[Secure-testing-commits] r57647 - data/CVE

2017-11-14 Thread Henri Salo
Author: fgeek-guest
Date: 2017-11-15 07:19:41 + (Wed, 15 Nov 2017)
New Revision: 57647

Modified:
   data/CVE/list
Log:
CVE-2017-1001001/pluxml verified, bug submitted

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-15 06:41:59 UTC (rev 57646)
+++ data/CVE/list   2017-11-15 07:19:41 UTC (rev 57647)
@@ -1147,9 +1147,8 @@
NOTE: 
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=7292230dd185
NOTE: https://blogs.securiteam.com/index.php/archives/3494
 CVE-2017-1001001 (PluXml version 5.6 is vulnerable to stored cross-site 
scripting ...)
-   - pluxml 
+   - pluxml  (bug #881796)
NOTE: https://github.com/pluxml/PluXml/issues/253
-   TODO: check
 CVE-2017-1000244 (Jenkins Favorite Plugin version 2.2.0 and older is 
vulnerable to CSRF ...)
NOT-FOR-US: Jenkins plugin
 CVE-2017-1000243 (Jenkins Favorite Plugin 2.1.4 and older does not perform 
permission ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r57646 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-15 06:41:59 + (Wed, 15 Nov 2017)
New Revision: 57646

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-15 06:33:29 UTC (rev 57645)
+++ data/CVE/list   2017-11-15 06:41:59 UTC (rev 57646)
@@ -15869,6 +15869,7 @@
NOT-FOR-US: Adobe Acrobat Reader
 CVE-2017-11225
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2017-11224 (Adobe Acrobat Reader 2017.009.20058 and earlier, 
2017.008.30051 and ...)
NOT-FOR-US: Adobe Acrobat Reader
 CVE-2017-11223 (Adobe Acrobat Reader 2017.009.20058 and earlier, 
2017.008.30051 and ...)
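Review bot: the `+   NOT-FOR-US: Adobe` added under the still-RESERVED CVE-2017-11225 is a positional inference from the surrounding Acrobat Reader entries, not something the (unpublished) description supports, and it also uses a vaguer tag than the neighbouring `NOT-FOR-US: Adobe Acrobat Reader`. Consider recording the basis so the entry is revisited if the ID is later published for something Debian ships, e.g. `NOT-FOR-US: Adobe (RESERVED, inferred from adjacent Acrobat Reader CVEs)`; the same applies to the other RESERVED IDs marked in this commit.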
@@ -15889,10 +15890,12 @@
NOT-FOR-US: Adobe Acrobat Reader
 CVE-2017-11215
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2017-11214 (Adobe Acrobat Reader 2017.009.20058 and earlier, 
2017.008.30051 and ...)
NOT-FOR-US: Adobe Acrobat Reader
 CVE-2017-11213
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2017-11212 (Adobe Acrobat Reader 2017.009.20058 and earlier, 
2017.008.30051 and ...)
NOT-FOR-US: Adobe Acrobat Reader
 CVE-2017-11211 (Adobe Acrobat Reader 2017.009.20058 and earlier, 
2017.008.30051 and ...)
@@ -40941,10 +40944,12 @@
NOT-FOR-US: Adobe Acrobat Reader
 CVE-2017-3114
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2017-3113 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 
and ...)
NOT-FOR-US: Adobe Acrobat Reader
 CVE-2017-3112
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2017-3111
RESERVED
 CVE-2017-3110 (Adobe Experience Manager 6.1 and earlier has a sensitive data 
exposure ...)


[Secure-testing-commits] r57645 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-15 06:33:29 + (Wed, 15 Nov 2017)
New Revision: 57645

Modified:
   data/CVE/list
Log:
Firefox issues fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-15 06:30:36 UTC (rev 57644)
+++ data/CVE/list   2017-11-15 06:33:29 UTC (rev 57645)
@@ -25830,53 +25830,53 @@
RESERVED
 CVE-2017-7842
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7842
 CVE-2017-7841
RESERVED
 CVE-2017-7840
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7840
 CVE-2017-7839
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7839
 CVE-2017-7838
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7838
 CVE-2017-7837
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7837
 CVE-2017-7836
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7836
 CVE-2017-7835
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7835
 CVE-2017-7834
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7834
 CVE-2017-7833
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7833
 CVE-2017-7832
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7832
 CVE-2017-7831
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7831
 CVE-2017-7830
RESERVED
-   - firefox 
+   - firefox 57.0-1
- firefox-esr 52.5.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
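Review bot: the unchanged context under CVE-2017-7830 still carries the mfsa2017-25 reference with the anchor `#CVE-2017-7828` instead of `#CVE-2017-7830`, while the mfsa2017-24 line above it uses the matching `#CVE-2017-7830`; since this hunk touches that entry anyway, the anchor is worth correcting here so the two NOTE lines point at the same CVE.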
@@ -25884,17 +25884,17 @@
RESERVED
 CVE-2017-7828
RESERVED
-   - firefox 
+   - firefox 57.0-1
- firefox-esr 52.5.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
 CVE-2017-7827
RESERVED
-   - firefox 
+   - firefox 57.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7827
 CVE-2017-7826
RESERVED
-   - firefox 
+   - firefox 57.0-1
- firefox-esr 52.5.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7826


[Secure-testing-commits] r57644 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-15 06:30:36 + (Wed, 15 Nov 2017)
New Revision: 57644

Modified:
   data/CVE/list
Log:
firefox-esr issues fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-15 06:28:52 UTC (rev 57643)
+++ data/CVE/list   2017-11-15 06:30:36 UTC (rev 57644)
@@ -25877,7 +25877,7 @@
 CVE-2017-7830
RESERVED
- firefox 
-   - firefox-esr 
+   - firefox-esr 52.5.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
 CVE-2017-7829
@@ -25885,6 +25885,7 @@
 CVE-2017-7828
RESERVED
- firefox 
+   - firefox-esr 52.5.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
 CVE-2017-7827
@@ -25894,7 +25895,7 @@
 CVE-2017-7826
RESERVED
- firefox 
-   - firefox-esr 
+   - firefox-esr 52.5.0esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7826
 CVE-2017-7825


[Secure-testing-commits] r57643 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-15 06:28:52 + (Wed, 15 Nov 2017)
New Revision: 57643

Modified:
   data/CVE/list
Log:
Record fixes for chicken in experimental

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-15 05:33:19 UTC (rev 57642)
+++ data/CVE/list   2017-11-15 06:28:52 UTC (rev 57643)
@@ -15536,6 +15536,7 @@
[stretch] - yadm 1.06-1+deb9u1
NOTE: https://github.com/TheLocehiliosan/yadm/issues/74
 CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of 
CHICKEN ...)
+   [experimental] - chicken 4.12.0-0.2
- chicken  (bug #870266)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
@@ -21364,6 +21365,7 @@
 CVE-2017-9325
RESERVED
 CVE-2017-9334 (An incorrect "pair?" check in the Scheme 
"length" procedure results in ...)
+   [experimental] - chicken 4.12.0-0.2
- chicken  (low; bug #863884)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
@@ -29210,6 +29212,7 @@
NOT-FOR-US: SAP
 CVE-2017-6949 (An issue was discovered in CHICKEN Scheme through 4.12.0. When 
using a ...)
{DLA-908-1}
+   [experimental] - chicken 4.12.0-0.2
- chicken  (bug #858057)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
@@ -38791,6 +38794,7 @@
NOTE: https://github.com/docker/docker/compare/v1.12.5...v1.12.6
NOTE: 
https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
 CVE-2016-9954 (The backtrack compilation code in the Irregex package (aka 
IrRegular ...)
+   [experimental] - chicken 4.12.0-0.2
- chicken  (low; bug #851278)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
@@ -56987,12 +56991,14 @@
NOTE: Claimed to not affect ffmpeg
 CVE-2016-6831 (The "process-execute" and "process-spawn" 
procedures did not free ...)
{DLA-643-1}
+   [experimental] - chicken 4.12.0-0.2
- chicken  (bug #834845)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
NOTE: Fixed in the same upstream patch which is provided for 
CVE-2016-6830
 CVE-2016-6830 (The "process-execute" and "process-spawn" 
procedures in CHICKEN Scheme ...)
{DLA-643-1}
+   [experimental] - chicken 4.12.0-0.2
- chicken  (bug #834845)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)


[Secure-testing-commits] r57642 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-15 05:33:19 + (Wed, 15 Nov 2017)
New Revision: 57642

Modified:
   data/CVE/list
Log:
Add mediawiki entries

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 21:35:14 UTC (rev 57641)
+++ data/CVE/list   2017-11-15 05:33:19 UTC (rev 57642)
@@ -23118,20 +23118,34 @@
RESERVED
 CVE-2017-8815
RESERVED
+   - mediawiki 1:1.27.4-1
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
 CVE-2017-8814
RESERVED
+   - mediawiki 1:1.27.4-1
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
 CVE-2017-8813
REJECTED
 CVE-2017-8812
RESERVED
+   - mediawiki 1:1.27.4-1
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
 CVE-2017-8811
RESERVED
+   - mediawiki 1:1.27.4-1
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
 CVE-2017-8810
RESERVED
+   - mediawiki 1:1.27.4-1
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
 CVE-2017-8809
RESERVED
+   - mediawiki 1:1.27.4-1
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
 CVE-2017-8808
RESERVED
+   - mediawiki 1:1.27.4-1
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
 CVE-2017-8807
RESERVED
 CVE-2017-8806 (The Debian pg_ctlcluster, pg_createcluster, and 
pg_upgradecluster ...)
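Review bot: each of the seven RESERVED mediawiki entries records only the unstable fix (`- mediawiki 1:1.27.4-1`) with no suite annotation and no TODO, so nothing in the file signals that stretch, jessie and wheezy still need triage once the descriptions are published; consider adding a `TODO: check` per entry (as r57639 does for nova) or the appropriate `[stretch] - mediawiki ...` lines once the affected versions are known.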


[Secure-testing-commits] r57641 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 21:35:14 + (Tue, 14 Nov 2017)
New Revision: 57641

Modified:
   data/CVE/list
Log:
Record cacti fixes in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 21:15:32 UTC (rev 57640)
+++ data/CVE/list   2017-11-14 21:35:14 UTC (rev 57641)
@@ -93,7 +93,7 @@
 CVE-2017-16780 (The installer in MyBB before 1.8.13 allows remote attackers to 
execute ...)
NOT-FOR-US: MyBB
 CVE-2017-16785 (Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. 
...)
-   - cacti 
+   - cacti 1.1.27+ds1-3
[stretch] - cacti  (Vulnerable code does not exist)
[jessie] - cacti  (Vulnerable code does not exist)
[wheezy] - cacti  (Vulnerable code does not exist)
@@ -422,21 +422,21 @@
NOTE: 
https://github.com/derickr/timelib/commit/aa9156006e88565e1f1a5f7cc088b18322d57536
NOTE: 
https://github.com/php/php-src/commit/5c0455bf2c8cd3c25401407f158e820aa3b239e1
 CVE-2017-16661 (Cacti 1.1.27 allows remote authenticated administrators to 
read ...)
-   - cacti 
+   - cacti 1.1.27+ds1-3
[stretch] - cacti  (Vulnerable code does not exist)
[jessie] - cacti  (Vulnerable code does not exist)
[wheezy] - cacti  (Vulnerable code does not exist)
NOTE: https://github.com/Cacti/cacti/issues/1066
NOTE: affected code was introduced in the 1.x release
 CVE-2017-16660 (Cacti 1.1.27 allows remote authenticated administrators to 
conduct ...)
-   - cacti 
+   - cacti 1.1.27+ds1-3
[stretch] - cacti  (Vulnerable code does not exist)
[jessie] - cacti  (Vulnerable code does not exist)
[wheezy] - cacti  (Vulnerable code does not exist)
NOTE: https://github.com/Cacti/cacti/issues/1066
NOTE: affected code was introduced in the 1.x release
 CVE-2017-16641 (lib/rrd.php in Cacti 1.1.27 allows remote authenticated 
administrators ...)
-   - cacti  (bug #881110)
+   - cacti 1.1.27+ds1-3 (bug #881110)
NOTE: https://github.com/Cacti/cacti/issues/1057
NOTE: 
https://github.com/Cacti/cacti/commit/e8088bb6593e6a49d000c342d17402f01db8740e
 CVE-2017-16640


[Secure-testing-commits] r57640 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 21:15:32 + (Tue, 14 Nov 2017)
New Revision: 57640

Modified:
   data/CVE/list
Log:
Process some NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 21:15:21 UTC (rev 57639)
+++ data/CVE/list   2017-11-14 21:15:32 UTC (rev 57640)
@@ -3,7 +3,7 @@
 CVE-2017-16816
RESERVED
 CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site 
Migration & ...)
-   TODO: check
+   NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) 
plugin for WordPress
 CVE-2017-16820 [snmp plugin: double free or heap corruption]
- collectd  (bug #881757)
NOTE: https://github.com/collectd/collectd/issues/2291
@@ -11990,7 +11990,7 @@
 CVE-2017-12625 (Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x 
before ...)
NOT-FOR-US: Apache Hive
 CVE-2017-12624 (Apache CXF supports sending and receiving attachments via 
either the ...)
-   TODO: check
+   NOT-FOR-US: Apache CXF
 CVE-2017-12623 (An authorized user could upload a template which contained 
malicious ...)
NOT-FOR-US: Apache NiFi
 CVE-2017-12622
@@ -22342,7 +22342,7 @@
 CVE-2017-9086
RESERVED
 CVE-2017-9085 (Multiple cross-site scripting (XSS) vulnerabilities in Kodak 
InSite 6.5 ...)
-   TODO: check
+   NOT-FOR-US: Kodak InSite
 CVE-2017-9084
RESERVED
 CVE-2017-9083 (poppler 0.54.0, as used in Evince and other products, has a 
NULL ...)


[Secure-testing-commits] r57639 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 21:15:21 + (Tue, 14 Nov 2017)
New Revision: 57639

Modified:
   data/CVE/list
Log:
Add nova issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 21:10:19 UTC (rev 57638)
+++ data/CVE/list   2017-11-14 21:15:21 UTC (rev 57639)
@@ -1393,7 +1393,10 @@
 CVE-2017-16240
RESERVED
 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 
16.x through ...)
-   TODO: check
+   - nova 
+   NOTE: https://launchpad.net/bugs/1664931
+   NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html
+   TODO: check / verify affected versions
 CVE-2017-16238
RESERVED
 CVE-2017-16237 (In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file 
...)


[Secure-testing-commits] r57638 - data/CVE

2017-11-14 Thread security tracker role
Author: sectracker
Date: 2017-11-14 21:10:19 + (Tue, 14 Nov 2017)
New Revision: 57638

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 20:55:39 UTC (rev 57637)
+++ data/CVE/list   2017-11-14 21:10:19 UTC (rev 57638)
@@ -1,3 +1,9 @@
+CVE-2017-16817
+   RESERVED
+CVE-2017-16816
+   RESERVED
+CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site 
Migration & ...)
+   TODO: check
 CVE-2017-16820 [snmp plugin: double free or heap corruption]
- collectd  (bug #881757)
NOTE: https://github.com/collectd/collectd/issues/2291
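Review bot: the three new IDs (CVE-2017-16817, 16816, 16815) are inserted above `CVE-2017-16820`, which r57637 had placed at the top of the file while 16815 to 16819 did not exist yet; the list is otherwise in descending order (16820, then 16814), so the automatic update leaves 16820 out of sequence. Moving the CVE-2017-16820 block below CVE-2017-16817 restores the ordering the rest of the file follows.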
@@ -1386,8 +1392,8 @@
RESERVED
 CVE-2017-16240
RESERVED
-CVE-2017-16239
-   RESERVED
+CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 
16.x through ...)
+   TODO: check
 CVE-2017-16238
RESERVED
 CVE-2017-16237 (In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file 
...)
@@ -11949,12 +11955,10 @@
NOT-FOR-US: Ipswitch IMail
 CVE-2017-12637 (Directory traversal vulnerability in ...)
NOT-FOR-US: SAP
-CVE-2017-12636
-   RESERVED
+CVE-2017-12636 (CouchDB administrative users can configure the database server 
via ...)
- couchdb 
NOTE: http://www.openwall.com/lists/oss-security/2017/11/14/6
-CVE-2017-12635
-   RESERVED
+CVE-2017-12635 (Due to differences in the Erlang-based JSON parser and ...)
- couchdb 
NOTE: http://www.openwall.com/lists/oss-security/2017/11/14/6
 CVE-2017-12634
@@ -11982,8 +11986,8 @@
RESERVED
 CVE-2017-12625 (Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x 
before ...)
NOT-FOR-US: Apache Hive
-CVE-2017-12624
-   RESERVED
+CVE-2017-12624 (Apache CXF supports sending and receiving attachments via 
either the ...)
+   TODO: check
 CVE-2017-12623 (An authorized user could upload a template which contained 
malicious ...)
NOT-FOR-US: Apache NiFi
 CVE-2017-12622
@@ -17551,6 +17555,7 @@
 CVE-2017-10673 (admin/profile.php in GetSimple CMS 3.x has XSS in a name 
field. ...)
NOT-FOR-US: GetSimple CMS
 CVE-2017-10672 (Use-after-free in the XML-LibXML module through 2.0129 for 
Perl allows ...)
+   {DLA-1171-1}
- libxml-libxml-perl 2.0128+dfsg-5 (bug #866676)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=122246
NOTE: Pull request: https://github.com/shlomif/perl-XML-LibXML/pull/8
@@ -22333,8 +22338,8 @@
RESERVED
 CVE-2017-9086
RESERVED
-CVE-2017-9085
-   RESERVED
+CVE-2017-9085 (Multiple cross-site scripting (XSS) vulnerabilities in Kodak 
InSite 6.5 ...)
+   TODO: check
 CVE-2017-9084
RESERVED
 CVE-2017-9083 (poppler 0.54.0, as used in Evince and other products, has a 
NULL ...)
@@ -31247,10 +31252,10 @@
NOT-FOR-US: NVIDIA Windows GPU Display Driver
 CVE-2017-6276
RESERVED
-CVE-2017-6275
-   RESERVED
-CVE-2017-6274
-   RESERVED
+CVE-2017-6275 (An information disclosure vulnerability exists in the Thermal 
Driver, ...)
+   TODO: check
+CVE-2017-6274 (An elevation of Privilege vulnerability exists in the Thermal 
Driver, ...)
+   TODO: check
 CVE-2017-6273 (NVIDIA ADSP Firmware contains a vulnerability in the ADSP 
Loader ...)
NOT-FOR-US: NVIDIA ADSP Firmware
 CVE-2017-6272 (NVIDIA GPU Display Driver contains a vulnerability in the 
kernel mode ...)
@@ -31290,8 +31295,8 @@
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544
 CVE-2017-6265
RESERVED
-CVE-2017-6264
-   RESERVED
+CVE-2017-6264 (An elevation of privilege vulnerability exists in the NVIDIA 
GPU ...)
+   TODO: check
 CVE-2017-6263
RESERVED
 CVE-2017-6262


[Secure-testing-commits] r57637 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 20:55:39 + (Tue, 14 Nov 2017)
New Revision: 57637

Modified:
   data/CVE/list
Log:
CVE-2017-16820/collectd assigned

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 20:34:04 UTC (rev 57636)
+++ data/CVE/list   2017-11-14 20:55:39 UTC (rev 57637)
@@ -1,4 +1,4 @@
-CVE-2017- [snmp plugin: double free or heap corruption]
+CVE-2017-16820 [snmp plugin: double free or heap corruption]
- collectd  (bug #881757)
NOTE: https://github.com/collectd/collectd/issues/2291
 CVE-2017-16814


[Secure-testing-commits] r57636 - data/CVE

2017-11-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-14 20:34:04 + (Tue, 14 Nov 2017)
New Revision: 57636

Modified:
   data/CVE/list
Log:
libofx no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 20:29:22 UTC (rev 57635)
+++ data/CVE/list   2017-11-14 20:34:04 UTC (rev 57636)
@@ -5671,6 +5671,8 @@
RESERVED
 CVE-2017-14731 (ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows 
remote ...)
- libofx 1:0.9.11-5 (bug #877442)
+   [stretch] - libofx  (Minor issue)
+   [jessie] - libofx  (Minor issue)
NOTE: https://github.com/libofx/libofx/issues/10
NOTE: 
https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd
 CVE-2017-14730 (The init script in the Gentoo app-admin/logstash-bin package 
before ...)


[Secure-testing-commits] r57635 - data/CVE

2017-11-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-14 20:29:22 + (Tue, 14 Nov 2017)
New Revision: 57635

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 20:26:40 UTC (rev 57634)
+++ data/CVE/list   2017-11-14 20:29:22 UTC (rev 57635)
@@ -19,9 +19,9 @@
[jessie] - tcpdump  (Can be fixed along in a future update)
NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/645
 CVE-2017-16807 (A cross-site Scripting (XSS) vulnerability in Kirby Panel 
before 2.3.3, ...)
-   TODO: check
+   NOT-FOR-US: Kirby Panel
 CVE-2017-16806 (The Process function in 
RemoteTaskServer/WebServer/HttpServer.cs in ...)
-   TODO: check
+   NOT-FOR-US: Ulterius
 CVE-2017-16805 (In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to 
cause a ...)
- radare2 
NOTE: 
https://github.com/radare/radare2/commit/2ca9ab45891b6ae8e32b6c28c81eebca059cbe5d
@@ -8270,7 +8270,7 @@
NOTE: https://webkitgtk.org/security/WSA-2017-0009.html
NOTE: Not covered by security support
 CVE-2017-13797 (An issue was discovered in certain Apple products. iOS before 
11.1 is ...)
-   TODO: check
+   NOT-FOR-US: Apple-specific Webkit change (since not mentioned in 
webkitgtk releases)
 CVE-2017-13796 (An issue was discovered in certain Apple products. iOS before 
11.1 is ...)
- webkit2gtk 2.18.1-1 (unimportant)
NOTE: https://webkitgtk.org/security/WSA-2017-0009.html
@@ -8296,9 +8296,9 @@
NOTE: https://webkitgtk.org/security/WSA-2017-0009.html
NOTE: Not covered by security support
 CVE-2017-13790 (An issue was discovered in certain Apple products. Safari 
before ...)
-   TODO: check
+   NOT-FOR-US: Apple Safari
 CVE-2017-13789 (An issue was discovered in certain Apple products. Safari 
before ...)
-   TODO: check
+   NOT-FOR-US: Apple Safari
 CVE-2017-13788 (An issue was discovered in certain Apple products. iOS before 
11.1 is ...)
- webkit2gtk 2.18.3-1 (unimportant)
NOTE: https://webkitgtk.org/security/WSA-2017-0009.html
@@ -38589,7 +38589,7 @@
 CVE-2017-3768
RESERVED
 CVE-2017-3767 (A local privilege escalation vulnerability was identified in 
the ...)
-   TODO: check
+   NOT-FOR-US: Lenovo
 CVE-2017-3766
RESERVED
 CVE-2017-3765
@@ -44865,7 +44865,7 @@
 CVE-2017-1478
RESERVED
 CVE-2017-1477 (IBM Security Access Manager Appliance 9.0.3 is vulnerable to a 
XML ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1476
RESERVED
 CVE-2017-1475


[Secure-testing-commits] r57634 - data/CVE

2017-11-14 Thread Paul Mathijs Gevers
Author: elbrus
Date: 2017-11-14 20:26:40 + (Tue, 14 Nov 2017)
New Revision: 57634

Modified:
   data/CVE/list
Log:
[cacti] Update CVE-2017-16660 and CVE-2017-16661 with unaffected versions

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 20:16:41 UTC (rev 57633)
+++ data/CVE/list   2017-11-14 20:26:40 UTC (rev 57634)
@@ -92,8 +92,8 @@
[jessie] - cacti  (Vulnerable code does not exist)
[wheezy] - cacti  (Vulnerable code does not exist)
NOTE: https://github.com/Cacti/cacti/issues/1071
-NOTE: this is more or less a dublicate of CVE-2017-16641
-NOTE: one of the applied patches reopened the vulnerability
+   NOTE: this is more or less a dublicate of CVE-2017-16641
+   NOTE: one of the applied patches reopened the vulnerability
 CVE-2017-16779
RESERVED
 CVE-2017-16778
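Review bot: the two re-indented NOTE lines keep the misspelling "dublicate" from r57633; since the lines are being rewritten anyway, change it to "duplicate" in the same commit rather than leaving a second cleanup for later.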
@@ -417,12 +417,18 @@
NOTE: 
https://github.com/php/php-src/commit/5c0455bf2c8cd3c25401407f158e820aa3b239e1
 CVE-2017-16661 (Cacti 1.1.27 allows remote authenticated administrators to 
read ...)
- cacti 
+   [stretch] - cacti  (Vulnerable code does not exist)
+   [jessie] - cacti  (Vulnerable code does not exist)
[wheezy] - cacti  (Vulnerable code does not exist)
NOTE: https://github.com/Cacti/cacti/issues/1066
+   NOTE: affected code was introduced in the 1.x release
 CVE-2017-16660 (Cacti 1.1.27 allows remote authenticated administrators to 
conduct ...)
- cacti 
+   [stretch] - cacti  (Vulnerable code does not exist)
+   [jessie] - cacti  (Vulnerable code does not exist)
[wheezy] - cacti  (Vulnerable code does not exist)
NOTE: https://github.com/Cacti/cacti/issues/1066
+   NOTE: affected code was introduced in the 1.x release
 CVE-2017-16641 (lib/rrd.php in Cacti 1.1.27 allows remote authenticated 
administrators ...)
- cacti  (bug #881110)
NOTE: https://github.com/Cacti/cacti/issues/1057


[Secure-testing-commits] r57633 - data/CVE

2017-11-14 Thread Paul Mathijs Gevers
Author: elbrus
Date: 2017-11-14 20:16:41 + (Tue, 14 Nov 2017)
New Revision: 57633

Modified:
   data/CVE/list
Log:
[cacti] add info for CVE-2017-16785

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 20:08:34 UTC (rev 57632)
+++ data/CVE/list   2017-11-14 20:16:41 UTC (rev 57633)
@@ -88,7 +88,12 @@
NOT-FOR-US: MyBB
 CVE-2017-16785 (Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. 
...)
- cacti 
+   [stretch] - cacti  (Vulnerable code does not exist)
+   [jessie] - cacti  (Vulnerable code does not exist)
+   [wheezy] - cacti  (Vulnerable code does not exist)
NOTE: https://github.com/Cacti/cacti/issues/1071
+NOTE: this is more or less a dublicate of CVE-2017-16641
+NOTE: one of the applied patches reopened the vulnerability
 CVE-2017-16779
RESERVED
 CVE-2017-16778
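Review bot: the two added NOTE lines (`+NOTE: this is more or less a dublicate of CVE-2017-16641` and the one after it) start at column 0 instead of being indented under the CVE entry like the existing `NOTE: https://github.com/Cacti/cacti/issues/1071`, and "dublicate" should read "duplicate"; both are fixed in the follow-up commit r57634, but they are worth catching before commit since an unindented line is parsed as a new top-level entry by the tracker's list format.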


[Secure-testing-commits] r57632 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 20:08:34 + (Tue, 14 Nov 2017)
New Revision: 57632

Modified:
   data/CVE/list
Log:
Add collectd issue, #881757

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 20:04:34 UTC (rev 57631)
+++ data/CVE/list   2017-11-14 20:08:34 UTC (rev 57632)
@@ -1,3 +1,6 @@
+CVE-2017- [snmp plugin: double free or heap corruption]
+   - collectd  (bug #881757)
+   NOTE: https://github.com/collectd/collectd/issues/2291
 CVE-2017-16814
RESERVED
 CVE-2017-16813


[Secure-testing-commits] r57631 - data

2017-11-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-14 20:04:34 + (Tue, 14 Nov 2017)
New Revision: 57631

Modified:
   data/dsa-needed.txt
Log:
take firefox


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-14 19:38:14 UTC (rev 57630)
+++ data/dsa-needed.txt 2017-11-14 20:04:34 UTC (rev 57631)
@@ -14,7 +14,7 @@
 --
 389-ds-base (fw)
 --
-firefox-esr (presumably jmm)
+firefox-esr (jmm)
 --
 graphicsmagick
 --


[Secure-testing-commits] r57630 - data

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 19:38:14 + (Tue, 14 Nov 2017)
New Revision: 57630

Modified:
   data/dsa-needed.txt
Log:
Add firefox-esr (possibly taken by jmm as usual)

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-14 19:38:10 UTC (rev 57629)
+++ data/dsa-needed.txt 2017-11-14 19:38:14 UTC (rev 57630)
@@ -14,6 +14,8 @@
 --
 389-ds-base (fw)
 --
+firefox-esr (presumably jmm)
+--
 graphicsmagick
 --
 imagemagick/oldstable (jmm)


[Secure-testing-commits] r57629 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 19:38:10 + (Tue, 14 Nov 2017)
New Revision: 57629

Modified:
   data/CVE/list
Log:
Add one more firefox-esr issue listed from mfsa2017-25

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 19:31:07 UTC (rev 57628)
+++ data/CVE/list   2017-11-14 19:38:10 UTC (rev 57629)
@@ -25837,13 +25837,16 @@
 CVE-2017-7830
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
 CVE-2017-7829
RESERVED
 CVE-2017-7828
RESERVED
- firefox 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
 CVE-2017-7827
RESERVED
- firefox 
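Review bot: the mfsa2017-25 NOTE added under CVE-2017-7830 uses the anchor `#CVE-2017-7828`, which is the anchor of the CVE-2017-7828 entry just below it; the line looks copied from that entry without the anchor being updated, so it should read `.../mfsa2017-25/#CVE-2017-7830` to match the mfsa2017-24 line directly above it.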
@@ -25853,6 +25856,7 @@
- firefox 
- firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7826
 CVE-2017-7825
RESERVED
- firefox  (Only affects Firefox on OS X)


[Secure-testing-commits] r57628 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 19:31:07 + (Tue, 14 Nov 2017)
New Revision: 57628

Modified:
   data/CVE/list
Log:
Add references for CVE-2017-1263{5,6}

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 18:31:55 UTC (rev 57627)
+++ data/CVE/list   2017-11-14 19:31:07 UTC (rev 57628)
@@ -11936,9 +11936,11 @@
 CVE-2017-12636
RESERVED
- couchdb 
+   NOTE: http://www.openwall.com/lists/oss-security/2017/11/14/6
 CVE-2017-12635
RESERVED
- couchdb 
+   NOTE: http://www.openwall.com/lists/oss-security/2017/11/14/6
 CVE-2017-12634
RESERVED
 CVE-2017-12633


[Secure-testing-commits] r57627 - data/CVE

2017-11-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-14 18:31:55 + (Tue, 14 Nov 2017)
New Revision: 57627

Modified:
   data/CVE/list
Log:
new couchdb issues


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 17:07:20 UTC (rev 57626)
+++ data/CVE/list   2017-11-14 18:31:55 UTC (rev 57627)
@@ -11935,8 +11935,10 @@
NOT-FOR-US: SAP
 CVE-2017-12636
RESERVED
+   - couchdb 
 CVE-2017-12635
RESERVED
+   - couchdb 
 CVE-2017-12634
RESERVED
 CVE-2017-12633




[Secure-testing-commits] r57626 - in data: . DLA

2017-11-14 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-11-14 17:07:20 + (Tue, 14 Nov 2017)
New Revision: 57626

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1171-1 for libxml-libxml-perl

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-14 16:56:12 UTC (rev 57625)
+++ data/DLA/list   2017-11-14 17:07:20 UTC (rev 57626)
@@ -1,3 +1,6 @@
+[14 Nov 2017] DLA-1171-1 libxml-libxml-perl - security update
+   {CVE-2017-10672}
+   [wheezy] - libxml-libxml-perl 2.0001+dfsg-1+deb7u2
 [14 Nov 2017] DLA-1170-1 graphicsmagick - security update
{CVE-2017-13134 CVE-2017-16547}
[wheezy] - graphicsmagick 1.3.16-1.1+deb7u15

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-14 16:56:12 UTC (rev 57625)
+++ data/dla-needed.txt 2017-11-14 17:07:20 UTC (rev 57626)
@@ -49,8 +49,6 @@
   NOTE: asked for reproducers for CVE-2017-14160 and CVE-2017-14633 on
   NOTE: gitlab and vendor-sec
 --
-libxml-libxml-perl (Raphaël Hertzog)
---
 libxml2 (Thorsten Alteholz)
   NOTE: bugfix needs confirmation by upstream
 --



[Secure-testing-commits] r57625 - data/CVE

2017-11-14 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-11-14 16:56:12 + (Tue, 14 Nov 2017)
New Revision: 57625

Modified:
   data/CVE/list
Log:
Update data for CVE-2017-10672

* experimental entry is no longer required
* update pull request URL to the one that got merged

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 16:48:41 UTC (rev 57624)
+++ data/CVE/list   2017-11-14 16:56:12 UTC (rev 57625)
@@ -17531,10 +17531,9 @@
 CVE-2017-10673 (admin/profile.php in GetSimple CMS 3.x has XSS in a name 
field. ...)
NOT-FOR-US: GetSimple CMS
 CVE-2017-10672 (Use-after-free in the XML-LibXML module through 2.0129 for 
Perl allows ...)
-   [experimental] - libxml-libxml-perl 2.0128+dfsg-4
- libxml-libxml-perl 2.0128+dfsg-5 (bug #866676)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=122246
-   NOTE: Pull request: https://github.com/shlomif/perl-XML-LibXML/pull/9
+   NOTE: Pull request: https://github.com/shlomif/perl-XML-LibXML/pull/8
 CVE-2017-10671 (Heap-based Buffer Overflow in the de_dotdot function in 
libhttpd.c in ...)
- thttpd 
 CVE-2017-10670 (An XML External Entity (XXE) issue exists in OSCI-Transport 
1.2 as used ...)




[Secure-testing-commits] r57624 - data

2017-11-14 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-11-14 16:48:41 + (Tue, 14 Nov 2017)
New Revision: 57624

Modified:
   data/dla-needed.txt
Log:
Take libxml-libxml-perl in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-14 16:05:33 UTC (rev 57623)
+++ data/dla-needed.txt 2017-11-14 16:48:41 UTC (rev 57624)
@@ -49,8 +49,7 @@
   NOTE: asked for reproducers for CVE-2017-14160 and CVE-2017-14633 on
   NOTE: gitlab and vendor-sec
 --
-libxml-libxml-perl
-  NOTE: 20170702: no upstream fix yet, so no need to bother maintainer yet, 
sent email later
+libxml-libxml-perl (Raphaël Hertzog)
 --
 libxml2 (Thorsten Alteholz)
   NOTE: bugfix needs confirmation by upstream



[Secure-testing-commits] r57623 - data

2017-11-14 Thread Roberto C. Sanchez
Author: roberto
Date: 2017-11-14 16:05:33 + (Tue, 14 Nov 2017)
New Revision: 57623

Modified:
   data/dla-needed.txt
Log:
Claim roundcube in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-14 15:42:24 UTC (rev 57622)
+++ data/dla-needed.txt 2017-11-14 16:05:33 UTC (rev 57623)
@@ -87,8 +87,7 @@
 qemu-kvm
   NOTE: 20171012 Can wait for more issues to pile up
 --
-roundcube
-  NOTE: Regarding CVE-2017-16651. The code looks vulnerable in a similar way 
as later versions but patches will not apply cleanly as the code is rather 
different. The problem sounds serious though so it should be fixed.
+roundcube (Roberto C. Sánchez)
 --
 rsync (Thorsten Alteholz)
 --



[Secure-testing-commits] r57622 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 15:42:24 + (Tue, 14 Nov 2017)
New Revision: 57622

Modified:
   data/CVE/list
Log:
ruby2.3 issues fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 15:38:26 UTC (rev 57621)
+++ data/CVE/list   2017-11-14 15:42:24 UTC (rev 57622)
@@ -7773,7 +7773,7 @@
RESERVED
 CVE-2017-14033 (The decode method in the OpenSSL::ASN1 module in Ruby before 
2.2.8, ...)
{DSA-4031-1 DLA-1114-1}
-   - ruby2.3  (bug #875928)
+   - ruby2.3 2.3.5-1 (bug #875928)
- ruby2.1 
- ruby1.9.1 
- ruby1.8  (vunlerable code not present)
@@ -17260,7 +17260,7 @@
RESERVED
 CVE-2017-10784 (The Basic authentication code in WEBrick library in Ruby 
before 2.2.8, ...)
{DSA-4031-1 DLA-1114-1 DLA-1113-1}
-   - ruby2.3  (bug #875931)
+   - ruby2.3 2.3.5-1 (bug #875931)
- ruby2.1 
- ruby1.9.1 
- ruby1.8 
@@ -45993,7 +45993,7 @@
NOT-FOR-US: private_address_check ruby gem
 CVE-2017-0903 (RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a 
...)
{DSA-4031-1}
-   - ruby2.3  (bug #879231)
+   - ruby2.3 2.3.5-1 (bug #879231)
- ruby2.1 
- ruby1.9.1 
[wheezy] - ruby1.9.1  (Vulnerable code introduced later)
@@ -46047,7 +46047,7 @@
NOTE: Not considered a vulnerability per se, if this affects a terminal 
emulator it's a bug there
 CVE-2017-0898 (Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a 
malicious ...)
{DSA-4031-1 DLA-1114-1 DLA-1113-1}
-   - ruby2.3  (bug #875936)
+   - ruby2.3 2.3.5-1 (bug #875936)
- ruby2.1 
- ruby1.9.1 
- ruby1.8 




[Secure-testing-commits] r57621 - in data: . CVE

2017-11-14 Thread Roberto C. Sanchez
Author: roberto
Date: 2017-11-14 15:38:26 + (Tue, 14 Nov 2017)
New Revision: 57621

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Annotate CVE-2017-16642 as not affecting php5 in wheezy; remove php5 from 
dla-needed.txt since no issues remain

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 15:11:08 UTC (rev 57620)
+++ data/CVE/list   2017-11-14 15:38:26 UTC (rev 57621)
@@ -402,6 +402,7 @@
- php7.1 7.1.11-1
- php7.0 7.0.25-1
- php5 
+   [wheezy] - php5  (Vulnerable code not present; proof of 
concept produces expected non-buggy output; upstream patch also appears overly 
intrusive)
NOTE: Fixed in: 5.6.32, 7.0.25, 7.1.11
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75055
NOTE: 
https://github.com/derickr/timelib/commit/aa9156006e88565e1f1a5f7cc088b18322d57536

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-14 15:11:08 UTC (rev 57620)
+++ data/dla-needed.txt 2017-11-14 15:38:26 UTC (rev 57621)
@@ -74,10 +74,6 @@
 --
 openjdk-7 (Emilio Pozuelo)
 --
-php5 (Roberto C. Sánchez)
-  NOTE: Proposed release date 2017-12-15. The one issue seen so far is not 
severe.
-  NOTE: See packages/php5.txt for further information about handling.
---
 poppler (Markus Koschany)
   NOTE: not fixed in sid yet so did not ping maintainer
   NOTE: drawForm is doForm1 in wheezy



[Secure-testing-commits] r57620 - data/CVE

2017-11-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-14 15:11:08 + (Tue, 14 Nov 2017)
New Revision: 57620

Modified:
   data/CVE/list
Log:
new firefox issues
one im issue no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 11:21:08 UTC (rev 57619)
+++ data/CVE/list   2017-11-14 15:11:08 UTC (rev 57620)
@@ -11238,6 +11238,7 @@
NOTE: https://github.com/ImageMagick/ImageMagick/issues/662
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/98dda239ec398dd56453460849b4c9057fc424e5
NOTE: ImageMagick-7: 
https://github.com/ImageMagick/ImageMagick/commit/04178de2247e353fc095846784b9a10fefdbf890
+   NOTE: This doesn't affect the base releases, but got introduced via 
security fixes, which got backported to older suites
 CVE-2017-12876 (Heap-based buffer overflow in enhance.c in ImageMagick before 
7.0.6-6 ...)
- imagemagick  (Specific to Imagemagick 7, 6.x uses fixed 
pixel cache morphology)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/663
@@ -14464,6 +14465,7 @@
 CVE-2017-13145 (In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the 
ReadJP2Image ...)
{DSA-4019-1}
- imagemagick 8:6.9.7.4+dfsg-13 (bug #869830)
+   [jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Vulnerable code not present)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/501
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/acee073df34aa4d491bf5cb74d3a15fc80f0a3aa
@@ -25784,38 +25786,69 @@
RESERVED
 CVE-2017-7842
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7842
 CVE-2017-7841
RESERVED
 CVE-2017-7840
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7840
 CVE-2017-7839
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7839
 CVE-2017-7838
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7838
 CVE-2017-7837
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7837
 CVE-2017-7836
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7836
 CVE-2017-7835
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7835
 CVE-2017-7834
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7834
 CVE-2017-7833
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7833
 CVE-2017-7832
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7832
 CVE-2017-7831
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7831
 CVE-2017-7830
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830
 CVE-2017-7829
RESERVED
 CVE-2017-7828
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828
 CVE-2017-7827
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7827
 CVE-2017-7826
RESERVED
+   - firefox 
+   - firefox-esr 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826
 CVE-2017-7825
RESERVED
- firefox  (Only affects Firefox on OS X)




[Secure-testing-commits] r57619 - data/CVE

2017-11-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-14 11:21:08 + (Tue, 14 Nov 2017)
New Revision: 57619

Modified:
   data/CVE/list
Log:
tcpdump no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 10:08:47 UTC (rev 57618)
+++ data/CVE/list   2017-11-14 11:21:08 UTC (rev 57619)
@@ -11,7 +11,9 @@
 CVE-2017-16809
RESERVED
 CVE-2017-16808 (tcpdump 4.9.2 has a heap-based buffer over-read related to 
aoe_print in ...)
-   - tcpdump 
+   - tcpdump  (low)
+   [stretch] - tcpdump  (Can be fixed along in a future update)
+   [jessie] - tcpdump  (Can be fixed along in a future update)
NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/645
 CVE-2017-16807 (A cross-site Scripting (XSS) vulnerability in Kirby Panel 
before 2.3.3, ...)
TODO: check




[Secure-testing-commits] r57618 - data/CVE

2017-11-14 Thread Santiago Ruano Rincón
Author: santiago
Date: 2017-11-14 10:08:47 + (Tue, 14 Nov 2017)
New Revision: 57618

Modified:
   data/CVE/list
Log:
CVE-2017-15565/poppler: add fix url

Signed-off-by: Santiago R.R 

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 09:48:40 UTC (rev 57617)
+++ data/CVE/list   2017-11-14 10:08:47 UTC (rev 57618)
@@ -3227,6 +3227,7 @@
 CVE-2017-15565 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the 
...)
- poppler  (bug #879066)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103016
+   NOTE: Fixed by: 
https://cgit.freedesktop.org/poppler/poppler/commit/?id=19ebd40547186a8ea6da08c8d8e2a6d6b7e84f5d
 CVE-2017-15564
RESERVED
 CVE-2017-15563




[Secure-testing-commits] r57617 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 09:48:40 + (Tue, 14 Nov 2017)
New Revision: 57617

Modified:
   data/CVE/list
Log:
Add radare2 issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 09:48:28 UTC (rev 57616)
+++ data/CVE/list   2017-11-14 09:48:40 UTC (rev 57617)
@@ -18,7 +18,9 @@
 CVE-2017-16806 (The Process function in 
RemoteTaskServer/WebServer/HttpServer.cs in ...)
TODO: check
 CVE-2017-16805 (In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to 
cause a ...)
-   TODO: check
+   - radare2 
+   NOTE: 
https://github.com/radare/radare2/commit/2ca9ab45891b6ae8e32b6c28c81eebca059cbe5d
+   NOTE: https://github.com/radare/radare2/issues/8813
 CVE-2017-16803 (In Libav through 11.11 and 12.x through 12.1, the 
smacker_decode_tree ...)
- libav 
- ffmpeg 




[Secure-testing-commits] r57616 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 09:48:28 + (Tue, 14 Nov 2017)
New Revision: 57616

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 09:35:10 UTC (rev 57615)
+++ data/CVE/list   2017-11-14 09:48:28 UTC (rev 57616)
@@ -7,7 +7,7 @@
 CVE-2017-16811
RESERVED
 CVE-2017-16810 (Cross-site scripting (XSS) vulnerability in the All Variables 
tab in ...)
-   TODO: check
+   NOT-FOR-US: Octopus Deploy
 CVE-2017-16809
RESERVED
 CVE-2017-16808 (tcpdump 4.9.2 has a heap-based buffer over-read related to 
aoe_print in ...)
@@ -3307,9 +3307,9 @@
 CVE-2017-15527
RESERVED
 CVE-2017-15526 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be 
...)
-   TODO: check
+   NOT-FOR-US: Symantec
 CVE-2017-15525 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be 
...)
-   TODO: check
+   NOT-FOR-US: Symantec
 CVE-2017-15524
RESERVED
 CVE-2017-15523
@@ -44339,7 +44339,7 @@
 CVE-2017-1711
RESERVED
 CVE-2017-1710 (A vulnerability in the Service Assistant GUI in IBM Storwize 
V7000 ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1709
RESERVED
 CVE-2017-1708
@@ -44853,7 +44853,7 @@
 CVE-2017-1454
RESERVED
 CVE-2017-1453 (IBM Security Access Manager Appliance 9.0.3 could allow a 
remote ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1452 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 
...)
NOT-FOR-US: IBM
 CVE-2017-1451 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 
...)
@@ -45301,7 +45301,7 @@
 CVE-2017-1230 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
uses ...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
 CVE-2017-1229 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) could 
allow a ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1228 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
could ...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
 CVE-2017-1227 (IBM Tivoli Endpoint Manager could allow a unauthorized user to 
consume ...)
@@ -45317,7 +45317,7 @@
 CVE-2017-1222 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
does not ...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
 CVE-2017-1221 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) does not 
require ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1220 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
 CVE-2017-1219 (IBM Tivoli Endpoint Manager is vulnerable to a XML External 
Entity ...)




[Secure-testing-commits] r57615 - data/CVE

2017-11-14 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-14 09:35:10 + (Tue, 14 Nov 2017)
New Revision: 57615

Modified:
   data/CVE/list
Log:
Add tcpdump issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 09:10:13 UTC (rev 57614)
+++ data/CVE/list   2017-11-14 09:35:10 UTC (rev 57615)
@@ -11,7 +11,8 @@
 CVE-2017-16809
RESERVED
 CVE-2017-16808 (tcpdump 4.9.2 has a heap-based buffer over-read related to 
aoe_print in ...)
-   TODO: check
+   - tcpdump 
+   NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/645
 CVE-2017-16807 (A cross-site Scripting (XSS) vulnerability in Kirby Panel 
before 2.3.3, ...)
TODO: check
 CVE-2017-16806 (The Process function in 
RemoteTaskServer/WebServer/HttpServer.cs in ...)




[Secure-testing-commits] r57614 - data/CVE

2017-11-14 Thread security tracker role
Author: sectracker
Date: 2017-11-14 09:10:13 + (Tue, 14 Nov 2017)
New Revision: 57614

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 08:26:59 UTC (rev 57613)
+++ data/CVE/list   2017-11-14 09:10:13 UTC (rev 57614)
@@ -1,3 +1,23 @@
+CVE-2017-16814
+   RESERVED
+CVE-2017-16813
+   RESERVED
+CVE-2017-16812
+   RESERVED
+CVE-2017-16811
+   RESERVED
+CVE-2017-16810 (Cross-site scripting (XSS) vulnerability in the All Variables 
tab in ...)
+   TODO: check
+CVE-2017-16809
+   RESERVED
+CVE-2017-16808 (tcpdump 4.9.2 has a heap-based buffer over-read related to 
aoe_print in ...)
+   TODO: check
+CVE-2017-16807 (A cross-site Scripting (XSS) vulnerability in Kirby Panel 
before 2.3.3, ...)
+   TODO: check
+CVE-2017-16806 (The Process function in 
RemoteTaskServer/WebServer/HttpServer.cs in ...)
+   TODO: check
+CVE-2017-16805 (In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to 
cause a ...)
+   TODO: check
 CVE-2017-16803 (In Libav through 11.11 and 12.x through 12.1, the 
smacker_decode_tree ...)
- libav 
- ffmpeg 
@@ -588,6 +608,7 @@
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112
NOTE: 
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 
1.3.26 does ...)
+   {DLA-1170-1}
- graphicsmagick 1.3.26-18
NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/
@@ -2429,6 +2450,7 @@
RESERVED
 CVE-2017-15923 [Crash in parsing IRC color formatting codes]
RESERVED
+   {DSA-4033-1}
- konversation 1.7.3-1 (bug #881586)
NOTE: 
https://cgit.kde.org/konversation.git/commit/?h=1.7&id=6a7f59ee1b9dbc6e5cf9e5f3b306504d02b73ef0
 CVE-2017-15922 (In GNU Libextractor 1.4, there is an out-of-bounds read in the 
...)
@@ -3283,10 +3305,10 @@
RESERVED
 CVE-2017-15527
RESERVED
-CVE-2017-15526
-   RESERVED
-CVE-2017-15525
-   RESERVED
+CVE-2017-15526 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be 
...)
+   TODO: check
+CVE-2017-15525 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be 
...)
+   TODO: check
 CVE-2017-15524
RESERVED
 CVE-2017-15523
@@ -9863,7 +9885,7 @@
 CVE-2017-13135
RESERVED
 CVE-2017-13134 (In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based 
buffer ...)
-   {DSA-4032-1 DLA-1081-1}
+   {DSA-4032-1 DLA-1170-1 DLA-1081-1}
- imagemagick  (bug #873099)
- graphicsmagick 1.3.26-19 (bug #881524)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/670
@@ -44315,8 +44337,8 @@
RESERVED
 CVE-2017-1711
RESERVED
-CVE-2017-1710
-   RESERVED
+CVE-2017-1710 (A vulnerability in the Service Assistant GUI in IBM Storwize 
V7000 ...)
+   TODO: check
 CVE-2017-1709
RESERVED
 CVE-2017-1708
@@ -44781,8 +44803,8 @@
RESERVED
 CVE-2017-1478
RESERVED
-CVE-2017-1477
-   RESERVED
+CVE-2017-1477 (IBM Security Access Manager Appliance 9.0.3 is vulnerable to a 
XML ...)
+   TODO: check
 CVE-2017-1476
RESERVED
 CVE-2017-1475
@@ -44829,8 +44851,8 @@
RESERVED
 CVE-2017-1454
RESERVED
-CVE-2017-1453
-   RESERVED
+CVE-2017-1453 (IBM Security Access Manager Appliance 9.0.3 could allow a 
remote ...)
+   TODO: check
 CVE-2017-1452 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 
...)
NOT-FOR-US: IBM
 CVE-2017-1451 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 
...)
@@ -45277,8 +45299,8 @@
RESERVED
 CVE-2017-1230 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
uses ...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
-CVE-2017-1229
-   RESERVED
+CVE-2017-1229 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) could 
allow a ...)
+   TODO: check
 CVE-2017-1228 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
could ...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
 CVE-2017-1227 (IBM Tivoli Endpoint Manager could allow a unauthorized user to 
consume ...)
@@ -45293,8 +45315,8 @@
NOT-FOR-US: IBM
 CVE-2017-1222 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
does not ...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
-CVE-2017-1221
-   RESERVED
+CVE-2017-1221 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) does not 
require ...)
+   TODO: check
 CVE-2017-1220 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) 
...)
NOT-FOR-US: IBM Tivoli Endpoint Manager
 CVE-2017-1219 (IBM Tivoli Endpoint Manager is vulnerable to a XML External 
Entity ...)
@@ -51369,8 +51391,7 @@
RESERVED
- glance  (unimportant)
NOTE: http://www.o

[Secure-testing-commits] r57613 - data/CVE

2017-11-14 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-11-14 08:26:59 + (Tue, 14 Nov 2017)
New Revision: 57613

Modified:
   data/CVE/list
Log:
libav issue also affects ffmpeg


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-14 06:25:30 UTC (rev 57612)
+++ data/CVE/list   2017-11-14 08:26:59 UTC (rev 57613)
@@ -1,8 +1,9 @@
 CVE-2017-16803 (In Libav through 11.11 and 12.x through 12.1, the 
smacker_decode_tree ...)
- libav 
+   - ffmpeg 
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1098
NOTE: 
https://github.com/libav/libav/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f
-   TODO: check, ffmpeg?
+   NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f
 CVE-2017-16802 (In the sharingGroupPopulateOrganisations function in ...)
NOT-FOR-US: MISP
 CVE-2017-16804 (In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders 
function ...)
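Review bot: the new ffmpeg NOTE URL carries exactly the same commit id as the libav NOTE above it (`cd4663dc80323ba64989d0c103d51ad3ee0e9c2f`); that is valid only if ffmpeg merged the libav commit unchanged, so confirm the id resolves in the ffmpeg tree before the `TODO: check, ffmpeg?` line is dropped, and otherwise replace it with the ffmpeg-side commit.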

