[Secure-testing-commits] r57298 - in data: . CVE DSA
Author: carnil Date: 2017-11-03 23:09:43 + (Fri, 03 Nov 2017) New Revision: 57298 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for openssl Modified: data/CVE/list === --- data/CVE/list 2017-11-03 22:54:21 UTC (rev 57297) +++ data/CVE/list 2017-11-03 23:09:43 UTC (rev 57298) @@ -37593,6 +37593,7 @@ RESERVED CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery squaring ...) - openssl 1.1.0g-1 + [stretch] - openssl 1.1.0f-3+deb9u1 [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) - openssl1.0 1.0.2m-1 Modified: data/DSA/list === --- data/DSA/list 2017-11-03 22:54:21 UTC (rev 57297) +++ data/DSA/list 2017-11-03 23:09:43 UTC (rev 57298) @@ -1,3 +1,7 @@ +[04 Nov 2017] DSA-4018-1 openssl - security update + {CVE-2017-3735} + [jessie] - openssl 1.0.1t-1+deb8u7 + [stretch] - openssl 1.1.0f-3+deb9u1 [03 Nov 2017] DSA-4017-1 openssl1.0 - security update {CVE-2017-3735 CVE-2017-3736} [stretch] - openssl1.0 1.0.2l-2+deb9u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-03 22:54:21 UTC (rev 57297) +++ data/dsa-needed.txt 2017-11-03 23:09:43 UTC (rev 57298) @@ -37,8 +37,6 @@ -- openjdk-7/oldstable (jmm) -- -openssl (carnil) --- php-horde-image -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
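Review bot: the DSA-4018-1 entry added to data/DSA/list carries only `{CVE-2017-3735}`, yet the data/CVE/list hunk in the same commit records `[stretch] - openssl 1.1.0f-3+deb9u1` under CVE-2017-3736, the very version DSA-4018-1 ships for stretch; the two files disagree about which issues the stretch upload fixes. If the upload also fixes the carry-propagation bug, add CVE-2017-3736 to the DSA's CVE set, as the sibling DSA-4017-1 entry for openssl1.0 already does with `{CVE-2017-3735 CVE-2017-3736}`; otherwise the new stretch line under CVE-2017-3736 needs a different justification.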
[Secure-testing-commits] r57297 - in data: . DSA
Author: carnil Date: 2017-11-03 22:54:21 + (Fri, 03 Nov 2017) New Revision: 57297 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for openssl1.0 update Modified: data/DSA/list === --- data/DSA/list 2017-11-03 22:26:45 UTC (rev 57296) +++ data/DSA/list 2017-11-03 22:54:21 UTC (rev 57297) @@ -1,3 +1,6 @@ +[03 Nov 2017] DSA-4017-1 openssl1.0 - security update + {CVE-2017-3735 CVE-2017-3736} + [stretch] - openssl1.0 1.0.2l-2+deb9u1 [03 Nov 2017] DSA-4016-1 irssi - security update {CVE-2017-15227 CVE-2017-15228 CVE-2017-15721 CVE-2017-15722 CVE-2017-15723} [jessie] - irssi 0.8.17-1+deb8u5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-03 22:26:45 UTC (rev 57296) +++ data/dsa-needed.txt 2017-11-03 22:54:21 UTC (rev 57297) @@ -39,8 +39,6 @@ -- openssl (carnil) -- -openssl1.0/stable (carnil) --- php-horde-image -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57296 - data
Author: lamby Date: 2017-11-03 22:26:45 + (Fri, 03 Nov 2017) New Revision: 57296 Modified: data/dla-needed.txt Log: Claim apr-util in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-03 22:26:44 UTC (rev 57295) +++ data/dla-needed.txt 2017-11-03 22:26:45 UTC (rev 57296) @@ -12,7 +12,7 @@ -- apr (Chris Lamb) -- -apr-util +apr-util (Chris Lamb) -- ca-certificates NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57295 - data
Author: lamby Date: 2017-11-03 22:26:44 + (Fri, 03 Nov 2017) New Revision: 57295 Modified: data/dla-needed.txt Log: Claim apr in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-03 22:26:42 UTC (rev 57294) +++ data/dla-needed.txt 2017-11-03 22:26:44 UTC (rev 57295) @@ -10,7 +10,7 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -apr +apr (Chris Lamb) -- apr-util -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57294 - data
Author: lamby Date: 2017-11-03 22:26:42 + (Fri, 03 Nov 2017) New Revision: 57294 Modified: data/dla-needed.txt Log: data/dla-needed.txt: Correct ordering Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-03 21:56:06 UTC (rev 57293) +++ data/dla-needed.txt 2017-11-03 22:26:42 UTC (rev 57294) @@ -46,12 +46,12 @@ NOTE: asked for reproducers for CVE-2017-14160 and CVE-2017-14633 on NOTE: gitlab and vendor-sec -- +libxml-libxml-perl + NOTE: 20170702: no upstream fix yet, so no need to bother maintainer yet, sent email later +-- libxml2 (Thorsten Alteholz) NOTE: bugfix needs confirmation by upstream -- -libxml-libxml-perl - NOTE: 20170702: no upstream fix yet, so no need to bother maintainer yet, sent email later --- linux -- ming (Hugo Lefeuvre) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57293 - data
Author: carnil Date: 2017-11-03 21:56:06 + (Fri, 03 Nov 2017) New Revision: 57293 Modified: data/dsa-needed.txt Log: Take care of releasing openssl packages Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-03 21:43:20 UTC (rev 57292) +++ data/dsa-needed.txt 2017-11-03 21:56:06 UTC (rev 57293) @@ -37,9 +37,9 @@ -- openjdk-7/oldstable (jmm) -- -openssl +openssl (carnil) -- -openssl1.0/stable +openssl1.0/stable (carnil) -- php-horde-image -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57292 - data
Author: apo Date: 2017-11-03 21:43:20 + (Fri, 03 Nov 2017) New Revision: 57292 Modified: data/dla-needed.txt Log: Add libpam4j to dla-needed.txt and claim it. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-03 21:39:08 UTC (rev 57291) +++ data/dla-needed.txt 2017-11-03 21:43:20 UTC (rev 57292) @@ -35,6 +35,8 @@ -- libofx (Thorsten Alteholz) -- +libpam4j (Markus Koschany) +-- libreoffice (Emilio Pozuelo) NOTE: regression update, see: NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57291 - data
Author: apo Date: 2017-11-03 21:39:08 + (Fri, 03 Nov 2017) New Revision: 57291 Modified: data/dla-needed.txt Log: Add apr and apr-util to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-03 21:27:10 UTC (rev 57290) +++ data/dla-needed.txt 2017-11-03 21:39:08 UTC (rev 57291) @@ -10,6 +10,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +apr +-- +apr-util +-- ca-certificates NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org NOTE: 20171013: anarcat pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57290 - data/CVE
Author: carnil Date: 2017-11-03 21:27:10 + (Fri, 03 Nov 2017) New Revision: 57290 Modified: data/CVE/list Log: Add bug reference for CVE-2017-16516 Modified: data/CVE/list === --- data/CVE/list 2017-11-03 21:26:20 UTC (rev 57289) +++ data/CVE/list 2017-11-03 21:27:10 UTC (rev 57290) @@ -15,7 +15,7 @@ CVE-2017-16517 RESERVED CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is ...) - - ruby-yajl + - ruby-yajl (bug #880691) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 CVE-2017-16515 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57289 - data/CVE
Author: carnil Date: 2017-11-03 21:26:20 + (Fri, 03 Nov 2017) New Revision: 57289 Modified: data/CVE/list Log: Process some NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-03 21:22:38 UTC (rev 57288) +++ data/CVE/list 2017-11-03 21:26:20 UTC (rev 57289) @@ -1,9 +1,9 @@ CVE-2017-16524 RESERVED CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) - TODO: check + NOT-FOR-US: MitraStar CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) - TODO: check + NOT-FOR-US: MitraStar CVE-2017-16521 RESERVED CVE-2017-16520 @@ -5943,7 +5943,7 @@ CVE-2017-14360 RESERVED CVE-2017-14359 (A potential security vulnerability has been identified in HPE ...) - TODO: check + NOT-FOR-US: HPE Performance Center CVE-2017-14358 (A URL redirection to untrusted site vulnerability in HP ArcSight ESM ...) NOT-FOR-US: HP ArcSight CVE-2017-14357 (A Reflected and Stored Cross-Site Scripting (XSS) vulnerability in HP ...) @@ -16221,7 +16221,7 @@ CVE-2017-10826 (Untrusted search path vulnerability in Security Kinou Mihariban ...) NOT-FOR-US: Security Kinou Mihariban CVE-2017-10825 (Untrusted search path vulnerability in Installer of Flets Easy Setup ...) - TODO: check + NOT-FOR-US: Installer of Flets Easy Setup Tool CVE-2017-10824 (Untrusted search path vulnerability in TDB CA TypeA use software ...) NOT-FOR-US: TDB CA TypeA use software CVE-2017-10823 (Untrusted search path vulnerability in Installer for Shin Kinkyuji ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57288 - data/CVE
Author: carnil Date: 2017-11-03 21:22:38 + (Fri, 03 Nov 2017) New Revision: 57288 Modified: data/CVE/list Log: Add CVE-2017-16516/ruby-yajl Modified: data/CVE/list === --- data/CVE/list 2017-11-03 21:10:17 UTC (rev 57287) +++ data/CVE/list 2017-11-03 21:22:38 UTC (rev 57288) @@ -15,7 +15,8 @@ CVE-2017-16517 RESERVED CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is ...) - TODO: check + - ruby-yajl + NOTE: https://github.com/brianmario/yajl-ruby/issues/176 CVE-2017-16515 RESERVED CVE-2017-16514 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57287 - data/CVE
Author: sectracker Date: 2017-11-03 21:10:17 + (Fri, 03 Nov 2017) New Revision: 57287 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-03 20:48:57 UTC (rev 57286) +++ data/CVE/list 2017-11-03 21:10:17 UTC (rev 57287) 
@@ -1,61 +1,87 @@ -CVE-2017-16511 +CVE-2017-16524 RESERVED -CVE-2017-1000171 +CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) + TODO: check +CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) + TODO: check +CVE-2017-16521 RESERVED -CVE-2017-1000157 +CVE-2017-16520 RESERVED -CVE-2017-1000156 +CVE-2017-16519 RESERVED -CVE-2017-1000155 +CVE-2017-16518 RESERVED -CVE-2017-1000154 +CVE-2017-16517 RESERVED -CVE-2017-1000153 +CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is ...) + TODO: check +CVE-2017-16515 RESERVED -CVE-2017-1000152 +CVE-2017-16514 RESERVED -CVE-2017-1000151 +CVE-2017-16513 (Ipswitch WS_FTP Professional before 12.6.0.3 has buffer overflows in ...) + TODO: check +CVE-2017-16512 RESERVED -CVE-2017-1000150 +CVE-2017-16511 RESERVED -CVE-2017-1000149 - RESERVED -CVE-2017-1000148 - RESERVED -CVE-2017-1000147 - RESERVED -CVE-2017-1000146 - RESERVED -CVE-2017-1000145 - RESERVED -CVE-2017-1000144 - RESERVED -CVE-2017-1000143 - RESERVED -CVE-2017-1000142 - RESERVED +CVE-2017-1000171 (Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to ...) + TODO: check +CVE-2017-1000157 (Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before ...) + TODO: check +CVE-2017-1000156 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before ...) + TODO: check +CVE-2017-1000155 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) + TODO: check +CVE-2017-1000154 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) + TODO: check +CVE-2017-1000153 (Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before ...) + TODO: check +CVE-2017-1000152 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running PHP 5.3 ...) + TODO: check +CVE-2017-1000151 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before ...) 
+ TODO: check +CVE-2017-1000150 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to ...) + TODO: check +CVE-2017-1000149 (Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 before ...) + TODO: check +CVE-2017-1000148 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) + TODO: check +CVE-2017-1000147 (Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before ...) + TODO: check +CVE-2017-1000146 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before ...) + TODO: check +CVE-2017-1000145 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before ...) + TODO: check +CVE-2017-1000144 (Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before ...) + TODO: check +CVE-2017-1000143 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 ...) + TODO: check +CVE-2017-1000142 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 ...) + TODO: check CVE-2017-1000141 RESERVED -CVE-2017-1000140 - RESERVED -CVE-2017-1000139 - RESERVED -CVE-2017-1000138 - RESERVED -CVE-2017-1000137 - RESERVED -CVE-2017-1000136 - RESERVED -CVE-2017-1000135 - RESERVED -CVE-2017-1000134 - RESERVED -CVE-2017-1000133 - RESERVED -CVE-2017-1000132 - RESERVED -CVE-2017-1000131 - RESERVED +CVE-2017-1000140 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 ...) + TODO: check +CVE-2017-1000139 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 ...) + TODO: check +CVE-2017-1000138 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to ...) + TODO: check +CVE-2017-1000137 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to ...) + TODO: check +CVE-2017-1000136 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 ...) + TODO: check +CVE-2017-1000135 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 ...) 
+ TODO: check +CVE-2017-1000134 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 ...) + TODO: check +CVE-2017-1000133 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) + TODO: check +CVE-2017-1000132 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 ...) + TODO: check +CVE-2017-1000131 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 befo
[Secure-testing-commits] r57286 - data/CVE
Author: carnil Date: 2017-11-03 20:48:57 + (Fri, 03 Nov 2017) New Revision: 57286 Modified: data/CVE/list Log: Add references for CVE-2017-12197 Modified: data/CVE/list === --- data/CVE/list 2017-11-03 20:14:42 UTC (rev 57285) +++ data/CVE/list 2017-11-03 20:48:57 UTC (rev 57286) @@ -12140,6 +12140,8 @@ RESERVED - libpam4j (bug #879001) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503103 + NOTE: https://github.com/kohsuke/libpam4j/issues/18 + NOTE: (Non-upstream) patch: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d CVE-2017-12196 RESERVED CVE-2017-12195 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57285 - data/CVE
Author: carnil Date: 2017-11-03 20:14:42 + (Fri, 03 Nov 2017) New Revision: 57285 Modified: data/CVE/list Log: Add reference for apr-util Modified: data/CVE/list === --- data/CVE/list 2017-11-03 20:10:15 UTC (rev 57284) +++ data/CVE/list 2017-11-03 20:14:42 UTC (rev 57285) @@ -11094,6 +11094,7 @@ CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to ...) - apr-util (low; bug #879996) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E + NOTE: https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ...) - tomcat9 (bug #802312) - tomcat8 8.5.23-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57284 - data/CVE
Author: carnil Date: 2017-11-03 20:10:15 + (Fri, 03 Nov 2017) New Revision: 57284 Modified: data/CVE/list Log: Add reference for CVE-2017-12613 Modified: data/CVE/list === --- data/CVE/list 2017-11-03 20:00:10 UTC (rev 57283) +++ data/CVE/list 2017-11-03 20:10:15 UTC (rev 57284) @@ -11123,6 +11123,7 @@ CVE-2017-12613 (When apr_exp_time*() or apr_os_exp_time*() functions are invoked with ...) - apr (low; bug #879708) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E + NOTE: Fixed by: https://github.com/apache/apr/commit/ad958385a4180d7a83d90589689fcd36e3bbc57a CVE-2017-12612 (In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe ...) NOT-FOR-US: Apache Spark CVE-2017-12611 (In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57283 - data
Author: carnil Date: 2017-11-03 20:00:10 + (Fri, 03 Nov 2017) New Revision: 57283 Modified: data/dla-needed.txt Log: Add note for openssl Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-03 19:35:41 UTC (rev 57282) +++ data/dla-needed.txt 2017-11-03 20:00:10 UTC (rev 57283) @@ -74,6 +74,7 @@ -- openssl NOTE: I assume Kurt Roeckx will take care of it again. + NOTE: 1.0.1t-1+deb7u3 by Kurt Roeckx -- pngcrush NOTE: CVE-2015-7700: the problematic call to png_free_data() is present ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57282 - in data: . CVE DSA
Author: carnil Date: 2017-11-03 19:35:41 + (Fri, 03 Nov 2017) New Revision: 57282 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for irssi Modified: data/CVE/list === --- data/CVE/list 2017-11-03 19:30:41 UTC (rev 57281) +++ data/CVE/list 2017-11-03 19:35:41 UTC (rev 57282) @@ -15904,12 +15904,14 @@ {DLA-1089-1} - irssi 1.0.4-1 (low; bug #867598) [stretch] - irssi 1.0.2-1+deb9u2 + [jessie] - irssi 0.8.17-1+deb8u5 NOTE: https://irssi.org/security/irssi_sa_2017_07.txt NOTE: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 CVE-2017-10965 (An issue was discovered in Irssi before 1.0.4. When receiving messages ...) {DLA-1089-1} - irssi 1.0.4-1 (low; bug #867598) [stretch] - irssi 1.0.2-1+deb9u2 + [jessie] - irssi 0.8.17-1+deb8u5 NOTE: https://irssi.org/security/irssi_sa_2017_07.txt NOTE: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 CVE-2017-10964 Modified: data/DSA/list === --- data/DSA/list 2017-11-03 19:30:41 UTC (rev 57281) +++ data/DSA/list 2017-11-03 19:35:41 UTC (rev 57282) @@ -1,3 +1,7 @@ +[03 Nov 2017] DSA-4016-1 irssi - security update + {CVE-2017-15227 CVE-2017-15228 CVE-2017-15721 CVE-2017-15722 CVE-2017-15723} + [jessie] - irssi 0.8.17-1+deb8u5 + [stretch] - irssi 1.0.2-1+deb9u3 [02 Nov 2017] DSA-4015-1 openjdk-8 - security update {CVE-2017-10274 CVE-2017-10281 CVE-2017-10285 CVE-2017-10295 CVE-2017-10345 CVE-2017-10346 CVE-2017-10347 CVE-2017-10348 CVE-2017-10349 CVE-2017-10350 CVE-2017-10355 CVE-2017-10356 CVE-2017-10357 CVE-2017-10388} [stretch] - openjdk-8 8u151-b12-1~deb9u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-03 19:30:41 UTC (rev 57281) +++ data/dsa-needed.txt 2017-11-03 19:35:41 UTC (rev 57282) 
@@ -21,8 +21,6 @@ imagemagick (jmm) wait until more issues have piled up -- -irssi --- jackson-databind For CVE-2017-15095 (see notes for missing commits) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
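Review bot: the data/CVE/list hunk adds `[jessie] - irssi 0.8.17-1+deb8u5` under CVE-2017-10965 and the entry just above it, the same jessie version DSA-4016-1 ships, but the DSA-4016-1 entry in data/DSA/list lists only `{CVE-2017-15227 CVE-2017-15228 CVE-2017-15721 CVE-2017-15722 CVE-2017-15723}`. If the jessie upload also closes those two older issues (handled for wheezy by DLA-1089-1 and already fixed in stretch by 1.0.2-1+deb9u2, per the context lines), they belong in the DSA's CVE set as well; if it does not, the new jessie lines should not be attached to those entries.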
[Secure-testing-commits] r57281 - in data: . DLA
Author: apo Date: 2017-11-03 19:30:41 + (Fri, 03 Nov 2017) New Revision: 57281 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1159-1 for graphicsmagick Modified: data/DLA/list === --- data/DLA/list 2017-11-03 12:30:30 UTC (rev 57280) +++ data/DLA/list 2017-11-03 19:30:41 UTC (rev 57281) @@ -1,3 +1,6 @@ +[03 Nov 2017] DLA-1159-1 graphicsmagick - security update + {CVE-2017-16352 CVE-2017-16353} + [wheezy] - graphicsmagick 1.3.16-1.1+deb7u13 [02 Nov 2017] DLA-1158-1 bchunk - security update {CVE-2017-15953 CVE-2017-15954 CVE-2017-15955} [wheezy] - bchunk 1.2.0-12+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-03 12:30:30 UTC (rev 57280) +++ data/dla-needed.txt 2017-11-03 19:30:41 UTC (rev 57281) @@ -14,8 +14,6 @@ NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org NOTE: 20171013: anarcat pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at -- -graphicsmagick (Markus Koschany) --- irssi (Rhonda D'Vine) -- jasperreports ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57280 - data/CVE
Author: carnil Date: 2017-11-03 12:30:30 + (Fri, 03 Nov 2017) New Revision: 57280 Modified: data/CVE/list Log: Add reference for one (ancient) libdata-uuid-perl issue Modified: data/CVE/list === --- data/CVE/list 2017-11-03 11:54:20 UTC (rev 57279) +++ data/CVE/list 2017-11-03 12:30:30 UTC (rev 57280) @@ -137384,6 +137384,7 @@ CVE-2013-4184 [symlink attacks] RESERVED - libdata-uuid-perl (unimportant; bug #718949) + NOTE: https://github.com/rjbs/Data-UUID/issues/5 NOTE: Neutralised by kernel temp hardening CVE-2013-4183 (The clear_volume function in LVMVolumeDriver driver in OpenStack ...) - cinder 2013.1.2-4 (bug #719010) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57279 - data/CVE
Author: jmm Date: 2017-11-03 11:54:20 + (Fri, 03 Nov 2017) New Revision: 57279 Modified: data/CVE/list Log: ffmpeg postponed Modified: data/CVE/list === --- data/CVE/list 2017-11-03 11:50:32 UTC (rev 57278) +++ data/CVE/list 2017-11-03 11:54:20 UTC (rev 57279) @@ -2283,9 +2283,9 @@ CVE-2017-15672 RESERVED - ffmpeg + [stretch] - ffmpeg (Wait until next round of security releases) - libav NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904 - TODO: check CVE-2017-15671 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) - glibc (low; bug #879500) [stretch] - glibc (Minor issue) @@ -3506,6 +3506,7 @@ NOTE: https://github.com/Cacti/cacti/commit/4f87256e63859117f81d2a2bd40c9c730e39b65d CVE-2017-15186 (Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote ...) - ffmpeg + [stretch] - ffmpeg (Wait until next round of security releases) - libav NOTE: http://www.openwall.com/lists/oss-security/2017/10/20/4 NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/df62b70de8aaa285168e72fe8f6e740843ca91fa ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57278 - data/CVE
Author: carnil Date: 2017-11-03 11:50:32 + (Fri, 03 Nov 2017) New Revision: 57278 Modified: data/CVE/list Log: Add CVE-2017-15672 Modified: data/CVE/list === --- data/CVE/list 2017-11-03 10:59:30 UTC (rev 57277) +++ data/CVE/list 2017-11-03 11:50:32 UTC (rev 57278) @@ -2282,6 +2282,10 @@ RESERVED CVE-2017-15672 RESERVED + - ffmpeg + - libav + NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904 + TODO: check CVE-2017-15671 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) - glibc (low; bug #879500) [stretch] - glibc (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57277 - data/CVE
Author: jmm Date: 2017-11-03 10:59:30 + (Fri, 03 Nov 2017) New Revision: 57277 Modified: data/CVE/list Log: Mongoose NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-03 10:52:18 UTC (rev 57276) +++ data/CVE/list 2017-11-03 10:59:30 UTC (rev 57277) @@ -40453,8 +40453,12 @@ NOTE: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 CVE-2017-2922 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2921 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 @@ -40479,6 +40483,8 @@ RESERVED CVE-2017-2909 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2908 RESERVED CVE-2017-2907 @@ -40507,14 +40513,24 @@ RESERVED CVE-2017-2895 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2894 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2893 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2892 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2891 RESERVED + NOT-FOR-US: Cesanta Mongoose + TODO: check smplayer, embeds it CVE-2017-2890 RESERVED CVE-2017-2889 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
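Review bot: every one of these entries gets `NOT-FOR-US: Cesanta Mongoose` and, directly beneath it, `TODO: check smplayer, embeds it`, which is contradictory: NOT-FOR-US asserts the issue touches no Debian package, while the TODO says smplayer carries an embedded copy of Mongoose that has not been checked. Keep the entries at TODO (or add a `- smplayer` line with a note) until the embedded copy has been examined, and only then mark them NOT-FOR-US if smplayer turns out to be unaffected.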
[Secure-testing-commits] r57276 - data
Author: jmm Date: 2017-11-03 10:52:18 + (Fri, 03 Nov 2017) New Revision: 57276 Modified: data/next-oldstable-point-update.txt Log: liblouis spu Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-11-03 09:36:06 UTC (rev 57275) +++ data/next-oldstable-point-update.txt2017-11-03 10:52:18 UTC (rev 57276) @@ -102,3 +102,5 @@ [jessie] - sqlite3 3.8.7.1-1+deb8u3 CVE-2017-15274 [jessie] - linux 3.16.48-1 +CVE-2014-8184 + [jessie] - liblouis 2.5.3-3+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57275 - data/CVE
Author: carnil Date: 2017-11-03 09:36:06 + (Fri, 03 Nov 2017) New Revision: 57275 Modified: data/CVE/list Log: Several previously for IrfanView assigned CVEs were withdrawn by its CNA after further investigation; remove entries Modified: data/CVE/list === --- data/CVE/list 2017-11-03 09:11:04 UTC (rev 57274) +++ data/CVE/list 2017-11-03 09:36:06 UTC (rev 57275) @@ -2013,37 +2013,26 @@ NOT-FOR-US: XnView CVE-2017-15800 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15799 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15798 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15797 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15796 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15795 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15794 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15793 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15792 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15791 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15790 REJECTED - NOT-FOR-US: IrfanView CVE-2017-15789 (XnView Classic for Windows Version 2.43 allows attackers to execute ...) NOT-FOR-US: XnView CVE-2017-15788 (XnView Classic for Windows Version 2.43 allows attackers to execute ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57274 - data/CVE
Author: sectracker Date: 2017-11-03 09:11:04 + (Fri, 03 Nov 2017) New Revision: 57274 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-03 06:17:15 UTC (rev 57273) +++ data/CVE/list 2017-11-03 09:11:04 UTC (rev 57274) @@ -1,3 +1,5 @@ +CVE-2017-16511 + RESERVED CVE-2017-1000171 RESERVED CVE-2017-1000157 @@ -54,7 +56,7 @@ RESERVED CVE-2017-1000131 RESERVED -CVE-2017-16510 [Unsafe queries with wpdb->prepare] +CVE-2017-16510 (WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() ...) - wordpress 4.8.3+dfsg-1 (bug #880528) NOTE: https://wpvulndb.com/vulnerabilities/8941 NOTE: https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d @@ -650,8 +652,8 @@ RESERVED CVE-2017-16238 RESERVED -CVE-2017-16237 - RESERVED +CVE-2017-16237 (In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file ...) + TODO: check CVE-2017-16236 RESERVED CVE-2017-16235 @@ -1631,12 +1633,15 @@ CVE-2017-15956 (ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File ...) NOT-FOR-US: ConverTo Video Downloader CVE-2017-15955 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an ...) + {DLA-1158-1} - bchunk (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/4 CVE-2017-15954 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a ...) + {DLA-1158-1} - bchunk (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/3 CVE-2017-15953 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a ...) + {DLA-1158-1} - bchunk (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/2 CVE-2017-15952 
@@ -2006,27 +2011,38 @@ NOT-FOR-US: XnView CVE-2017-15801 (XnView Classic for Windows Version 2.43 allows attackers to cause a ...) NOT-FOR-US: XnView -CVE-2017-15800 (IrfanView version 4.50 (64bit) allows attackers to execute arbitrary ...) +CVE-2017-15800 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15799 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15799 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15798 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15798 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15797 (IrfanView version 4.50 (64bit) allows attackers to execute arbitrary ...) +CVE-2017-15797 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15796 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15796 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15795 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15795 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15794 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15794 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15793 (IrfanView version 4.50 (64bit) allows attackers to execute arbitrary ...) +CVE-2017-15793 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15792 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15792 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15791 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15791 + REJECTED NOT-FOR-US: IrfanView -CVE-2017-15790 (IrfanView version 4.50 (64bit) allows attackers to cause a denial of ...) +CVE-2017-15790 + REJECTED NOT-FOR-US: IrfanView CVE-2017-15789 (XnView Classic for Windows Version 2.43 allows attackers to execute ...) NOT-FOR-US: XnView 
@@ -17801,6 +17817,7 @@ CVE-2017-10389 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10388 (Vulnerability in the Java SE, Java SE Embedded component of Oracle ...) + {DSA-4015-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 - openjdk-7 @@ -17880,18 +17897,21 @@ CVE-2017-10358 (Vulnerability in the Oracle Hyperion Financial Reporting component of ...) NOT-FOR-US: Oracle CVE-2017-10357 (Vulnerability in the Java SE, Java SE Embedded component of Oracle ...) + {DSA-4015-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10356 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) + {DSA-4015-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10355 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) + {DSA-4015-1}