[Secure-testing-commits] r57191 - data/CVE
Author: carnil Date: 2017-11-01 05:34:38 + (Wed, 01 Nov 2017) New Revision: 57191 Modified: data/CVE/list Log: CVE assigned for libcatalyst-plugin-static-simple-perl Modified: data/CVE/list === --- data/CVE/list 2017-11-01 05:27:13 UTC (rev 57190) +++ data/CVE/list 2017-11-01 05:34:38 UTC (rev 57191) @@ -8,7 +8,7 @@ CVE-2017-1000382 (VIM version 8.0.1187 (and other versions most likely) ignores umask ...) - vim NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15 -CVE-2017- [leaks files without extention, inadvertently] +CVE-2017-16248 [leaks files without extention, inadvertently] - libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558 CVE-2017-16241 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
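Review bot: the bracketed placeholder kept on the `+CVE-2017-16248 [leaks files without extention, inadvertently]` line still misspells "extension"; only the identifier changed in this hunk, so fix the spelling now, because the local text stays in the file until MITRE's published description replaces it (as r57177 on this page did for the libvirt entry). The rest of the entry (package, fixed version 0.34-1, bug #880458, the rt.cpan.org link) is consistent with the earlier `CVE-2017-` placeholder.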
[Secure-testing-commits] r57190 - data/CVE
Author: carnil Date: 2017-11-01 05:27:13 + (Wed, 01 Nov 2017) New Revision: 57190 Modified: data/CVE/list Log: CVE-2014-8184 reported upstream Modified: data/CVE/list === --- data/CVE/list 2017-10-31 23:28:50 UTC (rev 57189) +++ data/CVE/list 2017-11-01 05:27:13 UTC (rev 57190) @@ -107105,6 +107105,7 @@ CVE-2014-8184 [stack-based buffer overflow in findTable()] RESERVED - liblouis + NOTE: https://github.com/liblouis/liblouis/issues/425 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701 CVE-2014-8183 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
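Review bot: the added `NOTE: https://github.com/liblouis/liblouis/issues/425` links an upstream issue, not a fix, so the CVE-2014-8184 entry still gives no indication whether a fix exists, and the package line `- liblouis` carries neither a fixed version nor a severity. When upstream commits a fix, add the commit URL as a further NOTE and record the fixed Debian version; given the description "stack-based buffer overflow in findTable()", a severity marker is worth recording rather than leaving the entry bare. Keeping the Red Hat bugzilla NOTE next to it is fine.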
[Secure-testing-commits] r57188 - data/CVE
Author: apo Date: 2017-10-31 23:22:43 + (Tue, 31 Oct 2017) New Revision: 57188 Modified: data/CVE/list Log: CVE-2013-4366,httpcomponents-client: Wheezy is not affected The vulnerable code is not present in 4.1.x. Modified: data/CVE/list === --- data/CVE/list 2017-10-31 23:07:08 UTC (rev 57187) +++ data/CVE/list 2017-10-31 23:22:43 UTC (rev 57188) @@ -135999,6 +135999,7 @@ NOT-FOR-US: ovirt CVE-2013-4366 (http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x ...) - httpcomponents-client 4.3.2-1 + [wheezy] - httpcomponents-client (vulnerable code not present) NOTE: http://svn.apache.org/r1528614 CVE-2013-4365 (Heap-based buffer overflow in the fcgid_header_bucket_read function in ...) {DSA-2778-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
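Review bot: the reason text in `+ [wheezy] - httpcomponents-client (vulnerable code not present)` is lower-case, whereas the rest of the file uses the capitalised form `(Vulnerable code not present)` (see the imagemagick entries in r57181 on this page); people and scripts grep for the exact phrase, so match the existing spelling. The log's justification (the affected HttpClientBuilder code is absent from the 4.1.x series) is sufficient, and the `svn.apache.org/r1528614` NOTE remains as the reference.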
[Secure-testing-commits] r57186 - in data: . CVE
Author: apo Date: 2017-10-31 23:01:41 + (Tue, 31 Oct 2017) New Revision: 57186 Modified: data/CVE/list data/dla-needed.txt Log: Mark jbossas4 as end-of-life for Wheezy. Remove the package from dla-needed.txt. It is obsolete. The JBoss Application Server was also never completely packaged. Modified: data/CVE/list === --- data/CVE/list 2017-10-31 22:09:06 UTC (rev 57185) +++ data/CVE/list 2017-10-31 23:01:41 UTC (rev 57186) @@ -11640,6 +11640,7 @@ NOTE: https://www.samba.org/samba/security/CVE-2017-12150.html CVE-2017-12149 (In Jboss Application Server as shipped with Red Hat Enterprise ...) - jbossas4 + [wheezy] - jbossas4 (incomplete packaging, 4.x series released more than nine years ago.) CVE-2017-12148 RESERVED NOT-FOR-US: Ansible Tower Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-31 22:09:06 UTC (rev 57185) +++ data/dla-needed.txt 2017-10-31 23:01:41 UTC (rev 57186) @@ -21,8 +21,6 @@ jasperreports NOTE: 20171031: No details available. Asked upstream for clarification. -- -jbossas4 --- lame (Hugo Lefeuvre) NOTE: Couldn't reproduce CVE-2017-{69-72}. Wait for next upstream release 3.100 ? NOTE: https://lists.debian.org/debian-lts/2017/09/msg00082.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
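Review bot: the reason string in `+ [wheezy] - jbossas4 (incomplete packaging, 4.x series released more than nine years ago.)` ends with a full stop inside the parentheses, which no other annotation in this file does; drop it so the line matches entries such as `(Vulnerable code not present)`. The log says the package is being marked end-of-life for wheezy, so the reason text should state that outcome as well as the justification, so a reader of the CVE entry alone sees the decision. The second hunk's removal of `jbossas4` from dla-needed.txt follows from that decision and is consistent.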
[Secure-testing-commits] r57183 - data/CVE
Author: apo Date: 2017-10-31 21:54:23 + (Tue, 31 Oct 2017) New Revision: 57183 Modified: data/CVE/list Log: Add bug number for jasperreports issues. Modified: data/CVE/list === --- data/CVE/list 2017-10-31 21:52:24 UTC (rev 57182) +++ data/CVE/list 2017-10-31 21:54:23 UTC (rev 57183) @@ -3591,7 +3591,7 @@ CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the ...) NOT-FOR-US: Intelbras WRN 150 devices CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure ...) - - jasperreports + - jasperreports (bug #880467) NOTE: https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941 CVE-2017-14940 (scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) ...) - binutils @@ -31901,10 +31901,10 @@ CVE-2017-5530 RESERVED CVE-2017-5529 (JasperReports library components contain an information disclosure ...) - - jasperreports + - jasperreports (bug #880467) NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0 CVE-2017-5528 (Multiple JasperReports Server components contain vulnerabilities ...) - - jasperreports + - jasperreports (bug #880467) NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017 CVE-2017-5527 (TIBCO Spotfire Server 7.0.X before 7.0.2, 7.5.x before 7.5.1, 7.6.x ...) NOT-FOR-US: TIBCO Spotfire Server ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
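Review bot: all three jasperreports entries (CVE-2017-14941, CVE-2017-5529, CVE-2017-5528) now point at the single bug #880467; that is only accurate if that report names all three identifiers, otherwise the tracker's bug cross-links mislead and the report should be split. Each entry also remains `- jasperreports` with no fixed version and no severity marker; with descriptions of "saved credential disclosure" and "information disclosure", and the package claimed in dla-needed.txt (r57161 on this page), recording a severity would help prioritise the work.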
[Secure-testing-commits] r57182 - data/CVE
Author: jmm Date: 2017-10-31 21:52:24 + (Tue, 31 Oct 2017) New Revision: 57182 Modified: data/CVE/list Log: two openjpeg issues n/a for jessie Modified: data/CVE/list === --- data/CVE/list 2017-10-31 21:41:42 UTC (rev 57181) +++ data/CVE/list 2017-10-31 21:52:24 UTC (rev 57182) @@ -5858,6 +5858,7 @@ NOTE: to not make openjpeg2 vulnerable to CVE-2017-14164. CVE-2017-14151 (An off-by-one error was discovered in ...) - openjpeg2 2.3.0-1 (bug #874430) + [jessie] - openjpeg2 (Vulnerable code introduced later, see #874430) NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_mqc_flush-mqc-c/ NOTE: https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9 NOTE: https://github.com/uclouvain/openjpeg/issues/982 @@ -6900,6 +6901,7 @@ NOTE: https://github.com/uclouvain/openjpeg/issues/792 CVE-2016-10504 (Heap-based buffer overflow vulnerability in the opj_mqc_byteout ...) - openjpeg2 2.2.0-1 (bug #874113) + [jessie] - openjpeg2 (Vulnerable code introduced later, see #874113) NOTE: https://github.com/uclouvain/openjpeg/commit/397f62c0a838e15d667ef50e27d5d011d2c79c04 NOTE: https://github.com/uclouvain/openjpeg/issues/835 CVE-2017-13753 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
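Review bot: the two added jessie annotations `(Vulnerable code introduced later, see #874430)` and `(Vulnerable code introduced later, see #874113)` put the evidence behind a bug reference only; the NOTEs directly below each entry already list the upstream fix commits, so adding the upstream commit or release that introduced the affected code (or the openjpeg2 version jessie ships) to the reason text would let the not-applicable claim be checked without opening the bug. The second hunk's new-side offset (`+6901` after the one-line insertion in the first hunk) is consistent.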
[Secure-testing-commits] r57181 - data/CVE
Author: jmm Date: 2017-10-31 21:41:42 + (Tue, 31 Oct 2017) New Revision: 57181 Modified: data/CVE/list Log: NFU several im issues unimportant Modified: data/CVE/list === --- data/CVE/list 2017-10-31 21:20:23 UTC (rev 57180) +++ data/CVE/list 2017-10-31 21:41:42 UTC (rev 57181) @@ -10277,7 +10277,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/571 CVE-2017-12668 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage in ...) {DLA-1081-1} - - imagemagick 8:6.9.7.4+dfsg-16 (bug #870489) + - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870489) NOTE: https://github.com/ImageMagick/ImageMagick/issues/575 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ba8f335fa06daf1165e0878462686028e633a74 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/560e6e512961008938aa1d1b9aab06347b1c8f9b @@ -10285,7 +10285,7 @@ - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870015) NOTE: https://github.com/ImageMagick/ImageMagick/issues/553 CVE-2017-12666 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteINLINEImage ...) - - imagemagick 8:6.9.7.4+dfsg-16 (bug #870482) + - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870482) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/572 @@ -10293,7 +10293,7 @@ NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/45aeda5da9eb328689afc221fa3b7dfa5cdea54d CVE-2017-12665 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePICTImage ...) {DLA-1081-1} - - imagemagick 8:6.9.7.4+dfsg-16 (bug #870501) + - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870501) NOTE: https://github.com/ImageMagick/ImageMagick/issues/577 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c1b09bbec148f6ae11d0b686fdb89ac6dc0ab14e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/859084b4fd966ac007965c3d85caabccd8aee9b4 
@@ -10349,11 +10349,11 @@ NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9f375e7080a2c1044cd546854d0548b4bfb429d0 CVE-2017-12642 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMPCImage in ...) {DLA-1081-1} - - imagemagick 8:6.9.7.4+dfsg-13 (bug #869796) + - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869796) NOTE: https://github.com/ImageMagick/ImageMagick/issues/552 CVE-2017-12641 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadOneJNGImage ...) {DLA-1081-1} - - imagemagick 8:6.9.7.4+dfsg-15 (bug #870108) + - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870108) NOTE: https://github.com/ImageMagick/ImageMagick/issues/550 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3320955045e5a2a22c13a04fa9422bb809e75eda CVE-2017-12640 (ImageMagick 7.0.6-1 has an out-of-bounds read vulnerability in ...) @@ -10396,6 +10396,7 @@ RESERVED CVE-2017-12625 RESERVED + NOT-FOR-US: Apache Hive CVE-2017-12624 RESERVED CVE-2017-12623 (An authorized user could upload a template which contained malicious ...) 
@@ -10578,19 +10579,19 @@ NOT-FOR-US: Quest KACE Asset Management Appliance CVE-2017-12566 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the ...) {DLA-1081-1} - - imagemagick 8:6.9.7.4+dfsg-16 (bug #870503) + - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870503) NOTE: https://github.com/ImageMagick/ImageMagick/issues/603 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2477eacf09d3a26efe814590a5dbbe1efd16764f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/27b3b9ca5cfb7b8935852cf315abc005ea7c1e16 CVE-2017-12565 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the ...) {DLA-1081-1} - - imagemagick 8:6.9.7.4+dfsg-15 (bug #870115) + - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870115) NOTE: https://github.com/ImageMagick/ImageMagick/issues/602 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e0e544bb173213df00f82a810d66321e1bb4f3c8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4d0ac66c9778faebd2d1fac7140462b043626458 CVE-2017-12564 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the ...) {DLA-1081-1} - - imagemagick 8:6.9.7.4+dfsg-14 (bug #870017) + - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870017) NOTE: https://github.com/ImageMagick/ImageMagick/issues/601 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ff3faa31166439d81b72de22daea2b6404569137 NOTE: ImageMagick-6:
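Review bot: the log "NFU several im issues unimportant" mixes two unrelated changes, the `+ NOT-FOR-US: Apache Hive` line for CVE-2017-12625 and the severity downgrade of the ImageMagick memory-leak entries (CVE-2017-12668, -12666, -12665, -12642, -12641, -12566, -12565, -12564); separate commits would make each easier to audit. None of the downgraded entries gains a NOTE saying why the rating is now "unimportant", and several of them carry `{DLA-1081-1}`, meaning wheezy already shipped a fix for them; a one-line rationale would explain why the same issues are treated differently from now on. The CVE-2017-12666 hunk is consistent with its existing `(Vulnerable code not present)` lines for jessie and wheezy.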
[Secure-testing-commits] r57179 - data/CVE
Author: carnil Date: 2017-10-31 21:20:12 + (Tue, 31 Oct 2017) New Revision: 57179 Modified: data/CVE/list Log: Process NFU Modified: data/CVE/list === --- data/CVE/list 2017-10-31 21:14:30 UTC (rev 57178) +++ data/CVE/list 2017-10-31 21:20:12 UTC (rev 57179) @@ -30,7 +30,7 @@ CVE-2017-16233 RESERVED CVE-2016-10699 (D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS ...) - TODO: check + NOT-FOR-US: D-Link devices CVE-2015-9245 (Insecure default configuration in Progress Software OpenEdge 10.2x and ...) TODO: check CVE-2017-16232 @@ -1013,7 +1013,7 @@ [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/363b02dab09b3226f3bd1420dad9c72b79a42a76 (v4.14-rc6) CVE-2017-15950 (Flexense SyncBreeze Enterprise version 10.1.16 is vulnerable to a ...) - TODO: check + NOT-FOR-US: Flexense SyncBreeze CVE-2017-15949 (Xavier PHP Management Panel 2.4 allows SQL injection via the usertoedit ...) NOT-FOR-US: Xavier PHP Management Panel CVE-2017-15948 (Perch Content Management System 3.0.3 allows unrestricted file upload ...) @@ -5239,11 +5239,11 @@ CVE-2017-14359 RESERVED CVE-2017-14358 (A URL redirection to untrusted site vulnerability in HP ArcSight ESM ...) - TODO: check + NOT-FOR-US: HP ArcSight CVE-2017-14357 (A Reflected and Stored Cross-Site Scripting (XSS) vulnerability in HP ...) - TODO: check + NOT-FOR-US: HP ArcSight CVE-2017-14356 (An SQL Injection vulnerability in HP ArcSight ESM and HP ArcSight ESM ...) - TODO: check + NOT-FOR-US: HP ArcSight CVE-2017-14355 RESERVED CVE-2017-14354 (A remote cross-site scripting vulnerability in HP UCMDB Foundation ...) @@ -5533,7 +5533,7 @@ - typo3-src [wheezy] - typo3-src (Not supported in Wheezy LTS) CVE-2017-14250 (In TP-LINK TL-WR741N / TL-WR741ND 150M Wireless Lite N Router with ...) - TODO: check + NOT-FOR-US: TP-LINK Router CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in ...) {DLA-1131-1} - imagemagick (low; bug #876099) 
@@ -15244,7 +15244,7 @@ CVE-2017-10955 (** DISPUTED ** This vulnerability allows remote attackers to execute ...) NOT-FOR-US: EMC CVE-2017-10954 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Bitdefender Internet Security Internet Security 2018 CVE-2017-10953 (This vulnerability allows remote attackers to execute arbitrary code ...) TODO: check CVE-2017-10952 (This vulnerability allows remote attackers to execute arbitrary code ...) @@ -36298,9 +36298,9 @@ CVE-2017-3935 (Network Data Loss Prevention is vulnerable to MIME type sniffing which ...) TODO: check CVE-2017-3934 (Missing HTTP Strict Transport Security state information vulnerability ...) - TODO: check + NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3933 (Embedding Script (XSS) in HTTP Headers vulnerability in McAfee Network ...) - TODO: check + NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3932 RESERVED CVE-2017-3931 @@ -48018,7 +48018,7 @@ CVE-2016-9098 REJECTED CVE-2016-9097 (The Symantec Advanced Secure Gateway (ASG) 6.6 prior to 6.6.5.8, ...) - TODO: check + NOT-FOR-US: Symantec CVE-2016-9096 REJECTED CVE-2016-9095 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
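Review bot: `+ NOT-FOR-US: Bitdefender Internet Security Internet Security 2018` repeats "Internet Security"; it should read "Bitdefender Internet Security 2018". In the same hunk, CVE-2017-10953 and CVE-2017-10952 carry the identical "This vulnerability allows remote attackers to execute arbitrary code ..." description yet stay at `TODO: check`; if they come from the same advisory as CVE-2017-10954 they can be processed together, otherwise a NOTE on why they remain open would help the next triager. The other NOT-FOR-US lines match their descriptions; `NOT-FOR-US: TP-LINK Router` could name the model (TL-WR741N / TL-WR741ND) as the description does, for consistency with the entries that name the product.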
[Secure-testing-commits] r57177 - data/CVE
Author: sectracker Date: 2017-10-31 21:10:19 + (Tue, 31 Oct 2017) New Revision: 57177 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-10-31 20:37:37 UTC (rev 57176) +++ data/CVE/list 2017-10-31 21:10:19 UTC (rev 57177) @@ -1,9 +1,11 @@ -CVE-2017-1000383 +CVE-2017-16242 + RESERVED +CVE-2017-1000383 (GNU Emacs version 25.3.1 (and other versions most likely) ignores ...) - emacs25 - emacs24 - emacs23 NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15 -CVE-2017-1000382 +CVE-2017-1000382 (VIM version 8.0.1187 (and other versions most likely) ignores umask ...) - vim NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15 CVE-2017- [leaks files without extention, inadvertently] @@ -48,7 +50,7 @@ NOTE: This is similar class of issue as for CVE-2017-1000117/git NOTE: But needs a separate CVE since different codebasis. CVE-2017-16227 (The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 ...) - {DSA-4011-1} + {DSA-4011-1 DLA-1152-1} - quagga (bug #879474) NOTE: https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html NOTE: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008 @@ -1010,8 +1012,8 @@ [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/363b02dab09b3226f3bd1420dad9c72b79a42a76 (v4.14-rc6) -CVE-2017-15950 - RESERVED +CVE-2017-15950 (Flexense SyncBreeze Enterprise version 10.1.16 is vulnerable to a ...) + TODO: check CVE-2017-15949 (Xavier PHP Management Panel 2.4 allows SQL injection via the usertoedit ...) NOT-FOR-US: Xavier PHP Management Panel CVE-2017-15948 (Perch Content Management System 3.0.3 allows unrestricted file upload ...) 
@@ -1068,6 +1070,7 @@ NOTE: https://github.com/radare/radare2/commit/c6d0076c924891ad9948a62d89d0bcdaf965f0cd NOTE: https://github.com/radare/radare2/issues/8731 CVE-2017-15930 (In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null ...) + {DLA-1154-1} - graphicsmagick 1.3.26-16 (bug #87) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=6fc54b6d2be8 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=da135eaedc3b @@ -1174,8 +1177,8 @@ RESERVED CVE-2017-15885 (Reflected XSS in the web administration portal on the Axis 2100 Network ...) NOT-FOR-US: Axis -CVE-2017-15884 - RESERVED +CVE-2017-15884 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) + TODO: check CVE-2017-15883 RESERVED CVE-2017-15882 (The London Trust Media Private Internet Access (PIA) application before ...) @@ -2594,8 +2597,7 @@ [stretch] - linux 4.9.47-1 [wheezy] - linux 3.2.93-1 NOTE: Fixed by: https://git.kernel.org/linus/5649645d725c73df4302428ee4e02c869248b4c5 (4.12-rc5) -CVE-2017-15273 - RESERVED +CVE-2017-15273 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before ...) - mahara NOTE: https://mahara.org/interaction/forum/topic.php?id=8081 CVE-2017-15272 @@ -3129,8 +3131,7 @@ {DSA-4007-1 DLA-1143-1} - curl 7.56.1-1 NOTE: https://curl.haxx.se/docs/adv_20171023.html -CVE-2017-1000256 [LSN-2017-0002: TLS certificate verification disabled for clients] - RESERVED +CVE-2017-1000256 (libvirt version 2.3.0 and later is vulnerable to a bad default ...) {DSA-4003-1} - libvirt 3.8.0-3 (bug #878799) [jessie] - libvirt (Vulnerable code introduced later) 
@@ -3450,7 +3451,7 @@ CVE-2017-14758 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) NOT-FOR-US: EMC CVE-2017-14990 (WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but ...) - {DSA-3997-1} + {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-2 (bug #877629) NOTE: https://core.trac.wordpress.org/ticket/38474 CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ...) @@ -4098,8 +4099,7 @@ NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14753 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) NOT-FOR-US: EyesOfNetwork (EON) -CVE-2017-14752 - RESERVED +CVE-2017-14752 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before ...) - mahara NOTE: https://mahara.org/interaction/forum/topic.php?id=8083 CVE-2017-14751 (The Intense WP WP Jobs plugin 1.5 for WordPress has XSS, related to ...) @@ -4197,7 +4197,7 @@ [wheezy] - wordpress (Vulnerable code not present) NOTE:
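Review bot: the hunk at `@@ -3129,8 +3131,7 @@` replaces `CVE-2017-1000256 [LSN-2017-0002: TLS certificate verification disabled for clients]` with MITRE's description and drops the LSN-2017-0002 reference with it; that libvirt security notice identifier is the most useful pointer in the entry, so re-add it as a NOTE below the `{DSA-4003-1}` line. The same pattern applies to CVE-2017-1000383 and CVE-2017-1000382, which had no bracketed text, so nothing is lost there; the added `{DLA-1154-1}` and `{DLA-1151-1}` references match the DLA/list entries visible in r57170 and r57163 on this page. Also, the CVE-2017-15930 context line reads `graphicsmagick 1.3.26-16 (bug #87)`, which looks like a truncated bug number and should be verified in the file.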
[Secure-testing-commits] r57176 - data/CVE
Author: carnil Date: 2017-10-31 20:37:37 + (Tue, 31 Oct 2017) New Revision: 57176 Modified: data/CVE/list Log: Add vim and emacs entries Modified: data/CVE/list === --- data/CVE/list 2017-10-31 20:25:42 UTC (rev 57175) +++ data/CVE/list 2017-10-31 20:37:37 UTC (rev 57176) @@ -1,3 +1,11 @@ +CVE-2017-1000383 + - emacs25 + - emacs24 + - emacs23 + NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15 +CVE-2017-1000382 + - vim + NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15 CVE-2017- [leaks files without extention, inadvertently] - libcatalyst-plugin-static-simple-perl (bug #880458) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
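Review bot: the new `+CVE-2017-1000383` (emacs25, emacs24, emacs23) and `+CVE-2017-1000382` (vim) entries carry neither a bracketed summary nor a severity, unlike the `CVE-2017- [leaks files without extention, inadvertently]` placeholder directly below them; until the published descriptions arrive (r57177 on this page shows them as "ignores umask"), a short bracketed summary of the umask issue from the oss-security thread would let triagers understand the entries without following the link. The three emacs source packages are listed without versions, i.e. all treated as unfixed; check that each is still in a supported suite before keeping the line.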
[Secure-testing-commits] r57171 - in data: . DLA
Author: pochu Date: 2017-10-31 18:32:58 + (Tue, 31 Oct 2017) New Revision: 57171 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1155-1 for tzdata Modified: data/DLA/list === --- data/DLA/list 2017-10-31 17:14:39 UTC (rev 57170) +++ data/DLA/list 2017-10-31 18:32:58 UTC (rev 57171) @@ -1,3 +1,5 @@ +[31 Oct 2017] DLA-1155-1 tzdata - security update + [wheezy] - tzdata 2017c-0+deb7u1 [31 Oct 2017] DLA-1154-1 graphicsmagick - security update {CVE-2017-15930} [wheezy] - graphicsmagick 1.3.16-1.1+deb7u12 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-31 17:14:39 UTC (rev 57170) +++ data/dla-needed.txt 2017-10-31 18:32:58 UTC (rev 57171) @@ -129,8 +129,6 @@ -- tomcat7 (Roberto C. Sánchez) -- -tzdata (Emilio Pozuelo) --- wireshark (Thorsten Alteholz) NOTE: 2017-08-28: Contacted maintainer since most NOTE: issues affect Jessie/Stretch as well ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57170 - in data: . DLA
Author: anarcat Date: 2017-10-31 17:14:39 + (Tue, 31 Oct 2017) New Revision: 57170 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1154-1 for graphicsmagick Modified: data/DLA/list === --- data/DLA/list 2017-10-31 16:48:46 UTC (rev 57169) +++ data/DLA/list 2017-10-31 17:14:39 UTC (rev 57170) @@ -1,3 +1,6 @@ +[31 Oct 2017] DLA-1154-1 graphicsmagick - security update + {CVE-2017-15930} + [wheezy] - graphicsmagick 1.3.16-1.1+deb7u12 [31 Oct 2017] DLA-1153-1 thunderbird - security update {CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814 CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824} [wheezy] - thunderbird 1:52.4.0-1~deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-31 16:48:46 UTC (rev 57169) +++ data/dla-needed.txt 2017-10-31 17:14:39 UTC (rev 57170) @@ -14,8 +14,6 @@ NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org NOTE: 20171013: anarcat pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at -- -graphicsmagick (anarcat) --- icedove (Guido Günther) -- irssi (Rhonda D'Vine) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57169 - data/CVE
Author: pochu Date: 2017-10-31 16:48:46 + (Tue, 31 Oct 2017) New Revision: 57169 Modified: data/CVE/list Log: dulwich no-dsa on wheezy Modified: data/CVE/list === --- data/CVE/list 2017-10-31 16:42:49 UTC (rev 57168) +++ data/CVE/list 2017-10-31 16:48:46 UTC (rev 57169) @@ -32,6 +32,7 @@ - dulwich 0.18.5-1 [stretch] - dulwich (Minor issue) [jessie] - dulwich (Minor issue) + [wheezy] - dulwich (Minor issue) NOTE: https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/ NOTE: This is similar class of issue as for CVE-2017-1000117/git NOTE: But needs a separate CVE since different codebasis. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
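Review bot: the added `+ [wheezy] - dulwich (Minor issue)` line matches the stretch and jessie annotations above it and needs no change; while touching this entry, the context NOTE "since different codebasis" should read "since it is a different code base".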
[Secure-testing-commits] r57168 - in data: . CVE
Author: pochu Date: 2017-10-31 16:42:49 + (Tue, 31 Oct 2017) New Revision: 57168 Modified: data/CVE/list data/dla-needed.txt Log: ruby-passenger no-dsa on wheezy too, minor issue and risk or regressions Modified: data/CVE/list === --- data/CVE/list 2017-10-31 16:42:11 UTC (rev 57167) +++ data/CVE/list 2017-10-31 16:42:49 UTC (rev 57168) @@ -81053,6 +81053,7 @@ - passenger 5.0.22-1 (bug #807354) - ruby-passenger (bug #864651) [jessie] - ruby-passenger (Minor issue) + [wheezy] - ruby-passenger (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=956281 NOTE: https://github.com/phusion/passenger/commit/c04590871ca0878d4d3ac1220c5a554b049056b4 (4.x) NOTE: https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e (5.x) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-31 16:42:11 UTC (rev 57167) +++ data/dla-needed.txt 2017-10-31 16:42:49 UTC (rev 57168) @@ -103,9 +103,6 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- -ruby-passenger - NOTE: 20170812: I think this is ext/nginx/ContentHandler.c in create_request. (lamby) --- ruby1.9.1 (Lucas Kanashiro) -- rubygems (Lucas Kanashiro) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
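Review bot: the dla-needed.txt hunk removes not only `ruby-passenger` but also lamby's analysis line `NOTE: 20170812: I think this is ext/nginx/ContentHandler.c in create_request.`, and nothing in the CVE/list hunk carries that pointer over; add it as a NOTE on the CVE entry (next to the two phusion/passenger commit links) before deleting it, since it records where the issue was located in the code. The `+ [wheezy] - ruby-passenger (Minor issue)` line itself mirrors the jessie annotation above it and is consistent with the log.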
[Secure-testing-commits] r57166 - data/CVE
Author: pochu Date: 2017-10-31 16:25:15 + (Tue, 31 Oct 2017) New Revision: 57166 Modified: data/CVE/list Log: glibc no-dsa on wheezy Modified: data/CVE/list === --- data/CVE/list 2017-10-31 16:11:44 UTC (rev 57165) +++ data/CVE/list 2017-10-31 16:25:15 UTC (rev 57166) @@ -1345,7 +1345,8 @@ - glibc (low; bug #879955) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - - eglibc + - eglibc (low; bug #879955) + [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22332 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 CVE-2017-15803 (XnView Classic for Windows Version 2.43 allows attackers to cause a ...) @@ -1626,14 +1627,16 @@ - glibc (low; bug #879500) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - - eglibc + - eglibc (low; bug #879500) + [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22325 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c66c908230169c1bab1f83b071eb585baa214b9f CVE-2017-15670 (The GNU C Library (aka glibc or libc6) before 2.27 contains an ...) - glibc (low; bug #879501) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - - eglibc + - eglibc (low; bug #879501) + [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22320 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c369d66e5426a30e4725b100d5cd28e372754f90 (master) NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a76376df7c07e577a9515c3faa5dbd50bda5da07 (release/2.26/master) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
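Review bot: each `- eglibc (low; bug #N)` line now copies the bug number from its glibc counterpart (#879955, #879500, #879501); that is right only if those reports cover both source packages, so make sure each bug mentions eglibc, otherwise the wheezy entries will not be found from the bug side. The three `+ [wheezy] - eglibc (Minor issue)` lines follow the stretch and jessie annotations above them and match the log.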
[Secure-testing-commits] r57165 - data/DLA
Author: carnil Date: 2017-10-31 16:11:44 + (Tue, 31 Oct 2017) New Revision: 57165 Modified: data/DLA/list Log: Remove CVE-2017-7825, CVE is only Mac OS X specific for thunderbird Modified: data/DLA/list === --- data/DLA/list 2017-10-31 15:59:07 UTC (rev 57164) +++ data/DLA/list 2017-10-31 16:11:44 UTC (rev 57165) @@ -1,5 +1,5 @@ [31 Oct 2017] DLA-1153-1 thunderbird - security update - {CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814 CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824 CVE-2017-7825} + {CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814 CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824} [wheezy] - thunderbird 1:52.4.0-1~deb7u1 [31 Oct 2017] DLA-1152-1 quagga - security update {CVE-2017-16227} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
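Review bot: dropping CVE-2017-7825 from the `{...}` line of DLA-1153-1 is correct if, as the log says, the issue is Mac OS X only, but this commit touches only data/DLA/list; the corresponding CVE-2017-7825 entry in data/CVE/list should record the same conclusion for thunderbird so the tracker does not keep showing the issue as open for wheezy. The remaining eight identifiers are unchanged from the reservation in r57164.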
[Secure-testing-commits] r57164 - data/DLA
Author: agx Date: 2017-10-31 15:59:07 + (Tue, 31 Oct 2017) New Revision: 57164 Modified: data/DLA/list Log: lts: grab DLA for icedove/thunderbird Modified: data/DLA/list === --- data/DLA/list 2017-10-31 14:55:47 UTC (rev 57163) +++ data/DLA/list 2017-10-31 15:59:07 UTC (rev 57164) @@ -1,3 +1,6 @@ +[31 Oct 2017] DLA-1153-1 thunderbird - security update + {CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814 CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824 CVE-2017-7825} + [wheezy] - thunderbird 1:52.4.0-1~deb7u1 [31 Oct 2017] DLA-1152-1 quagga - security update {CVE-2017-16227} [wheezy] - quagga 0.99.22.4-1+wheezy3+deb7u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
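Review bot: the reserved `{...}` line for DLA-1153-1 includes CVE-2017-7825, which the follow-up r57165 on this page removes again as Mac OS X specific; cross-checking the CVE set against the upstream advisory before reserving the DLA would avoid the correction. The version `1:52.4.0-1~deb7u1` and the date line follow the format of the quagga entry below it.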
[Secure-testing-commits] r57163 - data/DLA
Author: hle Date: 2017-10-31 14:55:47 + (Tue, 31 Oct 2017) New Revision: 57163 Modified: data/DLA/list Log: Fix bad version in DLA 1152-1 Modified: data/DLA/list === --- data/DLA/list 2017-10-31 14:46:14 UTC (rev 57162) +++ data/DLA/list 2017-10-31 14:55:47 UTC (rev 57163) @@ -1,6 +1,6 @@ [31 Oct 2017] DLA-1152-1 quagga - security update {CVE-2017-16227} - [wheezy] - quagga quagga_0.99.22.4-1+wheezy3+deb7u2 + [wheezy] - quagga 0.99.22.4-1+wheezy3+deb7u2 [31 Oct 2017] DLA-1151-1 wordpress - security update {CVE-2016-9263 CVE-2017-14718 CVE-2017-14719 CVE-2017-14720 CVE-2017-14721 CVE-2017-14722 CVE-2017-14723 CVE-2017-14725 CVE-2017-14990} [wheezy] - wordpress 3.6.1+dfsg-1~deb7u17 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
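Review bot: the fix from `quagga quagga_0.99.22.4-1+wheezy3+deb7u2` to `quagga 0.99.22.4-1+wheezy3+deb7u2` is right; the bad value looks like a source-package filename stem pasted in place of the version, and the two "Processing r57162 failed" mails below show the parser rejecting exactly that line (`expected package entry`). Running the repository's `make` check locally before committing would have caught it before the hook did.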
[Secure-testing-commits] Processing r57162 failed
The error message was:

data/DLA/list:3: expected package entry, got: '[wheezy] - quagga quagga_0.99.22.4-1+wheezy3+deb7u2'
Makefile:21: recipe for target 'all' failed
make: *** [all] Error 1
[Secure-testing-commits] r57161 - data
Author: apo Date: 2017-10-31 14:36:27 + (Tue, 31 Oct 2017) New Revision: 57161 Modified: data/dla-needed.txt Log: Claim jasperreports in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-31 14:09:58 UTC (rev 57160) +++ data/dla-needed.txt 2017-10-31 14:36:27 UTC (rev 57161) @@ -20,7 +20,7 @@ -- irssi (Rhonda D'Vine) -- -jasperreports +jasperreports (Markus Koschany) -- jbossas4 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57159 - in data: . DLA
Author: anarcat Date: 2017-10-31 13:32:35 + (Tue, 31 Oct 2017) New Revision: 57159 Modified: data/DLA/list data/dla-needed.txt Log: reserve DLA-1150-1 for pending wpa KRACK upload Modified: data/DLA/list === --- data/DLA/list 2017-10-31 12:19:59 UTC (rev 57158) +++ data/DLA/list 2017-10-31 13:32:35 UTC (rev 57159) @@ -1,3 +1,6 @@ +[31 Oct 2017] DLA-1150-1 wpa - security update + {CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088} + [wheezy] - wpa 1.0-3+deb7u5 [27 Oct 2017] DLA-1149-1 wget - security update {CVE-2017-13089 CVE-2017-13090} [wheezy] - wget 1.13.4-3+deb7u5 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-31 12:19:59 UTC (rev 57158) +++ data/dla-needed.txt 2017-10-31 13:32:35 UTC (rev 57159) @@ -145,8 +145,6 @@ -- wordpress (Markus Koschany) -- -wpa (anarcat) --- xen -- xorg-server (Emilio Pozuelo) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
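Review bot: the second hunk removes `wpa (anarcat)` from dla-needed.txt while the log says the upload is still pending, so the package leaves the worklist before the DLA-1150-1 update (nine CVEs, `wpa 1.0-3+deb7u5`) actually exists; if the upload is delayed, the `[31 Oct 2017]` date on the reserved entry will also be wrong. Keeping the dla-needed.txt line with a NOTE until the upload is announced, or removing it in the same commit as the final DLA text, avoids both problems.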
[Secure-testing-commits] r57157 - data/CVE
Author: geissert Date: 2017-10-31 12:16:28 + (Tue, 31 Oct 2017) New Revision: 57157 Modified: data/CVE/list Log: some NFUs Modified: data/CVE/list === --- data/CVE/list 2017-10-31 12:06:01 UTC (rev 57156) +++ data/CVE/list 2017-10-31 12:16:28 UTC (rev 57157) 
@@ -907,39 +907,39 @@ NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b CVE-2017-15993 (Zomato Clone Script allows SQL Injection via the restaurant-menu.php ...) - TODO: check + NOT-FOR-US: Zomato Clone Script CVE-2017-15992 (Website Broker Script allows SQL Injection via the 'status_id' ...) - TODO: check + NOT-FOR-US: Website Broker Script CVE-2017-15991 (Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL ...) - TODO: check + NOT-FOR-US: Vastal I-Tech Agent Zone CVE-2017-15990 (Php Inventory Invoice Management System allows Arbitrary File Upload ...) - TODO: check + NOT-FOR-US: Php Inventory & Invoice Management System CVE-2017-15989 (Online Exam Test Application allows SQL Injection via the resources.php ...) - TODO: check + NOT-FOR-US: Online Exam Test Application CVE-2017-15988 (Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme ...) - TODO: check + NOT-FOR-US: PHP FAQ Script CVE-2017-15987 (Fake Magazine Cover Script allows SQL Injection via the rate.php value ...) - TODO: check + NOT-FOR-US: Fake Magazine Cover Script CVE-2017-15986 (CPA Lead Reward Script allows SQL Injection via the username parameter. ...) - TODO: check + NOT-FOR-US: CPA Lead Reward Script CVE-2017-15985 (Basic B2B Script allows SQL Injection via the product_view1.php pid or ...) - TODO: check + NOT-FOR-US: Basic B2B Script CVE-2017-15984 (Creative Management System (CMS) Lite 1.4 allows SQL Injection via the ...) - TODO: check + NOT-FOR-US: Creative Management System (CMS) Lite CVE-2017-15983 (MyMagazine Magazine Blog CMS 1.0 allows SQL Injection via the id ...) - TODO: check + NOT-FOR-US: MyMagazine Magazine & Blog CMS CVE-2017-15982 (Dynamic News Magazine Blog CMS 1.0 allows SQL Injection via the id ...) 
- TODO: check + NOT-FOR-US: Dynamic News Magazine & Blog CMS CVE-2017-15981 (Responsive Newspaper Magazine Blog CMS 1.0 allows SQL Injection via ...) - TODO: check + NOT-FOR-US: Responsive Newspaper Magazine & Blog CMS CVE-2017-15980 (US Zip Codes Database Script 1.0 allows SQL Injection via the state ...) - TODO: check + NOT-FOR-US: US Zip Codes Database Script CVE-2017-15979 (Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the ...) - TODO: check + NOT-FOR-US: Shareet - Photo Sharing Social Network CVE-2017-15978 (AROX School ERP PHP Script 1.0 allows SQL Injection via the ...) - TODO: check + NOT-FOR-US: AROX School ERP PHP Script CVE-2017-15977 (Protected Links - Expiring Download Links 1.0 allows SQL Injection via ...) - TODO: check + NOT-FOR-US: Protected Links - Expiring Download Links CVE-2017-15976 (ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid ...) NOT-FOR-US: ZeeBuddy CVE-2017-15975 (Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
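Review bot: the NOT-FOR-US label for CVE-2017-15988 does not match the product named in its description: the description reads `Nice PHP FAQ Script` but the new line is `NOT-FOR-US: PHP FAQ Script`. Use the description's product name verbatim, as the other entries in this hunk do, so the entry stays greppable by product.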
[Secure-testing-commits] r57156 - data
Author: agx Date: 2017-10-31 12:06:01 + (Tue, 31 Oct 2017) New Revision: 57156 Modified: data/dla-needed.txt Log: lts: grab icedove/thunderbird Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-10-31 11:30:35 UTC (rev 57155) +++ data/dla-needed.txt 2017-10-31 12:06:01 UTC (rev 57156) @@ -16,8 +16,7 @@ -- graphicsmagick (anarcat) -- -icedove - NOTE: Guido Gunter has promised to handle this once a version is available for sid. +icedove (Guido Günther) -- irssi (Rhonda D'Vine) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
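Review bot: the hunk replaces the NOTE that the work is gated on a version being available for sid with a bare claim line, so dla-needed.txt no longer records why icedove may stay claimed but unfixed for a while. Consider keeping that condition as a NOTE under `icedove (Guido Günther)`.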
[Secure-testing-commits] r57155 - data/CVE
Author: jmm Date: 2017-10-31 11:30:35 + (Tue, 31 Oct 2017) New Revision: 57155 Modified: data/CVE/list Log: exiv2 n/a revised redis fix Modified: data/CVE/list === --- data/CVE/list 2017-10-31 09:29:05 UTC (rev 57154) +++ data/CVE/list 2017-10-31 11:30:35 UTC (rev 57155) @@ -3165,7 +3165,7 @@ CVE-2017-15048 RESERVED CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows ...) - - redis 4:4.0.2-4 (bug #878076; unimportant) + - redis 4:4.0.2-5 (bug #878076; unimportant) [jessie] - redis (Vulnerable code introduced later) [wheezy] - redis (Vulnerable code introduced later) NOTE: https://github.com/antirez/redis/issues/4278 @@ -13122,8 +13122,9 @@ CVE-2017-11593 (Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus ...) NOT-FOR-US: Chrome extension Markdown Preview Plus CVE-2017-11592 (There is a Mismatched Memory Management Routines vulnerability in the ...) - - exiv2 (low) - [wheezy] - exiv2 (Vulnerable code not present) + [experimental] - exiv2 + - exiv2 (printTiffStructure introduced in 0.26) + TODO: Report against experimental NOTE: https://github.com/Exiv2/exiv2/issues/56 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473889 NOTE: Not reproducible in wheezy/jessie/stretch/sid(0.25-3.1). ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
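Review bot: the redis hunk moves the fixed version from `4:4.0.2-4` to `4:4.0.2-5` without a NOTE saying what was incomplete about the -4 fix; the commit log only says "revised redis fix". Add a NOTE with the changelog or bug reference for the revision so the version bump is auditable later.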
[Secure-testing-commits] r57153 - data/CVE
Author: carnil Date: 2017-10-31 09:25:22 + (Tue, 31 Oct 2017) New Revision: 57153 Modified: data/CVE/list Log: Some issues got REJECTED Modified: data/CVE/list === --- data/CVE/list 2017-10-31 09:10:13 UTC (rev 57152) +++ data/CVE/list 2017-10-31 09:25:22 UTC (rev 57153) @@ -14419,16 +14419,12 @@ - jenkins CVE-2017-181 REJECTED - NOT-FOR-US: ONOS CVE-2017-180 REJECTED - NOT-FOR-US: ONOS CVE-2017-179 REJECTED - NOT-FOR-US: ONOS CVE-2017-178 REJECTED - NOT-FOR-US: ONOS CVE-2017-177 REJECTED CVE-2017-176 @@ -14481,7 +14477,6 @@ NOT-FOR-US: chevereto CMS CVE-2017-157 REJECTED - NOT-FOR-US: GetSimple CMS CVE-2017-156 (Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation ...) - kubernetes 1.5.5+dfsg-1 NOTE: https://github.com/kubernetes/kubernetes/issues/43459 @@ -14510,7 +14505,6 @@ NOT-FOR-US: Mautic CVE-2017-145 REJECTED - NOT-FOR-US: Mautic CVE-2017-143 (Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are ...) NOT-FOR-US: Mapbox.js CVE-2017-142 (Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are ...) @@ -14523,7 +14517,6 @@ NOT-FOR-US: RVM CVE-2017-136 REJECTED - NOT-FOR-US: Candy Chat CVE-2017-135 (Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener ...) - tt-rss 17.1+git20170410+dfsg-1 NOTE: https://git.tt-rss.org/git/tt-rss/commit/829d478f1b054c8ce1eeb4f15170dc4a1abb3e47 @@ -14577,13 +14570,10 @@ - shotwell 0.25.4+really0.24.5-0.1 (unimportant) CVE-2017-123 REJECTED - NOT-FOR-US: LogicalDoc CVE-2017-122 REJECTED - NOT-FOR-US: LogicalDoc CVE-2017-121 REJECTED - NOT-FOR-US: LogicalDoc CVE-2017-120 (SYN Flood or FIN Flood attack in ECos 1 and other versions embedded ...) NOT-FOR-US: ECos CVE-2017-118 (phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits