date:20171106

[Secure-testing-commits] r57394 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-07 06:35:50 + (Tue, 07 Nov 2017)
New Revision: 57394

Modified:
   data/CVE/list
Log:
Record two fixes for chromium-browser

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-07 06:23:05 UTC (rev 57393)
+++ data/CVE/list   2017-11-07 06:35:50 UTC (rev 57394)
@@ -3183,13 +3183,13 @@
RESERVED
 CVE-2017-15399
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.89-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
- libv8  (unimportant)
NOTE: libv8 not covered by security support
 CVE-2017-15398
RESERVED
-   - chromium-browser 
+   - chromium-browser 62.0.3202.89-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15397
RESERVED


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57393 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-07 06:23:05 + (Tue, 07 Nov 2017)
New Revision: 57393

Modified:
   data/CVE/list
Log:
Add CVE-2017-150102 information for jessie and wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-07 06:20:15 UTC (rev 57392)
+++ data/CVE/list   2017-11-07 06:23:05 UTC (rev 57393)
@@ -3995,6 +3995,8 @@
 CVE-2017-15102 [NULL pointer dereference due to race condition in probe 
function of legousbtower driver]
RESERVED
- linux 4.7.8-1
+   [jessie] - linux 3.16.43-1
+   [wheezy] - linux 3.2.86-1
NOTE: Fixed by: 
https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1)
 CVE-2017-15101
RESERVED


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57392 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-07 06:20:15 + (Tue, 07 Nov 2017)
New Revision: 57392

Modified:
   data/CVE/list
Log:
Add CVE-2017-15102/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-07 05:52:46 UTC (rev 57391)
+++ data/CVE/list   2017-11-07 06:20:15 UTC (rev 57392)
@@ -3992,8 +3992,10 @@
RESERVED
 CVE-2017-15103
RESERVED
-CVE-2017-15102
+CVE-2017-15102 [NULL pointer dereference due to race condition in probe 
function of legousbtower driver]
RESERVED
+   - linux 4.7.8-1
+   NOTE: Fixed by: 
https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1)
 CVE-2017-15101
RESERVED
 CVE-2017-15100


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57390 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-07 05:52:36 + (Tue, 07 Nov 2017)
New Revision: 57390

Modified:
   data/CVE/list
Log:
Slightly adjust ordering of entries

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-07 02:36:56 UTC (rev 57389)
+++ data/CVE/list   2017-11-07 05:52:36 UTC (rev 57390)
@@ -7175,9 +7175,9 @@
NOTE: 
https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305
 CVE-2017-14060 (In ImageMagick 7.0.6-10, a NULL Pointer Dereference issue is 
present in ...)
{DLA-1131-1}
+   - imagemagick  (low; bug #878506)
[stretch] - imagemagick  (Minor issue)
[jessie] - imagemagick  (Minor issue)
-   - imagemagick  (low; bug #878506)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/710
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/c535e1f1a6b1faaa35e007df4fc535ec08daa97c
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/5bdfef29f5e6744f36f25ec04583c6b6f4a13b48


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57391 - data

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-07 05:52:46 + (Tue, 07 Nov 2017)
New Revision: 57391

Modified:
   data/dsa-needed.txt
Log:
Add wordpress to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-07 05:52:36 UTC (rev 57390)
+++ data/dsa-needed.txt 2017-11-07 05:52:46 UTC (rev 57391)
@@ -70,6 +70,8 @@
   2017-05-13: asked balint@ if he wants to prepare an update now
   2017-07-28: re-ping balint@
 --
+wordpress
+--
 xen
 --
 zendframework/oldstable


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57389 - data/CVE

2017-11-06 Thread Michael Gilbert

Author: mgilbert
Date: 2017-11-07 02:36:56 + (Tue, 07 Nov 2017)
New Revision: 57389

Modified:
   data/CVE/list
Log:
nfus


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 22:07:48 UTC (rev 57388)
+++ data/CVE/list   2017-11-07 02:36:56 UTC (rev 57389)
@@ -133,11 +133,11 @@
 CVE-2017-16566
RESERVED
 CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage 
...)
-   TODO: check
+   NOT-FOR-US: Vonage
 CVE-2017-16564 (Stored Cross-site scripting (XSS) vulnerability in 
/cgi-bin/config2 on ...)
-   TODO: check
+   NOT-FOR-US: Vonage
 CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen 
on ...)
-   TODO: check
+   NOT-FOR-US: Vonage
 CVE-2017-16562
RESERVED
 CVE-2017-16561
@@ -1417,7 +1417,7 @@
 CVE-2017-16002
RESERVED
 CVE-2017-16001 (In HashiCorp Vagrant VMware Fusion plugin (aka 
vagrant-vmware-fusion) ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-16000 (SQL injection vulnerability in the EyesOfNetwork web interface 
(aka ...)
NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2017-15999 (In the NQ Contacts Backup  Restore 
application 1.1 for Android, no ...)
@@ -15392,7 +15392,7 @@
 CVE-2017-11178 (In FineCMS through 2017-07-11, 
application/core/controller/style.php ...)
NOT-FOR-US: FineCMS
 CVE-2017-11177 (TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict 
file ...)
-   TODO: check
+   NOT-FOR-US: TRITON
 CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does 
not set ...)
{DSA-3945-1 DSA-3927-1 DLA-1099-1}
- linux 4.11.11-1
@@ -15757,11 +15757,11 @@
 CVE-2017-11123
RESERVED
 CVE-2017-11122 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an 
attacker can ...)
-   TODO: check
+   NOT-FOR-US: Broadcom
 CVE-2017-11121 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other 
chips, ...)
-   TODO: check
+   NOT-FOR-US: Broadcom
 CVE-2017-11120 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other 
chips, ...)
-   TODO: check
+   NOT-FOR-US: Broadcom
 CVE-2017-9 (The chk_mem_access function in cpu/nes6502/nes6502.c in 
libnosefart.a ...)
- xine-lib-1.2  (it is built with --disable-nosefart)
- xine-lib  (it is built with --disable-nosefart)
@@ -26909,7 +26909,7 @@
 CVE-2017-7426
RESERVED
 CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager 
...)
-   TODO: check
+   NOT-FOR-US: NetIQ
 CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro 
Focus ...)
NOT-FOR-US: Micro Focus
 CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in 
esfadmingui in ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57388 - data/CVE

2017-11-06 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-06 22:07:48 + (Mon, 06 Nov 2017)
New Revision: 57388

Modified:
   data/CVE/list
Log:
one java issue apparently specific to Oracle Java
koji no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 22:07:10 UTC (rev 57387)
+++ data/CVE/list   2017-11-06 22:07:48 UTC (rev 57388)
@@ -4106,6 +4106,7 @@
REJECTED
 CVE-2017-1002153 (Koji 1.13.0 does not properly validate SCM paths, allowing 
an attacker ...)
- koji  (bug #877921)
+   [stretch] - koji  (Minor issue)
NOTE: https://pagure.io/koji/issue/563
NOTE: https://pagure.io/koji/c/ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3
 CVE-2017-1000257 (An IMAP FETCH response line indicates the size of the 
returned data, ...)
@@ -18463,10 +18464,9 @@
- mysql-5.5  (Only affects MySQL 5.6 and 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10293 (Vulnerability in the Java SE component of Oracle Java SE ...)
-   - openjdk-8 8u151-b12-1
-   - openjdk-7 
-   - openjdk-6 
-   [wheezy] - openjdk-6 
+   - openjdk-8  (Seems to be specific to Oracle Java)
+   - openjdk-7  (Seems to be specific to Oracle Java)
+   - openjdk-6  (Seems to be specific to Oracle Java)
 CVE-2017-10292 (Vulnerability in the RDBMS Security component of Oracle 
Database ...)
NOT-FOR-US: Oracle
 CVE-2017-10291


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57387 - data

2017-11-06 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-06 22:07:10 + (Mon, 06 Nov 2017)
New Revision: 57387

Modified:
   data/dsa-needed.txt
Log:
readd libav to dsa-needed


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-06 22:00:09 UTC (rev 57386)
+++ data/dsa-needed.txt 2017-11-06 22:07:10 UTC (rev 57387)
@@ -19,6 +19,9 @@
 jackson-databind
   For CVE-2017-15095 (see notes for missing commits)
 --
+libav/oldstable
+  We can ship the next libav 11.x point release when available
+--
 libreoffice/oldstable
 --
 libvpx/oldstable


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57386 - data/CVE

2017-11-06 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-06 22:00:09 + (Mon, 06 Nov 2017)
New Revision: 57386

Modified:
   data/CVE/list
Log:
new chromium issues


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 21:56:27 UTC (rev 57385)
+++ data/CVE/list   2017-11-06 22:00:09 UTC (rev 57386)
@@ -3183,8 +3183,14 @@
RESERVED
 CVE-2017-15399
RESERVED
+   - chromium-browser 
+   [wheezy] - chromium-browser  (Not supported in Wheezy)
+   - libv8  (unimportant)
+   NOTE: libv8 not covered by security support
 CVE-2017-15398
RESERVED
+   - chromium-browser 
+   [wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15397
RESERVED
 CVE-2017-15396


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57385 - data/CVE

2017-11-06 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-06 21:56:27 + (Mon, 06 Nov 2017)
New Revision: 57385

Modified:
   data/CVE/list
Log:
im triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 21:42:20 UTC (rev 57384)
+++ data/CVE/list   2017-11-06 21:56:27 UTC (rev 57385)
@@ -6129,6 +6129,8 @@
 CVE-2017-14400 (In ImageMagick 7.0.7-1 Q16, the PersistPixelCache function in 
...)
{DLA-1131-1}
- imagemagick  (low; bug #878546)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/746
NOTE: im6 patch: 
https://github.com/ImageMagick/ImageMagick/commit/04b863f15effa4375e4ee42f413f0246062b48af
NOTE: im6 patch: 
https://github.com/ImageMagick/ImageMagick/commit/44a55580ac8c01d8cff1e6e0063820af113f8591
@@ -6257,6 +6259,8 @@
 CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in 
ReadWPGImage in ...)
{DLA-1131-1}
- imagemagick  (low; bug #876105)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/654
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4
@@ -6513,6 +6517,8 @@
 CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage 
in ...)
{DLA-1131-1}
- imagemagick  (low; bug #876099)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/708
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/2071d67ebf729f76d73c33c1152df4816d1d79ac
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/66112b7a7b64f688efe6fec53a829874a74dea04
@@ -6728,23 +6734,31 @@
NOT-FOR-US: aacplusenc
 CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in 
ReadXBMImage() due ...)
{DLA-1131-1}
-   - imagemagick  (bug #875502)
+   - imagemagick  (low; bug #875502)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/712
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56
 CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ...)
{DLA-1131-1}
-   - imagemagick  (bug #875503)
+   - imagemagick  (low; bug #875503)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/714
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64
 CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 
7.0.6-10, ...)
{DLA-1131-1}
-   - imagemagick  (bug #875504)
+   - imagemagick  (low; bug #875504)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/713
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d
 CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in 
ReadPSImage() due ...)
{DLA-1131-1}
-   - imagemagick  (bug #875506)
+   - imagemagick  (low; bug #875506)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/715
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c
 CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in ...)
@@ -7154,7 +7168,9 @@
NOTE: 
https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305
 CVE-2017-14060 (In ImageMagick 7.0.6-10, a NULL Pointer Dereference issue is 
present in ...)
{DLA-1131-1}
-   - imagemagick  (bug #878506)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
+   - imagemagick  (low; bug #878506)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/710
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/c535e1f1a6b1faaa35e007df4fc535ec08daa97c
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/5bdfef29f5e6744f36f25ec04583c6b6f4a13b48
@@ -7797,6 +7813,8 @@
 CVE-2017-13768 (Null Pointer Dereference in the IdentifyImage function in ...)
{DLA-1131-1}
- imagemagick

[Secure-testing-commits] r57384 - data

2017-11-06 Thread Markus Koschany

Author: apo
Date: 2017-11-06 21:42:20 + (Mon, 06 Nov 2017)
New Revision: 57384

Modified:
   data/dla-needed.txt
Log:
Claim mupdf in dla-needed.txt


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-06 21:35:31 UTC (rev 57383)
+++ data/dla-needed.txt 2017-11-06 21:42:20 UTC (rev 57384)
@@ -63,7 +63,7 @@
   NOTE: For CVE-2017-14409, 
https://security-tracker.debian.org/tracker/CVE-2017-9872 might be of interest, 
files are very similar
   NOTE: adapting/writing patches seems to be very time consuming, mp3gain is 
dead upstream so this might be a candidate for no-dsa -- Hugo Lefeuvre
 --
-mupdf
+mupdf (Markus Koschany)
   NOTE: signedness checks in xps_read_zip_dir are missing (CVE-2017-14686)
   NOTE: and xml_tag doesn't do a NULL check (CVE-2017-14687)
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57383 - data/DLA

2017-11-06 Thread Chris Lamb

Author: lamby
Date: 2017-11-06 21:35:31 + (Mon, 06 Nov 2017)
New Revision: 57383

Modified:
   data/DLA/list
Log:
Reserve DLA-1163-1 for apr-util/CVE-2017-12618

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-06 21:10:16 UTC (rev 57382)
+++ data/DLA/list   2017-11-06 21:35:31 UTC (rev 57383)
@@ -1,3 +1,6 @@
+[06 Nov 2017] DLA-1163-1 apr-util - security update
+   {CVE-2017-12618}
+   [wheezy] - apr-util 1.4.1-3+deb7u1
 [06 Nov 2017] DLA-1162-1 apr - security update
{CVE-2017-12613}
[wheezy] - apr 1.4.6-3+deb7u2


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57382 - data/CVE

2017-11-06 Thread security tracker role

Author: sectracker
Date: 2017-11-06 21:10:16 + (Mon, 06 Nov 2017)
New Revision: 57382

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 20:53:43 UTC (rev 57381)
+++ data/CVE/list   2017-11-06 21:10:16 UTC (rev 57382)
@@ -1,3 +1,127 @@
+CVE-2017-16632
+   RESERVED
+CVE-2017-16631
+   RESERVED
+CVE-2017-16630
+   RESERVED
+CVE-2017-16629
+   RESERVED
+CVE-2017-16628
+   RESERVED
+CVE-2017-16627
+   RESERVED
+CVE-2017-16626
+   RESERVED
+CVE-2017-16625
+   RESERVED
+CVE-2017-16624
+   RESERVED
+CVE-2017-16623
+   RESERVED
+CVE-2017-16622
+   RESERVED
+CVE-2017-16621
+   RESERVED
+CVE-2017-16620
+   RESERVED
+CVE-2017-16619
+   RESERVED
+CVE-2017-16618
+   RESERVED
+CVE-2017-16617
+   RESERVED
+CVE-2017-16616
+   RESERVED
+CVE-2017-16615
+   RESERVED
+CVE-2017-16614
+   RESERVED
+CVE-2017-16613
+   RESERVED
+CVE-2017-16612
+   RESERVED
+CVE-2017-16611
+   RESERVED
+CVE-2017-16610
+   RESERVED
+CVE-2017-16609
+   RESERVED
+CVE-2017-16608
+   RESERVED
+CVE-2017-16607
+   RESERVED
+CVE-2017-16606
+   RESERVED
+CVE-2017-16605
+   RESERVED
+CVE-2017-16604
+   RESERVED
+CVE-2017-16603
+   RESERVED
+CVE-2017-16602
+   RESERVED
+CVE-2017-16601
+   RESERVED
+CVE-2017-16600
+   RESERVED
+CVE-2017-16599
+   RESERVED
+CVE-2017-16598
+   RESERVED
+CVE-2017-16597
+   RESERVED
+CVE-2017-16596
+   RESERVED
+CVE-2017-16595
+   RESERVED
+CVE-2017-16594
+   RESERVED
+CVE-2017-16593
+   RESERVED
+CVE-2017-16592
+   RESERVED
+CVE-2017-16591
+   RESERVED
+CVE-2017-16590
+   RESERVED
+CVE-2017-16589
+   RESERVED
+CVE-2017-16588
+   RESERVED
+CVE-2017-16587
+   RESERVED
+CVE-2017-16586
+   RESERVED
+CVE-2017-16585
+   RESERVED
+CVE-2017-16584
+   RESERVED
+CVE-2017-16583
+   RESERVED
+CVE-2017-16582
+   RESERVED
+CVE-2017-16581
+   RESERVED
+CVE-2017-16580
+   RESERVED
+CVE-2017-16579
+   RESERVED
+CVE-2017-16578
+   RESERVED
+CVE-2017-16577
+   RESERVED
+CVE-2017-16576
+   RESERVED
+CVE-2017-16575
+   RESERVED
+CVE-2017-16574
+   RESERVED
+CVE-2017-16573
+   RESERVED
+CVE-2017-16572
+   RESERVED
+CVE-2017-16571
+   RESERVED
 CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF 
bypass by ...)
NOT-FOR-US: KeystoneJS
 CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 
via an ...)
@@ -1292,8 +1416,8 @@
RESERVED
 CVE-2017-16002
RESERVED
-CVE-2017-16001
-   RESERVED
+CVE-2017-16001 (In HashiCorp Vagrant VMware Fusion plugin (aka 
vagrant-vmware-fusion) ...)
+   TODO: check
 CVE-2017-16000 (SQL injection vulnerability in the EyesOfNetwork web interface 
(aka ...)
NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2017-15999 (In the NQ Contacts Backup  Restore 
application 1.1 for Android, no ...)
@@ -2436,8 +2560,7 @@
RESERVED
 CVE-2017-15673
RESERVED
-CVE-2017-15672
-   RESERVED
+CVE-2017-15672 (The read_header function in libavcodec/ffv1dec.c in FFmpeg 
3.3.4 and ...)
- ffmpeg 
[stretch] - ffmpeg  (Wait until next round of security 
releases)
- libav 
@@ -3303,8 +3426,7 @@
RESERVED
 CVE-2017-15307
RESERVED
-CVE-2017-15306 [KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM]
-   RESERVED
+CVE-2017-15306 (The kvm_vm_ioctl_check_extension function in 
arch/powerpc/kvm/powerpc.c ...)
- linux 
[jessie] - linux  (Vulnerable code introduced later)
[wheezy] - linux  (Vulnerable code introduced later)
@@ -11307,6 +11429,7 @@
 CVE-2017-12614
RESERVED
 CVE-2017-12613 (When apr_exp_time*() or apr_os_exp_time*() functions are 
invoked with ...)
+   {DLA-1162-1}
- apr 1.6.3-1 (low; bug #879708)
[stretch] - apr  (Minor issue)
[jessie] - apr  (Minor issue)
@@ -15205,8 +15328,8 @@
NOT-FOR-US: FineCMS
 CVE-2017-11178 (In FineCMS through 2017-07-11, 
application/core/controller/style.php ...)
NOT-FOR-US: FineCMS
-CVE-2017-11177
-   RESERVED
+CVE-2017-11177 (TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict 
file ...)
+   TODO: check
 CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does 
not set ...)
{DSA-3945-1 DSA-3927-1 DLA-1099-1}
- linux 4.11.11-1
@@ -26723,8 +26846,8 @@
RESERVED
 CVE-2017-7426
RESERVED
-CVE-2017-7425
-   RESERVED
+CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager 
...)
+   TODO: check
 CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro 
Focus ...)
NOT-FOR-US: Micro Focus
 CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in 
esfadmingui in ...)
@@ -80803,8 +80926,7 @@

[Secure-testing-commits] r57381 - data/CVE

2017-11-06 Thread Ola Lundqvist

Author: opal
Date: 2017-11-06 20:53:43 + (Mon, 06 Nov 2017)
New Revision: 57381

Modified:
   data/CVE/list
Log:
Note fix.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 20:51:28 UTC (rev 57380)
+++ data/CVE/list   2017-11-06 20:53:43 UTC (rev 57381)
@@ -57,12 +57,12 @@
NOTE: https://github.com/ImageMagick/ImageMagick/issues/851
 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 
1.3.26 does ...)
- graphicsmagick 1.3.26-18
+   [wheezy] - graphicsmagick  (Not possible to trigger with 
presented test case)
NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/
NOTE: The wheezy version gives an assert before the vulnerability can 
be triggered. Due to this
NOTE: the severity of the wheezy version is low even though the 
vulnerable code is still present.
NOTE: The patch is trivial so it may be worth fixing in combination 
with some other fix.
-   [wheezy] - graphicsmagick  (Not possible to trigger with 
presented test case)
 CVE-2017-16544
RESERVED
 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57380 - in data: . DLA

2017-11-06 Thread Chris Lamb

Author: lamby
Date: 2017-11-06 20:51:28 + (Mon, 06 Nov 2017)
New Revision: 57380

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1162-1 for apr/CVE-2017-12613.

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-06 20:48:26 UTC (rev 57379)
+++ data/DLA/list   2017-11-06 20:51:28 UTC (rev 57380)
@@ -1,3 +1,6 @@
+[06 Nov 2017] DLA-1162-1 apr - security update
+   {CVE-2017-12613}
+   [wheezy] - apr 1.4.6-3+deb7u2
 [05 Nov 2017] DLA-1161-1 redis - security update
{CVE-2016-10517}
[wheezy] - redis 2:2.4.14-1+deb7u2

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-06 20:48:26 UTC (rev 57379)
+++ data/dla-needed.txt 2017-11-06 20:51:28 UTC (rev 57380)
@@ -10,10 +10,6 @@
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
-apr (Chris Lamb)
---
-apr-util (Chris Lamb)
---
 ca-certificates
   NOTE: 20170719: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
   NOTE: 20171013: anarcat pinged maintainer: 
https://lists.debian.org/87efpuc95w@curie.anarc.at


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57379 - data

2017-11-06 Thread Ola Lundqvist

Author: opal
Date: 2017-11-06 20:48:26 + (Mon, 06 Nov 2017)
New Revision: 57379

Modified:
   data/dla-needed.txt
Log:
Triaging.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-06 20:36:58 UTC (rev 57378)
+++ data/dla-needed.txt 2017-11-06 20:48:26 UTC (rev 57379)
@@ -20,6 +20,8 @@
 --
 graphicsmagick
 --
+imagemagick
+--
 irssi (Rhonda D'Vine)
 --
 jasperreports


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57378 - in data: . CVE

2017-11-06 Thread Ola Lundqvist

Author: opal
Date: 2017-11-06 20:36:58 + (Mon, 06 Nov 2017)
New Revision: 57378

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Triaging graphicsmagick.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 20:03:20 UTC (rev 57377)
+++ data/CVE/list   2017-11-06 20:36:58 UTC (rev 57378)
@@ -59,6 +59,10 @@
- graphicsmagick 1.3.26-18
NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/
+   NOTE: The wheezy version gives an assert before the vulnerability can 
be triggered. Due to this
+   NOTE: the severity of the wheezy version is low even though the 
vulnerable code is still present.
+   NOTE: The patch is trivial so it may be worth fixing in combination 
with some other fix.
+   [wheezy] - graphicsmagick  (Not possible to trigger with 
presented test case)
 CVE-2017-16544
RESERVED
 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via ...)

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-06 20:03:20 UTC (rev 57377)
+++ data/dla-needed.txt 2017-11-06 20:36:58 UTC (rev 57378)
@@ -18,6 +18,8 @@
   NOTE: 20170719: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
   NOTE: 20171013: anarcat pinged maintainer: 
https://lists.debian.org/87efpuc95w@curie.anarc.at
 --
+graphicsmagick
+--
 irssi (Rhonda D'Vine)
 --
 jasperreports


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57377 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 20:03:20 + (Mon, 06 Nov 2017)
New Revision: 57377

Modified:
   data/CVE/list
Log:
Update CVE-2017-16541

needs a check if this is actually a firefox vulnerablity or if the CVE
is specific to the Tor Browser.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 19:54:35 UTC (rev 57376)
+++ data/CVE/list   2017-11-06 20:03:20 UTC (rev 57377)
@@ -66,7 +66,7 @@
 CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 allows 
Post-authentication ...)
NOT-FOR-US: Zoho
 CVE-2017-16541 (Tor Browser before 7.0.9 on macOS and Linux allows remote 
attackers to ...)
-   NOT-FOR-US: Zoho
+   TODO: check
 CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote 
database ...)
NOT-FOR-US: OpenEMR
 CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker 
Moby through ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57375 - data

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 19:54:34 + (Mon, 06 Nov 2017)
New Revision: 57375

Modified:
   data/dsa-needed.txt
Log:
Add note for ruby2.3

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-06 19:37:21 UTC (rev 57374)
+++ data/dsa-needed.txt 2017-11-06 19:54:34 UTC (rev 57375)
@@ -48,6 +48,7 @@
 --
 ruby2.3
   Maintainer (terceiro) proposed update, needs review and ack
+  Upload reviewed and acked to be uploaded (including additional change)
 --
 salt
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57376 - data

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 19:54:35 + (Mon, 06 Nov 2017)
New Revision: 57376

Modified:
   data/dsa-needed.txt
Log:
Add slurm-llnl to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-06 19:54:34 UTC (rev 57375)
+++ data/dsa-needed.txt 2017-11-06 19:54:35 UTC (rev 57376)
@@ -54,6 +54,9 @@
 --
 simplesamlphp
 --
+slurm-llnl
+  Maintainer proposed debdiff, asked questions back but basically ok to upload
+--
 tiff
   wait until more issues are around
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57374 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 19:37:21 + (Mon, 06 Nov 2017)
New Revision: 57374

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2017-12613

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 19:36:10 UTC (rev 57373)
+++ data/CVE/list   2017-11-06 19:37:21 UTC (rev 57374)
@@ -11303,7 +11303,7 @@
 CVE-2017-12614
RESERVED
 CVE-2017-12613 (When apr_exp_time*() or apr_os_exp_time*() functions are 
invoked with ...)
-   - apr  (low; bug #879708)
+   - apr 1.6.3-1 (low; bug #879708)
[stretch] - apr  (Minor issue)
[jessie] - apr  (Minor issue)
NOTE: 
mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57373 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 19:36:10 + (Mon, 06 Nov 2017)
New Revision: 57373

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2017-12618/apr-util

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 18:07:03 UTC (rev 57372)
+++ data/CVE/list   2017-11-06 19:36:10 UTC (rev 57373)
@@ -11273,7 +11273,7 @@
 CVE-2017-12619
RESERVED
 CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior 
fail to ...)
-   - apr-util  (low; bug #879996)
+   - apr-util 1.6.1-1 (low; bug #879996)
NOTE: 
mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E
NOTE: 
https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147
 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 
to ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57372 - data/CVE

2017-11-06 Thread László Böszörményi

Author: gcs
Date: 2017-11-06 18:07:03 + (Mon, 06 Nov 2017)
New Revision: 57372

Modified:
   data/CVE/list
Log:
Add CVE-2017-1654[57]/graphicsmagick fixed version in unstable


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 17:14:06 UTC (rev 57371)
+++ data/CVE/list   2017-11-06 18:07:03 UTC (rev 57372)
@@ -47,7 +47,7 @@
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112
NOTE: 
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 
1.3.26 does ...)
-   - graphicsmagick 
+   - graphicsmagick 1.3.26-18
NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/
 CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 
7.0.7-9 does ...)
@@ -56,7 +56,7 @@
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816
NOTE: https://github.com/ImageMagick/ImageMagick/issues/851
 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 
1.3.26 does ...)
-   - graphicsmagick 
+   - graphicsmagick 1.3.26-18
NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/
 CVE-2017-16544


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57371 - data/CVE

2017-11-06 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-06 17:14:06 + (Mon, 06 Nov 2017)
New Revision: 57371

Modified:
   data/CVE/list
Log:
bchunk fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 16:37:55 UTC (rev 57370)
+++ data/CVE/list   2017-11-06 17:14:06 UTC (rev 57371)
@@ -1782,15 +1782,15 @@
NOT-FOR-US: ConverTo Video Downloader
 CVE-2017-15955 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable 
to an ...)
{DLA-1158-1}
-   - bchunk  (bug #880116)
+   - bchunk 1.2.0-12.1 (bug #880116)
NOTE: https://github.com/extramaster/bchunk/issues/4
 CVE-2017-15954 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable 
to a ...)
{DLA-1158-1}
-   - bchunk  (bug #880116)
+   - bchunk 1.2.0-12.1 (bug #880116)
NOTE: https://github.com/extramaster/bchunk/issues/3
 CVE-2017-15953 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable 
to a ...)
{DLA-1158-1}
-   - bchunk  (bug #880116)
+   - bchunk 1.2.0-12.1 (bug #880116)
NOTE: https://github.com/extramaster/bchunk/issues/2
 CVE-2017-15952
RESERVED


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57370 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 16:37:55 + (Mon, 06 Nov 2017)
New Revision: 57370

Modified:
   data/CVE/list
Log:
Revert "GlusterFS issue fixed in unstable"

Further investigation shows that the issue is not fixed.

This reverts commit 700477017731d49a8df2cb0f224e28555466482c.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 16:36:07 UTC (rev 57369)
+++ data/CVE/list   2017-11-06 16:37:55 UTC (rev 57370)
@@ -3874,7 +3874,7 @@
 CVE-2017-15097
RESERVED
 CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A 
null ...)
-   - glusterfs 3.12.2-1 (bug #880017)
+   - glusterfs  (bug #880017)
[stretch] - glusterfs  (Vulnerable code introduced later)
[jessie] - glusterfs  (Vulnerable code introduced later)
[wheezy] - glusterfs  (Vulnerable code introduced later)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57369 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 16:36:07 + (Mon, 06 Nov 2017)
New Revision: 57369

Modified:
   data/CVE/list
Log:
GlusterFS issue fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 16:34:00 UTC (rev 57368)
+++ data/CVE/list   2017-11-06 16:36:07 UTC (rev 57369)
@@ -3874,7 +3874,7 @@
 CVE-2017-15097
RESERVED
 CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A 
null ...)
-   - glusterfs  (bug #880017)
+   - glusterfs 3.12.2-1 (bug #880017)
[stretch] - glusterfs  (Vulnerable code introduced later)
[jessie] - glusterfs  (Vulnerable code introduced later)
[wheezy] - glusterfs  (Vulnerable code introduced later)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57368 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 16:34:00 + (Mon, 06 Nov 2017)
New Revision: 57368

Modified:
   data/CVE/list
Log:
Add fixing version for irssi

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 13:34:33 UTC (rev 57367)
+++ data/CVE/list   2017-11-06 16:34:00 UTC (rev 57368)
@@ -2317,17 +2317,17 @@
RESERVED
 CVE-2017-15723 (In Irssi before 1.0.5, overlong nicks or targets may result in 
a NULL ...)
{DSA-4016-1}
-   - irssi  (bug #879521)
+   - irssi 1.0.5-1 (bug #879521)
NOTE: https://irssi.org/security/irssi_sa_2017_10.txt
NOTE: 
https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1
 CVE-2017-15722 (In certain cases, Irssi before 1.0.5 may fail to verify that a 
Safe ...)
{DSA-4016-1}
-   - irssi  (bug #879521)
+   - irssi 1.0.5-1 (bug #879521)
NOTE: https://irssi.org/security/irssi_sa_2017_10.txt
NOTE: 
https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1
 CVE-2017-15721 (In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP 
messages ...)
{DSA-4016-1}
-   - irssi  (bug #879521)
+   - irssi 1.0.5-1 (bug #879521)
NOTE: https://irssi.org/security/irssi_sa_2017_10.txt
NOTE: 
https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1
 CVE-2017-15720
@@ -3552,12 +3552,12 @@
RESERVED
 CVE-2017-15228 (Irssi before 1.0.5, when installing themes with unterminated 
colour ...)
{DSA-4016-1}
-   - irssi  (bug #879521)
+   - irssi 1.0.5-1 (bug #879521)
NOTE: https://irssi.org/security/irssi_sa_2017_10.txt
NOTE: 
https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1
 CVE-2017-15227 (Irssi before 1.0.5, while waiting for the channel 
synchronisation, may ...)
{DSA-4016-1}
-   - irssi  (bug #879521)
+   - irssi 1.0.5-1 (bug #879521)
NOTE: https://irssi.org/security/irssi_sa_2017_10.txt
NOTE: 
https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1
 CVE-2017-15226 (Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection 
in the ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57367 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 13:34:33 + (Mon, 06 Nov 2017)
New Revision: 57367

Modified:
   data/CVE/list
Log:
Sync status for CVE-2017-15306/linux with kernel-sec

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 12:01:37 UTC (rev 57366)
+++ data/CVE/list   2017-11-06 13:34:33 UTC (rev 57367)
@@ -3302,6 +3302,8 @@
 CVE-2017-15306 [KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM]
RESERVED
- linux 
+   [jessie] - linux  (Vulnerable code introduced later)
+   [wheezy] - linux  (Vulnerable code introduced later)
NOTE: Fixed by: 
https://git.kernel.org/linus/ac64115a66c18c01745bbd3c47a36b124e5fd8c0 (4.14-rc7)
 CVE-2017-15305 (XSS exists in NexusPHP 1.5 via the keyword parameter to 
messages.php. ...)
NOT-FOR-US: NexusPHP


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57366 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 12:01:37 + (Mon, 06 Nov 2017)
New Revision: 57366

Modified:
   data/CVE/list
Log:
Add CVE-2017-15306/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:30:54 UTC (rev 57365)
+++ data/CVE/list   2017-11-06 12:01:37 UTC (rev 57366)
@@ -3299,8 +3299,10 @@
RESERVED
 CVE-2017-15307
RESERVED
-CVE-2017-15306
+CVE-2017-15306 [KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM]
RESERVED
+   - linux 
+   NOTE: Fixed by: 
https://git.kernel.org/linus/ac64115a66c18c01745bbd3c47a36b124e5fd8c0 (4.14-rc7)
 CVE-2017-15305 (XSS exists in NexusPHP 1.5 via the keyword parameter to 
messages.php. ...)
NOT-FOR-US: NexusPHP
 CVE-2017-15304 (/bin/login.php in the Web Panel on the Airtame HDMI dongle 
with ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57365 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 09:30:54 + (Mon, 06 Nov 2017)
New Revision: 57365

Modified:
   data/CVE/list
Log:
Add bug report for CVE-2017-16548/rsync, #880954

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:19:31 UTC (rev 57364)
+++ data/CVE/list   2017-11-06 09:30:54 UTC (rev 57365)
@@ -43,7 +43,7 @@
 CVE-2017-16549
RESERVED
 CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and ...)
-   - rsync 
+   - rsync  (bug #880954)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112
NOTE: 
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 
1.3.26 does ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57364 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 09:19:31 + (Mon, 06 Nov 2017)
New Revision: 57364

Modified:
   data/CVE/list
Log:
Process some NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:16:49 UTC (rev 57363)
+++ data/CVE/list   2017-11-06 09:19:31 UTC (rev 57364)
@@ -1,7 +1,7 @@
 CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF 
bypass by ...)
-   TODO: check
+   NOT-FOR-US: KeystoneJS
 CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 
via an ...)
-   TODO: check
+   NOT-FOR-US: Zurmo
 CVE-2017-16568
RESERVED
 CVE-2017-16567
@@ -116,7 +116,7 @@
 CVE-2017-16525 (The usb_serial_console_disconnect function in ...)
- linux 4.13.10-1
 CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from 
an ...)
-   TODO: check
+   NOT-FOR-US: Samsung SRN-1670D devices
 CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...)
NOT-FOR-US: MitraStar
 CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...)
@@ -4077,7 +4077,7 @@
 CVE-2017-15040
RESERVED
 CVE-2017-15039 (Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 
via a ...)
-   TODO: check
+   NOT-FOR-US: Zurmo
 CVE-2017-15038 (Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c 
in QEMU ...)
{DLA-1129-1 DLA-1128-1}
- qemu 1:2.10.0+dfsg-2 (bug #877890)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57363 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 09:16:49 + (Mon, 06 Nov 2017)
New Revision: 57363

Modified:
   data/CVE/list
Log:
Add one more graphicsmagick issue, CVE-2017-16545

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:15:49 UTC (rev 57362)
+++ data/CVE/list   2017-11-06 09:16:49 UTC (rev 57363)
@@ -56,7 +56,9 @@
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816
NOTE: https://github.com/ImageMagick/ImageMagick/issues/851
 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 
1.3.26 does ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/
 CVE-2017-16544
RESERVED
 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57362 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 09:15:49 + (Mon, 06 Nov 2017)
New Revision: 57362

Modified:
   data/CVE/list
Log:
Add CVE-2017-16546/imagemagick

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:13:35 UTC (rev 57361)
+++ data/CVE/list   2017-11-06 09:15:49 UTC (rev 57362)
@@ -51,7 +51,10 @@
NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/
 CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 
7.0.7-9 does ...)
-   TODO: check
+   - imagemagick 
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/2130bf6f89ded32ef0c88a11694f107c52566c53
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/851
 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 
1.3.26 does ...)
TODO: check
 CVE-2017-16544


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57360 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 09:13:21 + (Mon, 06 Nov 2017)
New Revision: 57360

Modified:
   data/CVE/list
Log:
add graphicsmagick issue, CVE-2017-16547

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:11:41 UTC (rev 57359)
+++ data/CVE/list   2017-11-06 09:13:21 UTC (rev 57360)
@@ -47,7 +47,9 @@
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112
NOTE: 
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 
1.3.26 does ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/
 CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 
7.0.7-9 does ...)
TODO: check
 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 
1.3.26 does ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57361 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 09:13:35 + (Mon, 06 Nov 2017)
New Revision: 57361

Modified:
   data/CVE/list
Log:
Cleanup trailing whitespaces

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:13:21 UTC (rev 57360)
+++ data/CVE/list   2017-11-06 09:13:35 UTC (rev 57361)
@@ -33774,7 +33774,7 @@
- irssi 0.8.21-1 (low)
[jessie] - irssi 0.8.17-1+deb8u3
[wheezy] - irssi  (Minor issue)
-   NOTE: 
https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d 
+   NOTE: 
https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
NOTE: 
https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html
NOTE: https://irssi.org/security/irssi_sa_2017_01.txt
 CVE-2017-5355


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57359 - data/CVE

2017-11-06 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-06 09:11:41 + (Mon, 06 Nov 2017)
New Revision: 57359

Modified:
   data/CVE/list
Log:
Add new rsync issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 09:10:22 UTC (rev 57358)
+++ data/CVE/list   2017-11-06 09:11:41 UTC (rev 57359)
@@ -43,7 +43,9 @@
 CVE-2017-16549
RESERVED
 CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and ...)
-   TODO: check
+   - rsync 
+   NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112
+   NOTE: 
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 
1.3.26 does ...)
TODO: check
 CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 
7.0.7-9 does ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57358 - data/CVE

2017-11-06 Thread security tracker role

Author: sectracker
Date: 2017-11-06 09:10:22 + (Mon, 06 Nov 2017)
New Revision: 57358

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 05:30:22 UTC (rev 57357)
+++ data/CVE/list   2017-11-06 09:10:22 UTC (rev 57358)
@@ -1,3 +1,55 @@
+CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF 
bypass by ...)
+   TODO: check
+CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 
via an ...)
+   TODO: check
+CVE-2017-16568
+   RESERVED
+CVE-2017-16567
+   RESERVED
+CVE-2017-16566
+   RESERVED
+CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage 
...)
+   TODO: check
+CVE-2017-16564 (Stored Cross-site scripting (XSS) vulnerability in 
/cgi-bin/config2 on ...)
+   TODO: check
+CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen 
on ...)
+   TODO: check
+CVE-2017-16562
+   RESERVED
+CVE-2017-16561
+   RESERVED
+CVE-2017-16560
+   RESERVED
+CVE-2017-16559
+   RESERVED
+CVE-2017-16558
+   RESERVED
+CVE-2017-16557
+   RESERVED
+CVE-2017-16556
+   RESERVED
+CVE-2017-16555
+   RESERVED
+CVE-2017-16554
+   RESERVED
+CVE-2017-16553
+   RESERVED
+CVE-2017-16552
+   RESERVED
+CVE-2017-16551
+   RESERVED
+CVE-2017-16550
+   RESERVED
+CVE-2017-16549
+   RESERVED
+CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and ...)
+   TODO: check
+CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 
1.3.26 does ...)
+   TODO: check
+CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 
7.0.7-9 does ...)
+   TODO: check
+CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 
1.3.26 does ...)
+   TODO: check
 CVE-2017-16544
RESERVED
 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via ...)
@@ -54,8 +106,8 @@
NOTE: Fixed by: 
https://git.kernel.org/linus/bbf26183b7a6236ba602f4d6a2f7cade35bba043
 CVE-2017-16525 (The usb_serial_console_disconnect function in ...)
- linux 4.13.10-1
-CVE-2017-16524
-   RESERVED
+CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from 
an ...)
+   TODO: check
 CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...)
NOT-FOR-US: MitraStar
 CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...)
@@ -3001,48 +3053,59 @@
RESERVED
 CVE-2017-15396
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
- libv8  (unimportant)
NOTE: libv8 not covered by security support
 CVE-2017-15395
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15394
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15393
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15392
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15391
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15390
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15389
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15388
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15387
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15386
RESERVED
+   {DSA-4020-1}
- chromium-browser 62.0.3202.75-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
 CVE-2017-15385 (The store_versioninfo_gnu_verdef function in 
libr/bin/format/elf/elf.c ...)
@@ -4004,8 +4067,8 @@
NOTE: 
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
 CVE-2017-15040
RESERVED
-CVE-2017-15039
-   RESERVED
+CVE-2017-15039 (Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 
via a ...)
+   TODO: check
 CVE-2017-15038 (Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c 
in QEMU ...)
{DLA-1129-1 DLA-1128-1}
- qemu 1:2.10.0+dfsg-2

37 matches

Mail list logo