[Secure-testing-commits] r58134 - in data: . DSA
Author: carnil
Date: 2017-11-30 07:48:36 + (Thu, 30 Nov 2017)
New Revision: 58134
Modified:
data/DSA/list
data/dsa-needed.txt
Log:
Reserve DSA number for exim4 update
Modified: data/DSA/list
===
--- data/DSA/list 2017-11-30 06:18:11 UTC (rev 58133)
+++ data/DSA/list 2017-11-30 07:48:36 UTC (rev 58134)
@@ -1,3 +1,6 @@
+[30 Nov 2017] DSA-4053-1 exim4 - security update
+ {CVE-2017-16943 CVE-2017-16944}
+ [stretch] - exim4 4.89-2+deb9u2
[29 Nov 2017] DSA-4052-1 bzr - security update
{CVE-2017-14176}
[jessie] - bzr 2.6.0+bzr6595-6+deb8u1
Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-30 06:18:11 UTC (rev 58133)
+++ data/dsa-needed.txt 2017-11-30 07:48:36 UTC (rev 58134)
@@ -14,8 +14,6 @@
--
389-ds-base (fw)
--
-exim4/stable (carnil)
---
graphicsmagick
--
libav/oldstable
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58133 - data/CVE
Author: carnil Date: 2017-11-30 06:18:11 + (Thu, 30 Nov 2017) New Revision: 58133 Modified: data/CVE/list Log: Add commit fixing CVE-2017-15108/spice-vdagent Modified: data/CVE/list === --- data/CVE/list 2017-11-30 06:13:37 UTC (rev 58132) +++ data/CVE/list 2017-11-30 06:18:11 UTC (rev 58133) @@ -6955,6 +6955,7 @@ CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in vdagent_file_xfers_data()] RESERVED - spice-vdagent + NOTE: Fixed by: https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58132 - data/CVE
Author: carnil Date: 2017-11-30 06:13:37 + (Thu, 30 Nov 2017) New Revision: 58132 Modified: data/CVE/list Log: Add CVE-2017-15108/spice-vdagent Modified: data/CVE/list === --- data/CVE/list 2017-11-30 06:02:20 UTC (rev 58131) +++ data/CVE/list 2017-11-30 06:13:37 UTC (rev 58132) @@ -6952,8 +6952,10 @@ - moodle CVE-2017-15109 RESERVED -CVE-2017-15108 +CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in vdagent_file_xfers_data()] RESERVED + - spice-vdagent + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 RESERVED CVE-2017-15106 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58131 - data/CVE
Author: carnil
Date: 2017-11-30 06:02:20 + (Thu, 30 Nov 2017)
New Revision: 58131
Modified:
data/CVE/list
Log:
Add source package breezy as well for the CVE-2017-14176 (since "identical"
code and so same CVE should apply)
Modified: data/CVE/list
===
--- data/CVE/list 2017-11-30 05:44:05 UTC (rev 58130)
+++ data/CVE/list 2017-11-30 06:02:20 UTC (rev 58131)
@@ -9882,6 +9882,7 @@
CVE-2017-14176 (Bazaar through 2.7.0, when Subprocess SSH is used, allows
remote ...)
{DSA-4052-1 DLA-1107-1}
- bzr 2.7.0+bzr6622-7 (bug #874429)
+ - breezy 3.0.0~bzr6772-1
NOTE: https://bugs.launchpad.net/bzr/+bug/1710979
CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after
dropping ...)
- openldap (unimportant)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58130 - data/CVE
Author: carnil Date: 2017-11-30 05:44:05 + (Thu, 30 Nov 2017) New Revision: 58130 Modified: data/CVE/list Log: Add CVE-2017-1000405/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-29 23:01:01 UTC (rev 58129) +++ data/CVE/list 2017-11-30 05:44:05 UTC (rev 58130) @@ -1744,6 +1744,11 @@ RESERVED CVE-2017-1000406 NOT-FOR-US: OpenDayLight +CVE-2017-1000405 ["Dirty COW" variant on transparent huge pages] + - linux + NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 + NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 + NOTE: https://github.com/bindecy/HugeDirtyCowPOC CVE-2017-1000404 RESERVED NOT-FOR-US: Jenkins plugin ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58129 - data
Author: carnil Date: 2017-11-29 23:01:01 + (Wed, 29 Nov 2017) New Revision: 58129 Modified: data/next-point-update.txt Log: add proposed update for golang-github-go-ldap-ldap Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-11-29 21:50:07 UTC (rev 58128) +++ data/next-point-update.txt 2017-11-29 23:01:01 UTC (rev 58129) @@ -55,3 +55,5 @@ [stretch] - pdns-recursor 4.0.4-1+deb9u2 CVE-2017-15094 [stretch] - pdns-recursor 4.0.4-1+deb9u2 +CVE-2017-14623 + [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58128 - / stamps
Author: carnil Date: 2017-11-29 21:50:07 + (Wed, 29 Nov 2017) New Revision: 58128 Added: stamps/.gitignore Modified: .gitignore Log: Don't ignore (when using git) stamps directory Reasoning, on git clean the directory will be removed. But the security tracker needs the stamps dir (e.g. Makefile). Modified: .gitignore === --- .gitignore 2017-11-29 21:38:29 UTC (rev 58127) +++ .gitignore 2017-11-29 21:50:07 UTC (rev 58128) @@ -4,7 +4,6 @@ .gitignore data/nvd/ data/security.db* -stamps/ *_Packages *_Sources *.pyc Added: stamps/.gitignore === --- stamps/.gitignore (rev 0) +++ stamps/.gitignore 2017-11-29 21:50:07 UTC (rev 58128) @@ -0,0 +1,6 @@ +# +# general rules +# +.gitignore +*-* +*~ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58127 - /
Author: agx Date: 2017-11-29 21:38:29 + (Wed, 29 Nov 2017) New Revision: 58127 Modified: .gitignore Log: gitignore stamps dir Modified: .gitignore === --- .gitignore 2017-11-29 21:38:26 UTC (rev 58126) +++ .gitignore 2017-11-29 21:38:29 UTC (rev 58127) @@ -4,6 +4,7 @@ .gitignore data/nvd/ data/security.db* +stamps/ *_Packages *_Sources *.pyc ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58126 - data/CVE
Author: agx Date: 2017-11-29 21:38:26 + (Wed, 29 Nov 2017) New Revision: 58126 Modified: data/CVE/list Log: lts: mark CVE-2017-14989 as postponed Modified: data/CVE/list === --- data/CVE/list 2017-11-29 21:38:11 UTC (rev 58125) +++ data/CVE/list 2017-11-29 21:38:26 UTC (rev 58126) @@ -7462,6 +7462,7 @@ NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093 CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...) - openexr (bug #878551) + [wheezy] - openexr (Should be fixed along in future update) NOTE: https://github.com/openexr/openexr/issues/248 CVE-2017-14987 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58125 - bin
Author: agx
Date: 2017-11-29 21:38:11 + (Wed, 29 Nov 2017)
New Revision: 58125
Modified:
bin/report-vuln
Log:
report-vuln: Support generation of mail headers
Modified: bin/report-vuln
===
--- bin/report-vuln 2017-11-29 21:25:13 UTC (rev 58124)
+++ bin/report-vuln 2017-11-29 21:38:11 UTC (rev 58125)
@@ -8,14 +8,14 @@
#
# report-vuln(){
# TMPFILE="$HOME/reportbug.tmp"
-# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
-# mutt -i $TMPFILE sub...@bugs.debian.org
+# $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE
+# mutt -H $TMPFILE
# rm $TMPFILE
# }
#
# in bash, this can be simply:
#
-# mutt -i <($HOME/debian/svn/secure-testing/bin/report-vuln)
sub...@bugs.debian.org
+# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m )
#
# export http_proxy if you need to use an http proxy to report bugs
@@ -113,21 +113,28 @@
return ret + '\n'
-def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False,
cclist=None, src=False):
+def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False,
cclist=None, src=False, mh=False):
vuln_suff = 'y'
cve_suff = ''
time_w = 'was'
temp_id_cnt = 0
+header = ''
+if mh:
+header += '''To: sub...@bugs.debian.org
+Subject: %s: %s
+
+''' % (pkg, ' '.join(cveid))
+
if len(cveid) > 1:
cve_suff = 's'
vuln_suff = 'ies'
time_w = 'were'
if src:
-header = '''Source: %s\n''' % (pkg)
+header += '''Source: %s\n''' % (pkg)
else:
-header = '''Package: %s\n''' % (pkg)
+header += '''Package: %s\n''' % (pkg)
if affected is None:
if blanks:
@@ -212,6 +219,7 @@
parser.add_argument('--cc-list', dest='cclist',
default=['t...@security.debian.org',
'secure-testing-t...@lists.alioth.debian.org'],
help='list of addresses to add in CC (default:
%(default)s)')
parser.add_argument('--src', action="store_true", help='report against
source package')
+parser.add_argument('-m', '--mail-header', action="store_true",
help='generate a mail header')
parser.add_argument('pkg', help='affected package')
parser.add_argument('cve', nargs='+', help='relevant CVE for this source
package, may be used multiple time if the issue has multiple CVEs')
args = parser.parse_args()
@@ -231,7 +239,7 @@
if not c.match(arg) and not temp_id.match(arg):
error(arg + ' does not seem to be a valid CVE id')
-gen_text(pkg, cve, affected=args.affected, blanks=args.blanks,
severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src)
+gen_text(pkg, cve, affected=args.affected, blanks=args.blanks,
severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src,
mh=args.mail_header)
if __name__ == '__main__':
main()
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58124 - data/CVE
Author: carnil
Date: 2017-11-29 21:25:13 + (Wed, 29 Nov 2017)
New Revision: 58124
Modified:
data/CVE/list
Log:
CVE-2017-8807/varnish fixed in unstable
Modified: data/CVE/list
===
--- data/CVE/list 2017-11-29 21:10:19 UTC (rev 58123)
+++ data/CVE/list 2017-11-29 21:25:13 UTC (rev 58124)
@@ -25729,7 +25729,7 @@
NOTE: https://phabricator.wikimedia.org/T178451
CVE-2017-8807 (vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish
HTTP Cache ...)
{DSA-4034-1}
- - varnish (bug #881808)
+ - varnish 5.2.1-1 (bug #881808)
[jessie] - varnish (Vulnerable code not present, issue
introduced in 4.1.0)
[wheezy] - varnish (Vulnerable code not present, issue
introduced in 4.1.0)
NOTE: http://varnish-cache.org/security/VSV2.html
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58123 - data/CVE
Author: sectracker
Date: 2017-11-29 21:10:19 + (Wed, 29 Nov 2017)
New Revision: 58123
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-11-29 19:50:37 UTC (rev 58122)
+++ data/CVE/list 2017-11-29 21:10:19 UTC (rev 58123)
@@ -1,3 +1,21 @@
+CVE-2017-17066
+ RESERVED
+CVE-2017-17065
+ RESERVED
+CVE-2017-17064
+ RESERVED
+CVE-2017-17063
+ RESERVED
+CVE-2017-17062
+ RESERVED
+CVE-2017-17061
+ RESERVED
+CVE-2017-17060
+ RESERVED
+CVE-2017-17059 (XSS exists in the amtyThumb amty-thumb-recent-post (aka
amtyThumb posts ...)
+ TODO: check
+CVE-2017-1000385
+ RESERVED
CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a
Directory ...)
NOT-FOR-US: WooCommerce plugin for WordPress
CVE-2017-17057
@@ -1727,42 +1745,61 @@
CVE-2017-1000406
NOT-FOR-US: OpenDayLight
CVE-2017-1000404
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000403
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000402
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000401
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000400
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000399
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000398
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000397
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000396
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000395
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000394
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000393
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000392
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000391
+ RESERVED
NOT-FOR-US: Jenkins
CVE-2017-1000390
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000389
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000388
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000387
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-1000386
+ RESERVED
NOT-FOR-US: Jenkins plugin
CVE-2017-16884
RESERVED
@@ -3737,6 +3774,7 @@
CVE-2017-16242
RESERVED
CVE-2017-1000384 [Arbitrary file read]
+ RESERVED
- passenger
- ruby-passenger
[jessie] - ruby-passenger (Minor issue)
@@ -9203,10 +9241,10 @@
RESERVED
CVE-2017-14379 (EMC RSA Authentication Manager before 8.2 SP1 P6 has a
cross-site ...)
NOT-FOR-US: EMC
-CVE-2017-14378
- RESERVED
-CVE-2017-14377
- RESERVED
+CVE-2017-14378 (EMC RSA Authentication Agent API 8.5 for C and RSA
Authentication Agent ...)
+ TODO: check
+CVE-2017-14377 (EMC RSA Authentication Agent for Web: Apache Web Server
version 8.0 and ...)
+ TODO: check
CVE-2017-14376 (EMC AppSync Server prior to 3.5.0.1 contains database accounts
with ...)
NOT-FOR-US: EMC AppSync Server
CVE-2017-14375 (EMC Unisphere for VMAX Virtual Appliance (vApp) versions prior
to ...)
@@ -9733,14 +9771,14 @@
RESERVED
CVE-2017-14190
RESERVED
-CVE-2017-14189
- RESERVED
+CVE-2017-14189 (An improper access control vulnerability in Fortinet
FortiWebManager ...)
+ TODO: check
CVE-2017-14188
RESERVED
CVE-2017-14187
RESERVED
-CVE-2017-14186
- RESERVED
+CVE-2017-14186 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS
5.6.0 ...)
+ TODO: check
CVE-2017-14185
RESERVED
CVE-2017-14184
@@ -9836,7 +9874,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/3
NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2330
CVE-2017-14176 (Bazaar through 2.7.0, when Subprocess SSH is used, allows
remote ...)
- {DLA-1107-1}
+ {DSA-4052-1 DLA-1107-1}
- bzr 2.7.0+bzr6622-7 (bug #874429)
NOTE: https://bugs.launchpad.net/bzr/+bug/1710979
CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after
dropping ...)
@@ -10608,8 +10646,8 @@
RESERVED
CVE-2017-13873
RESERVED
-CVE-2017-13872
- RESERVED
+CVE-2017-13872 (An issue was discovered in certain Apple products. macOS High
Sierra ...)
+ TODO: check
CVE-2017-13871
RESERVED
CVE-2017-13870
@@ -25627,21 +25665,20 @@
RESERVED
CVE-2017-8819
RESERVED
-CVE-2017-8818 [SSL out of buffer access]
- RESERVED
+CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow
attackers to ...)
- curl
[stretch] - curl (Vulnerable code not present)
[jessie] - curl (Vulnerable code not present)
[wheezy] - curl (Vulnerable code not present)
NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html
NOTE: https://curl.haxx.se/CVE-2017-8818.patch
-CVE-2017-8817 [FTP wildcard out of bounds read]
- RESERVED
+CVE-2017-8817 (The
[Secure-testing-commits] r58122 - in data: . DSA
Author: carnil
Date: 2017-11-29 19:50:37 + (Wed, 29 Nov 2017)
New Revision: 58122
Modified:
data/DSA/list
data/dsa-needed.txt
Log:
Reserve DSA number for bzr update
Modified: data/DSA/list
===
--- data/DSA/list 2017-11-29 19:15:27 UTC (rev 58121)
+++ data/DSA/list 2017-11-29 19:50:37 UTC (rev 58122)
@@ -1,3 +1,7 @@
+[29 Nov 2017] DSA-4052-1 bzr - security update
+ {CVE-2017-14176}
+ [jessie] - bzr 2.6.0+bzr6595-6+deb8u1
+ [stretch] - bzr 2.7.0+bzr6619-7+deb9u1
[29 Nov 2017] DSA-4051-1 curl - security update
{CVE-2017-8816 CVE-2017-8817}
[jessie] - curl 7.38.0-4+deb8u8
Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-29 19:15:27 UTC (rev 58121)
+++ data/dsa-needed.txt 2017-11-29 19:50:37 UTC (rev 58122)
@@ -14,8 +14,6 @@
--
389-ds-base (fw)
--
-bzr (carnil)
---
exim4/stable (carnil)
--
graphicsmagick
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58121 - data/CVE
Author: carnil Date: 2017-11-29 19:15:27 + (Wed, 29 Nov 2017) New Revision: 58121 Modified: data/CVE/list Log: Add fixing version for CVE-2017-16944/exim4 Modified: data/CVE/list === --- data/CVE/list 2017-11-29 15:39:30 UTC (rev 58120) +++ data/CVE/list 2017-11-29 19:15:27 UTC (rev 58121) @@ -1557,7 +1557,7 @@ [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/341 CVE-2017-16944 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) - - exim4 (bug #882671) + - exim4 4.89-13 (bug #882671) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) NOTE: https://bugs.exim.org/show_bug.cgi?id=2201 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58120 - data/CVE
Author: agx Date: 2017-11-29 15:39:30 + (Wed, 29 Nov 2017) New Revision: 58120 Modified: data/CVE/list Log: CVE-2017-12596: link to upstream fix Modified: data/CVE/list === --- data/CVE/list 2017-11-29 15:22:09 UTC (rev 58119) +++ data/CVE/list 2017-11-29 15:39:30 UTC (rev 58120) @@ -14602,6 +14602,7 @@ CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...) - openexr (bug #877352) NOTE: https://github.com/openexr/openexr/issues/238 + NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c CVE-2017-12595 (The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58119 - bin
Author: agx Date: 2017-11-29 15:22:09 + (Wed, 29 Nov 2017) New Revision: 58119 Modified: bin/report-vuln Log: report-vuln: don't fail if description_from_list return None If no description was found None is returned. This fixes Traceback (most recent call last): File "bin/report-vuln", line 237, in main() File "bin/report-vuln", line 234, in main gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src) File "bin/report-vuln", line 156, in gen_text print get_cve(cve) File "bin/report-vuln", line 114, in get_cve return ret + '\n' TypeError: unsupported operand type(s) for +: 'NoneType' and 'str' in case of a yet unknown CVE. Modified: bin/report-vuln === --- bin/report-vuln 2017-11-29 15:21:40 UTC (rev 58118) +++ bin/report-vuln 2017-11-29 15:22:09 UTC (rev 58119) @@ -108,7 +108,7 @@ if ret == '': ret = description_from_list(id) -if ret == '': +if not ret: ret = 'No description was found (try on a search engine)' return ret + '\n' ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58118 - bin
Author: agx
Date: 2017-11-29 15:21:40 + (Wed, 29 Nov 2017)
New Revision: 58118
Modified:
bin/report-vuln
Log:
report-vuln: Use spaces instead of tabs
Modified: bin/report-vuln
===
--- bin/report-vuln 2017-11-29 14:48:58 UTC (rev 58117)
+++ bin/report-vuln 2017-11-29 15:21:40 UTC (rev 58118)
@@ -25,118 +25,118 @@
temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-')
def setup_path():
- dirname = os.path.dirname
- base = dirname(dirname(os.path.realpath(sys.argv[0])))
- sys.path.insert(0, os.path.join(base, "lib", "python"))
+dirname = os.path.dirname
+base = dirname(dirname(os.path.realpath(sys.argv[0])))
+sys.path.insert(0, os.path.join(base, "lib", "python"))
def description_from_list(id, pkg='', skip_entries=0):
- setup_path()
- import bugs
- import debian_support
- is_temp = temp_id.match(id)
- skipped = 0
+setup_path()
+import bugs
+import debian_support
+is_temp = temp_id.match(id)
+skipped = 0
- for bug in bugs.CVEFile(debian_support.findresource(
- *"data CVE list".split())):
- if bug.name == id or (is_temp and not bug.isFromCVE()):
- if pkg != '':
- matches = False
- for n in bug.notes:
- if n.package == pkg and str(n.urgency)
!= 'unimportant':
- matches = True
- break
- if not matches:
- continue
- if skipped < skip_entries:
- skipped += 1
- continue
- return bug.description
+for bug in bugs.CVEFile(debian_support.findresource(
+*"data CVE list".split())):
+if bug.name == id or (is_temp and not bug.isFromCVE()):
+if pkg != '':
+matches = False
+for n in bug.notes:
+if n.package == pkg and str(n.urgency) != 'unimportant':
+matches = True
+break
+if not matches:
+continue
+if skipped < skip_entries:
+skipped += 1
+continue
+return bug.description
def gen_index(ids):
- ret = ''
- for cnt, id in enumerate(ids):
- if temp_id.match(id):
- continue
-ret += '\n[' + str(cnt) + ']
https://security-tracker.debian.org/tracker/' + id + '\n'
-ret += 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' +
id
+ret = ''
+for cnt, id in enumerate(ids):
+if temp_id.match(id):
+continue
+ret += '\n[' + str(cnt) + ']
https://security-tracker.debian.org/tracker/' + id + '\n'
+ret += 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id
- return ret
+return ret
def http_get(id):
- param = urllib.urlencode({'name' : id})
- resp = ''
- try:
- f =
urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param)
- resp = f.read()
- except Exception, e:
- error('on doing HTTP request' + str(e))
-
- f.close()
+param = urllib.urlencode({'name' : id})
+resp = ''
+try:
+f = urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' %
param)
+resp = f.read()
+except Exception, e:
+error('on doing HTTP request' + str(e))
- return resp
+f.close()
+return resp
+
# this is a hack that parses the cve id description from mitre
def get_cve(id):
- desc = False
- r = re.compile('.*Description<.*')
- tag = re.compile('.*.*')
-reserved = re.compile(r'\*+\s+()?RESERVED()?\s+\*+')
- ret = ''
- resp = http_get(id)
+desc = False
+r = re.compile('.*Description<.*')
+tag = re.compile('.*.*')
+reserved = re.compile(r'\*+\s+()?RESERVED()?\s+\*+')
+ret = ''
+resp = http_get(id)
- for line in resp.rsplit('\n'):
- if r.match(line):
- desc = True
- continue
+for line in resp.rsplit('\n'):
+if r.match(line):
+desc = True
+continue
- if desc and reserved.search(line):
- break
+if desc and reserved.search(line):
+break
- if tag.match(line) and desc:
- continue
+if tag.match(line) and desc:
+continue
- if desc and '' in line:
- ret += '| ' + re.sub('.*', '', line)
- continue
+if
[Secure-testing-commits] r58117 - data/CVE
Author: alteholz Date: 2017-11-29 14:48:58 + (Wed, 29 Nov 2017) New Revision: 58117 Modified: data/CVE/list Log: CVE-2017-8816 not for Wheezy Modified: data/CVE/list === --- data/CVE/list 2017-11-29 14:25:12 UTC (rev 58116) +++ data/CVE/list 2017-11-29 14:48:58 UTC (rev 58117) @@ -25642,6 +25642,7 @@ CVE-2017-8816 [NTLM buffer overflow via integer overflow] RESERVED - curl + [wheezy] - curl (Vulnerable code not present, introduced in 7.36.0) NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html NOTE: https://curl.haxx.se/CVE-2017-8816.patch CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58116 - data/CVE
Author: carnil Date: 2017-11-29 14:25:12 + (Wed, 29 Nov 2017) New Revision: 58116 Modified: data/CVE/list Log: Add fixing version for CVE-2017-14623/golang-github-go-ldap-ldap Modified: data/CVE/list === --- data/CVE/list 2017-11-29 14:21:57 UTC (rev 58115) +++ data/CVE/list 2017-11-29 14:25:12 UTC (rev 58116) @@ -8504,7 +8504,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/722 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9ff805077fd5297dc41dc989f9dba59877e12f97 CVE-2017-14623 (In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker ...) - - golang-github-go-ldap-ldap (low; bug #876404) + - golang-github-go-ldap-ldap 2.5.1-1 (low; bug #876404) [stretch] - golang-github-go-ldap-ldap (Minor issue) NOTE: https://github.com/go-ldap/ldap/pull/126 NOTE: https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58115 - data
Author: alteholz Date: 2017-11-29 14:21:57 + (Wed, 29 Nov 2017) New Revision: 58115 Modified: data/dla-needed.txt Log: claim curl Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-29 13:34:57 UTC (rev 58114) +++ data/dla-needed.txt 2017-11-29 14:21:57 UTC (rev 58115) @@ -17,7 +17,7 @@ couchdb NOTE: Only in wheezy, we are on our own. -- -curl +curl (Thorsten Alteholz) -- irssi (Rhonda D'Vine) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58114 - data/CVE
Author: lamby Date: 2017-11-29 13:34:57 + (Wed, 29 Nov 2017) New Revision: 58114 Modified: data/CVE/list Log: Triage qemu-kvm for wheezy. Modified: data/CVE/list === --- data/CVE/list 2017-11-29 13:28:50 UTC (rev 58113) +++ data/CVE/list 2017-11-29 13:34:57 UTC (rev 58114) @@ -6875,11 +6875,13 @@ RESERVED - qemu - qemu-kvm + [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html CVE-2017-15118 [stack buffer overflow in NBD server triggered via long export name] RESERVED - qemu - qemu-kvm + [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html CVE-2017-15117 REJECTED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58113 - data
Author: lamby Date: 2017-11-29 13:28:50 + (Wed, 29 Nov 2017) New Revision: 58113 Modified: data/dla-needed.txt Log: Triage thunderbird for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-29 13:26:28 UTC (rev 58112) +++ data/dla-needed.txt 2017-11-29 13:28:50 UTC (rev 58113) @@ -107,6 +107,9 @@ swftools NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) -- +thunderbird + NOTE: 20171129: Not sure if vulnerable as patches are private atm. (lamby) +-- tiff (Brian May) NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06 NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- anarcat 2017-10-24 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58112 - data
Author: lamby Date: 2017-11-29 13:26:28 + (Wed, 29 Nov 2017) New Revision: 58112 Modified: data/dla-needed.txt Log: Triage curl for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-29 10:54:26 UTC (rev 58111) +++ data/dla-needed.txt 2017-11-29 13:26:28 UTC (rev 58112) @@ -17,6 +17,8 @@ couchdb NOTE: Only in wheezy, we are on our own. -- +curl +-- irssi (Rhonda D'Vine) -- jasperreports ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58111 - in data: . DSA
Author: corsac
Date: 2017-11-29 10:54:26 + (Wed, 29 Nov 2017)
New Revision: 58111
Modified:
data/DSA/list
data/dsa-needed.txt
Log:
allocate DSA number for curl
Modified: data/DSA/list
===
--- data/DSA/list 2017-11-29 09:54:12 UTC (rev 58110)
+++ data/DSA/list 2017-11-29 10:54:26 UTC (rev 58111)
@@ -1,3 +1,7 @@
+[29 Nov 2017] DSA-4051-1 curl - security update
+ {CVE-2017-8816 CVE-2017-8817}
+ [jessie] - curl 7.38.0-4+deb8u8
+ [stretch] - curl 7.52.1-5+deb9u3
[28 Nov 2017] DSA-4050-1 xen - security update
{CVE-2017-14316 CVE-2017-14317 CVE-2017-14318 CVE-2017-14319
CVE-2017-15588 CVE-2017-15589 CVE-2017-15590 CVE-2017-15591 CVE-2017-15592
CVE-2017-15593 CVE-2017-15594 CVE-2017-15595 CVE-2017-15597 CVE-2017-17044
CVE-2017-17045 CVE-2017-17046}
[stretch] - xen 4.8.2+xsa245-0+deb9u1
Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-11-29 09:54:12 UTC (rev 58110)
+++ data/dsa-needed.txt 2017-11-29 10:54:26 UTC (rev 58111)
@@ -16,8 +16,6 @@
--
bzr (carnil)
--
-curl (corsac)
---
exim4/stable (carnil)
--
graphicsmagick
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58110 - data/CVE
Author: carnil Date: 2017-11-29 09:54:12 + (Wed, 29 Nov 2017) New Revision: 58110 Modified: data/CVE/list Log: Add CVE-2017-17054/aubio, not removed TODO yet since superficially checked only Modified: data/CVE/list === --- data/CVE/list 2017-11-29 09:54:00 UTC (rev 58109) +++ data/CVE/list 2017-11-29 09:54:12 UTC (rev 58110) @@ -7,6 +7,8 @@ CVE-2017-17055 RESERVED CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function ...) + - aubio + NOTE: https://github.com/aubio/aubio/issues/148 TODO: check CVE-2017-17051 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58109 - data/CVE
Author: carnil Date: 2017-11-29 09:54:00 + (Wed, 29 Nov 2017) New Revision: 58109 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-11-29 09:49:11 UTC (rev 58108) +++ data/CVE/list 2017-11-29 09:54:00 UTC (rev 58109) @@ -1,5 +1,5 @@ CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a Directory ...) - TODO: check + NOT-FOR-US: WooCommerce plugin for WordPress CVE-2017-17057 RESERVED CVE-2017-17056 @@ -11,15 +11,15 @@ CVE-2017-17051 RESERVED CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17049 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17048 RESERVED CVE-2017-17047 RESERVED CVE-2017-17043 (The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected ...) - TODO: check + NOT-FOR-US: Emag Marketplace Connector for WordPress CVE-2017-17053 (The init_new_context function in arch/x86/include/asm/mmu_context.h in ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 @@ -23914,7 +23914,7 @@ CVE-2017-9316 (Firmware upgrade authentication bypass vulnerability was found in ...) NOT-FOR-US: Dahua CVE-2017-9315 (Customer of Dahua IP camera or IP PTZ could submit relevant device ...) - TODO: check + NOT-FOR-US: Dahua CVE-2017-9314 (Authentication vulnerability found in Dahua NVR models NVR50XX, ...) NOT-FOR-US: Dahua NVR CVE-2017-9313 (Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58108 - data
Author: carnil Date: 2017-11-29 09:49:11 + (Wed, 29 Nov 2017) New Revision: 58108 Modified: data/dsa-needed.txt Log: Add curl to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-29 09:46:02 UTC (rev 58107) +++ data/dsa-needed.txt 2017-11-29 09:49:11 UTC (rev 58108) @@ -16,6 +16,8 @@ -- bzr (carnil) -- +curl (corsac) +-- exim4/stable (carnil) -- graphicsmagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58107 - data/CVE
Author: carnil
Date: 2017-11-29 09:46:02 + (Wed, 29 Nov 2017)
New Revision: 58107
Modified:
data/CVE/list
Log:
Add references to patches for curl issues
Modified: data/CVE/list
===
--- data/CVE/list 2017-11-29 09:42:39 UTC (rev 58106)
+++ data/CVE/list 2017-11-29 09:46:02 UTC (rev 58107)
@@ -25629,14 +25629,17 @@
[jessie] - curl (Vulnerable code not present)
[wheezy] - curl (Vulnerable code not present)
NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html
+ NOTE: https://curl.haxx.se/CVE-2017-8818.patch
CVE-2017-8817 [FTP wildcard out of bounds read]
RESERVED
- curl
NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html
+ NOTE: https://curl.haxx.se/CVE-2017-8817.patch
CVE-2017-8816 [NTLM buffer overflow via integer overflow]
RESERVED
- curl
NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html
+ NOTE: https://curl.haxx.se/CVE-2017-8816.patch
CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x
before ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58106 - data/CVE
Author: carnil
Date: 2017-11-29 09:42:39 + (Wed, 29 Nov 2017)
New Revision: 58106
Modified:
data/CVE/list
Log:
Add new curl issues
Modified: data/CVE/list
===
--- data/CVE/list 2017-11-29 09:10:23 UTC (rev 58105)
+++ data/CVE/list 2017-11-29 09:42:39 UTC (rev 58106)
@@ -25622,12 +25622,21 @@
RESERVED
CVE-2017-8819
RESERVED
-CVE-2017-8818
+CVE-2017-8818 [SSL out of buffer access]
RESERVED
-CVE-2017-8817
+ - curl
+ [stretch] - curl (Vulnerable code not present)
+ [jessie] - curl (Vulnerable code not present)
+ [wheezy] - curl (Vulnerable code not present)
+ NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html
+CVE-2017-8817 [FTP wildcard out of bounds read]
RESERVED
-CVE-2017-8816
+ - curl
+ NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html
+CVE-2017-8816 [NTLM buffer overflow via integer overflow]
RESERVED
+ - curl
+ NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html
CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x
before ...)
{DSA-4036-1}
- mediawiki 1:1.27.4-1
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58105 - data/CVE
Author: sectracker
Date: 2017-11-29 09:10:23 + (Wed, 29 Nov 2017)
New Revision: 58105
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-11-29 08:37:04 UTC (rev 58104)
+++ data/CVE/list 2017-11-29 09:10:23 UTC (rev 58105)
@@ -1,10 +1,32 @@
-CVE-2017-17053 [x86/mm: Fix use-after-free of ldt_struct]
+CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a
Directory ...)
+ TODO: check
+CVE-2017-17057
+ RESERVED
+CVE-2017-17056
+ RESERVED
+CVE-2017-17055
+ RESERVED
+CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function
...)
+ TODO: check
+CVE-2017-17051
+ RESERVED
+CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to
cause a ...)
+ TODO: check
+CVE-2017-17049 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to
cause a ...)
+ TODO: check
+CVE-2017-17048
+ RESERVED
+CVE-2017-17047
+ RESERVED
+CVE-2017-17043 (The Emag Marketplace Connector plugin 1.0.0 for WordPress has
reflected ...)
+ TODO: check
+CVE-2017-17053 (The init_new_context function in
arch/x86/include/asm/mmu_context.h in ...)
- linux 4.12.12-1
[stretch] - linux 4.9.47-1
[jessie] - linux (Vulnerable code not present)
[wheezy] - linux (Vulnerable code not present)
NOTE: Fixed by:
https://git.kernel.org/linus/ccd5b3235180eef3cfec337df1c8554ab151b5cc
-CVE-2017-17052 [fork: fix incorrect fput of ->exe_file causing use-after-free]
+CVE-2017-17052 (The mm_init function in kernel/fork.c in the Linux kernel
before ...)
- linux 4.12.12-1
[stretch] - linux 4.9.47-1
[jessie] - linux (Vulnerable code not present)
@@ -93,13 +115,16 @@
RESERVED
CVE-2017-17027
RESERVED
-CVE-2017-17045 [XSA-247: Missing p2m error checking in PoD code]
+CVE-2017-17045 (An issue was discovered in Xen through 4.9.x allowing HVM
guest OS ...)
+ {DSA-4050-1}
- xen
NOTE: https://xenbits.xen.org/xsa/advisory-247.html
-CVE-2017-17044 [XSA-246: x86: infinite loop due to missing PoD error checking]
+CVE-2017-17044 (An issue was discovered in Xen through 4.9.x allowing HVM
guest OS ...)
+ {DSA-4050-1}
- xen
NOTE: https://xenbits.xen.org/xsa/advisory-246.html
-CVE-2017-17046 [XSA-245: ARM: Some memory not scrubbed at boot]
+CVE-2017-17046 (An issue was discovered in Xen through 4.9.x on the ARM
platform ...)
+ {DSA-4050-1}
- xen
NOTE: https://xenbits.xen.org/xsa/advisory-245.html
CVE-2018-0705
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58104 - data/CVE
Author: carnil Date: 2017-11-29 08:37:04 + (Wed, 29 Nov 2017) New Revision: 58104 Modified: data/CVE/list Log: Record fix for CVE-2017-1000248 via experimental Modified: data/CVE/list === --- data/CVE/list 2017-11-29 08:09:13 UTC (rev 58103) +++ data/CVE/list 2017-11-29 08:37:04 UTC (rev 58104) @@ -1862,6 +1862,7 @@ CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...) NOT-FOR-US: Amazon Key CVE-2017-1000248 (Redis-store =v1.3.0 allows unsafe objects to be loaded from redis ...) + [experimental] - ruby-redis-store 1.3.0-2 - ruby-redis-store (bug #882034) NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58103 - data/CVE
Author: jmm Date: 2017-11-29 08:09:13 + (Wed, 29 Nov 2017) New Revision: 58103 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-29 06:46:17 UTC (rev 58102) +++ data/CVE/list 2017-11-29 08:09:13 UTC (rev 58103) @@ -15535,6 +15535,7 @@ RESERVED CVE-2017-12195 RESERVED + NOT-FOR-US: OpenShift CVE-2017-12194 RESERVED CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array.c ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
