 55852) @@ -110,7 +110,12 @@ CVE-2017-14530 (WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for ...) TODO: check CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Descriptor ...) - TODO: check + - binutils + [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22113 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582 CVE-2017-14528 (The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has ...) TODO: check CVE-2017-14527 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55851 - data/CVE
Author: carnil Date: 2017-09-18 09:18:40 + (Mon, 18 Sep 2017) New Revision: 55851 Modified: data/CVE/list Log: Add CVE-2017-14531/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:15:13 UTC (rev 55850) +++ data/CVE/list 2017-09-18 09:18:40 UTC (rev 55851) @@ -103,7 +103,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/1942317d9208ea17ee17d976a39768cd51d74160 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c55fb18c3f78445d100a378ab8b3c0acd53c6590 CVE-2017-14531 (ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/718 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/69967f4161bd14d8e03ea463d6545da442a6ea78 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1385a09732c261f1f403a9af6700979ca56c76d3 CVE-2017-14530 (WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for ...) TODO: check CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Descriptor ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55850 - data/CVE
Author: carnil Date: 2017-09-18 09:15:13 + (Mon, 18 Sep 2017) New Revision: 55850 Modified: data/CVE/list Log: Add CVE-2017-14532/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:13:21 UTC (rev 55849) +++ data/CVE/list 2017-09-18 09:15:13 UTC (rev 55850) @@ -98,7 +98,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/f1f2089e79bcf5714cefba7cdc47049b4ac53c6b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bdfc5538051ad0d1c2083ba2a29180ff6abea907 CVE-2017-14532 (ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags in ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/719 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/1942317d9208ea17ee17d976a39768cd51d74160 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c55fb18c3f78445d100a378ab8b3c0acd53c6590 CVE-2017-14531 (ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in ...) TODO: check CVE-2017-14530 (WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55849 - data/CVE
Author: carnil Date: 2017-09-18 09:13:21 + (Mon, 18 Sep 2017) New Revision: 55849 Modified: data/CVE/list Log: Add CVE-2017-14533/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-09-18 09:10:15 UTC (rev 55848) +++ data/CVE/list 2017-09-18 09:13:21 UTC (rev 55849) @@ -93,7 +93,10 @@ CVE-2017-14534 (Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via ...) TODO: check CVE-2017-14533 (ImageMagick 7.0.6-6 has a memory leak in ReadMATImage in coders/mat.c. ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/648 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/f1f2089e79bcf5714cefba7cdc47049b4ac53c6b + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bdfc5538051ad0d1c2083ba2a29180ff6abea907 CVE-2017-14532 (ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags in ...) TODO: check CVE-2017-14531 (ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55848 - data/CVE
Author: sectracker Date: 2017-09-18 09:10:15 + (Mon, 18 Sep 2017) New Revision: 55848 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-09-18 07:46:29 UTC (rev 55847) +++ data/CVE/list 2017-09-18 09:10:15 UTC (rev 55848) 
@@ -1,3 +1,151 @@ +CVE-2017-14580 + RESERVED +CVE-2017-14579 + RESERVED +CVE-2017-14578 + RESERVED +CVE-2017-14577 + RESERVED +CVE-2017-14576 + RESERVED +CVE-2017-14575 + RESERVED +CVE-2017-14574 + RESERVED +CVE-2017-14573 + RESERVED +CVE-2017-14572 + RESERVED +CVE-2017-14571 + RESERVED +CVE-2017-14570 + RESERVED +CVE-2017-14569 + RESERVED +CVE-2017-14568 + RESERVED +CVE-2017-14567 + RESERVED +CVE-2017-14566 + RESERVED +CVE-2017-14565 + RESERVED +CVE-2017-14564 + RESERVED +CVE-2017-14563 + RESERVED +CVE-2017-14562 + RESERVED +CVE-2017-14561 + RESERVED +CVE-2017-14560 + RESERVED +CVE-2017-14559 + RESERVED +CVE-2017-14558 + RESERVED +CVE-2017-14557 + RESERVED +CVE-2017-14556 + RESERVED +CVE-2017-14555 + RESERVED +CVE-2017-14554 + RESERVED +CVE-2017-14553 + RESERVED +CVE-2017-14552 + RESERVED +CVE-2017-14551 + RESERVED +CVE-2017-14550 + RESERVED +CVE-2017-14549 + RESERVED +CVE-2017-14548 + RESERVED +CVE-2017-14547 + RESERVED +CVE-2017-14546 + RESERVED +CVE-2017-14545 + RESERVED +CVE-2017-14544 + RESERVED +CVE-2017-14543 + RESERVED +CVE-2017-14542 + RESERVED +CVE-2017-14541 + RESERVED +CVE-2017-14540 + RESERVED +CVE-2017-14539 + RESERVED +CVE-2017-14538 + RESERVED +CVE-2017-14537 + RESERVED +CVE-2017-14536 + RESERVED +CVE-2017-14535 + RESERVED +CVE-2017-14534 (Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via ...) + TODO: check +CVE-2017-14533 (ImageMagick 7.0.6-6 has a memory leak in ReadMATImage in coders/mat.c. ...) + TODO: check +CVE-2017-14532 (ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags in ...) + TODO: check +CVE-2017-14531 (ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in ...) + TODO: check +CVE-2017-14530 (WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for ...) + TODO: check +CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Descriptor ...) + TODO: check +CVE-2017-14528 (The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has ...) 
+ TODO: check +CVE-2017-14527 + RESERVED +CVE-2017-14526 + RESERVED +CVE-2017-14525 + RESERVED +CVE-2017-14524 + RESERVED +CVE-2017-14523 + RESERVED +CVE-2017-14522 + RESERVED +CVE-2017-14521 + RESERVED +CVE-2017-14520 (In Poppler 0.59.0, a floating point exception occurs in ...) + TODO: check +CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to ...) + TODO: check +CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) + TODO: check +CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) + TODO: check +CVE-2017-14516 + RESERVED +CVE-2017-14515 (Heap-based Buffer Overflow on Tenda W15E devices before 15.11.0.14 ...) + TODO: check +CVE-2017-14514 (Directory Traversal on Tenda W15E devices before 15.11.0.14 allows ...) + TODO: check +CVE-2017-14513 (Directory traversal vulnerability in MetInfo 5.3.17 allows remote ...) + TODO: check +CVE-2017-14512 (NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via ...) + TODO: check +CVE-2017-14511 (An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through ...) + TODO: check +CVE-2017-14510 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before ...) + TODO: check +CVE-2017-14509 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before ...) + TODO: check +CVE-2017-14508 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before ...) + TODO: check +CVE-2016-10511 + RESERVED CVE-2017-14507 RESERVED CVE-2017-14506 @@ -6467,10 +6615,10 @@ RESERVED CVE-2017-12158 RESERVED -CVE-2017-12157 - RESERVED -CVE-2017-12156 - RESERVED +CVE-2017-12157 (In Moodle 3.x, various course reports allow teachers to view details ...) + TODO: check +CVE-2017-12156 (Moodle 3.x has XSS in the contact form on the "non-respondents" page in ...) + TODO: check CVE-2017-12155 RESERVED CVE-2017-12154 [kvm: nVMX: L2 guest could access hardware(L0) CR8 register] 
@@ -14363,8 +14511,8 @@ NOT-FOR-US: Wordpress plugin CVE-2017-9335 RESERVED -CVE-2017-9333 - RESERVED +CVE-2017-9333 (OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG ..
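Review bot: In the first hunk (@@ -1,3 +1,151 @@), the entries for software that Debian packages are left at TODO: check: CVE-2017-14533, CVE-2017-14532, CVE-2017-14531 and CVE-2017-14528 (ImageMagick), CVE-2017-14529 (the Binary File Descriptor library, shipped in binutils) and CVE-2017-14520 through CVE-2017-14517 (Poppler). Since this is the automatic update, the follow-up triage should replace those TODOs with source package lines first, because they are the ones that decide whether a Debian release is affected. The same hunk also adds CVE-2016-10511 as RESERVED directly above CVE-2017-14507, so a 2016 id sits among the 2017 ids; worth confirming that this placement is what the updater intends.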
[Secure-testing-commits] r55847 - data/CVE
Author: jmm Date: 2017-09-18 07:46:29 + (Mon, 18 Sep 2017) New Revision: 55847 Modified: data/CVE/list Log: NFUs / n/a Modified: data/CVE/list === --- data/CVE/list 2017-09-18 07:34:53 UTC (rev 55846) +++ data/CVE/list 2017-09-18 07:46:29 UTC (rev 55847) @@ -67,9 +67,9 @@ CVE-2017-14485 RESERVED CVE-2017-14484 (The Gentoo sci-mathematics/gimps package before 28.10-r1 for Great ...) - TODO: check + NOT-FOR-US: Gentoo packaging flaw in gimps CVE-2017-14483 (flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 ...) - TODO: check + - flower (Gentoo-specific issue, Debian doesn't provide an init script at all) CVE-2017-1002100 (Default access permissions for Persistent Volumes (PVs) created by the ...) - kubernetes (Vulnerable code not yet present) CVE-2017-1002028 (Vulnerability in wordpress plugin wordpress-gallery-transformation ...) @@ -670,9 +670,9 @@ CVE-2017-14245 RESERVED CVE-2017-14244 (An authentication bypass vulnerability on iBall Baton ADSL2+ Home ...) - TODO: check + NOT-FOR-US: iBall CVE-2017-14243 (An authentication bypass vulnerability on UTStar WA3002G4 ADSL ...) - TODO: check + NOT-FOR-US: UTStar CVE-2017-14242 (SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/33e2179b65331d9d9179b59d746817c5be1fecdb @@ -92687,7 +92687,7 @@ CVE-2015-1528 (Integer overflow in the native_handle_create function in ...) NOT-FOR-US: Android CVE-2015-1527 (Integer overflow in IAudioPolicyService.cpp in Android allows local ...) - TODO: check + NOT-FOR-US: Android CVE-2015-1526 RESERVED CVE-2015-1525
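Review bot: The two Gentoo packaging issues in the first hunk (@@ -67,9 +67,9 @@) are classified differently, and the reason is only visible for the second one: CVE-2017-14484 becomes NOT-FOR-US while CVE-2017-14483 gets a "- flower" package line. If the difference is that flower is packaged in Debian and gimps is not, saying so in the NOT-FOR-US text would make the split self-explanatory. The flower line as shown also carries only the parenthesised reason after the package name, with no fixed version or status, so the entry should state explicitly that Debian is unaffected rather than leaving that to the free-text comment.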
[Secure-testing-commits] r55846 - data
Author: lamby Date: 2017-09-18 07:34:53 + (Mon, 18 Sep 2017) New Revision: 55846 Modified: data/dla-needed.txt Log: Triage libarchive for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-09-18 06:11:52 UTC (rev 55845) +++ data/dla-needed.txt 2017-09-18 07:34:53 UTC (rev 55846) @@ -86,6 +86,8 @@ NOTE: The maintainer will not do an update. NOTE: 20170907: no fix available -- +libarchive +-- libav NOTE: Diego Biurrun (from the libav team) is working on patches. NOTE: undetermined issues are currently being triaged (Diego Biurrun and Hugo Lefeuvre
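Review bot: The added libarchive entry has no NOTE line, unlike the neighbouring entries in this hunk, which record their status ("no fix available", who is working on patches). A NOTE naming the CVE ids that prompted the triage would tell the next LTS contributor what needs fixing without re-deriving it from the tracker, and the log message "Triage libarchive for LTS" does not name them either.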