[Secure-testing-commits] r57394 - data/CVE
Author: carnil Date: 2017-11-07 06:35:50 + (Tue, 07 Nov 2017) New Revision: 57394 Modified: data/CVE/list Log: Record two fixes for chromium-browser Modified: data/CVE/list === --- data/CVE/list 2017-11-07 06:23:05 UTC (rev 57393) +++ data/CVE/list 2017-11-07 06:35:50 UTC (rev 57394) @@ -3183,13 +3183,13 @@ RESERVED CVE-2017-15399 RESERVED - - chromium-browser + - chromium-browser 62.0.3202.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15398 RESERVED - - chromium-browser + - chromium-browser 62.0.3202.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15397 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57393 - data/CVE
Author: carnil Date: 2017-11-07 06:23:05 + (Tue, 07 Nov 2017) New Revision: 57393 Modified: data/CVE/list Log: Add CVE-2017-150102 information for jessie and wheezy Modified: data/CVE/list === --- data/CVE/list 2017-11-07 06:20:15 UTC (rev 57392) +++ data/CVE/list 2017-11-07 06:23:05 UTC (rev 57393) @@ -3995,6 +3995,8 @@ CVE-2017-15102 [NULL pointer dereference due to race condition in probe function of legousbtower driver] RESERVED - linux 4.7.8-1 + [jessie] - linux 3.16.43-1 + [wheezy] - linux 3.2.86-1 NOTE: Fixed by: https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1) CVE-2017-15101 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57392 - data/CVE
Author: carnil Date: 2017-11-07 06:20:15 + (Tue, 07 Nov 2017) New Revision: 57392 Modified: data/CVE/list Log: Add CVE-2017-15102/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-07 05:52:46 UTC (rev 57391) +++ data/CVE/list 2017-11-07 06:20:15 UTC (rev 57392) @@ -3992,8 +3992,10 @@ RESERVED CVE-2017-15103 RESERVED -CVE-2017-15102 +CVE-2017-15102 [NULL pointer dereference due to race condition in probe function of legousbtower driver] RESERVED + - linux 4.7.8-1 + NOTE: Fixed by: https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1) CVE-2017-15101 RESERVED CVE-2017-15100 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57390 - data/CVE
Author: carnil Date: 2017-11-07 05:52:36 + (Tue, 07 Nov 2017) New Revision: 57390 Modified: data/CVE/list Log: Slightly adjust ordering of entries Modified: data/CVE/list === --- data/CVE/list 2017-11-07 02:36:56 UTC (rev 57389) +++ data/CVE/list 2017-11-07 05:52:36 UTC (rev 57390) @@ -7175,9 +7175,9 @@ NOTE: https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305 CVE-2017-14060 (In ImageMagick 7.0.6-10, a NULL Pointer Dereference issue is present in ...) {DLA-1131-1} + - imagemagick (low; bug #878506) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) - - imagemagick (low; bug #878506) NOTE: https://github.com/ImageMagick/ImageMagick/issues/710 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c535e1f1a6b1faaa35e007df4fc535ec08daa97c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5bdfef29f5e6744f36f25ec04583c6b6f4a13b48 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57391 - data
Author: carnil Date: 2017-11-07 05:52:46 + (Tue, 07 Nov 2017) New Revision: 57391 Modified: data/dsa-needed.txt Log: Add wordpress to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-07 05:52:36 UTC (rev 57390) +++ data/dsa-needed.txt 2017-11-07 05:52:46 UTC (rev 57391) @@ -70,6 +70,8 @@ 2017-05-13: asked balint@ if he wants to prepare an update now 2017-07-28: re-ping balint@ -- +wordpress +-- xen -- zendframework/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57389 - data/CVE
Author: mgilbert Date: 2017-11-07 02:36:56 + (Tue, 07 Nov 2017) New Revision: 57389 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2017-11-06 22:07:48 UTC (rev 57388) +++ data/CVE/list 2017-11-07 02:36:56 UTC (rev 57389) @@ -133,11 +133,11 @@ CVE-2017-16566 RESERVED CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage ...) - TODO: check + NOT-FOR-US: Vonage CVE-2017-16564 (Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on ...) - TODO: check + NOT-FOR-US: Vonage CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen on ...) - TODO: check + NOT-FOR-US: Vonage CVE-2017-16562 RESERVED CVE-2017-16561 @@ -1417,7 +1417,7 @@ CVE-2017-16002 RESERVED CVE-2017-16001 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) - TODO: check + NOT-FOR-US: VMware CVE-2017-16000 (SQL injection vulnerability in the EyesOfNetwork web interface (aka ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15999 (In the NQ Contacts Backup Restore application 1.1 for Android, no ...) @@ -15392,7 +15392,7 @@ CVE-2017-11178 (In FineCMS through 2017-07-11, application/core/controller/style.php ...) NOT-FOR-US: FineCMS CVE-2017-11177 (TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict file ...) - TODO: check + NOT-FOR-US: TRITON CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does not set ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 @@ -15757,11 +15757,11 @@ CVE-2017-11123 RESERVED CVE-2017-11122 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2017-11121 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2017-11120 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2017-9 (The chk_mem_access function in cpu/nes6502/nes6502.c in libnosefart.a ...) - xine-lib-1.2 (it is built with --disable-nosefart) - xine-lib (it is built with --disable-nosefart) @@ -26909,7 +26909,7 @@ CVE-2017-7426 RESERVED CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager ...) - TODO: check + NOT-FOR-US: NetIQ CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro Focus ...) NOT-FOR-US: Micro Focus CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in esfadmingui in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57388 - data/CVE
Author: jmm Date: 2017-11-06 22:07:48 + (Mon, 06 Nov 2017) New Revision: 57388 Modified: data/CVE/list Log: one java issue apparently specific to Oracle Java koji no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-11-06 22:07:10 UTC (rev 57387) +++ data/CVE/list 2017-11-06 22:07:48 UTC (rev 57388) @@ -4106,6 +4106,7 @@ REJECTED CVE-2017-1002153 (Koji 1.13.0 does not properly validate SCM paths, allowing an attacker ...) - koji (bug #877921) + [stretch] - koji (Minor issue) NOTE: https://pagure.io/koji/issue/563 NOTE: https://pagure.io/koji/c/ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3 CVE-2017-1000257 (An IMAP FETCH response line indicates the size of the returned data, ...) @@ -18463,10 +18464,9 @@ - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10293 (Vulnerability in the Java SE component of Oracle Java SE ...) - - openjdk-8 8u151-b12-1 - - openjdk-7 - - openjdk-6 - [wheezy] - openjdk-6 + - openjdk-8 (Seems to be specific to Oracle Java) + - openjdk-7 (Seems to be specific to Oracle Java) + - openjdk-6 (Seems to be specific to Oracle Java) CVE-2017-10292 (Vulnerability in the RDBMS Security component of Oracle Database ...) NOT-FOR-US: Oracle CVE-2017-10291 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57387 - data
Author: jmm Date: 2017-11-06 22:07:10 + (Mon, 06 Nov 2017) New Revision: 57387 Modified: data/dsa-needed.txt Log: readd libav to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-06 22:00:09 UTC (rev 57386) +++ data/dsa-needed.txt 2017-11-06 22:07:10 UTC (rev 57387) @@ -19,6 +19,9 @@ jackson-databind For CVE-2017-15095 (see notes for missing commits) -- +libav/oldstable + We can ship the next libav 11.x point release when available +-- libreoffice/oldstable -- libvpx/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57386 - data/CVE
Author: jmm Date: 2017-11-06 22:00:09 + (Mon, 06 Nov 2017) New Revision: 57386 Modified: data/CVE/list Log: new chromium issues Modified: data/CVE/list === --- data/CVE/list 2017-11-06 21:56:27 UTC (rev 57385) +++ data/CVE/list 2017-11-06 22:00:09 UTC (rev 57386) @@ -3183,8 +3183,14 @@ RESERVED CVE-2017-15399 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) + - libv8 (unimportant) + NOTE: libv8 not covered by security support CVE-2017-15398 RESERVED + - chromium-browser + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15397 RESERVED CVE-2017-15396 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57385 - data/CVE
Author: jmm Date: 2017-11-06 21:56:27 + (Mon, 06 Nov 2017) New Revision: 57385 Modified: data/CVE/list Log: im triage Modified: data/CVE/list === --- data/CVE/list 2017-11-06 21:42:20 UTC (rev 57384) +++ data/CVE/list 2017-11-06 21:56:27 UTC (rev 57385) @@ -6129,6 +6129,8 @@ CVE-2017-14400 (In ImageMagick 7.0.7-1 Q16, the PersistPixelCache function in ...) {DLA-1131-1} - imagemagick (low; bug #878546) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/746 NOTE: im6 patch: https://github.com/ImageMagick/ImageMagick/commit/04b863f15effa4375e4ee42f413f0246062b48af NOTE: im6 patch: https://github.com/ImageMagick/ImageMagick/commit/44a55580ac8c01d8cff1e6e0063820af113f8591 @@ -6257,6 +6259,8 @@ CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in ...) {DLA-1131-1} - imagemagick (low; bug #876105) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/654 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 @@ -6513,6 +6517,8 @@ CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in ...) {DLA-1131-1} - imagemagick (low; bug #876099) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/708 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2071d67ebf729f76d73c33c1152df4816d1d79ac NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/66112b7a7b64f688efe6fec53a829874a74dea04 @@ -6728,23 +6734,31 @@ NOT-FOR-US: aacplusenc CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due ...) {DLA-1131-1} - - imagemagick (bug #875502) + - imagemagick (low; bug #875502) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/712 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56 CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ...) {DLA-1131-1} - - imagemagick (bug #875503) + - imagemagick (low; bug #875503) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/714 NOTE: https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64 CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, ...) {DLA-1131-1} - - imagemagick (bug #875504) + - imagemagick (low; bug #875504) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/713 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) {DLA-1131-1} - - imagemagick (bug #875506) + - imagemagick (low; bug #875506) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/715 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in ...) @@ -7154,7 +7168,9 @@ NOTE: https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305 CVE-2017-14060 (In ImageMagick 7.0.6-10, a NULL Pointer Dereference issue is present in ...) {DLA-1131-1} - - imagemagick (bug #878506) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) + - imagemagick (low; bug #878506) NOTE: https://github.com/ImageMagick/ImageMagick/issues/710 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c535e1f1a6b1faaa35e007df4fc535ec08daa97c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5bdfef29f5e6744f36f25ec04583c6b6f4a13b48 @@ -7797,6 +7813,8 @@ CVE-2017-13768 (Null Pointer Dereference in the IdentifyImage function in ...) {DLA-1131-1} - imagemagick
[Secure-testing-commits] r57384 - data
Author: apo Date: 2017-11-06 21:42:20 + (Mon, 06 Nov 2017) New Revision: 57384 Modified: data/dla-needed.txt Log: Claim mupdf in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-06 21:35:31 UTC (rev 57383) +++ data/dla-needed.txt 2017-11-06 21:42:20 UTC (rev 57384) @@ -63,7 +63,7 @@ NOTE: For CVE-2017-14409, https://security-tracker.debian.org/tracker/CVE-2017-9872 might be of interest, files are very similar NOTE: adapting/writing patches seems to be very time consuming, mp3gain is dead upstream so this might be a candidate for no-dsa -- Hugo Lefeuvre -- -mupdf +mupdf (Markus Koschany) NOTE: signedness checks in xps_read_zip_dir are missing (CVE-2017-14686) NOTE: and xml_tag doesn't do a NULL check (CVE-2017-14687) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57383 - data/DLA
Author: lamby Date: 2017-11-06 21:35:31 + (Mon, 06 Nov 2017) New Revision: 57383 Modified: data/DLA/list Log: Reserve DLA-1163-1 for apr-util/CVE-2017-12618 Modified: data/DLA/list === --- data/DLA/list 2017-11-06 21:10:16 UTC (rev 57382) +++ data/DLA/list 2017-11-06 21:35:31 UTC (rev 57383) @@ -1,3 +1,6 @@ +[06 Nov 2017] DLA-1163-1 apr-util - security update + {CVE-2017-12618} + [wheezy] - apr-util 1.4.1-3+deb7u1 [06 Nov 2017] DLA-1162-1 apr - security update {CVE-2017-12613} [wheezy] - apr 1.4.6-3+deb7u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57382 - data/CVE
Author: sectracker Date: 2017-11-06 21:10:16 + (Mon, 06 Nov 2017) New Revision: 57382 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-06 20:53:43 UTC (rev 57381) +++ data/CVE/list 2017-11-06 21:10:16 UTC (rev 57382) @@ -1,3 +1,127 @@ +CVE-2017-16632 + RESERVED +CVE-2017-16631 + RESERVED +CVE-2017-16630 + RESERVED +CVE-2017-16629 + RESERVED +CVE-2017-16628 + RESERVED +CVE-2017-16627 + RESERVED +CVE-2017-16626 + RESERVED +CVE-2017-16625 + RESERVED +CVE-2017-16624 + RESERVED +CVE-2017-16623 + RESERVED +CVE-2017-16622 + RESERVED +CVE-2017-16621 + RESERVED +CVE-2017-16620 + RESERVED +CVE-2017-16619 + RESERVED +CVE-2017-16618 + RESERVED +CVE-2017-16617 + RESERVED +CVE-2017-16616 + RESERVED +CVE-2017-16615 + RESERVED +CVE-2017-16614 + RESERVED +CVE-2017-16613 + RESERVED +CVE-2017-16612 + RESERVED +CVE-2017-16611 + RESERVED +CVE-2017-16610 + RESERVED +CVE-2017-16609 + RESERVED +CVE-2017-16608 + RESERVED +CVE-2017-16607 + RESERVED +CVE-2017-16606 + RESERVED +CVE-2017-16605 + RESERVED +CVE-2017-16604 + RESERVED +CVE-2017-16603 + RESERVED +CVE-2017-16602 + RESERVED +CVE-2017-16601 + RESERVED +CVE-2017-16600 + RESERVED +CVE-2017-16599 + RESERVED +CVE-2017-16598 + RESERVED +CVE-2017-16597 + RESERVED +CVE-2017-16596 + RESERVED +CVE-2017-16595 + RESERVED +CVE-2017-16594 + RESERVED +CVE-2017-16593 + RESERVED +CVE-2017-16592 + RESERVED +CVE-2017-16591 + RESERVED +CVE-2017-16590 + RESERVED +CVE-2017-16589 + RESERVED +CVE-2017-16588 + RESERVED +CVE-2017-16587 + RESERVED +CVE-2017-16586 + RESERVED +CVE-2017-16585 + RESERVED +CVE-2017-16584 + RESERVED +CVE-2017-16583 + RESERVED +CVE-2017-16582 + RESERVED +CVE-2017-16581 + RESERVED +CVE-2017-16580 + RESERVED +CVE-2017-16579 + RESERVED +CVE-2017-16578 + RESERVED +CVE-2017-16577 + RESERVED +CVE-2017-16576 + RESERVED +CVE-2017-16575 + RESERVED +CVE-2017-16574 + RESERVED +CVE-2017-16573 + RESERVED +CVE-2017-16572 + RESERVED +CVE-2017-16571 + RESERVED CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by ...) NOT-FOR-US: KeystoneJS CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an ...) @@ -1292,8 +1416,8 @@ RESERVED CVE-2017-16002 RESERVED -CVE-2017-16001 - RESERVED +CVE-2017-16001 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) + TODO: check CVE-2017-16000 (SQL injection vulnerability in the EyesOfNetwork web interface (aka ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15999 (In the NQ Contacts Backup Restore application 1.1 for Android, no ...) @@ -2436,8 +2560,7 @@ RESERVED CVE-2017-15673 RESERVED -CVE-2017-15672 - RESERVED +CVE-2017-15672 (The read_header function in libavcodec/ffv1dec.c in FFmpeg 3.3.4 and ...) - ffmpeg [stretch] - ffmpeg (Wait until next round of security releases) - libav @@ -3303,8 +3426,7 @@ RESERVED CVE-2017-15307 RESERVED -CVE-2017-15306 [KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM] - RESERVED +CVE-2017-15306 (The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c ...) - linux [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) @@ -11307,6 +11429,7 @@ CVE-2017-12614 RESERVED CVE-2017-12613 (When apr_exp_time*() or apr_os_exp_time*() functions are invoked with ...) + {DLA-1162-1} - apr 1.6.3-1 (low; bug #879708) [stretch] - apr (Minor issue) [jessie] - apr (Minor issue) @@ -15205,8 +15328,8 @@ NOT-FOR-US: FineCMS CVE-2017-11178 (In FineCMS through 2017-07-11, application/core/controller/style.php ...) NOT-FOR-US: FineCMS -CVE-2017-11177 - RESERVED +CVE-2017-11177 (TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict file ...) + TODO: check CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does not set ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 @@ -26723,8 +26846,8 @@ RESERVED CVE-2017-7426 RESERVED -CVE-2017-7425 - RESERVED +CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager ...) + TODO: check CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro Focus ...) NOT-FOR-US: Micro Focus CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in esfadmingui in ...) @@ -80803,8 +80926,7 @@
[Secure-testing-commits] r57381 - data/CVE
Author: opal Date: 2017-11-06 20:53:43 + (Mon, 06 Nov 2017) New Revision: 57381 Modified: data/CVE/list Log: Note fix. Modified: data/CVE/list === --- data/CVE/list 2017-11-06 20:51:28 UTC (rev 57380) +++ data/CVE/list 2017-11-06 20:53:43 UTC (rev 57381) @@ -57,12 +57,12 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/851 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does ...) - graphicsmagick 1.3.26-18 + [wheezy] - graphicsmagick (Not possible to trigger with presented test case) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/ NOTE: The wheezy version gives an assert before the vulnerability can be triggered. Due to this NOTE: the severity of the wheezy version is low even though the vulnerable code is still present. NOTE: The patch is trivial so it may be worth fixing in combination with some other fix. - [wheezy] - graphicsmagick (Not possible to trigger with presented test case) CVE-2017-16544 RESERVED CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection via ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57380 - in data: . DLA
Author: lamby Date: 2017-11-06 20:51:28 + (Mon, 06 Nov 2017) New Revision: 57380 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1162-1 for apr/CVE-2017-12613. Modified: data/DLA/list === --- data/DLA/list 2017-11-06 20:48:26 UTC (rev 57379) +++ data/DLA/list 2017-11-06 20:51:28 UTC (rev 57380) @@ -1,3 +1,6 @@ +[06 Nov 2017] DLA-1162-1 apr - security update + {CVE-2017-12613} + [wheezy] - apr 1.4.6-3+deb7u2 [05 Nov 2017] DLA-1161-1 redis - security update {CVE-2016-10517} [wheezy] - redis 2:2.4.14-1+deb7u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-06 20:48:26 UTC (rev 57379) +++ data/dla-needed.txt 2017-11-06 20:51:28 UTC (rev 57380) @@ -10,10 +10,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -apr (Chris Lamb) --- -apr-util (Chris Lamb) --- ca-certificates NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org NOTE: 20171013: anarcat pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57379 - data
Author: opal Date: 2017-11-06 20:48:26 + (Mon, 06 Nov 2017) New Revision: 57379 Modified: data/dla-needed.txt Log: Triaging. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-06 20:36:58 UTC (rev 57378) +++ data/dla-needed.txt 2017-11-06 20:48:26 UTC (rev 57379) @@ -20,6 +20,8 @@ -- graphicsmagick -- +imagemagick +-- irssi (Rhonda D'Vine) -- jasperreports ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57378 - in data: . CVE
Author: opal Date: 2017-11-06 20:36:58 + (Mon, 06 Nov 2017) New Revision: 57378 Modified: data/CVE/list data/dla-needed.txt Log: Triaging graphicsmagick. Modified: data/CVE/list === --- data/CVE/list 2017-11-06 20:03:20 UTC (rev 57377) +++ data/CVE/list 2017-11-06 20:36:58 UTC (rev 57378) @@ -59,6 +59,10 @@ - graphicsmagick 1.3.26-18 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/ + NOTE: The wheezy version gives an assert before the vulnerability can be triggered. Due to this + NOTE: the severity of the wheezy version is low even though the vulnerable code is still present. + NOTE: The patch is trivial so it may be worth fixing in combination with some other fix. + [wheezy] - graphicsmagick (Not possible to trigger with presented test case) CVE-2017-16544 RESERVED CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection via ...) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-06 20:03:20 UTC (rev 57377) +++ data/dla-needed.txt 2017-11-06 20:36:58 UTC (rev 57378) @@ -18,6 +18,8 @@ NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org NOTE: 20171013: anarcat pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at -- +graphicsmagick +-- irssi (Rhonda D'Vine) -- jasperreports ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57377 - data/CVE
Author: carnil Date: 2017-11-06 20:03:20 + (Mon, 06 Nov 2017) New Revision: 57377 Modified: data/CVE/list Log: Update CVE-2017-16541 needs a check if this is actually a firefox vulnerablity or if the CVE is specific to the Tor Browser. Modified: data/CVE/list === --- data/CVE/list 2017-11-06 19:54:35 UTC (rev 57376) +++ data/CVE/list 2017-11-06 20:03:20 UTC (rev 57377) @@ -66,7 +66,7 @@ CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 allows Post-authentication ...) NOT-FOR-US: Zoho CVE-2017-16541 (Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to ...) - NOT-FOR-US: Zoho + TODO: check CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database ...) NOT-FOR-US: OpenEMR CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57375 - data
Author: carnil Date: 2017-11-06 19:54:34 + (Mon, 06 Nov 2017) New Revision: 57375 Modified: data/dsa-needed.txt Log: Add note for ruby2.3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-06 19:37:21 UTC (rev 57374) +++ data/dsa-needed.txt 2017-11-06 19:54:34 UTC (rev 57375) @@ -48,6 +48,7 @@ -- ruby2.3 Maintainer (terceiro) proposed update, needs review and ack + Upload reviewed and acked to be uploaded (including additional change) -- salt -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57376 - data
Author: carnil Date: 2017-11-06 19:54:35 + (Mon, 06 Nov 2017) New Revision: 57376 Modified: data/dsa-needed.txt Log: Add slurm-llnl to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-06 19:54:34 UTC (rev 57375) +++ data/dsa-needed.txt 2017-11-06 19:54:35 UTC (rev 57376) @@ -54,6 +54,9 @@ -- simplesamlphp -- +slurm-llnl + Maintainer proposed debdiff, asked questions back but basically ok to upload +-- tiff wait until more issues are around -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57374 - data/CVE
Author: carnil Date: 2017-11-06 19:37:21 + (Mon, 06 Nov 2017) New Revision: 57374 Modified: data/CVE/list Log: Add fixing version for CVE-2017-12613 Modified: data/CVE/list === --- data/CVE/list 2017-11-06 19:36:10 UTC (rev 57373) +++ data/CVE/list 2017-11-06 19:37:21 UTC (rev 57374) @@ -11303,7 +11303,7 @@ CVE-2017-12614 RESERVED CVE-2017-12613 (When apr_exp_time*() or apr_os_exp_time*() functions are invoked with ...) - - apr (low; bug #879708) + - apr 1.6.3-1 (low; bug #879708) [stretch] - apr (Minor issue) [jessie] - apr (Minor issue) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57373 - data/CVE
Author: carnil Date: 2017-11-06 19:36:10 + (Mon, 06 Nov 2017) New Revision: 57373 Modified: data/CVE/list Log: Add fixing version for CVE-2017-12618/apr-util Modified: data/CVE/list === --- data/CVE/list 2017-11-06 18:07:03 UTC (rev 57372) +++ data/CVE/list 2017-11-06 19:36:10 UTC (rev 57373) @@ -11273,7 +11273,7 @@ CVE-2017-12619 RESERVED CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to ...) - - apr-util (low; bug #879996) + - apr-util 1.6.1-1 (low; bug #879996) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E NOTE: https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57372 - data/CVE
Author: gcs Date: 2017-11-06 18:07:03 + (Mon, 06 Nov 2017) New Revision: 57372 Modified: data/CVE/list Log: Add CVE-2017-1654[57]/graphicsmagick fixed version in unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-06 17:14:06 UTC (rev 57371) +++ data/CVE/list 2017-11-06 18:07:03 UTC (rev 57372) @@ -47,7 +47,7 @@ NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112 NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does ...) - - graphicsmagick + - graphicsmagick 1.3.26-18 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/ CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) @@ -56,7 +56,7 @@ NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816 NOTE: https://github.com/ImageMagick/ImageMagick/issues/851 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does ...) - - graphicsmagick + - graphicsmagick 1.3.26-18 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/ CVE-2017-16544 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57371 - data/CVE
Author: jmm Date: 2017-11-06 17:14:06 + (Mon, 06 Nov 2017) New Revision: 57371 Modified: data/CVE/list Log: bchunk fixed Modified: data/CVE/list === --- data/CVE/list 2017-11-06 16:37:55 UTC (rev 57370) +++ data/CVE/list 2017-11-06 17:14:06 UTC (rev 57371) @@ -1782,15 +1782,15 @@ NOT-FOR-US: ConverTo Video Downloader CVE-2017-15955 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an ...) {DLA-1158-1} - - bchunk (bug #880116) + - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/4 CVE-2017-15954 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a ...) {DLA-1158-1} - - bchunk (bug #880116) + - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/3 CVE-2017-15953 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a ...) {DLA-1158-1} - - bchunk (bug #880116) + - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/2 CVE-2017-15952 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57370 - data/CVE
Author: carnil Date: 2017-11-06 16:37:55 + (Mon, 06 Nov 2017) New Revision: 57370 Modified: data/CVE/list Log: Revert "GlusterFS issue fixed in unstable" Further investigation shows that the issue is not fixed. This reverts commit 700477017731d49a8df2cb0f224e28555466482c. Modified: data/CVE/list === --- data/CVE/list 2017-11-06 16:36:07 UTC (rev 57369) +++ data/CVE/list 2017-11-06 16:37:55 UTC (rev 57370) @@ -3874,7 +3874,7 @@ CVE-2017-15097 RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) - - glusterfs 3.12.2-1 (bug #880017) + - glusterfs (bug #880017) [stretch] - glusterfs (Vulnerable code introduced later) [jessie] - glusterfs (Vulnerable code introduced later) [wheezy] - glusterfs (Vulnerable code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57369 - data/CVE
Author: carnil Date: 2017-11-06 16:36:07 + (Mon, 06 Nov 2017) New Revision: 57369 Modified: data/CVE/list Log: GlusterFS issue fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-06 16:34:00 UTC (rev 57368) +++ data/CVE/list 2017-11-06 16:36:07 UTC (rev 57369) @@ -3874,7 +3874,7 @@ CVE-2017-15097 RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) - - glusterfs (bug #880017) + - glusterfs 3.12.2-1 (bug #880017) [stretch] - glusterfs (Vulnerable code introduced later) [jessie] - glusterfs (Vulnerable code introduced later) [wheezy] - glusterfs (Vulnerable code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57368 - data/CVE
Author: carnil Date: 2017-11-06 16:34:00 + (Mon, 06 Nov 2017) New Revision: 57368 Modified: data/CVE/list Log: Add fixing version for irssi Modified: data/CVE/list === --- data/CVE/list 2017-11-06 13:34:33 UTC (rev 57367) +++ data/CVE/list 2017-11-06 16:34:00 UTC (rev 57368) @@ -2317,17 +2317,17 @@ RESERVED CVE-2017-15723 (In Irssi before 1.0.5, overlong nicks or targets may result in a NULL ...) {DSA-4016-1} - - irssi (bug #879521) + - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15722 (In certain cases, Irssi before 1.0.5 may fail to verify that a Safe ...) {DSA-4016-1} - - irssi (bug #879521) + - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15721 (In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages ...) {DSA-4016-1} - - irssi (bug #879521) + - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15720 @@ -3552,12 +3552,12 @@ RESERVED CVE-2017-15228 (Irssi before 1.0.5, when installing themes with unterminated colour ...) {DSA-4016-1} - - irssi (bug #879521) + - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15227 (Irssi before 1.0.5, while waiting for the channel synchronisation, may ...) {DSA-4016-1} - - irssi (bug #879521) + - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15226 (Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57367 - data/CVE
Author: carnil Date: 2017-11-06 13:34:33 + (Mon, 06 Nov 2017) New Revision: 57367 Modified: data/CVE/list Log: Sync status for CVE-2017-15306/linux with kernel-sec Modified: data/CVE/list === --- data/CVE/list 2017-11-06 12:01:37 UTC (rev 57366) +++ data/CVE/list 2017-11-06 13:34:33 UTC (rev 57367) @@ -3302,6 +3302,8 @@ CVE-2017-15306 [KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM] RESERVED - linux + [jessie] - linux (Vulnerable code introduced later) + [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/ac64115a66c18c01745bbd3c47a36b124e5fd8c0 (4.14-rc7) CVE-2017-15305 (XSS exists in NexusPHP 1.5 via the keyword parameter to messages.php. ...) NOT-FOR-US: NexusPHP ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57366 - data/CVE
Author: carnil Date: 2017-11-06 12:01:37 + (Mon, 06 Nov 2017) New Revision: 57366 Modified: data/CVE/list Log: Add CVE-2017-15306/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:30:54 UTC (rev 57365) +++ data/CVE/list 2017-11-06 12:01:37 UTC (rev 57366) @@ -3299,8 +3299,10 @@ RESERVED CVE-2017-15307 RESERVED -CVE-2017-15306 +CVE-2017-15306 [KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM] RESERVED + - linux + NOTE: Fixed by: https://git.kernel.org/linus/ac64115a66c18c01745bbd3c47a36b124e5fd8c0 (4.14-rc7) CVE-2017-15305 (XSS exists in NexusPHP 1.5 via the keyword parameter to messages.php. ...) NOT-FOR-US: NexusPHP CVE-2017-15304 (/bin/login.php in the Web Panel on the Airtame HDMI dongle with ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57365 - data/CVE
Author: carnil Date: 2017-11-06 09:30:54 + (Mon, 06 Nov 2017) New Revision: 57365 Modified: data/CVE/list Log: Add bug report for CVE-2017-16548/rsync, #880954 Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:19:31 UTC (rev 57364) +++ data/CVE/list 2017-11-06 09:30:54 UTC (rev 57365) @@ -43,7 +43,7 @@ CVE-2017-16549 RESERVED CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and ...) - - rsync + - rsync (bug #880954) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112 NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57364 - data/CVE
Author: carnil Date: 2017-11-06 09:19:31 + (Mon, 06 Nov 2017) New Revision: 57364 Modified: data/CVE/list Log: Process some NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:16:49 UTC (rev 57363) +++ data/CVE/list 2017-11-06 09:19:31 UTC (rev 57364) @@ -1,7 +1,7 @@ CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by ...) - TODO: check + NOT-FOR-US: KeystoneJS CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an ...) - TODO: check + NOT-FOR-US: Zurmo CVE-2017-16568 RESERVED CVE-2017-16567 @@ -116,7 +116,7 @@ CVE-2017-16525 (The usb_serial_console_disconnect function in ...) - linux 4.13.10-1 CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an ...) - TODO: check + NOT-FOR-US: Samsung SRN-1670D devices CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) NOT-FOR-US: MitraStar CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) @@ -4077,7 +4077,7 @@ CVE-2017-15040 RESERVED CVE-2017-15039 (Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a ...) - TODO: check + NOT-FOR-US: Zurmo CVE-2017-15038 (Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU ...) {DLA-1129-1 DLA-1128-1} - qemu 1:2.10.0+dfsg-2 (bug #877890) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57363 - data/CVE
Author: carnil Date: 2017-11-06 09:16:49 + (Mon, 06 Nov 2017) New Revision: 57363 Modified: data/CVE/list Log: Add one more graphicsmagick issue, CVE-2017-16545 Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:15:49 UTC (rev 57362) +++ data/CVE/list 2017-11-06 09:16:49 UTC (rev 57363) @@ -56,7 +56,9 @@ NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816 NOTE: https://github.com/ImageMagick/ImageMagick/issues/851 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does ...) - TODO: check + - graphicsmagick + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/ CVE-2017-16544 RESERVED CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection via ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57362 - data/CVE
Author: carnil Date: 2017-11-06 09:15:49 + (Mon, 06 Nov 2017) New Revision: 57362 Modified: data/CVE/list Log: Add CVE-2017-16546/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:13:35 UTC (rev 57361) +++ data/CVE/list 2017-11-06 09:15:49 UTC (rev 57362) @@ -51,7 +51,10 @@ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/ CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/commit/2130bf6f89ded32ef0c88a11694f107c52566c53 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816 + NOTE: https://github.com/ImageMagick/ImageMagick/issues/851 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does ...) TODO: check CVE-2017-16544 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57360 - data/CVE
Author: carnil Date: 2017-11-06 09:13:21 + (Mon, 06 Nov 2017) New Revision: 57360 Modified: data/CVE/list Log: add graphicsmagick issue, CVE-2017-16547 Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:11:41 UTC (rev 57359) +++ data/CVE/list 2017-11-06 09:13:21 UTC (rev 57360) @@ -47,7 +47,9 @@ NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112 NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does ...) - TODO: check + - graphicsmagick + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/ CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) TODO: check CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57361 - data/CVE
Author: carnil Date: 2017-11-06 09:13:35 + (Mon, 06 Nov 2017) New Revision: 57361 Modified: data/CVE/list Log: Cleanup trailing whitespaces Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:13:21 UTC (rev 57360) +++ data/CVE/list 2017-11-06 09:13:35 UTC (rev 57361) @@ -33774,7 +33774,7 @@ - irssi 0.8.21-1 (low) [jessie] - irssi 0.8.17-1+deb8u3 [wheezy] - irssi (Minor issue) - NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d + NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5355 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57359 - data/CVE
Author: carnil Date: 2017-11-06 09:11:41 + (Mon, 06 Nov 2017) New Revision: 57359 Modified: data/CVE/list Log: Add new rsync issue Modified: data/CVE/list === --- data/CVE/list 2017-11-06 09:10:22 UTC (rev 57358) +++ data/CVE/list 2017-11-06 09:11:41 UTC (rev 57359) @@ -43,7 +43,9 @@ CVE-2017-16549 RESERVED CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and ...) - TODO: check + - rsync + NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112 + NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does ...) TODO: check CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57358 - data/CVE
Author: sectracker Date: 2017-11-06 09:10:22 + (Mon, 06 Nov 2017) New Revision: 57358 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-06 05:30:22 UTC (rev 57357) +++ data/CVE/list 2017-11-06 09:10:22 UTC (rev 57358) @@ -1,3 +1,55 @@ +CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by ...) + TODO: check +CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an ...) + TODO: check +CVE-2017-16568 + RESERVED +CVE-2017-16567 + RESERVED +CVE-2017-16566 + RESERVED +CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage ...) + TODO: check +CVE-2017-16564 (Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on ...) + TODO: check +CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen on ...) + TODO: check +CVE-2017-16562 + RESERVED +CVE-2017-16561 + RESERVED +CVE-2017-16560 + RESERVED +CVE-2017-16559 + RESERVED +CVE-2017-16558 + RESERVED +CVE-2017-16557 + RESERVED +CVE-2017-16556 + RESERVED +CVE-2017-16555 + RESERVED +CVE-2017-16554 + RESERVED +CVE-2017-16553 + RESERVED +CVE-2017-16552 + RESERVED +CVE-2017-16551 + RESERVED +CVE-2017-16550 + RESERVED +CVE-2017-16549 + RESERVED +CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and ...) + TODO: check +CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does ...) + TODO: check +CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) + TODO: check +CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does ...) + TODO: check CVE-2017-16544 RESERVED CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection via ...) @@ -54,8 +106,8 @@ NOTE: Fixed by: https://git.kernel.org/linus/bbf26183b7a6236ba602f4d6a2f7cade35bba043 CVE-2017-16525 (The usb_serial_console_disconnect function in ...) - linux 4.13.10-1 -CVE-2017-16524 - RESERVED +CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an ...) + TODO: check CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) NOT-FOR-US: MitraStar CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ...) @@ -3001,48 +3053,59 @@ RESERVED CVE-2017-15396 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15395 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15394 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15393 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15392 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15391 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15390 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15389 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15388 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15387 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15386 RESERVED + {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15385 (The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c ...) @@ -4004,8 +4067,8 @@ NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15040 RESERVED -CVE-2017-15039 - RESERVED +CVE-2017-15039 (Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a ...) + TODO: check CVE-2017-15038 (Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU ...) {DLA-1129-1 DLA-1128-1} - qemu 1:2.10.0+dfsg-2