[Secure-testing-commits] r57696 - data/CVE
Author: carnil Date: 2017-11-17 06:20:29 + (Fri, 17 Nov 2017) New Revision: 57696 Modified: data/CVE/list Log: Add CVE-2017-16845/qemu Modified: data/CVE/list === --- data/CVE/list 2017-11-17 05:17:38 UTC (rev 57695) +++ data/CVE/list 2017-11-17 06:20:29 UTC (rev 57696) @@ -206,8 +206,11 @@ NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) NOT-FOR-US: Zoho ManageEngine Applications Manager -CVE-2017-16845 +CVE-2017-16845 [ps2: information leakage via post_load routine] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in formisc.c in ...) - procmail (bug #876511) CVE-2017-16843 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
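Review bot: the two new lines `- qemu` and `- qemu-kvm` in the @@ -206 hunk carry no fixed version, no Debian bug and no upstream fix reference, only the qemu-devel thread in the NOTE, so both packages are recorded as affected with nothing to resolve the entry against; the neighbouring procmail entry in the same hunk shows the expected shape (`- procmail (bug #876511)`), so a bug reference or a `NOTE: Fixed by:` line with the upstream commit should be added once the ps2 post_load fix lands, otherwise the RESERVED entry will stay open with no trail to follow.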
[Secure-testing-commits] r57695 - data/CVE
Author: carnil Date: 2017-11-17 05:17:38 + (Fri, 17 Nov 2017) New Revision: 57695 Modified: data/CVE/list Log: linux 4.13.13-1 released to unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:30:15 UTC (rev 57694) +++ data/CVE/list 2017-11-17 05:17:38 UTC (rev 57695) @@ -686,18 +686,18 @@ NOTE: release-1.2: https://github.com/roundcube/roundcubemail/commit/9be2224c779d7abc7b29eea2b83a8a3671c543e0 NOTE: https://github.com/roundcube/roundcubemail/issues/6026 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - - linux + - linux 4.13.13-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) - - linux + - linux 4.13.13-1 CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) - linux (Vulnerable code not present) CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) - - linux + - linux 4.13.13-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through ...) - - linux + - linux 4.13.13-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c ...) @@ -708,7 +708,7 @@ [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) - - linux + - linux 4.13.13-1 CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an ...) - php7.1 7.1.11-1 - php7.0 7.0.25-1 
@@ -969,9 +969,9 @@ - linux [wheezy] - linux (Vulnerable code not present) CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the Linux kernel ...) - - linux + - linux 4.13.13-1 CVE-2017-16536 (The cx231xx_usb_probe function in ...) - - linux + - linux 4.13.13-1 CVE-2017-16535 (The usb_get_bos_descriptor function in drivers/usb/core/config.c in the ...) - linux 4.13.10-1 NOTE: Fixed by: https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e @@ -984,7 +984,7 @@ - linux 4.13.10-1 NOTE: Fixed by: https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux ...) - - linux + - linux 4.13.13-1 NOTE: Fixed by: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows ...) - linux 4.13.10-1 @@ -4225,7 +4225,7 @@ CVE-2017-15307 RESERVED CVE-2017-15306 (The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c ...) - - linux + - linux 4.13.13-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/ac64115a66c18c01745bbd3c47a36b124e5fd8c0 (4.14-rc7) @@ -4761,7 +4761,7 @@ CVE-2017-15116 RESERVED CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel ...) - - linux + - linux 4.13.13-1 NOTE: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 (v4.14-rc6) CVE-2017-15114 [Passwordless access for non-libvirt related services when using shared certificate authority] RESERVED 
@@ -10365,7 +10365,7 @@ CVE-2017-13080 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 - - linux + - linux 4.13.13-1 NOTE: https://w1.fi/security/2017-1/ NOTE: https://git.kernel.org/linus/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e (v4.14-rc6) CVE-2017-13079 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w ...) @@ -13385,7 +13385,7 @@ RESERVED CVE-2017-12193 RESERVED - - linux + - linux 4.13.13-1 [wheezy] - linux (Vulnerable code introduced in 3.13-rc1) NOTE: Fixed by: https://git.kernel.org/linus/ea6789980fdaa610d7eb63602c746bf6ec70cd2b (4.14-rc7) NOTE: Introduced by: https://git.kernel.org/linus/3cb989501c2688cacbb7dc4b0d353faf838f53a1 (3.13-rc1)
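Review bot: in the @@ -686 hunk the entries switched from `- linux` to `- linux 4.13.13-1` (CVE-2017-16650, CVE-2017-16649, CVE-2017-16647, CVE-2017-16646) have no `NOTE: Fixed by:` reference, unlike CVE-2017-16535 and CVE-2017-16532 later in the same patch, which point at the git.kernel.org commit; CVE-2017-16650 and CVE-2017-16649 also have no [jessie] or [stretch] line at all, so the stable status cannot be derived from the entry. Adding the fixing commit for each of the newly versioned entries would let the suite backport status be checked the same way as for the 4.13.10-1 entries.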
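Review bot: in the @@ -10365 hunk, CVE-2017-13080 now lists `- linux 4.13.13-1` under the same `{DSA-3999-1 DLA-1150-1}` line that was recorded when only `- wpa 2:2.4-1.1` was present, but the linux line gets no [stretch]/[jessie]/[wheezy] status, so the kernel side of this CVE is neither marked fixed nor marked pending for the stable suites while the advisory ids sit above both packages. Suggest adding suite lines for linux, or a NOTE stating that the git.kernel.org commit already referenced (v4.14-rc6) is still to be backported, so the wpa and kernel halves of the fix are kept apart.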
[Secure-testing-commits] r57694 - data/CVE
Author: carnil Date: 2017-11-16 21:30:15 + (Thu, 16 Nov 2017) New Revision: 57694 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:27:42 UTC (rev 57693) +++ data/CVE/list 2017-11-16 21:30:15 UTC (rev 57694) @@ -195,17 +195,17 @@ CVE-2017-16854 RESERVED CVE-2017-16851 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16850 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16849 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16848 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16847 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16845 RESERVED CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in formisc.c in ...) @@ -903,7 +903,7 @@ CVE-2017-16561 (/view/friend_profile.php in Ingenious School Management System 2.3.0 is ...) NOT-FOR-US: Ingenious School Management System CVE-2017-16560 (SanDisk Secure Access 3.01 vault decrypts and copies encrypted files ...) - TODO: check + NOT-FOR-US: SanDisk Secure Access CVE-2017-16559 RESERVED CVE-2017-16558 
@@ -122915,7 +122915,7 @@ CVE-2014-2846 (Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php ...) NOT-FOR-US: Arkeia Server Backup CVE-2014-2845 (Cyberduck before 4.4.4 on Windows does not properly validate X.509 ...) - TODO: check + NOT-FOR-US: Cyberduck on Windows CVE-2014-2844 (Cross-site scripting (XSS) vulnerability in F-Secure Messaging Secure ...) NOT-FOR-US: F-Secure Messaging Secure Gateway CVE-2014-2843
[Secure-testing-commits] r57692 - data/CVE
Author: carnil Date: 2017-11-16 21:27:31 + (Thu, 16 Nov 2017) New Revision: 57692 Modified: data/CVE/list Log: Process one NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:27:20 UTC (rev 57691) +++ data/CVE/list 2017-11-16 21:27:31 UTC (rev 57692) @@ -33044,7 +33044,7 @@ CVE-2017-5739 RESERVED CVE-2017-5738 (Escalation of privilege vulnerability in admin portal for Intel Unite ...) - TODO: check + NOT-FOR-US: Intel Unite App CVE-2017-5737 RESERVED CVE-2017-5736
[Secure-testing-commits] r57691 - data/CVE
Author: carnil Date: 2017-11-16 21:27:20 + (Thu, 16 Nov 2017) New Revision: 57691 Modified: data/CVE/list Log: Add CVE-2017-16855/ipsilon Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:20:20 UTC (rev 57690) +++ data/CVE/list 2017-11-16 21:27:20 UTC (rev 57691) @@ -191,7 +191,7 @@ CVE-2017-16856 RESERVED CVE-2017-16855 (Ipsilon before 2.1.0 has a "SAML2 multi-session vulnerability." ...) - TODO: check + - ipsilon (bug #826838) CVE-2017-16854 RESERVED CVE-2017-16851 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...)
[Secure-testing-commits] r57693 - data/CVE
Author: carnil Date: 2017-11-16 21:27:42 + (Thu, 16 Nov 2017) New Revision: 57693 Modified: data/CVE/list Log: Convert older CVE entries for Ipsilon to respective ITP/RFP bug Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:27:31 UTC (rev 57692) +++ data/CVE/list 2017-11-16 21:27:42 UTC (rev 57693) @@ -89178,7 +89178,7 @@ CVE-2015-5302 (libreport 2.0.7 before 2.6.3 only saves changes to the first file when ...) NOT-FOR-US: abrt/libreport CVE-2015-5301 (providers/saml2/admin.py in the Identity Provider (IdP) server in ...) - NOT-FOR-US: Ipsilon + - ipsilon (bug #826838) CVE-2015-5300 (The panic_gate check in NTP before 4.2.8p5 is only re-enabled after ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-2 @@ -89523,13 +89523,13 @@ - util-linux 2.27-1 (unimportant; bug #798067) NOTE: https://www.spinics.net/lists/util-linux-ng/msg11873.html CVE-2015-5217 (providers/saml2/admin.py in the Identity Provider (IdP) server in ...) - NOT-FOR-US: Ipsilon + - ipsilon (bug #826838) CVE-2015-5216 RESERVED - NOT-FOR-US: Ipsilon + - ipsilon (bug #826838) CVE-2015-5215 RESERVED - NOT-FOR-US: Ipsilon + - ipsilon (bug #826838) CVE-2015-5214 (LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc2-1
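Review bot: in the @@ -89523 hunk (and the identical change in @@ -89178, as well as the CVE-2017-16855 entry from r57691) the `- ipsilon (bug #826838)` lines turn a NOT-FOR-US marker into a source package entry, but the log says #826838 is the ITP/RFP, i.e. the package is not in the archive yet; nothing in the entry records that, so the four CVEs, two of which are still only RESERVED (CVE-2015-5216, CVE-2015-5215), read like open issues in a shipped package. A `NOTE:` line saying the bug is the ITP/RFP, or keeping the bug number in a NOTE rather than the package line, would make the intended status explicit.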
[Secure-testing-commits] r57690 - data/CVE
Author: carnil Date: 2017-11-16 21:20:20 + (Thu, 16 Nov 2017) New Revision: 57690 Modified: data/CVE/list Log: Add source package name for CVE-2017-15864 Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:16:44 UTC (rev 57689) +++ data/CVE/list 2017-11-16 21:20:20 UTC (rev 57690) @@ -2917,7 +2917,9 @@ CVE-2017-15865 (bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in ...) - frr (bug #863249) CVE-2017-15864 (In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x ...) - TODO: check + - otrs2 + NOTE: https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/ + TODO: check, upstream claims affects only 3.3.x series CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" ...) {DLA-1161-1} - redis 3:3.2.7-1
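Review bot: the @@ -2917 hunk lists `- otrs2` as affected with no version while the TODO added two lines later says upstream claims only the 3.3.x series is affected; those two statements pull in opposite directions, so the entry should be resolved one way or the other rather than left as an open unversioned package line. If the otrs2 versions in the suites are outside 3.3.x, use the not-affected form this file already uses elsewhere (`Vulnerable code not present` per suite); if any suite ships 3.3.x, record the version instead of the TODO. The otrs.com advisory in the NOTE is the reference the decision should cite.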
[Secure-testing-commits] r57689 - data/CVE
Author: carnil Date: 2017-11-16 21:16:44 + (Thu, 16 Nov 2017) New Revision: 57689 Modified: data/CVE/list Log: Add CVE-2017-16844/procmail, #876511 Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:11:52 UTC (rev 57688) +++ data/CVE/list 2017-11-16 21:16:44 UTC (rev 57689) @@ -209,7 +209,7 @@ CVE-2017-16845 RESERVED CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in formisc.c in ...) - TODO: check + - procmail (bug #876511) CVE-2017-16843 RESERVED CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in ...)
[Secure-testing-commits] r57688 - in data: . DSA
Author: carnil Date: 2017-11-16 21:11:52 + (Thu, 16 Nov 2017) New Revision: 57688 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for opensaml2 update Modified: data/DSA/list === --- data/DSA/list 2017-11-16 21:10:13 UTC (rev 57687) +++ data/DSA/list 2017-11-16 21:11:52 UTC (rev 57688) @@ -1,3 +1,7 @@ +[16 Nov 2017] DSA-4039-1 opensaml2 - security update + {CVE-2017-16853} + [jessie] - opensaml2 2.5.3-2+deb8u2 + [stretch] - opensaml2 2.6.0-4+deb9u1 [16 Nov 2017] DSA-4038-1 shibboleth-sp2 - security update {CVE-2017-16852} [jessie] - shibboleth-sp2 2.5.3+dfsg-2+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-16 21:10:13 UTC (rev 57687) +++ data/dsa-needed.txt 2017-11-16 21:11:52 UTC (rev 57688) @@ -30,8 +30,6 @@ -- openjdk-7/oldstable (jmm) -- -opensaml2 (carnil) --- php-horde-image -- php5
[Secure-testing-commits] r57687 - data/CVE
Author: sectracker Date: 2017-11-16 21:10:13 + (Thu, 16 Nov 2017) New Revision: 57687 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-16 21:05:33 UTC (rev 57686) +++ data/CVE/list 2017-11-16 21:10:13 UTC (rev 57687) 
@@ -1,3 +1,215 @@ +CVE-2018-0085 + RESERVED +CVE-2018-0084 + RESERVED +CVE-2018-0083 + RESERVED +CVE-2018-0082 + RESERVED +CVE-2018-0081 + RESERVED +CVE-2018-0080 + RESERVED +CVE-2018-0079 + RESERVED +CVE-2018-0078 + RESERVED +CVE-2018-0077 + RESERVED +CVE-2018-0076 + RESERVED +CVE-2018-0075 + RESERVED +CVE-2018-0074 + RESERVED +CVE-2018-0073 + RESERVED +CVE-2018-0072 + RESERVED +CVE-2018-0071 + RESERVED +CVE-2018-0070 + RESERVED +CVE-2018-0069 + RESERVED +CVE-2018-0068 + RESERVED +CVE-2018-0067 + RESERVED +CVE-2018-0066 + RESERVED +CVE-2018-0065 + RESERVED +CVE-2018-0064 + RESERVED +CVE-2018-0063 + RESERVED +CVE-2018-0062 + RESERVED +CVE-2018-0061 + RESERVED +CVE-2018-0060 + RESERVED +CVE-2018-0059 + RESERVED +CVE-2018-0058 + RESERVED +CVE-2018-0057 + RESERVED +CVE-2018-0056 + RESERVED +CVE-2018-0055 + RESERVED +CVE-2018-0054 + RESERVED +CVE-2018-0053 + RESERVED +CVE-2018-0052 + RESERVED +CVE-2018-0051 + RESERVED +CVE-2018-0050 + RESERVED +CVE-2018-0049 + RESERVED +CVE-2018-0048 + RESERVED +CVE-2018-0047 + RESERVED +CVE-2018-0046 + RESERVED +CVE-2018-0045 + RESERVED +CVE-2018-0044 + RESERVED +CVE-2018-0043 + RESERVED +CVE-2018-0042 + RESERVED +CVE-2018-0041 + RESERVED +CVE-2018-0040 + RESERVED +CVE-2018-0039 + RESERVED +CVE-2018-0038 + RESERVED +CVE-2018-0037 + RESERVED +CVE-2018-0036 + RESERVED +CVE-2018-0035 + RESERVED +CVE-2018-0034 + RESERVED +CVE-2018-0033 + RESERVED +CVE-2018-0032 + RESERVED +CVE-2018-0031 + RESERVED +CVE-2018-0030 + RESERVED +CVE-2018-0029 + RESERVED +CVE-2018-0028 + RESERVED +CVE-2018-0027 + RESERVED +CVE-2018-0026 + RESERVED +CVE-2018-0025 + RESERVED +CVE-2018-0024 + RESERVED +CVE-2018-0023 + RESERVED +CVE-2018-0022 + RESERVED +CVE-2018-0021 + RESERVED +CVE-2018-0020 + RESERVED +CVE-2018-0019 + RESERVED +CVE-2018-0018 + RESERVED +CVE-2018-0017 + RESERVED +CVE-2018-0016 + RESERVED +CVE-2018-0015 + RESERVED +CVE-2018-0014 + RESERVED +CVE-2018-0013 + RESERVED +CVE-2018-0012 + RESERVED +CVE-2018-0011 + RESERVED +CVE-2018-0010 + RESERVED 
+CVE-2018-0009 + RESERVED +CVE-2018-0008 + RESERVED +CVE-2018-0007 + RESERVED +CVE-2018-0006 + RESERVED +CVE-2018-0005 + RESERVED +CVE-2018-0004 + RESERVED +CVE-2018-0003 + RESERVED +CVE-2018-0002 + RESERVED +CVE-2018-0001 + RESERVED +CVE-2017-16866 + RESERVED +CVE-2017-16865 + RESERVED +CVE-2017-16864 + RESERVED +CVE-2017-16863 + RESERVED +CVE-2017-16862 + RESERVED +CVE-2017-16861 + RESERVED +CVE-2017-16860 + RESERVED +CVE-2017-16859 + RESERVED +CVE-2017-16858 + RESERVED +CVE-2017-16857 + RESERVED +CVE-2017-16856 + RESERVED +CVE-2017-16855 (Ipsilon before 2.1.0 has a "SAML2 multi-session vulnerability." ...) + TODO: check +CVE-2017-16854 + RESERVED +CVE-2017-16851 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) + TODO: check +CVE-2017-16850 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) + TODO: check +CVE-2017-16849 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) + TODO: check +CVE-2017-16848 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) + TODO: check +CVE-2017-16847 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) + TODO: check +CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) + TODO: check +CVE-2017-16845 + RESERVED +CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in formisc.c in ...) + TODO: check CVE-2017-16843 RESERVED CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in ...) @@ -21,11 +233,12 @@ NOTE: https://github.com/lingej/pnp4nagios/issues/140 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before ...) NOT-FOR-US: Gemirro -CVE-2017-16853 [CPPOST-105] +CVE-2017-16853 (The DynamicMetadataProvider class in ...) - opensaml2 (bug #881856) NOTE: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d NOTE: https://shibboleth.net/
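Review bot: in the @@ -21,11 +233,12 hunk the automatic update replaces `CVE-2017-16853 [CPPOST-105]` with the MITRE description, which silently drops the upstream issue id; the git.shibboleth.net commit NOTE survives, but CPPOST-105 is now only recoverable from the r57684 history. When the sync overwrites a bracketed placeholder description, the vendor tracker id should be carried over into a `NOTE:` line so the cross-reference to the Shibboleth advisory is not lost. The first hunk's long run of RESERVED CVE-2018-00xx entries is the expected bulk of the automatic sync and needs no action.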
[Secure-testing-commits] r57686 - in data: . DSA
Author: carnil Date: 2017-11-16 21:05:33 + (Thu, 16 Nov 2017) New Revision: 57686 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for shibboleth-sp2 Modified: data/DSA/list === --- data/DSA/list 2017-11-16 20:12:45 UTC (rev 57685) +++ data/DSA/list 2017-11-16 21:05:33 UTC (rev 57686) @@ -1,3 +1,7 @@ +[16 Nov 2017] DSA-4038-1 shibboleth-sp2 - security update + {CVE-2017-16852} + [jessie] - shibboleth-sp2 2.5.3+dfsg-2+deb8u1 + [stretch] - shibboleth-sp2 2.6.0+dfsg1-4+deb9u1 [16 Nov 2017] DSA-4037-1 jackson-databind - security update {CVE-2017-15095} [jessie] - jackson-databind 2.4.2-2+deb8u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-16 20:12:45 UTC (rev 57685) +++ data/dsa-needed.txt 2017-11-16 21:05:33 UTC (rev 57686) @@ -48,8 +48,6 @@ -- salt -- -shibboleth-sp2 (carnil) --- simplesamlphp -- tiff
[Secure-testing-commits] r57685 - data/CVE
Author: carnil Date: 2017-11-16 20:12:45 + (Thu, 16 Nov 2017) New Revision: 57685 Modified: data/CVE/list Log: Update CVE-2017-16648 with kernel-sec information Modified: data/CVE/list === --- data/CVE/list 2017-11-16 18:15:52 UTC (rev 57684) +++ data/CVE/list 2017-11-16 20:12:45 UTC (rev 57685) @@ -478,10 +478,7 @@ CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) - linux CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) - - linux - [stretch] - linux (Vulnerable code not present) - [jessie] - linux (Vulnerable code not present) - [wheezy] - linux (Vulnerable code not present) + - linux (Vulnerable code not present) CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) - linux [jessie] - linux (Vulnerable code not present)
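Review bot: the @@ -478 hunk collapses an open `- linux` line plus three per-suite `Vulnerable code not present` lines into a single `- linux (Vulnerable code not present)`, which is a stronger statement than before: it now declares unstable not affected as well, where the previous form left unstable open. The log attributes this to kernel-sec information, but no `NOTE:` line in the entry records that source, so a reader of data/CVE/list cannot see why CVE-2017-16648 is considered not to apply to the Debian kernel at all; add the kernel-sec reference (or the upstream reasoning it is based on) as a NOTE so the not-affected claim is checkable from the entry itself.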
[Secure-testing-commits] r57684 - data/CVE
Author: carnil Date: 2017-11-16 18:15:52 + (Thu, 16 Nov 2017) New Revision: 57684 Modified: data/CVE/list Log: CVE-2017-1685{2,3} assigned for shibboleth-sp2 and opensaml2 Modified: data/CVE/list === --- data/CVE/list 2017-11-16 18:14:27 UTC (rev 57683) +++ data/CVE/list 2017-11-16 18:15:52 UTC (rev 57684) @@ -21,11 +21,11 @@ NOTE: https://github.com/lingej/pnp4nagios/issues/140 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before ...) NOT-FOR-US: Gemirro -CVE-2017- [CPPOST-105] +CVE-2017-16853 [CPPOST-105] - opensaml2 (bug #881856) NOTE: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d NOTE: https://shibboleth.net/community/advisories/secadv_20171115.txt -CVE-2017- [SSPCPP-763] +CVE-2017-16852 [SSPCPP-763] - shibboleth-sp2 (bug #881857) NOTE: https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=b66cceb0e992c351ad5e2c665229ede82f261b16 NOTE: https://shibboleth.net/community/advisories/secadv_20171115.txt
[Secure-testing-commits] r57683 - data
Author: carnil Date: 2017-11-16 18:14:27 + (Thu, 16 Nov 2017) New Revision: 57683 Modified: data/dsa-needed.txt Log: Take care of releasing opensaml2 and shibboleth-sp2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-16 16:47:58 UTC (rev 57682) +++ data/dsa-needed.txt 2017-11-16 18:14:27 UTC (rev 57683) @@ -30,7 +30,7 @@ -- openjdk-7/oldstable (jmm) -- -opensaml2 +opensaml2 (carnil) -- php-horde-image -- @@ -48,7 +48,7 @@ -- salt -- -shibboleth-sp2 +shibboleth-sp2 (carnil) -- simplesamlphp --
[Secure-testing-commits] r57682 - data
Author: hle Date: 2017-11-16 16:47:58 + (Thu, 16 Nov 2017) New Revision: 57682 Modified: data/dla-needed.txt Log: Update lame, libav and ming entries in dla-needed. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-16 13:34:51 UTC (rev 57681) +++ data/dla-needed.txt 2017-11-16 16:47:58 UTC (rev 57682) @@ -22,11 +22,13 @@ NOTE: 20171031: No details available. Asked upstream for clarification. -- lame (Hugo Lefeuvre) - NOTE: Couldn't reproduce CVE-2017-{69-72}. Wait for next upstream release 3.100 ? - NOTE: https://lists.debian.org/debian-lts/2017/09/msg00082.html + NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46} + NOTE: 20171116: 3.100 available: check with the security team whether a backport is possible or not + NOTE: (since Stretch isn't affected by these issues they are probably not going to accept + NOTE: a backport to Stretch, which will therefore make a backport to Jessie/Wheezy impossible). -- libav (Hugo Lefeuvre) - NOTE: Diego Biurrun (from the libav team) is working on patches. + NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches. -- libextractor NOTE: not all patches available, so didn't bothered maintainer yet @@ -56,7 +58,7 @@ linux -- ming (Hugo Lefeuvre) - NOTE: 20171014: wip, currently working on it with upstream, might take a while + NOTE: 20171116: wip, currently working on it with upstream, might take a while -- mp3gain NOTE: Successfully reproduced CVE-2017-144{09, 07} but couldn't reproduce CVE-2017-144{06, 08, 10, 11, 12} (valgrind in Wheezy, gcc+asan in Jessie).
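Review bot: in the @@ -22 hunk the rewritten lame NOTE keeps the shorthand `CVE-2017-{69-72}`, which omits all but the last two digits of the CVE ids and cannot be matched against data/CVE/list, while the same line writes the others as `CVE-2017-150{18,45,46}` and the mp3gain entry below uses `CVE-2017-144{09, 07}`; since this line is being touched anyway, spell the ids out in the fuller form so the "couldn't reproduce" claim is attached to identifiable CVEs. The same hunk also removes the link to the debian-lts September thread (`https://lists.debian.org/debian-lts/2017/09/msg00082.html`) that backed the original note; keeping that URL alongside the new 20171116 status would preserve the reproduction history.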
[Secure-testing-commits] r57681 - data/CVE
Author: jmm Date: 2017-11-16 13:34:51 + (Thu, 16 Nov 2017) New Revision: 57681 Modified: data/CVE/list Log: tboot rfp/itp Modified: data/CVE/list === --- data/CVE/list 2017-11-16 13:27:06 UTC (rev 57680) +++ data/CVE/list 2017-11-16 13:34:51 UTC (rev 57681) @@ -11,7 +11,7 @@ CVE-2017-16838 RESERVED CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not ...) - TODO: check + - tboot (bug #803180) CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse ...) NOT-FOR-US: Arris TG1682G devices CVE-2017-16835
[Secure-testing-commits] r57680 - data/CVE
Author: carnil Date: 2017-11-16 13:27:06 + (Thu, 16 Nov 2017) New Revision: 57680 Modified: data/CVE/list Log: Add two jasperreports issues Modified: data/CVE/list === --- data/CVE/list 2017-11-16 13:24:07 UTC (rev 57679) +++ data/CVE/list 2017-11-16 13:27:06 UTC (rev 57680) @@ -33740,9 +33740,11 @@ CVE-2017-5534 RESERVED CVE-2017-5533 (A vulnerability in the server content cache of TIBCO JasperReports ...) - TODO: check + - jasperreports + NOTE: http://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-server-2017 CVE-2017-5532 (A vulnerability in the report renderer component of TIBCO ...) - TODO: check + - jasperreports + NOTE: https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532 CVE-2017-5531 (Deployments of TIBCO Managed File Transfer Command Center versions ...) NOT-FOR-US: TIBCO CVE-2017-5530
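Review bot: the @@ -33740 hunk maps both CVEs onto the unversioned `- jasperreports` source package, but the two advisories it cites are for different products: the CVE-2017-5533 URL ends in `...-tibco-jasperreports-server-2017` and the description speaks of the "server content cache", while the CVE-2017-5532 URL ends in `...-tibco-jasperreports-2017-5532` and describes the "report renderer component". Before leaving CVE-2017-5533 as an open entry, confirm that the Debian jasperreports package actually contains the JasperReports Server code in question; if it does not, the entry should be marked not affected with a NOTE saying why. Minor: the first NOTE URL is `http://` and the second `https://`; the tibco.com advisories are reachable over https, so the first should match.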
[Secure-testing-commits] r57679 - data/CVE
Author: carnil Date: 2017-11-16 13:24:07 + (Thu, 16 Nov 2017) New Revision: 57679 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-16 11:36:49 UTC (rev 57678) +++ data/CVE/list 2017-11-16 13:24:07 UTC (rev 57679) @@ -1,9 +1,9 @@ CVE-2017-16843 RESERVED CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + NOT-FOR-US: Yoast SEO plugin for WordPress CVE-2017-16841 (LanSweeper 6.0.100.75 has XSS via the description parameter to ...) - TODO: check + NOT-FOR-US: LanSweeper CVE-2017-16840 RESERVED CVE-2017-16839 @@ -13,14 +13,14 @@ CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not ...) TODO: check CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse ...) - TODO: check + NOT-FOR-US: Arris TG1682G devices CVE-2017-16835 RESERVED CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an ...) - pnp4nagios NOTE: https://github.com/lingej/pnp4nagios/issues/140 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before ...) - TODO: check + NOT-FOR-US: Gemirro CVE-2017- [CPPOST-105] - opensaml2 (bug #881856) NOTE: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d @@ -80,7 +80,7 @@ CVE-2017-16822 RESERVED CVE-2017-16821 (b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java ...) - TODO: check + NOT-FOR-US: b3log Symphony CVE-2017-16819 RESERVED CVE-2017-16818 @@ -12843,7 +12843,7 @@ CVE-2017-12351 RESERVED CVE-2017-12350 (A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12349 RESERVED CVE-2017-12348 
@@ -14055,27 +14055,27 @@ CVE-2017-11838 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-11837 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11836 (ChakraCore, and Microsoft Edge in Microsoft Windows 10 Gold, 1511, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11835 (Microsoft graphics in Windows 7 SP1 and Windows Server 2008 SP2 and R2 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11834 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11833 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11832 (The Microsoft Windows embedded OpenType (EOT) font engine in Windows 7 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11831 (Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11830 (Device Guard in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11829 (Microsoft Windows 10 allows an elevation of privilege vulnerability ...) NOT-FOR-US: Microsoft CVE-2017-11828 RESERVED CVE-2017-11827 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11826 (Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint ...) NOT-FOR-US: Microsoft CVE-2017-11825 (Microsoft Office 2016 Click-to-Run (C2R) and Microsoft Office 2016 for ...) 
@@ -14123,7 +14123,7 @@ CVE-2017-11804 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, ...) NOT-FOR-US: Microsoft CVE-2017-11803 (Microsoft Edge in Microsoft Windows 10 1703, 1709 and Windows Server, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11802 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, ...) NOT-FOR-US: Microsoft CVE-2017-11801 (ChakraCore allows an attacker to execute arbitrary code in the context ...) @@ -14147,13 +14147,13 @@ CVE-2017-11792 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allow an ...) NOT-FOR-US: Microsoft CVE-2017-11791 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11790 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11789 RESERVED CVE-2017-11788 (Windows Search in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2017-11787 RESERVED CVE-2017-11786 (Skype for Business in Microsoft Lync 2013 SP1 and Sk
[Secure-testing-commits] r57678 - in data: . DSA
Author: seb Date: 2017-11-16 11:36:49 + (Thu, 16 Nov 2017) New Revision: 57678 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA-4037-1 for jackson-databind (CVE-2017-15095) Modified: data/DSA/list === --- data/DSA/list 2017-11-16 10:11:39 UTC (rev 57677) +++ data/DSA/list 2017-11-16 11:36:49 UTC (rev 57678) @@ -1,3 +1,7 @@ +[16 Nov 2017] DSA-4037-1 jackson-databind - security update + {CVE-2017-15095} + [jessie] - jackson-databind 2.4.2-2+deb8u2 + [stretch] - jackson-databind 2.8.6-1+deb9u2 [15 Nov 2017] DSA-4036-1 mediawiki - security update {CVE-2017-8808 CVE-2017-8809 CVE-2017-8810 CVE-2017-8811 CVE-2017-8812 CVE-2017-8814 CVE-2017-8815} [stretch] - mediawiki 1:1.27.4-1~deb9u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-16 10:11:39 UTC (rev 57677) +++ data/dsa-needed.txt 2017-11-16 11:36:49 UTC (rev 57678) @@ -18,9 +18,6 @@ -- imagemagick/oldstable (jmm) -- -jackson-databind (seb) - For CVE-2017-15095 (see notes for missing commits) --- libav/oldstable We can ship the next libav 11.x point release when available --
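Review bot: the dsa-needed.txt hunk removes the line `For CVE-2017-15095 (see notes for missing commits)` together with the claim, while the new DSA-4037-1 entry in data/DSA/list only lists the fixed versions 2.4.2-2+deb8u2 and 2.8.6-1+deb9u2; nothing in this commit records whether the missing commits referred to were obtained and included in those uploads. A NOTE on the CVE-2017-15095 entry naming the upstream commits the update carries (or stating that the DSA is a partial fix) would close that loop, otherwise the "missing commits" concern disappears from the tracker without being resolved.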
[Secure-testing-commits] r57677 - data
Author: pochu Date: 2017-11-16 10:11:39 + (Thu, 16 Nov 2017) New Revision: 57677 Modified: data/dla-needed.txt Log: dla: add note to libreoffice and unclaim it Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-16 09:50:06 UTC (rev 57676) +++ data/dla-needed.txt 2017-11-16 10:11:39 UTC (rev 57677) @@ -38,9 +38,10 @@ -- libofx (Thorsten Alteholz) -- -libreoffice (Emilio Pozuelo) +libreoffice NOTE: regression update, see: NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html + NOTE: there are some new CVEs now as well -- libspring-ldap-java --
[Secure-testing-commits] r57676 - data/CVE
Author: jmm Date: 2017-11-16 09:50:06 + (Thu, 16 Nov 2017) New Revision: 57676 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-16 09:10:18 UTC (rev 57675) +++ data/CVE/list 2017-11-16 09:50:06 UTC (rev 57676) @@ -12869,7 +12869,7 @@ CVE-2017-12338 RESERVED CVE-2017-12337 (A vulnerability in the upgrade mechanism of Cisco collaboration ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12336 RESERVED CVE-2017-12335 
@@ -12897,55 +12897,55 @@ CVE-2017-12324 RESERVED CVE-2017-12323 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12322 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12321 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12320 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12319 RESERVED CVE-2017-12318 (A vulnerability in the TCP state machine of Cisco RF Gateway 1 devices ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12317 (The Cisco AMP For Endpoints application allows an authenticated, local ...) NOT-FOR-US: Cisco CVE-2017-12316 (A vulnerability in the Guest Portal login page of Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12315 (A vulnerability in system logging when replication is being configured ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12314 (A vulnerability in the Cisco FindIT Network Discovery Utility could ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12313 (An untrusted search path (aka DLL Preload) vulnerability in the Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12312 (An untrusted search path (aka DLL Preloading) vulnerability in the ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12311 (A vulnerability in the H.264 decoder function of Cisco Meeting Server ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12310 RESERVED CVE-2017-12309 (A vulnerability in the Cisco Email Security Appliance (ESA) could allow ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12308 RESERVED CVE-2017-12307 RESERVED CVE-2017-12306 (A vulnerability in the upgrade process of Cisco Spark Board could allow ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12305 (A vulnerability in the debug interface of Cisco IP Phone 8800 series ...) 
- TODO: check + NOT-FOR-US: Cisco CVE-2017-12304 (A vulnerability in the IOS daemon (IOSd) web-based management interface ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12303 (A vulnerability in the Advanced Malware Protection (AMP) file filtering ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12302 (A vulnerability in the Cisco Unified Communications Manager SQL ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12301 (A vulnerability in the Python scripting subsystem of Cisco NX-OS ...) NOT-FOR-US: Cisco CVE-2017-12300 (A vulnerability in the SNORT detection engine of Cisco Firepower System ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12299 (A vulnerability exists in the process of creating default IP blocks ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12298 (A vulnerability in Cisco WebEx Meeting Center could allow an ...) NOT-FOR-US: Cisco CVE-2017-12297 @@ -12959,11 +12959,11 @@ CVE-2017-12293 (A vulnerability in Cisco WebEx Meetings Server could allow an ...) NOT-FOR-US: Cisco CVE-2017-12292 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12291 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12290 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-12289 (A vulnerability in conditional, verbose debug logging for the IPsec ...) NOT-FOR-US: Cisco CVE-2017-12288 (A vulnerability in the web-based management interface of Cisco Unified ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
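Review bot: In the second hunk (`@@ -12897,55 +12897,55 @@`), CVE-2017-12300 is flagged `NOT-FOR-US: Cisco`, but its description reads "A vulnerability in the SNORT detection engine of Cisco Firepower System ...", and Debian ships snort as a package; before closing it as not-for-us, confirm the issue is confined to the engine as bundled in Firepower rather than upstream snort, and if it is upstream, the entry should be `- snort` with a TODO or fixed version instead. The remaining Cisco entries in this hunk (appliance web interfaces, IP phones, IOSd, the two Windows DLL-preloading issues) are products Debian does not package, so `NOT-FOR-US: Cisco` is consistent with the neighbouring entries.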
[Secure-testing-commits] r57675 - data/CVE
Author: sectracker Date: 2017-11-16 09:10:18 + (Thu, 16 Nov 2017) New Revision: 57675 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-16 08:03:57 UTC (rev 57674) +++ data/CVE/list 2017-11-16 09:10:18 UTC (rev 57675) @@ -1,4 +1,22 @@ -CVE-2017-16834 [root privilege escalation via insecure permissions] +CVE-2017-16843 + RESERVED +CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in ...) + TODO: check +CVE-2017-16841 (LanSweeper 6.0.100.75 has XSS via the description parameter to ...) + TODO: check +CVE-2017-16840 + RESERVED +CVE-2017-16839 + RESERVED +CVE-2017-16838 + RESERVED +CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not ...) + TODO: check +CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse ...) + TODO: check +CVE-2017-16835 + RESERVED +CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an ...) - pnp4nagios NOTE: https://github.com/lingej/pnp4nagios/issues/140 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before ...) @@ -4530,8 +4548,7 @@ RESERVED CVE-2017-15116 RESERVED -CVE-2017-15115 [sctp: use-after-free in sctp_cmp_addr_exact()] - RESERVED +CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel ...) - linux NOTE: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 (v4.14-rc6) CVE-2017-15114 [Passwordless access for non-libvirt related services when using shared certificate authority] @@ -4563,8 +4580,7 @@ RESERVED CVE-2017-15103 RESERVED -CVE-2017-15102 [NULL pointer dereference due to race condition in probe function of legousbtower driver] - RESERVED +CVE-2017-15102 (The tower_probe function in drivers/usb/misc/legousbtower.c in the ...) - linux 4.7.8-1 [jessie] - linux 3.16.43-1 [wheezy] - linux 3.2.86-1 
@@ -7868,8 +7884,8 @@ NOTE: Fixed by: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017 NOTE: https://patchwork.kernel.org/patch/9929625/ NOTE: Non issue, only "exploitable" with root access -CVE-2017-14034 - RESERVED +CVE-2017-14034 (The restore_tqb_pixels function in hevc_filter.c in libavcodec, as used ...) + TODO: check CVE-2017-14033 (The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, ...) {DSA-4031-1 DLA-1114-1} - ruby2.3 2.3.5-1 (bug #875928) @@ -9986,10 +10002,10 @@ NOT-FOR-US: Wordpress theme CVE-2017-13137 (The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the ...) NOT-FOR-US: Wordpress plugin -CVE-2017-13136 - RESERVED -CVE-2017-13135 - RESERVED +CVE-2017-13136 (The image_alloc function in bpgenc.c in libbpg 0.9.7 has an integer ...) + TODO: check +CVE-2017-13135 (A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg ...) + TODO: check CVE-2017-13134 (In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer ...) {DSA-4032-1 DLA-1170-1 DLA-1081-1} - imagemagick (bug #873099) @@ -12826,8 +12842,8 @@ RESERVED CVE-2017-12351 RESERVED -CVE-2017-12350 - RESERVED +CVE-2017-12350 (A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and ...) + TODO: check CVE-2017-12349 RESERVED CVE-2017-12348 @@ -12852,8 +12868,8 @@ RESERVED CVE-2017-12338 RESERVED -CVE-2017-12337 - RESERVED +CVE-2017-12337 (A vulnerability in the upgrade mechanism of Cisco collaboration ...) + TODO: check CVE-2017-12336 RESERVED CVE-2017-12335 
@@ -12880,56 +12896,56 @@ RESERVED CVE-2017-12324 RESERVED -CVE-2017-12323 - RESERVED -CVE-2017-12322 - RESERVED -CVE-2017-12321 - RESERVED -CVE-2017-12320 - RESERVED +CVE-2017-12323 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) + TODO: check +CVE-2017-12322 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) + TODO: check +CVE-2017-12321 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) + TODO: check +CVE-2017-12320 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) + TODO: check CVE-2017-12319 RESERVED -CVE-2017-12318 - RESERVED +CVE-2017-12318 (A vulnerability in the TCP state machine of Cisco RF Gateway 1 devices ...) + TODO: check CVE-2017-12317 (The Cisco AMP For Endpoints application allows an authenticated, local ...) NOT-FOR-US: Cisco -CVE-2017-12316 - RESERVED -CVE-2017-12315 - RESERVED -CVE-2017-12314 - RESERVED -CVE-2017-12313 - RESERVED -CVE-2017-12312 - RESERVED -CVE-2017-12
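Review bot: In the `@@ -7868,8 +7884,8 @@` hunk, CVE-2017-14034 goes from RESERVED to `TODO: check` with a description naming "the restore_tqb_pixels function in hevc_filter.c in libavcodec"; Debian ships libavcodec in ffmpeg (and libav in oldstable, which the dsa-needed.txt diff above in r57678 still tracks), so this should be triaged to `- ffmpeg` plus the oldstable libav status rather than left as a bare TODO, and the preceding context line `NOTE: Non issue, only "exploitable" with root access` belongs to the previous CVE, so keep a blank-free layout that does not make it look like it applies to CVE-2017-14034.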
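Review bot: In the `@@ -9986,10 +10002,10 @@` hunk, CVE-2017-13135 is described as "A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg ...", and x265 is packaged in Debian, so the `TODO: check` for this entry should resolve to `- x265` with a bug reference or fixed version rather than being closed together with the libbpg-only CVE-2017-13136 above it.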
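Review bot: In the `@@ -1,4 +1,22 @@` hunk, the CVE-2017-16834 line replaces the bracketed working title `[root privilege escalation via insecure permissions]` with the MITRE description while the package line below it stays `- pnp4nagios` with no bug number or fixed version, and the newly added CVE-2017-16837 (Trusted Boot / tboot through 1.9.6) is `TODO: check` although tboot is a Debian package; both entries need a Debian bug reference (`(bug #NNNNNN)`, number to be filed) or a fixed version so they do not linger after the automatic update.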
[Secure-testing-commits] r57674 - data
Author: carnil Date: 2017-11-16 08:03:57 + (Thu, 16 Nov 2017) New Revision: 57674 Modified: data/next-point-update.txt Log: libofx proposed for stretch-pu Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-11-16 06:51:00 UTC (rev 57673) +++ data/next-point-update.txt 2017-11-16 08:03:57 UTC (rev 57674) @@ -35,3 +35,7 @@ [stretch] - python-tablib 0.9.11-2+deb9u1 CVE-2017-14952 [stretch] - icu 57.1-6+deb9u1 +CVE-2017-2816 + [stretch] - libofx 1:0.9.10-2+deb9u1 +CVE-2017-14731 + [stretch] - libofx 1:0.9.10-2+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
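Review bot: In the data/next-point-update.txt hunk, the two new entries for CVE-2017-2816 and CVE-2017-14731 both record `[stretch] - libofx 1:0.9.10-2+deb9u1`, but the corresponding CVE entries in data/CVE/list also need that `[stretch]` fixed version once the stretch-pu upload is accepted, and the jessie side is still open in data/dla-needed.txt (libofx is claimed by Thorsten Alteholz in r57677 above); add a cross-reference so the LTS and point-update fixes are tracked against the same two CVE ids.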