[Secure-testing-commits] r57522 - org
Author: lamby Date: 2017-11-10 07:52:38 + (Fri, 10 Nov 2017) New Revision: 57522 Modified: org/lts-frontdesk.2018.txt Log: org/lts-frontdesk.2018.txt: Take some dates for 2018. Modified: org/lts-frontdesk.2018.txt === --- org/lts-frontdesk.2018.txt 2017-11-10 07:52:37 UTC (rev 57521) +++ org/lts-frontdesk.2018.txt 2017-11-10 07:52:38 UTC (rev 57522) @@ -11,55 +11,55 @@ Who is in charge ? -- -From 01-01 to 07-01: +From 01-01 to 07-01:Chris LambFrom 08-01 to 14-01: From 15-01 to 21-01: From 22-01 to 28-01: From 29-01 to 04-02: From 05-02 to 11-02: From 12-02 to 18-02: -From 19-02 to 25-02: +From 19-02 to 25-02:Chris Lamb From 26-02 to 04-03: -From 05-03 to 11-03: +From 05-03 to 11-03:Chris Lamb From 12-03 to 18-03: From 19-03 to 25-03: From 26-03 to 01-04: -From 02-04 to 08-04: +From 02-04 to 08-04:Chris Lamb From 09-04 to 15-04: From 16-04 to 22-04: From 23-04 to 29-04: From 30-04 to 06-05: From 07-05 to 13-05: -From 14-05 to 20-05: +From 14-05 to 20-05:Chris Lamb From 21-05 to 27-05: From 28-05 to 03-06: -From 04-06 to 10-06: +From 04-06 to 10-06:Chris Lamb From 11-06 to 17-06: From 18-06 to 24-06: From 25-06 to 01-07: From 02-07 to 08-07: From 09-07 to 15-07: From 16-07 to 22-07: -From 23-07 to 29-07: +From 23-07 to 29-07:Chris Lamb From 30-07 to 05-08: From 06-08 to 12-08: From 13-08 to 19-08: -From 20-08 to 26-08: +From 20-08 to 26-08:Chris Lamb From 27-08 to 02-09: -From 03-09 to 09-09: +From 03-09 to 09-09:Chris Lamb From 10-09 to 16-09: From 17-09 to 23-09: From 24-09 to 30-09: -From 01-10 to 07-10: +From 01-10 to 07-10:Chris Lamb From 08-10 to 14-10: From 15-10 to 21-10: From 22-10 to 28-10: From 29-10 to 04-11: -From 05-11 to 11-11: +From 05-11 to 11-11:Chris Lamb From 12-11 to 18-11: From 19-11 to 25-11: From 26-11 to 02-12: -From 03-12 to 09-12: +From 03-12 to 09-12:Chris Lamb From 10-12 to 16-12: From 17-12 to 23-12: From 24-12 to 30-12: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57521 - org
Author: lamby Date: 2017-11-10 07:52:37 + (Fri, 10 Nov 2017) New Revision: 57521 Added: org/lts-frontdesk.2018.txt Log: org/lts-frontdesk.2018.txt: Add empty 2018 template Added: org/lts-frontdesk.2018.txt === --- org/lts-frontdesk.2018.txt (rev 0) +++ org/lts-frontdesk.2018.txt 2017-11-10 07:52:37 UTC (rev 57521) @@ -0,0 +1,66 @@ +Presentation + + +The LTS frontdesk handles: + + * CVE triaging: + https://wiki.debian.org/LTS/Development#Triage_new_security_issues + + * Making sure that queries on debian-...@lists.debian.org get an answer. + +Who is in charge ? +-- + +From 01-01 to 07-01: +From 08-01 to 14-01: +From 15-01 to 21-01: +From 22-01 to 28-01: +From 29-01 to 04-02: +From 05-02 to 11-02: +From 12-02 to 18-02: +From 19-02 to 25-02: +From 26-02 to 04-03: +From 05-03 to 11-03: +From 12-03 to 18-03: +From 19-03 to 25-03: +From 26-03 to 01-04: +From 02-04 to 08-04: +From 09-04 to 15-04: +From 16-04 to 22-04: +From 23-04 to 29-04: +From 30-04 to 06-05: +From 07-05 to 13-05: +From 14-05 to 20-05: +From 21-05 to 27-05: +From 28-05 to 03-06: +From 04-06 to 10-06: +From 11-06 to 17-06: +From 18-06 to 24-06: +From 25-06 to 01-07: +From 02-07 to 08-07: +From 09-07 to 15-07: +From 16-07 to 22-07: +From 23-07 to 29-07: +From 30-07 to 05-08: +From 06-08 to 12-08: +From 13-08 to 19-08: +From 20-08 to 26-08: +From 27-08 to 02-09: +From 03-09 to 09-09: +From 10-09 to 16-09: +From 17-09 to 23-09: +From 24-09 to 30-09: +From 01-10 to 07-10: +From 08-10 to 14-10: +From 15-10 to 21-10: +From 22-10 to 28-10: +From 29-10 to 04-11: +From 05-11 to 11-11: +From 12-11 to 18-11: +From 19-11 to 25-11: +From 26-11 to 02-12: +From 03-12 to 09-12: +From 10-12 to 16-12: +From 17-12 to 23-12: +From 24-12 to 30-12: +From 31-12 to 06-01: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57520 - org
Author: lamby Date: 2017-11-10 07:52:35 + (Fri, 10 Nov 2017) New Revision: 57520 Added: org/lts-frontdesk.py Log: org/lts-frontdesk.py: New script to generate weeks for frontdesk years. Added: org/lts-frontdesk.py === --- org/lts-frontdesk.py(rev 0) +++ org/lts-frontdesk.py2017-11-10 07:52:35 UTC (rev 57520) @@ -0,0 +1,42 @@ +#!/usr/bin/env python3 + +import sys +import datetime + +HEADER = """ +Presentation + + +The LTS frontdesk handles: + + * CVE triaging: + https://wiki.debian.org/LTS/Development#Triage_new_security_issues + + * Making sure that queries on debian-...@lists.debian.org get an answer. + +Who is in charge ? +-- +""" + +LINE = """From {0.day:02d}-{0.month:02d} to {1.day:02d}-{1.month:02d}:""" + + +def main(year): +print(HEADER.strip()) +print() + +for x, y in generate_weeks(int(year)): +print(LINE.format(x, y)) + + +def generate_weeks(year): +dt = datetime.date(year, 1, 1) + +while dt.year == year: +if dt.weekday() == 0: +yield (dt, dt + datetime.timedelta(days=6)) +dt += datetime.timedelta(days=1) + + +if __name__ == '__main__': +sys.exit(main(*sys.argv[1:])) Property changes on: org/lts-frontdesk.py ___ Added: svn:executable + * ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57519 - data
Author: bam Date: 2017-11-10 06:42:22 + (Fri, 10 Nov 2017) New Revision: 57519 Modified: data/dla-needed.txt Log: Take tiff Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-10 05:27:39 UTC (rev 57518) +++ data/dla-needed.txt 2017-11-10 06:42:22 UTC (rev 57519) @@ -102,11 +102,11 @@ suricata NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. --lamby -- -tiff +tiff (Brian May) NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06 NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- anarcat 2017-10-24 -- -tiff3 +tiff3 (Brian May) NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06 NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- anarcat 2017-10-24 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57518 - data/CVE
Author: carnil Date: 2017-11-10 05:27:39 + (Fri, 10 Nov 2017) New Revision: 57518 Modified: data/CVE/list Log: Two asterisk issues fixed Modified: data/CVE/list === --- data/CVE/list 2017-11-09 21:46:07 UTC (rev 57517) +++ data/CVE/list 2017-11-10 05:27:39 UTC (rev 57518) @@ -167,12 +167,12 @@ CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming ...) NOT-FOR-US: Datto Backup Agent CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) - - asterisk (bug #881256) + - asterisk 1:13.18.1~dfsg-1 (bug #881256) NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 ...) - - asterisk (bug #881257) + - asterisk 1:13.18.1~dfsg-1 (bug #881257) NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57517 - data/CVE
Author: jmm Date: 2017-11-09 21:46:07 + (Thu, 09 Nov 2017) New Revision: 57517 Modified: data/CVE/list Log: ffmpeg fixed (version from experimental uploaded to sid) Modified: data/CVE/list === --- data/CVE/list 2017-11-09 21:21:34 UTC (rev 57516) +++ data/CVE/list 2017-11-09 21:46:07 UTC (rev 57517) @@ -2853,7 +2853,7 @@ CVE-2017-15673 RESERVED CVE-2017-15672 (The read_header function in libavcodec/ffv1dec.c in FFmpeg 3.3.4 and ...) - - ffmpeg + - ffmpeg 7:3.4-1 [stretch] - ffmpeg (Wait until next round of security releases) - libav NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904 @@ -4124,7 +4124,7 @@ NOTE: https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd NOTE: https://github.com/Cacti/cacti/commit/4f87256e63859117f81d2a2bd40c9c730e39b65d CVE-2017-15186 (Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote ...) - - ffmpeg + - ffmpeg 7:3.4-1 [stretch] - ffmpeg (Wait until next round of security releases) - libav NOTE: http://www.openwall.com/lists/oss-security/2017/10/20/4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57516 - data/CVE
Author: carnil Date: 2017-11-09 21:21:34 + (Thu, 09 Nov 2017) New Revision: 57516 Modified: data/CVE/list Log: Add fixed version for CVE-2017-8806/postgresql-common in unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-09 21:18:13 UTC (rev 57515) +++ data/CVE/list 2017-11-09 21:21:34 UTC (rev 57516) @@ -22914,7 +22914,7 @@ CVE-2017-8806 RESERVED {DSA-4029-1} - - postgresql-common + - postgresql-common 188 CVE-2017-8805 (Debian ftpsync before 20171017 does not use the rsync --safe-links ...) - archvsync 20171017 NOTE: http://www.openwall.com/lists/oss-security/2017/10/17/2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57515 - data/CVE
Author: carnil Date: 2017-11-09 21:18:13 + (Thu, 09 Nov 2017) New Revision: 57515 Modified: data/CVE/list Log: Process some NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-09 21:11:15 UTC (rev 57514) +++ data/CVE/list 2017-11-09 21:18:13 UTC (rev 57515) @@ -3,7 +3,7 @@ CVE-2017-16755 RESERVED CVE-2017-16754 (Bolt before 3.3.6 does not properly restrict access to _profiler ...) - TODO: check + NOT-FOR-US: Bolt CMS CVE-2017-16753 RESERVED CVE-2017-16752 @@ -283,9 +283,9 @@ CVE-2017-16635 (In TinyWebGallery v2.4, an XSS vulnerability is located in the ...) NOT-FOR-US: TinyWebGallery CVE-2017-16634 (In Joomla! before 3.8.2, a bug allowed third parties to bypass a ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2017-16633 (In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2017-16632 RESERVED CVE-2017-16631 @@ -415,9 +415,9 @@ CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an ...) NOT-FOR-US: Zurmo CVE-2017-16568 (Cross-site scripting (XSS) vulnerability in Logitech Media Server ...) - TODO: check + NOT-FOR-US: Logitech Media Server CVE-2017-16567 (Cross-site scripting (XSS) vulnerability in Logitech Media Server ...) - TODO: check + NOT-FOR-US: Logitech Media Server CVE-2017-16566 RESERVED CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage ...) @@ -2943,7 +2943,7 @@ CVE-2017-15639 (tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to ...) NOT-FOR-US: Mura CMS CVE-2017-15638 (The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux ...) - TODO: check + NOT-FOR-US: SuSEfirewall2 in SUSE CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing ...) - wordpress (bug #880868) NOTE: https://core.trac.wordpress.org/ticket/21022 @@ -10224,7 +10224,7 @@ CVE-2017-12970 (Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 ...) NOT-FOR-US: Apache2Triad CVE-2017-12969 (Buffer overflow in the ViewerCtrlLib.ViewerCtrl ActiveX control in ...) - TODO: check + NOT-FOR-US: Avaya IP Office Contact Center CVE-2017-12968 RESERVED CVE-2017-12967 (The getsym function in tekhex.c in the Binary File Descriptor (BFD) ...) @@ -14983,7 +14983,7 @@ NOTE: Fixed by: https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598 CVE-2017-11461 (NetApp OnCommand Unified Manager for 7-mode (core package) versions ...) - TODO: check + NOT-FOR-US: NetApp CVE-2017-11460 (Cross-site scripting (XSS) vulnerability in the DataArchivingService ...) NOT-FOR-US: SAP CVE-2017-11459 (SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via ...) @@ -15474,7 +15474,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/517 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/8ca35831e91c3db8c6d281d09b605001003bec08 CVE-2017-11309 (Buffer overflow in the SoftConsole client in Avaya IP Office before ...) - TODO: check + NOT-FOR-US: Avaya IP Office CVE-2017-11308 RESERVED CVE-2017-11307 @@ -19799,7 +19799,7 @@ CVE-2017-9759 (SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the ...) NOT-FOR-US: Zenbership CVE-2017-9758 (Savitech driver packages for Windows silently install a self-signed ...) - TODO: check + NOT-FOR-US: Savitech driver packages for Windows CVE-2017-9757 (IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via ...) NOT-FOR-US: IPFire CVE-2017-1000375 (NetBSD maps the run-time link-editor ld.so directly below the stack ...) @@ -34662,7 +34662,7 @@ {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5201 (NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allow ...) - TODO: check + NOT-FOR-US: NetApp CVE-2017-5200 (Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, ...) - salt 2016.11.2+ds-1 [jessie] - salt (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57513 - data/CVE
Author: sectracker Date: 2017-11-09 21:10:15 + (Thu, 09 Nov 2017) New Revision: 57513 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-09 20:53:15 UTC (rev 57512) +++ data/CVE/list 2017-11-09 21:10:15 UTC (rev 57513) @@ -1,3 +1,161 @@ +CVE-2017-16756 + RESERVED +CVE-2017-16755 + RESERVED +CVE-2017-16754 (Bolt before 3.3.6 does not properly restrict access to _profiler ...) + TODO: check +CVE-2017-16753 + RESERVED +CVE-2017-16752 + RESERVED +CVE-2017-16751 + RESERVED +CVE-2017-16750 + RESERVED +CVE-2017-16749 + RESERVED +CVE-2017-16748 + RESERVED +CVE-2017-16747 + RESERVED +CVE-2017-16746 + RESERVED +CVE-2017-16745 + RESERVED +CVE-2017-16744 + RESERVED +CVE-2017-16743 + RESERVED +CVE-2017-16742 + RESERVED +CVE-2017-16741 + RESERVED +CVE-2017-16740 + RESERVED +CVE-2017-16739 + RESERVED +CVE-2017-16738 + RESERVED +CVE-2017-16737 + RESERVED +CVE-2017-16736 + RESERVED +CVE-2017-16735 + RESERVED +CVE-2017-16734 + RESERVED +CVE-2017-16733 + RESERVED +CVE-2017-16732 + RESERVED +CVE-2017-16731 + RESERVED +CVE-2017-16730 + RESERVED +CVE-2017-16729 + RESERVED +CVE-2017-16728 + RESERVED +CVE-2017-16727 + RESERVED +CVE-2017-16726 + RESERVED +CVE-2017-16725 + RESERVED +CVE-2017-16724 + RESERVED +CVE-2017-16723 + RESERVED +CVE-2017-16722 + RESERVED +CVE-2017-16721 + RESERVED +CVE-2017-16720 + RESERVED +CVE-2017-16719 + RESERVED +CVE-2017-16718 + RESERVED +CVE-2017-16717 + RESERVED +CVE-2017-16716 + RESERVED +CVE-2017-16715 + RESERVED +CVE-2017-16714 + RESERVED +CVE-2017-16713 + RESERVED +CVE-2017-16712 + RESERVED +CVE-2017-16711 (The swf_DefineLosslessBitsTagToImage function in lib/modules/swfbits.c ...) + TODO: check +CVE-2017-16710 + RESERVED +CVE-2017-16709 + RESERVED +CVE-2017-16708 + RESERVED +CVE-2017-16707 + RESERVED +CVE-2017-16706 + RESERVED +CVE-2017-16705 + RESERVED +CVE-2017-16704 + RESERVED +CVE-2017-16703 + RESERVED +CVE-2017-16702 + RESERVED +CVE-2017-16701 + RESERVED +CVE-2017-16700 + RESERVED +CVE-2017-16699 + RESERVED +CVE-2017-16698 + RESERVED +CVE-2017-16697 + RESERVED +CVE-2017-16696 + RESERVED +CVE-2017-16695 + RESERVED +CVE-2017-16694 + RESERVED +CVE-2017-16693 + RESERVED +CVE-2017-16692 + RESERVED +CVE-2017-16691 + RESERVED +CVE-2017-16690 + RESERVED +CVE-2017-16689 + RESERVED +CVE-2017-16688 + RESERVED +CVE-2017-16687 + RESERVED +CVE-2017-16686 + RESERVED +CVE-2017-16685 + RESERVED +CVE-2017-16684 + RESERVED +CVE-2017-16683 + RESERVED +CVE-2017-16682 + RESERVED +CVE-2017-16681 + RESERVED +CVE-2017-16680 + RESERVED +CVE-2017-16679 + RESERVED +CVE-2017-16678 + RESERVED CVE-2017-16677 RESERVED CVE-2017-16676 @@ -65,8 +223,8 @@ RESERVED CVE-2017-16652 RESERVED -CVE-2017-16651 [file disclosure vulnerabliity] - RESERVED +CVE-2017-16651 (Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before ...) + {DSA-4030-1} - roundcube 1.3.3+dfsg.1-1 NOTE: master: https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d NOTE: release-1.3: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 @@ -124,10 +282,10 @@ NOT-FOR-US: Bludit CVE-2017-16635 (In TinyWebGallery v2.4, an XSS vulnerability is located in the ...) NOT-FOR-US: TinyWebGallery -CVE-2017-16634 - RESERVED -CVE-2017-16633 - RESERVED +CVE-2017-16634 (In Joomla! before 3.8.2, a bug allowed third parties to bypass a ...) + TODO: check +CVE-2017-16633 (In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only ...) + TODO: check CVE-2017-16632 RESERVED CVE-2017-16631 @@ -256,10 +414,10 @@ NOT-FOR-US: KeystoneJS CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an ...) NOT-FOR-US: Zurmo -CVE-2017-16568 - RESERVED -CVE-2017-16567 - RESERVED +CVE-2017-16568 (Cross-site scripting (XSS) vulnerability in Logitech Media Server ...) + TODO: check +CVE-2017-16567 (Cross-site scripting (XSS) vulnerability in Logitech Media Server ...) + TODO: check CVE-2017-16566 RESERVED CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage ...) @@ -268,8 +426,8 @@ NOT-FOR-US: Vonage CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen on ...) NOT-FOR-US: Vonage -CVE-2017-16562 - RESERVED +CVE-2017-16562 (The
[Secure-testing-commits] r57514 - data/CVE
Author: carnil Date: 2017-11-09 21:11:15 + (Thu, 09 Nov 2017) New Revision: 57514 Modified: data/CVE/list Log: Update CVE-2017-14687: mark as no-dsa Reasoning: The issue was not directly triggerable with the provided poc. Non-tags in tag name comparisons were handled by using fz_xml_is_tag instead of the fz_xml_tag && !strcmp idioms, which are found in several places in related code. It's not entirely clear if the vulerable code is not present e.g. back in 1.5-1+deb8u2 since the reporter did not provide pocs publicly and the description from https://bugs.ghostscript.com/show_bug.cgi?id=698558 is unhelpful. Modified: data/CVE/list === --- data/CVE/list 2017-11-09 21:10:15 UTC (rev 57513) +++ data/CVE/list 2017-11-09 21:11:15 UTC (rev 57514) @@ -5625,9 +5625,10 @@ CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or ...) {DSA-4006-1 DLA-1164-1} - mupdf 1.11+ds1-1.1 (bug #877379) - [jessie] - mupdf (poc not effective) + [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 + NOTE: Several fz_xml_tag && !strcmp idoms are used in older versions CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57512 - data/CVE
Author: carnil Date: 2017-11-09 20:53:15 + (Thu, 09 Nov 2017) New Revision: 57512 Modified: data/CVE/list Log: Add references for CVE-2017-16539/docker.io Modified: data/CVE/list === --- data/CVE/list 2017-11-09 19:18:48 UTC (rev 57511) +++ data/CVE/list 2017-11-09 20:53:15 UTC (rev 57512) @@ -330,7 +330,9 @@ CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database ...) NOT-FOR-US: OpenEMR CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through ...) - - docker.io + - docker.io + NOTE: https://github.com/moby/moby/pull/35399 + NOTE: https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 CVE-2017-16538 (drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through ...) - linux [wheezy] - linux (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57511 - in data: . DSA
Author: carnil Date: 2017-11-09 19:18:48 + (Thu, 09 Nov 2017) New Revision: 57511 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for roundcube update Modified: data/DSA/list === --- data/DSA/list 2017-11-09 19:12:08 UTC (rev 57510) +++ data/DSA/list 2017-11-09 19:18:48 UTC (rev 57511) @@ -1,3 +1,6 @@ +[09 Nov 2017] DSA-4030-1 roundcube - security update + {CVE-2017-16651} + [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u1 [09 Nov 2017] DSA-4029-1 postgresql-common - security update {CVE-2017-8806} [jessie] - postgresql-common 165+deb8u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-09 19:12:08 UTC (rev 57510) +++ data/dsa-needed.txt 2017-11-09 19:18:48 UTC (rev 57511) @@ -51,8 +51,6 @@ Maintainer (terceiro) proposed update, needs review and ack Upload reviewed and acked to be uploaded (including additional change) -- -roundcube/stable (carnil) --- salt -- simplesamlphp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57510 - data/CVE
Author: carnil Date: 2017-11-09 19:12:08 + (Thu, 09 Nov 2017) New Revision: 57510 Modified: data/CVE/list Log: Add fixed version for unimportant issues Modified: data/CVE/list === --- data/CVE/list 2017-11-09 19:07:56 UTC (rev 57509) +++ data/CVE/list 2017-11-09 19:12:08 UTC (rev 57510) @@ -12797,7 +12797,9 @@ RESERVED - postgresql-10 10.1-1 (unimportant) - postgresql-9.6 (unimportant) + [stretch] - postgresql-9.6 9.6.6-0+deb9u1 - postgresql-9.4 (unimportant) + [jessie] - postgresql-9.4 9.4.15-0+deb8u1 - postgresql-9.1 (unimportant) [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) NOTE: Issue in sample init-scirpt as provided by postgresql project, but not installed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57509 - data/CVE
Author: carnil Date: 2017-11-09 19:07:56 + (Thu, 09 Nov 2017) New Revision: 57509 Modified: data/CVE/list Log: Correct status for CVE-2017-15099 I seem to have messed up the entry when I added the not-affected status based on the feature introducion and thus marking 9.4 and 9.1 as not-affected. Correct this. Modified: data/CVE/list === --- data/CVE/list 2017-11-09 18:42:25 UTC (rev 57508) +++ data/CVE/list 2017-11-09 19:07:56 UTC (rev 57509) @@ -4159,7 +4159,7 @@ CVE-2017-15099 RESERVED - postgresql-10 10.1-1 - - postgresql-9.6 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) + - postgresql-9.6 - postgresql-9.4 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) - postgresql-9.1 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) CVE-2017-15098 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57508 - data/DSA
Author: jmm Date: 2017-11-09 18:42:25 + (Thu, 09 Nov 2017) New Revision: 57508 Modified: data/DSA/list Log: reserve IDs for postgres DSA Modified: data/DSA/list === --- data/DSA/list 2017-11-09 18:35:25 UTC (rev 57507) +++ data/DSA/list 2017-11-09 18:42:25 UTC (rev 57508) @@ -1,3 +1,13 @@ +[09 Nov 2017] DSA-4029-1 postgresql-common - security update + {CVE-2017-8806} + [jessie] - postgresql-common 165+deb8u3 + [stretch] - postgresql-common 181+deb9u1 +[09 Nov 2017] DSA-4028-1 postgresql-9.6 - security update + {CVE-2017-15098 CVE-2017-15099} + [stretch] - postgresql-9.6 9.6.6-0+deb9u1 +[09 Nov 2017] DSA-4027-1 postgresql-9.4 - security update + {CVE-2017-15098} + [jessie] - postgresql-9.4 9.4.15-0+deb8u1 [09 Nov 2017] DSA-4026-1 bchunk - security update {CVE-2017-15953 CVE-2017-15954 CVE-2017-15955} [jessie] - bchunk 1.2.0-12+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57507 - data/CVE
Author: jmm Date: 2017-11-09 18:35:25 + (Thu, 09 Nov 2017) New Revision: 57507 Modified: data/CVE/list Log: further imagemagick triage Modified: data/CVE/list === --- data/CVE/list 2017-11-09 17:36:25 UTC (rev 57506) +++ data/CVE/list 2017-11-09 18:35:25 UTC (rev 57507) @@ -3676,6 +3676,8 @@ CVE-2017-15281 (ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows remote ...) {DLA-1139-1} - imagemagick (low; bug #878579) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/832 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e9d1c2adae866861a291535997b2263f26becb1e NOTE: https://github.com/ImageMagick/ImageMagick/commit/32cbfc57962321b2ead627129c9d9ffbfcdb @@ -4476,7 +4478,9 @@ NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15017 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ...) {DLA-1131-1} - - imagemagick (bug #878554) + - imagemagick (low; bug #878554) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/723 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5a1006a249516a875558c3d642e719b1eac8f820 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0cff8bac0a47f8693cfe57f026fcd752689ff375 @@ -4488,7 +4492,9 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/27f8ba82ddd665ab41cef6588128f680cbd69905 NOTE: emf.c not compiled under Debian CVE-2017-15015 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ...) - - imagemagick (bug #878555) + - imagemagick (low; bug #878555) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/724 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/0cbb3b3b02e7af493a9aafa8f7e7d23fc70644e4 @@ -5280,7 +5286,9 @@ RESERVED CVE-2017-14741 (The ReadCAPTIONImage function in coders/caption.c in ImageMagick ...) {DLA-1131-1} - - imagemagick (bug #878548) + - imagemagick (low; bug #878548) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/771 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d8e14899c562157c7760a77fc91625a27cb596f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d @@ -5288,7 +5296,9 @@ RESERVED CVE-2017-14739 (The AcquireResampleFilterThreadSet function in ...) {DLA-1131-1} - - imagemagick (bug #878547) + - imagemagick (low; bug #878547) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/780 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6017a80fe8327fefb77fa677d81154db2b857d1d NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/700fcf95b2c3f554dfbe75833b91f19dde208089 @@ -5640,19 +5650,25 @@ CVE-2017-14627 (Stack-based buffer overflows in CyberLink LabelPrint 2.5 allow remote ...) NOT-FOR-US: CyberLink LabelPrint CVE-2017-14626 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability in ...) - - imagemagick (bug #878524) + - imagemagick (low; bug #878524) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/720 NOTE: https://github.com/ImageMagick/ImageMagick/issues/721 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/90b301db18434b2c2228776d06c2898b5fed74f0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9 CVE-2017-14625 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability in ...) - - imagemagick (bug #877355) + - imagemagick (low; bug #877355) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/721 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9 CVE-2017-14624 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference
[Secure-testing-commits] r57506 - in data: . DSA
Author: seb Date: 2017-11-09 17:36:25 + (Thu, 09 Nov 2017) New Revision: 57506 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA-4026-1 for bchunk (CVE-2017-15953, CVE-2017-15954, CVE-2017-15955) Modified: data/DSA/list === --- data/DSA/list 2017-11-09 16:41:21 UTC (rev 57505) +++ data/DSA/list 2017-11-09 17:36:25 UTC (rev 57506) @@ -1,3 +1,7 @@ +[09 Nov 2017] DSA-4026-1 bchunk - security update + {CVE-2017-15953 CVE-2017-15954 CVE-2017-15955} + [jessie] - bchunk 1.2.0-12+deb8u1 + [stretch] - bchunk 1.2.0-12+deb9u1 [08 Nov 2017] DSA-4025-1 libpam4j - security update {CVE-2017-12197} [jessie] - libpam4j 1.4-2+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-09 16:41:21 UTC (rev 57505) +++ data/dsa-needed.txt 2017-11-09 17:36:25 UTC (rev 57506) @@ -14,10 +14,6 @@ -- 389-ds-base (fw) -- -bchunk (seb) - Markus Koschany proposed update, needs review and ack - 2017-11-09: ack upload --- graphicsmagick -- jackson-databind (seb) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57505 - data/CVE
Author: luciano Date: 2017-11-09 16:41:21 + (Thu, 09 Nov 2017) New Revision: 57505 Modified: data/CVE/list Log: mupdf issues: pocs not effective in jessie Modified: data/CVE/list === --- data/CVE/list 2017-11-09 16:16:04 UTC (rev 57504) +++ data/CVE/list 2017-11-09 16:41:21 UTC (rev 57505) @@ -5453,19 +5453,20 @@ CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or ...) {DSA-4006-1 DLA-1164-1} - mupdf 1.11+ds1-1.1 (bug #877379) + [jessie] - mupdf (poc not effective) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) - [jessie] - mupdf (vulnerable code not present) + [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698540 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 CVE-2017-14685 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) - [jessie] - mupdf (vulnerable code not present) + [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698539 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57504 - data
Author: apo Date: 2017-11-09 16:16:04 + (Thu, 09 Nov 2017) New Revision: 57504 Modified: data/dla-needed.txt Log: Claim poppler in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-09 15:30:34 UTC (rev 57503) +++ data/dla-needed.txt 2017-11-09 16:16:04 UTC (rev 57504) @@ -71,7 +71,7 @@ -- openjdk-7 (Emilio Pozuelo) -- -poppler +poppler (Markus Koschany) NOTE: not fixed in sid yet so did not ping maintainer NOTE: drawForm is doForm1 in wheezy NOTE: exploit does not loop but code looks affected ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57503 - data/CVE
Author: carnil Date: 2017-11-09 15:30:34 + (Thu, 09 Nov 2017) New Revision: 57503 Modified: data/CVE/list Log: Update CVE-2017-15099 information Modified: data/CVE/list === --- data/CVE/list 2017-11-09 15:21:04 UTC (rev 57502) +++ data/CVE/list 2017-11-09 15:30:34 UTC (rev 57503) @@ -4157,9 +4157,9 @@ CVE-2017-15099 RESERVED - postgresql-10 10.1-1 - - postgresql-9.6 - - postgresql-9.4 - - postgresql-9.1 + - postgresql-9.6 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) + - postgresql-9.4 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) + - postgresql-9.1 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) CVE-2017-15098 RESERVED - postgresql-10 10.1-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57502 - data/CVE
Author: carnil Date: 2017-11-09 15:21:04 + (Thu, 09 Nov 2017) New Revision: 57502 Modified: data/CVE/list Log: Add fixing version for postgrsql-10 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 15:19:33 UTC (rev 57501) +++ data/CVE/list 2017-11-09 15:21:04 UTC (rev 57502) @@ -4156,13 +4156,13 @@ - foreman (bug #663101) CVE-2017-15099 RESERVED - - postgresql-10 + - postgresql-10 10.1-1 - postgresql-9.6 - postgresql-9.4 - - postgresql-9.1 + - postgresql-9.1 CVE-2017-15098 RESERVED - - postgresql-10 + - postgresql-10 10.1-1 - postgresql-9.6 - postgresql-9.4 - postgresql-9.1 @@ -12774,7 +12774,7 @@ NOTE: Introduced by https://pagure.io/SSSD/sssd/c/7ecb5aea65cb1899f16e7a41bffa93d074defd4a (sssd-1_12_0) CVE-2017-12172 RESERVED - - postgresql-10 (unimportant) + - postgresql-10 10.1-1 (unimportant) - postgresql-9.6 (unimportant) - postgresql-9.4 (unimportant) - postgresql-9.1 (unimportant) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57501 - data/CVE
Author: carnil Date: 2017-11-09 15:19:33 + (Thu, 09 Nov 2017) New Revision: 57501 Modified: data/CVE/list Log: Add postgresql-9.1 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 15:19:20 UTC (rev 57500) +++ data/CVE/list 2017-11-09 15:19:33 UTC (rev 57501) @@ -4159,11 +4159,14 @@ - postgresql-10 - postgresql-9.6 - postgresql-9.4 + - postgresql-9.1 CVE-2017-15098 RESERVED - postgresql-10 - postgresql-9.6 - postgresql-9.4 + - postgresql-9.1 + [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) CVE-2017-15097 RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) @@ -12774,6 +12777,8 @@ - postgresql-10 (unimportant) - postgresql-9.6 (unimportant) - postgresql-9.4 (unimportant) + - postgresql-9.1 (unimportant) + [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) NOTE: Issue in sample init-scirpt as provided by postgresql project, but not installed CVE-2017-12171 [httpd: # character matches all IPs] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57500 - data/CVE
Author: carnil Date: 2017-11-09 15:19:20 + (Thu, 09 Nov 2017) New Revision: 57500 Modified: data/CVE/list Log: Add postgresql-9.4 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 15:17:24 UTC (rev 57499) +++ data/CVE/list 2017-11-09 15:19:20 UTC (rev 57500) @@ -4158,10 +4158,12 @@ RESERVED - postgresql-10 - postgresql-9.6 + - postgresql-9.4 CVE-2017-15098 RESERVED - postgresql-10 - postgresql-9.6 + - postgresql-9.4 CVE-2017-15097 RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) @@ -12771,6 +12773,7 @@ RESERVED - postgresql-10 (unimportant) - postgresql-9.6 (unimportant) + - postgresql-9.4 (unimportant) NOTE: Issue in sample init-scirpt as provided by postgresql project, but not installed CVE-2017-12171 [httpd: # character matches all IPs] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57499 - data
Author: apo Date: 2017-11-09 15:17:24 + (Thu, 09 Nov 2017) New Revision: 57499 Modified: data/dla-needed.txt Log: Remove openssl from dla-needed.txt Uploaded. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-09 15:12:53 UTC (rev 57498) +++ data/dla-needed.txt 2017-11-09 15:17:24 UTC (rev 57499) @@ -71,10 +71,6 @@ -- openjdk-7 (Emilio Pozuelo) -- -openssl - NOTE: I assume Kurt Roeckx will take care of it again. - NOTE: 1.0.1t-1+deb7u3 by Kurt Roeckx, DLA number already reserved, but upload missing --- poppler NOTE: not fixed in sid yet so did not ping maintainer NOTE: drawForm is doForm1 in wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57497 - data/CVE
Author: carnil Date: 2017-11-09 15:12:41 + (Thu, 09 Nov 2017) New Revision: 57497 Modified: data/CVE/list Log: Add postgresql-common issue Modified: data/CVE/list === --- data/CVE/list 2017-11-09 15:12:27 UTC (rev 57496) +++ data/CVE/list 2017-11-09 15:12:41 UTC (rev 57497) @@ -22712,6 +22712,7 @@ RESERVED CVE-2017-8806 RESERVED + - postgresql-common CVE-2017-8805 (Debian ftpsync before 20171017 does not use the rsync --safe-links ...) - archvsync 20171017 NOTE: http://www.openwall.com/lists/oss-security/2017/10/17/2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57498 - data/CVE
Author: carnil Date: 2017-11-09 15:12:53 + (Thu, 09 Nov 2017) New Revision: 57498 Modified: data/CVE/list Log: Add postgresql-9.6 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 15:12:41 UTC (rev 57497) +++ data/CVE/list 2017-11-09 15:12:53 UTC (rev 57498) @@ -4157,9 +4157,11 @@ CVE-2017-15099 RESERVED - postgresql-10 + - postgresql-9.6 CVE-2017-15098 RESERVED - postgresql-10 + - postgresql-9.6 CVE-2017-15097 RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) @@ -12768,6 +12770,7 @@ CVE-2017-12172 RESERVED - postgresql-10 (unimportant) + - postgresql-9.6 (unimportant) NOTE: Issue in sample init-scirpt as provided by postgresql project, but not installed CVE-2017-12171 [httpd: # character matches all IPs] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57496 - data/CVE
Author: carnil Date: 2017-11-09 15:12:27 + (Thu, 09 Nov 2017) New Revision: 57496 Modified: data/CVE/list Log: Add postgresql-10 issues Modified: data/CVE/list === --- data/CVE/list 2017-11-09 14:10:34 UTC (rev 57495) +++ data/CVE/list 2017-11-09 15:12:27 UTC (rev 57496) @@ -4156,8 +4156,10 @@ - foreman (bug #663101) CVE-2017-15099 RESERVED + - postgresql-10 CVE-2017-15098 RESERVED + - postgresql-10 CVE-2017-15097 RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) @@ -12765,6 +12767,8 @@ NOTE: Introduced by https://pagure.io/SSSD/sssd/c/7ecb5aea65cb1899f16e7a41bffa93d074defd4a (sssd-1_12_0) CVE-2017-12172 RESERVED + - postgresql-10 (unimportant) + NOTE: Issue in sample init-scirpt as provided by postgresql project, but not installed CVE-2017-12171 [httpd: # character matches all IPs] RESERVED - apache2 (Introduced by Red Hat RHEL 6.9 specific non-security patch) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57495 - data
Author: pochu Date: 2017-11-09 14:10:34 + (Thu, 09 Nov 2017) New Revision: 57495 Modified: data/dla-needed.txt Log: dla: unclaim poppler, no time for it yet Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-09 13:04:29 UTC (rev 57494) +++ data/dla-needed.txt 2017-11-09 14:10:34 UTC (rev 57495) @@ -75,7 +75,7 @@ NOTE: I assume Kurt Roeckx will take care of it again. NOTE: 1.0.1t-1+deb7u3 by Kurt Roeckx, DLA number already reserved, but upload missing -- -poppler (Emilio Pozuelo) +poppler NOTE: not fixed in sid yet so did not ping maintainer NOTE: drawForm is doForm1 in wheezy NOTE: exploit does not loop but code looks affected ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57494 - data/CVE
Author: carnil Date: 2017-11-09 13:04:29 + (Thu, 09 Nov 2017) New Revision: 57494 Modified: data/CVE/list Log: Add bug reference for CVE-2017-16671, #881257 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 13:03:01 UTC (rev 57493) +++ data/CVE/list 2017-11-09 13:04:29 UTC (rev 57494) @@ -14,7 +14,7 @@ NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 ...) - - asterisk + - asterisk (bug #881257) NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57493 - data/CVE
Author: carnil Date: 2017-11-09 13:03:01 + (Thu, 09 Nov 2017) New Revision: 57493 Modified: data/CVE/list Log: Add bug reference for CVE-2017-16672, #881256 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 12:56:17 UTC (rev 57492) +++ data/CVE/list 2017-11-09 13:03:01 UTC (rev 57493) @@ -9,7 +9,7 @@ CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming ...) NOT-FOR-US: Datto Backup Agent CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) - - asterisk + - asterisk (bug #881256) NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57492 - data/CVE
Author: carnil Date: 2017-11-09 12:56:17 + (Thu, 09 Nov 2017) New Revision: 57492 Modified: data/CVE/list Log: Update information for CVE-2017-16671 Modified: data/CVE/list === --- data/CVE/list 2017-11-09 12:50:52 UTC (rev 57491) +++ data/CVE/list 2017-11-09 12:56:17 UTC (rev 57492) @@ -16,8 +16,8 @@ CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 ...) - asterisk NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html + NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 - TODO: check CVE-2017-16670 RESERVED CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57491 - data/CVE
Author: carnil Date: 2017-11-09 12:50:52 + (Thu, 09 Nov 2017) New Revision: 57491 Modified: data/CVE/list Log: Update information on CVE-2017-16672/asterisk, remove TODO Modified: data/CVE/list === --- data/CVE/list 2017-11-09 11:33:46 UTC (rev 57490) +++ data/CVE/list 2017-11-09 12:50:52 UTC (rev 57491) @@ -11,8 +11,8 @@ CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) - asterisk NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html + NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 - TODO: check CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 ...) - asterisk NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57490 - data
Author: seb Date: 2017-11-09 11:33:46 + (Thu, 09 Nov 2017) New Revision: 57490 Modified: data/dsa-needed.txt Log: Take jackson-databind from dsa-needed (CVE-2017-15095) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-09 11:29:51 UTC (rev 57489) +++ data/dsa-needed.txt 2017-11-09 11:33:46 UTC (rev 57490) @@ -20,7 +20,7 @@ -- graphicsmagick -- -jackson-databind +jackson-databind (seb) For CVE-2017-15095 (see notes for missing commits) -- libav/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57489 - data
Author: seb Date: 2017-11-09 11:29:51 + (Thu, 09 Nov 2017) New Revision: 57489 Modified: data/dsa-needed.txt Log: Take bchunk (CVE-2017-15953, CVE-2017-15954, CVE-2017-15955) from dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-09 09:17:24 UTC (rev 57488) +++ data/dsa-needed.txt 2017-11-09 11:29:51 UTC (rev 57489) @@ -14,8 +14,9 @@ -- 389-ds-base (fw) -- -bchunk +bchunk (seb) Markus Koschany proposed update, needs review and ack + 2017-11-09: ack upload -- graphicsmagick -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57488 - data/CVE
Author: carnil Date: 2017-11-09 09:17:24 + (Thu, 09 Nov 2017) New Revision: 57488 Modified: data/CVE/list Log: Two more NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-09 09:15:41 UTC (rev 57487) +++ data/CVE/list 2017-11-09 09:17:24 UTC (rev 57488) @@ -14643,9 +14643,9 @@ CVE-2017-11513 RESERVED CVE-2017-11512 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) - TODO: check + NOT-FOR-US: ManageEngine ServiceDesk CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) - TODO: check + NOT-FOR-US: ManageEngine ServiceDesk CVE-2017-11510 RESERVED CVE-2017-11509 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57487 - data/CVE
Author: carnil Date: 2017-11-09 09:15:41 + (Thu, 09 Nov 2017) New Revision: 57487 Modified: data/CVE/list Log: Add two NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-09 09:13:59 UTC (rev 57486) +++ data/CVE/list 2017-11-09 09:15:41 UTC (rev 57487) @@ -5,9 +5,9 @@ CVE-2017-16675 RESERVED CVE-2017-16674 (Datto Windows Agent allows unauthenticated remote command execution via ...) - TODO: check + NOT-FOR-US: Datto Windows Agent CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming ...) - TODO: check + NOT-FOR-US: Datto Backup Agent CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) - asterisk NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57486 - data/CVE
Author: carnil Date: 2017-11-09 09:13:59 + (Thu, 09 Nov 2017) New Revision: 57486 Modified: data/CVE/list Log: Add graphicsmagick issue Modified: data/CVE/list === --- data/CVE/list 2017-11-09 09:12:03 UTC (rev 57485) +++ data/CVE/list 2017-11-09 09:13:59 UTC (rev 57486) @@ -21,7 +21,16 @@ CVE-2017-16670 RESERVED CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause ...) - TODO: check + - graphicsmagick + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/450/ + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/135bdcb88b8d + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b9e64a8901e + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2a21cda3145b + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2b7c826d36af + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/3dc7b4e3779d + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/75245a215fff + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 + NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/fcd3ed3394f6 CVE-2017-16668 RESERVED CVE-2017-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57485 - data/CVE
Author: carnil Date: 2017-11-09 09:12:03 + (Thu, 09 Nov 2017) New Revision: 57485 Modified: data/CVE/list Log: Add two asterisk issues Modified: data/CVE/list === --- data/CVE/list 2017-11-09 09:10:13 UTC (rev 57484) +++ data/CVE/list 2017-11-09 09:12:03 UTC (rev 57485) @@ -9,8 +9,14 @@ CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming ...) TODO: check CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) + - asterisk + NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html + NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 TODO: check CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 ...) + - asterisk + NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html + NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 TODO: check CVE-2017-16670 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57484 - data/CVE
Author: sectracker Date: 2017-11-09 09:10:13 + (Thu, 09 Nov 2017) New Revision: 57484 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-09 07:26:10 UTC (rev 57483) +++ data/CVE/list 2017-11-09 09:10:13 UTC (rev 57484) @@ -1,3 +1,21 @@ +CVE-2017-16677 + RESERVED +CVE-2017-16676 + RESERVED +CVE-2017-16675 + RESERVED +CVE-2017-16674 (Datto Windows Agent allows unauthenticated remote command execution via ...) + TODO: check +CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming ...) + TODO: check +CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) + TODO: check +CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 ...) + TODO: check +CVE-2017-16670 + RESERVED +CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause ...) + TODO: check CVE-2017-16668 RESERVED CVE-2017-1 @@ -12622,7 +12640,7 @@ RESERVED CVE-2017-12197 RESERVED - {DLA-1165-1} + {DSA-4025-1 DLA-1165-1} - libpam4j 1.4-3 (bug #879001) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503103 NOTE: https://github.com/kohsuke/libpam4j/issues/18 @@ -14609,10 +14627,10 @@ RESERVED CVE-2017-11513 RESERVED -CVE-2017-11512 - RESERVED -CVE-2017-11511 - RESERVED +CVE-2017-11512 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) + TODO: check +CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) + TODO: check CVE-2017-11510 RESERVED CVE-2017-11509 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits