[Secure-testing-commits] r58287 - data/CVE
Author: carnil Date: 2017-12-06 07:56:02 + (Wed, 06 Dec 2017) New Revision: 58287 Modified: data/CVE/list Log: Add CVE-2017-15868/linux Modified: data/CVE/list === --- data/CVE/list 2017-12-06 07:55:52 UTC (rev 58286) +++ data/CVE/list 2017-12-06 07:56:02 UTC (rev 58287) @@ -6772,8 +6772,10 @@ RESERVED CVE-2017-15869 RESERVED -CVE-2017-15868 +CVE-2017-15868 [Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket] RESERVED + - linux 4.0.2-1 + NOTE: Fixed by: https://git.kernel.org/linus/71bb99a02b32b4cc4265118e85f6035ca72923f0 (v3.19-rc3) CVE-2017-15867 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) NOT-FOR-US: user-login-history plugin for WordPress CVE-2017-15866 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58286 - data
Author: carnil Date: 2017-12-06 07:55:52 + (Wed, 06 Dec 2017) New Revision: 58286 Modified: data/dsa-needed.txt Log: Add erlang to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-06 06:40:17 UTC (rev 58285) +++ data/dsa-needed.txt 2017-12-06 07:55:52 UTC (rev 58286) @@ -14,6 +14,8 @@ -- 389-ds-base (fw) -- +erlang +-- graphicsmagick -- libav/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58285 - data/CVE
Author: carnil Date: 2017-12-06 06:40:17 + (Wed, 06 Dec 2017) New Revision: 58285 Modified: data/CVE/list Log: Add CVE-2017-12169/freeipa Modified: data/CVE/list === --- data/CVE/list 2017-12-06 06:37:17 UTC (rev 58284) +++ data/CVE/list 2017-12-06 06:40:17 UTC (rev 58285) @@ -17514,8 +17514,11 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1493056 CVE-2017-12170 (Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was ...) - pure-ftpd (Fedora specific packaging error) -CVE-2017-12169 +CVE-2017-12169 [Password hash disclosure via 'System: Read Stage Users' permission] RESERVED + - freeipa + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1487697 + TODO: check, disputed as well if valid CVE assignment CVE-2017-12168 (The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the ...) - linux 4.8.11-1 [jessie] - linux (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58284 - data/CVE
Author: carnil Date: 2017-12-06 06:37:17 + (Wed, 06 Dec 2017) New Revision: 58284 Modified: data/CVE/list Log: Add CVE-2017-15121/linux Modified: data/CVE/list === --- data/CVE/list 2017-12-06 05:36:58 UTC (rev 58283) +++ data/CVE/list 2017-12-06 06:37:17 UTC (rev 58284) @@ -8667,8 +8667,10 @@ RESERVED CVE-2017-15122 RESERVED -CVE-2017-15121 +CVE-2017-15121 [vfs: BUG in truncate_inode_pages_range() and fuse client] RESERVED + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1520893 CVE-2017-15120 RESERVED CVE-2017-15119 [DoS via large option request] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58282 - data/CVE
Author: carnil Date: 2017-12-06 05:20:04 + (Wed, 06 Dec 2017) New Revision: 58282 Modified: data/CVE/list Log: Add information for condor issue Modified: data/CVE/list === --- data/CVE/list 2017-12-05 22:48:11 UTC (rev 58281) +++ data/CVE/list 2017-12-06 05:20:04 UTC (rev 58282) @@ -4095,9 +4095,10 @@ NOTE: https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a CVE-2017-16817 RESERVED -CVE-2017-16816 +CVE-2017-16816 [A user can cause the condor_schedd to crash by submitting a job designed for that purpose] RESERVED - condor 8.6.8~dfsg.1-1 + NOTE: http://research.cs.wisc.edu/htcondor//security/vulnerabilities/HTCONDOR-2017-0001.html CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site Migration & ...) NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) plugin for WordPress CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in collectd ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58283 - data/CVE
Author: carnil Date: 2017-12-06 05:36:58 + (Wed, 06 Dec 2017) New Revision: 58283 Modified: data/CVE/list Log: CVE-2017-17432/openafs assigned Modified: data/CVE/list === --- data/CVE/list 2017-12-06 05:20:04 UTC (rev 58282) +++ data/CVE/list 2017-12-06 05:36:58 UTC (rev 58283) @@ -17,7 +17,7 @@ RESERVED CVE-2017-1000408 RESERVED -CVE-2017- [OPENAFS-SA-2017-001: Rx assertion failure from insufficient input validation] +CVE-2017-17432 [OPENAFS-SA-2017-001: Rx assertion failure from insufficient input validation] - openafs 1.6.22-1 (bug #883602) NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt CVE-2018-1180 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58281 - data/CVE
Author: jmm
Date: 2017-12-05 22:48:11 + (Tue, 05 Dec 2017)
New Revision: 58281
Modified:
data/CVE/list
Log:
thunderbird fixed
Modified: data/CVE/list
===
--- data/CVE/list 2017-12-05 22:31:15 UTC (rev 58280)
+++ data/CVE/list 2017-12-05 22:48:11 UTC (rev 58281)
@@ -30304,7 +30304,7 @@
{DSA-4035-1 DLA-1172-1}
- firefox 57.0-1
- firefox-esr 52.5.0esr-1
- - thunderbird
+ - thunderbird 1:52.5.0-1
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7830
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7830
@@ -30315,7 +30315,7 @@
{DSA-4035-1 DLA-1172-1}
- firefox 57.0-1
- firefox-esr 52.5.0esr-1
- - thunderbird
+ - thunderbird 1:52.5.0-1
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7828
@@ -30328,7 +30328,7 @@
{DSA-4035-1 DLA-1172-1}
- firefox 57.0-1
- firefox-esr 52.5.0esr-1
- - thunderbird
+ - thunderbird 1:52.5.0-1
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7826
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7826
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58280 - data/CVE
Author: jmm Date: 2017-12-05 22:31:15 + (Tue, 05 Dec 2017) New Revision: 58280 Modified: data/CVE/list Log: new condor issue Modified: data/CVE/list === --- data/CVE/list 2017-12-05 21:29:44 UTC (rev 58279) +++ data/CVE/list 2017-12-05 22:31:15 UTC (rev 58280) @@ -4097,6 +4097,7 @@ RESERVED CVE-2017-16816 RESERVED + - condor 8.6.8~dfsg.1-1 CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site Migration & ...) NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) plugin for WordPress CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in collectd ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58279 - data/CVE
Author: carnil Date: 2017-12-05 21:29:44 + (Tue, 05 Dec 2017) New Revision: 58279 Modified: data/CVE/list Log: Add bug reference for CVE-2017-17381/qemu Modified: data/CVE/list === --- data/CVE/list 2017-12-05 21:25:24 UTC (rev 58278) +++ data/CVE/list 2017-12-05 21:29:44 UTC (rev 58279) @@ -190,7 +190,7 @@ RESERVED CVE-2017-17381 [virtio: divide by zero exception while updating rings] RESERVED - - qemu + - qemu (bug #883625) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg00166.html CVE-2018-1140 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58278 - data/CVE
Author: carnil Date: 2017-12-05 21:25:24 + (Tue, 05 Dec 2017) New Revision: 58278 Modified: data/CVE/list Log: Record information on glibc issue Modified: data/CVE/list === --- data/CVE/list 2017-12-05 21:10:17 UTC (rev 58277) +++ data/CVE/list 2017-12-05 21:25:24 UTC (rev 58278) @@ -7,7 +7,12 @@ CVE-2017-17427 RESERVED CVE-2017-17426 (The malloc function in the GNU C Library (aka glibc or libc6) 2.26 ...) - TODO: check + - glibc + - eglibc + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22375 + NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc + NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=34697694e8a93b325b18f25f7dcded55d6baeaf6 + TODO: check, verify the introducing commit CVE-2017-1000409 RESERVED CVE-2017-1000408 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58277 - data/CVE
Author: sectracker Date: 2017-12-05 21:10:17 + (Tue, 05 Dec 2017) New Revision: 58277 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-05 21:08:45 UTC (rev 58276) +++ data/CVE/list 2017-12-05 21:10:17 UTC (rev 58277) @@ -1,3 +1,17 @@ +CVE-2017-17430 + RESERVED +CVE-2017-17429 + RESERVED +CVE-2017-17428 + RESERVED +CVE-2017-17427 + RESERVED +CVE-2017-17426 (The malloc function in the GNU C Library (aka glibc or libc6) 2.26 ...) + TODO: check +CVE-2017-1000409 + RESERVED +CVE-2017-1000408 + RESERVED CVE-2017- [OPENAFS-SA-2017-001: Rx assertion failure from insufficient input validation] - openafs 1.6.22-1 (bug #883602) NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt @@ -1689,8 +1703,8 @@ RESERVED CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before ...) NOT-FOR-US: Splunk Web -CVE-2017-17066 - RESERVED +CVE-2017-17066 (The (1) i2pd before 2.17 and (2) kovri pre-alpha implementations of the ...) + TODO: check CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before ...) NOT-FOR-US: D-Link CVE-2017-17064 @@ -3335,10 +3349,10 @@ NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=766956 NOTE: https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3 NOTE: Not a duplicate but a variant of the issue of CVE-2017-9049 and CVE-2017-9050 -CVE-2017-16930 - RESERVED -CVE-2017-16929 - RESERVED +CVE-2017-16930 (The remote management interface on the Claymore Dual GPU miner 10.1 ...) + TODO: check +CVE-2017-16929 (The remote management interface on the Claymore Dual GPU miner 10.1 is ...) + TODO: check CVE-2017-16928 RESERVED CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session ...) @@ -3446,6 +3460,7 @@ CVE-2017-16885 RESERVED CVE-2017-1000407 [DoS via write flood to I/O port 0x80] + RESERVED - linux NOTE: https://www.spinics.net/lists/kvm/msg159809.html CVE-2017-1000406 (OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a ...) @@ -3623,9 +3638,9 @@ - pjproject 2.7.1~dfsg-1 NOTE: https://trac.pjsip.org/repos/ticket/2056 NOTE: https://trac.pjsip.org/repos/changeset/5682 -CVE-2017-16871 (The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP ...) +CVE-2017-16871 (** DISPUTED ** The UpdraftPlus plugin through 1.13.12 for WordPress ...) NOT-FOR-US: UpdraftPlus plugin for WordPress -CVE-2017-16870 (The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF in the ...) +CVE-2017-16870 (** DISPUTED ** The UpdraftPlus plugin through 1.13.12 for WordPress ...) NOT-FOR-US: UpdraftPlus plugin for WordPress CVE-2017-16869 (** DISPUTED ** p_mach.cpp in UPX 3.94 allows remote attackers to cause ...) - upx-ucl (bug #882041; unimportant) @@ -3942,10 +3957,10 @@ RESERVED CVE-2017-16858 RESERVED -CVE-2017-16857 - RESERVED -CVE-2017-16856 - RESERVED +CVE-2017-16857 (It is possible to bypass the bitbucket auto-unapprove plugin via ...) + TODO: check +CVE-2017-16856 (The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows ...) + TODO: check CVE-2017-16855 (Ipsilon before 2.1.0 has a "SAML2 multi-session vulnerability." ...) - ipsilon (bug #826838) CVE-2017-16854 @@ -5513,7 +5528,7 @@ RESERVED CVE-2017-16240 RESERVED -CVE-2017-17051 [Regression introduced with the fix for OSSA-2017-005 (CVE-2017-16239)] +CVE-2017-17051 (An issue was discovered in the default FilterScheduler in OpenStack ...) - nova (bug #883621) [stretch] - nova (Fix for CVE-2017-16239 not applied and not affecting 14.x.y) [jessie] - nova (Vulnerable code not present) @@ -6873,8 +6888,8 @@ RESERVED CVE-2017-15814 RESERVED -CVE-2017-15813 - RESERVED +CVE-2017-15813 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) + TODO: check CVE-2017-15812 (The Easy Appointments plugin before 1.12.0 for WordPress has XSS via a ...) NOT-FOR-US: Wordpress plugin CVE-2017-15811 (The Pootle Button plugin before 1.2.0 for WordPress has XSS via the ...) @@ -9458,16 +9473,16 @@ - nodejs (unimportant) NOTE: Debian doesn't use zlib 1.2.9 yet NOTE: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ -CVE-2017-14918 - RESERVED -CVE-2017-14917 - RESERVED -CVE-2017-14916 - RESERVED +CVE-2017-14918 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) + TODO: check +CVE-2017-14917 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) + TODO: check +CVE-2017-14916 (In Android for MS
[Secure-testing-commits] r58276 - data/CVE
Author: carnil Date: 2017-12-05 21:08:45 + (Tue, 05 Dec 2017) New Revision: 58276 Modified: data/CVE/list Log: CVE-2017-1000385/erlang fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-05 21:06:02 UTC (rev 58275) +++ data/CVE/list 2017-12-05 21:08:45 UTC (rev 58276) @@ -1707,7 +1707,7 @@ NOT-FOR-US: WordPress plugin wp-thumb-post CVE-2017-1000385 [TLS server vunlerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery ot MITM attack] RESERVED - - erlang + - erlang 1:20.1.7+dfsg-1 NOTE: https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM NOTE: https://github.com/erlang/otp/commit/38b07caa2a1c6cd3537eadd36770afa54f067562 (OTP-20.1.7) NOTE: https://github.com/erlang/otp/commit/3b4386dd19b7e669f557c95ace8d7ba228291927 (OTP-19.3.6.4) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58275 - data/CVE
Author: carnil Date: 2017-12-05 21:06:02 + (Tue, 05 Dec 2017) New Revision: 58275 Modified: data/CVE/list Log: Add information for erlang issue Modified: data/CVE/list === --- data/CVE/list 2017-12-05 20:38:00 UTC (rev 58274) +++ data/CVE/list 2017-12-05 21:06:02 UTC (rev 58275) @@ -1709,7 +1709,9 @@ RESERVED - erlang NOTE: https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM - TODO: check + NOTE: https://github.com/erlang/otp/commit/38b07caa2a1c6cd3537eadd36770afa54f067562 (OTP-20.1.7) + NOTE: https://github.com/erlang/otp/commit/3b4386dd19b7e669f557c95ace8d7ba228291927 (OTP-19.3.6.4) + NOTE: https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 (OTP-18.3.4.7) CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a Directory ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2017-17057 (There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58274 - data/CVE
Author: carnil Date: 2017-12-05 20:38:00 + (Tue, 05 Dec 2017) New Revision: 58274 Modified: data/CVE/list Log: Bug reference for CVE-2017-17051, #883621 Modified: data/CVE/list === --- data/CVE/list 2017-12-05 20:28:51 UTC (rev 58273) +++ data/CVE/list 2017-12-05 20:38:00 UTC (rev 58274) @@ -5512,7 +5512,7 @@ CVE-2017-16240 RESERVED CVE-2017-17051 [Regression introduced with the fix for OSSA-2017-005 (CVE-2017-16239)] - - nova + - nova (bug #883621) [stretch] - nova (Fix for CVE-2017-16239 not applied and not affecting 14.x.y) [jessie] - nova (Vulnerable code not present) [wheezy] - nova (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58273 - data/CVE
Author: carnil Date: 2017-12-05 20:28:51 + (Tue, 05 Dec 2017) New Revision: 58273 Modified: data/CVE/list Log: Add bug reference for CVE-2017-17051 Modified: data/CVE/list === --- data/CVE/list 2017-12-05 20:02:09 UTC (rev 58272) +++ data/CVE/list 2017-12-05 20:28:51 UTC (rev 58273) @@ -5517,6 +5517,7 @@ [jessie] - nova (Vulnerable code not present) [wheezy] - nova (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/12/05/5 + NOTE: https://launchpad.net/bugs/1732976 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through ...) - nova 2:16.0.3-1 (bug #882009) [jessie] - nova (Vulnerble code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58272 - data/CVE
Author: carnil Date: 2017-12-05 20:02:09 + (Tue, 05 Dec 2017) New Revision: 58272 Modified: data/CVE/list Log: Add CVE-2017-17051/nova Modified: data/CVE/list === --- data/CVE/list 2017-12-05 19:37:27 UTC (rev 58271) +++ data/CVE/list 2017-12-05 20:02:09 UTC (rev 58272) @@ -1724,8 +1724,6 @@ [jessie] - aubio (Vulnerability introduced in 0.4.3) [wheezy] - aubio (Vulnerability introduced in 0.4.3) NOTE: https://github.com/aubio/aubio/issues/148 -CVE-2017-17051 - RESERVED CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17049 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) @@ -5513,13 +5511,20 @@ RESERVED CVE-2017-16240 RESERVED +CVE-2017-17051 [Regression introduced with the fix for OSSA-2017-005 (CVE-2017-16239)] + - nova + [stretch] - nova (Fix for CVE-2017-16239 not applied and not affecting 14.x.y) + [jessie] - nova (Vulnerable code not present) + [wheezy] - nova (Vulnerable code not present) + NOTE: http://www.openwall.com/lists/oss-security/2017/12/05/5 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through ...) - nova 2:16.0.3-1 (bug #882009) [jessie] - nova (Vulnerble code introduced later) [wheezy] - nova (Vulnerble code introduced later) NOTE: https://launchpad.net/bugs/1664931 NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html - NOTE: Regression fix: http://www.openwall.com/lists/oss-security/2017/12/05/4 + NOTE: Regression fix: http://www.openwall.com/lists/oss-security/2017/12/05/4 got + NOTE: a seprate CVE. CVE-2017-16238 RESERVED CVE-2017-16237 (In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58271 - data/CVE
Author: carnil Date: 2017-12-05 19:37:27 + (Tue, 05 Dec 2017) New Revision: 58271 Modified: data/CVE/list Log: Add openafs issue, #883602 Modified: data/CVE/list === --- data/CVE/list 2017-12-05 16:06:09 UTC (rev 58270) +++ data/CVE/list 2017-12-05 19:37:27 UTC (rev 58271) @@ -1,3 +1,6 @@ +CVE-2017- [OPENAFS-SA-2017-001: Rx assertion failure from insufficient input validation] + - openafs 1.6.22-1 (bug #883602) + NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt CVE-2018-1180 RESERVED CVE-2018-1179 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58270 - data/CVE
Author: jmm Date: 2017-12-05 16:06:09 + (Tue, 05 Dec 2017) New Revision: 58270 Modified: data/CVE/list Log: new kfreebsd issues Modified: data/CVE/list === --- data/CVE/list 2017-12-05 16:04:10 UTC (rev 58269) +++ data/CVE/list 2017-12-05 16:06:09 UTC (rev 58270) @@ -50084,11 +50084,14 @@ CVE-2017-1089 RESERVED CVE-2017-1088 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: kfreebsd not covered by security support CVE-2017-1087 (In FreeBSD 10.x before 10.4-STABLE, 10.4-RELEASE-p3, and ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: kfreebsd not covered by security support CVE-2017-1086 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: kfreebsd not covered by security support CVE-2017-1085 RESERVED CVE-2017-1084 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58269 - data/CVE
Author: jmm Date: 2017-12-05 16:04:10 + (Tue, 05 Dec 2017) New Revision: 58269 Modified: data/CVE/list Log: mark as NFU, limited to builds on Android Modified: data/CVE/list === --- data/CVE/list 2017-12-05 15:41:50 UTC (rev 58268) +++ data/CVE/list 2017-12-05 16:04:10 UTC (rev 58269) @@ -51125,11 +51125,7 @@ CVE-2017-0673 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0672 (A denial of service vulnerability in the Android libraries. Product: ...) - - firefox-esr - - firefox 54.0-1 - - qtwebengine-opensource-src - - icedove - - thunderbird + NOT-FOR-US: Android CVE-2017-0671 (A remote code execution vulnerability in the Android libraries. ...) NOT-FOR-US: Android NOTE: Not publicly available ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58268 - data/CVE
Author: jmm Date: 2017-12-05 15:41:50 + (Tue, 05 Dec 2017) New Revision: 58268 Modified: data/CVE/list Log: no need to track android bugs for firefox, those only affect Firefox builds for Android Modified: data/CVE/list === --- data/CVE/list 2017-12-05 15:37:29 UTC (rev 58267) +++ data/CVE/list 2017-12-05 15:41:50 UTC (rev 58268) @@ -50773,11 +50773,6 @@ NOT-FOR-US: Fluoride Bluetooth stack in Android CVE-2017-0841 (A remote code execution vulnerability in the Android system ...) - android-platform-system-core (unimportant) - - firefox - - firefox-esr - - icedove - - thunderbird - TODO: Vulnerable code exists in firefox/firefox-esr and thunderbird/icedove but not sure if affected NOTE: Fixed by https://android.googlesource.com/platform/system/core/+/47efc676c849e3abf32001d66e2d6eb887e83c48%5E!/ CVE-2017-0840 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58267 - data/CVE
Author: jmm Date: 2017-12-05 15:37:29 + (Tue, 05 Dec 2017) New Revision: 58267 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-05 15:10:29 UTC (rev 58266) +++ data/CVE/list 2017-12-05 15:37:29 UTC (rev 58267) @@ -20925,15 +20925,15 @@ CVE-2017-11018 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11017 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11016 RESERVED CVE-2017-11015 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11014 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11013 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11012 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11011 @@ -21304,9 +21304,9 @@ CVE-2017-10900 (PTW-WMS1 firmware version 2.000.012 allows remote attackers to bypass ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10899 (SQL injection vulnerability in the A-Reserve and A-Reserve for MT ...) - TODO: check + NOT-FOR-US: A-Reserve CVE-2017-10898 (SQL injection vulnerability in the A-Member and A-Member for MT cloud ...) - TODO: check + NOT-FOR-US: A-Member CVE-2017-10897 RESERVED CVE-2017-10896 @@ -29525,7 +29525,7 @@ CVE-2017-8045 (In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an ...) NOT-FOR-US: Spring AMQP CVE-2017-8044 (In Pivotal Single Sign-On for PCF (1.3.x versions prior to 1.3.4 and ...) - TODO: check + NOT-FOR-US: Pivotal SSO CVE-2017-8043 RESERVED CVE-2017-8042 @@ -50724,17 +50724,17 @@ CVE-2017-0866 (An elevation of privilege vulnerability in the Direct rendering ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-0865 (An elevation of privilege vulnerability in the MediaTek soc driver. ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2017-0864 (An elevation of privilege vulnerability in the MediaTek ioctl ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2017-0863 (An elevation of privilege vulnerability in the Upstream kernel video ...) - TODO: check + NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0862 (An elevation of privilege vulnerability in the Upstream kernel kernel. ...) - TODO: check + NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0861 (An elevation of privilege vulnerability in the Upstream kernel audio ...) - TODO: check + NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0860 (An elevation of privilege vulnerability in the Android system ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0859 (Another vulnerability in the Android media framework (n/a). Product: ...) NOT-FOR-US: Android media framework CVE-2017-0858 (Another vulnerability in the Android media framework (n/a). Product: ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58266 - data/CVE
Author: carnil Date: 2017-12-05 15:10:29 + (Tue, 05 Dec 2017) New Revision: 58266 Modified: data/CVE/list Log: Add note for CVE-2017-16239/nova Modified: data/CVE/list === --- data/CVE/list 2017-12-05 09:18:13 UTC (rev 58265) +++ data/CVE/list 2017-12-05 15:10:29 UTC (rev 58266) @@ -5516,6 +5516,7 @@ [wheezy] - nova (Vulnerble code introduced later) NOTE: https://launchpad.net/bugs/1664931 NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html + NOTE: Regression fix: http://www.openwall.com/lists/oss-security/2017/12/05/4 CVE-2017-16238 RESERVED CVE-2017-16237 (In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58265 - data/CVE
Author: jmm
Date: 2017-12-05 09:18:13 + (Tue, 05 Dec 2017)
New Revision: 58265
Modified:
data/CVE/list
Log:
nasm fixed
further wireshark triage
Modified: data/CVE/list
===
--- data/CVE/list 2017-12-05 09:10:17 UTC (rev 58264)
+++ data/CVE/list 2017-12-05 09:18:13 UTC (rev 58265)
@@ -11398,7 +11398,7 @@
NOTE: https://github.com/mdadams/jasper/issues/146
NOTE: Possible false-positive, cf.
https://github.com/mdadams/jasper/issues/146#issuecomment-330674648
CVE-2017-14228 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal
address access ...)
- - nasm (unimportant; bug #874731)
+ - nasm 2.13.02-0.1 (unimportant; bug #874731)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392423
NOTE: Crash in CLI tool, no securiy impact
CVE-2017-14227 (In MongoDB libbson 1.7.0, the bson_iter_codewscope function in
...)
@@ -12658,6 +12658,8 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-38.html
CVE-2017-13766 (In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O
dissector could ...)
- wireshark 2.4.1-1
+ [jessie] - wireshark (Vulnerable code not present)
+ [wheezy] - wireshark (Vulnerable code not present)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13847
NOTE:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2096bc1e5078732543e0a3ee115a2ce520a72bbc
NOTE:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=af7b093ca528516c14247acb545046199d30843e
@@ -19643,7 +19645,8 @@
NOTE:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3c7168cc5f044b4da8747d35da0b2b204dabf398
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-13.html
CVE-2017-11409 (In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go
into a ...)
- - wireshark 2.2.0~rc1+g438c022-1
+ - wireshark 2.2.0~rc1+g438c022-1 (low)
+ [jessie] - wireshark (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13603
NOTE:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=57b83bbbd76f543eb8d108919f13b662910bff9a
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-37.html
@@ -20690,7 +20693,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464686
CVE-2017-1 (In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote
attackers ...)
{DLA-1041-1}
- - nasm (bug #867988)
+ - nasm 2.13.02-0.1 (bug #867988)
[stretch] - nasm (Minor issue)
[jessie] - nasm (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392415
@@ -21798,7 +21801,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1466411
CVE-2017-10686 (In Netwide Assembler (NASM) 2.14rc0, there are multiple heap
use after ...)
{DLA-1041-1}
- - nasm (bug #867988)
+ - nasm 2.13.02-0.1 (bug #867988)
[stretch] - nasm (Minor issue)
[jessie] - nasm (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392414
@@ -30777,6 +30780,7 @@
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13581
CVE-2017-7747 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the PacketBB
dissector ...)
- wireshark 2.2.6+g32dac6a-1
+ [jessie] - wireshark (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-18.html
NOTE:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5cfd52d6629cf8a7ab67c6bacd3431a964f43584
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13559
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58264 - data/CVE
Author: sectracker Date: 2017-12-05 09:10:17 + (Tue, 05 Dec 2017) New Revision: 58264 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-05 07:43:45 UTC (rev 58263) +++ data/CVE/list 2017-12-05 09:10:17 UTC (rev 58264) @@ -1,3 +1,165 @@ +CVE-2018-1180 + RESERVED +CVE-2018-1179 + RESERVED +CVE-2018-1178 + RESERVED +CVE-2018-1177 + RESERVED +CVE-2018-1176 + RESERVED +CVE-2018-1175 + RESERVED +CVE-2018-1174 + RESERVED +CVE-2018-1173 + RESERVED +CVE-2018-1172 + RESERVED +CVE-2018-1171 + RESERVED +CVE-2018-1170 + RESERVED +CVE-2018-1169 + RESERVED +CVE-2018-1168 + RESERVED +CVE-2018-1167 + RESERVED +CVE-2018-1166 + RESERVED +CVE-2018-1165 + RESERVED +CVE-2018-1164 + RESERVED +CVE-2018-1163 + RESERVED +CVE-2018-1162 + RESERVED +CVE-2018-1161 + RESERVED +CVE-2018-1160 + RESERVED +CVE-2018-1159 + RESERVED +CVE-2018-1158 + RESERVED +CVE-2018-1157 + RESERVED +CVE-2018-1156 + RESERVED +CVE-2018-1155 + RESERVED +CVE-2018-1154 + RESERVED +CVE-2018-1153 + RESERVED +CVE-2018-1152 + RESERVED +CVE-2018-1151 + RESERVED +CVE-2018-1150 + RESERVED +CVE-2018-1149 + RESERVED +CVE-2018-1148 + RESERVED +CVE-2018-1147 + RESERVED +CVE-2018-1146 + RESERVED +CVE-2018-1145 + RESERVED +CVE-2018-1144 + RESERVED +CVE-2018-1143 + RESERVED +CVE-2018-1142 + RESERVED +CVE-2018-1141 + RESERVED +CVE-2017-17425 + RESERVED +CVE-2017-17424 + RESERVED +CVE-2017-17423 + RESERVED +CVE-2017-17422 + RESERVED +CVE-2017-17421 + RESERVED +CVE-2017-17420 + RESERVED +CVE-2017-17419 + RESERVED +CVE-2017-17418 + RESERVED +CVE-2017-17417 + RESERVED +CVE-2017-17416 + RESERVED +CVE-2017-17415 + RESERVED +CVE-2017-17414 + RESERVED +CVE-2017-17413 + RESERVED +CVE-2017-17412 + RESERVED +CVE-2017-17411 + RESERVED +CVE-2017-17410 + RESERVED +CVE-2017-17409 + RESERVED +CVE-2017-17408 + RESERVED +CVE-2017-17407 + RESERVED +CVE-2017-17406 + RESERVED +CVE-2017-17405 + RESERVED +CVE-2017-17404 + RESERVED +CVE-2017-17403 + RESERVED +CVE-2017-17402 + RESERVED +CVE-2017-17401 + RESERVED +CVE-2017-17400 + RESERVED +CVE-2017-17399 + RESERVED +CVE-2017-17398 + RESERVED +CVE-2017-17397 + RESERVED +CVE-2017-17396 + RESERVED +CVE-2017-17395 + RESERVED +CVE-2017-17394 + RESERVED +CVE-2017-17393 + RESERVED +CVE-2017-17392 + RESERVED +CVE-2017-17391 + RESERVED +CVE-2017-17390 + RESERVED +CVE-2017-17389 + RESERVED +CVE-2017-17388 + RESERVED +CVE-2017-17387 + RESERVED +CVE-2017-17386 + RESERVED +CVE-2017-17385 + RESERVED CVE-2017-17384 RESERVED CVE-2017-17383 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
