[Secure-testing-commits] r58906 - data/CVE

2017-12-24 Thread security tracker role
Author: sectracker
Date: 2017-12-24 21:10:13 +0000 (Sun, 24 Dec 2017)
New Revision: 58906

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 19:57:27 UTC (rev 58905)
+++ data/CVE/list   2017-12-24 21:10:13 UTC (rev 58906)
@@ -1,3 +1,31 @@
+CVE-2017-17901
+   RESERVED
+CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr 
ERP/CRM ...)
+   TODO: check
+CVE-2017-17899 (SQL injection vulnerability in adherents/subscription/info.php 
in ...)
+   TODO: check
+CVE-2017-17898 (Dolibarr ERP/CRM version 6.0.4 does not block direct requests 
to ...)
+   TODO: check
+CVE-2017-17897 (SQL injection vulnerability in comm/multiprix.php in Dolibarr 
ERP/CRM ...)
+   TODO: check
+CVE-2017-17896 (Readymade Job Site Script has XSS via the keyword parameter to 
the /job ...)
+   TODO: check
+CVE-2017-17895 (Readymade Job Site Script has SQL Injection via the 
location_name array ...)
+   TODO: check
+CVE-2017-17894 (Readymade Job Site Script has CSRF via the /job URI. ...)
+   TODO: check
+CVE-2017-17893 (Readymade Video Sharing Script has XSS via the 
search_video.php search ...)
+   TODO: check
+CVE-2017-17892 (Readymade Video Sharing Script has SQL Injection via the 
viewsubs.php ...)
+   TODO: check
+CVE-2017-17891 (Readymade Video Sharing Script has CSRF via 
user-profile-edit.php. ...)
+   TODO: check
+CVE-2017-17890
+   RESERVED
+CVE-2017-17889
+   RESERVED
+CVE-2017-17888 (cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on 
NetBiter / HMS, ...)
+   TODO: check
 CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was 
found in ...)
- imagemagick  (unimportant)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/903
@@ -105,8 +133,8 @@
- asterisk  (bug #885072)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-014.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27480
-CVE-2017-17849
-   RESERVED
+CVE-2017-17849 (A buffer overflow vulnerability in GetGo Download Manager 
5.3.0.2712 ...)
+   TODO: check
 CVE-2017-17857 (The check_stack_boundary function in kernel/bpf/verifier.c in 
the Linux ...)
- linux 4.14.7-1
[stretch] - linux  (Vulnerable code introdued later)
@@ -392,6 +420,7 @@
 CVE-2017-17791
RESERVED
 CVE-2017-17790 (The lazy_initialize function in lib/resolv.rb in Ruby through 
2.4.3 ...)
+   {DLA-1222-1 DLA-1221-1}
- ruby2.5  (bug #884878)
- ruby2.3  (bug #884879)
[stretch] - ruby2.3  (Minor issue, can be fixed along in 
future DSA)
@@ -6314,6 +6343,7 @@
 CVE-2017-17406
RESERVED
 CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. 
Net::FTP#get, ...)
+   {DLA-1222-1 DLA-1221-1}
- ruby2.5 2.5.0~rc1-1 (bug #884437)
- ruby2.3 2.3.6-1 (bug #884438)
[stretch] - ruby2.3  (Minor issue, can be fixed along in a 
future update)
@@ -36824,14 +36854,17 @@
NOT-FOR-US: Nessus
 CVE-2017-7848
RESERVED
+   {DLA-1223-1}
- thunderbird 1:52.5.2-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7848
 CVE-2017-7847
RESERVED
+   {DLA-1223-1}
- thunderbird 1:52.5.2-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7847
 CVE-2017-7846
RESERVED
+   {DLA-1223-1}
- thunderbird 1:52.5.2-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846
 CVE-2017-7845
@@ -36911,6 +36944,7 @@
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7830
 CVE-2017-7829
RESERVED
+   {DLA-1223-1}
- thunderbird 1:52.5.2-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7829
 CVE-2017-7828


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r58905 - data

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 19:57:27 +0000 (Sun, 24 Dec 2017)
New Revision: 58905

Modified:
   data/dsa-needed.txt
Log:
Add thunderbird to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-24 19:55:31 UTC (rev 58904)
+++ data/dsa-needed.txt 2017-12-24 19:57:27 UTC (rev 58905)
@@ -65,6 +65,8 @@
 --
 sssd/stable
 --
+thunderbird
+--
 tomcat7/oldstable
 --
 tomcat8




[Secure-testing-commits] r58904 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 19:55:31 +0000 (Sun, 24 Dec 2017)
New Revision: 58904

Modified:
   data/CVE/list
Log:
Add new thunderbird issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 18:32:04 UTC (rev 58903)
+++ data/CVE/list   2017-12-24 19:55:31 UTC (rev 58904)
@@ -36824,16 +36824,24 @@
NOT-FOR-US: Nessus
 CVE-2017-7848
RESERVED
+   - thunderbird 1:52.5.2-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7848
 CVE-2017-7847
RESERVED
+   - thunderbird 1:52.5.2-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7847
 CVE-2017-7846
RESERVED
+   - thunderbird 1:52.5.2-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846
 CVE-2017-7845
RESERVED
- firefox  (Only affects Firefox on Windows)
- firefox-esr  (Only affects Firefox on Windows)
+   - thunderbird  (Only affects Firefox on Windows)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/#CVE-2017-7845
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7845
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7845
 CVE-2017-7844
RESERVED
- firefox 57.0.1-1
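Review bot: The added thunderbird line under CVE-2017-7845 reuses the explanation "Only affects Firefox on Windows" from the firefox and firefox-esr lines above it. For the thunderbird source package the reason should name the platform rather than the other product, for example "Only affects Windows", so the entry does not read as if Thunderbird is unaffected simply because it is not Firefox.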
@@ -36903,6 +36911,8 @@
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7830
 CVE-2017-7829
RESERVED
+   - thunderbird 1:52.5.2-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7829
 CVE-2017-7828
RESERVED
{DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1}




[Secure-testing-commits] r58903 - data/DLA

2017-12-24 Thread Guido Guenther
Author: agx
Date: 2017-12-24 18:32:04 +0000 (Sun, 24 Dec 2017)
New Revision: 58903

Modified:
   data/DLA/list
Log:
lts: Grab DLAs for ruby1.8, ruby1.9.1 and thunderbird

Modified: data/DLA/list
===
--- data/DLA/list   2017-12-24 16:18:09 UTC (rev 58902)
+++ data/DLA/list   2017-12-24 18:32:04 UTC (rev 58903)
@@ -1,3 +1,12 @@
+[24 Dec 2017] DLA-1223-1 thunderbird - security update
+   {CVE-2017-7829 CVE-2017-7846 CVE-2017-7847 CVE-2017-7848}
+   [wheezy] - thunderbird 1:52.5.2-1~deb7u1
+[24 Dec 2017] DLA-1222-1 ruby1.8 - security update
+   {CVE-2017-17405 CVE-2017-17790}
+   [wheezy] - ruby1.8 1.8.7.358-7.1+deb7u5
+[24 Dec 2017] DLA-1221-1 ruby1.9.1 - security update
+   {CVE-2017-17405 CVE-2017-17790}
+   [wheezy] - ruby1.9.1 1.9.3.194-8.1+deb7u7
 [23 Dec 2017] DLA-1220-1 gimp - security update
{CVE-2017-17784 CVE-2017-17785 CVE-2017-17786 CVE-2017-17787 
CVE-2017-17788 CVE-2017-17789}
[wheezy] - gimp 2.8.2-2+deb7u3




[Secure-testing-commits] r58902 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 16:18:09 +0000 (Sun, 24 Dec 2017)
New Revision: 58902

Modified:
   data/CVE/list
Log:
CVE-2017-17405/ruby2.5 addressed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 16:13:22 UTC (rev 58901)
+++ data/CVE/list   2017-12-24 16:18:09 UTC (rev 58902)
@@ -6314,7 +6314,7 @@
 CVE-2017-17406
RESERVED
 CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. 
Net::FTP#get, ...)
-   - ruby2.5  (bug #884437)
+   - ruby2.5 2.5.0~rc1-1 (bug #884437)
- ruby2.3 2.3.6-1 (bug #884438)
[stretch] - ruby2.3  (Minor issue, can be fixed along in a 
future update)
- ruby2.1 




[Secure-testing-commits] r58901 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 16:13:22 +0000 (Sun, 24 Dec 2017)
New Revision: 58901

Modified:
   data/CVE/list
Log:
Update status for CVE-2017-1786{3,4}/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 13:38:44 UTC (rev 58900)
+++ data/CVE/list   2017-12-24 16:13:22 UTC (rev 58901)
@@ -75,12 +75,12 @@
RESERVED
 CVE-2017-17864 (kernel/bpf/verifier.c in the Linux kernel before 4.14 
mishandles ...)
{DSA-4073-1}
-   - linux 
+   - linux 4.14.7-1
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
 CVE-2017-17863 (kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 
does not ...)
{DSA-4073-1}
-   - linux 
+   - linux 4.14.7-1
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
NOTE: https://www.spinics.net/lists/stable/msg206985.html




[Secure-testing-commits] r58900 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 13:38:44 +0000 (Sun, 24 Dec 2017)
New Revision: 58900

Modified:
   data/CVE/list
Log:
CVE-2017-9868/mosquitto addressed with unstable upload

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 12:53:35 UTC (rev 58899)
+++ data/CVE/list   2017-12-24 13:38:44 UTC (rev 58900)
@@ -28997,7 +28997,7 @@
NOTE: severity:unimportant for stretch onwards, but we don't have 
suite-specific severity annotations
 CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence 
file) is ...)
{DLA-1146-1}
-   - mosquitto  (bug #865959)
+   - mosquitto 1.4.14-1 (bug #865959)
[stretch] - mosquitto  (Minor issue)
[jessie] - mosquitto  (Minor issue)
NOTE: https://github.com/eclipse/mosquitto/issues/468




[Secure-testing-commits] r58897 - data

2017-12-24 Thread Chris Lamb
Author: lamby
Date: 2017-12-24 12:53:06 +0000 (Sun, 24 Dec 2017)
New Revision: 58897

Modified:
   data/dla-needed.txt
Log:
Triage mupdf for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-24 09:47:41 UTC (rev 58896)
+++ data/dla-needed.txt 2017-12-24 12:53:06 UTC (rev 58897)
@@ -51,6 +51,8 @@
   NOTE: 20171120: wip, currently working on it with upstream, might take a 
while
   NOTE: Some issues currently in upstream's bug tracker are missing a CVE 
number, so number of issues might increase in the next weeks
 --
+mupdf
+--
 rtpproxy
   NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog
 --



[Secure-testing-commits] r58899 - data

2017-12-24 Thread Chris Lamb
Author: lamby
Date: 2017-12-24 12:53:35 +0000 (Sun, 24 Dec 2017)
New Revision: 58899

Modified:
   data/dla-needed.txt
Log:
Triage nasm for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-24 12:53:08 UTC (rev 58898)
+++ data/dla-needed.txt 2017-12-24 12:53:35 UTC (rev 58899)
@@ -54,6 +54,8 @@
 mupdf
   NOTE: 20171224: Upstream patch does not apply to LTS cleanly. Might need 
hanges to apps/pdfclean.c rather than pdf-write.c (lamby)
 --
+nasm
+--
 rtpproxy
   NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog
 --



[Secure-testing-commits] r58898 - data

2017-12-24 Thread Chris Lamb
Author: lamby
Date: 2017-12-24 12:53:08 +0000 (Sun, 24 Dec 2017)
New Revision: 58898

Modified:
   data/dla-needed.txt
Log:
Add explanatory note for mupdf.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-24 12:53:06 UTC (rev 58897)
+++ data/dla-needed.txt 2017-12-24 12:53:08 UTC (rev 58898)
@@ -52,6 +52,7 @@
   NOTE: Some issues currently in upstream's bug tracker are missing a CVE 
number, so number of issues might increase in the next weeks
 --
 mupdf
+  NOTE: 20171224: Upstream patch does not apply to LTS cleanly. Might need 
hanges to apps/pdfclean.c rather than pdf-write.c (lamby)
 --
 rtpproxy
   NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog
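Review bot: The added NOTE line for mupdf contains the typo "hanges" (in "Might need hanges to apps/pdfclean.c"); it should read "changes". Since dla-needed.txt notes are what the next person picking up the package reads first, it is worth fixing in a follow-up commit.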



[Secure-testing-commits] r58896 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:47:41 +0000 (Sun, 24 Dec 2017)
New Revision: 58896

Modified:
   data/CVE/list
Log:
Add prefix for commit to better identify it

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:46:22 UTC (rev 58895)
+++ data/CVE/list   2017-12-24 09:47:41 UTC (rev 58896)
@@ -37,7 +37,7 @@
- imagemagick 
NOTE: https://github.com/ImageMagick/ImageMagick/issues/907
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9
-   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf
 CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
heap-based ...)
- imagemagick  (bug #885125)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/906




[Secure-testing-commits] r58895 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:46:22 +0000 (Sun, 24 Dec 2017)
New Revision: 58895

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-17879

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:39:15 UTC (rev 58894)
+++ data/CVE/list   2017-12-24 09:46:22 UTC (rev 58895)
@@ -39,7 +39,7 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf
 CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
heap-based ...)
-   - imagemagick 
+   - imagemagick  (bug #885125)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/906
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/72b3994a948a8a90dc664f3e7f72464878a31fbf
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80




[Secure-testing-commits] r58894 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:39:15 +0000 (Sun, 24 Dec 2017)
New Revision: 58894

Modified:
   data/CVE/list
Log:
Add CVE-2017-17879

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:36:39 UTC (rev 58893)
+++ data/CVE/list   2017-12-24 09:39:15 UTC (rev 58894)
@@ -39,7 +39,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf
 CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
heap-based ...)
-   TODO: check
+   - imagemagick 
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/906
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/72b3994a948a8a90dc664f3e7f72464878a31fbf
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80
 CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root 
passwords ...)
TODO: check
 CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When 
the SSH ...)




[Secure-testing-commits] r58893 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:36:39 +0000 (Sun, 24 Dec 2017)
New Revision: 58893

Modified:
   data/CVE/list
Log:
Add CVE-2017-17880

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:29:12 UTC (rev 58892)
+++ data/CVE/list   2017-12-24 09:36:39 UTC (rev 58893)
@@ -34,7 +34,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/ece953bbe14e8514afc23e05e4030eea872e29da
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/aa601d79a630f6de0694fadbeee31456a357fa73
 CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
stack-based ...)
-   TODO: check
+   - imagemagick 
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/907
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf
 CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
heap-based ...)
TODO: check
 CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root 
passwords ...)
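Review bot: The two commit NOTE lines added for CVE-2017-17880 are both unprefixed, while the entry just above in this hunk marks its second commit with "NOTE: ImageMagick-6:". Without that prefix a reader cannot tell which of the two commits is the fix for the 6.x branch; suggest labelling the ImageMagick-6 commit the same way as the neighbouring entries.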




[Secure-testing-commits] r58892 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:29:12 +0000 (Sun, 24 Dec 2017)
New Revision: 58892

Modified:
   data/CVE/list
Log:
Add CVE-2017-17881

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:27:02 UTC (rev 58891)
+++ data/CVE/list   2017-12-24 09:29:12 UTC (rev 58892)
@@ -29,7 +29,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/903f14eb94521aa6dca9d9ac55d3d9a6c7676a63
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/92fbef516b94ed96fa2a672831acd5dafb242ac5
 CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
-   TODO: check
+   - imagemagick  (unimportant)
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/878
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/ece953bbe14e8514afc23e05e4030eea872e29da
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/aa601d79a630f6de0694fadbeee31456a357fa73
 CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
stack-based ...)
TODO: check
 CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
heap-based ...)




[Secure-testing-commits] r58891 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:27:02 +0000 (Sun, 24 Dec 2017)
New Revision: 58891

Modified:
   data/CVE/list
Log:
Add CVE-2017-17882

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:26:46 UTC (rev 58890)
+++ data/CVE/list   2017-12-24 09:27:02 UTC (rev 58891)
@@ -24,7 +24,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/b0a7241df0f889cc3158ba82774ff21fa1da87ec
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/2a1ec7d97f356e9fb6dbc328da17d93ab7a8167c
 CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
-   TODO: check
+   - imagemagick  (unimportant)
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/880
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/903f14eb94521aa6dca9d9ac55d3d9a6c7676a63
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/92fbef516b94ed96fa2a672831acd5dafb242ac5
 CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
TODO: check
 CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
stack-based ...)




[Secure-testing-commits] r58890 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:26:46 +0000 (Sun, 24 Dec 2017)
New Revision: 58890

Modified:
   data/CVE/list
Log:
Add CVE-2017-17883

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:26:30 UTC (rev 58889)
+++ data/CVE/list   2017-12-24 09:26:46 UTC (rev 58890)
@@ -19,7 +19,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4d6accd355119d54429a86a1859b8329f0130f30
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/82f20a898107a9c1ef6ad2024c4b191719b294ea
 CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
-   TODO: check
+   - imagemagick  (unimportant)
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/877
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/b0a7241df0f889cc3158ba82774ff21fa1da87ec
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/2a1ec7d97f356e9fb6dbc328da17d93ab7a8167c
 CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
TODO: check
 CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)




[Secure-testing-commits] r58889 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:26:30 +0000 (Sun, 24 Dec 2017)
New Revision: 58889

Modified:
   data/CVE/list
Log:
Add CVE-2017-17884

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:22:57 UTC (rev 5)
+++ data/CVE/list   2017-12-24 09:26:30 UTC (rev 58889)
@@ -14,7 +14,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/2ba085736fd49ad89c1937d1ee2b80ae4e11ab97
NOTE: Imagemagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/5e863ae629010110772321fd181bac34c4b57345
 CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was 
found in ...)
-   TODO: check
+   - imagemagick  (unimportant)
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/902
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4d6accd355119d54429a86a1859b8329f0130f30
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/82f20a898107a9c1ef6ad2024c4b191719b294ea
 CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
TODO: check
 CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)




[Secure-testing-commits] r58888 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:22:57 +0000 (Sun, 24 Dec 2017)
New Revision: 58888

Modified:
   data/CVE/list
Log:
Add CVE-2017-17885

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:20:07 UTC (rev 58887)
+++ data/CVE/list   2017-12-24 09:22:57 UTC (rev 5)
@@ -9,7 +9,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/8204599ef0e85324876459e5d45db00660920482
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/4a71d71f4ae289b6672102efaef6543643e8efb8
 CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
-   TODO: check
+   - imagemagick  (unimportant)
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/879
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/2ba085736fd49ad89c1937d1ee2b80ae4e11ab97
+   NOTE: Imagemagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/5e863ae629010110772321fd181bac34c4b57345
 CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was 
found in ...)
TODO: check
 CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
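Review bot: The added NOTE for the 6.x branch commit is spelled "Imagemagick-6:" with a lowercase "m", while the context line at the top of this hunk uses "ImageMagick-6:". Suggest using the "ImageMagick-6:" spelling here too, so a case-sensitive search for the prefix finds every backport reference in data/CVE/list.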




[Secure-testing-commits] r58887 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:20:07 +0000 (Sun, 24 Dec 2017)
New Revision: 58887

Modified:
   data/CVE/list
Log:
Add CVE-2017-17886

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:13:07 UTC (rev 58886)
+++ data/CVE/list   2017-12-24 09:20:07 UTC (rev 58887)
@@ -4,7 +4,10 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/7a42f63927e7f2e26846b7ed4560e9cb4984af7b
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/dddce3e790b5b0f5dad91a7960de67af5bdea789
 CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
-   TODO: check
+   - imagemagick  (unimportant)
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/874
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/8204599ef0e85324876459e5d45db00660920482
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/4a71d71f4ae289b6672102efaef6543643e8efb8
 CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
TODO: check
 CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was 
found in ...)




[Secure-testing-commits] r58886 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 09:13:07 +0000 (Sun, 24 Dec 2017)
New Revision: 58886

Modified:
   data/CVE/list
Log:
Add CVE-2017-17887

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 09:10:14 UTC (rev 58885)
+++ data/CVE/list   2017-12-24 09:13:07 UTC (rev 58886)
@@ -1,5 +1,8 @@
 CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was 
found in ...)
-   TODO: check
+   - imagemagick  (unimportant)
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/903
+   NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/7a42f63927e7f2e26846b7ed4560e9cb4984af7b
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/dddce3e790b5b0f5dad91a7960de67af5bdea789
 CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
TODO: check
 CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)




[Secure-testing-commits] r58884 - data/CVE

2017-12-24 Thread Raphael Geissert
Author: geissert
Date: 2017-12-24 08:39:29 +0000 (Sun, 24 Dec 2017)
New Revision: 58884

Modified:
   data/CVE/list
Log:
i2pd itp


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 08:05:19 UTC (rev 58883)
+++ data/CVE/list   2017-12-24 08:39:29 UTC (rev 58884)
@@ -7841,7 +7841,7 @@
 CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x 
before ...)
NOT-FOR-US: Splunk Web
 CVE-2017-17066 (The (1) i2pd before 2.17 and (2) kovri pre-alpha 
implementations of the ...)
-   TODO: check
+   - i2pd  (bug #883770)
 CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before ...)
NOT-FOR-US: D-Link
 CVE-2017-17064




[Secure-testing-commits] r58885 - data/CVE

2017-12-24 Thread security tracker role
Author: sectracker
Date: 2017-12-24 09:10:14 +0000 (Sun, 24 Dec 2017)
New Revision: 58885

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 08:39:29 UTC (rev 58884)
+++ data/CVE/list   2017-12-24 09:10:14 UTC (rev 58885)
@@ -1,3 +1,45 @@
+CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was 
found in ...)
+   TODO: check
+CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
+   TODO: check
+CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
+   TODO: check
+CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was 
found in ...)
+   TODO: check
+CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
+   TODO: check
+CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
+   TODO: check
+CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was 
found in ...)
+   TODO: check
+CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
stack-based ...)
+   TODO: check
+CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
heap-based ...)
+   TODO: check
+CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root 
passwords ...)
+   TODO: check
+CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When 
the SSH ...)
+   TODO: check
+CVE-2017-17876
+   RESERVED
+CVE-2017-17875
+   RESERVED
+CVE-2017-17874 (Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary 
file ...)
+   TODO: check
+CVE-2017-17873 (Vanguard Marketplace Digital Products PHP 1.4 has SQL 
Injection via the ...)
+   TODO: check
+CVE-2017-17872 (The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL 
Injection ...)
+   TODO: check
+CVE-2017-17871 (The "JEXTN Question And Answer" extension 3.1.0 for 
Joomla! has SQL ...)
+   TODO: check
+CVE-2017-17870 (The JBuildozer extension 1.4.1 for Joomla! has SQL Injection 
via the ...)
+   TODO: check
+CVE-2017-17869 (The mgl-instagram-gallery plugin for WordPress has XSS via the 
...)
+   TODO: check
+CVE-2017-17868 (In Liferay Portal 6.1.0, the tags section has XSS via a Public 
Render ...)
+   TODO: check
+CVE-2017-17867
+   RESERVED
 CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles 
certain ...)
- mupdf  (bug #885120)
NOTE: Fixed by: 
http://git.ghostscript.com/?p=mupdf.git;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0
@@ -26,8 +68,8 @@
RESERVED
 CVE-2017-17860
RESERVED
-CVE-2017-17859
-   RESERVED
+CVE-2017-17859 (Samsung Internet Browser 6.2.01.12 allows remote attackers to 
bypass ...)
+   TODO: check
 CVE-2017-17858
RESERVED
 CVE-2017-17851
@@ -9617,8 +9659,8 @@
 CVE-2017-16898 (The printMP3Headers function in util/listmp3.c in libming 
v0.4.8 or ...)
- ming 
NOTE: https://github.com/libming/libming/issues/75
-CVE-2017-16897
-   RESERVED
+CVE-2017-16897 (A vulnerability has been discovered in the Auth0 
passport-wsfed-saml2 ...)
+   TODO: check
 CVE-2017-16896 (A SQL injection in classes/handler/public.php in the 
forgotpass ...)
- tt-rss  (bug #882543)
NOTE: 
https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669




[Secure-testing-commits] r58883 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 08:05:19 + (Sun, 24 Dec 2017)
New Revision: 58883

Modified:
   data/CVE/list
Log:
Reference fix for CVE-2017-13135/x265

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 08:00:08 UTC (rev 58882)
+++ data/CVE/list   2017-12-24 08:05:19 UTC (rev 58883)
@@ -20679,7 +20679,7 @@
- x265 
NOTE: https://github.com/ebel34/bpg-web-encoder/issues/1
NOTE: https://bitbucket.org/multicoreware/x265/issues/385/cve-2017-13135
-   TODO: check
+   NOTE: 
https://bitbucket.org/multicoreware/x265/commits/78c0f2c8ba087b38e291226a9555b4b4dab323a5/raw
 CVE-2017-13134 (In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based 
buffer ...)
{DSA-4040-1 DSA-4032-1 DLA-1170-1 DLA-1081-1}
- imagemagick  (bug #873099)
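Review bot: the NOTE added to the x265 entry is a bare URL ending in /raw, so nothing in the entry itself says this commit is the fix, although the log message calls it one. The MuPDF entry in this same file uses the form "NOTE: Fixed by:" followed by the URL; the same prefix here would make the fix reference greppable. Linking the commit page rather than its /raw diff would also give readers the commit metadata. With "TODO: check" removed, the "- x265" package line is the only remaining status for this CVE, so it should be confirmed against the referenced commit before the entry is considered triaged.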




[Secure-testing-commits] r58882 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 08:00:08 + (Sun, 24 Dec 2017)
New Revision: 58882

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-17866

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 07:59:54 UTC (rev 58881)
+++ data/CVE/list   2017-12-24 08:00:08 UTC (rev 58882)
@@ -1,5 +1,5 @@
 CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles 
certain ...)
-   - mupdf 
+   - mupdf  (bug #885120)
NOTE: Fixed by: 
http://git.ghostscript.com/?p=mupdf.git;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698699 (not public)
 CVE-2017-17865




[Secure-testing-commits] r58880 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 07:59:42 + (Sun, 24 Dec 2017)
New Revision: 58880

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 07:44:12 UTC (rev 58879)
+++ data/CVE/list   2017-12-24 07:59:42 UTC (rev 58880)
@@ -105,7 +105,7 @@
 CVE-2017-17833
RESERVED
 CVE-2017-17832 (ServersCheck Monitoring Software before 14.2.3 is prone to a 
...)
-   TODO: check
+   NOT-FOR-US: ServersCheck Monitoring Software
 CVE-2017-17843 (An issue was discovered in Enigmail before 1.9.9 that allows 
remote ...)
{DSA-4070-1 DLA-1219-1}
- enigmail 2:1.9.9-1
@@ -6233,7 +6233,7 @@
 CVE-2017-17412
RESERVED
 CVE-2017-17411 (This vulnerability allows remote attackers to execute 
arbitrary code ...)
-   TODO: check
+   NOT-FOR-US: web management portal of Linksys WVBR0 WVBR0
 CVE-2017-17410 (This vulnerability allows remote attackers to execute 
arbitrary code ...)
NOT-FOR-US: Bitdefender Internet Security 2018
 CVE-2017-17409 (This vulnerability allows remote attackers to execute 
arbitrary code ...)
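Review bot: the new line for CVE-2017-17411 reads "NOT-FOR-US: web management portal of Linksys WVBR0 WVBR0", with the model name doubled. The other NOT-FOR-US lines in this commit give just a product or vendor name ("Bitdefender Internet Security 2018", "Synology DiskStation Manager"), so "NOT-FOR-US: Linksys WVBR0" would fix the duplicate and match that style.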
@@ -8471,7 +8471,7 @@
 CVE-2017-17011
RESERVED
 CVE-2017-17010 (Untrusted search path vulnerability in Content Manager 
Assistant for ...)
-   TODO: check
+   NOT-FOR-US: Content Manager Assistant for PlayStation
 CVE-2017-17009
RESERVED
 CVE-2017-17008
@@ -10453,7 +10453,7 @@
 CVE-2017-16767
RESERVED
 CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in 
Synology ...)
-   TODO: check
+   NOT-FOR-US: Synology DiskStation Manager
 CVE-2017-16765 (XSS exists on D-Link DWR-933 1.00(WW)B17 devices via 
cgi-bin/gui.cgi. ...)
NOT-FOR-US: D-Link
 CVE-2017-16764 (An exploitable vulnerability exists in the YAML parsing 
functionality ...)
@@ -13426,7 +13426,7 @@
 CVE-2017-15701 (In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 
(inclusive) the ...)
- qpid-java  (bug #840131)
 CVE-2017-15700 (A flaw in the 
org.apache.sling.auth.core.AuthUtil#isRedirectValid ...)
-   TODO: check
+   NOT-FOR-US: Apache Sling Authentication Service
 CVE-2017-15699
RESERVED
TODO: check, this is possibly specific to AMQ Interconnect as used by 
Red Hat JBoss, although based on Apache Qpid project
@@ -14454,7 +14454,7 @@
 CVE-2017-15329
RESERVED
 CVE-2017-15328 (Huawei HG8245H version earlier than V300R018C00SPC110 has an 
...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15327
RESERVED
 CVE-2017-15326
@@ -14462,41 +14462,41 @@
 CVE-2017-15325
RESERVED
 CVE-2017-15324 (Huawei S12700 V200R006C00, V200R007C00, V200R007C01, 
V200R007C20, ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15323
RESERVED
 CVE-2017-15322 (Some Huawei smartphones with software of 
BGO-L03C158B003CUSTC158D001 ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15321 (Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an 
...)
TODO: check
 CVE-2017-15320 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, 
...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15319 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, 
...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15318 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, 
...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15317 (AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; 
AR1200 ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15316 (The GPU driver of Mate 9 Huawei smart phones with software 
before ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15315
RESERVED
 CVE-2017-15314
RESERVED
 CVE-2017-15313 (Huawei SmartCare V200R003C10 has a CSV injection 
vulnerability. An ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15312 (Huawei SmartCare V200R003C10 has a stored XSS (cross-site 
scripting) ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15311 (The baseband modules of Mate 10, Mate 10 Pro, Mate 9, Mate 9 
Pro ...)
TODO: check
 CVE-2017-15310 (Huawei iReader app before 8.0.2.301 has an arbitrary file 
deletion ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15309 (Huawei iReader app before 8.0.2.301 has a path traversal 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15308 (Huawei iReader app before 8.0.2.301 has an input validation 
...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15307 (Huawei Honor 8 smartphone with software versions earlier than 
...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15306 (The kvm_vm_ioctl_check_extension function in 
arch/powerpc/kvm/powerpc.c ...)
- linux 4.13.13-1
[stretch] - linux 4.9.65-1
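Review bot: two Huawei entries in this hunk, CVE-2017-15321 (FusionSphere OpenStack) and CVE-2017-15311 (baseband modules), stay at "TODO: check" as unchanged context while every other Huawei entry around them becomes "NOT-FOR-US: Huawei". If they were skipped deliberately, a short remark on the TODO line, like the one on CVE-2017-15699 earlier in this commit, would record why and save the next person from re-triaging them. Separately, the label here is vendor-only, whereas other hunks in this commit name the product ("Content Manager Assistant for PlayStation", "Apache Sling Authentication Service"). Vendor-only matches the existing "NOT-FOR-US: D-Link" line, so this is only a consistency point, but product names make later searches of the list more precise.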
@@ -16858,7 +16858,7 @@
 CVE-2017-14591 (Atlassian Fisheye and Crucible versions less than 4.4.3 and 
v

[Secure-testing-commits] r58881 - data/CVE

2017-12-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-24 07:59:54 + (Sun, 24 Dec 2017)
New Revision: 58881

Modified:
   data/CVE/list
Log:
Mark CVE-2015-4100 as specific to the puppet enterprise versions

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-24 07:59:42 UTC (rev 58880)
+++ data/CVE/list   2017-12-24 07:59:54 UTC (rev 58881)
@@ -103305,7 +103305,8 @@
 CVE-2015-4101
RESERVED
 CVE-2015-4100 (Puppet Enterprise 3.7.x and 3.8.0 might allow remote 
authenticated ...)
-   TODO: check
+   - puppet  (Only affects Puppet Enterprise)
+   NOTE: https://puppet.com/security/cve/CVE-2015-4100
 CVE-2015-4099
RESERVED
 CVE-2015-4098

