[Secure-testing-commits] r57945 - data/CVE
Author: carnil Date: 2017-11-23 06:58:28 + (Thu, 23 Nov 2017) New Revision: 57945 Modified: data/CVE/list Log: Add xrdp issue, CVE-2017-16927 Modified: data/CVE/list === --- data/CVE/list 2017-11-23 04:57:31 UTC (rev 57944) +++ data/CVE/list 2017-11-23 06:58:28 UTC (rev 57945) @@ -1,3 +1,7 @@ +CVE-2017-16927 [buffer oveflow in scp_v0s_accept function] + - xrdp + NOTE: Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958 + NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted ...) - ohcount (bug #882372) CVE-2017-16925 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
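Review bot: the bracketed short title in the added line `+CVE-2017-16927 [buffer oveflow in scp_v0s_accept function]` misspells the flaw class; it should read `[buffer overflow in scp_v0s_accept function]`, since this text is what the tracker displays for the entry until MITRE publishes a description.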
[Secure-testing-commits] r57944 - data/CVE
Author: carnil Date: 2017-11-23 04:57:31 + (Thu, 23 Nov 2017) New Revision: 57944 Modified: data/CVE/list Log: Remove one no-dsa tagged entry which got update Modified: data/CVE/list === --- data/CVE/list 2017-11-22 23:51:06 UTC (rev 57943) +++ data/CVE/list 2017-11-23 04:57:31 UTC (rev 57944) @@ -43221,7 +43221,6 @@ RESERVED - xorg-server 2:1.19.2-1 (low; bug #856398) [jessie] - xorg-server 2:1.16.4-1+deb8u2 - [wheezy] - xorg-server (Minor issue, can be fixed in a point update or next DSA) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ CVE-2017-2623 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
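Review bot: dropping `[wheezy] - xorg-server (Minor issue, can be fixed in a point update or next DSA)` leaves the CVE-2017-2624 entry with no wheezy status at all in this hunk, because no `{DLA-1186-1}` marker is added alongside the removal even though r57942 reserves DLA-1186-1 for this CVE with `[wheezy] - xorg-server 2:1.12.4-6+deb7u8`; if the automatic update is expected to add the marker (as r57939 did with `{DLA-1185-1}` for sam2p), the log line should say so, otherwise add it here.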
[Secure-testing-commits] r57943 - data/CVE
Author: pochu Date: 2017-11-22 23:51:06 + (Wed, 22 Nov 2017) New Revision: 57943 Modified: data/CVE/list Log: busybox no-dsa on wheezy Modified: data/CVE/list === --- data/CVE/list 2017-11-22 23:25:38 UTC (rev 57942) +++ data/CVE/list 2017-11-22 23:51:06 UTC (rev 57943) @@ -1351,6 +1351,7 @@ - busybox (bug #882258) [stretch] - busybox (Minor issue, can be fixed via point release) [jessie] - busybox (Minor issue, can be fixed via point release) + [wheezy] - busybox (Minor issue) NOTE: https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/ NOTE: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection via ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57942 - in data: . DLA
Author: pochu Date: 2017-11-22 23:25:38 + (Wed, 22 Nov 2017) New Revision: 57942 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1186-1 for xorg-server Modified: data/DLA/list === --- data/DLA/list 2017-11-22 21:19:22 UTC (rev 57941) +++ data/DLA/list 2017-11-22 23:25:38 UTC (rev 57942) @@ -1,3 +1,6 @@ +[23 Nov 2017] DLA-1186-1 xorg-server - security update + {CVE-2017-2624 CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12180 CVE-2017-12182 CVE-2017-12183 CVE-2017-12184 CVE-2017-12185 CVE-2017-12187 CVE-2017-13723} + [wheezy] - xorg-server 2:1.12.4-6+deb7u8 [22 Nov 2017] DLA-1185-1 sam2p - security update {CVE-2017-16663} [wheezy] - sam2p 0.49.1-1+deb7u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-22 21:19:22 UTC (rev 57941) +++ data/dla-needed.txt 2017-11-22 23:25:38 UTC (rev 57942) @@ -117,7 +117,3 @@ -- wordpress -- -xorg-server (Emilio Pozuelo) - NOTE: 2017-10-07: See notes against CVEs for wheezy-specific info. (lamby) - NOTE: 2017-10-08: Possibly more CVEs incoming. (lamby) --- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57941 - data/CVE
Author: carnil Date: 2017-11-22 21:19:22 + (Wed, 22 Nov 2017) New Revision: 57941 Modified: data/CVE/list Log: Add CVE-2017-15288/scala Modified: data/CVE/list === --- data/CVE/list 2017-11-22 21:19:11 UTC (rev 57940) +++ data/CVE/list 2017-11-22 21:19:22 UTC (rev 57941) @@ -4740,6 +4740,11 @@ NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02557.html NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=eb38e1bc3740725ca29a535351de94107ec58d51 CVE-2017-15288 (The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, ...) + - scala + NOTE: http://scala-lang.org/news/security-update-nov17.html + NOTE: https://github.com/scala/scala/pull/6108 + NOTE: https://github.com/scala/scala/pull/6120 + NOTE: https://github.com/scala/scala/pull/6128 TODO: check CVE-2017-15287 (There is XSS in the BouquetEditor WebPlugin for Dream Multimedia ...) NOT-FOR-US: BouquetEditor WebPlugin ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
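Review bot: the unchanged `TODO: check` context line now sits directly under the new `- scala` package line and its four NOTE references, so the CVE-2017-15288 entry is simultaneously triaged and marked unprocessed; either drop the TODO in the same change or state what remains to be checked, for example the fixed Debian version, which the `- scala` line does not carry.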
[Secure-testing-commits] r57940 - data/CVE
Author: carnil Date: 2017-11-22 21:19:11 + (Wed, 22 Nov 2017) New Revision: 57940 Modified: data/CVE/list Log: Process three NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-22 21:10:15 UTC (rev 57939) +++ data/CVE/list 2017-11-22 21:19:11 UTC (rev 57940) @@ -4061,7 +4061,7 @@ CVE-2017-15529 RESERVED CVE-2017-15528 (Prior to v 7.6, the Install Norton Security (INS) product can be ...) - TODO: check + NOT-FOR-US: Install Norton Security CVE-2017-15527 (Prior to ITMS 8.1 RU4, the Symantec Management Console can be ...) NOT-FOR-US: Symantec CVE-2017-15526 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be ...) @@ -27238,7 +27238,7 @@ CVE-2017-7737 (An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and ...) NOT-FOR-US: Fortinet CVE-2017-7736 (A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb ...) - TODO: check + NOT-FOR-US: Fortinet CVE-2017-7735 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-7734 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions ...) @@ -32362,7 +32362,7 @@ CVE-2017-6167 RESERVED CVE-2017-6166 (In BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2017-6165 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6164 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57939 - data/CVE
Author: sectracker Date: 2017-11-22 21:10:15 + (Wed, 22 Nov 2017) New Revision: 57939 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-22 20:57:18 UTC (rev 57938) +++ data/CVE/list 2017-11-22 21:10:15 UTC (rev 57939) @@ -1047,6 +1047,7 @@ NOTE: https://github.com/bit-team/backintime/issues/834 NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) + {DLA-1185-1} - sam2p NOTE: https://github.com/pts/sam2p/issues/16 CVE-2017-16662 @@ -4059,8 +4060,8 @@ RESERVED CVE-2017-15529 RESERVED -CVE-2017-15528 - RESERVED +CVE-2017-15528 (Prior to v 7.6, the Install Norton Security (INS) product can be ...) + TODO: check CVE-2017-15527 (Prior to ITMS 8.1 RU4, the Symantec Management Console can be ...) NOT-FOR-US: Symantec CVE-2017-15526 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be ...) @@ -5248,15 +5249,13 @@ CVE-2017-15100 RESERVED - foreman (bug #663101) -CVE-2017-15099 - RESERVED +CVE-2017-15099 (INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before ...) {DSA-4028-1} - postgresql-10 10.1-1 - postgresql-9.6 - postgresql-9.4 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) - postgresql-9.1 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) -CVE-2017-15098 - RESERVED +CVE-2017-15098 (Invalid json_populate_recordset or jsonb_populate_recordset function ...) {DSA-4028-1 DSA-4027-1} - postgresql-10 10.1-1 - postgresql-9.6 @@ -10857,8 +10856,8 @@ RESERVED CVE-2017-13072 RESERVED -CVE-2017-13071 - RESERVED +CVE-2017-13071 (QNAP has already patched this vulnerability. This security concern ...) + TODO: check CVE-2017-13070 RESERVED CVE-2017-13069 (QNAP discovered a number of command injection vulnerabilities found in ...) 
@@ -13848,8 +13847,7 @@ RESERVED CVE-2017-12194 RESERVED -CVE-2017-12193 - RESERVED +CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array.c ...) - linux 4.13.13-1 [wheezy] - linux (Vulnerable code introduced in 3.13-rc1) NOTE: Fixed by: https://git.kernel.org/linus/ea6789980fdaa610d7eb63602c746bf6ec70cd2b (4.14-rc7) @@ -13861,8 +13859,7 @@ NOTE: Introduced by: https://git.kernel.org/linus/61ea0c0ba904a55f55317d850c1072ff7835ac92 (3.13-rc1) CVE-2017-12191 RESERVED -CVE-2017-12190 [memory leak when merging buffers in SCSI IO vectors] - RESERVED +CVE-2017-12190 (The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the ...) - linux 4.13.10-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495089 CVE-2017-12189 @@ -25984,7 +25981,7 @@ RESERVED CVE-2017-8028 RESERVED - {DLA-1180-1} + {DSA-4046-1 DLA-1180-1} - libspring-ldap-java NOTE: https://pivotal.io/security/cve-2017-8028 NOTE: https://github.com/spring-projects/spring-ldap/issues/430 @@ -27240,8 +27237,8 @@ RESERVED CVE-2017-7737 (An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and ...) NOT-FOR-US: Fortinet -CVE-2017-7736 - RESERVED +CVE-2017-7736 (A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb ...) + TODO: check CVE-2017-7735 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-7734 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions ...) @@ -32364,8 +32361,8 @@ NOT-FOR-US: F5 BIG-IP CVE-2017-6167 RESERVED -CVE-2017-6166 - RESERVED +CVE-2017-6166 (In BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) + TODO: check CVE-2017-6165 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6164 
@@ -52120,7 +52117,7 @@ CVE-2016-8642 (In Moodle 2.x and 3.x, the question engine allows access to files that ...) - moodle 2.7.17+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=343275 -CVE-2016-10089 (Nagios 4.2.4 and earlier allows local users to gain root privileges ...) +CVE-2016-10089 (Nagios 4.3.2 and earlier allows local users to gain root privileges ...) - nagios3 (Vulnerable code not present) NOTE: Flaw in upstream damon-init.in. Debian package installs an own init-skript. CVE-2016-8641 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57938 - data/CVE
Author: carnil Date: 2017-11-22 20:57:18 + (Wed, 22 Nov 2017) New Revision: 57938 Modified: data/CVE/list Log: Expand todo for two CVEs Modified: data/CVE/list === --- data/CVE/list 2017-11-22 20:57:06 UTC (rev 57937) +++ data/CVE/list 2017-11-22 20:57:18 UTC (rev 57938) @@ -42415,7 +42415,7 @@ CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists in the ...) - TODO: check + TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl CVE-2017-2918 RESERVED CVE-2017-2917 (An exploitable vulnerability exists in the notifications functionality ...) @@ -42460,7 +42460,7 @@ CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of ...) NOT-FOR-US: Circle with Disney CVE-2017-2897 (An exploitable out-of-bounds write vulnerability exists in the ...) - TODO: check + TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the ...) TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57937 - data/CVE
Author: carnil Date: 2017-11-22 20:57:06 + (Wed, 22 Nov 2017) New Revision: 57937 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-22 19:33:52 UTC (rev 57936) +++ data/CVE/list 2017-11-22 20:57:06 UTC (rev 57937) @@ -674,7 +674,7 @@ CVE-2017-16821 (b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java ...) NOT-FOR-US: b3log Symphony CVE-2017-16819 (A stored cross-site scripting vulnerability in the Icon Time Systems ...) - TODO: check + NOT-FOR-US: Icon Time Systems RTC-1000 CVE-2017-16818 RESERVED - ceph @@ -5442,7 +5442,7 @@ NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15044 (The default installation of DocuWare Fulltext Search server through ...) - TODO: check + NOT-FOR-US: DocuWare Fulltext Search server CVE-2017-15043 RESERVED CVE-2017-15042 (An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x ...) @@ -17252,15 +17252,15 @@ CVE-2017-11094 RESERVED CVE-2017-11093 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11092 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11091 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11090 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11089 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11088 RESERVED CVE-2017-11087 
@@ -17268,7 +17268,7 @@ CVE-2017-11086 RESERVED CVE-2017-11085 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11084 RESERVED CVE-2017-11083 @@ -17292,7 +17292,7 @@ CVE-2017-11074 RESERVED CVE-2017-11073 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11072 RESERVED CVE-2017-11071 @@ -21098,7 +21098,7 @@ CVE-2017-9697 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9696 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-9695 RESERVED CVE-2017-9694 @@ -21114,7 +21114,7 @@ RESERVED NOT-FOR-US: Qualcomm driver for Android CVE-2017-9690 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-9689 RESERVED CVE-2017-9688 @@ -25363,7 +25363,7 @@ CVE-2017-8280 (In all Qualcomm products with Android releases from CAF using the ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8279 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-8278 (In all Qualcomm products with Android releases from CAF using the ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8277 (In all Qualcomm products with Android releases from CAF using the ...) @@ -32137,7 +32137,7 @@ CVE-2017-6265 RESERVED CVE-2017-6264 (An elevation of privilege vulnerability exists in the NVIDIA GPU ...) - TODO: check + NOT-FOR-US: NVIDIA components for Android CVE-2017-6263 RESERVED CVE-2017-6262 
@@ -33560,7 +33560,7 @@ CVE-2017-5730 RESERVED CVE-2017-5729 (Frame replay vulnerability in Wi-Fi subsystem in Intel Dual-Band and ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-5728 RESERVED CVE-2017-5727 @@ -33580,7 +33580,7 @@ CVE-2017-5720 RESERVED CVE-2017-5719 (A vulnerability in the Intel Deep Learning Training Tool Beta 1 allows ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-5718 RESERVED CVE-2017-5717 @@ -33594,21 +33594,21 @@ CVE-2017-5713 RESERVED CVE-2017-5712 (Buffer overflow in Active Management Technology (AMT) in Intel ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-5711 (Multiple buffer overflows in Active Management Technology (AMT) in ...) - TODO: check + NOT-FOR-US: Int
[Secure-testing-commits] r57936 - in data: . CVE
Author: pochu Date: 2017-11-22 19:33:52 + (Wed, 22 Nov 2017) New Revision: 57936 Modified: data/CVE/list data/dla-needed.txt Log: ruby-passenger n/a on wheezy Modified: data/CVE/list === --- data/CVE/list 2017-11-22 19:19:28 UTC (rev 57935) +++ data/CVE/list 2017-11-22 19:33:52 UTC (rev 57936) @@ -2075,6 +2075,7 @@ - passenger - ruby-passenger [jessie] - ruby-passenger (Minor issue) + [wheezy] - ruby-passenger (Vulnerable code introduced later) NOTE: https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/ NOTE: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf NOTE: http://www.openwall.com/lists/oss-security/2017/11/21/2 and following. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-22 19:19:28 UTC (rev 57935) +++ data/dla-needed.txt 2017-11-22 19:33:52 UTC (rev 57936) @@ -84,8 +84,6 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- -ruby-passenger (Emilio Pozuelo) --- simplesamlphp NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57935 - in data: . CVE
Author: pochu Date: 2017-11-22 19:19:28 + (Wed, 22 Nov 2017) New Revision: 57935 Modified: data/CVE/list data/dla-needed.txt Log: simple-xml no-dsa on wheezy Modified: data/CVE/list === --- data/CVE/list 2017-11-22 18:48:58 UTC (rev 57934) +++ data/CVE/list 2017-11-22 19:19:28 UTC (rev 57935) @@ -161,6 +161,7 @@ - simple-xml [stretch] - simple-xml (Minor issue) [jessie] - simple-xml (Minor issue) + [wheezy] - simple-xml (Minor issue) NOTE: https://github.com/ngallagher/simplexml/issues/18 CVE-2017-1000163 (The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through ...) NOT-FOR-US: Phoenix Framework Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-22 18:48:58 UTC (rev 57934) +++ data/dla-needed.txt 2017-11-22 19:19:28 UTC (rev 57935) @@ -86,8 +86,6 @@ -- ruby-passenger (Emilio Pozuelo) -- -simple-xml (Emilio Pozuelo) --- simplesamlphp NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57934 - data
Author: apo Date: 2017-11-22 18:48:58 + (Wed, 22 Nov 2017) New Revision: 57934 Modified: data/dla-needed.txt Log: Claim sox in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-22 18:15:50 UTC (rev 57933) +++ data/dla-needed.txt 2017-11-22 18:48:58 UTC (rev 57934) @@ -92,7 +92,7 @@ NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html -- -sox +sox (Markus Koschany) NOTE: No patches. Contacted upstream. Waiting for feedback NOTE: > 12% of sponsors use sox hence I have decided to add it here. NOTE: https://sourceforge.net/p/sox/bugs/296/ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57933 - data
Author: pochu Date: 2017-11-22 18:15:50 + (Wed, 22 Nov 2017) New Revision: 57933 Modified: data/dla-needed.txt Log: dla: claim simple-xml and ruby-passenger Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-22 18:14:51 UTC (rev 57932) +++ data/dla-needed.txt 2017-11-22 18:15:50 UTC (rev 57933) @@ -84,6 +84,10 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- +ruby-passenger (Emilio Pozuelo) +-- +simple-xml (Emilio Pozuelo) +-- simplesamlphp NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57932 - data
Author: pochu Date: 2017-11-22 18:14:51 + (Wed, 22 Nov 2017) New Revision: 57932 Modified: data/dla-needed.txt Log: dla: drop mysql-connector-python, issue is postponed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-22 18:01:53 UTC (rev 57931) +++ data/dla-needed.txt 2017-11-22 18:14:51 UTC (rev 57932) @@ -63,9 +63,6 @@ NOTE: For CVE-2017-14409, https://security-tracker.debian.org/tracker/CVE-2017-9872 might be of interest, files are very similar NOTE: adapting/writing patches seems to be very time consuming, mp3gain is dead upstream so this might be a candidate for no-dsa -- Hugo Lefeuvre -- -mysql-connector-python - NOTE: 20170927: Wait for more issues (see ML: https://lists.debian.org/debian-lts/2017/08/msg00039.html) -- Hugo Lefeuvre --- openexr (Guido Günther) NOTE: 20170902: CVE-2017-12596: bug reported upstream but no response yet (lamby) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
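Review bot: the log says the mysql-connector-python issue is postponed, but the change only removes the package block from dla-needed.txt and touches no other file, so the postponed decision is not recorded anywhere the tracker shows it; the corresponding wheezy status line in data/CVE/list should carry it, and the rationale being deleted here (`NOTE: 20170927: Wait for more issues (see ML: ...)`) is worth preserving there rather than losing it with the claim.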
[Secure-testing-commits] r57930 - data/CVE
Author: apo Date: 2017-11-22 18:01:11 + (Wed, 22 Nov 2017) New Revision: 57930 Modified: data/CVE/list Log: CVE-2017-16663,sam2p: Will be fixed in Wheezy Modified: data/CVE/list === --- data/CVE/list 2017-11-22 17:26:09 UTC (rev 57929) +++ data/CVE/list 2017-11-22 18:01:11 UTC (rev 57930) @@ -1047,7 +1047,6 @@ NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) - sam2p - [wheezy] - sam2p (Minor issue) NOTE: https://github.com/pts/sam2p/issues/16 CVE-2017-16662 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57931 - in data: . DLA
Author: apo Date: 2017-11-22 18:01:53 + (Wed, 22 Nov 2017) New Revision: 57931 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1185-1 for sam2p Modified: data/DLA/list === --- data/DLA/list 2017-11-22 18:01:11 UTC (rev 57930) +++ data/DLA/list 2017-11-22 18:01:53 UTC (rev 57931) @@ -1,3 +1,6 @@ +[22 Nov 2017] DLA-1185-1 sam2p - security update + {CVE-2017-16663} + [wheezy] - sam2p 0.49.1-1+deb7u2 [21 Nov 2017] DLA-1184-1 optipng - security update {CVE-2017-1000229} [wheezy] - optipng 0.6.4-1+deb7u3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-22 18:01:11 UTC (rev 57930) +++ data/dla-needed.txt 2017-11-22 18:01:53 UTC (rev 57931) @@ -87,8 +87,6 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- -sam2p (Markus Koschany) --- simplesamlphp NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57929 - in data: . DSA
Author: seb Date: 2017-11-22 17:26:09 + (Wed, 22 Nov 2017) New Revision: 57929 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA-4046-1 for libspring-ldap-java (CVE-2017-8028) Modified: data/DSA/list === --- data/DSA/list 2017-11-22 17:01:01 UTC (rev 57928) +++ data/DSA/list 2017-11-22 17:26:09 UTC (rev 57929) @@ -1,3 +1,6 @@ +[22 Nov 2017] DSA-4046-1 libspring-ldap-java - security update + {CVE-2017-8028} + [jessie] - libspring-ldap-java 1.3.1.RELEASE-5+deb8u1 [21 Nov 2017] DSA-4045-1 vlc - security update {CVE-2017-9300 CVE-2017-10699} [jessie] - vlc 2.2.7-1~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-22 17:01:01 UTC (rev 57928) +++ data/dsa-needed.txt 2017-11-22 17:26:09 UTC (rev 57929) @@ -19,9 +19,6 @@ libav/oldstable We can ship the next libav 11.x point release when available -- -libspring-ldap-java (seb) - 2017-11-20: Markus Koschany prepared update, acked for upload --- libvpx/oldstable -- linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57928 - data
Author: jmm Date: 2017-11-22 17:01:01 + (Wed, 22 Nov 2017) New Revision: 57928 Modified: data/dsa-needed.txt Log: take otrs Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-22 16:08:44 UTC (rev 57927) +++ data/dsa-needed.txt 2017-11-22 17:01:01 UTC (rev 57928) @@ -34,7 +34,7 @@ -- openjdk-7/oldstable (jmm) -- -otrs2 +otrs2 (jmm) -- php-horde-image -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57927 - data/CVE
Author: carnil Date: 2017-11-22 16:08:44 + (Wed, 22 Nov 2017) New Revision: 57927 Modified: data/CVE/list Log: Add fixed version for CVE-2017-16664/otrs2 Modified: data/CVE/list === --- data/CVE/list 2017-11-22 15:39:33 UTC (rev 57926) +++ data/CVE/list 2017-11-22 16:08:44 UTC (rev 57927) @@ -1036,7 +1036,7 @@ CVE-2017-16665 (RemObjects Remoting SDK 9 1.0.0.0 for Delphi is vulnerable to a ...) NOT-FOR-US: RemObjects Remoting SDK CVE-2017-16664 (Code injection exists in Kernel/System/Spelling.pm in Open Ticket ...) - - otrs2 (bug #882370) + - otrs2 5.0.24-1 (bug #882370) NOTE: https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/ NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/4c36932d0c42343f21246a107e17a2ebbd9c2c7d NOTE: OTRS 3.3: https://github.com/OTRS/otrs/commit/2e58a4bbd99b2477d72c3b2d9fef009537ab19ce ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57926 - data
Author: carnil Date: 2017-11-22 15:39:33 + (Wed, 22 Nov 2017) New Revision: 57926 Modified: data/dsa-needed.txt Log: Add otrs2 to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-22 09:18:51 UTC (rev 57925) +++ data/dsa-needed.txt 2017-11-22 15:39:33 UTC (rev 57926) @@ -34,6 +34,8 @@ -- openjdk-7/oldstable (jmm) -- +otrs2 +-- php-horde-image -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57925 - data/CVE
Author: carnil Date: 2017-11-22 09:18:51 + (Wed, 22 Nov 2017) New Revision: 57925 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-22 09:12:26 UTC (rev 57924) +++ data/CVE/list 2017-11-22 09:18:51 UTC (rev 57925) @@ -23760,15 +23760,15 @@ CVE-2017-8865 RESERVED CVE-2017-8864 (Client-side enforcement using JavaScript of server-side security ...) - TODO: check + NOT-FOR-US: Cohu CVE-2017-8863 (Information disclosure of .esp source code on the Cohu 3960 allows an ...) - TODO: check + NOT-FOR-US: Cohu CVE-2017-8862 (The webupgrade function on the Cohu 3960HD does not verify the firmware ...) - TODO: check + NOT-FOR-US: Cohu CVE-2017-8861 (Missing authentication for the remote configuration port 1236/tcp on ...) - TODO: check + NOT-FOR-US: Cohu CVE-2017-8860 (Information disclosure through directory listing on the Cohu 3960HD ...) - TODO: check + NOT-FOR-US: Cohu CVE-2017-8859 (In Veritas NetBackup Appliance 3.0 and earlier, unauthenticated users ...) NOT-FOR-US: Veritas NetBackup CVE-2017-8858 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57924 - data/CVE
Author: carnil Date: 2017-11-22 09:12:26 + (Wed, 22 Nov 2017) New Revision: 57924 Modified: data/CVE/list Log: ohcount CVE assigned Modified: data/CVE/list === --- data/CVE/list 2017-11-22 09:10:22 UTC (rev 57923) +++ data/CVE/list 2017-11-22 09:12:26 UTC (rev 57924) @@ -1,6 +1,4 @@ CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted ...) - TODO: check -CVE-2017- [Command injection through file names] - ohcount (bug #882372) CVE-2017-16925 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57923 - data/CVE
Author: sectracker Date: 2017-11-22 09:10:22 + (Wed, 22 Nov 2017) New Revision: 57923 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-22 08:33:10 UTC (rev 57922) +++ data/CVE/list 2017-11-22 09:10:22 UTC (rev 57923) @@ -1,3 +1,5 @@ +CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted ...) + TODO: check CVE-2017- [Command injection through file names] - ohcount (bug #882372) CVE-2017-16925 @@ -18241,6 +18243,7 @@ CVE-2017-10700 (In the medialibrary component in QNAP NAS 4.3.3.0229, an ...) NOT-FOR-US: QNAP CVE-2017-10699 (avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before ...) + {DSA-4045-1} - vlc 2.2.6-3 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=6cc73bcad19da2cd2e95671173f2e0d203a57e9b @@ -22395,6 +22398,7 @@ - vlc 2.2.5.1-1 [wheezy] - vlc (Not supported in wheezy LTS) CVE-2017-9300 (plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 ...) + {DSA-4045-1} - vlc 2.2.6-3 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3 
@@ -23757,16 +23761,16 @@ RESERVED CVE-2017-8865 RESERVED -CVE-2017-8864 - RESERVED -CVE-2017-8863 - RESERVED -CVE-2017-8862 - RESERVED -CVE-2017-8861 - RESERVED -CVE-2017-8860 - RESERVED +CVE-2017-8864 (Client-side enforcement using JavaScript of server-side security ...) + TODO: check +CVE-2017-8863 (Information disclosure of .esp source code on the Cohu 3960 allows an ...) + TODO: check +CVE-2017-8862 (The webupgrade function on the Cohu 3960HD does not verify the firmware ...) + TODO: check +CVE-2017-8861 (Missing authentication for the remote configuration port 1236/tcp on ...) + TODO: check +CVE-2017-8860 (Information disclosure through directory listing on the Cohu 3960HD ...) + TODO: check CVE-2017-8859 (In Veritas NetBackup Appliance 3.0 and earlier, unauthenticated users ...) NOT-FOR-US: Veritas NetBackup CVE-2017-8858 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57922 - data/CVE
Author: jmm Date: 2017-11-22 08:33:10 + (Wed, 22 Nov 2017) New Revision: 57922 Modified: data/CVE/list Log: new ceph issue, NFU concludes external check Modified: data/CVE/list === --- data/CVE/list 2017-11-22 06:10:27 UTC (rev 57921) +++ data/CVE/list 2017-11-22 08:33:10 UTC (rev 57922) @@ -116,6 +116,8 @@ NOT-FOR-US: Jenkins CVE-2017-1000395 NOT-FOR-US: Jenkins +CVE-2017-1000394 + NOT-FOR-US: Jenkins CVE-2017-1000393 NOT-FOR-US: Jenkins CVE-2017-1000392 @@ -674,6 +676,8 @@ TODO: check CVE-2017-16818 RESERVED + - ceph + NOTE: https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a CVE-2017-16817 RESERVED CVE-2017-16816 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
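Review bot: the CVE-2017-16818 hunk adds `- ceph` and the upstream commit NOTE but leaves the entry as a bare `RESERVED` with no bracketed short title, no fixed Debian version and no bug reference, unlike the convention used elsewhere in this file for reserved IDs (compare `CVE-2017-16927 [buffer oveflow in scp_v0s_accept function]` in r57945); a one-line summary of what the ceph commit fixes would let triagers assess it without following the link.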