[Secure-testing-commits] r58134 - in data: . DSA
Author: carnil Date: 2017-11-30 07:48:36 + (Thu, 30 Nov 2017) New Revision: 58134 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for exim4 update Modified: data/DSA/list === --- data/DSA/list 2017-11-30 06:18:11 UTC (rev 58133) +++ data/DSA/list 2017-11-30 07:48:36 UTC (rev 58134) @@ -1,3 +1,6 @@ +[30 Nov 2017] DSA-4053-1 exim4 - security update + {CVE-2017-16943 CVE-2017-16944} + [stretch] - exim4 4.89-2+deb9u2 [29 Nov 2017] DSA-4052-1 bzr - security update {CVE-2017-14176} [jessie] - bzr 2.6.0+bzr6595-6+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-30 06:18:11 UTC (rev 58133) +++ data/dsa-needed.txt 2017-11-30 07:48:36 UTC (rev 58134) @@ -14,8 +14,6 @@ -- 389-ds-base (fw) -- -exim4/stable (carnil) --- graphicsmagick -- libav/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58133 - data/CVE
Author: carnil Date: 2017-11-30 06:18:11 + (Thu, 30 Nov 2017) New Revision: 58133 Modified: data/CVE/list Log: Add commit fixing CVE-2017-15108/spice-vdagent Modified: data/CVE/list === --- data/CVE/list 2017-11-30 06:13:37 UTC (rev 58132) +++ data/CVE/list 2017-11-30 06:18:11 UTC (rev 58133) @@ -6955,6 +6955,7 @@ CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in vdagent_file_xfers_data()] RESERVED - spice-vdagent + NOTE: Fixed by: https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58132 - data/CVE
Author: carnil Date: 2017-11-30 06:13:37 + (Thu, 30 Nov 2017) New Revision: 58132 Modified: data/CVE/list Log: Add CVE-2017-15108/spice-vdagent Modified: data/CVE/list === --- data/CVE/list 2017-11-30 06:02:20 UTC (rev 58131) +++ data/CVE/list 2017-11-30 06:13:37 UTC (rev 58132) @@ -6952,8 +6952,10 @@ - moodle CVE-2017-15109 RESERVED -CVE-2017-15108 +CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in vdagent_file_xfers_data()] RESERVED + - spice-vdagent + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 RESERVED CVE-2017-15106 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58131 - data/CVE
Author: carnil Date: 2017-11-30 06:02:20 + (Thu, 30 Nov 2017) New Revision: 58131 Modified: data/CVE/list Log: Add source package breezy as well for the CVE-2017-14176 (since "identical" code and so same CVE should apply) Modified: data/CVE/list === --- data/CVE/list 2017-11-30 05:44:05 UTC (rev 58130) +++ data/CVE/list 2017-11-30 06:02:20 UTC (rev 58131) @@ -9882,6 +9882,7 @@ CVE-2017-14176 (Bazaar through 2.7.0, when Subprocess SSH is used, allows remote ...) {DSA-4052-1 DLA-1107-1} - bzr 2.7.0+bzr6622-7 (bug #874429) + - breezy 3.0.0~bzr6772-1 NOTE: https://bugs.launchpad.net/bzr/+bug/1710979 CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping ...) - openldap (unimportant) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58130 - data/CVE
Author: carnil Date: 2017-11-30 05:44:05 + (Thu, 30 Nov 2017) New Revision: 58130 Modified: data/CVE/list Log: Add CVE-2017-1000405/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-29 23:01:01 UTC (rev 58129) +++ data/CVE/list 2017-11-30 05:44:05 UTC (rev 58130) @@ -1744,6 +1744,11 @@ RESERVED CVE-2017-1000406 NOT-FOR-US: OpenDayLight +CVE-2017-1000405 ["Dirty COW" variant on transparent huge pages] + - linux + NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 + NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 + NOTE: https://github.com/bindecy/HugeDirtyCowPOC CVE-2017-1000404 RESERVED NOT-FOR-US: Jenkins plugin ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58129 - data
Author: carnil Date: 2017-11-29 23:01:01 + (Wed, 29 Nov 2017) New Revision: 58129 Modified: data/next-point-update.txt Log: add proposed update for golang-github-go-ldap-ldap Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-11-29 21:50:07 UTC (rev 58128) +++ data/next-point-update.txt 2017-11-29 23:01:01 UTC (rev 58129) @@ -55,3 +55,5 @@ [stretch] - pdns-recursor 4.0.4-1+deb9u2 CVE-2017-15094 [stretch] - pdns-recursor 4.0.4-1+deb9u2 +CVE-2017-14623 + [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58128 - / stamps
Author: carnil Date: 2017-11-29 21:50:07 + (Wed, 29 Nov 2017) New Revision: 58128 Added: stamps/.gitignore Modified: .gitignore Log: Don't ignore (when using git) stamps directory Reasoning, on git clean the directory will be removed. But the security tracker needs the stamps dir (e.g. Makefile). Modified: .gitignore === --- .gitignore 2017-11-29 21:38:29 UTC (rev 58127) +++ .gitignore 2017-11-29 21:50:07 UTC (rev 58128) @@ -4,7 +4,6 @@ .gitignore data/nvd/ data/security.db* -stamps/ *_Packages *_Sources *.pyc Added: stamps/.gitignore === --- stamps/.gitignore (rev 0) +++ stamps/.gitignore 2017-11-29 21:50:07 UTC (rev 58128) @@ -0,0 +1,6 @@ +# +# general rules +# +.gitignore +*-* +*~ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
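Review bot: the new stamps/.gitignore lists `.gitignore` as its first pattern, so the file ignores itself. If the file is meant to be committed so that stamps/ exists in every checkout, that entry works against it (git add refuses an ignored path unless forced); drop it or say in the comment header why it is there. The `*-*` rule under "general rules" would also benefit from a comment naming the stamp files it is meant to match, since it hides any file with a hyphen in its name.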
[Secure-testing-commits] r58127 - /
Author: agx Date: 2017-11-29 21:38:29 + (Wed, 29 Nov 2017) New Revision: 58127 Modified: .gitignore Log: gitignore stamps dir Modified: .gitignore === --- .gitignore 2017-11-29 21:38:26 UTC (rev 58126) +++ .gitignore 2017-11-29 21:38:29 UTC (rev 58127) @@ -4,6 +4,7 @@ .gitignore data/nvd/ data/security.db* +stamps/ *_Packages *_Sources *.pyc ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58126 - data/CVE
Author: agx Date: 2017-11-29 21:38:26 + (Wed, 29 Nov 2017) New Revision: 58126 Modified: data/CVE/list Log: lts: mark CVE-2017-14989 as postponed Modified: data/CVE/list === --- data/CVE/list 2017-11-29 21:38:11 UTC (rev 58125) +++ data/CVE/list 2017-11-29 21:38:26 UTC (rev 58126) @@ -7462,6 +7462,7 @@ NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093 CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...) - openexr (bug #878551) + [wheezy] - openexr (Should be fixed along in future update) NOTE: https://github.com/openexr/openexr/issues/248 CVE-2017-14987 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
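Review bot: the log names CVE-2017-14989, but the added `[wheezy] - openexr (Should be fixed along in future update)` line sits under the CVE-2017-14988 entry (openexr, bug #878551). Confirm which CVE was meant and either move the line or correct the log, so that the tracker history matches the data.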
[Secure-testing-commits] r58125 - bin
Author: agx Date: 2017-11-29 21:38:11 + (Wed, 29 Nov 2017) New Revision: 58125 Modified: bin/report-vuln Log: report-vuln: Support generation of mail headers Modified: bin/report-vuln === --- bin/report-vuln 2017-11-29 21:25:13 UTC (rev 58124) +++ bin/report-vuln 2017-11-29 21:38:11 UTC (rev 58125) @@ -8,14 +8,14 @@ # # report-vuln(){ # TMPFILE="$HOME/reportbug.tmp" -# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE -# mutt -i $TMPFILE sub...@bugs.debian.org +# $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE +# mutt -H $TMPFILE # rm $TMPFILE # } # # in bash, this can be simply: # -# mutt -i <($HOME/debian/svn/secure-testing/bin/report-vuln) sub...@bugs.debian.org +# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m ) # # export http_proxy if you need to use an http proxy to report bugs @@ -113,21 +113,28 @@ return ret + '\n' -def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False): +def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False, mh=False): vuln_suff = 'y' cve_suff = '' time_w = 'was' temp_id_cnt = 0 +header = '' +if mh: +header += '''To: sub...@bugs.debian.org +Subject: %s: %s + +''' % (pkg, ' '.join(cveid)) + if len(cveid) > 1: cve_suff = 's' vuln_suff = 'ies' time_w = 'were' if src: -header = '''Source: %s\n''' % (pkg) +header += '''Source: %s\n''' % (pkg) else: -header = '''Package: %s\n''' % (pkg) +header += '''Package: %s\n''' % (pkg) if affected is None: if blanks: 
@@ -212,6 +219,7 @@ parser.add_argument('--cc-list', dest='cclist', default=['t...@security.debian.org', 'secure-testing-t...@lists.alioth.debian.org'], help='list of addresses to add in CC (default: %(default)s)') parser.add_argument('--src', action="store_true", help='report against source package') +parser.add_argument('-m', '--mail-header', action="store_true", help='generate a mail header') parser.add_argument('pkg', help='affected package') parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs') args = parser.parse_args() @@ -231,7 +239,7 @@ if not c.match(arg) and not temp_id.match(arg): error(arg + ' does not seem to be a valid CVE id') -gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src) +gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src, mh=args.mail_header) if __name__ == '__main__': main() ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
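Review bot: in the gen_text hunk, pkg is written into the new `Subject: %s: %s` line unchecked, while the only validation visible in main() covers the CVE ids (the c.match / temp_id.match test). Because the output is now handed to mutt -H as real mail headers, reject a pkg containing CR or LF, or anything outside the package-name character set, before building the header, so that a stray newline cannot add header lines. Two smaller points: the recipient is hard-coded inside the template and would be easier to find as a module-level constant, and the -m help text could say that To: and Subject: are what gets emitted.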
[Secure-testing-commits] r58124 - data/CVE
Author: carnil Date: 2017-11-29 21:25:13 + (Wed, 29 Nov 2017) New Revision: 58124 Modified: data/CVE/list Log: CVE-2017-8807/varnish fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-29 21:10:19 UTC (rev 58123) +++ data/CVE/list 2017-11-29 21:25:13 UTC (rev 58124) @@ -25729,7 +25729,7 @@ NOTE: https://phabricator.wikimedia.org/T178451 CVE-2017-8807 (vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache ...) {DSA-4034-1} - - varnish (bug #881808) + - varnish 5.2.1-1 (bug #881808) [jessie] - varnish (Vulnerable code not present, issue introduced in 4.1.0) [wheezy] - varnish (Vulnerable code not present, issue introduced in 4.1.0) NOTE: http://varnish-cache.org/security/VSV2.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58123 - data/CVE
Author: sectracker Date: 2017-11-29 21:10:19 + (Wed, 29 Nov 2017) New Revision: 58123 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-29 19:50:37 UTC (rev 58122) +++ data/CVE/list 2017-11-29 21:10:19 UTC (rev 58123) @@ -1,3 +1,21 @@ +CVE-2017-17066 + RESERVED +CVE-2017-17065 + RESERVED +CVE-2017-17064 + RESERVED +CVE-2017-17063 + RESERVED +CVE-2017-17062 + RESERVED +CVE-2017-17061 + RESERVED +CVE-2017-17060 + RESERVED +CVE-2017-17059 (XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb posts ...) + TODO: check +CVE-2017-1000385 + RESERVED CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a Directory ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2017-17057 @@ -1727,42 +1745,61 @@ CVE-2017-1000406 NOT-FOR-US: OpenDayLight CVE-2017-1000404 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000403 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000402 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000401 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000400 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000399 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000398 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000397 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000396 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000395 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000394 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000393 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000392 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000391 + RESERVED NOT-FOR-US: Jenkins CVE-2017-1000390 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000389 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000388 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000387 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-1000386 + RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-16884 RESERVED @@ -3737,6 +3774,7 @@ CVE-2017-16242 RESERVED CVE-2017-1000384 [Arbitrary file read] + RESERVED - passenger - ruby-passenger [jessie] - ruby-passenger (Minor issue) 
@@ -9203,10 +9241,10 @@ RESERVED CVE-2017-14379 (EMC RSA Authentication Manager before 8.2 SP1 P6 has a cross-site ...) NOT-FOR-US: EMC -CVE-2017-14378 - RESERVED -CVE-2017-14377 - RESERVED +CVE-2017-14378 (EMC RSA Authentication Agent API 8.5 for C and RSA Authentication Agent ...) + TODO: check +CVE-2017-14377 (EMC RSA Authentication Agent for Web: Apache Web Server version 8.0 and ...) + TODO: check CVE-2017-14376 (EMC AppSync Server prior to 3.5.0.1 contains database accounts with ...) NOT-FOR-US: EMC AppSync Server CVE-2017-14375 (EMC Unisphere for VMAX Virtual Appliance (vApp) versions prior to ...) @@ -9733,14 +9771,14 @@ RESERVED CVE-2017-14190 RESERVED -CVE-2017-14189 - RESERVED +CVE-2017-14189 (An improper access control vulnerability in Fortinet FortiWebManager ...) + TODO: check CVE-2017-14188 RESERVED CVE-2017-14187 RESERVED -CVE-2017-14186 - RESERVED +CVE-2017-14186 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 5.6.0 ...) + TODO: check CVE-2017-14185 RESERVED CVE-2017-14184 @@ -9836,7 +9874,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/3 NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2330 CVE-2017-14176 (Bazaar through 2.7.0, when Subprocess SSH is used, allows remote ...) - {DLA-1107-1} + {DSA-4052-1 DLA-1107-1} - bzr 2.7.0+bzr6622-7 (bug #874429) NOTE: https://bugs.launchpad.net/bzr/+bug/1710979 CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping ...) @@ -10608,8 +10646,8 @@ RESERVED CVE-2017-13873 RESERVED -CVE-2017-13872 - RESERVED +CVE-2017-13872 (An issue was discovered in certain Apple products. macOS High Sierra ...) + TODO: check CVE-2017-13871 RESERVED CVE-2017-13870 
@@ -25627,21 +25665,20 @@ RESERVED CVE-2017-8819 RESERVED -CVE-2017-8818 [SSL out of buffer access] - RESERVED +CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to ...) - curl [stretch] - curl (Vulnerable code not present) [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html NOTE: https://curl.haxx.se/CVE-2017-8818.patch -CVE-2017-8817 [FTP wildcard out of bounds read] - RESERVED +CVE-2017-8817 (The
[Secure-testing-commits] r58122 - in data: . DSA
Author: carnil Date: 2017-11-29 19:50:37 + (Wed, 29 Nov 2017) New Revision: 58122 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for bzr update Modified: data/DSA/list === --- data/DSA/list 2017-11-29 19:15:27 UTC (rev 58121) +++ data/DSA/list 2017-11-29 19:50:37 UTC (rev 58122) @@ -1,3 +1,7 @@ +[29 Nov 2017] DSA-4052-1 bzr - security update + {CVE-2017-14176} + [jessie] - bzr 2.6.0+bzr6595-6+deb8u1 + [stretch] - bzr 2.7.0+bzr6619-7+deb9u1 [29 Nov 2017] DSA-4051-1 curl - security update {CVE-2017-8816 CVE-2017-8817} [jessie] - curl 7.38.0-4+deb8u8 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-29 19:15:27 UTC (rev 58121) +++ data/dsa-needed.txt 2017-11-29 19:50:37 UTC (rev 58122) @@ -14,8 +14,6 @@ -- 389-ds-base (fw) -- -bzr (carnil) --- exim4/stable (carnil) -- graphicsmagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58121 - data/CVE
Author: carnil Date: 2017-11-29 19:15:27 + (Wed, 29 Nov 2017) New Revision: 58121 Modified: data/CVE/list Log: Add fixing version for CVE-2017-16944/exim4 Modified: data/CVE/list === --- data/CVE/list 2017-11-29 15:39:30 UTC (rev 58120) +++ data/CVE/list 2017-11-29 19:15:27 UTC (rev 58121) @@ -1557,7 +1557,7 @@ [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/341 CVE-2017-16944 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) - - exim4 (bug #882671) + - exim4 4.89-13 (bug #882671) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) NOTE: https://bugs.exim.org/show_bug.cgi?id=2201 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58120 - data/CVE
Author: agx Date: 2017-11-29 15:39:30 + (Wed, 29 Nov 2017) New Revision: 58120 Modified: data/CVE/list Log: CVE-2017-12596: link to upstream fix Modified: data/CVE/list === --- data/CVE/list 2017-11-29 15:22:09 UTC (rev 58119) +++ data/CVE/list 2017-11-29 15:39:30 UTC (rev 58120) @@ -14602,6 +14602,7 @@ CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...) - openexr (bug #877352) NOTE: https://github.com/openexr/openexr/issues/238 + NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c CVE-2017-12595 (The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58119 - bin
Author: agx Date: 2017-11-29 15:22:09 + (Wed, 29 Nov 2017) New Revision: 58119 Modified: bin/report-vuln Log: report-vuln: don't fail if description_from_list return None If no description was found None is returned. This fixes Traceback (most recent call last): File "bin/report-vuln", line 237, in main() File "bin/report-vuln", line 234, in main gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src) File "bin/report-vuln", line 156, in gen_text print get_cve(cve) File "bin/report-vuln", line 114, in get_cve return ret + '\n' TypeError: unsupported operand type(s) for +: 'NoneType' and 'str' in case of a yet unknown CVE. Modified: bin/report-vuln === --- bin/report-vuln 2017-11-29 15:21:40 UTC (rev 58118) +++ bin/report-vuln 2017-11-29 15:22:09 UTC (rev 58119) @@ -108,7 +108,7 @@ if ret == '': ret = description_from_list(id) -if ret == '': +if not ret: ret = 'No description was found (try on a search engine)' return ret + '\n' ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
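Review bot: the changed test `if not ret:` handles the None that, per the log, description_from_list() returns when nothing is found, but the check just above it still compares `ret == ''`, so get_cve() now deals with two different "empty" values. Consider having description_from_list() return '' explicitly when no entry matches, so that the `return ret + '\n'` concatenation can only ever see a string.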
[Secure-testing-commits] r58118 - bin
Author: agx Date: 2017-11-29 15:21:40 + (Wed, 29 Nov 2017) New Revision: 58118 Modified: bin/report-vuln Log: report-vuln: Use spaces instead of tabs Modified: bin/report-vuln === --- bin/report-vuln 2017-11-29 14:48:58 UTC (rev 58117) +++ bin/report-vuln 2017-11-29 15:21:40 UTC (rev 58118) 
@@ -25,118 +25,118 @@ temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-') def setup_path(): - dirname = os.path.dirname - base = dirname(dirname(os.path.realpath(sys.argv[0]))) - sys.path.insert(0, os.path.join(base, "lib", "python")) +dirname = os.path.dirname +base = dirname(dirname(os.path.realpath(sys.argv[0]))) +sys.path.insert(0, os.path.join(base, "lib", "python")) def description_from_list(id, pkg='', skip_entries=0): - setup_path() - import bugs - import debian_support - is_temp = temp_id.match(id) - skipped = 0 +setup_path() +import bugs +import debian_support +is_temp = temp_id.match(id) +skipped = 0 - for bug in bugs.CVEFile(debian_support.findresource( - *"data CVE list".split())): - if bug.name == id or (is_temp and not bug.isFromCVE()): - if pkg != '': - matches = False - for n in bug.notes: - if n.package == pkg and str(n.urgency) != 'unimportant': - matches = True - break - if not matches: - continue - if skipped < skip_entries: - skipped += 1 - continue - return bug.description +for bug in bugs.CVEFile(debian_support.findresource( +*"data CVE list".split())): +if bug.name == id or (is_temp and not bug.isFromCVE()): +if pkg != '': +matches = False +for n in bug.notes: +if n.package == pkg and str(n.urgency) != 'unimportant': +matches = True +break +if not matches: +continue +if skipped < skip_entries: +skipped += 1 +continue +return bug.description def gen_index(ids): - ret = '' - for cnt, id in enumerate(ids): - if temp_id.match(id): - continue -ret += '\n[' + str(cnt) + '] https://security-tracker.debian.org/tracker/' + id + '\n' -ret += 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id +ret = '' +for cnt, id in enumerate(ids): +if temp_id.match(id): +continue +ret += '\n[' + str(cnt) + '] https://security-tracker.debian.org/tracker/' + id + '\n' +ret += 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id - return ret +return ret def http_get(id): - param = urllib.urlencode({'name' : id}) - resp = '' - try: - f = 
urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param) - resp = f.read() - except Exception, e: - error('on doing HTTP request' + str(e)) - - f.close() +param = urllib.urlencode({'name' : id}) +resp = '' +try: +f = urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param) +resp = f.read() +except Exception, e: +error('on doing HTTP request' + str(e)) - return resp +f.close() +return resp + # this is a hack that parses the cve id description from mitre def get_cve(id): - desc = False - r = re.compile('.*Description<.*') - tag = re.compile('.*.*') -reserved = re.compile(r'\*+\s+()?RESERVED()?\s+\*+') - ret = '' - resp = http_get(id) +desc = False +r = re.compile('.* Description<.*') +tag = re.compile('.*.*') +reserved = re.compile(r'\*+\s+()?RESERVED()?\s+\*+') +ret = '' +resp = http_get(id) - for line in resp.rsplit('\n'): - if r.match(line): - desc = True - continue +for line in resp.rsplit('\n'): +if r.match(line): +desc = True +continue - if desc and reserved.search(line): - break +if desc and reserved.search(line): +break - if tag.match(line) and desc: - continue +if tag.match(line) and desc: +continue - if desc and '' in line: - ret += '| ' + re.sub('.*', '', line) - continue +if
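Review bot: in the http_get part of this hunk, `f.close()` still runs after the try/except, so if urlopen() raises, f is never bound and, unless error() terminates the process, the close itself fails with a NameError. That predates this whitespace change, but since these lines are being touched anyway, a follow-up that closes f inside the try (or in a finally guarded on f being set) would be cheap.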
[Secure-testing-commits] r58117 - data/CVE
Author: alteholz Date: 2017-11-29 14:48:58 + (Wed, 29 Nov 2017) New Revision: 58117 Modified: data/CVE/list Log: CVE-2017-8816 not for Wheezy Modified: data/CVE/list === --- data/CVE/list 2017-11-29 14:25:12 UTC (rev 58116) +++ data/CVE/list 2017-11-29 14:48:58 UTC (rev 58117) @@ -25642,6 +25642,7 @@ CVE-2017-8816 [NTLM buffer overflow via integer overflow] RESERVED - curl + [wheezy] - curl (Vulnerable code not present, introduced in 7.36.0) NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html NOTE: https://curl.haxx.se/CVE-2017-8816.patch CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58116 - data/CVE
Author: carnil Date: 2017-11-29 14:25:12 + (Wed, 29 Nov 2017) New Revision: 58116 Modified: data/CVE/list Log: Add fixing version for CVE-2017-14623/golang-github-go-ldap-ldap Modified: data/CVE/list === --- data/CVE/list 2017-11-29 14:21:57 UTC (rev 58115) +++ data/CVE/list 2017-11-29 14:25:12 UTC (rev 58116) @@ -8504,7 +8504,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/722 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9ff805077fd5297dc41dc989f9dba59877e12f97 CVE-2017-14623 (In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker ...) - - golang-github-go-ldap-ldap (low; bug #876404) + - golang-github-go-ldap-ldap 2.5.1-1 (low; bug #876404) [stretch] - golang-github-go-ldap-ldap (Minor issue) NOTE: https://github.com/go-ldap/ldap/pull/126 NOTE: https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58115 - data
Author: alteholz Date: 2017-11-29 14:21:57 + (Wed, 29 Nov 2017) New Revision: 58115 Modified: data/dla-needed.txt Log: claim curl Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-29 13:34:57 UTC (rev 58114) +++ data/dla-needed.txt 2017-11-29 14:21:57 UTC (rev 58115) @@ -17,7 +17,7 @@ couchdb NOTE: Only in wheezy, we are on our own. -- -curl +curl (Thorsten Alteholz) -- irssi (Rhonda D'Vine) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58114 - data/CVE
Author: lamby Date: 2017-11-29 13:34:57 + (Wed, 29 Nov 2017) New Revision: 58114 Modified: data/CVE/list Log: Triage qemu-kvm for wheezy. Modified: data/CVE/list === --- data/CVE/list 2017-11-29 13:28:50 UTC (rev 58113) +++ data/CVE/list 2017-11-29 13:34:57 UTC (rev 58114) @@ -6875,11 +6875,13 @@ RESERVED - qemu - qemu-kvm + [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html CVE-2017-15118 [stack buffer overflow in NBD server triggered via long export name] RESERVED - qemu - qemu-kvm + [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html CVE-2017-15117 REJECTED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58113 - data
Author: lamby Date: 2017-11-29 13:28:50 + (Wed, 29 Nov 2017) New Revision: 58113 Modified: data/dla-needed.txt Log: Triage thunderbird for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-29 13:26:28 UTC (rev 58112) +++ data/dla-needed.txt 2017-11-29 13:28:50 UTC (rev 58113) @@ -107,6 +107,9 @@ swftools NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) -- +thunderbird + NOTE: 20171129: Not sure if vulnerable as patches are private atm. (lamby) +-- tiff (Brian May) NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06 NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- anarcat 2017-10-24 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58112 - data
Author: lamby Date: 2017-11-29 13:26:28 + (Wed, 29 Nov 2017) New Revision: 58112 Modified: data/dla-needed.txt Log: Triage curl for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-29 10:54:26 UTC (rev 58111) +++ data/dla-needed.txt 2017-11-29 13:26:28 UTC (rev 58112) @@ -17,6 +17,8 @@ couchdb NOTE: Only in wheezy, we are on our own. -- +curl +-- irssi (Rhonda D'Vine) -- jasperreports ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58111 - in data: . DSA
Author: corsac Date: 2017-11-29 10:54:26 + (Wed, 29 Nov 2017) New Revision: 58111 Modified: data/DSA/list data/dsa-needed.txt Log: allocate DSA number for curl Modified: data/DSA/list === --- data/DSA/list 2017-11-29 09:54:12 UTC (rev 58110) +++ data/DSA/list 2017-11-29 10:54:26 UTC (rev 58111) @@ -1,3 +1,7 @@ +[29 Nov 2017] DSA-4051-1 curl - security update + {CVE-2017-8816 CVE-2017-8817} + [jessie] - curl 7.38.0-4+deb8u8 + [stretch] - curl 7.52.1-5+deb9u3 [28 Nov 2017] DSA-4050-1 xen - security update {CVE-2017-14316 CVE-2017-14317 CVE-2017-14318 CVE-2017-14319 CVE-2017-15588 CVE-2017-15589 CVE-2017-15590 CVE-2017-15591 CVE-2017-15592 CVE-2017-15593 CVE-2017-15594 CVE-2017-15595 CVE-2017-15597 CVE-2017-17044 CVE-2017-17045 CVE-2017-17046} [stretch] - xen 4.8.2+xsa245-0+deb9u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-29 09:54:12 UTC (rev 58110) +++ data/dsa-needed.txt 2017-11-29 10:54:26 UTC (rev 58111) @@ -16,8 +16,6 @@ -- bzr (carnil) -- -curl (corsac) --- exim4/stable (carnil) -- graphicsmagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58110 - data/CVE
Author: carnil Date: 2017-11-29 09:54:12 + (Wed, 29 Nov 2017) New Revision: 58110 Modified: data/CVE/list Log: Add CVE-2017-17054/aubio, not removed TODO yet since superficially checked only Modified: data/CVE/list === --- data/CVE/list 2017-11-29 09:54:00 UTC (rev 58109) +++ data/CVE/list 2017-11-29 09:54:12 UTC (rev 58110) @@ -7,6 +7,8 @@ CVE-2017-17055 RESERVED CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function ...) + - aubio + NOTE: https://github.com/aubio/aubio/issues/148 TODO: check CVE-2017-17051 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58109 - data/CVE
Author: carnil Date: 2017-11-29 09:54:00 + (Wed, 29 Nov 2017) New Revision: 58109 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-29 09:49:11 UTC (rev 58108) +++ data/CVE/list 2017-11-29 09:54:00 UTC (rev 58109) @@ -1,5 +1,5 @@ CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a Directory ...) - TODO: check + NOT-FOR-US: WooCommerce plugin for WordPress CVE-2017-17057 RESERVED CVE-2017-17056 @@ -11,15 +11,15 @@ CVE-2017-17051 RESERVED CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17049 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17048 RESERVED CVE-2017-17047 RESERVED CVE-2017-17043 (The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected ...) - TODO: check + NOT-FOR-US: Emag Marketplace Connector for WordPress CVE-2017-17053 (The init_new_context function in arch/x86/include/asm/mmu_context.h in ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 @@ -23914,7 +23914,7 @@ CVE-2017-9316 (Firmware upgrade authentication bypass vulnerability was found in ...) NOT-FOR-US: Dahua CVE-2017-9315 (Customer of Dahua IP camera or IP PTZ could submit relevant device ...) - TODO: check + NOT-FOR-US: Dahua CVE-2017-9314 (Authentication vulnerability found in Dahua NVR models NVR50XX, ...) NOT-FOR-US: Dahua NVR CVE-2017-9313 (Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58108 - data
Author: carnil Date: 2017-11-29 09:49:11 + (Wed, 29 Nov 2017) New Revision: 58108 Modified: data/dsa-needed.txt Log: Add curl to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-29 09:46:02 UTC (rev 58107) +++ data/dsa-needed.txt 2017-11-29 09:49:11 UTC (rev 58108) @@ -16,6 +16,8 @@ -- bzr (carnil) -- +curl (corsac) +-- exim4/stable (carnil) -- graphicsmagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58107 - data/CVE
Author: carnil Date: 2017-11-29 09:46:02 + (Wed, 29 Nov 2017) New Revision: 58107 Modified: data/CVE/list Log: Add references to patches for curl issues Modified: data/CVE/list === --- data/CVE/list 2017-11-29 09:42:39 UTC (rev 58106) +++ data/CVE/list 2017-11-29 09:46:02 UTC (rev 58107) @@ -25629,14 +25629,17 @@ [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html + NOTE: https://curl.haxx.se/CVE-2017-8818.patch CVE-2017-8817 [FTP wildcard out of bounds read] RESERVED - curl NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html + NOTE: https://curl.haxx.se/CVE-2017-8817.patch CVE-2017-8816 [NTLM buffer overflow via integer overflow] RESERVED - curl NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html + NOTE: https://curl.haxx.se/CVE-2017-8816.patch CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x before ...) {DSA-4036-1} - mediawiki 1:1.27.4-1
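Review bot: the three added NOTE lines give bare URLs to patch files (for example "NOTE: https://curl.haxx.se/CVE-2017-8816.patch") without saying what they are, so they read the same as the advisory links directly above them. Mark them as the fix, for example with a "Fixed by:" prefix, and switch to the upstream commit references once those are known, since a patch file served from a fixed URL can change after this entry is written.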
[Secure-testing-commits] r58106 - data/CVE
Author: carnil Date: 2017-11-29 09:42:39 + (Wed, 29 Nov 2017) New Revision: 58106 Modified: data/CVE/list Log: Add new curl issues Modified: data/CVE/list === --- data/CVE/list 2017-11-29 09:10:23 UTC (rev 58105) +++ data/CVE/list 2017-11-29 09:42:39 UTC (rev 58106) @@ -25622,12 +25622,21 @@ RESERVED CVE-2017-8819 RESERVED -CVE-2017-8818 +CVE-2017-8818 [SSL out of buffer access] RESERVED -CVE-2017-8817 + - curl + [stretch] - curl (Vulnerable code not present) + [jessie] - curl (Vulnerable code not present) + [wheezy] - curl (Vulnerable code not present) + NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html +CVE-2017-8817 [FTP wildcard out of bounds read] RESERVED -CVE-2017-8816 + - curl + NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html +CVE-2017-8816 [NTLM buffer overflow via integer overflow] RESERVED + - curl + NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x before ...) {DSA-4036-1} - mediawiki 1:1.27.4-1
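Review bot: CVE-2017-8818 marks stretch, jessie and wheezy as "(Vulnerable code not present)", but the entry records nothing that supports this; its only NOTE is the advisory URL. Add a NOTE naming the curl version or commit that introduced the affected code, so the decision can be checked later without rereading the advisory. CVE-2017-8817 and CVE-2017-8816 get no per-suite lines at all, so it is worth stating whether the same check was done for them.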
[Secure-testing-commits] r58105 - data/CVE
Author: sectracker Date: 2017-11-29 09:10:23 + (Wed, 29 Nov 2017) New Revision: 58105 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-29 08:37:04 UTC (rev 58104) +++ data/CVE/list 2017-11-29 09:10:23 UTC (rev 58105) @@ -1,10 +1,32 @@ -CVE-2017-17053 [x86/mm: Fix use-after-free of ldt_struct] +CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a Directory ...) + TODO: check +CVE-2017-17057 + RESERVED +CVE-2017-17056 + RESERVED +CVE-2017-17055 + RESERVED +CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function ...) + TODO: check +CVE-2017-17051 + RESERVED +CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17049 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17048 + RESERVED +CVE-2017-17047 + RESERVED +CVE-2017-17043 (The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected ...) + TODO: check +CVE-2017-17053 (The init_new_context function in arch/x86/include/asm/mmu_context.h in ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/ccd5b3235180eef3cfec337df1c8554ab151b5cc -CVE-2017-17052 [fork: fix incorrect fput of ->exe_file causing use-after-free] +CVE-2017-17052 (The mm_init function in kernel/fork.c in the Linux kernel before ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Vulnerable code not present) 
@@ -93,13 +115,16 @@ RESERVED CVE-2017-17027 RESERVED -CVE-2017-17045 [XSA-247: Missing p2m error checking in PoD code] +CVE-2017-17045 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS ...) + {DSA-4050-1} - xen NOTE: https://xenbits.xen.org/xsa/advisory-247.html -CVE-2017-17044 [XSA-246: x86: infinite loop due to missing PoD error checking] +CVE-2017-17044 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS ...) + {DSA-4050-1} - xen NOTE: https://xenbits.xen.org/xsa/advisory-246.html -CVE-2017-17046 [XSA-245: ARM: Some memory not scrubbed at boot] +CVE-2017-17046 (An issue was discovered in Xen through 4.9.x on the ARM platform ...) + {DSA-4050-1} - xen NOTE: https://xenbits.xen.org/xsa/advisory-245.html CVE-2018-0705
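Review bot: in the second hunk, replacing the bracketed working titles with the truncated descriptions leaves CVE-2017-17045 and CVE-2017-17044 with identical visible text ("An issue was discovered in Xen through 4.9.x allowing HVM guest OS ..."), and the XSA number now survives only inside each NOTE URL. A one-line NOTE per entry keeping the XSA id and short title (for example the removed "XSA-247: Missing p2m error checking in PoD code") would keep the three {DSA-4050-1} entries distinguishable when reading the list.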
[Secure-testing-commits] r58104 - data/CVE
Author: carnil Date: 2017-11-29 08:37:04 + (Wed, 29 Nov 2017) New Revision: 58104 Modified: data/CVE/list Log: Record fix for CVE-2017-1000248 via experimental Modified: data/CVE/list === --- data/CVE/list 2017-11-29 08:09:13 UTC (rev 58103) +++ data/CVE/list 2017-11-29 08:37:04 UTC (rev 58104) @@ -1862,6 +1862,7 @@ CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...) NOT-FOR-US: Amazon Key CVE-2017-1000248 (Redis-store =v1.3.0 allows unsafe objects to be loaded from redis ...) + [experimental] - ruby-redis-store 1.3.0-2 - ruby-redis-store (bug #882034) NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is ...)
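Review bot: the added "[experimental] - ruby-redis-store 1.3.0-2" line records the fix in a Debian revision of upstream 1.3.0, the same upstream version the CVE description names, and nothing in the entry says that 1.3.0-2 carries the commit linked in the NOTE. Add a NOTE stating that 1.3.0-2 includes that commit as a backport, so the fixed version is not mistaken for an upstream release that already contains it.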
[Secure-testing-commits] r58103 - data/CVE
Author: jmm Date: 2017-11-29 08:09:13 + (Wed, 29 Nov 2017) New Revision: 58103 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-29 06:46:17 UTC (rev 58102) +++ data/CVE/list 2017-11-29 08:09:13 UTC (rev 58103) @@ -15535,6 +15535,7 @@ RESERVED CVE-2017-12195 RESERVED + NOT-FOR-US: OpenShift CVE-2017-12194 RESERVED CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array.c ...)
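Review bot: CVE-2017-12195 is still RESERVED with no description, so the added "NOT-FOR-US: OpenShift" has no visible basis in the entry, and the log message "NFU" gives none either. Add a NOTE with the reference the attribution came from, so it can be rechecked when the description is published.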