[Secure-testing-commits] r57522 - org

2017-11-09 Thread Chris Lamb
Author: lamby
Date: 2017-11-10 07:52:38 + (Fri, 10 Nov 2017)
New Revision: 57522

Modified:
   org/lts-frontdesk.2018.txt
Log:
org/lts-frontdesk.2018.txt: Take some dates for 2018.

Modified: org/lts-frontdesk.2018.txt
===
--- org/lts-frontdesk.2018.txt  2017-11-10 07:52:37 UTC (rev 57521)
+++ org/lts-frontdesk.2018.txt  2017-11-10 07:52:38 UTC (rev 57522)
@@ -11,55 +11,55 @@
 Who is in charge ?
 --
 
-From 01-01 to 07-01:
+From 01-01 to 07-01:Chris Lamb 
 From 08-01 to 14-01:
 From 15-01 to 21-01:
 From 22-01 to 28-01:
 From 29-01 to 04-02:
 From 05-02 to 11-02:
 From 12-02 to 18-02:
-From 19-02 to 25-02:
+From 19-02 to 25-02:Chris Lamb 
 From 26-02 to 04-03:
-From 05-03 to 11-03:
+From 05-03 to 11-03:Chris Lamb 
 From 12-03 to 18-03:
 From 19-03 to 25-03:
 From 26-03 to 01-04:
-From 02-04 to 08-04:
+From 02-04 to 08-04:Chris Lamb 
 From 09-04 to 15-04:
 From 16-04 to 22-04:
 From 23-04 to 29-04:
 From 30-04 to 06-05:
 From 07-05 to 13-05:
-From 14-05 to 20-05:
+From 14-05 to 20-05:Chris Lamb 
 From 21-05 to 27-05:
 From 28-05 to 03-06:
-From 04-06 to 10-06:
+From 04-06 to 10-06:Chris Lamb 
 From 11-06 to 17-06:
 From 18-06 to 24-06:
 From 25-06 to 01-07:
 From 02-07 to 08-07:
 From 09-07 to 15-07:
 From 16-07 to 22-07:
-From 23-07 to 29-07:
+From 23-07 to 29-07:Chris Lamb 
 From 30-07 to 05-08:
 From 06-08 to 12-08:
 From 13-08 to 19-08:
-From 20-08 to 26-08:
+From 20-08 to 26-08:Chris Lamb 
 From 27-08 to 02-09:
-From 03-09 to 09-09:
+From 03-09 to 09-09:Chris Lamb 
 From 10-09 to 16-09:
 From 17-09 to 23-09:
 From 24-09 to 30-09:
-From 01-10 to 07-10:
+From 01-10 to 07-10:Chris Lamb 
 From 08-10 to 14-10:
 From 15-10 to 21-10:
 From 22-10 to 28-10:
 From 29-10 to 04-11:
-From 05-11 to 11-11:
+From 05-11 to 11-11:Chris Lamb 
 From 12-11 to 18-11:
 From 19-11 to 25-11:
 From 26-11 to 02-12:
-From 03-12 to 09-12:
+From 03-12 to 09-12:Chris Lamb 
 From 10-12 to 16-12:
 From 17-12 to 23-12:
 From 24-12 to 30-12:
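
Review bot: the added assignee rows attach the name directly to the colon and end in trailing whitespace ("From 01-01 to 07-01:Chris Lamb "). Put a single space after the colon and drop the trailing blank, so that every claimed week has the same shape and the roster can be grepped or parsed per person without special-casing.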


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r57521 - org

2017-11-09 Thread Chris Lamb
Author: lamby
Date: 2017-11-10 07:52:37 + (Fri, 10 Nov 2017)
New Revision: 57521

Added:
   org/lts-frontdesk.2018.txt
Log:
org/lts-frontdesk.2018.txt: Add empty 2018 template

Added: org/lts-frontdesk.2018.txt
===
--- org/lts-frontdesk.2018.txt  (rev 0)
+++ org/lts-frontdesk.2018.txt  2017-11-10 07:52:37 UTC (rev 57521)
@@ -0,0 +1,66 @@
+Presentation
+
+
+The LTS frontdesk handles:
+
+ * CVE triaging:
+   https://wiki.debian.org/LTS/Development#Triage_new_security_issues
+
+ * Making sure that queries on debian-...@lists.debian.org get an answer.
+
+Who is in charge ?
+--
+
+From 01-01 to 07-01:
+From 08-01 to 14-01:
+From 15-01 to 21-01:
+From 22-01 to 28-01:
+From 29-01 to 04-02:
+From 05-02 to 11-02:
+From 12-02 to 18-02:
+From 19-02 to 25-02:
+From 26-02 to 04-03:
+From 05-03 to 11-03:
+From 12-03 to 18-03:
+From 19-03 to 25-03:
+From 26-03 to 01-04:
+From 02-04 to 08-04:
+From 09-04 to 15-04:
+From 16-04 to 22-04:
+From 23-04 to 29-04:
+From 30-04 to 06-05:
+From 07-05 to 13-05:
+From 14-05 to 20-05:
+From 21-05 to 27-05:
+From 28-05 to 03-06:
+From 04-06 to 10-06:
+From 11-06 to 17-06:
+From 18-06 to 24-06:
+From 25-06 to 01-07:
+From 02-07 to 08-07:
+From 09-07 to 15-07:
+From 16-07 to 22-07:
+From 23-07 to 29-07:
+From 30-07 to 05-08:
+From 06-08 to 12-08:
+From 13-08 to 19-08:
+From 20-08 to 26-08:
+From 27-08 to 02-09:
+From 03-09 to 09-09:
+From 10-09 to 16-09:
+From 17-09 to 23-09:
+From 24-09 to 30-09:
+From 01-10 to 07-10:
+From 08-10 to 14-10:
+From 15-10 to 21-10:
+From 22-10 to 28-10:
+From 29-10 to 04-11:
+From 05-11 to 11-11:
+From 12-11 to 18-11:
+From 19-11 to 25-11:
+From 26-11 to 02-12:
+From 03-12 to 09-12:
+From 10-12 to 16-12:
+From 17-12 to 23-12:
+From 24-12 to 30-12:
+From 31-12 to 06-01:
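
Review bot: the last row, "From 31-12 to 06-01:", ends in the following year, but the rows carry only day and month, so nothing in the file says that this 06-01 is not the 06-01 at the top of the list. Either add the year to the rows or add a short remark under "Who is in charge ?" that the final week carries over into January of the next year.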




[Secure-testing-commits] r57520 - org

2017-11-09 Thread Chris Lamb
Author: lamby
Date: 2017-11-10 07:52:35 + (Fri, 10 Nov 2017)
New Revision: 57520

Added:
   org/lts-frontdesk.py
Log:
org/lts-frontdesk.py: New script to generate weeks for frontdesk years.

Added: org/lts-frontdesk.py
===
--- org/lts-frontdesk.py(rev 0)
+++ org/lts-frontdesk.py2017-11-10 07:52:35 UTC (rev 57520)
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+import sys
+import datetime
+
+HEADER = """
+Presentation
+
+
+The LTS frontdesk handles:
+
+ * CVE triaging:
+   https://wiki.debian.org/LTS/Development#Triage_new_security_issues
+
+ * Making sure that queries on debian-...@lists.debian.org get an answer.
+
+Who is in charge ?
+--
+"""
+
+LINE = """From {0.day:02d}-{0.month:02d} to {1.day:02d}-{1.month:02d}:"""
+
+
+def main(year):
+print(HEADER.strip())
+print()
+
+for x, y in generate_weeks(int(year)):
+print(LINE.format(x, y))
+
+
+def generate_weeks(year):
+dt = datetime.date(year, 1, 1)
+
+while dt.year == year:
+if dt.weekday() == 0:
+yield (dt, dt + datetime.timedelta(days=6))
+dt += datetime.timedelta(days=1)
+
+
+if __name__ == '__main__':
+sys.exit(main(*sys.argv[1:]))
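
Review bot: the last line, "sys.exit(main(*sys.argv[1:]))", unpacks the raw argument list into main(year), so running the script with no argument or with more than one ends in a TypeError traceback rather than a usage message, and a non-numeric year only fails later at int(year) after the header has already been printed. Check the argument count and convert the year before printing anything (or use argparse). Separately, generate_weeks() only yields when dt.weekday() == 0 and always adds six days, so for a year that does not start on a Monday the leading days are missing from that year's output and the final week runs into the next January; a comment saying that this is intended and that the previous year's file covers those days would help.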


Property changes on: org/lts-frontdesk.py
___
Added: svn:executable
   + *




[Secure-testing-commits] r57519 - data

2017-11-09 Thread Brian May
Author: bam
Date: 2017-11-10 06:42:22 + (Fri, 10 Nov 2017)
New Revision: 57519

Modified:
   data/dla-needed.txt
Log:
Take tiff

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-10 05:27:39 UTC (rev 57518)
+++ data/dla-needed.txt 2017-11-10 06:42:22 UTC (rev 57519)
@@ -102,11 +102,11 @@
 suricata
   NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. 
--lamby
 --
-tiff
+tiff (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
 --
-tiff3
+tiff3 (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
 --




[Secure-testing-commits] r57518 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-10 05:27:39 + (Fri, 10 Nov 2017)
New Revision: 57518

Modified:
   data/CVE/list
Log:
Two asterisk issues fixed

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 21:46:07 UTC (rev 57517)
+++ data/CVE/list   2017-11-10 05:27:39 UTC (rev 57518)
@@ -167,12 +167,12 @@
 CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate 
incoming ...)
NOT-FOR-US: Datto Backup Agent
 CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 
13.18.1, 14 ...)
-   - asterisk  (bug #881256)
+   - asterisk 1:13.18.1~dfsg-1 (bug #881256)
NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345
 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 
13 ...)
-   - asterisk  (bug #881257)
+   - asterisk 1:13.18.1~dfsg-1 (bug #881257)
NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337




[Secure-testing-commits] r57517 - data/CVE

2017-11-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-09 21:46:07 + (Thu, 09 Nov 2017)
New Revision: 57517

Modified:
   data/CVE/list
Log:
ffmpeg fixed (version from experimental uploaded to sid)


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 21:21:34 UTC (rev 57516)
+++ data/CVE/list   2017-11-09 21:46:07 UTC (rev 57517)
@@ -2853,7 +2853,7 @@
 CVE-2017-15673
RESERVED
 CVE-2017-15672 (The read_header function in libavcodec/ffv1dec.c in FFmpeg 
3.3.4 and ...)
-   - ffmpeg 
+   - ffmpeg 7:3.4-1
[stretch] - ffmpeg  (Wait until next round of security 
releases)
- libav 
NOTE: Fixed by: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904
@@ -4124,7 +4124,7 @@
NOTE: 
https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd
NOTE: 
https://github.com/Cacti/cacti/commit/4f87256e63859117f81d2a2bd40c9c730e39b65d
 CVE-2017-15186 (Double free vulnerability in FFmpeg 3.3.4 and earlier allows 
remote ...)
-   - ffmpeg 
+   - ffmpeg 7:3.4-1
[stretch] - ffmpeg  (Wait until next round of security 
releases)
- libav 
NOTE: http://www.openwall.com/lists/oss-security/2017/10/20/4




[Secure-testing-commits] r57516 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 21:21:34 + (Thu, 09 Nov 2017)
New Revision: 57516

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2017-8806/postgresql-common in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 21:18:13 UTC (rev 57515)
+++ data/CVE/list   2017-11-09 21:21:34 UTC (rev 57516)
@@ -22914,7 +22914,7 @@
 CVE-2017-8806
RESERVED
{DSA-4029-1}
-   - postgresql-common 
+   - postgresql-common 188
 CVE-2017-8805 (Debian ftpsync before 20171017 does not use the rsync 
--safe-links ...)
- archvsync 20171017
NOTE: http://www.openwall.com/lists/oss-security/2017/10/17/2




[Secure-testing-commits] r57515 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 21:18:13 + (Thu, 09 Nov 2017)
New Revision: 57515

Modified:
   data/CVE/list
Log:
Process some NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 21:11:15 UTC (rev 57514)
+++ data/CVE/list   2017-11-09 21:18:13 UTC (rev 57515)
@@ -3,7 +3,7 @@
 CVE-2017-16755
RESERVED
 CVE-2017-16754 (Bolt before 3.3.6 does not properly restrict access to 
_profiler ...)
-   TODO: check
+   NOT-FOR-US: Bolt CMS
 CVE-2017-16753
RESERVED
 CVE-2017-16752
@@ -283,9 +283,9 @@
 CVE-2017-16635 (In TinyWebGallery v2.4, an XSS vulnerability is located in the 
...)
NOT-FOR-US: TinyWebGallery
 CVE-2017-16634 (In Joomla! before 3.8.2, a bug allowed third parties to bypass 
a ...)
-   TODO: check
+   NOT-FOR-US: Joomla!
 CVE-2017-16633 (In Joomla! before 3.8.2, a logic bug in com_fields exposed 
read-only ...)
-   TODO: check
+   NOT-FOR-US: Joomla!
 CVE-2017-16632
RESERVED
 CVE-2017-16631
@@ -415,9 +415,9 @@
 CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 
via an ...)
NOT-FOR-US: Zurmo
 CVE-2017-16568 (Cross-site scripting (XSS) vulnerability in Logitech Media 
Server ...)
-   TODO: check
+   NOT-FOR-US: Logitech Media Server
 CVE-2017-16567 (Cross-site scripting (XSS) vulnerability in Logitech Media 
Server ...)
-   TODO: check
+   NOT-FOR-US: Logitech Media Server
 CVE-2017-16566
RESERVED
 CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage 
...)
@@ -2943,7 +2943,7 @@
 CVE-2017-15639 (tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers 
to ...)
NOT-FOR-US: Mura CMS
 CVE-2017-15638 (The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux 
...)
-   TODO: check
+   NOT-FOR-US: SuSEfirewall2 in SUSE
 CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing 
...)
- wordpress  (bug #880868)
NOTE: https://core.trac.wordpress.org/ticket/21022
@@ -10224,7 +10224,7 @@
 CVE-2017-12970 (Cross-site request forgery (CSRF) vulnerability in 
Apache2Triad 1.5.4 ...)
NOT-FOR-US: Apache2Triad
 CVE-2017-12969 (Buffer overflow in the ViewerCtrlLib.ViewerCtrl ActiveX 
control in ...)
-   TODO: check
+   NOT-FOR-US: Avaya IP Office Contact Center
 CVE-2017-12968
RESERVED
 CVE-2017-12967 (The getsym function in tekhex.c in the Binary File Descriptor 
(BFD) ...)
@@ -14983,7 +14983,7 @@
NOTE: Fixed by: 
https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598
 CVE-2017-11461 (NetApp OnCommand Unified Manager for 7-mode (core package) 
versions ...)
-   TODO: check
+   NOT-FOR-US: NetApp
 CVE-2017-11460 (Cross-site scripting (XSS) vulnerability in the 
DataArchivingService ...)
NOT-FOR-US: SAP
 CVE-2017-11459 (SAP TREX 7.10 allows remote attackers to (1) read arbitrary 
files via ...)
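
Review bot: the NOT-FOR-US reason added for CVE-2017-11461 gives only the vendor ("NetApp"), while the description names the product (NetApp OnCommand Unified Manager for 7-mode) and other entries in this same commit name the product ("Avaya IP Office Contact Center", "Logitech Media Server"). Use the product name here, and likewise on the CVE-2017-5201 entry further down, so the reasons stay searchable and consistent.
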
@@ -15474,7 +15474,7 @@
NOTE: https://github.com/ImageMagick/ImageMagick/issues/517
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/8ca35831e91c3db8c6d281d09b605001003bec08
 CVE-2017-11309 (Buffer overflow in the SoftConsole client in Avaya IP Office 
before ...)
-   TODO: check
+   NOT-FOR-US: Avaya IP Office
 CVE-2017-11308
RESERVED
 CVE-2017-11307
@@ -19799,7 +19799,7 @@
 CVE-2017-9759 (SQL Injection exists in admin/index.php in Zenbership 1.0.8 via 
the ...)
NOT-FOR-US: Zenbership
 CVE-2017-9758 (Savitech driver packages for Windows silently install a 
self-signed ...)
-   TODO: check
+   NOT-FOR-US: Savitech driver packages for Windows
 CVE-2017-9757 (IPFire 2.19 has a Remote Command Injection vulnerability in 
ids.cgi via ...)
NOT-FOR-US: IPFire
 CVE-2017-1000375 (NetBSD maps the run-time link-editor ld.so directly below 
the stack ...)
@@ -34662,7 +34662,7 @@
{DSA-3775-1 DLA-809-1}
- tcpdump 4.9.0-1
 CVE-2017-5201 (NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 
allow ...)
-   TODO: check
+   NOT-FOR-US: NetApp
 CVE-2017-5200 (Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 
2016.3.5, ...)
- salt 2016.11.2+ds-1
[jessie] - salt  (Vulnerable code not present)




[Secure-testing-commits] r57513 - data/CVE

2017-11-09 Thread security tracker role
Author: sectracker
Date: 2017-11-09 21:10:15 + (Thu, 09 Nov 2017)
New Revision: 57513

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 20:53:15 UTC (rev 57512)
+++ data/CVE/list   2017-11-09 21:10:15 UTC (rev 57513)
@@ -1,3 +1,161 @@
+CVE-2017-16756
+   RESERVED
+CVE-2017-16755
+   RESERVED
+CVE-2017-16754 (Bolt before 3.3.6 does not properly restrict access to 
_profiler ...)
+   TODO: check
+CVE-2017-16753
+   RESERVED
+CVE-2017-16752
+   RESERVED
+CVE-2017-16751
+   RESERVED
+CVE-2017-16750
+   RESERVED
+CVE-2017-16749
+   RESERVED
+CVE-2017-16748
+   RESERVED
+CVE-2017-16747
+   RESERVED
+CVE-2017-16746
+   RESERVED
+CVE-2017-16745
+   RESERVED
+CVE-2017-16744
+   RESERVED
+CVE-2017-16743
+   RESERVED
+CVE-2017-16742
+   RESERVED
+CVE-2017-16741
+   RESERVED
+CVE-2017-16740
+   RESERVED
+CVE-2017-16739
+   RESERVED
+CVE-2017-16738
+   RESERVED
+CVE-2017-16737
+   RESERVED
+CVE-2017-16736
+   RESERVED
+CVE-2017-16735
+   RESERVED
+CVE-2017-16734
+   RESERVED
+CVE-2017-16733
+   RESERVED
+CVE-2017-16732
+   RESERVED
+CVE-2017-16731
+   RESERVED
+CVE-2017-16730
+   RESERVED
+CVE-2017-16729
+   RESERVED
+CVE-2017-16728
+   RESERVED
+CVE-2017-16727
+   RESERVED
+CVE-2017-16726
+   RESERVED
+CVE-2017-16725
+   RESERVED
+CVE-2017-16724
+   RESERVED
+CVE-2017-16723
+   RESERVED
+CVE-2017-16722
+   RESERVED
+CVE-2017-16721
+   RESERVED
+CVE-2017-16720
+   RESERVED
+CVE-2017-16719
+   RESERVED
+CVE-2017-16718
+   RESERVED
+CVE-2017-16717
+   RESERVED
+CVE-2017-16716
+   RESERVED
+CVE-2017-16715
+   RESERVED
+CVE-2017-16714
+   RESERVED
+CVE-2017-16713
+   RESERVED
+CVE-2017-16712
+   RESERVED
+CVE-2017-16711 (The swf_DefineLosslessBitsTagToImage function in 
lib/modules/swfbits.c ...)
+   TODO: check
+CVE-2017-16710
+   RESERVED
+CVE-2017-16709
+   RESERVED
+CVE-2017-16708
+   RESERVED
+CVE-2017-16707
+   RESERVED
+CVE-2017-16706
+   RESERVED
+CVE-2017-16705
+   RESERVED
+CVE-2017-16704
+   RESERVED
+CVE-2017-16703
+   RESERVED
+CVE-2017-16702
+   RESERVED
+CVE-2017-16701
+   RESERVED
+CVE-2017-16700
+   RESERVED
+CVE-2017-16699
+   RESERVED
+CVE-2017-16698
+   RESERVED
+CVE-2017-16697
+   RESERVED
+CVE-2017-16696
+   RESERVED
+CVE-2017-16695
+   RESERVED
+CVE-2017-16694
+   RESERVED
+CVE-2017-16693
+   RESERVED
+CVE-2017-16692
+   RESERVED
+CVE-2017-16691
+   RESERVED
+CVE-2017-16690
+   RESERVED
+CVE-2017-16689
+   RESERVED
+CVE-2017-16688
+   RESERVED
+CVE-2017-16687
+   RESERVED
+CVE-2017-16686
+   RESERVED
+CVE-2017-16685
+   RESERVED
+CVE-2017-16684
+   RESERVED
+CVE-2017-16683
+   RESERVED
+CVE-2017-16682
+   RESERVED
+CVE-2017-16681
+   RESERVED
+CVE-2017-16680
+   RESERVED
+CVE-2017-16679
+   RESERVED
+CVE-2017-16678
+   RESERVED
 CVE-2017-16677
RESERVED
 CVE-2017-16676
@@ -65,8 +223,8 @@
RESERVED
 CVE-2017-16652
RESERVED
-CVE-2017-16651 [file disclosure vulnerabliity]
-   RESERVED
+CVE-2017-16651 (Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x 
before ...)
+   {DSA-4030-1}
- roundcube 1.3.3+dfsg.1-1
NOTE: master: 
https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d
NOTE: release-1.3: 
https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806
@@ -124,10 +282,10 @@
NOT-FOR-US: Bludit
 CVE-2017-16635 (In TinyWebGallery v2.4, an XSS vulnerability is located in the 
...)
NOT-FOR-US: TinyWebGallery
-CVE-2017-16634
-   RESERVED
-CVE-2017-16633
-   RESERVED
+CVE-2017-16634 (In Joomla! before 3.8.2, a bug allowed third parties to bypass 
a ...)
+   TODO: check
+CVE-2017-16633 (In Joomla! before 3.8.2, a logic bug in com_fields exposed 
read-only ...)
+   TODO: check
 CVE-2017-16632
RESERVED
 CVE-2017-16631
@@ -256,10 +414,10 @@
NOT-FOR-US: KeystoneJS
 CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 
via an ...)
NOT-FOR-US: Zurmo
-CVE-2017-16568
-   RESERVED
-CVE-2017-16567
-   RESERVED
+CVE-2017-16568 (Cross-site scripting (XSS) vulnerability in Logitech Media 
Server ...)
+   TODO: check
+CVE-2017-16567 (Cross-site scripting (XSS) vulnerability in Logitech Media 
Server ...)
+   TODO: check
 CVE-2017-16566
RESERVED
 CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage 
...)
@@ -268,8 +426,8 @@
NOT-FOR-US: Vonage
 CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen 
on ...)
NOT-FOR-US: Vonage
-CVE-2017-16562
-   RESERVED
+CVE-2017-16562 (The 

[Secure-testing-commits] r57514 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 21:11:15 + (Thu, 09 Nov 2017)
New Revision: 57514

Modified:
   data/CVE/list
Log:
Update CVE-2017-14687: mark as no-dsa

Reasoning: The issue was not directly triggerable with the provided poc.
Non-tags in tag name comparisons were handled by using fz_xml_is_tag
instead of the fz_xml_tag && !strcmp idioms, which are found in several
places in related code.

It's not entirely clear if the vulnerable code is not present e.g. back
in 1.5-1+deb8u2 since the reporter did not provide pocs publicly and the
description from https://bugs.ghostscript.com/show_bug.cgi?id=698558 is
unhelpful.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 21:10:15 UTC (rev 57513)
+++ data/CVE/list   2017-11-09 21:11:15 UTC (rev 57514)
@@ -5625,9 +5625,10 @@
 CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of 
service or ...)
{DSA-4006-1 DLA-1164-1}
- mupdf 1.11+ds1-1.1 (bug #877379)
-   [jessie] - mupdf  (poc not effective)
+   [jessie] - mupdf  (Minor issue)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558
NOTE: Fixed by: 
http://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
+   NOTE: Several fz_xml_tag && !strcmp idoms are used in older versions
 CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code 
or cause ...)
{DSA-4006-1}
- mupdf 1.11+ds1-1.1 (bug #877379)
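
Review bot: the added NOTE line misspells "idioms" as "idoms", and on its own it does not say why the idiom matters. The log explains that the fix replaced fz_xml_tag && !strcmp with fz_xml_is_tag, so the NOTE should carry that too, for example "NOTE: Older versions use fz_xml_tag && !strcmp instead of fz_xml_is_tag in several places", so that someone reading only data/CVE/list can follow the reasoning behind the "Minor issue" status.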




[Secure-testing-commits] r57512 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 20:53:15 + (Thu, 09 Nov 2017)
New Revision: 57512

Modified:
   data/CVE/list
Log:
Add references for CVE-2017-16539/docker.io

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 19:18:48 UTC (rev 57511)
+++ data/CVE/list   2017-11-09 20:53:15 UTC (rev 57512)
@@ -330,7 +330,9 @@
 CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote 
database ...)
NOT-FOR-US: OpenEMR
 CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker 
Moby through ...)
-   - docker.io 
+   - docker.io 
+   NOTE: https://github.com/moby/moby/pull/35399
+   NOTE: 
https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
 CVE-2017-16538 (drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel 
through ...)
- linux 
[wheezy] - linux  (Vulnerable code not present)




[Secure-testing-commits] r57511 - in data: . DSA

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 19:18:48 + (Thu, 09 Nov 2017)
New Revision: 57511

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA number for roundcube update

Modified: data/DSA/list
===
--- data/DSA/list   2017-11-09 19:12:08 UTC (rev 57510)
+++ data/DSA/list   2017-11-09 19:18:48 UTC (rev 57511)
@@ -1,3 +1,6 @@
+[09 Nov 2017] DSA-4030-1 roundcube - security update
+   {CVE-2017-16651}
+   [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u1
 [09 Nov 2017] DSA-4029-1 postgresql-common - security update
{CVE-2017-8806}
[jessie] - postgresql-common 165+deb8u3

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-09 19:12:08 UTC (rev 57510)
+++ data/dsa-needed.txt 2017-11-09 19:18:48 UTC (rev 57511)
@@ -51,8 +51,6 @@
   Maintainer (terceiro) proposed update, needs review and ack
   Upload reviewed and acked to be uploaded (including additional change)
 --
-roundcube/stable (carnil)
---
 salt
 --
 simplesamlphp




[Secure-testing-commits] r57510 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 19:12:08 + (Thu, 09 Nov 2017)
New Revision: 57510

Modified:
   data/CVE/list
Log:
Add fixed version for unimportant issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 19:07:56 UTC (rev 57509)
+++ data/CVE/list   2017-11-09 19:12:08 UTC (rev 57510)
@@ -12797,7 +12797,9 @@
RESERVED
- postgresql-10 10.1-1 (unimportant)
- postgresql-9.6  (unimportant)
+   [stretch] - postgresql-9.6 9.6.6-0+deb9u1
- postgresql-9.4  (unimportant)
+   [jessie] - postgresql-9.4 9.4.15-0+deb8u1
- postgresql-9.1  (unimportant)
[jessie] - postgresql-9.1  (postgresql-9.1 in jessie only 
provides PL/Perl)
NOTE: Issue in sample init-scirpt as provided by postgresql project, 
but not installed




[Secure-testing-commits] r57509 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 19:07:56 + (Thu, 09 Nov 2017)
New Revision: 57509

Modified:
   data/CVE/list
Log:
Correct status for CVE-2017-15099

I seem to have messed up the entry when I added the not-affected status
based on the feature introduction and thus marking 9.4 and 9.1 as
not-affected.

Correct this.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 18:42:25 UTC (rev 57508)
+++ data/CVE/list   2017-11-09 19:07:56 UTC (rev 57509)
@@ -4159,7 +4159,7 @@
 CVE-2017-15099
RESERVED
- postgresql-10 10.1-1
-   - postgresql-9.6  (ON CONFLICT DO UPDATE and RLS 
introduced in 9.5)
+   - postgresql-9.6 
- postgresql-9.4  (ON CONFLICT DO UPDATE and RLS 
introduced in 9.5)
- postgresql-9.1  (ON CONFLICT DO UPDATE and RLS 
introduced in 9.5)
 CVE-2017-15098




[Secure-testing-commits] r57508 - data/DSA

2017-11-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-09 18:42:25 + (Thu, 09 Nov 2017)
New Revision: 57508

Modified:
   data/DSA/list
Log:
reserve IDs for postgres DSA


Modified: data/DSA/list
===
--- data/DSA/list   2017-11-09 18:35:25 UTC (rev 57507)
+++ data/DSA/list   2017-11-09 18:42:25 UTC (rev 57508)
@@ -1,3 +1,13 @@
+[09 Nov 2017] DSA-4029-1 postgresql-common - security update
+   {CVE-2017-8806}
+   [jessie] - postgresql-common 165+deb8u3
+   [stretch] - postgresql-common 181+deb9u1
+[09 Nov 2017] DSA-4028-1 postgresql-9.6 - security update
+   {CVE-2017-15098 CVE-2017-15099}
+   [stretch] - postgresql-9.6 9.6.6-0+deb9u1
+[09 Nov 2017] DSA-4027-1 postgresql-9.4 - security update
+   {CVE-2017-15098}
+   [jessie] - postgresql-9.4 9.4.15-0+deb8u1
 [09 Nov 2017] DSA-4026-1 bchunk - security update
{CVE-2017-15953 CVE-2017-15954 CVE-2017-15955}
[jessie] - bchunk 1.2.0-12+deb8u1




[Secure-testing-commits] r57507 - data/CVE

2017-11-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-09 18:35:25 + (Thu, 09 Nov 2017)
New Revision: 57507

Modified:
   data/CVE/list
Log:
further imagemagick triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 17:36:25 UTC (rev 57506)
+++ data/CVE/list   2017-11-09 18:35:25 UTC (rev 57507)
@@ -3676,6 +3676,8 @@
 CVE-2017-15281 (ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows 
remote ...)
{DLA-1139-1}
- imagemagick  (low; bug #878579)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/832
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/e9d1c2adae866861a291535997b2263f26becb1e
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/32cbfc57962321b2ead627129c9d9ffbfcdb
@@ -4476,7 +4478,9 @@
NOTE: severity:unimportant for stretch onwards, but we don't have 
suite-specific severity annotations
 CVE-2017-15017 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference 
vulnerability in ...)
{DLA-1131-1}
-   - imagemagick  (bug #878554)
+   - imagemagick  (low; bug #878554)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/723
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/5a1006a249516a875558c3d642e719b1eac8f820
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/0cff8bac0a47f8693cfe57f026fcd752689ff375
@@ -4488,7 +4492,9 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/27f8ba82ddd665ab41cef6588128f680cbd69905
NOTE: emf.c not compiled under Debian
 CVE-2017-15015 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference 
vulnerability in ...)
-   - imagemagick  (bug #878555)
+   - imagemagick  (low; bug #878555)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Vulnerable code not present)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/724
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/0cbb3b3b02e7af493a9aafa8f7e7d23fc70644e4
@@ -5280,7 +5286,9 @@
RESERVED
 CVE-2017-14741 (The ReadCAPTIONImage function in coders/caption.c in 
ImageMagick ...)
{DLA-1131-1}
-   - imagemagick  (bug #878548)
+   - imagemagick  (low; bug #878548)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/771
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/7d8e14899c562157c7760a77fc91625a27cb596f
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d
@@ -5288,7 +5296,9 @@
RESERVED
 CVE-2017-14739 (The AcquireResampleFilterThreadSet function in ...)
{DLA-1131-1}
-   - imagemagick  (bug #878547)
+   - imagemagick  (low; bug #878547)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/780
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/6017a80fe8327fefb77fa677d81154db2b857d1d
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/700fcf95b2c3f554dfbe75833b91f19dde208089
@@ -5640,19 +5650,25 @@
 CVE-2017-14627 (Stack-based buffer overflows in CyberLink LabelPrint 2.5 allow 
remote ...)
NOT-FOR-US: CyberLink LabelPrint
 CVE-2017-14626 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference 
vulnerability in ...)
-   - imagemagick  (bug #878524)
+   - imagemagick  (low; bug #878524)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Vulnerable code not present)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/720
NOTE: https://github.com/ImageMagick/ImageMagick/issues/721
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/90b301db18434b2c2228776d06c2898b5fed74f0
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9
 CVE-2017-14625 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference 
vulnerability in ...)
-   - imagemagick  (bug #877355)
+   - imagemagick  (low; bug #877355)
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Vulnerable code not present)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/721
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9
 CVE-2017-14624 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference 

[Secure-testing-commits] r57506 - in data: . DSA

2017-11-09 Thread Sebastien Delafond
Author: seb
Date: 2017-11-09 17:36:25 + (Thu, 09 Nov 2017)
New Revision: 57506

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA-4026-1 for bchunk (CVE-2017-15953, CVE-2017-15954, CVE-2017-15955)

Modified: data/DSA/list
===
--- data/DSA/list   2017-11-09 16:41:21 UTC (rev 57505)
+++ data/DSA/list   2017-11-09 17:36:25 UTC (rev 57506)
@@ -1,3 +1,7 @@
+[09 Nov 2017] DSA-4026-1 bchunk - security update
+   {CVE-2017-15953 CVE-2017-15954 CVE-2017-15955}
+   [jessie] - bchunk 1.2.0-12+deb8u1
+   [stretch] - bchunk 1.2.0-12+deb9u1
 [08 Nov 2017] DSA-4025-1 libpam4j - security update
{CVE-2017-12197}
[jessie] - libpam4j 1.4-2+deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-09 16:41:21 UTC (rev 57505)
+++ data/dsa-needed.txt 2017-11-09 17:36:25 UTC (rev 57506)
@@ -14,10 +14,6 @@
 --
 389-ds-base (fw)
 --
-bchunk (seb)
- Markus Koschany proposed update, needs review and ack
- 2017-11-09: ack upload
---
 graphicsmagick
 --
 jackson-databind (seb)




[Secure-testing-commits] r57505 - data/CVE

2017-11-09 Thread Luciano Bello
Author: luciano
Date: 2017-11-09 16:41:21 + (Thu, 09 Nov 2017)
New Revision: 57505

Modified:
   data/CVE/list
Log:
mupdf issues: pocs not effective in jessie

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 16:16:04 UTC (rev 57504)
+++ data/CVE/list   2017-11-09 16:41:21 UTC (rev 57505)
@@ -5453,19 +5453,20 @@
 CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of 
service or ...)
{DSA-4006-1 DLA-1164-1}
- mupdf 1.11+ds1-1.1 (bug #877379)
+   [jessie] - mupdf  (poc not effective)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558
NOTE: Fixed by: 
http://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
 CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code 
or cause ...)
{DSA-4006-1}
- mupdf 1.11+ds1-1.1 (bug #877379)
-   [jessie] - mupdf  (vulnerable code not present)
+   [jessie] - mupdf  (vulnerable code not present, poc not 
effective)
[wheezy] - mupdf  (vulnerable code not present)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698540
NOTE: Fixed by: 
http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
 CVE-2017-14685 (Artifex MuPDF 1.11 allows attackers to cause a denial of 
service or ...)
{DSA-4006-1}
- mupdf 1.11+ds1-1.1 (bug #877379)
-   [jessie] - mupdf  (vulnerable code not present)
+   [jessie] - mupdf  (vulnerable code not present, poc not 
effective)
[wheezy] - mupdf  (vulnerable code not present)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698539
NOTE: Fixed by: 
http://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
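
Review bot: For CVE-2017-14687 the new [jessie] line rests only on "poc not effective", yet the entry already carries DLA-1164-1, so the LTS release was treated as affected and fixed. A proof of concept that fails to trigger does not show the flawed code is absent. Suggest recording whether the code touched by the "Fixed by" commit 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 exists in the jessie source. For CVE-2017-14686 and CVE-2017-14685, "vulnerable code not present" is already the stronger reason and appending "poc not effective" adds nothing to it.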




[Secure-testing-commits] r57504 - data

2017-11-09 Thread Markus Koschany
Author: apo
Date: 2017-11-09 16:16:04 + (Thu, 09 Nov 2017)
New Revision: 57504

Modified:
   data/dla-needed.txt
Log:
Claim poppler in dla-needed.txt


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-09 15:30:34 UTC (rev 57503)
+++ data/dla-needed.txt 2017-11-09 16:16:04 UTC (rev 57504)
@@ -71,7 +71,7 @@
 --
 openjdk-7 (Emilio Pozuelo)
 --
-poppler
+poppler (Markus Koschany)
   NOTE: not fixed in sid yet so did not ping maintainer
   NOTE: drawForm is doForm1 in wheezy
   NOTE: exploit does not loop but code looks affected




[Secure-testing-commits] r57503 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 15:30:34 + (Thu, 09 Nov 2017)
New Revision: 57503

Modified:
   data/CVE/list
Log:
Update CVE-2017-15099 information

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 15:21:04 UTC (rev 57502)
+++ data/CVE/list   2017-11-09 15:30:34 UTC (rev 57503)
@@ -4157,9 +4157,9 @@
 CVE-2017-15099
RESERVED
- postgresql-10 10.1-1
-   - postgresql-9.6 
-   - postgresql-9.4 
-   - postgresql-9.1 
+   - postgresql-9.6  (ON CONFLICT DO UPDATE and RLS 
introduced in 9.5)
+   - postgresql-9.4  (ON CONFLICT DO UPDATE and RLS 
introduced in 9.5)
+   - postgresql-9.1  (ON CONFLICT DO UPDATE and RLS 
introduced in 9.5)
 CVE-2017-15098
RESERVED
- postgresql-10 10.1-1
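
Review bot: The reason "(ON CONFLICT DO UPDATE and RLS introduced in 9.5)" is attached to postgresql-9.6 as well as to 9.4 and 9.1. It explains why branches older than 9.5 lack the affected feature, but 9.6 is newer than 9.5 and therefore includes it, so as shown the 9.6 line reads as carrying the same status as the two older branches. Suggest giving postgresql-9.6 its own status and dropping the parenthetical there.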




[Secure-testing-commits] r57502 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 15:21:04 + (Thu, 09 Nov 2017)
New Revision: 57502

Modified:
   data/CVE/list
Log:
Add fixing version for postgresql-10

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 15:19:33 UTC (rev 57501)
+++ data/CVE/list   2017-11-09 15:21:04 UTC (rev 57502)
@@ -4156,13 +4156,13 @@
- foreman  (bug #663101)
 CVE-2017-15099
RESERVED
-   - postgresql-10 
+   - postgresql-10 10.1-1
- postgresql-9.6 
- postgresql-9.4 
-   - postgresql-9.1 
+   - postgresql-9.1 
 CVE-2017-15098
RESERVED
-   - postgresql-10 
+   - postgresql-10 10.1-1
- postgresql-9.6 
- postgresql-9.4 
- postgresql-9.1 
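
Review bot: Under CVE-2017-15099 the postgresql-9.1 line is removed and re-added with no visible difference, while the log only mentions postgresql-10. If this is a whitespace or status change it should be named in the log or split into its own commit. The postgresql-9.1 line under CVE-2017-15098 is left untouched, so the two entries may now differ.
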
@@ -12774,7 +12774,7 @@
NOTE: Introduced by 
https://pagure.io/SSSD/sssd/c/7ecb5aea65cb1899f16e7a41bffa93d074defd4a 
(sssd-1_12_0)
 CVE-2017-12172
RESERVED
-   - postgresql-10  (unimportant)
+   - postgresql-10 10.1-1 (unimportant)
- postgresql-9.6  (unimportant)
- postgresql-9.4  (unimportant)
- postgresql-9.1  (unimportant)




[Secure-testing-commits] r57501 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 15:19:33 + (Thu, 09 Nov 2017)
New Revision: 57501

Modified:
   data/CVE/list
Log:
Add postgresql-9.1

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 15:19:20 UTC (rev 57500)
+++ data/CVE/list   2017-11-09 15:19:33 UTC (rev 57501)
@@ -4159,11 +4159,14 @@
- postgresql-10 
- postgresql-9.6 
- postgresql-9.4 
+   - postgresql-9.1 
 CVE-2017-15098
RESERVED
- postgresql-10 
- postgresql-9.6 
- postgresql-9.4 
+   - postgresql-9.1 
+   [jessie] - postgresql-9.1  (postgresql-9.1 in jessie only 
provides PL/Perl)
 CVE-2017-15097
RESERVED
 CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A 
null ...)
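
Review bot: The [jessie] annotation "postgresql-9.1 in jessie only provides PL/Perl" is added under CVE-2017-15098 but not after the postgresql-9.1 line added to the entry at the top of this hunk. If the jessie package ships only PL/Perl, the same reasoning would apply to both entries. Suggest adding the [jessie] line there as well, or a NOTE saying why that entry differs.
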
@@ -12774,6 +12777,8 @@
- postgresql-10  (unimportant)
- postgresql-9.6  (unimportant)
- postgresql-9.4  (unimportant)
+   - postgresql-9.1  (unimportant)
+   [jessie] - postgresql-9.1  (postgresql-9.1 in jessie only 
provides PL/Perl)
NOTE: Issue in sample init-scirpt as provided by postgresql project, 
but not installed
 CVE-2017-12171 [httpd: # character matches all IPs]
RESERVED




[Secure-testing-commits] r57500 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 15:19:20 + (Thu, 09 Nov 2017)
New Revision: 57500

Modified:
   data/CVE/list
Log:
Add postgresql-9.4

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 15:17:24 UTC (rev 57499)
+++ data/CVE/list   2017-11-09 15:19:20 UTC (rev 57500)
@@ -4158,10 +4158,12 @@
RESERVED
- postgresql-10 
- postgresql-9.6 
+   - postgresql-9.4 
 CVE-2017-15098
RESERVED
- postgresql-10 
- postgresql-9.6 
+   - postgresql-9.4 
 CVE-2017-15097
RESERVED
 CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A 
null ...)
@@ -12771,6 +12773,7 @@
RESERVED
- postgresql-10  (unimportant)
- postgresql-9.6  (unimportant)
+   - postgresql-9.4  (unimportant)
NOTE: Issue in sample init-scirpt as provided by postgresql project, 
but not installed
 CVE-2017-12171 [httpd: # character matches all IPs]
RESERVED




[Secure-testing-commits] r57499 - data

2017-11-09 Thread Markus Koschany
Author: apo
Date: 2017-11-09 15:17:24 + (Thu, 09 Nov 2017)
New Revision: 57499

Modified:
   data/dla-needed.txt
Log:
Remove openssl from dla-needed.txt

Uploaded.


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-09 15:12:53 UTC (rev 57498)
+++ data/dla-needed.txt 2017-11-09 15:17:24 UTC (rev 57499)
@@ -71,10 +71,6 @@
 --
 openjdk-7 (Emilio Pozuelo)
 --
-openssl
-  NOTE: I assume Kurt Roeckx will take care of it again.
-  NOTE: 1.0.1t-1+deb7u3 by Kurt Roeckx, DLA number already reserved, but 
upload missing
---
 poppler
   NOTE: not fixed in sid yet so did not ping maintainer
   NOTE: drawForm is doForm1 in wheezy




[Secure-testing-commits] r57497 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 15:12:41 + (Thu, 09 Nov 2017)
New Revision: 57497

Modified:
   data/CVE/list
Log:
Add postgresql-common issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 15:12:27 UTC (rev 57496)
+++ data/CVE/list   2017-11-09 15:12:41 UTC (rev 57497)
@@ -22712,6 +22712,7 @@
RESERVED
 CVE-2017-8806
RESERVED
+   - postgresql-common 
 CVE-2017-8805 (Debian ftpsync before 20171017 does not use the rsync 
--safe-links ...)
- archvsync 20171017
NOTE: http://www.openwall.com/lists/oss-security/2017/10/17/2
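
Review bot: CVE-2017-8806 is still RESERVED and the added postgresql-common line comes with no NOTE or bug reference, so nothing in the entry says what the issue is or where the fix lives. Suggest adding a NOTE with the upstream or Debian reference alongside the package line.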




[Secure-testing-commits] r57498 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 15:12:53 + (Thu, 09 Nov 2017)
New Revision: 57498

Modified:
   data/CVE/list
Log:
Add postgresql-9.6

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 15:12:41 UTC (rev 57497)
+++ data/CVE/list   2017-11-09 15:12:53 UTC (rev 57498)
@@ -4157,9 +4157,11 @@
 CVE-2017-15099
RESERVED
- postgresql-10 
+   - postgresql-9.6 
 CVE-2017-15098
RESERVED
- postgresql-10 
+   - postgresql-9.6 
 CVE-2017-15097
RESERVED
 CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A 
null ...)
@@ -12768,6 +12770,7 @@
 CVE-2017-12172
RESERVED
- postgresql-10  (unimportant)
+   - postgresql-9.6  (unimportant)
NOTE: Issue in sample init-scirpt as provided by postgresql project, 
but not installed
 CVE-2017-12171 [httpd: # character matches all IPs]
RESERVED




[Secure-testing-commits] r57496 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 15:12:27 + (Thu, 09 Nov 2017)
New Revision: 57496

Modified:
   data/CVE/list
Log:
Add postgresql-10 issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 14:10:34 UTC (rev 57495)
+++ data/CVE/list   2017-11-09 15:12:27 UTC (rev 57496)
@@ -4156,8 +4156,10 @@
- foreman  (bug #663101)
 CVE-2017-15099
RESERVED
+   - postgresql-10 
 CVE-2017-15098
RESERVED
+   - postgresql-10 
 CVE-2017-15097
RESERVED
 CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A 
null ...)
@@ -12765,6 +12767,8 @@
NOTE: Introduced by 
https://pagure.io/SSSD/sssd/c/7ecb5aea65cb1899f16e7a41bffa93d074defd4a 
(sssd-1_12_0)
 CVE-2017-12172
RESERVED
+   - postgresql-10  (unimportant)
+   NOTE: Issue in sample init-scirpt as provided by postgresql project, 
but not installed
 CVE-2017-12171 [httpd: # character matches all IPs]
RESERVED
- apache2  (Introduced by Red Hat RHEL 6.9 specific 
non-security patch)
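
Review bot: Typo in the added NOTE under CVE-2017-12172: "init-scirpt" should be "init-script". Worth fixing in this commit, because the line is carried forward as context by every later edit to this entry.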




[Secure-testing-commits] r57495 - data

2017-11-09 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-11-09 14:10:34 + (Thu, 09 Nov 2017)
New Revision: 57495

Modified:
   data/dla-needed.txt
Log:
dla: unclaim poppler, no time for it yet

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-09 13:04:29 UTC (rev 57494)
+++ data/dla-needed.txt 2017-11-09 14:10:34 UTC (rev 57495)
@@ -75,7 +75,7 @@
   NOTE: I assume Kurt Roeckx will take care of it again.
   NOTE: 1.0.1t-1+deb7u3 by Kurt Roeckx, DLA number already reserved, but 
upload missing
 --
-poppler (Emilio Pozuelo)
+poppler
   NOTE: not fixed in sid yet so did not ping maintainer
   NOTE: drawForm is doForm1 in wheezy
   NOTE: exploit does not loop but code looks affected




[Secure-testing-commits] r57494 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 13:04:29 + (Thu, 09 Nov 2017)
New Revision: 57494

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-16671, #881257

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 13:03:01 UTC (rev 57493)
+++ data/CVE/list   2017-11-09 13:04:29 UTC (rev 57494)
@@ -14,7 +14,7 @@
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345
 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 
13 ...)
-   - asterisk 
+   - asterisk  (bug #881257)
NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337




[Secure-testing-commits] r57493 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 13:03:01 + (Thu, 09 Nov 2017)
New Revision: 57493

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-16672, #881256

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 12:56:17 UTC (rev 57492)
+++ data/CVE/list   2017-11-09 13:03:01 UTC (rev 57493)
@@ -9,7 +9,7 @@
 CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate 
incoming ...)
NOT-FOR-US: Datto Backup Agent
 CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 
13.18.1, 14 ...)
-   - asterisk 
+   - asterisk  (bug #881256)
NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345




[Secure-testing-commits] r57492 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 12:56:17 + (Thu, 09 Nov 2017)
New Revision: 57492

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-16671

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 12:50:52 UTC (rev 57491)
+++ data/CVE/list   2017-11-09 12:56:17 UTC (rev 57492)
@@ -16,8 +16,8 @@
 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 
13 ...)
- asterisk 
NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html
+   NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337
-   TODO: check
 CVE-2017-16670
RESERVED
 CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers 
to cause ...)




[Secure-testing-commits] r57491 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 12:50:52 + (Thu, 09 Nov 2017)
New Revision: 57491

Modified:
   data/CVE/list
Log:
Update information on CVE-2017-16672/asterisk, remove TODO

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 11:33:46 UTC (rev 57490)
+++ data/CVE/list   2017-11-09 12:50:52 UTC (rev 57491)
@@ -11,8 +11,8 @@
 CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 
13.18.1, 14 ...)
- asterisk 
NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html
+   NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345
-   TODO: check
 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 
13 ...)
- asterisk 
NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html




[Secure-testing-commits] r57490 - data

2017-11-09 Thread Sebastien Delafond
Author: seb
Date: 2017-11-09 11:33:46 + (Thu, 09 Nov 2017)
New Revision: 57490

Modified:
   data/dsa-needed.txt
Log:
Take jackson-databind from dsa-needed (CVE-2017-15095)

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-09 11:29:51 UTC (rev 57489)
+++ data/dsa-needed.txt 2017-11-09 11:33:46 UTC (rev 57490)
@@ -20,7 +20,7 @@
 --
 graphicsmagick
 --
-jackson-databind
+jackson-databind (seb)
   For CVE-2017-15095 (see notes for missing commits)
 --
 libav/oldstable




[Secure-testing-commits] r57489 - data

2017-11-09 Thread Sebastien Delafond
Author: seb
Date: 2017-11-09 11:29:51 + (Thu, 09 Nov 2017)
New Revision: 57489

Modified:
   data/dsa-needed.txt
Log:
Take bchunk (CVE-2017-15953, CVE-2017-15954, CVE-2017-15955) from dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-09 09:17:24 UTC (rev 57488)
+++ data/dsa-needed.txt 2017-11-09 11:29:51 UTC (rev 57489)
@@ -14,8 +14,9 @@
 --
 389-ds-base (fw)
 --
-bchunk
+bchunk (seb)
  Markus Koschany proposed update, needs review and ack
+ 2017-11-09: ack upload
 --
 graphicsmagick
 --




[Secure-testing-commits] r57488 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 09:17:24 + (Thu, 09 Nov 2017)
New Revision: 57488

Modified:
   data/CVE/list
Log:
Two more NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 09:15:41 UTC (rev 57487)
+++ data/CVE/list   2017-11-09 09:17:24 UTC (rev 57488)
@@ -14643,9 +14643,9 @@
 CVE-2017-11513
RESERVED
 CVE-2017-11512 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to 
arbitrary file ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine ServiceDesk
 CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to 
arbitrary file ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine ServiceDesk
 CVE-2017-11510
RESERVED
 CVE-2017-11509




[Secure-testing-commits] r57487 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 09:15:41 + (Thu, 09 Nov 2017)
New Revision: 57487

Modified:
   data/CVE/list
Log:
Add two NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 09:13:59 UTC (rev 57486)
+++ data/CVE/list   2017-11-09 09:15:41 UTC (rev 57487)
@@ -5,9 +5,9 @@
 CVE-2017-16675
RESERVED
 CVE-2017-16674 (Datto Windows Agent allows unauthenticated remote command 
execution via ...)
-   TODO: check
+   NOT-FOR-US: Datto Windows Agent
 CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate 
incoming ...)
-   TODO: check
+   NOT-FOR-US: Datto Backup Agent
 CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 
13.18.1, 14 ...)
- asterisk 
NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html




[Secure-testing-commits] r57486 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 09:13:59 + (Thu, 09 Nov 2017)
New Revision: 57486

Modified:
   data/CVE/list
Log:
Add graphicsmagick issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 09:12:03 UTC (rev 57485)
+++ data/CVE/list   2017-11-09 09:13:59 UTC (rev 57486)
@@ -21,7 +21,16 @@
 CVE-2017-16670
RESERVED
 CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers 
to cause ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/450/
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/135bdcb88b8d
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b9e64a8901e
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2a21cda3145b
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2b7c826d36af
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/3dc7b4e3779d
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/75245a215fff
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0
+   NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/fcd3ed3394f6
 CVE-2017-16668
RESERVED
 CVE-2017-1
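
Review bot: The eight hg.code.sf.net changeset NOTEs added under CVE-2017-16669 are listed in hash order (135bdcb88b8d through fcd3ed3394f6), with nothing saying which one fixes bug 450 and which are follow-ups. Anyone backporting needs the order in which they apply. Suggest listing them chronologically or annotating each NOTE with its role.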




[Secure-testing-commits] r57485 - data/CVE

2017-11-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-09 09:12:03 + (Thu, 09 Nov 2017)
New Revision: 57485

Modified:
   data/CVE/list
Log:
Add two asterisk issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 09:10:13 UTC (rev 57484)
+++ data/CVE/list   2017-11-09 09:12:03 UTC (rev 57485)
@@ -9,8 +9,14 @@
 CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate 
incoming ...)
TODO: check
 CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 
13.18.1, 14 ...)
+   - asterisk 
+   NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html
+   NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345
TODO: check
 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 
13 ...)
+   - asterisk 
+   NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html
+   NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337
TODO: check
 CVE-2017-16670
RESERVED
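
Review bot: Both asterisk entries (CVE-2017-16672 and CVE-2017-16671) gain a package line and references but keep "TODO: check" as context. If triage is complete, remove the TODO in the same commit; if something is still open, state what in a NOTE so the marker is not left ambiguous.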




[Secure-testing-commits] r57484 - data/CVE

2017-11-09 Thread security tracker role
Author: sectracker
Date: 2017-11-09 09:10:13 + (Thu, 09 Nov 2017)
New Revision: 57484

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-09 07:26:10 UTC (rev 57483)
+++ data/CVE/list   2017-11-09 09:10:13 UTC (rev 57484)
@@ -1,3 +1,21 @@
+CVE-2017-16677
+   RESERVED
+CVE-2017-16676
+   RESERVED
+CVE-2017-16675
+   RESERVED
+CVE-2017-16674 (Datto Windows Agent allows unauthenticated remote command 
execution via ...)
+   TODO: check
+CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate 
incoming ...)
+   TODO: check
+CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 
13.18.1, 14 ...)
+   TODO: check
+CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 
13 ...)
+   TODO: check
+CVE-2017-16670
+   RESERVED
+CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers 
to cause ...)
+   TODO: check
 CVE-2017-16668
RESERVED
 CVE-2017-1
@@ -12622,7 +12640,7 @@
RESERVED
 CVE-2017-12197
RESERVED
-   {DLA-1165-1}
+   {DSA-4025-1 DLA-1165-1}
- libpam4j 1.4-3 (bug #879001)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503103
NOTE: https://github.com/kohsuke/libpam4j/issues/18
@@ -14609,10 +14627,10 @@
RESERVED
 CVE-2017-11513
RESERVED
-CVE-2017-11512
-   RESERVED
-CVE-2017-11511
-   RESERVED
+CVE-2017-11512 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to 
arbitrary file ...)
+   TODO: check
+CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to 
arbitrary file ...)
+   TODO: check
 CVE-2017-11510
RESERVED
 CVE-2017-11509

