[Secure-testing-commits] r58165 - data/CVE
Author: carnil Date: 2017-12-01 07:38:45 + (Fri, 01 Dec 2017) New Revision: 58165 Modified: data/CVE/list Log: Mark spice-vdagent issue as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-12-01 07:32:14 UTC (rev 58164) +++ data/CVE/list 2017-12-01 07:38:45 UTC (rev 58165) @@ -7011,6 +7011,8 @@ CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in vdagent_file_xfers_data()] RESERVED - spice-vdagent (bug #883238) + [stretch] - spice-vdagent (Minor issue) + [jessie] - spice-vdagent (Minor issue) NOTE: Fixed by: https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
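Review bot: the unstable entry "- spice-vdagent (bug #883238)" still carries no fixed version while stretch and jessie are marked no-dsa as "(Minor issue)", so the tracker will keep listing this as open in unstable until the upload containing the referenced upstream fix (commit 8ba174816d245757e743e636df357910e1d5eb61) is recorded; a one-line rationale for the no-dsa decision beyond "Minor issue" would also help whoever re-evaluates it for a point update.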
[Secure-testing-commits] r58164 - data/CVE
Author: carnil Date: 2017-12-01 07:32:14 + (Fri, 01 Dec 2017) New Revision: 58164 Modified: data/CVE/list Log: Add bug reference for CVE-2017-15108 Modified: data/CVE/list === --- data/CVE/list 2017-12-01 06:19:38 UTC (rev 58163) +++ data/CVE/list 2017-12-01 07:32:14 UTC (rev 58164) @@ -7010,7 +7010,7 @@ RESERVED CVE-2017-15108 [spice-vdagent: Improper validation of xfers->save_dir in vdagent_file_xfers_data()] RESERVED - - spice-vdagent + - spice-vdagent (bug #883238) NOTE: Fixed by: https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58163 - data/CVE
Author: carnil Date: 2017-12-01 06:19:38 + (Fri, 01 Dec 2017) New Revision: 58163 Modified: data/CVE/list Log: Mark CVE-2017-7545 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-30 22:24:18 UTC (rev 58162) +++ data/CVE/list 2017-12-01 06:19:38 UTC (rev 58163) @@ -29734,6 +29734,7 @@ NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7545 RESERVED + NOT-FOR-US: jbpm-designer / jBPM CVE-2017-7544 (libexif through 0.6.21 is vulnerable to out-of-bounds heap read ...) - libexif 0.6.21-2.1 (bug #876466) [stretch] - libexif (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58162 - data
Author: apo Date: 2017-11-30 22:24:18 + (Thu, 30 Nov 2017) New Revision: 58162 Modified: data/dla-needed.txt Log: Claim libextractor in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 21:22:40 UTC (rev 58161) +++ data/dla-needed.txt 2017-11-30 22:24:18 UTC (rev 58162) @@ -31,7 +31,7 @@ libav (Hugo Lefeuvre) NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches. -- -libextractor +libextractor (Markus Koschany) NOTE: not all patches available, so didn't bother maintainer yet -- libnet-ping-external-perl ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58161 - data/CVE
Author: carnil Date: 2017-11-30 21:22:40 + (Thu, 30 Nov 2017) New Revision: 58161 Modified: data/CVE/list Log: Add fixing version for CVE-2017-15116/linux Modified: data/CVE/list === --- data/CVE/list 2017-11-30 21:19:00 UTC (rev 58160) +++ data/CVE/list 2017-11-30 21:22:40 UTC (rev 58161) @@ -6985,7 +6985,7 @@ CVE-2017-15117 REJECTED CVE-2017-15116 (The rngapi_reset function in crypto/rng.c in the Linux kernel before ...) - TODO: check + - linux 4.2.1-1 CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel ...) - linux 4.13.13-1 NOTE: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 (v4.14-rc6) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
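Review bot: the new line "- linux 4.2.1-1" records a fixing version without any upstream reference, whereas the neighbouring CVE-2017-15115 entry carries "NOTE: Fixed by: https://git.kernel.org/linus/..." together with the release tag; adding the same kind of NOTE for the rngapi_reset change in crypto/rng.c would make the 4.2.1-1 claim checkable, and the entry still has no [jessie]/[wheezy] annotation, so the older suites remain to be assessed.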
[Secure-testing-commits] r58160 - data/DLA
Author: apo Date: 2017-11-30 21:19:00 + (Thu, 30 Nov 2017) New Revision: 58160 Modified: data/DLA/list Log: sox,CVE-2017-15372 and CVE-2017-15642 will also be fixed in DLA-1197-1 Modified: data/DLA/list === --- data/DLA/list 2017-11-30 21:12:22 UTC (rev 58159) +++ data/DLA/list 2017-11-30 21:19:00 UTC (rev 58160) @@ -1,5 +1,5 @@ [30 Nov 2017] DLA-1197-1 sox - security update - {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371} + {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 CVE-2017-15372 CVE-2017-15642} [wheezy] - sox 14.4.0-3+deb7u2 [30 Nov 2017] DLA-1196-1 optipng - security update {CVE-2017-16938} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
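Review bot: the CVE set of DLA-1197-1 grows by CVE-2017-15372 and CVE-2017-15642, but the matching {DLA-1197-1} cross-references in data/CVE/list were only added for CVE-2017-15370 and CVE-2017-15371 by the automatic update r58158 a few minutes earlier; until the next automatic run picks this change up, the two added CVEs will not show the DLA on their own entries, so verify they receive the {DLA-1197-1} marker as well.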
[Secure-testing-commits] r58159 - data
Author: carnil Date: 2017-11-30 21:12:22 + (Thu, 30 Nov 2017) New Revision: 58159 Modified: data/next-oldstable-point-update.txt data/next-point-update.txt Log: Two more CVEs to be included in {jessie,stretch}-pu update for busybox Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-11-30 21:10:21 UTC (rev 58158) +++ data/next-oldstable-point-update.txt2017-11-30 21:12:22 UTC (rev 58159) @@ -94,6 +94,10 @@ [jessie] - busybox 1:1.22.0-9+deb8u2 CVE-2011-5325 [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2017-15873 + [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2017-16544 + [jessie] - busybox 1:1.22.0-9+deb8u2 CVE-2017-10989 [jessie] - sqlite3 3.8.7.1-1+deb8u3 CVE-2017-15274 Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-11-30 21:10:21 UTC (rev 58158) +++ data/next-point-update.txt 2017-11-30 21:12:22 UTC (rev 58159) @@ -31,6 +31,10 @@ [stretch] - busybox 1:1.22.0-19+deb9u1 CVE-2011-5325 [stretch] - busybox 1:1.22.0-19+deb9u1 +CVE-2017-15873 + [stretch] - busybox 1:1.22.0-19+deb9u1 +CVE-2017-16544 + [stretch] - busybox 1:1.22.0-19+deb9u1 CVE-2017-2810 [stretch] - python-tablib 0.9.11-2+deb9u1 CVE-2017-14952 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58158 - data/CVE
Author: sectracker Date: 2017-11-30 21:10:21 + (Thu, 30 Nov 2017) New Revision: 58158 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-30 21:08:48 UTC (rev 58157) +++ data/CVE/list 2017-11-30 21:10:21 UTC (rev 58158) @@ -1,3 +1,47 @@ +CVE-2018-0740 + RESERVED +CVE-2018-0739 + RESERVED +CVE-2018-0738 + RESERVED +CVE-2018-0737 + RESERVED +CVE-2018-0736 + RESERVED +CVE-2018-0735 + RESERVED +CVE-2018-0734 + RESERVED +CVE-2018-0733 + RESERVED +CVE-2018-0732 + RESERVED +CVE-2018-0731 + RESERVED +CVE-2017-17079 + RESERVED +CVE-2017-17078 + RESERVED +CVE-2017-17077 + RESERVED +CVE-2017-17076 + RESERVED +CVE-2017-17075 + RESERVED +CVE-2017-17074 + RESERVED +CVE-2017-17073 + RESERVED +CVE-2017-17072 + RESERVED +CVE-2017-17071 + RESERVED +CVE-2017-17070 + RESERVED +CVE-2017-17069 + RESERVED +CVE-2017-17068 + RESERVED CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before ...) TODO: check CVE-2017-17066 @@ -2,4 +46,4 @@ RESERVED -CVE-2017-17065 - RESERVED +CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before ...) + TODO: check CVE-2017-17064 @@ -1603,6 +1647,7 @@ - linux 4.13.13-1 NOTE: Fixed by: https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to ...) + {DLA-1196-1} - optipng (bug #878839) NOTE: https://sourceforge.net/p/optipng/bugs/69/ CVE-2017-16937 
@@ -1624,12 +1669,14 @@ NOTE: https://github.com/Cacti/cacti/commit/69983495cd41bf0903fe02baeef84b1fa85f2846 NOTE: Fix for the incomplete fix for CVE-2016-2313 CVE-2017-16932 (parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in ...) + {DLA-1194-1} - libxml2 (bug #882613) [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759579 NOTE: https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961 CVE-2017-16931 (parser.c in libxml2 before 2.9.5 mishandles parameter-entity references ...) + {DLA-1194-1} - libxml2 2.9.4+dfsg1-3.1 [stretch] - libxml2 2.9.4+dfsg1-2.2+deb9u1 [jessie] - libxml2 2.9.1+dfsg1-5+deb8u5 @@ -6232,11 +6279,13 @@ [jessie] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500553 CVE-2017-15371 (There is a reachable assertion abort in the function ...) + {DLA-1197-1} - sox 14.4.2-2 (bug #878809) [stretch] - sox (Minor issue) [jessie] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500570 CVE-2017-15370 (There is a heap-based buffer overflow in the ImaExpandS function of ...) + {DLA-1197-1} - sox 14.4.2-2 (bug #878810) [stretch] - sox (Minor issue) [jessie] - sox (Minor issue) @@ -6935,8 +6984,8 @@ NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html CVE-2017-15117 REJECTED -CVE-2017-15116 - RESERVED +CVE-2017-15116 (The rngapi_reset function in crypto/rng.c in the Linux kernel before ...) + TODO: check CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel ...) - linux 4.13.13-1 NOTE: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 (v4.14-rc6) 
@@ -7596,8 +7645,8 @@ NOT-FOR-US: Wordpress plugin CVE-2015-9233 (The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) ...) NOT-FOR-US: Wordpress plugin -CVE-2017-14949 - RESERVED +CVE-2017-14949 (Restlet Framework before 2.3.12 allows remote attackers to access ...) + TODO: check CVE-2017-14948 RESERVED CVE-2017-14947 (Artifex GSView 6.0 Beta on Windows allows attackers to execute ...) @@ -7824,8 +7873,7 @@ RESERVED CVE-2017-14869 RESERVED -CVE-2017-14868 - RESERVED +CVE-2017-14868 (Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows ...) - restlet (bug #596472) CVE-2017-14866 (There is a heap-based buffer overflow in the Exiv2::s2Data function of ...) [experimental] - exiv2 (bug #880015) @@ -14524,8 +14572,7 @@ NOT-FOR-US: Apache Camel CVE-2017-12632 RESERVED -CVE-2017-12631 - RESERVED +CVE-2017-12631 (Apache CXF Fediz ships with a number of container-specific plugins to ...) NOT-FOR-US: Apache CXF CVE-2017-12630 RESERVED @@ -15263,96 +15310,96 @@ RESERVED CVE-2017-12373 RESERVED -CVE-2017-12372 - RESERVED -CVE-2017-12371 - RESERVED -CVE-2017-12370 - RESERVED -CVE-2017-12369 -
[Secure-testing-commits] r58157 - data
Author: carnil Date: 2017-11-30 21:08:48 + (Thu, 30 Nov 2017) New Revision: 58157 Modified: data/next-oldstable-point-update.txt Log: Record proposed update for CVE-2017-16899 via jessie-pu Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-11-30 21:08:08 UTC (rev 58156) +++ data/next-oldstable-point-update.txt2017-11-30 21:08:48 UTC (rev 58157) @@ -132,3 +132,5 @@ [jessie] - pdns 3.4.1-4+deb8u8 CVE-2017-15093 [jessie] - pdns-recursor 3.6.2-2+deb8u4 +CVE-2017-16899 + [jessie] - transfig 1:3.2.5.e-4+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58156 - data
Author: carnil Date: 2017-11-30 21:08:08 + (Thu, 30 Nov 2017) New Revision: 58156 Modified: data/next-point-update.txt Log: Record proposed update for CVE-2017-16899 Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-11-30 21:00:27 UTC (rev 58155) +++ data/next-point-update.txt 2017-11-30 21:08:08 UTC (rev 58156) @@ -57,3 +57,5 @@ [stretch] - pdns-recursor 4.0.4-1+deb9u2 CVE-2017-14623 [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 +CVE-2017-16899 + [stretch] - fig2dev 1:3.2.6a-2+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58155 - data/CVE
Author: apo Date: 2017-11-30 21:00:27 + (Thu, 30 Nov 2017) New Revision: 58155 Modified: data/CVE/list Log: Fix wrong "is fixed" version for sox CVE-2017-15372 and CVE-2017-15642 Modified: data/CVE/list === --- data/CVE/list 2017-11-30 20:51:27 UTC (rev 58154) +++ data/CVE/list 2017-11-30 21:00:27 UTC (rev 58155) @@ -5562,7 +5562,7 @@ [jessie] - musl (Minor issue) NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395 CVE-2017-15642 (In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there is ...) - - sox 4.4.2-2 (bug #882144) + - sox 14.4.2-2 (bug #882144) [stretch] - sox (Minor issue) [jessie] - sox (Minor issue) NOTE: https://sourceforge.net/p/sox/bugs/298/ @@ -6227,7 +6227,7 @@ CVE-2017-15373 (E-Sic 1.0 allows SQL injection via the q parameter to ...) NOT-FOR-US: E-Sic CVE-2017-15372 (There is a stack-based buffer overflow in the ...) - - sox 4.4.2-2 (bug #878808) + - sox 14.4.2-2 (bug #878808) [stretch] - sox (Minor issue) [jessie] - sox (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500553 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58154 - in data: . DLA
Author: apo Date: 2017-11-30 20:51:27 + (Thu, 30 Nov 2017) New Revision: 58154 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1197-1 for sox Modified: data/DLA/list === --- data/DLA/list 2017-11-30 19:54:09 UTC (rev 58153) +++ data/DLA/list 2017-11-30 20:51:27 UTC (rev 58154) @@ -1,3 +1,6 @@ +[30 Nov 2017] DLA-1197-1 sox - security update + {CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371} + [wheezy] - sox 14.4.0-3+deb7u2 [30 Nov 2017] DLA-1196-1 optipng - security update {CVE-2017-16938} [wheezy] - optipng 0.6.4-1+deb7u4 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 19:54:09 UTC (rev 58153) +++ data/dla-needed.txt 2017-11-30 20:51:27 UTC (rev 58154) @@ -82,15 +82,6 @@ NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html -- -sox (Markus Koschany) - NOTE: No patches. Contacted upstream. Waiting for feedback - NOTE: > 12% of sponsors use sox hence I have decided to add it here. - NOTE: https://sourceforge.net/p/sox/bugs/296/ - NOTE: 2017-09-01: pinged upstream (Markus) - NOTE: please check https://bugs.debian.org/882236 too (but please note that - NOTE: the CVE is specifically assigned for libvorbis, so do not reuse the - NOTE: CVE when applying the fix) --- suricata NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. --lamby -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
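Review bot: the reserved DLA-1197-1 lists five CVEs, but r58155 by the same author nine minutes later corrects the sox fixed version for CVE-2017-15372 and CVE-2017-15642, so the wheezy update should either list those two as well (r58160 on this page does add them) or the entries should say why wheezy is unaffected. The dla-needed.txt notes removed here also carry the warning that the fix tracked in https://bugs.debian.org/882236 must not be filed under a sox CVE because that CVE is assigned to libvorbis; that information disappears with the removal and is worth carrying into the DLA text or the CVE entry.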
[Secure-testing-commits] r58153 - data/CVE
Author: carnil Date: 2017-11-30 19:54:09 + (Thu, 30 Nov 2017) New Revision: 58153 Modified: data/CVE/list Log: Add fixing version for three linux CVEs and upload to sid Modified: data/CVE/list === --- data/CVE/list 2017-11-30 19:22:29 UTC (rev 58152) +++ data/CVE/list 2017-11-30 19:54:09 UTC (rev 58153) @@ -1471,7 +1471,7 @@ CVE-2018-0086 RESERVED CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel ...) - - linux + - linux 4.14.2-1 NOTE: Fixed by: https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1) CVE-2017-16993 RESERVED @@ -1750,7 +1750,7 @@ NOT-FOR-US: OpenDayLight CVE-2017-1000405 ["Dirty COW" variant on transparent huge pages] RESERVED - - linux + - linux 4.14.2-1 NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 NOTE: https://github.com/bindecy/HugeDirtyCowPOC @@ -2788,7 +2788,7 @@ [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c ...) - - linux + - linux 4.14.2-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the ...) - linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58152 - data/CVE
Author: pochu Date: 2017-11-30 19:22:29 + (Thu, 30 Nov 2017) New Revision: 58152 Modified: data/CVE/list Log: CVE-2017-16611/libxfont: add commit for 1.5 branch Modified: data/CVE/list === --- data/CVE/list 2017-11-30 18:33:24 UTC (rev 58151) +++ data/CVE/list 2017-11-30 19:22:29 UTC (rev 58152) @@ -2904,6 +2904,7 @@ - libxfont1 (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2017/11/28/7 NOTE: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8 + NOTE: (for 1.5.x): https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?h=libXfont-1.5-branch=5ed8ac0e4f063825b8ecda48e9a111d3ce92e825 NOTE: https://marc.info/?l=freedesktop-xorg-announce=151188049718337=2 NOTE: https://marc.info/?l=freedesktop-xorg-announce=151188044218304=2 CVE-2017-16610 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58151 - in data: . DLA
Author: anarcat Date: 2017-11-30 18:33:24 + (Thu, 30 Nov 2017) New Revision: 58151 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1196-1 for optipng Modified: data/DLA/list === --- data/DLA/list 2017-11-30 18:08:03 UTC (rev 58150) +++ data/DLA/list 2017-11-30 18:33:24 UTC (rev 58151) @@ -1,3 +1,6 @@ +[30 Nov 2017] DLA-1196-1 optipng - security update + {CVE-2017-16938} + [wheezy] - optipng 0.6.4-1+deb7u4 [30 Nov 2017] DLA-1195-1 curl - security update {CVE-2017-8817} [wheezy] - curl 7.26.0-1+wheezy23 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 18:08:03 UTC (rev 58150) +++ data/dla-needed.txt 2017-11-30 18:33:24 UTC (rev 58151) @@ -71,9 +71,6 @@ NOTE: github). Pinged sourceforge project owner with sourceforge's NOTE: integrated messaging feature. -- Raphaël Hertzog -- -optipng (anarcat) - NOTE: 20171127: Can confirm vulnerable in wheezy. (lamby) --- otrs2 (Emilio Pozuelo) -- rsync (Thorsten Alteholz) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58150 - data/CVE
Author: carnil Date: 2017-11-30 18:08:03 + (Thu, 30 Nov 2017) New Revision: 58150 Modified: data/CVE/list Log: Add CVE-2017-1570{1,2}/qpid-java, #840131 Modified: data/CVE/list === --- data/CVE/list 2017-11-30 18:06:04 UTC (rev 58149) +++ data/CVE/list 2017-11-30 18:08:03 UTC (rev 58150) @@ -5410,8 +5410,10 @@ RESERVED CVE-2017-15702 RESERVED + - qpid-java (bug #840131) CVE-2017-15701 RESERVED + - qpid-java (bug #840131) CVE-2017-15700 RESERVED CVE-2017-15699 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58149 - data/CVE
Author: carnil Date: 2017-11-30 18:06:04 + (Thu, 30 Nov 2017) New Revision: 58149 Modified: data/CVE/list Log: Update older Qpid Java Broker NFUs to now track itp'ed bug #840131 Modified: data/CVE/list === --- data/CVE/list 2017-11-30 17:55:14 UTC (rev 58148) +++ data/CVE/list 2017-11-30 18:06:04 UTC (rev 58149) @@ -53407,7 +53407,7 @@ CVE-2016-8742 RESERVED CVE-2016-8741 (The Apache Qpid Broker for Java can be configured to use different so ...) - NOT-FOR-US: Apache Qpid Java Broker + - qpid-java (bug #840131) CVE-2016-8740 (The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, ...) - apache2 2.4.25-1 (bug #847124) [jessie] - apache2 (Vulnerable code not present) @@ -66513,7 +66513,7 @@ CVE-2016-4975 RESERVED CVE-2016-4974 (Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before ...) - NOT-FOR-US: Apache Qpid Java Broker + - qpid-java (bug #840131) CVE-2016-4973 (Binaries compiled against targets that use the libssp library in GCC ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1324759 - gcc-6 (Uses glibc-internal SSP) @@ -68258,7 +68258,7 @@ - libstruts1.2-java (Only affects 2.3.20 to 2.3.28.1) NOTE: https://struts.apache.org/docs/s2-039.html CVE-2016-4432 (The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid ...) - NOT-FOR-US: Apache Qpid Java Broker + - qpid-java (bug #840131) CVE-2016-4431 (Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to ...) - libstruts1.2-java (Only affects 2.3.20 to 2.3.28.1) NOTE: https://struts.apache.org/docs/s2-040.html 
@@ -71836,7 +71836,7 @@ CVE-2016-3095 (server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker ...) - NOT-FOR-US: Apache Qpid Java Broker + - qpid-java (bug #840131) CVE-2016-3093 (Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method ...) - libstruts1.2-java (Only affects Struts 2.x) NOTE: https://struts.apache.org/docs/s2-034.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
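Review bot: replacing NOT-FOR-US with "- qpid-java (bug #840131)" on CVEs from 2016 means these now count as unfixed for a package that, per the log, only has an ITP bug so far; when qpid-java is uploaded, fixed versions must be recorded, and the descriptions that are visible give the cut-offs to check the packaged version against (before 6.0.3 for CVE-2016-3094, before 6.0.4 for CVE-2016-4974). A NOTE with those cut-offs under the entries would save that lookup later.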
[Secure-testing-commits] r58148 - data/CVE
Author: carnil Date: 2017-11-30 17:55:14 + (Thu, 30 Nov 2017) New Revision: 58148 Modified: data/CVE/list Log: Split up note over multiple lines Modified: data/CVE/list === --- data/CVE/list 2017-11-30 17:10:55 UTC (rev 58147) +++ data/CVE/list 2017-11-30 17:55:14 UTC (rev 58148)
@@ -13858,11 +13858,14 @@ CVE-2017-12873 (SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201612-04 - NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231 https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f + NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa + NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231 + NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f CVE-2017-12872 (The (1) Htpasswd authentication source in the authcrypt module and (2) ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201703-01 - NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439 https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 + NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439 + NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 CVE-2017-12871 (The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in ...) - simplesamlphp 1.14.15-1 [jessie] - simplesamlphp (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58147 - data/CVE
Author: hertzog Date: 2017-11-30 17:10:55 + (Thu, 30 Nov 2017) New Revision: 58147 Modified: data/CVE/list Log: Add patches for simplesamlphp issues Modified: data/CVE/list === --- data/CVE/list 2017-11-30 15:53:22 UTC (rev 58146) +++ data/CVE/list 2017-11-30 17:10:55 UTC (rev 58147) @@ -13854,12 +13854,15 @@ NOTE: Issue lies in simplesamlphp/simplesamlphp-module-infocard and fixed NOTE: in 1.0.1. The module is embedded in src:simplesamlphp NOTE: https://simplesamlphp.org/security/201612-03 + NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp-module-infocard/commit/7353762acacd827a61378629f87de991451089da CVE-2017-12873 (SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201612-04 + NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231 https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f CVE-2017-12872 (The (1) Htpasswd authentication source in the authcrypt module and (2) ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201703-01 + NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439 https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 CVE-2017-12871 (The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in ...) - simplesamlphp 1.14.15-1 [jessie] - simplesamlphp (Vulnerable code not present) 
@@ -13867,16 +13870,20 @@ NOTE: https://simplesamlphp.org/security/201703-02 CVE-2017-12870 (SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle ...) - simplesamlphp 1.14.15-1 + [wheezy] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) NOTE: https://simplesamlphp.org/security/201704-01 CVE-2017-12869 (The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201704-02 + NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/f1e485284dd428ab3cd9500c62e19c7c7234be9a CVE-2017-12868 (The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201705-01 + NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 CVE-2017-12867 (The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 ...) - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201708-01 + NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68 CVE-2017-12855 (Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
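Review bot: the same commit, caf764cc2c9b68ac29741070ebdf133a595443f1, is listed as the patch for both CVE-2017-12872 (Htpasswd source in the authcrypt module) and CVE-2017-12868 (secureCompare in lib/SimpleSAML/Utils/Crypto.php); if one upstream commit indeed fixes both, a NOTE saying so under each entry avoids it looking like a copy-paste error and tells the wheezy backporter that a single patch covers two CVEs.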
[Secure-testing-commits] r58146 - data/CVE
Author: carnil Date: 2017-11-30 15:53:22 + (Thu, 30 Nov 2017) New Revision: 58146 Modified: data/CVE/list Log: curl issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-30 14:39:30 UTC (rev 58145) +++ data/CVE/list 2017-11-30 15:53:22 UTC (rev 58146) @@ -25682,7 +25682,7 @@ CVE-2017-8819 RESERVED CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to ...) - - curl + - curl 7.57.0-1 [stretch] - curl (Vulnerable code not present) [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) @@ -25690,12 +25690,12 @@ NOTE: https://curl.haxx.se/CVE-2017-8818.patch CVE-2017-8817 (The FTP wildcard function in curl and libcurl before 7.57.0 allows ...) {DSA-4051-1} - - curl + - curl 7.57.0-1 NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html NOTE: https://curl.haxx.se/CVE-2017-8817.patch CVE-2017-8816 (The NTLM authentication feature in curl and libcurl before 7.57.0 on ...) {DSA-4051-1} - - curl + - curl 7.57.0-1 [wheezy] - curl (Vulnerable code not present, introduced in 7.36.0) NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html NOTE: https://curl.haxx.se/CVE-2017-8816.patch ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58145 - data/CVE
Author: carnil Date: 2017-11-30 14:39:30 + (Thu, 30 Nov 2017) New Revision: 58145 Modified: data/CVE/list Log: CVE-2017-1000248 fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-11-30 14:05:52 UTC (rev 58144) +++ data/CVE/list 2017-11-30 14:39:30 UTC (rev 58145) @@ -1936,8 +1936,7 @@ CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...) NOT-FOR-US: Amazon Key CVE-2017-1000248 (Redis-store =v1.3.0 allows unsafe objects to be loaded from redis ...) - [experimental] - ruby-redis-store 1.3.0-2 - - ruby-redis-store (bug #882034) + - ruby-redis-store 1.1.6-2 (bug #882034) NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is ...) NOT-FOR-US: CodeIgniter ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
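Review bot: the fixed version "- ruby-redis-store 1.1.6-2" is lower than the 1.3.0 named in the description ("Redis-store =v1.3.0", with the comparison operator apparently lost in this archive copy), so the fix must be a backport of the referenced commit e0c1398d54a9661c8c70267c3a925ba6b192142e into 1.1.6; a NOTE stating that would stop readers from taking 1.1.6-2 for a vulnerable version. Dropping the "[experimental] - ruby-redis-store 1.3.0-2" line is only correct if experimental no longer ships an affected version.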
[Secure-testing-commits] r58144 - in data: . DLA
Author: alteholz Date: 2017-11-30 14:05:52 + (Thu, 30 Nov 2017) New Revision: 58144 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1195-1 for curl Modified: data/DLA/list === --- data/DLA/list 2017-11-30 14:04:10 UTC (rev 58143) +++ data/DLA/list 2017-11-30 14:05:52 UTC (rev 58144) @@ -1,3 +1,6 @@ +[30 Nov 2017] DLA-1195-1 curl - security update + {CVE-2017-8817} + [wheezy] - curl 7.26.0-1+wheezy23 [30 Nov 2017] DLA-1194-1 libxml2 - security update {CVE-2017-16931 CVE-2017-16932} [wheezy] - libxml2 2.8.0+dfsg1-7+wheezy11 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 14:04:10 UTC (rev 58143) +++ data/dla-needed.txt 2017-11-30 14:05:52 UTC (rev 58144) @@ -17,8 +17,6 @@ couchdb NOTE: Only in wheezy, we are on our own. -- -curl (Thorsten Alteholz) --- irssi (Rhonda D'Vine) -- jasperreports ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58143 - in data: . DLA
Author: alteholz Date: 2017-11-30 14:04:10 + (Thu, 30 Nov 2017) New Revision: 58143 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1194-1 for libxml2 Modified: data/DLA/list === --- data/DLA/list 2017-11-30 13:35:58 UTC (rev 58142) +++ data/DLA/list 2017-11-30 14:04:10 UTC (rev 58143) @@ -1,3 +1,6 @@ +[30 Nov 2017] DLA-1194-1 libxml2 - security update + {CVE-2017-16931 CVE-2017-16932} + [wheezy] - libxml2 2.8.0+dfsg1-7+wheezy11 [27 Nov 2017] DLA-1193-1 roundcube - security update {CVE-2017-16651} [wheezy] - roundcube 0.7.2-9+deb7u9 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 13:35:58 UTC (rev 58142) +++ data/dla-needed.txt 2017-11-30 14:04:10 UTC (rev 58143) @@ -56,8 +56,6 @@ -- libxfont (Emilio Pozuelo) -- -libxml2 (Thorsten Alteholz) --- linux -- ming (Hugo Lefeuvre) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58142 - data
Author: hertzog Date: 2017-11-30 13:35:58 + (Thu, 30 Nov 2017) New Revision: 58142 Modified: data/dla-needed.txt Log: Take simplesamlphp in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 12:54:23 UTC (rev 58141) +++ data/dla-needed.txt 2017-11-30 13:35:58 UTC (rev 58142) @@ -85,7 +85,7 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- -simplesamlphp +simplesamlphp (Raphaël Hertzog) NOTE: 2017-09-04: Maintainer will handle this. NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58141 - data
Author: agx Date: 2017-11-30 12:54:23 + (Thu, 30 Nov 2017) New Revision: 58141 Modified: data/dla-needed.txt Log: lts: Grab swftools Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 12:04:26 UTC (rev 58140) +++ data/dla-needed.txt 2017-11-30 12:54:23 UTC (rev 58141) @@ -101,7 +101,7 @@ suricata NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. --lamby -- -swftools +swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) -- thunderbird (Guido Günther)
[Secure-testing-commits] r58140 - data/CVE
Author: carnil Date: 2017-11-30 12:04:26 + (Thu, 30 Nov 2017) New Revision: 58140 Modified: data/CVE/list Log: Mark CVE-2017-12631 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-30 11:41:49 UTC (rev 58139) +++ data/CVE/list 2017-11-30 12:04:26 UTC (rev 58140) @@ -14514,6 +14514,7 @@ RESERVED CVE-2017-12631 RESERVED + NOT-FOR-US: Apache CXF CVE-2017-12630 RESERVED CVE-2017-12629 (Remote code execution occurs in Apache Solr before 7.1 with Apache ...)
[Secure-testing-commits] r58139 - / stamps
Author: carnil Date: 2017-11-30 11:41:49 + (Thu, 30 Nov 2017) New Revision: 58139 Added: stamps/.keep Removed: stamps/.gitignore Modified: .gitignore Log: Move stamps to global .gitignore and add .keep file We just want to keep at least the directory stamps around in both cases where someone works with git (git-svn) or svn. Thus don't distribute configuration in various .gitignore and use method used already by other various projects with a .keep file instead. Move back Guido's addition of stamps to .gitignore Thanks: Guido Günther Modified: .gitignore === --- .gitignore 2017-11-30 10:36:38 UTC (rev 58138) +++ .gitignore 2017-11-30 11:41:49 UTC (rev 58139) @@ -4,6 +4,7 @@ .gitignore data/nvd/ data/security.db* +stamps/ *_Packages *_Sources *.pyc Deleted: stamps/.gitignore === --- stamps/.gitignore 2017-11-30 10:36:38 UTC (rev 58138) +++ stamps/.gitignore 2017-11-30 11:41:49 UTC (rev 58139) @@ -1,6 +0,0 @@ -# -# general rules -# -.gitignore -*-* -*~ Added: stamps/.keep ===
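Review bot: the new root .gitignore rule `+stamps/` ignores the whole directory, so it also matches the `stamps/.keep` file this same commit adds; the file stays tracked only because it reaches git checkouts already committed via git-svn, and anyone recreating the directory in a plain git clone would have `git add stamps/.keep` refused unless forced with `git add -f`. Ignoring the contents rather than the directory, e.g. `stamps/*` followed by `!stamps/.keep`, expresses the intent of the log message (keep the directory, ignore the stamp files) directly and also covers the `*-*` and `*~` patterns that the deleted stamps/.gitignore used to carry.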
[Secure-testing-commits] r58138 - data
Author: agx Date: 2017-11-30 10:36:38 + (Thu, 30 Nov 2017) New Revision: 58138 Modified: data/dla-needed.txt Log: lts: grab thunderbird Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 10:35:37 UTC (rev 58137) +++ data/dla-needed.txt 2017-11-30 10:36:38 UTC (rev 58138) @@ -104,8 +104,7 @@ swftools NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) -- -thunderbird - NOTE: 20171129: Not sure if vulnerable as patches are private atm. (lamby) +thunderbird (Guido Günther) -- tiff (Brian May) NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
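Review bot: claiming the entry also removes the line `- NOTE: 20171129: Not sure if vulnerable as patches are private atm. (lamby)`, which is still the only recorded status for thunderbird in wheezy; keep that NOTE under `thunderbird (Guido Günther)` (or replace it with a dated NOTE stating what is now known about the private patches) so the open question is not lost for whoever looks at the entry next.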
[Secure-testing-commits] r58137 - data
Author: agx Date: 2017-11-30 10:35:37 + (Thu, 30 Nov 2017) New Revision: 58137 Modified: data/dla-needed.txt Log: lts: remove openexr CVE-2017-12596 was already addressed by DLA-1083-1 and the other can be postponed (no upstream fix available yet and it's unclear if it's really a bug) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-11-30 10:28:05 UTC (rev 58136) +++ data/dla-needed.txt 2017-11-30 10:35:37 UTC (rev 58137) @@ -75,9 +75,6 @@ NOTE: github). Pinged sourceforge project owner with sourceforge's NOTE: integrated messaging feature. -- Raphaël Hertzog -- -openexr (Guido Günther) - NOTE: 20170902: CVE-2017-12596: bug reported upstream but no response yet (lamby) --- optipng (anarcat) NOTE: 20171127: Can confirm vulnerable in wheezy. (lamby) --
[Secure-testing-commits] r58136 - data/CVE
Author: agx Date: 2017-11-30 10:28:05 + (Thu, 30 Nov 2017) New Revision: 58136 Modified: data/CVE/list Log: lts: CVE-2017-12596 was fixed by DLA-1083-1 as well The patches added checks that address this CVE as well. See https://github.com/openexr/openexr/issues/238 Modified: data/CVE/list === --- data/CVE/list 2017-11-30 09:10:14 UTC (rev 58135) +++ data/CVE/list 2017-11-30 10:28:05 UTC (rev 58136) @@ -14654,6 +14654,7 @@ NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...) - openexr (bug #877352) + [wheezy] - openexr 1.6.1-6+deb7u1 NOTE: https://github.com/openexr/openexr/issues/238 NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c CVE-2017-12595 (The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and ...)
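Review bot: the log says CVE-2017-12596 was fixed by DLA-1083-1, but the hunk only records the wheezy fixed version `+ [wheezy] - openexr 1.6.1-6+deb7u1` in data/CVE/list; the DLA-1083-1 entry in data/DLA/list should gain CVE-2017-12596 in its `{...}` CVE list as well (the same way the DLA-1194-1 and DLA-1195-1 entries above list theirs), otherwise the two files disagree about which advisory closed this CVE and the cross-reference will not resolve.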
[Secure-testing-commits] r58135 - data/CVE
Author: sectracker Date: 2017-11-30 09:10:14 + (Thu, 30 Nov 2017) New Revision: 58135 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-11-30 07:48:36 UTC (rev 58134) +++ data/CVE/list 2017-11-30 09:10:14 UTC (rev 58135) @@ -1,3 +1,5 @@ +CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before ...) + TODO: check CVE-2017-17066 RESERVED CVE-2017-17065 @@ -1575,6 +1577,7 @@ [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/341 CVE-2017-16944 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) + {DSA-4053-1} - exim4 4.89-13 (bug #882671) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) @@ -1583,6 +1586,7 @@ NOTE: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html NOTE: 4.89-10 adds a workaround which disables the affected code by default CVE-2017-16943 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) + {DSA-4053-1} - exim4 4.89-12 (bug #882648) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) @@ -1745,6 +1749,7 @@ CVE-2017-1000406 NOT-FOR-US: OpenDayLight CVE-2017-1000405 ["Dirty COW" variant on transparent huge pages] + RESERVED - linux NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 @@ -8650,8 +8655,8 @@ RESERVED CVE-2017-14592 RESERVED -CVE-2017-14591 - RESERVED +CVE-2017-14591 (Atlassian Fisheye and Crucible versions less than 4.4.3 and version ...) + TODO: check CVE-2017-14590 RESERVED CVE-2017-14589 
@@ -9762,12 +9767,12 @@ RESERVED CVE-2017-14199 RESERVED -CVE-2017-14198 - RESERVED -CVE-2017-14197 - RESERVED -CVE-2017-14196 - RESERVED +CVE-2017-14198 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before ...) + TODO: check +CVE-2017-14197 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before ...) + TODO: check +CVE-2017-14196 (An issue was discovered in Squiz Matrix from 5.3 through to 5.3.6.1 and ...) + TODO: check CVE-2017-14195 (The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 ...) NOT-FOR-US: dayrui FineCms CVE-2017-14194 (The out function in controllers/member/Login.php in dayrui FineCms ...)