[Secure-testing-commits] r58906 - data/CVE
Author: sectracker Date: 2017-12-24 21:10:13 + (Sun, 24 Dec 2017) New Revision: 58906 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-24 19:57:27 UTC (rev 58905) +++ data/CVE/list 2017-12-24 21:10:13 UTC (rev 58906) @@ -1,3 +1,31 @@ +CVE-2017-17901 + RESERVED +CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM ...) + TODO: check +CVE-2017-17899 (SQL injection vulnerability in adherents/subscription/info.php in ...) + TODO: check +CVE-2017-17898 (Dolibarr ERP/CRM version 6.0.4 does not block direct requests to ...) + TODO: check +CVE-2017-17897 (SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM ...) + TODO: check +CVE-2017-17896 (Readymade Job Site Script has XSS via the keyword parameter to the /job ...) + TODO: check +CVE-2017-17895 (Readymade Job Site Script has SQL Injection via the location_name array ...) + TODO: check +CVE-2017-17894 (Readymade Job Site Script has CSRF via the /job URI. ...) + TODO: check +CVE-2017-17893 (Readymade Video Sharing Script has XSS via the search_video.php search ...) + TODO: check +CVE-2017-17892 (Readymade Video Sharing Script has SQL Injection via the viewsubs.php ...) + TODO: check +CVE-2017-17891 (Readymade Video Sharing Script has CSRF via user-profile-edit.php. ...) + TODO: check +CVE-2017-17890 + RESERVED +CVE-2017-17889 + RESERVED +CVE-2017-17888 (cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS, ...) + TODO: check CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/903 @@ -105,8 +133,8 @@ - asterisk (bug #885072) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-014.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27480 -CVE-2017-17849 - RESERVED +CVE-2017-17849 (A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 ...) + TODO: check CVE-2017-17857 (The check_stack_boundary function in kernel/bpf/verifier.c in the Linux ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) @@ -392,6 +420,7 @@ CVE-2017-17791 RESERVED CVE-2017-17790 (The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 ...) + {DLA-1222-1 DLA-1221-1} - ruby2.5 (bug #884878) - ruby2.3 (bug #884879) [stretch] - ruby2.3 (Minor issue, can be fixed along in future DSA) @@ -6314,6 +6343,7 @@ CVE-2017-17406 RESERVED CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, ...) + {DLA-1222-1 DLA-1221-1} - ruby2.5 2.5.0~rc1-1 (bug #884437) - ruby2.3 2.3.6-1 (bug #884438) [stretch] - ruby2.3 (Minor issue, can be fixed along in a future update) @@ -36824,14 +36854,17 @@ NOT-FOR-US: Nessus CVE-2017-7848 RESERVED + {DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7848 CVE-2017-7847 RESERVED + {DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7847 CVE-2017-7846 RESERVED + {DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846 CVE-2017-7845 @@ -36911,6 +36944,7 @@ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7830 CVE-2017-7829 RESERVED + {DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7829 CVE-2017-7828 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58905 - data
Author: carnil Date: 2017-12-24 19:57:27 + (Sun, 24 Dec 2017) New Revision: 58905 Modified: data/dsa-needed.txt Log: Add thunderbird to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-24 19:55:31 UTC (rev 58904) +++ data/dsa-needed.txt 2017-12-24 19:57:27 UTC (rev 58905) @@ -65,6 +65,8 @@ -- sssd/stable -- +thunderbird +-- tomcat7/oldstable -- tomcat8 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58904 - data/CVE
Author: carnil Date: 2017-12-24 19:55:31 + (Sun, 24 Dec 2017) New Revision: 58904 Modified: data/CVE/list Log: Add new thunderbird issues Modified: data/CVE/list === --- data/CVE/list 2017-12-24 18:32:04 UTC (rev 58903) +++ data/CVE/list 2017-12-24 19:55:31 UTC (rev 58904) @@ -36824,16 +36824,24 @@ NOT-FOR-US: Nessus CVE-2017-7848 RESERVED + - thunderbird 1:52.5.2-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7848 CVE-2017-7847 RESERVED + - thunderbird 1:52.5.2-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7847 CVE-2017-7846 RESERVED + - thunderbird 1:52.5.2-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846 CVE-2017-7845 RESERVED - firefox (Only affects Firefox on Windows) - firefox-esr (Only affects Firefox on Windows) + - thunderbird (Only affects Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/#CVE-2017-7845 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7845 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7845 CVE-2017-7844 RESERVED - firefox 57.0.1-1 @@ -36903,6 +36911,8 @@ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7830 CVE-2017-7829 RESERVED + - thunderbird 1:52.5.2-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7829 CVE-2017-7828 RESERVED {DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58903 - data/DLA
Author: agx Date: 2017-12-24 18:32:04 + (Sun, 24 Dec 2017) New Revision: 58903 Modified: data/DLA/list Log: lts: Grab DLAs for ruby1.8, ruby1.9.1 and thunderbird Modified: data/DLA/list === --- data/DLA/list 2017-12-24 16:18:09 UTC (rev 58902) +++ data/DLA/list 2017-12-24 18:32:04 UTC (rev 58903) @@ -1,3 +1,12 @@ +[24 Dec 2017] DLA-1223-1 thunderbird - security update + {CVE-2017-7829 CVE-2017-7846 CVE-2017-7847 CVE-2017-7848} + [wheezy] - thunderbird 1:52.5.2-1~deb7u1 +[24 Dec 2017] DLA-1222-1 ruby1.8 - security update + {CVE-2017-17405 CVE-2017-17790} + [wheezy] - ruby1.8 1.8.7.358-7.1+deb7u5 +[24 Dec 2017] DLA-1221-1 ruby1.9.1 - security update + {CVE-2017-17405 CVE-2017-17790} + [wheezy] - ruby1.9.1 1.9.3.194-8.1+deb7u7 [23 Dec 2017] DLA-1220-1 gimp - security update {CVE-2017-17784 CVE-2017-17785 CVE-2017-17786 CVE-2017-17787 CVE-2017-17788 CVE-2017-17789} [wheezy] - gimp 2.8.2-2+deb7u3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58902 - data/CVE
Author: carnil Date: 2017-12-24 16:18:09 + (Sun, 24 Dec 2017) New Revision: 58902 Modified: data/CVE/list Log: CVE-2017-17405/ruby2.5 adressed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-24 16:13:22 UTC (rev 58901) +++ data/CVE/list 2017-12-24 16:18:09 UTC (rev 58902) @@ -6314,7 +6314,7 @@ CVE-2017-17406 RESERVED CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, ...) - - ruby2.5 (bug #884437) + - ruby2.5 2.5.0~rc1-1 (bug #884437) - ruby2.3 2.3.6-1 (bug #884438) [stretch] - ruby2.3 (Minor issue, can be fixed along in a future update) - ruby2.1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58901 - data/CVE
Author: carnil Date: 2017-12-24 16:13:22 + (Sun, 24 Dec 2017) New Revision: 58901 Modified: data/CVE/list Log: Update status for CVE-2017-1786{3,4}/linux Modified: data/CVE/list === --- data/CVE/list 2017-12-24 13:38:44 UTC (rev 58900) +++ data/CVE/list 2017-12-24 16:13:22 UTC (rev 58901) @@ -75,12 +75,12 @@ RESERVED CVE-2017-17864 (kernel/bpf/verifier.c in the Linux kernel before 4.14 mishandles ...) {DSA-4073-1} - - linux + - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-17863 (kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not ...) {DSA-4073-1} - - linux + - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://www.spinics.net/lists/stable/msg206985.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58900 - data/CVE
Author: carnil Date: 2017-12-24 13:38:44 + (Sun, 24 Dec 2017) New Revision: 58900 Modified: data/CVE/list Log: CVE-2017-9868/mosquitto adressed with unstable upload Modified: data/CVE/list === --- data/CVE/list 2017-12-24 12:53:35 UTC (rev 58899) +++ data/CVE/list 2017-12-24 13:38:44 UTC (rev 58900) @@ -28997,7 +28997,7 @@ NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is ...) {DLA-1146-1} - - mosquitto (bug #865959) + - mosquitto 1.4.14-1 (bug #865959) [stretch] - mosquitto (Minor issue) [jessie] - mosquitto (Minor issue) NOTE: https://github.com/eclipse/mosquitto/issues/468 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58897 - data
Author: lamby Date: 2017-12-24 12:53:06 + (Sun, 24 Dec 2017) New Revision: 58897 Modified: data/dla-needed.txt Log: Triage mupdf for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-24 09:47:41 UTC (rev 58896) +++ data/dla-needed.txt 2017-12-24 12:53:06 UTC (rev 58897) @@ -51,6 +51,8 @@ NOTE: 20171120: wip, currently working on it with upstream, might take a while NOTE: Some issues currently in upstream's bug tracker are missing a CVE number, so number of issues might increase in the next weeks -- +mupdf +-- rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58899 - data
Author: lamby Date: 2017-12-24 12:53:35 + (Sun, 24 Dec 2017) New Revision: 58899 Modified: data/dla-needed.txt Log: Triage nasm for LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-24 12:53:08 UTC (rev 58898) +++ data/dla-needed.txt 2017-12-24 12:53:35 UTC (rev 58899) @@ -54,6 +54,8 @@ mupdf NOTE: 20171224: Upstream patch does not apply to LTS cleanly. Might need hanges to apps/pdfclean.c rather than pdf-write.c (lamby) -- +nasm +-- rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58898 - data
Author: lamby Date: 2017-12-24 12:53:08 + (Sun, 24 Dec 2017) New Revision: 58898 Modified: data/dla-needed.txt Log: Add explanatory note for mupdf. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-24 12:53:06 UTC (rev 58897) +++ data/dla-needed.txt 2017-12-24 12:53:08 UTC (rev 58898) @@ -52,6 +52,7 @@ NOTE: Some issues currently in upstream's bug tracker are missing a CVE number, so number of issues might increase in the next weeks -- mupdf + NOTE: 20171224: Upstream patch does not apply to LTS cleanly. Might need hanges to apps/pdfclean.c rather than pdf-write.c (lamby) -- rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58896 - data/CVE
Author: carnil Date: 2017-12-24 09:47:41 + (Sun, 24 Dec 2017) New Revision: 58896 Modified: data/CVE/list Log: Add prefix for commit to better identify it Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:46:22 UTC (rev 58895) +++ data/CVE/list 2017-12-24 09:47:41 UTC (rev 58896) @@ -37,7 +37,7 @@ - imagemagick NOTE: https://github.com/ImageMagick/ImageMagick/issues/907 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9 - NOTE: https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based ...) - imagemagick (bug #885125) NOTE: https://github.com/ImageMagick/ImageMagick/issues/906 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58895 - data/CVE
Author: carnil Date: 2017-12-24 09:46:22 + (Sun, 24 Dec 2017) New Revision: 58895 Modified: data/CVE/list Log: Add bug reference for CVE-2017-17879 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:39:15 UTC (rev 58894) +++ data/CVE/list 2017-12-24 09:46:22 UTC (rev 58895) @@ -39,7 +39,7 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9 NOTE: https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based ...) - - imagemagick + - imagemagick (bug #885125) NOTE: https://github.com/ImageMagick/ImageMagick/issues/906 NOTE: https://github.com/ImageMagick/ImageMagick/commit/72b3994a948a8a90dc664f3e7f72464878a31fbf NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58894 - data/CVE
Author: carnil Date: 2017-12-24 09:39:15 + (Sun, 24 Dec 2017) New Revision: 58894 Modified: data/CVE/list Log: Add CVE-2017-17879 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:36:39 UTC (rev 58893) +++ data/CVE/list 2017-12-24 09:39:15 UTC (rev 58894) @@ -39,7 +39,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9 NOTE: https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/906 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/72b3994a948a8a90dc664f3e7f72464878a31fbf + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80 CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root passwords ...) TODO: check CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58893 - data/CVE
Author: carnil Date: 2017-12-24 09:36:39 + (Sun, 24 Dec 2017) New Revision: 58893 Modified: data/CVE/list Log: Add CVE-2017-17880 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:29:12 UTC (rev 58892) +++ data/CVE/list 2017-12-24 09:36:39 UTC (rev 58893) @@ -34,7 +34,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/ece953bbe14e8514afc23e05e4030eea872e29da NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/aa601d79a630f6de0694fadbeee31456a357fa73 CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/907 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based ...) TODO: check CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root passwords ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58892 - data/CVE
Author: carnil Date: 2017-12-24 09:29:12 + (Sun, 24 Dec 2017) New Revision: 58892 Modified: data/CVE/list Log: Add CVE-2017-17881 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:27:02 UTC (rev 58891) +++ data/CVE/list 2017-12-24 09:29:12 UTC (rev 58892) @@ -29,7 +29,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/903f14eb94521aa6dca9d9ac55d3d9a6c7676a63 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/92fbef516b94ed96fa2a672831acd5dafb242ac5 CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/878 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/ece953bbe14e8514afc23e05e4030eea872e29da + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/aa601d79a630f6de0694fadbeee31456a357fa73 CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based ...) TODO: check CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58891 - data/CVE
Author: carnil Date: 2017-12-24 09:27:02 + (Sun, 24 Dec 2017) New Revision: 58891 Modified: data/CVE/list Log: Add CVE-2017-17882 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:26:46 UTC (rev 58890) +++ data/CVE/list 2017-12-24 09:27:02 UTC (rev 58891) @@ -24,7 +24,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/b0a7241df0f889cc3158ba82774ff21fa1da87ec NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/2a1ec7d97f356e9fb6dbc328da17d93ab7a8167c CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/880 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/903f14eb94521aa6dca9d9ac55d3d9a6c7676a63 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/92fbef516b94ed96fa2a672831acd5dafb242ac5 CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) TODO: check CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58890 - data/CVE
Author: carnil Date: 2017-12-24 09:26:46 + (Sun, 24 Dec 2017) New Revision: 58890 Modified: data/CVE/list Log: Add CVE-2017-17883 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:26:30 UTC (rev 58889) +++ data/CVE/list 2017-12-24 09:26:46 UTC (rev 58890) @@ -19,7 +19,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/4d6accd355119d54429a86a1859b8329f0130f30 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/82f20a898107a9c1ef6ad2024c4b191719b294ea CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/877 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/b0a7241df0f889cc3158ba82774ff21fa1da87ec + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/2a1ec7d97f356e9fb6dbc328da17d93ab7a8167c CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) TODO: check CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58889 - data/CVE
Author: carnil Date: 2017-12-24 09:26:30 + (Sun, 24 Dec 2017) New Revision: 58889 Modified: data/CVE/list Log: Add CVE-2017-17884 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:22:57 UTC (rev 5) +++ data/CVE/list 2017-12-24 09:26:30 UTC (rev 58889) @@ -14,7 +14,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ba085736fd49ad89c1937d1ee2b80ae4e11ab97 NOTE: Imagemagick-6: https://github.com/ImageMagick/ImageMagick/commit/5e863ae629010110772321fd181bac34c4b57345 CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/902 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/4d6accd355119d54429a86a1859b8329f0130f30 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/82f20a898107a9c1ef6ad2024c4b191719b294ea CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) TODO: check CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58888 - data/CVE
Author: carnil Date: 2017-12-24 09:22:57 + (Sun, 24 Dec 2017) New Revision: 5 Modified: data/CVE/list Log: Add CVE-2017-17885 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:20:07 UTC (rev 58887) +++ data/CVE/list 2017-12-24 09:22:57 UTC (rev 5) @@ -9,7 +9,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/8204599ef0e85324876459e5d45db00660920482 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4a71d71f4ae289b6672102efaef6543643e8efb8 CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/879 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ba085736fd49ad89c1937d1ee2b80ae4e11ab97 + NOTE: Imagemagick-6: https://github.com/ImageMagick/ImageMagick/commit/5e863ae629010110772321fd181bac34c4b57345 CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) TODO: check CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58887 - data/CVE
Author: carnil Date: 2017-12-24 09:20:07 + (Sun, 24 Dec 2017) New Revision: 58887 Modified: data/CVE/list Log: Add CVE-2017-17886 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:13:07 UTC (rev 58886) +++ data/CVE/list 2017-12-24 09:20:07 UTC (rev 58887) @@ -4,7 +4,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/7a42f63927e7f2e26846b7ed4560e9cb4984af7b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dddce3e790b5b0f5dad91a7960de67af5bdea789 CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/874 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/8204599ef0e85324876459e5d45db00660920482 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4a71d71f4ae289b6672102efaef6543643e8efb8 CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) TODO: check CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58886 - data/CVE
Author: carnil Date: 2017-12-24 09:13:07 + (Sun, 24 Dec 2017) New Revision: 58886 Modified: data/CVE/list Log: Add CVE-2017-17887 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 09:10:14 UTC (rev 58885) +++ data/CVE/list 2017-12-24 09:13:07 UTC (rev 58886) @@ -1,5 +1,8 @@ CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/903 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/7a42f63927e7f2e26846b7ed4560e9cb4984af7b + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dddce3e790b5b0f5dad91a7960de67af5bdea789 CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) TODO: check CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58884 - data/CVE
Author: geissert Date: 2017-12-24 08:39:29 + (Sun, 24 Dec 2017) New Revision: 58884 Modified: data/CVE/list Log: i2pd itp Modified: data/CVE/list === --- data/CVE/list 2017-12-24 08:05:19 UTC (rev 58883) +++ data/CVE/list 2017-12-24 08:39:29 UTC (rev 58884) @@ -7841,7 +7841,7 @@ CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before ...) NOT-FOR-US: Splunk Web CVE-2017-17066 (The (1) i2pd before 2.17 and (2) kovri pre-alpha implementations of the ...) - TODO: check + - i2pd (bug #883770) CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before ...) NOT-FOR-US: D-Link CVE-2017-17064 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58885 - data/CVE
Author: sectracker Date: 2017-12-24 09:10:14 + (Sun, 24 Dec 2017) New Revision: 58885 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-24 08:39:29 UTC (rev 58884) +++ data/CVE/list 2017-12-24 09:10:14 UTC (rev 58885) @@ -1,3 +1,45 @@ +CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) + TODO: check +CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) + TODO: check +CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) + TODO: check +CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) + TODO: check +CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) + TODO: check +CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) + TODO: check +CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) + TODO: check +CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based ...) + TODO: check +CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based ...) + TODO: check +CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root passwords ...) + TODO: check +CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH ...) + TODO: check +CVE-2017-17876 + RESERVED +CVE-2017-17875 + RESERVED +CVE-2017-17874 (Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file ...) + TODO: check +CVE-2017-17873 (Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the ...) + TODO: check +CVE-2017-17872 (The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection ...) + TODO: check +CVE-2017-17871 (The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL ...) + TODO: check +CVE-2017-17870 (The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the ...) + TODO: check +CVE-2017-17869 (The mgl-instagram-gallery plugin for WordPress has XSS via the ...) + TODO: check +CVE-2017-17868 (In Liferay Portal 6.1.0, the tags section has XSS via a Public Render ...) + TODO: check +CVE-2017-17867 + RESERVED CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain ...) - mupdf (bug #885120) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0 @@ -26,8 +68,8 @@ RESERVED CVE-2017-17860 RESERVED -CVE-2017-17859 - RESERVED +CVE-2017-17859 (Samsung Internet Browser 6.2.01.12 allows remote attackers to bypass ...) + TODO: check CVE-2017-17858 RESERVED CVE-2017-17851 @@ -9617,8 +9659,8 @@ CVE-2017-16898 (The printMP3Headers function in util/listmp3.c in libming v0.4.8 or ...) - ming NOTE: https://github.com/libming/libming/issues/75 -CVE-2017-16897 - RESERVED +CVE-2017-16897 (A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 ...) + TODO: check CVE-2017-16896 (A SQL injection in classes/handler/public.php in the forgotpass ...) - tt-rss (bug #882543) NOTE: https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58883 - data/CVE
Author: carnil Date: 2017-12-24 08:05:19 + (Sun, 24 Dec 2017) New Revision: 58883 Modified: data/CVE/list Log: Reference fix for CVE-2017-13135/x265 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 08:00:08 UTC (rev 58882) +++ data/CVE/list 2017-12-24 08:05:19 UTC (rev 58883) @@ -20679,7 +20679,7 @@ - x265 NOTE: https://github.com/ebel34/bpg-web-encoder/issues/1 NOTE: https://bitbucket.org/multicoreware/x265/issues/385/cve-2017-13135 - TODO: check + NOTE: https://bitbucket.org/multicoreware/x265/commits/78c0f2c8ba087b38e291226a9555b4b4dab323a5/raw CVE-2017-13134 (In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer ...) {DSA-4040-1 DSA-4032-1 DLA-1170-1 DLA-1081-1} - imagemagick (bug #873099) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58882 - data/CVE
Author: carnil Date: 2017-12-24 08:00:08 + (Sun, 24 Dec 2017) New Revision: 58882 Modified: data/CVE/list Log: Add bug reference for CVE-2017-17866 Modified: data/CVE/list === --- data/CVE/list 2017-12-24 07:59:54 UTC (rev 58881) +++ data/CVE/list 2017-12-24 08:00:08 UTC (rev 58882) @@ -1,5 +1,5 @@ CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain ...) - - mupdf + - mupdf (bug #885120) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698699 (not public) CVE-2017-17865 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58880 - data/CVE
Author: carnil Date: 2017-12-24 07:59:42 + (Sun, 24 Dec 2017) New Revision: 58880 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-24 07:44:12 UTC (rev 58879) +++ data/CVE/list 2017-12-24 07:59:42 UTC (rev 58880) @@ -105,7 +105,7 @@ CVE-2017-17833 RESERVED CVE-2017-17832 (ServersCheck Monitoring Software before 14.2.3 is prone to a ...) - TODO: check + NOT-FOR-US: ServersCheck Monitoring Software CVE-2017-17843 (An issue was discovered in Enigmail before 1.9.9 that allows remote ...) {DSA-4070-1 DLA-1219-1} - enigmail 2:1.9.9-1 @@ -6233,7 +6233,7 @@ CVE-2017-17412 RESERVED CVE-2017-17411 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: web management portal of Linksys WVBR0 WVBR0 CVE-2017-17410 (This vulnerability allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Bitdefender Internet Security 2018 CVE-2017-17409 (This vulnerability allows remote attackers to execute arbitrary code ...) @@ -8471,7 +8471,7 @@ CVE-2017-17011 RESERVED CVE-2017-17010 (Untrusted search path vulnerability in Content Manager Assistant for ...) - TODO: check + NOT-FOR-US: Content Manager Assistant for PlayStation CVE-2017-17009 RESERVED CVE-2017-17008 @@ -10453,7 +10453,7 @@ CVE-2017-16767 RESERVED CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in Synology ...) - TODO: check + NOT-FOR-US: Synology DiskStation Manager CVE-2017-16765 (XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. ...) NOT-FOR-US: D-Link CVE-2017-16764 (An exploitable vulnerability exists in the YAML parsing functionality ...) @@ -13426,7 +13426,7 @@ CVE-2017-15701 (In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the ...) - qpid-java (bug #840131) CVE-2017-15700 (A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid ...) - TODO: check + NOT-FOR-US: Apache Sling Authentication Service CVE-2017-15699 RESERVED TODO: check, this is possibly specific to AMQ Interconnect as used by Red Hat JBoss, although based on Apache Qpid project @@ -14454,7 +14454,7 @@ CVE-2017-15329 RESERVED CVE-2017-15328 (Huawei HG8245H version earlier than V300R018C00SPC110 has an ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15327 RESERVED CVE-2017-15326 @@ -14462,41 +14462,41 @@ CVE-2017-15325 RESERVED CVE-2017-15324 (Huawei S12700 V200R006C00, V200R007C00, V200R007C01, V200R007C20, ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15323 RESERVED CVE-2017-15322 (Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15321 (Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an ...) TODO: check CVE-2017-15320 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15319 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15318 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15317 (AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR1200 ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15316 (The GPU driver of Mate 9 Huawei smart phones with software before ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15315 RESERVED CVE-2017-15314 RESERVED CVE-2017-15313 (Huawei SmartCare V200R003C10 has a CSV injection vulnerability. An ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15312 (Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15311 (The baseband modules of Mate 10, Mate 10 Pro, Mate 9, Mate 9 Pro ...) TODO: check CVE-2017-15310 (Huawei iReader app before 8.0.2.301 has an arbitrary file deletion ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15309 (Huawei iReader app before 8.0.2.301 has a path traversal vulnerability ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15308 (Huawei iReader app before 8.0.2.301 has an input validation ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15307 (Huawei Honor 8 smartphone with software versions earlier than ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15306 (The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 @@ -16858,7 +16858,7 @@ CVE-2017-14591 (Atlassian Fisheye and Crucible versions less than 4.4.3 and v
[Secure-testing-commits] r58881 - data/CVE
Author: carnil Date: 2017-12-24 07:59:54 + (Sun, 24 Dec 2017) New Revision: 58881 Modified: data/CVE/list Log: Mark CVE-2015-4100 as specific to the puppet enterprise versions Modified: data/CVE/list === --- data/CVE/list 2017-12-24 07:59:42 UTC (rev 58880) +++ data/CVE/list 2017-12-24 07:59:54 UTC (rev 58881) @@ -103305,7 +103305,8 @@ CVE-2015-4101 RESERVED CVE-2015-4100 (Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated ...) - TODO: check + - puppet (Only affects Puppet Enterprise) + NOTE: https://puppet.com/security/cve/CVE-2015-4100 CVE-2015-4099 RESERVED CVE-2015-4098 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits