[Secure-testing-commits] r58409 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-10 07:19:30 + (Sun, 10 Dec 2017)
New Revision: 58409

Modified:
   data/CVE/list
Log:
Two CVEs will be included in openafs update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-10 05:14:14 UTC (rev 58408)
+++ data/CVE/list   2017-12-10 07:19:30 UTC (rev 58409)
@@ -52818,7 +52818,6 @@
 CVE-2016-9772 (OpenAFS 1.6.19 and earlier allows remote attackers to obtain 
sensitive ...)
{DLA-733-1}
- openafs 1.6.20-1 (bug #846922)
-   [jessie] - openafs  (Minor issue; can be fixed in point release)
NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2016-003.txt
NOTE: Upstream patch: 
https://www.openafs.org/pages/security/openafs-sa-2016-003-master.patch (master)
NOTE: Upstream patch: 
https://www.openafs.org/pages/security/openafs-sa-2016-003.patch
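Review bot: removing the `[jessie] - openafs (Minor issue; can be fixed in point release)` line under CVE-2016-9772 without adding a jessie fixed version flips jessie from "no-dsa" to open for this issue; that is the intended effect per the log (the fix goes into an openafs update), but until that update's version is recorded the entry reads as an unaddressed jessie issue, so consider landing the version line in the same commit or adding a NOTE that the update is pending.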
@@ -70639,7 +70638,6 @@
 CVE-2016-4536 (The client in OpenAFS before 1.6.17 does not properly 
initialize the ...)
{DLA-493-1}
- openafs 1.6.17-1
-   [jessie] - openafs  (Minor issue, can be included in a future 
DSA or via jessie-pu)
NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
 CVE-2016-4486 (The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in 
the Linux ...)
{DSA-3607-1 DLA-516-1}


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r58408 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-10 05:14:14 + (Sun, 10 Dec 2017)
New Revision: 58408

Modified:
   data/CVE/list
Log:
Update xen entries after point release

The xen version in unstable was not updated. As consequence SRM decided
to prop-up the xen source package to unstable and the issues are
source-wise fixed there. No guarantee though xen binary packages are
fully working in unstable.

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 22:34:39 UTC (rev 58407)
+++ data/CVE/list   2017-12-10 05:14:14 UTC (rev 58408)
@@ -2331,15 +2331,15 @@
RESERVED
 CVE-2017-17045 (An issue was discovered in Xen through 4.9.x allowing HVM 
guest OS ...)
{DSA-4050-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-247.html
 CVE-2017-17044 (An issue was discovered in Xen through 4.9.x allowing HVM 
guest OS ...)
{DSA-4050-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-246.html
 CVE-2017-17046 (An issue was discovered in Xen through 4.9.x on the ARM 
platform ...)
{DSA-4050-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-245.html
 CVE-2018-0705
RESERVED
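Review bot: the fixed version 4.8.2+xsa245-0+deb9u1 written into the unstable line of CVE-2017-17045, CVE-2017-17044 and CVE-2017-17046 carries a deb9u1 suffix, i.e. it is the stretch security-update version, and nothing in the entries explains why an unstable line records it; the explanation in the log (SRM propped the stretch source package up to unstable, binaries not guaranteed to work there) should go into a NOTE line under these entries so they stay understandable without the commit log.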
@@ -7995,7 +7995,7 @@
RESERVED
 CVE-2017-15597 (An issue was discovered in Xen through 4.9.x. Grant copying 
code made ...)
{DSA-4050-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-236.html
 CVE-2017-15586
RESERVED
@@ -8811,38 +8811,38 @@
NOT-FOR-US: Mirasys Video Management System
 CVE-2017-15594 (An issue was discovered in Xen through 4.9.x allowing x86 SVM 
PV guest ...)
{DSA-4050-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
[wheezy] - xen  (minor issue)
NOTE: https://xenbits.xen.org/xsa/advisory-244.html
 CVE-2017-15592 (An issue was discovered in Xen through 4.9.x allowing x86 HVM 
guest OS ...)
{DSA-4050-1 DLA-1181-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-243.html
 CVE-2017-15593 (An issue was discovered in Xen through 4.9.x allowing x86 PV 
guest OS ...)
{DSA-4050-1 DLA-1181-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-242.html
 CVE-2017-15588 (An issue was discovered in Xen through 4.9.x allowing x86 PV 
guest OS ...)
{DSA-4050-1 DLA-1181-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-241.html
 CVE-2017-15595 (An issue was discovered in Xen through 4.9.x allowing x86 PV 
guest OS ...)
{DSA-4050-1 DLA-1181-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-240.html
 CVE-2017-15589 (An issue was discovered in Xen through 4.9.x allowing x86 HVM 
guest OS ...)
{DSA-4050-1 DLA-1181-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-239.html
 CVE-2017-15591 (An issue was discovered in Xen 4.5.x through 4.9.x allowing 
attackers ...)
{DSA-4050-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
[jessie] - xen  (Only affects 4.5 and later)
[wheezy] - xen  (Only affects 4.5 and later)
NOTE: https://xenbits.xen.org/xsa/advisory-238.html
 CVE-2017-15590 (An issue was discovered in Xen through 4.9.x allowing x86 
guest OS ...)
{DSA-4050-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-237.html
 CVE-2017-15289 (The mode4and5 write functions in hw/display/cirrus_vga.c in 
Qemu allow ...)
- qemu  (bug #880832)
@@ -11826,21 +11826,21 @@
NOT-FOR-US: Mirasvit Helpdesk MX
 CVE-2017-14319 (A grant unmapping issue was discovered in Xen through 4.9.x. 
When ...)
{DSA-4050-1 DLA-1132-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-234.html
 CVE-2017-14318 (An issue was discovered in Xen 4.5.x through 4.9.x. The 
function ...)
{DSA-4050-1 DLA-1132-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
[jessie] - xen  (Only affects 4.5 and later)
NOTE: https://xenbits.xen.org/xsa/advisory-232.html
NOTE: Wheezy will be affected with the upcoming grant table backport
 CVE-2017-14317 (A domain cleanup issue was discovered in the C xenstore daemon 
(aka ...)
{DSA-4050-1 DLA-1132-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-233.html
 CVE-2017-14316 (A parameter verification issue was discovered in Xen through 
4.9.x. The ...)
{DSA-4050-1 DLA-1132-1}
-   - xen 
+   - xen 4.8.2+xsa245-0+deb9u1
NOTE: https://xenbits.xen.org/xsa/advisory-231.html
 CVE-2017-14315 (In Apple iOS

[Secure-testing-commits] r58407 - in data: . CVE

2017-12-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-09 22:34:39 + (Sat, 09 Dec 2017)
New Revision: 58407

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
stable triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 21:10:14 UTC (rev 58406)
+++ data/CVE/list   2017-12-09 22:34:39 UTC (rev 58407)
@@ -3848,6 +3848,8 @@
RESERVED
 CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in 
the session ...)
- xrdp  (bug #882463)
+   [stretch] - xrdp  (Minor issue)
+   [jessie] - xrdp  (Minor issue)
NOTE: Proposed pull request: 
https://github.com/neutrinolabs/xrdp/pull/958
NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
 CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially 
crafted ...)
@@ -4615,6 +4617,8 @@
 CVE-2017-16816 [A user can cause the condor_schedd to crash by submitting a 
job designed for that purpose]
RESERVED
- condor 8.6.8~dfsg.1-1
+   [stretch] - condor  (Minor issue)
+   [jessie] - condor  (Minor issue)
NOTE: 
http://research.cs.wisc.edu/htcondor//security/vulnerabilities/HTCONDOR-2017-0001.html
 CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site 
Migration & ...)
NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) 
plugin for WordPress
@@ -7639,6 +7643,8 @@
NOT-FOR-US: IrfanView
 CVE-2017-15736 (Cross-site scripting (XSS) vulnerability (stored) in SPIP 
before 3.1.7 ...)
- spip  (bug #879954)
+   [stretch] - spip  (Minor issue)
+   [jessie] - spip  (Minor issue)
[wheezy] - spip  (vulnerable code not present)
NOTE: https://core.spip.net/projects/spip/repository/revisions/23701
 CVE-2017-15735 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery 
(CSRF) ...)
@@ -10031,7 +10037,7 @@
 CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the 
...)
NOT-FOR-US: Intelbras WRN 150 devices
 CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential 
disclosure ...)
-   - jasperreports  (bug #880467)
+   - jasperreports  (bug #880467)
NOTE: 
https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941
 CVE-2017-14940 (scan_unit_for_symbols in dwarf2.c in the Binary File 
Descriptor (BFD) ...)
- binutils 
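Review bot: the removed and added jasperreports lines under CVE-2017-14941 read identically in this hunk (`- jasperreports  (bug #880467)` both before and after), so whatever changed (whitespace, or a status token the mail rendering dropped) is invisible to a reviewer; a short log note or a NOTE in the entry stating the intended status change would make this triage auditable.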

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-09 21:10:14 UTC (rev 58406)
+++ data/dsa-needed.txt 2017-12-09 22:34:39 UTC (rev 58407)
@@ -56,6 +56,9 @@
 --
 qemu/oldstable
 --
+redmine/stable
+  oldstable also affected, but might be worth EOLing
+--
 ruby2.1/oldstable
 --
 rsync (carnil)
@@ -66,6 +69,12 @@
 --
 sqlite3/oldstable
 --
+sssd/stable
+--
+tomcat7/oldstable
+--
+tomcat8
+--
 tiff
   wait until more issues are around
 --
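Review bot: tomcat7/oldstable and tomcat8 are inserted between sssd/stable and tiff, but the neighbouring entries (qemu, redmine, sqlite3, sssd, tiff) show the file is kept roughly alphabetical, so the two tomcat entries belong after the tiff block rather than before it; moving them keeps the list scannable by package name.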




[Secure-testing-commits] r58406 - data/CVE

2017-12-09 Thread security tracker role
Author: sectracker
Date: 2017-12-09 21:10:14 + (Sat, 09 Dec 2017)
New Revision: 58406

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 20:23:13 UTC (rev 58405)
+++ data/CVE/list   2017-12-09 21:10:14 UTC (rev 58406)
@@ -2109,16 +2109,19 @@
 CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a 
"" substring in an ...)
NOT-FOR-US: Indeo Otter
 CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP 
Safety ...)
+   {DSA-4060-1}
- wireshark 2.4.3-1
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14250
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f5939debe96e3c3953c6020818f1fbb80eb83ce8
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-49.html
 CVE-2017-17084 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA 
...)
+   {DSA-4060-1}
- wireshark 2.4.3-1
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14236
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8502fe94ef9e431860921507e1a351c5e3f5c634
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-47.html
 CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS 
dissector ...)
+   {DSA-4060-1}
- wireshark 2.4.3-1
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14249
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=79768d63d14fbce6bf7fb4d4a1c86be0c5205eb3
@@ -3794,6 +3797,7 @@
 CVE-2017-16940
RESERVED
 CVE-2017-16939 (The XFRM dump policy implementation in net/xfrm/xfrm_user.c in 
the ...)
+   {DLA-1200-1}
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
NOTE: Fixed by: 
https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2
@@ -3955,6 +3959,7 @@
RESERVED
 CVE-2017-1000407 [DoS via write flood to I/O port 0x80]
RESERVED
+   {DLA-1200-1}
- linux 
NOTE: https://www.spinics.net/lists/kvm/msg159809.html
 CVE-2017-1000406 (OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache 
after a ...)
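Review bot: the DLA-1200-1 reference is added to CVE-2017-1000407 while the entry is still RESERVED and the unstable line is a bare `- linux` with no fixed version, so after this automatic sync the tracker records wheezy as fixed but unstable as unfixed; that is expected when a DLA ships ahead of the upstream fix, but the entry needs a manual follow-up adding the unstable fixed version (or a `NOTE: Fixed by:` line) once it lands, since the automatic update will not do that.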
@@ -5023,6 +5028,7 @@
[jessie] - linux 3.16.51-1
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16649 (The usbnet_generic_cdc_bind function in 
drivers/net/usb/cdc_ether.c in ...)
+   {DLA-1200-1}
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
@@ -5047,6 +5053,7 @@
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16643 (The parse_hid_report_descriptor function in 
drivers/input/tablet/gtco.c ...)
+   {DLA-1200-1}
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
@@ -5333,14 +5340,17 @@
- linux 
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the 
Linux kernel ...)
+   {DLA-1200-1}
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
 CVE-2017-16536 (The cx231xx_usb_probe function in ...)
+   {DLA-1200-1}
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
 CVE-2017-16535 (The usb_get_bos_descriptor function in 
drivers/usb/core/config.c in the ...)
+   {DLA-1200-1}
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
@@ -5352,16 +5362,19 @@
[wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/2e1c42391ff2556387b3cb6308b24f6f65619feb
 CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in 
the Linux ...)
+   {DLA-1200-1}
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b
 CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in 
the Linux ...)
+   {DLA-1200-1}
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8
 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 
allows ...)
+   {DLA-1200-1}
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
@@ -5373,6 +5386,7 @@
[wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/786de92b3cb26012d3d0f00ee37adf14527f35c4
 CVE-2017-16529 (The snd_usb_create_streams function in sound/usb/card.c in the 
Linux ...)
+   {DLA-1200-1}
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3

[Secure-testing-commits] r58405 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 20:23:13 + (Sat, 09 Dec 2017)
New Revision: 58405

Modified:
   data/CVE/list
Log:
Process several NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 19:50:11 UTC (rev 58404)
+++ data/CVE/list   2017-12-09 20:23:13 UTC (rev 58405)
@@ -35,11 +35,11 @@
 CVE-2017-17466 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain 
...)
NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
 CVE-2017-17465 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL 
pointer ...)
-   TODO: check
+   NOT-FOR-US: K7 Antivirus
 CVE-2017-17464 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL 
pointer ...)
-   TODO: check
+   NOT-FOR-US: K7 Antivirus
 CVE-2017-17463 (Vivo modems allow remote attackers to obtain sensitive 
information by ...)
-   TODO: check
+   NOT-FOR-US: Vivo modems
 CVE-2017-17462
RESERVED
 CVE-2017-17461 (A Regular expression Denial of Service (ReDoS) vulnerability 
in the ...)
@@ -5670,127 +5670,127 @@
 CVE-2017-16421
RESERVED
 CVE-2017-16420 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16419 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16418 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16417 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16416 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16415 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16414 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16413 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16412 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16411 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16410 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16409 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16408 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16407 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16406 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16405 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16404 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16403 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16402 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16401 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16400 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16399 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16398 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16397 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16396 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16395 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16394 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2017-16393 (An issue was discovered in Adobe Acrobat and Reader

[Secure-testing-commits] r58404 - in data: . DLA

2017-12-09 Thread Ben Hutchings
Author: benh
Date: 2017-12-09 19:50:11 + (Sat, 09 Dec 2017)
New Revision: 58404

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1200-1 for linux

Modified: data/DLA/list
===
--- data/DLA/list   2017-12-09 19:43:36 UTC (rev 58403)
+++ data/DLA/list   2017-12-09 19:50:11 UTC (rev 58404)
@@ -1,3 +1,6 @@
+[09 Dec 2017] DLA-1200-1 linux - security update
+   {CVE-2016-10208 CVE-2017-8824 CVE-2017-8831 CVE-2017-12190 
CVE-2017-13080 CVE-2017-14051 CVE-2017-15115 CVE-2017-15265 CVE-2017-15299 
CVE-2017-15649 CVE-2017-15868 CVE-2017-16525 CVE-2017-16527 CVE-2017-16529 
CVE-2017-16531 CVE-2017-16532 CVE-2017-16533 CVE-2017-16535 CVE-2017-16536 
CVE-2017-16537 CVE-2017-16643 CVE-2017-16649 CVE-2017-16939 CVE-2017-1000407}
+   [wheezy] - linux 3.2.96-1
 [09 Dec 2017] DLA-1199-1 thunderbird - security update
{CVE-2017-7826 CVE-2017-7828 CVE-2017-7830}
[wheezy] - thunderbird 1:52.5.0-1~deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-09 19:43:36 UTC (rev 58403)
+++ data/dla-needed.txt 2017-12-09 19:50:11 UTC (rev 58404)
@@ -55,8 +55,6 @@
 --
 libxml2 (Thorsten Alteholz)
 --
-linux
---
 ming (Hugo Lefeuvre)
   NOTE: 20171120: wip, currently working on it with upstream, might take a 
while
   NOTE: Some issues currently in upstream's bug tracker are missing a CVE 
number, so number of issues might increase in the next weeks




[Secure-testing-commits] r58403 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 19:43:36 + (Sat, 09 Dec 2017)
New Revision: 58403

Modified:
   data/CVE/list
Log:
Sync wheezy status for CVE-2017-1000405

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 19:42:10 UTC (rev 58402)
+++ data/CVE/list   2017-12-09 19:43:36 UTC (rev 58403)
@@ -3963,6 +3963,7 @@
- linux 4.14.2-1
[stretch] - linux 4.9.65-1
[jessie] - linux 3.16.51-1
+   [wheezy] - linux  (vulnerable code not present, cf. 
kernel-sec information)
NOTE: Fixed by: 
https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0
NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1
NOTE: https://github.com/bindecy/HugeDirtyCowPOC




[Secure-testing-commits] r58402 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 19:42:10 + (Sat, 09 Dec 2017)
New Revision: 58402

Modified:
   data/CVE/list
Log:
Ignore CVE-2017-174{48,49,50} for wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 19:39:09 UTC (rev 58401)
+++ data/CVE/list   2017-12-09 19:42:10 UTC (rev 58402)
@@ -206,12 +206,15 @@
NOT-FOR-US: Wordpress plugin
 CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does 
not ...)
- linux 
+   [wheezy] - linux  (User namespaces not supported)
NOTE: https://lkml.org/lkml/2017/12/5/982
 CVE-2017-17449 (The __netlink_deliver_tap_skb function in 
net/netlink/af_netlink.c in ...)
- linux 
+   [wheezy] - linux  (User namespaces not supported)
NOTE: https://lkml.org/lkml/2017/12/5/950
 CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 
4.14.4 ...)
- linux 
+   [wheezy] - linux  (User namespaces not supported)
NOTE: https://patchwork.kernel.org/patch/10089373/
 CVE-2018-1280
RESERVED




[Secure-testing-commits] r58401 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 19:39:09 + (Sat, 09 Dec 2017)
New Revision: 58401

Modified:
   data/CVE/list
Log:
CVE-2017-16994 not affected for jessie and wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 19:37:36 UTC (rev 58400)
+++ data/CVE/list   2017-12-09 19:39:09 UTC (rev 58401)
@@ -3661,6 +3661,8 @@
 CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux 
kernel ...)
- linux 4.14.2-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux  (Vulnerable code introduced in 4.0)
+   [wheezy] - linux  (Vulnerable code introduced in 4.0)
NOTE: Fixed by: 
https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1)
 CVE-2017-16993
RESERVED




[Secure-testing-commits] r58400 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 19:37:36 + (Sat, 09 Dec 2017)
New Revision: 58400

Modified:
   data/CVE/list
Log:
Sync CVE-2017-1000410 with kernel-sec information

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 19:35:22 UTC (rev 58399)
+++ data/CVE/list   2017-12-09 19:37:36 UTC (rev 58400)
@@ -480,6 +480,7 @@
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=34697694e8a93b325b18f25f7dcded55d6baeaf6
 CVE-2017-1000410 (The Linux kernel version 3.3-rc1 and later is affected by a 
...)
- linux 
+   [wheezy] - linux  (Vulnerable code introduced in 3.3)
NOTE: http://www.openwall.com/lists/oss-security/2017/12/06/3
 CVE-2017-1000409
RESERVED




[Secure-testing-commits] r58399 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 19:35:22 + (Sat, 09 Dec 2017)
New Revision: 58399

Modified:
   data/CVE/list
Log:
Sync CVE-2017-0861 with kernel-sec

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 19:28:38 UTC (rev 58398)
+++ data/CVE/list   2017-12-09 19:35:22 UTC (rev 58399)
@@ -51432,8 +51432,12 @@
 CVE-2017-0862 (An elevation of privilege vulnerability in the Upstream kernel 
kernel. ...)
NOT-FOR-US: Android driver (proprietary, not part of upstream kernel)
 CVE-2017-0861 (Use-after-free vulnerability in the snd_pcm_info function in 
the ALSA ...)
-   - linux 
+   - linux 4.13.4-1
+   [stretch] - linux  (Minor issue, cf. kernel-sec information)
+   [jessie] - linux  (Minor issue, cf. kernel-sec information)
+   [wheezy] - linux  (Minor issue, cf. kernel-sec information)
NOTE: 
https://git.kernel.org/linus/362bca57f5d78220f8b5907b875961af9436e229
+   NOTE: UAF actually already removed in 
https://git.kernel.org/linus/e11f0f90a626f93899687b1cc909ee37dd6c5809
 CVE-2017-0860 (An elevation of privilege vulnerability in the Android system 
...)
NOT-FOR-US: Android
 CVE-2017-0859 (Another vulnerability in the Android media framework (n/a). 
Product: ...)
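Review bot: the entry now cites two upstream commits (362bca57 in the existing NOTE and e11f0f90 in the new NOTE saying the UAF was "actually already removed" there) but does not say which of them the new fixed version 4.13.4-1 is derived from; since the new NOTE implies e11f0f90 is the effective fix, state that explicitly (e.g. `NOTE: Fixed by: https://git.kernel.org/linus/e11f0f90a626f93899687b1cc909ee37dd6c5809`) so the stretch/jessie/wheezy "Minor issue" annotations can be checked against the right commit.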




[Secure-testing-commits] r58398 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 19:28:38 + (Sat, 09 Dec 2017)
New Revision: 58398

Modified:
   data/CVE/list
Log:
Update status for CVE-2017-3737, thanks Q_

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 16:14:23 UTC (rev 58397)
+++ data/CVE/list   2017-12-09 19:28:38 UTC (rev 58398)
@@ -43781,13 +43781,13 @@
NOTE: OpenSSL_1_0_2-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76
 CVE-2017-3737 (OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 
"error ...)
- openssl 1.1.0b-2
-   [jessie] - openssl  (Issue introduced in 1.0.2b)
-   [wheezy] - openssl  (Issue introduced in 1.0.2b)
- openssl1.0 
NOTE: Not fully correct tracking, the issue just does not affect 
OpenSSL 1.1.0
NOTE: thus mark as fixed in the firs 1.1.0 version which entered 
unstable.
NOTE: https://www.openssl.org/news/secadv/20171207.txt
NOTE: OpenSSL_1_0_2-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc
+   NOTE: From the maintainer: Versions before 1.0.2b always had the 
problem, in 1.0.2b
+   NOTE: it was attempted to get this fixed but the fix was incomplete.
 CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery 
squaring ...)
{DSA-4017-1}
- openssl 1.1.0g-1
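Review bot: the new maintainer NOTE ("Versions before 1.0.2b always had the problem") sits directly under [jessie] and [wheezy] lines annotated "Issue introduced in 1.0.2b", and the two statements point in opposite directions for jessie and wheezy; either re-examine the jessie/wheezy annotations in light of the maintainer's statement, or extend the NOTE to say why they still hold. Separately, the unchanged context line "mark as fixed in the firs 1.1.0 version" has a typo ("first") that could be fixed in passing.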




[Secure-testing-commits] r58397 - data/DLA

2017-12-09 Thread Guido Guenther
Author: agx
Date: 2017-12-09 16:14:23 + (Sat, 09 Dec 2017)
New Revision: 58397

Modified:
   data/DLA/list
Log:
lts: Grab DLA-1199-1 for thunderbird

Modified: data/DLA/list
===
--- data/DLA/list   2017-12-09 16:07:59 UTC (rev 58396)
+++ data/DLA/list   2017-12-09 16:14:23 UTC (rev 58397)
@@ -1,3 +1,6 @@
+[09 Dec 2017] DLA-1199-1 thunderbird - security update
+   {CVE-2017-7826 CVE-2017-7828 CVE-2017-7830}
+   [wheezy] - thunderbird 1:52.5.0-1~deb7u1
 [04 Dec 2017] DLA-1198-1 libextractor - security update
{CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 
CVE-2017-15602 CVE-2017-15922}
[wheezy] - libextractor 1:0.6.3-5+deb7u1




[Secure-testing-commits] r58396 - in data: . CVE

2017-12-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-09 16:07:59 + (Sat, 09 Dec 2017)
New Revision: 58396

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
stable triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 15:42:23 UTC (rev 58395)
+++ data/CVE/list   2017-12-09 16:07:59 UTC (rev 58396)
@@ -2289,6 +2289,8 @@
RESERVED
 CVE-2017-17042 (lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 
does not ...)
- yard 0.9.12-1
+   [stretch] - yard  (Minor issue)
+   [jessie] - yard  (Minor issue)
NOTE: Fixed by: 
https://github.com/lsegal/yard/commit/b0217b3e30dc53d057b168250635975e62b4 
(0.9.11)
 CVE-2017-17041
RESERVED
@@ -4170,12 +4172,16 @@
NOT-FOR-US: I, Librarian
 CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have 
...)
- ldns  (bug #882014)
+   [stretch] - ldns  (Minor issue)
+   [jessie] - ldns  (Minor issue)
[wheezy] - ldns  (Vulnerable code not present)
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257
NOTE: 
https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02505c9bbacb3b64a97ddcb1de967153b7
 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have 
unspecified ...)
{DLA-1182-1}
- ldns  (bug #882015)
+   [stretch] - ldns  (Minor issue)
+   [jessie] - ldns  (Minor issue)
NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
NOTE: 
https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2
 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of 
optipng 0.7.6 ...)
@@ -4967,6 +4973,8 @@
NOTE: OTRS 3.3: 
https://github.com/OTRS/otrs/commit/2e58a4bbd99b2477d72c3b2d9fef009537ab19ce
 CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper ...)
- backintime  (bug #881205)
+   [stretch] - backintime  (Minor issue)
+   [jessie] - backintime  (Minor issue)
[wheezy] - backintime  (Vulnerable code does not exist)
NOTE: https://github.com/bit-team/backintime/issues/834
NOTE: 
https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3
@@ -8560,7 +8568,9 @@
 CVE-2017-15378 (SQL Injection exists in the E-Sic 1.0 password reset parameter 
(aka the ...)
NOT-FOR-US: E-Sic
 CVE-2017-15377 (In Suricata before 4.x, it was possible to trigger lots of 
redundant ...)
-   - suricata 1:4.0.0-1
+   - suricata 1:4.0.0-1 (low)
+   [stretch] - suricata  (Minor issue)
+   [jessie] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/pull/2680/commits/47afc577ff763150f9b47f10331f5ef9eb847a57
NOTE: https://redmine.openinfosecfoundation.org/issues/2231
 CVE-2017-15376 (The TELNET service in Mobatek MobaXterm 10.4 does not require 
...)
@@ -10564,6 +10574,8 @@
 CVE-2017-14737 (A cryptographic cache-based side channel in the RSA 
implementation in ...)
{DLA-1125-1}
- botan1.10 1.10.17-0.1 (bug #877436)
+   [stretch] - botan1.10  (Minor issue)
+   [jessie] - botan1.10  (Minor issue)
NOTE: https://github.com/randombit/botan/issues/1222
NOTE: 
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai
NOTE: for 1.10: 
https://github.com/randombit/botan/commit/aeb87170d1b9013b079c300c8858bad477d30bd4

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-09 15:42:23 UTC (rev 58395)
+++ data/dsa-needed.txt 2017-12-09 16:07:59 UTC (rev 58396)
@@ -14,6 +14,8 @@
 --
 389-ds-base (fw)
 --
+asterisk
+--
 chromium-browser
 --
 firefox-esr (jmm)
@@ -46,6 +48,8 @@
 --
 phpmyadmin/oldstable
 --
+pjproject
+--
 poppler
   2017-11-23: santiago will prepare a debdiff
   2017-12-02: santiago prepared debdiffs available for review




[Secure-testing-commits] r58395 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 15:42:23 + (Sat, 09 Dec 2017)
New Revision: 58395

Modified:
   data/CVE/list
Log:
Add commit reference for CVE-2017-8824/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 13:47:06 UTC (rev 58394)
+++ data/CVE/list   2017-12-09 15:42:23 UTC (rev 58395)
@@ -28111,6 +28111,7 @@
 CVE-2017-8824 (The dccp_disconnect function in net/dccp/proto.c in the Linux 
kernel ...)
- linux 
NOTE: http://lists.openwall.net/netdev/2017/12/04/224
+   NOTE: Fixed by: 
https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
 CVE-2017-8823 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 
0.2.9 ...)
{DSA-4054-1}
- tor 0.3.1.9-1
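Review bot: the entry still reads "- linux" with no fixed version and no [stretch]/[jessie]/[wheezy] lines, although the fixing upstream commit (69c64866) is now recorded; dccp_disconnect in net/dccp/proto.c is present in all three suites' kernels, so each suite should get an explicit status line rather than being left implicitly unfixed.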




[Secure-testing-commits] r58394 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 13:47:06 + (Sat, 09 Dec 2017)
New Revision: 58394

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-16611, #883929

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 13:14:40 UTC (rev 58393)
+++ data/CVE/list   2017-12-09 13:47:06 UTC (rev 58394)
@@ -5134,7 +5134,7 @@
NOTE: 
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
NOTE: 
https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2
 CVE-2017-16611 (In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local 
attacker ...)
-   - libxfont  (low)
+   - libxfont  (low; bug #883929)
[stretch] - libxfont  (Minor issue)
[jessie] - libxfont  (Minor issue)
- libxfont1  (unimportant)




[Secure-testing-commits] r58393 - data/CVE

2017-12-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-09 13:14:40 + (Sat, 09 Dec 2017)
New Revision: 58393

Modified:
   data/CVE/list
Log:
mysql-connector-net bug


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 13:12:42 UTC (rev 58392)
+++ data/CVE/list   2017-12-09 13:14:40 UTC (rev 58393)
@@ -24080,7 +24080,7 @@
 CVE-2017-10278 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion 
...)
NOT-FOR-US: Oracle
 CVE-2017-10277 (Vulnerability in the MySQL Connectors component of Oracle 
MySQL ...)
-   - mysql-connector-net 
+   - mysql-connector-net  (bug #883923)
[stretch] - mysql-connector-net  (Minor issue)
[jessie] - mysql-connector-net  (Minor issue)
[wheezy] - mysql-connector-net  (Minor issue)
@@ -24277,7 +24277,7 @@
[jessie] - virtualbox  (DSA-3699-1)
[wheezy] - virtualbox  (DSA 3454)
 CVE-2017-10203 (Vulnerability in the MySQL Connectors component of Oracle 
MySQL ...)
-   - mysql-connector-net 
+   - mysql-connector-net  (bug #883923)
[stretch] - mysql-connector-net  (Minor issue)
[jessie] - mysql-connector-net  (Minor issue)
[wheezy] - mysql-connector-net  (Minor issue)




[Secure-testing-commits] r58392 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 13:12:42 + (Sat, 09 Dec 2017)
New Revision: 58392

Modified:
   data/CVE/list
Log:
Remove bug number for libical3, since libical source

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 13:05:12 UTC (rev 58391)
+++ data/CVE/list   2017-12-09 13:12:42 UTC (rev 58392)
@@ -53083,7 +53083,7 @@
NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5
 CVE-2016-9584 (libical allows remote attackers to cause a denial of service 
...)
{DLA-959-1}
-   - libical3 3.0.1-1 (bug #852034)
+   - libical3 3.0.1-1
- libical  (bug #852034)
[stretch] - libical  (Minor issue)
[jessie] - libical  (Minor issue)




[Secure-testing-commits] r58391 - data/CVE

2017-12-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-09 13:05:12 + (Sat, 09 Dec 2017)
New Revision: 58391

Modified:
   data/CVE/list
Log:
mysql-connector-net no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 12:49:29 UTC (rev 58390)
+++ data/CVE/list   2017-12-09 13:05:12 UTC (rev 58391)
@@ -24081,6 +24081,8 @@
NOT-FOR-US: Oracle
 CVE-2017-10277 (Vulnerability in the MySQL Connectors component of Oracle 
MySQL ...)
- mysql-connector-net 
+   [stretch] - mysql-connector-net  (Minor issue)
+   [jessie] - mysql-connector-net  (Minor issue)
[wheezy] - mysql-connector-net  (Minor issue)
 CVE-2017-10276 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
- mysql-5.7 5.7.20-1 (bug #878398)
@@ -24276,6 +24278,8 @@
[wheezy] - virtualbox  (DSA 3454)
 CVE-2017-10203 (Vulnerability in the MySQL Connectors component of Oracle 
MySQL ...)
- mysql-connector-net 
+   [stretch] - mysql-connector-net  (Minor issue)
+   [jessie] - mysql-connector-net  (Minor issue)
[wheezy] - mysql-connector-net  (Minor issue)
 CVE-2017-10202 (Vulnerability in the OJVM component of Oracle Database Server. 
...)
NOT-FOR-US: Oracle
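Review bot: all three suites are marked "Minor issue" for CVE-2017-10277 and CVE-2017-10203, but neither entry carries a NOTE with the Oracle Critical Patch Update reference or the CVSS data the call is based on; since Oracle publishes no technical detail for these, a link to the CPU advisory is the only evidence a later reviewer can check against.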




[Secure-testing-commits] r58390 - in data: . CVE

2017-12-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-09 12:49:29 + (Sat, 09 Dec 2017)
New Revision: 58390

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
various stable triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 11:52:10 UTC (rev 58389)
+++ data/CVE/list   2017-12-09 12:49:29 UTC (rev 58390)
@@ -170,6 +170,8 @@
RESERVED
 CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync 
protocol is ...)
- fossil 1:2.4-1
+   [stretch] - fossil  (Minor issue)
+   [jessie] - fossil  (Minor issue)
NOTE: https://www.fossil-scm.org/xfer/info/1f63db591c77108c
 CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially 
malformed ...)
- mercurial 4.4.1-1
@@ -4600,6 +4602,8 @@
NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) 
plugin for WordPress
 CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in 
collectd ...)
- collectd  (bug #881757)
+   [stretch] - collectd  (Minor issue)
+   [jessie] - collectd  (Minor issue)
[wheezy] - collectd  (Vulnerable code not present)
NOTE: https://github.com/collectd/collectd/issues/2291
 CVE-2017-16814
@@ -8983,6 +8987,8 @@
RESERVED
 CVE-2017-15232 (libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in 
jdpostct.c and ...)
- libjpeg-turbo  (low; bug #878567)
+   [stretch] - libjpeg-turbo  (Minor issue)
+   [jessie] - libjpeg-turbo  (Minor issue)
- libjpeg6b  (Vulnerable code not present)
- libjpeg8  (Vulnerable code not present)
- libjpeg9  (Vulnerable code not present)
@@ -53073,6 +53079,7 @@
NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5
 CVE-2016-9584 (libical allows remote attackers to cause a denial of service 
...)
{DLA-959-1}
+   - libical3 3.0.1-1 (bug #852034)
- libical  (bug #852034)
[stretch] - libical  (Minor issue)
[jessie] - libical  (Minor issue)
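Review bot: the bug #852034 reference is attached to both the new libical3 line and the existing libical line, but a Debian bug belongs to one source package; r58392 above drops it from libical3 again, so adding it here only to revert it is churn, and the libical3 line should carry the fixed version alone.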

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-09 11:52:10 UTC (rev 58389)
+++ data/dsa-needed.txt 2017-12-09 12:49:29 UTC (rev 58390)
@@ -30,10 +30,14 @@
 --
 openafs (jmm)
 --
+openjpeg2
+--
 openssl1.0/stable
 --
 otrs2
 --
+passenger/stable
+--
 php-horde-image
 --
 php5
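Review bot: openjpeg2 is queued for a DSA, but the only openjpeg2 entry visible in this batch (CVE-2017-17480 in r58381 below) is still unfixed even in unstable; the dsa-needed entry should state which CVEs the DSA is meant to cover so the stable update is not prepared against a fix set that is still moving.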




[Secure-testing-commits] r58389 - data

2017-12-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-09 11:52:10 + (Sat, 09 Dec 2017)
New Revision: 58389

Modified:
   data/dsa-needed.txt
Log:
take thunderbird and firefox


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-09 11:49:51 UTC (rev 58388)
+++ data/dsa-needed.txt 2017-12-09 11:52:10 UTC (rev 58389)
@@ -16,8 +16,8 @@
 --
 chromium-browser
 --
-firefox-esr
---
+firefox-esr (jmm)
+-- 
 graphicsmagick
 --
 libav/oldstable
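Review bot: the replaced separator line "+-- " introduces trailing whitespace where every other separator in the file is a bare "--"; strip it so the file stays consistent and the line does not show up as a spurious change in the next diff.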
@@ -61,7 +61,7 @@
 tiff
   wait until more issues are around
 --
-thunderbird
+thunderbird (jmm)
 --
 wordpress
 --




[Secure-testing-commits] r58388 - in data: . CVE DSA

2017-12-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-09 11:49:51 + (Sat, 09 Dec 2017)
New Revision: 58388

Modified:
   data/CVE/list
   data/DSA/list
   data/dsa-needed.txt
Log:
wireshark DSA


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 10:49:14 UTC (rev 58387)
+++ data/CVE/list   2017-12-09 11:49:51 UTC (rev 58388)
@@ -13301,6 +13301,7 @@
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-38.html
 CVE-2017-13766 (In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O 
dissector could ...)
- wireshark 2.4.1-1
+   [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1
[jessie] - wireshark  (Vulnerable code not present)
[wheezy] - wireshark  (Vulnerable code not present)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13847

Modified: data/DSA/list
===
--- data/DSA/list   2017-12-09 10:49:14 UTC (rev 58387)
+++ data/DSA/list   2017-12-09 11:49:51 UTC (rev 58388)
@@ -1,3 +1,7 @@
+[09 Dec 2017] DSA-4060-1 wireshark - security update
+   {CVE-2017-11408 CVE-2017-17083 CVE-2017-17084 CVE-2017-17085}
+   [jessie] - wireshark 1.12.1+g01b65bf-4+deb8u12
+   [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1
 [08 Dec 2017] DSA-4059-1 libxcursor - security update
{CVE-2017-16612}
[jessie] - libxcursor 1:1.1.14-1+deb8u1
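Review bot: DSA-4060-1 is recorded with {CVE-2017-11408 CVE-2017-17083 CVE-2017-17084 CVE-2017-17085}, yet the only data/CVE/list change in this commit marks CVE-2017-13766 as fixed in the same stretch version 2.2.6+g32dac6a-2+deb9u1; if the Profinet I/O dissector fix did ship in this upload, CVE-2017-13766 should be added to the DSA's CVE set, otherwise the new [stretch] line is wrong.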

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-09 10:49:14 UTC (rev 58387)
+++ data/dsa-needed.txt 2017-12-09 11:49:51 UTC (rev 58388)
@@ -63,8 +63,6 @@
 --
 thunderbird
 --
-wireshark (jmm)
---
 wordpress
 --
 xen/oldstable




[Secure-testing-commits] r58387 - data

2017-12-09 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-12-09 10:49:14 + (Sat, 09 Dec 2017)
New Revision: 58387

Modified:
   data/dla-needed.txt
Log:
dla: claim firefox-esr

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-09 10:18:12 UTC (rev 58386)
+++ data/dla-needed.txt 2017-12-09 10:49:14 UTC (rev 58387)
@@ -17,6 +17,8 @@
 couchdb
   NOTE: Only in wheezy, we are on our own.
 --
+firefox-esr (Emilio Pozuelo)
+--
 irssi (Rhonda D'Vine)
 --
 jasperreports




[Secure-testing-commits] r58386 - data

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 10:18:12 + (Sat, 09 Dec 2017)
New Revision: 58386

Modified:
   data/next-oldstable-point-update.txt
Log:
Remove packages included in 8.10

Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-12-09 10:17:30 UTC (rev 
58385)
+++ data/next-oldstable-point-update.txt2017-12-09 10:18:12 UTC (rev 
58386)
@@ -1,106 +1,3 @@
-CVE-2016-7942
-   [jessie] - libx11 2:1.6.2-3+deb8u1
-CVE-2016-7943
-   [jessie] - libx11 2:1.6.2-3+deb8u1
-CVE-2016-7952
-   [jessie] - libxtst 2:1.2.2-1+deb8u1
-CVE-2016-7951
-   [jessie] - libxtst 2:1.2.2-1+deb8u1
-CVE-2016-5407
-   [jessie] - libxv 2:1.0.10-1+deb8u1
-CVE-2016-7945
-   [jessie] - libxi 2:1.7.4-1+deb8u1
-CVE-2016-7946
-   [jessie] - libxi 2:1.7.4-1+deb8u1
-CVE-2016-7944
-   [jessie] - libxfixes 1:5.0.1-2+deb8u1
-CVE-2016-7947
-   [jessie] - libxrandr 2:1.4.2-1+deb8u1
-CVE-2016-7948
-   [jessie] - libxrandr 2:1.4.2-1+deb8u1
-CVE-2016-7953
-   [jessie] - libxvmc 2:1.0.8-2+deb8u1
-CVE-2017-8296
-   [jessie] - kedpm 1.0+deb8u1
-CVE-2017-3
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-2
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-10684
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-10685
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-13728
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-13729
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-13730
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-13731
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-13732
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-13733
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-13734
-   [jessie] - ncurses 5.9+20140913-1+deb8u1
-CVE-2017-9604
-   [jessie] - kdepim 4:4.14.1-1+deb8u1
-CVE-2016-10030
-   [jessie] - slurm-llnl 14.03.9-5+deb8u1
-CVE-2017-1000368
-   [jessie] - sudo 1.8.10p3-1+deb8u5
-CVE-2017-9765
-   [jessie] - gsoap 2.8.17-1+deb8u1
-CVE-2017-11368
-   [jessie] - krb5 1.12.1+dfsg-19+deb8u3
-CVE-2016-3120
-   [jessie] - krb5 1.12.1+dfsg-19+deb8u3
-CVE-2016-3119
-   [jessie] - krb5 1.12.1+dfsg-19+deb8u3
-CVE-2015-2694
-   [jessie] - krb5 1.12.1+dfsg-19+deb8u3
-CVE-2017-13709
-   [jessie] - flightgear 3.0.0-5+deb8u3
-CVE-2017-14226
-   [jessie] - libwpd 0.10.0-2+deb8u1
-CVE-2017-10140
-   [jessie] - db5.3 5.3.28-9+deb8u1
-   [jessie] - db 5.1.29-9+deb8u1
-CVE-2017-14727
-   [jessie] - weechat 1.0.1-1+deb8u2
-CVE-2014-8184
-   [jessie] - liblouis 2.5.3-3+deb8u1
-CVE-2017-14952
-   [jessie] - icu 52.1-8+deb8u6
-CVE-2017-2810
-   [jessie] - python-tablib 0.9.11-2+deb8u1
-CVE-2017-2816
-   [jessie] - libofx 1:0.9.10-1+deb8u1
-CVE-2017-14731
-   [jessie] - libofx 1:0.9.10-1+deb8u1
-CVE-2017-14628
-   [jessie] - sam2p 0.49.2-3+deb8u1
-CVE-2017-14629
-   [jessie] - sam2p 0.49.2-3+deb8u1
-CVE-2017-14630
-   [jessie] - sam2p 0.49.2-3+deb8u1
-CVE-2017-14631
-   [jessie] - sam2p 0.49.2-3+deb8u1
-CVE-2017-14636
-   [jessie] - sam2p 0.49.2-3+deb8u1
-CVE-2017-14637
-   [jessie] - sam2p 0.49.2-3+deb8u1
-CVE-2017-16663
-   [jessie] - sam2p 0.49.2-3+deb8u1
-CVE-2017-15928
-   [jessie] - ruby-ox 2.1.1-2+deb8u1
-CVE-2017-15091
-   [jessie] - pdns 3.4.1-4+deb8u8
-CVE-2017-15093
-   [jessie] - pdns-recursor 3.6.2-2+deb8u4
-CVE-2017-16899
-   [jessie] - transfig 1:3.2.5.e-4+deb8u1
 CVE-2015-8872
[jessie] - dosfstools 3.0.27-1+deb8u1
 CVE-2016-4804
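Review bot: each entry removed here should now have a matching [jessie] version in data/CVE/list; r58385 below shows that for transfig, sam2p, ruby-ox, pdns, pdns-recursor, icu, libofx and weechat, but the libx11/libxtst/libxv/libxi/libxfixes/libxrandr/libxvmc, kedpm, ncurses, kdepim, slurm-llnl, sudo, gsoap, krb5, flightgear, libwpd, db5.3/db, liblouis and python-tablib removals are not covered by any hunk on this page, so confirm they were synced too (CVE-2017-10140 in particular lists two source packages, db5.3 and db, and needs both).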




[Secure-testing-commits] r58385 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 10:17:30 + (Sat, 09 Dec 2017)
New Revision: 58385

Modified:
   data/CVE/list
Log:
Review changes for 8.10 included via jessie-pu

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 09:36:06 UTC (rev 58384)
+++ data/CVE/list   2017-12-09 10:17:30 UTC (rev 58385)
@@ -3909,7 +3909,7 @@
- fig2dev 1:3.2.6a-5 (bug #881143)
[stretch] - fig2dev 1:3.2.6a-2+deb9u1
- transfig 
-   [jessie] - transfig  (Minor issue)
+   [jessie] - transfig 1:3.2.5.e-4+deb8u1
[wheezy] - transfig  (Minor issue)
 CVE-2017-16898 (The printMP3Headers function in util/listmp3.c in libming 
v0.4.8 or ...)
- ming 
@@ -4969,7 +4969,7 @@
 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant 
heap-based ...)
{DLA-1185-1}
- sam2p 
-   [jessie] - sam2p  (Minor issue)
+   [jessie] - sam2p 0.49.2-3+deb8u1
NOTE: https://github.com/pts/sam2p/issues/16
 CVE-2017-16662
RESERVED
@@ -7164,7 +7164,7 @@
 CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a 
segmentation ...)
- ruby-ox 2.8.2-1 (bug #881445)
[stretch] - ruby-ox 2.1.1-2+deb9u1
-   [jessie] - ruby-ox  (Minor issue)
+   [jessie] - ruby-ox 2.1.1-2+deb8u1
NOTE: https://github.com/ohler55/ox/issues/194
NOTE: 
https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8
 CVE-2017-15927
@@ -9417,7 +9417,7 @@
RESERVED
- pdns-recursor 4.0.7-1
[stretch] - pdns-recursor 4.0.4-1+deb9u2
-   [jessie] - pdns-recursor  (Minor issue)
+   [jessie] - pdns-recursor 3.6.2-2+deb8u4
[wheezy] - pdns-recursor  (Vulnerable code introduced 
later)
NOTE: 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html
NOTE: https://downloads.powerdns.com/patches/2017-06/
@@ -9433,7 +9433,7 @@
RESERVED
- pdns 4.0.5-1
[stretch] - pdns 4.0.3-1+deb9u2
-   [jessie] - pdns  (Minor issue)
+   [jessie] - pdns 3.4.1-4+deb8u8
[wheezy] - pdns  (Vulnerable code not present)
NOTE: 
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html
NOTE: https://downloads.powerdns.com/patches/2017-04/
@@ -9958,7 +9958,7 @@
 CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components 
for ...)
- icu 57.1-7 (bug #878840)
[stretch] - icu 57.1-6+deb9u1
-   [jessie] - icu  (Should be fixed along in future update)
+   [jessie] - icu 52.1-8+deb8u6
[wheezy] - icu  (Can be fixed in next update)
NOTE: 
http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/
NOTE: 
http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp
@@ -10579,7 +10579,7 @@
{DLA-1192-1}
- libofx 1:0.9.11-5 (bug #877442)
[stretch] - libofx 1:0.9.10-2+deb9u1
-   [jessie] - libofx  (Minor issue)
+   [jessie] - libofx 1:0.9.10-1+deb8u1
NOTE: https://github.com/libofx/libofx/issues/10
NOTE: 
https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd
 CVE-2017-14730 (The init script in the Gentoo app-admin/logstash-bin package 
before ...)
@@ -10645,7 +10645,7 @@
{DLA--1}
- weechat 1.9.1-1 (bug #876553)
[stretch] - weechat 1.6-1+deb9u2
-   [jessie] - weechat  (Minor issue; requires a malicious IRC 
server)
+   [jessie] - weechat 1.0.1-1+deb8u2
NOTE: Fixed by: 
https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556
 CVE-2017-14717 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks 
...)
NOT-FOR-US: EPESI
@@ -10840,12 +10840,12 @@
 CVE-2017-14637 (In sam2p 0.49.3, there is an invalid read of size 2 in the 
parse_rgb ...)
{DLA-1127-1}
- sam2p  (bug #876744)
-   [jessie] - sam2p  (Minor issue)
+   [jessie] - sam2p 0.49.2-3+deb8u1
NOTE: https://github.com/pts/sam2p/issues/14 (bug 5)
 CVE-2017-14636 (Because of an integer overflow in sam2p 0.49.3, a loop 
executes ...)
{DLA-1127-1}
- sam2p  (bug #876744)
-   [jessie] - sam2p  (Minor issue)
+   [jessie] - sam2p 0.49.2-3+deb8u1
NOTE: https://github.com/pts/sam2p/issues/14 (bug 4)
 CVE-2017-14635 (In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x 
before ...)
{DSA-4021-1 DLA-1119-1}
@@ -10884,22 +10884,22 @@
 CVE-2017-14631 (In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has 
an ...)
{DLA-1127-1}
- sam2p  (bug #876744)
-   [jessie] - sam2p  (Minor issue)
+   [jessie] - sam2p 0.49.2-3+deb8u1
NOTE: https://github.com/pts/sam2p/issues/14 (bug 1)
 CVE-2017-14630 (In sam2p 0.49.3, an integer overflow exists in the 
pcxLoadImage24 ...)
{DLA-1127-1}
- sam2p  (bug

[Secure-testing-commits] r58384 - data

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 09:36:06 + (Sat, 09 Dec 2017)
New Revision: 58384

Modified:
   data/next-point-update.txt
Log:
Remove packages included in 9.3

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2017-12-09 09:35:58 UTC (rev 58383)
+++ data/next-point-update.txt  2017-12-09 09:36:06 UTC (rev 58384)
@@ -1,47 +1,3 @@
-CVE-2017-10989
-   [stretch] - sqlite3 3.16.2-5+deb9u1
-CVE-2017-13709
-   [stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1
-CVE-2017-13738
-   [stretch] - liblouis 3.0.0-3+deb9u1
-CVE-2017-13739
-   [stretch] - liblouis 3.0.0-3+deb9u1
-CVE-2017-13740
-   [stretch] - liblouis 3.0.0-3+deb9u1
-CVE-2017-13741
-   [stretch] - liblouis 3.0.0-3+deb9u1
-CVE-2017-13742
-   [stretch] - liblouis 3.0.0-3+deb9u1
-CVE-2017-13743
-   [stretch] - liblouis 3.0.0-3+deb9u1
-CVE-2017-13744
-   [stretch] - liblouis 3.0.0-3+deb9u1
-CVE-2017-14727
-   [stretch] - weechat 1.6-1+deb9u2
-CVE-2017-2810
-   [stretch] - python-tablib 0.9.11-2+deb9u1
-CVE-2017-14952
-   [stretch] - icu 57.1-6+deb9u1
-CVE-2017-2816
-   [stretch] - libofx 1:0.9.10-2+deb9u1
-CVE-2017-14731
-   [stretch] - libofx 1:0.9.10-2+deb9u1
-CVE-2017-1000158
-   [stretch] - python2.7 2.7.13-2+deb9u2
-CVE-2017-15928
-   [stretch] - ruby-ox 2.1.1-2+deb9u1
-CVE-2017-15090
-   [stretch] - pdns-recursor 4.0.4-1+deb9u2
-CVE-2017-15091
-   [stretch] - pdns 4.0.3-1+deb9u2
-CVE-2017-15092
-   [stretch] - pdns-recursor 4.0.4-1+deb9u2
-CVE-2017-15093
-   [stretch] - pdns-recursor 4.0.4-1+deb9u2
-CVE-2017-15094
-   [stretch] - pdns-recursor 4.0.4-1+deb9u2
-CVE-2017-16899
-   [stretch] - fig2dev 1:3.2.6a-2+deb9u1
 CVE-2017-12424
[stretch] - shadow 1:4.4-4.1+deb9u1
 CVE-2017-9951




[Secure-testing-commits] r58383 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 09:35:58 + (Sat, 09 Dec 2017)
New Revision: 58383

Modified:
   data/CVE/list
Log:
Review changes for 9.3 included via stretch-pu

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 09:14:28 UTC (rev 58382)
+++ data/CVE/list   2017-12-09 09:35:58 UTC (rev 58383)
@@ -3907,7 +3907,7 @@
RESERVED
 CVE-2017-16899 (An array index error in the fig2dev program in Xfig 3.2.6a 
allows ...)
- fig2dev 1:3.2.6a-5 (bug #881143)
-   [stretch] - fig2dev  (Minor issue)
+   [stretch] - fig2dev 1:3.2.6a-2+deb9u1
- transfig 
[jessie] - transfig  (Minor issue)
[wheezy] - transfig  (Minor issue)
@@ -4256,7 +4256,7 @@
 CVE-2017-1000158 (CPython (aka Python) up to 2.7.13 is vulnerable to an 
integer overflow ...)
{DLA-1190-1 DLA-1189-1}
- python2.7 2.7.13-4
-   [stretch] - python2.7  (Minor issue)
+   [stretch] - python2.7 2.7.13-2+deb9u2
[jessie] - python2.7  (Minor issue)
- python2.6 
NOTE: https://bugs.python.org/issue30657
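Review bot: stretch moves to 2.7.13-2+deb9u2 via stretch-pu while jessie keeps "Minor issue" and wheezy already has DLA-1190-1/DLA-1189-1; since the fix was acceptable for a point update, the same should be scheduled for jessie-pu rather than leaving oldstable as the only suite without it (the 8.10 list in r58386 above does not include python2.7).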
@@ -7163,7 +7163,7 @@
RESERVED
 CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a 
segmentation ...)
- ruby-ox 2.8.2-1 (bug #881445)
-   [stretch] - ruby-ox  (Minor issue)
+   [stretch] - ruby-ox 2.1.1-2+deb9u1
[jessie] - ruby-ox  (Minor issue)
NOTE: https://github.com/ohler55/ox/issues/194
NOTE: 
https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8
@@ -9408,7 +9408,7 @@
 CVE-2017-15094 [Memory leak in DNSSEC parsing]
RESERVED
- pdns-recursor 4.0.7-1
-   [stretch] - pdns-recursor  (Minor issue)
+   [stretch] - pdns-recursor 4.0.4-1+deb9u2
[jessie] - pdns-recursor  (Issue introduced in 4.0.0)
[wheezy] - pdns-recursor  (Issue introduced in 4.0.0)
NOTE: 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html
@@ -9416,7 +9416,7 @@
 CVE-2017-15093 [Configuration file injection in the API]
RESERVED
- pdns-recursor 4.0.7-1
-   [stretch] - pdns-recursor  (Minor issue)
+   [stretch] - pdns-recursor 4.0.4-1+deb9u2
[jessie] - pdns-recursor  (Minor issue)
[wheezy] - pdns-recursor  (Vulnerable code introduced 
later)
NOTE: 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html
@@ -9424,7 +9424,7 @@
 CVE-2017-15092 [Cross-Site Scripting in the web interface]
RESERVED
- pdns-recursor 4.0.7-1
-   [stretch] - pdns-recursor  (Minor issue)
+   [stretch] - pdns-recursor 4.0.4-1+deb9u2
[jessie] - pdns-recursor  (Issue introduced in 4.0.0)
[wheezy] - pdns-recursor  (Issue introduced in 4.0.0)
NOTE: 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html
@@ -9432,7 +9432,7 @@
 CVE-2017-15091 [Missing check on API operations]
RESERVED
- pdns 4.0.5-1
-   [stretch] - pdns  (Minor issue)
+   [stretch] - pdns 4.0.3-1+deb9u2
[jessie] - pdns  (Minor issue)
[wheezy] - pdns  (Vulnerable code not present)
NOTE: 
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html
@@ -9440,7 +9440,7 @@
 CVE-2017-15090 [Insufficient validation of DNSSEC signatures]
RESERVED
- pdns-recursor 4.0.7-1
-   [stretch] - pdns-recursor  (Minor issue)
+   [stretch] - pdns-recursor 4.0.4-1+deb9u2
[jessie] - pdns-recursor  (Issue introduced in 4.0.0)
[wheezy] - pdns-recursor  (Issue introduced in 4.0.0)
NOTE: 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html
@@ -9957,7 +9957,7 @@
NOT-FOR-US: HikVision
 CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components 
for ...)
- icu 57.1-7 (bug #878840)
-   [stretch] - icu  (Should be fixed along in future update)
+   [stretch] - icu 57.1-6+deb9u1
[jessie] - icu  (Should be fixed along in future update)
[wheezy] - icu  (Can be fixed in next update)
NOTE: 
http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/
@@ -10578,7 +10578,7 @@
 CVE-2017-14731 (ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows 
remote ...)
{DLA-1192-1}
- libofx 1:0.9.11-5 (bug #877442)
-   [stretch] - libofx  (Minor issue)
+   [stretch] - libofx 1:0.9.10-2+deb9u1
[jessie] - libofx  (Minor issue)
NOTE: https://github.com/libofx/libofx/issues/10
NOTE: 
https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd
@@ -10644,7 +10644,7 @@
 CVE-2017-14727 (logger.c in the logger plugin in WeeChat before 1.9.1 allows a 
crash ...)
{DLA--1}
- weechat 1.9.1-1 (bug #876553)
-   [stretch] - weechat  (Minor issue; requires a malicious IRC 
server)
+   [stretch]

[Secure-testing-commits] r58382 - in data: . CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 09:14:28 + (Sat, 09 Dec 2017)
New Revision: 58382

Modified:
   data/CVE/list
   data/next-oldstable-point-update.txt
Log:
Merge already 3.16.51-1 fixes (sync with kernel-sec)

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 09:10:18 UTC (rev 58381)
+++ data/CVE/list   2017-12-09 09:14:28 UTC (rev 58382)
@@ -3952,6 +3952,7 @@
 CVE-2017-1000405 (The Linux Kernel versions 2.6.38 through 4.14 have a 
problematic use ...)
- linux 4.14.2-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0
NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1
NOTE: https://github.com/bindecy/HugeDirtyCowPOC
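Review bot: the description says kernels 2.6.38 through 4.14 are affected, and [stretch] and [jessie] now have fixed versions, but there is no [wheezy] line at all; wheezy's 3.2 kernel falls inside that range, so add either a fixed version or an explicit status for it.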
@@ -5000,10 +5001,12 @@
 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in 
the Linux ...)
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16649 (The usbnet_generic_cdc_bind function in 
drivers/net/usb/cdc_ether.c in ...)
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
 CVE-2017-16648 (The dvb_frontend_free function in 
drivers/media/dvb-core/dvb_frontend.c ...)
- linux  (Vulnerable code not present)
 CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 
4.13.11 ...)
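Review bot: CVE-2017-16649 gets a [jessie] line but, unlike CVE-2017-16650 directly above it, has no [wheezy] status; usbnet_generic_cdc_bind in drivers/net/usb/cdc_ether.c exists in 3.2 as well, so wheezy needs either a fixed version or a "Vulnerable code not present" verdict after checking.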
@@ -5027,6 +5030,7 @@
 CVE-2017-16643 (The parse_hid_report_descriptor function in 
drivers/input/tablet/gtco.c ...)
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
 CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 
7.1.11, an ...)
- php7.1 7.1.11-1
- php7.0 7.0.25-1
@@ -5312,12 +5316,15 @@
 CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the 
Linux kernel ...)
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
 CVE-2017-16536 (The cx231xx_usb_probe function in ...)
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
 CVE-2017-16535 (The usb_get_bos_descriptor function in 
drivers/usb/core/config.c in the ...)
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e
 CVE-2017-16534 (The cdc_parse_cdc_header function in 
drivers/usb/core/message.c in the ...)
- linux 4.13.10-1
@@ -5328,23 +5335,28 @@
 CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in 
the Linux ...)
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b
 CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in 
the Linux ...)
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8
 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 
allows ...)
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb
 CVE-2017-16530 (The uas driver in the Linux kernel before 4.13.6 allows local 
users to ...)
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
[wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/786de92b3cb26012d3d0f00ee37adf14527f35c4
 CVE-2017-16529 (The snd_usb_create_streams function in sound/usb/card.c in the 
Linux ...)
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991
 CVE-2017-16528 (sound/core/seq_device.c in the Linux kernel before 4.13.4 
allows local ...)
- linux 4.13.4-1
@@ -5355,6 +5367,7 @@
 CVE-2017-16527 (sound/usb/mixer.c in the Linux kernel before 4.13.8 allows 
local users ...)
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
NOTE: Fixed by: 
https://git.kernel.org/linus/124751d5e63c823092060074bd0abaae61aaa9c4
 CVE-2017-16526 (drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows 
local users ...)
- linux 4.13.10-1
@@ -5363,6 +5376,7 @@
 CVE-2017-16525 (The usb_serial_console_disconnect function in ...)
- linux 4.13.10-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux 3.16.51-1
 CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from 
an ...)

[Secure-testing-commits] r58381 - data/CVE

2017-12-09 Thread security tracker role
Author: sectracker
Date: 2017-12-09 09:10:18 + (Sat, 09 Dec 2017)
New Revision: 58381

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 09:06:37 UTC (rev 58380)
+++ data/CVE/list   2017-12-09 09:10:18 UTC (rev 58381)
@@ -1,3 +1,7 @@
+CVE-2017-17482
+   RESERVED
+CVE-2017-17481
+   RESERVED
 CVE-2017-17480 (In OpenJPEG 2.3.0, a stack-based buffer overflow was 
discovered in the ...)
- openjpeg2 
NOTE: https://github.com/uclouvain/openjpeg/issues/1044
@@ -5632,128 +5636,128 @@
RESERVED
 CVE-2017-16421
RESERVED
-CVE-2017-16420
-   RESERVED
-CVE-2017-16419
-   RESERVED
-CVE-2017-16418
-   RESERVED
-CVE-2017-16417
-   RESERVED
-CVE-2017-16416
-   RESERVED
-CVE-2017-16415
-   RESERVED
-CVE-2017-16414
-   RESERVED
-CVE-2017-16413
-   RESERVED
-CVE-2017-16412
-   RESERVED
-CVE-2017-16411
-   RESERVED
-CVE-2017-16410
-   RESERVED
-CVE-2017-16409
-   RESERVED
-CVE-2017-16408
-   RESERVED
-CVE-2017-16407
-   RESERVED
-CVE-2017-16406
-   RESERVED
-CVE-2017-16405
-   RESERVED
-CVE-2017-16404
-   RESERVED
-CVE-2017-16403
-   RESERVED
-CVE-2017-16402
-   RESERVED
-CVE-2017-16401
-   RESERVED
-CVE-2017-16400
-   RESERVED
-CVE-2017-16399
-   RESERVED
-CVE-2017-16398
-   RESERVED
-CVE-2017-16397
-   RESERVED
-CVE-2017-16396
-   RESERVED
-CVE-2017-16395
-   RESERVED
-CVE-2017-16394
-   RESERVED
-CVE-2017-16393
-   RESERVED
-CVE-2017-16392
-   RESERVED
-CVE-2017-16391
-   RESERVED
-CVE-2017-16390
-   RESERVED
-CVE-2017-16389
-   RESERVED
-CVE-2017-16388
-   RESERVED
-CVE-2017-16387
-   RESERVED
-CVE-2017-16386
-   RESERVED
-CVE-2017-16385
-   RESERVED
-CVE-2017-16384
-   RESERVED
-CVE-2017-16383
-   RESERVED
-CVE-2017-16382
-   RESERVED
-CVE-2017-16381
-   RESERVED
-CVE-2017-16380
-   RESERVED
-CVE-2017-16379
-   RESERVED
-CVE-2017-16378
-   RESERVED
-CVE-2017-16377
-   RESERVED
-CVE-2017-16376
-   RESERVED
-CVE-2017-16375
-   RESERVED
-CVE-2017-16374
-   RESERVED
-CVE-2017-16373
-   RESERVED
-CVE-2017-16372
-   RESERVED
-CVE-2017-16371
-   RESERVED
-CVE-2017-16370
-   RESERVED
-CVE-2017-16369
-   RESERVED
-CVE-2017-16368
-   RESERVED
-CVE-2017-16367
-   RESERVED
-CVE-2017-16366
-   RESERVED
-CVE-2017-16365
-   RESERVED
-CVE-2017-16364
-   RESERVED
-CVE-2017-16363
-   RESERVED
-CVE-2017-16362
-   RESERVED
-CVE-2017-16361
-   RESERVED
-CVE-2017-16360
-   RESERVED
+CVE-2017-16420 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16419 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16418 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16417 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16416 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16415 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16414 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16413 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16412 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16411 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16410 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16409 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16408 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16407 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16406 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16405 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16404 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16403 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16402 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: check
+CVE-2017-16401 (An issue was discovered in Adobe Acrobat and Reader: 
2017.012.20098 and ...)
+   TODO: ch
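Review bot: every entry in this hunk describes Adobe Acrobat and Reader, a product Debian does not package, so the `TODO: check` placeholder repeated twenty times here reads like a batch import that still needs triage; the convention this file uses for a non-packaged product is a `NOT-FOR-US: Adobe Acrobat and Reader` line (as done for OpenDayLight elsewhere in this series), which resolves the entries instead of leaving open TODO markers. Note also that the hunk ends mid-line at `+   TODO: ch`, so the tail of the change is not visible in this copy.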

[Secure-testing-commits] r58380 - in data: . CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 09:06:37 + (Sat, 09 Dec 2017)
New Revision: 58380

Modified:
   data/CVE/list
   data/next-oldstable-point-update.txt
Log:
Sync CVE-2017-15274 with kernel-sec

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 09:04:21 UTC (rev 58379)
+++ data/CVE/list   2017-12-09 09:06:37 UTC (rev 58380)
@@ -8842,6 +8842,7 @@
 CVE-2017-15274 (security/keys/keyctl.c in the Linux kernel before 4.11.5 does 
not ...)
- linux 4.11.6-1
[stretch] - linux 4.9.47-1
+   [jessie] - linux 3.16.48-1
[wheezy] - linux 3.2.93-1
NOTE: Fixed by: 
https://git.kernel.org/linus/5649645d725c73df4302428ee4e02c869248b4c5 (4.12-rc5)
 CVE-2017-15273 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 
before ...)

Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-12-09 09:04:21 UTC (rev 
58379)
+++ data/next-oldstable-point-update.txt2017-12-09 09:06:37 UTC (rev 
58380)
@@ -69,8 +69,6 @@
[jessie] - db 5.1.29-9+deb8u1
 CVE-2017-14727
[jessie] - weechat 1.0.1-1+deb8u2
-CVE-2017-15274
-   [jessie] - linux 3.16.48-1
 CVE-2014-8184
[jessie] - liblouis 2.5.3-3+deb8u1
 CVE-2017-14952


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r58379 - in data: . CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 09:04:21 + (Sat, 09 Dec 2017)
New Revision: 58379

Modified:
   data/CVE/list
   data/next-point-update.txt
Log:
Merge already 4.9.65-1 fixes (sync with kernel-sec)

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 08:35:30 UTC (rev 58378)
+++ data/CVE/list   2017-12-09 09:04:21 UTC (rev 58379)
@@ -3651,6 +3651,7 @@
RESERVED
 CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux 
kernel ...)
- linux 4.14.2-1
+   [stretch] - linux 4.9.65-1
NOTE: Fixed by: 
https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1)
 CVE-2017-16993
RESERVED
@@ -3780,6 +3781,7 @@
RESERVED
 CVE-2017-16939 (The XFRM dump policy implementation in net/xfrm/xfrm_user.c in 
the ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
NOTE: Fixed by: 
https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2
 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote 
attackers to ...)
{DSA-4058-1 DLA-1196-1}
@@ -3945,6 +3947,7 @@
NOT-FOR-US: OpenDayLight
 CVE-2017-1000405 (The Linux Kernel versions 2.6.38 through 4.14 have a 
problematic use ...)
- linux 4.14.2-1
+   [stretch] - linux 4.9.65-1
NOTE: Fixed by: 
https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0
NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1
NOTE: https://github.com/bindecy/HugeDirtyCowPOC
@@ -4992,21 +4995,26 @@
NOTE: https://github.com/roundcube/roundcubemail/issues/6026
 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in 
the Linux ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16649 (The usbnet_generic_cdc_bind function in 
drivers/net/usb/cdc_ether.c in ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
 CVE-2017-16648 (The dvb_frontend_free function in 
drivers/media/dvb-core/dvb_frontend.c ...)
- linux  (Vulnerable code not present)
 CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 
4.13.11 ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux 
kernel through ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in 
drivers/input/misc/ims-pcu.c ...)
- linux 4.14.2-1
+   [stretch] - linux 4.9.65-1
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16644 (The hdpvr_probe function in 
drivers/media/usb/hdpvr/hdpvr-core.c in the ...)
- linux 
@@ -5014,6 +5022,7 @@
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16643 (The parse_hid_report_descriptor function in 
drivers/input/tablet/gtco.c ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
 CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 
7.1.11, an ...)
- php7.1 7.1.11-1
- php7.0 7.0.25-1
@@ -5298,45 +5307,58 @@
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the 
Linux kernel ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
 CVE-2017-16536 (The cx231xx_usb_probe function in ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
 CVE-2017-16535 (The usb_get_bos_descriptor function in 
drivers/usb/core/config.c in the ...)
- linux 4.13.10-1
+   [stretch] - linux 4.9.65-1
NOTE: Fixed by: 
https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e
 CVE-2017-16534 (The cdc_parse_cdc_header function in 
drivers/usb/core/message.c in the ...)
- linux 4.13.10-1
+   [stretch] - linux 4.9.65-1
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/2e1c42391ff2556387b3cb6308b24f6f65619feb
 CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in 
the Linux ...)
- linux 4.13.10-1
+   [stretch] - linux 4.9.65-1
NOTE: Fixed by: 
https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b
 CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in 
the Linux ...)
- linux 4.13.13-1
+   [stretch] - linux 4.9.65-1
NOTE: Fixed by: 
https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8
 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 
allows ...)
- linux 4.13.10-1
+ 
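Review bot: this hunk is cut off at a bare `+ ` after `- linux 4.13.10-1` for CVE-2017-16531, so neither the stretch line for that CVE nor the data/next-point-update.txt change listed under Modified: is visible here; the portion that is visible is consistent, with each added `[stretch] - linux 4.9.65-1` sitting under a CVE whose unstable fix is a 4.13.x or 4.14.x upload, as the log's "sync with kernel-sec" implies.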

[Secure-testing-commits] r58378 - data

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 08:35:30 + (Sat, 09 Dec 2017)
New Revision: 58378

Modified:
   data/next-oldstable-point-update.txt
Log:
Move packages which likely will not be included in 8.10 to the end

Some were not uploaded after confirmation; dosfstools, mactelnet, salt
and sqlite3 should be repinged.

Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-12-09 08:23:01 UTC (rev 
58377)
+++ data/next-oldstable-point-update.txt2017-12-09 08:35:30 UTC (rev 
58378)
@@ -1,9 +1,3 @@
-CVE-2015-8872
-   [jessie] - dosfstools 3.0.27-1+deb8u1
-CVE-2016-4804
-   [jessie] - dosfstools 3.0.27-1+deb8u1
-CVE-2016-7115
-   [jessie] - mactelnet 0.4.0-1+deb8u1
 CVE-2016-7942
[jessie] - libx11 2:1.6.2-3+deb8u1
 CVE-2016-7943
@@ -26,14 +20,6 @@
[jessie] - libxrandr 2:1.4.2-1+deb8u1
 CVE-2016-7953
[jessie] - libxvmc 2:1.0.8-2+deb8u1
-CVE-2015-6918
-   [jessie] - salt 2014.1.13+ds-3+deb8u1
-CVE-2015-6941
-   [jessie] - salt 2014.1.13+ds-3+deb8u1
-CVE-2015-8034
-   [jessie] - salt 2014.1.13+ds-3+deb8u1
-CVE-2016-3176
-   [jessie] - salt 2014.1.13+ds-3+deb8u1
 CVE-2017-8296
[jessie] - kedpm 1.0+deb8u1
 CVE-2017-3
@@ -64,8 +50,6 @@
[jessie] - slurm-llnl 14.03.9-5+deb8u1
 CVE-2017-1000368
[jessie] - sudo 1.8.10p3-1+deb8u5
-CVE-2016-10396
-   [jessie] - ipsec-tools 1:0.8.2+20140711-2+deb8u2
 CVE-2017-9765
[jessie] - gsoap 2.8.17-1+deb8u1
 CVE-2017-11368
@@ -74,6 +58,8 @@
[jessie] - krb5 1.12.1+dfsg-19+deb8u3
 CVE-2016-3119
[jessie] - krb5 1.12.1+dfsg-19+deb8u3
+CVE-2015-2694
+   [jessie] - krb5 1.12.1+dfsg-19+deb8u3
 CVE-2017-13709
[jessie] - flightgear 3.0.0-5+deb8u3
 CVE-2017-14226
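Review bot: the `+CVE-2015-2694` / `[jessie] - krb5 1.12.1+dfsg-19+deb8u3` pair at the end of this hunk is a new entry, not a move: there is no matching `-CVE-2015-2694` anywhere in this diff, and the log only describes moving packages that will likely miss 8.10 to the end of the file. Either mention the added krb5 CVE in the log or commit it separately so the history explains where it came from.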
@@ -83,23 +69,6 @@
[jessie] - db 5.1.29-9+deb8u1
 CVE-2017-14727
[jessie] - weechat 1.0.1-1+deb8u2
-CVE-2015- [busybox: pointer misuse unziping files]
-   [jessie] - busybox 1:1.22.0-9+deb8u2
-   NOTE: For #803097
-CVE-2014-9645
-   [jessie] - busybox 1:1.22.0-9+deb8u2
-CVE-2016-2148
-   [jessie] - busybox 1:1.22.0-9+deb8u2
-CVE-2016-2147
-   [jessie] - busybox 1:1.22.0-9+deb8u2
-CVE-2011-5325
-   [jessie] - busybox 1:1.22.0-9+deb8u2
-CVE-2017-15873
-   [jessie] - busybox 1:1.22.0-9+deb8u2
-CVE-2017-16544
-   [jessie] - busybox 1:1.22.0-9+deb8u2
-CVE-2017-10989
-   [jessie] - sqlite3 3.8.7.1-1+deb8u3
 CVE-2017-15274
[jessie] - linux 3.16.48-1
 CVE-2014-8184
@@ -128,10 +97,6 @@
[jessie] - sam2p 0.49.2-3+deb8u1
 CVE-2017-15928
[jessie] - ruby-ox 2.1.1-2+deb8u1
-CVE-2017-10378
-   [jessie] - mariadb-10.0 10.0.33-0+deb8u1
-CVE-2017-10268
-   [jessie] - mariadb-10.0 10.0.33-0+deb8u1
 CVE-2017-15091
[jessie] - pdns 3.4.1-4+deb8u8
 CVE-2017-15093
@@ -186,3 +151,40 @@
[jessie] - linux 3.16.51-1
 CVE-2017-1000405
[jessie] - linux 3.16.51-1
+CVE-2015-8872
+   [jessie] - dosfstools 3.0.27-1+deb8u1
+CVE-2016-4804
+   [jessie] - dosfstools 3.0.27-1+deb8u1
+CVE-2016-7115
+   [jessie] - mactelnet 0.4.0-1+deb8u1
+CVE-2015-6918
+   [jessie] - salt 2014.1.13+ds-3+deb8u1
+CVE-2015-6941
+   [jessie] - salt 2014.1.13+ds-3+deb8u1
+CVE-2015-8034
+   [jessie] - salt 2014.1.13+ds-3+deb8u1
+CVE-2016-3176
+   [jessie] - salt 2014.1.13+ds-3+deb8u1
+CVE-2016-10396
+   [jessie] - ipsec-tools 1:0.8.2+20140711-2+deb8u2
+CVE-2015- [busybox: pointer misuse unziping files]
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+   NOTE: For #803097
+CVE-2014-9645
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2016-2148
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2016-2147
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2011-5325
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2017-15873
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2017-16544
+   [jessie] - busybox 1:1.22.0-9+deb8u2
+CVE-2017-10989
+   [jessie] - sqlite3 3.8.7.1-1+deb8u3
+CVE-2017-10378
+   [jessie] - mariadb-10.0 10.0.33-0+deb8u1
+CVE-2017-10268
+   [jessie] - mariadb-10.0 10.0.33-0+deb8u1
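Review bot: the block re-added at the end matches the removals above one for one (dosfstools x2, mactelnet, salt x4, ipsec-tools, busybox x7, sqlite3, mariadb-10.0 x2), so nothing is lost in the move; but the log names only dosfstools, mactelnet, salt and sqlite3 as needing a re-ping, while ipsec-tools, busybox and mariadb-10.0 are moved without a stated reason, which the log should give. While the busybox placeholder is being touched, `CVE-2015- [busybox: pointer misuse unziping files]` should read `unzipping`.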




[Secure-testing-commits] r58377 - data/CVE

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 08:23:01 + (Sat, 09 Dec 2017)
New Revision: 58377

Modified:
   data/CVE/list
Log:
Drop stretch and jessie lines for libnet-ping-external-perl

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-09 08:20:55 UTC (rev 58376)
+++ data/CVE/list   2017-12-09 08:23:01 UTC (rev 58377)
@@ -5050,8 +5050,6 @@
RESERVED
 CVE-2008-7319 (The Net::Ping::External extension through 0.15 for Perl does 
not ...)
- libnet-ping-external-perl  (bug #881097)
-   [stretch] - libnet-ping-external-perl  (Remove in next point 
update)
-   [jessie] - libnet-ping-external-perl  (Remove in next point 
update)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=33230
NOTE: Proposed patch: 
http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch
 CVE-2017-16638 (The Gentoo net-misc/vde package before version 2.3.2-r4 may 
allow ...)
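Review bot: dropping the `[stretch]` and `[jessie]` `(Remove in next point update)` lines leaves both suites inheriting the plain unstable entry `- libnet-ping-external-perl (bug #881097)`, and the log gives no reason for the change. Record in the log (or in a `NOTE:` line under the entry, next to the existing patch reference) whether the removal from those suites was completed or the plan was abandoned, so the tracker state for stretch and jessie stays explainable.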




[Secure-testing-commits] r58376 - data

2017-12-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-09 08:20:55 + (Sat, 09 Dec 2017)
New Revision: 58376

Modified:
   data/next-point-update.txt
Log:
Move packages which likely will not be included in 9.3 to the end

Some were not confirmed to be uploaded, or not uploaded at all; glibc will
be skipped due to a regression and will be in 9.4.

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2017-12-09 07:53:35 UTC (rev 58375)
+++ data/next-point-update.txt  2017-12-09 08:20:55 UTC (rev 58376)
@@ -1,11 +1,7 @@
-CVE-2017-12424
-   [stretch] - shadow 1:4.4-4.1+deb9u1
 CVE-2017-10989
[stretch] - sqlite3 3.16.2-5+deb9u1
 CVE-2017-13709
[stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1
-CVE-2017-9951
-   [stretch] - memcached 1.4.33-1+deb9u1
 CVE-2017-13738
[stretch] - liblouis 3.0.0-3+deb9u1
 CVE-2017-13739
@@ -22,19 +18,6 @@
[stretch] - liblouis 3.0.0-3+deb9u1
 CVE-2017-14727
[stretch] - weechat 1.6-1+deb9u2
-CVE-2015- [busybox: pointer misuse unziping files]
-   [stretch] - busybox 1:1.22.0-19+deb9u1
-   NOTE: For #803097
-CVE-2016-2148
-   [stretch] - busybox 1:1.22.0-19+deb9u1
-CVE-2016-2147
-   [stretch] - busybox 1:1.22.0-19+deb9u1
-CVE-2011-5325
-   [stretch] - busybox 1:1.22.0-19+deb9u1
-CVE-2017-15873
-   [stretch] - busybox 1:1.22.0-19+deb9u1
-CVE-2017-16544
-   [stretch] - busybox 1:1.22.0-19+deb9u1
 CVE-2017-2810
[stretch] - python-tablib 0.9.11-2+deb9u1
 CVE-2017-14952
@@ -47,8 +30,6 @@
[stretch] - python2.7 2.7.13-2+deb9u2
 CVE-2017-15928
[stretch] - ruby-ox 2.1.1-2+deb9u1
-CVE-2017-12133
-   [stretch] - glibc 2.24-11+deb9u2
 CVE-2017-15090
[stretch] - pdns-recursor 4.0.4-1+deb9u2
 CVE-2017-15091
@@ -59,8 +40,6 @@
[stretch] - pdns-recursor 4.0.4-1+deb9u2
 CVE-2017-15094
[stretch] - pdns-recursor 4.0.4-1+deb9u2
-CVE-2017-14623
-   [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1
 CVE-2017-16899
[stretch] - fig2dev 1:3.2.6a-2+deb9u1
 CVE-2017-0786
@@ -135,3 +114,24 @@
[stretch] - linux 4.9.65-1
 CVE-2017-1000405
[stretch] - linux 4.9.65-1
+CVE-2017-12424
+   [stretch] - shadow 1:4.4-4.1+deb9u1
+CVE-2017-9951
+   [stretch] - memcached 1.4.33-1+deb9u1
+CVE-2015- [busybox: pointer misuse unziping files]
+   [stretch] - busybox 1:1.22.0-19+deb9u1
+   NOTE: For #803097
+CVE-2016-2148
+   [stretch] - busybox 1:1.22.0-19+deb9u1
+CVE-2016-2147
+   [stretch] - busybox 1:1.22.0-19+deb9u1
+CVE-2011-5325
+   [stretch] - busybox 1:1.22.0-19+deb9u1
+CVE-2017-15873
+   [stretch] - busybox 1:1.22.0-19+deb9u1
+CVE-2017-16544
+   [stretch] - busybox 1:1.22.0-19+deb9u1
+CVE-2017-12133
+   [stretch] - glibc 2.24-11+deb9u2
+CVE-2017-14623
+   [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1
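Review bot: the moved block at the end matches the removals above (shadow, memcached, busybox x6, glibc, golang-github-go-ldap-ldap), so no entry is dropped; but the log says glibc 2.24-11+deb9u2 is being skipped for 9.3 because of a regression and deferred to 9.4, and the file records none of that. A `NOTE:` line under `CVE-2017-12133` (the file already uses `NOTE: For #803097` under the busybox placeholder) would keep the deferral reason with the entry instead of only in the commit log.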

