[Secure-testing-commits] r58235 - data/CVE
Author: apo Date: 2017-12-03 23:07:15 + (Sun, 03 Dec 2017) New Revision: 58235 Modified: data/CVE/list Log: libextractor,CVE-2017-15266,CVE-2017-15267: Remove no-dsa tag for Wheezy Will be fixed with an upcoming DLA. Modified: data/CVE/list === --- data/CVE/list 2017-12-03 23:05:47 UTC (rev 58234) +++ data/CVE/list 2017-12-03 23:07:15 UTC (rev 58235) @@ -7269,7 +7269,6 @@ - libextractor 1:1.6-1 (bug #878314) [stretch] - libextractor (Minor issue) [jessie] - libextractor (Minor issue) - [wheezy] - libextractor (Minor issue) NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg3.html NOTE: http://openwall.com/lists/oss-security/2017/10/11/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1499600 @@ -7278,7 +7277,6 @@ - libextractor 1:1.6-1 (bug #878314) [stretch] - libextractor (Minor issue) [jessie] - libextractor (Minor issue) - [wheezy] - libextractor (Minor issue) NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg2.html NOTE: http://openwall.com/lists/oss-security/2017/10/11/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1499599 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
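Review bot: dropping the `[wheezy] - libextractor (Minor issue)` line in both hunks moves these two CVEs back into the wheezy "needs update" set, so the commit is only half of the change: once the DLA is published, the `{DLA-nnnn-1}` reference must be added to both entries (same position as the `{DSA-4054-1}` lines added for tor further down this page), otherwise wheezy keeps showing as unfixed. The `[jessie]` and `[stretch]` lines keep their `(Minor issue)` no-dsa tag in both hunks; since the two hunks are otherwise identical apart from the bug-libextractor and Red Hat bugzilla links, a short NOTE on why wheezy gets a fix while jessie/stretch stay no-dsa would save the next person from re-triaging.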
[Secure-testing-commits] r58234 - data/CVE
Author: apo Date: 2017-12-03 23:05:47 + (Sun, 03 Dec 2017) New Revision: 58234 Modified: data/CVE/list Log: libextractor: Add missing links to patches Modified: data/CVE/list === --- data/CVE/list 2017-12-03 21:10:18 UTC (rev 58233) +++ data/CVE/list 2017-12-03 23:05:47 UTC (rev 58234) @@ -6376,13 +6376,16 @@ CVE-2017-15602 (In GNU Libextractor 1.4, there is an integer signedness error for the ...) - libextractor 1:1.6-1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg5.html + NOTE: Fixed by https://gnunet.org/git/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc CVE-2017-15601 (In GNU Libextractor 1.4, there is a heap-based buffer overflow in the ...) - libextractor 1:1.6-1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg6.html + NOTE: Fixed by https://gnunet.org/git/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091 CVE-2017-15600 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in the ...) - libextractor 1:1.6-1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg4.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1501695 + NOTE: Fixed by https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7 CVE-2017-15599 RESERVED CVE-2017-15598 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
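Review bot: the three `NOTE: Fixed by` links land under entries (CVE-2017-15600, -15601, -15602) that carry no `[stretch]`/`[jessie]`/`[wheezy]` lines at all, unlike the CVE-2017-15266/15267 entries for the same package which are tagged per release; as the hunk stands, the tracker treats every stable release as affected and unfixed for these three. If they are meant to ride along with the upcoming libextractor DLA, or are minor enough for a no-dsa tag, the release lines should be added in the same pass so the commit ids are sitting next to the decision they support. The ids are full 40-character hashes, which is what a backporter wants; keep that form rather than the abbreviated one used for the qemu link elsewhere on this page.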
[Secure-testing-commits] r58233 - data/CVE
Author: sectracker Date: 2017-12-03 21:10:18 + (Sun, 03 Dec 2017) New Revision: 58233 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-03 18:52:55 UTC (rev 58232) +++ data/CVE/list 2017-12-03 21:10:18 UTC (rev 58233) @@ -1,3 +1,13 @@ +CVE-2017-17100 + RESERVED +CVE-2017-17099 + RESERVED +CVE-2017-17098 + RESERVED +CVE-2017-17097 + RESERVED +CVE-2017-17096 (Cross-site scripting (XSS) vulnerability in the Content Cards plugin ...) + TODO: check CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source ...) - asterisk (bug #883342) NOTE: http://downloads.digium.com/pub/security/AST-2017-013.html 
@@ -26453,22 +26463,27 @@ CVE-2017-8824 RESERVED CVE-2017-8823 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) + {DSA-4054-1} - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24313 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8822 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) + {DSA-4054-1} - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/21534 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8821 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) + {DSA-4054-1} - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24246 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8820 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) + {DSA-4054-1} - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24245 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8819 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) + {DSA-4054-1} - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24244 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
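Review bot: in the first hunk CVE-2017-17096 lands as `TODO: check` with only "Cross-site scripting (XSS) vulnerability in the Content Cards plugin ..." to go on; the description is cut at the usual length, so whether this is a WordPress plugin (and therefore NOT-FOR-US, as the cp-contact-form-with-paypal entry further down is tagged) or something packaged cannot be decided from the hunk. It needs the same manual triage pass that r58227 applied to the KMPlayer and Cisco entries. The four RESERVED placeholders CVE-2017-17097 through CVE-2017-17100 are the normal form and need nothing.

Review bot: the second hunk adds `{DSA-4054-1}` to all five tor entries, which matches the DSA/list entry in r58232 listing exactly CVE-2017-8819 through CVE-2017-8823, and the reference sits between the description line and `- tor 0.3.1.9-1`, which is the right position. Note that the entries still have no `[jessie]`/`[stretch]` lines, so the fixed versions for those releases (0.2.5.16-1 and 0.2.9.14-1) are visible only through the DSA/list cross-reference, not in CVE/list itself; that is the normal way of recording it, but anyone reading CVE/list alone should be aware of it.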
[Secure-testing-commits] r58232 - in data: . DSA
Author: jmm Date: 2017-12-03 18:52:55 + (Sun, 03 Dec 2017) New Revision: 58232 Modified: data/DSA/list data/dsa-needed.txt Log: tor DSA Modified: data/DSA/list === --- data/DSA/list 2017-12-03 16:40:49 UTC (rev 58231) +++ data/DSA/list 2017-12-03 18:52:55 UTC (rev 58232) @@ -1,3 +1,7 @@ +[03 Dec 2017] DSA-4054-1 tor - security update + {CVE-2017-8819 CVE-2017-8820 CVE-2017-8821 CVE-2017-8822 CVE-2017-8823} + [jessie] - tor 0.2.5.16-1 + [stretch] - tor 0.2.9.14-1 [30 Nov 2017] DSA-4053-1 exim4 - security update {CVE-2017-16943 CVE-2017-16944} [stretch] - exim4 4.89-2+deb9u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-03 16:40:49 UTC (rev 58231) +++ data/dsa-needed.txt 2017-12-03 18:52:55 UTC (rev 58232) @@ -52,8 +52,6 @@ -- thunderbird -- -tor --- wireshark 2017-05-13: asked balint@ if he wants to prepare an update now 2017-07-28: re-ping balint@ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
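Review bot: the two fixed versions, `tor 0.2.5.16-1` for jessie and `tor 0.2.9.14-1` for stretch, are plain upstream point-release versions without the `+deb8uN`/`+deb9uN` suffix that the neighbouring exim4 entry (`4.89-2+deb9u2`) carries. That is consistent with the upstream release blog post referenced in the CVE entries (the URL names 0.2.5.16 and 0.2.9.14 among the fixed releases), but the tracker derives "fixed" status from exact version comparison, so the strings need to match the versions actually accepted into jessie-security and stretch-security, not just the upstream numbers. The dsa-needed.txt hunk removes the `tor` stanza together with its `--` separator, which keeps the file well formed.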
[Secure-testing-commits] r58231 - data/CVE
Author: carnil Date: 2017-12-03 16:40:49 + (Sun, 03 Dec 2017) New Revision: 58231 Modified: data/CVE/list Log: Add bug reference for CVE-2017-15118 Modified: data/CVE/list === --- data/CVE/list 2017-12-03 16:29:31 UTC (rev 58230) +++ data/CVE/list 2017-12-03 16:40:49 UTC (rev 58231) @@ -7654,7 +7654,7 @@ NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html CVE-2017-15118 [stack buffer overflow in NBD server triggered via long export name] RESERVED - - qemu + - qemu (bug #883406) [stretch] - qemu (Vulnerable code introduced in 2.10) [jessie] - qemu (Vulnerable code introduced in 2.10) [wheezy] - qemu (Vulnerable code introduced in 2.10) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58230 - data/CVE
Author: carnil Date: 2017-12-03 16:29:31 + (Sun, 03 Dec 2017) New Revision: 58230 Modified: data/CVE/list Log: Add information about introducing commit for CVE-2017-15118 Modified: data/CVE/list === --- data/CVE/list 2017-12-03 16:20:14 UTC (rev 58229) +++ data/CVE/list 2017-12-03 16:29:31 UTC (rev 58230) @@ -7659,6 +7659,7 @@ [jessie] - qemu (Vulnerable code introduced in 2.10) [wheezy] - qemu (Vulnerable code introduced in 2.10) - qemu-kvm (Vulnerable code introduced in 2.10) + NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commit;h=f37708f6b8 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html CVE-2017-15117 REJECTED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
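Review bot: the `NOTE: Introduced by:` link is the evidence behind the "Vulnerable code introduced in 2.10" annotations in the surrounding context, so it belongs exactly here. Two small points: the link uses a 10-character abbreviated hash (`h=f37708f6b8`), which gitweb resolves but which is less durable than the full id used for the libextractor fix links elsewhere on this page; and since the working title says the overflow is triggered via a long export name, a few words on what that commit changed would let a reader confirm the 2.10 cut-off without following the link.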
[Secure-testing-commits] r58229 - data/CVE
Author: carnil Date: 2017-12-03 16:20:14 + (Sun, 03 Dec 2017) New Revision: 58229 Modified: data/CVE/list Log: Update CVE-2017-15118/qemu information Modified: data/CVE/list === --- data/CVE/list 2017-12-03 16:08:11 UTC (rev 58228) +++ data/CVE/list 2017-12-03 16:20:14 UTC (rev 58229) @@ -7655,8 +7655,10 @@ CVE-2017-15118 [stack buffer overflow in NBD server triggered via long export name] RESERVED - qemu - - qemu-kvm - [wheezy] - qemu-kvm (Vulnerable code introduced later) + [stretch] - qemu (Vulnerable code introduced in 2.10) + [jessie] - qemu (Vulnerable code introduced in 2.10) + [wheezy] - qemu (Vulnerable code introduced in 2.10) + - qemu-kvm (Vulnerable code introduced in 2.10) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html CVE-2017-15117 REJECTED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
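Review bot: the new lines `[stretch] - qemu (Vulnerable code introduced in 2.10)`, `[jessie] - ...` and `[wheezy] - ...` carry a not-affected reason but, as rendered here, no status marker; in tracker syntax a release line with only a parenthesised reason is read as no-dsa (compare `[jessie] - libextractor (Minor issue)` above), so stretch, jessie and wheezy would show as vulnerable with no update planned rather than as unaffected. The `<not-affected>` token is angle-bracketed and this archive rendering would have dropped it, so this is most likely a display artifact, but it deserves a glance at the committed file. The same applies to the untagged `- qemu-kvm (Vulnerable code introduced in 2.10)` line that replaces the former `[wheezy] - qemu-kvm (Vulnerable code introduced later)`: an untagged line is the unstable entry, and if qemu-kvm is no longer in unstable the marker that belongs there is `<removed>`.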
[Secure-testing-commits] r58228 - data/CVE
Author: carnil Date: 2017-12-03 16:08:11 + (Sun, 03 Dec 2017) New Revision: 58228 Modified: data/CVE/list Log: Add bug referece for CVE-2017-15119/qemu Modified: data/CVE/list === --- data/CVE/list 2017-12-03 10:19:24 UTC (rev 58227) +++ data/CVE/list 2017-12-03 16:08:11 UTC (rev 58228) @@ -7648,7 +7648,7 @@ RESERVED CVE-2017-15119 [DoS via large option request] RESERVED - - qemu + - qemu (bug #883399) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
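Review bot: CVE-2017-15119 gets `- qemu (bug #883399)` but, unlike the sibling CVE-2017-15118 entry that this same series of commits annotates per release, it keeps only `[wheezy] - qemu-kvm (Vulnerable code introduced later)` and an untagged `- qemu-kvm`, with no `[stretch]`/`[jessie]` lines; as rendered, stretch and jessie qemu are therefore open for this CVE. If the large-option-request DoS lives in the same NBD server code as 15118 and also post-dates the shipped versions, the same "introduced in" annotation should be applied here; if it is genuinely older, a NOTE saying so would stop the asymmetry from being read as an oversight.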
[Secure-testing-commits] r58227 - data/CVE
Author: carnil Date: 2017-12-03 10:19:24 + (Sun, 03 Dec 2017) New Revision: 58227 Modified: data/CVE/list Log: Process two NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-03 10:19:11 UTC (rev 58226) +++ data/CVE/list 2017-12-03 10:19:24 UTC (rev 58227) @@ -2268,7 +2268,7 @@ CVE-2017-16953 (connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic ...) NOT-FOR-US: ZTE CVE-2017-16952 (KMPlayer 4.2.2.4 allows remote attackers to cause a denial of service ...) - TODO: check + NOT-FOR-US: K-Multimedia Player CVE-2017-16951 (Winamp Pro 5.66 Build 3512 allows remote attackers to cause a denial ...) NOT-FOR-US: Winamp CVE-2017-16950 @@ -33265,7 +33265,7 @@ CVE-2017-6680 (A vulnerability in the AutoVNF logging function of Cisco Ultra Services ...) NOT-FOR-US: Cisco CVE-2017-6679 (The Cisco Umbrella Virtual Appliance Version 2.0.3 and prior contained ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6678 (A vulnerability in the ingress UDP packet processing functionality of ...) NOT-FOR-US: Cisco CVE-2017-6677 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58226 - data/CVE
Author: carnil Date: 2017-12-03 10:19:11 + (Sun, 03 Dec 2017) New Revision: 58226 Modified: data/CVE/list Log: Process CVE-2017-14949 Modified: data/CVE/list === --- data/CVE/list 2017-12-03 09:31:19 UTC (rev 58225) +++ data/CVE/list 2017-12-03 10:19:11 UTC (rev 58226) @@ -8325,7 +8325,7 @@ CVE-2015-9233 (The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) ...) NOT-FOR-US: Wordpress plugin CVE-2017-14949 (Restlet Framework before 2.3.12 allows remote attackers to access ...) - TODO: check + - restlet (bug #596472) CVE-2017-14948 RESERVED CVE-2017-14947 (Artifex GSView 6.0 Beta on Windows allows attackers to execute ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
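Review bot: `- restlet (bug #596472)` references a bug number roughly 290000 below every other bug on this page (#878314, #883342, #883399, #883406), i.e. a years-old report, which points to the packaging request for restlet rather than a bug about CVE-2017-14949. The tracker distinguishes that case with the `<itp>` status marker on the package line; angle-bracket markers are dropped by this archive rendering, so it may well be present in the actual commit, but if it is not, the entry shows restlet as an affected, unfixed package in unstable instead of as not yet packaged. Worth confirming against the bug title before moving on.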
[Secure-testing-commits] r58225 - tools/git-migration
Author: carnil Date: 2017-12-03 09:31:19 + (Sun, 03 Dec 2017) New Revision: 58225 Modified: tools/git-migration/AUTHORS.txt Log: sync AUTHORS.txt Modified: tools/git-migration/AUTHORS.txt === --- tools/git-migration/AUTHORS.txt 2017-12-03 09:28:00 UTC (rev 58224) +++ tools/git-migration/AUTHORS.txt 2017-12-03 09:31:19 UTC (rev 58225) @@ -144,6 +144,7 @@ skitt = Stephen Kitt skx = Steve Kemp smcv = Simon McVittie +sramacher = Sebastian Ramacher stef-guest = Stefan Fritsch sunweaver = Mike Gabriel taffit = David Prévot ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58224 - data/CVE
Author: carnil Date: 2017-12-03 09:28:00 + (Sun, 03 Dec 2017) New Revision: 58224 Modified: data/CVE/list Log: Mark CVE-2017-14516 as NFU Modified: data/CVE/list === --- data/CVE/list 2017-12-03 09:10:31 UTC (rev 58223) +++ data/CVE/list 2017-12-03 09:28:00 UTC (rev 58224) @@ -9581,7 +9581,7 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f CVE-2017-14516 (Cross-Site Scripting (XSS) exists in SAP Business Objects Financial ...) - TODO: check + NOT-FOR-US: SAP Business Objects Financial Consolidation CVE-2017-14515 (Heap-based Buffer Overflow on Tenda W15E devices before 15.11.0.14 ...) NOT-FOR-US: Tenda W15E devices CVE-2017-14514 (Directory Traversal on Tenda W15E devices before 15.11.0.14 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58223 - data/CVE
Author: sectracker Date: 2017-12-03 09:10:31 + (Sun, 03 Dec 2017) New Revision: 58223 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-03 08:03:43 UTC (rev 58222) +++ data/CVE/list 2017-12-03 09:10:31 UTC (rev 58223) @@ -651,7 +651,7 @@ NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=79768d63d14fbce6bf7fb4d4a1c86be0c5205eb3 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-48.html CVE-2017-17082 - RESERVED + REJECTED CVE-2017-17081 (The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 3.4 ...) - ffmpeg [stretch] - ffmpeg (Can wait for the next 3.2.x release) @@ -9580,8 +9580,8 @@ [jessie] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f -CVE-2017-14516 - RESERVED +CVE-2017-14516 (Cross-Site Scripting (XSS) exists in SAP Business Objects Financial ...) + TODO: check CVE-2017-14515 (Heap-based Buffer Overflow on Tenda W15E devices before 15.11.0.14 ...) NOT-FOR-US: Tenda W15E devices CVE-2017-14514 (Directory Traversal on Tenda W15E devices before 15.11.0.14 allows ...) 
@@ -26449,28 +26449,23 @@ NOTE: https://github.com/dinhviethoa/libetpan/issues/274 CVE-2017-8824 RESERVED -CVE-2017-8823 [TROVE-2017-013: Use-after-free in onion service v2] - RESERVED +CVE-2017-8823 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24313 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 -CVE-2017-8822 [TROVE-2017-012: Relays can pick themselves in a circuit path] - RESERVED +CVE-2017-8822 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/21534 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 -CVE-2017-8821 [TROVE-2017-011: An attacker can make Tor ask for a password] - RESERVED +CVE-2017-8821 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24246 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 -CVE-2017-8820 [TROVE-2017-010: Remote DoS attack against directory authorities] - RESERVED +CVE-2017-8820 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24245 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 -CVE-2017-8819 [TROVE-2017-009: Replay-cache ineffective for v2 onion services] - RESERVED +CVE-2017-8819 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) - tor 0.3.1.9-1 NOTE: https://bugs.torproject.org/24244 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
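Review bot: in the first region of this update CVE-2017-17082 flips from RESERVED to REJECTED, leaving only the identifier and status, with the wireshark wnpa-sec-2017-48 NOTE above and the ffmpeg CVE-2017-17081 entry below as untouched context, so nothing else needs to change. The second hunk in the same region turns CVE-2017-14516 into a `TODO: check` item with the truncated SAP Business Objects description, which r58224 then resolves to NOT-FOR-US; no further action there.

Review bot: the tor hunk replaces the bracketed working titles, e.g. `[TROVE-2017-013: Use-after-free in onion service v2]`, with the MITRE descriptions, which in CVE/list are cut to the identical "In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ..." for all five entries. After the change the entries are distinguishable only by their bugs.torproject.org numbers (24313, 21534, 24246, 24245, 24244), and the TROVE id plus one-line summary is exactly what a DSA author or backporter needs. Since the automatic update will always overwrite the title line, the mapping should be re-added as `NOTE: TROVE-2017-0NN: ...` lines under each entry so it survives future syncs.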
[Secure-testing-commits] r58222 - data
Author: carnil Date: 2017-12-03 08:03:43 + (Sun, 03 Dec 2017) New Revision: 58222 Modified: data/next-oldstable-point-update.txt Log: Record pending CVEs for linux in jessie via jessie point release Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-12-03 07:57:31 UTC (rev 58221) +++ data/next-oldstable-point-update.txt2017-12-03 08:03:43 UTC (rev 58222) @@ -138,3 +138,51 @@ [jessie] - pdns-recursor 3.6.2-2+deb8u4 CVE-2017-16899 [jessie] - transfig 1:3.2.5.e-4+deb8u1 +CVE-2017-0786 + [jessie] - linux 3.16.51-1 +CVE-2017-8831 + [jessie] - linux 3.16.51-1 +CVE-2017-12190 + [jessie] - linux 3.16.51-1 +CVE-2017-12192 + [jessie] - linux 3.16.51-1 +CVE-2017-12193 + [jessie] - linux 3.16.51-1 +CVE-2017-13080 + [jessie] - linux 3.16.51-1 +CVE-2017-15115 + [jessie] - linux 3.16.51-1 +CVE-2017-15265 + [jessie] - linux 3.16.51-1 +CVE-2017-15299 + [jessie] - linux 3.16.51-1 +CVE-2017-15649 + [jessie] - linux 3.16.51-1 +CVE-2017-16525 + [jessie] - linux 3.16.51-1 +CVE-2017-16527 + [jessie] - linux 3.16.51-1 +CVE-2017-16529 + [jessie] - linux 3.16.51-1 +CVE-2017-16530 + [jessie] - linux 3.16.51-1 +CVE-2017-16531 + [jessie] - linux 3.16.51-1 +CVE-2017-16532 + [jessie] - linux 3.16.51-1 +CVE-2017-16533 + [jessie] - linux 3.16.51-1 +CVE-2017-16535 + [jessie] - linux 3.16.51-1 +CVE-2017-16536 + [jessie] - linux 3.16.51-1 +CVE-2017-16537 + [jessie] - linux 3.16.51-1 +CVE-2017-16643 + [jessie] - linux 3.16.51-1 +CVE-2017-16649 + [jessie] - linux 3.16.51-1 +CVE-2017-16650 + [jessie] - linux 3.16.51-1 +CVE-2017-1000405 + [jessie] - linux 3.16.51-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
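Review bot: the 24 new stanzas all point at `linux 3.16.51-1` for jessie and follow the existing two-line form (`CVE-...` then `[jessie] - package version`) used by the pdns-recursor and transfig entries above, and the hunk header's 48 added lines match 24 entries, so the file stays consistent. The thing to check before the point release is the other side of the record: each of these CVEs needs a matching `[jessie] - linux 3.16.51-1` line in data/CVE/list (or the point-release tooling has to add it), otherwise the tracker keeps reporting them as open in jessie after the release ships. The ids are in ascending numeric order ending with CVE-2017-1000405; make sure that one is spelled identically in CVE/list, since it is the only entry outside the five-digit range and is easy to mistype.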