[Secure-testing-commits] r57483 - data/CVE
Author: carnil Date: 2017-11-09 07:26:10 + (Thu, 09 Nov 2017) New Revision: 57483 Modified: data/CVE/list Log: Mark mariadb-10.0 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-11-09 07:26:00 UTC (rev 57482) +++ data/CVE/list 2017-11-09 07:26:10 UTC (rev 57483) @@ -18356,6 +18356,7 @@ CVE-2017-10378 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-4002-1 DLA-1141-1} - mariadb-10.0 + [jessie] - mariadb-10.0 (Minor issue) - mysql-5.7 (Fixed before initial release to Debian, upstream 5.7.12) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL @@ -18672,6 +18673,7 @@ CVE-2017-10268 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-4002-1 DLA-1141-1} - mariadb-10.0 + [jessie] - mariadb-10.0 (Minor issue) - mysql-5.7 (bug #878398) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
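Review bot: the new `[jessie] - mariadb-10.0 (Minor issue)` lines in both hunks sit under a top-level `- mariadb-10.0` entry that still carries no fixed version, so unstable stays listed as open for CVE-2017-10378 and CVE-2017-10268 even though the DSA-4002-1 and DLA-1141-1 references are already attached; if a fixing 10.0.x upload exists, record it on that line, otherwise a NOTE saying why no version is listed would save the next triager a lookup.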
[Secure-testing-commits] r57482 - data
Author: carnil Date: 2017-11-09 07:26:00 + (Thu, 09 Nov 2017) New Revision: 57482 Modified: data/dsa-needed.txt Log: Take roundcube from dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-09 06:39:31 UTC (rev 57481) +++ data/dsa-needed.txt 2017-11-09 07:26:00 UTC (rev 57482) @@ -54,7 +54,7 @@ Maintainer (terceiro) proposed update, needs review and ack Upload reviewed and acked to be uploaded (including additional change) -- -roundcube/stable +roundcube/stable (carnil) -- salt -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
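Review bot: the log message "Take roundcube from dsa-needed list" reads as if the entry were being removed, but the hunk only turns `roundcube/stable` into `roundcube/stable (carnil)`, i.e. it claims the item; a log line such as "Claim roundcube/stable" would match what the diff does for anyone reading history alone.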
[Secure-testing-commits] r57481 - data
Author: carnil Date: 2017-11-09 06:39:31 + (Thu, 09 Nov 2017) New Revision: 57481 Modified: data/dsa-needed.txt Log: Add roundcube for stretch Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-09 06:39:28 UTC (rev 57480) +++ data/dsa-needed.txt 2017-11-09 06:39:31 UTC (rev 57481) @@ -54,6 +54,8 @@ Maintainer (terceiro) proposed update, needs review and ack Upload reviewed and acked to be uploaded (including additional change) -- +roundcube/stable +-- salt -- simplesamlphp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
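Review bot: the added `roundcube/stable` block has no explanatory line, unlike its neighbour which carries "Maintainer (terceiro) proposed update, needs review and ack"; a one-line note naming CVE-2017-16651 and the 1.3.3+dfsg.1-1 fix in unstable would let whoever picks this up start from the right entry.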
[Secure-testing-commits] r57480 - data/CVE
Author: carnil Date: 2017-11-09 06:39:28 + (Thu, 09 Nov 2017) New Revision: 57480 Modified: data/CVE/list Log: Add commit for release-1.2 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 06:25:15 UTC (rev 57479) +++ data/CVE/list 2017-11-09 06:39:28 UTC (rev 57480) @@ -37,6 +37,7 @@ - roundcube 1.3.3+dfsg.1-1 NOTE: master: https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d NOTE: release-1.3: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 + NOTE: release-1.2: https://github.com/roundcube/roundcubemail/commit/9be2224c779d7abc7b29eea2b83a8a3671c543e0 NOTE: https://github.com/roundcube/roundcubemail/issues/6026 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
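Review bot: with commits for master, release-1.3 and now release-1.2 recorded but only the unstable version `1.3.3+dfsg.1-1` on the package line, the entry still says nothing about which stable suites are affected; since roundcube/stable was put on dsa-needed in r57481, a `[stretch] - roundcube` status line (and whatever applies to jessie) would make the tracker state match the queue, and the release-1.2 reference would then be visibly tied to the suite it is meant for.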
[Secure-testing-commits] r57479 - data/CVE
Author: carnil Date: 2017-11-09 06:25:15 + (Thu, 09 Nov 2017) New Revision: 57479 Modified: data/CVE/list Log: Add CVE-2017-8028/libspring-ldap-java Modified: data/CVE/list === --- data/CVE/list 2017-11-09 06:20:47 UTC (rev 57478) +++ data/CVE/list 2017-11-09 06:25:15 UTC (rev 57479) @@ -24685,6 +24685,9 @@ RESERVED CVE-2017-8028 RESERVED + - libspring-ldap-java + NOTE: https://pivotal.io/security/cve-2017-8028 + NOTE: https://github.com/spring-projects/spring-ldap/issues/430 CVE-2017-8027 RESERVED CVE-2017-8026 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
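Review bot: the libspring-ldap-java entry is added under a bare RESERVED line with no bracketed summary, no fixed version and no Debian bug reference, so the two NOTE URLs are the only hint of what the issue is; other entries on this page put a `[short description]` after the CVE id (cf. CVE-2017-16651), and adding one here, plus a `(bug #...)` once filed, keeps a RESERVED entry searchable.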
[Secure-testing-commits] r57478 - data/CVE
Author: carnil Date: 2017-11-09 06:20:47 + (Thu, 09 Nov 2017) New Revision: 57478 Modified: data/CVE/list Log: Add note for CVE-2017-16541 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 06:17:32 UTC (rev 57477) +++ data/CVE/list 2017-11-09 06:20:47 UTC (rev 57478) @@ -290,7 +290,9 @@ CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 allows Post-authentication ...) NOT-FOR-US: Zoho CVE-2017-16541 (Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to ...) - TODO: check + NOTE: https://trac.torproject.org/projects/tor/ticket/24052 + NOTE: https://blog.torproject.org/tor-browser-709-released + TODO: check, this is possibly just specific to the Tor Browser Bundle assigned CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database ...) NOT-FOR-US: OpenEMR CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
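Review bot: the reworded TODO says the issue is "possibly just specific to the Tor Browser Bundle", which if confirmed resolves to the `NOT-FOR-US:` form used elsewhere in this file; the open question worth writing into the TODO is whether the Debian tor packages share the affected code path, so the next person can close it with one check rather than re-deriving the context from the two linked URLs.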
[Secure-testing-commits] r57477 - data/CVE
Author: carnil Date: 2017-11-09 06:17:32 + (Thu, 09 Nov 2017) New Revision: 57477 Modified: data/CVE/list Log: roundcube fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-09 06:14:42 UTC (rev 57476) +++ data/CVE/list 2017-11-09 06:17:32 UTC (rev 57477) @@ -34,7 +34,7 @@ RESERVED CVE-2017-16651 [file disclosure vulnerabliity] RESERVED - - roundcube + - roundcube 1.3.3+dfsg.1-1 NOTE: master: https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d NOTE: release-1.3: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 NOTE: https://github.com/roundcube/roundcubemail/issues/6026 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
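Review bot: the fixed version `1.3.3+dfsg.1-1` is recorded without a `(bug #...)` reference, unlike the backintime and ruby-yajl entries on this page; if a Debian bug was filed for the roundcube fix, adding it here links the tracker entry to the upload history.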
[Secure-testing-commits] r57476 - data/CVE
Author: carnil Date: 2017-11-09 06:14:42 + (Thu, 09 Nov 2017) New Revision: 57476 Modified: data/CVE/list Log: Add description and commit references for master Modified: data/CVE/list === --- data/CVE/list 2017-11-09 06:12:45 UTC (rev 57475) +++ data/CVE/list 2017-11-09 06:14:42 UTC (rev 57476) @@ -32,10 +32,11 @@ RESERVED CVE-2017-16652 RESERVED -CVE-2017-16651 +CVE-2017-16651 [file disclosure vulnerabliity] RESERVED - roundcube - NOTE: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 + NOTE: master: https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d + NOTE: release-1.3: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 NOTE: https://github.com/roundcube/roundcubemail/issues/6026 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
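Review bot: the new bracketed summary spells it `vulnerabliity`; this text shows up in the tracker UI and in searches, so it should read `[file disclosure vulnerability]`. Splitting the NOTE into `master:` and `release-1.3:` commits is the right correction to the previous entry, which cited the release-branch commit without saying so.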
[Secure-testing-commits] r57475 - data/CVE
Author: carnil Date: 2017-11-09 06:12:45 + (Thu, 09 Nov 2017) New Revision: 57475 Modified: data/CVE/list Log: Add CVE-2017-16651/roundcube Modified: data/CVE/list === --- data/CVE/list 2017-11-09 05:11:58 UTC (rev 57474) +++ data/CVE/list 2017-11-09 06:12:45 UTC (rev 57475) @@ -34,6 +34,9 @@ RESERVED CVE-2017-16651 RESERVED + - roundcube + NOTE: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 + NOTE: https://github.com/roundcube/roundcubemail/issues/6026 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
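Review bot: the single NOTE cites commit c90ad5a97784fb32683b8e3c21d6c95baab6d806 without saying which branch it is on; as the package line is against unstable, the master-branch fix is the one to reference first, with branch-specific backports labelled as such so they can be matched to the suite being updated.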
[Secure-testing-commits] r57474 - data/DLA
Author: roberto Date: 2017-11-09 05:11:58 + (Thu, 09 Nov 2017) New Revision: 57474 Modified: data/DLA/list Log: Reserve DLA-1166-2 number for tomcat7 regression update Modified: data/DLA/list === --- data/DLA/list 2017-11-08 21:47:21 UTC (rev 57473) +++ data/DLA/list 2017-11-09 05:11:58 UTC (rev 57474) @@ -1,3 +1,5 @@ +[08 Nov 2017] DLA-1166-2 tomcat7 - regression update + [wheezy] - tomcat7 7.0.28-4+deb7u17 [08 Nov 2017] DLA-1167-1 ruby-yajl - security update {CVE-2017-16516} [wheezy] - ruby-yajl 1.1.0-2+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
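Review bot: the regression entry is dated `[08 Nov 2017]` although the reservation was committed at 05:11 UTC on 09 Nov; if the date field is meant to match the announcement, check which day DLA-1166-2 actually goes out, otherwise the entry sorts above DLA-1167-1 with a misleading date. The absence of a `{CVE-...}` line is expected for a regression update.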
[Secure-testing-commits] r57473 - data/CVE
Author: carnil Date: 2017-11-08 21:47:21 + (Wed, 08 Nov 2017) New Revision: 57473 Modified: data/CVE/list Log: Reference CVE-2017-1000383 upstream report Depending on how Emacs upstream decide we might readd the individual source packages, but rather with unimportant severity? Modified: data/CVE/list === --- data/CVE/list 2017-11-08 21:41:41 UTC (rev 57472) +++ data/CVE/list 2017-11-08 21:47:21 UTC (rev 57473) @@ -1000,6 +1000,7 @@ CVE-2017-1000383 (GNU Emacs version 25.3.1 (and other versions most likely) ignores ...) NOTE: This CVE assignment is nonsense, GNU emacs reuses the umask of the original NOTE: file when creating a backup file. That's hardly incorrect behaviour + NOTE: Upstream report: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29182 CVE-2017-1000382 (VIM version 8.0.1187 (and other versions most likely) ignores umask ...) - vim [stretch] - vim (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
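Review bot: after the package lines were dropped in r57471, the CVE-2017-1000383 entry now consists of NOTEs only, so it no longer appears under any source package and the new upstream report link is attached to nothing; the log message already suggests re-adding the emacs packages with `unimportant` severity, which is the form this file uses for issues that need no action (cf. `webkit2gtk 2.16.3-2 (unimportant)` further down), and doing that would keep the reasoning next to the packages it concerns.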
[Secure-testing-commits] r57472 - data/CVE
Author: jmm Date: 2017-11-08 21:41:41 + (Wed, 08 Nov 2017) New Revision: 57472 Modified: data/CVE/list Log: - This and the following lines will be ignored -- Mdata/CVE/list Modified: data/CVE/list === --- data/CVE/list 2017-11-08 21:40:26 UTC (rev 57471) +++ data/CVE/list 2017-11-08 21:41:41 UTC (rev 57472) @@ -11552,6 +11552,8 @@ CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to ...) {DLA-1163-1} - apr-util 1.6.1-1 (low; bug #879996) + [stretch] - apr-util (Minor issue) + [jessie] - apr-util (Minor issue) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E NOTE: https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
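Review bot: the log message is the untouched editor template ("This and the following lines will be ignored") rather than a description, so history gives no reason for marking apr-util no-dsa in stretch and jessie; the `(Minor issue)` tag is consistent with the `low` severity on the unstable line, but a log such as "apr-util: no-dsa for stretch/jessie" would say so. Also, the first NOTE URL `mail-archives.apache.org/...` lacks its `https://` scheme, unlike the GitHub link beside it.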
[Secure-testing-commits] r57470 - in data: . DSA
Author: jmm Date: 2017-11-08 21:40:04 + (Wed, 08 Nov 2017) New Revision: 57470 Modified: data/DSA/list data/dsa-needed.txt Log: libpam4j DSA Modified: data/DSA/list === --- data/DSA/list 2017-11-08 21:30:17 UTC (rev 57469) +++ data/DSA/list 2017-11-08 21:40:04 UTC (rev 57470) @@ -1,3 +1,7 @@ +[08 Nov 2017] DSA-4025-1 libpam4j - security update + {CVE-2017-12197} + [jessie] - libpam4j 1.4-2+deb8u1 + [stretch] - libpam4j 1.4-2+deb9u1 [08 Nov 2017] DSA-4024-1 chromium-browser - security update {CVE-2017-15398 CVE-2017-15399} [stretch] - chromium-browser 62.0.3202.89-1~deb9u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-08 21:30:17 UTC (rev 57469) +++ data/dsa-needed.txt 2017-11-08 21:40:04 UTC (rev 57470) @@ -25,8 +25,6 @@ libav/oldstable We can ship the next libav 11.x point release when available -- -libpam4j (jmm) --- libvpx/oldstable -- libxml-libxml-perl (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
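Review bot: the DSA-4025-1 entry lists `[jessie]` before `[stretch]`, whereas DSA-4024-1 directly below it carries `[stretch]` only; suite order within an entry is not a correctness problem, but keeping it the same across entries helps both grep-based tooling and eyeballing. The dsa-needed hunk removes `libpam4j (jmm)` together with one `--` separator, leaving a single `--` between the libav note and `libvpx/oldstable`, which is the intended shape.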
[Secure-testing-commits] r57471 - data/CVE
Author: jmm Date: 2017-11-08 21:40:26 + (Wed, 08 Nov 2017) New Revision: 57471 Modified: data/CVE/list Log: emacs CVE ID is nonsense Modified: data/CVE/list === --- data/CVE/list 2017-11-08 21:40:04 UTC (rev 57470) +++ data/CVE/list 2017-11-08 21:40:26 UTC (rev 57471) @@ -998,14 +998,8 @@ CVE-2017-16242 RESERVED CVE-2017-1000383 (GNU Emacs version 25.3.1 (and other versions most likely) ignores ...) - - emacs25 - [stretch] - emacs25 (Minor issue) - - emacs24 - [stretch] - emacs24 (Minor issue) - [jessie] - emacs24 (Minor issue) - - emacs23 - [wheezy] - emacs23 (Minor issue) - NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15 + NOTE: This CVE assignment is nonsense, GNU emacs reuses the umask of the original + NOTE: file when creating a backup file. That's hardly incorrect behaviour CVE-2017-1000382 (VIM version 8.0.1187 (and other versions most likely) ignores umask ...) - vim [stretch] - vim (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
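Review bot: the hunk drops the `NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15` reference along with the package lines; even when the CVE is judged bogus, the original report is the evidence for that judgement and should stay beside the new NOTE explaining that emacs reuses the original file's umask for backup files, so the reasoning can be rechecked later without searching the list archive.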
[Secure-testing-commits] r57469 - data/CVE
Author: opal Date: 2017-11-08 21:30:17 + (Wed, 08 Nov 2017) New Revision: 57469 Modified: data/CVE/list Log: Triage result. Modified: data/CVE/list === --- data/CVE/list 2017-11-08 21:19:59 UTC (rev 57468) +++ data/CVE/list 2017-11-08 21:30:17 UTC (rev 57469) @@ -42200,16 +42200,19 @@ NOTE: Not covered by security support CVE-2017-2520 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 3.16.2-1 + [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016 NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 3.16.0-1 + [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632 NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 3.15.2-1 + [wheezy] - sqlite3 (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936 NOTE: Fixed by: https://www.sqlite.org/src/info/0a98c8d76ac86412 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
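Review bot: the three added `[wheezy]` lines use different reasons (`Vulnerable code not present` for CVE-2017-2519 and CVE-2017-2520, `Minor issue` for CVE-2017-2518), which is fine if the 2518 code is present in wheezy's sqlite3, but a NOTE saying so would stop the discrepancy from looking accidental; also, no `[jessie]` status is recorded for any of the three, while r57456 on this page triaged CVE-2017-2513 for both jessie and wheezy.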
[Secure-testing-commits] r57468 - data/CVE
Author: jmm Date: 2017-11-08 21:19:59 + (Wed, 08 Nov 2017) New Revision: 57468 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-08 21:16:02 UTC (rev 57467) +++ data/CVE/list 2017-11-08 21:19:59 UTC (rev 57468) @@ -3,7 +3,7 @@ CVE-2017-1 RESERVED CVE-2017-16665 (RemObjects Remoting SDK 9 1.0.0.0 for Delphi is vulnerable to a ...) - TODO: check + NOT-FOR-US: RemObjects Remoting SDK CVE-2017-16664 RESERVED CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper ...) @@ -6339,7 +6339,7 @@ CVE-2017-14361 RESERVED CVE-2017-14360 (A potential security vulnerability has been identified in HPE Content ...) - TODO: check + NOT-FOR-US: HPE CVE-2017-14359 (A potential security vulnerability has been identified in HPE ...) NOT-FOR-US: HPE Performance Center CVE-2017-14358 (A URL redirection to untrusted site vulnerability in HP ArcSight ESM ...) @@ -10972,7 +10972,7 @@ CVE-2017-12825 RESERVED CVE-2017-12824 (Special crafted InPage document leads to arbitrary code execution in ...) - TODO: check + NOT-FOR-US: InPage CVE-2017-12823 RESERVED CVE-2017-12822 (Remote enabling and disabling admin interface in Gemalto's HASP SRM, ...) @@ -21853,7 +21853,7 @@ CVE-2017-9097 (In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through ...) NOT-FOR-US: Anti-Web CVE-2017-9096 (The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not ...) - TODO: check + NOT-FOR-US: iText CVE-2017-9095 (XXE in Diving Log 6.0 allows attackers to remotely view local files ...) NOT-FOR-US: Diving Log CVE-2017-9094 (The lzw_add_to_dict function in imagew-gif.c in libimageworsener.a in ...) 
@@ -92268,7 +92268,7 @@ CVE-2015-3934 RESERVED CVE-2015-3933 (Multiple SQL injection vulnerabilities in inc/lib/User.class.php in ...) - TODO: check + NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-3932 (Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML ...) NOT-FOR-US: Netlock Mokka CVE-2015-3931 (Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
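Review bot: `NOT-FOR-US: HPE` for CVE-2017-14360 is vaguer than the neighbouring `NOT-FOR-US: HPE Performance Center`; naming the product as the description does ("HPE Content ...") keeps the NFU reasons consistent and searchable. The iText change (CVE-2017-9096, `NOT-FOR-US: iText`) is worth a second look against the archive before it is closed, since an NFU on a library is harder to revisit than a TODO.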
[Secure-testing-commits] r57467 - data/CVE
Author: carnil Date: 2017-11-08 21:16:02 + (Wed, 08 Nov 2017) New Revision: 57467 Modified: data/CVE/list Log: Add CVE-2017-15865/frr, itp'ed Modified: data/CVE/list === --- data/CVE/list 2017-11-08 21:10:14 UTC (rev 57466) +++ data/CVE/list 2017-11-08 21:16:02 UTC (rev 57467) @@ -2240,7 +2240,7 @@ CVE-2017-15866 RESERVED CVE-2017-15865 (bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in ...) - TODO: check + - frr (bug #863249) CVE-2017-15864 RESERVED CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
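Review bot: `- frr (bug #863249)` with no fixed version records frr as an open issue in unstable, but the log says the package is only ITP'd; a NOTE stating that #863249 is the ITP bug and that the package is not yet in the archive would stop the entry from being read as an unfixed vulnerability in a shipped package until the upload happens.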
[Secure-testing-commits] r57466 - data/CVE
Author: sectracker Date: 2017-11-08 21:10:14 + (Wed, 08 Nov 2017) New Revision: 57466 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-08 20:49:18 UTC (rev 57465) +++ data/CVE/list 2017-11-08 21:10:14 UTC (rev 57466) @@ -1,4 +1,12 @@ -CVE-2017-16667 [shell injection in notify-send] +CVE-2017-16668 + RESERVED +CVE-2017-1 + RESERVED +CVE-2017-16665 (RemObjects Remoting SDK 9 1.0.0.0 for Delphi is vulnerable to a ...) + TODO: check +CVE-2017-16664 + RESERVED +CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper ...) - backintime (bug #881205) NOTE: https://github.com/bit-team/backintime/issues/834 NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 @@ -344,6 +352,7 @@ CVE-2017-16517 RESERVED CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is ...) + {DLA-1167-1} - ruby-yajl 1.2.0-3.1 (low; bug #880691) [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) @@ -2230,8 +2239,8 @@ NOT-FOR-US: user-login-history plugin for WordPress CVE-2017-15866 RESERVED -CVE-2017-15865 - RESERVED +CVE-2017-15865 (bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in ...) + TODO: check CVE-2017-15864 RESERVED CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" ...) @@ -3272,6 +3281,7 @@ RESERVED CVE-2017-15399 RESERVED + {DSA-4024-1} - chromium-browser 62.0.3202.89-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) @@ -3279,6 +3289,7 @@ NOTE: libv8 not covered by security support CVE-2017-15398 RESERVED + {DSA-4024-1} - chromium-browser 62.0.3202.89-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) 
@@ -4162,14 +4173,11 @@ NOTE: runs on client systems, and only with a certificate that is explicitly NOTE: configured locally, leading to a local kinit crash if passed a crafted NOTE: local certificate. This is hardly has any harmful security implication. -CVE-2017-15087 - RESERVED +CVE-2017-15087 (It was discovered that the fix for CVE-2017-12163 was not properly ...) - samba (Incomplete Red Hat backport for CVE-2017-12163) -CVE-2017-15086 - RESERVED +CVE-2017-15086 (It was discovered that the fix for CVE-2017-12151 was not properly ...) - samba (Incomplete Red Hat backport for CVE-2017-12151) -CVE-2017-15085 - RESERVED +CVE-2017-15085 (It was discovered that the fix for CVE-2017-12150 was not properly ...) - samba (Incomplete Red Hat backport for CVE-2017-12150) CVE-2017-15084 (The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout ...) NOT-FOR-US: Metasploit Framework @@ -6330,8 +6338,8 @@ RESERVED CVE-2017-14361 RESERVED -CVE-2017-14360 - RESERVED +CVE-2017-14360 (A potential security vulnerability has been identified in HPE Content ...) + TODO: check CVE-2017-14359 (A potential security vulnerability has been identified in HPE ...) NOT-FOR-US: HPE Performance Center CVE-2017-14358 (A URL redirection to untrusted site vulnerability in HP ArcSight ESM ...) @@ -10963,8 +10971,8 @@ RESERVED CVE-2017-12825 RESERVED -CVE-2017-12824 - RESERVED +CVE-2017-12824 (Special crafted InPage document leads to arbitrary code execution in ...) + TODO: check CVE-2017-12823 RESERVED CVE-2017-12822 (Remote enabling and disabling admin interface in Gemalto's HASP SRM, ...) 
@@ -20895,7 +20903,7 @@ [wheezy] - chicken (Minor issue) NOTE: Original announcement: http://lists.nongnu.org/archive/html/chicken-announce/2017-05/msg0.html NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2017-05/msg00099.html -CVE-2017-9330 (QEMU (aka Quick Emulator), when built with the USB OHCI Emulation ...) +CVE-2017-9330 (QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI ...) {DSA-3920-1} - qemu 1:2.8+dfsg-7 (bug #863943) [jessie] - qemu (Minor issue) @@ -21844,8 +21852,8 @@ NOTE: https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html CVE-2017-9097 (In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through ...) NOT-FOR-US: Anti-Web -CVE-2017-9096 - RESERVED +CVE-2017-9096 (The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not ...) + TODO: check CVE-2017-9095 (XXE in Diving Log 6.0 allows attackers to remotely view local files ...) NOT-FOR-US: Diving Log CVE-201
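Review bot: the first hunk introduces `CVE-2017-1 RESERVED` between CVE-2017-16668 and CVE-2017-16665, which is not a plausible identifier in that position and looks like a truncated id from the upstream feed; it should be checked against the source and corrected before the next automatic run repeats it. Separately, the samba hunk turns CVE-2017-15085, CVE-2017-15086 and CVE-2017-15087 into described entries while their package lines stay `- samba (Incomplete Red Hat backport for CVE-...)` with no version, so the tracker keeps showing them as open for Debian unless the not-affected state is expressed in a form the tooling recognizes rather than only in free text.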
[Secure-testing-commits] r57465 - in data: . DLA
Author: apo Date: 2017-11-08 20:49:18 + (Wed, 08 Nov 2017) New Revision: 57465 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1167-1 for ruby-yajl Modified: data/DLA/list === --- data/DLA/list 2017-11-08 20:26:09 UTC (rev 57464) +++ data/DLA/list 2017-11-08 20:49:18 UTC (rev 57465) @@ -1,3 +1,6 @@ +[08 Nov 2017] DLA-1167-1 ruby-yajl - security update + {CVE-2017-16516} + [wheezy] - ruby-yajl 1.1.0-2+deb7u1 [07 Nov 2017] DLA-1166-1 tomcat7 - security update {CVE-2017-12617} [wheezy] - tomcat7 7.0.28-4+deb7u16 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-08 20:26:09 UTC (rev 57464) +++ data/dla-needed.txt 2017-11-08 20:49:18 UTC (rev 57465) @@ -93,8 +93,6 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- -ruby-yajl (Markus Koschany) --- simplesamlphp NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
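Review bot: reserving DLA-1167-1 here updates data/DLA/list and dla-needed.txt but not the CVE-2017-16516 entry in data/CVE/list; the `{DLA-1167-1}` cross-reference only appears in the automatic update r57466, which is fine as long as that step is expected to come from the bot rather than by hand.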
[Secure-testing-commits] r57464 - data/CVE
Author: opal Date: 2017-11-08 20:26:09 + (Wed, 08 Nov 2017) New Revision: 57464 Modified: data/CVE/list Log: Triage result. Modified: data/CVE/list === --- data/CVE/list 2017-11-08 20:20:04 UTC (rev 57463) +++ data/CVE/list 2017-11-08 20:26:09 UTC (rev 57464) @@ -4,6 +4,7 @@ NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) - sam2p + [wheezy] - sam2p (Minor issue) NOTE: https://github.com/pts/sam2p/issues/16 CVE-2017-16662 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
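Review bot: only a `[wheezy]` status is added for CVE-2017-16663 while the package line `- sam2p` has neither a fixed version nor a severity, so stretch and jessie remain untriaged; if the issue is "Minor" for wheezy it likely warrants the same tag for the other suites, or a NOTE on why not.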
[Secure-testing-commits] r57463 - data
Author: opal Date: 2017-11-08 20:20:04 + (Wed, 08 Nov 2017) New Revision: 57463 Modified: data/dla-needed.txt Log: Triaging result. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-08 20:07:10 UTC (rev 57462) +++ data/dla-needed.txt 2017-11-08 20:20:04 UTC (rev 57463) @@ -14,6 +14,8 @@ NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org NOTE: 20171013: anarcat pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at -- +cacti +-- graphicsmagick (Roberto C. Sánchez) -- imagemagick (Roberto C. Sánchez) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
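Review bot: `cacti` is added to dla-needed.txt with no NOTE line saying which CVE(s) it is for, unlike the neighbouring entries that carry dated notes; a pointer to the tracker entry or CVE id saves whoever claims it a search.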
[Secure-testing-commits] r57462 - data/CVE
Author: carnil Date: 2017-11-08 20:07:10 + (Wed, 08 Nov 2017) New Revision: 57462 Modified: data/CVE/list Log: Add bug reference for backintime issue, #881205 Modified: data/CVE/list === --- data/CVE/list 2017-11-08 20:04:40 UTC (rev 57461) +++ data/CVE/list 2017-11-08 20:07:10 UTC (rev 57462) @@ -1,5 +1,5 @@ CVE-2017-16667 [shell injection in notify-send] - - backintime + - backintime (bug #881205) NOTE: https://github.com/bit-team/backintime/issues/834 NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57461 - data
Author: carnil Date: 2017-11-08 20:04:40 + (Wed, 08 Nov 2017) New Revision: 57461 Modified: data/dsa-needed.txt Log: Add bchunk to dsa-needed list, proposed update, needs review and ack Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-08 19:54:42 UTC (rev 57460) +++ data/dsa-needed.txt 2017-11-08 20:04:40 UTC (rev 57461) @@ -14,6 +14,9 @@ -- 389-ds-base (fw) -- +bchunk + Markus Koschany proposed update, needs review and ack +-- graphicsmagick -- jackson-databind ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57460 - data/CVE
Author: carnil Date: 2017-11-08 19:54:42 + (Wed, 08 Nov 2017) New Revision: 57460 Modified: data/CVE/list Log: Add CVE-2017-15101/liblouis, incomplete fix CVE, not affecting Debian Modified: data/CVE/list === --- data/CVE/list 2017-11-08 19:40:28 UTC (rev 57459) +++ data/CVE/list 2017-11-08 19:54:42 UTC (rev 57460) @@ -4099,8 +4099,11 @@ [jessie] - linux 3.16.43-1 [wheezy] - linux 3.2.86-1 NOTE: Fixed by: https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1) -CVE-2017-15101 +CVE-2017-15101 [Incomplete fix for CVE-2014-8184] RESERVED + - liblouis (Incomplete fix not applied in Debian) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701#c12 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1511023 CVE-2017-15100 RESERVED - foreman (bug #663101) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
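Review bot: `- liblouis (Incomplete fix not applied in Debian)` carries no version, so by the same convention as every other package line in this file it reads as an open issue in unstable, the opposite of what the parenthetical says; the tracker's `<not-affected>` marker is the way to express this so tooling agrees with the note, with the two Red Hat bugzilla links kept as the justification.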
[Secure-testing-commits] r57459 - data/CVE
Author: carnil Date: 2017-11-08 19:40:28 + (Wed, 08 Nov 2017) New Revision: 57459 Modified: data/CVE/list Log: Add issue in backintime, CVE-2017-16667 Modified: data/CVE/list === --- data/CVE/list 2017-11-08 17:18:17 UTC (rev 57458) +++ data/CVE/list 2017-11-08 19:40:28 UTC (rev 57459) @@ -1,3 +1,7 @@ +CVE-2017-16667 [shell injection in notify-send] + - backintime + NOTE: https://github.com/bit-team/backintime/issues/834 + NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) - sam2p NOTE: https://github.com/pts/sam2p/issues/16 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57458 - data/CVE
Author: jmm Date: 2017-11-08 17:18:17 + (Wed, 08 Nov 2017) New Revision: 57458 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-08 16:19:17 UTC (rev 57457) +++ data/CVE/list 2017-11-08 17:18:17 UTC (rev 57458) @@ -4,7 +4,7 @@ CVE-2017-16662 RESERVED CVE-2017-16659 (The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows ...) - TODO: check + NOT-FOR-US: assp as packaged by Gentoo CVE-2017-16658 RESERVED CVE-2017-16657 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57457 - data
Author: lamby Date: 2017-11-08 16:19:17 + (Wed, 08 Nov 2017) New Revision: 57457 Modified: data/dla-needed.txt Log: data/dla-needed.txt: I clearly typod here! Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-08 15:16:34 UTC (rev 57456) +++ data/dla-needed.txt 2017-11-08 16:19:17 UTC (rev 57457) @@ -91,8 +91,6 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- -ruby-yahl (Chris Lamb) --- ruby-yajl (Markus Koschany) -- simplesamlphp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57456 - data/CVE
Author: santiago Date: 2017-11-08 15:16:34 + (Wed, 08 Nov 2017) New Revision: 57456 Modified: data/CVE/list Log: sqlite3/CVE-2017-2513 wheezy and jessie not vulnerable Modified: data/CVE/list === --- data/CVE/list 2017-11-08 14:40:16 UTC (rev 57455) +++ data/CVE/list 2017-11-08 15:16:34 UTC (rev 57456) @@ -42209,6 +42209,8 @@ NOTE: Not covered by security support CVE-2017-2513 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 3.15.2-1 + [jessie] - sqlite3 (Vulnerable code not present) + [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5770842466156544 NOTE: Fixed by: https://www.sqlite.org/src/info/c5dbc599b910c02a ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57455 - data/CVE
Author: carnil Date: 2017-11-08 14:40:16 + (Wed, 08 Nov 2017) New Revision: 57455 Modified: data/CVE/list Log: Add fixing version for ruby-yajl to unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-08 13:03:44 UTC (rev 57454) +++ data/CVE/list 2017-11-08 14:40:16 UTC (rev 57455) @@ -339,7 +339,7 @@ CVE-2017-16517 RESERVED CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is ...) - - ruby-yajl (low; bug #880691) + - ruby-yajl 1.2.0-3.1 (low; bug #880691) [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57451 - data/CVE
Author: carnil Date: 2017-11-08 12:57:09 + (Wed, 08 Nov 2017) New Revision: 57451 Modified: data/CVE/list Log: Fix for CVE-2017-2520 is included in 3.16.2, fixed in 3.16.2-1 Modified: data/CVE/list === --- data/CVE/list 2017-11-08 12:12:17 UTC (rev 57450) +++ data/CVE/list 2017-11-08 12:57:09 UTC (rev 57451) @@ -42183,7 +42183,7 @@ - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2520 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - - sqlite3 + - sqlite3 3.16.2-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016 NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
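Review bot: the package line goes from a bare `- sqlite3` to `- sqlite3 3.16.2-1`, but nothing in the entry records that upstream check-in 2dc7eeb5b4d2eaf1 shipped in sqlite 3.16.2; the commit log says so, and that mapping belongs in the entry itself (e.g. `NOTE: Fixed in 3.16.2`), since the fixed-version claim is what readers of the tracker will want to verify. The same applies to the sibling updates for CVE-2017-2518, CVE-2017-2519 and CVE-2017-2513 in r57453, r57452 and r57454 below.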
[Secure-testing-commits] r57453 - data/CVE
Author: carnil Date: 2017-11-08 13:02:38 + (Wed, 08 Nov 2017) New Revision: 57453 Modified: data/CVE/list Log: Update status for CVE-2017-2518, fixed in 3.15.2-1 Modified: data/CVE/list === --- data/CVE/list 2017-11-08 13:00:16 UTC (rev 57452) +++ data/CVE/list 2017-11-08 13:02:38 UTC (rev 57453) @@ -42193,7 +42193,7 @@ NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632 NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - - sqlite3 + - sqlite3 3.15.2-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936 NOTE: Fixed by: https://www.sqlite.org/src/info/0a98c8d76ac86412 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57454 - data/CVE
Author: carnil Date: 2017-11-08 13:03:44 + (Wed, 08 Nov 2017) New Revision: 57454 Modified: data/CVE/list Log: Add fixed version for CVE-2017-2513 Modified: data/CVE/list === --- data/CVE/list 2017-11-08 13:02:38 UTC (rev 57453) +++ data/CVE/list 2017-11-08 13:03:44 UTC (rev 57454) @@ -42208,7 +42208,7 @@ - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2513 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - - sqlite3 + - sqlite3 3.15.2-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5770842466156544 NOTE: Fixed by: https://www.sqlite.org/src/info/c5dbc599b910c02a ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
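Review bot: with the fixed version now recorded for unstable, the entry still says nothing about jessie or wheezy, both of which ship sqlite3 releases older than 3.15.2, so the tracker will list both as affected until a `[jessie]`/`[wheezy]` line is added (r57456 above later marks them "Vulnerable code not present"); the other three sqlite3 CVEs in this batch are missing the same release-status lines.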
[Secure-testing-commits] r57452 - data/CVE
Author: carnil Date: 2017-11-08 13:00:16 + (Wed, 08 Nov 2017) New Revision: 57452 Modified: data/CVE/list Log: CVE-2017-2519 addressed in 3.16.0, fixed in 3.16.0-1 Modified: data/CVE/list === --- data/CVE/list 2017-11-08 12:57:09 UTC (rev 57451) +++ data/CVE/list 2017-11-08 13:00:16 UTC (rev 57452) @@ -42188,7 +42188,7 @@ NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016 NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - - sqlite3 + - sqlite3 3.16.0-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632 NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57450 - data/DSA
Author: mgilbert Date: 2017-11-08 12:12:17 + (Wed, 08 Nov 2017) New Revision: 57450 Modified: data/DSA/list Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2017-11-08 10:34:40 UTC (rev 57449) +++ data/DSA/list 2017-11-08 12:12:17 UTC (rev 57450) @@ -1,3 +1,6 @@ +[08 Nov 2017] DSA-4024-1 chromium-browser - security update + {CVE-2017-15398 CVE-2017-15399} + [stretch] - chromium-browser 62.0.3202.89-1~deb9u1 [07 Nov 2017] DSA-4023-1 slurm-llnl - security update {CVE-2017-15566} [stretch] - slurm-llnl 16.05.9-1+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
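Review bot: the new DSA-4024-1 entry lists CVE-2017-15398 and CVE-2017-15399, but this commit touches only data/DSA/list; the two CVE/list entries still need the matching `{DSA-4024-1}` reference (the form used for CVE-2017-15566 with `{DSA-4023-1}` in r57437 below), which is how the stretch fix 62.0.3202.89-1~deb9u1 gets attached to the CVEs in the tracker.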
[Secure-testing-commits] r57449 - data/CVE
Author: santiago Date: 2017-11-08 10:34:40 + (Wed, 08 Nov 2017) New Revision: 57449 Modified: data/CVE/list Log: sqlite3/CVE-2017-2513,CVE-2017-2518,CVE-2017-2519,CVE-2017-2520: include fix urls Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:56:57 UTC (rev 57448) +++ data/CVE/list 2017-11-08 10:34:40 UTC (rev 57449) @@ -42186,14 +42186,17 @@ - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016 + NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632 + NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936 + NOTE: Fixed by: https://www.sqlite.org/src/info/0a98c8d76ac86412 CVE-2017-2517 (An issue was discovered in certain Apple products. iOS before 10.3.3 ...) NOT-FOR-US: Apple Safari CVE-2017-2516 (An issue was discovered in certain Apple products. macOS before ...) @@ -42208,6 +42211,7 @@ - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5770842466156544 + NOTE: Fixed by: https://www.sqlite.org/src/info/c5dbc599b910c02a CVE-2017-2512 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-2511 (An issue was discovered in certain Apple products. Safari before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
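Review bot: the three "Fixed by" NOTEs in the first hunk point at upstream check-ins, but each package line stays a bare `- sqlite3`, so the tracker still treats unstable as unfixed; each check-in should be mapped to the first sqlite release containing it and the Debian version recorded on the package line (which the follow-up commits r57451 through r57454 above do). The second hunk for CVE-2017-2513 has the same gap.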
[Secure-testing-commits] r57448 - data/CVE
Author: carnil Date: 2017-11-08 09:56:57 + (Wed, 08 Nov 2017) New Revision: 57448 Modified: data/CVE/list Log: Add sam2p issue Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:55:54 UTC (rev 57447) +++ data/CVE/list 2017-11-08 09:56:57 UTC (rev 57448) @@ -1,5 +1,6 @@ CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) - TODO: check + - sam2p + NOTE: https://github.com/pts/sam2p/issues/16 CVE-2017-16662 RESERVED CVE-2017-16659 (The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
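Review bot: `TODO: check` becomes a bare `- sam2p`, which marks every version as affected with no fix, yet the entry carries neither a Debian bug reference nor a severity, unlike the cacti entry in this file that records `(bug #881110)`; the upstream issue (#16) is referenced, so please file the Debian bug, add `(bug #NNN)` with the real number, and, given that the description names integer overflows with a resultant heap-based problem, a severity so the entry lands in the right DSA/DLA queue.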
[Secure-testing-commits] r57447 - data/CVE
Author: carnil Date: 2017-11-08 09:55:54 + (Wed, 08 Nov 2017) New Revision: 57447 Modified: data/CVE/list Log: Add one new php issue Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:42:21 UTC (rev 57446) +++ data/CVE/list 2017-11-08 09:55:54 UTC (rev 57447) @@ -37,7 +37,13 @@ CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) - linux CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an ...) - TODO: check + - php7.1 + - php7.0 + - php5 + NOTE: Fixed in: 5.6.32, 7.0.25, 7.1.11 + NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75055 + NOTE: https://github.com/derickr/timelib/commit/aa9156006e88565e1f1a5f7cc088b18322d57536 + NOTE: https://github.com/php/php-src/commit/5c0455bf2c8cd3c25401407f158e820aa3b239e1 CVE-2017-16661 (Cacti 1.1.27 allows remote authenticated administrators to read ...) - cacti NOTE: https://github.com/Cacti/cacti/issues/1066 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
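Review bot: the NOTE "Fixed in: 5.6.32, 7.0.25, 7.1.11" records the upstream fix versions, but the `php7.1`, `php7.0` and `php5` lines carry no Debian version, so all three stay marked unfixed in unstable even once Debian uploads of those upstream releases exist; add the fixed Debian versions as soon as they are known (plus `[stretch]`/`[jessie]` lines or bug references), so the "Fixed in" NOTE is not the only place the fix is tracked.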
[Secure-testing-commits] r57446 - data/CVE
Author: carnil Date: 2017-11-08 09:42:21 + (Wed, 08 Nov 2017) New Revision: 57446 Modified: data/CVE/list Log: Add CVE-2017-16643/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:41:19 UTC (rev 57445) +++ data/CVE/list 2017-11-08 09:42:21 UTC (rev 57446) @@ -35,7 +35,7 @@ CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the ...) - linux CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) - TODO: check + - linux CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an ...) TODO: check CVE-2017-16661 (Cacti 1.1.27 allows remote authenticated administrators to read ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57445 - data/CVE
Author: carnil Date: 2017-11-08 09:41:19 + (Wed, 08 Nov 2017) New Revision: 57445 Modified: data/CVE/list Log: Add CVE-2017-16644/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:37:28 UTC (rev 57444) +++ data/CVE/list 2017-11-08 09:41:19 UTC (rev 57445) @@ -33,7 +33,7 @@ CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c ...) - linux CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the ...) - TODO: check + - linux CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) TODO: check CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57443 - data/CVE
Author: carnil Date: 2017-11-08 09:37:17 + (Wed, 08 Nov 2017) New Revision: 57443 Modified: data/CVE/list Log: Add CVE-2017-16647/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:33:38 UTC (rev 57442) +++ data/CVE/list 2017-11-08 09:37:17 UTC (rev 57443) @@ -27,7 +27,7 @@ CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) - linux CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) - TODO: check + - linux CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through ...) TODO: check CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57444 - data/CVE
Author: carnil Date: 2017-11-08 09:37:28 + (Wed, 08 Nov 2017) New Revision: 57444 Modified: data/CVE/list Log: Add CVE-2017-16646 and CVE-2017-16645 Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:37:17 UTC (rev 57443) +++ data/CVE/list 2017-11-08 09:37:28 UTC (rev 57444) @@ -29,9 +29,9 @@ CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) - linux CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through ...) - TODO: check + - linux CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c ...) - TODO: check + - linux CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the ...) TODO: check CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
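Review bot: switching CVE-2017-16646 and CVE-2017-16645 from `TODO: check` to a bare `- linux` records them as affecting every kernel version with no fix yet; the description for 16646 gives an upper bound ("through 4.13.11"), so the upstream fix commit should be identified, recorded as a `NOTE:` and turned into a fixed version. Since every entry in this run (16643 through 16650) names a USB driver bind/probe or descriptor-parsing function, which typically means a malformed or malicious USB device is required, a severity annotation reflecting that would help DSA/DLA triage; the same holds for the neighbouring r57440 to r57446 commits.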
[Secure-testing-commits] r57442 - data/CVE
Author: carnil Date: 2017-11-08 09:33:38 + (Wed, 08 Nov 2017) New Revision: 57442 Modified: data/CVE/list Log: Add CVE-2017-16648/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:33:27 UTC (rev 57441) +++ data/CVE/list 2017-11-08 09:33:38 UTC (rev 57442) @@ -25,7 +25,7 @@ CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) - linux CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) - TODO: check + - linux CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) TODO: check CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57441 - data/CVE
Author: carnil Date: 2017-11-08 09:33:27 + (Wed, 08 Nov 2017) New Revision: 57441 Modified: data/CVE/list Log: Add CVE-2017-16649/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:29:20 UTC (rev 57440) +++ data/CVE/list 2017-11-08 09:33:27 UTC (rev 57441) @@ -23,7 +23,7 @@ CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) - TODO: check + - linux CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) TODO: check CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57439 - data/CVE
Author: carnil Date: 2017-11-08 09:29:08 + (Wed, 08 Nov 2017) New Revision: 57439 Modified: data/CVE/list Log: Order list Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:14:34 UTC (rev 57438) +++ data/CVE/list 2017-11-08 09:29:08 UTC (rev 57439) @@ -4300,8 +4300,8 @@ [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) + - golang [jessie] - golang (Minor issue) - - golang NOTE: https://go.googlesource.com/go/+/a4544a0f8af001d1fb6df0e70750f570ec49ccf9%5E%21/ NOTE: https://github.com/golang/go/issues/22125 NOTE: https://golang.org/cl/68022 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57440 - data/CVE
Author: carnil Date: 2017-11-08 09:29:20 + (Wed, 08 Nov 2017) New Revision: 57440 Modified: data/CVE/list Log: Add CVE-2017-16650/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:29:08 UTC (rev 57439) +++ data/CVE/list 2017-11-08 09:29:20 UTC (rev 57440) @@ -21,7 +21,7 @@ CVE-2017-16651 RESERVED CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - TODO: check + - linux CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) TODO: check CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57438 - data/CVE
Author: jmm Date: 2017-11-08 09:14:34 + (Wed, 08 Nov 2017) New Revision: 57438 Modified: data/CVE/list Log: NFUs golang no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:10:21 UTC (rev 57437) +++ data/CVE/list 2017-11-08 09:14:34 UTC (rev 57438) @@ -99,13 +99,13 @@ CVE-2017-16619 RESERVED CVE-2017-16618 (An exploitable vulnerability exists in the YAML loading functionality ...) - TODO: check + NOT-FOR-US: OwlMixin CVE-2017-16617 RESERVED CVE-2017-16616 (An exploitable vulnerability exists in the YAML parsing functionality ...) - TODO: check + NOT-FOR-US: pyanyapi CVE-2017-16615 (An exploitable vulnerability exists in the YAML parsing functionality ...) - TODO: check + NOT-FOR-US: MLAlchemy CVE-2017-16614 RESERVED CVE-2017-16613 @@ -213,7 +213,7 @@ CVE-2017-16562 RESERVED CVE-2017-16561 (/view/friend_profile.php in Ingenious School Management System 2.3.0 is ...) - TODO: check + NOT-FOR-US: Ingenious School Management System CVE-2017-16560 RESERVED CVE-2017-16559 @@ -4287,6 +4287,7 @@ - golang-1.7 [stretch] - golang-1.7 (Minor issue, would require builds of all go packages in stable) - golang + [jessie] - golang (Minor issue, would require builds of all go packages in stable) [wheezy] - golang (Vulnerable code introduced later in version 1.1) NOTE: https://github.com/golang/go/issues/22134 NOTE: https://golang.org/cl/68023 @@ -4299,6 +4300,7 @@ [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) + [jessie] - golang (Minor issue) - golang NOTE: https://go.googlesource.com/go/+/a4544a0f8af001d1fb6df0e70750f570ec49ccf9%5E%21/ NOTE: https://github.com/golang/go/issues/22125 
@@ -76735,7 +76737,7 @@ CVE-2016-0873 RESERVED CVE-2016-0872 (A Plaintext Storage of a Password issue was discovered in Kabona AB ...) - TODO: check + NOT-FOR-US: Kabona AB WebDatorCentral CVE-2016-0871 (Eaton Lighting EG2 Web Control 4.04P and earlier allows remote ...) NOT-FOR-US: Eaton Lighting EG2 Web Control CVE-2016-0870 (The web server in Trane Tracer SC 4.2.1134 and earlier allows remote ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
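Review bot: in the third hunk the new `[jessie] - golang` line reuses the stretch rationale word for word, "would require builds of all go packages in stable", but jessie is oldstable at this point (stretch has been stable since June 2017), so the justification should say oldstable or, better, be specific to jessie; copied rationales like this are what make later no-dsa audits hard to read.

Review bot: in the fourth hunk the `[jessie] - golang (Minor issue)` line is inserted above the bare `- golang` package line, whereas everywhere else in the file (the golang-1.7 and golang-1.8 lines of the same entry, the mariadb-10.0 entries) the release-qualified lines follow the package line; r57439 above already reorders it, but it is worth keeping the placement consistent in the next no-dsa batch so the entry does not need a second commit.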
[Secure-testing-commits] r57437 - data/CVE
Author: sectracker Date: 2017-11-08 09:10:21 + (Wed, 08 Nov 2017) New Revision: 57437 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-08 08:28:25 UTC (rev 57436) +++ data/CVE/list 2017-11-08 09:10:21 UTC (rev 57437) 
@@ -1,7 +1,47 @@ -CVE-2017-16661 [Local File Read] +CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) + TODO: check +CVE-2017-16662 + RESERVED +CVE-2017-16659 (The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows ...) + TODO: check +CVE-2017-16658 + RESERVED +CVE-2017-16657 + RESERVED +CVE-2017-16656 + RESERVED +CVE-2017-16655 + RESERVED +CVE-2017-16654 + RESERVED +CVE-2017-16653 + RESERVED +CVE-2017-16652 + RESERVED +CVE-2017-16651 + RESERVED +CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) + TODO: check +CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) + TODO: check +CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) + TODO: check +CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) + TODO: check +CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through ...) + TODO: check +CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c ...) + TODO: check +CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the ...) + TODO: check +CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) + TODO: check +CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an ...) + TODO: check +CVE-2017-16661 (Cacti 1.1.27 allows remote authenticated administrators to read ...) - cacti NOTE: https://github.com/Cacti/cacti/issues/1066 -CVE-2017-16660 [RCE] +CVE-2017-16660 (Cacti 1.1.27 allows remote authenticated administrators to conduct ...) - cacti NOTE: https://github.com/Cacti/cacti/issues/1066 CVE-2017-16641 (lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators ...) 
@@ -12,7 +52,7 @@ RESERVED CVE-2017-16639 RESERVED -CVE-2008-7319 [command injection via crafted arguments] +CVE-2008-7319 (The Net::Ping::External extension through 0.15 for Perl does not ...) - libnet-ping-external-perl (bug #881097) [stretch] - libnet-ping-external-perl (Remove in next point update) [jessie] - libnet-ping-external-perl (Remove in next point update) @@ -58,14 +98,14 @@ RESERVED CVE-2017-16619 RESERVED -CVE-2017-16618 - RESERVED +CVE-2017-16618 (An exploitable vulnerability exists in the YAML loading functionality ...) + TODO: check CVE-2017-16617 RESERVED -CVE-2017-16616 - RESERVED -CVE-2017-16615 - RESERVED +CVE-2017-16616 (An exploitable vulnerability exists in the YAML parsing functionality ...) + TODO: check +CVE-2017-16615 (An exploitable vulnerability exists in the YAML parsing functionality ...) + TODO: check CVE-2017-16614 RESERVED CVE-2017-16613 @@ -172,8 +212,8 @@ NOT-FOR-US: Vonage CVE-2017-16562 RESERVED -CVE-2017-16561 - RESERVED +CVE-2017-16561 (/view/friend_profile.php in Ingenious School Management System 2.3.0 is ...) + TODO: check CVE-2017-16560 RESERVED CVE-2017-16559 @@ -2803,6 +2843,7 @@ CVE-2017-15567 (The certificate import component in IDEMIA (formerly Morpho) ...) NOT-FOR-US: IDEMIA CVE-2017-15566 (Insecure SPANK environment variable handling exists in SchedMD Slurm ...) + {DSA-4023-1} - slurm-llnl 17.02.9-1 (bug #880530) [jessie] - slurm-llnl (Vulnerable code introduced later) [wheezy] - slurm-llnl (Vulnerable code introduced later) 
@@ -76693,8 +76734,8 @@ RESERVED CVE-2016-0873 RESERVED -CVE-2016-0872 - RESERVED +CVE-2016-0872 (A Plaintext Storage of a Password issue was discovered in Kabona AB ...) + TODO: check CVE-2016-0871 (Eaton Lighting EG2 Web Control 4.04P and earlier allows remote ...) NOT-FOR-US: Eaton Lighting EG2 Web Control CVE-2016-0870 (The web server in Trane Tracer SC 4.2.1134 and earlier allows remote ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
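Review bot: the first hunk replaces the hand-written tags `[Local File Read]` and `[RCE]` on CVE-2017-16661/16660 with the truncated MITRE descriptions, and with them the only place the entries said that 16660 is remote code execution disappears; since the `- cacti` lines carry no severity, that information should be kept as a severity tag or NOTE rather than lost in the automatic refresh. The eight new linux entries and CVE-2017-16642 land as `TODO: check` and are all triaged in r57440 through r57447 above.

Review bot: in the CVE-2008-7319 hunk the `[stretch]` and `[jessie]` lines say "Remove in next point update" while the package line records only `(bug #881097)` and no fixed or removed status for unstable; if #881097 is the removal request, say so in a NOTE, and if the unstable package is to go as well the entry needs the corresponding status, otherwise the tracker keeps the package open in every suite with no visible path to resolution.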
[Secure-testing-commits] r57436 - data/CVE
Author: carnil Date: 2017-11-08 08:28:25 + (Wed, 08 Nov 2017) New Revision: 57436 Modified: data/CVE/list Log: Add two cacti issues Modified: data/CVE/list === --- data/CVE/list 2017-11-08 06:43:33 UTC (rev 57435) +++ data/CVE/list 2017-11-08 08:28:25 UTC (rev 57436) @@ -1,3 +1,9 @@ +CVE-2017-16661 [Local File Read] + - cacti + NOTE: https://github.com/Cacti/cacti/issues/1066 +CVE-2017-16660 [RCE] + - cacti + NOTE: https://github.com/Cacti/cacti/issues/1066 CVE-2017-16641 (lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators ...) - cacti (bug #881110) NOTE: https://github.com/Cacti/cacti/issues/1057 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
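Review bot: both new cacti entries cite the same upstream issue (#1066) and carry bracketed placeholder descriptions, which is fine until MITRE publishes text, but neither `- cacti` line has a Debian bug reference even though the adjacent CVE-2017-16641 entry records `(bug #881110)`; file (or reuse) a bug for these two and add `(bug #NNN)` with the real number so the RCE one in particular is tracked against the package rather than only against the upstream issue.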