[Secure-testing-commits] r57357 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-06 05:30:22 + (Mon, 06 Nov 2017)
New Revision: 57357

Modified:
   data/CVE/list
Log:
Mark CVE-2017-5130 as unimportant

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 04:39:52 UTC (rev 57356)
+++ data/CVE/list   2017-11-06 05:30:22 UTC (rev 57357)
@@ -34344,7 +34344,8 @@
 CVE-2017-5130
RESERVED
- libxml2  (bug #88)
-   - chromium-browser  (uses system libxml2)
+   - chromium-browser 62.0.3202.75-1 (unimportant)
+   NOTE: chromium-browser uses system libxml2.
NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=722079 (not 
public)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783026 (not public)
NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed
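Review bot: the added `- chromium-browser 62.0.3202.75-1 (unimportant)` line gives no reason for the severity beyond the NOTE that chromium-browser uses system libxml2, and the `- libxml2` line above it still shows no fixed version. If the point is that the vulnerable code lives in libxml2 and not in the chromium-browser package, say that in the NOTE and state that the fix is tracked through the libxml2 line, so readers do not take the chromium-browser version as the fix for this CVE.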


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r57356 - in data: . CVE

2017-11-05 Thread Brian May
Author: bam
Date: 2017-11-06 04:39:52 + (Mon, 06 Nov 2017)
New Revision: 57356

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Mark pngcrush no-DSA

It is already no-DSA for Stretch and Jessie.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 04:26:08 UTC (rev 57355)
+++ data/CVE/list   2017-11-06 04:39:52 UTC (rev 57356)
@@ -81325,6 +81325,7 @@
- pngcrush  (bug #874109)
[stretch] - pngcrush  (Minor issue)
[jessie] - pngcrush  (Minor issue)
+   [wheezy] - pngcrush  (Minor issue)
NOTE: 
http://sourceforge.net/p/pmt/code/ci/e8ae5a842e86324f0bee91f4d98245fddb8ea5dd 
(1.7.87)
 CVE-2015-7697 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of 
...)
{DSA-3386-1 DLA-330-1}

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-06 04:26:08 UTC (rev 57355)
+++ data/dla-needed.txt 2017-11-06 04:39:52 UTC (rev 57356)
@@ -79,10 +79,6 @@
   NOTE: I assume Kurt Roeckx will take care of it again.
   NOTE: 1.0.1t-1+deb7u3 by Kurt Roeckx, DLA number already reserved, but 
upload missing
 --
-pngcrush
-  NOTE: CVE-2015-7700: the problematic call to png_free_data() is present
-  NOTE: in wheezy but it's not clear to me where the other call to free() is.
---
 poppler (Emilio Pozuelo)
   NOTE: not fixed in sid yet so did not ping maintainer
   NOTE: drawForm is doForm1 in wheezy
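Review bot: the removed pngcrush block in data/dla-needed.txt holds the only analysis of CVE-2015-7700 for wheezy (the problematic png_free_data() call is present, the other free() call was not located), and the data/CVE/list hunk replaces it with just `(Minor issue)`. Consider moving those two NOTE lines under the new `[wheezy] - pngcrush` line so the open question stays recorded with the CVE.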




[Secure-testing-commits] r57354 - in data: . CVE DSA

2017-11-05 Thread Michael Gilbert
Author: mgilbert
Date: 2017-11-05 21:57:41 + (Sun, 05 Nov 2017)
New Revision: 57354

Modified:
   data/CVE/list
   data/DSA/list
   data/dsa-needed.txt
Log:
chromium dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 21:45:13 UTC (rev 57353)
+++ data/CVE/list   2017-11-05 21:57:41 UTC (rev 57354)
@@ -34344,8 +34344,7 @@
 CVE-2017-5130
RESERVED
- libxml2  (bug #88)
-   - chromium-browser 62.0.3202.75-1
-   [wheezy] - chromium-browser  (Not supported in Wheezy)
+   - chromium-browser  (uses system libxml2)
NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=722079 (not 
public)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783026 (not public)
NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed
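Review bot: the log message "chromium dsa" does not cover this hunk, which drops the fixed version 62.0.3202.75-1 and the `[wheezy] - chromium-browser` line for CVE-2017-5130 in favour of `(uses system libxml2)`. A status change like this deserves its own line in the log, and a NOTE in the entry stating that the fix comes from the libxml2 commit referenced below would make the reasoning visible.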

Modified: data/DSA/list
===
--- data/DSA/list   2017-11-05 21:45:13 UTC (rev 57353)
+++ data/DSA/list   2017-11-05 21:57:41 UTC (rev 57354)
@@ -1,3 +1,6 @@
+[05 Nov 2017] DSA-4020-1 chromium-browser - security update
+   {CVE-2017-5124 CVE-2017-5125 CVE-2017-5126 CVE-2017-5127 CVE-2017-5128 
CVE-2017-5129 CVE-2017-5131 CVE-2017-5132 CVE-2017-5133 CVE-2017-15386 
CVE-2017-15387 CVE-2017-15388 CVE-2017-15389 CVE-2017-15390 CVE-2017-15391 
CVE-2017-15392 CVE-2017-15393 CVE-2017-15394 CVE-2017-15395 CVE-2017-15396}
+   [stretch] - chromium-browser 62.0.3202.75-1~deb9u1
 [05 Nov 2017] DSA-4019-1 imagemagick - security update
{CVE-2017-9500 CVE-2017-11446 CVE-2017-11523 CVE-2017-11533 
CVE-2017-11535 CVE-2017-11537 CVE-2017-11639 CVE-2017-11640 CVE-2017-12428 
CVE-2017-12431 CVE-2017-12432 CVE-2017-12434 CVE-2017-12587 CVE-2017-12640 
CVE-2017-12671 CVE-2017-13139 CVE-2017-13140 CVE-2017-13141 CVE-2017-13142 
CVE-2017-13143 CVE-2017-13144 CVE-2017-13145}
[stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u2

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-05 21:45:13 UTC (rev 57353)
+++ data/dsa-needed.txt 2017-11-05 21:57:41 UTC (rev 57354)
@@ -14,8 +14,6 @@
 --
 389-ds-base (fw)
 --
-chromium-browser
---
 graphicsmagick
 --
 jackson-databind




[Secure-testing-commits] r57353 - data/CVE

2017-11-05 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-05 21:45:13 + (Sun, 05 Nov 2017)
New Revision: 57353

Modified:
   data/CVE/list
Log:
two undetermined docker issues


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 21:44:32 UTC (rev 57352)
+++ data/CVE/list   2017-11-05 21:45:13 UTC (rev 57353)
@@ -9,7 +9,7 @@
 CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote 
database ...)
NOT-FOR-US: OpenEMR
 CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker 
Moby through ...)
-   TODO: check
+   - docker.io 
 CVE-2017-16538 (drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel 
through ...)
- linux 
[wheezy] - linux  (Vulnerable code not present)
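Review bot: under CVE-2017-16539 the `TODO: check` line is replaced by a bare `- docker.io` entry that the log describes as undetermined, with no NOTE saying what still has to be established. A one-line NOTE (for instance whether the packaged version contains DefaultLinuxSpec in oci/defaults.go) would tell the next person what to look at; the same applies to CVE-2017-14992 in the following hunk.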
@@ -4214,7 +4214,7 @@
 CVE-2017-14993
RESERVED
 CVE-2017-14992 (Lack of content verification in Docker-CE (Also known as Moby) 
...)
-   TODO: check
+   - docker.io 
 CVE-2017-14991 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel 
before ...)
- linux 4.13.4-1
[stretch] - linux  (Vulnerable code introduced later)




[Secure-testing-commits] r57352 - data/CVE

2017-11-05 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-05 21:44:32 + (Sun, 05 Nov 2017)
New Revision: 57352

Modified:
   data/CVE/list
Log:
NFUs
mahara issues (removed)


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 21:10:14 UTC (rev 57351)
+++ data/CVE/list   2017-11-05 21:44:32 UTC (rev 57352)
@@ -1,11 +1,11 @@
 CVE-2017-16544
RESERVED
 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via ...)
-   TODO: check
+   NOT-FOR-US: Zoho
 CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 allows 
Post-authentication ...)
-   TODO: check
+   NOT-FOR-US: Zoho
 CVE-2017-16541 (Tor Browser before 7.0.9 on macOS and Linux allows remote 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: Zoho
 CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote 
database ...)
NOT-FOR-US: OpenEMR
 CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker 
Moby through ...)
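Review bot: CVE-2017-16541 is the Tor Browser entry, but the added line tags it `NOT-FOR-US: Zoho`, which looks copied from the two Zoho ManageEngine entries above it. The tag should name the product in the description, or the entry should be triaged separately if a Debian package ships the affected code.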
@@ -78,67 +78,67 @@
 CVE-2017-16514
RESERVED
 CVE-2017-16513 (Ipswitch WS_FTP Professional before 12.6.0.3 has buffer 
overflows in ...)
-   TODO: check
+   NOT-FOR-US: Ipswitch WS_FTP Professional
 CVE-2017-16512
RESERVED
 CVE-2017-16511
RESERVED
 CVE-2017-1000171 (Mahara Mobile before 1.2.1 is vulnerable to passwords being 
sent to ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000157 (Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 
16.10 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000156 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000155 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000154 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000153 (Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000152 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running 
PHP 5.3 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000151 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000150 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are 
vulnerable to ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000149 (Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 
before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000148 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000147 (Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 
before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000146 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 
before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000145 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 
before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000144 (Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 
before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000143 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 
1.10.3 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000142 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 
1.10.3 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000141
RESERVED
 CVE-2017-1000140 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 
1.10.3 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000139 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 
1.10.3 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000138 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are 
vulnerable to ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000137 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are 
vulnerable to ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000136 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 
1.10.1 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000135 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 
1.10.3 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000134 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 
1.10.1 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000133 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000132 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 
1.10.3 ...)
-   TODO: check
+   - mahara 
 CVE-2017-1000131 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 
16.04 before ...)
-   TODO: check
+   - mahara 
 CVE-2017-16510 (WordPress before 4.8.3 is affected by an issue where 
$wpdb->prepare() ...)
{
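Review bot: CVE-2017-1000171 is described as a Mahara Mobile issue, yet it gets the same `- mahara` line as the server-side Mahara entries that follow. If the mobile app was never part of the mahara source package, this one should be NOT-FOR-US instead; otherwise add a NOTE saying where the package carried it.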

[Secure-testing-commits] r57351 - data/CVE

2017-11-05 Thread security tracker role
Author: sectracker
Date: 2017-11-05 21:10:14 + (Sun, 05 Nov 2017)
New Revision: 57351

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 19:35:53 UTC (rev 57350)
+++ data/CVE/list   2017-11-05 21:10:14 UTC (rev 57351)
@@ -1,3 +1,9 @@
+CVE-2017-16544
+   RESERVED
+CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via ...)
+   TODO: check
+CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 allows 
Post-authentication ...)
+   TODO: check
 CVE-2017-16541 (Tor Browser before 7.0.9 on macOS and Linux allows remote 
attackers to ...)
TODO: check
 CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote 
database ...)
@@ -1953,6 +1959,7 @@
 CVE-2017-15864
RESERVED
 CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol 
Scripting" ...)
+   {DLA-1161-1}
- redis 3:3.2.7-1
NOTE: 
https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50
 CVE-2017-15863 (Cross Site Scripting (XSS) exists in the wp-noexternallinks 
plugin ...)
@@ -9107,6 +9114,7 @@
- imagemagick 8:6.9.7.4+dfsg-14 (bug #870013)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/437a35e57db5ec078f4a3ccbf71f941276e88430
 CVE-2017-13141 (In ImageMagick before 6.9.9-4 and 7.x before 7.0.6-4, a 
crafted file ...)
+   {DSA-4019-1}
- imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870116)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/600
 CVE-2017-13138 (DOM based Cross-site scripting (XSS) vulnerability in the 
Bridge theme ...)
@@ -11046,6 +11054,7 @@
- imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870021)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/617
 CVE-2017-12671 (In ImageMagick 7.0.6-3, a missing NULL assignment was found in 
...)
+   {DSA-4019-1}
- imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870119)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/621
 CVE-2017-12669 (ImageMagick 7.0.6-2 has a memory leak vulnerability in 
WriteCALSImage ...)
@@ -11133,7 +11142,7 @@
NOTE: https://github.com/ImageMagick/ImageMagick/issues/550
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/3320955045e5a2a22c13a04fa9422bb809e75eda
 CVE-2017-12640 (ImageMagick 7.0.6-1 has an out-of-bounds read vulnerability in 
...)
-   {DLA-1081-1}
+   {DSA-4019-1 DLA-1081-1}
- imagemagick 8:6.9.7.4+dfsg-15 (bug #870106)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/542
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/78d4c5db50fbab0b4beb69c46c6167f2c6513dec
@@ -11316,7 +11325,7 @@
NOTE: https://github.com/rsyslog/rsyslog/pull/1565
NOTE: The zmq3 input and output modules are not enabled and built in 
Debian
 CVE-2017-12587 (ImageMagick 7.0.6-1 has a large loop vulnerability in the 
ReadPWPImage ...)
-   {DLA-1081-1}
+   {DSA-4019-1 DLA-1081-1}
- imagemagick 8:6.9.7.4+dfsg-16 (bug #870526)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/535
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/bb5b16c512977e8134701063e0adb05a4a342add
@@ -11732,7 +11741,7 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/7beec9a7a8a5701652b313e6e94bafd36b3627dc
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/0a170d18390d3762586f164e6abe3c4766d14620
 CVE-2017-12432 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was 
found in ...)
-   {DLA-1081-1}
+   {DSA-4019-1 DLA-1081-1}
- imagemagick 8:6.9.7.4+dfsg-16 (bug #870491)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/536
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/061de02095a56d438409c63f723f340b2d9d36c7
@@ -13291,13 +13300,14 @@
NOTE: changing the upstream pro file to enable YT_USE_YTSIG. 
YT_USE_YTSIG is
NOTE: disabled by default on upstream since 17.2.0
 CVE-2017-13140 (In ImageMagick before 6.9.9-1 and 7.x before 7.0.6-2, the ...)
+   {DSA-4019-1}
- imagemagick 8:6.9.7.4+dfsg-15 (bug #870111)
[wheezy] - imagemagick  (Vulnerable code not present)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/596
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/62fcf3d9638b87cd7ac81962cadf5bf88db62fa0
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/75f7e994e4e990627a5a37385bcc9a0205013645
 CVE-2017-13139 (In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ...)
-   {DLA-1081-1}
+   {DSA-4019-1 DLA-1081-1}
- imagemagick 8:6.9.7.4+dfsg-15 (bug #870109)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/22e0310345499ffe906c604428f2a3a668942b05
 CVE-2017-12643 (ImageMagick 7.0.6-1 has a memory exhaustion v

[Secure-testing-commits] r57350 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 19:35:53 + (Sun, 05 Nov 2017)
New Revision: 57350

Modified:
   data/CVE/list
Log:
Add more information for CVE-2015-1239

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 19:24:43 UTC (rev 57349)
+++ data/CVE/list   2017-11-05 19:35:53 UTC (rev 57350)
@@ -100326,10 +100326,14 @@
[wheezy] - chromium-browser 
[squeeze] - chromium-browser 
 CVE-2015-1239 (Double free vulnerability in the j2k_read_ppm_v3 function in 
OpenJPEG ...)
-   - openjpeg2 
+   - openjpeg2 2.1.1-1
NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=430891
NOTE: https://github.com/uclouvain/openjpeg/issues/477
-   TODO: check
+   NOTE: The issue must have been fixed in one of the commits before or 
with
+   NOTE: 
https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e
+   NOTE: which corresponds to the r2997 commit as mentioned in the merge 
which
+   NOTE: fixed the issue on Google/PDFium's side.
+   TODO: check, find exact commit
 CVE-2015-1238 (Skia, as used in Google Chrome before 42.0.2311.90, allows 
remote ...)
{DSA-3238-1}
- chromium-browser 42.0.2311.90-1
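Review bot: the hunk records `- openjpeg2 2.1.1-1` as fixed while the added NOTE only says the issue "must have been fixed in one of the commits before or with" 2d24b600, and the TODO still asks for the exact commit. Add a NOTE stating which upstream release first contains that commit so the version 2.1.1-1 can be checked against it, or keep the entry without a fixed version until the commit is identified.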




[Secure-testing-commits] r57349 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 19:24:43 + (Sun, 05 Nov 2017)
New Revision: 57349

Modified:
   data/CVE/list
Log:
Add reference to commit for CVE-2017-1000382

It would be simpler if it would just be, make the swap file force to be
600 rather to try to do complex things.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 18:22:10 UTC (rev 57348)
+++ data/CVE/list   2017-11-05 19:24:43 UTC (rev 57349)
@@ -721,6 +721,7 @@
[jessie] - vim  (Minor issue)
[wheezy] - vim  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15
+   NOTE: 
https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
 CVE-2017-16248 (The Catalyst-Plugin-Static-Simple module before 0.34 for Perl 
allows ...)
- libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558
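Review bot: the added NOTE for the vim entry is a bare commit URL, whereas other entries in this list label such links (`NOTE: Fixed by:`, `NOTE: Introduced by:`). Say whether 5a73e0ca is the upstream fix or only related work; the log message voices reservations about the approach, and those belong in a NOTE as well if they affect whether the issue counts as fixed.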




[Secure-testing-commits] r57348 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 18:22:10 + (Sun, 05 Nov 2017)
New Revision: 57348

Modified:
   data/CVE/list
Log:
CVE-2017-1000112 will be ignored for wheezy, synced from kernel-sec

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 18:21:12 UTC (rev 57347)
+++ data/CVE/list   2017-11-05 18:22:10 UTC (rev 57348)
@@ -10740,6 +10740,7 @@
 CVE-2017-1000112 (Linux kernel: Exploitable memory corruption due to UFO to 
non-UFO path ...)
{DSA-3981-1}
- linux 4.12.6-1 (low)
+   [wheezy] - linux  (Low severity and difficult to backport)
NOTE: Introduced by: 
https://git.kernel.org/linus/e89e9cf539a28df7d0eb1d0a545368e9920b34ac 
(2.6.15-rc1)
NOTE: Fixed by: 
https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
 CVE-2017-1000111 (Linux kernel: heap out-of-bounds in AF_PACKET sockets. This 
new issue ...)




[Secure-testing-commits] r57347 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 18:21:12 + (Sun, 05 Nov 2017)
New Revision: 57347

Modified:
   data/CVE/list
Log:
Sync more CVEs with kernel-sec triage

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 18:18:17 UTC (rev 57346)
+++ data/CVE/list   2017-11-05 18:21:12 UTC (rev 57347)
@@ -6,6 +6,7 @@
TODO: check
 CVE-2017-16538 (drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel 
through ...)
- linux 
+   [wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the 
Linux kernel ...)
- linux 
 CVE-2017-16536 (The cx231xx_usb_probe function in ...)
@@ -15,6 +16,8 @@
NOTE: Fixed by: 
https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e
 CVE-2017-16534 (The cdc_parse_cdc_header function in 
drivers/usb/core/message.c in the ...)
- linux 4.13.10-1
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/2e1c42391ff2556387b3cb6308b24f6f65619feb
 CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in 
the Linux ...)
- linux 4.13.10-1
@@ -27,12 +30,15 @@
NOTE: Fixed by: 
https://git.kernel.org/linus/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb
 CVE-2017-16530 (The uas driver in the Linux kernel before 4.13.6 allows local 
users to ...)
- linux 4.13.10-1
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/786de92b3cb26012d3d0f00ee37adf14527f35c4
 CVE-2017-16529 (The snd_usb_create_streams function in sound/usb/card.c in the 
Linux ...)
- linux 4.13.10-1
NOTE: Fixed by: 
https://git.kernel.org/linus/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991
 CVE-2017-16528 (sound/core/seq_device.c in the Linux kernel before 4.13.4 
allows local ...)
- linux 4.13.4-1
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57
 CVE-2017-16527 (sound/usb/mixer.c in the Linux kernel before 4.13.8 allows 
local users ...)
- linux 4.13.10-1




[Secure-testing-commits] r57346 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 18:18:17 + (Sun, 05 Nov 2017)
New Revision: 57346

Modified:
   data/CVE/list
Log:
Sync status with kernel-sec

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 18:03:07 UTC (rev 57345)
+++ data/CVE/list   2017-11-05 18:18:17 UTC (rev 57346)
@@ -12259,6 +12259,8 @@
RESERVED
 CVE-2017-12188 (arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when 
nested ...)
- linux 4.13.4-2
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500380
NOTE: https://www.spinics.net/lists/kvm/msg156651.html
 CVE-2017-12187
@@ -45438,6 +45440,7 @@
NOT-FOR-US: Broadcom driver for Android
 CVE-2017-0786 (A elevation of privilege vulnerability in the Broadcom wi-fi 
driver. ...)
- linux 4.13.4-2
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246 
(v4.14-rc4)
 CVE-2017-0785 (A information disclosure vulnerability in the Android system 
...)
NOT-FOR-US: Android




[Secure-testing-commits] r57345 - in data: . DSA

2017-11-05 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-05 18:03:07 + (Sun, 05 Nov 2017)
New Revision: 57345

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
imagemagick DSA


Modified: data/DSA/list
===
--- data/DSA/list   2017-11-05 16:26:00 UTC (rev 57344)
+++ data/DSA/list   2017-11-05 18:03:07 UTC (rev 57345)
@@ -1,3 +1,6 @@
+[05 Nov 2017] DSA-4019-1 imagemagick - security update
+   {CVE-2017-9500 CVE-2017-11446 CVE-2017-11523 CVE-2017-11533 
CVE-2017-11535 CVE-2017-11537 CVE-2017-11639 CVE-2017-11640 CVE-2017-12428 
CVE-2017-12431 CVE-2017-12432 CVE-2017-12434 CVE-2017-12587 CVE-2017-12640 
CVE-2017-12671 CVE-2017-13139 CVE-2017-13140 CVE-2017-13141 CVE-2017-13142 
CVE-2017-13143 CVE-2017-13144 CVE-2017-13145}
+   [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u2
 [04 Nov 2017] DSA-4018-1 openssl - security update
{CVE-2017-3735}
[jessie] - openssl 1.0.1t-1+deb8u7

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-05 16:26:00 UTC (rev 57344)
+++ data/dsa-needed.txt 2017-11-05 18:03:07 UTC (rev 57345)
@@ -18,9 +18,6 @@
 --
 graphicsmagick
 --
-imagemagick (jmm)
-  wait until more issues have piled up
---
 jackson-databind
   For CVE-2017-15095 (see notes for missing commits)
 --




[Secure-testing-commits] r57344 - data/DLA

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 16:26:00 + (Sun, 05 Nov 2017)
New Revision: 57344

Modified:
   data/DLA/list
Log:
Adjust CVE for redis in DLA-1161-1

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-05 16:18:54 UTC (rev 57343)
+++ data/DLA/list   2017-11-05 16:26:00 UTC (rev 57344)
@@ -1,5 +1,5 @@
 [05 Nov 2017] DLA-1161-1 redis - security update
-   {CVE-2016-1051}
+   {CVE-2016-10517}
[wheezy] - redis 2:2.4.14-1+deb7u2
 [04 Nov 2017] DLA-1160-1 wordpress - security update
{CVE-2017-16510}




[Secure-testing-commits] r57343 - in data: . DLA

2017-11-05 Thread Chris Lamb
Author: lamby
Date: 2017-11-05 16:18:54 + (Sun, 05 Nov 2017)
New Revision: 57343

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1161-1 for redis

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-05 16:01:10 UTC (rev 57342)
+++ data/DLA/list   2017-11-05 16:18:54 UTC (rev 57343)
@@ -1,3 +1,6 @@
+[05 Nov 2017] DLA-1161-1 redis - security update
+   {CVE-2016-1051}
+   [wheezy] - redis 2:2.4.14-1+deb7u2
 [04 Nov 2017] DLA-1160-1 wordpress - security update
{CVE-2017-16510}
[wheezy] - wordpress 3.6.1+dfsg-1~deb7u18
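Review bot: the added DLA-1161-1 entry lists `{CVE-2016-1051}`, which looks truncated: the redis issue tagged with DLA-1161-1 in data/CVE/list is CVE-2016-10517. The id here should read CVE-2016-10517 (r57344 makes that correction).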

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-05 16:01:10 UTC (rev 57342)
+++ data/dla-needed.txt 2017-11-05 16:18:54 UTC (rev 57343)
@@ -96,10 +96,6 @@
 qemu-kvm
   NOTE: 20171012 Can wait for more issues to pile up
 --
-redis (Chris Lamb)
-  NOTE: Chris Lamb is the maintainer.
-  NOTE: CLIENT_CLOSE_AFTER_REPLY -> REDIS_CLOSE_AFTER_REPLY in this version.
---
 rsync (Thorsten Alteholz)
 --
 rtpproxy




[Secure-testing-commits] r57342 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 16:01:10 + (Sun, 05 Nov 2017)
New Revision: 57342

Modified:
   data/CVE/list
Log:
Add references for CVE-2015-1239/openjpeg2

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 11:26:52 UTC (rev 57341)
+++ data/CVE/list   2017-11-05 16:01:10 UTC (rev 57342)
@@ -100316,6 +100316,8 @@
[squeeze] - chromium-browser 
 CVE-2015-1239 (Double free vulnerability in the j2k_read_ppm_v3 function in 
OpenJPEG ...)
- openjpeg2 
+   NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=430891
+   NOTE: https://github.com/uclouvain/openjpeg/issues/477
TODO: check
 CVE-2015-1238 (Skia, as used in Google Chrome before 42.0.2311.90, allows 
remote ...)
{DSA-3238-1}




[Secure-testing-commits] r57341 - data/CVE

2017-11-05 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-05 11:26:52 + (Sun, 05 Nov 2017)
New Revision: 57341

Modified:
   data/CVE/list
Log:
mark netbeans as ignored


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 10:23:12 UTC (rev 57340)
+++ data/CVE/list   2017-11-05 11:26:52 UTC (rev 57341)
@@ -60456,8 +60456,8 @@
 CVE-2016-5537 (Unspecified vulnerability in the NetBeans component in Oracle 
Fusion ...)
[experimental] - netbeans 8.2+dfsg1-1
- netbeans  (bug #852029)
-   [stretch] - netbeans  (No details about affected code, backport 
of Netbeans 8.2 too intrusive)
-   [wheezy] - netbeans  (No details about affected code, backport 
of Netbeans 8.2 too intrusive)
+   [stretch] - netbeans  (No details about affected code, 
backport of Netbeans 8.2 too intrusive)
+   [wheezy] - netbeans  (No details about affected code, backport 
of Netbeans 8.2 too intrusive)
 CVE-2016-5536 (Unspecified vulnerability in the Oracle Platform Security for 
Java ...)
NOT-FOR-US: Oracle
 CVE-2016-5535 (Unspecified vulnerability in the Oracle WebLogic Server 
component in ...)




[Secure-testing-commits] r57340 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 10:23:12 + (Sun, 05 Nov 2017)
New Revision: 57340

Modified:
   data/CVE/list
Log:
slurm-llnl issue fixed via new upstream version upload to sid

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 10:11:42 UTC (rev 57339)
+++ data/CVE/list   2017-11-05 10:23:12 UTC (rev 57340)
@@ -2565,7 +2565,7 @@
 CVE-2017-15567 (The certificate import component in IDEMIA (formerly Morpho) 
...)
NOT-FOR-US: IDEMIA
 CVE-2017-15566 (Insecure SPANK environment variable handling exists in SchedMD 
Slurm ...)
-   - slurm-llnl  (bug #880530)
+   - slurm-llnl 17.02.9-1 (bug #880530)
[jessie] - slurm-llnl  (Vulnerable code introduced later)
[wheezy] - slurm-llnl  (Vulnerable code introduced later)
NOTE: https://bugs.schedmd.com/show_bug.cgi?id=4228 (not public)




[Secure-testing-commits] r57339 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 10:11:42 + (Sun, 05 Nov 2017)
New Revision: 57339

Modified:
   data/CVE/list
Log:
Mark CVE-2017-5130 as well as fixed as per for the upstream version 62.0.3202.62

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 09:16:02 UTC (rev 57338)
+++ data/CVE/list   2017-11-05 10:11:42 UTC (rev 57339)
@@ -34322,7 +34322,7 @@
 CVE-2017-5130
RESERVED
- libxml2  (bug #88)
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=722079 (not 
public)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783026 (not public)




[Secure-testing-commits] r57337 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 08:44:04 + (Sun, 05 Nov 2017)
New Revision: 57337

Modified:
   data/CVE/list
Log:
Mark fixes for unstable chromium-browser upload; one CVE kept for further investigation

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 08:29:09 UTC (rev 57336)
+++ data/CVE/list   2017-11-05 08:44:04 UTC (rev 57337)
@@ -2987,49 +2987,49 @@
RESERVED
 CVE-2017-15396
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
- libv8  (unimportant)
NOTE: libv8 not covered by security support
 CVE-2017-15395
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15394
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15393
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15392
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15391
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15390
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15389
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15388
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15387
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15386
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15385 (The store_versioninfo_gnu_verdef function in 
libr/bin/format/elf/elf.c ...)
- radare2  (bug #879119)
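Review bot: All eleven entries from CVE-2017-15396 down to CVE-2017-15386 receive the same fixed version 62.0.3202.75-1 while each is still RESERVED and carries no NOTE, so the list alone gives no way to check that the upload covers each id. A NOTE per entry with the upstream reference would make the mapping checkable later. For CVE-2017-15396 the libv8 line stays "(unimportant)" beside the new fixed version, which is consistent with the existing "libv8 not covered by security support" note.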
@@ -34309,15 +34309,15 @@
RESERVED
 CVE-2017-5133
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5132
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5131
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5130
RESERVED
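Review bot: The log says one CVE is kept for further investigation but does not name it. Between CVE-2017-5133 and CVE-2017-5124, CVE-2017-5130 is the only id that this hunk and the next leave without a changed line, and here it appears only as trailing context. Name the CVE in the commit message so the exception can be found without reading the diff.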
@@ -34331,27 +34331,27 @@
TODO: waiting for upstream confirmation that mapping is correct, and 
initially triaged by gcs
 CVE-2017-5129
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5128
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5127
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5126
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5125
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5124
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-5123 [waitid() not calling access_ok()]
RESERVED
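Review bot: The TODO in the leading context ("waiting for upstream confirmation that mapping is correct, and initially triaged by gcs") stays directly above CVE-2017-5129 with no date and no CVE id in it. With the neighbouring entries now marked fixed in 62.0.3202.75-1, add the date or the affected id to the TODO so it is clear that it is still open and which entry it belongs to.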




[Secure-testing-commits] r57336 - data

2017-11-05 Thread Chris Lamb
Author: lamby
Date: 2017-11-05 08:29:09 + (Sun, 05 Nov 2017)
New Revision: 57336

Modified:
   data/dla-needed.txt
Log:
Claim redis in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-05 08:27:30 UTC (rev 57335)
+++ data/dla-needed.txt 2017-11-05 08:29:09 UTC (rev 57336)
@@ -96,7 +96,7 @@
 qemu-kvm
   NOTE: 20171012 Can wait for more issues to pile up
 --
-redis
+redis (Chris Lamb)
   NOTE: Chris Lamb is the maintainer.
   NOTE: CLIENT_CLOSE_AFTER_REPLY -> REDIS_CLOSE_AFTER_REPLY in this version.
 --
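Review bot: The second NOTE under redis ("CLIENT_CLOSE_AFTER_REPLY -> REDIS_CLOSE_AFTER_REPLY in this version.") does not say which CVE or upstream patch the rename applies to. Since the entry is now claimed, name the issue in that NOTE so anyone picking the work up later can follow it. The first NOTE ("Chris Lamb is the maintainer.") now repeats the name on the claim line and could be dropped or reworded.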




[Secure-testing-commits] r57335 - data

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 08:27:30 + (Sun, 05 Nov 2017)
New Revision: 57335

Modified:
   data/next-oldstable-point-update.txt
   data/next-point-update.txt
Log:
Add tracking of proposed {jessie,stretch}-pu for icu

Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-11-04 23:24:04 UTC (rev 
57334)
+++ data/next-oldstable-point-update.txt2017-11-05 08:27:30 UTC (rev 
57335)
@@ -104,3 +104,5 @@
[jessie] - linux 3.16.48-1
 CVE-2014-8184
[jessie] - liblouis 2.5.3-3+deb8u1
+CVE-2017-14952
+   [jessie] - icu 52.1-8+deb8u6
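Review bot: The added CVE-2017-14952 line records icu 52.1-8+deb8u6 with nothing tying it to the jessie-pu request that the log calls proposed. If the upload is re-versioned during review this line goes stale, so re-check the version once the request is processed. The same applies to the 57.1-6+deb9u1 line added to data/next-point-update.txt.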

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2017-11-04 23:24:04 UTC (rev 57334)
+++ data/next-point-update.txt  2017-11-05 08:27:30 UTC (rev 57335)
@@ -33,3 +33,5 @@
[stretch] - busybox 1:1.22.0-19+deb9u1
 CVE-2017-2810
[stretch] - python-tablib 0.9.11-2+deb9u1
+CVE-2017-14952
+   [stretch] - icu 57.1-6+deb9u1




[Secure-testing-commits] r57338 - data/CVE

2017-11-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-05 09:16:02 + (Sun, 05 Nov 2017)
New Revision: 57338

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2012-6707

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-05 08:44:04 UTC (rev 57337)
+++ data/CVE/list   2017-11-05 09:16:02 UTC (rev 57338)
@@ -2451,7 +2451,7 @@
 CVE-2017-15638
RESERVED
 CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing 
...)
-   - wordpress 
+   - wordpress  (bug #880868)
NOTE: https://core.trac.wordpress.org/ticket/21022
NOTE: Proposed patch (but not merged): 
https://core.trac.wordpress.org/attachment/ticket/21022/21022.3.diff
NOTE: Cf. https://core.trac.wordpress.org/ticket/21022#comment:80 and 
following.
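Review bot: The changed wordpress line gains the bug reference, but the entry still has no suite-specific lines, and the NOTE below it says the proposed patch is not merged. Add the triage decision for the supported suites (or a NOTE explaining why none is made yet) next to bug #880868, so the entry does not stay open with no stated plan.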

