[Secure-testing-commits] r58375 - data
Author: carnil Date: 2017-12-09 07:53:35 + (Sat, 09 Dec 2017) New Revision: 58375 Modified: data/dsa-needed.txt Log: Add rsync to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-09 07:53:32 UTC (rev 58374) +++ data/dsa-needed.txt 2017-12-09 07:53:35 UTC (rev 58375) @@ -50,6 +50,8 @@ -- ruby2.1/oldstable -- +rsync (carnil) +-- salt -- simplesamlphp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58374 - data
Author: carnil Date: 2017-12-09 07:53:32 + (Sat, 09 Dec 2017) New Revision: 58374 Modified: data/dsa-needed.txt Log: Add firefox-esr to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-09 07:39:34 UTC (rev 58373) +++ data/dsa-needed.txt 2017-12-09 07:53:32 UTC (rev 58374) @@ -16,6 +16,8 @@ -- chromium-browser -- +firefox-esr +-- graphicsmagick -- libav/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
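Review bot: the new `+firefox-esr` line in data/dsa-needed.txt carries no claimant, while other entries in this file do (`libxcursor (carnil)` in r58368, `rsync (carnil)` in r58375); if you are preparing the firefox-esr update, add your name in parentheses so the list shows who owns it and nobody else starts the same work.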
[Secure-testing-commits] r58373 - data/CVE
Author: carnil Date: 2017-12-09 07:39:34 + (Sat, 09 Dec 2017) New Revision: 58373 Modified: data/CVE/list Log: CVE-2017-7843/firefox-esr fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-09 07:37:08 UTC (rev 58372) +++ data/CVE/list 2017-12-09 07:39:34 UTC (rev 58373) @@ -30820,7 +30820,7 @@ CVE-2017-7843 RESERVED - firefox 57.0.1-1 - - firefox-esr + - firefox-esr 52.5.2esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7843 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7843 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1410106 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
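Review bot: the CVE-2017-7843 entry still has a bare `RESERVED` line with no bracketed summary, although it now tracks fixed versions for both firefox and firefox-esr; other reserved-but-tracked entries in this file carry one (for example `CVE-2017-16921 [OSA-2017-09: Remote code execution]` before the automatic update replaced it), so add a short `[mfsa2017-27/mfsa2017-28: ...]` summary so the entry is readable before MITRE publishes the description.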
[Secure-testing-commits] r58372 - data/CVE
Author: carnil Date: 2017-12-09 07:37:08 + (Sat, 09 Dec 2017) New Revision: 58372 Modified: data/CVE/list Log: Four CVEs for wordpress fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-08 21:26:23 UTC (rev 58371) +++ data/CVE/list 2017-12-09 07:37:08 UTC (rev 58372) @@ -2068,19 +2068,19 @@ CVE-2017-17089 RESERVED CVE-2017-17091 (wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser ...) - - wordpress (bug #883314) + - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17093 (wp-includes/general-template.php in WordPress before 4.9.1 does not ...) - - wordpress (bug #883314) + - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17094 (wp-includes/feed.php in WordPress before 4.9.1 does not properly ...) - - wordpress (bug #883314) + - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17092 (wp-includes/functions.php in WordPress before 4.9.1 does not require ...) - - wordpress (bug #883314) + - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58371 - data/CVE
Author: carnil Date: 2017-12-08 21:26:23 + (Fri, 08 Dec 2017) New Revision: 58371 Modified: data/CVE/list Log: Process two issues in kibana, itp'ed, #700337 Modified: data/CVE/list === --- data/CVE/list 2017-12-08 21:19:37 UTC (rev 58370) +++ data/CVE/list 2017-12-08 21:26:23 UTC (rev 58371) @@ -20031,9 +20031,9 @@ CVE-2017-11483 RESERVED CVE-2017-11482 (The Kibana fix for CVE-2017-8451 was found to be incomplete. With ...) - TODO: check + - kibana (bug #700337) CVE-2017-11481 (Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting ...) - TODO: check + - kibana (bug #700337) CVE-2017-11480 (Packetbeat versions prior to 5.6.4 are affected by a denial of service ...) TODO: check CVE-2017-11479 (Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
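Review bot: the hunk's trailing context shows CVE-2017-11479, another Kibana cross-site scripting issue, but its status line lies outside the hunk; check that it receives the same `- kibana (bug #700337)` marking given here to CVE-2017-11482 and CVE-2017-11481, otherwise three issues in one not-yet-packaged ITP (#700337) will show different states in the tracker.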
[Secure-testing-commits] r58370 - data/CVE
Author: carnil Date: 2017-12-08 21:19:37 + (Fri, 08 Dec 2017) New Revision: 58370 Modified: data/CVE/list Log: Add openjpeg2 issues Modified: data/CVE/list === --- data/CVE/list 2017-12-08 21:10:25 UTC (rev 58369) +++ data/CVE/list 2017-12-08 21:19:37 UTC (rev 58370) @@ -1,7 +1,9 @@ CVE-2017-17480 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) - TODO: check + - openjpeg2 + NOTE: https://github.com/uclouvain/openjpeg/issues/1044 CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) - TODO: check + - openjpeg2 + NOTE: https://github.com/uclouvain/openjpeg/issues/1044 CVE-2017-17478 RESERVED CVE-2017-17477 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
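Review bot: both openjpeg2 entries become a bare `- openjpeg2` with no Debian bug reference or severity, while comparable open entries in this file carry one (`- libxcursor (bug #883792)`, `- libsndfile (low)`); file a bug or add a severity so the status is actionable. Both NOTE lines also point at the same upstream issue #1044 and the two CVE descriptions are truncated identically, so a few words in each NOTE saying which report covers which function would keep them distinguishable.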
[Secure-testing-commits] r58369 - data/CVE
Author: sectracker Date: 2017-12-08 21:10:25 + (Fri, 08 Dec 2017) New Revision: 58369 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-08 19:20:32 UTC (rev 58368) +++ data/CVE/list 2017-12-08 21:10:25 UTC (rev 58369) @@ -1,3 +1,13 @@ +CVE-2017-17480 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) + TODO: check +CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) + TODO: check +CVE-2017-17478 + RESERVED +CVE-2017-17477 + RESERVED +CVE-2017-17476 + RESERVED CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17474 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) @@ -3770,7 +3780,7 @@ - linux 4.13.13-1 NOTE: Fixed by: https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to ...) - {DLA-1196-1} + {DSA-4058-1 DLA-1196-1} - optipng 0.7.6-1.1 (bug #878839) NOTE: https://sourceforge.net/p/optipng/bugs/69/ CVE-2017-16937 @@ -3831,8 +3841,7 @@ NOT-FOR-US: Shenzhen Tenda CVE-2017-16922 RESERVED -CVE-2017-16921 [OSA-2017-09: Remote code execution] - RESERVED +CVE-2017-16921 (In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including ...) - otrs2 6.0.2-1 (bug #883774) NOTE: https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/ NOTE: https://bugs.otrs.org/show_bug.cgi?id=13357 
@@ -4158,7 +4167,7 @@ NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256 NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 ...) - {DLA-1184-1} + {DSA-4058-1 DLA-1184-1} - optipng 0.7.6-1.1 (bug #882032) NOTE: https://sourceforge.net/p/optipng/bugs/65/ NOTE: Proposed patch: https://sourceforge.net/p/optipng/bugs/_discuss/thread/2a56b3aa/f6bb/attachment/0001-Prevent-integer-overflow-bug-65-CVE-2017-1000229.patch @@ -4441,8 +4450,7 @@ NOT-FOR-US: Atlassian Confluence CVE-2017-16855 (Ipsilon before 2.1.0 has a "SAML2 multi-session vulnerability." ...) - ipsilon (bug #826838) -CVE-2017-16854 [OSA-2017-08: Information Disclosure] - RESERVED +CVE-2017-16854 (In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, ...) - otrs2 6.0.2-1 NOTE: https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/ NOTE: https://bugs.otrs.org/show_bug.cgi?id=13347 @@ -5099,6 +5107,7 @@ - swauth 1.2.0-4 (bug #882314) NOTE: https://bugs.launchpad.net/swift/+bug/1655781 CVE-2017-16612 (libXcursor before 1.1.15 has various integer overflows that could lead ...) + {DSA-4059-1} - libxcursor (bug #883792) NOTE: http://www.openwall.com/lists/oss-security/2017/11/28/6 NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 
@@ -7196,16 +7205,16 @@ RESERVED CVE-2017-15896 RESERVED -CVE-2017-15895 - RESERVED -CVE-2017-15894 - RESERVED -CVE-2017-15893 - RESERVED +CVE-2017-15895 (Directory traversal vulnerability in the SYNO.FileStation.Extract in ...) + TODO: check +CVE-2017-15894 (Directory traversal vulnerability in the SYNO.FileStation.Extract in ...) + TODO: check +CVE-2017-15893 (Directory traversal vulnerability in the SYNO.FileStation.Extract in ...) + TODO: check CVE-2017-15892 RESERVED -CVE-2017-15891 - RESERVED +CVE-2017-15891 (Improper access control vulnerability in SYNO.Cal.EventBase in ...) + TODO: check CVE-2017-15890 RESERVED CVE-2017-15889 (Command injection vulnerability in smart.cgi in Synology DiskStation ...) @@ -16281,8 +16290,8 @@ RESERVED CVE-2017-12824 (Special crafted InPage document leads to arbitrary code execution in ...) NOT-FOR-US: InPage -CVE-2017-12823 - RESERVED +CVE-2017-12823 (Kernel pool memory corruption in one of drivers in Kaspersky Embedded ...) + TODO: check CVE-2017-12822 (Remote enabling and disabling admin interface in Gemalto's HASP SRM, ...) NOT-FOR-US: Gemalto CVE-2017-12821 (Memory corruption in Gemalto's HASP SRM, Sentinel HASP and Sentinel ...) @@ -18629,8 +18638,8 @@ RESERVED CVE-2017-11941 RESERVED -CVE-2017-11940 - RESERVED +CVE-2017-11940 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) + TODO: check CVE-2017-11939 RESERVED CVE-2017-11938 @@ -20019,12 +20028,12 @@ RESERVED
[Secure-testing-commits] r58368 - in data: . DSA
Author: carnil Date: 2017-12-08 19:20:32 + (Fri, 08 Dec 2017) New Revision: 58368 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for libxcursor Modified: data/DSA/list === --- data/DSA/list 2017-12-08 18:03:50 UTC (rev 58367) +++ data/DSA/list 2017-12-08 19:20:32 UTC (rev 58368) @@ -1,3 +1,7 @@ +[08 Dec 2017] DSA-4059-1 libxcursor - security update + {CVE-2017-16612} + [jessie] - libxcursor 1:1.1.14-1+deb8u1 + [stretch] - libxcursor 1:1.1.14-1+deb9u1 [08 Dec 2017] DSA-4058-1 optipng - security update {CVE-2017-16938 CVE-2017-1000229} [jessie] - optipng 0.7.5-1+deb8u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-08 18:03:50 UTC (rev 58367) +++ data/dsa-needed.txt 2017-12-08 19:20:32 UTC (rev 58368) @@ -23,9 +23,6 @@ -- libvpx/oldstable -- -libxcursor (carnil) - jessie- and stretch-security update ready --- linux Wait until more issues have piled up -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
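Review bot: this commit reserves DSA-4059-1 in data/DSA/list, but the matching `{DSA-4059-1}` cross-reference on the CVE-2017-16612 entry in data/CVE/list is not part of it (the Modified: line lists only data/DSA/list and data/dsa-needed.txt); the automatic update r58369 added it afterwards. Reserving the DSA and adding the cross-reference in one commit keeps the CVE entry from showing the issue as open in jessie and stretch in between.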
[Secure-testing-commits] r58367 - data/DSA
Author: carnil Date: 2017-12-08 18:03:50 + (Fri, 08 Dec 2017) New Revision: 58367 Modified: data/DSA/list Log: Reserve DSA for optipng update Modified: data/DSA/list === --- data/DSA/list 2017-12-08 17:53:42 UTC (rev 58366) +++ data/DSA/list 2017-12-08 18:03:50 UTC (rev 58367) @@ -1,3 +1,7 @@ +[08 Dec 2017] DSA-4058-1 optipng - security update + {CVE-2017-16938 CVE-2017-1000229} + [jessie] - optipng 0.7.5-1+deb8u2 + [stretch] - optipng 0.7.6-1+deb9u1 [08 Dec 2017] DSA-4057-1 erlang - security update {CVE-2017-1000385} [jessie] - erlang 1:17.3-dfsg-4+deb8u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
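Review bot: the DSA-4058-1 reservation touches only data/DSA/list; the `{DSA-4058-1 DLA-1196-1}` and `{DSA-4058-1 DLA-1184-1}` cross-references on the CVE-2017-16938 and CVE-2017-1000229 entries in data/CVE/list only arrived with the automatic update r58369. Add them in the same commit as the reservation so both files agree at every revision.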
[Secure-testing-commits] r58366 - data/CVE
Author: carnil Date: 2017-12-08 17:53:42 + (Fri, 08 Dec 2017) New Revision: 58366 Modified: data/CVE/list Log: Two optipng issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-08 16:36:08 UTC (rev 58365) +++ data/CVE/list 2017-12-08 17:53:42 UTC (rev 58366) @@ -3771,7 +3771,7 @@ NOTE: Fixed by: https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to ...) {DLA-1196-1} - - optipng (bug #878839) + - optipng 0.7.6-1.1 (bug #878839) NOTE: https://sourceforge.net/p/optipng/bugs/69/ CVE-2017-16937 RESERVED @@ -4159,7 +4159,7 @@ NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 ...) {DLA-1184-1} - - optipng (bug #882032) + - optipng 0.7.6-1.1 (bug #882032) NOTE: https://sourceforge.net/p/optipng/bugs/65/ NOTE: Proposed patch: https://sourceforge.net/p/optipng/bugs/_discuss/thread/2a56b3aa/f6bb/attachment/0001-Prevent-integer-overflow-bug-65-CVE-2017-1000229.patch CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote code ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58365 - data/CVE
Author: mattia Date: 2017-12-08 16:36:08 + (Fri, 08 Dec 2017) New Revision: 58365 Modified: data/CVE/list Log: link upstream commit for libpodofo/CVE-2017-8378 Modified: data/CVE/list === --- data/CVE/list 2017-12-08 16:08:51 UTC (rev 58364) +++ data/CVE/list 2017-12-08 16:36:08 UTC (rev 58365) @@ -29189,8 +29189,8 @@ [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) - NOTE: https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects - NOTE: Proposed patch (for wheezy) attached to bug #861597. + NOTE: PoC: https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects + NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1833/ CVE-2017-8377 (GeniXCMS 1.0.2 has SQL Injection in ...) NOT-FOR-US: GeniXCMS CVE-2017-8376 (GeniXCMS 1.0.2 has XSS triggered by an authenticated comment that is ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
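Review bot: the second removed line drops the pointer to the proposed wheezy patch attached to bug #861597, and the replacement records only the upstream commit. Since stretch, jessie and wheezy are all still marked `(Minor issue)` and unfixed, keep both pointers, e.g. `NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1833/` followed by `NOTE: Proposed patch (for wheezy) attached to bug #861597.`, so whoever picks the issue up later can find the backport without re-deriving it.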
[Secure-testing-commits] r58364 - data/CVE
Author: carnil Date: 2017-12-08 16:08:51 + (Fri, 08 Dec 2017) New Revision: 58364 Modified: data/CVE/list Log: Cleanup trailing whitespaces Modified: data/CVE/list === --- data/CVE/list 2017-12-08 16:08:39 UTC (rev 58363) +++ data/CVE/list 2017-12-08 16:08:51 UTC (rev 58364) @@ -2179,7 +2179,7 @@ RESERVED {DSA-4057-1} - erlang 1:20.1.7+dfsg-1 - NOTE: https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM + NOTE: https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM NOTE: https://github.com/erlang/otp/commit/38b07caa2a1c6cd3537eadd36770afa54f067562 (OTP-20.1.7) NOTE: https://github.com/erlang/otp/commit/3b4386dd19b7e669f557c95ace8d7ba228291927 (OTP-19.3.6.4) NOTE: https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 (OTP-18.3.4.7) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58363 - data/CVE
Author: carnil Date: 2017-12-08 16:08:39 + (Fri, 08 Dec 2017) New Revision: 58363 Modified: data/CVE/list Log: Update firefox/firefox-esr entries Modified: data/CVE/list === --- data/CVE/list 2017-12-08 14:52:12 UTC (rev 58362) +++ data/CVE/list 2017-12-08 16:08:39 UTC (rev 58363) @@ -30798,12 +30798,21 @@ RESERVED CVE-2017-7845 RESERVED + - firefox (Only affects Firefox on Windows) + - firefox-esr (Only affects Firefox on Windows) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/#CVE-2017-7845 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7845 CVE-2017-7844 RESERVED - firefox 57.0.1-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7844 CVE-2017-7843 RESERVED - firefox 57.0.1-1 + - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7843 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7843 + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1410106 CVE-2017-7842 RESERVED - firefox 57.0-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
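Review bot: `- firefox (Only affects Firefox on Windows)` and the matching firefox-esr line on CVE-2017-7845 are unversioned package entries, which is how this file records an open issue (compare `- firefox-esr` on CVE-2017-7843 in the same hunk, completed with `52.5.2esr-1` once fixed in r58373). If the bug cannot affect Debian's builds, use the tracker's not-affected marker, `- firefox <not-affected> (Only affects Firefox on Windows)`, so the entry does not show as unfixed in unstable.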
[Secure-testing-commits] r58362 - data
Author: alteholz Date: 2017-12-08 14:52:12 + (Fri, 08 Dec 2017) New Revision: 58362 Modified: data/dla-needed.txt Log: add qemu-kvm to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-08 14:51:36 UTC (rev 58361) +++ data/dla-needed.txt 2017-12-08 14:52:12 UTC (rev 58362) @@ -74,6 +74,8 @@ -- qemu -- +qemu-kvm +-- rsync (Thorsten Alteholz) -- rtpproxy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
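Review bot: `+qemu-kvm` is added without a claimant or a pointer to the CVEs that need a wheezy update, unlike `rsync (Thorsten Alteholz)` two lines below; as r58360 adds `qemu` as a separate entry in the same file, a one-line note on each saying which issues the two source packages share would avoid the same backport being prepared twice.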
[Secure-testing-commits] r58361 - data
Author: alteholz Date: 2017-12-08 14:51:36 + (Fri, 08 Dec 2017) New Revision: 58361 Modified: data/dla-needed.txt Log: add libxml2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-08 14:49:37 UTC (rev 58360) +++ data/dla-needed.txt 2017-12-08 14:51:36 UTC (rev 58361) @@ -51,6 +51,8 @@ -- libxfont (Emilio Pozuelo) -- +libxml2 (Thorsten Alteholz) +-- linux -- ming (Hugo Lefeuvre) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58360 - data
Author: alteholz Date: 2017-12-08 14:49:37 + (Fri, 08 Dec 2017) New Revision: 58360 Modified: data/dla-needed.txt Log: add qemu to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-08 14:48:31 UTC (rev 58359) +++ data/dla-needed.txt 2017-12-08 14:49:37 UTC (rev 58360) @@ -70,6 +70,8 @@ -- otrs2 (Emilio Pozuelo) -- +qemu +-- rsync (Thorsten Alteholz) -- rtpproxy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58359 - data/CVE
Author: alteholz Date: 2017-12-08 14:48:31 + (Fri, 08 Dec 2017) New Revision: 58359 Modified: data/CVE/list Log: follow security team for CVE-2017-17456 and CVE-2017-17457 Modified: data/CVE/list === --- data/CVE/list 2017-12-08 14:45:02 UTC (rev 58358) +++ data/CVE/list 2017-12-08 14:48:31 UTC (rev 58359) @@ -168,11 +168,13 @@ - libsndfile (low) [stretch] - libsndfile (Minor issue) [jessie] - libsndfile (Minor issue) + [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/344 CVE-2017-17456 (The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead ...) - libsndfile (low) [stretch] - libsndfile (Minor issue) [jessie] - libsndfile (Minor issue) + [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/344 CVE-2017-17455 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58358 - data/CVE
Author: alteholz Date: 2017-12-08 14:45:02 + (Fri, 08 Dec 2017) New Revision: 58358 Modified: data/CVE/list Log: follow security team for CVE-2017-17440 Modified: data/CVE/list === --- data/CVE/list 2017-12-08 14:41:57 UTC (rev 58357) +++ data/CVE/list 2017-12-08 14:45:02 UTC (rev 58358) @@ -417,6 +417,7 @@ - libextractor (bug #883528) [stretch] - libextractor (Minor issue) [jessie] - libextractor (Minor issue) + [wheezy] - libextractor (Minor issue) NOTE: Fixed by: https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e CVE-2017-17439 (In Heimdal through 7.4, remote unauthenticated attackers are able to ...) {DSA-4055-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58357 - data/CVE
Author: alteholz Date: 2017-12-08 14:41:57 + (Fri, 08 Dec 2017) New Revision: 58357 Modified: data/CVE/list Log: follow security team for CVE-2017-17446 Modified: data/CVE/list === --- data/CVE/list 2017-12-08 09:18:39 UTC (rev 58356) +++ data/CVE/list 2017-12-08 14:41:57 UTC (rev 58357) @@ -409,6 +409,7 @@ - game-music-emu 0.6.2-1 (bug #883691) [stretch] - game-music-emu (Minor issue) [jessie] - game-music-emu (Minor issue) + [wheezy] - game-music-emu (Minor issue) NOTE: https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size NOTE: Patch: https://bitbucket.org/mpyne/game-music-emu/commits/205290614cdc057541b26adeea05a9d45993f860 NOTE: Additional hardening: https://bitbucket.org/mpyne/game-music-emu/commits/4a441e94cba14268bc4e983d4dfd6ed112084d00 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58356 - data/CVE
Author: carnil Date: 2017-12-08 09:18:39 + (Fri, 08 Dec 2017) New Revision: 58356 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-08 09:16:56 UTC (rev 58355) +++ data/CVE/list 2017-12-08 09:18:39 UTC (rev 58356) 
@@ -1,23 +1,23 @@ CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17474 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17473 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17472 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17471 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17470 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17469 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17468 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17467 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17466 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain ...) - TODO: check + NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17465 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer ...) TODO: check CVE-2017-17464 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
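Review bot: CVE-2017-17465 and CVE-2017-17464 in the trailing context (K7Sentry.sys in K7 Antivirus) are the same class of Windows anti-virus driver issue as the ten TG Soft Vir.IT eXplorer Lite entries marked `NOT-FOR-US` here, yet they still read `TODO: check`; mark them in the same pass or leave a NOTE saying why they were skipped.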
[Secure-testing-commits] r58355 - data/CVE
Author: carnil Date: 2017-12-08 09:16:56 + (Fri, 08 Dec 2017) New Revision: 58355 Modified: data/CVE/list Log: Add CVE-2017-17461/node-marked Modified: data/CVE/list === --- data/CVE/list 2017-12-08 09:10:15 UTC (rev 58354) +++ data/CVE/list 2017-12-08 09:16:56 UTC (rev 58355) @@ -27,7 +27,9 @@ CVE-2017-17462 RESERVED CVE-2017-17461 (A Regular expression Denial of Service (ReDoS) vulnerability in the ...) - TODO: check + - node-marked (unimportant) + NOTE: https://www.checkmarx.com/advisories/regular-expression-denial-service-redos-vulnerability-marked-npm-package/ + NOTE: nodejs not covered by security support CVE-2017-17460 RESERVED CVE-2018-1340 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58354 - data/CVE
Author: sectracker Date: 2017-12-08 09:10:15 + (Fri, 08 Dec 2017) New Revision: 58354 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-08 08:27:16 UTC (rev 58353) +++ data/CVE/list 2017-12-08 09:10:15 UTC (rev 58354) @@ -1,3 +1,35 @@ +CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17474 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17473 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17472 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17471 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17470 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17469 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17468 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain ...) + TODO: check +CVE-2017-17467 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) + TODO: check +CVE-2017-17466 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain ...) + TODO: check +CVE-2017-17465 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer ...) + TODO: check +CVE-2017-17464 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer ...) + TODO: check +CVE-2017-17463 (Vivo modems allow remote attackers to obtain sensitive information by ...) + TODO: check +CVE-2017-17462 + RESERVED +CVE-2017-17461 (A Regular expression Denial of Service (ReDoS) vulnerability in the ...) + TODO: check +CVE-2017-17460 + RESERVED CVE-2018-1340 RESERVED CVE-2018-1339 
@@ -2139,6 +2171,7 @@ NOT-FOR-US: WordPress plugin wp-thumb-post CVE-2017-1000385 [TLS server vunlerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery ot MITM attack] RESERVED + {DSA-4057-1} - erlang 1:20.1.7+dfsg-1 NOTE: https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM NOTE: https://github.com/erlang/otp/commit/38b07caa2a1c6cd3537eadd36770afa54f067562 (OTP-20.1.7) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58353 - data/CVE
Author: carnil Date: 2017-12-08 08:27:16 + (Fri, 08 Dec 2017) New Revision: 58353 Modified: data/CVE/list Log: Mark CVE-2017-1000248/ruby-redis-store as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-12-08 06:51:32 UTC (rev 58352) +++ data/CVE/list 2017-12-08 08:27:16 UTC (rev 58353) @@ -4083,6 +4083,7 @@ NOT-FOR-US: Amazon Key CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis ...) - ruby-redis-store 1.1.6-2 (bug #882034) + [stretch] - ruby-redis-store (Minor issue) NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is ...) NOT-FOR-US: CodeIgniter ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
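Review bot: only `[stretch] - ruby-redis-store (Minor issue)` is added; if jessie ships the package it needs a matching `[jessie]` line (compare the libsndfile entries, which annotate stretch, jessie and wheezy together), otherwise jessie shows the issue as open with no decision recorded. For an unsafe-object-loading issue, a NOTE recording why it is considered minor would also help whoever reviews the no-dsa decision later.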