date:20171117

[Secure-testing-commits] r57774 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-18 07:46:51 + (Sat, 18 Nov 2017)
New Revision: 57774

Modified:
   data/CVE/list
Log:
CVE-2017-13826 confirmed to be rejected

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-18 01:44:53 UTC (rev 57773)
+++ data/CVE/list   2017-11-18 07:46:51 UTC (rev 57774)
@@ -8711,7 +8711,7 @@
 CVE-2017-13827
RESERVED
 CVE-2017-13826 (An issue was discovered in certain Apple products. macOS 
before ...)
-   NOT-FOR-US: Postfix as used by Apple, but actually a dupe of 
CVE-2017-10140. Requested reject at MITRE
+   REJECTED
 CVE-2017-13825 (An issue was discovered in certain Apple products. macOS 
before ...)
NOT-FOR-US: Apple
 CVE-2017-13824 (An issue was discovered in certain Apple products. macOS 
before ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57773 - in data: . DLA

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-18 01:44:53 + (Sat, 18 Nov 2017)
New Revision: 57773

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1175-1 for lynx-cur

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-18 01:37:43 UTC (rev 57772)
+++ data/DLA/list   2017-11-18 01:44:53 UTC (rev 57773)
@@ -1,3 +1,6 @@
+[18 Nov 2017] DLA-1175-1 lynx-cur - security update
+   {CVE-2017-1000211}
+   [wheezy] - lynx-cur 2.8.8dev.12-2+deb7u2
 [18 Nov 2017] DLA-1174-1 konversation - security update
{CVE-2017-15923}
[wheezy] - konversation 1.4-1+deb7u2

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-18 01:37:43 UTC (rev 57772)
+++ data/dla-needed.txt 2017-11-18 01:44:53 UTC (rev 57773)
@@ -60,8 +60,6 @@
 --
 linux
 --
-lynx-cur (Chris Lamb)
---
 ming (Hugo Lefeuvre)
   NOTE: 20171116: wip, currently working on it with upstream, might take a 
while
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57772 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-18 01:37:43 + (Sat, 18 Nov 2017)
New Revision: 57772

Modified:
   data/dla-needed.txt
Log:
Claim lynx-cur in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-18 01:20:41 UTC (rev 57771)
+++ data/dla-needed.txt 2017-11-18 01:37:43 UTC (rev 57772)
@@ -60,7 +60,7 @@
 --
 linux
 --
-lynx-cur
+lynx-cur (Chris Lamb)
 --
 ming (Hugo Lefeuvre)
   NOTE: 20171116: wip, currently working on it with upstream, might take a 
while


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57771 - in data: . DLA

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-18 01:20:41 + (Sat, 18 Nov 2017)
New Revision: 57771

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1174-1 for konversation.

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-18 01:10:09 UTC (rev 57770)
+++ data/DLA/list   2017-11-18 01:20:41 UTC (rev 57771)
@@ -1,3 +1,6 @@
+[18 Nov 2017] DLA-1174-1 konversation - security update
+   {CVE-2017-15923}
+   [wheezy] - konversation 1.4-1+deb7u2
 [18 Nov 2017] DLA-1173-1 procmail - security update
{CVE-2017-16844}
[wheezy] - procmail 3.22-20+deb7u2

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-18 01:10:09 UTC (rev 57770)
+++ data/dla-needed.txt 2017-11-18 01:20:41 UTC (rev 57771)
@@ -21,8 +21,6 @@
 jasperreports
   NOTE: 20171031: No details available. Asked upstream for clarification.
 --
-konversation (Chris Lamb)
---
 lame (Hugo Lefeuvre)
   NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced 
CVE-2017-150{18,45,46} 
   NOTE: 20171116: 3.100 available: check with the security team whether a 
backport is possible or not


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57770 - in data: . DLA

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-18 01:10:09 + (Sat, 18 Nov 2017)
New Revision: 57770

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1173-1 for procmail

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-18 00:44:08 UTC (rev 57769)
+++ data/DLA/list   2017-11-18 01:10:09 UTC (rev 57770)
@@ -1,3 +1,6 @@
+[18 Nov 2017] DLA-1173-1 procmail - security update
+   {CVE-2017-16844}
+   [wheezy] - procmail 3.22-20+deb7u2
 [16 Nov 2017] DLA-1172-1 firefox-esr - security update
{CVE-2017-7826 CVE-2017-7828 CVE-2017-7830}
[wheezy] - firefox-esr 52.5.0esr-1~deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-18 00:44:08 UTC (rev 57769)
+++ data/dla-needed.txt 2017-11-18 01:10:09 UTC (rev 57770)
@@ -91,8 +91,6 @@
   NOTE: drawForm is doForm1 in wheezy
   NOTE: exploit does not loop but code looks affected
 --
-procmail (Chris Lamb)
---
 python-werkzeug (Thorsten Alteholz)
 --
 python2.6 (Roberto C. Sánchez)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57769 - in data: . CVE

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-18 00:44:08 + (Sat, 18 Nov 2017)
New Revision: 57769

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
CVE-2017-16820/collectd not vulnerable in wheezy on closer inspetion.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 23:56:46 UTC (rev 57768)
+++ data/CVE/list   2017-11-18 00:44:08 UTC (rev 57769)
@@ -494,6 +494,7 @@
NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) 
plugin for WordPress
 CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in 
collectd ...)
- collectd  (bug #881757)
+   [wheezy] - collectd  (Vulnerable code not present)
NOTE: https://github.com/collectd/collectd/issues/2291
 CVE-2017-16814
RESERVED

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 23:56:46 UTC (rev 57768)
+++ data/dla-needed.txt 2017-11-18 00:44:08 UTC (rev 57769)
@@ -16,8 +16,6 @@
 --
 cacti
 --
-collectd (Chris Lamb)
---
 irssi (Rhonda D'Vine)
 --
 jasperreports


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57768 - data

2017-11-17 Thread Roberto C. Sanchez

Author: roberto
Date: 2017-11-17 23:56:46 + (Fri, 17 Nov 2017)
New Revision: 57768

Modified:
   data/dla-needed.txt
Log:
Claim python2.6 in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 23:45:56 UTC (rev 57767)
+++ data/dla-needed.txt 2017-11-17 23:56:46 UTC (rev 57768)
@@ -97,7 +97,7 @@
 --
 python-werkzeug (Thorsten Alteholz)
 --
-python2.6
+python2.6 (Roberto C. Sánchez)
 --
 python2.7 (Roberto C. Sánchez)
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57767 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 23:45:56 + (Fri, 17 Nov 2017)
New Revision: 57767

Modified:
   data/dla-needed.txt
Log:
Triage python2.6 for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 23:39:54 UTC (rev 57766)
+++ data/dla-needed.txt 2017-11-17 23:45:56 UTC (rev 57767)
@@ -97,6 +97,8 @@
 --
 python-werkzeug (Thorsten Alteholz)
 --
+python2.6
+--
 python2.7 (Roberto C. Sánchez)
 --
 qemu


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57766 - data/CVE

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 23:39:54 + (Fri, 17 Nov 2017)
New Revision: 57766

Modified:
   data/CVE/list
Log:
data/CVE/list: Add commit for CVE-2017-1000203/root-system

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 23:37:41 UTC (rev 57765)
+++ data/CVE/list   2017-11-17 23:39:54 UTC (rev 57766)
@@ -32,6 +32,7 @@
REJECTED
 CVE-2017-1000203 (ROOT version 6.9.03 and below is vulnerable to an 
authenticated shell ...)
- root-system 
+   NOTE: 
https://github.com/root-project/root/commit/88ccff152604e0f1012653a596d802ff7ede3145#diff-6cd6f6c31bac70116b7ca7abdc8e517e
 CVE-2017-1000192 (Cygnux sysPass version 2.1.7 and older is vulnerable to a 
Local File ...)
TODO: check
 CVE-2017-1000191 (Jool 3.5.0-3.5.1 is vulnerable to a kernel crashing packet 
resulting ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57765 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 23:37:41 + (Fri, 17 Nov 2017)
New Revision: 57765

Modified:
   data/dla-needed.txt
Log:
Triage lynx-cur for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 23:36:03 UTC (rev 57764)
+++ data/dla-needed.txt 2017-11-17 23:37:41 UTC (rev 57765)
@@ -64,6 +64,8 @@
 --
 linux
 --
+lynx-cur
+--
 ming (Hugo Lefeuvre)
   NOTE: 20171116: wip, currently working on it with upstream, might take a 
while
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57764 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 23:36:03 + (Fri, 17 Nov 2017)
New Revision: 57764

Modified:
   data/dla-needed.txt
Log:
tcpdump in wheezy does not appear to be vulnerable to 
.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 23:31:02 UTC (rev 57763)
+++ data/dla-needed.txt 2017-11-17 23:36:03 UTC (rev 57764)
@@ -129,6 +129,9 @@
 swftools
   NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
 --
+tcpdump
+  NOTE: 20171118: PoC 
(https://github.com/the-tcpdump-group/tcpdump/issues/645) does not appear to be 
be vulnerable.
+--
 tiff (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57763 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 23:31:02 + (Fri, 17 Nov 2017)
New Revision: 57763

Modified:
   data/dla-needed.txt
Log:
Consistently indent data/dla-needed.txt.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 23:18:59 UTC (rev 57762)
+++ data/dla-needed.txt 2017-11-17 23:31:02 UTC (rev 57763)
@@ -32,7 +32,7 @@
   NOTE: a backport to Stretch, which will therefore make a backport to 
Jessie/Wheezy impossible).
 --
 ldns
- NOTE: 20178: Fix for CVE-2017-1000231 will need some adjustment for 
wheezy (lamby)
+  NOTE: 20178: Fix for CVE-2017-1000231 will need some adjustment for 
wheezy (lamby)
 --
 libav (Hugo Lefeuvre)
   NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches.
@@ -138,8 +138,7 @@
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
 --
 wireshark (Thorsten Alteholz)
-  NOTE: 2017-08-28: Contacted maintainer since most NOTE: issues affect
-  Jessie/Stretch as well
+  NOTE: 2017-08-28: Contacted maintainer since most NOTE: issues affect 
Jessie/Stretch as well
 --
 wordpress
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57762 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 23:18:59 + (Fri, 17 Nov 2017)
New Revision: 57762

Modified:
   data/CVE/list
Log:
Mark CVE-2017-16869 as unimportant

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 23:04:25 UTC (rev 57761)
+++ data/CVE/list   2017-11-17 23:18:59 UTC (rev 57762)
@@ -53,8 +53,9 @@
 CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF 
in the ...)
NOT-FOR-US: UpdraftPlus plugin for WordPress
 CVE-2017-16869 (p_mach.cpp in UPX 3.94 allows remote attackers to cause a 
denial of ...)
-   - upx-ucl  (bug #882041)
+   - upx-ucl  (bug #882041; unimportant)
NOTE: https://github.com/upx/upx/issues/146
+   NOTE: crash in CLI tool, no security impact
 CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c 
does not ...)
- swftools 
NOTE: https://github.com/matthiaskramm/swftools/issues/52


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57761 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 23:04:25 + (Fri, 17 Nov 2017)
New Revision: 57761

Modified:
   data/CVE/list
Log:
Remove TODO for CVE-2017-1000161

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 23:04:14 UTC (rev 57760)
+++ data/CVE/list   2017-11-17 23:04:25 UTC (rev 57761)
@@ -44,7 +44,6 @@
TODO: check
 CVE-2017-1000161
REJECTED
-   TODO: check
 CVE-2017-16872 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
- pjproject 2.7.1~dfsg-1
NOTE: https://trac.pjsip.org/repos/ticket/2056


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57760 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 23:04:14 + (Fri, 17 Nov 2017)
New Revision: 57760

Modified:
   data/CVE/list
Log:
Add CVE-2017-1000203/root-system

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 23:04:02 UTC (rev 57759)
+++ data/CVE/list   2017-11-17 23:04:14 UTC (rev 57760)
@@ -31,7 +31,7 @@
 CVE-2017-1000204
REJECTED
 CVE-2017-1000203 (ROOT version 6.9.03 and below is vulnerable to an 
authenticated shell ...)
-   TODO: check
+   - root-system 
 CVE-2017-1000192 (Cygnux sysPass version 2.1.7 and older is vulnerable to a 
Local File ...)
TODO: check
 CVE-2017-1000191 (Jool 3.5.0-3.5.1 is vulnerable to a kernel crashing packet 
resulting ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57759 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 23:04:02 + (Fri, 17 Nov 2017)
New Revision: 57759

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 23:03:51 UTC (rev 57758)
+++ data/CVE/list   2017-11-17 23:04:02 UTC (rev 57759)
@@ -21,7 +21,7 @@
 CVE-2017-1000215 (ROOT xrootd version 4.6.0 and below is vulnerable to an ...)
- xrootd  (bug #687222)
 CVE-2017-1000212 (Elixir's vim plugin, alchemist.vim is vulnerable to remote 
code ...)
-   TODO: check
+   NOT-FOR-US: Elixir's vim plugin
 CVE-2017-1000211 (Lynx version 2.8.8 and older is vulnerable to a use after 
free in the ...)
- lynx 2.8.9dev16-1
- lynx-cur 
@@ -17518,15 +17518,15 @@
 CVE-2017-10891
RESERVED
 CVE-2017-10890 (Session management issue in RX-V200 firmware versions prior to 
...)
-   TODO: check
+   NOT-FOR-US: RX-V200 firmware
 CVE-2017-10889 (TablePress prior to version 1.8.1 allows an attacker to 
conduct XML ...)
TODO: check
 CVE-2017-10888 (BOOK WALKER for Windows Ver.1.2.9 and earlier, BOOK WALKER for 
Mac ...)
-   TODO: check
+   NOT-FOR-US: BOOK WALKER
 CVE-2017-10887 (Untrusted search path vulnerability in BOOK WALKER for Windows 
...)
-   TODO: check
+   NOT-FOR-US: BOOK WALKER
 CVE-2017-10886 (Cross-site scripting vulnerability in CS-Cart Japanese Edition 
v4.3.10 ...)
-   TODO: check
+   NOT-FOR-US: CS-Cart
 CVE-2017-10885 (Untrusted search path vulnerability in HYPER SBI Ver. 2.2 and 
earlier ...)
NOT-FOR-US: HYPER SBI
 CVE-2017-10884


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57758 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 23:03:51 + (Fri, 17 Nov 2017)
New Revision: 57758

Modified:
   data/CVE/list
Log:
Add CVE-2017-1000215/xrootd, itp'ed

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:51:04 UTC (rev 57757)
+++ data/CVE/list   2017-11-17 23:03:51 UTC (rev 57758)
@@ -19,7 +19,7 @@
 CVE-2017-1000222
REJECTED
 CVE-2017-1000215 (ROOT xrootd version 4.6.0 and below is vulnerable to an ...)
-   TODO: check
+   - xrootd  (bug #687222)
 CVE-2017-1000212 (Elixir's vim plugin, alchemist.vim is vulnerable to remote 
code ...)
TODO: check
 CVE-2017-1000211 (Lynx version 2.8.8 and older is vulnerable to a use after 
free in the ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57757 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:51:04 + (Fri, 17 Nov 2017)
New Revision: 57757

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-16869

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:50:19 UTC (rev 57756)
+++ data/CVE/list   2017-11-17 22:51:04 UTC (rev 57757)
@@ -54,7 +54,7 @@
 CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF 
in the ...)
NOT-FOR-US: UpdraftPlus plugin for WordPress
 CVE-2017-16869 (p_mach.cpp in UPX 3.94 allows remote attackers to cause a 
denial of ...)
-   - upx-ucl 
+   - upx-ucl  (bug #882041)
NOTE: https://github.com/upx/upx/issues/146
 CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c 
does not ...)
- swftools 


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57755 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:50:07 + (Fri, 17 Nov 2017)
New Revision: 57755

Modified:
   data/CVE/list
Log:
Add another swftools issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:47:35 UTC (rev 57754)
+++ data/CVE/list   2017-11-17 22:50:07 UTC (rev 57755)
@@ -57,7 +57,8 @@
- upx-ucl 
NOTE: https://github.com/upx/upx/issues/146
 CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c 
does not ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/52
 CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
NOT-FOR-US: Amazon Key
 CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded 
from redis ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57756 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:50:19 + (Fri, 17 Nov 2017)
New Revision: 57756

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:50:07 UTC (rev 57755)
+++ data/CVE/list   2017-11-17 22:50:19 UTC (rev 57756)
@@ -8052,7 +8052,7 @@
 CVE-2017-14112
RESERVED
 CVE-2017-14111 (The workstation logging function in Philips IntelliSpace ...)
-   TODO: check
+   NOT-FOR-US: Philips IntelliSpace Cardiovascular and Xcelera
 CVE-2017-14110
RESERVED
 CVE-2017-1000201 (The tcmu-runner daemon in tcmu-runner version 1.0.5 to 1.2.0 
is ...)
@@ -8304,7 +8304,7 @@
 CVE-2017-14029 (An Uncontrolled Search Path Element issue was discovered in 
Trihedral ...)
NOT-FOR-US: Trihedral VTScada
 CVE-2017-14028 (A Resource Exhaustion issue was discovered in Moxa NPort 5110 
Version ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2017-14027 (A Use of Hard-coded Credentials issue was discovered in 
Korenix JetNet ...)
NOT-FOR-US: Korenix
 CVE-2017-14026
@@ -9233,13 +9233,13 @@
NOTE: 
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011729.html
NOTE: 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=63437ffbb58837b214b4b92cb1c54bc5f3279928
 CVE-2017-13703 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 
devices. A ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2017-13702 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 
devices. ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2017-13701
RESERVED
 CVE-2017-13700 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 
devices. ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2017-13699
RESERVED
 CVE-2017-13698


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57754 - in data: . DSA

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 22:47:35 + (Fri, 17 Nov 2017)
New Revision: 57754

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
imagemagick DSA


Modified: data/DSA/list
===
--- data/DSA/list   2017-11-17 22:41:54 UTC (rev 57753)
+++ data/DSA/list   2017-11-17 22:47:35 UTC (rev 57754)
@@ -1,3 +1,6 @@
+[17 Nov 2017] DSA-4040-1 imagemagick - security update
+   {CVE-2017-11352 CVE-2017-11640 CVE-2017-12431 CVE-2017-12640 
CVE-2017-12877 CVE-2017-12983 CVE-2017-13134 CVE-2017-13139 CVE-2017-13144 
CVE-2017-13758 CVE-2017-13769 CVE-2017-14224 CVE-2017-14607 CVE-2017-14682 
CVE-2017-14989 CVE-2017-15277 CVE-2017-16546}
+   [jessie] - imagemagick 8:6.8.9.9-5+deb8u11
 [16 Nov 2017] DSA-4039-1 opensaml2 - security update
{CVE-2017-16853}
[jessie] - opensaml2 2.5.3-2+deb8u2

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-17 22:41:54 UTC (rev 57753)
+++ data/dsa-needed.txt 2017-11-17 22:47:35 UTC (rev 57754)
@@ -16,8 +16,6 @@
 --
 graphicsmagick
 --
-imagemagick/oldstable (jmm)
---
 libav/oldstable
   We can ship the next libav 11.x point release when available
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57751 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:41:31 + (Fri, 17 Nov 2017)
New Revision: 57751

Modified:
   data/CVE/list
Log:
Add CVE-2017-1000206/htslib

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:41:19 UTC (rev 57750)
+++ data/CVE/list   2017-11-17 22:41:31 UTC (rev 57751)
@@ -27,7 +27,7 @@
- lynx-cur 
NOTE: 
https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9
 CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is 
vulnerable to ...)
-   TODO: check
+   - htslib 1.4.1-1
 CVE-2017-1000204
REJECTED
 CVE-2017-1000203 (ROOT version 6.9.03 and below is vulnerable to an 
authenticated shell ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57749 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:41:08 + (Fri, 17 Nov 2017)
New Revision: 57749

Modified:
   data/CVE/list
Log:
Cleanup REJECTED entries (doublecheckd with MITRE entry)

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:18:51 UTC (rev 57748)
+++ data/CVE/list   2017-11-17 22:41:08 UTC (rev 57749)
@@ -16,10 +16,8 @@
RESERVED
 CVE-2017-1000233
REJECTED
-   TODO: check
 CVE-2017-1000222
REJECTED
-   TODO: check
 CVE-2017-1000215 (ROOT xrootd version 4.6.0 and below is vulnerable to an ...)
TODO: check
 CVE-2017-1000212 (Elixir's vim plugin, alchemist.vim is vulnerable to remote 
code ...)
@@ -30,7 +28,6 @@
TODO: check
 CVE-2017-1000204
REJECTED
-   TODO: check
 CVE-2017-1000203 (ROOT version 6.9.03 and below is vulnerable to an 
authenticated shell ...)
TODO: check
 CVE-2017-1000192 (Cygnux sysPass version 2.1.7 and older is vulnerable to a 
Local File ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57753 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:41:54 + (Fri, 17 Nov 2017)
New Revision: 57753

Modified:
   data/CVE/list
Log:
Add CVE-2017-16869/upx-ucl

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:41:43 UTC (rev 57752)
+++ data/CVE/list   2017-11-17 22:41:54 UTC (rev 57753)
@@ -54,7 +54,8 @@
 CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF 
in the ...)
NOT-FOR-US: UpdraftPlus plugin for WordPress
 CVE-2017-16869 (p_mach.cpp in UPX 3.94 allows remote attackers to cause a 
denial of ...)
-   TODO: check
+   - upx-ucl 
+   NOTE: https://github.com/upx/upx/issues/146
 CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c 
does not ...)
TODO: check
 CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57752 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:41:43 + (Fri, 17 Nov 2017)
New Revision: 57752

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:41:31 UTC (rev 57751)
+++ data/CVE/list   2017-11-17 22:41:43 UTC (rev 57752)
@@ -50,9 +50,9 @@
NOTE: https://trac.pjsip.org/repos/ticket/2056
NOTE: https://trac.pjsip.org/repos/changeset/5682
 CVE-2017-16871 (The UpdraftPlus plugin through 1.13.12 for WordPress allows 
remote PHP ...)
-   TODO: check
+   NOT-FOR-US: UpdraftPlus plugin for WordPress
 CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF 
in the ...)
-   TODO: check
+   NOT-FOR-US: UpdraftPlus plugin for WordPress
 CVE-2017-16869 (p_mach.cpp in UPX 3.94 allows remote attackers to cause a 
denial of ...)
TODO: check
 CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c 
does not ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57750 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:41:19 + (Fri, 17 Nov 2017)
New Revision: 57750

Modified:
   data/CVE/list
Log:
Add lynx issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:41:08 UTC (rev 57749)
+++ data/CVE/list   2017-11-17 22:41:19 UTC (rev 57750)
@@ -23,7 +23,9 @@
 CVE-2017-1000212 (Elixir's vim plugin, alchemist.vim is vulnerable to remote 
code ...)
TODO: check
 CVE-2017-1000211 (Lynx version 2.8.8 and older is vulnerable to a use after 
free in the ...)
-   TODO: check
+   - lynx 2.8.9dev16-1
+   - lynx-cur 
+   NOTE: 
https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9
 CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is 
vulnerable to ...)
TODO: check
 CVE-2017-1000204


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57748 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:18:51 + (Fri, 17 Nov 2017)
New Revision: 57748

Modified:
   data/CVE/list
Log:
Record changesets for pjproject issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:16:42 UTC (rev 57747)
+++ data/CVE/list   2017-11-17 22:18:51 UTC (rev 57748)
@@ -9,6 +9,7 @@
 CVE-2017-16875 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
- pjproject 2.7.1~dfsg-1
NOTE: https://trac.pjsip.org/repos/ticket/2055
+   NOTE: https://trac.pjsip.org/repos/changeset/5680
 CVE-2017-16874
RESERVED
 CVE-2017-16873
@@ -48,6 +49,7 @@
 CVE-2017-16872 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
- pjproject 2.7.1~dfsg-1
NOTE: https://trac.pjsip.org/repos/ticket/2056
+   NOTE: https://trac.pjsip.org/repos/changeset/5682
 CVE-2017-16871 (The UpdraftPlus plugin through 1.13.12 for WordPress allows 
remote PHP ...)
TODO: check
 CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF 
in the ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57746 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:16:28 + (Fri, 17 Nov 2017)
New Revision: 57746

Modified:
   data/CVE/list
Log:
Add two pjproject issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 21:10:14 UTC (rev 57745)
+++ data/CVE/list   2017-11-17 22:16:28 UTC (rev 57746)
@@ -7,7 +7,8 @@
 CVE-2017-16876
RESERVED
 CVE-2017-16875 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
-   TODO: check
+   - pjproject 2.7.1~dfsg-1
+   NOTE: https://trac.pjsip.org/repos/ticket/2055
 CVE-2017-16874
RESERVED
 CVE-2017-16873
@@ -45,7 +46,8 @@
REJECTED
TODO: check
 CVE-2017-16872 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
-   TODO: check
+   - pjproject 2.7.1~dfsg-1
+   NOTE: https://trac.pjsip.org/repos/ticket/2056
 CVE-2017-16871 (The UpdraftPlus plugin through 1.13.12 for WordPress allows 
remote PHP ...)
TODO: check
 CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF 
in the ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57747 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 22:16:42 + (Fri, 17 Nov 2017)
New Revision: 57747

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 22:16:28 UTC (rev 57746)
+++ data/CVE/list   2017-11-17 22:16:42 UTC (rev 57747)
@@ -32053,7 +32053,7 @@
 CVE-2017-6169
RESERVED
 CVE-2017-6168 (On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 
12.0.0-12.1.2 ...)
-   TODO: check
+   NOT-FOR-US: F5 BIG-IP
 CVE-2017-6167
RESERVED
 CVE-2017-6166
@@ -36638,29 +36638,29 @@
 CVE-2017-4939
RESERVED
 CVE-2017-4938 (VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 
8.5.9) ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4937 (VMware Workstation (12.x before 12.5.8) and Horizon View Client 
for ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4936 (VMware Workstation (12.x before 12.5.8) and Horizon View Client 
for ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4935 (VMware Workstation (12.x before 12.5.8) and Horizon View Client 
for ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4934 (VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 
8.5.9) ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4933
RESERVED
 CVE-2017-4932 (VMware AirWatch Launcher for Android prior to 3.2.2 contains a 
...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4931 (VMware AirWatch Console 9.x prior to 9.2.0 contains a 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4930 (VMware AirWatch Console 9.x prior to 9.2.0 contains a 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4929 (VMware NSX Edge (6.2.x before 6.2.9 and 6.3.x before 6.3.5) 
contains a ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4928 (The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 
5.5 prior ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4927 (VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 
U3c) ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2017-4926 (VMware vCenter Server (6.5 prior to 6.5 U1) contains a 
vulnerability ...)
NOT-FOR-US: VMware
 CVE-2017-4925 (VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 
without ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57745 - data/CVE

2017-11-17 Thread security tracker role

Author: sectracker
Date: 2017-11-17 21:10:14 + (Fri, 17 Nov 2017)
New Revision: 57745

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 19:45:46 UTC (rev 57744)
+++ data/CVE/list   2017-11-17 21:10:14 UTC (rev 57745)
@@ -1,13 +1,59 @@
-CVE-2017-16872
+CVE-2017-16879
RESERVED
-CVE-2017-16871
+CVE-2017-16878
RESERVED
-CVE-2017-16870
+CVE-2017-16877 (ZEIT Next.js before 2.4.1 has directory traversal under the 
/_next and ...)
+   TODO: check
+CVE-2017-16876
RESERVED
-CVE-2017-16869
+CVE-2017-16875 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
+   TODO: check
+CVE-2017-16874
RESERVED
-CVE-2017-16868
+CVE-2017-16873
RESERVED
+CVE-2017-1000233
+   REJECTED
+   TODO: check
+CVE-2017-1000222
+   REJECTED
+   TODO: check
+CVE-2017-1000215 (ROOT xrootd version 4.6.0 and below is vulnerable to an ...)
+   TODO: check
+CVE-2017-1000212 (Elixir's vim plugin, alchemist.vim is vulnerable to remote 
code ...)
+   TODO: check
+CVE-2017-1000211 (Lynx version 2.8.8 and older is vulnerable to a use after 
free in the ...)
+   TODO: check
+CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is 
vulnerable to ...)
+   TODO: check
+CVE-2017-1000204
+   REJECTED
+   TODO: check
+CVE-2017-1000203 (ROOT version 6.9.03 and below is vulnerable to an 
authenticated shell ...)
+   TODO: check
+CVE-2017-1000192 (Cygnux sysPass version 2.1.7 and older is vulnerable to a 
Local File ...)
+   TODO: check
+CVE-2017-1000191 (Jool 3.5.0-3.5.1 is vulnerable to a kernel crashing packet 
resulting ...)
+   TODO: check
+CVE-2017-1000170 (jqueryFileTree 2.1.5 and older Directory Traversal ...)
+   TODO: check
+CVE-2017-1000169 (QuickerBB version <= 0.7.2 is vulnerable to arbitrary 
file writes ...)
+   TODO: check
+CVE-2017-1000168 (sodiumoxide 0.0.13 and older scalarmult() vulnerable to 
degenerate ...)
+   TODO: check
+CVE-2017-1000161
+   REJECTED
+   TODO: check
+CVE-2017-16872 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
+   TODO: check
+CVE-2017-16871 (The UpdraftPlus plugin through 1.13.12 for WordPress allows 
remote PHP ...)
+   TODO: check
+CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF 
in the ...)
+   TODO: check
+CVE-2017-16869 (p_mach.cpp in UPX 3.94 allows remote attackers to cause a 
denial of ...)
+   TODO: check
+CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c 
does not ...)
+   TODO: check
 CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
NOT-FOR-US: Amazon Key
 CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded 
from redis ...)
@@ -329,8 +375,7 @@
NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via the ...)
NOT-FOR-US: Zoho ManageEngine Applications Manager
-CVE-2017-16845 [ps2: information leakage via post_load routine]
-   RESERVED
+CVE-2017-16845 (hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' 
values ...)
- qemu 
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html
@@ -431,8 +476,8 @@
RESERVED
 CVE-2017-16821 (b3log Symphony (aka Sym) 2.2.0 has XSS in 
processor/AdminProcessor.java ...)
NOT-FOR-US: b3log Symphony
-CVE-2017-16819
-   RESERVED
+CVE-2017-16819 (A stored cross-site scripting vulnerability in the Icon Time 
Systems ...)
+   TODO: check
 CVE-2017-16818
RESERVED
 CVE-2017-16817
@@ -8001,8 +8046,8 @@
REJECTED
 CVE-2017-14112
RESERVED
-CVE-2017-14111
-   RESERVED
+CVE-2017-14111 (The workstation logging function in Philips IntelliSpace ...)
+   TODO: check
 CVE-2017-14110
RESERVED
 CVE-2017-1000201 (The tcmu-runner daemon in tcmu-runner version 1.0.5 to 1.2.0 
is ...)
@@ -9182,14 +9227,14 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495510
NOTE: 
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011729.html
NOTE: 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=63437ffbb58837b214b4b92cb1c54bc5f3279928
-CVE-2017-13703
-   RESERVED
-CVE-2017-13702
-   RESERVED
+CVE-2017-13703 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 
devices. A ...)
+   TODO: check
+CVE-2017-13702 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 
devices. ...)
+   TODO: check
 CVE-2017-13701
RESERVED
-CVE-2017-13700
-   RESERVED
+CVE-2017-13700 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 
devices. ...)
+   TODO: check
 CVE-2017-13699
RESERVED
 CVE-2017-13698
@@ -17467,16 +17512,16 @@
RESERVED
 CVE

[Secure-testing-commits] r57744 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 19:45:46 + (Fri, 17 Nov 2017)
New Revision: 57744

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-1000158/python2.7

Add python2.6 which has the same code.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 19:30:28 UTC (rev 57743)
+++ data/CVE/list   2017-11-17 19:45:46 UTC (rev 57744)
@@ -112,9 +112,11 @@
 CVE-2017-1000160 (EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site 
scripting ...)
NOT-FOR-US: EllisLab ExpressionEngine
 CVE-2017-1000158 (CPython (aka Python) up to 2.7.13 is vulnerable to an 
integer overflow ...)
-   - python2.7 
-   TODO: check other versions
+   - python2.7 2.7.13-4
+   - python2.6 
NOTE: https://bugs.python.org/issue30657
+   NOTE: 
https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae
+   NOTE: The 2.7.13-4 upload included the commit in 
debian/patches/git-updates.diff
 CVE-2017-1000129 (Serendipity 2.0.3 is vulnerable to a SQL injection in the 
blog ...)
- serendipity 
 CVE-2017-1000125 (Codiad(full version) is vulnerable to write anything to 
configure file ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57743 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 19:30:28 + (Fri, 17 Nov 2017)
New Revision: 57743

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-1000248, #882034

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 19:27:33 UTC (rev 57742)
+++ data/CVE/list   2017-11-17 19:30:28 UTC (rev 57743)
@@ -11,7 +11,7 @@
 CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
NOT-FOR-US: Amazon Key
 CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded 
from redis ...)
-   - ruby-redis-store 
+   - ruby-redis-store  (bug #882034)
NOTE: 
https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e
 CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 
is ...)
NOT-FOR-US: CodeIgniter


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57742 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 19:27:33 + (Fri, 17 Nov 2017)
New Revision: 57742

Modified:
   data/CVE/list
Log:
Add bug reference for optipng issue, #882032

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 19:19:27 UTC (rev 57741)
+++ data/CVE/list   2017-11-17 19:27:33 UTC (rev 57742)
@@ -45,7 +45,7 @@
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
NOTE: 
https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2
 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)
-   - optipng 
+   - optipng  (bug #882032)
NOTE: https://sourceforge.net/p/optipng/bugs/65/
 CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote 
code ...)
NOT-FOR-US: nodejs ejs


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57741 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 19:19:27 + (Fri, 17 Nov 2017)
New Revision: 57741

Modified:
   data/CVE/list
Log:
Sort one entry

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 19:18:35 UTC (rev 57740)
+++ data/CVE/list   2017-11-17 19:19:27 UTC (rev 57741)
@@ -23606,8 +23606,8 @@
 CVE-2017-8807 (vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish 
HTTP Cache ...)
{DSA-4034-1}
- varnish  (bug #881808)
+   [jessie] - varnish  (Vulnerable code not present, issue 
introduced in 4.1.0)
[wheezy] - varnish  (Vulnerable code not present, issue 
introduced in 4.1.0)
-   [jessie] - varnish  (Vulnerable code not present, issue 
introduced in 4.1.0)
NOTE: http://varnish-cache.org/security/VSV2.html
NOTE: https://github.com/varnishcache/varnish-cache/pull/2429
NOTE: Fixed by: 
https://github.com/varnishcache/varnish-cache/commit/176f8a075a


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57740 - data

2017-11-17 Thread Roberto C. Sanchez

Author: roberto
Date: 2017-11-17 19:18:35 + (Fri, 17 Nov 2017)
New Revision: 57740

Modified:
   data/dla-needed.txt
Log:
Claim python2.7 in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 19:16:23 UTC (rev 57739)
+++ data/dla-needed.txt 2017-11-17 19:18:35 UTC (rev 57740)
@@ -95,7 +95,7 @@
 --
 python-werkzeug (Thorsten Alteholz)
 --
-python2.7
+python2.7 (Roberto C. Sánchez)
 --
 qemu
   NOTE: 20171012 Can wait for more issues to pile up


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57739 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:16:23 + (Fri, 17 Nov 2017)
New Revision: 57739

Modified:
   data/dla-needed.txt
Log:
Claim konversation in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 19:12:25 UTC (rev 57738)
+++ data/dla-needed.txt 2017-11-17 19:16:23 UTC (rev 57739)
@@ -23,7 +23,7 @@
 jasperreports
   NOTE: 20171031: No details available. Asked upstream for clarification.
 --
-konversation
+konversation (Chris Lamb)
 --
 lame (Hugo Lefeuvre)
   NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced 
CVE-2017-150{18,45,46} 


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57738 - data/CVE

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:12:25 + (Fri, 17 Nov 2017)
New Revision: 57738

Modified:
   data/CVE/list
Log:
CVE-2017-8807/varnish also not vulnerable in wheezy.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 19:09:53 UTC (rev 57737)
+++ data/CVE/list   2017-11-17 19:12:25 UTC (rev 57738)
@@ -23606,6 +23606,7 @@
 CVE-2017-8807 (vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish 
HTTP Cache ...)
{DSA-4034-1}
- varnish  (bug #881808)
+   [wheezy] - varnish  (Vulnerable code not present, issue 
introduced in 4.1.0)
[jessie] - varnish  (Vulnerable code not present, issue 
introduced in 4.1.0)
NOTE: http://varnish-cache.org/security/VSV2.html
NOTE: https://github.com/varnishcache/varnish-cache/pull/2429


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57737 - data

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 19:09:53 + (Fri, 17 Nov 2017)
New Revision: 57737

Modified:
   data/dsa-needed.txt
Log:
Add procmail to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-17 19:09:38 UTC (rev 57736)
+++ data/dsa-needed.txt 2017-11-17 19:09:53 UTC (rev 57737)
@@ -42,6 +42,8 @@
 --
 poppler
 --
+procmail
+--
 qemu/oldstable
 --
 salt


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57736 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:09:38 + (Fri, 17 Nov 2017)
New Revision: 57736

Modified:
   data/dla-needed.txt
Log:
data/dla-needed.txt: Note that opensaml2 and shibboleth-sp2 fixes are 
essentially the same.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 19:08:37 UTC (rev 57735)
+++ data/dla-needed.txt 2017-11-17 19:09:38 UTC (rev 57736)
@@ -82,6 +82,7 @@
 openjdk-7 (Emilio Pozuelo)
 --
 opensaml2
+ NOTE: 20171118: Same as shibboleth-sp2
 --
 optipng
 --
@@ -110,6 +111,7 @@
   NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog
 --
 shibboleth-sp2
+ NOTE: 20171118: Same as opensaml2
 --
 simplesamlphp
   NOTE: 2017-09-04: Maintainer will handle this.


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57735 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:08:37 + (Fri, 17 Nov 2017)
New Revision: 57735

Modified:
   data/dla-needed.txt
Log:
Triage shibboleth-sp2 for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 19:04:28 UTC (rev 57734)
+++ data/dla-needed.txt 2017-11-17 19:08:37 UTC (rev 57735)
@@ -109,6 +109,8 @@
 rtpproxy
   NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog
 --
+shibboleth-sp2
+--
 simplesamlphp
   NOTE: 2017-09-04: Maintainer will handle this.
   NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57734 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:04:28 + (Fri, 17 Nov 2017)
New Revision: 57734

Modified:
   data/dla-needed.txt
Log:
Triage opensaml2 for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 19:02:24 UTC (rev 57733)
+++ data/dla-needed.txt 2017-11-17 19:04:28 UTC (rev 57734)
@@ -81,6 +81,8 @@
 --
 openjdk-7 (Emilio Pozuelo)
 --
+opensaml2
+--
 optipng
 --
 poppler (Markus Koschany)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57733 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:02:24 + (Fri, 17 Nov 2017)
New Revision: 57733

Modified:
   data/dla-needed.txt
Log:
Triage konversation for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 19:01:48 UTC (rev 57732)
+++ data/dla-needed.txt 2017-11-17 19:02:24 UTC (rev 57733)
@@ -23,6 +23,8 @@
 jasperreports
   NOTE: 20171031: No details available. Asked upstream for clarification.
 --
+konversation
+--
 lame (Hugo Lefeuvre)
   NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced 
CVE-2017-150{18,45,46} 
   NOTE: 20171116: 3.100 available: check with the security team whether a 
backport is possible or not


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57732 - data/CVE

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:01:48 + (Fri, 17 Nov 2017)
New Revision: 57732

Modified:
   data/CVE/list
Log:
data/CVE/list: Mark CVE-2017-16239/nova as not supported in wheezy LTS.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 19:00:34 UTC (rev 57731)
+++ data/CVE/list   2017-11-17 19:01:48 UTC (rev 57732)
@@ -1826,6 +1826,7 @@
RESERVED
 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 
16.x through ...)
- nova 2:16.0.3-1 (bug #882009)
+   [wheezy] - nova  (Not supported in wheezy LTS)
NOTE: https://launchpad.net/bugs/1664931
NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html
TODO: check / verify affected versions


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57731 - data/CVE

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 19:00:34 + (Fri, 17 Nov 2017)
New Revision: 57731

Modified:
   data/CVE/list
Log:
data/CVE/list: Mark CVE-2017-88* (mediawiki) as not supported in wheezy LTS

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 18:58:38 UTC (rev 57730)
+++ data/CVE/list   2017-11-17 19:00:34 UTC (rev 57731)
@@ -23561,11 +23561,13 @@
 CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x 
before ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
+   [wheezy] - mediawiki  (Not supported in wheezy LTS)
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
NOTE: https://phabricator.wikimedia.org/T119158
 CVE-2017-8814 (The language converter in MediaWiki before 1.27.4, 1.28.x 
before ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
+   [wheezy] - mediawiki  (Not supported in wheezy LTS)
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
NOTE: https://phabricator.wikimedia.org/T124404
 CVE-2017-8813
@@ -23573,26 +23575,31 @@
 CVE-2017-8812 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x 
before 1.29.2 ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
+   [wheezy] - mediawiki  (Not supported in wheezy LTS)
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
NOTE: https://phabricator.wikimedia.org/T125163
 CVE-2017-8811 (The implementation of raw message parameter expansion in 
MediaWiki ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
+   [wheezy] - mediawiki  (Not supported in wheezy LTS)
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
NOTE: https://phabricator.wikimedia.org/T176247
 CVE-2017-8810 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x 
before ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
+   [wheezy] - mediawiki  (Not supported in wheezy LTS)
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
NOTE: https://phabricator.wikimedia.org/T134100
 CVE-2017-8809 (api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 
1.29.x ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
+   [wheezy] - mediawiki  (Not supported in wheezy LTS)
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
NOTE: https://phabricator.wikimedia.org/T128209
 CVE-2017-8808 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x 
before 1.29.2 ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
+   [wheezy] - mediawiki  (Not supported in wheezy LTS)
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
NOTE: https://phabricator.wikimedia.org/T178451
 CVE-2017-8807 (vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish 
HTTP Cache ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57730 - data/CVE

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:58:38 + (Fri, 17 Nov 2017)
New Revision: 57730

Modified:
   data/CVE/list
Log:
data/CVE/list: Add note for CVE-2017-16835/pnp4nagios

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 18:45:51 UTC (rev 57729)
+++ data/CVE/list   2017-11-17 18:58:38 UTC (rev 57730)
@@ -355,6 +355,9 @@
 CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned 
by an ...)
- pnp4nagios 
NOTE: https://github.com/lingej/pnp4nagios/issues/140
+   NOTE: Fixed by dh_fixperms, surely? eg.
+   NOTE: $ ls -l /etc/pnp4nagios/npcd.cfg
+   NOTE: -rw-r--r-- 1 root root 4149 Nov 25  2012 /etc/pnp4nagios/npcd.cfg
 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro 
before ...)
NOT-FOR-US: Gemirro
 CVE-2017-16853 (The DynamicMetadataProvider class in ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57729 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:45:51 + (Fri, 17 Nov 2017)
New Revision: 57729

Modified:
   data/dla-needed.txt
Log:
data/dla-needed.txt: At least CVE-2017-16797 is present for swftools in wheezy.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:45:48 UTC (rev 57728)
+++ data/dla-needed.txt 2017-11-17 18:45:51 UTC (rev 57729)
@@ -119,6 +119,7 @@
   NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. 
--lamby
 --
 swftools
+  NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
 --
 tiff (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57728 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:45:48 + (Fri, 17 Nov 2017)
New Revision: 57728

Modified:
   data/dla-needed.txt
Log:
Triage swftools for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:40:46 UTC (rev 57727)
+++ data/dla-needed.txt 2017-11-17 18:45:48 UTC (rev 57728)
@@ -118,6 +118,8 @@
 suricata
   NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. 
--lamby
 --
+swftools
+--
 tiff (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57727 - data/CVE

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:40:46 + (Fri, 17 Nov 2017)
New Revision: 57727

Modified:
   data/CVE/list
Log:
No dwarf support in wheezy's radare2.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 18:38:15 UTC (rev 57726)
+++ data/CVE/list   2017-11-17 18:40:46 UTC (rev 57727)
@@ -462,6 +462,7 @@
NOT-FOR-US: Ulterius
 CVE-2017-16805 (In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to 
cause a ...)
- radare2 
+   [wheezy] - radare2  (Vulnerable code does not exist; no 
dwarf support)
NOTE: 
https://github.com/radare/radare2/commit/2ca9ab45891b6ae8e32b6c28c81eebca059cbe5d
NOTE: https://github.com/radare/radare2/issues/8813
 CVE-2017-16803 (In Libav through 11.11 and 12.x through 12.1, the 
smacker_decode_tree ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57726 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:38:15 + (Fri, 17 Nov 2017)
New Revision: 57726

Modified:
   data/dla-needed.txt
Log:
Triage python2.7 for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:35:57 UTC (rev 57725)
+++ data/dla-needed.txt 2017-11-17 18:38:15 UTC (rev 57726)
@@ -90,6 +90,8 @@
 --
 python-werkzeug (Thorsten Alteholz)
 --
+python2.7
+--
 qemu
   NOTE: 20171012 Can wait for more issues to pile up
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57725 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 18:35:57 + (Fri, 17 Nov 2017)
New Revision: 57725

Modified:
   data/CVE/list
Log:
procmail fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 18:35:26 UTC (rev 57724)
+++ data/CVE/list   2017-11-17 18:35:57 UTC (rev 57725)
@@ -333,7 +333,7 @@
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html
 CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in 
formisc.c in ...)
-   - procmail  (bug #876511)
+   - procmail 3.22-26 (bug #876511)
 CVE-2017-16843 (Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via 
the ...)
NOT-FOR-US: Vonage VDV-23
 CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57724 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 18:35:26 + (Fri, 17 Nov 2017)
New Revision: 57724

Modified:
   data/CVE/list
Log:
nova fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 18:34:54 UTC (rev 57723)
+++ data/CVE/list   2017-11-17 18:35:26 UTC (rev 57724)
@@ -1821,7 +1821,7 @@
 CVE-2017-16240
RESERVED
 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 
16.x through ...)
-   - nova  (bug #882009)
+   - nova 2:16.0.3-1 (bug #882009)
NOTE: https://launchpad.net/bugs/1664931
NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html
TODO: check / verify affected versions


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57722 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:34:52 + (Fri, 17 Nov 2017)
New Revision: 57722

Modified:
   data/dla-needed.txt
Log:
Triage procmail for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:33:55 UTC (rev 57721)
+++ data/dla-needed.txt 2017-11-17 18:34:52 UTC (rev 57722)
@@ -86,6 +86,8 @@
   NOTE: drawForm is doForm1 in wheezy
   NOTE: exploit does not loop but code looks affected
 --
+procmail
+--
 python-werkzeug (Thorsten Alteholz)
 --
 qemu


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57723 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:34:54 + (Fri, 17 Nov 2017)
New Revision: 57723

Modified:
   data/dla-needed.txt
Log:
Claim procmail in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:34:52 UTC (rev 57722)
+++ data/dla-needed.txt 2017-11-17 18:34:54 UTC (rev 57723)
@@ -86,7 +86,7 @@
   NOTE: drawForm is doForm1 in wheezy
   NOTE: exploit does not loop but code looks affected
 --
-procmail
+procmail (Chris Lamb)
 --
 python-werkzeug (Thorsten Alteholz)
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57721 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 18:33:55 + (Fri, 17 Nov 2017)
New Revision: 57721

Modified:
   data/CVE/list
Log:
chicken uploaded to sid, keeping the version that initially hit experimental


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 18:32:50 UTC (rev 57720)
+++ data/CVE/list   2017-11-17 18:33:55 UTC (rev 57721)
@@ -15971,8 +15971,7 @@
[stretch] - yadm 1.06-1+deb9u1
NOTE: https://github.com/TheLocehiliosan/yadm/issues/74
 CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of 
CHICKEN ...)
-   [experimental] - chicken 4.12.0-0.2
-   - chicken  (bug #870266)
+   - chicken 4.12.0-0.2 (bug #870266)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
[wheezy] - chicken  (Minor issue)
@@ -21803,8 +21802,7 @@
 CVE-2017-9325
RESERVED
 CVE-2017-9334 (An incorrect "pair?" check in the Scheme 
"length" procedure results in ...)
-   [experimental] - chicken 4.12.0-0.2
-   - chicken  (low; bug #863884)
+   - chicken 4.12.0-0.2 (low; bug #863884)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
[wheezy] - chicken  (Minor issue)
@@ -29666,8 +29664,7 @@
NOT-FOR-US: SAP
 CVE-2017-6949 (An issue was discovered in CHICKEN Scheme through 4.12.0. When 
using a ...)
{DLA-908-1}
-   [experimental] - chicken 4.12.0-0.2
-   - chicken  (bug #858057)
+   - chicken 4.12.0-0.2 (bug #858057)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
NOTE: 
http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg0.html
@@ -39249,8 +39246,7 @@
NOTE: https://github.com/docker/docker/compare/v1.12.5...v1.12.6
NOTE: 
https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
 CVE-2016-9954 (The backtrack compilation code in the Irregex package (aka 
IrRegular ...)
-   [experimental] - chicken 4.12.0-0.2
-   - chicken  (low; bug #851278)
+   - chicken 4.12.0-0.2 (low; bug #851278)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
[wheezy] - chicken  (Minor issue)
@@ -57448,15 +57444,13 @@
NOTE: Claimed to not affect ffmpeg
 CVE-2016-6831 (The "process-execute" and "process-spawn" 
procedures did not free ...)
{DLA-643-1}
-   [experimental] - chicken 4.12.0-0.2
-   - chicken  (bug #834845)
+   - chicken 4.12.0-0.2 (bug #834845)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
NOTE: Fixed in the same upstream patch which is provided for 
CVE-2016-6830
 CVE-2016-6830 (The "process-execute" and "process-spawn" 
procedures in CHICKEN Scheme ...)
{DLA-643-1}
-   [experimental] - chicken 4.12.0-0.2
-   - chicken  (bug #834845)
+   - chicken 4.12.0-0.2 (bug #834845)
[stretch] - chicken  (Minor issue)
[jessie] - chicken  (Minor issue)
NOTE: 
http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg1.html


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57720 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:32:50 + (Fri, 17 Nov 2017)
New Revision: 57720

Modified:
   data/dla-needed.txt
Log:
Triage optipng for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:27:15 UTC (rev 57719)
+++ data/dla-needed.txt 2017-11-17 18:32:50 UTC (rev 57720)
@@ -79,6 +79,8 @@
 --
 openjdk-7 (Emilio Pozuelo)
 --
+optipng
+--
 poppler (Markus Koschany)
   NOTE: not fixed in sid yet so did not ping maintainer
   NOTE: drawForm is doForm1 in wheezy


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57719 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:27:15 + (Fri, 17 Nov 2017)
New Revision: 57719

Modified:
   data/dla-needed.txt
Log:
data/dla-needed.txt: Add comment for ldns.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:25:53 UTC (rev 57718)
+++ data/dla-needed.txt 2017-11-17 18:27:15 UTC (rev 57719)
@@ -30,6 +30,7 @@
   NOTE: a backport to Stretch, which will therefore make a backport to 
Jessie/Wheezy impossible).
 --
 ldns
+ NOTE: 20178: Fix for CVE-2017-1000231 will need some adjustment for 
wheezy (lamby)
 --
 libav (Hugo Lefeuvre)
   NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches.


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57718 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:25:53 + (Fri, 17 Nov 2017)
New Revision: 57718

Modified:
   data/dla-needed.txt
Log:
Triage ldns for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:20:21 UTC (rev 57717)
+++ data/dla-needed.txt 2017-11-17 18:25:53 UTC (rev 57718)
@@ -29,6 +29,8 @@
   NOTE: (since Stretch isn't affected by these issues they are probably not 
going to accept
   NOTE: a backport to Stretch, which will therefore make a backport to 
Jessie/Wheezy impossible).
 --
+ldns
+--
 libav (Hugo Lefeuvre)
   NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches.
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57717 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:20:21 + (Fri, 17 Nov 2017)
New Revision: 57717

Modified:
   data/dla-needed.txt
Log:
Claim collectd in data/dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 18:20:17 UTC (rev 57716)
+++ data/dla-needed.txt 2017-11-17 18:20:21 UTC (rev 57717)
@@ -16,7 +16,7 @@
 --
 cacti
 --
-collectd
+collectd (Chris Lamb)
 --
 irssi (Rhonda D'Vine)
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57716 - data

2017-11-17 Thread Chris Lamb

Author: lamby
Date: 2017-11-17 18:20:17 + (Fri, 17 Nov 2017)
New Revision: 57716

Modified:
   data/dla-needed.txt
Log:
Triage collectd for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-17 17:05:47 UTC (rev 57715)
+++ data/dla-needed.txt 2017-11-17 18:20:17 UTC (rev 57716)
@@ -16,6 +16,8 @@
 --
 cacti
 --
+collectd
+--
 irssi (Rhonda D'Vine)
 --
 jasperreports


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57715 - data/CVE

2017-11-17 Thread Emilio Pozuelo Monfort

Author: pochu
Date: 2017-11-17 17:05:47 + (Fri, 17 Nov 2017)
New Revision: 57715

Modified:
   data/CVE/list
Log:
binutils ignored on wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 16:37:41 UTC (rev 57714)
+++ data/CVE/list   2017-11-17 17:05:47 UTC (rev 57715)
@@ -371,42 +371,49 @@
- binutils 
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22373
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b
 CVE-2017-16831 (coffgen.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as ...)
- binutils 
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22385
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca
 CVE-2017-16830 (The print_gnu_property_note function in readelf.c in GNU 
Binutils ...)
- binutils 
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22384
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4
 CVE-2017-16829 (The _bfd_elf_parse_gnu_properties function in elf-properties.c 
in the ...)
- binutils 
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22307
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163
 CVE-2017-16828 (The display_debug_frames function in dwarf.c in GNU Binutils 
2.29.1 ...)
- binutils 
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22386
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d
 CVE-2017-16827 (The aout_get_external_symbols function in aoutx.h in the 
Binary File ...)
- binutils 
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22306
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419
 CVE-2017-16826 (The coff_slurp_line_table function in coffcode.h in the Binary 
File ...)
- binutils 
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22376
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d
 CVE-2017-16825


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57714 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 16:37:41 + (Fri, 17 Nov 2017)
New Revision: 57714

Modified:
   data/CVE/list
Log:
Add ldns bugs, #882014, #882015

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 16:30:04 UTC (rev 57713)
+++ data/CVE/list   2017-11-17 16:37:41 UTC (rev 57714)
@@ -37,11 +37,11 @@
 CVE-2017-1000234 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Directory ...)
NOT-FOR-US: I, Librarian
 CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have 
...)
-   - ldns 
+   - ldns  (bug #882014)
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257
NOTE: 
https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02505c9bbacb3b64a97ddcb1de967153b7
 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have 
unspecified ...)
-   - ldns 
+   - ldns  (bug #882015)
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
NOTE: 
https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2
 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57713 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 16:30:04 + (Fri, 17 Nov 2017)
New Revision: 57713

Modified:
   data/CVE/list
Log:
Add references to fix for ldns issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 16:04:40 UTC (rev 57712)
+++ data/CVE/list   2017-11-17 16:30:04 UTC (rev 57713)
@@ -39,9 +39,11 @@
 CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have 
...)
- ldns 
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257
+   NOTE: 
https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02505c9bbacb3b64a97ddcb1de967153b7
 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have 
unspecified ...)
- ldns 
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
+   NOTE: 
https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2
 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)
- optipng 
NOTE: https://sourceforge.net/p/optipng/bugs/65/


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57712 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 16:04:40 + (Fri, 17 Nov 2017)
New Revision: 57712

Modified:
   data/CVE/list
Log:
Add bug reference for python-pysaml2, #882012

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 16:01:45 UTC (rev 57711)
+++ data/CVE/list   2017-11-17 16:04:40 UTC (rev 57712)
@@ -16,7 +16,7 @@
 CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 
is ...)
NOT-FOR-US: CodeIgniter
 CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the 
...)
-   - python-pysaml2 
+   - python-pysaml2  (bug #882012)
[stretch] - python-pysaml2  (Minor issue)
[jessie] - python-pysaml2  (Minor issue)
NOTE: https://github.com/rohe/pysaml2/issues/417


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57711 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 16:01:45 + (Fri, 17 Nov 2017)
New Revision: 57711

Modified:
   data/CVE/list
Log:
Mark python-pysaml2 issue as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 15:53:03 UTC (rev 57710)
+++ data/CVE/list   2017-11-17 16:01:45 UTC (rev 57711)
@@ -17,6 +17,8 @@
NOT-FOR-US: CodeIgniter
 CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the 
...)
- python-pysaml2 
+   [stretch] - python-pysaml2  (Minor issue)
+   [jessie] - python-pysaml2  (Minor issue)
NOTE: https://github.com/rohe/pysaml2/issues/417
 CVE-2017-1000241 (The application OpenEMR version 5.0.0, 5.0.1-dev and prior 
is affected ...)
NOT-FOR-US: OpenEMR


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57710 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 15:53:03 + (Fri, 17 Nov 2017)
New Revision: 57710

Modified:
   data/CVE/list
Log:
Sync status for CVE-2016-10208 for wheezy's src:linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 15:51:30 UTC (rev 57709)
+++ data/CVE/list   2017-11-17 15:53:03 UTC (rev 57710)
@@ -32894,7 +32894,6 @@
 CVE-2016-10208 (The ext4_fill_super function in fs/ext4/super.c in the Linux 
kernel ...)
- linux 4.9.10-1
[jessie] - linux 3.16.43-1
-   [wheezy] - linux  (Vulnerable code introduced later)
NOTE: Fixed by: 
https://github.com/torvalds/linux/commit/3a4b77cd47bb837b8557595ec7425f281f2ca1fe
 (4.10-rc1)
NOTE: Introduced by: 
https://github.com/torvalds/linux/commit/952fc18ef9ec707ebdc16c0786ec360295e5ff15
 (3.6-rc1)
 CVE-2017-5886 (Heap-based buffer overflow in the 
PoDoFo::PdfTokenizer::GetNextToken ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57709 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 15:51:30 + (Fri, 17 Nov 2017)
New Revision: 57709

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-16239, #882009

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:56:46 UTC (rev 57708)
+++ data/CVE/list   2017-11-17 15:51:30 UTC (rev 57709)
@@ -1810,7 +1810,7 @@
 CVE-2017-16240
RESERVED
 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 
16.x through ...)
-   - nova 
+   - nova  (bug #882009)
NOTE: https://launchpad.net/bugs/1664931
NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html
TODO: check / verify affected versions


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57708 - data/CVE

2017-11-17 Thread Salvatore Bonaccorso

Author: carnil
Date: 2017-11-17 09:56:46 + (Fri, 17 Nov 2017)
New Revision: 57708

Modified:
   data/CVE/list
Log:
Adjust one note for swftools

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:33:04 UTC (rev 57707)
+++ data/CVE/list   2017-11-17 09:56:46 UTC (rev 57708)
@@ -92,7 +92,7 @@
NOTE: https://github.com/matthiaskramm/swftools/issues/33
 CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...)
- swftools 
-   NOTE: https://github.com/matthiaskramm/swftools/issues/32
+   NOTE: https://github.com/matthiaskramm/swftools/issues/30
 CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...)
- swftools 
NOTE: https://github.com/matthiaskramm/swftools/issues/23


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57707 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:33:04 + (Fri, 17 Nov 2017)
New Revision: 57707

Modified:
   data/CVE/list
Log:
NFUs, some need further investigation with Mono maintainers


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:29:52 UTC (rev 57706)
+++ data/CVE/list   2017-11-17 09:33:04 UTC (rev 57707)
@@ -14297,7 +14297,7 @@
 CVE-2017-11884 (Microsoft Excel 2016 Click-to-Run (C2R) allows an attacker to 
run ...)
NOT-FOR-US: Microsoft
 CVE-2017-11883 (.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker 
to ...)
-   TODO: check
+   TODO: check with Debian mono maintainers
 CVE-2017-11882 (Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 
Service ...)
NOT-FOR-US: Microsoft
 CVE-2017-11881
@@ -14305,7 +14305,7 @@
 CVE-2017-11880 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and 
R2 SP1, ...)
NOT-FOR-US: Microsoft
 CVE-2017-11879 (ASP.NET Core 2.0 allows an attacker to steal log-in session 
...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-11878 (Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 
Service Pack ...)
NOT-FOR-US: Microsoft
 CVE-2017-11877 (Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 
Service Pack ...)
@@ -14523,7 +14523,7 @@
 CVE-2017-11771 (The Microsoft Windows Search component on Microsoft Windows 
Server ...)
NOT-FOR-US: Microsoft
 CVE-2017-11770 (.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker 
to ...)
-   TODO: check
+   TODO: check with Debian mono maintainers
 CVE-2017-11769 (The Microsoft Windows TRIE component on Microsoft Windows 10 
Gold, ...)
NOT-FOR-US: Microsoft
 CVE-2017-11768 (Windows Media Player in Windows 7 SP1, Windows Server 2008 SP2 
and R2 ...)
@@ -23880,7 +23880,7 @@
 CVE-2017-8701
RESERVED
 CVE-2017-8700 (ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8699 (Windows Shell in Microsoft Windows 7 SP1, Windows Server 2008 
and R2 ...)
NOT-FOR-US: Microsoft
 CVE-2017-8698


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57706 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:29:52 + (Fri, 17 Nov 2017)
New Revision: 57706

Modified:
   data/CVE/list
Log:
NFU


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:26:56 UTC (rev 57705)
+++ data/CVE/list   2017-11-17 09:29:52 UTC (rev 57706)
@@ -78119,6 +78119,7 @@
[wheezy] - ruby-actionpack-2.3 
 CVE-2016-0750
RESERVED
+   NOT-FOR-US: Infinispan
 CVE-2016-0749 (The smartcard interaction in SPICE allows remote attackers to 
cause a ...)
{DSA-3596-1}
- spice 0.12.6-4.1 (bug #826585)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57705 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:26:56 + (Fri, 17 Nov 2017)
New Revision: 57705

Modified:
   data/CVE/list
Log:
new python issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:26:09 UTC (rev 57704)
+++ data/CVE/list   2017-11-17 09:26:56 UTC (rev 57705)
@@ -108,7 +108,9 @@
 CVE-2017-1000160 (EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site 
scripting ...)
NOT-FOR-US: EllisLab ExpressionEngine
 CVE-2017-1000158 (CPython (aka Python) up to 2.7.13 is vulnerable to an 
integer overflow ...)
-   TODO: check
+   - python2.7 
+   TODO: check other versions
+   NOTE: https://bugs.python.org/issue30657
 CVE-2017-1000129 (Serendipity 2.0.3 is vulnerable to a SQL injection in the 
blog ...)
- serendipity 
 CVE-2017-1000125 (Codiad(full version) is vulnerable to write anything to 
configure file ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57704 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:26:09 + (Fri, 17 Nov 2017)
New Revision: 57704

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:24:07 UTC (rev 57703)
+++ data/CVE/list   2017-11-17 09:26:09 UTC (rev 57704)
@@ -58,9 +58,9 @@
 CVE-2017-1000219 (npm/KyleRoss windows-cpu all versions vulnerable to command 
injection ...)
NOT-FOR-US: npm/KyleRoss windows-cpu
 CVE-2017-1000218 (LightFTP version 1.1 is vulnerable to a buffer overflow in 
the ...)
-   TODO: check
+   NOT-FOR-US: LightFTP
 CVE-2017-1000213 (WBCE v1.1.11 is vulnerable to reflected XSS via the 
"begriff" POST ...)
-   TODO: check
+   NOT-FOR-US: WBCE
 CVE-2017-1000210 (picoTCP (versions 1.7.0 - 1.5.0) is vulnerable to stack 
buffer ...)
NOT-FOR-US: picoTCP
 CVE-2017-1000209 (The Java WebSocket client nv-websocket-client does not 
verify that the ...)
@@ -284,7 +284,7 @@
 CVE-2018-0001
RESERVED
 CVE-2017-16866 (dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site 
Scripting (XSS) ...)
-   TODO: check
+   NOT-FOR-US: dayrui FineCms
 CVE-2017-16865
RESERVED
 CVE-2017-16864
@@ -329,7 +329,7 @@
 CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in 
formisc.c in ...)
- procmail  (bug #876511)
 CVE-2017-16843 (Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: Vonage VDV-23
 CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in ...)
NOT-FOR-US: Yoast SEO plugin for WordPress
 CVE-2017-16841 (LanSweeper 6.0.100.75 has XSS via the description parameter to 
...)
@@ -524,7 +524,7 @@
 CVE-2017-16778
RESERVED
 CVE-2017-16777 (If HashiCorp Vagrant VMware Fusion plugin (aka 
vagrant-vmware-fusion) ...)
-   TODO: check
+   NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin
 CVE-2017-16776
RESERVED
 CVE-2017-16775
@@ -640,7 +640,7 @@
 CVE-2017-16720
RESERVED
 CVE-2017-16719 (An Injection issue was discovered in Moxa NPort 5110 Version 
2.2, NPort ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2017-16718
RESERVED
 CVE-2017-16717
@@ -648,7 +648,7 @@
 CVE-2017-16716
RESERVED
 CVE-2017-16715 (An Information Exposure issue was discovered in Moxa NPort 
5110 Version ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2017-16714
RESERVED
 CVE-2017-16713
@@ -3158,7 +3158,7 @@
 CVE-2017-15807
RESERVED
 CVE-2017-15806 (The send function in the ezcMailMtaTransport class in Zeta 
Components ...)
-   TODO: check
+   NOT-FOR-US: Zeta Components Mail
 CVE-2016-10516 (Cross-site scripting (XSS) vulnerability in the render_full 
function in ...)
- python-werkzeug 0.11.11+dfsg1-1
NOTE: 
http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/
@@ -3771,9 +3771,9 @@
 CVE-2017-15518
RESERVED
 CVE-2017-15517 (AltaVault OST Plug-in versions prior to 1.2.2 may allow 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: AltaVault OST Plug-in
 CVE-2017-15516 (NetApp SnapCenter Server versions 1.1 through 2.x are 
susceptible to a ...)
-   TODO: check
+   NOT-FOR-US: NetApp
 CVE-2017-15515
RESERVED
 CVE-2017-15514


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57703 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:24:07 + (Fri, 17 Nov 2017)
New Revision: 57703

Modified:
   data/CVE/list
Log:
new ruby-redis-store issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:22:50 UTC (rev 57702)
+++ data/CVE/list   2017-11-17 09:24:07 UTC (rev 57703)
@@ -11,7 +11,8 @@
 CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
NOT-FOR-US: Amazon Key
 CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded 
from redis ...)
-   TODO: check
+   - ruby-redis-store 
+   NOTE: 
https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e
 CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 
is ...)
NOT-FOR-US: CodeIgniter
 CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the 
...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57702 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:22:50 + (Fri, 17 Nov 2017)
New Revision: 57702

Modified:
   data/CVE/list
Log:
new swftools issues


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:21:32 UTC (rev 57701)
+++ data/CVE/list   2017-11-17 09:22:50 UTC (rev 57702)
@@ -81,17 +81,23 @@
 CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a ...)
NOT-FOR-US: nodejs ejs
 CVE-2017-1000187 (In SWFTools, an address access exception was found in 
pdf2swf. ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/36
 CVE-2017-1000186 (In SWFTools, a stack overflow was found in pdf2swf. ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/34
 CVE-2017-1000185 (In SWFTools, a memcpy buffer overflow was found in gif2swf. 
...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/33
 CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/32
 CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/23
 CVE-2017-1000174 (In SWFTools, an address access exception was found in 
swfdump ...)
-   TODO: check
+   - swftools 
+   NOTE: https://github.com/matthiaskramm/swftools/issues/21
 CVE-2017-1000173 (Creolabs Gravity Version: 1.0 Heap Overflow Potential Code 
Execution. ...)
NOT-FOR-US: Creolabs Gravity
 CVE-2017-1000172 (Creolabs Gravity Version: 1.0 Use-After-Free Possible code 
execution. ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57701 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:21:32 + (Fri, 17 Nov 2017)
New Revision: 57701

Modified:
   data/CVE/list
Log:
new optipng issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:20:46 UTC (rev 57700)
+++ data/CVE/list   2017-11-17 09:21:32 UTC (rev 57701)
@@ -40,7 +40,8 @@
- ldns 
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)
-   TODO: check
+   - optipng 
+   NOTE: https://sourceforge.net/p/optipng/bugs/65/
 CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote 
code ...)
NOT-FOR-US: nodejs ejs
 CVE-2017-1000226 (Stop User Enumeration 1.3.8 allows user enumeration via the 
REST API ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57700 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:20:46 + (Fri, 17 Nov 2017)
New Revision: 57700

Modified:
   data/CVE/list
Log:
new ldns issues


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:19:38 UTC (rev 57699)
+++ data/CVE/list   2017-11-17 09:20:46 UTC (rev 57700)
@@ -34,9 +34,11 @@
 CVE-2017-1000234 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Directory ...)
NOT-FOR-US: I, Librarian
 CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have 
...)
-   TODO: check
+   - ldns 
+   NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257
 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have 
unspecified ...)
-   TODO: check
+   - ldns 
+   NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)
TODO: check
 CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote 
code ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57699 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:19:38 + (Fri, 17 Nov 2017)
New Revision: 57699

Modified:
   data/CVE/list
Log:
new pysaml issue


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:18:16 UTC (rev 57698)
+++ data/CVE/list   2017-11-17 09:19:38 UTC (rev 57699)
@@ -15,7 +15,8 @@
 CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 
is ...)
NOT-FOR-US: CodeIgniter
 CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the 
...)
-   TODO: check
+   - python-pysaml2 
+   NOTE: https://github.com/rohe/pysaml2/issues/417
 CVE-2017-1000241 (The application OpenEMR version 5.0.0, 5.0.1-dev and prior 
is affected ...)
NOT-FOR-US: OpenEMR
 CVE-2017-1000240 (The application OpenEMR is affected by multiple reflected 
& stored ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r57698 - data/CVE

2017-11-17 Thread Moritz Muehlenhoff

Author: jmm
Date: 2017-11-17 09:18:16 + (Fri, 17 Nov 2017)
New Revision: 57698

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 09:10:18 UTC (rev 57697)
+++ data/CVE/list   2017-11-17 09:18:16 UTC (rev 57698)
@@ -9,29 +9,29 @@
 CVE-2017-16868
RESERVED
 CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
-   TODO: check
+   NOT-FOR-US: Amazon Key
 CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded 
from redis ...)
TODO: check
 CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 
is ...)
-   TODO: check
+   NOT-FOR-US: CodeIgniter
 CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the 
...)
TODO: check
 CVE-2017-1000241 (The application OpenEMR version 5.0.0, 5.0.1-dev and prior 
is affected ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2017-1000240 (The application OpenEMR is affected by multiple reflected 
& stored ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2017-1000239 (InvoicePlane version 1.4.10 is vulnerable to a Stored Cross 
Site ...)
-   TODO: check
+   NOT-FOR-US: InvoicePlane
 CVE-2017-1000238 (InvoicePlane version 1.4.10 is vulnerable to a Arbitrary 
File Upload ...)
-   TODO: check
+   NOT-FOR-US: InvoicePlane
 CVE-2017-1000237 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Server-Side Request ...)
-   TODO: check
+   NOT-FOR-US: I, Librarian
 CVE-2017-1000236 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Reflected Cross-Site ...)
-   TODO: check
+   NOT-FOR-US: I, Librarian
 CVE-2017-1000235 (I, Librarian version <=4.6 & 4.7 is vulnerable to OS 
Command Injection ...)
-   TODO: check
+   NOT-FOR-US: I, Librarian
 CVE-2017-1000234 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Directory ...)
-   TODO: check
+   NOT-FOR-US: I, Librarian
 CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have 
...)
TODO: check
 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have 
unspecified ...)
@@ -39,43 +39,43 @@
 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)
TODO: check
 CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote 
code ...)
-   TODO: check
+   NOT-FOR-US: nodejs ejs
 CVE-2017-1000226 (Stop User Enumeration 1.3.8 allows user enumeration via the 
REST API ...)
TODO: check
 CVE-2017-1000225 (Reflected XSS in Relevanssi Premium version 1.14.8 when 
using ...)
-   TODO: check
+   NOT-FOR-US: Relevanssi
 CVE-2017-1000224 (CSRF in YouTube (WordPress plugin) could allow 
unauthenticated ...)
-   TODO: check
+   NOT-FOR-US: Wordpress plugin
 CVE-2017-1000223 (A stored web content injection vulnerability (WCI, a.k.a 
XSS) is ...)
-   TODO: check
+   NOT-FOR-US: MODX Revolution
 CVE-2017-1000220 (soyuka/pidusage <=1.1.4 is vulnerable to command 
injection in the ...)
-   TODO: check
+   NOT-FOR-US: soyuka/pidusage
 CVE-2017-1000219 (npm/KyleRoss windows-cpu all versions vulnerable to command 
injection ...)
-   TODO: check
+   NOT-FOR-US: npm/KyleRoss windows-cpu
 CVE-2017-1000218 (LightFTP version 1.1 is vulnerable to a buffer overflow in 
the ...)
TODO: check
 CVE-2017-1000213 (WBCE v1.1.11 is vulnerable to reflected XSS via the 
"begriff" POST ...)
TODO: check
 CVE-2017-1000210 (picoTCP (versions 1.7.0 - 1.5.0) is vulnerable to stack 
buffer ...)
-   TODO: check
+   NOT-FOR-US: picoTCP
 CVE-2017-1000209 (The Java WebSocket client nv-websocket-client does not 
verify that the ...)
-   TODO: check
+   NOT-FOR-US: Java WebSocket client nv-websocket-client
 CVE-2017-1000208 (A vulnerability in Swagger-Parser's (version <= 1.0.30) 
yaml parsing ...)
-   TODO: check
+   NOT-FOR-US: Swagger-Parser
 CVE-2017-1000197 (October CMS build 412 is vulnerable to file path 
modification in asset ...)
-   TODO: check
+   NOT-FOR-US: October CMS
 CVE-2017-1000196 (October CMS build 412 is vulnerable to PHP code execution in 
the asset ...)
-   TODO: check
+   NOT-FOR-US: October CMS
 CVE-2017-1000195 (October CMS build 412 is vulnerable to PHP object injection 
in asset ...)
-   TODO: check
+   NOT-FOR-US: October CMS
 CVE-2017-1000194 (October CMS build 412 is vulnerable to Apache configuration 
...)
-   TODO: check
+   NOT-FOR-US: October CMS
 CVE-2017-1000193 (October CMS build 412 is vulnerable to stored WCI (a.k.a 
XSS) in brand ...)
-   TODO: check
+   NOT-FOR-US: October CMS
 CVE-2017-1000189 (nodejs ejs version older than 2.5.5 is vulnerable to a ...)
-   TODO: check
+   NOT-FOR-US: nodejs ejs
 CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a ...)
-   TODO: check

[Secure-testing-commits] r57697 - data/CVE

2017-11-17 Thread security tracker role

Author: sectracker
Date: 2017-11-17 09:10:18 + (Fri, 17 Nov 2017)
New Revision: 57697

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-17 06:20:29 UTC (rev 57696)
+++ data/CVE/list   2017-11-17 09:10:18 UTC (rev 57697)
@@ -1,3 +1,107 @@
+CVE-2017-16872
+   RESERVED
+CVE-2017-16871
+   RESERVED
+CVE-2017-16870
+   RESERVED
+CVE-2017-16869
+   RESERVED
+CVE-2017-16868
+   RESERVED
+CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
+   TODO: check
+CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded 
from redis ...)
+   TODO: check
+CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 
is ...)
+   TODO: check
+CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the 
...)
+   TODO: check
+CVE-2017-1000241 (The application OpenEMR version 5.0.0, 5.0.1-dev and prior 
is affected ...)
+   TODO: check
+CVE-2017-1000240 (The application OpenEMR is affected by multiple reflected 
& stored ...)
+   TODO: check
+CVE-2017-1000239 (InvoicePlane version 1.4.10 is vulnerable to a Stored Cross 
Site ...)
+   TODO: check
+CVE-2017-1000238 (InvoicePlane version 1.4.10 is vulnerable to a Arbitrary 
File Upload ...)
+   TODO: check
+CVE-2017-1000237 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Server-Side Request ...)
+   TODO: check
+CVE-2017-1000236 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Reflected Cross-Site ...)
+   TODO: check
+CVE-2017-1000235 (I, Librarian version <=4.6 & 4.7 is vulnerable to OS 
Command Injection ...)
+   TODO: check
+CVE-2017-1000234 (I, Librarian version <=4.6 & 4.7 is vulnerable to 
Directory ...)
+   TODO: check
+CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have 
...)
+   TODO: check
+CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have 
unspecified ...)
+   TODO: check
+CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)
+   TODO: check
+CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote 
code ...)
+   TODO: check
+CVE-2017-1000226 (Stop User Enumeration 1.3.8 allows user enumeration via the 
REST API ...)
+   TODO: check
+CVE-2017-1000225 (Reflected XSS in Relevanssi Premium version 1.14.8 when 
using ...)
+   TODO: check
+CVE-2017-1000224 (CSRF in YouTube (WordPress plugin) could allow 
unauthenticated ...)
+   TODO: check
+CVE-2017-1000223 (A stored web content injection vulnerability (WCI, a.k.a 
XSS) is ...)
+   TODO: check
+CVE-2017-1000220 (soyuka/pidusage <=1.1.4 is vulnerable to command 
injection in the ...)
+   TODO: check
+CVE-2017-1000219 (npm/KyleRoss windows-cpu all versions vulnerable to command 
injection ...)
+   TODO: check
+CVE-2017-1000218 (LightFTP version 1.1 is vulnerable to a buffer overflow in 
the ...)
+   TODO: check
+CVE-2017-1000213 (WBCE v1.1.11 is vulnerable to reflected XSS via the 
"begriff" POST ...)
+   TODO: check
+CVE-2017-1000210 (picoTCP (versions 1.7.0 - 1.5.0) is vulnerable to stack 
buffer ...)
+   TODO: check
+CVE-2017-1000209 (The Java WebSocket client nv-websocket-client does not 
verify that the ...)
+   TODO: check
+CVE-2017-1000208 (A vulnerability in Swagger-Parser's (version <= 1.0.30) 
yaml parsing ...)
+   TODO: check
+CVE-2017-1000197 (October CMS build 412 is vulnerable to file path 
modification in asset ...)
+   TODO: check
+CVE-2017-1000196 (October CMS build 412 is vulnerable to PHP code execution in 
the asset ...)
+   TODO: check
+CVE-2017-1000195 (October CMS build 412 is vulnerable to PHP object injection 
in asset ...)
+   TODO: check
+CVE-2017-1000194 (October CMS build 412 is vulnerable to Apache configuration 
...)
+   TODO: check
+CVE-2017-1000193 (October CMS build 412 is vulnerable to stored WCI (a.k.a 
XSS) in brand ...)
+   TODO: check
+CVE-2017-1000189 (nodejs ejs version older than 2.5.5 is vulnerable to a ...)
+   TODO: check
+CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a ...)
+   TODO: check
+CVE-2017-1000187 (In SWFTools, an address access exception was found in 
pdf2swf. ...)
+   TODO: check
+CVE-2017-1000186 (In SWFTools, a stack overflow was found in pdf2swf. ...)
+   TODO: check
+CVE-2017-1000185 (In SWFTools, a memcpy buffer overflow was found in gif2swf. 
...)
+   TODO: check
+CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...)
+   TODO: check
+CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...)
+   TODO: check
+CVE-2017-1000174 (In SWFTools, an address access exception was found in 
swfdump ...)
+   TODO: check
+CVE-2017-1000173 (Creolabs Gravity Version: 1.0 Heap Overflow Potential Code 
Execution.

78 matches

Mail list logo