[Secure-testing-commits] r58925 - /
Author: carnil Date: 2017-12-26 07:48:21 + (Tue, 26 Dec 2017) New Revision: 58925 Modified: TODO.gitmigration Log: Add a further todo to take into account Modified: TODO.gitmigration === --- TODO.gitmigration 2017-12-26 07:41:09 UTC (rev 58924) +++ TODO.gitmigration 2017-12-26 07:48:21 UTC (rev 58925) @@ -51,6 +51,10 @@ - what needs to be done to allow sectracker role account to commit (user creation, guest-user?) +old repository: +- Add a pre-receive hook to prevent accidental pushes to the old alioth + account + References: === Mailinglists: https://lists.debian.org/debian-devel-announce/2017/09/msg4.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
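Review bot: the new item under `old repository:` says the pre-receive hook should prevent pushes to the old alioth *account*, but a pre-receive hook lives in and protects a repository, not an account; reword to "pushes to the old alioth repository" and spell out that the hook should reject every push and print the new repository location, so a stale checkout fails loudly instead of quietly diverging from the migrated tree.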
[Secure-testing-commits] r58924 - data/CVE
Author: carnil Date: 2017-12-26 07:41:09 + (Tue, 26 Dec 2017) New Revision: 58924 Modified: data/CVE/list Log: Mark dolibarr issues as no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-12-26 07:17:18 UTC (rev 58923) +++ data/CVE/list 2017-12-26 07:41:09 UTC (rev 58924) @@ -18,16 +18,24 @@ RESERVED CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM ...) - dolibarr + [stretch] - dolibarr (Minor issue) + [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17899 (SQL injection vulnerability in adherents/subscription/info.php in ...) - dolibarr + [stretch] - dolibarr (Minor issue) + [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17898 (Dolibarr ERP/CRM version 6.0.4 does not block direct requests to ...) - dolibarr + [stretch] - dolibarr (Minor issue) + [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c NOTE: https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c CVE-2017-17897 (SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM ...) - dolibarr + [stretch] - dolibarr (Minor issue) + [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17896 (Readymade Job Site Script has XSS via the keyword parameter to the /job ...) NOT-FOR-US: Readymade Job Site Script ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
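Review bot: the four new `[stretch]`/`[jessie] - dolibarr (Minor issue)` lines give no reason why SQL injections in fourn/index.php, adherents/subscription/info.php and comm/multiprix.php (and the direct-request issue in CVE-2017-17898) are considered minor, while the graphicsmagick no-dsa entry in r58914 on this page carries its rationale inline (`Minor issue, built with QuantumDepth=16`); add the reason to the tag so the no-dsa decision can be re-evaluated later without redoing the triage.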
[Secure-testing-commits] r58923 - data/CVE
Author: carnil Date: 2017-12-26 07:17:18 + (Tue, 26 Dec 2017) New Revision: 58923 Modified: data/CVE/list Log: Add bug reference for CVE-2017-142{38,39,40,41}/dolibarr Modified: data/CVE/list === --- data/CVE/list 2017-12-26 07:10:39 UTC (rev 58922) +++ data/CVE/list 2017-12-26 07:17:18 UTC (rev 58923) @@ -17967,22 +17967,22 @@ [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/33e2179b65331d9d9179b59d746817c5be1fecdb CVE-2017-14241 (Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 ...) - - dolibarr + - dolibarr (bug #885320) [stretch] - dolibarr (Minor issue) [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14240 (There is a sensitive information disclosure vulnerability in ...) - - dolibarr + - dolibarr (bug #885320) [stretch] - dolibarr (Minor issue) [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14239 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM ...) - - dolibarr + - dolibarr (bug #885320) [stretch] - dolibarr (Minor issue) [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14238 (SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM ...) - - dolibarr + - dolibarr (bug #885320) [stretch] - dolibarr (Minor issue) [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58922 - data/CVE
Author: carnil Date: 2017-12-26 07:10:39 + (Tue, 26 Dec 2017) New Revision: 58922 Modified: data/CVE/list Log: Add bug reference for CVE-2017-14242/dolibarr Modified: data/CVE/list === --- data/CVE/list 2017-12-26 06:33:36 UTC (rev 58921) +++ data/CVE/list 2017-12-26 07:10:39 UTC (rev 58922) @@ -17962,7 +17962,7 @@ CVE-2017-14243 (An authentication bypass vulnerability on UTStar WA3002G4 ADSL ...) NOT-FOR-US: UTStar CVE-2017-14242 (SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 ...) - - dolibarr + - dolibarr (bug #885319) [stretch] - dolibarr (Minor issue) [jessie] - dolibarr (Minor issue) NOTE: https://github.com/Dolibarr/dolibarr/commit/33e2179b65331d9d9179b59d746817c5be1fecdb ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58921 - /
Author: carnil Date: 2017-12-26 06:33:36 + (Tue, 26 Dec 2017) New Revision: 58921 Modified: TODO.gitmigration Log: Add one more open question to check Modified: TODO.gitmigration === --- TODO.gitmigration 2017-12-25 22:08:11 UTC (rev 58920) +++ TODO.gitmigration 2017-12-26 06:33:36 UTC (rev 58921) @@ -48,6 +48,8 @@ sectracker role account: - can the role account be added to the project and get the notifications? +- what needs to be done to allow sectracker role account to commit + (user creation, guest-user?) References: === ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
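Review bot: the new open question under `sectracker role account:` only asks how to let the role account commit (user creation, guest-user?); since that account pushes unattended `automatic update` revisions (r58916 and r58908 in this batch), add a sub-item to restrict its write access to this one repository and to record where the push credential is stored and who can rotate it, so the answer covers least privilege and not just account creation.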
[Secure-testing-commits] r58919 - data/CVE
Author: jmm Date: 2017-12-25 22:02:38 + (Mon, 25 Dec 2017) New Revision: 58919 Modified: data/CVE/list Log: nasm no-dsa Modified: data/CVE/list === --- data/CVE/list 2017-12-25 21:48:11 UTC (rev 58918) +++ data/CVE/list 2017-12-25 22:02:38 UTC (rev 58919) @@ -274,22 +274,30 @@ TODO: check CVE-2017-17820 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392433 - TODO: check CVE-2017-17819 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392435 NOTE: http://repo.or.cz/nasm.git/commit/7524cfd91492e6e3719b959498be584a9ced13af (nasm-2.13.02rc3) CVE-2017-17818 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392428 - TODO: check CVE-2017-17817 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392427 TODO: check CVE-2017-17816 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392426 TODO: check CVE-2017-17815 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access ...) 
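Review bot: inconsistent handling of `TODO: check` in this hunk: it is removed for CVE-2017-17820 and CVE-2017-17818 but left in place for CVE-2017-17817 and CVE-2017-17816, which receive the same `[stretch]`/`[jessie] - nasm (Minor issue)` tags; either the check is done and those TODOs should go too, or it is not and the no-dsa tags for 17817/17816 are premature. Also, only CVE-2017-17819 records the upstream fix commit (`7524cfd9...`, nasm-2.13.02rc3) while the other four point only at bugzilla.nasm.us, so whoever later backports for stretch or jessie has to redo that research; add the fix commits or a NOTE that they are part of the same rc3 batch.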
@@ -298,22 +306,29 @@ NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392436 CVE-2017-17814 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392430 - TODO: check CVE-2017-17813 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in the ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392429 - TODO: check CVE-2017-17812 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: http://repo.or.cz/nasm.git/commit/9b7ee09abfd426b99aa1ea81d19a3b2818eeabf9 (nasm-2.13.02rc3) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392424 CVE-2017-17811 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392432 - TODO: check CVE-2017-17810 (In Netwide Assembler (NASM) 2.14rc0, there is a "SEGV on unknown ...) - nasm 2.13.02-0.1 + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: http://repo.or.cz/nasm.git/commit/59ce1c67b16967c652765e62aa130b7e43f21dd4 (nasm-2.13.02rc3) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392431 CVE-2017-17809 (In Golden Frog VyprVPN before 2.15.0.5828 for macOS, the vyprvpnservice ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
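Review bot: CVE-2017-17814, CVE-2017-17813 and CVE-2017-17811 in this hunk get the stretch/jessie no-dsa tags with only a bugzilla.nasm.us reference, whereas CVE-2017-17812 and CVE-2017-17810 also record the fixing commit (`9b7ee09a...`, `59ce1c67...`, nasm-2.13.02rc3); add the fix commits for the other three so a later backport does not have to rediscover them. The `- TODO: check` removals here are consistent, but the 17811 entry goes from TODO straight to no-dsa without a NOTE on what the check concluded.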
[Secure-testing-commits] r58918 - data/CVE
Author: carnil Date: 2017-12-25 21:48:11 + (Mon, 25 Dec 2017) New Revision: 58918 Modified: data/CVE/list Log: Remove unneeded note for CVE-2007-6063 (information tracked both in security-tracker and kernel-sec) Modified: data/CVE/list === --- data/CVE/list 2017-12-25 21:35:05 UTC (rev 58917) +++ data/CVE/list 2017-12-25 21:48:11 UTC (rev 58918) @@ -237865,7 +237865,6 @@ CVE-2007-6063 (Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1436-1} - linux-2.6 2.6.23-2 - NOTE: kernel-sec is aware of this CVE-2007-6062 (irc-channel.c in ngIRCd before 0.10.3 allows remote attackers to cause ...) - ngircd 0.10.3-1 (bug #451875) [etch] - ngircd 0.10.0-2etch1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58920 - /
Author: carnil Date: 2017-12-25 22:08:11 + (Mon, 25 Dec 2017) New Revision: 58920 Modified: TODO.gitmigration Log: Add todo item about role account accessing project and getting notifications Modified: TODO.gitmigration === --- TODO.gitmigration 2017-12-25 22:02:38 UTC (rev 58919) +++ TODO.gitmigration 2017-12-25 22:08:11 UTC (rev 58920) @@ -46,6 +46,9 @@ - move this file to git - ping federico3 to update the codebase for security-metrics.d.n (uses git-svn) +sectracker role account: +- can the role account be added to the project and get the notifications? + References: === Mailinglists: https://lists.debian.org/debian-devel-announce/2017/09/msg4.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58916 - data/CVE
Author: sectracker Date: 2017-12-25 21:10:15 + (Mon, 25 Dec 2017) New Revision: 58916 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-25 20:34:23 UTC (rev 58915) +++ data/CVE/list 2017-12-25 21:10:15 UTC (rev 58916) @@ -1,3 +1,17 @@ +CVE-2017-17909 (PHP Scripts Mall Responsive Realestate Script has XSS via the ...) + TODO: check +CVE-2017-17908 (PHP Scripts Mall Responsive Realestate Script has CSRF via ...) + TODO: check +CVE-2017-17907 (PHP Scripts Mall Car Rental Script has XSS via the admin/areaedit.php ...) + TODO: check +CVE-2017-17906 (PHP Scripts Mall Car Rental Script has SQL Injection via the ...) + TODO: check +CVE-2017-17905 (PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php. ...) + TODO: check +CVE-2017-17904 (FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the ...) + TODO: check +CVE-2017-17903 (FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by ...) + TODO: check CVE-2017-17902 RESERVED CVE-2017-17901 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58917 - data/CVE
Author: carnil Date: 2017-12-25 21:35:05 + (Mon, 25 Dec 2017) New Revision: 58917 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-25 21:10:15 UTC (rev 58916) +++ data/CVE/list 2017-12-25 21:35:05 UTC (rev 58917) @@ -1,17 +1,17 @@ CVE-2017-17909 (PHP Scripts Mall Responsive Realestate Script has XSS via the ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Responsive Realestate Script CVE-2017-17908 (PHP Scripts Mall Responsive Realestate Script has CSRF via ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Responsive Realestate Script CVE-2017-17907 (PHP Scripts Mall Car Rental Script has XSS via the admin/areaedit.php ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2017-17906 (PHP Scripts Mall Car Rental Script has SQL Injection via the ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2017-17905 (PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php. ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2017-17904 (FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the ...) - TODO: check + NOT-FOR-US: FS Lynda Clone CVE-2017-17903 (FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by ...) - TODO: check + NOT-FOR-US: FS Lynda Clone CVE-2017-17902 RESERVED CVE-2017-17901 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58915 - data/CVE
Author: geissert Date: 2017-12-25 20:34:23 + (Mon, 25 Dec 2017) New Revision: 58915 Modified: data/CVE/list Log: Whitespace cleanup in NFU entries Modified: data/CVE/list === --- data/CVE/list 2017-12-25 18:41:45 UTC (rev 58914) +++ data/CVE/list 2017-12-25 20:34:23 UTC (rev 58915) @@ -81,7 +81,7 @@ CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root passwords ...) NOT-FOR-US: Valve Steam Link CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH ...) - NOT-FOR-US: Valve Steam Link + NOT-FOR-US: Valve Steam Link CVE-2017-17876 RESERVED CVE-2017-17875 @@ -10729,11 +10729,11 @@ CVE-2017-16683 (Denial of Service (DOS) in SAP Business Objects Platform, Enterprise ...) NOT-FOR-US: SAP Business Objects Platform CVE-2017-16682 (SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 ...) - NOT-FOR-US: SAP NetWeaver Internet Transaction Server + NOT-FOR-US: SAP NetWeaver Internet Transaction Server CVE-2017-16681 (Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence ...) NOT-FOR-US: SAP Business Intelligence Promotion Management Application CVE-2017-16680 (Two potential audit log injections in SAP HANA extended application ...) - NOT-FOR-US: SAP HANA extended application services + NOT-FOR-US: SAP HANA extended application services CVE-2017-16679 (URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 ...) NOT-FOR-US: SAP's Startup Service CVE-2017-16678 (Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver ...) 
@@ -14612,7 +14612,7 @@ CVE-2017-15305 (XSS exists in NexusPHP 1.5 via the keyword parameter to messages.php. ...) NOT-FOR-US: NexusPHP CVE-2017-15304 (/bin/login.php in the Web Panel on the Airtame HDMI dongle with ...) - NOT-FOR-US: Airtame HDMI dongle + NOT-FOR-US: Airtame HDMI dongle CVE-2017-15303 (In CPUID CPU-Z before 1.43, there is an arbitrary memory write that ...) NOT-FOR-US: CPUID CPU-Z CVE-2017-15302 (In CPUID CPU-Z through 1.81, there are improper access rights to a ...) @@ -16978,7 +16978,7 @@ CVE-2017-14584 RESERVED CVE-2017-14583 (NetApp Clustered Data ONTAP versions 9.x prior to 9.1P10 and 9.2P2 are ...) - NOT-FOR-US: NetApp Clustered Data ONTAP + NOT-FOR-US: NetApp Clustered Data ONTAP CVE-2017-14582 (The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for ...) NOT-FOR-US: Zoho CVE-2017- [pcb code injection by malicious layout file] @@ -17547,11 +17547,11 @@ CVE-2017-14388 (Cloud Foundry Foundation GrootFS release 0.3.x versions prior to 0.30.0 ...) NOT-FOR-US: Cloud Foundry Foundation GrootFS CVE-2017-14387 (The NFS service in EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, and ...) - NOT-FOR-US: EMC Isilon OneFS + NOT-FOR-US: EMC Isilon OneFS CVE-2017-14386 (The web user interface of Dell 2335dn and 2355dn Multifunction Laser ...) NOT-FOR-US: Dell CVE-2017-14385 (An issue was discovered in EMC Data Domain DD OS 5.7 family, versions ...) - NOT-FOR-US: EMC Data Domain DD OS + NOT-FOR-US: EMC Data Domain DD OS CVE-2017-14384 RESERVED CVE-2017-14383 @@ -17561,7 +17561,7 @@ CVE-2017-14381 RESERVED CVE-2017-14380 (In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, ...) - NOT-FOR-US: EMC Isilon OneFS + NOT-FOR-US: EMC Isilon OneFS CVE-2017-14379 (EMC RSA Authentication Manager before 8.2 SP1 P6 has a cross-site ...) NOT-FOR-US: EMC RSA CVE-2017-14378 (EMC RSA Authentication Agent API 8.5 for C and RSA Authentication Agent ...) 
@@ -49339,7 +49339,7 @@ CVE-2016-10043 (An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The ...) NOT-FOR-US: Radisys MRF Web Panel CVE-2016-10042 (Authorization Bypass in the Web interface of Arcadyan SLT-00 Star* (aka ...) - NOT-FOR-US: Arcadyan SLT-00 Star* devices + NOT-FOR-US: Arcadyan SLT-00 Star* devices CVE-2016-10041 (An issue was discovered in Sprecher Automation SPRECON-E Service ...) NOT-FOR-US: Sprecher Automation SPRECON-E Service CVE-2016-10040 (Stack-based buffer overflow in QXmlSimpleReader in Qt 4.8.5 allows ...) @@ -54415,9 +54415,9 @@ CVE-2017-2277 (WG-C10 v3.0.79 and earlier allows an attacker to bypass access ...) NOT-FOR-US: WG-C10 CVE-2017-2276 (Buffer overflow in WG-C10 v3.0.79 and earlier allows an attacker to ...) - NOT-FOR-US: WG-C10 + NOT-FOR-US: WG-C10 CVE-2017-2275 (WG-C10 v3.0.79 and earlier allows an attacker to execute arbitrary OS ...) - NOT-FOR-US: WG-C10 + NOT-FOR-US: WG-C10 CVE-2017-2274 (Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and ...) NOT-FOR-US: WMR-433* firmware CVE-2017-2273 (Cross-site request forgery (CSRF) vulnerabili
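Review bot: none of the `-`/`+` pairs in these hunks differ visibly (e.g. `- NOT-FOR-US: Valve Steam Link` / `+ NOT-FOR-US: Valve Steam Link`), so a reviewer cannot tell whether trailing spaces were stripped or tabs were normalised; say which in the log message (`Whitespace cleanup in NFU entries` does not), and consider adding the same whitespace check to the pre-receive hook planned in TODO.gitmigration so the mixed indentation does not creep back in.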
[Secure-testing-commits] r58914 - data/CVE
Author: gcs Date: 2017-12-25 18:41:45 + (Mon, 25 Dec 2017) New Revision: 58914 Modified: data/CVE/list Log: Add CVE-2017-1778[23]/graphicsmagick fixed version in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-25 16:36:03 UTC (rev 58913) +++ data/CVE/list 2017-12-25 18:41:45 UTC (rev 58914) @@ -438,13 +438,13 @@ NOTE: https://github.com/ruby/ruby/pull/1777 NOTE: Fixed by: https://github.com/ruby/ruby/commit/e7464561b5151501beb356fc750d5dd1a88014f7 CVE-2017-17783 (In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImage ...) - - graphicsmagick (bug #884904) + - graphicsmagick 1.3.27-2 (bug #884904) [stretch] - graphicsmagick (Minor issue, built with QuantumDepth=16) [jessie] - graphicsmagick (Minor issue) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=60932931559a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/529/ CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in ...) - - graphicsmagick (bug #884905) + - graphicsmagick 1.3.27-2 (bug #884905) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e3d2264109c NOTE: https://sourceforge.net/p/graphicsmagick/bugs/530/ CVE-2017-17781 (In Horde Groupware through 5.2.22, SQL Injection exists via the group ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
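Review bot: CVE-2017-17783 carries `[stretch]`/`[jessie]` no-dsa lines, but CVE-2017-17782, fixed in the same `graphicsmagick 1.3.27-2` upload, has only the unstable line; add the stretch/jessie assessment for 17782 (or a NOTE on why those suites are unaffected) so the two entries do not drift apart when the next point release is prepared.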
[Secure-testing-commits] r58912 - data
Author: lamby Date: 2017-12-25 16:36:02 + (Mon, 25 Dec 2017) New Revision: 58912 Modified: data/dla-needed.txt Log: data/dla-needed.txt: Add wordpress note. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-25 14:57:52 UTC (rev 58911) +++ data/dla-needed.txt 2017-12-25 16:36:02 UTC (rev 58912) @@ -78,6 +78,7 @@ NOTE: ourselves. See https://lists.debian.org/cak0odpxnte9c82ltt85jn_piyj_odw7wj3vttam1lnmqa7k...@mail.gmail.com -- wordpress + NOTE: 2017-12-25: Fix requires migrating users from MD5 -> bcrypt. (lamby) -- xen -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
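Review bot: the new wordpress NOTE (`Fix requires migrating users from MD5 -> bcrypt`) does not say which CVE it refers to, and dla-needed.txt is read by whoever picks the package up next; record the CVE id and whether the hash migration can be done lazily (rehash on the next successful login) or needs a forced credential reset, since that decides whether the DLA is a code-only update or also a data migration for existing installs.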
[Secure-testing-commits] r58913 - data
Author: lamby Date: 2017-12-25 16:36:03 + (Mon, 25 Dec 2017) New Revision: 58913 Modified: data/dla-needed.txt Log: data/dla-needed.txt: Tidy various notes. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-25 16:36:02 UTC (rev 58912) +++ data/dla-needed.txt 2017-12-25 16:36:03 UTC (rev 58913) @@ -14,7 +14,7 @@ -- ca-certificates NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org - NOTE: 20171013: anarcat pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at + NOTE: 20171013: pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at (anarcat) -- couchdb NOTE: Only in wheezy, we are on our own. @@ -57,7 +57,7 @@ nasm -- rtpproxy - NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog + NOTE: it's not clear to me if a fix is even possible. (Raphaël Hertzog) -- swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) @@ -72,10 +72,9 @@ tor -- wireshark (Thorsten Alteholz) - NOTE: 2017-08-28: Contacted maintainer since most issues affect - NOTE: Jessie/Stretch as well - NOTE: 2017-12-12: The maintainer asked us to handle the package - NOTE: ourselves. See https://lists.debian.org/cak0odpxnte9c82ltt85jn_piyj_odw7wj3vttam1lnmqa7k...@mail.gmail.com + NOTE: 2017-08-28: Contacted maintainer since most issues affect Jessie/Stretch as well + NOTE: 2017-12-12: The maintainer asked us to handle the package ourselves. See + NOTE: See https://lists.debian.org/cak0odpxnte9c82ltt85jn_piyj_odw7wj3vttam1lnmqa7k...@mail.gmail.com -- wordpress NOTE: 2017-12-25: Fix requires migrating users from MD5 -> bcrypt. (lamby) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
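Review bot: in the wireshark hunk the word `See` is now duplicated across the rewritten lines (`... handle the package ourselves. See` followed by `NOTE: See https://lists.debian.org/...`); drop one of them. The other two hunks, moving the attribution into trailing parentheses for ca-certificates and rtpproxy, match the `(lamby)` style already used by the swftools and wordpress notes.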
[Secure-testing-commits] r58911 - data
Author: agx Date: 2017-12-25 14:57:52 + (Mon, 25 Dec 2017) New Revision: 58911 Modified: data/dla-needed.txt Log: lts: ruby DLAs released Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-25 09:59:37 UTC (rev 58910) +++ data/dla-needed.txt 2017-12-25 14:57:52 UTC (rev 58911) @@ -59,10 +59,6 @@ rtpproxy NOTE: it's not clear to me if a fix is even possible. -- Raphaël Hertzog -- -ruby1.8 (Guido Günther) --- -ruby1.9.1 (Guido Günther) --- swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) NOTE: 20171210: likely to be turned into a pkg with limited sec support ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58910 - data/CVE
Author: carnil Date: 2017-12-25 09:59:37 + (Mon, 25 Dec 2017) New Revision: 58910 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-25 09:34:04 UTC (rev 58909) +++ data/CVE/list 2017-12-25 09:59:37 UTC (rev 58910) @@ -32,7 +32,7 @@ CVE-2017-17889 RESERVED CVE-2017-17888 (cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS, ...) - TODO: check + NOT-FOR-US: Anti-Web CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/903 
@@ -79,27 +79,27 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/72b3994a948a8a90dc664f3e7f72464878a31fbf NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80 CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root passwords ...) - TODO: check + NOT-FOR-US: Valve Steam Link CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH ...) - TODO: check + NOT-FOR-US: Valve Steam Link CVE-2017-17876 RESERVED CVE-2017-17875 RESERVED CVE-2017-17874 (Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file ...) - TODO: check + NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17873 (Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the ...) - TODO: check + NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17872 (The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection ...) - TODO: check + NOT-FOR-US: JEXTN Video Gallery extension for Joomla! CVE-2017-17871 (The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL ...) - TODO: check + NOT-FOR-US: "JEXTN Question And Answer" extension for Joomla! CVE-2017-17870 (The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the ...) - TODO: check + NOT-FOR-US: JBuildozer extension for Joomla! CVE-2017-17869 (The mgl-instagram-gallery plugin for WordPress has XSS via the ...) - TODO: check + NOT-FOR-US: mgl-instagram-gallery plugin for WordPress CVE-2017-17868 (In Liferay Portal 6.1.0, the tags section has XSS via a Public Render ...) - TODO: check + NOT-FOR-US: Liferay Portal CVE-2017-17867 RESERVED CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain ...) @@ -131,7 +131,7 @@ CVE-2017-17860 RESERVED CVE-2017-17859 (Samsung Internet Browser 6.2.01.12 allows remote attackers to bypass ...) - TODO: check + NOT-FOR-US: Samsung Internet Browser CVE-2017-17858 RESERVED CVE-2017-17851 
@@ -141,7 +141,7 @@ NOTE: http://downloads.asterisk.org/pub/security/AST-2017-014.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27480 CVE-2017-17849 (A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 ...) - TODO: check + NOT-FOR-US: GetGo Download Manager CVE-2017-17857 (The check_stack_boundary function in kernel/bpf/verifier.c in the Linux ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) @@ -14594,7 +14594,7 @@ CVE-2017-15312 (Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) ...) NOT-FOR-US: Huawei CVE-2017-15311 (The baseband modules of Mate 10, Mate 10 Pro, Mate 9, Mate 9 Pro ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15310 (Huawei iReader app before 8.0.2.301 has an arbitrary file deletion ...) NOT-FOR-US: Huawei CVE-2017-15309 (Huawei iReader app before 8.0.2.301 has a path traversal vulnerability ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
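Review bot: the context line for CVE-2017-17857 in the third hunk reads `[stretch] - linux (Vulnerable code introdued later)`; the typo (`introduced`) predates this revision but is worth fixing in a follow-up, since these free-text tags are what later readers search for when checking suite status.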
[Secure-testing-commits] r58909 - data/CVE
Author: carnil Date: 2017-12-25 09:34:04 + (Mon, 25 Dec 2017) New Revision: 58909 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-25 09:10:18 UTC (rev 58908) +++ data/CVE/list 2017-12-25 09:34:04 UTC (rev 58909) @@ -16,17 +16,17 @@ - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17896 (Readymade Job Site Script has XSS via the keyword parameter to the /job ...) - TODO: check + NOT-FOR-US: Readymade Job Site Script CVE-2017-17895 (Readymade Job Site Script has SQL Injection via the location_name array ...) - TODO: check + NOT-FOR-US: Readymade Job Site Script CVE-2017-17894 (Readymade Job Site Script has CSRF via the /job URI. ...) - TODO: check + NOT-FOR-US: Readymade Job Site Script CVE-2017-17893 (Readymade Video Sharing Script has XSS via the search_video.php search ...) - TODO: check + NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17892 (Readymade Video Sharing Script has SQL Injection via the viewsubs.php ...) - TODO: check + NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17891 (Readymade Video Sharing Script has CSRF via user-profile-edit.php. ...) - TODO: check + NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17890 RESERVED CVE-2017-17889 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58908 - data/CVE
Author: sectracker Date: 2017-12-25 09:10:18 + (Mon, 25 Dec 2017) New Revision: 58908 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-25 08:32:05 UTC (rev 58907) +++ data/CVE/list 2017-12-25 09:10:18 UTC (rev 58908) @@ -1,3 +1,5 @@ +CVE-2017-17902 + RESERVED CVE-2017-17901 RESERVED CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM ...) @@ -106,7 +108,7 @@ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698699 (not public) CVE-2017-17865 RESERVED -CVE-2017-17864 (kernel/bpf/verifier.c in the Linux kernel before 4.14 mishandles ...) +CVE-2017-17864 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) @@ -7968,7 +7970,7 @@ NOTE: https://github.com/erlang/otp/commit/3b4386dd19b7e669f557c95ace8d7ba228291927 (OTP-19.3.6.4) NOTE: https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 (OTP-18.3.4.7) NOTE: https://robotattack.org/ -CVE-2017-17058 (The WooCommerce plugin through 3.x for WordPress has a Directory ...) +CVE-2017-17058 (** DISPUTED ** The WooCommerce plugin through 3.x for WordPress has a ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2017-17057 (There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The ...) NOT-FOR-US: ZKTeco ZKTime Web Software ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
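Review bot: the automatic description update moves CVE-2017-17864 from `before 4.14` to `through 4.14.8`, while the entry records `- linux 4.14.7-1` as the fixed unstable version (with `{DSA-4073-1}`); a fixed version below the upstream "through" bound is only right if 4.14.7-1 carried the backported verifier fix, so confirm that and add a NOTE with the fixing commit or changelog reference so the mismatch does not read as an error. The WooCommerce change only adds `** DISPUTED **` to an entry already marked NOT-FOR-US; no action needed there.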
[Secure-testing-commits] r58907 - data/CVE
Author: carnil Date: 2017-12-25 08:32:05 + (Mon, 25 Dec 2017) New Revision: 58907 Modified: data/CVE/list Log: Add four new dolibarr issues Modified: data/CVE/list === --- data/CVE/list 2017-12-24 21:10:13 UTC (rev 58906) +++ data/CVE/list 2017-12-25 08:32:05 UTC (rev 58907) @@ -1,13 +1,18 @@ CVE-2017-17901 RESERVED CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM ...) - TODO: check + - dolibarr + NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17899 (SQL injection vulnerability in adherents/subscription/info.php in ...) - TODO: check + - dolibarr + NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17898 (Dolibarr ERP/CRM version 6.0.4 does not block direct requests to ...) - TODO: check + - dolibarr + NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c + NOTE: https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c CVE-2017-17897 (SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM ...) - TODO: check + - dolibarr + NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17896 (Readymade Job Site Script has XSS via the keyword parameter to the /job ...) TODO: check CVE-2017-17895 (Readymade Job Site Script has SQL Injection via the location_name array ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
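Review bot: the four new dolibarr entries replace `TODO: check` with `- dolibarr` plus the upstream fix commit, but record neither a fixed version nor a Debian bug; the commit hash alone does not show which Debian suites are affected or when a fixed upload lands, so file the bug (as r58923 and r58922 do for CVE-2017-14238..14242 with `(bug #885320)`/`(bug #885319)`) and add the stretch/jessie assessment in the same change rather than in a later revision.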