[Secure-testing-commits] r58352 - in data: . DSA
Author: jmm
Date: 2017-12-08 06:51:32 + (Fri, 08 Dec 2017)
New Revision: 58352
Modified:
data/DSA/list
data/dsa-needed.txt
Log:
erlang DSA
Modified: data/DSA/list
===
--- data/DSA/list 2017-12-08 06:44:41 UTC (rev 58351)
+++ data/DSA/list 2017-12-08 06:51:32 UTC (rev 58352)
@@ -1,3 +1,7 @@
+[08 Dec 2017] DSA-4057-1 erlang - security update
+ {CVE-2017-1000385}
+ [jessie] - erlang 1:17.3-dfsg-4+deb8u2
+ [stretch] - erlang 1:19.2.1+dfsg-2+deb9u1
[07 Dec 2017] DSA-4056-1 nova - security update
{CVE-2017-16239}
[stretch] - nova 2:14.0.0-4+deb9u1
Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-08 06:44:41 UTC (rev 58351)
+++ data/dsa-needed.txt 2017-12-08 06:51:32 UTC (rev 58352)
@@ -16,8 +16,6 @@
--
chromium-browser
--
-erlang (jmm)
---
graphicsmagick
--
libav/oldstable
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58351 - data
Author: jmm Date: 2017-12-08 06:44:41 + (Fri, 08 Dec 2017) New Revision: 58351 Modified: data/dsa-needed.txt Log: add openafs to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-08 06:11:46 UTC (rev 58350) +++ data/dsa-needed.txt 2017-12-08 06:44:41 UTC (rev 58351) @@ -31,6 +31,8 @@ linux Wait until more issues have piled up -- +openafs (jmm) +-- openssl1.0/stable -- otrs2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58350 - data/CVE
Author: carnil Date: 2017-12-08 06:11:46 + (Fri, 08 Dec 2017) New Revision: 58350 Modified: data/CVE/list Log: Process CVE-2017-15097, mark as NFU, add note Modified: data/CVE/list === --- data/CVE/list 2017-12-08 05:48:14 UTC (rev 58349) +++ data/CVE/list 2017-12-08 06:11:46 UTC (rev 58350) @@ -9274,6 +9274,9 @@ [wheezy] - postgresql-9.1 (Vulnerable code does not exist) CVE-2017-15097 RESERVED + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1508985 + NOTE: Similar issues as CVE-2016-1255 in Debian + NOT-FOR-US: Red Hat specific provides scripts for starting the database server during system boot and for initializing the database CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) - glusterfs 3.12.2-2 (bug #880017) [stretch] - glusterfs (Vulnerable code introduced later) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58349 - data
Author: pabs Date: 2017-12-08 05:48:14 + (Fri, 08 Dec 2017) New Revision: 58349 Modified: data/embedded-code-copies Log: Convert (embedded) to (embed) (embed) is the correct keyword for the format. Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-12-08 05:48:06 UTC (rev 58348) +++ data/embedded-code-copies 2017-12-08 05:48:14 UTC (rev 58349) @@ -3322,7 +3322,7 @@ - flightgear (embed) flite - - flightgear (embedded) + - flightgear (embed) NOTE: seems to declare linking with system shared library, but build logs suspiciously still build embedded copy. sox @@ -3338,7 +3338,7 @@ - praat (embed) libxls (not packaged in Debian, http://libxls.sourceforge.net/) - - r-cran-readxl (embedded) + - r-cran-readxl (embed) woff2 (ITP: #883828) - webkit2gtk 2.20-1 (embed) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58348 - data
Author: pabs Date: 2017-12-08 05:48:06 + (Fri, 08 Dec 2017) New Revision: 58348 Modified: data/embedded-code-copies Log: List packages that embed woff2 or brotli Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-12-07 21:43:17 UTC (rev 58347) +++ data/embedded-code-copies 2017-12-08 05:48:06 UTC (rev 58348) @@ -3339,3 +3339,29 @@ libxls (not packaged in Debian, http://libxls.sourceforge.net/) - r-cran-readxl (embedded) + +woff2 (ITP: #883828) + - webkit2gtk 2.20-1 (embed) + - chromium-browser (embed) + - firefox (embed) + - firefox-esr (embed) + - icedove (embed) + - thunderbird (embed) + - qtwebengine-opensource-src (embed) + - qtwebkit-opensource-src (embed) + - texlive-bin (embed) + +brotli + - webkit2gtk (embed) + - chromium-browser (embed) + - firefox (embed) + - firefox-esr (embed) + - icedove (embed) + - thunderbird (embed) + - qtwebengine-opensource-src (embed) + - qtwebkit-opensource-src (embed) + - texlive-bin (embed) + - rr (embed) + - h2o (embed) + - hhvm (embed) + - apitrace (embed) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58347 - data/CVE
Author: jmm Date: 2017-12-07 21:43:17 + (Thu, 07 Dec 2017) New Revision: 58347 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-07 21:37:01 UTC (rev 58346) +++ data/CVE/list 2017-12-07 21:43:17 UTC (rev 58347) @@ -149,7 +149,7 @@ CVE-2017-17452 RESERVED CVE-2017-17451 (The WP Mailster plugin before 1.5.5 for WordPress has XSS in the ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not ...) - linux NOTE: https://lkml.org/lkml/2017/12/5/982 @@ -396,9 +396,9 @@ CVE-2017-17437 RESERVED CVE-2017-17436 (An issue was discovered in the software on Vaultek Gun Safe VT20i ...) - TODO: check + NOT-FOR-US: Vaultek Gun Safe CVE-2017-17435 (An issue was discovered in the software on Vaultek Gun Safe VT20i ...) - TODO: check + NOT-FOR-US: Vaultek Gun Safe CVE-2017-17434 (The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, ...) - rsync (bug #883665) NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1 @@ -409,7 +409,7 @@ CVE-2017-17431 (GeniXCMS 1.1.5 has XSS via the from, id, lang, menuid, mod, q, status, ...) NOT-FOR-US: GeniXCMS CVE-2017-17430 (Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows ...) - TODO: check + NOT-FOR-US: Sangoma NetBorder / Vega Session Controller CVE-2017-17429 RESERVED CVE-2017-17428 @@ -595,7 +595,7 @@ CVE-2017-17385 RESERVED CVE-2017-17384 (ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain ...) - TODO: check + NOT-FOR-US: ISPConfig CVE-2017-17383 (Jenkins through 2.93 allows remote authenticated administrators to ...) - jenkins CVE-2017-17382 @@ -2151,7 +2151,7 @@ CVE-2017-17056 (The ZKTime Web Software 2.0.1.12280 allows the Administrator to ...) NOT-FOR-US: ZKTeco ZKTime Web Software CVE-2017-17055 (Artica Web Proxy before 3.06.112911 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Artica Web Proxy CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function ...) - aubio (bug #883355) [stretch] - aubio (Minor issue) @@ -3956,7 +3956,7 @@ RESERVED NOT-FOR-US: Jenkins plugin CVE-2017-16884 (Cross-site scripting (XSS) vulnerability in MistServer before 2.13 ...) - TODO: check + NOT-FOR-US: MistServer CVE-2017-16883 (The outputSWF_TEXT_RECORD function in util/outputscript.c in libming <= ...) - ming NOTE: https://github.com/libming/libming/issues/77 @@ -4396,7 +4396,7 @@ CVE-2017-16858 RESERVED CVE-2017-16857 (It is possible to bypass the bitbucket auto-unapprove plugin via ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2017-16856 (The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows ...) NOT-FOR-US: Atlassian Confluence CVE-2017-16855 (Ipsilon before 2.1.0 has a "SAML2 multi-session vulnerability." ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58345 - data
Author: jmm Date: 2017-12-07 21:36:37 + (Thu, 07 Dec 2017) New Revision: 58345 Modified: data/dsa-needed.txt Log: add ruby2.1 to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-07 21:35:53 UTC (rev 58344) +++ data/dsa-needed.txt 2017-12-07 21:36:37 UTC (rev 58345) @@ -49,6 +49,8 @@ -- qemu/oldstable -- +ruby2.1/oldstable +-- salt -- simplesamlphp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58344 - data/CVE
Author: jmm Date: 2017-12-07 21:35:53 + (Thu, 07 Dec 2017) New Revision: 58344 Modified: data/CVE/list Log: qemu triage Modified: data/CVE/list === --- data/CVE/list 2017-12-07 21:23:37 UTC (rev 58343) +++ data/CVE/list 2017-12-07 21:35:53 UTC (rev 58344) @@ -602,6 +602,8 @@ RESERVED CVE-2017-17381 (The Virtio Vring implementation in QEMU allows local OS guest users to ...) - qemu (bug #883625) + [stretch] - qemu (Can be fixed along in later update) + [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg00166.html CVE-2018-1140 @@ -9186,6 +9188,8 @@ CVE-2017-15119 [DoS via large option request] RESERVED - qemu (bug #883399) + [stretch] - qemu (Can be fixed along in later update) + [jessie] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58346 - data
Author: jmm Date: 2017-12-07 21:37:01 + (Thu, 07 Dec 2017) New Revision: 58346 Modified: data/dsa-needed.txt Log: add xen to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-07 21:36:37 UTC (rev 58345) +++ data/dsa-needed.txt 2017-12-07 21:37:01 UTC (rev 58346) @@ -66,5 +66,7 @@ -- wordpress -- +xen/oldstable +-- zendframework/oldstable -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58343 - data/CVE
Author: jmm Date: 2017-12-07 21:23:37 + (Thu, 07 Dec 2017) New Revision: 58343 Modified: data/CVE/list Log: openssl triage Modified: data/CVE/list === --- data/CVE/list 2017-12-07 21:19:45 UTC (rev 58342) +++ data/CVE/list 2017-12-07 21:23:37 UTC (rev 58343) @@ -43621,8 +43621,11 @@ CVE-2017-3739 RESERVED CVE-2017-3738 (There is an overflow bug in the AVX2 Montgomery multiplication ...) - - openssl - - openssl1.0 + - openssl (low) + [stretch] - openssl (Can be fixed with next OpenSSL advisory round) + [jessie] - openssl (Vulnerable code not present) + [wheezy] - openssl (Vulnerable code not present) + - openssl1.0 (low) NOTE: https://www.openssl.org/news/secadv/20171207.txt NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=e502cc86df9dafded1694fceb3228ee34d11c11a NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58342 - data/CVE
Author: carnil Date: 2017-12-07 21:19:45 + (Thu, 07 Dec 2017) New Revision: 58342 Modified: data/CVE/list Log: Add CVE-2017-17459/fossil Modified: data/CVE/list === --- data/CVE/list 2017-12-07 21:14:42 UTC (rev 58341) +++ data/CVE/list 2017-12-07 21:19:45 UTC (rev 58342) @@ -119,7 +119,8 @@ CVE-2018-1281 RESERVED CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync protocol is ...) - TODO: check + - fossil 1:2.4-1 + NOTE: https://www.fossil-scm.org/xfer/info/1f63db591c77108c CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially malformed ...) - mercurial 4.4.1-1 NOTE: https://bz.mercurial-scm.org/show_bug.cgi?id=5730 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58341 - data/CVE
Author: carnil Date: 2017-12-07 21:14:42 + (Thu, 07 Dec 2017) New Revision: 58341 Modified: data/CVE/list Log: Add CVE-2017-17458/mercurial, fixed already in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-07 21:10:12 UTC (rev 58340) +++ data/CVE/list 2017-12-07 21:14:42 UTC (rev 58341) @@ -121,7 +121,10 @@ CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync protocol is ...) TODO: check CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially malformed ...) - TODO: check + - mercurial 4.4.1-1 + NOTE: https://bz.mercurial-scm.org/show_bug.cgi?id=5730 + NOTE: https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html + NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29 CVE-2017-1002102 RESERVED CVE-2017-1002101 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58340 - data/CVE
Author: sectracker
Date: 2017-12-07 21:10:12 + (Thu, 07 Dec 2017)
New Revision: 58340
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-12-07 20:59:36 UTC (rev 58339)
+++ data/CVE/list 2017-12-07 21:10:12 UTC (rev 58340)
@@ -1,3 +1,131 @@
+CVE-2018-1340
+ RESERVED
+CVE-2018-1339
+ RESERVED
+CVE-2018-1338
+ RESERVED
+CVE-2018-1337
+ RESERVED
+CVE-2018-1336
+ RESERVED
+CVE-2018-1335
+ RESERVED
+CVE-2018-1334
+ RESERVED
+CVE-2018-1333
+ RESERVED
+CVE-2018-1332
+ RESERVED
+CVE-2018-1331
+ RESERVED
+CVE-2018-1330
+ RESERVED
+CVE-2018-1329
+ RESERVED
+CVE-2018-1328
+ RESERVED
+CVE-2018-1327
+ RESERVED
+CVE-2018-1326
+ RESERVED
+CVE-2018-1325
+ RESERVED
+CVE-2018-1324
+ RESERVED
+CVE-2018-1323
+ RESERVED
+CVE-2018-1322
+ RESERVED
+CVE-2018-1321
+ RESERVED
+CVE-2018-1320
+ RESERVED
+CVE-2018-1319
+ RESERVED
+CVE-2018-1318
+ RESERVED
+CVE-2018-1317
+ RESERVED
+CVE-2018-1316
+ RESERVED
+CVE-2018-1315
+ RESERVED
+CVE-2018-1314
+ RESERVED
+CVE-2018-1313
+ RESERVED
+CVE-2018-1312
+ RESERVED
+CVE-2018-1311
+ RESERVED
+CVE-2018-1310
+ RESERVED
+CVE-2018-1309
+ RESERVED
+CVE-2018-1308
+ RESERVED
+CVE-2018-1307
+ RESERVED
+CVE-2018-1306
+ RESERVED
+CVE-2018-1305
+ RESERVED
+CVE-2018-1304
+ RESERVED
+CVE-2018-1303
+ RESERVED
+CVE-2018-1302
+ RESERVED
+CVE-2018-1301
+ RESERVED
+CVE-2018-1300
+ RESERVED
+CVE-2018-1299
+ RESERVED
+CVE-2018-1298
+ RESERVED
+CVE-2018-1297
+ RESERVED
+CVE-2018-1296
+ RESERVED
+CVE-2018-1295
+ RESERVED
+CVE-2018-1294
+ RESERVED
+CVE-2018-1293
+ RESERVED
+CVE-2018-1292
+ RESERVED
+CVE-2018-1291
+ RESERVED
+CVE-2018-1290
+ RESERVED
+CVE-2018-1289
+ RESERVED
+CVE-2018-1288
+ RESERVED
+CVE-2018-1287
+ RESERVED
+CVE-2018-1286
+ RESERVED
+CVE-2018-1285
+ RESERVED
+CVE-2018-1284
+ RESERVED
+CVE-2018-1283
+ RESERVED
+CVE-2018-1282
+ RESERVED
+CVE-2018-1281
+ RESERVED
+CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync
protocol is ...)
+ TODO: check
+CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially
malformed ...)
+ TODO: check
+CVE-2017-1002102
+ RESERVED
+CVE-2017-1002101
+ RESERVED
CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1
may lead ...)
- libsndfile (low)
[stretch] - libsndfile (Minor issue)
@@ -290,7 +418,7 @@
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22375
NOTE: Introduced by:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc
NOTE: Fixed by:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=34697694e8a93b325b18f25f7dcded55d6baeaf6
-CVE-2017-1000410 [Info Leak in the Linux Kernel via Bluetooth]
+CVE-2017-1000410 (The Linux kernel version 3.3-rc1 and later is affected by a
...)
- linux
NOTE: http://www.openwall.com/lists/oss-security/2017/12/06/3
CVE-2017-1000409
@@ -5856,6 +5984,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/12/05/5
NOTE: https://launchpad.net/bugs/1732976
CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and
16.x through ...)
+ {DSA-4056-1}
- nova 2:16.0.3-1 (bug #882009)
[jessie] - nova (Vulnerble code introduced later)
[wheezy] - nova (Vulnerble code introduced later)
@@ -11363,8 +11492,8 @@
NOT-FOR-US: Cloud Foundry Foundation GrootFS
CVE-2017-14387
RESERVED
-CVE-2017-14386
- RESERVED
+CVE-2017-14386 (The web user interface of Dell 2335dn and 2355dn Multifunction
Laser ...)
+ TODO: check
CVE-2017-14385
RESERVED
CVE-2017-14384
@@ -18455,8 +18584,8 @@
RESERVED
CVE-2017-11938
RESERVED
-CVE-2017-11937
- RESERVED
+CVE-2017-11937 (The Microsoft Malware Protection Engine running on Microsoft
Forefront ...)
+ TODO: check
CVE-2017-11936
RESERVED
CVE-2017-11935
@@ -43487,15 +43616,13 @@
NOT-FOR-US: Lenovo
CVE-2017-3739
RESERVED
-CVE-2017-3738 [rsaz_1024_mul_avx2 overflow bug on x86_64]
- RESERVED
+CVE-2017-3738 (There is an overflow bug in the AVX2 Montgomery multiplication
...)
- openssl
- openssl1.0
NOTE: https://www.openssl.org/news/secadv/20171207.txt
NOTE: OpenSSL_1_1_0-stable:
https://git.openssl.org/?p=openssl.git;a=commit;h=e502cc86df9dafded1694fceb3228ee34d11c11a
NOTE: OpenSSL_1_0_2-stable:
https://git.openssl.org/?p=openssl.git;a=commit;h=ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76
-CVE-2017-3737 [Read/write after SSL object in error state
[Secure-testing-commits] r58339 - in data: . CVE
Author: jmm Date: 2017-12-07 20:59:36 + (Thu, 07 Dec 2017) New Revision: 58339 Modified: data/CVE/list data/dsa-needed.txt Log: various no-dsa add two openssl and sqlite to dsa-needed Modified: data/CVE/list === --- data/CVE/list 2017-12-07 19:29:48 UTC (rev 58338) +++ data/CVE/list 2017-12-07 20:59:36 UTC (rev 58339) @@ -1,8 +1,12 @@ CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead ...) - - libsndfile + - libsndfile (low) + [stretch] - libsndfile (Minor issue) + [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/344 CVE-2017-17456 (The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead ...) - - libsndfile + - libsndfile (low) + [stretch] - libsndfile (Minor issue) + [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/344 CVE-2017-17455 RESERVED @@ -3605,7 +3609,9 @@ CVE-2017-16934 (The web server on DBL DBLTek devices allows remote attackers to execute ...) NOT-FOR-US: DBL DBLTek devices CVE-2017-16933 (etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.0 has a chown ...) - - icinga2 (bug #883247) + - icinga2 (low; bug #883247) + [stretch] - icinga2 (Minor issue) + [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/issues/5793 CVE-2016-10700 (auth_login.php in Cacti before 1.0.0 allows remote authenticated users ...) - cacti 0.8.8h+ds1-5 (bug #833420) @@ -3936,8 +3942,9 @@ NOTE: https://github.com/upx/upx/issues/146 NOTE: crash in CLI tool, no security impact CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c does not ...) - - swftools + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/52 + NOTE: Crash in CLI tool, no security impact CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...) NOT-FOR-US: Amazon Key CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis ...) @@ -4020,23 +4027,31 @@ CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a ...) NOT-FOR-US: nodejs ejs CVE-2017-1000187 (In SWFTools, an address access exception was found in pdf2swf. ...) - - swftools + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/36 + NOTE: Crash in CLI tool, no security implications CVE-2017-1000186 (In SWFTools, a stack overflow was found in pdf2swf. ...) - - swftools + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/34 + NOTE: Crash in CLI tool, no security implications CVE-2017-1000185 (In SWFTools, a memcpy buffer overflow was found in gif2swf. ...) - swftools + [stretch] - swftools (Minor issue) + [jessie] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/33 CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...) - - swftools + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/30 + NOTE: Crash in CLI tool, no security implications CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...) - swftools + [stretch] - swftools (Minor issue) + [jessie] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/23 CVE-2017-1000174 (In SWFTools, an address access exception was found in swfdump ...) - - swftools + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/21 + NOTE: Crash in CLI tool, no security implications CVE-2017-1000173 (Creolabs Gravity Version: 1.0 Heap Overflow Potential Code Execution. ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000172 (Creolabs Gravity Version: 1.0 Use-After-Free Possible code execution. ...) @@ -4449,17 +4464,23 @@ NOT-FOR-US: CMS Made Simple CVE-2017-16797 (In SWFTools 0.9.2, the png_load function in lib/png.c does not properly ...) - swftools + [stretch] - swftools (Minor issue) + [jessie] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/51 CVE-2017-16796 (In SWFTools 0.9.2, the png_load function in lib/png.c does not check ...) - - swftools + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/51 + NOTE: Crash in CLI tool, no security implications CVE-2017-16795 RESERVED CVE-2017-16794 (The png_load function in lib/png.c in SWFTools 0.9.2 does not properly ...) - - swftools + - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/
[Secure-testing-commits] r58338 - data/CVE
Author: carnil Date: 2017-12-07 19:29:48 + (Thu, 07 Dec 2017) New Revision: 58338 Modified: data/CVE/list Log: Hint to the fix for CVE-2017-16926 The commit changes ohcount to use libmagic instead of spawning a process to run file and allowing the injection. Modified: data/CVE/list === --- data/CVE/list 2017-12-07 19:15:38 UTC (rev 58337) +++ data/CVE/list 2017-12-07 19:29:48 UTC (rev 58338) @@ -3643,6 +3643,7 @@ - ohcount (bug #882372) [stretch] - ohcount (Minor issue) [jessie] - ohcount (Minor issue) + NOTE: https://github.com/blackducksoftware/ohcount/commit/6bed45d6fb7c080ae5c163c12b4eb8749a3492ac (v3.1.0) CVE-2017-16925 RESERVED CVE-2017-16924 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58337 - data/CVE
Author: carnil Date: 2017-12-07 19:15:38 + (Thu, 07 Dec 2017) New Revision: 58337 Modified: data/CVE/list Log: Mark CVE-2017-16876 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-12-07 19:07:55 UTC (rev 58336) +++ data/CVE/list 2017-12-07 19:15:38 UTC (rev 58337) @@ -3874,6 +3874,7 @@ CVE-2017-16876 RESERVED - mistune 0.8.1-1 + [stretch] - mistune (Minor issue) NOTE: https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98 CVE-2017-16875 (An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in ...) - pjproject 2.7.1~dfsg-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58336 - data
Author: carnil Date: 2017-12-07 19:07:55 + (Thu, 07 Dec 2017) New Revision: 58336 Modified: data/dsa-needed.txt Log: Add and take libxcursor in dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-07 16:05:21 UTC (rev 58335) +++ data/dsa-needed.txt 2017-12-07 19:07:55 UTC (rev 58336) @@ -25,6 +25,9 @@ -- libvpx/oldstable -- +libxcursor (carnil) + jessie- and stretch-security update ready +-- linux Wait until more issues have piled up -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58335 - data
Author: carnil Date: 2017-12-07 16:05:21 + (Thu, 07 Dec 2017) New Revision: 58335 Modified: data/dsa-needed.txt Log: Add otrs2 to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-07 15:35:04 UTC (rev 58334) +++ data/dsa-needed.txt 2017-12-07 16:05:21 UTC (rev 58335) @@ -28,6 +28,8 @@ linux Wait until more issues have piled up -- +otrs2 +-- php-horde-image -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58334 - data/CVE
Author: carnil Date: 2017-12-07 15:35:04 + (Thu, 07 Dec 2017) New Revision: 58334 Modified: data/CVE/list Log: Add bug reference for libxcursor issue, #883792 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 15:29:38 UTC (rev 58333) +++ data/CVE/list 2017-12-07 15:35:04 UTC (rev 58334) @@ -4902,7 +4902,7 @@ - swauth 1.2.0-4 (bug #882314) NOTE: https://bugs.launchpad.net/swift/+bug/1655781 CVE-2017-16612 (libXcursor before 1.1.15 has various integer overflows that could lead ...) - - libxcursor + - libxcursor (bug #883792) NOTE: http://www.openwall.com/lists/oss-security/2017/11/28/6 NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58333 - data/CVE
Author: carnil Date: 2017-12-07 15:29:38 + (Thu, 07 Dec 2017) New Revision: 58333 Modified: data/CVE/list Log: Add bug reference for CVE-2017-15412 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 15:18:11 UTC (rev 58332) +++ data/CVE/list 2017-12-07 15:29:38 UTC (rev 58333) @@ -8154,7 +8154,7 @@ [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15412 [use after free] RESERVED - - libxml2 + - libxml2 (bug #883790) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=727039 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783160 (not public) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58332 - data/CVE
Author: carnil Date: 2017-12-07 15:18:11 + (Thu, 07 Dec 2017) New Revision: 58332 Modified: data/CVE/list Log: CVE-2017-17090/asterisk fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-07 14:49:13 UTC (rev 58331) +++ data/CVE/list 2017-12-07 15:18:11 UTC (rev 58332) @@ -1274,7 +1274,7 @@ CVE-2017-17096 (Cross-site scripting (XSS) vulnerability in the Content Cards plugin ...) NOT-FOR-US: Wordpress plugin CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source ...) - - asterisk (bug #883342) + - asterisk 1:13.18.3~dfsg-1 (bug #883342) NOTE: http://downloads.digium.com/pub/security/AST-2017-013.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27452 CVE-2018-1040 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58331 - data/CVE
Author: carnil
Date: 2017-12-07 14:49:13 + (Thu, 07 Dec 2017)
New Revision: 58331
Modified:
data/CVE/list
Log:
Add commits for CVE-2017-373{7,8}
Modified: data/CVE/list
===
--- data/CVE/list 2017-12-07 14:36:37 UTC (rev 58330)
+++ data/CVE/list 2017-12-07 14:49:13 UTC (rev 58331)
@@ -43467,6 +43467,8 @@
- openssl
- openssl1.0
NOTE: https://www.openssl.org/news/secadv/20171207.txt
+ NOTE: OpenSSL_1_1_0-stable:
https://git.openssl.org/?p=openssl.git;a=commit;h=e502cc86df9dafded1694fceb3228ee34d11c11a
+ NOTE: OpenSSL_1_0_2-stable:
https://git.openssl.org/?p=openssl.git;a=commit;h=ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76
CVE-2017-3737 [Read/write after SSL object in error state]
RESERVED
- openssl 1.1.0b-2
@@ -43476,6 +43478,7 @@
NOTE: Not fully correct tracking, the issue just does not affect
OpenSSL 1.1.0
NOTE: thus mark as fixed in the firs 1.1.0 version which entered
unstable.
NOTE: https://www.openssl.org/news/secadv/20171207.txt
+ NOTE: OpenSSL_1_0_2-stable:
https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc
CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery
squaring ...)
{DSA-4017-1}
- openssl 1.1.0g-1
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58330 - data/CVE
Author: carnil Date: 2017-12-07 14:36:37 + (Thu, 07 Dec 2017) New Revision: 58330 Modified: data/CVE/list Log: Add CVE-2017-3738 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 14:34:28 UTC (rev 58329) +++ data/CVE/list 2017-12-07 14:36:37 UTC (rev 58330) @@ -43462,8 +43462,11 @@ NOT-FOR-US: Lenovo CVE-2017-3739 RESERVED -CVE-2017-3738 +CVE-2017-3738 [rsaz_1024_mul_avx2 overflow bug on x86_64] RESERVED + - openssl + - openssl1.0 + NOTE: https://www.openssl.org/news/secadv/20171207.txt CVE-2017-3737 [Read/write after SSL object in error state] RESERVED - openssl 1.1.0b-2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58329 - data/CVE
Author: carnil
Date: 2017-12-07 14:34:28 + (Thu, 07 Dec 2017)
New Revision: 58329
Modified:
data/CVE/list
Log:
Add CVE-2017-3737
Modified: data/CVE/list
===
--- data/CVE/list 2017-12-07 14:23:01 UTC (rev 58328)
+++ data/CVE/list 2017-12-07 14:34:28 UTC (rev 58329)
@@ -43464,8 +43464,15 @@
RESERVED
CVE-2017-3738
RESERVED
-CVE-2017-3737
+CVE-2017-3737 [Read/write after SSL object in error state]
RESERVED
+ - openssl 1.1.0b-2
+ [jessie] - openssl (Issue introduced in 1.0.2b)
+ [wheezy] - openssl (Issue introduced in 1.0.2b)
+ - openssl1.0
+ NOTE: Not fully correct tracking, the issue just does not affect
OpenSSL 1.1.0
+ NOTE: thus mark as fixed in the firs 1.1.0 version which entered
unstable.
+ NOTE: https://www.openssl.org/news/secadv/20171207.txt
CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery
squaring ...)
{DSA-4017-1}
- openssl 1.1.0g-1
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58328 - data/CVE
Author: carnil Date: 2017-12-07 14:23:01 + (Thu, 07 Dec 2017) New Revision: 58328 Modified: data/CVE/list Log: Add information for CVE-2017-15412 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 14:05:00 UTC (rev 58327) +++ data/CVE/list 2017-12-07 14:23:01 UTC (rev 58328) @@ -8152,9 +8152,12 @@ - chromium-browser [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) -CVE-2017-15412 +CVE-2017-15412 [use after free] RESERVED - libxml2 + NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=727039 + NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783160 (not public) + NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73 CVE-2017-15411 RESERVED - chromium-browser ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58327 - data/CVE
Author: carnil Date: 2017-12-07 14:05:00 + (Thu, 07 Dec 2017) New Revision: 58327 Modified: data/CVE/list Log: CVE-2017-15422/icu: reference the chromium bug to better identify the issue since no further information provided Modified: data/CVE/list === --- data/CVE/list 2017-12-07 13:52:08 UTC (rev 58326) +++ data/CVE/list 2017-12-07 14:05:00 UTC (rev 58327) @@ -8109,9 +8109,10 @@ - chromium-browser [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) -CVE-2017-15422 +CVE-2017-15422 [integer overflow in icu] RESERVED - icu + NOTE: https://code.google.com/p/chromium/issues/detail?id=774382 CVE-2017-15421 RESERVED CVE-2017-15420 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58326 - data/CVE
Author: carnil Date: 2017-12-07 13:52:08 + (Thu, 07 Dec 2017) New Revision: 58326 Modified: data/CVE/list Log: Update information for CVE-2017-16854/otrs2 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 13:51:56 UTC (rev 58325) +++ data/CVE/list 2017-12-07 13:52:08 UTC (rev 58326) @@ -4252,8 +4252,9 @@ - ipsilon (bug #826838) CVE-2017-16854 [OSA-2017-08: Information Disclosure] RESERVED - - otrs2 + - otrs2 6.0.2-1 NOTE: https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/ + NOTE: https://bugs.otrs.org/show_bug.cgi?id=13347 NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/867aba14900f17caacb0285a08b6981bbdbbe016 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/8748d040058695fda5c9cfcb2a78d8947ed4188d NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/e0deab303e3d0f7c860bba291410512734f4d6b0 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58325 - data/CVE
Author: carnil Date: 2017-12-07 13:51:56 + (Thu, 07 Dec 2017) New Revision: 58325 Modified: data/CVE/list Log: Update information for CVE-2017-16921/otrs2 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 13:46:59 UTC (rev 58324) +++ data/CVE/list 2017-12-07 13:51:56 UTC (rev 58325) @@ -3653,7 +3653,9 @@ RESERVED CVE-2017-16921 [OSA-2017-09: Remote code execution] RESERVED - - otrs2 + - otrs2 6.0.2-1 (bug #883774) + NOTE: https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/ + NOTE: https://bugs.otrs.org/show_bug.cgi?id=13357 NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/d12797bf1efa6722c2ba9af6d8238446c2903cd1 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/d433518d7bd8e9e079af67ef9ea7079cd2f59646 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/368bc37f137e6344f4db014ee2e03c38e2fc62d2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58324 - data/CVE
Author: carnil Date: 2017-12-07 13:46:59 + (Thu, 07 Dec 2017) New Revision: 58324 Modified: data/CVE/list Log: Add CVE-2017-16854/otrs2 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 13:35:28 UTC (rev 58323) +++ data/CVE/list 2017-12-07 13:46:59 UTC (rev 58324) @@ -4248,8 +4248,13 @@ NOT-FOR-US: Atlassian Confluence CVE-2017-16855 (Ipsilon before 2.1.0 has a "SAML2 multi-session vulnerability." ...) - ipsilon (bug #826838) -CVE-2017-16854 +CVE-2017-16854 [OSA-2017-08: Information Disclosure] RESERVED + - otrs2 + NOTE: https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/ + NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/867aba14900f17caacb0285a08b6981bbdbbe016 + NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/8748d040058695fda5c9cfcb2a78d8947ed4188d + NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/e0deab303e3d0f7c860bba291410512734f4d6b0 CVE-2017-16851 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16850 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58323 - data/CVE
Author: carnil Date: 2017-12-07 13:35:28 + (Thu, 07 Dec 2017) New Revision: 58323 Modified: data/CVE/list Log: Add CVE-2017-16921/otrs2 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 12:53:29 UTC (rev 58322) +++ data/CVE/list 2017-12-07 13:35:28 UTC (rev 58323) @@ -3651,8 +3651,13 @@ NOT-FOR-US: Shenzhen Tenda CVE-2017-16922 RESERVED -CVE-2017-16921 +CVE-2017-16921 [OSA-2017-09: Remote code execution] RESERVED + - otrs2 + NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/d12797bf1efa6722c2ba9af6d8238446c2903cd1 + NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/d433518d7bd8e9e079af67ef9ea7079cd2f59646 + NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/368bc37f137e6344f4db014ee2e03c38e2fc62d2 + NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/4043ebb2580cd8f87e7758e95bf0d77eea5c82ae CVE-2017-16920 (v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY ...) NOT-FOR-US: dayrui FineCms CVE-2017-16919 (MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58322 - in data: . CVE
Author: jmm Date: 2017-12-07 12:53:29 + (Thu, 07 Dec 2017) New Revision: 58322 Modified: data/CVE/list data/dsa-needed.txt Log: new chromium issues (also libxml/icu) Modified: data/CVE/list === --- data/CVE/list 2017-12-07 10:12:09 UTC (rev 58321) +++ data/CVE/list 2017-12-07 12:53:29 UTC (rev 58322) @@ -8073,46 +8073,99 @@ RESERVED CVE-2017-15427 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15426 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15425 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15424 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15423 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15422 RESERVED + - icu CVE-2017-15421 RESERVED CVE-2017-15420 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15419 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15418 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15417 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15416 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15415 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15414 RESERVED CVE-2017-15413 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15412 RESERVED + - libxml2 CVE-2017-15411 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15410 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15409 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15408 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15407 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15406 RESERVED CVE-2017-15405 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-07 10:12:09 UTC (rev 58321) +++ data/dsa-needed.txt 2017-12-07 12:53:29 UTC (rev 58322) @@ -14,6 +14,8 @@ -- 389-ds-base (fw) -- +chromium-browser +-- erlang (jmm) -- graphicsmagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58321 - data
Author: jmm Date: 2017-12-07 10:12:09 + (Thu, 07 Dec 2017) New Revision: 58321 Modified: data/dsa-needed.txt Log: take erlang Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-07 10:02:24 UTC (rev 58320) +++ data/dsa-needed.txt 2017-12-07 10:12:09 UTC (rev 58321) @@ -14,7 +14,7 @@ -- 389-ds-base (fw) -- -erlang +erlang (jmm) -- graphicsmagick -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58320 - data/CVE
Author: carnil Date: 2017-12-07 10:02:24 + (Thu, 07 Dec 2017) New Revision: 58320 Modified: data/CVE/list Log: CVE-2017-17051/nova fixed Modified: data/CVE/list === --- data/CVE/list 2017-12-07 09:37:21 UTC (rev 58319) +++ data/CVE/list 2017-12-07 10:02:24 UTC (rev 58320) @@ -5811,7 +5811,7 @@ CVE-2017-16240 RESERVED CVE-2017-17051 (An issue was discovered in the default FilterScheduler in OpenStack ...) - - nova (bug #883621) + - nova 2:16.0.3-6 (bug #883621) [stretch] - nova (Fix for CVE-2017-16239 not applied and not affecting 14.x.y) [jessie] - nova (Vulnerable code not present) [wheezy] - nova (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58319 - data/CVE
Author: carnil Date: 2017-12-07 09:37:21 + (Thu, 07 Dec 2017) New Revision: 58319 Modified: data/CVE/list Log: Add two new libsndfile issues Modified: data/CVE/list === --- data/CVE/list 2017-12-07 09:13:50 UTC (rev 58318) +++ data/CVE/list 2017-12-07 09:37:21 UTC (rev 58319) @@ -1,7 +1,9 @@ CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead ...) - TODO: check + - libsndfile + NOTE: https://github.com/erikd/libsndfile/issues/344 CVE-2017-17456 (The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead ...) - TODO: check + - libsndfile + NOTE: https://github.com/erikd/libsndfile/issues/344 CVE-2017-17455 RESERVED CVE-2017-17454 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58318 - data/CVE
Author: carnil Date: 2017-12-07 09:13:50 + (Thu, 07 Dec 2017) New Revision: 58318 Modified: data/CVE/list Log: Add fixing version for CVE-2017-17446/game-music-emu, #883691 Modified: data/CVE/list === --- data/CVE/list 2017-12-07 09:11:59 UTC (rev 58317) +++ data/CVE/list 2017-12-07 09:13:50 UTC (rev 58318) @@ -234,7 +234,7 @@ CVE-2017-17441 RESERVED CVE-2017-17446 (The Mem_File_Reader::read_avail function in Data_Reader.cpp in the ...) - - game-music-emu (bug #883691) + - game-music-emu 0.6.2-1 (bug #883691) [stretch] - game-music-emu (Minor issue) [jessie] - game-music-emu (Minor issue) NOTE: https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58317 - data/CVE
Author: carnil Date: 2017-12-07 09:11:59 + (Thu, 07 Dec 2017) New Revision: 58317 Modified: data/CVE/list Log: Add three new linux issues Modified: data/CVE/list === --- data/CVE/list 2017-12-07 09:10:16 UTC (rev 58316) +++ data/CVE/list 2017-12-07 09:11:59 UTC (rev 58317) @@ -13,11 +13,14 @@ CVE-2017-17451 (The WP Mailster plugin before 1.5.5 for WordPress has XSS in the ...) TODO: check CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not ...) - TODO: check + - linux + NOTE: https://lkml.org/lkml/2017/12/5/982 CVE-2017-17449 (The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in ...) - TODO: check + - linux + NOTE: https://lkml.org/lkml/2017/12/5/950 CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 ...) - TODO: check + - linux + NOTE: https://patchwork.kernel.org/patch/10089373/ CVE-2018-1280 RESERVED CVE-2018-1279 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58315 - in data: . DSA
Author: seb
Date: 2017-12-07 09:10:07 + (Thu, 07 Dec 2017)
New Revision: 58315
Modified:
data/DSA/list
data/dsa-needed.txt
Log:
Reserve DSA-4056-1 for CVE-2017-16239 (nova)
Modified: data/DSA/list
===
--- data/DSA/list 2017-12-07 08:29:28 UTC (rev 58314)
+++ data/DSA/list 2017-12-07 09:10:07 UTC (rev 58315)
@@ -1,3 +1,6 @@
+[07 Dec 2017] DSA-4056-1 nova - security update
+ {CVE-2017-16239}
+ [stretch] - nova 2:14.0.0-4+deb9u1
[07 Dec 2017] DSA-4055-1 heimdal - security update
{CVE-2017-17439}
[stretch] - heimdal 7.1.0+dfsg-13+deb9u2
Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-07 08:29:28 UTC (rev 58314)
+++ data/dsa-needed.txt 2017-12-07 09:10:07 UTC (rev 58315)
@@ -26,11 +26,6 @@
linux
Wait until more issues have piled up
--
-nova (seb)
- 2017-11-20: maintainer prepared debdiff. Asked for extra ACK from SRM
- due to new dependency being introduced
- Important: original fix would introduce a regression (needs fix upstream)
---
php-horde-image
--
php5
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58316 - data/CVE
Author: sectracker
Date: 2017-12-07 09:10:16 + (Thu, 07 Dec 2017)
New Revision: 58316
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2017-12-07 09:10:07 UTC (rev 58315)
+++ data/CVE/list 2017-12-07 09:10:16 UTC (rev 58316)
@@ -1,3 +1,23 @@
+CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1
may lead ...)
+ TODO: check
+CVE-2017-17456 (The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1
may lead ...)
+ TODO: check
+CVE-2017-17455
+ RESERVED
+CVE-2017-17454
+ RESERVED
+CVE-2017-17453
+ RESERVED
+CVE-2017-17452
+ RESERVED
+CVE-2017-17451 (The WP Mailster plugin before 1.5.5 for WordPress has XSS in
the ...)
+ TODO: check
+CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does
not ...)
+ TODO: check
+CVE-2017-17449 (The __netlink_deliver_tap_skb function in
net/netlink/af_netlink.c in ...)
+ TODO: check
+CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through
4.14.4 ...)
+ TODO: check
CVE-2018-1280
RESERVED
CVE-2018-1279
@@ -223,6 +243,7 @@
[jessie] - libextractor (Minor issue)
NOTE: Fixed by:
https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e
CVE-2017-17439 (In Heimdal through 7.4, remote unauthenticated attackers are
able to ...)
+ {DSA-4055-1}
- heimdal (bug #878144)
[jessie] - heimdal (Vulnerability introduced in 7.0)
[wheezy] - heimdal (Vulnerability introduced in 7.0)
@@ -233,10 +254,10 @@
RESERVED
CVE-2017-17437
RESERVED
-CVE-2017-17436
- RESERVED
-CVE-2017-17435
- RESERVED
+CVE-2017-17436 (An issue was discovered in the software on Vaultek Gun Safe
VT20i ...)
+ TODO: check
+CVE-2017-17435 (An issue was discovered in the software on Vaultek Gun Safe
VT20i ...)
+ TODO: check
CVE-2017-17434 (The daemon in rsync 3.1.2, and 3.1.3-development before
2017-12-03, ...)
- rsync (bug #883665)
NOTE:
https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1
@@ -246,8 +267,8 @@
NOTE:
https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
CVE-2017-17431 (GeniXCMS 1.1.5 has XSS via the from, id, lang, menuid, mod, q,
status, ...)
NOT-FOR-US: GeniXCMS
-CVE-2017-17430
- RESERVED
+CVE-2017-17430 (Sangoma NetBorder / Vega Session Controller before
2.3.12-80-GA allows ...)
+ TODO: check
CVE-2017-17429
RESERVED
CVE-2017-17428
@@ -432,8 +453,8 @@
RESERVED
CVE-2017-17385
RESERVED
-CVE-2017-17384
- RESERVED
+CVE-2017-17384 (ISPConfig 3.x before 3.1.9 allows remote authenticated users
to obtain ...)
+ TODO: check
CVE-2017-17383 (Jenkins through 2.93 allows remote authenticated
administrators to ...)
- jenkins
CVE-2017-17382
@@ -2629,7 +2650,7 @@
NOT-FOR-US: GitPHP
CVE-2017-1000207 (A vulnerability in Swagger-Parser's version <= 1.0.30 and
Swagger ...)
NOT-FOR-US: Swagger-Parser
-CVE-2017-1000159 (Command injection in evince 3.24.8 via filename when
printing to PDF ...)
+CVE-2017-1000159 (Command injection in evince via filename when printing to
PDF. This ...)
- evince 3.25.92-1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784947
NOTE: Introduced by:
https://git.gnome.org/browse/evince/commit/?id=1fcca0b8041de0d6074d7e17fba174da36c65f99
(EVINCE_0_9_1)
@@ -169200,7 +169221,7 @@
NOT-FOR-US: Opera
CVE-2002-2483
- linux-2.6 2.4.20
-CVE-2012-1002 (Unspecified vulnerability in OpenConf 4.x before 4.12 has
unknown ...)
+CVE-2012-1002 (SQL injection vulnerability in author/edit.php in OpenConf 4.x
before ...)
NOT-FOR-US: OpenConf
CVE-2012-1001
RESERVED
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58314 - data/CVE
Author: carnil Date: 2017-12-07 08:29:28 + (Thu, 07 Dec 2017) New Revision: 58314 Modified: data/CVE/list Log: Add patch for CVE-2017-17446/game-music-emu Modified: data/CVE/list === --- data/CVE/list 2017-12-07 07:33:21 UTC (rev 58313) +++ data/CVE/list 2017-12-07 08:29:28 UTC (rev 58314) @@ -215,6 +215,8 @@ [stretch] - game-music-emu (Minor issue) [jessie] - game-music-emu (Minor issue) NOTE: https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size + NOTE: Patch: https://bitbucket.org/mpyne/game-music-emu/commits/205290614cdc057541b26adeea05a9d45993f860 + NOTE: Additional hardening: https://bitbucket.org/mpyne/game-music-emu/commits/4a441e94cba14268bc4e983d4dfd6ed112084d00 CVE-2017-17440 (GNU Libextractor 1.6 allows remote attackers to cause a denial of ...) - libextractor (bug #883528) [stretch] - libextractor (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
