[Secure-testing-commits] r56475 - data/CVE
Author: jmm Date: 2017-10-06 22:10:24 + (Fri, 06 Oct 2017) New Revision: 56475 Modified: data/CVE/list Log: NFUs historic chrome issue Modified: data/CVE/list === --- data/CVE/list 2017-10-06 22:04:14 UTC (rev 56474) +++ data/CVE/list 2017-10-06 22:10:24 UTC (rev 56475) @@ -7966,7 +7966,7 @@ CVE-2017-12271 RESERVED CVE-2017-12270 (A vulnerability in the gRPC code of Cisco IOS XR Software for Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12269 (A vulnerability in the web UI of Cisco Spark Messaging Software could ...) NOT-FOR-US: Cisco CVE-2017-12268 (A vulnerability in the Network Access Manager (NAM) of Cisco AnyConnect ...) @@ -16432,9 +16432,9 @@ CVE-2017-9274 RESERVED CVE-2017-9273 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be ...) - TODO: check + NOT-FOR-US: IDM CVE-2017-9272 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be ...) - TODO: check + NOT-FOR-US: IDM CVE-2017-9271 RESERVED CVE-2017-9270 @@ -40907,49 +40907,49 @@ CVE-2017-0828 (An elevation of privilege vulnerability in the Huawei bootloader. ...) NOT-FOR-US: Huawei bootloader CVE-2017-0827 (An elevation of privilege vulnerability in the MediaTek soc driver. ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2017-0826 (An elevation of privilege vulnerability in the HTC bootloader. ...) NOT-FOR-US: HTC bootloader CVE-2017-0825 (An information disclosure vulnerability in the Broadcom wifi driver. ...) - TODO: check + NOT-FOR-US: Broadcom driver for Android CVE-2017-0824 (An elevation of privilege vulnerability in the Broadcom wifi driver. ...) - TODO: check + NOT-FOR-US: Broadcom driver for Android CVE-2017-0823 (An information disclosure vulnerability in the Android system (rild). ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0822 (An elevation of privilege vulnerability in the Android system ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0821 RESERVED CVE-2017-0820 (A vulnerability in the Android media framework (n/a). Product: ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0819 (A vulnerability in the Android media framework (n/a). Product: ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0818 (A vulnerability in the Android media framework (n/a). Product: ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0817 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0816 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0815 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0814 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0813 (A denial of service vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0812 (An elevation of privilege vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0811 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0810 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0809 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0808 (An information disclosure vulnerability in the Android framework (file ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0807 (An elevation of privilege vulnerability in the Android framework (ui ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0806 (An elevation of privilege vulnerability in the Android framework ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0805 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0804 (A elevation of privilege vulnerability in the MediaTek mmc driver. ...) @@ -95996,7 +95996,7 @@ - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3859868c75313e318ebc5d0d33baada62d45dd75 CVE-2015-1206 (Heap-based buffer overflow in Google Chrome before M40 allows remote ...) - TODO: check + - chromium-browser 40.0.2214.91-1 CVE-2015-1204 (Cross-site scripting
[Secure-testing-commits] r56474 - data/CVE
Author: jmm Date: 2017-10-06 22:04:14 + (Fri, 06 Oct 2017) New Revision: 56474 Modified: data/CVE/list Log: new kfreebsd issue Modified: data/CVE/list === --- data/CVE/list 2017-10-06 22:03:48 UTC (rev 56473) +++ data/CVE/list 2017-10-06 22:04:14 UTC (rev 56474) @@ -120,7 +120,8 @@ - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html CVE-2017-15037 (In FreeBSD through 11.1, the smb_strdupin function in ...) - TODO: check + - kfreebsd-10 (unimportant; bug #877903) + NOTE: kfreebsd not covered by security support CVE-2017-15036 RESERVED CVE-2017-15035 (EmTec PyroBatchFTP before 3.18 allows remote servers to cause a denial ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56473 - in data: . DSA
Author: jmm
Date: 2017-10-06 22:03:48 + (Fri, 06 Oct 2017)
New Revision: 56473
Modified:
data/DSA/list
data/dsa-needed.txt
Log:
tor DSA
Modified: data/DSA/list
===
--- data/DSA/list 2017-10-06 21:42:27 UTC (rev 56472)
+++ data/DSA/list 2017-10-06 22:03:48 UTC (rev 56473)
@@ -1,3 +1,6 @@
+[06 Oct 2017] DSA-3993-1 tor - security update
+ {CVE-2017-0380}
+ [stretch] - tor 0.2.9.12-1
[06 Oct 2017] DSA-3992-1 curl - security update
{CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254}
[jessie] - curl 7.38.0-4+deb8u6
Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-10-06 21:42:27 UTC (rev 56472)
+++ data/dsa-needed.txt 2017-10-06 22:03:48 UTC (rev 56473)
@@ -63,8 +63,6 @@
tiff
wait until more issues are around
--
-tor (likely jmm)
---
vlc
wait until 2.2.7 release
--
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56471 - data
Author: jmm Date: 2017-10-06 21:42:07 + (Fri, 06 Oct 2017) New Revision: 56471 Modified: data/dsa-needed.txt Log: add issues to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-10-06 21:40:50 UTC (rev 56470) +++ data/dsa-needed.txt 2017-10-06 21:42:07 UTC (rev 56471) @@ -25,6 +25,8 @@ libav/oldstable several issues unfixed upstream -- +libxfont +-- libvpx/oldstable -- libxml-libxml-perl (carnil) @@ -36,6 +38,8 @@ -- nautilus (corsac) -- +nss +-- mupdf -- openjpeg2 @@ -72,5 +76,7 @@ -- xen -- +xorg-server +-- zendframework/oldstable -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56472 - data/CVE
Author: jmm Date: 2017-10-06 21:42:27 + (Fri, 06 Oct 2017) New Revision: 56472 Modified: data/CVE/list Log: upx-ucl unimportant Modified: data/CVE/list === --- data/CVE/list 2017-10-06 21:42:07 UTC (rev 56471) +++ data/CVE/list 2017-10-06 21:42:27 UTC (rev 56472) @@ -57,9 +57,10 @@ CVE-2017-15057 RESERVED CVE-2017-15056 (p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote ...) - - upx-ucl + - upx-ucl (unimportant) NOTE: https://github.com/upx/upx/issues/128 NOTE: https://github.com/upx/upx/commit/ef336dbcc6dc8344482f8cf6c909ae96c3286317 + NOTE: crash in CLI tool, no security impact CVE-2017-15055 RESERVED CVE-2017-15054 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56470 - data/CVE
Author: carnil Date: 2017-10-06 21:40:50 + (Fri, 06 Oct 2017) New Revision: 56470 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-06 21:35:53 UTC (rev 56469) +++ data/CVE/list 2017-10-06 21:40:50 UTC (rev 56470) @@ -7,37 +7,37 @@ CVE-2017-15080 RESERVED CVE-2017-15079 (The Smush Image Compression and Optimization plugin before 2.7.6 for ...) - TODO: check + NOT-FOR-US: Smush Image Compression and Optimization plugin for WordPress CVE-2017-15078 (The Intel Puma 5, 6, and 7 chips, as used on Virgin Media branded Arris ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15077 (The Intel Puma 5, 6, and 7 chips, as used on UPC branded Compal ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15076 (** DISPUTED ** The Intel Puma 5, 6, and 7 chips, as used on Telstra ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15075 (The Intel Puma 5, 6, and 7 chips, as used on various Technicolor ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15074 (The Intel Puma 5, 6, and 7 chips, as used on SMC D3G2408 devices, allow ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15073 (The Intel Puma 5, 6, and 7 chips, as used on Samsung Home Media Server ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15072 (The Intel Puma 5, 6, and 7 chips, as used on various Quantenna devices, ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15071 (The Intel Puma 5, 6, and 7 chips, as used on NETGEAR C6300, CM400, ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15070 (The Intel Puma 5, 6, and 7 chips, as used on various Linksys devices, ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15069 (The Intel Puma 5, 6, and 7 chips, as used on various Hitron devices, ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15068 (The Intel Puma 5, 6, and 7 chips, as used on various Comcast branded ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15067 (The Intel Puma 5, 6, and 7 chips, as used on various Compal devices, ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15066 (The Intel Puma 5, 6, and 7 chips, as used on various AVM FRITZ!Box ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15065 (The Intel Puma 5, 6, and 7 chips, as used on ASUS CM-32 devices, allow ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-15064 (The Intel Puma 5, 6, and 7 chips, as used on various Arris devices, ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-1002153 (Koji 1.13.0 does not properly validate SCM paths, allowing an attacker ...) TODO: check CVE-2017-1000255 @@ -5202,9 +5202,9 @@ CVE-2017-13070 RESERVED CVE-2017-13069 (QNAP discovered a number of command injection vulnerabilities found in ...) - TODO: check + NOT-FOR-US: QNAP CVE-2017-13068 (QNAP has already patched this vulnerability. This security concern ...) - TODO: check + NOT-FOR-US: QNAP CVE-2017-13067 (QNAP has patched a remote code execution vulnerability affecting the ...) NOT-FOR-US: QNAP CVE-2017-13066 (GraphicsMagick 1.3.26 has a memory leak vulnerability in the function ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56469 - data/CVE
Author: carnil Date: 2017-10-06 21:35:53 + (Fri, 06 Oct 2017) New Revision: 56469 Modified: data/CVE/list Log: Add reference for CVE-2017-9781 Modified: data/CVE/list === --- data/CVE/list 2017-10-06 21:24:13 UTC (rev 56468) +++ data/CVE/list 2017-10-06 21:35:53 UTC (rev 56469) @@ -14640,6 +14640,7 @@ CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) [experimental] - check-mk 1.4.0p9-1 - check-mk (bug #865497) + NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=4757 NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via unknown ...) - ocaml (bug #874700) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56468 - data/CVE
Author: carnil Date: 2017-10-06 21:24:13 + (Fri, 06 Oct 2017) New Revision: 56468 Modified: data/CVE/list Log: Revert "Mark CVE-2017-9781 as fixed in unstable" After double-checking the entry, the fix seem not applied to the uploaded version. This reverts commit 6b4215cf90a140c5313e330c40d8d6cf0ef286ac. Modified: data/CVE/list === --- data/CVE/list 2017-10-06 21:16:11 UTC (rev 56467) +++ data/CVE/list 2017-10-06 21:24:13 UTC (rev 56468) @@ -14639,7 +14639,7 @@ NOTE: https://github.com/mdadams/jasper/issues/140 CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) [experimental] - check-mk 1.4.0p9-1 - - check-mk 1.2.8p26-1 (bug #865497) + - check-mk (bug #865497) NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via unknown ...) - ocaml (bug #874700) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56467 - data/CVE
Author: carnil Date: 2017-10-06 21:16:11 + (Fri, 06 Oct 2017) New Revision: 56467 Modified: data/CVE/list Log: Two libxfont issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-10-06 21:16:00 UTC (rev 56466) +++ data/CVE/list 2017-10-06 21:16:11 UTC (rev 56467) @@ -3792,7 +3792,7 @@ NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=94f11ca5cf011ef123bd222cabeaef6f424d76ac CVE-2017-13722 [pcfGetProperties: Check string boundaries] RESERVED - - libxfont + - libxfont 1:2.0.1-4 NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd CVE-2017-13721 [Xext/shm: Validate shmseg resource id] RESERVED @@ -3800,7 +3800,7 @@ NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=b95f25af141d33a65f6f821ea9c003f66a01e1f1 CVE-2017-13720 [Check for end of string in PatternMatch] RESERVED - - libxfont + - libxfont 1:2.0.1-4 NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608 CVE-2017-13719 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56466 - data/CVE
Author: carnil Date: 2017-10-06 21:16:00 + (Fri, 06 Oct 2017) New Revision: 56466 Modified: data/CVE/list Log: Mark CVE-2017-9781 as fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-10-06 21:14:44 UTC (rev 56465) +++ data/CVE/list 2017-10-06 21:16:00 UTC (rev 56466) @@ -14639,7 +14639,7 @@ NOTE: https://github.com/mdadams/jasper/issues/140 CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) [experimental] - check-mk 1.4.0p9-1 - - check-mk (bug #865497) + - check-mk 1.2.8p26-1 (bug #865497) NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via unknown ...) - ocaml (bug #874700) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56465 - in data: . DLA
Author: alteholz
Date: 2017-10-06 21:14:44 + (Fri, 06 Oct 2017)
New Revision: 56465
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-1125-1 for botan1.10
Modified: data/DLA/list
===
--- data/DLA/list 2017-10-06 21:10:13 UTC (rev 56464)
+++ data/DLA/list 2017-10-06 21:14:44 UTC (rev 56465)
@@ -1,3 +1,6 @@
+[06 Oct 2017] DLA-1125-1 botan1.10 - security update
+ {CVE-2017-14737}
+ [wheezy] - botan1.10 1.10.5-1+deb7u4
[06 Oct 2017] DLA-1124-1 dnsmasq - security update
{CVE-2017-14491 CVE-2017-14492 CVE-2017-14494}
[wheezy] - dnsmasq 2.62-3+deb7u4
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-10-06 21:10:13 UTC (rev 56464)
+++ data/dla-needed.txt 2017-10-06 21:14:44 UTC (rev 56465)
@@ -10,8 +10,6 @@
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
-botan1.10 (Thorsten Alteholz)
---
ca-certificates
NOTE: 20170719: maintainer will handle the upload, see
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
--
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56464 - data/CVE
Author: sectracker
Date: 2017-10-06 21:10:13 + (Fri, 06 Oct 2017)
New Revision: 56464
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-10-06 21:00:09 UTC (rev 56463)
+++ data/CVE/list 2017-10-06 21:10:13 UTC (rev 56464)
@@ -1,3 +1,47 @@
+CVE-2017-15083
+ RESERVED
+CVE-2017-15082
+ RESERVED
+CVE-2017-15081
+ RESERVED
+CVE-2017-15080
+ RESERVED
+CVE-2017-15079 (The Smush Image Compression and Optimization plugin before
2.7.6 for ...)
+ TODO: check
+CVE-2017-15078 (The Intel Puma 5, 6, and 7 chips, as used on Virgin Media
branded Arris ...)
+ TODO: check
+CVE-2017-15077 (The Intel Puma 5, 6, and 7 chips, as used on UPC branded
Compal ...)
+ TODO: check
+CVE-2017-15076 (** DISPUTED ** The Intel Puma 5, 6, and 7 chips, as used on
Telstra ...)
+ TODO: check
+CVE-2017-15075 (The Intel Puma 5, 6, and 7 chips, as used on various
Technicolor ...)
+ TODO: check
+CVE-2017-15074 (The Intel Puma 5, 6, and 7 chips, as used on SMC D3G2408
devices, allow ...)
+ TODO: check
+CVE-2017-15073 (The Intel Puma 5, 6, and 7 chips, as used on Samsung Home
Media Server ...)
+ TODO: check
+CVE-2017-15072 (The Intel Puma 5, 6, and 7 chips, as used on various Quantenna
devices, ...)
+ TODO: check
+CVE-2017-15071 (The Intel Puma 5, 6, and 7 chips, as used on NETGEAR C6300,
CM400, ...)
+ TODO: check
+CVE-2017-15070 (The Intel Puma 5, 6, and 7 chips, as used on various Linksys
devices, ...)
+ TODO: check
+CVE-2017-15069 (The Intel Puma 5, 6, and 7 chips, as used on various Hitron
devices, ...)
+ TODO: check
+CVE-2017-15068 (The Intel Puma 5, 6, and 7 chips, as used on various Comcast
branded ...)
+ TODO: check
+CVE-2017-15067 (The Intel Puma 5, 6, and 7 chips, as used on various Compal
devices, ...)
+ TODO: check
+CVE-2017-15066 (The Intel Puma 5, 6, and 7 chips, as used on various AVM
FRITZ!Box ...)
+ TODO: check
+CVE-2017-15065 (The Intel Puma 5, 6, and 7 chips, as used on ASUS CM-32
devices, allow ...)
+ TODO: check
+CVE-2017-15064 (The Intel Puma 5, 6, and 7 chips, as used on various Arris
devices, ...)
+ TODO: check
+CVE-2017-1002153 (Koji 1.13.0 does not properly validate SCM paths, allowing
an attacker ...)
+ TODO: check
+CVE-2017-1000255
+ RESERVED
CVE-2017-15063 (There are CSRF vulnerabilities in Subrion CMS before 4.2.0
because of a ...)
NOT-FOR-US: Subrion CMS
CVE-2017-15062
@@ -35,10 +79,10 @@
CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2
allows ...)
- redis
NOTE: https://github.com/antirez/redis/issues/4278
-CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow, a different ...)
+CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow in
unpack_read_samples ...)
- lame
NOTE: https://sourceforge.net/p/lame/bugs/479/
-CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read, a different ...)
+CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read in fill_buffer
in ...)
- lame
NOTE: https://sourceforge.net/p/lame/bugs/478/
CVE-2017-15044
@@ -1597,7 +1641,7 @@
NOTE:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
NOTE:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45
CVE-2017-14494 (dnsmasq before 2.78, when configured as a relay, allows remote
...)
- {DSA-3989-1}
+ {DSA-3989-1 DLA-1124-1}
- dnsmasq 2.78-1
NOTE:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
NOTE:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262
@@ -1608,12 +1652,12 @@
NOTE:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
NOTE:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033
CVE-2017-14492 (Heap-based buffer overflow in dnsmasq before 2.78 allows
remote ...)
- {DSA-3989-1}
+ {DSA-3989-1 DLA-1124-1}
- dnsmasq 2.78-1
NOTE:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
NOTE:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10
CVE-2017-14491 (Heap-based buffer overflow in dnsmasq before 2.78 allows
remote ...)
- {DSA-3989-1}
+ {DSA-3989-1 DLA-1124-1}
- dnsmasq 2.78-1
NOTE:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
NOTE:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0549c73b7ea6b22a3c49beb4d432f185a81efcbc
@@ -2559,8 +2603,8 @@
NOTE:
https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_mqc_flush-mqc-c/
[Secure-testing-commits] r56463 - in data: CVE DLA DSA
Author: carnil
Date: 2017-10-06 21:00:09 + (Fri, 06 Oct 2017)
New Revision: 56463
Modified:
data/CVE/list
data/DLA/list
data/DSA/list
Log:
CVE-2017-0605 was REJECTED
The issue was invalid as security flaw, and has been withdrawn. Cf.
https://marc.info/?l=oss-security=150703005326252=2
Modified: data/CVE/list
===
--- data/CVE/list 2017-10-06 20:27:07 UTC (rev 56462)
+++ data/CVE/list 2017-10-06 21:00:09 UTC (rev 56463)
@@ -41323,9 +41323,6 @@
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0605
REJECTED
- {DSA-3886-1 DLA-993-1}
- - linux 4.9.30-1
- NOTE: Fixed by:
https://git.kernel.org/linus/e09e28671cda63e6308b31798b997639120e2a21
CVE-2017-0604 (An elevation of privilege vulnerability in the kernel Qualcomm
power ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0603 (A denial of service vulnerability in libstagefright in
Mediaserver ...)
Modified: data/DLA/list
===
--- data/DLA/list 2017-10-06 20:27:07 UTC (rev 56462)
+++ data/DLA/list 2017-10-06 21:00:09 UTC (rev 56463)
@@ -398,7 +398,7 @@
{CVE-2017-5974 CVE-2017-5975 CVE-2017-5976 CVE-2017-5978 CVE-2017-5979
CVE-2017-5980 CVE-2017-5981}
[wheezy] - zziplib 0.13.56-1.1+deb7u1
[20 Jun 2017] DLA-993-1 linux - security update
- {CVE-2017-0605 CVE-2017-7487 CVE-2017-7645 CVE-2017-7895 CVE-2017-8890
CVE-2017-8924 CVE-2017-8925 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076
CVE-2017-9077 CVE-2017-9242 CVE-2017-1000364}
+ {CVE-2017-7487 CVE-2017-7645 CVE-2017-7895 CVE-2017-8890 CVE-2017-8924
CVE-2017-8925 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
CVE-2017-9242 CVE-2017-1000364}
[wheezy] - linux 3.2.89-1
[19 Jun 2017] DLA-992-1 eglibc - security update
{CVE-2017-1000366}
Modified: data/DSA/list
===
--- data/DSA/list 2017-10-06 20:27:07 UTC (rev 56462)
+++ data/DSA/list 2017-10-06 21:00:09 UTC (rev 56463)
@@ -390,7 +390,7 @@
[jessie] - glibc 2.19-18+deb8u10
[stretch] - glibc 2.24-11+deb9u1
[19 Jun 2017] DSA-3886-1 linux - security update
- {CVE-2017-0605 CVE-2017-7487 CVE-2017-7645 CVE-2017-7895 CVE-2017-8064
CVE-2017-8890 CVE-2017-8924 CVE-2017-8925 CVE-2017-9074 CVE-2017-9075
CVE-2017-9076 CVE-2017-9077 CVE-2017-9242 CVE-2017-1000364}
+ {CVE-2017-7487 CVE-2017-7645 CVE-2017-7895 CVE-2017-8064 CVE-2017-8890
CVE-2017-8924 CVE-2017-8925 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076
CVE-2017-9077 CVE-2017-9242 CVE-2017-1000364}
[jessie] - linux 3.16.43-2+deb8u1
[18 Jun 2017] DSA-3885-1 irssi - security update
{CVE-2017-9468 CVE-2017-9469}
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56462 - in data: . DSA
Author: carnil
Date: 2017-10-06 20:27:07 + (Fri, 06 Oct 2017)
New Revision: 56462
Modified:
data/DSA/list
data/dsa-needed.txt
Log:
Reserve DSA number for curl update
Modified: data/DSA/list
===
--- data/DSA/list 2017-10-06 19:57:59 UTC (rev 56461)
+++ data/DSA/list 2017-10-06 20:27:07 UTC (rev 56462)
@@ -1,3 +1,7 @@
+[06 Oct 2017] DSA-3992-1 curl - security update
+ {CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254}
+ [jessie] - curl 7.38.0-4+deb8u6
+ [stretch] - curl 7.52.1-5+deb9u1
[03 Oct 2017] DSA-3991-1 qemu - security update
{CVE-2017-9375 CVE-2017-12809 CVE-2017-13672 CVE-2017-13711
CVE-2017-14167}
[stretch] - qemu 1:2.8+dfsg-6+deb9u3
Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-10-06 19:57:59 UTC (rev 56461)
+++ data/dsa-needed.txt 2017-10-06 20:27:07 UTC (rev 56462)
@@ -14,8 +14,6 @@
--
389-ds-base (fw)
--
-curl (ghedo, carnil)
---
graphicsmagick
--
git-annex (seb)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56461 - data
Author: carnil Date: 2017-10-06 19:57:59 + (Fri, 06 Oct 2017) New Revision: 56461 Modified: data/dsa-needed.txt Log: Take care of releasing curl, prepared by ghedo Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-10-06 18:59:36 UTC (rev 56460) +++ data/dsa-needed.txt 2017-10-06 19:57:59 UTC (rev 56461) @@ -14,7 +14,7 @@ -- 389-ds-base (fw) -- -curl (ghedo) +curl (ghedo, carnil) -- graphicsmagick -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56460 - data
Author: carnil Date: 2017-10-06 18:59:36 + (Fri, 06 Oct 2017) New Revision: 56460 Modified: data/next-point-update.txt Log: Slightly shuffle around the list On top I'm listing those which up to now seem the ones which will likely be included in the point release on 2017-10-07. This is done just for easier review on given date (tomorrow). Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-10-06 18:40:51 UTC (rev 56459) +++ data/next-point-update.txt 2017-10-06 18:59:36 UTC (rev 56460) @@ -75,10 +75,6 @@ [stretch] - dnsdist 1.1.0-2+deb9u1 CVE-2017-11353 [stretch] - yadm 1.06-1+deb9u1 -CVE-2017-13709 - [stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1 -CVE-2017-9951 - [stretch] - memcached 1.4.33-1+deb9u1 CVE-2017-8831 [stretch] - linux 4.9.47-1 CVE-2017-14226 @@ -88,6 +84,16 @@ NOTE: for #876139, #876540 CVE-2017-10140 [stretch] - db5.3 5.3.28-12+deb9u1 +CVE-2017-11109 + [stretch] - vim 2:8.0.0197-4+deb9u1 +CVE-2017-12424 + [stretch] - shadow 1:4.4-4.1+deb9u1 +CVE-2017-10989 + [stretch] - sqlite3 3.16.2-5+deb9u1 +CVE-2017-13709 + [stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1 +CVE-2017-9951 + [stretch] - memcached 1.4.33-1+deb9u1 CVE-2017-13738 [stretch] - liblouis 3.0.0-3+deb9u1 CVE-2017-13739 @@ -113,9 +119,3 @@ [stretch] - busybox 1:1.22.0-19+deb9u1 CVE-2011-5325 [stretch] - busybox 1:1.22.0-19+deb9u1 -CVE-2017-11109 - [stretch] - vim 2:8.0.0197-4+deb9u1 -CVE-2017-12424 - [stretch] - shadow 1:4.4-4.1+deb9u1 -CVE-2017-10989 - [stretch] - sqlite3 3.16.2-5+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56459 - data/CVE
Author: carnil Date: 2017-10-06 18:40:51 + (Fri, 06 Oct 2017) New Revision: 56459 Modified: data/CVE/list Log: Add bug reference for CVE-2017-15038, mark as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-10-06 18:25:14 UTC (rev 56458) +++ data/CVE/list 2017-10-06 18:40:51 UTC (rev 56459) @@ -69,7 +69,9 @@ RESERVED CVE-2017-15038 [Qemu: 9p: virtfs: information disclosure when reading extended attributes] RESERVED - - qemu + - qemu (bug #877890) + [stretch] - qemu (Minor issue) + [jessie] - qemu (Minor issue) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html CVE-2017-15037 (In FreeBSD through 11.1, the smb_strdupin function in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56458 - data/CVE
Author: carnil Date: 2017-10-06 18:25:14 + (Fri, 06 Oct 2017) New Revision: 56458 Modified: data/CVE/list Log: Add bug reference for sssd issue Modified: data/CVE/list === --- data/CVE/list 2017-10-06 18:24:19 UTC (rev 56457) +++ data/CVE/list 2017-10-06 18:25:14 UTC (rev 56458) @@ -8122,7 +8122,7 @@ RESERVED CVE-2017-12173 [unsanitized input when searching in local cache database] RESERVED - - sssd + - sssd (bug #877885) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1498173 CVE-2017-12172 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56457 - data/CVE
Author: carnil Date: 2017-10-06 18:24:19 + (Fri, 06 Oct 2017) New Revision: 56457 Modified: data/CVE/list Log: Mark CVE-2017-15042/golang-1.7 as unfixed Modified: data/CVE/list === --- data/CVE/list 2017-10-06 17:05:34 UTC (rev 56456) +++ data/CVE/list 2017-10-06 18:24:19 UTC (rev 56457) @@ -48,7 +48,7 @@ CVE-2017-15042 (An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x ...) - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 - - golang-1.7 + - golang-1.7 - golang NOTE: https://github.com/golang/go/issues/22134 NOTE: https://golang.org/cl/68023 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56456 - data/CVE
Author: carnil Date: 2017-10-06 17:05:34 + (Fri, 06 Oct 2017) New Revision: 56456 Modified: data/CVE/list Log: Update golang-1.7 information for CVE-2017-15041 Modified: data/CVE/list === --- data/CVE/list 2017-10-06 17:00:15 UTC (rev 56455) +++ data/CVE/list 2017-10-06 17:05:34 UTC (rev 56456) @@ -57,7 +57,7 @@ CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows go get remote command ...) - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 - - golang-1.7 + - golang-1.7 - golang NOTE: https://github.com/golang/go/issues/22125 NOTE: https://golang.org/cl/68022 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56455 - data/CVE
Author: carnil Date: 2017-10-06 17:00:15 + (Fri, 06 Oct 2017) New Revision: 56455 Modified: data/CVE/list Log: Update CVE-2017-2920, something wrong with that CVE Modified: data/CVE/list === --- data/CVE/list 2017-10-06 14:58:35 UTC (rev 56454) +++ data/CVE/list 2017-10-06 17:00:15 UTC (rev 56455) @@ -36103,8 +36103,8 @@ CVE-2017-2921 RESERVED CVE-2017-2920 (An exploitable buffer overflow vulnerability exists in the tag parsing ...) - - libofx NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0427 + TODO: check, discrepancy on MITRE and TALOS information, contacted MITRE CVE-2017-2919 RESERVED CVE-2017-2918 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56454 - data/CVE
Author: agx
Date: 2017-10-06 14:58:35 + (Fri, 06 Oct 2017)
New Revision: 56454
Modified:
data/CVE/list
Log:
lts: triage CVE-2017-13672 for qemu{,-kvm}
Modified: data/CVE/list
===
--- data/CVE/list 2017-10-06 13:16:07 UTC (rev 56453)
+++ data/CVE/list 2017-10-06 14:58:35 UTC (rev 56454)
@@ -3940,8 +3940,11 @@
{DSA-3991-1}
- qemu 1:2.10.0-1 (low; bug #873851)
[jessie] - qemu (Can be fixed along in a future DSA)
+ [wheezy] - qemu (Can be fixed along in a future DSA)
- qemu-kvm
+ [wheezy] - qemu-kvm (Can be fixed along in a future DSA)
NOTE:
https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04684.html
+ NOTE: Fixed by
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681
CVE-2017-13671 (app/View/Helper/CommandHelper.php in MISP before 2.4.79 has
persistent ...)
NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat
Sharing)
CVE-2017-13670 (In BlackCat CMS 1.2, remote authenticated users can upload any
file via ...)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56453 - in data: . DLA
Author: benh
Date: 2017-10-06 13:16:07 + (Fri, 06 Oct 2017)
New Revision: 56453
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-1124-1 for dnsmasq
Modified: data/DLA/list
===
--- data/DLA/list 2017-10-06 10:16:03 UTC (rev 56452)
+++ data/DLA/list 2017-10-06 13:16:07 UTC (rev 56453)
@@ -1,3 +1,6 @@
+[06 Oct 2017] DLA-1124-1 dnsmasq - security update
+ {CVE-2017-14491 CVE-2017-14492 CVE-2017-14494}
+ [wheezy] - dnsmasq 2.62-3+deb7u4
[06 Oct 2017] DLA-1123-1 golang - security update
{CVE-2017-198}
[wheezy] - golang 2:1.0.2-1.1+deb7u1
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-10-06 10:16:03 UTC (rev 56452)
+++ data/dla-needed.txt 2017-10-06 13:16:07 UTC (rev 56453)
@@ -32,8 +32,6 @@
db4.8 (Emilio Pozuelo)
NOTE: see comments on db.
--
-dnsmasq (Ben Hutchings)
---
exiv2 (Raphaël Hertzog)
NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet,
sent email later
--
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56452 - data
Author: geissert Date: 2017-10-06 10:16:03 + (Fri, 06 Oct 2017) New Revision: 56452 Modified: data/embedded-code-copies Log: mp3gain was removed for jessie Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-10-06 10:12:47 UTC (rev 56451) +++ data/embedded-code-copies 2017-10-06 10:16:03 UTC (rev 56452) @@ -2923,7 +2923,7 @@ - jqapi (embed) lame - - mp3gain (modified-embed) + - mp3gain (modified-embed) NOTE: ancient copy, part of mpglib which was probably part of mpg123 at some point zopfli ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56451 - data/CVE
Author: carnil Date: 2017-10-06 10:12:47 + (Fri, 06 Oct 2017) New Revision: 56451 Modified: data/CVE/list Log: Add references for lame issues Modified: data/CVE/list === --- data/CVE/list 2017-10-06 10:12:02 UTC (rev 56450) +++ data/CVE/list 2017-10-06 10:12:47 UTC (rev 56451) @@ -37,10 +37,10 @@ NOTE: https://github.com/antirez/redis/issues/4278 CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow, a different ...) - lame - TODO: check + NOTE: https://sourceforge.net/p/lame/bugs/479/ CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read, a different ...) - lame - TODO: check + NOTE: https://sourceforge.net/p/lame/bugs/478/ CVE-2017-15044 RESERVED CVE-2017-15043 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56450 - data/CVE
Author: carnil Date: 2017-10-06 10:12:02 + (Fri, 06 Oct 2017) New Revision: 56450 Modified: data/CVE/list Log: Add CVE-2017-15047/redis Modified: data/CVE/list === --- data/CVE/list 2017-10-06 10:10:35 UTC (rev 56449) +++ data/CVE/list 2017-10-06 10:12:02 UTC (rev 56450) @@ -34,7 +34,7 @@ RESERVED CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows ...) - redis - TODO: check + NOTE: https://github.com/antirez/redis/issues/4278 CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow, a different ...) - lame TODO: check ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56449 - data/CVE
Author: carnil Date: 2017-10-06 10:10:35 + (Fri, 06 Oct 2017) New Revision: 56449 Modified: data/CVE/list Log: Add references for CVE-2017-15056/upx-ucl Modified: data/CVE/list === --- data/CVE/list 2017-10-06 09:20:42 UTC (rev 56448) +++ data/CVE/list 2017-10-06 10:10:35 UTC (rev 56449) @@ -14,7 +14,8 @@ RESERVED CVE-2017-15056 (p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote ...) - upx-ucl - TODO: check + NOTE: https://github.com/upx/upx/issues/128 + NOTE: https://github.com/upx/upx/commit/ef336dbcc6dc8344482f8cf6c909ae96c3286317 CVE-2017-15055 RESERVED CVE-2017-15054 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56448 - data/CVE
Author: geissert Date: 2017-10-06 09:20:42 + (Fri, 06 Oct 2017) New Revision: 56448 Modified: data/CVE/list Log: redis, upx and lame issues, NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-06 09:10:13 UTC (rev 56447) +++ data/CVE/list 2017-10-06 09:20:42 UTC (rev 56448) @@ -1,5 +1,5 @@ CVE-2017-15063 (There are CSRF vulnerabilities in Subrion CMS before 4.2.0 because of a ...) - TODO: check + NOT-FOR-US: Subrion CMS CVE-2017-15062 RESERVED CVE-2017-15061 @@ -13,6 +13,7 @@ CVE-2017-15057 RESERVED CVE-2017-15056 (p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote ...) + - upx-ucl TODO: check CVE-2017-15055 RESERVED @@ -31,10 +32,13 @@ CVE-2017-15048 RESERVED CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows ...) + - redis TODO: check CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow, a different ...) + - lame TODO: check CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read, a different ...) + - lame TODO: check CVE-2017-15044 RESERVED @@ -3017,19 +3021,19 @@ CVE-2017-13999 RESERVED CVE-2017-13998 (An Insufficiently Protected Credentials issue was discovered in LOYTEC ...) - TODO: check + NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13997 (A Missing Authentication for Critical Function issue was discovered in ...) NOT-FOR-US: Schneider CVE-2017-13996 (A Relative Path Traversal issue was discovered in LOYTEC LVIS-3ME ...) - TODO: check + NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13995 (An Improper Authentication issue was discovered in iniNet Solutions ...) NOT-FOR-US: iniNet Solutions iniNet Webserver CVE-2017-13994 (A Cross-site Scripting issue was discovered in LOYTEC LVIS-3ME versions ...) - TODO: check + NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13993 (An Uncontrolled Search Path or Element issue was discovered in i-SENS ...) NOT-FOR-US: i-SENS SmartLog Diabetes Management Software CVE-2017-13992 (An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME ...) - TODO: check + NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13991 (An information leakage vulnerability in ArcSight ESM and ArcSight ESM ...) NOT-FOR-US: ArcSight CVE-2017-13990 (An information leakage vulnerability in ArcSight ESM and ArcSight ESM ...) @@ -6729,11 +6733,11 @@ CVE-2017-12733 (A Missing Authentication for Critical Function issue was discovered in ...) NOT-FOR-US: SiteSentinel CVE-2017-12732 (A Stack-based Buffer Overflow issue was discovered in GE CIMPLICITY ...) - TODO: check + NOT-FOR-US: GE CIMPLICITY CVE-2017-12731 (A SQL Injection issue was discovered in OPW Fuel Management Systems ...) NOT-FOR-US: SiteSentinel CVE-2017-12730 (An Unquoted Search Path issue was discovered in mySCADA myPRO Versions ...) - TODO: check + NOT-FOR-US: mySCADA myPRO CVE-2017-12729 RESERVED CVE-2017-12728 (An Improper Privilege Management issue was discovered in SpiderControl ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56447 - data/CVE
Author: sectracker
Date: 2017-10-06 09:10:13 + (Fri, 06 Oct 2017)
New Revision: 56447
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-10-06 08:30:39 UTC (rev 56446)
+++ data/CVE/list 2017-10-06 09:10:13 UTC (rev 56447)
@@ -1,4 +1,46 @@
-CVE-2017-15042
+CVE-2017-15063 (There are CSRF vulnerabilities in Subrion CMS before 4.2.0
because of a ...)
+ TODO: check
+CVE-2017-15062
+ RESERVED
+CVE-2017-15061
+ RESERVED
+CVE-2017-15060
+ RESERVED
+CVE-2017-15059
+ RESERVED
+CVE-2017-15058
+ RESERVED
+CVE-2017-15057
+ RESERVED
+CVE-2017-15056 (p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows
remote ...)
+ TODO: check
+CVE-2017-15055
+ RESERVED
+CVE-2017-15054
+ RESERVED
+CVE-2017-15053
+ RESERVED
+CVE-2017-15052
+ RESERVED
+CVE-2017-15051
+ RESERVED
+CVE-2017-15050
+ RESERVED
+CVE-2017-15049
+ RESERVED
+CVE-2017-15048
+ RESERVED
+CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2
allows ...)
+ TODO: check
+CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow, a different ...)
+ TODO: check
+CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read, a different ...)
+ TODO: check
+CVE-2017-15044
+ RESERVED
+CVE-2017-15043
+ RESERVED
+CVE-2017-15042 (An unintended cleartext issue exists in Go before 1.8.4 and
1.9.x ...)
- golang-1.9 1.9.1-1
- golang-1.8 1.8.4-1
- golang-1.7
@@ -7,7 +49,7 @@
NOTE: https://golang.org/cl/68023
NOTE: https://golang.org/cl/68210
NOTE:
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
-CVE-2017-15041
+CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows go
get remote command ...)
- golang-1.9 1.9.1-1
- golang-1.8 1.8.4-1
- golang-1.7
@@ -153,6 +195,7 @@
CVE-2017-1000102 (The Details view of some Static Analysis Utilities based
plugins, was ...)
NOT-FOR-US: Jenkins plugin
CVE-2017-198 (The net/http package's Request.ParseMultipartForm method
starts ...)
+ {DLA-1123-1}
- golang-1.9 (Fixed before initial release to Debian)
- golang-1.8 (Fixed before initial release to Debian)
- golang-1.7 1.7.4-1
@@ -868,7 +911,7 @@
NOTE: for 2.x:
https://github.com/randombit/botan/commit/95df7f155570949837e8e28e733f3d59408092da
CVE-2017-14736
RESERVED
-CVE-2017-14735 (OWASP AntiSamy through 1.5.7 allows XSS via HTML5 entities, as
...)
+CVE-2017-14735 (OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as
...)
NOT-FOR-US: OWASP AntiSamy
CVE-2017-14734 (The build_msps function in libbpg.c in libbpg 0.9.7 allows
remote ...)
NOT-FOR-US: libbpg
@@ -2973,20 +3016,20 @@
NOT-FOR-US: Ctek SkyRouter
CVE-2017-13999
RESERVED
-CVE-2017-13998
- RESERVED
+CVE-2017-13998 (An Insufficiently Protected Credentials issue was discovered
in LOYTEC ...)
+ TODO: check
CVE-2017-13997 (A Missing Authentication for Critical Function issue was
discovered in ...)
NOT-FOR-US: Schneider
-CVE-2017-13996
- RESERVED
+CVE-2017-13996 (A Relative Path Traversal issue was discovered in LOYTEC
LVIS-3ME ...)
+ TODO: check
CVE-2017-13995 (An Improper Authentication issue was discovered in iniNet
Solutions ...)
NOT-FOR-US: iniNet Solutions iniNet Webserver
-CVE-2017-13994
- RESERVED
+CVE-2017-13994 (A Cross-site Scripting issue was discovered in LOYTEC LVIS-3ME
versions ...)
+ TODO: check
CVE-2017-13993 (An Uncontrolled Search Path or Element issue was discovered in
i-SENS ...)
NOT-FOR-US: i-SENS SmartLog Diabetes Management Software
-CVE-2017-13992
- RESERVED
+CVE-2017-13992 (An Insufficient Entropy issue was discovered in LOYTEC
LVIS-3ME ...)
+ TODO: check
CVE-2017-13991 (An information leakage vulnerability in ArcSight ESM and
ArcSight ESM ...)
NOT-FOR-US: ArcSight
CVE-2017-13990 (An information leakage vulnerability in ArcSight ESM and
ArcSight ESM ...)
@@ -6685,12 +6728,12 @@
NOT-FOR-US: Siemens
CVE-2017-12733 (A Missing Authentication for Critical Function issue was
discovered in ...)
NOT-FOR-US: SiteSentinel
-CVE-2017-12732
- RESERVED
+CVE-2017-12732 (A Stack-based Buffer Overflow issue was discovered in GE
CIMPLICITY ...)
+ TODO: check
CVE-2017-12731 (A SQL Injection issue was discovered in OPW Fuel Management
Systems ...)
NOT-FOR-US: SiteSentinel
-CVE-2017-12730
- RESERVED
+CVE-2017-12730 (An Unquoted Search Path issue was discovered in mySCADA myPRO
Versions ...)
+ TODO: check
CVE-2017-12729
RESERVED
CVE-2017-12728 (An Improper Privilege Management issue was discovered in
SpiderControl ...)
___
Secure-testing-commits
[Secure-testing-commits] r56446 - data/CVE
Author: jmm Date: 2017-10-06 08:30:39 + (Fri, 06 Oct 2017) New Revision: 56446 Modified: data/CVE/list Log: NFUs (concludes external check) Modified: data/CVE/list === --- data/CVE/list 2017-10-06 07:56:45 UTC (rev 56445) +++ data/CVE/list 2017-10-06 08:30:39 UTC (rev 56446) @@ -552,6 +552,7 @@ RESERVED CVE-2017-14868 RESERVED + - restlet (bug #596472) CVE-2017-14866 (There is a heap-based buffer overflow in the Exiv2::s2Data function of ...) - exiv2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494781 @@ -8065,6 +8066,7 @@ RESERVED CVE-2017-12175 RESERVED + NOT-FOR-US: Red Hat Satellite CVE-2017-12174 RESERVED CVE-2017-12173 [unsanitized input when searching in local cache database] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56445 - data/CVE
Author: carnil Date: 2017-10-06 07:56:45 + (Fri, 06 Oct 2017) New Revision: 56445 Modified: data/CVE/list Log: Add CVE-2017-15038/qemu for tracking Modified: data/CVE/list === --- data/CVE/list 2017-10-06 07:50:20 UTC (rev 56444) +++ data/CVE/list 2017-10-06 07:56:45 UTC (rev 56445) @@ -20,8 +20,11 @@ RESERVED CVE-2017-15039 RESERVED -CVE-2017-15038 +CVE-2017-15038 [Qemu: 9p: virtfs: information disclosure when reading extended attributes] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html CVE-2017-15037 (In FreeBSD through 11.1, the smb_strdupin function in ...) TODO: check CVE-2017-15036 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56444 - in data: . DLA
Author: lamby
Date: 2017-10-06 07:50:20 + (Fri, 06 Oct 2017)
New Revision: 56444
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-1123-1 for golang.
Modified: data/DLA/list
===
--- data/DLA/list 2017-10-06 07:45:41 UTC (rev 56443)
+++ data/DLA/list 2017-10-06 07:50:20 UTC (rev 56444)
@@ -1,3 +1,6 @@
+[06 Oct 2017] DLA-1123-1 golang - security update
+ {CVE-2017-198}
+ [wheezy] - golang 2:1.0.2-1.1+deb7u1
[05 Oct 2017] DLA-1122-1 asterisk - security update
{CVE-2017-14100}
[wheezy] - asterisk 1:1.8.13.1~dfsg1-3+deb7u7
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-10-06 07:45:41 UTC (rev 56443)
+++ data/dla-needed.txt 2017-10-06 07:50:20 UTC (rev 56444)
@@ -41,8 +41,6 @@
NOTE: The upstream patch modifies some ssh modules that are not present in
NOTE: wheezy version. Confirmed affected: 87y3p0ozap@curie.anarc.at
--
-golang (Chris Lamb)
---
graphicsmagick (Brian May)
--
imagemagick (Roberto C. Sánchez)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56443 - data/CVE
Author: carnil Date: 2017-10-06 07:45:41 + (Fri, 06 Oct 2017) New Revision: 56443 Modified: data/CVE/list Log: Track source packages for golang issues Modified: data/CVE/list === --- data/CVE/list 2017-10-06 07:42:51 UTC (rev 56442) +++ data/CVE/list 2017-10-06 07:45:41 UTC (rev 56443) @@ -1,11 +1,17 @@ CVE-2017-15042 - - golang + - golang-1.9 1.9.1-1 + - golang-1.8 1.8.4-1 + - golang-1.7 + - golang NOTE: https://github.com/golang/go/issues/22134 NOTE: https://golang.org/cl/68023 NOTE: https://golang.org/cl/68210 NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15041 - - golang + - golang-1.9 1.9.1-1 + - golang-1.8 1.8.4-1 + - golang-1.7 + - golang NOTE: https://github.com/golang/go/issues/22125 NOTE: https://golang.org/cl/68022 NOTE: https://golang.org/cl/68190 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56442 - data
Author: lamby Date: 2017-10-06 07:42:51 + (Fri, 06 Oct 2017) New Revision: 56442 Modified: data/dla-needed.txt Log: Claim golang in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-06 07:33:15 UTC (rev 56441) +++ data/dla-needed.txt 2017-10-06 07:42:51 UTC (rev 56442) @@ -41,6 +41,8 @@ NOTE: The upstream patch modifies some ssh modules that are not present in NOTE: wheezy version. Confirmed affected: 87y3p0ozap@curie.anarc.at -- +golang (Chris Lamb) +-- graphicsmagick (Brian May) -- imagemagick (Roberto C. Sánchez) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56441 - data/CVE
Author: jmm Date: 2017-10-06 07:33:15 + (Fri, 06 Oct 2017) New Revision: 56441 Modified: data/CVE/list Log: mark as , but needs further check whether that old version is actually affected Modified: data/CVE/list === --- data/CVE/list 2017-10-06 06:06:02 UTC (rev 56440) +++ data/CVE/list 2017-10-06 07:33:15 UTC (rev 56441) @@ -8147,7 +8147,7 @@ - samba 2:4.6.7+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-12150.html CVE-2017-12149 (In Jboss Application Server as shipped with Red Hat Enterprise ...) - TODO: check, maybe in jbossas4 + - jbossas4 CVE-2017-12148 RESERVED NOT-FOR-US: Ansible Tower ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r56440 - data/CVE
Author: fgeek-guest Date: 2017-10-06 06:06:02 + (Fri, 06 Oct 2017) New Revision: 56440 Modified: data/CVE/list Log: CVE-2017-15041, CVE-2017-15042 Modified: data/CVE/list === --- data/CVE/list 2017-10-06 04:32:50 UTC (rev 56439) +++ data/CVE/list 2017-10-06 06:06:02 UTC (rev 56440) @@ -1,3 +1,15 @@ +CVE-2017-15042 + - golang + NOTE: https://github.com/golang/go/issues/22134 + NOTE: https://golang.org/cl/68023 + NOTE: https://golang.org/cl/68210 + NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ +CVE-2017-15041 + - golang + NOTE: https://github.com/golang/go/issues/22125 + NOTE: https://golang.org/cl/68022 + NOTE: https://golang.org/cl/68190 + NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15040 RESERVED CVE-2017-15039 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
