[Secure-testing-commits] r58953 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-27 07:06:38 + (Wed, 27 Dec 2017)
New Revision: 58953

Modified:
   data/CVE/list
Log:
Add fixing version in unstable for CVE-2017-7416, #866722

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 20:07:27 UTC (rev 58952)
+++ data/CVE/list   2017-12-27 07:06:38 UTC (rev 58953)
@@ -38723,7 +38723,7 @@
 CVE-2017-7417
RESERVED
 CVE-2017-7416 (ntopng before 3.0 allows XSS because GET and POST parameters 
are ...)
-   - ntopng  (bug #866722)
+   - ntopng 3.2+dfsg1-1 (bug #866722)
[stretch] - ntopng  (Minor issue)
[jessie] - ntopng  (Minor issue)
 CVE-2017-7415 (Atlassian Confluence 6.x before 6.0.7 allows remote attackers 
to bypass ...)


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r58952 - tools/git-migration

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 20:07:27 + (Tue, 26 Dec 2017)
New Revision: 58952

Modified:
   tools/git-migration/AUTHORS.txt
Log:
Sync AUTHORS.txt with new contributors and sync mirror

Modified: tools/git-migration/AUTHORS.txt
===
--- tools/git-migration/AUTHORS.txt 2017-12-26 19:43:53 UTC (rev 58951)
+++ tools/git-migration/AUTHORS.txt 2017-12-26 20:07:27 UTC (rev 58952)
@@ -12,6 +12,7 @@
 andrewsh = Andrew Shadura 
 apo =  Markus Koschany 
 apo-guest = Markus Koschany 
+apoikos = Apollon Oikonomopoulos 
 atoell-guest = Arno Töll 
 atomo64-guest = Raphael Geissert 
 aurel32 = Aurelien Jarno 



[Secure-testing-commits] r58951 - /

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 19:43:53 + (Tue, 26 Dec 2017)
New Revision: 58951

Modified:
   TODO.gitmigration
Log:
Add more notes for the hook task

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2017-12-26 18:01:19 UTC (rev 58950)
+++ TODO.gitmigration   2017-12-26 19:43:53 UTC (rev 58951)
@@ -48,6 +48,12 @@
   [18:58] < carnil> is there a way to implement such pre-commit checks with 
gitlab/salsa?
   [18:58] < Myon> carnil: I think the short answer is "no"
   [18:59] < Myon> the longer answer might include protected branches and 
runners and stuff
+  [...]
+  [20:15] < formorer> carnil: you answer was probably answered, but no thats 
not possible. Not allowing random hooks was a design decision because it opens 
several interesting security consequences
+  [20:17] < formorer> carnil: but if you provide a hook, we can review it and 
enable it
+  [20:18] < formorer> carnil: see 
https://docs.gitlab.com/ce/administration/custom_hooks.html for details
+  [20:19] < formorer> hope that helps
+  [20:27] < formorer> carnil: https://wiki.debian.org/Salsa/Doc#Custom_Hooks
 
 security-team.debian.org website
 
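Review bot: the pasted IRC excerpt answers the open question from the previous hooks entry, but the TODO still records no action item. From the quoted lines the outcome is: arbitrary server-side hooks are not enabled on Salsa by design, but a hook can be handed to the Salsa admins for review and enabling (the linked custom_hooks and Salsa/Doc#Custom_Hooks pages). Suggest adding a bullet such as "- prepare the existing pre-commit syntax/sanity check as a custom hook and submit it for review" so the decision is not lost in the log text.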




[Secure-testing-commits] r58950 - /

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 18:01:19 + (Tue, 26 Dec 2017)
New Revision: 58950

Modified:
   TODO.gitmigration
Log:
Add note on hooks, we will have the problem that no pre-commit checks can be 
done, how to implement?

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2017-12-26 16:22:51 UTC (rev 58949)
+++ TODO.gitmigration   2017-12-26 18:01:19 UTC (rev 58950)
@@ -41,6 +41,14 @@
 to the svn repository in recent years?)
 - get the DD acl applied (then point above only applies to -guest users)
 
+hooks:
+- this is problematic, we run syntax/sanity checks pre-commit. But with
+  salsa/gitlab there is no easy way anymore without involving protected
+  braches/runners:
+  [18:58] < carnil> is there a way to implement such pre-commit checks with 
gitlab/salsa?
+  [18:58] < Myon> carnil: I think the short answer is "no"
+  [18:59] < Myon> the longer answer might include protected branches and 
runners and stuff
+
 security-team.debian.org website
 
 - move this file to git
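Review bot: typo in the added hooks paragraph: "protected braches/runners" should read "protected branches/runners". Since the same paragraph already names the two alternatives Myon mentions (protected branches and CI runners), consider listing them as candidate approaches under the "hooks:" heading rather than leaving them only inside the quoted IRC lines.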




[Secure-testing-commits] r58949 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 16:22:51 + (Tue, 26 Dec 2017)
New Revision: 58949

Modified:
   data/CVE/list
Log:
Mark zoo as removed from the archive

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 16:21:00 UTC (rev 58948)
+++ data/CVE/list   2017-12-26 16:22:51 UTC (rev 58949)
@@ -115264,7 +115264,7 @@
 CVE-2015-0552 (Directory traversal vulnerability in the gcab_folder_extract 
function ...)
- gcab 0.4-2 (bug #774580)
 CVE-2015- [Zoo directory traversal]
-   - zoo  (low; bug #774453)
+   - zoo  (low; bug #774453)
[stretch] - zoo  (Minor issue)
[jessie] - zoo  (Minor issue)
[wheezy] - zoo  (Minor issue)




[Secure-testing-commits] r58948 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 16:21:00 + (Tue, 26 Dec 2017)
New Revision: 58948

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2007-3126

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 16:10:30 UTC (rev 58947)
+++ data/CVE/list   2017-12-26 16:21:00 UTC (rev 58948)
@@ -246069,7 +246069,7 @@
 CVE-2007-3127 (content.php in WSPortal 1.0, when magic_quotes_gpc is disabled, 
allows ...)
NOT-FOR-US: WSPortal
 CVE-2007-3126 (Gimp before 2.8.22 allows context-dependent attackers to cause 
a ...)
-   - gimp  (unimportant)
+   - gimp  (unimportant; bug #885382)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=773233
NOTE: 
https://git.gnome.org/browse/gimp/commit/?id=46bcd82800e37b0f5aead76184430ef2fe802748
 (master)
NOTE: 
https://git.gnome.org/browse/gimp/commit/?id=323ecb73f7bf36788fb7066eb2d6678830cd5de7
 (gimp-2-8)




[Secure-testing-commits] r58947 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 16:10:30 + (Tue, 26 Dec 2017)
New Revision: 58947

Modified:
   data/CVE/list
Log:
Add upstream bug for CVE-2007-3126

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 15:03:02 UTC (rev 58946)
+++ data/CVE/list   2017-12-26 16:10:30 UTC (rev 58947)
@@ -246070,6 +246070,7 @@
NOT-FOR-US: WSPortal
 CVE-2007-3126 (Gimp before 2.8.22 allows context-dependent attackers to cause 
a ...)
- gimp  (unimportant)
+   NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=773233
NOTE: 
https://git.gnome.org/browse/gimp/commit/?id=46bcd82800e37b0f5aead76184430ef2fe802748
 (master)
NOTE: 
https://git.gnome.org/browse/gimp/commit/?id=323ecb73f7bf36788fb7066eb2d6678830cd5de7
 (gimp-2-8)
 CVE-2007-3125




[Secure-testing-commits] r58946 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 15:03:02 + (Tue, 26 Dec 2017)
New Revision: 58946

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-17788

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 14:42:57 UTC (rev 58945)
+++ data/CVE/list   2017-12-26 15:03:02 UTC (rev 58946)
@@ -554,7 +554,7 @@
NOTE: Crash in desktop tool, no/negligable security impact
 CVE-2017-17788 (In GIMP 2.8.22, there is a stack-based buffer over-read in ...)
{DLA-1220-1}
-   - gimp  (unimportant)
+   - gimp  (unimportant; bug #885347)
NOTE: 
https://git.gnome.org/browse/gimp/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126
 (master)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790783
NOTE: Crash in desktop tool, no/negligable security impact




[Secure-testing-commits] r58945 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 14:42:57 + (Tue, 26 Dec 2017)
New Revision: 58945

Modified:
   data/CVE/list
Log:
Add commits for old gimp issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 14:30:45 UTC (rev 58944)
+++ data/CVE/list   2017-12-26 14:42:57 UTC (rev 58945)
@@ -246070,6 +246070,8 @@
NOT-FOR-US: WSPortal
 CVE-2007-3126 (Gimp before 2.8.22 allows context-dependent attackers to cause 
a ...)
- gimp  (unimportant)
+   NOTE: 
https://git.gnome.org/browse/gimp/commit/?id=46bcd82800e37b0f5aead76184430ef2fe802748
 (master)
+   NOTE: 
https://git.gnome.org/browse/gimp/commit/?id=323ecb73f7bf36788fb7066eb2d6678830cd5de7
 (gimp-2-8)
 CVE-2007-3125
REJECTED
 CVE-2007-3124 (Buffer overflow in backup/src/vmsbackup.c (aka the backup 
utility) in ...)




[Secure-testing-commits] r58944 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 14:30:45 + (Tue, 26 Dec 2017)
New Revision: 58944

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-15365, #885345

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 14:09:38 UTC (rev 58943)
+++ data/CVE/list   2017-12-26 14:30:45 UTC (rev 58944)
@@ -14533,7 +14533,7 @@
 CVE-2017-15365 [Replication in sql/event_data_objects.cc occurs before ACL 
checks]
RESERVED
- mariadb-10.2  (bug #884065)
-   - mariadb-10.1 
+   - mariadb-10.1  (bug #885345)
- mariadb-10.0 
- percona-xtrabackup 
- mysql-5.7 




[Secure-testing-commits] r58943 - /

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 14:09:38 + (Tue, 26 Dec 2017)
New Revision: 58943

Modified:
   TODO.gitmigration
Log:
Add a note on using deploy keys

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2017-12-26 13:41:33 UTC (rev 58942)
+++ TODO.gitmigration   2017-12-26 14:09:38 UTC (rev 58943)
@@ -48,6 +48,7 @@
 
 sectracker role account:
 - Creation request: https://salsa.debian.org/salsa/support/issues/6
+  -> Use 'deploy keys'
 - can the role account be added to the project and get the notifications?
   Possible alternative: 
https://docs.gitlab.com/ce/user/project/integrations/emails_on_push.html
   cf. https://salsa.debian.org/salsa/support/issues/5
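Review bot: "-> Use 'deploy keys'" needs one more word on the access level. A GitLab deploy key is read-only unless write access is explicitly granted when the key is added, so if the sectracker role account only needs to fetch the repository this is the least-privilege option; if it also has to push (the creation request in the line above does not say), the note should state that write access is required, otherwise pushes with that key will be rejected.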




[Secure-testing-commits] r58942 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 13:41:33 + (Tue, 26 Dec 2017)
New Revision: 58942

Modified:
   data/CVE/list
Log:
CVE-2017-17365 confirmed to affect MariaDB 10.1 as well

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 13:34:27 UTC (rev 58941)
+++ data/CVE/list   2017-12-26 13:41:33 UTC (rev 58942)
@@ -14533,12 +14533,12 @@
 CVE-2017-15365 [Replication in sql/event_data_objects.cc occurs before ACL 
checks]
RESERVED
- mariadb-10.2  (bug #884065)
-   - mariadb-10.1 
+   - mariadb-10.1 
- mariadb-10.0 
- percona-xtrabackup 
- mysql-5.7 
- mysql-5.5 
-   NOTE: MariaDB: Fixed in 10.2.10
+   NOTE: MariaDB: Fixed in 10.2.10, 10.1.30
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524234
NOTE: 
https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html
NOTE: Likely (unconfirmed) fix: 
https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e?diff=unified
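Review bot: the log message refers to CVE-2017-17365, but the hunk edits the CVE-2017-15365 entry; the commit message should be corrected so the history stays searchable by the right identifier. The NOTE change itself matches the log's statement that 10.1 is affected, now listing 10.1.30 alongside 10.2.10 as fixed versions.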




[Secure-testing-commits] r58941 - data/CVE

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 13:34:27 + (Tue, 26 Dec 2017)
New Revision: 58941

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 13:33:24 UTC (rev 58940)
+++ data/CVE/list   2017-12-26 13:34:27 UTC (rev 58941)
@@ -19048,21 +19048,21 @@
NOTE: https://webkitgtk.org/security/WSA-2017-0010.html
NOTE: Not covered by security support
 CVE-2017-13865 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13864 (An issue was discovered in certain Apple products. iCloud 
before 7.2 ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13863
RESERVED
 CVE-2017-13862 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13861 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13860 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13859
RESERVED
 CVE-2017-13858 (An issue was discovered in certain Apple products. macOS 
before ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13857
RESERVED
 CVE-2017-13856 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
@@ -19070,7 +19070,7 @@
NOTE: https://webkitgtk.org/security/WSA-2017-0010.html
NOTE: Not covered by security support
 CVE-2017-13855 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13854
RESERVED
 CVE-2017-13853
@@ -19084,9 +19084,9 @@
 CVE-2017-13849 (An issue was discovered in certain Apple products. iOS before 
11.1 is ...)
NOT-FOR-US: Apple
 CVE-2017-13848 (An issue was discovered in certain Apple products. macOS 
before ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13847 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13846 (An issue was discovered in certain Apple products. macOS 
before ...)
TODO: check, potentially PCRE
 CVE-2017-13845
@@ -20764,7 +20764,7 @@
 CVE-2017-13176
RESERVED
 CVE-2017-13175 (An information disclosure vulnerability in the NVIDIA 
libwilhelm. ...)
-   TODO: check
+   NOT-FOR-US: NVIDIA driver for Android
 CVE-2017-13174 (An elevation of privilege vulnerability in the kernel edl. 
Product: ...)
TODO: check
 CVE-2017-13173 (An elevation of privilege vulnerability in the MediaTek system 
server. ...)
@@ -22618,9 +22618,9 @@
 CVE-2017-12742
RESERVED
 CVE-2017-12741 (A vulnerability has been identified in the following Siemens 
industrial ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2017-12740 (Siemens LOGO! Soft Comfort (All versions before V8.2) lacks 
integrity ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2017-12739 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM 
Modules with ...)
NOT-FOR-US: Siemens
 CVE-2017-12738 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM 
Modules with ...)
@@ -22628,7 +22628,7 @@
 CVE-2017-12737 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM 
Modules with ...)
NOT-FOR-US: Siemens
 CVE-2017-12736 (A vulnerability has been identified in the following Siemens 
products: ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2017-12735 (A vulnerability has been identified in Siemens LOGO! devices. 
An ...)
NOT-FOR-US: Siemens
 CVE-2017-12734 (A vulnerability has been identified in Siemens LOGO! devices 
before ...)
@@ -27970,7 +27970,7 @@
 CVE-2017-10910
RESERVED
 CVE-2017-10909 (Untrusted search path vulnerability in Music Center for PC 
version ...)
-   TODO: check
+   NOT-FOR-US: Music Center for PC
 CVE-2017-10908 (H2O version 2.2.3 and earlier allows remote attackers to cause 
a ...)
- h2o 2.2.4+dfsg-1 (medium)
NOTE: https://github.com/h2o/h2o/issues/1544




[Secure-testing-commits] r58940 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 13:33:24 + (Tue, 26 Dec 2017)
New Revision: 58940

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-17087

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 13:28:44 UTC (rev 58939)
+++ data/CVE/list   2017-12-26 13:33:24 UTC (rev 58940)
@@ -7916,11 +7916,11 @@
 CVE-2017-17088 (The Enterprise version of SyncBreeze 10.2.12 and earlier is 
affected ...)
NOT-FOR-US: SyncBreeze
 CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of 
a .swp ...)
-   - vim 
+   - vim 2:8.0.1401-1
[stretch] - vim  (Minor issue)
[jessie] - vim  (Minor issue)
[wheezy] - vim  (Minor issue)
-   NOTE: 
https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
+   NOTE: 
https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 
(8.0.1263)
 CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a 
"" substring in an ...)
NOT-FOR-US: Indeo Otter
 CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP 
Safety ...)




[Secure-testing-commits] r58939 - data/CVE

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 13:28:44 + (Tue, 26 Dec 2017)
New Revision: 58939

Modified:
   data/CVE/list
Log:
hdf no-dsa
rtpproxy unimportant
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 13:26:09 UTC (rev 58938)
+++ data/CVE/list   2017-12-26 13:28:44 UTC (rev 58939)
@@ -5658,26 +5658,36 @@
RESERVED
 CVE-2017-17509 (In HDF5 1.10.1, there is an out of bounds write vulnerability 
in the ...)
- hdf5  (bug #884365)
+   [stretch] - hdf5  (Minor issue)
+   [jessie] - hdf5  (Minor issue)
[wheezy] - hdf5  (Minor issue)
NOTE: POC: 
https://github.com/xiaoqx/pocs/blob/master/hdf5/5-hdf5-heap-overflow-H5G__ent_decode_vec
NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 CVE-2017-17508 (In HDF5 1.10.1, there is a divide-by-zero vulnerability in the 
function ...)
- hdf5  (bug #884365)
+   [stretch] - hdf5  (Minor issue)
+   [jessie] - hdf5  (Minor issue)
[wheezy] - hdf5  (Minor issue)
NOTE: POC: 
https://github.com/xiaoqx/pocs/blob/master/hdf5/1-hdf5-divbyzero-H5T_set_loc
NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 CVE-2017-17507 (In HDF5 1.10.1, there is an out of bounds read vulnerability 
in the ...)
- hdf5  (bug #884365)
+   [stretch] - hdf5  (Minor issue)
+   [jessie] - hdf5  (Minor issue)
[wheezy] - hdf5  (Minor issue)
NOTE: POC: 
https://github.com/xiaoqx/pocs/blob/master/hdf5/3-hdf5-outbound-read-H5T_conv_struct_opt
NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 CVE-2017-17506 (In HDF5 1.10.1, there is an out of bounds read vulnerability 
in the ...)
- hdf5  (bug #884365)
+   [stretch] - hdf5  (Minor issue)
+   [jessie] - hdf5  (Minor issue)
[wheezy] - hdf5  (Minor issue)
NOTE: POC: 
https://github.com/xiaoqx/pocs/blob/master/hdf5/4-hdf5-outbound-read-H5Opline_pline_decode
NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 CVE-2017-17505 (In HDF5 1.10.1, there is a NULL pointer dereference in the 
function ...)
- hdf5  (bug #884365)
+   [stretch] - hdf5  (Minor issue)
+   [jessie] - hdf5  (Minor issue)
[wheezy] - hdf5  (Minor issue)
NOTE: POC: 
https://github.com/xiaoqx/pocs/blob/master/hdf5/2-hdf5-null-pointer-H5O_pline_decode
NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
@@ -14619,7 +14629,7 @@
 CVE-2017-15322 (Some Huawei smartphones with software of 
BGO-L03C158B003CUSTC158D001 ...)
NOT-FOR-US: Huawei
 CVE-2017-15321 (Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an 
...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2017-15320 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, 
...)
NOT-FOR-US: Huawei
 CVE-2017-15319 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, 
...)
@@ -18441,9 +18451,10 @@
 CVE-2017-14115 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 
and NVG599 ...)
NOT-FOR-US: Arris
 CVE-2017-14114 (RTPproxy through 2.2.alpha.20160822 has a NAT feature that 
results in ...)
-   - rtpproxy  (bug #874070)
+   - rtpproxy  (unimportant; bug #874070)
NOTE: https://rtpbleed.com/
NOTE: https://github.com/sippy/rtpproxy/issues/70
+   NOTE: Design limitation in RTP protocol
 CVE-2017-14113
REJECTED
 CVE-2017-14112
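Review bot: the new NOTE "Design limitation in RTP protocol" is broader than the entry's own description, which attributes the issue to RTPproxy's NAT feature. If the unimportant rating rests on the NAT latching behaviour being inherent to how such a proxy handles NAT traversal, say that (e.g. "Design limitation of the NAT latching feature"), since RTP itself is not what is being rated here; the rtpbleed.com and issue #70 references already in the entry are what a later triager will recheck against.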
@@ -18957,7 +18968,7 @@
 CVE-2017-13904
RESERVED
 CVE-2017-13903 (An issue was discovered in certain Apple products. iOS before 
11.2.1 ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13902
RESERVED
 CVE-2017-13901
@@ -18997,7 +19008,7 @@
 CVE-2017-13884
RESERVED
 CVE-2017-13883 (An issue was discovered in certain Apple products. macOS 
before ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13882
RESERVED
 CVE-2017-13881
@@ -19005,33 +19016,33 @@
 CVE-2017-13880
RESERVED
 CVE-2017-13879 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13878 (An issue was discovered in certain Apple products. macOS 
before ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13877
RESERVED
 CVE-2017-13876 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13875 (An issue was discovered in certain Apple products. macOS 
before ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13874 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2017-13873
RESERVED
 CVE-2017-13872 (An issue was discovered in certain Apple products. macOS High 
Sierra ...)
NOT-FOR-US: Apple
 CVE-2017-13871 (An issue was discovered in certain Apple products. macOS 
before ...)
-   TODO: check
+ 

[Secure-testing-commits] r58938 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 13:26:09 + (Tue, 26 Dec 2017)
New Revision: 58938

Modified:
   data/CVE/list
Log:
Mark CVE-2017-1000382 as unimportant

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 13:19:59 UTC (rev 58937)
+++ data/CVE/list   2017-12-26 13:26:09 UTC (rev 58938)
@@ -11941,11 +11941,12 @@
NOTE: file when creating a backup file. That's hardly incorrect 
behaviour
NOTE: Upstream report: 
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29182
 CVE-2017-1000382 (VIM version 8.0.1187 (and other versions most likely) 
ignores umask ...)
-   - vim 
-   [stretch] - vim  (Minor issue)
-   [jessie] - vim  (Minor issue)
-   [wheezy] - vim  (Minor issue)
+   - vim  (unimportant)
NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15
+   NOTE: Cf. http://www.openwall.com/lists/oss-security/2017/11/01/4
+   NOTE: vim creates the .swp file according to the permissions of the 
file being
+   NOTE: edited, admitely ignoring the umask, so in the reporters case the 
.swp
+   NOTE: file is readable by others. But that seem to be the intended 
behaviour.
 CVE-2017-16248 (The Catalyst-Plugin-Static-Simple module before 0.34 for Perl 
allows ...)
- libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458)
[stretch] - libcatalyst-plugin-static-simple-perl  (Minor issue)
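Review bot: spelling and grammar in the three added NOTE lines: "admitely" should be "admittedly", "reporters case" should be "reporter's case", and "that seem to be" should be "that seems to be". Dropping the per-suite "(Minor issue)" lines when the whole entry becomes unimportant is consistent, and the added cross-reference to the 2017/11/01/4 oss-security follow-up is what justifies the downgrade, so it is good that it sits directly under the original report link.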




[Secure-testing-commits] r58937 - data

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 13:19:59 + (Tue, 26 Dec 2017)
New Revision: 58937

Modified:
   data/dsa-needed.txt
Log:
add and take imagemagick


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-26 12:54:06 UTC (rev 58936)
+++ data/dsa-needed.txt 2017-12-26 13:19:59 UTC (rev 58937)
@@ -22,6 +22,8 @@
 --
 graphicsmagick
 --
+imagemagick (jmm)
+--
 libav/oldstable
   We can ship the next libav 11.x point release when available
 --




[Secure-testing-commits] r58936 - data/CVE

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 12:54:06 + (Tue, 26 Dec 2017)
New Revision: 58936

Modified:
   data/CVE/list
Log:
imagemagick bugs


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 12:49:34 UTC (rev 58935)
+++ data/CVE/list   2017-12-26 12:54:06 UTC (rev 58936)
@@ -5682,7 +5682,7 @@
NOTE: POC: 
https://github.com/xiaoqx/pocs/blob/master/hdf5/2-hdf5-null-pointer-H5O_pline_decode
NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 CVE-2017-17504 (ImageMagick before 7.0.7-12 has a coders/png.c ...)
-   - imagemagick 
+   - imagemagick  (bug #885340)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/872
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/ce3a586a43a7d13442587eb7f28d129557b6a135
NOTE: ImageMagick-7: 
https://github.com/ImageMagick/ImageMagick/commit/59c49559e302e06bfba46cb6feb4e39adbe675b6
@@ -5704,7 +5704,7 @@
NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1366f2dd9931
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/523/
 CVE-2017-17499 (ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a ...)
-   - imagemagick 
+   - imagemagick  (bug #885339)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/8c35502217c1879cb8257c617007282eee3fe1cc
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/dd96d671e4d5ae22c6894c302e8996c13f24c45a
NOTE: 
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=33078&sid=5fbb164c3830293138917f9b14264ed1




[Secure-testing-commits] r58935 - data/CVE

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 12:49:34 + (Tue, 26 Dec 2017)
New Revision: 58935

Modified:
   data/CVE/list
Log:
filed bug for undertow


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 12:39:25 UTC (rev 58934)
+++ data/CVE/list   2017-12-26 12:49:34 UTC (rev 58935)
@@ -24175,7 +24175,7 @@
NOTE: 
https://community.openvpn.net/openvpn/changeset/a9f5c744d6b09f2495ca48d2c926efd3a4b981e6/
 (release/2.2)
 CVE-2017-12165 [improper whitespace parsing leading to potential HTTP request 
smuggling]
RESERVED
-   - undertow 
+   - undertow  (bug #885338)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301
 CVE-2017-12164 [lock screen can be circumvented when autologin is set]
RESERVED




[Secure-testing-commits] r58934 - /

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 12:39:25 + (Tue, 26 Dec 2017)
New Revision: 58934

Modified:
   TODO.gitmigration
Log:
Add reference for role account

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2017-12-26 12:15:10 UTC (rev 58933)
+++ TODO.gitmigration   2017-12-26 12:39:25 UTC (rev 58934)
@@ -47,6 +47,7 @@
 - ping federico3 to update the codebase for security-metrics.d.n (uses git-svn)
 
 sectracker role account:
+- Creation request: https://salsa.debian.org/salsa/support/issues/6
 - can the role account be added to the project and get the notifications?
   Possible alternative: 
https://docs.gitlab.com/ce/user/project/integrations/emails_on_push.html
   cf. https://salsa.debian.org/salsa/support/issues/5




[Secure-testing-commits] r58933 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 12:15:10 + (Tue, 26 Dec 2017)
New Revision: 58933

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2017-17511

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 11:48:58 UTC (rev 58932)
+++ data/CVE/list   2017-12-26 12:15:10 UTC (rev 58933)
@@ -5649,7 +5649,7 @@
NOTE: 
https://anonscm.debian.org/git/collab-maint/sensible-utils.git/commit/?id=e16c937c43126df7f08d355277f99dd94cc21ce5
 CVE-2017-17511 (KildClient 3.1.0 does not validate strings before launching 
the program ...)
{DLA-1210-1}
-   - kildclient  (bug #885007)
+   - kildclient 3.2.0-1 (bug #885007)
[stretch] - kildclient  (Minor issue)
[jessie] - kildclient  (Minor issue)
NOTE: 
https://sources.debian.org/src/kildclient/3.1.0-1/src/worldgui.c/?hl=1159#L1159




[Secure-testing-commits] r58932 - data/CVE

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 11:48:58 + (Tue, 26 Dec 2017)
New Revision: 58932

Modified:
   data/CVE/list
Log:
one imagemagick issue unimportant


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 11:47:32 UTC (rev 58931)
+++ data/CVE/list   2017-12-26 11:48:58 UTC (rev 58932)
@@ -93,10 +93,11 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/ece953bbe14e8514afc23e05e4030eea872e29da
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/aa601d79a630f6de0694fadbeee31456a357fa73
 CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
stack-based ...)
-   - imagemagick 
+   - imagemagick  (unimportant)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/907
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf
+   NOTE: webp support not enabled, see #806425
 CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a 
heap-based ...)
- imagemagick  (bug #885125)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/906




[Secure-testing-commits] r58931 - in data: . CVE

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 11:47:32 + (Tue, 26 Dec 2017)
New Revision: 58931

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
stable triage


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 11:01:16 UTC (rev 58930)
+++ data/CVE/list   2017-12-26 11:47:32 UTC (rev 58931)
@@ -669,7 +669,8 @@
NOT-FOR-US: wp-concours plugin for WordPress
 CVE-2017-17718 (The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has 
Missing SSL ...)
- ruby-net-ldap  (bug #884693)
-   [jessie] - ruby-net-ldap  (Doc always said that there is no 
validation)
+   [stretch] - ruby-net-ldap  (Minor issue)
+   [jessie] - ruby-net-ldap  (Documentation already states 
that there is no validation)
[wheezy] - ruby-net-ldap  (Doc always said that there is no 
validation)
NOTE: https://github.com/ruby-ldap/ruby-net-ldap/issues/258
NOTE: Versions < 0.10 properly acknowledge in their documentation the 
lack of any SSL
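Review bot: the justification strings for jessie and wheezy now differ ("Documentation already states that there is no validation" vs. the untouched "Doc always said that there is no validation") although they express the same reasoning; either update the wheezy line in the same hunk or leave the jessie wording as it was, so the entry does not read as two different assessments. Stretch getting "(Minor issue)" while jessie and wheezy get the documentation argument is acceptable but worth a word on why stretch is treated differently.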
@@ -5578,8 +5579,7 @@
- postbooks  (unimportant)
NOTE: 
https://sources.debian.org/src/postbooks/4.7.0-3/guiclient/guiclient.cpp/?hl=1610#L1610
 CVE-2017-17524 (library/www_browser.pl in SWI-Prolog 7.2.3 does not validate 
strings ...)
-   - swi-prolog 
-   [wheezy] - swi-prolog  (Minor Issue)
+   - swi-prolog  (unimportant)
NOTE: 
https://sources.debian.org/src/swi-prolog/7.2.3+dfsg-1/library/www_browser.pl/?hl=68#L68
NOTE: In wheezy it is technically possible to trigger an argument 
injection
NOTE: vulnerability however it is quoted in an unusual way which makes 
it highly
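Review bot: the two NOTE lines kept under this change still argue the case for wheezy only (`In wheezy it is technically possible to trigger an argument injection ...`), yet the hunk drops the wheezy-specific `Minor Issue` line and rates the whole entry `unimportant`. Either reword the NOTE so the quoting argument is stated for the 7.2.3+dfsg-1 source the link points at, or keep a per-release line so the reasoning and the rating match.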
@@ -15225,6 +15225,8 @@
 CVE-2017-15124 [memory exhaustion through framebuffer update request message 
in VNC server]
RESERVED
- qemu  (bug #884806)
+   [stretch] - qemu  (Can be fixed along in later update)
+   [jessie] - qemu  (Can be fixed along in later update)
[wheezy] - qemu  (Can be fixed along in later update)
- qemu-kvm 
[wheezy] - qemu-kvm  (Can be fixed along in later update)
@@ -20823,6 +20825,7 @@
NOT-FOR-US: libbpg
 CVE-2017-13135 (A NULL Pointer Dereference exists in VideoLAN x265, as used in 
libbpg ...)
- x265 
+   [stretch] - x265  (Minor issue)
NOTE: https://github.com/ebel34/bpg-web-encoder/issues/1
NOTE: https://bitbucket.org/multicoreware/x265/issues/385/cve-2017-13135
NOTE: 
https://bitbucket.org/multicoreware/x265/commits/78c0f2c8ba087b38e291226a9555b4b4dab323a5/raw

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-26 11:01:16 UTC (rev 58930)
+++ data/dsa-needed.txt 2017-12-26 11:47:32 UTC (rev 58931)
@@ -16,6 +16,8 @@
 --
 asterisk
 --
+chromium-browser/stable
+--
 gimp (carnil)
 --
 graphicsmagick




[Secure-testing-commits] r58930 - data/CVE

2017-12-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-26 11:01:16 + (Tue, 26 Dec 2017)
New Revision: 58930

Modified:
   data/CVE/list
Log:
one more nasm entry


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 10:14:29 UTC (rev 58929)
+++ data/CVE/list   2017-12-26 11:01:16 UTC (rev 58930)
@@ -303,15 +303,15 @@
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392427
-   TODO: check
 CVE-2017-17816 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free 
in ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392426
-   TODO: check
 CVE-2017-17815 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal 
address access ...)
- nasm 2.13.02-0.1
+   [stretch] - nasm  (Minor issue)
+   [jessie] - nasm  (Minor issue)
NOTE: 
http://repo.or.cz/nasm.git/commit/c9244eaadd05b27637cde06021bac3fa1d920aa3 
(nasm-2.13.02rc3)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392436
 CVE-2017-17814 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free 
in ...)
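Review bot: the two `TODO: check` markers removed above leave no record of what the check established; those entries keep `Minor issue` for stretch and jessie with only the bugzilla link as NOTE, whereas the CVE-2017-17815 entry below records the fixing upstream commit (`nasm-2.13.02rc3`). Add the corresponding commit reference to the other two entries so the rating is traceable.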




[Secure-testing-commits] r58929 - /

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 10:14:29 + (Tue, 26 Dec 2017)
New Revision: 58929

Modified:
   TODO.gitmigration
Log:
Add possible alternative

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2017-12-26 10:01:07 UTC (rev 58928)
+++ TODO.gitmigration   2017-12-26 10:14:29 UTC (rev 58929)
@@ -48,6 +48,8 @@
 
 sectracker role account:
 - can the role account be added to the project and get the notifications?
+  Possible alternative: 
https://docs.gitlab.com/ce/user/project/integrations/emails_on_push.html
+  cf. https://salsa.debian.org/salsa/support/issues/5
 - what needs to be done to allow sectracker role account to commit
   (user creation, guest-user?)
 




[Secure-testing-commits] r58928 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 10:01:07 + (Tue, 26 Dec 2017)
New Revision: 58928

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-17536/phabricator

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 09:10:19 UTC (rev 58927)
+++ data/CVE/list   2017-12-26 10:01:07 UTC (rev 58928)
@@ -5526,7 +5526,11 @@
 CVE-2018-1341
RESERVED
 CVE-2017-17536 (Phabricator before 2017-11-10 does not block the --config and 
...)
-   - phabricator 
+   - phabricator  (unimportant)
+   NOTE: Fixed by: 
https://github.com/phacility/phabricator/commit/a7921a4448093d00defa8bd18f35b8c8f8bf3314
+   NOTE: Starting with 0~git20160726-3 the Phabricator package is not built
+   NOTE: The issue is unfixed in the source up to 0~git20170812-1
+   NOTE: Fixed in 0~git20171202-1 (not yet accepted from NEW)
 CVE-2017-17535 (lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate 
strings before ...)
- gjots2  (unimportant)
NOTE: 
https://sources.debian.org/src/gjots2/2.4.1-2/lib/gui.py/?hl=2188#L2188
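Review bot: the severity is set to `unimportant` while the NOTEs record that the issue is unfixed in the source up to 0~git20170812-1 and only fixed in 0~git20171202-1, which is `not yet accepted from NEW`; once that upload clears NEW the fixed version belongs on the `- phabricator` line, otherwise the entry stays open indefinitely. The NOTE `Starting with 0~git20160726-3 the Phabricator package is not built` would also help later triage if it said why the package stopped being built.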




[Secure-testing-commits] r58927 - data/CVE

2017-12-26 Thread security tracker role
Author: sectracker
Date: 2017-12-26 09:10:19 + (Tue, 26 Dec 2017)
New Revision: 58927

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 08:01:08 UTC (rev 58926)
+++ data/CVE/list   2017-12-26 09:10:19 UTC (rev 58927)
@@ -1,3 +1,5 @@
+CVE-2017-17910
+   RESERVED
 CVE-2017-17909 (PHP Scripts Mall Responsive Realestate Script has XSS via the 
...)
NOT-FOR-US: PHP Scripts Mall Responsive Realestate Script
 CVE-2017-17908 (PHP Scripts Mall Responsive Realestate Script has CSRF via ...)
@@ -18946,8 +18948,8 @@
RESERVED
 CVE-2017-13904
RESERVED
-CVE-2017-13903
-   RESERVED
+CVE-2017-13903 (An issue was discovered in certain Apple products. iOS before 
11.2.1 ...)
+   TODO: check
 CVE-2017-13902
RESERVED
 CVE-2017-13901
@@ -18986,73 +18988,70 @@
RESERVED
 CVE-2017-13884
RESERVED
-CVE-2017-13883
-   RESERVED
+CVE-2017-13883 (An issue was discovered in certain Apple products. macOS 
before ...)
+   TODO: check
 CVE-2017-13882
RESERVED
 CVE-2017-13881
RESERVED
 CVE-2017-13880
RESERVED
-CVE-2017-13879
-   RESERVED
-CVE-2017-13878
-   RESERVED
+CVE-2017-13879 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13878 (An issue was discovered in certain Apple products. macOS 
before ...)
+   TODO: check
 CVE-2017-13877
RESERVED
-CVE-2017-13876
-   RESERVED
-CVE-2017-13875
-   RESERVED
-CVE-2017-13874
-   RESERVED
+CVE-2017-13876 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13875 (An issue was discovered in certain Apple products. macOS 
before ...)
+   TODO: check
+CVE-2017-13874 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
 CVE-2017-13873
RESERVED
 CVE-2017-13872 (An issue was discovered in certain Apple products. macOS High 
Sierra ...)
NOT-FOR-US: Apple
-CVE-2017-13871
-   RESERVED
-CVE-2017-13870
-   RESERVED
+CVE-2017-13871 (An issue was discovered in certain Apple products. macOS 
before ...)
+   TODO: check
+CVE-2017-13870 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
- webkit2gtk 2.18.4-1 (unimportant)
NOTE: https://webkitgtk.org/security/WSA-2017-0010.html
NOTE: Not covered by security support
-CVE-2017-13869
-   RESERVED
-CVE-2017-13868
-   RESERVED
-CVE-2017-13867
-   RESERVED
-CVE-2017-13866
-   RESERVED
+CVE-2017-13869 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13868 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13867 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13866 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
- webkit2gtk 2.18.4-1 (unimportant)
NOTE: https://webkitgtk.org/security/WSA-2017-0010.html
NOTE: Not covered by security support
-CVE-2017-13865
-   RESERVED
-CVE-2017-13864
-   RESERVED
+CVE-2017-13865 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13864 (An issue was discovered in certain Apple products. iCloud 
before 7.2 ...)
+   TODO: check
 CVE-2017-13863
RESERVED
-CVE-2017-13862
-   RESERVED
-CVE-2017-13861
-   RESERVED
-CVE-2017-13860
-   RESERVED
+CVE-2017-13862 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13861 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
+CVE-2017-13860 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
 CVE-2017-13859
RESERVED
-CVE-2017-13858
-   RESERVED
+CVE-2017-13858 (An issue was discovered in certain Apple products. macOS 
before ...)
+   TODO: check
 CVE-2017-13857
RESERVED
-CVE-2017-13856
-   RESERVED
+CVE-2017-13856 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
- webkit2gtk 2.18.4-1 (unimportant)
NOTE: https://webkitgtk.org/security/WSA-2017-0010.html
NOTE: Not covered by security support
-CVE-2017-13855
-   RESERVED
+CVE-2017-13855 (An issue was discovered in certain Apple products. iOS before 
11.2 is ...)
+   TODO: check
 CVE-2017-13854
RESERVED
 CVE-2017-13853
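Review bot: every Apple CVE that gained a description in this hunk is left as `TODO: check`, although the same block already shows the two triage outcomes used for this batch: `- webkit2gtk 2.18.4-1 (unimportant)` with the WSA-2017-0010 reference (CVE-2017-13870, CVE-2017-13866, CVE-2017-13856) and `NOT-FOR-US: Apple` (CVE-2017-13872). The remaining iOS/macOS/iCloud entries need one of those two outcomes before the TODOs can be cleared.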
@@ -19065,10 +19064,10 @@
RESERVED
 CVE-2017-13849 (An issue was discovered in certain Apple products. iOS before 
11.1 is ...)
NOT-FOR-US: Apple
-CVE-2017-13848
-   RESERVED
-CVE-2017-13847
-   RESERVED
+CVE-2017-13848 (An issue was discovered in certain Apple products. mac

[Secure-testing-commits] r58926 - data/CVE

2017-12-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-26 08:01:08 + (Tue, 26 Dec 2017)
New Revision: 58926

Modified:
   data/CVE/list
Log:
Add bug reference for four dolibarr issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-26 07:48:21 UTC (rev 58925)
+++ data/CVE/list   2017-12-26 08:01:08 UTC (rev 58926)
@@ -17,23 +17,23 @@
 CVE-2017-17901
RESERVED
 CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr 
ERP/CRM ...)
-   - dolibarr 
+   - dolibarr  (bug #885321)
[stretch] - dolibarr  (Minor issue)
[jessie] - dolibarr  (Minor issue)
NOTE: 
https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
 CVE-2017-17899 (SQL injection vulnerability in adherents/subscription/info.php 
in ...)
-   - dolibarr 
+   - dolibarr  (bug #885321)
[stretch] - dolibarr  (Minor issue)
[jessie] - dolibarr  (Minor issue)
NOTE: 
https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
 CVE-2017-17898 (Dolibarr ERP/CRM version 6.0.4 does not block direct requests 
to ...)
-   - dolibarr 
+   - dolibarr  (bug #885321)
[stretch] - dolibarr  (Minor issue)
[jessie] - dolibarr  (Minor issue)
NOTE: 
https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
NOTE: 
https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c
 CVE-2017-17897 (SQL injection vulnerability in comm/multiprix.php in Dolibarr 
ERP/CRM ...)
-   - dolibarr 
+   - dolibarr  (bug #885321)
[stretch] - dolibarr  (Minor issue)
[jessie] - dolibarr  (Minor issue)
NOTE: 
https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
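Review bot: all four entries now share bug #885321 and the same fixing commit, which is fine for the three SQL injection issues, but CVE-2017-17898 differs: it concerns unblocked direct requests and carries a second fix commit (6a62e139604dbbd5729e57df2433b37a5950c35c). Worth confirming that the stretch/jessie `Minor issue` rating was reviewed for that entry on its own rather than copied from the SQL injection ones.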

