[Secure-testing-commits] r58409 - data/CVE
Author: carnil Date: 2017-12-10 07:19:30 + (Sun, 10 Dec 2017) New Revision: 58409 Modified: data/CVE/list Log: Two CVEs will be included in openafs update Modified: data/CVE/list === --- data/CVE/list 2017-12-10 05:14:14 UTC (rev 58408) +++ data/CVE/list 2017-12-10 07:19:30 UTC (rev 58409) @@ -52818,7 +52818,6 @@ CVE-2016-9772 (OpenAFS 1.6.19 and earlier allows remote attackers to obtain sensitive ...) {DLA-733-1} - openafs 1.6.20-1 (bug #846922) - [jessie] - openafs (Minor issue; can be fixed in point release) NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2016-003.txt NOTE: Upstream patch: https://www.openafs.org/pages/security/openafs-sa-2016-003-master.patch (master) NOTE: Upstream patch: https://www.openafs.org/pages/security/openafs-sa-2016-003.patch @@ -70639,7 +70638,6 @@ CVE-2016-4536 (The client in OpenAFS before 1.6.17 does not properly initialize the ...) {DLA-493-1} - openafs 1.6.17-1 - [jessie] - openafs (Minor issue, can be included in a future DSA or via jessie-pu) NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt CVE-2016-4486 (The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux ...) {DSA-3607-1 DLA-516-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
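Review bot: dropping the two [jessie] no-dsa lines ("Minor issue; can be fixed in point release" on CVE-2016-9772, "Minor issue, can be included in a future DSA or via jessie-pu" on CVE-2016-4536) reopens both CVEs for jessie in the tracker until a DSA reference is recorded, so the openafs update mentioned in the log needs both CVE IDs in its DSA/list entry; until that lands the two entries read as unfixed in jessie. The removals themselves match the hunk headers (-52818,7 +52818,6 and -70639,7 +70638,6 each drop exactly one line).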
[Secure-testing-commits] r58408 - data/CVE
Author: carnil Date: 2017-12-10 05:14:14 + (Sun, 10 Dec 2017) New Revision: 58408 Modified: data/CVE/list Log: Update xen entries after point release The xen version in unstable was not updated. As a consequence SRM decided to prop-up the xen source package to unstable and the issues are source-wise fixed there. No guarantee though xen binary packages are fully working in unstable. Modified: data/CVE/list === --- data/CVE/list 2017-12-09 22:34:39 UTC (rev 58407) +++ data/CVE/list 2017-12-10 05:14:14 UTC (rev 58408) @@ -2331,15 +2331,15 @@ RESERVED CVE-2017-17045 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS ...) {DSA-4050-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-247.html CVE-2017-17044 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS ...) {DSA-4050-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-246.html CVE-2017-17046 (An issue was discovered in Xen through 4.9.x on the ARM platform ...) {DSA-4050-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-245.html CVE-2018-0705 RESERVED @@ -7995,7 +7995,7 @@ RESERVED CVE-2017-15597 (An issue was discovered in Xen through 4.9.x. Grant copying code made ...) {DSA-4050-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-236.html CVE-2017-15586 RESERVED
@@ -8811,38 +8811,38 @@ NOT-FOR-US: Mirasys Video Management System CVE-2017-15594 (An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest ...) {DSA-4050-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (minor issue) NOTE: https://xenbits.xen.org/xsa/advisory-244.html CVE-2017-15592 (An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS ...) {DSA-4050-1 DLA-1181-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-243.html CVE-2017-15593 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1181-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-242.html CVE-2017-15588 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1181-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-241.html CVE-2017-15595 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1181-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-240.html CVE-2017-15589 (An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS ...) {DSA-4050-1 DLA-1181-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-239.html CVE-2017-15591 (An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers ...) {DSA-4050-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 [jessie] - xen (Only affects 4.5 and later) [wheezy] - xen (Only affects 4.5 and later) NOTE: https://xenbits.xen.org/xsa/advisory-238.html CVE-2017-15590 (An issue was discovered in Xen through 4.9.x allowing x86 guest OS ...) {DSA-4050-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-237.html CVE-2017-15289 (The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow ...) - qemu (bug #880832) 
@@ -11826,21 +11826,21 @@ NOT-FOR-US: Mirasvit Helpdesk MX CVE-2017-14319 (A grant unmapping issue was discovered in Xen through 4.9.x. When ...) {DSA-4050-1 DLA-1132-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-234.html CVE-2017-14318 (An issue was discovered in Xen 4.5.x through 4.9.x. The function ...) {DSA-4050-1 DLA-1132-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 [jessie] - xen (Only affects 4.5 and later) NOTE: https://xenbits.xen.org/xsa/advisory-232.html NOTE: Wheezy will be affected with the upcoming grant table backport CVE-2017-14317 (A domain cleanup issue was discovered in the C xenstore daemon (aka ...) {DSA-4050-1 DLA-1132-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-233.html CVE-2017-14316 (A parameter verification issue was discovered in Xen through 4.9.x. The ...) {DSA-4050-1 DLA-1132-1} - - xen + - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-231.html CVE-2017-14315 (In Apple iOS
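Review bot: the fixed version written into every unstable line, 4.8.2+xsa245-0+deb9u1, is the stretch security build from DSA-4050-1 rather than a regular unstable upload, and the log's caveat that the binary packages may not fully work in unstable exists only in the commit message; a NOTE line on these entries saying the stable package was propped up to unstable would keep that context next to the data. Also worth a second look: CVE-2017-15594 keeps "[wheezy] - xen (minor issue)" with no DLA reference, while the neighbouring XSA-239 to XSA-243 entries carry DLA-1181-1, so XSA-244 stays tagged no-dsa for wheezy after this change.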
[Secure-testing-commits] r58407 - in data: . CVE
Author: jmm Date: 2017-12-09 22:34:39 + (Sat, 09 Dec 2017) New Revision: 58407 Modified: data/CVE/list data/dsa-needed.txt Log: stable triage Modified: data/CVE/list === --- data/CVE/list 2017-12-09 21:10:14 UTC (rev 58406) +++ data/CVE/list 2017-12-09 22:34:39 UTC (rev 58407) @@ -3848,6 +3848,8 @@ RESERVED CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session ...) - xrdp (bug #882463) + [stretch] - xrdp (Minor issue) + [jessie] - xrdp (Minor issue) NOTE: Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958 NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted ...) @@ -4615,6 +4617,8 @@ CVE-2017-16816 [A user can cause the condor_schedd to crash by submitting a job designed for that purpose] RESERVED - condor 8.6.8~dfsg.1-1 + [stretch] - condor (Minor issue) + [jessie] - condor (Minor issue) NOTE: http://research.cs.wisc.edu/htcondor//security/vulnerabilities/HTCONDOR-2017-0001.html CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site Migration & ...) NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) plugin for WordPress @@ -7639,6 +7643,8 @@ NOT-FOR-US: IrfanView CVE-2017-15736 (Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 ...) - spip (bug #879954) + [stretch] - spip (Minor issue) + [jessie] - spip (Minor issue) [wheezy] - spip (vulnerable code not present) NOTE: https://core.spip.net/projects/spip/repository/revisions/23701 CVE-2017-15735 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) ...) 
@@ -10031,7 +10037,7 @@ CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the ...) NOT-FOR-US: Intelbras WRN 150 devices CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure ...) - - jasperreports (bug #880467) + - jasperreports (bug #880467) NOTE: https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941 CVE-2017-14940 (scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) ...) - binutils Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-09 21:10:14 UTC (rev 58406) +++ data/dsa-needed.txt 2017-12-09 22:34:39 UTC (rev 58407) @@ -56,6 +56,9 @@ -- qemu/oldstable -- +redmine/stable + oldstable also affected, but might be worth EOLing +-- ruby2.1/oldstable -- rsync (carnil) @@ -66,6 +69,12 @@ -- sqlite3/oldstable -- +sssd/stable +-- +tomcat7/oldstable +-- +tomcat8 +-- tiff wait until more issues are around --
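Review bot: the CVE-2017-14941 hunk (the removed and added "- jasperreports (bug #880467)" lines are identical) is a whitespace-only change bundled into a triage commit; it adds nothing to the record and makes the diff harder to scan, so either leave it out or say in the log that trailing whitespace was cleaned up. In dsa-needed.txt the new "redmine/stable" entry carries the remark "oldstable also affected, but might be worth EOLing"; if that becomes the decision, the jessie redmine lines in data/CVE/list should get an end-of-life annotation rather than staying open.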
[Secure-testing-commits] r58406 - data/CVE
Author: sectracker Date: 2017-12-09 21:10:14 + (Sat, 09 Dec 2017) New Revision: 58406 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-09 20:23:13 UTC (rev 58405) +++ data/CVE/list 2017-12-09 21:10:14 UTC (rev 58406) @@ -2109,16 +2109,19 @@ CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a "" substring in an ...) NOT-FOR-US: Indeo Otter CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety ...) + {DSA-4060-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14250 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f5939debe96e3c3953c6020818f1fbb80eb83ce8 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-49.html CVE-2017-17084 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA ...) + {DSA-4060-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14236 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8502fe94ef9e431860921507e1a351c5e3f5c634 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-47.html CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector ...) + {DSA-4060-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14249 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=79768d63d14fbce6bf7fb4d4a1c86be0c5205eb3 @@ -3794,6 +3797,7 @@ CVE-2017-16940 RESERVED CVE-2017-16939 (The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the ...) + {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2 @@ -3955,6 +3959,7 @@ RESERVED CVE-2017-1000407 [DoS via write flood to I/O port 0x80] RESERVED + {DLA-1200-1} - linux NOTE: https://www.spinics.net/lists/kvm/msg159809.html CVE-2017-1000406 (OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a ...) 
@@ -5023,6 +5028,7 @@ [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) + {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 @@ -5047,6 +5053,7 @@ [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) + {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 @@ -5333,14 +5340,17 @@ - linux [wheezy] - linux (Vulnerable code not present) CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the Linux kernel ...) + {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16536 (The cx231xx_usb_probe function in ...) + {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16535 (The usb_get_bos_descriptor function in drivers/usb/core/config.c in the ...) + {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 
@@ -5352,16 +5362,19 @@ [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/2e1c42391ff2556387b3cb6308b24f6f65619feb CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux ...) + {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux ...) + {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows ...) + {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 @@ -5373,6 +5386,7 @@ [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/786de92b3cb26012d3d0f00ee37adf14527f35c4 CVE-2017-16529 (The snd_usb_create_streams function in sound/usb/card.c in the Linux ...) + {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3
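Review bot: CVE-2017-1000407 now carries {DLA-1200-1} while its package line is still a bare "- linux" with no fixed version and the entry is still RESERVED; the wheezy fix is recorded only through the DLA marker, so once the upstream commit is known a "NOTE: Fixed by:" line, as on CVE-2017-16939 in the same hunk set, would make the entry self-explanatory. The wireshark hunks are consistent: all three entries already had the 2.4.3-1 fixed version and only gain the {DSA-4060-1} marker.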
[Secure-testing-commits] r58405 - data/CVE
Author: carnil Date: 2017-12-09 20:23:13 + (Sat, 09 Dec 2017) New Revision: 58405 Modified: data/CVE/list Log: Process several NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-09 19:50:11 UTC (rev 58404) +++ data/CVE/list 2017-12-09 20:23:13 UTC (rev 58405) @@ -35,11 +35,11 @@ CVE-2017-17466 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17465 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer ...) - TODO: check + NOT-FOR-US: K7 Antivirus CVE-2017-17464 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer ...) - TODO: check + NOT-FOR-US: K7 Antivirus CVE-2017-17463 (Vivo modems allow remote attackers to obtain sensitive information by ...) - TODO: check + NOT-FOR-US: Vivo modems CVE-2017-17462 RESERVED CVE-2017-17461 (A Regular expression Denial of Service (ReDoS) vulnerability in the ...) 
@@ -5670,127 +5670,127 @@ CVE-2017-16421 RESERVED CVE-2017-16420 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16419 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16418 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16417 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16416 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16415 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16414 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16413 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16412 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16411 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16410 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16409 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16408 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16407 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16406 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) 
- TODO: check + NOT-FOR-US: Adobe CVE-2017-16405 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16404 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16403 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16402 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16401 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16400 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16399 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16398 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16397 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16396 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16395 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16394 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) - TODO: check + NOT-FOR-US: Adobe CVE-2017-16393 (An issue was discovered in Adobe Acrobat and Reader
[Secure-testing-commits] r58404 - in data: . DLA
Author: benh Date: 2017-12-09 19:50:11 + (Sat, 09 Dec 2017) New Revision: 58404 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-1200-1 for linux Modified: data/DLA/list === --- data/DLA/list 2017-12-09 19:43:36 UTC (rev 58403) +++ data/DLA/list 2017-12-09 19:50:11 UTC (rev 58404) @@ -1,3 +1,6 @@ +[09 Dec 2017] DLA-1200-1 linux - security update + {CVE-2016-10208 CVE-2017-8824 CVE-2017-8831 CVE-2017-12190 CVE-2017-13080 CVE-2017-14051 CVE-2017-15115 CVE-2017-15265 CVE-2017-15299 CVE-2017-15649 CVE-2017-15868 CVE-2017-16525 CVE-2017-16527 CVE-2017-16529 CVE-2017-16531 CVE-2017-16532 CVE-2017-16533 CVE-2017-16535 CVE-2017-16536 CVE-2017-16537 CVE-2017-16643 CVE-2017-16649 CVE-2017-16939 CVE-2017-1000407} + [wheezy] - linux 3.2.96-1 [09 Dec 2017] DLA-1199-1 thunderbird - security update {CVE-2017-7826 CVE-2017-7828 CVE-2017-7830} [wheezy] - thunderbird 1:52.5.0-1~deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-09 19:43:36 UTC (rev 58403) +++ data/dla-needed.txt 2017-12-09 19:50:11 UTC (rev 58404) @@ -55,8 +55,6 @@ -- libxml2 (Thorsten Alteholz) -- -linux --- ming (Hugo Lefeuvre) NOTE: 20171120: wip, currently working on it with upstream, might take a while NOTE: Some issues currently in upstream's bug tracker are missing a CVE number, so number of issues might increase in the next weeks
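Review bot: the new DLA-1200-1 entry lists CVE-2017-1000407 as fixed in wheezy 3.2.96-1, but that CVE is still RESERVED in data/CVE/list with a bare "- linux" line and only a kvm mailing-list link as reference; when the automatic update propagates the DLA marker, that entry will read as fixed in wheezy and open everywhere else with nothing explaining where the fix came from, so a "Fixed by" NOTE for it is worth adding alongside the DLA. The dla-needed.txt hunk removes the "linux" block cleanly and the header counts (-55,8 +55,6) match the two dropped lines.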
[Secure-testing-commits] r58403 - data/CVE
Author: carnil Date: 2017-12-09 19:43:36 + (Sat, 09 Dec 2017) New Revision: 58403 Modified: data/CVE/list Log: Sync wheezy status for CVE-2017-1000405 Modified: data/CVE/list === --- data/CVE/list 2017-12-09 19:42:10 UTC (rev 58402) +++ data/CVE/list 2017-12-09 19:43:36 UTC (rev 58403) @@ -3963,6 +3963,7 @@ - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 + [wheezy] - linux (vulnerable code not present, cf. kernel-sec information) NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 NOTE: https://github.com/bindecy/HugeDirtyCowPOC
[Secure-testing-commits] r58402 - data/CVE
Author: carnil Date: 2017-12-09 19:42:10 + (Sat, 09 Dec 2017) New Revision: 58402 Modified: data/CVE/list Log: Ignore CVE-2017-174{48,49,50} for wheezy Modified: data/CVE/list === --- data/CVE/list 2017-12-09 19:39:09 UTC (rev 58401) +++ data/CVE/list 2017-12-09 19:42:10 UTC (rev 58402) @@ -206,12 +206,15 @@ NOT-FOR-US: Wordpress plugin CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not ...) - linux + [wheezy] - linux (User namespaces not supported) NOTE: https://lkml.org/lkml/2017/12/5/982 CVE-2017-17449 (The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in ...) - linux + [wheezy] - linux (User namespaces not supported) NOTE: https://lkml.org/lkml/2017/12/5/950 CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 ...) - linux + [wheezy] - linux (User namespaces not supported) NOTE: https://patchwork.kernel.org/patch/10089373/ CVE-2018-1280 RESERVED
[Secure-testing-commits] r58401 - data/CVE
Author: carnil Date: 2017-12-09 19:39:09 + (Sat, 09 Dec 2017) New Revision: 58401 Modified: data/CVE/list Log: CVE-2017-16994 not affected for jessie and wheezy Modified: data/CVE/list === --- data/CVE/list 2017-12-09 19:37:36 UTC (rev 58400) +++ data/CVE/list 2017-12-09 19:39:09 UTC (rev 58401) @@ -3661,6 +3661,8 @@ CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 + [jessie] - linux (Vulnerable code introduced in 4.0) + [wheezy] - linux (Vulnerable code introduced in 4.0) NOTE: Fixed by: https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1) CVE-2017-16993 RESERVED
[Secure-testing-commits] r58400 - data/CVE
Author: carnil Date: 2017-12-09 19:37:36 + (Sat, 09 Dec 2017) New Revision: 58400 Modified: data/CVE/list Log: Sync CVE-2017-1000410 with kernel-sec information Modified: data/CVE/list === --- data/CVE/list 2017-12-09 19:35:22 UTC (rev 58399) +++ data/CVE/list 2017-12-09 19:37:36 UTC (rev 58400) @@ -480,6 +480,7 @@ NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=34697694e8a93b325b18f25f7dcded55d6baeaf6 CVE-2017-1000410 (The Linux kernel version 3.3-rc1 and later is affected by a ...) - linux + [wheezy] - linux (Vulnerable code introduced in 3.3) NOTE: http://www.openwall.com/lists/oss-security/2017/12/06/3 CVE-2017-1000409 RESERVED
[Secure-testing-commits] r58399 - data/CVE
Author: carnil Date: 2017-12-09 19:35:22 + (Sat, 09 Dec 2017) New Revision: 58399 Modified: data/CVE/list Log: Sync CVE-2017-0861 with kernel-sec Modified: data/CVE/list === --- data/CVE/list 2017-12-09 19:28:38 UTC (rev 58398) +++ data/CVE/list 2017-12-09 19:35:22 UTC (rev 58399) @@ -51432,8 +51432,12 @@ CVE-2017-0862 (An elevation of privilege vulnerability in the Upstream kernel kernel. ...) NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0861 (Use-after-free vulnerability in the snd_pcm_info function in the ALSA ...) - - linux + - linux 4.13.4-1 + [stretch] - linux (Minor issue, cf. kernel-sec information) + [jessie] - linux (Minor issue, cf. kernel-sec information) + [wheezy] - linux (Minor issue, cf. kernel-sec information) NOTE: https://git.kernel.org/linus/362bca57f5d78220f8b5907b875961af9436e229 + NOTE: UAF actually already removed in https://git.kernel.org/linus/e11f0f90a626f93899687b1cc909ee37dd6c5809 CVE-2017-0860 (An elevation of privilege vulnerability in the Android system ...) NOT-FOR-US: Android CVE-2017-0859 (Another vulnerability in the Android media framework (n/a). Product: ...)
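Review bot: the added NOTE says the use-after-free was "already removed" by e11f0f90a626, but unlike the other "Fixed by" NOTE lines in this file it does not say which release contains that commit (compare the "(4.15-rc1)" suffix on the CVE-2017-16994 entry). Without it a reader cannot tell whether the three new "Minor issue" tags on stretch, jessie and wheezy mean "vulnerable but low priority" or "effectively not affected because the earlier commit is present"; add the version to the NOTE, or switch the suite lines to the not-affected wording if the earlier commit is in those kernels.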
[Secure-testing-commits] r58398 - data/CVE
Author: carnil Date: 2017-12-09 19:28:38 + (Sat, 09 Dec 2017) New Revision: 58398 Modified: data/CVE/list Log: Update status for CVE-2017-3737, thanks Q_ Modified: data/CVE/list === --- data/CVE/list 2017-12-09 16:14:23 UTC (rev 58397) +++ data/CVE/list 2017-12-09 19:28:38 UTC (rev 58398) @@ -43781,13 +43781,13 @@ NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 CVE-2017-3737 (OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error ...) - openssl 1.1.0b-2 - [jessie] - openssl (Issue introduced in 1.0.2b) - [wheezy] - openssl (Issue introduced in 1.0.2b) - openssl1.0 NOTE: Not fully correct tracking, the issue just does not affect OpenSSL 1.1.0 NOTE: thus mark as fixed in the firs 1.1.0 version which entered unstable. NOTE: https://www.openssl.org/news/secadv/20171207.txt NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc + NOTE: From the maintainer: Versions before 1.0.2b always had the problem, in 1.0.2b + NOTE: it was attempted to get this fixed but the fix was incomplete. CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery squaring ...) {DSA-4017-1} - openssl 1.1.0g-1
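Review bot: the new NOTE ("Versions before 1.0.2b always had the problem") contradicts the two context lines directly above it, "[jessie] - openssl (Issue introduced in 1.0.2b)" and "[wheezy] - openssl (Issue introduced in 1.0.2b)", which mark jessie and wheezy as not affected on the premise that the bug first appeared in 1.0.2b. If the maintainer's statement is right, those annotations should be reworded to the actual triage decision rather than left to conflict with the NOTE; the log says "Update status", but the hunk only adds NOTE lines and changes no status. The existing typo "firs" (for "first") in the earlier NOTE could be fixed in the same pass.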
[Secure-testing-commits] r58397 - data/DLA
Author: agx Date: 2017-12-09 16:14:23 + (Sat, 09 Dec 2017) New Revision: 58397 Modified: data/DLA/list Log: lts: Grab DLA-1199-1 for thunderbird Modified: data/DLA/list === --- data/DLA/list 2017-12-09 16:07:59 UTC (rev 58396) +++ data/DLA/list 2017-12-09 16:14:23 UTC (rev 58397) @@ -1,3 +1,6 @@ +[09 Dec 2017] DLA-1199-1 thunderbird - security update + {CVE-2017-7826 CVE-2017-7828 CVE-2017-7830} + [wheezy] - thunderbird 1:52.5.0-1~deb7u1 [04 Dec 2017] DLA-1198-1 libextractor - security update {CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922} [wheezy] - libextractor 1:0.6.3-5+deb7u1
[Secure-testing-commits] r58396 - in data: . CVE
Author: jmm Date: 2017-12-09 16:07:59 + (Sat, 09 Dec 2017) New Revision: 58396 Modified: data/CVE/list data/dsa-needed.txt Log: stable triage Modified: data/CVE/list === --- data/CVE/list 2017-12-09 15:42:23 UTC (rev 58395) +++ data/CVE/list 2017-12-09 16:07:59 UTC (rev 58396) @@ -2289,6 +2289,8 @@ RESERVED CVE-2017-17042 (lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not ...) - yard 0.9.12-1 + [stretch] - yard (Minor issue) + [jessie] - yard (Minor issue) NOTE: Fixed by: https://github.com/lsegal/yard/commit/b0217b3e30dc53d057b168250635975e62b4 (0.9.11) CVE-2017-17041 RESERVED @@ -4170,12 +4172,16 @@ NOT-FOR-US: I, Librarian CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have ...) - ldns (bug #882014) + [stretch] - ldns (Minor issue) + [jessie] - ldns (Minor issue) [wheezy] - ldns (Vulnerable code not present) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257 NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02505c9bbacb3b64a97ddcb1de967153b7 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have unspecified ...) {DLA-1182-1} - ldns (bug #882015) + [stretch] - ldns (Minor issue) + [jessie] - ldns (Minor issue) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256 NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 ...) @@ -4967,6 +4973,8 @@ NOTE: OTRS 3.3: https://github.com/OTRS/otrs/commit/2e58a4bbd99b2477d72c3b2d9fef009537ab19ce CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper ...) - backintime (bug #881205) + [stretch] - backintime (Minor issue) + [jessie] - backintime (Minor issue) [wheezy] - backintime (Vulnerable code does not exist) NOTE: https://github.com/bit-team/backintime/issues/834 NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 
@@ -8560,7 +8568,9 @@ CVE-2017-15378 (SQL Injection exists in the E-Sic 1.0 password reset parameter (aka the ...) NOT-FOR-US: E-Sic CVE-2017-15377 (In Suricata before 4.x, it was possible to trigger lots of redundant ...) - - suricata 1:4.0.0-1 + - suricata 1:4.0.0-1 (low) + [stretch] - suricata (Minor issue) + [jessie] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/pull/2680/commits/47afc577ff763150f9b47f10331f5ef9eb847a57 NOTE: https://redmine.openinfosecfoundation.org/issues/2231 CVE-2017-15376 (The TELNET service in Mobatek MobaXterm 10.4 does not require ...) @@ -10564,6 +10574,8 @@ CVE-2017-14737 (A cryptographic cache-based side channel in the RSA implementation in ...) {DLA-1125-1} - botan1.10 1.10.17-0.1 (bug #877436) + [stretch] - botan1.10 (Minor issue) + [jessie] - botan1.10 (Minor issue) NOTE: https://github.com/randombit/botan/issues/1222 NOTE: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai NOTE: for 1.10: https://github.com/randombit/botan/commit/aeb87170d1b9013b079c300c8858bad477d30bd4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-09 15:42:23 UTC (rev 58395) +++ data/dsa-needed.txt 2017-12-09 16:07:59 UTC (rev 58396) @@ -14,6 +14,8 @@ -- 389-ds-base (fw) -- +asterisk +-- chromium-browser -- firefox-esr (jmm) @@ -46,6 +48,8 @@ -- phpmyadmin/oldstable -- +pjproject +-- poppler 2017-11-23: santiago will prepare a debdiff 2017-12-02: santiago prepared debdiffs available for review
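Review bot: for CVE-2017-1000232 (ldns) and CVE-2017-16667 (backintime) the stretch and jessie lines are tagged "Minor issue" while the unstable lines still carry only a bug number and no fixed version, so both stay open in unstable after this triage and need a follow-up once the fixed uploads land; the suricata hunk is the tidy case, with "(low)" on the unstable line next to the suite tags. Unrelated to the change but visible in the context lines: the yard NOTE's commit hash b0217b3e30dc53d057b168250635975e62b4 is 36 hex characters rather than 40, so it looks truncated and should be re-checked against the upstream repository.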
[Secure-testing-commits] r58395 - data/CVE
Author: carnil Date: 2017-12-09 15:42:23 + (Sat, 09 Dec 2017) New Revision: 58395 Modified: data/CVE/list Log: Add commit reference for CVE-2017-8824/linux Modified: data/CVE/list === --- data/CVE/list 2017-12-09 13:47:06 UTC (rev 58394) +++ data/CVE/list 2017-12-09 15:42:23 UTC (rev 58395) @@ -28111,6 +28111,7 @@ CVE-2017-8824 (The dccp_disconnect function in net/dccp/proto.c in the Linux kernel ...) - linux NOTE: http://lists.openwall.net/netdev/2017/12/04/224 + NOTE: Fixed by: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76 CVE-2017-8823 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 ...) {DSA-4054-1} - tor 0.3.1.9-1
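Review bot: the "Fixed by" commit 69c64866ce07 is now recorded, but the package line stays a bare "- linux" with no fixed version, and CVE-2017-8824 is in the CVE set of DLA-1200-1 (wheezy 3.2.96-1) reserved in r58404; until the unstable, stretch and jessie versions containing the fix are filled in, the entry reads as fixed only in wheezy, which is the inverse of the usual picture and worth a NOTE or a prompt version update.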
[Secure-testing-commits] r58394 - data/CVE
Author: carnil Date: 2017-12-09 13:47:06 + (Sat, 09 Dec 2017) New Revision: 58394 Modified: data/CVE/list Log: Add bug reference for CVE-2017-16611, #883929 Modified: data/CVE/list === --- data/CVE/list 2017-12-09 13:14:40 UTC (rev 58393) +++ data/CVE/list 2017-12-09 13:47:06 UTC (rev 58394) @@ -5134,7 +5134,7 @@ NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2 CVE-2017-16611 (In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker ...) - - libxfont (low) + - libxfont (low; bug #883929) [stretch] - libxfont (Minor issue) [jessie] - libxfont (Minor issue) - libxfont1 (unimportant)
[Secure-testing-commits] r58393 - data/CVE
Author: jmm Date: 2017-12-09 13:14:40 + (Sat, 09 Dec 2017) New Revision: 58393 Modified: data/CVE/list Log: mysql-connector-net bug Modified: data/CVE/list === --- data/CVE/list 2017-12-09 13:12:42 UTC (rev 58392) +++ data/CVE/list 2017-12-09 13:14:40 UTC (rev 58393) @@ -24080,7 +24080,7 @@ CVE-2017-10278 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10277 (Vulnerability in the MySQL Connectors component of Oracle MySQL ...) - - mysql-connector-net + - mysql-connector-net (bug #883923) [stretch] - mysql-connector-net (Minor issue) [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue) @@ -24277,7 +24277,7 @@ [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10203 (Vulnerability in the MySQL Connectors component of Oracle MySQL ...) - - mysql-connector-net + - mysql-connector-net (bug #883923) [stretch] - mysql-connector-net (Minor issue) [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue)
[Secure-testing-commits] r58392 - data/CVE
Author: carnil Date: 2017-12-09 13:12:42 + (Sat, 09 Dec 2017) New Revision: 58392 Modified: data/CVE/list Log: Remove bug number for libical3, since libical source Modified: data/CVE/list === --- data/CVE/list 2017-12-09 13:05:12 UTC (rev 58391) +++ data/CVE/list 2017-12-09 13:12:42 UTC (rev 58392) @@ -53083,7 +53083,7 @@ NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5 CVE-2016-9584 (libical allows remote attackers to cause a denial of service ...) {DLA-959-1} - - libical3 3.0.1-1 (bug #852034) + - libical3 3.0.1-1 - libical (bug #852034) [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58391 - data/CVE
Author: jmm Date: 2017-12-09 13:05:12 + (Sat, 09 Dec 2017) New Revision: 58391 Modified: data/CVE/list Log: mysql-connector-net no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-12-09 12:49:29 UTC (rev 58390) +++ data/CVE/list 2017-12-09 13:05:12 UTC (rev 58391) @@ -24081,6 +24081,8 @@ NOT-FOR-US: Oracle CVE-2017-10277 (Vulnerability in the MySQL Connectors component of Oracle MySQL ...) - mysql-connector-net + [stretch] - mysql-connector-net (Minor issue) + [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue) CVE-2017-10276 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 5.7.20-1 (bug #878398) @@ -24276,6 +24278,8 @@ [wheezy] - virtualbox (DSA 3454) CVE-2017-10203 (Vulnerability in the MySQL Connectors component of Oracle MySQL ...) - mysql-connector-net + [stretch] - mysql-connector-net (Minor issue) + [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue) CVE-2017-10202 (Vulnerability in the OJVM component of Oracle Database Server. ...) NOT-FOR-US: Oracle ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
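Review bot: both hunks record `(Minor issue)` for stretch and jessie on CVE-2017-10277 and CVE-2017-10203 while the unstable `- mysql-connector-net` line above each still has neither a fixed version nor a bug reference, so the no-dsa decision is written down before anything tracks the fix for unstable; the follow-up r58393 (above in this thread) adds `bug #883923` to exactly those lines, which is the reference these hunks should have carried.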
[Secure-testing-commits] r58390 - in data: . CVE
Author: jmm Date: 2017-12-09 12:49:29 + (Sat, 09 Dec 2017) New Revision: 58390 Modified: data/CVE/list data/dsa-needed.txt Log: various stable triage Modified: data/CVE/list === --- data/CVE/list 2017-12-09 11:52:10 UTC (rev 58389) +++ data/CVE/list 2017-12-09 12:49:29 UTC (rev 58390) @@ -170,6 +170,8 @@ RESERVED CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync protocol is ...) - fossil 1:2.4-1 + [stretch] - fossil (Minor issue) + [jessie] - fossil (Minor issue) NOTE: https://www.fossil-scm.org/xfer/info/1f63db591c77108c CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially malformed ...) - mercurial 4.4.1-1 @@ -4600,6 +4602,8 @@ NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) plugin for WordPress CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in collectd ...) - collectd (bug #881757) + [stretch] - collectd (Minor issue) + [jessie] - collectd (Minor issue) [wheezy] - collectd (Vulnerable code not present) NOTE: https://github.com/collectd/collectd/issues/2291 CVE-2017-16814 @@ -8983,6 +8987,8 @@ RESERVED CVE-2017-15232 (libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and ...) - libjpeg-turbo (low; bug #878567) + [stretch] - libjpeg-turbo (Minor issue) + [jessie] - libjpeg-turbo (Minor issue) - libjpeg6b (Vulnerable code not present) - libjpeg8 (Vulnerable code not present) - libjpeg9 (Vulnerable code not present) @@ -53073,6 +53079,7 @@ NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5 CVE-2016-9584 (libical allows remote attackers to cause a denial of service ...) {DLA-959-1} + - libical3 3.0.1-1 (bug #852034) - libical (bug #852034) [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-09 11:52:10 UTC (rev 58389) +++ data/dsa-needed.txt 2017-12-09 12:49:29 UTC (rev 58390) 
@@ -30,10 +30,14 @@ -- openafs (jmm) -- +openjpeg2 +-- openssl1.0/stable -- otrs2 -- +passenger/stable +-- php-horde-image -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
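Review bot: in the CVE-2016-9584 hunk the new `+ - libical3 3.0.1-1 (bug #852034)` line reuses the bug number already attached to the `- libical (bug #852034)` line directly below it; a Debian bug is filed against one source package, so the reference belongs on that package only, and the later r58392 (above in this thread) indeed drops it from libical3 again. Keeping the libical3 line as `- libical3 3.0.1-1` from the start would have avoided the extra commit.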
[Secure-testing-commits] r58389 - data
Author: jmm Date: 2017-12-09 11:52:10 + (Sat, 09 Dec 2017) New Revision: 58389 Modified: data/dsa-needed.txt Log: take thunderbird and firefox Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-09 11:49:51 UTC (rev 58388) +++ data/dsa-needed.txt 2017-12-09 11:52:10 UTC (rev 58389) @@ -16,8 +16,8 @@ -- chromium-browser -- -firefox-esr --- +firefox-esr (jmm) +-- graphicsmagick -- libav/oldstable @@ -61,7 +61,7 @@ tiff wait until more issues are around -- -thunderbird +thunderbird (jmm) -- wordpress -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58388 - in data: . CVE DSA
Author: jmm Date: 2017-12-09 11:49:51 + (Sat, 09 Dec 2017) New Revision: 58388 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: wireshark DSA Modified: data/CVE/list === --- data/CVE/list 2017-12-09 10:49:14 UTC (rev 58387) +++ data/CVE/list 2017-12-09 11:49:51 UTC (rev 58388) @@ -13301,6 +13301,7 @@ NOTE: https://www.wireshark.org/security/wnpa-sec-2017-38.html CVE-2017-13766 (In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector could ...) - wireshark 2.4.1-1 + [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13847 Modified: data/DSA/list === --- data/DSA/list 2017-12-09 10:49:14 UTC (rev 58387) +++ data/DSA/list 2017-12-09 11:49:51 UTC (rev 58388) @@ -1,3 +1,7 @@ +[09 Dec 2017] DSA-4060-1 wireshark - security update + {CVE-2017-11408 CVE-2017-17083 CVE-2017-17084 CVE-2017-17085} + [jessie] - wireshark 1.12.1+g01b65bf-4+deb8u12 + [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1 [08 Dec 2017] DSA-4059-1 libxcursor - security update {CVE-2017-16612} [jessie] - libxcursor 1:1.1.14-1+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-09 10:49:14 UTC (rev 58387) +++ data/dsa-needed.txt 2017-12-09 11:49:51 UTC (rev 58388) @@ -63,8 +63,6 @@ -- thunderbird -- -wireshark (jmm) --- wordpress -- xen/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
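Review bot: the CVE-2017-13766 hunk sets `[stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1`, the exact version the new DSA-4060-1 entry ships, yet that DSA/list entry names only `{CVE-2017-11408 CVE-2017-17083 CVE-2017-17084 CVE-2017-17085}` and the CVE-2017-13766 entry receives no `{DSA-4060-1}` marker; either add CVE-2017-13766 to the advisory's CVE set and mark the entry, or add a NOTE stating that the fix rode along in the same upload without being part of the advisory text, so the cross-reference stays consistent. The untouched `[jessie] - wireshark (Vulnerable code not present)` line agrees with the description's 2.2.0 to 2.2.8 range.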
[Secure-testing-commits] r58387 - data
Author: pochu Date: 2017-12-09 10:49:14 + (Sat, 09 Dec 2017) New Revision: 58387 Modified: data/dla-needed.txt Log: dla: claim firefox-esr Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-09 10:18:12 UTC (rev 58386) +++ data/dla-needed.txt 2017-12-09 10:49:14 UTC (rev 58387) @@ -17,6 +17,8 @@ couchdb NOTE: Only in wheezy, we are on our own. -- +firefox-esr (Emilio Pozuelo) +-- irssi (Rhonda D'Vine) -- jasperreports ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58386 - data
Author: carnil Date: 2017-12-09 10:18:12 + (Sat, 09 Dec 2017) New Revision: 58386 Modified: data/next-oldstable-point-update.txt Log: Remove packages included in 8.10 Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-12-09 10:17:30 UTC (rev 58385) +++ data/next-oldstable-point-update.txt2017-12-09 10:18:12 UTC (rev 58386) 
@@ -1,106 +1,3 @@ -CVE-2016-7942 - [jessie] - libx11 2:1.6.2-3+deb8u1 -CVE-2016-7943 - [jessie] - libx11 2:1.6.2-3+deb8u1 -CVE-2016-7952 - [jessie] - libxtst 2:1.2.2-1+deb8u1 -CVE-2016-7951 - [jessie] - libxtst 2:1.2.2-1+deb8u1 -CVE-2016-5407 - [jessie] - libxv 2:1.0.10-1+deb8u1 -CVE-2016-7945 - [jessie] - libxi 2:1.7.4-1+deb8u1 -CVE-2016-7946 - [jessie] - libxi 2:1.7.4-1+deb8u1 -CVE-2016-7944 - [jessie] - libxfixes 1:5.0.1-2+deb8u1 -CVE-2016-7947 - [jessie] - libxrandr 2:1.4.2-1+deb8u1 -CVE-2016-7948 - [jessie] - libxrandr 2:1.4.2-1+deb8u1 -CVE-2016-7953 - [jessie] - libxvmc 2:1.0.8-2+deb8u1 -CVE-2017-8296 - [jessie] - kedpm 1.0+deb8u1 -CVE-2017-3 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-2 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-10684 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-10685 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-13728 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-13729 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-13730 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-13731 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-13732 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-13733 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-13734 - [jessie] - ncurses 5.9+20140913-1+deb8u1 -CVE-2017-9604 - [jessie] - kdepim 4:4.14.1-1+deb8u1 -CVE-2016-10030 - [jessie] - slurm-llnl 14.03.9-5+deb8u1 -CVE-2017-1000368 - [jessie] - sudo 1.8.10p3-1+deb8u5 -CVE-2017-9765 - [jessie] - gsoap 2.8.17-1+deb8u1 -CVE-2017-11368 - [jessie] - krb5 1.12.1+dfsg-19+deb8u3 -CVE-2016-3120 - [jessie] - krb5 1.12.1+dfsg-19+deb8u3 -CVE-2016-3119 - [jessie] - krb5 1.12.1+dfsg-19+deb8u3 -CVE-2015-2694 - [jessie] - krb5 1.12.1+dfsg-19+deb8u3 -CVE-2017-13709 - [jessie] - flightgear 3.0.0-5+deb8u3 -CVE-2017-14226 - [jessie] - libwpd 0.10.0-2+deb8u1 -CVE-2017-10140 - [jessie] - db5.3 5.3.28-9+deb8u1 - [jessie] - db 5.1.29-9+deb8u1 -CVE-2017-14727 - [jessie] - weechat 1.0.1-1+deb8u2 -CVE-2014-8184 - [jessie] - liblouis 
2.5.3-3+deb8u1 -CVE-2017-14952 - [jessie] - icu 52.1-8+deb8u6 -CVE-2017-2810 - [jessie] - python-tablib 0.9.11-2+deb8u1 -CVE-2017-2816 - [jessie] - libofx 1:0.9.10-1+deb8u1 -CVE-2017-14731 - [jessie] - libofx 1:0.9.10-1+deb8u1 -CVE-2017-14628 - [jessie] - sam2p 0.49.2-3+deb8u1 -CVE-2017-14629 - [jessie] - sam2p 0.49.2-3+deb8u1 -CVE-2017-14630 - [jessie] - sam2p 0.49.2-3+deb8u1 -CVE-2017-14631 - [jessie] - sam2p 0.49.2-3+deb8u1 -CVE-2017-14636 - [jessie] - sam2p 0.49.2-3+deb8u1 -CVE-2017-14637 - [jessie] - sam2p 0.49.2-3+deb8u1 -CVE-2017-16663 - [jessie] - sam2p 0.49.2-3+deb8u1 -CVE-2017-15928 - [jessie] - ruby-ox 2.1.1-2+deb8u1 -CVE-2017-15091 - [jessie] - pdns 3.4.1-4+deb8u8 -CVE-2017-15093 - [jessie] - pdns-recursor 3.6.2-2+deb8u4 -CVE-2017-16899 - [jessie] - transfig 1:3.2.5.e-4+deb8u1 CVE-2015-8872 [jessie] - dosfstools 3.0.27-1+deb8u1 CVE-2016-4804 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
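Review bot: two of the removed entries, `-CVE-2017-3` and `-CVE-2017-2` (both mapped to `ncurses 5.9+20140913-1+deb8u1`), are not well-formed CVE identifiers as they appear here, since the sequence part of a CVE id is at least four digits; if the file really held those strings, the matching ncurses entries in data/CVE/list would never have been found by the 8.10 review, so check that the ncurses lines for the correct identifiers were switched to the deb8u1 version along with the others. For the rest of the removal, the r58385 hunks visible in this thread show the corresponding conversions for transfig, sam2p, ruby-ox, pdns, pdns-recursor, icu, libofx and weechat.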
[Secure-testing-commits] r58385 - data/CVE
Author: carnil Date: 2017-12-09 10:17:30 + (Sat, 09 Dec 2017) New Revision: 58385 Modified: data/CVE/list Log: Review changes for 8.10 included via jessie-pu Modified: data/CVE/list === --- data/CVE/list 2017-12-09 09:36:06 UTC (rev 58384) +++ data/CVE/list 2017-12-09 10:17:30 UTC (rev 58385) @@ -3909,7 +3909,7 @@ - fig2dev 1:3.2.6a-5 (bug #881143) [stretch] - fig2dev 1:3.2.6a-2+deb9u1 - transfig - [jessie] - transfig (Minor issue) + [jessie] - transfig 1:3.2.5.e-4+deb8u1 [wheezy] - transfig (Minor issue) CVE-2017-16898 (The printMP3Headers function in util/listmp3.c in libming v0.4.8 or ...) - ming @@ -4969,7 +4969,7 @@ CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-based ...) {DLA-1185-1} - sam2p - [jessie] - sam2p (Minor issue) + [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/16 CVE-2017-16662 RESERVED @@ -7164,7 +7164,7 @@ CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation ...) - ruby-ox 2.8.2-1 (bug #881445) [stretch] - ruby-ox 2.1.1-2+deb9u1 - [jessie] - ruby-ox (Minor issue) + [jessie] - ruby-ox 2.1.1-2+deb8u1 NOTE: https://github.com/ohler55/ox/issues/194 NOTE: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8 CVE-2017-15927 @@ -9417,7 +9417,7 @@ RESERVED - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 - [jessie] - pdns-recursor (Minor issue) + [jessie] - pdns-recursor 3.6.2-2+deb8u4 [wheezy] - pdns-recursor (Vulnerable code introduced later) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html NOTE: https://downloads.powerdns.com/patches/2017-06/ @@ -9433,7 +9433,7 @@ RESERVED - pdns 4.0.5-1 [stretch] - pdns 4.0.3-1+deb9u2 - [jessie] - pdns (Minor issue) + [jessie] - pdns 3.4.1-4+deb8u8 [wheezy] - pdns (Vulnerable code not present) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html NOTE: https://downloads.powerdns.com/patches/2017-04/ 
@@ -9958,7 +9958,7 @@ CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components for ...) - icu 57.1-7 (bug #878840) [stretch] - icu 57.1-6+deb9u1 - [jessie] - icu (Should be fixed along in future update) + [jessie] - icu 52.1-8+deb8u6 [wheezy] - icu (Can be fixed in next update) NOTE: http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/ NOTE: http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp @@ -10579,7 +10579,7 @@ {DLA-1192-1} - libofx 1:0.9.11-5 (bug #877442) [stretch] - libofx 1:0.9.10-2+deb9u1 - [jessie] - libofx (Minor issue) + [jessie] - libofx 1:0.9.10-1+deb8u1 NOTE: https://github.com/libofx/libofx/issues/10 NOTE: https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd CVE-2017-14730 (The init script in the Gentoo app-admin/logstash-bin package before ...) @@ -10645,7 +10645,7 @@ {DLA--1} - weechat 1.9.1-1 (bug #876553) [stretch] - weechat 1.6-1+deb9u2 - [jessie] - weechat (Minor issue; requires a malicious IRC server) + [jessie] - weechat 1.0.1-1+deb8u2 NOTE: Fixed by: https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556 CVE-2017-14717 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks ...) NOT-FOR-US: EPESI @@ -10840,12 +10840,12 @@ CVE-2017-14637 (In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb ...) {DLA-1127-1} - sam2p (bug #876744) - [jessie] - sam2p (Minor issue) + [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 5) CVE-2017-14636 (Because of an integer overflow in sam2p 0.49.3, a loop executes ...) {DLA-1127-1} - sam2p (bug #876744) - [jessie] - sam2p (Minor issue) + [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 4) CVE-2017-14635 (In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before ...) {DSA-4021-1 DLA-1119-1} 
@@ -10884,22 +10884,22 @@ CVE-2017-14631 (In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an ...) {DLA-1127-1} - sam2p (bug #876744) - [jessie] - sam2p (Minor issue) + [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 1) CVE-2017-14630 (In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24 ...) {DLA-1127-1} - sam2p (bug
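Review bot: the CVE-2017-14727 hunk correctly replaces the jessie `(Minor issue; requires a malicious IRC server)` line with `weechat 1.0.1-1+deb8u2`, but the advisory marker in the unchanged context two lines above it reads `{DLA--1}` with no DLA number; that malformed reference should be corrected to the real DLA id (or dropped) in a follow-up, because anything keyed on the `{DLA-NNNN-1}` form will not match it. The same `{DLA--1}` marker appears in the r58383 stretch hunk for this CVE further down the thread.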
[Secure-testing-commits] r58384 - data
Author: carnil Date: 2017-12-09 09:36:06 + (Sat, 09 Dec 2017) New Revision: 58384 Modified: data/next-point-update.txt Log: Remove packages included in 9.3 Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-12-09 09:35:58 UTC (rev 58383) +++ data/next-point-update.txt 2017-12-09 09:36:06 UTC (rev 58384) @@ -1,47 +1,3 @@ -CVE-2017-10989 - [stretch] - sqlite3 3.16.2-5+deb9u1 -CVE-2017-13709 - [stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1 -CVE-2017-13738 - [stretch] - liblouis 3.0.0-3+deb9u1 -CVE-2017-13739 - [stretch] - liblouis 3.0.0-3+deb9u1 -CVE-2017-13740 - [stretch] - liblouis 3.0.0-3+deb9u1 -CVE-2017-13741 - [stretch] - liblouis 3.0.0-3+deb9u1 -CVE-2017-13742 - [stretch] - liblouis 3.0.0-3+deb9u1 -CVE-2017-13743 - [stretch] - liblouis 3.0.0-3+deb9u1 -CVE-2017-13744 - [stretch] - liblouis 3.0.0-3+deb9u1 -CVE-2017-14727 - [stretch] - weechat 1.6-1+deb9u2 -CVE-2017-2810 - [stretch] - python-tablib 0.9.11-2+deb9u1 -CVE-2017-14952 - [stretch] - icu 57.1-6+deb9u1 -CVE-2017-2816 - [stretch] - libofx 1:0.9.10-2+deb9u1 -CVE-2017-14731 - [stretch] - libofx 1:0.9.10-2+deb9u1 -CVE-2017-1000158 - [stretch] - python2.7 2.7.13-2+deb9u2 -CVE-2017-15928 - [stretch] - ruby-ox 2.1.1-2+deb9u1 -CVE-2017-15090 - [stretch] - pdns-recursor 4.0.4-1+deb9u2 -CVE-2017-15091 - [stretch] - pdns 4.0.3-1+deb9u2 -CVE-2017-15092 - [stretch] - pdns-recursor 4.0.4-1+deb9u2 -CVE-2017-15093 - [stretch] - pdns-recursor 4.0.4-1+deb9u2 -CVE-2017-15094 - [stretch] - pdns-recursor 4.0.4-1+deb9u2 -CVE-2017-16899 - [stretch] - fig2dev 1:3.2.6a-2+deb9u1 CVE-2017-12424 [stretch] - shadow 1:4.4-4.1+deb9u1 CVE-2017-9951 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
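Review bot: this removal empties the stretch 9.3 queue, which is only safe if every removed CVE had its `[stretch]` line in data/CVE/list switched from `(Minor issue)` to the listed version; the r58383 hunks visible in this thread do that for fig2dev, python2.7, ruby-ox, pdns, pdns-recursor, icu, libofx and weechat, but the conversions for sqlite3 (CVE-2017-10989), flightgear (CVE-2017-13709), liblouis (CVE-2017-13738 to CVE-2017-13744) and python-tablib (CVE-2017-2810) are not visible there because that diff is cut off, so confirm those entries were updated before treating the queue as cleared.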
[Secure-testing-commits] r58383 - data/CVE
Author: carnil Date: 2017-12-09 09:35:58 + (Sat, 09 Dec 2017) New Revision: 58383 Modified: data/CVE/list Log: Review changes for 9.3 included via stretch-pu Modified: data/CVE/list === --- data/CVE/list 2017-12-09 09:14:28 UTC (rev 58382) +++ data/CVE/list 2017-12-09 09:35:58 UTC (rev 58383) @@ -3907,7 +3907,7 @@ RESERVED CVE-2017-16899 (An array index error in the fig2dev program in Xfig 3.2.6a allows ...) - fig2dev 1:3.2.6a-5 (bug #881143) - [stretch] - fig2dev (Minor issue) + [stretch] - fig2dev 1:3.2.6a-2+deb9u1 - transfig [jessie] - transfig (Minor issue) [wheezy] - transfig (Minor issue) @@ -4256,7 +4256,7 @@ CVE-2017-1000158 (CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow ...) {DLA-1190-1 DLA-1189-1} - python2.7 2.7.13-4 - [stretch] - python2.7 (Minor issue) + [stretch] - python2.7 2.7.13-2+deb9u2 [jessie] - python2.7 (Minor issue) - python2.6 NOTE: https://bugs.python.org/issue30657 @@ -7163,7 +7163,7 @@ RESERVED CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation ...) - ruby-ox 2.8.2-1 (bug #881445) - [stretch] - ruby-ox (Minor issue) + [stretch] - ruby-ox 2.1.1-2+deb9u1 [jessie] - ruby-ox (Minor issue) NOTE: https://github.com/ohler55/ox/issues/194 NOTE: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8 @@ -9408,7 +9408,7 @@ CVE-2017-15094 [Memory leak in DNSSEC parsing] RESERVED - pdns-recursor 4.0.7-1 - [stretch] - pdns-recursor (Minor issue) + [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html 
@@ -9416,7 +9416,7 @@ CVE-2017-15093 [Configuration file injection in the API] RESERVED - pdns-recursor 4.0.7-1 - [stretch] - pdns-recursor (Minor issue) + [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Minor issue) [wheezy] - pdns-recursor (Vulnerable code introduced later) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html @@ -9424,7 +9424,7 @@ CVE-2017-15092 [Cross-Site Scripting in the web interface] RESERVED - pdns-recursor 4.0.7-1 - [stretch] - pdns-recursor (Minor issue) + [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html @@ -9432,7 +9432,7 @@ CVE-2017-15091 [Missing check on API operations] RESERVED - pdns 4.0.5-1 - [stretch] - pdns (Minor issue) + [stretch] - pdns 4.0.3-1+deb9u2 [jessie] - pdns (Minor issue) [wheezy] - pdns (Vulnerable code not present) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html @@ -9440,7 +9440,7 @@ CVE-2017-15090 [Insufficient validation of DNSSEC signatures] RESERVED - pdns-recursor 4.0.7-1 - [stretch] - pdns-recursor (Minor issue) + [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html @@ -9957,7 +9957,7 @@ NOT-FOR-US: HikVision CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components for ...) - icu 57.1-7 (bug #878840) - [stretch] - icu (Should be fixed along in future update) + [stretch] - icu 57.1-6+deb9u1 [jessie] - icu (Should be fixed along in future update) [wheezy] - icu (Can be fixed in next update) NOTE: http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/ 
@@ -10578,7 +10578,7 @@ CVE-2017-14731 (ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote ...) {DLA-1192-1} - libofx 1:0.9.11-5 (bug #877442) - [stretch] - libofx (Minor issue) + [stretch] - libofx 1:0.9.10-2+deb9u1 [jessie] - libofx (Minor issue) NOTE: https://github.com/libofx/libofx/issues/10 NOTE: https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd @@ -10644,7 +10644,7 @@ CVE-2017-14727 (logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash ...) {DLA--1} - weechat 1.9.1-1 (bug #876553) - [stretch] - weechat (Minor issue; requires a malicious IRC server) + [stretch]
[Secure-testing-commits] r58382 - in data: . CVE
Author: carnil Date: 2017-12-09 09:14:28 + (Sat, 09 Dec 2017) New Revision: 58382 Modified: data/CVE/list data/next-oldstable-point-update.txt Log: Merge already 3.16.51-1 fixes (sync with kernel-sec) Modified: data/CVE/list === --- data/CVE/list 2017-12-09 09:10:18 UTC (rev 58381) +++ data/CVE/list 2017-12-09 09:14:28 UTC (rev 58382) @@ -3952,6 +3952,7 @@ CVE-2017-1000405 (The Linux Kernel versions 2.6.38 through 4.14 have a problematic use ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 NOTE: https://github.com/bindecy/HugeDirtyCowPOC @@ -5000,10 +5001,12 @@ CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) - linux (Vulnerable code not present) CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) @@ -5027,6 +5030,7 @@ CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an ...) - php7.1 7.1.11-1 - php7.0 7.0.25-1 
@@ -5312,12 +5316,15 @@ CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the Linux kernel ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 CVE-2017-16536 (The cx231xx_usb_probe function in ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 CVE-2017-16535 (The usb_get_bos_descriptor function in drivers/usb/core/config.c in the ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e CVE-2017-16534 (The cdc_parse_cdc_header function in drivers/usb/core/message.c in the ...) - linux 4.13.10-1 
@@ -5328,23 +5335,28 @@ CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb CVE-2017-16530 (The uas driver in the Linux kernel before 4.13.6 allows local users to ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/786de92b3cb26012d3d0f00ee37adf14527f35c4 CVE-2017-16529 (The snd_usb_create_streams function in sound/usb/card.c in the Linux ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 CVE-2017-16528 (sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local ...) - linux 4.13.4-1 @@ -5355,6 +5367,7 @@ CVE-2017-16527 (sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/124751d5e63c823092060074bd0abaae61aaa9c4 CVE-2017-16526 (drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users ...) - linux 4.13.10-1 
@@ -5363,6 +5376,7 @@ CVE-2017-16525 (The usb_serial_console_disconnect function in ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 + [jessie] - linux 3.16.51-1 CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an ...)
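Review bot: the CVE-2017-1000405 hunk adds `[jessie] - linux 3.16.51-1` under a description stating that 2.6.38 through 4.14 are affected, yet the entry still has no `[wheezy]` line in the visible context, unlike neighbouring entries such as CVE-2017-16650 and CVE-2017-16530 that carry an explicit wheezy status; add a wheezy line (either a fixed version or `Vulnerable code not present`) so the 3.2 kernel's status is recorded rather than left implicit.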
[Secure-testing-commits] r58381 - data/CVE
Author: sectracker Date: 2017-12-09 09:10:18 + (Sat, 09 Dec 2017) New Revision: 58381 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-09 09:06:37 UTC (rev 58380) +++ data/CVE/list 2017-12-09 09:10:18 UTC (rev 58381) @@ -1,3 +1,7 @@ +CVE-2017-17482 + RESERVED +CVE-2017-17481 + RESERVED CVE-2017-17480 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) - openjpeg2 NOTE: https://github.com/uclouvain/openjpeg/issues/1044 
@@ -5632,128 +5636,128 @@ RESERVED CVE-2017-16421 RESERVED -CVE-2017-16420 - RESERVED -CVE-2017-16419 - RESERVED -CVE-2017-16418 - RESERVED -CVE-2017-16417 - RESERVED -CVE-2017-16416 - RESERVED -CVE-2017-16415 - RESERVED -CVE-2017-16414 - RESERVED -CVE-2017-16413 - RESERVED -CVE-2017-16412 - RESERVED -CVE-2017-16411 - RESERVED -CVE-2017-16410 - RESERVED -CVE-2017-16409 - RESERVED -CVE-2017-16408 - RESERVED -CVE-2017-16407 - RESERVED -CVE-2017-16406 - RESERVED -CVE-2017-16405 - RESERVED -CVE-2017-16404 - RESERVED -CVE-2017-16403 - RESERVED -CVE-2017-16402 - RESERVED -CVE-2017-16401 - RESERVED -CVE-2017-16400 - RESERVED -CVE-2017-16399 - RESERVED -CVE-2017-16398 - RESERVED -CVE-2017-16397 - RESERVED -CVE-2017-16396 - RESERVED -CVE-2017-16395 - RESERVED -CVE-2017-16394 - RESERVED -CVE-2017-16393 - RESERVED -CVE-2017-16392 - RESERVED -CVE-2017-16391 - RESERVED -CVE-2017-16390 - RESERVED -CVE-2017-16389 - RESERVED -CVE-2017-16388 - RESERVED -CVE-2017-16387 - RESERVED -CVE-2017-16386 - RESERVED -CVE-2017-16385 - RESERVED -CVE-2017-16384 - RESERVED -CVE-2017-16383 - RESERVED -CVE-2017-16382 - RESERVED -CVE-2017-16381 - RESERVED -CVE-2017-16380 - RESERVED -CVE-2017-16379 - RESERVED -CVE-2017-16378 - RESERVED -CVE-2017-16377 - RESERVED -CVE-2017-16376 - RESERVED -CVE-2017-16375 - RESERVED -CVE-2017-16374 - RESERVED -CVE-2017-16373 - RESERVED -CVE-2017-16372 - RESERVED -CVE-2017-16371 - RESERVED -CVE-2017-16370 - RESERVED -CVE-2017-16369 - RESERVED -CVE-2017-16368 - RESERVED -CVE-2017-16367 - RESERVED -CVE-2017-16366 - RESERVED -CVE-2017-16365 - RESERVED -CVE-2017-16364 - RESERVED -CVE-2017-16363 - RESERVED -CVE-2017-16362 - RESERVED -CVE-2017-16361 - RESERVED -CVE-2017-16360 - RESERVED +CVE-2017-16420 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16419 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) 
+ TODO: check +CVE-2017-16418 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16417 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16416 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16415 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16414 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16413 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16412 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16411 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16410 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16409 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16408 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16407 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16406 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16405 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16404 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16403 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16402 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: check +CVE-2017-16401 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and ...) + TODO: ch
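Review bot: the second hunk turns the whole CVE-2017-16360 to CVE-2017-16420 block of RESERVED entries into Adobe Acrobat and Reader entries that are all left as `+ TODO: check`; Adobe Acrobat and Reader are not packaged in Debian, so the expected triage outcome is the `NOT-FOR-US:` form this file already uses for vendor products (see `NOT-FOR-US: Oracle` in r58393 above), and a follow-up should convert these in one pass rather than leave sixty-odd open TODO markers for a product the distribution cannot fix. This is an automatic import, so the point is for the next manual triage, not for the bot.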
[Secure-testing-commits] r58380 - in data: . CVE
Author: carnil Date: 2017-12-09 09:06:37 + (Sat, 09 Dec 2017) New Revision: 58380 Modified: data/CVE/list data/next-oldstable-point-update.txt Log: Sync CVE-2017-15274 with kernel-sec Modified: data/CVE/list === --- data/CVE/list 2017-12-09 09:04:21 UTC (rev 58379) +++ data/CVE/list 2017-12-09 09:06:37 UTC (rev 58380) @@ -8842,6 +8842,7 @@ CVE-2017-15274 (security/keys/keyctl.c in the Linux kernel before 4.11.5 does not ...) - linux 4.11.6-1 [stretch] - linux 4.9.47-1 + [jessie] - linux 3.16.48-1 [wheezy] - linux 3.2.93-1 NOTE: Fixed by: https://git.kernel.org/linus/5649645d725c73df4302428ee4e02c869248b4c5 (4.12-rc5) CVE-2017-15273 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before ...) Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-12-09 09:04:21 UTC (rev 58379) +++ data/next-oldstable-point-update.txt2017-12-09 09:06:37 UTC (rev 58380) @@ -69,8 +69,6 @@ [jessie] - db 5.1.29-9+deb8u1 CVE-2017-14727 [jessie] - weechat 1.0.1-1+deb8u2 -CVE-2017-15274 - [jessie] - linux 3.16.48-1 CVE-2014-8184 [jessie] - liblouis 2.5.3-3+deb8u1 CVE-2017-14952 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58379 - in data: . CVE
Author: carnil Date: 2017-12-09 09:04:21 + (Sat, 09 Dec 2017) New Revision: 58379 Modified: data/CVE/list data/next-point-update.txt Log: Merge already 4.9.65-1 fixes (sync with kernel-sec) Modified: data/CVE/list === --- data/CVE/list 2017-12-09 08:35:30 UTC (rev 58378) +++ data/CVE/list 2017-12-09 09:04:21 UTC (rev 58379) @@ -3651,6 +3651,7 @@ RESERVED CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel ...) - linux 4.14.2-1 + [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1) CVE-2017-16993 RESERVED @@ -3780,6 +3781,7 @@ RESERVED CVE-2017-16939 (The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to ...) {DSA-4058-1 DLA-1196-1} @@ -3945,6 +3947,7 @@ NOT-FOR-US: OpenDayLight CVE-2017-1000405 (The Linux Kernel versions 2.6.38 through 4.14 have a problematic use ...) - linux 4.14.2-1 + [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 NOTE: https://github.com/bindecy/HugeDirtyCowPOC 
@@ -4992,21 +4995,26 @@ NOTE: https://github.com/roundcube/roundcubemail/issues/6026 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c ...) - linux (Vulnerable code not present) CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c ...) - linux 4.14.2-1 + [stretch] - linux 4.9.65-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the ...) - linux @@ -5014,6 +5022,7 @@ [wheezy] - linux (Vulnerable code not present) CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an ...) - php7.1 7.1.11-1 - php7.0 7.0.25-1 
@@ -5298,45 +5307,58 @@ [wheezy] - linux (Vulnerable code not present) CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the Linux kernel ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 CVE-2017-16536 (The cx231xx_usb_probe function in ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 CVE-2017-16535 (The usb_get_bos_descriptor function in drivers/usb/core/config.c in the ...) - linux 4.13.10-1 + [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e CVE-2017-16534 (The cdc_parse_cdc_header function in drivers/usb/core/message.c in the ...) - linux 4.13.10-1 + [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/2e1c42391ff2556387b3cb6308b24f6f65619feb CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux ...) - linux 4.13.10-1 + [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux ...) - linux 4.13.13-1 + [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows ...) - linux 4.13.10-1 +
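Review bot: the archived message is cut off inside the @@ -5298,45 +5307,58 @@ hunk (it ends on a bare `+` right after the CVE-2017-16531 entry), so the tail of that hunk cannot be reviewed here; please re-check that the full set of `[stretch] - linux 4.9.65-1` lines landed in data/CVE/list. Separately, in the @@ -4992,21 +4995,26 @@ hunk the new stretch lines for CVE-2017-16650, CVE-2017-16649, CVE-2017-16647, CVE-2017-16646 and CVE-2017-16645 are added without a `NOTE: Fixed by:` upstream commit reference, unlike CVE-2017-16535, CVE-2017-16534, CVE-2017-16533 and CVE-2017-16532 in the later hunk; adding those references would make the 4.9.65-1 backport verifiable from the tracker alone.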
[Secure-testing-commits] r58378 - data
Author: carnil Date: 2017-12-09 08:35:30 + (Sat, 09 Dec 2017) New Revision: 58378 Modified: data/next-oldstable-point-update.txt Log: Move packages which likely will not be included in 8.10 to the end Some were not uploaded after confirmation, dosfstools, mactelnet, salt and sqlite3 should be repinged. Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-12-09 08:23:01 UTC (rev 58377) +++ data/next-oldstable-point-update.txt2017-12-09 08:35:30 UTC (rev 58378) @@ -1,9 +1,3 @@ -CVE-2015-8872 - [jessie] - dosfstools 3.0.27-1+deb8u1 -CVE-2016-4804 - [jessie] - dosfstools 3.0.27-1+deb8u1 -CVE-2016-7115 - [jessie] - mactelnet 0.4.0-1+deb8u1 CVE-2016-7942 [jessie] - libx11 2:1.6.2-3+deb8u1 CVE-2016-7943 @@ -26,14 +20,6 @@ [jessie] - libxrandr 2:1.4.2-1+deb8u1 CVE-2016-7953 [jessie] - libxvmc 2:1.0.8-2+deb8u1 -CVE-2015-6918 - [jessie] - salt 2014.1.13+ds-3+deb8u1 -CVE-2015-6941 - [jessie] - salt 2014.1.13+ds-3+deb8u1 -CVE-2015-8034 - [jessie] - salt 2014.1.13+ds-3+deb8u1 -CVE-2016-3176 - [jessie] - salt 2014.1.13+ds-3+deb8u1 CVE-2017-8296 [jessie] - kedpm 1.0+deb8u1 CVE-2017-3 @@ -64,8 +50,6 @@ [jessie] - slurm-llnl 14.03.9-5+deb8u1 CVE-2017-1000368 [jessie] - sudo 1.8.10p3-1+deb8u5 -CVE-2016-10396 - [jessie] - ipsec-tools 1:0.8.2+20140711-2+deb8u2 CVE-2017-9765 [jessie] - gsoap 2.8.17-1+deb8u1 CVE-2017-11368 @@ -74,6 +58,8 @@ [jessie] - krb5 1.12.1+dfsg-19+deb8u3 CVE-2016-3119 [jessie] - krb5 1.12.1+dfsg-19+deb8u3 +CVE-2015-2694 + [jessie] - krb5 1.12.1+dfsg-19+deb8u3 CVE-2017-13709 [jessie] - flightgear 3.0.0-5+deb8u3 CVE-2017-14226 
@@ -83,23 +69,6 @@ [jessie] - db 5.1.29-9+deb8u1 CVE-2017-14727 [jessie] - weechat 1.0.1-1+deb8u2 -CVE-2015- [busybox: pointer misuse unziping files] - [jessie] - busybox 1:1.22.0-9+deb8u2 - NOTE: For #803097 -CVE-2014-9645 - [jessie] - busybox 1:1.22.0-9+deb8u2 -CVE-2016-2148 - [jessie] - busybox 1:1.22.0-9+deb8u2 -CVE-2016-2147 - [jessie] - busybox 1:1.22.0-9+deb8u2 -CVE-2011-5325 - [jessie] - busybox 1:1.22.0-9+deb8u2 -CVE-2017-15873 - [jessie] - busybox 1:1.22.0-9+deb8u2 -CVE-2017-16544 - [jessie] - busybox 1:1.22.0-9+deb8u2 -CVE-2017-10989 - [jessie] - sqlite3 3.8.7.1-1+deb8u3 CVE-2017-15274 [jessie] - linux 3.16.48-1 CVE-2014-8184 @@ -128,10 +97,6 @@ [jessie] - sam2p 0.49.2-3+deb8u1 CVE-2017-15928 [jessie] - ruby-ox 2.1.1-2+deb8u1 -CVE-2017-10378 - [jessie] - mariadb-10.0 10.0.33-0+deb8u1 -CVE-2017-10268 - [jessie] - mariadb-10.0 10.0.33-0+deb8u1 CVE-2017-15091 [jessie] - pdns 3.4.1-4+deb8u8 CVE-2017-15093 
@@ -186,3 +151,40 @@ [jessie] - linux 3.16.51-1 CVE-2017-1000405 [jessie] - linux 3.16.51-1 +CVE-2015-8872 + [jessie] - dosfstools 3.0.27-1+deb8u1 +CVE-2016-4804 + [jessie] - dosfstools 3.0.27-1+deb8u1 +CVE-2016-7115 + [jessie] - mactelnet 0.4.0-1+deb8u1 +CVE-2015-6918 + [jessie] - salt 2014.1.13+ds-3+deb8u1 +CVE-2015-6941 + [jessie] - salt 2014.1.13+ds-3+deb8u1 +CVE-2015-8034 + [jessie] - salt 2014.1.13+ds-3+deb8u1 +CVE-2016-3176 + [jessie] - salt 2014.1.13+ds-3+deb8u1 +CVE-2016-10396 + [jessie] - ipsec-tools 1:0.8.2+20140711-2+deb8u2 +CVE-2015- [busybox: pointer misuse unziping files] + [jessie] - busybox 1:1.22.0-9+deb8u2 + NOTE: For #803097 +CVE-2014-9645 + [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2016-2148 + [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2016-2147 + [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2011-5325 + [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2017-15873 + [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2017-16544 + [jessie] - busybox 1:1.22.0-9+deb8u2 +CVE-2017-10989 + [jessie] - sqlite3 3.8.7.1-1+deb8u3 +CVE-2017-10378 + [jessie] - mariadb-10.0 10.0.33-0+deb8u1 +CVE-2017-10268 + [jessie] - mariadb-10.0 10.0.33-0+deb8u1
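Review bot: the log names only dosfstools, mactelnet, salt and sqlite3 as packages to reping, but the diff also moves the ipsec-tools (CVE-2016-10396), busybox and mariadb-10.0 (CVE-2017-10378, CVE-2017-10268) entries to the end of data/next-oldstable-point-update.txt, and the @@ -74,6 +58,8 @@ hunk adds a new `CVE-2015-2694` / `[jessie] - krb5 1.12.1+dfsg-19+deb8u3` entry that the log does not mention at all. Either extend the log to cover every moved and added entry, or split the krb5 addition into its own commit, so the history explains why each entry changed state for 8.10.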
[Secure-testing-commits] r58377 - data/CVE
Author: carnil Date: 2017-12-09 08:23:01 + (Sat, 09 Dec 2017) New Revision: 58377 Modified: data/CVE/list Log: Drop stretch and jessie lines for libnet-ping-external-perl Modified: data/CVE/list === --- data/CVE/list 2017-12-09 08:20:55 UTC (rev 58376) +++ data/CVE/list 2017-12-09 08:23:01 UTC (rev 58377) @@ -5050,8 +5050,6 @@ RESERVED CVE-2008-7319 (The Net::Ping::External extension through 0.15 for Perl does not ...) - libnet-ping-external-perl (bug #881097) - [stretch] - libnet-ping-external-perl (Remove in next point update) - [jessie] - libnet-ping-external-perl (Remove in next point update) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=33230 NOTE: Proposed patch: http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch CVE-2017-16638 (The Gentoo net-misc/vde package before version 2.3.2-r4 may allow ...)
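Review bot: dropping the `[stretch]` and `[jessie]` lines leaves CVE-2008-7319 with only the unfixed unstable line `- libnet-ping-external-perl (bug #881097)`, so the tracker no longer records whether the package has actually been removed from stretch and jessie, and the log ("Drop stretch and jessie lines for libnet-ping-external-perl") gives no reason. State in the log why the `(Remove in next point update)` annotations are being dropped (removal already processed, or decided against) so the stretch/jessie status of this command-injection issue stays traceable.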
[Secure-testing-commits] r58376 - data
Author: carnil Date: 2017-12-09 08:20:55 + (Sat, 09 Dec 2017) New Revision: 58376 Modified: data/next-point-update.txt Log: Move packages which likely will not be included in 9.3 to the end Some were not confirmed to be uploaded or were not uploaded; glibc will be skipped due to regression and will be in 9.4. Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-12-09 07:53:35 UTC (rev 58375) +++ data/next-point-update.txt 2017-12-09 08:20:55 UTC (rev 58376) @@ -1,11 +1,7 @@ -CVE-2017-12424 - [stretch] - shadow 1:4.4-4.1+deb9u1 CVE-2017-10989 [stretch] - sqlite3 3.16.2-5+deb9u1 CVE-2017-13709 [stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1 -CVE-2017-9951 - [stretch] - memcached 1.4.33-1+deb9u1 CVE-2017-13738 [stretch] - liblouis 3.0.0-3+deb9u1 CVE-2017-13739 @@ -22,19 +18,6 @@ [stretch] - liblouis 3.0.0-3+deb9u1 CVE-2017-14727 [stretch] - weechat 1.6-1+deb9u2 -CVE-2015- [busybox: pointer misuse unziping files] - [stretch] - busybox 1:1.22.0-19+deb9u1 - NOTE: For #803097 -CVE-2016-2148 - [stretch] - busybox 1:1.22.0-19+deb9u1 -CVE-2016-2147 - [stretch] - busybox 1:1.22.0-19+deb9u1 -CVE-2011-5325 - [stretch] - busybox 1:1.22.0-19+deb9u1 -CVE-2017-15873 - [stretch] - busybox 1:1.22.0-19+deb9u1 -CVE-2017-16544 - [stretch] - busybox 1:1.22.0-19+deb9u1 CVE-2017-2810 [stretch] - python-tablib 0.9.11-2+deb9u1 CVE-2017-14952 @@ -47,8 +30,6 @@ [stretch] - python2.7 2.7.13-2+deb9u2 CVE-2017-15928 [stretch] - ruby-ox 2.1.1-2+deb9u1 -CVE-2017-12133 - [stretch] - glibc 2.24-11+deb9u2 CVE-2017-15090 [stretch] - pdns-recursor 4.0.4-1+deb9u2 CVE-2017-15091 @@ -59,8 +40,6 @@ [stretch] - pdns-recursor 4.0.4-1+deb9u2 CVE-2017-15094 [stretch] - pdns-recursor 4.0.4-1+deb9u2 -CVE-2017-14623 - [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 CVE-2017-16899 [stretch] - fig2dev 1:3.2.6a-2+deb9u1 CVE-2017-0786
@@ -135,3 +114,24 @@ [stretch] - linux 4.9.65-1 CVE-2017-1000405 [stretch] - linux 4.9.65-1 +CVE-2017-12424 + [stretch] - shadow 1:4.4-4.1+deb9u1 +CVE-2017-9951 + [stretch] - memcached 1.4.33-1+deb9u1 +CVE-2015- [busybox: pointer misuse unziping files] + [stretch] - busybox 1:1.22.0-19+deb9u1 + NOTE: For #803097 +CVE-2016-2148 + [stretch] - busybox 1:1.22.0-19+deb9u1 +CVE-2016-2147 + [stretch] - busybox 1:1.22.0-19+deb9u1 +CVE-2011-5325 + [stretch] - busybox 1:1.22.0-19+deb9u1 +CVE-2017-15873 + [stretch] - busybox 1:1.22.0-19+deb9u1 +CVE-2017-16544 + [stretch] - busybox 1:1.22.0-19+deb9u1 +CVE-2017-12133 + [stretch] - glibc 2.24-11+deb9u2 +CVE-2017-14623 + [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1
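Review bot: the log explains only the glibc deferral (CVE-2017-12133, regression, pushed to 9.4), while shadow (CVE-2017-12424), memcached (CVE-2017-9951), the six busybox entries and golang-github-go-ldap-ldap (CVE-2017-14623) are also moved to the end of data/next-point-update.txt with no stated reason; please record in the log which of these are merely unconfirmed uploads and which were never uploaded, since the two cases need different follow-up before 9.3. Also, the moved placeholder line `CVE-2015- [busybox: pointer misuse unziping files]` misspells "unzipping"; worth correcting while the entry is being touched.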