[Secure-testing-commits] r58221 - data
Author: carnil Date: 2017-12-03 07:57:31 + (Sun, 03 Dec 2017) New Revision: 58221 Modified: data/next-point-update.txt Log: Record pending CVEs for linux in stretch via stretch point release Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-12-02 21:37:42 UTC (rev 58220) +++ data/next-point-update.txt 2017-12-03 07:57:31 UTC (rev 58221) 
@@ -63,3 +63,75 @@ [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 CVE-2017-16899 [stretch] - fig2dev 1:3.2.6a-2+deb9u1 +CVE-2017-0786 + [stretch] - linux 4.9.65-1 +CVE-2017-12188 + [stretch] - linux 4.9.65-1 +CVE-2017-12190 + [stretch] - linux 4.9.65-1 +CVE-2017-12192 + [stretch] - linux 4.9.65-1 +CVE-2017-12193 + [stretch] - linux 4.9.65-1 +CVE-2017-13080 + [stretch] - linux 4.9.65-1 +CVE-2017-15115 + [stretch] - linux 4.9.65-1 +CVE-2017-15265 + [stretch] - linux 4.9.65-1 +CVE-2017-15299 + [stretch] - linux 4.9.65-1 +CVE-2017-15306 + [stretch] - linux 4.9.65-1 +CVE-2017-15537 + [stretch] - linux 4.9.65-1 +CVE-2017-15649 + [stretch] - linux 4.9.65-1 +CVE-2017-15951 + [stretch] - linux 4.9.65-1 +CVE-2017-16525 + [stretch] - linux 4.9.65-1 +CVE-2017-16526 + [stretch] - linux 4.9.65-1 +CVE-2017-16527 + [stretch] - linux 4.9.65-1 +CVE-2017-16528 + [stretch] - linux 4.9.65-1 +CVE-2017-16529 + [stretch] - linux 4.9.65-1 +CVE-2017-16530 + [stretch] - linux 4.9.65-1 +CVE-2017-16531 + [stretch] - linux 4.9.65-1 +CVE-2017-16532 + [stretch] - linux 4.9.65-1 +CVE-2017-16533 + [stretch] - linux 4.9.65-1 +CVE-2017-16534 + [stretch] - linux 4.9.65-1 +CVE-2017-16535 + [stretch] - linux 4.9.65-1 +CVE-2017-16536 + [stretch] - linux 4.9.65-1 +CVE-2017-16537 + [stretch] - linux 4.9.65-1 +CVE-2017-16643 + [stretch] - linux 4.9.65-1 +CVE-2017-16645 + [stretch] - linux 4.9.65-1 +CVE-2017-16646 + [stretch] - linux 4.9.65-1 +CVE-2017-16647 + [stretch] - linux 4.9.65-1 +CVE-2017-16649 + [stretch] - linux 4.9.65-1 +CVE-2017-16650 + [stretch] - linux 4.9.65-1 +CVE-2017-16939 + [stretch] - linux 4.9.65-1 +CVE-2017-16994 + [stretch] - linux 4.9.65-1 +CVE-2017-1000255 + [stretch] - linux 4.9.65-1 +CVE-2017-1000405 + [stretch] - linux 4.9.65-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
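Review bot: the hunk is mechanically consistent (36 CVE entries, each followed by the same `[stretch] - linux 4.9.65-1` line, 72 added lines plus 3 context lines matching the `+63,75` range), but nothing in it or in the log message records which stretch point release these entries are queued for or whether 4.9.65-1 has already been accepted into stretch-proposed-updates; a reader of next-point-update.txt has to work that out from the version alone. Naming the target point release (or the tracking bug) in the log message, or in a line above the block if the file format allows it, would make the pending state verifiable.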
[Secure-testing-commits] r58219 - data/CVE
Author: carnil Date: 2017-12-02 21:31:01 + (Sat, 02 Dec 2017) New Revision: 58219 Modified: data/CVE/list Log: Update CVE-2017-17054/aubio Modified: data/CVE/list === --- data/CVE/list 2017-12-02 16:25:14 UTC (rev 58218) +++ data/CVE/list 2017-12-02 21:31:01 UTC (rev 58219) @@ -736,8 +736,10 @@ RESERVED CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function ...) - aubio + [stretch] - aubio (Minor issue) + [jessie] - aubio (Vulnerability introduced in 0.4.3) + [wheezy] - aubio (Vulnerability introduced in 0.4.3) NOTE: https://github.com/aubio/aubio/issues/148 - TODO: check CVE-2017-17051 RESERVED CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
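Review bot: the `[jessie]` and `[wheezy]` lines justify their status with "Vulnerability introduced in 0.4.3", but the entry gives no pointer to what introduced it; the only reference is the upstream issue #148, which reports the divide-by-zero against 0.4.6. Since the same hunk drops the `TODO: check` line, the evidence behind the 0.4.3 claim should be recorded so nobody has to re-derive it: add an `Introduced by:` NOTE with the upstream commit, in the form used elsewhere in this file (for example `NOTE: Introduced by: <commit> (<tag>)` as written for evince in r58213). The `[stretch] - aubio (Minor issue)` line would likewise benefit from the one-line reason (crash in a library function on crafted input) so the no-DSA decision can be re-checked later.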
[Secure-testing-commits] r58220 - data/CVE
Author: carnil Date: 2017-12-02 21:37:42 + (Sat, 02 Dec 2017) New Revision: 58220 Modified: data/CVE/list Log: Add bug refrence for CVE-2017-17054 Modified: data/CVE/list === --- data/CVE/list 2017-12-02 21:31:01 UTC (rev 58219) +++ data/CVE/list 2017-12-02 21:37:42 UTC (rev 58220) @@ -735,7 +735,7 @@ CVE-2017-17055 RESERVED CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function ...) - - aubio + - aubio (bug #883355) [stretch] - aubio (Minor issue) [jessie] - aubio (Vulnerability introduced in 0.4.3) [wheezy] - aubio (Vulnerability introduced in 0.4.3) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58218 - data/CVE
Author: carnil Date: 2017-12-02 16:25:14 + (Sat, 02 Dec 2017) New Revision: 58218 Modified: data/CVE/list Log: Add bug reference for asterisk issue Modified: data/CVE/list === --- data/CVE/list 2017-12-02 12:40:59 UTC (rev 58217) +++ data/CVE/list 2017-12-02 16:25:14 UTC (rev 58218) @@ -1,5 +1,5 @@ CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source ...) - - asterisk + - asterisk (bug #883342) NOTE: http://downloads.digium.com/pub/security/AST-2017-013.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27452 CVE-2018-1040 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58217 - data/CVE
Author: carnil Date: 2017-12-02 12:40:59 + (Sat, 02 Dec 2017) New Revision: 58217 Modified: data/CVE/list Log: tor issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-02 12:40:49 UTC (rev 58216) +++ data/CVE/list 2017-12-02 12:40:59 UTC (rev 58217) @@ -26449,27 +26449,27 @@ RESERVED CVE-2017-8823 [TROVE-2017-013: Use-after-free in onion service v2] RESERVED - - tor + - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24313 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8822 [TROVE-2017-012: Relays can pick themselves in a circuit path] RESERVED - - tor + - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/21534 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8821 [TROVE-2017-011: An attacker can make Tor ask for a password] RESERVED - - tor + - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24246 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8820 [TROVE-2017-010: Remote DoS attack against directory authorities] RESERVED - - tor + - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24245 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8819 [TROVE-2017-009: Replay-cache ineffective for v2 onion services] RESERVED - - tor + - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24244 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
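Review bot: all five TROVE entries are closed only for unstable with `tor 0.3.1.9-1`; no `[stretch]` or `[jessie]` line is added, although the announcement URL referenced in every NOTE (`...-0319-03013-02914-02817-02516`) itself names the 0.2.9.14, 0.2.8.17 and 0.2.5.16 stable releases, i.e. upstream shipped fixes for the older branches as well. The per-release status should be recorded in the same commit (the matching stable version once uploaded, or at least a note that the 0.2.9.x/0.2.5.x fixes exist), since tor is sitting in dsa-needed.txt (see the context in r58212) and was just added to dla-needed.txt (r58208), and both lists are worked from these entries.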
[Secure-testing-commits] r58216 - data
Author: carnil Date: 2017-12-02 12:40:49 + (Sat, 02 Dec 2017) New Revision: 58216 Modified: data/dsa-needed.txt Log: Expand note for poppler Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-02 12:19:52 UTC (rev 58215) +++ data/dsa-needed.txt 2017-12-02 12:40:49 UTC (rev 58216) @@ -39,6 +39,7 @@ -- poppler 2017-11-23: santiago will prepare a debdiff + 2017-12-02: santiago prepared debdiffs available for review -- qemu/oldstable -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
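Review bot: the new `2017-12-02: santiago prepared debdiffs available for review` line says the debdiffs exist but not where; the earlier line in the same entry names who does what, and the next person picking up poppler from dsa-needed.txt needs the location (bug number, list message or URL) to actually review them. Add the reference to the note rather than leaving it to be asked for.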
[Secure-testing-commits] r58215 - data/CVE
Author: aurel32 Date: 2017-12-02 12:19:52 + (Sat, 02 Dec 2017) New Revision: 58215 Modified: data/CVE/list Log: Update CVE entries fixed in glibc 2.25-3 Modified: data/CVE/list === --- data/CVE/list 2017-12-02 11:01:41 UTC (rev 58214) +++ data/CVE/list 2017-12-02 12:19:52 UTC (rev 58215) @@ -5899,7 +5899,7 @@ CVE-2017-15805 (Cisco Small Business SA520 and SA540 devices with firmware 2.1.71 and ...) NOT-FOR-US: Cisco CVE-2017-15804 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) - - glibc (low; bug #879955) + - glibc 2.25-3 (low; bug #879955) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc (low) @@ -6193,7 +6193,7 @@ NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904 CVE-2017-15671 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) [experimental] - glibc 2.26-0experimental0 - - glibc (low; bug #879500) + - glibc 2.25-3 (low; bug #879500) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc (low) @@ -6202,7 +6202,7 @@ NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c66c908230169c1bab1f83b071eb585baa214b9f CVE-2017-15670 (The GNU C Library (aka glibc or libc6) before 2.27 contains an ...) [experimental] - glibc 2.26-0experimental0 - - glibc (low; bug #879501) + - glibc 2.25-3 (low; bug #879501) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc (low) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
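Review bot: CVE-2017-15671 and CVE-2017-15670 each carry an `[experimental] - glibc 2.26-0experimental0` line, but CVE-2017-15804 does not, although all three are now marked fixed in the same 2.25-3 upload and 15804 is the same glob.c family as 15671 (identical truncated description). If 15804 is genuinely not fixed in 2.26-0experimental0 that deserves a NOTE; otherwise the experimental line should be added so the three entries are consistent and the asymmetry does not read as an oversight.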
[Secure-testing-commits] r58214 - data/CVE
Author: carnil Date: 2017-12-02 11:01:41 + (Sat, 02 Dec 2017) New Revision: 58214 Modified: data/CVE/list Log: Add bug reference for CVE-2017-17095 Modified: data/CVE/list === --- data/CVE/list 2017-12-02 10:37:41 UTC (rev 58213) +++ data/CVE/list 2017-12-02 11:01:41 UTC (rev 58214) @@ -621,7 +621,7 @@ NOTE: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...) - - tiff (unimportant) + - tiff (unimportant; bug #883320) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750 NOTE: Crash in CLI tool not treated as a security issue ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58213 - data/CVE
Author: carnil Date: 2017-12-02 10:37:41 + (Sat, 02 Dec 2017) New Revision: 58213 Modified: data/CVE/list Log: Add note on introducing and fixing commit for CVE-2017-1000159 Modified: data/CVE/list === --- data/CVE/list 2017-12-02 10:19:28 UTC (rev 58212) +++ data/CVE/list 2017-12-02 10:37:41 UTC (rev 58213) @@ -1378,6 +1378,8 @@ CVE-2017-1000159 (Command injection in evince 3.24.8 via filename when printing to PDF ...) - evince 3.25.92-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784947 + NOTE: Introduced by: https://git.gnome.org/browse/evince/commit/?id=1fcca0b8041de0d6074d7e17fba174da36c65f99 (EVINCE_0_9_1) + NOTE: Fixed by: https://git.gnome.org/browse/evince/commit/?id=350404c76dc8601e2cdd2636490e2afc83d3090e (3.25.91) CVE-2018-0485 RESERVED CVE-2018-0484 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
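Review bot: the new `Introduced by:` NOTE pins the bug to `EVINCE_0_9_1`, which means every evince package currently in wheezy, jessie and stretch contains the vulnerable code, yet the entry still has only the unstable line `- evince 3.25.92-1` and no `[stretch]`, `[jessie]` or `[wheezy]` status line (the context shows the NOTEs followed directly by `CVE-2018-0485`). The per-release triage should be recorded alongside this NOTE. Separately, the fixing commit is tagged 3.25.91 while the recorded fixed Debian version is 3.25.92-1; if no 3.25.91-based upload ever reached the archive that is fine, but it is worth confirming since the tracker takes the first fixed version.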
[Secure-testing-commits] r58212 - data
Author: seb Date: 2017-12-02 10:19:28 + (Sat, 02 Dec 2017) New Revision: 58212 Modified: data/dsa-needed.txt Log: Leave wireshark to jmm Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-02 09:18:42 UTC (rev 58211) +++ data/dsa-needed.txt 2017-12-02 10:19:28 UTC (rev 58212) @@ -53,7 +53,7 @@ -- tor -- -wireshark (seb) +wireshark 2017-05-13: asked balint@ if he wants to prepare an update now 2017-07-28: re-ping balint@ -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
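Review bot: the hunk removes `(seb)` but, despite the log message, does not add `(jmm)`, so wireshark is now unclaimed in dsa-needed.txt rather than handed over; no dated line was appended either, although the entry otherwise follows the `2017-05-13: ...` / `2017-07-28: ...` convention. Either write `wireshark (jmm)` or add a `2017-12-02: handed over to jmm` note so the state in the file matches what the commit says happened.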
[Secure-testing-commits] r58211 - data/CVE
Author: carnil Date: 2017-12-02 09:18:42 + (Sat, 02 Dec 2017) New Revision: 58211 Modified: data/CVE/list Log: Add bug reference for wordpress issues, #883314 Modified: data/CVE/list === --- data/CVE/list 2017-12-02 09:17:09 UTC (rev 58210) +++ data/CVE/list 2017-12-02 09:18:42 UTC (rev 58211) @@ -605,19 +605,19 @@ CVE-2017-17089 RESERVED CVE-2017-17091 (wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser ...) - - wordpress + - wordpress (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17093 (wp-includes/general-template.php in WordPress before 4.9.1 does not ...) - - wordpress + - wordpress (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17094 (wp-includes/feed.php in WordPress before 4.9.1 does not properly ...) - - wordpress + - wordpress (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17092 (wp-includes/functions.php in WordPress before 4.9.1 does not require ...) - - wordpress + - wordpress (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58210 - data/CVE
Author: carnil Date: 2017-12-02 09:17:09 + (Sat, 02 Dec 2017) New Revision: 58210 Modified: data/CVE/list Log: Add asterisk issue, CVE-2017-17090 Modified: data/CVE/list === --- data/CVE/list 2017-12-02 09:10:16 UTC (rev 58209) +++ data/CVE/list 2017-12-02 09:17:09 UTC (rev 58210) @@ -1,5 +1,7 @@ CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source ...) - TODO: check + - asterisk + NOTE: http://downloads.digium.com/pub/security/AST-2017-013.html + NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27452 CVE-2018-1040 RESERVED CVE-2018-1039 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
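Review bot: the entry goes from `TODO: check` to a bare `- asterisk` with two references, but records no severity, impact or affected-version information, while the linked AST-2017-013 advisory is exactly the source for that. A one-line NOTE quoting the advisory's affected-versions statement (and whether the chan_skinny module is shipped in the Debian package at all) would let the per-release triage for stretch and jessie happen from this file without re-reading the advisory.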
[Secure-testing-commits] r58209 - data/CVE
Author: sectracker Date: 2017-12-02 09:10:16 + (Sat, 02 Dec 2017) New Revision: 58209 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-02 08:42:31 UTC (rev 58208) +++ data/CVE/list 2017-12-02 09:10:16 UTC (rev 58209) @@ -1,3 +1,5 @@ +CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source ...) + TODO: check CVE-2018-1040 RESERVED CVE-2018-1039 
@@ -600,23 +602,23 @@ RESERVED CVE-2017-17089 RESERVED -CVE-2017-17091 [Use a properly generated hash for the 'newbloguser' key instead of a determinate substring] +CVE-2017-17091 (wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser ...) - wordpress NOTE: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ -CVE-2017-17093 [Add escaping to the language attributes used on 'html' elements] +CVE-2017-17093 (wp-includes/general-template.php in WordPress before 4.9.1 does not ...) - wordpress NOTE: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ -CVE-2017-17094 [Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds] +CVE-2017-17094 (wp-includes/feed.php in WordPress before 4.9.1 does not properly ...) - wordpress NOTE: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ -CVE-2017-17092 [Remove the ability to upload JavaScript files for users who do not have the 'unfiltered_html' capability] +CVE-2017-17092 (wp-includes/functions.php in WordPress before 4.9.1 does not require ...) - wordpress NOTE: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ -CVE-2017-17095 [heap-based buffer overflow in the pal2rgb tool] +CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...) 
- tiff (unimportant) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
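Review bot: the automatic update replaces the hand-written bracketed summaries with MITRE's truncated descriptions ending in `...`, and loses information the new text does not carry: CVE-2017-17092's old title named the `unfiltered_html` capability and the JavaScript-upload vector, and CVE-2017-17095's old title `heap-based buffer overflow in the pal2rgb tool` named the bug class that the new `tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...` cuts off. Since the script cannot keep both, the previous bracketed summary is worth preserving as a NOTE line whenever it was more specific than the truncated description that replaces it.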
[Secure-testing-commits] r58208 - data
Author: lamby Date: 2017-12-02 08:42:31 + (Sat, 02 Dec 2017) New Revision: 58208 Modified: data/dla-needed.txt Log: Triage tor for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-02 06:21:38 UTC (rev 58207) +++ data/dla-needed.txt 2017-12-02 08:42:31 UTC (rev 58208) @@ -98,6 +98,8 @@ NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06 NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- anarcat 2017-10-24 -- +tor +-- wireshark (Thorsten Alteholz) NOTE: 2017-08-28: Contacted maintainer since most issues affect NOTE: Jessie/Stretch as well ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
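Review bot: the new `tor` entry in dla-needed.txt has neither a claimant nor a NOTE, unlike its neighbours, which carry dated NOTE lines pointing at the CVEs concerned (`CVE-2017-9935`, `CVE-2017-11613`). The hunk gives no way to tell which tor issues triggered the triage, so add a NOTE listing the CVE IDs that need the LTS update (and, if known, the upstream release that fixes them) so the eventual claimant does not have to reconstruct that from data/CVE/list.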