[Secure-testing-commits] r58978 - data/CVE
Author: carnil Date: 2017-12-27 23:13:38 + (Wed, 27 Dec 2017) New Revision: 58978 Modified: data/CVE/list Log: CVE-2017-17850/asterisk fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:20:49 UTC (rev 58977) +++ data/CVE/list 2017-12-27 23:13:38 UTC (rev 58978) @@ -248,7 +248,7 @@ CVE-2017-17851 RESERVED CVE-2017-17850 (An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and ...) - - asterisk (bug #885072) + - asterisk 1:13.18.5~dfsg-1 (bug #885072) [stretch] - asterisk (Vulnerable code introduced after 13.15.0) [jessie] - asterisk (Vulnerable code introduced after 13.15.0) [wheezy] - asterisk (Vulnerable code introduced after 13.15.0) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
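Review bot: the fixed version 1:13.18.5~dfsg-1 on the unstable line must keep the package epoch, and it does; the r58977 log names 1:13.17.0~dfsg-1 as the first affected Debian version, so the epoch is part of this package's version string, and a fixed version written as 13.18.5~dfsg-1 would sort below every 1:-prefixed upload under dpkg's ordering (epoch compared first) and leave the tracker showing asterisk as still vulnerable. Keep the same care if fixed versions are ever recorded on the stretch/jessie/wheezy lines below it.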
[Secure-testing-commits] r58977 - data/CVE
Author: carnil Date: 2017-12-27 22:20:49 + (Wed, 27 Dec 2017) New Revision: 58977 Modified: data/CVE/list Log: Update information for CVE-2017-17850/asterisk Maintainer confirmed question about introducing versions. Confirmed to be post 13.15.0 and post 13.18.0 partially, resulting in 1:13.17.0~dfsg-1 being the first version in Debian including the vulnerability. Thanks: Bernhard Schmidt and Tzafrir Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:17:17 UTC (rev 58976) +++ data/CVE/list 2017-12-27 22:20:49 UTC (rev 58977) @@ -249,6 +249,9 @@ RESERVED CVE-2017-17850 (An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and ...) - asterisk (bug #885072) + [stretch] - asterisk (Vulnerable code introduced after 13.15.0) + [jessie] - asterisk (Vulnerable code introduced after 13.15.0) + [wheezy] - asterisk (Vulnerable code introduced after 13.15.0) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-014.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27480 CVE-2017-17849 (A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
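Review bot: the three release lines justify their status with "Vulnerable code introduced after 13.15.0", but the more precise and more checkable fact is only in the commit log, namely that 1:13.17.0~dfsg-1 is the first Debian upload containing the vulnerable code and that part of it arrived only after 13.18.0; record that next to the two upstream references, e.g. NOTE: First affected Debian version 1:13.17.0~dfsg-1 (confirmed by maintainer, see AST-2017-014), so the stretch/jessie/wheezy reasoning can be re-verified later without going back to the list archives.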
[Secure-testing-commits] r58973 - data/CVE
Author: carnil Date: 2017-12-27 22:07:12 + (Wed, 27 Dec 2017) New Revision: 58973 Modified: data/CVE/list Log: Add CVE-2017-17914/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:05:19 UTC (rev 58972) +++ data/CVE/list 2017-12-27 22:07:12 UTC (rev 58973) @@ -69,7 +69,10 @@ NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/ CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/908 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/650ec57d84b7b1dce66435b8cd3b58f7ae66db1b + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046 CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based ...) TODO: check CVE-2017-17912 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
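Review bot: the new "- imagemagick" line carries neither a severity nor any [stretch]/[jessie]/[wheezy] line, so the tracker will show every release as affected and unfixed until someone returns to it; the ImageMagick entries touched in r58961 the same day all carry "(low)" plus per-release "(Minor issue)" lines, and this entry already has both the IM7 and the IM6 fix commits, which is enough to decide it the same way. Either triage it now or leave a TODO so that the open state is visibly intentional rather than an oversight.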
[Secure-testing-commits] r58971 - data/CVE
Author: carnil Date: 2017-12-27 22:01:56 + (Wed, 27 Dec 2017) New Revision: 58971 Modified: data/CVE/list Log: Add CVE-2017-17934/imagemagick Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:00:17 UTC (rev 58970) +++ data/CVE/list 2017-12-27 22:01:56 UTC (rev 58971) @@ -24,7 +24,10 @@ NOTE: https://code.wireshark.org/review/#/c/24997/ NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=137ab7d5681486c6d6cc8faac4300b7cd4ec0cf1 CVE-2017-17934 (ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/920 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/3755d2289b032919c065f6ab11ef570063f7f828 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/08278c7cf1c0b4f1da4cdcfaa857ff6b2373a1b2 CVE-2017-17933 RESERVED CVE-2017-17932 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
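Review bot: "- imagemagick (unimportant)" gives no reason for the rating, whereas comparable entries in this file spell it out (the nss lines in r58969 say "Issues triggered by crafted DBM databases, which would require local user access"); add one line such as NOTE: memory leaks only, no security impact beyond resource consumption, so a later reader does not have to re-derive the rating from the two commit links. Keeping the ImageMagick-6 counterpart commit is good, it is what any backport will need.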
[Secure-testing-commits] r58976 - data/CVE
Author: carnil Date: 2017-12-27 22:17:17 + (Wed, 27 Dec 2017) New Revision: 58976 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:12:08 UTC (rev 58975) +++ data/CVE/list 2017-12-27 22:17:17 UTC (rev 58976) @@ -33,21 +33,21 @@ CVE-2017-17932 RESERVED CVE-2017-17931 (PHP Scripts Mall Resume Clone Script has SQL Injection via the ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Resume Clone Script CVE-2017-17930 (PHP Scripts Mall Professional Service Script has CSRF via ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17929 (PHP Scripts Mall Professional Service Script has XSS via the ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17928 (PHP Scripts Mall Professional Service Script has SQL injection via the ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17927 (PHP Scripts Mall Professional Service Script allows remote attackers to ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17926 (PHP Scripts Mall Professional Service Script has a predicable ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17925 (PHP Scripts Mall Professional Service Script has XSS via the ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17924 (PHP Scripts Mall Professional Service Script allows remote attackers to ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17923 RESERVED CVE-2017-17922 @@ -83,7 +83,7 @@ NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/0d871e813a4f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/533/ CVE-2017-17911 (packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer ...) - TODO: check + NOT-FOR-US: Archon CVE-2017-17910 RESERVED CVE-2017-17909 (PHP Scripts Mall Responsive Realestate Script has XSS via the ...) 
@@ -194,9 +194,9 @@ CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH ...) NOT-FOR-US: Valve Steam Link CVE-2017-17876 (Biometric Shift Employee Management System 3.0 allows remote attackers ...) - TODO: check + NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17875 (The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the ...) - TODO: check + NOT-FOR-US: JEXTN FAQ Pro extension for Joomla! CVE-2017-17874 (Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17873 (Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the ...) @@ -10695,7 +10695,7 @@ CVE-2017-16769 RESERVED CVE-2017-16768 (Cross-site scripting (XSS) vulnerability in User Policy editor in ...) - TODO: check + NOT-FOR-US: Synology MailPlus Server CVE-2017-16767 RESERVED CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in Synology ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58975 - data/CVE
Author: carnil Date: 2017-12-27 22:12:08 + (Wed, 27 Dec 2017) New Revision: 58975 Modified: data/CVE/list Log: Add CVE-2017-17912/graphicsmagick Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:10:20 UTC (rev 58974) +++ data/CVE/list 2017-12-27 22:12:08 UTC (rev 58975) @@ -79,7 +79,9 @@ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/ TODO: check, potentially just unimportant like similar issue in imagemagick CVE-2017-17912 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/0d871e813a4f + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/533/ CVE-2017-17911 (packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer ...) TODO: check CVE-2017-17910 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
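Review bot: this entry records the upstream hg revision and the SourceForge bug but no severity, and the heap-based issue ends up with less triage than its stack-based sibling CVE-2017-17913 directly above it, which at least carries "TODO: check, potentially just unimportant like similar issue in imagemagick"; of the two, the heap-based one is the more likely to merit a rating, so either assign a severity here or add the same TODO so that the entry is not mistaken for a finished triage.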
[Secure-testing-commits] r58974 - data/CVE
Author: carnil Date: 2017-12-27 22:10:20 + (Wed, 27 Dec 2017) New Revision: 58974 Modified: data/CVE/list Log: Add CVE-2017-17913/graphicsmagick Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:07:12 UTC (rev 58973) +++ data/CVE/list 2017-12-27 22:10:20 UTC (rev 58974) @@ -74,7 +74,10 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/650ec57d84b7b1dce66435b8cd3b58f7ae66db1b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046 CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/ + TODO: check, potentially just unimportant like similar issue in imagemagick CVE-2017-17912 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...) TODO: check CVE-2017-17911 (packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
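Review bot: the TODO says "potentially just unimportant like similar issue in imagemagick" without naming which ImageMagick CVE it mirrors, so the next person has to rediscover the pairing; put the CVE id into the TODO or a NOTE. If the comparison is with the msl.c memory leaks from r58971, say so explicitly, because a stack-based issue (per the description) is a different class of bug from a leak and should not inherit an "unimportant" rating by analogy alone.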
[Secure-testing-commits] r58972 - data/CVE
Author: carnil Date: 2017-12-27 22:05:19 + (Wed, 27 Dec 2017) New Revision: 58972 Modified: data/CVE/list Log: Add CVE-2017-17915/graphicsmagick Modified: data/CVE/list === --- data/CVE/list 2017-12-27 22:01:56 UTC (rev 58971) +++ data/CVE/list 2017-12-27 22:05:19 UTC (rev 58972) @@ -65,7 +65,9 @@ CVE-2017-17916 RESERVED CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/ CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ...) TODO: check CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58970 - data/CVE
Author: carnil Date: 2017-12-27 22:00:17 + (Wed, 27 Dec 2017) New Revision: 58970 Modified: data/CVE/list Log: Add CVE-2017-17935/wireshark Modified: data/CVE/list === --- data/CVE/list 2017-12-27 21:10:22 UTC (rev 58969) +++ data/CVE/list 2017-12-27 22:00:17 UTC (rev 58970) @@ -19,7 +19,10 @@ CVE-2018-3600 RESERVED CVE-2017-17935 (The File_read_line function in epan/wslua/wslua_file.c in Wireshark ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14295 + NOTE: https://code.wireshark.org/review/#/c/24997/ + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=137ab7d5681486c6d6cc8faac4300b7cd4ec0cf1 CVE-2017-17934 (ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, ...) TODO: check CVE-2017-17933 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
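Review bot: the affected function lives in epan/wslua/wslua_file.c, i.e. the Lua bindings for file readers, so before a severity is assigned the entry should state whether Debian's wireshark build has Lua enabled and whether this code is reachable without a user-installed Lua plugin; record the answer as a NOTE next to the three references and rate accordingly, otherwise the bare "- wireshark" line reads as an untriaged, fully affected entry across all releases.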
[Secure-testing-commits] r58969 - data/CVE
Author: sectracker Date: 2017-12-27 21:10:22 + (Wed, 27 Dec 2017) New Revision: 58969 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2017-12-27 18:53:50 UTC (rev 58968) +++ data/CVE/list 2017-12-27 21:10:22 UTC (rev 58969) 
@@ -1,3 +1,73 @@ +CVE-2018-3609 + RESERVED +CVE-2018-3608 + RESERVED +CVE-2018-3607 + RESERVED +CVE-2018-3606 + RESERVED +CVE-2018-3605 + RESERVED +CVE-2018-3604 + RESERVED +CVE-2018-3603 + RESERVED +CVE-2018-3602 + RESERVED +CVE-2018-3601 + RESERVED +CVE-2018-3600 + RESERVED +CVE-2017-17935 (The File_read_line function in epan/wslua/wslua_file.c in Wireshark ...) + TODO: check +CVE-2017-17934 (ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, ...) + TODO: check +CVE-2017-17933 + RESERVED +CVE-2017-17932 + RESERVED +CVE-2017-17931 (PHP Scripts Mall Resume Clone Script has SQL Injection via the ...) + TODO: check +CVE-2017-17930 (PHP Scripts Mall Professional Service Script has CSRF via ...) + TODO: check +CVE-2017-17929 (PHP Scripts Mall Professional Service Script has XSS via the ...) + TODO: check +CVE-2017-17928 (PHP Scripts Mall Professional Service Script has SQL injection via the ...) + TODO: check +CVE-2017-17927 (PHP Scripts Mall Professional Service Script allows remote attackers to ...) + TODO: check +CVE-2017-17926 (PHP Scripts Mall Professional Service Script has a predicable ...) + TODO: check +CVE-2017-17925 (PHP Scripts Mall Professional Service Script has XSS via the ...) + TODO: check +CVE-2017-17924 (PHP Scripts Mall Professional Service Script allows remote attackers to ...) + TODO: check +CVE-2017-17923 + RESERVED +CVE-2017-17922 + RESERVED +CVE-2017-17921 + RESERVED +CVE-2017-17920 + RESERVED +CVE-2017-17919 + RESERVED +CVE-2017-17918 + RESERVED +CVE-2017-17917 + RESERVED +CVE-2017-17916 + RESERVED +CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...) + TODO: check +CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ...) + TODO: check +CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based ...) + TODO: check +CVE-2017-17912 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...) 
+ TODO: check +CVE-2017-17911 (packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer ...) + TODO: check CVE-2017-17910 RESERVED CVE-2017-17909 (PHP Scripts Mall Responsive Realestate Script has XSS via the ...) @@ -107,10 +177,10 @@ NOT-FOR-US: Valve Steam Link CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH ...) NOT-FOR-US: Valve Steam Link -CVE-2017-17876 - RESERVED -CVE-2017-17875 - RESERVED +CVE-2017-17876 (Biometric Shift Employee Management System 3.0 allows remote attackers ...) + TODO: check +CVE-2017-17875 (The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the ...) + TODO: check CVE-2017-17874 (Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17873 (Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the ...) @@ -10608,8 +10678,8 @@ RESERVED CVE-2017-16769 RESERVED -CVE-2017-16768 - RESERVED +CVE-2017-16768 (Cross-site scripting (XSS) vulnerability in User Policy editor in ...) + TODO: check CVE-2017-16767 RESERVED CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in Synology ...) @@ -21074,8 +21144,8 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/666 CVE-2017-13057 RESERVED -CVE-2017-13056 - RESERVED +CVE-2017-13056 (The launchURL function in PDF-XChange Viewer 2.5 (Build 314.0) might ...) + TODO: check CVE-2017-13055 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 
@@ -25352,32 +25422,28 @@ RESERVED CVE-2017-11699 RESERVED -CVE-2017-11698 [heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)] - RESERVED +CVE-2017-11698 (Heap-based buffer overflow in the __get_page function in ...) - nss (bug #873259; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360779 -CVE-2017-11697 [Floating Point Exception in __hash_open (hash.c:229)] - RESERVED +CVE-2017-11697 (T
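Review bot: in the last hunk the automatic update replaces the hand-written summaries "[heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)]" and "[Floating Point Exception in __hash_open (hash.c:229)]" with MITRE's truncated descriptions, which drops the file and line locations that are the most useful part for anyone backporting the nss fix; carry them over as NOTE lines under CVE-2017-11698 and CVE-2017-11697 so they survive the next run. The rest of the import (new RESERVED ranges, "TODO: check" placeholders for freshly published ids) is the bot's normal output and needs nothing beyond the triage commits that follow.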
[Secure-testing-commits] r58968 - data
Author: jmm Date: 2017-12-27 18:53:50 + (Wed, 27 Dec 2017) New Revision: 58968 Modified: data/next-oldstable-point-update.txt data/next-point-update.txt Log: soundtouch spu/ospu Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2017-12-27 18:19:28 UTC (rev 58967) +++ data/next-oldstable-point-update.txt2017-12-27 18:53:50 UTC (rev 58968) @@ -39,3 +39,9 @@ [jessie] - kildclient 3.0.0-2+deb8u1 CVE-2017-9868 [jessie] - mosquitto 1.3.4-2+deb8u2 +CVE-2017-9258 + [jessie] - soundtouch 1.8.0-1+deb8u1 +CVE-2017-9259 + [jessie] - soundtouch 1.8.0-1+deb8u1 +CVE-2017-9260 + [jessie] - soundtouch 1.8.0-1+deb8u1 Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-12-27 18:19:28 UTC (rev 58967) +++ data/next-point-update.txt 2017-12-27 18:53:50 UTC (rev 58968) @@ -29,3 +29,9 @@ [stretch] - ntopng 2.4+dfsg1-3+deb9u1 CVE-2017-7459 [stretch] - ntopng 2.4+dfsg1-3+deb9u1 +CVE-2017-9258 + [stretch] - soundtouch 1.9.2-2+deb9u1 +CVE-2017-9259 + [stretch] - soundtouch 1.9.2-2+deb9u1 +CVE-2017-9260 + [stretch] - soundtouch 1.9.2-2+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
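Review bot: the six soundtouch entries are consistent across the two files (the same three CVEs, 1.9.2-2+deb9u1 for stretch and 1.8.0-1+deb8u1 for jessie), but the matching CVE/list lines from r58967 still read "[stretch] - soundtouch (Minor issue)" and "[jessie] - soundtouch (Minor issue)"; once the point releases ship, those lines need the +deb9u1/+deb8u1 versions recorded or the tracker keeps listing the issues as open in stable and oldstable. Either leave a TODO in CVE/list now or make sure the point-update close-out step covers all three ids.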
[Secure-testing-commits] r58967 - data/CVE
Author: carnil Date: 2017-12-27 18:19:28 + (Wed, 27 Dec 2017) New Revision: 58967 Modified: data/CVE/list Log: Three soundtouch issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-27 18:16:43 UTC (rev 58966) +++ data/CVE/list 2017-12-27 18:19:28 UTC (rev 58967) @@ -32758,17 +32758,17 @@ NOTE: https://github.com/ImageMagick/ImageMagick/issues/476 NOTE: https://github.com/ImageMagick/ImageMagick/commit/01d522e990aa57cbe67d222dd5e8f7196cc6d199 CVE-2017-9260 (The TDStretchSSE::calcCrossCorr function in ...) - - soundtouch (low; bug #870857) + - soundtouch 1.9.2-3 (low; bug #870857) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) [wheezy] - soundtouch (Minor issue) CVE-2017-9259 (The TDStretch::acceptNewOverlapLength function in ...) - - soundtouch (low; bug #870856) + - soundtouch 1.9.2-3 (low; bug #870856) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) [wheezy] - soundtouch (Minor issue) CVE-2017-9258 (The TDStretch::processSamples function in ...) - - soundtouch (low; bug #870854) + - soundtouch 1.9.2-3 (low; bug #870854) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) [wheezy] - soundtouch (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58966 - data/CVE
Author: carnil Date: 2017-12-27 18:16:43 + (Wed, 27 Dec 2017) New Revision: 58966 Modified: data/CVE/list Log: Two libvorbis issues fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2017-12-27 17:11:43 UTC (rev 58965) +++ data/CVE/list 2017-12-27 18:16:43 UTC (rev 58966) @@ -16864,11 +16864,11 @@ NOTE: https://github.com/erikd/libsndfile/issues/318 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 CVE-2017-14633 (In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability ...) - - libvorbis (bug #876778) + - libvorbis 1.3.5-4.1 (bug #876778) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2329 NOTE: https://github.com/xiph/vorbis/pull/34 CVE-2017-14632 (Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing ...) - - libvorbis (bug #876779) + - libvorbis 1.3.5-4.1 (bug #876779) [jessie] - libvorbis (Vulnerable code not present) [wheezy] - libvorbis (Vulnerable code not present) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2328 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
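Review bot: the unstable fix 1.3.5-4.1 is recorded for both CVEs, but neither entry has a [stretch] line, and CVE-2017-14633 has no release lines at all, so stretch (and, for 14633, also jessie and wheezy) are now shown as affected with no decision attached; given that CVE-2017-14632 is described as "allows Remote Code Execution upon freeing", the stretch status should be settled explicitly, with a fixed version, a no-dsa reason, or a not-affected note like the jessie/wheezy "Vulnerable code not present" lines, rather than left implicit.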
[Secure-testing-commits] r58965 - data
Author: agx Date: 2017-12-27 17:11:43 + (Wed, 27 Dec 2017) New Revision: 58965 Modified: data/dla-needed.txt Log: lts: update vorbis status Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-27 17:07:40 UTC (rev 58964) +++ data/dla-needed.txt 2017-12-27 17:11:43 UTC (rev 58965) @@ -39,9 +39,8 @@ NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html -- libvorbis (Guido Günther) - NOTE: 20171120: Fixes for issues submitted upstream to libvorbis, - NOTE: theora and sox. Awaiting feedback. Underlying reason for CVE-2017-14160 - NOTE: unclear. + NOTE: Underlying reason for CVE-2017-14160 yet unclear, no ustream feedback on this. + NOTE: Fixes for other CVEs applied upstream. -- linux -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
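Review bot: the rewritten libvorbis note drops the date prefix ("20171120:") that the other dla-needed.txt entries use (compare "NOTE: 20171118:" and "NOTE: 20171210:" in r58964) and, with it, the information that the theora and sox fixes were submitted alongside; keep the date on the new status line and keep one line for the theora/sox submissions, so a reader can tell how stale "no upstream feedback" is and which related packages are waiting on the same upstream. "ustream" in the added line is a typo for "upstream".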
[Secure-testing-commits] r58964 - data
Author: agx Date: 2017-12-27 17:07:40 + (Wed, 27 Dec 2017) New Revision: 58964 Modified: data/dla-needed.txt Log: lts: thunderbird uploaded Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-12-27 16:40:59 UTC (rev 58963) +++ data/dla-needed.txt 2017-12-27 17:07:40 UTC (rev 58964) @@ -63,8 +63,6 @@ NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) NOTE: 20171210: likely to be turned into a pkg with limited sec support -- -thunderbird (Guido Günther) --- tiff -- tiff3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58963 - /
Author: carnil Date: 2017-12-27 16:40:59 + (Wed, 27 Dec 2017) New Revision: 58963 Modified: TODO.gitmigration Log: Add note for bin/tracker-data.py, needs possibly rewrite Modified: TODO.gitmigration === --- TODO.gitmigration 2017-12-27 14:43:12 UTC (rev 58962) +++ TODO.gitmigration 2017-12-27 16:40:59 UTC (rev 58963) @@ -71,6 +71,9 @@ (user creation, guest-user?) - Adjust role account procmailrc for trigger updates via mail +bin/tracker_data.py: +- needs a rewrite, contact buxy (Raphaël Hertzog) + old repository: - Add a pre-receive hook to prevent accidental pushes to the old alioth account ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
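Review bot: the log names the script bin/tracker-data.py while the added line says bin/tracker_data.py; one of the two spellings is wrong, and since this TODO is what someone will grep for during the migration, make the added line match the real filename in bin/. The item would also be more actionable with one line on what needs rewriting (for instance which svn-specific calls it makes) instead of only a contact name.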
[Secure-testing-commits] r58962 - data
Author: carnil Date: 2017-12-27 14:43:12 + (Wed, 27 Dec 2017) New Revision: 58962 Modified: data/next-point-update.txt Log: Add ntopng update as proposed via stretch-pu Modified: data/next-point-update.txt === --- data/next-point-update.txt 2017-12-27 12:30:28 UTC (rev 58961) +++ data/next-point-update.txt 2017-12-27 14:43:12 UTC (rev 58962) @@ -25,3 +25,7 @@ [stretch] - kildclient 3.1.0-1+deb9u1 CVE-2017-9868 [stretch] - mosquitto 1.4.10-3+deb9u1 +CVE-2017-7458 + [stretch] - ntopng 2.4+dfsg1-3+deb9u1 +CVE-2017-7459 + [stretch] - ntopng 2.4+dfsg1-3+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58961 - data/CVE
Author: jmm Date: 2017-12-27 12:30:28 + (Wed, 27 Dec 2017) New Revision: 58961 Modified: data/CVE/list Log: mark remaining imagemagick no-dsa issues as ignored Modified: data/CVE/list === --- data/CVE/list 2017-12-27 11:43:00 UTC (rev 58960) +++ data/CVE/list 2017-12-27 12:30:28 UTC (rev 58961) @@ -5154,15 +5154,15 @@ NOT-FOR-US: Panda Global Protection CVE-2017-17682 (In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in ...) - imagemagick (low) - [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/870 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/da649f031e36753c69268c5c027e695b8ae45e9a NOTE: https://github.com/ImageMagick/ImageMagick/commit/06c8dd4de59e48d282d4f224faa64ab9012a711a CVE-2017-17681 (In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found ...) - imagemagick (low) - [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/869 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f6ca1441a5260165dabc627d26f60c32af1d5678 NOTE: different fix: https://github.com/ImageMagick/ImageMagick/commit/73d59a74e0b0a864c1a9581b8a4bdbee427125e2 
@@ -14774,8 +14774,8 @@ CVE-2017-15281 (ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows remote ...) {DLA-1139-1} - imagemagick (low; bug #878579) - [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/832 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e9d1c2adae866861a291535997b2263f26becb1e NOTE: https://github.com/ImageMagick/ImageMagick/commit/32cbfc57962321b2ead627129c9d9ffbfcdb @@ -15702,8 +15702,8 @@ CVE-2017-15017 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ...) {DLA-1131-1} - imagemagick (low; bug #878554) - [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/723 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5a1006a249516a875558c3d642e719b1eac8f820 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0cff8bac0a47f8693cfe57f026fcd752689ff375 @@ -15716,8 +15716,8 @@ NOTE: emf.c not compiled under Debian CVE-2017-15015 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ...) - imagemagick (low; bug #878555) - [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/724 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/0cbb3b3b02e7af493a9aafa8f7e7d23fc70644e4 
@@ -16525,8 +16525,8 @@ CVE-2017-14741 (The ReadCAPTIONImage function in coders/caption.c in ImageMagick ...) {DLA-1131-1} - imagemagick (low; bug #878548) - [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/771 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d8e14899c562157c7760a77fc91625a27cb596f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d @@ -16535,8 +16535,8 @@ CVE-2017-14739 (The AcquireResampleFilterThreadSet function in ...) {DLA-1131-1} - imagemagick (low; bug #878547) - [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/780 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6017a80fe8327fefb77fa677d81154db2b857d1d NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/700fcf95b2c3f554dfbe75833b91f19dde208089 @@ -16898,8 +16898,8 @@ NOT-FOR-US: CyberLink LabelPrint CVE-2017-14626 (Image
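Review bot: in every hunk the removed and added lines read identically ("[stretch] - imagemagick (Minor issue)"), while the log says the change is from no-dsa to ignored; the state tag that carries the change is not visible in this rendering, so a reader of this mail cannot verify it and has to trust the log. Independently of that, moving an entry from no-dsa to ignored means the issue will not be fixed in that release at all, which "(Minor issue)" alone no longer explains; say why in the reason text (upstream fix too intrusive for a stable update, impact too low to justify the churn, or similar), the way the nss entry in r58969 spells out its rationale.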
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add note on why not importing all existing secure-testing users
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a391cf43 by Salvatore Bonaccorso at 2017-12-27T11:43:00+00:00 Add note on why not importing all existing secure-testing users git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58960 e39458fd-73e7-0310-bf30-c45bca0a0e42 - - - - - 1 changed file: - TODO.gitmigration Changes: = TODO.gitmigration = --- a/TODO.gitmigration +++ b/TODO.gitmigration @@ -40,6 +40,7 @@ alioth project: - migrate (active) users (maybe based on only the ones which commited to the svn repository in recent years?) - get the DD acl applied (then point above only applies to -guest users) + => We will add Debian group by default, *-guest user need to re-apply hooks: - this is problematic, we run syntax/sanity checks pre-commit. But with View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a391cf43ebdf2c90ca4ebe14f5d5e7bbac3c72a1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a391cf43ebdf2c90ca4ebe14f5d5e7bbac3c72a1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
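Review bot: the added line makes a write-access decision ("We will add Debian group by default, *-guest user need to re-apply") and sits directly above the unresolved hook item stating that the syntax/sanity checks currently run pre-commit; granting the whole Debian group push access before equivalent server-side checks exist on the new host means a malformed or accidental push can land in data/CVE/list with nothing stopping it. Order the two items so the hooks question is settled first, or state explicitly that broad access is acceptable in the interim, and say who re-approves -guest accounts and by what criterion, since "re-apply" alone leaves that open.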
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Add uncommitted dsa-candidates.signature
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04374abf by Salvatore Bonaccorso at 2017-12-27T11:22:37+00:00 Add uncommitted dsa-candidates.signature git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58958 e39458fd-73e7-0310-bf30-c45bca0a0e42 - - - - - c5796cd2 by Salvatore Bonaccorso at 2017-12-27T11:22:38+00:00 Add uncommitted unknown-packages.signature git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58959 e39458fd-73e7-0310-bf30-c45bca0a0e42 - - - - - 2 changed files: - + doc/dsa-candidates.signature - + doc/unknown-packages.signature Changes: = doc/dsa-candidates.signature = --- /dev/null +++ b/doc/dsa-candidates.signature @@ -0,0 +1,4 @@ +-- +The above is a list of DSA candidates based on the tracker's information. +One should evaluate the candidates and either add them to dsa-needed.txt +or consider tagging them no-dsa. = doc/unknown-packages.signature = --- /dev/null +++ b/doc/unknown-packages.signature @@ -0,0 +1,4 @@ +-- +In above list (well, probably is just one) are "packages" mentioned in +the CVE list that we could not find around. This probably as a result +of spelling error, so please consider to check them and fix their name. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0cb51e79aabdc4aca6b379599ec37d20596e4112...c5796cd249c16bbdad446aa58c2e698c3651fd16 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
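Review bot: the new doc/unknown-packages.signature text is hard to read ("In above list (well, probably is just one) are "packages" mentioned in the CVE list that we could not find around. This probably as a result of spelling error"), and since it is boilerplate appended to every automated report it is worth rewording once, for example: The packages listed above are referenced in data/CVE/list but do not exist in the archive, most likely because of a misspelling; please check and correct the names. The dsa-candidates.signature text is fine as written.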
[Secure-testing-commits] r58960 - /
Author: carnil Date: 2017-12-27 11:43:00 + (Wed, 27 Dec 2017) New Revision: 58960 Modified: TODO.gitmigration Log: Add note on why not importing all existing secure-testing users Modified: TODO.gitmigration === --- TODO.gitmigration 2017-12-27 11:22:38 UTC (rev 58959) +++ TODO.gitmigration 2017-12-27 11:43:00 UTC (rev 58960) @@ -40,6 +40,7 @@ - migrate (active) users (maybe based on only the ones which commited to the svn repository in recent years?) - get the DD acl applied (then point above only applies to -guest users) + => We will add Debian group by default, *-guest user need to re-apply hooks: - this is problematic, we run syntax/sanity checks pre-commit. But with ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58957 - doc
Author: carnil Date: 2017-12-27 11:22:36 + (Wed, 27 Dec 2017) New Revision: 58957 Added: doc/compare-embed-usertags.signature Log: Add mising/uncommited compare-embed-usertags.signature Added: doc/compare-embed-usertags.signature === --- doc/compare-embed-usertags.signature(rev 0) +++ doc/compare-embed-usertags.signature2017-12-27 11:22:36 UTC (rev 58957) @@ -0,0 +1,3 @@ +-- +The output might be a bit terse, but the above bugs are known to be +missing from the embedded-code-copies data. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
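Review bot: the first added line "+--" is presumably meant to be the mail signature delimiter, which mail clients only recognise as "-- " with a trailing space (RFC 3676 signature separator); in this listing it is not possible to tell whether the trailing space survived, so please check the committed file, and the same applies to the other *.signature files added in this batch (r58958, r58959, check-external/signature). If the pre-commit syntax/sanity hooks strip trailing whitespace, the separator will be silently broken and the signature text will appear as part of the report body.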
[Secure-testing-commits] r58958 - doc
Author: carnil Date: 2017-12-27 11:22:37 + (Wed, 27 Dec 2017) New Revision: 58958 Added: doc/dsa-candidates.signature Log: Add uncommited dsa-candidates.signature Added: doc/dsa-candidates.signature === --- doc/dsa-candidates.signature(rev 0) +++ doc/dsa-candidates.signature2017-12-27 11:22:37 UTC (rev 58958) @@ -0,0 +1,4 @@ +-- +The above is a list of DSA candidates based on the tracker's information. +One should evaluate the candidates and either add them to dsa-needed.txt +or consider tagging them no-dsa. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58959 - doc
Author: carnil Date: 2017-12-27 11:22:38 + (Wed, 27 Dec 2017) New Revision: 58959 Added: doc/unknown-packages.signature Log: Add uncommited unknown-packages.signature Added: doc/unknown-packages.signature === --- doc/unknown-packages.signature (rev 0) +++ doc/unknown-packages.signature 2017-12-27 11:22:38 UTC (rev 58959) @@ -0,0 +1,4 @@ +-- +In above list (well, probably is just one) are "packages" mentioned in +the CVE list that we could not find around. This probably as a result +of spelling error, so please consider to check them and fix their name. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58956 - in data: . debsecan
Author: carnil Date: 2017-12-27 11:22:35 + (Wed, 27 Dec 2017) New Revision: 58956 Added: data/debsecan/ data/debsecan/.keep Log: debsecan uses data/debsecan so needs to be present on checkout Added: data/debsecan/.keep === ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58955 - check-external
Author: carnil Date: 2017-12-27 11:16:09 + (Wed, 27 Dec 2017) New Revision: 58955 Added: check-external/signature Log: Add previously uncommited file used as signature for the external-check Added: check-external/signature === --- check-external/signature(rev 0) +++ check-external/signature2017-12-27 11:16:09 UTC (rev 58955) @@ -0,0 +1,4 @@ +-- +The output might be a bit terse, but the above ids are known elsewhere, +check the references in the tracker. The second part indicates the status +of that id in the tracker at the moment the script was run. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
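Review bot: the added text "the above ids are known elsewhere, check the references in the tracker" does not say which external source(s) the ids were found in, so a recipient of the generated mail has nothing to compare against; the signature should name the external check that produced the list, or point to the script under check-external/ that runs it. "The second part indicates the status of that id in the tracker" would also be clearer as "The second column is the status of that id in the tracker at the time the script ran", assuming the output is column-based as the sentence suggests.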
[Secure-testing-commits] r58954 - /
Author: carnil Date: 2017-12-27 09:58:03 + (Wed, 27 Dec 2017) New Revision: 58954 Modified: TODO.gitmigration Log: Add role account todo item: procmailrc adjustments Modified: TODO.gitmigration === --- TODO.gitmigration 2017-12-27 07:06:38 UTC (rev 58953) +++ TODO.gitmigration 2017-12-27 09:58:03 UTC (rev 58954) @@ -68,6 +68,7 @@ cf. https://salsa.debian.org/salsa/support/issues/5 - what needs to be done to allow sectracker role account to commit (user creation, guest-user?) +- Adjust role account procmailrc for trigger updates via mail old repository: - Add a pre-receive hook to prevent accidental pushes to the old alioth ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
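Review bot: "+- Adjust role account procmailrc for trigger updates via mail" should read "for triggering updates via mail", and the item should say what the procmail rule currently does and what it must do after the migration (the hunk only records that an adjustment is needed), so that whoever picks up the task does not have to rediscover which mails trigger which update on the role account. As placed, the item sits in the role-account section just before the "old repository:" header, which looks right, but it is the only item there without a reference to the salsa support issue mentioned two lines above; if the mail-triggered update depends on that issue, link it.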