[Secure-testing-commits] r56372 - data/CVE
Author: fgeek-guest Date: 2017-10-03 05:25:51 + (Tue, 03 Oct 2017) New Revision: 56372 Modified: data/CVE/list Log: references Modified: data/CVE/list === --- data/CVE/list 2017-10-02 22:36:48 UTC (rev 56371) +++ data/CVE/list 2017-10-03 05:25:51 UTC (rev 56372) @@ -134,6 +134,7 @@ [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22166 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe + NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c CVE-2017-14939 (decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) ...) - binutils [stretch] - binutils (Minor issue) @@ -141,6 +142,7 @@ [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22169 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724 + NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c CVE-2017-14938 (_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor ...) - binutils [stretch] - binutils (Minor issue) @@ -148,6 +150,7 @@ [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22166 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bd61e135492ecf624880e6b78e5fcde3c9716df6 + NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/ CVE-2017-14937 RESERVED CVE-2017-14936 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56371 - data/CVE
Author: jmm Date: 2017-10-02 22:36:48 + (Mon, 02 Oct 2017) New Revision: 56371 Modified: data/CVE/list Log: remove haskell-tls entry it was never clarified whether haskell-tls was actually affected by this issue in particular, instead all tls implementations were simply listed. in the bug log, the upstream maintainers are not certain of being affected either, so dropping this unless a specific vulnerability in haskell-tls can be shown Modified: data/CVE/list === --- data/CVE/list 2017-10-02 21:30:10 UTC (rev 56370) +++ data/CVE/list 2017-10-02 22:36:48 UTC (rev 56371) @@ -144303,10 +144303,6 @@ [squeeze] - gnutls26 (Too intrusive to backport) - gnutls28 3.0.22-3 - cyassl 2.9.4+dfsg-1 - - haskell-tls (bug #796342) - [stretch] - haskell-tls (Minor issue) - [jessie] - haskell-tls (Minor issue) - [wheezy] - haskell-tls (Minor issue) - matrixssl (low) [squeeze] - matrixssl (Minor issue) [wheezy] - matrixssl (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
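Review bot: the four removed haskell-tls lines in the @@ -144303,10 +144303,6 @@ hunk take the reference to bug #796342 with them, so the list itself keeps no trace of why the package was dropped. A NOTE line in this entry stating that haskell-tls was removed because no specific vulnerability was shown, with the bug number, would stop a later triage pass from re-adding it, and the bug itself should be updated to match.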
[Secure-testing-commits] r56370 - data/CVE
Author: jmm Date: 2017-10-02 21:30:10 + (Mon, 02 Oct 2017) New Revision: 56370 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-02 21:28:01 UTC (rev 56369) +++ data/CVE/list 2017-10-02 21:30:10 UTC (rev 56370) @@ -87802,7 +87802,7 @@ NOTE: https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/8 CVE-2015-3643 (usb-creator before 0.2.38.3ubuntu0.1 on Ubuntu 12.04 LTS, before ...) - TODO: check + NOT-FOR-US: usb-creator CVE-2015-3642 (The TLS and DTLS processing functionality in Citrix NetScaler ...) NOT-FOR-US: Citrix CVE-2015-3641 @@ -88641,7 +88641,7 @@ CVE-2015-3322 (Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers ...) NOT-FOR-US: ThinkServer CVE-2015-3321 (Services and files in Lenovo Fingerprint Manager before 8.01.42 have ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2015-3320 (Lenovo USB Enhanced Performance Keyboard software before 2.0.2.2 ...) NOT-FOR-US: Lenovo USB Enhanced Performance Keyboard software CVE-2014-9717 (fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH ...) @@ -125222,7 +125222,7 @@ - mumble 1.2.4-0.2 (bug #737739) [squeeze] - mumble (Opus support not present) CVE-2014-0043 (In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls ...) - TODO: check + NOT-FOR-US: Apache Wicket CVE-2014-0042 (OpenStack Heat Templates (heat-templates), as used in Red Hat ...) NOT-FOR-US: openstack-heat-templates CVE-2014-0041 (OpenStack Heat Templates (heat-templates), as used in Red Hat ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
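Review bot: in the @@ -88641,7 +88641,7 @@ hunk, CVE-2015-3321 is tagged "NOT-FOR-US: Lenovo" (vendor only) although the description names Lenovo Fingerprint Manager and the neighbouring entries name the product ("ThinkServer", "Lenovo USB Enhanced Performance Keyboard software"). Suggest "NOT-FOR-US: Lenovo Fingerprint Manager" so the tag stays searchable by product.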
[Secure-testing-commits] r56369 - data/CVE
Author: jmm Date: 2017-10-02 21:28:01 + (Mon, 02 Oct 2017) New Revision: 56369 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-02 21:23:48 UTC (rev 56368) +++ data/CVE/list 2017-10-02 21:28:01 UTC (rev 56369) @@ -26,7 +26,7 @@ CVE-2017-14980 RESERVED CVE-2017-14979 (Gxlcms uses an unsafe character-replacement approach in an attempt to ...) - TODO: check + NOT-FOR-US: Gxlcms CVE-2017-14978 RESERVED CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler ...) @@ -574,17 +574,15 @@ CVE-2017-14760 (SQL Injection exists in /includes/event-management/index.php in the ...) NOT-FOR-US: Event Espresso Lite CVE-2017-14759 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) - TODO: check -CVE-2017-14758 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) - TODO: check + NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14757 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) - TODO: check + NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14756 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) - TODO: check + NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14755 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) - TODO: check + NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14754 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) - TODO: check + NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14753 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14752 
@@ -6278,7 +6276,7 @@ CVE-2017-12793 RESERVED CVE-2017-12792 (Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP ...) - TODO: check + NOT-FOR-US: NexusPHP CVE-2017-12791 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt (bug #872399) [stretch] - salt (Minor issue) @@ -15156,9 +15154,9 @@ CVE-2017-9539 RESERVED CVE-2017-9538 (The 'Upload logo from external path' function of SolarWinds Network ...) - TODO: check + NOT-FOR-US: SolarWinds Network Performance Monitor CVE-2017-9537 (Persistent cross-site scripting (XSS) in the Add Node function of ...) - TODO: check + NOT-FOR-US: SolarWinds Network Performance Monitor CVE-2017-9536 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers to ...) NOT-FOR-US: IrfanView CVE-2017-9535 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers to ...) @@ -25993,9 +25991,9 @@ CVE-2017-6091 RESERVED CVE-2017-6090 (Unrestricted file upload vulnerability in clients/editclient.php in ...) - TODO: check + NOT-FOR-US: PhpCollab CVE-2017-6089 (SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows ...) - TODO: check + NOT-FOR-US: PhpCollab CVE-2017-6088 (Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 ...) NOT-FOR-US: EyesOfNetwork CVE-2017-6087 (EyesOfNetwork (EON) 5.0 and earlier allows remote authenticated ...) @@ -38902,7 +38900,7 @@ CVE-2017-1570 RESERVED CVE-2017-1569 (IBM WebSphere Commerce 7.0 and 8.0 contains an unspecified ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1568 RESERVED CVE-2017-1567 @@ -39182,7 +39180,7 @@ CVE-2017-1430 RESERVED CVE-2017-1429 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1428 (IBM Cognos Analytics 11.0 could allow a remote attacker to hijack the ...) NOT-FOR-US: IBM CVE-2017-1427 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) 
@@ -39302,7 +39300,7 @@ CVE-2017-1370 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive ...) NOT-FOR-US: IBM CVE-2017-1369 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1368 RESERVED CVE-2017-1367 @@ -39312,7 +39310,7 @@ CVE-2017-1365 RESERVED CVE-2017-1364 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1363 RESERVED CVE-2017-1362 (IBM Security Identity Manager Adapters 6.0 and 7.0 stores user ...) @@ -39322,7 +39320,7 @@ CVE-2017-1360 RESERVED CVE-2017-1359 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1358 RESERVED CVE-2017-1357 (IBM Maximo Asset Management 7.5 and 7.6 could allow an
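Review bot: the @@ -574,17 +574,15 @@ hunk deletes the CVE-2017-14758 header line together with its "TODO: check", and no replacement header is added, so the entry disappears from the list instead of being tagged; the hunk header's drop from 17 to 15 lines matches that. The other OpenText xPression entries (14759, 14757 to 14754) keep their header and only swap the TODO for NOT-FOR-US. Suggest restoring "CVE-2017-14758 (OpenText Document Sciences xPression ...)" followed by "NOT-FOR-US: OpenText Document Sciences xPression".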
[Secure-testing-commits] r56368 - data/CVE
Author: jmm Date: 2017-10-02 21:23:48 + (Mon, 02 Oct 2017) New Revision: 56368 Modified: data/CVE/list Log: new wordpress issue Modified: data/CVE/list === --- data/CVE/list 2017-10-02 21:10:14 UTC (rev 56367) +++ data/CVE/list 2017-10-02 21:23:48 UTC (rev 56368) @@ -1,5 +1,6 @@ CVE-2017-14990 (WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but ...) - TODO: check + - wordpress + NOTE: https://core.trac.wordpress.org/ticket/38474 CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ...) - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56367 - data/CVE
Author: sectracker Date: 2017-10-02 21:10:14 + (Mon, 02 Oct 2017) New Revision: 56367 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-10-02 21:01:41 UTC (rev 56366) +++ data/CVE/list 2017-10-02 21:10:14 UTC (rev 56367) @@ -1,3 +1,5 @@ +CVE-2017-14990 (WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but ...) + TODO: check CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ...) - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 @@ -22,12 +24,12 @@ NOT-FOR-US: ATutor CVE-2017-14980 RESERVED -CVE-2017-14979 - RESERVED +CVE-2017-14979 (Gxlcms uses an unsafe character-replacement approach in an attempt to ...) + TODO: check CVE-2017-14978 RESERVED CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler ...) - - poppler (low) + - poppler (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103045 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19eedc6fb693a62f305e13079501e3105f869f3c CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) @@ -35,7 +37,7 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102724 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - - poppler (low) + - poppler (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) 
@@ -570,18 +572,18 @@ NOT-FOR-US: GeniXCMS CVE-2017-14760 (SQL Injection exists in /includes/event-management/index.php in the ...) NOT-FOR-US: Event Espresso Lite -CVE-2017-14759 - RESERVED -CVE-2017-14758 - RESERVED -CVE-2017-14757 - RESERVED -CVE-2017-14756 - RESERVED -CVE-2017-14755 - RESERVED -CVE-2017-14754 - RESERVED +CVE-2017-14759 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14758 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14757 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14756 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14755 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14754 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check CVE-2017-14753 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14752 @@ -607,7 +609,7 @@ NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=94670f6cf11fc29cc6db6814b38c4305d9bcac96 (master) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6ff33ca50c1180725dde11c84ee93fcdb4235ef (binutils-2_29-branch) CVE-2017-14867 (Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x ...) - {DSA-3984-1} + {DSA-3984-1 DLA-1120-1} - git 1:2.14.2-1 (bug #876854) NOTE: http://www.openwall.com/lists/oss-security/2017/09/26/9 NOTE: https://public-inbox.org/git/xmqqy3p29ekj@gitster.mtv.corp.google.com/T/#u 
@@ -1319,21 +1321,25 @@ NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 CVE-2017-14494 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262 CVE-2017-14493 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033 CVE-2017-14492 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10 CVE-2017-14491 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE:
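Review bot: in the @@ -22,12 +24,12 @@ and @@ -35,7 +37,7 @@ hunks, the "- poppler (low)" lines under CVE-2017-14977 and CVE-2017-14975 are removed and re-added with the same visible text, which makes them whitespace-only changes inside an automatic data update. Keeping whitespace normalisation in its own commit, as r56358 does for binutils, would keep the automatic update limited to new descriptions and DSA/DLA cross-references and make it easier to audit.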
[Secure-testing-commits] r56366 - in data: . DLA
Author: anarcat Date: 2017-10-02 21:01:41 + (Mon, 02 Oct 2017) New Revision: 56366 Modified: data/DLA/list data/dla-needed.txt Log: reserve DLA-1120-1 for git upload Modified: data/DLA/list === --- data/DLA/list 2017-10-02 19:13:10 UTC (rev 56365) +++ data/DLA/list 2017-10-02 21:01:41 UTC (rev 56366) @@ -1,3 +1,6 @@ +[02 Oct 2017] DLA-1120-1 git - security update + {CVE-2017-14867} + [wheezy] - git 1:1.7.10.4-1+wheezy6 [30 Sep 2017] DLA-1119-1 otrs2 - security update {CVE-2014-1695 CVE-2014-2553 CVE-2014-2554 CVE-2017-14635} [wheezy] - otrs2 3.3.18-1~deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-02 19:13:10 UTC (rev 56365) +++ data/dla-needed.txt 2017-10-02 21:01:41 UTC (rev 56366) @@ -37,8 +37,6 @@ exiv2 (Raphaël Hertzog) NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, sent email later -- -git (anarcat) --- git-annex NOTE: The upstream patch modifies some ssh modules that are not present in NOTE: wheezy version. Confirmed affected: 87y3p0ozap@curie.anarc.at ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56365 - data/CVE
Author: carnil Date: 2017-10-02 19:13:10 + (Mon, 02 Oct 2017) New Revision: 56365 Modified: data/CVE/list Log: Add nss source package for CVE-2017-7805 Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:47:25 UTC (rev 56364) +++ data/CVE/list 2017-10-02 19:13:10 UTC (rev 56365) @@ -20375,6 +20375,8 @@ {DSA-3987-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 + - nss + NOTE: https://hg.mozilla.org/projects/nss/rev/839200ce0943166a079284bdf45dcc37bb672925 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7805 CVE-2017-7804 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
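Review bot: the added "- nss" line in the @@ -20375,6 +20375,8 @@ hunk carries neither a fixed version nor a bug number, while the firefox and firefox-esr lines in the same entry record fixed versions. Since the NOTE already points at the upstream nss revision, suggest adding the Debian bug reference, or the fixed nss version once it is known, so the open state of nss for CVE-2017-7805 is tracked explicitly.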
[Secure-testing-commits] r56364 - data/CVE
Author: carnil Date: 2017-10-02 18:47:25 + (Mon, 02 Oct 2017) New Revision: 56364 Modified: data/CVE/list Log: Mark kgb-bot issue as ignored for stretch, jessie and wheezy Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:44:12 UTC (rev 56363) +++ data/CVE/list 2017-10-02 18:47:25 UTC (rev 56364) @@ -94965,9 +94965,9 @@ NOT-FOR-US: typo3 extension CVE-2015-1554 (kgb-bot 1.33-2 allows remote attackers to cause a denial of service ...) - kgb-bot (low; bug #776424) - [stretch] - kgb-bot (Minor issue) - [jessie] - kgb-bot (Minor issue) - [wheezy] - kgb-bot (Minor issue) + [stretch] - kgb-bot (Minor issue) + [jessie] - kgb-bot (Minor issue) + [wheezy] - kgb-bot (Minor issue) CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js ...) NOT-FOR-US: sequelize CVE-2015-1354 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56363 - data/CVE
Author: carnil Date: 2017-10-02 18:44:12 + (Mon, 02 Oct 2017) New Revision: 56363 Modified: data/CVE/list Log: CVE-2017-14974/binutils fixed with 2.29.1-2 upload Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:40:23 UTC (rev 56362) +++ data/CVE/list 2017-10-02 18:44:12 UTC (rev 56363) @@ -39,10 +39,12 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) - - binutils + - binutils 2.29.1-2 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) + NOTE: First version containing the fix was 2.29.1-2, which was quickly followed by + NOTE: a fixed 2.29.1-3 for unrelated issues. NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22163 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf CVE-2017-14973 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56362 - data/CVE
Author: carnil Date: 2017-10-02 18:40:23 + (Mon, 02 Oct 2017) New Revision: 56362 Modified: data/CVE/list Log: Reference upstream commits for CVE-2017-14989 Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:39:05 UTC (rev 56361) +++ data/CVE/list 2017-10-02 18:40:23 UTC (rev 56362) @@ -1,6 +1,8 @@ CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ...) - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/97740ccc177ee264e79091fa573d994eb6b05628 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093 CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...) - openexr NOTE: https://github.com/openexr/openexr/issues/248 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56361 - data/CVE
Author: carnil Date: 2017-10-02 18:39:05 + (Mon, 02 Oct 2017) New Revision: 56361 Modified: data/CVE/list Log: Add fixing commit for CVE-2017-14975 Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:37:25 UTC (rev 56360) +++ data/CVE/list 2017-10-02 18:39:05 UTC (rev 56361) @@ -35,6 +35,7 @@ CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - poppler (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) - binutils [stretch] - binutils (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56360 - data/CVE
Author: carnil Date: 2017-10-02 18:37:25 + (Mon, 02 Oct 2017) New Revision: 56360 Modified: data/CVE/list Log: Reference fix for CVE-2017-14977/poppler Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:34:53 UTC (rev 56359) +++ data/CVE/list 2017-10-02 18:37:25 UTC (rev 56360) @@ -27,6 +27,7 @@ CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler ...) - poppler (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103045 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19eedc6fb693a62f305e13079501e3105f869f3c CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - poppler (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102724 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56359 - data/CVE
Author: jmm Date: 2017-10-02 18:34:53 + (Mon, 02 Oct 2017) New Revision: 56359 Modified: data/CVE/list Log: openvswitch non-issue Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:27:33 UTC (rev 56358) +++ data/CVE/list 2017-10-02 18:34:53 UTC (rev 56359) @@ -48,9 +48,10 @@ CVE-2017-14971 RESERVED CVE-2017-14970 (In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are ...) - - openvswitch (low; bug #877543) + - openvswitch (unimportant; bug #877543) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html + NOTE: Not considered a security issue by upstream, see #877543 CVE-2017-14969 RESERVED CVE-2017-14968 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56358 - data/CVE
Author: carnil Date: 2017-10-02 18:27:33 + (Mon, 02 Oct 2017) New Revision: 56358 Modified: data/CVE/list Log: Cleanup trailing whitespaces Modified: data/CVE/list === --- data/CVE/list 2017-10-02 18:18:51 UTC (rev 56357) +++ data/CVE/list 2017-10-02 18:27:33 UTC (rev 56358) @@ -35,7 +35,7 @@ - poppler (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) - - binutils + - binutils [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56357 - in data: CVE DSA
Author: carnil Date: 2017-10-02 18:18:51 + (Mon, 02 Oct 2017) New Revision: 56357 Modified: data/CVE/list data/DSA/list Log: Reserve DSA number for dnsmasq update Modified: data/CVE/list === --- data/CVE/list 2017-10-02 17:23:27 UTC (rev 56356) +++ data/CVE/list 2017-10-02 18:18:51 UTC (rev 56357) @@ -1299,12 +1299,14 @@ CVE-2017-14496 RESERVED - dnsmasq 2.78-1 + [stretch] - dnsmasq 2.76-5+deb9u1 [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7 CVE-2017-14495 RESERVED - dnsmasq 2.78-1 + [stretch] - dnsmasq 2.76-5+deb9u1 [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 Modified: data/DSA/list === --- data/DSA/list 2017-10-02 17:23:27 UTC (rev 56356) +++ data/DSA/list 2017-10-02 18:18:51 UTC (rev 56357) @@ -1,3 +1,7 @@ +[02 Oct 2017] DSA-3989-1 dnsmasq - security update + {CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494} + [jessie] - dnsmasq 2.72-3+deb8u2 + [stretch] - dnsmasq 2.76-5+deb9u1 [30 Sep 2017] DSA-3988-1 libidn2-0 - security update {CVE-2017-14062} [jessie] - libidn2-0 0.10-2+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
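Review bot: the data/CVE/list hunk records "[stretch] - dnsmasq 2.76-5+deb9u1" for CVE-2017-14496 and CVE-2017-14495, but the new DSA-3989-1 entry in data/DSA/list lists only {CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494}. If the stretch upload 2.76-5+deb9u1 fixes those two as the CVE list now says, they should be added to the DSA's CVE set; if not, the stretch version lines need a second look.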
[Secure-testing-commits] r56356 - data/CVE
Author: jmm Date: 2017-10-02 17:23:27 + (Mon, 02 Oct 2017) New Revision: 56356 Modified: data/CVE/list Log: openvswitch bug Modified: data/CVE/list === --- data/CVE/list 2017-10-02 17:15:56 UTC (rev 56355) +++ data/CVE/list 2017-10-02 17:23:27 UTC (rev 56356) @@ -48,7 +48,7 @@ CVE-2017-14971 RESERVED CVE-2017-14970 (In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are ...) - - openvswitch + - openvswitch (low; bug #877543) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html CVE-2017-14969 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56355 - data/CVE
Author: jmm Date: 2017-10-02 17:15:56 + (Mon, 02 Oct 2017) New Revision: 56355 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-10-02 17:10:49 UTC (rev 56354) +++ data/CVE/list 2017-10-02 17:15:56 UTC (rev 56355) @@ -6733,6 +6733,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/09/27/6 CVE-2017-12620 RESERVED + NOT-FOR-US: Apache OpenNLP CVE-2017-12619 RESERVED CVE-2017-12618 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56354 - data/CVE
Author: jmm Date: 2017-10-02 17:10:49 + (Mon, 02 Oct 2017) New Revision: 56354 Modified: data/CVE/list Log: stretch no-dsa triage: tenshi, sipcrack unimportant python-restkit, libnet-server-perl ignored Modified: data/CVE/list === --- data/CVE/list 2017-10-02 16:59:21 UTC (rev 56353) +++ data/CVE/list 2017-10-02 17:10:49 UTC (rev 56354) @@ -8813,10 +8813,10 @@ NOTE: https://github.com/tinyproxy/tinyproxy/issues/106 CVE-2017-11746 (Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a ...) {DLA-1069-1} - - tenshi (bug #871321) - [stretch] - tenshi (Minor issue) + - tenshi (unimportant; bug #871321) NOTE: https://github.com/inversepath/tenshi/issues/6 NOTE: https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176 + NOTE: Negligable security impact CVE-2017-11745 RESERVED CVE-2017-11744 (In MODX Revolution 2.5.7, the key and name parameters in the System ...) @@ -9146,17 +9146,13 @@ CVE-2017-11656 RESERVED CVE-2017-11655 (A memory leak was found in the way SIPcrack 0.2 handled processing of ...) - - sipcrack (bug #869803) - [stretch] - sipcrack (Minor issue) - [jessie] - sipcrack (Minor issue) - [wheezy] - sipcrack (Minor issue) + - sipcrack (unimportant; bug #869803) NOTE: http://www.openwall.com/lists/oss-security/2017/07/26/1 + NOTE: Negligable security impact CVE-2017-11654 (An out-of-bounds read and write flaw was found in the way SIPcrack 0.2 ...) - - sipcrack (bug #869803) - [stretch] - sipcrack (Minor issue) - [jessie] - sipcrack (Minor issue) - [wheezy] - sipcrack (Minor issue) + - sipcrack (unimportant; bug #869803) NOTE: http://www.openwall.com/lists/oss-security/2017/07/26/1 + NOTE: Negligable security impact CVE-2017-11653 (Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the ...) NOT-FOR-US: Razer Synapse CVE-2017-11652 (Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the ...) 
@@ -92068,9 +92064,9 @@ NOT-FOR-US: ZeusCart CVE-2015-2674 (Restkit allows man-in-the-middle attackers to spoof TLS servers by ...) - python-restkit (bug #781813) - [stretch] - python-restkit (Minor issue) - [jessie] - python-restkit (Minor issue) - [wheezy] - python-restkit (Minor issue) + [stretch] - python-restkit (Minor issue) + [jessie] - python-restkit (Minor issue) + [wheezy] - python-restkit (Minor issue) [squeeze] - python-restkit (Minor issue) NOTE: https://github.com/benoitc/restkit/issues/140 NOTE: http://www.openwall.com/lists/oss-security/2015/03/12/9 @@ -139016,9 +139012,9 @@ - typo3-src 4.5.19+dfsg1-5 (bug #702574) CVE-2013-1841 (Net-Server, when the reverse-lookups option is enabled, does not check ...) - libnet-server-perl (low; bug #702914) - [stretch] - libnet-server-perl (Minor issue) - [jessie] - libnet-server-perl (Minor issue) - [wheezy] - libnet-server-perl (Minor issue) + [stretch] - libnet-server-perl (Minor issue) + [jessie] - libnet-server-perl (Minor issue) + [wheezy] - libnet-server-perl (Minor issue) [squeeze] - libnet-server-perl (Minor issue) NOTE: https://rt.cpan.org/Ticket/Display.html?id=83909 CVE-2013-1840 (The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
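Review bot: "Negligable" in the three added NOTE lines (tenshi, and both sipcrack entries) should read "Negligible". Beyond the spelling, CVE-2017-11654 is described as an out-of-bounds read and write flaw yet gets the same one-line rationale as the CVE-2017-11655 memory leak when it is downgraded to unimportant and its per-release lines are dropped; the NOTE should say why the impact is negligible for this package.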
[Secure-testing-commits] r56353 - data/CVE
Author: carnil Date: 2017-10-02 16:59:21 + (Mon, 02 Oct 2017) New Revision: 56353 Modified: data/CVE/list Log: dnsmasq fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-10-02 16:57:42 UTC (rev 56352) +++ data/CVE/list 2017-10-02 16:59:21 UTC (rev 56353) 
@@ -1298,34 +1298,34 @@ NOTE: Fixed by: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd (v4.13) CVE-2017-14496 RESERVED - - dnsmasq + - dnsmasq 2.78-1 [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7 CVE-2017-14495 RESERVED - - dnsmasq + - dnsmasq 2.78-1 [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 CVE-2017-14494 RESERVED - - dnsmasq + - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262 CVE-2017-14493 RESERVED - - dnsmasq + - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033 CVE-2017-14492 RESERVED - - dnsmasq + - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10 CVE-2017-14491 RESERVED - - dnsmasq + - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0549c73b7ea6b22a3c49beb4d432f185a81efcbc NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=62cb936cb7ad5f219715515ae7d32dd281a5aa1f 
@@ -3535,7 +3535,7 @@ RESERVED CVE-2017-13704 [Size parameter overflow via large DNS query] RESERVED - - dnsmasq (bug #877102) + - dnsmasq 2.78-1 (bug #877102) [stretch] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) [jessie] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) [wheezy] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56352 - data/CVE
Author: carnil Date: 2017-10-02 16:57:42 + (Mon, 02 Oct 2017) New Revision: 56352 Modified: data/CVE/list Log: Reference commits for dnsmasq Modified: data/CVE/list === --- data/CVE/list 2017-10-02 16:55:21 UTC (rev 56351) +++ data/CVE/list 2017-10-02 16:57:42 UTC (rev 56352) 
@@ -1301,27 +1301,34 @@ - dnsmasq [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html + NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7 CVE-2017-14495 RESERVED - dnsmasq [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html + NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 CVE-2017-14494 RESERVED - dnsmasq NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html + NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262 CVE-2017-14493 RESERVED - dnsmasq NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html + NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033 CVE-2017-14492 RESERVED - dnsmasq NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html + NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10 CVE-2017-14491 RESERVED - dnsmasq NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html + NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0549c73b7ea6b22a3c49beb4d432f185a81efcbc + NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=62cb936cb7ad5f219715515ae7d32dd281a5aa1f CVE-2017-14490 RESERVED CVE-2017-14489 (The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56351 - data/CVE
Author: carnil Date: 2017-10-02 16:55:21 + (Mon, 02 Oct 2017) New Revision: 56351 Modified: data/CVE/list Log: Two CVEs N/A for jessie Modified: data/CVE/list === --- data/CVE/list 2017-10-02 14:30:05 UTC (rev 56350) +++ data/CVE/list 2017-10-02 16:55:21 UTC (rev 56351) @@ -1299,10 +1299,12 @@ CVE-2017-14496 RESERVED - dnsmasq + [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14495 RESERVED - dnsmasq + [jessie] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14494 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
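Review bot: Both added [jessie] lines say "Vulnerable code introduced later" without pointing to where the code was introduced, so the claim cannot be checked from the entry itself. Suggest adding a NOTE under CVE-2017-14496 and CVE-2017-14495 that names the upstream version or commit that introduced the affected code. If the same reasoning covers other supported releases, state their status as well.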
[Secure-testing-commits] r56350 - data/CVE
Author: geissert Date: 2017-10-02 14:30:05 + (Mon, 02 Oct 2017) New Revision: 56350 Modified: data/CVE/list Log: add dnsmasq issues Modified: data/CVE/list === --- data/CVE/list 2017-10-02 13:15:26 UTC (rev 56349) +++ data/CVE/list 2017-10-02 14:30:05 UTC (rev 56350) @@ -1298,16 +1298,28 @@ NOTE: Fixed by: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd (v4.13) CVE-2017-14496 RESERVED + - dnsmasq + NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14495 RESERVED + - dnsmasq + NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14494 RESERVED + - dnsmasq + NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14493 RESERVED + - dnsmasq + NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14492 RESERVED + - dnsmasq + NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14491 RESERVED + - dnsmasq + NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html CVE-2017-14490 RESERVED CVE-2017-14489 (The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56349 - data/CVE
Author: jmm Date: 2017-10-02 13:15:26 + (Mon, 02 Oct 2017) New Revision: 56349 Modified: data/CVE/list Log: golang ignored Modified: data/CVE/list === --- data/CVE/list 2017-10-02 13:14:23 UTC (rev 56348) +++ data/CVE/list 2017-10-02 13:15:26 UTC (rev 56349) @@ -17173,9 +17173,9 @@ [wheezy] - perltidy (Minor issue) CVE-2017-8932 (A bug in the standard library ScalarMult implementation of curve P-256 ...) - golang-1.8 1.8.3-1 (bug #863307) - [stretch] - golang-1.8 (Minor issue) + [stretch] - golang-1.8 (Minor issue, would require builds of all go packages in stable) - golang-1.7 1.7.6-1 (bug #863308) - [stretch] - golang-1.7 (Minor issue) + [stretch] - golang-1.7 (Minor issue, would require builds of all go packages in stable) - golang [wheezy] - golang (Vulnerable code not present, no ASM implementation of the p256 elliptic curve) [jessie] - golang (Vulnerable code not present, no ASM implementation of the p256 elliptic curve) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56348 - data/CVE
Author: jmm Date: 2017-10-02 13:14:23 + (Mon, 02 Oct 2017) New Revision: 56348 Modified: data/CVE/list Log: openldap unimportant arc ignored Modified: data/CVE/list === --- data/CVE/list 2017-10-02 12:05:51 UTC (rev 56347) +++ data/CVE/list 2017-10-02 13:14:23 UTC (rev 56348) @@ -2211,11 +2211,9 @@ - bzr 2.7.0+bzr6622-7 (bug #874429) NOTE: https://bugs.launchpad.net/bzr/+bug/1710979 CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping ...) - - openldap - [stretch] - openldap (Minor issue) - [jessie] - openldap (Minor issue) - [wheezy] - openldap (Minor issue) + - openldap (unimportant) NOTE: http://www.openldap.org/its/index.cgi?findid=8703 + NOTE: Negligable security impact, but filed #877512 CVE-2017-14158 (Scrapy 1.4 allows remote attackers to cause a denial of service (memory ...) - python-scrapy (bug #875947) [stretch] - python-scrapy (Minor issue) @@ -98226,8 +98224,8 @@ NOTE: CVE Request: https://marc.info/?l=oss-security=142024361327375=2 CVE-2015- [buffer over-read] - arc (low; bug #774439) - [stretch] - arc (Minor issue) - [jessie] - arc (Minor issue) + [stretch] - arc (Minor issue) + [jessie] - arc (Minor issue) [wheezy] - arc (Minor issue) [squeeze] - arc (Minor issue) CVE-2015-0557 (Open-source ARJ archiver 3.10.22 does not properly remove leading ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
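Review bot: The NOTE added under CVE-2017-14159 misspells "Negligible" as "Negligable", and it records the bug only as free text ("filed #877512"). Other entries in this same patch carry the bug number on the package line, e.g. "- bzr 2.7.0+bzr6622-7 (bug #874429)" and "- arc (low; bug #774439)". Writing the openldap line as "- openldap (unimportant; bug #877512)" would put the reference in the same place. The log message also covers two unrelated packages (openldap and arc), which would be easier to follow as two commits.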
[Secure-testing-commits] r56347 - data
Author: hle Date: 2017-10-02 12:05:51 + (Mon, 02 Oct 2017) New Revision: 56347 Modified: data/dla-needed.txt Log: Update NOTEs for entry ming in dla-needed. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-02 11:17:30 UTC (rev 56346) +++ data/dla-needed.txt 2017-10-02 12:05:51 UTC (rev 56347) @@ -76,7 +76,7 @@ linux -- ming (Hugo Lefeuvre) - NOTE: 20170930: patches unavailable + NOTE: 20170930: patches unavailable, currently working on it with upstream, might take a while NOTE: Successfully reproduced CVE-2017-117{04, 28, 29, 30, 32, 34}. -- mosquitto (Roger A. Leigh/Gianfranco Costamagna) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56346 - data
Author: corsac Date: 2017-10-02 11:17:30 + (Mon, 02 Oct 2017) New Revision: 56346 Modified: data/dsa-needed.txt Log: take wordpress for review Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-10-02 11:13:53 UTC (rev 56345) +++ data/dsa-needed.txt 2017-10-02 11:17:30 UTC (rev 56346) @@ -73,7 +73,7 @@ 2017-05-13: asked balint@ if he wants to prepare an update now 2017-07-28: re-ping balint@ -- -wordpress +wordpress (csmall+corsac) -- xen -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56345 - data
Author: corsac Date: 2017-10-02 11:13:53 + (Mon, 02 Oct 2017) New Revision: 56345 Modified: data/dsa-needed.txt Log: remove jbig2dec since it's marked as no-dsa Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-10-02 10:37:11 UTC (rev 56344) +++ data/dsa-needed.txt 2017-10-02 11:13:53 UTC (rev 56345) @@ -27,8 +27,6 @@ imagemagick (jmm) wait until more issues have piled up -- -jbig2dec --- libav/oldstable several issues unfixed upstream -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56344 - bin
Author: geissert Date: 2017-10-02 10:37:11 + (Mon, 02 Oct 2017) New Revision: 56344 Modified: bin/check-new-issues Log: Add -D option to skip the downloads Useful when invoking check-new-issues multiple times Modified: bin/check-new-issues === --- bin/check-new-issues2017-10-02 10:27:08 UTC (rev 56343) +++ bin/check-new-issues2017-10-02 10:37:11 UTC (rev 56344) @@ -7,7 +7,7 @@ use Term::ReadLine; my %opts; -getopts('ln:fhi:t:Tca:e:uUs', \%opts); +getopts('ln:fhi:t:Tca:e:uUsD', \%opts); sub print_commands { print <<'EOF'; @@ -55,6 +55,7 @@ display only the count (default 10) -s: skip automatic apt-cache/apt-file searches, suggest the command to run instead +-D: skip the download operations EOF @@ -102,8 +103,10 @@ my $editor=$ENV{EDITOR} || $ENV{VISUAL} || "vi"; -system "cd $basedir/.. ; wget -N $allitemsurl"; -system "cd $basedir/.. ; wget -N $wnppurl"; +unless ($opts{D}) { + system "cd $basedir/.. ; wget -N $allitemsurl"; + system "cd $basedir/.. ; wget -N $wnppurl"; +} print "Reading data...\n"; ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
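Review bot: With -D the new "unless ($opts{D})" block skips both wget calls, but nothing before "Reading data..." checks that local copies of the files behind $allitemsurl and $wnppurl already exist, so a first run with -D, or a run in a fresh checkout, continues with missing or stale input. Suggest testing for the local files when -D is set and stopping with a clear message if they are absent. The re-indented system calls still ignore wget's exit status, and a failed download should be reported too. The help line "-D: skip the download operations" could also say which downloads it means.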
[Secure-testing-commits] r56343 - bin
Author: geissert Date: 2017-10-02 10:27:08 + (Mon, 02 Oct 2017) New Revision: 56343 Modified: bin/check-new-issues Log: Allow an entry to be added directly by typing '- package[...]' Modified: bin/check-new-issues === --- bin/check-new-issues2017-10-02 10:11:55 UTC (rev 56342) +++ bin/check-new-issues2017-10-02 10:27:08 UTC (rev 56343) @@ -19,6 +19,7 @@ * .rpackage to launch an editor with a report of the issue against "package" * !command to execute a command with system() without any escaping * v or e to launch an editor with the current item + * - package-entry to add an entry for "package" and lunch an editor (e.g. - poppler ) * q to save and quit * CTRL-C to quit without saving * everything else is inserted as product name for a NOT-FOR-US @@ -104,7 +105,6 @@ system "cd $basedir/.. ; wget -N $allitemsurl"; system "cd $basedir/.. ; wget -N $wnppurl"; - print "Reading data...\n"; my $entries=read_file($datafile, qr/^CVE/ ); @@ -284,6 +284,21 @@ next TODO; } } + elsif ($r=~ /^(\-\s+.+)$/ ) { + my @comps=split /\s+/, $1; + push @comps, '' + unless (scalar(@comps)>2); + my $inputentry = join(' ', @comps); + + my $preventry=${$data->{$todo}->{entry}}; + $preventry =~ + s/^\s*TODO: check/\t$inputentry\n$&/m ; + + my $newentry=edit_entry($preventry); + ${$data->{$todo}->{entry}}=$newentry; + print "New entry set to:\n$newentry"; + next TODO; + } elsif ($r=~ /^\.r(.*)$/ ) { my $tmp=new File::Temp(); my $tmpname=$tmp->filename; ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
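Review bot: In the new "elsif ($r=~ /^(\-\s+.+)$/ )" branch, the result of the "s/^\s*TODO: check/.../m" substitution is never checked. When the current entry has no "TODO: check" line, the typed package entry is dropped silently, yet the editor still opens and "New entry set to:" is printed. Suggest testing the substitution's return value and, on no match, either appending the line to the entry or telling the user nothing was inserted. In the help-text hunk, "lunch an editor" should read "launch an editor". The help text should also mention that input starting with "- " is no longer treated as a NOT-FOR-US product name.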
[Secure-testing-commits] r56340 - data/CVE
Author: jmm Date: 2017-10-02 10:08:39 + (Mon, 02 Oct 2017) New Revision: 56340 Modified: data/CVE/list Log: new binutils issue Modified: data/CVE/list === --- data/CVE/list 2017-10-02 10:07:29 UTC (rev 56339) +++ data/CVE/list 2017-10-02 10:08:39 UTC (rev 56340) @@ -35,7 +35,12 @@ - poppler (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) - TODO: check + - binutils + [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22163 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf CVE-2017-14973 RESERVED CVE-2017-14972 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56341 - data/CVE
Author: geissert Date: 2017-10-02 10:09:34 + (Mon, 02 Oct 2017) New Revision: 56341 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-02 10:08:39 UTC (rev 56340) +++ data/CVE/list 2017-10-02 10:09:34 UTC (rev 56341) @@ -18342,7 +18342,7 @@ CVE-2017-8448 (An error was found in the permission model used by X-Pack Alerting ...) - kibana (bug #700337) CVE-2017-8447 (An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege ...) - TODO: check + NOT-FOR-US: X-Pack Security CVE-2017-8446 (The Reporting feature in X-Pack in versions prior to 5.5.2 and ...) NOT-FOR-US: X-Pack plugin for Kibana CVE-2017-8445 (An error was found in the X-Pack Security TLS trust manager for ...) @@ -19565,13 +19565,13 @@ CVE-2017-8022 RESERVED CVE-2017-8021 (EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an ...) - TODO: check + NOT-FOR-US: EMC Elastic Cloud Storage CVE-2017-8020 RESERVED CVE-2017-8019 RESERVED CVE-2017-8018 (EMC AppSync host plug-in versions 3.5 and below (Windows platform only) ...) - TODO: check + NOT-FOR-US: EMC AppSync CVE-2017-8017 RESERVED CVE-2017-8016 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56342 - data/CVE
Author: jmm Date: 2017-10-02 10:11:55 + (Mon, 02 Oct 2017) New Revision: 56342 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-02 10:09:34 UTC (rev 56341) +++ data/CVE/list 2017-10-02 10:11:55 UTC (rev 56342) @@ -74,7 +74,7 @@ CVE-2017-14959 RESERVED CVE-2017-14958 (lib.php in PivotX 2.3.11 does not properly block uploads of dangerous ...) - TODO: check + NOT-FOR-US: PivotX CVE-2017-14957 (Stored XSS vulnerability via a comment in inc/conv.php in BlogoText ...) NOT-FOR-US: BlogoText CVE-2017-14956 @@ -2710,7 +2710,7 @@ CVE-2017-13998 RESERVED CVE-2017-13997 (A Missing Authentication for Critical Function issue was discovered in ...) - TODO: check + NOT-FOR-US: Schneider CVE-2017-13996 RESERVED CVE-2017-13995 @@ -18342,13 +18342,13 @@ CVE-2017-8448 (An error was found in the permission model used by X-Pack Alerting ...) - kibana (bug #700337) CVE-2017-8447 (An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege ...) - NOT-FOR-US: X-Pack Security + NOT-FOR-US: X-Pack plugin for Kibana CVE-2017-8446 (The Reporting feature in X-Pack in versions prior to 5.5.2 and ...) NOT-FOR-US: X-Pack plugin for Kibana CVE-2017-8445 (An error was found in the X-Pack Security TLS trust manager for ...) NOT-FOR-US: X-PackSecurity TLS trust manager plugin for Elasticsearch CVE-2017-8444 (The client-forwarder in Elastic Cloud Enterprise versions prior to ...) - TODO: check + NOT-FOR-US: Elastic Cloud Enterprise CVE-2017-8443 (In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user ...) NOT-FOR-US: Kibana X-Pack Security CVE-2017-8442 (Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, ...) 
@@ -74760,7 +74760,7 @@ CVE-2015-8252 (The Frontel protocol before 3 on RSI Video Technologies Videofied ...) NOT-FOR-US: Frontel CVE-2015-8251 (OpenStage 60 and OpenScape Desk Phone IP 55G SIP V3, OpenStage 15, ...) - TODO: check + NOT-FOR-US: OpenStage CVE-2015-8250 RESERVED CVE-2015-8249 (The FileUploadServlet class in ManageEngine Desktop Central 9 before ...) @@ -77409,9 +77409,9 @@ CVE-2015-7392 (Heap-based buffer overflow in the parse_string function in ...) - freeswitch (bug #389591) CVE-2015-7391 (Multiple cross-site scripting (XSS) vulnerabilities in TestLink before ...) - TODO: check + NOT-FOR-US: TestLink CVE-2015-7390 (SQL injection vulnerability in TestLink before 1.9.14 allows remote ...) - TODO: check + NOT-FOR-US: TestLink CVE-2015-7389 RESERVED CVE-2015-7388 @@ -77645,7 +77645,7 @@ NOTE: https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4 NOTE: https://nodesecurity.io/advisories/19 CVE-2015-7293 (Multiple cross-site request forgery (CSRF) vulnerabilities in Zope ...) - TODO: check + NOT-FOR-US: Zope Management Interface CVE-2015-7292 (Stack-based buffer overflow in the havok_write function in ...) NOT-FOR-US: Amazon Fire OS CVE-2015-7291 (Cross-site request forgery (CSRF) vulnerability in adv_pwd_cgi in the ...) @@ -84912,11 +84912,11 @@ CVE-2015-4670 (Directory traversal vulnerability in the AjaxFileUpload control in ...) NOT-FOR-US: AjaxControlToolkit CVE-2015-4669 (The MySQL root user in Xsuite 2.3.0 and 2.4.3.0 does not have a ...) - TODO: check + NOT-FOR-US: Xsuite CVE-2015-4668 (Open redirect vulnerability in Xsuite 2.3.0 and 2.4.3.0 allows remote ...) - TODO: check + NOT-FOR-US: Xsuite CVE-2015-4667 (Multiple hardcoded credentials in Xsuite 2.3.0 and 2.4.3.0. ...) - TODO: check + NOT-FOR-US: Xsuite CVE-2015-4666 (Directory traversal vulnerability in opm/read_sessionlog.php in ...) NOT-FOR-US: Xceedium Xsuite CVE-2015-4665 (Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium ...) 
@@ -88692,7 +88692,7 @@ CVE-2015-3298 RESERVED CVE-2015-3296 (Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before ...) - TODO: check + NOT-FOR-US: NodeBB CVE-2015-3295 (markdown-it before 4.1.0 does not block data: URLs. ...) - ruby-rails-assets-markdown-it 4.2.1-1 CVE-2015-3294 (The tcp_request function in Dnsmasq before 2.73rc4 does not properly ...) @@ -94155,7 +94155,7 @@ CVE-2015-1538 (Integer overflow in the SampleTable::setSampleToChunkParams function ...) NOT-FOR-US: libstagefright in Android CVE-2015-1537 (Integer overflow in IHDCP.cpp in the media_server component in Android ...) - TODO: check + NOT-FOR-US: Android CVE-2015-1536 (Integer overflow in the Bitmap_createFromParcel function in ...) NOT-FOR-US: Android CVE-2015-1535 @@ -94177,7 +94177,7 @@ CVE-2015-1527 (Integer overflow in IAudioPolicyService.cpp
[Secure-testing-commits] r56339 - data/CVE
Author: jmm Date: 2017-10-02 10:07:29 + (Mon, 02 Oct 2017) New Revision: 56339 Modified: data/CVE/list Log: new openexr issue Modified: data/CVE/list === --- data/CVE/list 2017-10-02 10:06:29 UTC (rev 56338) +++ data/CVE/list 2017-10-02 10:07:29 UTC (rev 56339) @@ -2,7 +2,8 @@ - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...) - TODO: check + - openexr + NOTE: https://github.com/openexr/openexr/issues/248 CVE-2017-14987 RESERVED CVE-2017-14986 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56338 - data/CVE
Author: jmm Date: 2017-10-02 10:06:29 + (Mon, 02 Oct 2017) New Revision: 56338 Modified: data/CVE/list Log: new im issue Modified: data/CVE/list === --- data/CVE/list 2017-10-02 10:05:21 UTC (rev 56337) +++ data/CVE/list 2017-10-02 10:06:29 UTC (rev 56338) @@ -1,5 +1,6 @@ CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...) TODO: check CVE-2017-14987 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56337 - data/CVE
Author: jmm Date: 2017-10-02 10:05:21 + (Mon, 02 Oct 2017) New Revision: 56337 Modified: data/CVE/list Log: new poppler issues Modified: data/CVE/list === --- data/CVE/list 2017-10-02 10:02:40 UTC (rev 56336) +++ data/CVE/list 2017-10-02 10:05:21 UTC (rev 56337) @@ -23,11 +23,15 @@ CVE-2017-14978 RESERVED CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler ...) - TODO: check + - poppler (low) + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103045 CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - TODO: check + - poppler (low) + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102724 + NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - TODO: check + - poppler (low) + NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) TODO: check CVE-2017-14973 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56336 - data/CVE
Author: jmm Date: 2017-10-02 10:02:40 + (Mon, 02 Oct 2017) New Revision: 56336 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-02 09:10:20 UTC (rev 56335) +++ data/CVE/list 2017-10-02 10:02:40 UTC (rev 56336) @@ -7,15 +7,15 @@ CVE-2017-14986 RESERVED CVE-2017-14985 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14984 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14983 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14982 RESERVED CVE-2017-14981 (Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The ...) - TODO: check + NOT-FOR-US: ATutor CVE-2017-14980 RESERVED CVE-2017-14979 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56335 - data/CVE
Author: sectracker Date: 2017-10-02 09:10:20 + (Mon, 02 Oct 2017) New Revision: 56335 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-10-02 04:35:08 UTC (rev 56334) +++ data/CVE/list 2017-10-02 09:10:20 UTC (rev 56335) @@ -1,3 +1,41 @@ +CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ...) + TODO: check +CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...) + TODO: check +CVE-2017-14987 + RESERVED +CVE-2017-14986 + RESERVED +CVE-2017-14985 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) + TODO: check +CVE-2017-14984 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) + TODO: check +CVE-2017-14983 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) + TODO: check +CVE-2017-14982 + RESERVED +CVE-2017-14981 (Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The ...) + TODO: check +CVE-2017-14980 + RESERVED +CVE-2017-14979 + RESERVED +CVE-2017-14978 + RESERVED +CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler ...) + TODO: check +CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) + TODO: check +CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) + TODO: check +CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) + TODO: check +CVE-2017-14973 + RESERVED +CVE-2017-14972 + RESERVED +CVE-2017-14971 + RESERVED CVE-2017-14970 (In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are ...) - openvswitch NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html @@ -2660,8 +2698,8 @@ RESERVED CVE-2017-13998 RESERVED -CVE-2017-13997 - RESERVED +CVE-2017-13997 (A Missing Authentication for Critical Function issue was discovered in ...) + TODO: check CVE-2017-13996 RESERVED CVE-2017-13995 
@@ -19515,14 +19553,14 @@ RESERVED CVE-2017-8022 RESERVED -CVE-2017-8021 - RESERVED +CVE-2017-8021 (EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an ...) + TODO: check CVE-2017-8020 RESERVED CVE-2017-8019 RESERVED -CVE-2017-8018 - RESERVED +CVE-2017-8018 (EMC AppSync host plug-in versions 3.5 and below (Windows platform only) ...) + TODO: check CVE-2017-8017 RESERVED CVE-2017-8016 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits