[Secure-testing-commits] r58165 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 07:38:45 + (Fri, 01 Dec 2017)
New Revision: 58165

Modified:
   data/CVE/list
Log:
Mark spice-vdagent issue as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 07:32:14 UTC (rev 58164)
+++ data/CVE/list   2017-12-01 07:38:45 UTC (rev 58165)
@@ -7011,6 +7011,8 @@
 CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in 
vdagent_file_xfers_data()]
RESERVED
- spice-vdagent  (bug #883238)
+   [stretch] - spice-vdagent  (Minor issue)
+   [jessie] - spice-vdagent  (Minor issue)
NOTE: Fixed by: 
https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864
 CVE-2017-15107


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r58164 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 07:32:14 + (Fri, 01 Dec 2017)
New Revision: 58164

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-15108

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 06:19:38 UTC (rev 58163)
+++ data/CVE/list   2017-12-01 07:32:14 UTC (rev 58164)
@@ -7010,7 +7010,7 @@
RESERVED
 CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in 
vdagent_file_xfers_data()]
RESERVED
-   - spice-vdagent 
+   - spice-vdagent  (bug #883238)
NOTE: Fixed by: 
https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864
 CVE-2017-15107




[Secure-testing-commits] r58163 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 06:19:38 + (Fri, 01 Dec 2017)
New Revision: 58163

Modified:
   data/CVE/list
Log:
Mark CVE-2017-7545 as NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 22:24:18 UTC (rev 58162)
+++ data/CVE/list   2017-12-01 06:19:38 UTC (rev 58163)
@@ -29734,6 +29734,7 @@
NOTE: https://www.postgresql.org/about/news/1772/
 CVE-2017-7545
RESERVED
+   NOT-FOR-US: jbpm-designer / jBPM
 CVE-2017-7544 (libexif through 0.6.21 is vulnerable to out-of-bounds heap read 
...)
- libexif 0.6.21-2.1 (bug #876466)
[stretch] - libexif  (Minor issue)




[Secure-testing-commits] r58162 - data

2017-11-30 Thread Markus Koschany
Author: apo
Date: 2017-11-30 22:24:18 + (Thu, 30 Nov 2017)
New Revision: 58162

Modified:
   data/dla-needed.txt
Log:
Claim libextractor in dla-needed.txt


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 21:22:40 UTC (rev 58161)
+++ data/dla-needed.txt 2017-11-30 22:24:18 UTC (rev 58162)
@@ -31,7 +31,7 @@
 libav (Hugo Lefeuvre)
   NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches.
 --
-libextractor
+libextractor (Markus Koschany)
   NOTE: not all patches available, so didn't bother maintainer yet
 --
 libnet-ping-external-perl




[Secure-testing-commits] r58161 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 21:22:40 + (Thu, 30 Nov 2017)
New Revision: 58161

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2017-15116/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 21:19:00 UTC (rev 58160)
+++ data/CVE/list   2017-11-30 21:22:40 UTC (rev 58161)
@@ -6985,7 +6985,7 @@
 CVE-2017-15117
REJECTED
 CVE-2017-15116 (The rngapi_reset function in crypto/rng.c in the Linux kernel 
before ...)
-   TODO: check
+   - linux 4.2.1-1
 CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux 
kernel ...)
- linux 4.13.13-1
NOTE: 
https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 
(v4.14-rc6)
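Review bot: the replaced `TODO: check` gives CVE-2017-15116 a fixed version (`- linux 4.2.1-1`) but no `NOTE: Fixed by:` reference, unlike the CVE-2017-15115 entry directly below, which records the upstream commit URL and the tag it landed in; since 4.2.1-1 is far older than the kernels the neighbouring entries point at, recording the rngapi_reset fix commit the same way would let anyone re-verify that this is really the first Debian upload carrying it.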




[Secure-testing-commits] r58160 - data/DLA

2017-11-30 Thread Markus Koschany
Author: apo
Date: 2017-11-30 21:19:00 + (Thu, 30 Nov 2017)
New Revision: 58160

Modified:
   data/DLA/list
Log:
sox: CVE-2017-15372 and CVE-2017-15642 will also be fixed in DLA-1197-1


Modified: data/DLA/list
===
--- data/DLA/list   2017-11-30 21:12:22 UTC (rev 58159)
+++ data/DLA/list   2017-11-30 21:19:00 UTC (rev 58160)
@@ -1,5 +1,5 @@
 [30 Nov 2017] DLA-1197-1 sox - security update
-   {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 
CVE-2017-15371}
+   {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 
CVE-2017-15371 CVE-2017-15372 CVE-2017-15642}
[wheezy] - sox 14.4.0-3+deb7u2
 [30 Nov 2017] DLA-1196-1 optipng - security update
{CVE-2017-16938}
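Review bot: extending the DLA-1197-1 line to CVE-2017-15372 and CVE-2017-15642 is only half of the cross-reference; the automatic update in r58158 stamped `{DLA-1197-1}` onto the CVE-2017-15370 and CVE-2017-15371 entries in data/CVE/list, while the CVE-2017-15372 and CVE-2017-15642 entries (visible in r58155) still carry no DLA marker, so check that the next automatic update or a manual edit brings them in line.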




[Secure-testing-commits] r58159 - data

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 21:12:22 + (Thu, 30 Nov 2017)
New Revision: 58159

Modified:
   data/next-oldstable-point-update.txt
   data/next-point-update.txt
Log:
Two more CVEs to be included in {jessie,stretch}-pu update for busybox

Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-11-30 21:10:21 UTC (rev 
58158)
+++ data/next-oldstable-point-update.txt2017-11-30 21:12:22 UTC (rev 
58159)
@@ -94,6 +94,10 @@
[jessie] - busybox 1:1.22.0-9+deb8u2
 CVE-2011-5325
[jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2017-15873
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2017-16544
+   [jessie] - busybox 1:1.22.0-9+deb8u2
 CVE-2017-10989
[jessie] - sqlite3 3.8.7.1-1+deb8u3
 CVE-2017-15274

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2017-11-30 21:10:21 UTC (rev 58158)
+++ data/next-point-update.txt  2017-11-30 21:12:22 UTC (rev 58159)
@@ -31,6 +31,10 @@
[stretch] - busybox 1:1.22.0-19+deb9u1
 CVE-2011-5325
[stretch] - busybox 1:1.22.0-19+deb9u1
+CVE-2017-15873
+   [stretch] - busybox 1:1.22.0-19+deb9u1
+CVE-2017-16544
+   [stretch] - busybox 1:1.22.0-19+deb9u1
 CVE-2017-2810
[stretch] - python-tablib 0.9.11-2+deb9u1
 CVE-2017-14952




[Secure-testing-commits] r58158 - data/CVE

2017-11-30 Thread security tracker role
Author: sectracker
Date: 2017-11-30 21:10:21 + (Thu, 30 Nov 2017)
New Revision: 58158

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 21:08:48 UTC (rev 58157)
+++ data/CVE/list   2017-11-30 21:10:21 UTC (rev 58158)
@@ -1,3 +1,47 @@
+CVE-2018-0740
+   RESERVED
+CVE-2018-0739
+   RESERVED
+CVE-2018-0738
+   RESERVED
+CVE-2018-0737
+   RESERVED
+CVE-2018-0736
+   RESERVED
+CVE-2018-0735
+   RESERVED
+CVE-2018-0734
+   RESERVED
+CVE-2018-0733
+   RESERVED
+CVE-2018-0732
+   RESERVED
+CVE-2018-0731
+   RESERVED
+CVE-2017-17079
+   RESERVED
+CVE-2017-17078
+   RESERVED
+CVE-2017-17077
+   RESERVED
+CVE-2017-17076
+   RESERVED
+CVE-2017-17075
+   RESERVED
+CVE-2017-17074
+   RESERVED
+CVE-2017-17073
+   RESERVED
+CVE-2017-17072
+   RESERVED
+CVE-2017-17071
+   RESERVED
+CVE-2017-17070
+   RESERVED
+CVE-2017-17069
+   RESERVED
+CVE-2017-17068
+   RESERVED
 CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x 
before ...)
TODO: check
 CVE-2017-17066
@@ -2,4 +46,4 @@
RESERVED
-CVE-2017-17065
-   RESERVED
+CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before ...)
+   TODO: check
 CVE-2017-17064
@@ -1603,6 +1647,7 @@
- linux 4.13.13-1
NOTE: Fixed by: 
https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2
 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote 
attackers to ...)
+   {DLA-1196-1}
- optipng  (bug #878839)
NOTE: https://sourceforge.net/p/optipng/bugs/69/
 CVE-2017-16937
@@ -1624,12 +1669,14 @@
NOTE: 
https://github.com/Cacti/cacti/commit/69983495cd41bf0903fe02baeef84b1fa85f2846
NOTE: Fix for the incomplete fix for CVE-2016-2313
 CVE-2017-16932 (parser.c in libxml2 before 2.9.5 does not prevent infinite 
recursion in ...)
+   {DLA-1194-1}
- libxml2  (bug #882613)
[stretch] - libxml2  (Minor issue)
[jessie] - libxml2  (Minor issue)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759579
NOTE: 
https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
 CVE-2017-16931 (parser.c in libxml2 before 2.9.5 mishandles parameter-entity 
references ...)
+   {DLA-1194-1}
- libxml2 2.9.4+dfsg1-3.1
[stretch] - libxml2 2.9.4+dfsg1-2.2+deb9u1
[jessie] - libxml2 2.9.1+dfsg1-5+deb8u5
@@ -6232,11 +6279,13 @@
[jessie] - sox  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500553
 CVE-2017-15371 (There is a reachable assertion abort in the function ...)
+   {DLA-1197-1}
- sox 14.4.2-2 (bug #878809)
[stretch] - sox  (Minor issue)
[jessie] - sox  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500570
 CVE-2017-15370 (There is a heap-based buffer overflow in the ImaExpandS 
function of ...)
+   {DLA-1197-1}
- sox 14.4.2-2 (bug #878810)
[stretch] - sox  (Minor issue)
[jessie] - sox  (Minor issue)
@@ -6935,8 +6984,8 @@
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html
 CVE-2017-15117
REJECTED
-CVE-2017-15116
-   RESERVED
+CVE-2017-15116 (The rngapi_reset function in crypto/rng.c in the Linux kernel 
before ...)
+   TODO: check
 CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux 
kernel ...)
- linux 4.13.13-1
NOTE: 
https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 
(v4.14-rc6)
@@ -7596,8 +7645,8 @@
NOT-FOR-US: Wordpress plugin
 CVE-2015-9233 (The cp-contact-form-with-paypal (aka CP Contact Form with 
PayPal) ...)
NOT-FOR-US: Wordpress plugin
-CVE-2017-14949
-   RESERVED
+CVE-2017-14949 (Restlet Framework before 2.3.12 allows remote attackers to 
access ...)
+   TODO: check
 CVE-2017-14948
RESERVED
 CVE-2017-14947 (Artifex GSView 6.0 Beta on Windows allows attackers to execute 
...)
@@ -7824,8 +7873,7 @@
RESERVED
 CVE-2017-14869
RESERVED
-CVE-2017-14868
-   RESERVED
+CVE-2017-14868 (Restlet Framework before 2.3.11, when using SimpleXMLProvider, 
allows ...)
- restlet  (bug #596472)
 CVE-2017-14866 (There is a heap-based buffer overflow in the Exiv2::s2Data 
function of ...)
[experimental] - exiv2  (bug #880015)
@@ -14524,8 +14572,7 @@
NOT-FOR-US: Apache Camel
 CVE-2017-12632
RESERVED
-CVE-2017-12631
-   RESERVED
+CVE-2017-12631 (Apache CXF Fediz ships with a number of container-specific 
plugins to ...)
NOT-FOR-US: Apache CXF
 CVE-2017-12630
RESERVED
@@ -15263,96 +15310,96 @@
RESERVED
 CVE-2017-12373
RESERVED
-CVE-2017-12372
-   RESERVED
-CVE-2017-12371
-   RESERVED
-CVE-2017-12370
-   RESERVED
-CVE-2017-12369
-

[Secure-testing-commits] r58157 - data

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 21:08:48 + (Thu, 30 Nov 2017)
New Revision: 58157

Modified:
   data/next-oldstable-point-update.txt
Log:
Record proposed update for CVE-2017-16899 via jessie-pu

Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-11-30 21:08:08 UTC (rev 
58156)
+++ data/next-oldstable-point-update.txt2017-11-30 21:08:48 UTC (rev 
58157)
@@ -132,3 +132,5 @@
[jessie] - pdns 3.4.1-4+deb8u8
 CVE-2017-15093
[jessie] - pdns-recursor 3.6.2-2+deb8u4
+CVE-2017-16899
+   [jessie] - transfig 1:3.2.5.e-4+deb8u1




[Secure-testing-commits] r58156 - data

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 21:08:08 + (Thu, 30 Nov 2017)
New Revision: 58156

Modified:
   data/next-point-update.txt
Log:
Record proposed update for CVE-2017-16899

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2017-11-30 21:00:27 UTC (rev 58155)
+++ data/next-point-update.txt  2017-11-30 21:08:08 UTC (rev 58156)
@@ -57,3 +57,5 @@
[stretch] - pdns-recursor 4.0.4-1+deb9u2
 CVE-2017-14623
[stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1
+CVE-2017-16899
+   [stretch] - fig2dev 1:3.2.6a-2+deb9u1
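Review bot: this records CVE-2017-16899 against source package `fig2dev` for stretch, while the jessie counterpart in r58157 records it against `transfig`; both point updates fix the same CVE, so confirm that the data/CVE/list entry carries a line for each of the two source package names, otherwise one of the two proposed updates will not be matched to the CVE.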




[Secure-testing-commits] r58155 - data/CVE

2017-11-30 Thread Markus Koschany
Author: apo
Date: 2017-11-30 21:00:27 + (Thu, 30 Nov 2017)
New Revision: 58155

Modified:
   data/CVE/list
Log:
Fix wrong "is fixed" version for sox CVE-2017-15372 and CVE-2017-15642


Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 20:51:27 UTC (rev 58154)
+++ data/CVE/list   2017-11-30 21:00:27 UTC (rev 58155)
@@ -5562,7 +5562,7 @@
[jessie] - musl  (Minor issue)
NOTE: 
https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395
 CVE-2017-15642 (In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, 
there is ...)
-   - sox 4.4.2-2 (bug #882144)
+   - sox 14.4.2-2 (bug #882144)
[stretch] - sox  (Minor issue)
[jessie] - sox  (Minor issue)
NOTE: https://sourceforge.net/p/sox/bugs/298/
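Review bot: good catch on the version string; a fixed version of `4.4.2-2` sorts below every sox version in the archive (wheezy in DLA-1197-1 is 14.4.0-3+deb7u2, sid is 14.4.2-2), so with the typo in place the tracker would have treated all suites as already fixed and silently voided the `[stretch]`/`[jessie]` no-dsa lines that follow. A quick scan of data/CVE/list for fixed versions that sort below the oldest version shipped in wheezy would catch any other instance of the same slip.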
@@ -6227,7 +6227,7 @@
 CVE-2017-15373 (E-Sic 1.0 allows SQL injection via the q parameter to ...)
NOT-FOR-US: E-Sic
 CVE-2017-15372 (There is a stack-based buffer overflow in the ...)
-   - sox 4.4.2-2 (bug #878808)
+   - sox 14.4.2-2 (bug #878808)
[stretch] - sox  (Minor issue)
[jessie] - sox  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500553




[Secure-testing-commits] r58154 - in data: . DLA

2017-11-30 Thread Markus Koschany
Author: apo
Date: 2017-11-30 20:51:27 + (Thu, 30 Nov 2017)
New Revision: 58154

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1197-1 for sox

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-30 19:54:09 UTC (rev 58153)
+++ data/DLA/list   2017-11-30 20:51:27 UTC (rev 58154)
@@ -1,3 +1,6 @@
+[30 Nov 2017] DLA-1197-1 sox - security update
+   {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 
CVE-2017-15371}
+   [wheezy] - sox 14.4.0-3+deb7u2
 [30 Nov 2017] DLA-1196-1 optipng - security update
{CVE-2017-16938}
[wheezy] - optipng 0.6.4-1+deb7u4

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 19:54:09 UTC (rev 58153)
+++ data/dla-needed.txt 2017-11-30 20:51:27 UTC (rev 58154)
@@ -82,15 +82,6 @@
   NOTE: 2017-09-04: Maintainer will handle this.
   NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html
 --
-sox (Markus Koschany)
-  NOTE: No patches. Contacted upstream. Waiting for feedback
-  NOTE: > 12% of sponsors use sox hence I have decided to add it here.
-  NOTE: https://sourceforge.net/p/sox/bugs/296/
-  NOTE: 2017-09-01: pinged upstream (Markus)
-  NOTE: please check https://bugs.debian.org/882236 too (but please note that
-  NOTE: the CVE is specifically assigned for libvorbis, so do not reuse the 
-  NOTE: CVE when applying the fix)
---
 suricata
   NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. 
--lamby
 --
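Review bot: dropping the sox block from dla-needed.txt also drops the reminder that bug #882236 is a libvorbis issue whose CVE must not be reused for the sox fix; that pointer has no counterpart in the reserved DLA-1197-1 entry above (which lists CVE-2017-11332, CVE-2017-11358, CVE-2017-11359, CVE-2017-15370 and CVE-2017-15371), so either carry it into the sox entries in data/CVE/list or note on the DLA line that #882236 is intentionally out of scope.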




[Secure-testing-commits] r58153 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 19:54:09 + (Thu, 30 Nov 2017)
New Revision: 58153

Modified:
   data/CVE/list
Log:
Add fixing version for three linux CVEs and upload to sid

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 19:22:29 UTC (rev 58152)
+++ data/CVE/list   2017-11-30 19:54:09 UTC (rev 58153)
@@ -1471,7 +1471,7 @@
 CVE-2018-0086
RESERVED
 CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux 
kernel ...)
-   - linux 
+   - linux 4.14.2-1
NOTE: Fixed by: 
https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1)
 CVE-2017-16993
RESERVED
@@ -1750,7 +1750,7 @@
NOT-FOR-US: OpenDayLight
 CVE-2017-1000405 ["Dirty COW" variant on transparent huge pages]
RESERVED
-   - linux 
+   - linux 4.14.2-1
NOTE: Fixed by: 
https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0
NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1
NOTE: https://github.com/bindecy/HugeDirtyCowPOC
@@ -2788,7 +2788,7 @@
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in 
drivers/input/misc/ims-pcu.c ...)
-   - linux 
+   - linux 4.14.2-1
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16644 (The hdpvr_probe function in 
drivers/media/usb/hdpvr/hdpvr-core.c in the ...)
- linux 




[Secure-testing-commits] r58152 - data/CVE

2017-11-30 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-11-30 19:22:29 + (Thu, 30 Nov 2017)
New Revision: 58152

Modified:
   data/CVE/list
Log:
CVE-2017-16611/libxfont: add commit for 1.5 branch

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 18:33:24 UTC (rev 58151)
+++ data/CVE/list   2017-11-30 19:22:29 UTC (rev 58152)
@@ -2904,6 +2904,7 @@
- libxfont1  (unimportant)
NOTE: http://www.openwall.com/lists/oss-security/2017/11/28/7
NOTE: 
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8
+   NOTE: (for 1.5.x): 
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?h=libXfont-1.5-branch=5ed8ac0e4f063825b8ecda48e9a111d3ce92e825
NOTE: 
https://marc.info/?l=freedesktop-xorg-announce=151188049718337=2
NOTE: 
https://marc.info/?l=freedesktop-xorg-announce=151188044218304=2
 CVE-2017-16610




[Secure-testing-commits] r58151 - in data: . DLA

2017-11-30 Thread Antoine Beaupré
Author: anarcat
Date: 2017-11-30 18:33:24 + (Thu, 30 Nov 2017)
New Revision: 58151

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1196-1 for optipng

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-30 18:08:03 UTC (rev 58150)
+++ data/DLA/list   2017-11-30 18:33:24 UTC (rev 58151)
@@ -1,3 +1,6 @@
+[30 Nov 2017] DLA-1196-1 optipng - security update
+   {CVE-2017-16938}
+   [wheezy] - optipng 0.6.4-1+deb7u4
 [30 Nov 2017] DLA-1195-1 curl - security update
{CVE-2017-8817}
[wheezy] - curl 7.26.0-1+wheezy23

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 18:08:03 UTC (rev 58150)
+++ data/dla-needed.txt 2017-11-30 18:33:24 UTC (rev 58151)
@@ -71,9 +71,6 @@
   NOTE: github). Pinged sourceforge project owner with sourceforge's
   NOTE: integrated messaging feature. -- Raphaël Hertzog
 --
-optipng (anarcat)
-  NOTE: 20171127: Can confirm vulnerable in wheezy. (lamby)
---
 otrs2 (Emilio Pozuelo)
 --
 rsync (Thorsten Alteholz)



[Secure-testing-commits] r58150 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 18:08:03 + (Thu, 30 Nov 2017)
New Revision: 58150

Modified:
   data/CVE/list
Log:
Add CVE-2017-1570{1,2}/qpid-java, #840131

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 18:06:04 UTC (rev 58149)
+++ data/CVE/list   2017-11-30 18:08:03 UTC (rev 58150)
@@ -5410,8 +5410,10 @@
RESERVED
 CVE-2017-15702
RESERVED
+   - qpid-java  (bug #840131)
 CVE-2017-15701
RESERVED
+   - qpid-java  (bug #840131)
 CVE-2017-15700
RESERVED
 CVE-2017-15699




[Secure-testing-commits] r58149 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 18:06:04 + (Thu, 30 Nov 2017)
New Revision: 58149

Modified:
   data/CVE/list
Log:
Update older Qpid Java Broker NFUs to now track itp'ed bug #840131

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 17:55:14 UTC (rev 58148)
+++ data/CVE/list   2017-11-30 18:06:04 UTC (rev 58149)
@@ -53407,7 +53407,7 @@
 CVE-2016-8742
RESERVED
 CVE-2016-8741 (The Apache Qpid Broker for Java can be configured to use 
different so ...)
-   NOT-FOR-US: Apache Qpid Java Broker
+   - qpid-java  (bug #840131)
 CVE-2016-8740 (The mod_http2 module in the Apache HTTP Server 2.4.17 through 
2.4.23, ...)
- apache2 2.4.25-1 (bug #847124)
[jessie] - apache2  (Vulnerable code not present)
@@ -66513,7 +66513,7 @@
 CVE-2016-4975
RESERVED
 CVE-2016-4974 (Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) 
before ...)
-   NOT-FOR-US: Apache Qpid Java Broker
+   - qpid-java  (bug #840131)
 CVE-2016-4973 (Binaries compiled against targets that use the libssp library 
in GCC ...)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1324759
- gcc-6  (Uses glibc-internal SSP)
@@ -68258,7 +68258,7 @@
- libstruts1.2-java  (Only affects 2.3.20 to 2.3.28.1)
NOTE: https://struts.apache.org/docs/s2-039.html
 CVE-2016-4432 (The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache 
Qpid ...)
-   NOT-FOR-US: Apache Qpid Java Broker
+   - qpid-java  (bug #840131)
 CVE-2016-4431 (Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers 
to ...)
- libstruts1.2-java  (Only affects 2.3.20 to 2.3.28.1)
NOTE: https://struts.apache.org/docs/s2-040.html
@@ -71836,7 +71836,7 @@
 CVE-2016-3095 (server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows 
local ...)
NOT-FOR-US: Pulp (Red Hat)
 CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the 
broker ...)
-   NOT-FOR-US: Apache Qpid Java Broker
+   - qpid-java  (bug #840131)
 CVE-2016-3093 (Apache Struts 2.0.0 through 2.3.24.1 does not properly cache 
method ...)
- libstruts1.2-java  (Only affects Struts 2.x)
NOTE: https://struts.apache.org/docs/s2-034.html
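Review bot: the CVE-2016-3094 entry now tracks the ITP'd `qpid-java` via bug #840131, yet the description states the flaw is in Apache Qpid Java `before 6.0.3`; when the package is uploaded, record the uploaded version as the fixed version rather than leaving the entry open, and consider a NOTE with the upstream fixed release so that step is mechanical. The same applies to the three hunks above (CVE-2016-4974 reads `before 6.0.4`).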




[Secure-testing-commits] r58148 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 17:55:14 + (Thu, 30 Nov 2017)
New Revision: 58148

Modified:
   data/CVE/list
Log:
Split up note over multiple lines

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 17:10:55 UTC (rev 58147)
+++ data/CVE/list   2017-11-30 17:55:14 UTC (rev 58148)
@@ -13858,11 +13858,14 @@
 CVE-2017-12873 (SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to 
obtain ...)
- simplesamlphp 1.14.15-1
NOTE: https://simplesamlphp.org/security/201612-04
-   NOTE: Patches: 
https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa
 
https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231
 
https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f
+   NOTE: Patches: 
https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa
+   NOTE: 
https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231
+   NOTE: 
https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f
 CVE-2017-12872 (The (1) Htpasswd authentication source in the authcrypt module 
and (2) ...)
- simplesamlphp 1.14.15-1
NOTE: https://simplesamlphp.org/security/201703-01
-   NOTE: Patch: 
https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439
 
https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1
+   NOTE: Patches: 
https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439
+   NOTE: 
https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1
 CVE-2017-12871 (The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in 
...)
- simplesamlphp 1.14.15-1
[jessie] - simplesamlphp  (Vulnerable code not present)




[Secure-testing-commits] r58147 - data/CVE

2017-11-30 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-11-30 17:10:55 + (Thu, 30 Nov 2017)
New Revision: 58147

Modified:
   data/CVE/list
Log:
Add patches for simplesamlphp issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 15:53:22 UTC (rev 58146)
+++ data/CVE/list   2017-11-30 17:10:55 UTC (rev 58147)
@@ -13854,12 +13854,15 @@
NOTE: Issue lies in simplesamlphp/simplesamlphp-module-infocard and 
fixed
NOTE: in 1.0.1. The module is embedded in src:simplesamlphp
NOTE: https://simplesamlphp.org/security/201612-03
+   NOTE: Patch: 
https://github.com/simplesamlphp/simplesamlphp-module-infocard/commit/7353762acacd827a61378629f87de991451089da
 CVE-2017-12873 (SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to 
obtain ...)
- simplesamlphp 1.14.15-1
NOTE: https://simplesamlphp.org/security/201612-04
+   NOTE: Patches: 
https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa
 
https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231
 
https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f
 CVE-2017-12872 (The (1) Htpasswd authentication source in the authcrypt module 
and (2) ...)
- simplesamlphp 1.14.15-1
NOTE: https://simplesamlphp.org/security/201703-01
+   NOTE: Patch: 
https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439
 
https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1
 CVE-2017-12871 (The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in 
...)
- simplesamlphp 1.14.15-1
[jessie] - simplesamlphp  (Vulnerable code not present)
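Review bot: the `NOTE: Patches:` lines added for CVE-2017-12873 and CVE-2017-12872 pack two or three commit URLs onto one continued line, whereas the surrounding entries keep one URL per `NOTE:`; splitting them the same way (as r58148 in this digest does) keeps the file greppable for a given commit hash.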
@@ -13867,16 +13870,20 @@
NOTE: https://simplesamlphp.org/security/201703-02
 CVE-2017-12870 (SimpleSAMLphp 1.14.12 and earlier make it easier for 
man-in-the-middle ...)
- simplesamlphp 1.14.15-1
+   [wheezy] - simplesamlphp  (Minor issue mitigated by HTTPS 
usage, hard to backport)
NOTE: https://simplesamlphp.org/security/201704-01
 CVE-2017-12869 (The multiauth module in SimpleSAMLphp 1.14.13 and earlier 
allows ...)
- simplesamlphp 1.14.15-1
NOTE: https://simplesamlphp.org/security/201704-02
+   NOTE: Patch: 
https://github.com/simplesamlphp/simplesamlphp/commit/f1e485284dd428ab3cd9500c62e19c7c7234be9a
 CVE-2017-12868 (The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in 
...)
- simplesamlphp 1.14.15-1
NOTE: https://simplesamlphp.org/security/201705-01
+   NOTE: Patch: 
https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1
 CVE-2017-12867 (The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 
1.14.14 ...)
- simplesamlphp 1.14.15-1
NOTE: https://simplesamlphp.org/security/201708-01
+   NOTE: Patch: 
https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68
 CVE-2017-12855 (Xen maintains the _GTF_{read,writ}ing bits as appropriate, to 
inform ...)
{DSA-3969-1 DLA-1132-1}
- xen 4.8.1-1+deb9u3
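Review bot: commit caf764cc2c9b68ac29741070ebdf133a595443f1 is cited here as the patch for CVE-2017-12868 (secureCompare in lib/SimpleSAML/Utils/Crypto.php) and, in the previous hunk, as the second patch for CVE-2017-12872 (the Htpasswd authentication source); if one upstream commit genuinely covers both, say so in the NOTE, otherwise one of the two references is wrong and a backporter working from these notes would miss a patch.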




[Secure-testing-commits] r58146 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 15:53:22 + (Thu, 30 Nov 2017)
New Revision: 58146

Modified:
   data/CVE/list
Log:
curl issues fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 14:39:30 UTC (rev 58145)
+++ data/CVE/list   2017-11-30 15:53:22 UTC (rev 58146)
@@ -25682,7 +25682,7 @@
 CVE-2017-8819
RESERVED
 CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow 
attackers to ...)
-   - curl 
+   - curl 7.57.0-1
[stretch] - curl  (Vulnerable code not present)
[jessie] - curl  (Vulnerable code not present)
[wheezy] - curl  (Vulnerable code not present)
@@ -25690,12 +25690,12 @@
NOTE: https://curl.haxx.se/CVE-2017-8818.patch
 CVE-2017-8817 (The FTP wildcard function in curl and libcurl before 7.57.0 
allows ...)
{DSA-4051-1}
-   - curl 
+   - curl 7.57.0-1
NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html
NOTE: https://curl.haxx.se/CVE-2017-8817.patch
 CVE-2017-8816 (The NTLM authentication feature in curl and libcurl before 
7.57.0 on ...)
{DSA-4051-1}
-   - curl 
+   - curl 7.57.0-1
[wheezy] - curl  (Vulnerable code not present, introduced 
in 7.36.0)
NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html
NOTE: https://curl.haxx.se/CVE-2017-8816.patch
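Review bot: CVE-2017-8817 now has `{DSA-4051-1}` and a fixed sid version, and DLA-1195-1 reserved in r58144 covers it for wheezy, but the `{DLA-1195-1}` marker is not yet on the entry; confirm the automatic update adds it, since the wheezy line otherwise reads as still open.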




[Secure-testing-commits] r58145 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 14:39:30 + (Thu, 30 Nov 2017)
New Revision: 58145

Modified:
   data/CVE/list
Log:
CVE-2017-1000248 fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 14:05:52 UTC (rev 58144)
+++ data/CVE/list   2017-11-30 14:39:30 UTC (rev 58145)
@@ -1936,8 +1936,7 @@
 CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
NOT-FOR-US: Amazon Key
 CVE-2017-1000248 (Redis-store =v1.3.0 allows unsafe objects to be loaded 
from redis ...)
-   [experimental] - ruby-redis-store 1.3.0-2
-   - ruby-redis-store  (bug #882034)
+   - ruby-redis-store 1.1.6-2 (bug #882034)
NOTE: 
https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e
 CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 
is ...)
NOT-FOR-US: CodeIgniter
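Review bot: the new fixed version `ruby-redis-store 1.1.6-2` is below the upstream range the description marks as affected (`Redis-store =v1.3.0`, i.e. up to and including 1.3.0), so the fix must be a backported Debian patch rather than a newer upstream release; add a NOTE pointing at the Debian patch or changelog entry so that is visible without unpacking the package. Dropping the `[experimental] - ruby-redis-store 1.3.0-2` line is fine, as 1.3.0-2 sorts above 1.1.6-2 and is covered by the unstable entry.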




[Secure-testing-commits] r58144 - in data: . DLA

2017-11-30 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-11-30 14:05:52 + (Thu, 30 Nov 2017)
New Revision: 58144

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1195-1 for curl

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-30 14:04:10 UTC (rev 58143)
+++ data/DLA/list   2017-11-30 14:05:52 UTC (rev 58144)
@@ -1,3 +1,6 @@
+[30 Nov 2017] DLA-1195-1 curl - security update
+   {CVE-2017-8817}
+   [wheezy] - curl 7.26.0-1+wheezy23
 [30 Nov 2017] DLA-1194-1 libxml2 - security update
{CVE-2017-16931 CVE-2017-16932}
[wheezy] - libxml2 2.8.0+dfsg1-7+wheezy11

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 14:04:10 UTC (rev 58143)
+++ data/dla-needed.txt 2017-11-30 14:05:52 UTC (rev 58144)
@@ -17,8 +17,6 @@
 couchdb
   NOTE: Only in wheezy, we are on our own.
 --
-curl (Thorsten Alteholz)
---
 irssi (Rhonda D'Vine)
 --
 jasperreports




[Secure-testing-commits] r58143 - in data: . DLA

2017-11-30 Thread Thorsten Alteholz
Author: alteholz
Date: 2017-11-30 14:04:10 + (Thu, 30 Nov 2017)
New Revision: 58143

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1194-1 for libxml2

Modified: data/DLA/list
===
--- data/DLA/list   2017-11-30 13:35:58 UTC (rev 58142)
+++ data/DLA/list   2017-11-30 14:04:10 UTC (rev 58143)
@@ -1,3 +1,6 @@
+[30 Nov 2017] DLA-1194-1 libxml2 - security update
+   {CVE-2017-16931 CVE-2017-16932}
+   [wheezy] - libxml2 2.8.0+dfsg1-7+wheezy11
 [27 Nov 2017] DLA-1193-1 roundcube - security update
{CVE-2017-16651}
[wheezy] - roundcube 0.7.2-9+deb7u9

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 13:35:58 UTC (rev 58142)
+++ data/dla-needed.txt 2017-11-30 14:04:10 UTC (rev 58143)
@@ -56,8 +56,6 @@
 --
 libxfont (Emilio Pozuelo)
 --
-libxml2 (Thorsten Alteholz)
---
 linux
 --
 ming (Hugo Lefeuvre)


[Secure-testing-commits] r58142 - data

2017-11-30 Thread Raphaël Hertzog
Author: hertzog
Date: 2017-11-30 13:35:58 + (Thu, 30 Nov 2017)
New Revision: 58142

Modified:
   data/dla-needed.txt
Log:
Take simplesamlphp in dla-needed.txt

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 12:54:23 UTC (rev 58141)
+++ data/dla-needed.txt 2017-11-30 13:35:58 UTC (rev 58142)
@@ -85,7 +85,7 @@
 rtpproxy
   NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog
 --
-simplesamlphp
+simplesamlphp (Raphaël Hertzog)
   NOTE: 2017-09-04: Maintainer will handle this.
   NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html
 --
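Review bot: the `+` line assigns simplesamlphp to Raphaël Hertzog, but the two NOTE lines kept below it still say the maintainer will handle this (dated 2017-09-04), so the entry now carries two conflicting statements about who is working on it; add a dated NOTE explaining the change of plan, or drop the stale one, so the next person reading dla-needed.txt does not keep waiting for the maintainer.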


[Secure-testing-commits] r58141 - data

2017-11-30 Thread Guido Guenther
Author: agx
Date: 2017-11-30 12:54:23 + (Thu, 30 Nov 2017)
New Revision: 58141

Modified:
   data/dla-needed.txt
Log:
lts: Grab swftools

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 12:04:26 UTC (rev 58140)
+++ data/dla-needed.txt 2017-11-30 12:54:23 UTC (rev 58141)
@@ -101,7 +101,7 @@
 suricata
   NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. 
--lamby
 --
-swftools
+swftools (Guido Günther)
   NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
 --
 thunderbird (Guido Günther)


[Secure-testing-commits] r58140 - data/CVE

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 12:04:26 + (Thu, 30 Nov 2017)
New Revision: 58140

Modified:
   data/CVE/list
Log:
Mark CVE-2017-12631 as NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 11:41:49 UTC (rev 58139)
+++ data/CVE/list   2017-11-30 12:04:26 UTC (rev 58140)
@@ -14514,6 +14514,7 @@
RESERVED
 CVE-2017-12631
RESERVED
+   NOT-FOR-US: Apache CXF
 CVE-2017-12630
RESERVED
 CVE-2017-12629 (Remote code execution occurs in Apache Solr before 7.1 with 
Apache ...)
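Review bot: the NOT-FOR-US line gives only a product name, and since the entry is still RESERVED there is no public description to check the attribution against; a `NOTE:` with the source that tied CVE-2017-12631 to Apache CXF (advisory or bug report URL) would let a later reader verify the triage once MITRE publishes the entry, the way the openexr entry for CVE-2017-12596 in r58136 keeps its issue URL.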


[Secure-testing-commits] r58139 - / stamps

2017-11-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-11-30 11:41:49 + (Thu, 30 Nov 2017)
New Revision: 58139

Added:
   stamps/.keep
Removed:
   stamps/.gitignore
Modified:
   .gitignore
Log:
Move stamps to global .gitignore and add .keep file

We just want to keep at least the directory stamps around in both cases
where someone works with git (git-svn) or svn. Thus don't distribute
configuration in various .gitignore files and use the method already used by
various other projects, a .keep file, instead.

Move back Guido's addition of stamps to .gitignore

Thanks: Guido Günther

Modified: .gitignore
===
--- .gitignore  2017-11-30 10:36:38 UTC (rev 58138)
+++ .gitignore  2017-11-30 11:41:49 UTC (rev 58139)
@@ -4,6 +4,7 @@
 .gitignore
 data/nvd/
 data/security.db*
+stamps/
 *_Packages
 *_Sources
 *.pyc
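Review bot: `stamps/` excludes the whole directory, and git cannot re-include a file whose parent directory is excluded, so a later `!stamps/.keep` rule would have no effect; the stamps/.keep added in this commit is only visible because it is committed (tracked files are never ignored), and anyone who deletes and recreates the directory will not see the placeholder in `git status`. Using `stamps/*` instead, optionally with `!stamps/.keep`, keeps the stamp files ignored while leaving the placeholder manageable.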

Deleted: stamps/.gitignore
===
--- stamps/.gitignore   2017-11-30 10:36:38 UTC (rev 58138)
+++ stamps/.gitignore   2017-11-30 11:41:49 UTC (rev 58139)
@@ -1,6 +0,0 @@
-#
-# general rules
-#
-.gitignore
-*-*
-*~

Added: stamps/.keep
===


[Secure-testing-commits] r58138 - data

2017-11-30 Thread Guido Guenther
Author: agx
Date: 2017-11-30 10:36:38 + (Thu, 30 Nov 2017)
New Revision: 58138

Modified:
   data/dla-needed.txt
Log:
lts: grab thunderbird

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 10:35:37 UTC (rev 58137)
+++ data/dla-needed.txt 2017-11-30 10:36:38 UTC (rev 58138)
@@ -104,8 +104,7 @@
 swftools
   NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
 --
-thunderbird
-  NOTE: 20171129: Not sure if vulnerable as patches are private atm. (lamby)
+thunderbird (Guido Günther)
 --
 tiff (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
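Review bot: the `-` lines drop lamby's 20171129 NOTE that the vulnerability status is unknown because the patches are still private, and the `+` line replaces it with a bare claim; that note is the reason the package sat in a pending state, so keep it, or replace it with a dated NOTE saying the claimant has access to the patches or will re-check, rather than losing the uncertainty silently. The other claimed entries in this file keep their NOTE lines under the claim (tiff with its CVE-2017-9935 note, for example).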


[Secure-testing-commits] r58137 - data

2017-11-30 Thread Guido Guenther
Author: agx
Date: 2017-11-30 10:35:37 + (Thu, 30 Nov 2017)
New Revision: 58137

Modified:
   data/dla-needed.txt
Log:
lts: remove openexr

CVE-2017-12596 was already addressed by DLA-1083-1 and the other can be
postponed (no upstream fix available yet and it's unclear if it's really
a bug)

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-30 10:28:05 UTC (rev 58136)
+++ data/dla-needed.txt 2017-11-30 10:35:37 UTC (rev 58137)
@@ -75,9 +75,6 @@
   NOTE: github). Pinged sourceforge project owner with sourceforge's
   NOTE: integrated messaging feature. -- Raphaël Hertzog
 --
-openexr (Guido Günther)
-  NOTE: 20170902: CVE-2017-12596: bug reported upstream but no response yet 
(lamby)
---
 optipng (anarcat)
   NOTE: 20171127: Can confirm vulnerable in wheezy. (lamby)
 --
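Review bot: the removed lines cover only CVE-2017-12596, but the log says a second openexr CVE is being postponed, and the hunk records that decision nowhere; once the entry is gone from dla-needed.txt nothing in the data files says why wheezy is left unfixed for it. Suggest marking that CVE as postponed for wheezy in data/CVE/list (the `<postponed>` tag) with a NOTE giving the reason from the log (no upstream fix, unclear whether it is a bug), in the same commit.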


[Secure-testing-commits] r58136 - data/CVE

2017-11-30 Thread Guido Guenther
Author: agx
Date: 2017-11-30 10:28:05 + (Thu, 30 Nov 2017)
New Revision: 58136

Modified:
   data/CVE/list
Log:
lts: CVE-2017-12596 was fixed by DLA-1083-1 as well

The patches added checks that address this CVE as well. See

  https://github.com/openexr/openexr/issues/238

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 09:10:14 UTC (rev 58135)
+++ data/CVE/list   2017-11-30 10:28:05 UTC (rev 58136)
@@ -14654,6 +14654,7 @@
NOTE: https://github.com/opencv/opencv/issues/9309
 CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer 
over-read ...)
- openexr  (bug #877352)
+   [wheezy] - openexr 1.6.1-6+deb7u1
NOTE: https://github.com/openexr/openexr/issues/238
NOTE: Upstream fix 
https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c
 CVE-2017-12595 (The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays 
and ...)
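Review bot: the new `[wheezy] - openexr 1.6.1-6+deb7u1` line records the fixed version, but the entry gets no `{DLA-1083-1}` reference even though the log attributes the fix to that advisory, and the DLA-1083-1 entry in data/DLA/list still lists only the CVEs it was originally issued for; add CVE-2017-12596 to that DLA entry so the advisory and the CVE stay cross-linked in the tracker, the way the exim4 entries in r58135 carry their `{DSA-4053-1}` reference.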


[Secure-testing-commits] r58135 - data/CVE

2017-11-30 Thread security tracker role
Author: sectracker
Date: 2017-11-30 09:10:14 + (Thu, 30 Nov 2017)
New Revision: 58135

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-30 07:48:36 UTC (rev 58134)
+++ data/CVE/list   2017-11-30 09:10:14 UTC (rev 58135)
@@ -1,3 +1,5 @@
+CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x 
before ...)
+   TODO: check
 CVE-2017-17066
RESERVED
 CVE-2017-17065
@@ -1575,6 +1577,7 @@
[wheezy] - libsndfile  (Minor issue)
NOTE: https://github.com/erikd/libsndfile/issues/341
 CVE-2017-16944 (The receive_msg function in receive.c in the SMTP daemon in 
Exim 4.88 ...)
+   {DSA-4053-1}
- exim4 4.89-13 (bug #882671)
[jessie] - exim4  (ESMTP CHUNKING extension introduced in 
4.88)
[wheezy] - exim4  (ESMTP CHUNKING extension introduced in 
4.88)
@@ -1583,6 +1586,7 @@
NOTE: 
https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
NOTE: 4.89-10 adds a workaround which disables the affected code by 
default
 CVE-2017-16943 (The receive_msg function in receive.c in the SMTP daemon in 
Exim 4.88 ...)
+   {DSA-4053-1}
- exim4 4.89-12 (bug #882648)
[jessie] - exim4  (ESMTP CHUNKING extension introduced in 
4.88)
[wheezy] - exim4  (ESMTP CHUNKING extension introduced in 
4.88)
@@ -1745,6 +1749,7 @@
 CVE-2017-1000406
NOT-FOR-US: OpenDayLight
 CVE-2017-1000405 ["Dirty COW" variant on transparent huge pages]
+   RESERVED
- linux 
NOTE: Fixed by: 
https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0
NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1
@@ -8650,8 +8655,8 @@
RESERVED
 CVE-2017-14592
RESERVED
-CVE-2017-14591
-   RESERVED
+CVE-2017-14591 (Atlassian Fisheye and Crucible versions less than 4.4.3 and 
version ...)
+   TODO: check
 CVE-2017-14590
RESERVED
 CVE-2017-14589
@@ -9762,12 +9767,12 @@
RESERVED
 CVE-2017-14199
RESERVED
-CVE-2017-14198
-   RESERVED
-CVE-2017-14197
-   RESERVED
-CVE-2017-14196
-   RESERVED
+CVE-2017-14198 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 
5.4.x before ...)
+   TODO: check
+CVE-2017-14197 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 
5.4.x before ...)
+   TODO: check
+CVE-2017-14196 (An issue was discovered in Squiz Matrix from 5.3 through to 
5.3.6.1 and ...)
+   TODO: check
 CVE-2017-14195 (The call_msg function in controllers/Form.php in dayrui 
FineCms 5.0.11 ...)
NOT-FOR-US: dayrui FineCms
 CVE-2017-14194 (The out function in controllers/member/Login.php in dayrui 
FineCms ...)
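Review bot: the three `+` entries CVE-2017-14196, CVE-2017-14197 and CVE-2017-14198 all describe the same product (Squiz Matrix) and carry identical `TODO: check` markers, so they should be triaged together in one follow-up rather than three; the Splunk (CVE-2017-17067) and Atlassian (CVE-2017-14591) entries added earlier in this update are in the same state. `TODO: check` is the right placeholder for an automatic import, so nothing in the hunk itself needs changing.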

