[Secure-testing-commits] r57569 - data/CVE
Author: carnil Date: 2017-11-11 21:54:00 + (Sat, 11 Nov 2017) New Revision: 57569 Modified: data/CVE/list Log: Add fixing version for xdeb issue, #781595 Modified: data/CVE/list === --- data/CVE/list 2017-11-11 21:43:21 UTC (rev 57568) +++ data/CVE/list 2017-11-11 21:54:00 UTC (rev 57569) @@ -95991,7 +95991,7 @@ CVE-2015-2789 (Unquoted Windows search path vulnerability in the Foxit Cloud Safe ...) NOT-FOR-US: Foxit Reader CVE-2015- [xdeb: disables apt's signature checks] - - xdeb (bug #781595) + - xdeb 0.6.7 (bug #781595) [wheezy] - xdeb (Minor issue) CVE-2015-2931 (Incomplete blacklist vulnerability in includes/upload/UploadBase.php ...) - mediawiki 1:1.19.20+dfsg-2.3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
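Review bot: the fixing version `xdeb 0.6.7` is added without a NOTE line pointing at the upstream commit or changelog entry that actually restores apt's signature checking, so the version claim is not traceable from the entry itself; consider adding `NOTE: <upstream fix reference>` next to the bug reference. Also, because the unfixed version disables apt signature verification, the `[wheezy] - xdeb (Minor issue)` tag deserves a one-line rationale so a later triager can see why a signature-check bypass was judged minor for that suite.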
[Secure-testing-commits] r57568 - data/CVE
Author: carnil Date: 2017-11-11 21:43:21 + (Sat, 11 Nov 2017) New Revision: 57568 Modified: data/CVE/list Log: Remove previous note, workaround was later on dropped upstream Modified: data/CVE/list === --- data/CVE/list 2017-11-11 21:38:34 UTC (rev 57567) +++ data/CVE/list 2017-11-11 21:43:21 UTC (rev 57568) @@ -70681,8 +70681,6 @@ NOTE: Restricting ioctl on the kernel side seems the better approach, patches have been posted to kernel-hardening list NOTE: http://www.openwall.com/lists/oss-security/2016/02/27/1 NOTE: https://marc.info/?l=util-linux-ng&m=145694736107128&w=2 - NOTE: Upstream libseccomp based workaround: - NOTE: https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2 CVE-2016- [Partial SMAP bypass on 64-bit Linux kernels] - linux 4.4.4-1 [jessie] - linux 3.16.7-ckt25-2+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
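Review bot: removing both NOTE lines leaves no record in the entry that the libseccomp workaround existed and was later dropped upstream, which invites someone to re-add the same commit reference on the next pass; rather than deleting, replace them with a single line such as `NOTE: libseccomp based workaround (commit 8e4925016875c6a4f2ab4f833ba66f0fc57396a2) was later reverted upstream` so the history stays visible alongside the remaining kernel-side NOTE.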
[Secure-testing-commits] r57567 - data/CVE
Author: carnil Date: 2017-11-11 21:38:34 + (Sat, 11 Nov 2017) New Revision: 57567 Modified: data/CVE/list Log: CVE-2016-2779: add information on workaround Not a real solution but still add as reference to the respective CVE entry. Modified: data/CVE/list === --- data/CVE/list 2017-11-11 21:26:03 UTC (rev 57566) +++ data/CVE/list 2017-11-11 21:38:34 UTC (rev 57567) @@ -70676,11 +70676,13 @@ - util-linux (bug #815922) [stretch] - util-linux (Minor issue) [jessie] - util-linux (Minor issue) - NOTE: Restricting ioctl on the kernel side seems the better approach, patches have been posted to kernel-hardening list [wheezy] - util-linux (runuser[.c] not yet present) [squeeze] - util-linux (runuser[.c] not yet present) + NOTE: Restricting ioctl on the kernel side seems the better approach, patches have been posted to kernel-hardening list NOTE: http://www.openwall.com/lists/oss-security/2016/02/27/1 NOTE: https://marc.info/?l=util-linux-ng&m=145694736107128&w=2 + NOTE: Upstream libseccomp based workaround: + NOTE: https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2 CVE-2016- [Partial SMAP bypass on 64-bit Linux kernels] - linux 4.4.4-1 [jessie] - linux 3.16.7-ckt25-2+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
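Review bot: the commit log says the libseccomp change is "not a real solution", but the added `NOTE: Upstream libseccomp based workaround:` line carries no such qualification, so the entry reads as if a fix reference were recorded; put the caveat in the NOTE itself (e.g. "partial workaround, does not address the root cause, see kernel-side patches above") so the entry is self-describing. Moving the "Restricting ioctl on the kernel side" NOTE below the [wheezy]/[squeeze] lines is the right ordering, since NOTE lines conventionally follow all suite annotations.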
[Secure-testing-commits] r57566 - data/CVE
Author: carnil Date: 2017-11-11 21:26:03 + (Sat, 11 Nov 2017) New Revision: 57566 Modified: data/CVE/list Log: Add bug reference for CVE-2017-15928/ruby-ox Modified: data/CVE/list === --- data/CVE/list 2017-11-11 21:22:51 UTC (rev 57565) +++ data/CVE/list 2017-11-11 21:26:03 UTC (rev 57566) @@ -2361,7 +2361,7 @@ CVE-2017-15929 RESERVED CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation ...) - - ruby-ox + - ruby-ox (bug #881445) [stretch] - ruby-ox (Minor issue) [jessie] - ruby-ox (Minor issue) NOTE: https://github.com/ohler55/ox/issues/194 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57565 - data/CVE
Author: carnil Date: 2017-11-11 21:22:51 + (Sat, 11 Nov 2017) New Revision: 57565 Modified: data/CVE/list Log: Mark CVE-2017-15928/ruby-ox as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-11-11 21:14:28 UTC (rev 57564) +++ data/CVE/list 2017-11-11 21:22:51 UTC (rev 57565) @@ -2362,6 +2362,8 @@ RESERVED CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation ...) - ruby-ox + [stretch] - ruby-ox (Minor issue) + [jessie] - ruby-ox (Minor issue) NOTE: https://github.com/ohler55/ox/issues/194 NOTE: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8 CVE-2017-15927 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
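Review bot: the two new `(Minor issue)` no-dsa tags for stretch and jessie record no rationale, while the CVE description says the process crashes with a segmentation fault, which for a library that parses untrusted XML is at least a denial of service; state the reason for the downgrade in the parenthesised comment or a NOTE line (for example what input path is required, or that the fix is not yet in sid either) so the decision can be revisited when the upstream fix in e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8 is reviewed.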
[Secure-testing-commits] r57564 - data/CVE
Author: carnil Date: 2017-11-11 21:14:28 + (Sat, 11 Nov 2017) New Revision: 57564 Modified: data/CVE/list Log: Add commit reference for CVE-2017-15928/ruby-ox Modified: data/CVE/list === --- data/CVE/list 2017-11-11 21:10:14 UTC (rev 57563) +++ data/CVE/list 2017-11-11 21:14:28 UTC (rev 57564) @@ -2363,7 +2363,7 @@ CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation ...) - ruby-ox NOTE: https://github.com/ohler55/ox/issues/194 - NOTE: https://rubygems.org/gems/ox/versions/2.8.0 + NOTE: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8 CVE-2017-15927 RESERVED CVE-2017-15926 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57563 - data/CVE
Author: sectracker Date: 2017-11-11 21:10:14 + (Sat, 11 Nov 2017) New Revision: 57563 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-11 20:32:20 UTC (rev 57562) +++ data/CVE/list 2017-11-11 21:10:14 UTC (rev 57563) @@ -7682,7 +7682,7 @@ CVE-2017-14034 RESERVED CVE-2017-14033 (The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, ...) - {DLA-1114-1} + {DSA-4031-1 DLA-1114-1} - ruby2.3 (bug #875928) - ruby2.1 - ruby1.9.1 @@ -17180,7 +17180,7 @@ CVE-2017-10785 RESERVED CVE-2017-10784 (The Basic authentication code in WEBrick library in Ruby before 2.2.8, ...) - {DLA-1114-1 DLA-1113-1} + {DSA-4031-1 DLA-1114-1 DLA-1113-1} - ruby2.3 (bug #875931) - ruby2.1 - ruby1.9.1 @@ -23030,7 +23030,7 @@ RESERVED CVE-2017-8806 RESERVED - {DSA-4029-1} + {DSA-4029-1 DLA-1169-1} - postgresql-common 188 CVE-2017-8805 (Debian ftpsync before 20171017 does not use the rsync --safe-links ...) - archvsync 20171017 @@ -45883,6 +45883,7 @@ CVE-2017-0904 RESERVED CVE-2017-0903 (RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a ...) + {DSA-4031-1} - ruby2.3 (bug #879231) - ruby2.1 - ruby1.9.1 @@ -45936,7 +45937,7 @@ NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch NOTE: Not considered a vulnerability per se, if this affects a terminal emulator it's a bug there CVE-2017-0898 (Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious ...) - {DLA-1114-1 DLA-1113-1} + {DSA-4031-1 DLA-1114-1 DLA-1113-1} - ruby2.3 (bug #875936) - ruby2.1 - ruby1.9.1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57562 - data/CVE
Author: carnil Date: 2017-11-11 20:32:20 + (Sat, 11 Nov 2017) New Revision: 57562 Modified: data/CVE/list Log: Adjust one webkit2gtk entry Modified: data/CVE/list === --- data/CVE/list 2017-11-11 19:46:47 UTC (rev 57561) +++ data/CVE/list 2017-11-11 20:32:20 UTC (rev 57562) @@ -8206,7 +8206,7 @@ RESERVED CVE-2017-13788 RESERVED - - webkit2gtk 2.18.1-1 (unimportant) + - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13787 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57561 - data/CVE
Author: carnil Date: 2017-11-11 19:46:47 + (Sat, 11 Nov 2017) New Revision: 57561 Modified: data/CVE/list Log: Drop broken entry Rationale: No need to add as well the release notes for 9.5.10 only. But definitively it's not needed to add a reference to the debian-security-announce entry (it got added anyway to an unrelated CVE entry). Modified: data/CVE/list === --- data/CVE/list 2017-11-11 19:21:50 UTC (rev 57560) +++ data/CVE/list 2017-11-11 19:46:47 UTC (rev 57561) @@ -4407,9 +4407,7 @@ - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code does not exist) - NOTE: https://www.postgresql.org/docs/current/static/release-9-5-10.html CVE-2017-15097 - NOTE: https://lists.debian.org/debian-security-announce/2017/msg00291.html RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) - glusterfs 3.12.2-2 (bug #880017) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
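Review bot: the removal is correct as far as the misplaced `NOTE: https://lists.debian.org/debian-security-announce/2017/msg00291.html` line goes, since it sat under CVE-2017-15097, a RESERVED entry with no package lines, rather than under the entry the announcement concerns; if that announcement is relevant to one of the postgresql entries, the reference should be re-added there rather than dropped outright.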
[Secure-testing-commits] r57558 - data
Author: opal Date: 2017-11-11 19:13:13 + (Sat, 11 Nov 2017) New Revision: 57558 Modified: data/dla-needed.txt Log: Triage result. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-11 19:07:08 UTC (rev 57557) +++ data/dla-needed.txt 2017-11-11 19:13:13 UTC (rev 57558) @@ -90,6 +90,9 @@ qemu-kvm NOTE: 20171012 Can wait for more issues to pile up -- +roundcube + NOTE: Regarding CVE-2017-16651. The code looks vulnerable in a similar way as later versions but patches will not apply cleanly as the code is rather different. The problem sounds serious though so it should be fixed. +-- rsync (Thorsten Alteholz) -- rtpproxy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
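Review bot: the new roundcube NOTE lacks the date prefix that the neighbouring qemu-kvm entry uses (`NOTE: 20171012 ...`), so a later reader cannot tell how old the "patches will not apply cleanly" assessment is; prefix it with the triage date. It would also help to name the affected file or function that "looks vulnerable in a similar way", since the note explicitly says the wheezy code differs from the versions the upstream patch targets.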
[Secure-testing-commits] r57560 - data
Author: opal Date: 2017-11-11 19:21:50 + (Sat, 11 Nov 2017) New Revision: 57560 Modified: data/dla-needed.txt Log: Told that the package shall be removed. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-11 19:19:22 UTC (rev 57559) +++ data/dla-needed.txt 2017-11-11 19:21:50 UTC (rev 57560) @@ -35,6 +35,11 @@ libextractor NOTE: not all patches available, so didn't bothered maintainer yet -- +libnet-ping-external-perl + NOTE: The solution for jessie is to remove the package from the archieve. + NOTE: The same should be done in wheezy too. So the action for this + NOTE: package is to contact the FTP masters in order to handle this. +-- libofx (Thorsten Alteholz) -- libreoffice (Emilio Pozuelo) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
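Review bot: "archieve" in the first added NOTE line should read "archive". More substantively, the note says the package is to be removed from jessie and wheezy but does not name the CVE(s) driving the removal, so the corresponding data/CVE/list entries cannot be cross-checked or marked consistently once the FTP masters act; add the CVE id(s) and a date prefix to the NOTE.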
[Secure-testing-commits] r57559 - data/CVE
Author: opal Date: 2017-11-11 19:19:22 + (Sat, 11 Nov 2017) New Revision: 57559 Modified: data/CVE/list Log: Triage result. Modified: data/CVE/list === --- data/CVE/list 2017-11-11 19:13:13 UTC (rev 57558) +++ data/CVE/list 2017-11-11 19:19:22 UTC (rev 57559) @@ -159,6 +159,7 @@ RESERVED CVE-2017-16711 (The swf_DefineLosslessBitsTagToImage function in lib/modules/swfbits.c ...) - swftools (bug #881390) + [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/46 CVE-2017-16710 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57557 - data
Author: opal Date: 2017-11-11 19:07:08 + (Sat, 11 Nov 2017) New Revision: 57557 Modified: data/dla-needed.txt Log: Triage update. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-11 19:01:12 UTC (rev 57556) +++ data/dla-needed.txt 2017-11-11 19:07:08 UTC (rev 57557) @@ -74,6 +74,8 @@ openjdk-7 (Emilio Pozuelo) -- php5 + NOTE: Proposed release date 2017-12-15. The one issue seen so far is not severe. + NOTE: See packages/php5.txt for further information about handling. -- poppler (Markus Koschany) NOTE: not fixed in sid yet so did not ping maintainer ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57556 - data
Author: opal Date: 2017-11-11 19:01:12 + (Sat, 11 Nov 2017) New Revision: 57556 Modified: data/dla-needed.txt Log: Triage result Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-11 18:50:19 UTC (rev 57555) +++ data/dla-needed.txt 2017-11-11 19:01:12 UTC (rev 57556) @@ -73,6 +73,8 @@ -- openjdk-7 (Emilio Pozuelo) -- +php5 +-- poppler (Markus Koschany) NOTE: not fixed in sid yet so did not ping maintainer NOTE: drawForm is doForm1 in wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57555 - data
Author: opal Date: 2017-11-11 18:50:19 + (Sat, 11 Nov 2017) New Revision: 57555 Modified: data/dla-needed.txt Log: Triage result Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-11 18:30:04 UTC (rev 57554) +++ data/dla-needed.txt 2017-11-11 18:50:19 UTC (rev 57555) @@ -41,6 +41,8 @@ NOTE: regression update, see: NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html -- +libspring-ldap-java +-- libvorbis (Guido Günther) NOTE: 20170829: no fix available yet NOTE: asked for reproducers for CVE-2017-14160 and CVE-2017-14633 on ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
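Review bot: `libspring-ldap-java` is added to dla-needed.txt as a bare entry with no NOTE naming the CVE or summarising the triage result, unlike the surrounding entries; add at least `NOTE: <date> CVE-... see data/CVE/list` so whoever claims it knows what to work on.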
[Secure-testing-commits] r57554 - data/CVE
Author: opal Date: 2017-11-11 18:30:04 + (Sat, 11 Nov 2017) New Revision: 57554 Modified: data/CVE/list Log: Triage result. Modified: data/CVE/list === --- data/CVE/list 2017-11-11 18:04:31 UTC (rev 57553) +++ data/CVE/list 2017-11-11 18:30:04 UTC (rev 57554) @@ -238,11 +238,13 @@ NOT-FOR-US: Datto Backup Agent CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) - asterisk 1:13.18.1~dfsg-1 (bug #881256) + [wheezy] - asterisk (Minor issue) NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 ...) - asterisk 1:13.18.1~dfsg-1 (bug #881257) + [wheezy] - asterisk (Vulnerable code do not exist) NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 @@ -270,6 +272,7 @@ RESERVED CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper ...) - backintime (bug #881205) + [wheezy] - backintime (Vulnerable code does not exist) NOTE: https://github.com/bit-team/backintime/issues/834 NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
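Review bot: the CVE-2017-16671 wheezy annotation reads `(Vulnerable code do not exist)` while the backintime hunk in the same commit uses the conventional `(Vulnerable code does not exist)`; keep the standard wording so the tracker's tooling and grep-based checks treat both entries the same way. For CVE-2017-16672 the `(Minor issue)` tag on wheezy would benefit from a short reason, given that the jessie/stretch lines are not annotated at all.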
[Secure-testing-commits] r57553 - data/CVE
Author: opal Date: 2017-11-11 18:04:31 + (Sat, 11 Nov 2017) New Revision: 57553 Modified: data/CVE/list Log: Triage result. Modified: data/CVE/list === --- data/CVE/list 2017-11-11 14:39:13 UTC (rev 57552) +++ data/CVE/list 2017-11-11 18:04:31 UTC (rev 57553) @@ -4402,7 +4402,10 @@ - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) + [wheezy] - postgresql-9.1 (Vulnerable code does not exist) + NOTE: https://www.postgresql.org/docs/current/static/release-9-5-10.html CVE-2017-15097 + NOTE: https://lists.debian.org/debian-security-announce/2017/msg00291.html RESERVED CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) - glusterfs 3.12.2-2 (bug #880017) @@ -13076,6 +13079,7 @@ [jessie] - postgresql-9.4 9.4.15-0+deb8u1 - postgresql-9.1 (unimportant) [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) + [wheezy] - postgresql-9.1 (Vulnerable code not installed) NOTE: Issue in sample init-scirpt as provided by postgresql project, but not installed CVE-2017-12171 [httpd: # character matches all IPs] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
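Review bot: the added `NOTE: https://lists.debian.org/debian-security-announce/2017/msg00291.html` line lands under `CVE-2017-15097`, a RESERVED entry with no package lines, instead of under the postgresql entry it belongs to; move it up with the other postgresql NOTEs or drop it. The `release-9-5-10.html` link uses the `/docs/current/` path, which rotates as PostgreSQL majors go out of support, so a versioned URL would be more durable. Minor wording point: the second hunk uses `(Vulnerable code not installed)` whereas the first uses `(Vulnerable code does not exist)`; both are valid but the existing NOTE already explains the init-script is not shipped, so the phrasing could be aligned.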
[Secure-testing-commits] r57552 - in data: . DSA
Author: carnil Date: 2017-11-11 14:39:13 + (Sat, 11 Nov 2017) New Revision: 57552 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for ruby2.3 update Modified: data/DSA/list === --- data/DSA/list 2017-11-11 12:59:39 UTC (rev 57551) +++ data/DSA/list 2017-11-11 14:39:13 UTC (rev 57552) @@ -1,3 +1,6 @@ +[11 Nov 2017] DSA-4031-1 ruby2.3 - security update + {CVE-2017-0898 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033} + [stretch] - ruby2.3 2.3.3-1+deb9u2 [10 Nov 2017] DSA-4006-2 mupdf - security update {CVE-2017-15587} [jessie] - mupdf 1.5-1+deb8u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-11 12:59:39 UTC (rev 57551) +++ data/dsa-needed.txt 2017-11-11 14:39:13 UTC (rev 57552) @@ -45,10 +45,6 @@ -- qemu/oldstable -- -ruby2.3 (carnil) - Maintainer (terceiro) proposed update, needs review and ack - Upload reviewed and acked to be uploaded (including additional change) --- salt -- simplesamlphp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57551 - data/CVE
Author: jbicha Date: 2017-11-11 12:59:39 + (Sat, 11 Nov 2017) New Revision: 57551 Modified: data/CVE/list Log: correct a few recent webkit2gtk version references Modified: data/CVE/list === --- data/CVE/list 2017-11-11 11:10:48 UTC (rev 57550) +++ data/CVE/list 2017-11-11 12:59:39 UTC (rev 57551) @@ -8144,7 +8144,7 @@ RESERVED CVE-2017-13803 RESERVED - - webkit2gtk 2.18.1-1 (unimportant) + - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13802 @@ -8160,7 +8160,7 @@ RESERVED CVE-2017-13798 RESERVED - - webkit2gtk 2.18.1-1 (unimportant) + - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13797 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57550 - data/DLA
Author: myon Date: 2017-11-11 11:10:48 + (Sat, 11 Nov 2017) New Revision: 57550 Modified: data/DLA/list Log: postgresql-common 134wheezy6 (CVE-2017-8806) Modified: data/DLA/list === --- data/DLA/list 2017-11-11 10:05:34 UTC (rev 57549) +++ data/DLA/list 2017-11-11 11:10:48 UTC (rev 57550) @@ -1,3 +1,6 @@ +[11 Nov 2017] DLA-1169-1 postgresql-common - security update + {CVE-2017-8806} + [wheezy] - postgresql-common 134wheezy6 [10 Nov 2017] DLA-1168-1 graphicsmagick - security update {CVE-2017-16669} [wheezy] - graphicsmagick 1.3.16-1.1+deb7u14 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57549 - data
Author: carnil Date: 2017-11-11 10:05:34 + (Sat, 11 Nov 2017) New Revision: 57549 Modified: data/dsa-needed.txt Log: Take ruby2.3 from dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-11 09:36:59 UTC (rev 57548) +++ data/dsa-needed.txt 2017-11-11 10:05:34 UTC (rev 57549) @@ -45,7 +45,7 @@ -- qemu/oldstable -- -ruby2.3 +ruby2.3 (carnil) Maintainer (terceiro) proposed update, needs review and ack Upload reviewed and acked to be uploaded (including additional change) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57548 - data/CVE
Author: gcs Date: 2017-11-11 09:36:59 + (Sat, 11 Nov 2017) New Revision: 57548 Modified: data/CVE/list Log: Add CVE-2017-13134/graphicsmagick Modified: data/CVE/list === --- data/CVE/list 2017-11-11 09:15:34 UTC (rev 57547) +++ data/CVE/list 2017-11-11 09:36:59 UTC (rev 57548) @@ -9812,9 +9812,11 @@ CVE-2017-13134 (In ImageMagick 7.0.6-6, a heap-based buffer over-read was found in the ...) {DLA-1081-1} - imagemagick (bug #873099) + - graphicsmagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/670 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5304ae14655a67b9a3db00563fe44d9abd6de4f0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1b234b4fe2ec864b2d5af898a31c06c9736da904 + NOTE: GraphicsMagick: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b47e0078e05 CVE-2017-13133 (In ImageMagick 7.0.6-8, the load_level function in coders/xcf.c lacks ...) {DLA-1081-1} - imagemagick (low; bug #873100) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
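Review bot: the new `- graphicsmagick` line carries no fixed version, no bug reference and no severity, so the tracker will list graphicsmagick as unfixed in every suite, while the existing `{DLA-1081-1}` reference above it applies to the imagemagick fix; if the hg revision 1b47e0078e05 in the added NOTE is the GraphicsMagick fix, record the first fixed Debian version (or `<unfixed>` with a bug number) on that line so the status is accurate.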
[Secure-testing-commits] r57547 - data/CVE
Author: carnil Date: 2017-11-11 09:15:34 + (Sat, 11 Nov 2017) New Revision: 57547 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-11 09:10:16 UTC (rev 57546) +++ data/CVE/list 2017-11-11 09:15:34 UTC (rev 57547) @@ -9,15 +9,15 @@ CVE-2017-16786 RESERVED CVE-2017-16784 (In CMS Made Simple 2.2.2, there is Reflected XSS via the ...) - TODO: check + NOT-FOR-US: CMS Made Simple CVE-2017-16783 (In CMS Made Simple 2.1.6, there is Server-Side Template Injection via ...) - TODO: check + NOT-FOR-US: CMS Made Simple CVE-2017-16782 (In Home Assistant before 0.57, it is possible to inject JavaScript code ...) TODO: check CVE-2017-16781 (The installer in MyBB before 1.8.13 has XSS. ...) - TODO: check + NOT-FOR-US: MyBB CVE-2017-16780 (The installer in MyBB before 1.8.13 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: MyBB CVE-2017-16785 (Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. ...) - cacti NOTE: https://github.com/Cacti/cacti/issues/1071 @@ -615,7 +615,7 @@ CVE-2017-16521 (In Inedo BuildMaster before 5.8.2, XslTransform was used where ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16520 (Inedo BuildMaster before 5.8.2 does not properly restrict creation of ...) - TODO: check + NOT-FOR-US: Inedo BuildMaster CVE-2017-16519 RESERVED CVE-2017-16518 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57546 - data/CVE
Author: sectracker Date: 2017-11-11 09:10:16 + (Sat, 11 Nov 2017) New Revision: 57546 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-11 09:08:20 UTC (rev 57545) +++ data/CVE/list 2017-11-11 09:10:16 UTC (rev 57546) @@ -1,4 +1,24 @@ -CVE-2017-16785 [reflected XSS via the PATH_INFO to host.php] +CVE-2017-16790 + RESERVED +CVE-2017-16789 + RESERVED +CVE-2017-16788 + RESERVED +CVE-2017-16787 + RESERVED +CVE-2017-16786 + RESERVED +CVE-2017-16784 (In CMS Made Simple 2.2.2, there is Reflected XSS via the ...) + TODO: check +CVE-2017-16783 (In CMS Made Simple 2.1.6, there is Server-Side Template Injection via ...) + TODO: check +CVE-2017-16782 (In Home Assistant before 0.57, it is possible to inject JavaScript code ...) + TODO: check +CVE-2017-16781 (The installer in MyBB before 1.8.13 has XSS. ...) + TODO: check +CVE-2017-16780 (The installer in MyBB before 1.8.13 allows remote attackers to execute ...) + TODO: check +CVE-2017-16785 (Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. ...) - cacti NOTE: https://github.com/Cacti/cacti/issues/1071 CVE-2017-16779 @@ -594,8 +614,8 @@ NOT-FOR-US: MitraStar CVE-2017-16521 (In Inedo BuildMaster before 5.8.2, XslTransform was used where ...) NOT-FOR-US: Inedo BuildMaster -CVE-2017-16520 - RESERVED +CVE-2017-16520 (Inedo BuildMaster before 5.8.2 does not properly restrict creation of ...) + TODO: check CVE-2017-16519 RESERVED CVE-2017-16518 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57545 - data/CVE
Author: fgeek-guest Date: 2017-11-11 09:08:20 + (Sat, 11 Nov 2017) New Revision: 57545 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-11 09:04:54 UTC (rev 57544) +++ data/CVE/list 2017-11-11 09:08:20 UTC (rev 57545) @@ -478,7 +478,7 @@ CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen on ...) NOT-FOR-US: Vonage CVE-2017-16562 (The UserPro plugin before 4.9.17.1 for WordPress, when used on a site ...) - TODO: check + NOT-FOR-US: WordPress plugin userpro CVE-2017-16561 (/view/friend_profile.php in Ingenious School Management System 2.3.0 is ...) NOT-FOR-US: Ingenious School Management System CVE-2017-16560 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57543 - data/CVE
Author: fgeek-guest Date: 2017-11-11 09:04:22 + (Sat, 11 Nov 2017) New Revision: 57543 Modified: data/CVE/list Log: CVE-2017-16711/swftools Modified: data/CVE/list === --- data/CVE/list 2017-11-11 09:02:16 UTC (rev 57542) +++ data/CVE/list 2017-11-11 09:04:22 UTC (rev 57543) @@ -138,7 +138,8 @@ CVE-2017-16712 RESERVED CVE-2017-16711 (The swf_DefineLosslessBitsTagToImage function in lib/modules/swfbits.c ...) - TODO: check + - swftools (bug #881390) + NOTE: https://github.com/matthiaskramm/swftools/issues/46 CVE-2017-16710 RESERVED CVE-2017-16709 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57544 - data/CVE
Author: carnil Date: 2017-11-11 09:04:54 + (Sat, 11 Nov 2017) New Revision: 57544 Modified: data/CVE/list Log: Add bug reference for CVE-2017-16546/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-11-11 09:04:22 UTC (rev 57543) +++ data/CVE/list 2017-11-11 09:04:54 UTC (rev 57544) @@ -514,7 +514,7 @@ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/ CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) - - imagemagick + - imagemagick (bug #881392) NOTE: https://github.com/ImageMagick/ImageMagick/commit/2130bf6f89ded32ef0c88a11694f107c52566c53 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816 NOTE: https://github.com/ImageMagick/ImageMagick/issues/851 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57542 - data/CVE
Author: carnil Date: 2017-11-11 09:02:16 + (Sat, 11 Nov 2017) New Revision: 57542 Modified: data/CVE/list Log: Add bug reference for CVE-2017-16669/graphicsmagick Modified: data/CVE/list === --- data/CVE/list 2017-11-11 08:50:44 UTC (rev 57541) +++ data/CVE/list 2017-11-11 09:02:16 UTC (rev 57542) @@ -229,7 +229,7 @@ RESERVED CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause ...) {DLA-1168-1} - - graphicsmagick + - graphicsmagick (bug #881391) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/450/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/135bdcb88b8d NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b9e64a8901e ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57541 - data/CVE
Author: fgeek-guest Date: 2017-11-11 08:50:44 + (Sat, 11 Nov 2017) New Revision: 57541 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-11 07:16:36 UTC (rev 57540) +++ data/CVE/list 2017-11-11 08:50:44 UTC (rev 57541) @@ -34,7 +34,7 @@ CVE-2017-16764 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: django_make_app CVE-2017-16763 (An exploitable vulnerability exists in the YAML parsing functionality ...) - TODO: check + NOT-FOR-US: Confire CVE-2017-16762 (Sanic before 0.5.1 allows reading arbitrary files with directory ...) NOT-FOR-US: Sanic CVE-2017-16761 (An Open Redirect vulnerability in Inedo BuildMaster before 5.8.2 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits