[Secure-testing-commits] r58205 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-02 06:20:16 + (Sat, 02 Dec 2017)
New Revision: 58205

Modified:
   data/CVE/list
Log:
Add tiff3 source package

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-02 06:19:59 UTC (rev 58204)
+++ data/CVE/list   2017-12-02 06:20:16 UTC (rev 58205)
@@ -618,6 +618,7 @@
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 CVE-2017- [heap-based buffer overflow in the pal2rgb tool]
- tiff 
+   - tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750
 CVE-2017-17088
RESERVED


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r58204 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-02 06:19:59 + (Sat, 02 Dec 2017)
New Revision: 58204

Modified:
   data/CVE/list
Log:
Add CVEs for wordpress issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 23:17:24 UTC (rev 58203)
+++ data/CVE/list   2017-12-02 06:19:59 UTC (rev 58204)
@@ -600,19 +600,19 @@
RESERVED
 CVE-2017-17089
RESERVED
-CVE-2017- [Use a properly generated hash for the 'newbloguser' key instead 
of a determinate substring]
+CVE-2017-17091 [Use a properly generated hash for the 'newbloguser' key 
instead of a determinate substring]
- wordpress 
NOTE: 
https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
-CVE-2017- [Add escaping to the language attributes used on 'html' elements]
+CVE-2017-17093 [Add escaping to the language attributes used on 'html' 
elements]
- wordpress 
NOTE: 
https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
-CVE-2017- [Ensure the attributes of enclosures are correctly escaped in 
RSS and Atom feeds]
+CVE-2017-17094 [Ensure the attributes of enclosures are correctly escaped in 
RSS and Atom feeds]
- wordpress 
NOTE: 
https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
-CVE-2017- [Remove the ability to upload JavaScript files for users who do 
not have the 'unfiltered_html' capability]
+CVE-2017-17092 [Remove the ability to upload JavaScript files for users who do 
not have the 'unfiltered_html' capability]
- wordpress 
NOTE: 
https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
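
Review bot: the four ids assigned in this hunk are out of sequence. The entries now read 17091, 17093, 17094, 17092 from top to bottom and sit below CVE-2017-17089, while the context above them runs in descending order. If the list is meant to stay sorted, move the block above CVE-2017-17089 and order it 17094, 17093, 17092, 17091. Because the numbering does not follow the order of the entries, it is also worth re-checking that each id is attached to the fix description it was assigned for.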




[Secure-testing-commits] r58207 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-02 06:21:38 + (Sat, 02 Dec 2017)
New Revision: 58207

Modified:
   data/CVE/list
Log:
Mark CVE-2017-17095 as unimportant

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-02 06:20:28 UTC (rev 58206)
+++ data/CVE/list   2017-12-02 06:21:38 UTC (rev 58207)
@@ -617,9 +617,10 @@
NOTE: 
https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 CVE-2017-17095 [heap-based buffer overflow in the pal2rgb tool]
-   - tiff 
-   - tiff3 
+   - tiff  (unimportant)
+   - tiff3  (unimportant)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750
+   NOTE: Crash in CLI tool not treated as a security issue
 CVE-2017-17088
RESERVED
 CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of 
a .swp ...)
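
Review bot: the added NOTE gives "Crash in CLI tool" as the reason for the (unimportant) tags, but the entry's own title describes a heap-based buffer overflow in pal2rgb. Word the rationale in the same terms as the title, for example by saying that a heap overflow in the pal2rgb command-line tool is not treated as a security issue, so a later reader can see that the memory-corruption aspect was considered and not only a crash.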




[Secure-testing-commits] r58206 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-02 06:20:28 + (Sat, 02 Dec 2017)
New Revision: 58206

Modified:
   data/CVE/list
Log:
CVE assigned for tiff issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-02 06:20:16 UTC (rev 58205)
+++ data/CVE/list   2017-12-02 06:20:28 UTC (rev 58206)
@@ -616,7 +616,7 @@
- wordpress 
NOTE: 
https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
-CVE-2017- [heap-based buffer overflow in the pal2rgb tool]
+CVE-2017-17095 [heap-based buffer overflow in the pal2rgb tool]
- tiff 
- tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750




[Secure-testing-commits] r58203 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 23:17:24 + (Fri, 01 Dec 2017)
New Revision: 58203

Modified:
   data/CVE/list
Log:
Add CVE-2017-784{3,4}/firefox

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 23:14:02 UTC (rev 58202)
+++ data/CVE/list   2017-12-01 23:17:24 UTC (rev 58203)
@@ -29208,8 +29208,10 @@
RESERVED
 CVE-2017-7844
RESERVED
+   - firefox 57.0.1-1
 CVE-2017-7843
RESERVED
+   - firefox 57.0.1-1
 CVE-2017-7842
RESERVED
- firefox 57.0-1
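
Review bot: both added "- firefox 57.0.1-1" lines are attached to entries that are still RESERVED and carry no title or NOTE, so nothing in the list records where the fixed version comes from. Add a NOTE with the upstream advisory reference under CVE-2017-7844 and CVE-2017-7843, in the way other entries in this file reference their source.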




[Secure-testing-commits] r58202 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 23:14:02 + (Fri, 01 Dec 2017)
New Revision: 58202

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2014-9488/less

Upstream fixed it in 475, first version in unstable containing the fix
is 481-1.

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 23:09:19 UTC (rev 58201)
+++ data/CVE/list   2017-12-01 23:14:02 UTC (rev 58202)
@@ -107217,7 +107217,7 @@
 CVE-2014-9490 (The numtok function in lib/raven/okjson.rb in the raven-ruby 
gem ...)
NOT-FOR-US: raven ruby gem
 CVE-2014-9488 (The is_utf8_well_formed function in GNU less before 475 allows 
remote ...)
-   - less  (unimportant; bug #780247)
+   - less 481-1 (unimportant; bug #780247)
NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/14
NOTE: 
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
 CVE-2014-9484




[Secure-testing-commits] r58201 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 23:09:19 + (Fri, 01 Dec 2017)
New Revision: 58201

Modified:
   data/CVE/list
Log:
Add fixed version for 19 mysql-5.7 CVEs

Note: CVE-2017-3731 is mentioned both in upstream and changelog, but the
CVE is for openssl, so it was not added to the tracker for mysql-5.7.

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 22:59:55 UTC (rev 58200)
+++ data/CVE/list   2017-12-01 23:09:19 UTC (rev 58201)
@@ -22091,7 +22091,7 @@
- glassfish  (Vulnerable code not included, see bug 
#853998)
 CVE-2017-10384 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
{DSA-4002-1 DLA-1141-1}
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (bug #878402)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10383 (Vulnerability in the Oracle Hospitality Guest Access component 
of ...)
@@ -22104,7 +22104,7 @@
NOT-FOR-US: Java Advanced Management Console
 CVE-2017-10379 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
{DSA-4002-1 DLA-1141-1}
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (bug #878402)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10378 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
@@ -22143,7 +22143,7 @@
 CVE-2017-10366 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools 
component of ...)
NOT-FOR-US: Oracle
 CVE-2017-10365 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10364 (Vulnerability in the PeopleSoft Enterprise PeopleTools 
component of ...)
@@ -22287,7 +22287,7 @@
 CVE-2017-10321 (Vulnerability in the Core RDBMS component of Oracle Database 
Server. ...)
NOT-FOR-US: Oracle
 CVE-2017-10320 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10319 (Vulnerability in the Oracle Hospitality Suite8 component of 
Oracle ...)
@@ -22301,17 +22301,17 @@
 CVE-2017-10315 (Vulnerability in the Siebel UI Framework component of Oracle 
Siebel ...)
NOT-FOR-US: Oracle
 CVE-2017-10314 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.6 and 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10313 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10312 (Vulnerability in the Oracle Hyperion BI+ component of Oracle 
Hyperion ...)
NOT-FOR-US: Oracle
 CVE-2017-10311 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10310 (Vulnerability in the Oracle Hyperion Financial Reporting 
component of ...)
@@ -22344,7 +22344,7 @@
 CVE-2017-10297
RESERVED
 CVE-2017-10296 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10295 (Vulnerability in the Java SE, Java SE Embedded, JRockit 
component of ...)
@@ -22356,7 +22356,7 @@
- openjdk-6 
[wheezy] - openjdk-6 
 CVE-2017-10294 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mysql-5.7  (bug #878398)
+   - mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.6 and 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10293 (Vulnerability in the Java SE component of Oracle Java SE ...)
@@ -22376,7 +22376,7 @@
 CVE-2017-10287 (Vulnerability in the PeopleSoft Enterprise FSCM component of 
Oracle ...)
NOT-FOR-US: Oracle
 CVE-2017-10286 

[Secure-testing-commits] r58200 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 22:59:55 + (Fri, 01 Dec 2017)
New Revision: 58200

Modified:
   data/CVE/list
Log:
Add related tor bugs

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 22:57:09 UTC (rev 58199)
+++ data/CVE/list   2017-12-01 22:59:55 UTC (rev 58200)
@@ -26442,22 +26442,27 @@
 CVE-2017-8823 [TROVE-2017-013: Use-after-free in onion service v2]
RESERVED
- tor 
+   NOTE: https://bugs.torproject.org/24313
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8822 [TROVE-2017-012: Relays can pick themselves in a circuit path]
RESERVED
- tor 
+   NOTE: https://bugs.torproject.org/21534
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8821 [TROVE-2017-011: An attacker can make Tor ask for a password]
RESERVED
- tor 
+   NOTE: https://bugs.torproject.org/24246
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8820 [TROVE-2017-010: Remote DoS attack against directory authorities]
RESERVED
- tor 
+   NOTE: https://bugs.torproject.org/24245
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8819 [TROVE-2017-009: Replay-cache ineffective for v2 onion services]
RESERVED
- tor 
+   NOTE: https://bugs.torproject.org/24244
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow 
attackers to ...)
- curl 7.57.0-1
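
Review bot: the ticket added for CVE-2017-8822 (https://bugs.torproject.org/21534) is numbered well outside the range of the other four added in this hunk (24313, 24246, 24245, 24244). Please confirm that 21534 is the intended ticket for TROVE-2017-012 and not a typo; if it is correct, no change is needed.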




[Secure-testing-commits] r58199 - data

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 22:57:09 + (Fri, 01 Dec 2017)
New Revision: 58199

Modified:
   data/dsa-needed.txt
Log:
Add tor to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-01 22:56:48 UTC (rev 58198)
+++ data/dsa-needed.txt 2017-12-01 22:57:09 UTC (rev 58199)
@@ -51,6 +51,8 @@
 --
 thunderbird
 --
+tor
+--
 wireshark (seb)
   2017-05-13: asked balint@ if he wants to prepare an update now
   2017-07-28: re-ping balint@




[Secure-testing-commits] r58198 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 22:56:48 + (Fri, 01 Dec 2017)
New Revision: 58198

Modified:
   data/CVE/list
Log:
Add new tor issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 21:41:40 UTC (rev 58197)
+++ data/CVE/list   2017-12-01 22:56:48 UTC (rev 58198)
@@ -26439,16 +26439,26 @@
NOTE: https://github.com/dinhviethoa/libetpan/issues/274
 CVE-2017-8824
RESERVED
-CVE-2017-8823
+CVE-2017-8823 [TROVE-2017-013: Use-after-free in onion service v2]
RESERVED
-CVE-2017-8822
+   - tor 
+   NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
+CVE-2017-8822 [TROVE-2017-012: Relays can pick themselves in a circuit path]
RESERVED
-CVE-2017-8821
+   - tor 
+   NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
+CVE-2017-8821 [TROVE-2017-011: An attacker can make Tor ask for a password]
RESERVED
-CVE-2017-8820
+   - tor 
+   NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
+CVE-2017-8820 [TROVE-2017-010: Remote DoS attack against directory authorities]
RESERVED
-CVE-2017-8819
+   - tor 
+   NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
+CVE-2017-8819 [TROVE-2017-009: Replay-cache ineffective for v2 onion services]
RESERVED
+   - tor 
+   NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow 
attackers to ...)
- curl 7.57.0-1
[stretch] - curl  (Vulnerable code not present)




[Secure-testing-commits] r58197 - data/CVE

2017-12-01 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-01 21:41:40 + (Fri, 01 Dec 2017)
New Revision: 58197

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 21:36:43 UTC (rev 58196)
+++ data/CVE/list   2017-12-01 21:41:40 UTC (rev 58197)
@@ -2256,11 +2256,11 @@
 CVE-2017-16954
RESERVED
 CVE-2017-16953 (connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP 
Basic ...)
-   TODO: check
+   NOT-FOR-US: ZTE
 CVE-2017-16952 (KMPlayer 4.2.2.4 allows remote attackers to cause a denial of 
service ...)
TODO: check
 CVE-2017-16951 (Winamp Pro 5.66 Build 3512 allows remote attackers to cause a 
denial ...)
-   TODO: check
+   NOT-FOR-US: Winamp
 CVE-2017-16950
RESERVED
 CVE-2017-16949
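
Review bot: CVE-2017-16952 (KMPlayer 4.2.2.4) is left at "TODO: check" although the entries directly above and below it (ZTE, Winamp) are resolved in this same hunk. If that was an oversight, give it the matching NOT-FOR-US line here; if it is still being looked at, no change is needed.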
@@ -2429,11 +2429,11 @@
NOTE: 
https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669
NOTE: 
https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815
 CVE-2017-16895 (The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, 
(4) ...)
-   TODO: check
+   NOT-FOR-US: Arq
 CVE-2017-16894 (In Laravel framework through 5.5.21, remote attackers can 
obtain ...)
NOT-FOR-US: Laravel framework
 CVE-2017-16893 (The application Piwigo is affected by an SQL injection 
vulnerability ...)
-   TODO: check
+   - piwigo 
 CVE-2017-16892 (In Bftpd before 4.7, there is a memory leak in the file rename 
...)
- bftpd  (bug #640469)
NOTE: http://bftpd.sourceforge.net/news.html#032390
@@ -6102,7 +6102,7 @@
 CVE-2017-15708
RESERVED
 CVE-2017-15707 (In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an 
outdated ...)
-   TODO: check
+   - libstruts1.2-java  (Specific to 2.x)
 CVE-2017-15706
RESERVED
 CVE-2017-15705
@@ -6978,7 +6978,7 @@
 CVE-2017-15358
RESERVED
 CVE-2017-15357 (The setpermissions function in the auto-updater in Arq before 
5.9.7 ...)
-   TODO: check
+   NOT-FOR-US: Arq
 CVE-2017-15356
RESERVED
 CVE-2017-15355
@@ -8298,7 +8298,7 @@
- linux  (Vulnerable code introduced in v4.13-rc1)
NOTE: Fixed by: 
https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
 CVE-2017-14953 (HikVision Wi-Fi IP cameras, when used in a wired 
configuration, allow ...)
-   TODO: check
+   NOT-FOR-US: HikVision
 CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components 
for ...)
- icu 57.1-7 (bug #878840)
[stretch] - icu  (Should be fixed along in future update)
@@ -9375,7 +9375,7 @@
 CVE-2017-14592
RESERVED
 CVE-2017-14591 (Atlassian Fisheye and Crucible versions less than 4.4.3 and 
version ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2017-14590
RESERVED
 CVE-2017-14589
@@ -9385,9 +9385,9 @@
 CVE-2017-14587 (The administration user deletion resource in Atlassian FishEye 
and ...)
NOT-FOR-US: Atlassian
 CVE-2017-14586 (The Hipchat for Mac desktop client is vulnerable to 
client-side remote ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2017-14585 (A Server Side Request Forgery (SSRF) vulnerability could lead 
to ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2017-14584
RESERVED
 CVE-2017-14583
@@ -9690,9 +9690,9 @@
 CVE-2017-14488
RESERVED
 CVE-2017-14487 (The OhMiBod Remote app for Android and iOS allows remote 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: OhMiBod Remote app
 CVE-2017-14486 (The Vibease Wireless Remote Vibrator app for Android and the 
Vibease ...)
-   TODO: check
+   NOT-FOR-US: Vibease Wireless Remote Vibrator app
 CVE-2017-14485
RESERVED
 CVE-2017-14484 (The Gentoo sci-mathematics/gimps package before 28.10-r1 for 
Great ...)
@@ -10487,11 +10487,11 @@
 CVE-2017-14199
RESERVED
 CVE-2017-14198 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 
5.4.x before ...)
-   TODO: check
+   NOT-FOR-US: Squiz Matrix
 CVE-2017-14197 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 
5.4.x before ...)
-   TODO: check
+   NOT-FOR-US: Squiz Matrix
 CVE-2017-14196 (An issue was discovered in Squiz Matrix from 5.3 through to 
5.3.6.1 and ...)
-   TODO: check
+   NOT-FOR-US: Squiz Matrix
 CVE-2017-14195 (The call_msg function in controllers/Form.php in dayrui 
FineCms 5.0.11 ...)
NOT-FOR-US: dayrui FineCms
 CVE-2017-14194 (The out function in controllers/member/Login.php in dayrui 
FineCms ...)
@@ -12124,9 +12124,9 @@
 CVE-2017-13665
RESERVED
 CVE-2017-13664 (Password file exposure in firmware in iSmartAlarm CubeOne 
version ...)
-   TODO: check
+   NOT-FOR-US: iSmartAlarm CubeOne
 CVE-2017-13663 (Encryption key exposure in firmware in iSmartAlarm CubeOne 
version ...)
-   TODO: check
+   NOT-FOR-US: iSmartAlarm CubeOne
 CVE-2017-13662
RESERVED
 CVE-2017-13661



[Secure-testing-commits] r58196 - data/CVE

2017-12-01 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-01 21:36:43 + (Fri, 01 Dec 2017)
New Revision: 58196

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 21:10:21 UTC (rev 58195)
+++ data/CVE/list   2017-12-01 21:36:43 UTC (rev 58196)
@@ -1356,19 +1356,19 @@
 CVE-2017-16995
RESERVED
 CVE-2016-10702 (Pebble Smartwatch devices through 4.3 mishandle UUID storage, 
which ...)
-   TODO: check
+   NOT-FOR-US: Pebble
 CVE-2016-10701 (In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF 
issue exists ...)
NOT-FOR-US: Hitachi Vantara Pentaho BA Platform
 CVE-2017-1001004 (typed-function before 0.10.6 had an arbitrary code execution 
in the ...)
-   TODO: check
+   NOT-FOR-US: typed-function
 CVE-2017-1001003 (math.js before 3.17.0 had an issue where private properties 
such as a ...)
-   TODO: check
+   NOT-FOR-US: math.js
 CVE-2017-1001002 (math.js before 3.17.0 had an arbitrary code execution in the 
...)
-   TODO: check
+   NOT-FOR-US: math.js
 CVE-2017-1000214 (GitPHP by xiphux is vulnerable to OS Command Injections ...)
-   TODO: check
+   NOT-FOR-US: GitPHP
 CVE-2017-1000207 (A vulnerability in Swagger-Parser's version <= 1.0.30 and 
Swagger ...)
-   TODO: check
+   NOT-FOR-US: Swagger-Parser
 CVE-2017-1000159 (Command injection in evince 3.24.8 via filename when 
printing to PDF ...)
- evince 3.25.92-1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784947
@@ -2238,7 +2238,7 @@
 CVE-2017-16963
RESERVED
 CVE-2017-16962 (The WebMail components (Crystal, pronto, and pronto4) in 
CommuniGate ...)
-   TODO: check
+   NOT-FOR-US: CommuniGate Pro
 CVE-2017-16961 (A SQL injection vulnerability in core/inc/auto-modules.php in 
BigTree ...)
NOT-FOR-US: BigTree CMS
 CVE-2017-16960 (TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote 
...)




[Secure-testing-commits] r58195 - data/CVE

2017-12-01 Thread security tracker role
Author: sectracker
Date: 2017-12-01 21:10:21 + (Fri, 01 Dec 2017)
New Revision: 58195

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 19:56:17 UTC (rev 58194)
+++ data/CVE/list   2017-12-01 21:10:21 UTC (rev 58195)
@@ -1,3 +1,605 @@
+CVE-2018-1040
+   RESERVED
+CVE-2018-1039
+   RESERVED
+CVE-2018-1038
+   RESERVED
+CVE-2018-1037
+   RESERVED
+CVE-2018-1036
+   RESERVED
+CVE-2018-1035
+   RESERVED
+CVE-2018-1034
+   RESERVED
+CVE-2018-1033
+   RESERVED
+CVE-2018-1032
+   RESERVED
+CVE-2018-1031
+   RESERVED
+CVE-2018-1030
+   RESERVED
+CVE-2018-1029
+   RESERVED
+CVE-2018-1028
+   RESERVED
+CVE-2018-1027
+   RESERVED
+CVE-2018-1026
+   RESERVED
+CVE-2018-1025
+   RESERVED
+CVE-2018-1024
+   RESERVED
+CVE-2018-1023
+   RESERVED
+CVE-2018-1022
+   RESERVED
+CVE-2018-1021
+   RESERVED
+CVE-2018-1020
+   RESERVED
+CVE-2018-1019
+   RESERVED
+CVE-2018-1018
+   RESERVED
+CVE-2018-1017
+   RESERVED
+CVE-2018-1016
+   RESERVED
+CVE-2018-1015
+   RESERVED
+CVE-2018-1014
+   RESERVED
+CVE-2018-1013
+   RESERVED
+CVE-2018-1012
+   RESERVED
+CVE-2018-1011
+   RESERVED
+CVE-2018-1010
+   RESERVED
+CVE-2018-1009
+   RESERVED
+CVE-2018-1008
+   RESERVED
+CVE-2018-1007
+   RESERVED
+CVE-2018-1006
+   RESERVED
+CVE-2018-1005
+   RESERVED
+CVE-2018-1004
+   RESERVED
+CVE-2018-1003
+   RESERVED
+CVE-2018-1002
+   RESERVED
+CVE-2018-1001
+   RESERVED
+CVE-2018-1000
+   RESERVED
+CVE-2018-0999
+   RESERVED
+CVE-2018-0998
+   RESERVED
+CVE-2018-0997
+   RESERVED
+CVE-2018-0996
+   RESERVED
+CVE-2018-0995
+   RESERVED
+CVE-2018-0994
+   RESERVED
+CVE-2018-0993
+   RESERVED
+CVE-2018-0992
+   RESERVED
+CVE-2018-0991
+   RESERVED
+CVE-2018-0990
+   RESERVED
+CVE-2018-0989
+   RESERVED
+CVE-2018-0988
+   RESERVED
+CVE-2018-0987
+   RESERVED
+CVE-2018-0986
+   RESERVED
+CVE-2018-0985
+   RESERVED
+CVE-2018-0984
+   RESERVED
+CVE-2018-0983
+   RESERVED
+CVE-2018-0982
+   RESERVED
+CVE-2018-0981
+   RESERVED
+CVE-2018-0980
+   RESERVED
+CVE-2018-0979
+   RESERVED
+CVE-2018-0978
+   RESERVED
+CVE-2018-0977
+   RESERVED
+CVE-2018-0976
+   RESERVED
+CVE-2018-0975
+   RESERVED
+CVE-2018-0974
+   RESERVED
+CVE-2018-0973
+   RESERVED
+CVE-2018-0972
+   RESERVED
+CVE-2018-0971
+   RESERVED
+CVE-2018-0970
+   RESERVED
+CVE-2018-0969
+   RESERVED
+CVE-2018-0968
+   RESERVED
+CVE-2018-0967
+   RESERVED
+CVE-2018-0966
+   RESERVED
+CVE-2018-0965
+   RESERVED
+CVE-2018-0964
+   RESERVED
+CVE-2018-0963
+   RESERVED
+CVE-2018-0962
+   RESERVED
+CVE-2018-0961
+   RESERVED
+CVE-2018-0960
+   RESERVED
+CVE-2018-0959
+   RESERVED
+CVE-2018-0958
+   RESERVED
+CVE-2018-0957
+   RESERVED
+CVE-2018-0956
+   RESERVED
+CVE-2018-0955
+   RESERVED
+CVE-2018-0954
+   RESERVED
+CVE-2018-0953
+   RESERVED
+CVE-2018-0952
+   RESERVED
+CVE-2018-0951
+   RESERVED
+CVE-2018-0950
+   RESERVED
+CVE-2018-0949
+   RESERVED
+CVE-2018-0948
+   RESERVED
+CVE-2018-0947
+   RESERVED
+CVE-2018-0946
+   RESERVED
+CVE-2018-0945
+   RESERVED
+CVE-2018-0944
+   RESERVED
+CVE-2018-0943
+   RESERVED
+CVE-2018-0942
+   RESERVED
+CVE-2018-0941
+   RESERVED
+CVE-2018-0940
+   RESERVED
+CVE-2018-0939
+   RESERVED
+CVE-2018-0938
+   RESERVED
+CVE-2018-0937
+   RESERVED
+CVE-2018-0936
+   RESERVED
+CVE-2018-0935
+   RESERVED
+CVE-2018-0934
+   RESERVED
+CVE-2018-0933
+   RESERVED
+CVE-2018-0932
+   RESERVED
+CVE-2018-0931
+   RESERVED
+CVE-2018-0930
+   RESERVED
+CVE-2018-0929
+   RESERVED
+CVE-2018-0928
+   RESERVED
+CVE-2018-0927
+   RESERVED
+CVE-2018-0926
+   RESERVED
+CVE-2018-0925
+   RESERVED
+CVE-2018-0924
+   RESERVED
+CVE-2018-0923
+   RESERVED
+CVE-2018-0922
+   RESERVED
+CVE-2018-0921
+   RESERVED
+CVE-2018-0920
+   RESERVED
+CVE-2018-0919
+   RESERVED
+CVE-2018-0918
+   RESERVED
+CVE-2018-0917
+   RESERVED
+CVE-2018-0916
+   RESERVED
+CVE-2018-0915
+   RESERVED
+CVE-2018-0914
+   RESERVED
+CVE-2018-0913
+   RESERVED
+CVE-2018-0912
+   RESERVED
+CVE-2018-0911
+   RESERVED
+CVE-2018-0910
+   RESERVED
+CVE-2018-0909
+   RESERVED
+CVE-2018-0908
+   RESERVED
+CVE-2018-0907
+   RESERVED
+CVE-2018-0906
+   RESERVED
+CVE-2018-0905
+   RESERVED
+CVE-2018-0904
+   RESERVED
+CVE-2018-0903
+   RESERVED
+CVE-2018-0902
+   RESERVED
+CVE-2018-0901
+   RESERVED
+CVE-2018-0900
+   RESERVED
+CVE-2018-0899
+   RESERVED
+CVE-2018-0898
+   RESERVED
+CVE-2018-0897
+   RESERVED
+CVE-2018-0896
+

[Secure-testing-commits] r58194 - data/CVE

2017-12-01 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-01 19:56:17 + (Fri, 01 Dec 2017)
New Revision: 58194

Modified:
   data/CVE/list
Log:
more wireshark triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 19:51:51 UTC (rev 58193)
+++ data/CVE/list   2017-12-01 19:56:17 UTC (rev 58194)
@@ -11062,6 +11062,8 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-39.html
 CVE-2017-13765 (In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the 
IrCOMM ...)
- wireshark 2.4.1-1
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13929
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=94666d4357096fc45e3bcad3d9414a14f0831bc8
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-41.html
@@ -18053,7 +18055,9 @@
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e57c86ef8e3b57b7f90c224f6053d1eacf20e1ba
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-34.html
 CVE-2017-11407 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ 
dissector could ...)
-   - wireshark 2.4.0-1 (bug #870172)
+   - wireshark 2.4.0-1 (low; bug #870172)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13792
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4e54dae7f0d7840836ee6d5ce1e688f152ab2978
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-35.html
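
Review bot: in the CVE-2017-11407 entry the unstable line gains a "low" urgency next to the bug number, but CVE-2017-13765 in the previous hunk receives the same [stretch] and [jessie] "Minor issue" lines while its "- wireshark 2.4.1-1" line is left without an urgency. If both issues are triaged as equally minor, annotate both entries the same way, or drop "low" here.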




[Secure-testing-commits] r58193 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 19:51:51 + (Fri, 01 Dec 2017)
New Revision: 58193

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 18:36:19 UTC (rev 58192)
+++ data/CVE/list   2017-12-01 19:51:51 UTC (rev 58193)
@@ -5579,7 +5579,7 @@
 CVE-2017-15674
RESERVED
 CVE-2017-15673 (The files function in the administration section in CS-Cart 
4.6.2 and ...)
-   TODO: check
+   NOT-FOR-US: CS-Cart
 CVE-2017-15672 (The read_header function in libavcodec/ffv1dec.c in FFmpeg 
3.3.4 and ...)
{DSA-4049-1}
- ffmpeg 7:3.4-1
@@ -5746,7 +5746,7 @@
 CVE-2017-15608
RESERVED
 CVE-2017-15607 (Inedo Otter before 1.7.4 has directory traversal in 
filesystem-based ...)
-   TODO: check
+   NOT-FOR-US: Inedo Otter
 CVE-2017-15606
RESERVED
 CVE-2017-15605
@@ -9907,13 +9907,13 @@
 CVE-2017-14190
RESERVED
 CVE-2017-14189 (An improper access control vulnerability in Fortinet 
FortiWebManager ...)
-   TODO: check
+   NOT-FOR-US: Fortinet
 CVE-2017-14188
RESERVED
 CVE-2017-14187
RESERVED
 CVE-2017-14186 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 
5.6.0 ...)
-   TODO: check
+   NOT-FOR-US: Fortinet
 CVE-2017-14185
RESERVED
 CVE-2017-14184
@@ -10783,7 +10783,7 @@
 CVE-2017-13873
RESERVED
 CVE-2017-13872 (An issue was discovered in certain Apple products. macOS High 
Sierra ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13871
RESERVED
 CVE-2017-13870
@@ -15386,95 +15386,95 @@
 CVE-2017-12373
RESERVED
 CVE-2017-12372 (A "Cisco WebEx Network Recording Player Remote Code 
Execution ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12371 (A "Cisco WebEx Network Recording Player Remote Code 
Execution ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12370 (A "Cisco WebEx Network Recording Player Remote Code 
Execution ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12369 (A "Cisco WebEx Network Recording Player Out-of-Bounds 
Vulnerability" ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12368 (A "Cisco WebEx Network Recording Player Remote Code 
Execution ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12367 (A "Cisco WebEx Network Recording Player Denial of Service 
...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12366 (A vulnerability in Cisco WebEx Meeting Center could allow an 
...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12365 (A vulnerability in Cisco WebEx Event Center could allow an ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12364 (A SQL Injection vulnerability in the web framework of Cisco 
Prime ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12363 (A vulnerability in Cisco WebEx Meeting Server could allow an 
...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12362 (A vulnerability in Cisco Meeting Server versions prior to 
2.2.2 could ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12361 (A vulnerability in Cisco Jabber for Windows could allow an ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12360 (A vulnerability in Cisco WebEx Network Recording Player for 
WebEx ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12359 (A Buffer Overflow vulnerability in Cisco WebEx Network 
Recording Player ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12358 (A vulnerability in the web-based management interface of Cisco 
Jabber ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12357 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12356 (A vulnerability in the web-based management interface of Cisco 
Jabber ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12355 (A vulnerability in the Local Packet Transport Services (LPTS) 
ingress ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12354 (A vulnerability in the web-based interface of Cisco Secure 
Access ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12353 (A vulnerability in the Multipurpose Internet Mail Extensions 
(MIME) ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12352 (A vulnerability in certain system script files that are 
installed at ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12351 (A vulnerability in the guest shell feature of Cisco NX-OS 
System ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12350 (A vulnerability in Cisco Umbrella Insights Virtual Appliances 
2.1.0 and ...)
NOT-FOR-US: Cisco
 CVE-2017-12349 (Multiple vulnerabilities in the web-based management interface 
of Cisco ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2017-12348 (Multiple vulnerabilities in the web-based management interface 
of Cisco ...)
-   

[Secure-testing-commits] r58192 - data/CVE

2017-12-01 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-01 18:36:19 + (Fri, 01 Dec 2017)
New Revision: 58192

Modified:
   data/CVE/list
Log:
further wireshark triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 18:21:43 UTC (rev 58191)
+++ data/CVE/list   2017-12-01 18:36:19 UTC (rev 58192)
@@ -6842,24 +6842,33 @@
- kanboard  (bug #790814)
 CVE-2017-15193 (In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM 
dissector ...)
- wireshark 2.4.2-1 (low)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14056
NOTE: https://code.wireshark.org/review/23537
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=afb9ff7982971aba6e42472de0db4c1bedfc641b
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-43.html
 CVE-2017-15192 (In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT 
dissector ...)
- wireshark 2.4.2-1 (low)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14049
NOTE: https://code.wireshark.org/review/23470
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3689dc1db36037436b1616715f9a3f888fc9a0f6
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-42.html
 CVE-2017-15191 (In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 
2.0.15, the ...)
- wireshark 2.4.2-1 (low)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14068
NOTE: https://code.wireshark.org/review/23591
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8dbb21dfde14221dab09b6b9c7719b9067c1f06e
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-44.html
 CVE-2017-15190 (In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. 
This was ...)
- wireshark 2.4.2-1 (low)
+   [stretch] - wireshark  (Only affects 2.4)
+   [jessie] - wireshark  (Only affects 2.4)
+   [wheezy] - wireshark  (Only affects 2.4)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14077
NOTE: https://code.wireshark.org/review/23635
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e27870eaa6efa1c2dac08aa41a67fe9f0839e6e0
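Review bot: CVE-2017-15190 gains a [wheezy] line in this hunk, but CVE-2017-15193, CVE-2017-15192 and CVE-2017-15191 directly above it receive only [stretch] and [jessie] annotations. If wheezy is being left for separate triage that is fine, but it is worth saying so in the log; otherwise those three entries need a wheezy status too, since their descriptions list the 2.2.x range and, for CVE-2017-15191, 2.0.x as well.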
@@ -23982,6 +23991,8 @@
NOT-FOR-US: Subsonic
 CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP 
dissector ...)
- wireshark 2.2.7-1 (bug #864058)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646
 CVE-2017-9353 (In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. 
This was ...)
@@ -23998,12 +24009,16 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-22.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13599
 CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP 
dissector ...)
-   - wireshark 2.2.7-1 (bug #864058)
+   - wireshark 2.2.7-1 (low; bug #864058)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-24.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13628
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13609
 CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY 
...)
-   - wireshark 2.2.7-1 (bug #864058)
+   - wireshark 2.2.7-1 (low; bug #864058)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13649
NOTE: When fixing this entry make sure to apply the complete fix and 
adding
@@ -24017,6 +24032,7 @@
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13685
 CVE-2017-9348 (In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past 
the end ...)
- wireshark 2.2.7-1 (bug #864058)
+   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Only affects 2.2.x)
[wheezy] - wireshark  (Only affects 2.2.x)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-23.html



[Secure-testing-commits] r58191 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 18:21:43 + (Fri, 01 Dec 2017)
New Revision: 58191

Modified:
   data/CVE/list
Log:
package NOTEs: Switch to sources.debian.org links where previously referencing sources.debian.net

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 18:18:50 UTC (rev 58190)
+++ data/CVE/list   2017-12-01 18:21:43 UTC (rev 58191)
@@ -26778,7 +26778,7 @@
- lame 3.99.5+repack1-7
[wheezy] - lame 3.99.5+repack1-3+deb7u1
NOTE: https://sourceforge.net/p/lame/bugs/458/
-   NOTE: Issue addressed in Debian via: 
https://sources.debian.net/patches/lame/3.99.5%2Brepack1-9/0001-Add-check-for-invalid-input-sample-rate.patch/
+   NOTE: Issue addressed in Debian via: 
https://sources.debian.org/patches/lame/3.99.5%2Brepack1-9/0001-Add-check-for-invalid-input-sample-rate.patch/
NOTE: in the revised version as included in 3.99.5+repack1-7
 CVE-2016-10366 (Kibana versions after and including 4.3 and before 4.6.2 are 
...)
- kibana  (bug #700337)
@@ -29167,7 +29167,7 @@
NOTE: Fixed by: 
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
NOTE: 
https://blogs.gentoo.org/ago/2017/04/11/libsndfile-invalid-memory-read-and-invalid-memory-write-in/
NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
-   NOTE: 
https://sources.debian.net/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
+   NOTE: 
https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
 CVE-2017-7740
RESERVED
 CVE-2017-7739 (A reflected Cross-site Scripting (XSS) vulnerability in web 
proxy ...)
@@ -29667,7 +29667,7 @@
NOTE: 
https://github.com/erikd/libsndfile/commit/708e996c87c5fae77b104ccfeb8f6db784c32074
NOTE: 
https://github.com/erikd/libsndfile/commit/f457b7b5ecfe91697ed01cfc825772c4d8de1236
NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
-   NOTE: 
https://sources.debian.net/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
+   NOTE: 
https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
 CVE-2017-7585 (In libsndfile before 1.0.28, an error in the 
"flac_buffer_copy()" ...)
{DLA-928-1}
- libsndfile 1.0.27-2
@@ -29675,7 +29675,7 @@
NOTE: 
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-4/
NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to 
address this issue
-   NOTE: 
https://sources.debian.net/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
+   NOTE: 
https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
 CVE-2017-7584 (Memory Corruption Vulnerability in Foxit PDF Toolkit before 2.1 
allows ...)
NOT-FOR-US: Foxit PDF Toolkit
 CVE-2017-7583 (ILIAS before 5.2.3 has XSS via SVG documents. ...)
@@ -71973,7 +71973,7 @@
- ansible 2.0.1.0-2 (bug #819676)
[jessie] - ansible  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1322925
-   NOTE: 
https://sources.debian.net/src/ansible/2.0.1.0-1/lib/ansible/modules/extras/cloud/lxc/lxc_container.py/?hl=523#L523
+   NOTE: 
https://sources.debian.org/src/ansible/2.0.1.0-1/lib/ansible/modules/extras/cloud/lxc/lxc_container.py/?hl=523#L523
 CVE-2016-3095 (server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows 
local ...)
NOT-FOR-US: Pulp (Red Hat)
 CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the 
broker ...)
@@ -84017,7 +84017,7 @@
[jessie] - salt  (Minor issue)
NOTE: For jessie: /var/cache/salt/minion is created with restricted 
permissions on
NOTE: first start of salt-minion in verify_env mitigating the issue, cf.
-   NOTE: 
https://sources.debian.net/src/salt/2014.1.13%2Bds-3/salt/utils/verify.py/#L207
+   NOTE: 
https://sources.debian.org/src/salt/2014.1.13%2Bds-3/salt/utils/verify.py/#L207
NOTE: 
https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741
NOTE: https://github.com/saltstack/salt/issues/28455
 CVE-2014-9755 (The hardware VPN client in Viprinet MultichannelVPN Router 300 
version ...)
@@ -94748,7 +94748,7 @@
NOTE: "original" implementation of legal? using ^[0-9a-f]{24}$ regular 
expression
NOTE: Fix: 
https://github.com/mongodb/mongo-ruby-driver/commit/bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade
 (1.x-stable)
NOTE: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
-   NOTE: 
https://sources.debian.net/src/ruby-bson/1.10.0-1/lib/bson/types/object_id.rb/#L54
+   NOTE: 
h

[Secure-testing-commits] r58190 - check-external

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 18:18:50 + (Fri, 01 Dec 2017)
New Revision: 58190

Modified:
   check-external/unknown-packages.py
Log:
unknown-packages: Switch to https URL for sources.debian.org

Modified: check-external/unknown-packages.py
===
--- check-external/unknown-packages.py  2017-12-01 18:18:47 UTC (rev 58189)
+++ check-external/unknown-packages.py  2017-12-01 18:18:50 UTC (rev 58190)
@@ -49,7 +49,7 @@
 
 def fromSources(pkg):
 try: 
-   data = 
json.load(urllib2.urlopen('http://sources.debian.org/api/src/%s/latest/' %pkg))
+   data = 
json.load(urllib2.urlopen('https://sources.debian.org/api/src/%s/latest/' %pkg))
 except urllib2.HTTPError as e:
return []
 if 'error' in data: return []
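Review bot: with the scheme now https in fromSources, the `except urllib2.HTTPError` clause is too narrow, because a TLS handshake or certificate verification failure is raised as urllib2.URLError, the parent class of HTTPError, and will surface as a traceback rather than the empty list. Catch URLError explicitly and decide whether that case should return [] or abort the run, since silently treating a failed lookup as "no such package" changes the script's result. The `%pkg` interpolation also places the package name in the path unquoted; passing it through urllib.quote first would keep unexpected characters out of the request.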



[Secure-testing-commits] r58189 - check-external

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 18:18:47 + (Fri, 01 Dec 2017)
New Revision: 58189

Modified:
   check-external/unknown-packages.py
Log:
unknown-packages: Use sources.debian.org rather than sources.debian.net

Modified: check-external/unknown-packages.py
===
--- check-external/unknown-packages.py  2017-12-01 18:18:45 UTC (rev 58188)
+++ check-external/unknown-packages.py  2017-12-01 18:18:47 UTC (rev 58189)
@@ -49,7 +49,7 @@
 
 def fromSources(pkg):
 try: 
-   data = 
json.load(urllib2.urlopen('http://sources.debian.net/api/src/%s/latest/' %pkg))
+   data = 
json.load(urllib2.urlopen('http://sources.debian.org/api/src/%s/latest/' %pkg))
 except urllib2.HTTPError as e:
return []
 if 'error' in data: return []
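Review bot: the replacement URL in fromSources still uses plain http://, so the JSON that decides whether a package is known is fetched without transport integrity and can be altered in transit. The host is being edited in this line anyway, so switch the scheme to https:// in the same change rather than leaving it for a follow-up.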



[Secure-testing-commits] r58188 - bin

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 18:18:45 + (Fri, 01 Dec 2017)
New Revision: 58188

Modified:
   bin/tracker_service.py
Log:
tracker_service: use sources.debian.org rather than sources.debian.net

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2017-12-01 17:28:02 UTC (rev 58187)
+++ bin/tracker_service.py  2017-12-01 18:18:45 UTC (rev 58188)
@@ -1571,7 +1571,7 @@
 return url.absolute("https://bugs.debian.org/cgi-bin/pkgreport.cgi";,
 pkg=debian)
 def url_source_code(self, url, package):
-return url.absolute("https://sources.debian.net/src/%s/"; % package)
+return url.absolute("https://sources.debian.org/src/%s/"; % package)
 def url_pts(self, url, package):
 return url.absolute("https://tracker.debian.org/pkg/%s"; % package)
 def url_testing_status(self, url, package):
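Review bot: url_source_code formats the package name straight into the path with `%`, while the pkgreport URL a few lines above passes the name as a keyword argument. If url.absolute does not escape its first argument, a package name containing reserved characters ends up unencoded in the generated link; quoting the name before formatting would make this robust, and the same applies to url_pts in the context lines below.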



[Secure-testing-commits] r58187 - data/CVE

2017-12-01 Thread Chris Lamb
Author: lamby
Date: 2017-12-01 17:28:02 + (Fri, 01 Dec 2017)
New Revision: 58187

Modified:
   data/CVE/list
Log:
Follow stable in wheezy for CVE-2017-17087 (vim)

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 17:23:31 UTC (rev 58186)
+++ data/CVE/list   2017-12-01 17:28:02 UTC (rev 58187)
@@ -23,6 +23,7 @@
- vim 
[stretch] - vim  (Minor issue)
[jessie] - vim  (Minor issue)
+   [wheezy] - vim  (Minor issue)
NOTE: 
https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
 CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a 
"" substring in an ...)
NOT-FOR-US: Indeo Otter



[Secure-testing-commits] r58186 - data/CVE

2017-12-01 Thread Chris Lamb
Author: lamby
Date: 2017-12-01 17:23:31 + (Fri, 01 Dec 2017)
New Revision: 58186

Modified:
   data/CVE/list
Log:
CVE-2017-15108/spice-vdagent not vulnerable in wheezy.

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 15:44:29 UTC (rev 58185)
+++ data/CVE/list   2017-12-01 17:23:31 UTC (rev 58186)
@@ -7071,6 +7071,7 @@
- spice-vdagent  (bug #883238)
[stretch] - spice-vdagent  (Minor issue)
[jessie] - spice-vdagent  (Minor issue)
+   [wheezy] - spice-vdagent  (Vulnerable code not present)
NOTE: Fixed by: 
https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864
 CVE-2017-15107



[Secure-testing-commits] r58185 - data/CVE

2017-12-01 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-01 15:44:29 + (Fri, 01 Dec 2017)
New Revision: 58185

Modified:
   data/CVE/list
Log:
wireshark triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 15:38:34 UTC (rev 58184)
+++ data/CVE/list   2017-12-01 15:44:29 UTC (rev 58185)
@@ -45,8 +45,8 @@
RESERVED
 CVE-2017-17081 (The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in 
FFmpeg 3.4 ...)
- ffmpeg 
+   [stretch] - ffmpeg  (Can wait for the next 3.2.x release)
NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/58cf31cee7a456057f337b3102a03206d833d5e8
-   TODO: check
 CVE-2017-17080 (elf.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as ...)
- binutils 
[stretch] - binutils  (Minor issue)
@@ -6865,6 +6865,8 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-45.html
 CVE-2017-15189 (In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go 
into an ...)
- wireshark 2.4.2-1 (low)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14080
NOTE: https://code.wireshark.org/review/23663
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=625bab309d9dd21db2d8ae2aa3511810d32842a8
@@ -11036,6 +11038,8 @@
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/2c1b360d80e5f8f7c7108c0afedde64ab79318ff
 CVE-2017-13767 (In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the 
MSDP ...)
- wireshark 2.4.1-1
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13933
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f18ace2a2683418a9368a8dfd92da6bd8213e15
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-38.html
@@ -11052,6 +11056,8 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-41.html
 CVE-2017-13764 (In Wireshark 2.4.0, the Modbus dissector could crash with a 
NULL ...)
- wireshark 2.4.1-1
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13925
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b87ffbd12bddf64582c0a6e082b462744474de94
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-40.html
@@ -18015,6 +18021,7 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html
 CVE-2017-11410 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML 
...)
- wireshark 2.4.0-1 (bug #870180)
+   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Incomplete fix for CVE-2017-7702 
not applied)
[wheezy] - wireshark  (Incomplete fix for CVE-2017-7702 
not applied)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13796
@@ -18041,6 +18048,8 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-35.html
 CVE-2017-11406 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS 
dissector ...)
- wireshark 2.4.0-1 (bug #870172)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13797
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=250216263c3a3f2c651e80d9c6b3dc0adc53dc2c
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-36.html
@@ -22597,7 +22606,9 @@
 CVE-2017-9767 (Multiple cross-site scripting (XSS) vulnerabilities in Quali 
...)
NOT-FOR-US: Quali CloudShell
 CVE-2017-9766 (In Wireshark 2.2.7, PROFINET IO data with a high recursion 
depth allows ...)
-   - wireshark 2.4.0-1 (bug #870175)
+   - wireshark 2.4.0-1 (low; bug #870175)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d6e888400ba64de3147da4c23edf389b
 CVE-2017-9765 (Integer overflow in the soap_get function in Genivia gSOAP 
2.7.x and ...)
@@ -23179,9 +23190,13 @@
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3c2aebbedd37fab054e80f2e315de07d7e9b5bdb
 CVE-2017-9617 (In Wireshark 2.2.7, deeply nested DAAP data may cause stack 
exhaustion ...)
- wireshark 2.4.0-1 (low; bug #870174)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13799
 CVE-2017-9616 (In Wireshark 2.2.7, overly deep mp4 chunks may cause stack 
exhaustion ...)
- wireshark 2.4.0-1 (low; bug #870173)
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wiresha

[Secure-testing-commits] r58184 - bin

2017-12-01 Thread Guido Guenther
Author: agx
Date: 2017-12-01 15:38:34 + (Fri, 01 Dec 2017)
New Revision: 58184

Modified:
   bin/report-vuln
Log:
report-vuln: use Python3 compatible exception syntax

Modified: bin/report-vuln
===
--- bin/report-vuln 2017-12-01 15:34:50 UTC (rev 58183)
+++ bin/report-vuln 2017-12-01 15:38:34 UTC (rev 58184)
@@ -61,7 +61,7 @@
 try:
 f = urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % 
param)
 resp = f.read()
-except Exception, e:
+except Exception as e:
 error('on doing HTTP request' + str(e))
 
 f.close()
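Review bot: the try body directly above the changed line still calls `urllib.urlopen`, which exists only in Python 2 (Python 3 has it under urllib.request), so this function does not run on Python 3 even with the new `except ... as e` syntax. If Python 3 support is the goal, the import and call need a compatibility shim in the same series. Separately, `'on doing HTTP request' + str(e)` joins the message and the exception text with no separator; add ': ' so the error is readable.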



[Secure-testing-commits] r58183 - bin

2017-12-01 Thread Guido Guenther
Author: agx
Date: 2017-12-01 15:34:50 + (Fri, 01 Dec 2017)
New Revision: 58183

Modified:
   bin/report-vuln
Log:
report-vuln: don't report version as None when not set

This also brings back the X-Debbugs-CC entries

Modified: bin/report-vuln
===
--- bin/report-vuln 2017-12-01 14:19:09 UTC (rev 58182)
+++ bin/report-vuln 2017-12-01 15:34:50 UTC (rev 58183)
@@ -132,11 +132,11 @@
 
 if affected is None:
 if blanks:
-ret += "Version: FILLINAFFECTEDVERSION\n"
-else:
-ret += "Version: %s\n" % affected
-if cc and len(cclist) > 0:
-ret += "X-Debbugs-CC: %s\n" % " ".join(cclist)
+   ret += "Version: FILLINAFFECTEDVERSION\n"
+else:
+ret += "Version: %s\n" % affected
+if cc and len(cclist) > 0:
+ret += "X-Debbugs-CC: %s\n" % " ".join(cclist)
 ret += '''Severity: %s
 Tags: security
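Review bot: the first added line, `ret += "Version: FILLINAFFECTEDVERSION\n"`, is indented differently from the other four added lines as shown here, which suggests a tab in an otherwise space-indented block. Since this commit exists to repair a block whose meaning depends on indentation, the added lines should use the same whitespace throughout; Python 3 rejects inconsistent tab and space mixing with a TabError, and on Python 2 it can silently change which branch a line belongs to.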
 



[Secure-testing-commits] r58182 - bin

2017-12-01 Thread Guido Guenther
Author: agx
Date: 2017-12-01 14:19:09 + (Fri, 01 Dec 2017)
New Revision: 58182

Modified:
   bin/report-vuln
Log:
report-vuln: allow to invoke mailer

This allows to invoke the mailer directly like

bin/report-vuln -M  ...

the default behaviour is unchanged.

Modified: bin/report-vuln
===
--- bin/report-vuln 2017-12-01 12:04:20 UTC (rev 58181)
+++ bin/report-vuln 2017-12-01 14:19:09 UTC (rev 58182)
@@ -1,25 +1,18 @@
 #!/usr/bin/env python
 #
-# generate bug report content for a given package name
-# and a number of CVE ids
+# generate bug report content/mail for a given package name and a
+# number of CVE ids
 #
-# you could use it for example in combination with the
-# following shell function:
+# To invoke the mailer right away:
 #
-# report-vuln(){
-# TMPFILE="$HOME/reportbug.tmp"
-# $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE
-# mutt -H $TMPFILE
-# rm $TMPFILE
-# }
+# $HOME/debian/svn/secure-testing/bin/report-vuln -M  
 #
-# in bash, this can be simply:
-#
-# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m  )
-#
 # export http_proxy if you need to use an http proxy to report bugs
 
+from __future__ import print_function
+
 import argparse
+from tempfile import NamedTemporaryFile
 import sys, re, urllib, os
 
 temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-')
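Review bot: the header comment loses all documentation of the `-m` workflow (the shell function and the `mutt -H` one-liner), yet the log says the default behaviour is unchanged and `-m/--mail-header` is still defined in the argument parser further down. Keep a short line describing `-m` next to the new `-M` example so both invocations remain documented. The new `-M` example also ends without showing its arguments; state the expected package and CVE id arguments there.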
@@ -118,10 +111,11 @@
 cve_suff = ''
 time_w = 'was'
 temp_id_cnt = 0
-header = ''
+ret = ''
 
+
 if mh:
-header += '''To: sub...@bugs.debian.org
+ret += '''To: sub...@bugs.debian.org
 Subject: %s: %s
 
 ''' % (pkg, ' '.join(cveid))
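Review bot: pkg and the joined CVE ids are formatted into the To/Subject block without any check, and with -M this text is now handed directly to a mailer, so a carriage return or newline in either argument would introduce additional header lines. Reject arguments containing CR or LF before building ret. The second blank line added before `if mh:` is not needed.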
@@ -132,56 +126,55 @@
 time_w = 'were'
 
 if src:
-header += '''Source: %s\n''' % (pkg)
+ret += 'Source: %s\n' % (pkg)
 else:
-header += '''Package: %s\n''' % (pkg)
+ret += 'Package: %s\n' % (pkg)
 
 if affected is None:
 if blanks:
-header += "Version: FILLINAFFECTEDVERSION\n"
+ret += "Version: FILLINAFFECTEDVERSION\n"
 else:
-header += "Version: %s\n" % affected
+ret += "Version: %s\n" % affected
 if cc and len(cclist) > 0:
-header += "X-Debbugs-CC: %s\n" % " ".join(cclist)
-header += '''Severity: %s
+ret += "X-Debbugs-CC: %s\n" % " ".join(cclist)
+ret += '''Severity: %s
 Tags: security
 
 Hi,
 
-the following vulnerabilit%s %s published for %s.
+the following vulnerabilit%s %s published for %s.\n
 ''' % (severity, vuln_suff, time_w, pkg)
 
-footer = '''If you fix the vulnerabilit%s please also make sure to include 
the
-CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
-
-For further information see:''' % (vuln_suff, cve_suff)
-
-print header
 for cnt, cve in enumerate(cveid):
 if not temp_id.match(cve):
-print cve + '[' + str(cnt) + ']:'
-print get_cve(cve)
+ret += cve + '[' + str(cnt) + ']:\n'
+ret += get_cve(cve) + '\n'
 else:
-print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
+ret += 'Issue without CVE id #%d [%d]:\n' % (temp_id_cnt, cnt)
 desc = description_from_list(cve, pkg, temp_id_cnt)
 if desc:
-print desc + '\n'
+ret += desc + '\n\n'
 else:
-print 'No description has been specified\n'
+ret += 'No description has been specified\n\n'
 temp_id_cnt += 1
 
-print footer
-print gen_index(cveid)
+ret += '''If you fix the vulnerabilit%s please also make sure to include 
the
+CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
 
+For further information see:\n''' % (vuln_suff, cve_suff)
+ret += gen_index(cveid) + '\n'
+
 if temp_id_cnt > 0:
-print 
'\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
-print '(issues without CVE id are assigned a TEMP one, but it may 
change over time)\n'
+ret += 
'\nhttps://security-tracker.debian.org/tracker/source-package/%s\n' % (pkg)
+ret += '(issues without CVE id are assigned a TEMP one, but it may 
change over time)\n'
 
 if not blanks:
-print '''\nPlease adjust the affected versions in the BTS as 
needed.\n'''
+ret += '\nPlease adjust the affected versions in the BTS as needed.\n'
 
+return ret
+
 def error(msg):
-print 'error: ' + msg
+print('error: ' + msg, file=sys.stderr)
 sys.exit(1)
 
 class NegateAction(argparse.Action):
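Review bot: `ret += get_cve(cve) + '\n'` and `ret += gen_index(cveid) + '\n'` now require both helpers to return a string, whereas the removed `print get_cve(cve)` and `print gen_index(cveid)` tolerated any return value; if either can return None on a failed lookup, this raises TypeError. Guard the return value or make the helpers always return a string. The added `\n` at the end of "published for %s." sits inside a triple-quoted string that already ends with a line break, so the generated mail gets an extra empty line at that point; check that this is intended.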
@@ -220,6 +213,10 @@
 help='list of addresses to add in CC (default: 
%(default)s)')
 parser.add_argument('--src', action="store_true", help='report against 
source package')
 parser.add_argument('-m', '--mail-header', action="store_true", 
help='generate a mail header')
+parser.add_argument('-M', '--mail', action="store_t

[Secure-testing-commits] r58181 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 12:04:20 + (Fri, 01 Dec 2017)
New Revision: 58181

Modified:
   data/CVE/list
Log:
Split wordpress entry into the four fixed security issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 11:15:48 UTC (rev 58180)
+++ data/CVE/list   2017-12-01 12:04:20 UTC (rev 58181)
@@ -1,6 +1,19 @@
-CVE-2017- [wordpress 4.9.1 fixes security vulnerabilities]
+CVE-2017- [Use a properly generated hash for the 'newbloguser' key instead 
of a determinate substring]
- wordpress 
+   NOTE: 
https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
+CVE-2017- [Add escaping to the language attributes used on 'html' elements]
+   - wordpress 
+   NOTE: 
https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
+   NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
+CVE-2017- [Ensure the attributes of enclosures are correctly escaped in 
RSS and Atom feeds]
+   - wordpress 
+   NOTE: 
https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
+   NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
+CVE-2017- [Remove the ability to upload JavaScript files for users who do 
not have the 'unfiltered_html' capability]
+   - wordpress 
+   NOTE: 
https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
+   NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 CVE-2017- [heap-based buffer overflow in the pal2rgb tool]
- tiff 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750



[Secure-testing-commits] r58180 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 11:15:48 + (Fri, 01 Dec 2017)
New Revision: 58180

Modified:
   data/CVE/list
Log:
new wordpress release

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 10:30:10 UTC (rev 58179)
+++ data/CVE/list   2017-12-01 11:15:48 UTC (rev 58180)
@@ -1,3 +1,6 @@
+CVE-2017- [wordpress 4.9.1 fixes security vulnerabilities]
+   - wordpress 
+   NOTE: 
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 CVE-2017- [heap-based buffer overflow in the pal2rgb tool]
- tiff 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750



[Secure-testing-commits] r58179 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 10:30:10 + (Fri, 01 Dec 2017)
New Revision: 58179

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 10:28:22 UTC (rev 58178)
+++ data/CVE/list   2017-12-01 10:30:10 UTC (rev 58179)
@@ -86,7 +86,7 @@
 CVE-2017-17066
RESERVED
 CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2017-17064
RESERVED
 CVE-2017-17063
@@ -98,7 +98,7 @@
 CVE-2017-17060
RESERVED
 CVE-2017-17059 (XSS exists in the amtyThumb amty-thumb-recent-post (aka 
amtyThumb posts ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin wp-thumb-post
 CVE-2017-1000385
RESERVED
 CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a 
Directory ...)



[Secure-testing-commits] r58178 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 10:28:22 + (Fri, 01 Dec 2017)
New Revision: 58178

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 10:27:24 UTC (rev 58177)
+++ data/CVE/list   2017-12-01 10:28:22 UTC (rev 58178)
@@ -82,7 +82,7 @@
 CVE-2017-17068
RESERVED
 CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x 
before ...)
-   TODO: check
+   NOT-FOR-US: Splunk Web
 CVE-2017-17066
RESERVED
 CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before ...)



[Secure-testing-commits] r58177 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 10:27:24 + (Fri, 01 Dec 2017)
New Revision: 58177

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 10:18:45 UTC (rev 58176)
+++ data/CVE/list   2017-12-01 10:27:24 UTC (rev 58177)
@@ -9,7 +9,7 @@
[jessie] - vim  (Minor issue)
NOTE: 
https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
 CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a 
"" substring in an ...)
-   TODO: check
+   NOT-FOR-US: Indeo Otter
 CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP 
Safety ...)
- wireshark 
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14250



[Secure-testing-commits] r58176 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 10:18:45 + (Fri, 01 Dec 2017)
New Revision: 58176

Modified:
   data/CVE/list
Log:
new tiff issue. heap-based buffer overflow in the pal2rgb tool

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:55:28 UTC (rev 58175)
+++ data/CVE/list   2017-12-01 10:18:45 UTC (rev 58176)
@@ -1,3 +1,6 @@
+CVE-2017- [heap-based buffer overflow in the pal2rgb tool]
+   - tiff 
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750
 CVE-2017-17088
RESERVED
 CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of 
a .swp ...)
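Review bot: The new temporary entry at the top of the list names only the tiff source package. If the older tiff3 source package builds the same pal2rgb code, it needs its own line in this entry; r58205 later adds one.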




[Secure-testing-commits] r58175 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 09:55:28 + (Fri, 01 Dec 2017)
New Revision: 58175

Modified:
   data/CVE/list
Log:
CVE-2017-16933/icinga2 bts

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:36:27 UTC (rev 58174)
+++ data/CVE/list   2017-12-01 09:55:28 UTC (rev 58175)
@@ -1695,7 +1695,7 @@
 CVE-2017-16934 (The web server on DBL DBLTek devices allows remote attackers 
to execute ...)
NOT-FOR-US: DBL DBLTek devices
 CVE-2017-16933 (etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.0 has a 
chown ...)
-   - icinga2 
+   - icinga2  (bug #883247)
NOTE: https://github.com/Icinga/icinga2/issues/5793
 CVE-2016-10700 (auth_login.php in Cacti before 1.0.0 allows remote 
authenticated users ...)
- cacti 0.8.8h+ds1-5 (bug #833420)




[Secure-testing-commits] r58174 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 09:36:27 + (Fri, 01 Dec 2017)
New Revision: 58174

Modified:
   data/CVE/list
Log:
Add CVE-2017-17080/binutils

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:34:35 UTC (rev 58173)
+++ data/CVE/list   2017-12-01 09:36:27 UTC (rev 58174)
@@ -29,7 +29,11 @@
NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/58cf31cee7a456057f337b3102a03206d833d5e8
TODO: check
 CVE-2017-17080 (elf.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as ...)
-   TODO: check
+   - binutils 
+   [stretch] - binutils  (Minor issue)
+   [jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22421
 CVE-2018-0740
RESERVED
 CVE-2018-0739
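Review bot: The new CVE-2017-17080 entry references only the upstream bug report (sourceware bug 22421), with no pointer to a fix. Since all three release lines are marked "Minor issue", add a NOTE with the fixing commit once it is known, as the wireshark entries in this list do, so the patch can be found later without rereading the bug.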




[Secure-testing-commits] r58173 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 09:34:35 + (Fri, 01 Dec 2017)
New Revision: 58173

Modified:
   data/CVE/list
Log:
Add CVE-2017-17081/ffmpeg, kept TODO since need to be further checked

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:32:46 UTC (rev 58172)
+++ data/CVE/list   2017-12-01 09:34:35 UTC (rev 58173)
@@ -25,6 +25,8 @@
 CVE-2017-17082
RESERVED
 CVE-2017-17081 (The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in 
FFmpeg 3.4 ...)
+   - ffmpeg 
+   NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/58cf31cee7a456057f337b3102a03206d833d5e8
TODO: check
 CVE-2017-17080 (elf.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as ...)
TODO: check
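Review bot: The NOTE added under CVE-2017-17081 is a bare commit URL and does not say what the commit is. If it is the upstream fix, prefix the URL with "Fixed by:", the form the CVE-2017-1000405 entry in this list uses, so that whoever resolves the remaining TODO can see what has already been established.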




[Secure-testing-commits] r58172 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 09:32:46 + (Fri, 01 Dec 2017)
New Revision: 58172

Modified:
   data/CVE/list
Log:
Add CVE-2017-17083/wireshark

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:31:23 UTC (rev 58171)
+++ data/CVE/list   2017-12-01 09:32:46 UTC (rev 58172)
@@ -18,7 +18,10 @@
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8502fe94ef9e431860921507e1a351c5e3f5c634
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-47.html
 CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS 
dissector ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14249
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=79768d63d14fbce6bf7fb4d4a1c86be0c5205eb3
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2017-48.html
 CVE-2017-17082
RESERVED
 CVE-2017-17081 (The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in 
FFmpeg 3.4 ...)
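Review bot: CVE-2017-17083 gets a single wireshark line and no per-release lines, although the description limits the affected versions to 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10. Record whether the releases that ship older versions contain the vulnerable NetBIOS dissector code, either as [release] lines or in a NOTE; the same question applies to CVE-2017-17084 and CVE-2017-17085.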




[Secure-testing-commits] r58171 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 09:31:23 + (Fri, 01 Dec 2017)
New Revision: 58171

Modified:
   data/CVE/list
Log:
Add CVE-2017-17084/wireshark

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:29:55 UTC (rev 58170)
+++ data/CVE/list   2017-12-01 09:31:23 UTC (rev 58171)
@@ -13,7 +13,10 @@
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f5939debe96e3c3953c6020818f1fbb80eb83ce8
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-49.html
 CVE-2017-17084 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA 
...)
-   TODO: check
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14236
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8502fe94ef9e431860921507e1a351c5e3f5c634
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2017-47.html
 CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS 
dissector ...)
TODO: check
 CVE-2017-17082




[Secure-testing-commits] r58170 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 09:29:55 + (Fri, 01 Dec 2017)
New Revision: 58170

Modified:
   data/CVE/list
Log:
Add CVE-2017-17085/wireshark

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:28:18 UTC (rev 58169)
+++ data/CVE/list   2017-12-01 09:29:55 UTC (rev 58170)
@@ -8,7 +8,10 @@
 CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a 
"" substring in an ...)
TODO: check
 CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP 
Safety ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14250
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f5939debe96e3c3953c6020818f1fbb80eb83ce8
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2017-49.html
 CVE-2017-17084 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA 
...)
TODO: check
 CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS 
dissector ...)




[Secure-testing-commits] r58169 - data/CVE

2017-12-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-01 09:28:18 + (Fri, 01 Dec 2017)
New Revision: 58169

Modified:
   data/CVE/list
Log:
Add vim issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:19:06 UTC (rev 58168)
+++ data/CVE/list   2017-12-01 09:28:18 UTC (rev 58169)
@@ -1,7 +1,10 @@
 CVE-2017-17088
RESERVED
 CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of 
a .swp ...)
-   TODO: check
+   - vim 
+   [stretch] - vim  (Minor issue)
+   [jessie] - vim  (Minor issue)
+   NOTE: 
https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
 CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a 
"" substring in an ...)
TODO: check
 CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP 
Safety ...)
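Review bot: CVE-2017-17087 gets [stretch] and [jessie] lines but no [wheezy] line, while the binutils entry added in r58174 covers all three releases. If the vim in wheezy is affected, add the line; if it is not, say so in a NOTE.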




[Secure-testing-commits] r58168 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 09:19:06 + (Fri, 01 Dec 2017)
New Revision: 58168

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:11:59 UTC (rev 58167)
+++ data/CVE/list   2017-12-01 09:19:06 UTC (rev 58168)
@@ -9325,11 +9325,11 @@
 CVE-2017-14380
RESERVED
 CVE-2017-14379 (EMC RSA Authentication Manager before 8.2 SP1 P6 has a 
cross-site ...)
-   NOT-FOR-US: EMC
+   NOT-FOR-US: EMC RSA
 CVE-2017-14378 (EMC RSA Authentication Agent API 8.5 for C and RSA 
Authentication Agent ...)
-   TODO: check
+   NOT-FOR-US: EMC RSA
 CVE-2017-14377 (EMC RSA Authentication Agent for Web: Apache Web Server 
version 8.0 and ...)
-   TODO: check
+   NOT-FOR-US: EMC RSA
 CVE-2017-14376 (EMC AppSync Server prior to 3.5.0.1 contains database accounts 
with ...)
NOT-FOR-US: EMC AppSync Server
 CVE-2017-14375 (EMC Unisphere for VMAX Virtual Appliance (vApp) versions prior 
to ...)
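Review bot: "EMC RSA" in the three changed tags is a vendor brand rather than a product, and the three CVEs concern different products (Authentication Manager, Authentication Agent API for C, Authentication Agent for Web). The unchanged neighbour uses the product name ("NOT-FOR-US: EMC AppSync Server"); do the same here, for example "NOT-FOR-US: EMC RSA Authentication Manager" for CVE-2017-14379.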




[Secure-testing-commits] r58167 - data/CVE

2017-12-01 Thread Henri Salo
Author: fgeek-guest
Date: 2017-12-01 09:11:59 + (Fri, 01 Dec 2017)
New Revision: 58167

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 09:10:17 UTC (rev 58166)
+++ data/CVE/list   2017-12-01 09:11:59 UTC (rev 58167)
@@ -18374,13 +18374,13 @@
 CVE-2017-11287
RESERVED
 CVE-2017-11286 (Adobe ColdFusion has an XML external entity (XXE) injection 
...)
-   TODO: check
+   NOT-FOR-US: Adobe ColdFusion
 CVE-2017-11285 (Adobe ColdFusion has a cross-site scripting (XSS) 
vulnerability. This ...)
-   TODO: check
+   NOT-FOR-US: Adobe ColdFusion
 CVE-2017-11284 (Adobe ColdFusion has an Untrusted Data Deserialization 
vulnerability. ...)
-   TODO: check
+   NOT-FOR-US: Adobe ColdFusion
 CVE-2017-11283 (Adobe ColdFusion has an Untrusted Data Deserialization 
vulnerability. ...)
-   TODO: check
+   NOT-FOR-US: Adobe ColdFusion
 CVE-2017-11282 (Adobe Flash Player has an exploitable memory corruption 
vulnerability ...)
NOT-FOR-US: Adobe
 CVE-2017-11281 (Adobe Flash Player has an exploitable memory corruption 
vulnerability ...)




[Secure-testing-commits] r58166 - data/CVE

2017-12-01 Thread security tracker role
Author: sectracker
Date: 2017-12-01 09:10:17 + (Fri, 01 Dec 2017)
New Revision: 58166

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-01 07:38:45 UTC (rev 58165)
+++ data/CVE/list   2017-12-01 09:10:17 UTC (rev 58166)
@@ -1,3 +1,21 @@
+CVE-2017-17088
+   RESERVED
+CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of 
a .swp ...)
+   TODO: check
+CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a 
"" substring in an ...)
+   TODO: check
+CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP 
Safety ...)
+   TODO: check
+CVE-2017-17084 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA 
...)
+   TODO: check
+CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS 
dissector ...)
+   TODO: check
+CVE-2017-17082
+   RESERVED
+CVE-2017-17081 (The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in 
FFmpeg 3.4 ...)
+   TODO: check
+CVE-2017-17080 (elf.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as ...)
+   TODO: check
 CVE-2018-0740
RESERVED
 CVE-2018-0739
@@ -1793,10 +1811,9 @@
RESERVED
 CVE-2017-16885
RESERVED
-CVE-2017-1000406
+CVE-2017-1000406 (OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache 
after a ...)
NOT-FOR-US: OpenDayLight
-CVE-2017-1000405 ["Dirty COW" variant on transparent huge pages]
-   RESERVED
+CVE-2017-1000405 (The Linux Kernel versions 2.6.38 through 4.14 have a 
problematic use ...)
- linux 4.14.2-1
NOTE: Fixed by: 
https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0
NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1
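Review bot: Replacing the bracketed title of CVE-2017-1000405 with the truncated CVE description removes the only mention of "Dirty COW" from the entry. Keep the name in a NOTE line (for example: NOTE: "Dirty COW" variant on transparent huge pages) so the entry can still be found by it.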
@@ -5609,6 +5626,7 @@
[jessie] - musl  (Minor issue)
NOTE: 
https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395
 CVE-2017-15642 (In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, 
there is ...)
+   {DLA-1197-1}
- sox 14.4.2-2 (bug #882144)
[stretch] - sox  (Minor issue)
[jessie] - sox  (Minor issue)
@@ -5689,8 +5707,8 @@
NOT-FOR-US: Octopus Deploy
 CVE-2017-15608
RESERVED
-CVE-2017-15607
-   RESERVED
+CVE-2017-15607 (Inedo Otter before 1.7.4 has directory traversal in 
filesystem-based ...)
+   TODO: check
 CVE-2017-15606
RESERVED
 CVE-2017-15605
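Review bot: CVE-2017-15607 comes in as "TODO: check" for Inedo Otter, the same product as CVE-2017-17086 added in the first hunk, where the description spells it "Indeo Otter". Triage the two together so they end up with the same tag and spelling; r58177 later marks only CVE-2017-17086 as NOT-FOR-US.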
@@ -6274,6 +6292,7 @@
 CVE-2017-15373 (E-Sic 1.0 allows SQL injection via the q parameter to ...)
NOT-FOR-US: E-Sic
 CVE-2017-15372 (There is a stack-based buffer overflow in the ...)
+   {DLA-1197-1}
- sox 14.4.2-2 (bug #878808)
[stretch] - sox  (Minor issue)
[jessie] - sox  (Minor issue)
@@ -18354,19 +18373,17 @@
RESERVED
 CVE-2017-11287
RESERVED
-CVE-2017-11286
-   RESERVED
-CVE-2017-11285
-   RESERVED
-CVE-2017-11284
-   RESERVED
-CVE-2017-11283
-   RESERVED
-CVE-2017-11282
-   RESERVED
+CVE-2017-11286 (Adobe ColdFusion has an XML external entity (XXE) injection 
...)
+   TODO: check
+CVE-2017-11285 (Adobe ColdFusion has a cross-site scripting (XSS) 
vulnerability. This ...)
+   TODO: check
+CVE-2017-11284 (Adobe ColdFusion has an Untrusted Data Deserialization 
vulnerability. ...)
+   TODO: check
+CVE-2017-11283 (Adobe ColdFusion has an Untrusted Data Deserialization 
vulnerability. ...)
+   TODO: check
+CVE-2017-11282 (Adobe Flash Player has an exploitable memory corruption 
vulnerability ...)
NOT-FOR-US: Adobe
-CVE-2017-11281
-   RESERVED
+CVE-2017-11281 (Adobe Flash Player has an exploitable memory corruption 
vulnerability ...)
NOT-FOR-US: Adobe
 CVE-2017-11280 (Adobe Digital Editions 4.5.4 and earlier has an exploitable 
memory ...)
NOT-FOR-US: Adobe
@@ -43632,10 +43649,10 @@
NOT-FOR-US: Adobe
 CVE-2017-3106 (Adobe Flash Player versions 26.0.0.137 and earlier have an 
exploitable ...)
NOT-FOR-US: Adobe Flash Player
-CVE-2017-3105
-   RESERVED
-CVE-2017-3104
-   RESERVED
+CVE-2017-3105 (Adobe RoboHelp has an Open Redirect vulnerability. This affects 
...)
+   TODO: check
+CVE-2017-3104 (Adobe RoboHelp has a cross-site scripting (XSS) vulnerability. 
This ...)
+   TODO: check
 CVE-2017-3103 (Adobe Connect versions 9.6.1 and earlier have a stored 
cross-site ...)
NOT-FOR-US: Adobe Connect
 CVE-2017-3102 (Adobe Connect versions 9.6.1 and earlier have a reflected 
cross-site ...)

